Service Design Processes Tutorial

3.1 Service Design Processes

Welcome to Learning Unit 3 of the ITIL Lifecycle Intermediate Service Design Certification Course by Simplilearn! We all know that ITIL follows a process-oriented approach for managing IT services. We shall now discuss the processes covered within the Service Design Publication. There are eight processes that can be implemented and followed to ensure that effective and efficient solutions are produced considering a holistic approach. The eight processes that will be discussed in this unit are:

• Design Coordination
• Service Catalogue Management
• Service Level Management
• Availability Management
• Capacity Management
• IT Service Continuity Management
• Information Security Management
• Supplier Management

Let’s continue to look at the syllabus in the next slide.

3.2 Learning Unit 3: Syllabus

Course Objectives

We will discuss:

• The knowledge, interpretation and analysis of service design principles, techniques and relationships and their application to the design of effective service solutions
• The interaction of service design processes
• The flow of service design as it relates to the business and customer
• The five design aspects and how they are incorporated into the service design process

Let’s begin with the high level view of Service Design in the next slide.

3.3 Service Design - High Level View

Service Design is not a silo stage. It is the key link between Service Strategy and the other stages of the Service lifecycle. It is responsible for a number of critical activities that determine the performance, efficiency and effectiveness of the other stages.

The diagram in this slide represents the big picture of service design. New business and customer requirements form the key inputs to service strategy and, after proper analysis, they form part of the service portfolio. These requirements are further analysed and translated into service solutions that are incorporated in the service design package and handed over to Service Transition. Service Transition builds, tests and deploys the services into the live environment and thereafter Service Operation takes the responsibility of managing them in line with agreed service levels.

During the Service Design stage the service catalogue management, service level management, capacity management, availability management, IT service continuity management, information security management and supplier management processes collaborate and contribute to the design of the service solution and the other aspects. These processes develop respective policies, plans, reports, and other important documents and outputs required by other stages, processes and stakeholders.

Developing holistic designs leads to more efficient service transition and service operation activities. This results in developing and delivering services that meet business and customer requirements and contribute positively to business outcomes and goals.

Let’s proceed to discuss the five aspects of Service Design.

3.4 Five aspects of Service Design

The Service Design guidance recommends adopting an integrated approach while designing new or changed services. There are five important areas that need to be considered and these are popularly known as ‘Five Major Service Design Aspects’. We have covered these in detail in Learning Unit – 2. Let us now have a quick recap of these five aspects before we proceed further with service design processes. The five aspects of service design are:

• The design of the services, including all of the functional requirements, resources and capabilities needed and agreed;
• The design of Service Management Systems and Tools, especially the Service Portfolio, for the management and control of services through their lifecycle;
• The design of the technology architectures and management systems required to provide the services;
• The design of the processes needed to design, transition, operate and improve the services, the architectures and the processes themselves; and
• The design of the measurement methods and metrics of the services, the architectures and their constituent components and the processes.

In the next slide let us understand Design Coordination.

3.5 Design Coordination

We shall now start off with the first process of Service Design – Design Coordination. Designing a service by taking into consideration the five aspects of service design is such a complex task that it requires special focus and attention. The service management team or the project team will have to interact, cooperate and coordinate with a number of teams to ensure proper completion and compilation of the Service Design Package.

• The Purpose of the Design Coordination process is to ensure that the goals and objectives of the service design stage are met by providing and maintaining a single point of coordination and control for all activities and processes within the design stage of the service lifecycle.
• The Key objectives of the Design Coordination process are to:
  • Ensure the consistent design of appropriate services, service management information systems, architectures, technology, processes, information and metrics to meet current and evolving business outcomes and requirements;
  • Coordinate all design activities across projects, changes, suppliers and support teams, and manage schedules, resources and conflicts where required;
  • Plan and coordinate the resources and capabilities required to design new or changed services; and
  • Produce Service Design Packages based on service charters and change requests.
• The Scope of service design process includes all design activities, especially for all new or changed service solutions that are being designed for transition into the live environment or services identified for retirement.
• In particular the scope includes:
  • Assisting and supporting each project or service change through all the service design activities and processes;
  • Maintaining policies, guidelines, standards, budgets, models, resources and capabilities for service design activities and processes;
  • Coordinating, prioritising and scheduling of all service design resources to satisfy conflicting demands from all projects and changes;
  • Planning and forecasting the resources needed for the future demand for service design activities;
  • Reviewing, measuring and improving the performance of all service design activities and processes;
  • Ensuring that all requirements are appropriately addressed in service designs, particularly utility and warranty requirements; and
  • Ensuring the production of service designs and/or Service Design Packages and their handover to service transition.

Let us now proceed to understand the value to business of Service Design.

3.6 Value to Business

A number of benefits accrue to the business when the design coordination process is implemented and adhered to by the service providers and IT organisations. Let us have a quick look at the key benefits derived by adopting the design coordination process.

• This process enables production of a set of consistent quality solution designs and Service Design Packages that will provide the desired business outcomes.
• It enables achieving the intended business value of services through design at acceptable risk and cost levels.
• This process helps in minimising rework and unplanned labour costs associated with reworking design issues during later service lifecycle stages.
• It supports the achievement of higher customer and user satisfaction and improved confidence in IT and in the services received.
• The process ensures that all services conform to a consistent architecture, allowing integration and data exchange between services and systems.
• It provides improved focus on service value as well as business and customer outcomes.

Let’s understand the policies in the next slide.

3.7 Policies

It is a general good practice to establish policies to ensure that the process objectives are met and that the process and its activities are adhered to by all concerned. Let us now look at some of the Design Coordination process related policies.

• While developing service designs and Service Design Packages, the corporate standards and conventions must be adhered to;
• There should be explicit attention to governance and regulatory compliance in all design activities;
• Standards for elements of a comprehensive design for new or changed services must be strictly adopted. These include using organisation defined:
  • Document templates,
  • Documentation plans,
  • Training plans,
  • Communications and marketing plans,
  • Measurement and metrics plans,
  • Testing plans,
  • Deployment plans;
• The specified criteria for resolving conflicting demands for service design resources must be followed; and
• Organisation specific standard cost models must be used.

In the next slide let’s understand the principles.

3.8 Principles

Now let us discuss two important principles that are relevant to the Design Coordination Process.

The first principle is ‘adopting a balanced approach and prioritisation of improvements’.

• The designs developed should be comprehensive, covering all aspects of utility and warranty, as well as the needs of the service throughout its lifecycle.
• The standards or documentation requirements to be followed during the design stage should not create excessive bureaucracy without consistently returning better services to the business and/or customer. They should be just enough for meeting relevant compliance requirements and service objectives.
• It should be ensured that there is just enough definition, measurement and control of design activities in place to successfully manage the work and improve results, but no more. Too many measurement and control activities will lead to unnecessary effort and information without adding any value to the design stage or processes.

The second principle is related to ‘integration with project management’.

• As new services and major changes are managed through a project management approach, it is important that practices, documents, procedures or deliverables deemed to be needed for design success should be integrated into the overall project management methodology and all project managers should be trained to contribute appropriately.

In the next slide we will understand the process activities.

3.9 Process activities

We all know that ‘a process is a structured set of activities designed to accomplish a specific objective’. Let us get into the details of the Design Coordination process activities. Design coordination covers two specific areas and there are separate sets of activities for each of these areas.

• The first set of activities is related to the overall service design lifecycle stage and covers:
  • Development, deployment and continual improvement of appropriate service design practices; and
  • Coordination of actual design activity across projects and changes.
• The second set of activities is concerned with each individual design. These include:
  • Ensuring that each individual design effort and Service Design Package, whether part of a project or simply associated with a change, conforms with defined practices, and that they produce a design that will support the required business outcomes.

We shall now discuss these two categories in more detail.

3.10 Design Coordination Activities

The diagram in this slide clearly depicts the two areas of Design Coordination with a simple process flow covering the relevant activities. Let us start with ‘The overall service design lifecycle stage activities’.

• ‘Define and maintain policies and methods’ is the first activity. This activity is concerned with defining the overall holistic approach to service design. This includes:
  • Working collaboratively with all other processes engaged in the service design stage to ensure that a common framework of standard reusable processes, procedures and systems is used.
  • Defining the level of design coordination needed for different types of projects and changes. Design coordination, project management and change management should collaborate to define policies and consistent practices for the design work associated with projects and changes.
  • Maintaining a set of architectural documents and principles for the design of service solutions and the production of Service Design Packages.
• ‘Plan design resources and capabilities’ is the next activity. This activity takes care of planning and coordination of the resources and capabilities required for new or changed services and for producing the appropriate Service Design Packages. This includes:
  • Maintaining regular communication with business relationship managers and service owners to ensure that this process is informed of service portfolio changes and appropriate planning for required design resources can be initiated.
  • Identifying new capabilities required and gaps in current capabilities. This will be followed by coordinating with respective functional managers to plan and fill those gaps.
• The third activity, ‘Coordinate design activities’, is concerned with coordination of all design activities across projects and changes, managing schedules, resources and conflicts, and suppliers and support teams where required. This activity also integrates all five aspects of design. It ensures that:
  • Good communication is maintained between the various design activities and all concerned parties, including the business and IT planners, designers, architects and strategists;
  • The latest versions of all appropriate business and IT plans and strategies are available to the designers;
  • All architectural documents, service models, service solution designs and Service Design Packages conform to strategic, architectural, governance and other corporate requirements, as well as IT policies and plans; and
  • Good communication and coordination is established with service transition processes to ensure proper handover to this stage.
• One important activity of the overall service design stage is ‘Managing design risks and issues’. This involves adopting formal risk assessment and management techniques to manage risks associated with design activities and reduce the number of issues that can subsequently be traced to poor design. Policies and procedures should be established for documenting and responding to issues during the design stage and these procedures should be integrated into design processes and the organisation’s project management methodology, wherever appropriate.
• ‘Improve service design’ is the last but an on-going activity. Design coordination must monitor and measure the performance of the service design stage of the lifecycle to identify improvement opportunities based on objective data. The Continual Service Improvement approach shall be used in implementing design coordination and improving processes and process activities.

We shall now discuss the ‘Individual design activities’. These activities are related to various designs to be developed for each project or change.

• The first activity is to ‘Plan individual designs’. A comprehensive plan for the design activity for each project or change needs to be created. The plan should cover:
  • the functionality or utility to be designed;
  • the levels of warranty;
  • the requirements to establish the service in effective use in the organisation;
  • the requirements to operate, maintain and support the service on an on-going basis;
  • the monitoring, maintenance and support activities required; and
  • cost and schedule details.
• The next activity is ‘Coordinate individual designs’.
  • This activity is normally performed by a project manager or the person responsible for the change. It involves scheduling of both the service provider and customer resources to ensure involvement of the right people at the right time to create an accurate and complete design.
  • The design stage work is likely to be iterative as requirements are gathered, documented, agreed, translated into designs, validated with the customer and adjustments made. Hence a high level of coordination is required.
  • Throughout the individual design stage it is important that all requirements of service, business and project change management are carefully adhered to, and that requirements for documentation of changes to service assets via the service asset and configuration management process are also met.
• The next activity is to ‘Monitor individual designs’. This involves monitoring each on-going design effort to ensure that there is adherence to agreed methods; that there are no conflicts with other on-going design efforts; that design milestones are being met; and that the development of a comprehensive design that will support the achievement of the required business outcomes is taking place.
• The final activity is to ‘Review designs and ensure handover of Service Design Packages’.
  • This activity is concerned with performing a final review of the designs for compliance with standards and conventions, and to ensure that all agreed requirements for the Service Design Package have been completed correctly;
  • Any issues identified and agreed resolutions are documented and implemented; and
  • Handing over of the Service Design Package to service transition after obtaining authorisation from change management, if required at this stage.

In the next few slides let us learn about the roles involved in Design Coordination.

3.11 Role : Design Coordination Process Manager

We now understand the critical role that Design Coordination plays in the overall Service Design stage. The design coordination process manager’s responsibilities include:

• Coordinating interfaces between design coordination and other processes within Service Design as well as other lifecycle stages
• Ensuring that overall service strategies are reflected in the service design practice
• Ensuring the consistent design of appropriate services, service management information systems, architectures, technology, processes, information and metrics to meet current and evolving business outcomes and requirements
• Coordinating all design activities across projects, changes, suppliers and support teams, and managing schedules, resources and conflicts where required
• Planning and coordinating the resources and capabilities required to design new or changed services
• Producing Service Design Packages based on service charters and change requests

3.12 Role : Design Coordination Process Manager

• Ensuring that appropriate service designs and Service Design Packages are produced and that they are handed over to service transition as agreed
• Managing the quality criteria, requirements and handover points between the service design stage and service strategy and service transition stages
• Improving the effectiveness and efficiency of service design activities and process
• Ensuring that all parties adopt a common framework of standard, reusable design practices in the form of activities, processes and supporting systems, whenever appropriate.

3.13 Triggers, inputs and outputs

We are all well aware that a process is triggered by specific events and it takes defined inputs to convert them into desired outputs. We shall now look into the triggers, inputs and outputs relating to the Design Coordination process.

• The Triggers for the design coordination process are:
  • Changes in the business requirements and services due to various reasons like statutory requirements, business growth, new lines of business, strategic decisions, etc.
  • Following the above, a request for change is normally raised to implement the change; this formally initiates the change approval and thereafter the design processes.
  • Another trigger could be the creation of new programs and projects for designing, building and implementing new services or major changes to existing services.
  • The revision of the overall IT strategy itself may lead to restructuring the IT infrastructure, environment or services.
• Now let us look at the Inputs to the Design Coordination process. A number of sources of information are relevant to the design coordination process. These include:
  • Service charters for new or significantly changed services;
  • Change requests from any stages of the service lifecycle;
  • Change records and authorised changes; and
  • Business information, business impact analysis, service portfolio, legal and regulatory policies, project or change schedules, existing processes and the enterprise architecture.

3.14 Triggers, inputs and outputs

The process outputs of design coordination are:

• Comprehensive and consistent set of service designs and service design packages;
• A revised enterprise architecture;
• Revised management systems, processes, measurement and metrics methods; and
• Updates to service portfolio and change records.

Let’s understand the interfaces in the next slide.

3.15 Interfaces

Design coordination interacts and interfaces with a number of other service management processes. The primary interfaces will be with the Service Strategy and Service Transition processes.

• Service portfolio management process provides key inputs to design coordination in the form of service charter and all associated documentation such as business requirements, requirements for service utility and warranty, service options, risks and priorities.
• Change management provides details of authorised changes to design coordination to initiate service design activity. Change management also provides authorisation at defined points in the service lifecycle, to ensure that required actions have taken place and that quality criteria have been met. The post-implementation reviews from change management provide valuable feedback on areas of improvement for design coordination. Design coordination provides status information on design milestones that relate to changes.
• Financial management for IT services provides details of the value proposition for the new or changed service as well as budgets available for design activities.
• Business relationship management provides design coordination with intelligence and information regarding the business’s required outcomes, customer needs and priorities and serves as the interface with the customer at a strategic level. This process also helps in customer verification and sign-off of designs developed.
• Design coordination hands over the Service Design Package to ‘Transition planning and support’. Both these processes perform similar activities and it is essential that they interact well to produce consistent overall plans and resource schedules for current and future projects and changes.
• Strategy management for IT services provides design coordination with information about the current and evolving service strategy. This will enable design coordination to ensure that design guidelines and documentation remain aligned with the strategy over time.
• Planning and design for release and deployment is carried out during the service design stage of the service lifecycle. Design coordination ensures that these are integrated with other service design activities and are incorporated in the overall Service Design Package.
• Similarly, the planning and designing of various types of tests is carried out during the design stage. Hence design coordination should interact with Service validation and testing to ensure that these are integrated with other service design activities and form part of the overall Service Design Package.
• Change evaluation determines the performance of a service change. Design coordination should assist the evaluation process by ensuring that the required resources are made available during evaluation of changes.
• Service level management is responsible for defining and agreeing the service level requirements for new or changed services, which must be done in a consistent manner according to practices developed cooperatively with design coordination. Design coordination should also ensure that the required warranty levels are properly addressed in the service solution design and the service design package.
• Availability, capacity, IT service continuity and information security management processes are actively involved during service solution design. Design coordination ensures that inputs are provided and design activities are executed in a consistent way according to practices developed in collaboration with these processes.
• Design coordination interfaces with Supplier management to ensure that contributions of suppliers to design activities are properly managed and to develop consistent and reliable practices in this area.

In the next slide let us look at the CSFs and KPIs of design coordination.

3.16 CSFs and KPIs

Critical success factors and key performance indicators help service providers and businesses to measure the efficiency of the process and identify opportunities for improvement. We will now discuss a few examples of Design Coordination related critical success factors and their key performance indicators.

• ‘Developing accurate and consistent Service Design Packages’ is one important critical success factor of Design Coordination. The related key performance indicator will be ‘Reduction in the number of subsequent revisions of the content of Service Design Packages’.
• Another Design Coordination related critical success factor we can think of is ‘Managing conflicting demands for shared resources’. The related key performance indicators are ‘Increased satisfaction with the service design activities, within project and change staff’ and ‘Reduced number of issues caused by conflict for service design resources’.
• Another important Design Coordination related critical success factor is that ‘New and changed services meet customer expectations’. The related key performance indicators are ‘Customer satisfaction score for each new or changed service meets or exceeds a designated rating’ and ‘the percentage increase in the number of transitioned services that consistently achieve agreed service level targets’.

Next, let’s discuss the challenges.

3.17 Challenges

There is a possibility that IT organisations and businesses might encounter some challenges while implementing and adhering to processes. We shall now discuss such Design Coordination process related challenges.

• One major challenge pertains to maintaining the high quality of designs and Service Design Packages consistently across all areas of business, service and infrastructure. This requires integration of standards and practices developed by design coordination into the organisation’s project management methodology, wherever appropriate.
• Another challenge could be to ensure that sufficient time and resources are devoted to design coordination activities and that roles and responsibilities of the process are assigned to the appropriate individuals and groups to ensure completion of design activities.
• Developing common design practices that produce the desired high quality designs without introducing unnecessary bureaucracy is another challenge that may be faced by design coordination. It is therefore important that the level of control around design activities be just appropriate to the need.

Let’s move to the risks of design coordination.

3.18 Risks

Risk identification and management are essential for the success of any process. The probable risks pertaining to the Design Coordination process are:

• Potential lack of skills and knowledge required for designing service solutions and performing design activities;
• Reluctance of the business to be closely involved during the design stage, which usually happens because of the notion that design is solely an IT responsibility;
• Poor direction and strategy leading to ambiguous and little information on actual business requirements;
• Lack of information on business priorities and impacts leading to allocation of resources to less important changes and projects;
• Poorly defined requirements and desired outcomes leading to rework and wastage of valuable resources;
• Poor communication between various processes and teams which may lead to a plethora of issues;
• Lack of involvement from all relevant stakeholders including customers, users and support and other operational staff; and
• Insufficient interaction with and input from other lifecycle stages.

In the next few slides we will learn about Service Catalogue Management which is the next process in Service Design.

3.19 Service Catalogue Management (SCM):

Customers and users expect to view information on all services provided by a service provider from a single source. They expect that the information must be accurate, current and easy to understand. It is through the Service Catalogue that IT organisations and service providers meet this customer expectation. In the next few slides we shall be covering all relevant information on the Service Catalogue Management Process.

• The purpose of Service Catalogue Management is:
  • To provide and maintain a single source of consistent information on all operational services and those being prepared to be run operationally; and
  • To ensure that the Service Catalogue is widely available to those who are authorised to access it.
• The key objectives of this process are to:
  • Manage the information contained within the service catalogue;
  • Ensure that the service catalogue is accurate and reflects the current details, status, interfaces and dependencies of all services that are being run, or being prepared to run, in the live environment, according to the defined policies;
  • Ensure that the service catalogue is made available to those approved to access it in a manner that supports their effective and efficient use of service catalogue information; and
  • Ensure that the service catalogue supports the evolving needs of all other service management processes for service catalogue information, including all interfaces and dependency information.

Let’s understand the scope of SCM in the next slide.

3.20 Service Catalogue Management (SCM):

Scope

While designing and defining processes, it is important to establish the scope of the process so that all concerned have a clear understanding of what can be expected and what is not included within the intended outputs of the process. In general, the Service Catalogue Management process covers:

• Providing and maintaining accurate information on all services that have been transitioned or are being transitioned into the live environment;
• Contributing to the definition of services and service packages;
• Development and maintenance of service and service package descriptions appropriate for the service catalogue;
• Interfaces, dependencies and consistency between the service catalogue and the overall service portfolio; and
• Interfaces and dependencies between all services, supporting services, components and configuration items within the service catalogue and the Configuration Management System.

Let’s understand SCM value to business in the next slide.

3.21 Value to Business:

Implementing and adopting the Service Catalogue Management process results in a number of benefits to the IT organisation as well as the Business. It provides a systematic approach to compiling the service catalogue and presenting it to the customers, enabling them to request and utilise the IT services. The following are the key benefits derived by business from Service Catalogue Management:

• A service catalogue provides a central source of information on the IT services delivered by the service provider organisation. Hence customers and users can easily access this information and utilise the appropriate services required for achieving their business outcomes.
• Service Catalogue Management ensures that all areas of the business can view an accurate, consistent picture of the IT services, their details and their status.
• This process ensures a common understanding of IT services and improved relationships between the customer and service provider.
• A service catalogue depicts a customer-facing view of the IT services in use, how they are intended to be used, the business processes they enable, and the levels and quality of service the customer can expect for each service.
• This process helps in improving the efficiency and effectiveness of other service management processes as these processes can leverage the information contained in or connected to the service catalogue.

As with any other process, let’s learn about the SCM policies in the next few slides.

3.22 Policies:

Policies Policies help in adopting a consistent approach towards developing, implementing and adhering to processes. Hence IT organisations and service providers should ensure that appropriate policies are defined during the design of processes. Some examples of Service Catalogue Management policies are: • A policy with regard to what services and the level of details should be included in the overall service portfolio and the constituent service catalogue. It should also document the responsibilities for each section of the overall service portfolio and the scope of each of the constituent sections. • A policy regarding when a service is published in the service catalogue as well as when it will be removed from the service catalogue. It should also detail if these changes will fall within the scope of change management or not and who will authorise the inclusion and exclusion of services in the service catalogue. Next, let’s look into the relationship between service catalogue and service portfolio.

3.23 SCM : Service Portfolio-Pipeline, Catalogue and Retired

Service Portfolio – Pipeline, Catalogue and Retired We will now try to understand the structure of the service portfolio and also the relationship between service portfolio and service catalogue. A service portfolio represents the complete set of services that is managed by a service provider. It is used to manage the entire lifecycle of all services and it is part of the overall Service knowledge management system. It has three parts, namely – pipeline, service catalogue and retired services. Pipeline represents services that are under consideration or in development stage. Service catalogue represents services that are live and currently available for customers and those that are available for deployment. And retired services are the ones that have been decommissioned and not available for customers. The service catalogue is a subset of the Service Portfolio and is the only part of the portfolio that is visible to customers. It consists of services presently active in the Service Operation and offered to current or prospective customers. Service details can enter the Service Catalogue only after due diligence has been performed on related costs and risks. Required resources are engaged to fully support active services while they are offered to and utilised by the customers. In the next slide we will learn the definition of service catalogue.

3.24 Definition - Service Catalogue:

Definition – Service Catalogue Before we proceed further, let us try to understand what exactly a ‘service catalogue’ is. • The service catalogue is a database or structured document with information about all live IT services, including those available for deployment. While it is essential that all live IT services should find a place in service catalogue, it is also necessary that customers and users should have visibility of new services or changed services that will be available in the near future. Hence, services available for deployment into live environments are also generally included in the service catalogue. • Service portfolio consists of three parts – pipeline services, service catalogue and retired services. The service catalogue is the only part of the service portfolio that is published to customers and is used to support the sale and delivery of IT services. Hence it is important that it is designed and presented in a way that is easily accessible and understood by the customers. • Apart from the description of the services, the service catalogue includes information about deliverables, prices, contact points, ordering and request processes. These details help customers in ordering and utilising the services in a seamless way.

3.25 Defining Service:

Defining Service Before incorporating a service in the service catalogue, it is important to define and describe the service in a manner that is easily and clearly understood by customers. A proper categorisation of services is the next step that helps in relating services to business or customer requirements. • Therefore, what is a service? It is not easy to define a service and in particular an IT service. This is because different groups of people view services from different perspectives. • Many organisations have failed to come up with a clear definition for a service. In most cases it is either too technical or ambiguous. It requires a lot of analysis and a systematic approach to define a service so that it is understood by the customer in the right way. • IT staff often confuse a ‘service’ as perceived by the customer with an IT system. It should be understood that services are delivered using IT systems and resources and that IT systems by themselves do not represent a service. • One ‘service’ can be made up of other ‘services’ which are themselves made up of one or more IT systems. Hence while defining a service in a service catalogue, it needs to be decided what level of the service is to be described: top level or low level. Again, a policy should be in place for this to ensure that a consistent approach is always followed. • When two or more services are combined, it is called a service package. Service catalogues should have provision for showing a service package view as well if required. • Each organisation needs to develop a policy of what a service is and how it is to be defined and agreed. This helps in listing and detailing the services in the service catalogue in a consistent and formal way. • Customers often have greater clarity about what they believe a service to be, and hence it is important to obtain these inputs and then come up with an appropriate definition of the service.
Let’s look at the different types of services in the next slide.

3.26 Different types of Services:

Different types of services IT services can broadly be divided into two categories – Customer facing services and supporting services. We shall now discuss these two types of services. • Customer-facing services are IT services that are seen and directly used by the customer. • These are typically services that support the customer’s business units or business processes, directly facilitating some outcome or outcomes desired by the customer. Examples of customer-facing services are billing services, financial services, credit card issue, automated teller machine (ATM) services, etc. • Supporting services are IT services that support or ‘underpin’ the customer-facing services. • These are typically invisible to the customer, but essential to the delivery of customer-facing IT services. • Generally, supporting services include infrastructure services, network services, application services or technical services. It is a combination of the customer-facing services and supporting services that together constitute the overall service and enable the utility and warranty of the services provided to the customer. So far we have understood the definition of service catalogue, service and types of services. Let’s now proceed to understand the uses of service catalogue.

3.27 Service Catalogue uses:

Service Catalogue Uses A well-designed and implemented service catalogue is sometimes the best way of achieving success in IT service management. It gives a very clear picture of all services provided by the service provider, which in turn depicts the capabilities of the organisation. • The service catalogue is an important tool for service strategy because it is the virtual projection of the service provider’s actual and present capabilities. A service catalogue is expected to provide accurate and current information on services delivered and this reflects the continuous alignment of the service catalogue to changing business requirements. This in turn reflects the alignment of organisational capabilities to changing services. • Many customers are only interested in what the provider can commit now, rather than in the future. For customers, the utility and warranty delivered through services should meet the current business requirements and should be continuously improved to meet the changing requirements. • The service catalogue can be used by many different groups for many different purposes. We shall now see how customers, IT staff and users can use a service catalogue. • Customers can use the service catalogue to understand what the service provider can do for them and to interact with the service provider regarding the services. They will be able to select the most appropriate services that enable them to achieve their business outcomes. • Staff members of the service provider can use the service catalogue to understand how supporting services and service provider resources and capabilities support business activity. An understanding of the relationship between IT services and business processes helps set the right level of focus and prioritisation of IT activity. The service catalogue details each service and provides links to the service components that make up the service.
By linking to the detailed information in the Configuration Management System, the service catalogue also provides an overview of the assets, processes and systems involved in each service. It thus enables establishing the interfaces between various service management processes. • Users or individual consumers of a service can use the service catalogue to understand the scope of services available and to learn how to place service requests and/or report incidents associated with the provided services. As the service catalogue is the single source of information for all services provided, it enables users to access all relevant information for utilising the services. Let’s discuss the structure of service catalogue in the next slide.

3.28 Service Catalogue structure:

Service Catalogue Structure Having discussed various concepts of Service Catalogue Management, let us now try to understand the key points to be considered while designing the structure of a Service Catalogue. • The structure and presentation of the service catalogue should support the uses to which it will be put, taking into consideration the different, sometimes conflicting needs of different audiences. Hence it is good practice to present more than one view of the information in the service catalogue to accommodate the different needs of those who will use it. • Not every service is of interest to every person or group. Customers, users and IT staff view the service catalogue from different perspectives and their requirements will be different. Also, among the customers, different customer groups will have different interests. • Not every piece of information about a service is of interest to every person or group. Customers seek information in business language and IT staff look for technical details. Also, wholesale customers are interested in competitive prices, whereas a retail customer looks at the utility and warranty information in more detail. • It is essential that multiple service catalogue views are projected from the service portfolio to satisfy the different customer needs. In the next two slides we will look at the Business and Technical service catalogues.

3.29 SCM : Business and Technical

Business and Technical We shall now discuss a couple of service catalogue structures - one with two views and the other with three views. First, a service catalogue with two views. In order to ensure that both the customer and IT have a clear understanding of the relationship between the outcome-based, customer-facing services and the business processes they support, it is recommended that a service provider, at the minimum, defines two different views: one view that shows the customer-facing services and a second view that shows all the supporting services. • The customer-facing services view is popularly known as the ‘Business Service Catalogue’. • It contains details of all the IT services delivered to the customer. • It also contains the relationships to the business units and business processes that rely on the IT services. • This is meant to be used by the business and customers for ordering and receiving the services.

3.30 SCM : Business and Technical

Business and Technical • The service provider view is known as the Technical Service Catalogue. • It contains details of all the supporting IT services utilised for delivering the customer-facing services. • It also details the relationships to the customer-facing services they underpin and the components, Configuration Items and other supporting services necessary to support the provision of the service to the customers. • This is mainly used by the service provider staff for providing and managing the core services. Let’s look at the diagrams of these structures in the next slide.

3.31 SCM : Business and Technical

SCM: Business and Technical The diagram on this slide is a simple but good representation of the Business Service Catalogue and the Technical Service Catalogue. It clearly indicates that the Business Service Catalogue shows the customer-facing services. It also shows the relationship between business processes and the services. It may be noted that one service may be used by more than one business process. The lower half of the diagram represents the Technical Service Catalogue. The supporting services like infrastructure management, application management and database management are used to manage the service assets – hardware, software, applications and data. These services may support multiple core services or customer-facing services. Next, let’s discuss the three-view structure.

3.32 Service Catalogue with three views:

Service Catalogue with three views Now we shall move on to service catalogue with three views. In this structure, two customer-facing views are created to enable access to information on services to two different types of customers – wholesale customers and retail customers. • The wholesale customer view details all the IT services delivered to wholesale customers. • It also includes relationships to the customers they support. • The retail customer view details all the IT services delivered to retail customers. • This view also shows the relationships between the services and customers. • The supporting services view provides details of all the supporting IT services. • Also, this view details the relationships between customer-facing services and supporting services, service components, Configuration Items and other supporting services necessary to support the provision of the service to the customers. • While the wholesale customer and retail customer views are available to respective customers, the supporting services view is available only to the service provider staff. Let’s move on to the activities of SCM process.

3.33 SCM : Process activities

SCM: Process activities We shall now discuss the various activities performed as part of the Service Catalogue Management Processes. By now we understand the relationship between service portfolio management and service catalogue management. As service catalogue is a sub-set of service portfolio, most of the activities are executed in collaboration with the service portfolio management process. The Service Catalogue Management process activities are: • Agreeing and documenting a service definition and description for each service with all relevant parties. These definitions and descriptions are incorporated into the service catalogue before deployment of the service in live environment or as per organisational policy. • Interfacing with service portfolio management to agree the contents of the service portfolio and service catalogue. This includes the level of details and attributes of the service that should appear in the service catalogue. • Producing and maintaining an accurate service catalogue and its contents, in conjunction with the overall service portfolio. As and when new services are deployed or changes made to existing services, the service catalogue must be updated promptly. Customers should always be able to view accurate and current information about services offered. • Interfacing with the business and IT Service Continuity Management on the dependencies of business units and their business processes with the customer-facing IT services contained within the service catalogue. Care should be taken to ensure that these dependencies are updated when any changes to the services are made. • Interfacing with support teams, suppliers and service assets and configuration management on interfaces and dependencies between IT services and the supporting services, components and Configuration Items contained within the service catalogue. This enables performing a proper impact assessment on service related incidents and changes. 
• Interfacing with business relationship management and Service Level Management to ensure that the information is aligned to the business and business processes. Both these processes help in getting appropriate feedback from business and customers which enables improving the service catalogue contents to meet business requirements. In the next slide we will learn about the role of Service catalogue management process manager.

3.34 Service Catalogue Management Process Manager:

Service Catalogue Management Process Manager The responsibilities of the Service Catalogue Management Process Manager, generally called the Service Catalogue Manager, include: • Producing and maintaining the Service Catalogue in close coordination with Service Portfolio Management; • Ensuring that all operational services and all services being prepared for operational running are recorded within the Service Catalogue; • Ensuring that all the information within the Service Catalogue is accurate and up-to-date; • Ensuring that appropriate views of the service catalogue are maintained and made available to the intended and targeted customers; • Ensuring that all the information within the Service Catalogue is consistent with the information within the Service Portfolio; and • Ensuring that the information within the Service Catalogue is adequately protected and backed up. Let’s understand the triggers, inputs and outputs of the SCM process in the next two slides.

3.35 Triggers, Inputs and Outputs:

Triggers, Inputs and Outputs While triggers initiate the process, inputs and outputs are the essential elements of a process. We shall now discuss the Triggers, Inputs and Outputs relating to the Service Catalogue Management process. • The key triggers for this process are: • Changes in the business requirements and services • Requests for changes and the authorisation of the changes from change management • New services, changes to existing services or services being retired • The service catalogue management process interacts with a number of other processes. The key inputs to this process are: • Business information from the organisation’s business and IT strategy, plans and financial plans, and information on their current and future requirements from the service portfolio • Business Impact Analysis reports, providing information on the impact, priority and risk associated with each service or changes to service requirements

3.36 Triggers, Inputs and Outputs:

Triggers, Inputs and Outputs • Business requirements providing details of any agreed, new or changed business requirements from the service portfolio • The service portfolio and all related data and documents, the configuration management system, Requests for changes and feedback from other processes. • The key outputs from this process are: • The documentation and agreement of a ‘definition of the service’ • Updates to the service portfolio to depict the current status of all services and requirements for services • Updates to Requests For Changes • An up-to-date and accurate service catalogue. Next, let’s look at the SCM process interfaces.

3.37 Interfaces:

Interfaces A service catalogue is used by the business, customers and IT staff. A number of service management processes interact and interface with this process. We shall now discuss the most important ones. • The Service portfolio management process determines which services will be chartered and therefore move forward for eventual inclusion in the service catalogue. It also details critical information regarding each service or potential service, including any agreed service packages and service options. All this information is an important input to service catalogue management. • The Business relationship management process ensures that the relationship between the service and the customers who require it is clearly defined in terms of how the service supports the customers’ needs, business processes and business outcomes. These relationships are incorporated in the service catalogue. • The Service asset and configuration management process works collaboratively with service catalogue management to ensure that information in the Configuration Management System and information in the service catalogue are appropriately linked together to provide a consistent, accurate and comprehensive view of the interfaces and dependencies between services, customers, business processes, service assets, and Configuration Items. • The Service Level Management process negotiates specific levels of service warranty to be delivered, which will be reflected in the service catalogue. • The Demand management process, in conjunction with service portfolio management, determines how services will be constituted into service packages. Using this information, service catalogue management ensures that these packages are appropriately represented in the service catalogue. Moving on, let’s understand the CSFs and KPIs of the SCM process.

3.38 SCM CSFs and KPIs :

CSFs and KPIs Critical success factors are derived from the objectives of a process and key performance indicators help in measuring the achievement of the critical success factors. We shall now discuss the critical success factors and key performance indicators relating to the service catalogue management process. • An important Critical Success Factor for this process is maintaining ‘An accurate service catalogue’. • The related Key Performance Indicators are “Increase in the number of services recorded and managed within the service catalogue as a percentage of those being delivered and transitioned in the live environment” and “Percentage reduction in the number of variances detected between the information contained within the service catalogue and the ‘real-world’ situation”. • Another Critical Success Factor is the level of ‘Business users’ awareness of the services being provided’. • The related Key Performance Indicators are “Percentage increase in completeness of the customer-facing views of the service catalogue against operational services” and “Percentage increase in business user survey responses showing knowledge of services listed in service catalogue”. • We know that the service catalogue is as important to IT staff as it is to customers and users. The critical success factor in this direction is “The IT staff awareness of the technology supporting the services”. • The relevant Key Performance Indicator is “Percentage increase in completeness of supporting services against the IT components that make up those services”. Let’s now proceed to understand the challenges, followed by the risks in the next slide.

3.39 SCM Challenges and Risks:

Challenges The service management team may face certain challenges related to implementing and adhering to the service catalogue management process. We shall now discuss a couple of them. • The biggest challenge is maintaining an accurate Service Catalogue as part of a Service Portfolio, incorporating both the Business Service Catalogue and the Technical Service Catalogue views. It is also important that the service portfolio along with the service catalogue is maintained within the overall Configuration Management System and the Service Knowledge Management System. This challenge can be appropriately tackled by visible senior management commitment and support, as well as robust change management and service asset and configuration management processes. • Accepting that the Catalogue and Portfolio are the sources of information that everyone within the IT organisation needs to use and help maintain is another big challenge. This can be countered by educating all concerned about the service catalogue and adhering to a strict process of ordering and receiving services via service catalogue management and other relevant processes.

3.40 SCM Challenges and Risks:

SCM Challenges and Risks The risks associated with the service catalogue management process are: • Inaccuracy of the data in the catalogue and it not being under rigorous Change control • Poor acceptance of the Service Catalogue and its usage in all operational processes • Inaccuracy of information received from the business, IT and the Service Portfolio, with regard to service information • Insufficient tools and resources required to maintain the information and the service catalogue • The information is either too detailed to maintain accurately or at too high a level to be of any value. It should be consistent with the level of detail within the Configuration Management System and the Service Knowledge Management System. Next, let us understand another Service Design process, which is Service Level Management.

3.41 Service Level Management:

Service Level Management Business and customers have a certain level of requirements and expectations from IT services utilised to meet their business objectives and outcomes. IT organisations and service providers should understand the levels of services anticipated by the customers and should design, develop and deliver the services accordingly. Service Level Management is the process which ensures alignment of service levels to customer requirements. We shall discuss the various aspects of this important process in the following slides. • The purpose of Service Level Management is to ensure that all current and planned IT services are delivered to agreed achievable targets. This is accomplished through a constant cycle of negotiating, agreeing, monitoring, reporting on and reviewing IT service targets and achievements, and through instigation of actions to correct or improve the levels of service delivered. • The objectives of this process are to: • Define, document, agree, monitor, measure, report and review the level of IT services provided and instigate corrective measures whenever appropriate; • Provide and improve the relationship and communication with the business and customers in conjunction with business relationship management; • Ensure that specific and measurable targets are developed for all IT services; • Monitor and improve customer satisfaction with the quality of service delivered; • Ensure that IT and the customers have a clear and unambiguous expectation of the level of service to be delivered; and • Ensure that even when all agreed targets are met, the levels of service delivered are subject to proactive and cost-effective continual improvement. Let’s understand SLM scope in the next slide.

3.42 Service Level Management:

Scope Service level management is a vital process and aims to provide a point of regular contact and communication to customers and business managers to ensure that service level requirements are properly gathered and targets established so that business performance can be consistently achieved through efficient utilisation of IT services. To this end, the scope of the Service Level Management process includes: • Cooperation with business relationship management to develop relationships with the business as needed to achieve the Service Level Management process objectives • Negotiation and agreement of current and future service level requirements and targets, and the documentation and management of Service Level Requirements for all operational and proposed new or changed services • Development and management of appropriate Operational Level Agreements to ensure that targets are aligned with Service Level targets • Review of all supplier agreements and underpinning contracts with supplier management to ensure that targets are aligned with Service Level targets • Reporting and management of all service level achievements and review of all Service Level Agreement breaches • Periodic review, renewal and/or revision of Service Level Agreements, service scope and Operational Level Agreements as appropriate • Identifying improvement opportunities for inclusion in the Continual Service Improvement register and prioritising them. Next is the SLM process value to business.

3.43 Value to Business:

Value to Business Service Level Management is an important medium through which the business requirements for IT services and targets for levels of services are established, monitored, reported and appropriate action taken in case of deviations. The key benefits derived by business from Service Level Management are detailed here. • Service Level Management provides a consistent interface to the business for all service-level-related issues. There is a point of contact available from IT service management to communicate with regarding requirements, feedback and improvements expected. • This process also provides the business with the agreed service targets and the required management information to ensure that those targets have been met. It enables presenting the service level achievements and breaches periodically in a consistent way and also allows discussion of the service level reports, future requirements and issues if any. • It also provides feedback on the cause of the breach of service level targets and details of the actions taken to prevent the breach from recurring. This provides an assurance to the business that issues are analysed and appropriate action taken to improve service performance. • Service Level Management provides a reliable communication channel and a trusted relationship with the appropriate customers and business representatives at a tactical level. Relevant reports are shared and review meetings held at agreed intervals to share information, resolve issues, and plan for improvements. As we have an understanding of SLM process, let us proceed to understand SLA.

3.44 Service Level Agreement(SLA):

Service Level Agreement (SLA) There are a number of important terms related to Service Level Management which we should be familiar with in order to understand this process better. We shall discuss all these terms now. The first one is Service Level Agreement, also known as ‘SLA’. • It is a written agreement between an IT Service Provider and a Customer. This agreement forms the basis against which service level achievements are monitored and reported. • A service level agreement describes the IT Service, documents Service Level Targets, and specifies the responsibilities of the IT Service Provider and the Customer. It should be noted here that both the customer and the service provider are responsible for performing their tasks and obligations in a timely manner to ensure achievement of service level targets. • A Service Level Agreement will typically define the warranty a service is to deliver and describe the utility of the service. The expected and agreed performance of the service is the key focus here. The key areas covered are availability of the service, capacity of the service, security of information and service assets and continuity of the service in case of major incidents and disasters. Next let us understand OLAs.

3.45 Operational Level Agreement(OLA):

Operational Level Agreement (OLA) We shall now discuss the second important concept relating to service level management – the operational level agreement, or OLA for short. • An Operational Level Agreement is an agreement between an IT Service Provider and another part of the same Organisation. Delivery of IT services may involve a number of organisational units or departments. It is important that there are agreements in place between these interdependent organisational units to ensure that the agreed service levels are achieved. In fact, the operational level agreements should be considered while documenting the service level targets and agreements. • Operational Level Agreements support the IT Service Provider’s delivery of IT Services to Customers. When different tasks relating to service delivery are performed by different organisational units, there should be a seamless flow and completion of these tasks to ensure timely delivery of quality services to customers. • The operational level agreements provide details of the goods or services to be provided or tasks to be accomplished and the responsibilities of both parties involved in the delivery of services. • Some examples of Operational Level Agreements are: • An agreement between the IT Service Provider and a procurement department to obtain hardware within agreed timelines. • An agreement between the Service Desk and a Support Group to provide Incident resolution within agreed timelines. In the next slide we will look at another important aspect, which is Underpinning Contracts.

3.46 Underpinning Contract (UC):

Underpinning Contract (UC) Another important term that we should know is – Underpinning Contract. • It is a contract between an IT Service Provider and a Third Party supplier. In this context please note that a ‘contract’ is a legally binding agreement which can be enforced in a court of law when either party does not fulfil their obligation. A contract establishes a formal relationship between the service provider and the external supplier. • The Third Party provides goods or services that support delivery of an IT Service to a Customer. IT services and systems are becoming so complex that service providers will have to depend on external suppliers to procure components, goods or other supporting services required for delivering services to customers. • A contract also defines targets and responsibilities of both the parties that are required to be fulfilled to meet agreed Service Level Targets in a service level agreement. • Some examples of contracts are: Support Contracts, Maintenance Contracts, Service Contracts, contract for supply of goods or components. Now, let’s understand the SLA structures in the next slide.

3.47 SLM: SLA structure

SLM: SLA Structures Another important concept is defining the appropriate SLA structure for the services provided. Service Level Management is responsible for designing an SLA structure that best suits the organisation’s requirements. While a variety of SLA structures may be designed, we shall be covering the three basic formats. • Service-based SLA covers one service, for all the customers of that service. In this structure there will be one SLA per service that is applicable across all customers. This type of SLA structure is mostly used for generic services used by all members of the customer organisations. Examples include e-mail services, messaging services, etc. • The next type is Customer-based SLA structure. In this type of structure, there will be one separate SLA for each customer or customer group covering all services provided to them. An SLA covering application services as well as infrastructure services for one customer is an example of customer-based SLA. • The third type is the multi-level SLA structure, a three-layer structure made up of the following types: • Corporate level SLA covering all customer groups or business units throughout the organisation; • Customer level SLA covering a particular customer group or business unit, regardless of the service being used; and • Service level SLA covering a specific service, in relation to a specific customer group or business unit. Now let us look at an example of each type in the multi-level SLA structure. • A corporate level SLA is for e-mail services, messaging services, and Timesheet services • A customer level SLA is for Finance department covering payroll services, accounting services and reporting services • A service level SLA is for network services and database services. So far we have learned about SLAs and the types of SLA structures in detail. Next let us look at Service Level Requirements.

3.48 SLM: Service Level Requirements(SLR)

SLM: Service Level Requirement (SLR) ‘Service level requirements’ is another concept that we should be aware of as part of our discussion on Service Level Management process. A Service Level Requirement is a customer requirement for an aspect of the IT service. The service level requirements relate primarily to the warranty of the service, detailing what levels of service are required by the customers in order for them to be able to receive the value of the utility of the service. What are the availability and security requirements? How quickly must it be restored if it should fail? • Service Level Requirements for all services must be determined and the ability to deliver against these requirements will be assessed and finally agreed in a formal Service Level Agreement. • For new services, the requirements must be determined at the start, not after completion. Early compilation of the requirements enables development of appropriate service solutions. Once the service level requirements are determined, associated initial service level targets will gradually be refined as the service progresses through the stages of its lifecycle, until they eventually become part of the Service Level Agreement during Service Operation. • Building the service with the requirements in mind is essential from a Service Design perspective as the appropriate utility and warranty levels will be taken care of while designing the service solution. Next we will learn about SLA Monitoring charts.

3.49 SLM: SLA Monitoring Charts (SLAM)

SLM: SLA Monitoring Charts (SLAM) Once service level agreements are agreed and implemented, service performance against targets should be monitored and reported. The reporting mechanisms, intervals and report formats must be defined and agreed with the customers. • Periodic reports generally provide details of performance against all SLA targets, together with details of any trends or specific actions being undertaken to improve service quality. A highly effective reporting technique is the use of SLA monitoring charts - also known as SLAM charts. • The SLA monitoring charts are visual diagrams or charts providing an ‘at-a-glance’ overview of how achievements have measured up against targets. These are highly effective diagrams as all service level agreements per service covering many reporting periods can be shown in one chart. • SLAM charts will be very effective if colour coded using Red, Amber, and Green formats. These are also popularly known as RAG charts. Green represents that the service levels have been met, amber represents that service levels are at risk of being breached and red represents that service levels have been breached and immediate action is required to improve the situation. In the next slide let us understand Service Review.

3.50 SLM: Service Review

SLM: Service Review • The generation and distribution of periodic reports should be followed by review meetings involving key people from both service provider and customers. These periodic review meetings must be held on a regular basis covering a specific agenda. • An important agenda item should be to review the service achievement in the last period and to preview any issues for the coming period. Service level breaches should be specifically discussed and improvement actions identified. All actions must be minuted, and progress should be reviewed in the next meeting. • It is normal to hold such meetings monthly or, at a minimum, quarterly. The intention should be to conduct them regularly with participation from both service providers and customer organisations with the key objective of achieving and improving service performance. Next, let’s discuss the SIP.

3.51 SLM: Service Improvement Plan (SIP)

SLM: Service Improvement Plan (SIP) The periodic service reports generated, review meetings held and feedback gathered from customers can trigger a need for service improvements. • Where issues that adversely impact service quality and performance have been noticed, Service Level Management should identify and implement whatever actions are necessary to overcome the difficulties and restore service quality. These corrective and improvement actions should go through a formal service improvement plan. • Service Level Management must work in conjunction with Problem Management and Availability Management to instigate a Service Improvement Plan where felt appropriate. The problem management process adopts a formal approach to identify the root cause and eliminate it by applying a permanent fix. Where service availability is impacted, availability management techniques and methods may be used to improve the same. • Service improvement initiatives may also focus on issues such as user training, service and system testing, and documentation. In these cases, the relevant people need to be involved and adequate feedback given to make improvements. • It is a good practice to establish an up-front annual budget held by Service Level Management from which the Service Improvement initiatives can be funded. This enables faster implementation of service improvements, demonstrating service level management effectiveness. • Where third parties are involved in service provision, it is important to ensure that service improvement clauses and requirements are incorporated in the contract. Generally, contracts and supplier performances are reviewed and renewed annually, and the number of successful service improvements implemented should be the key criterion to support renewal decisions. Let us now proceed to understand the SLM process activities.

3.52 Process activities

Process activities Service level management is a vital process within IT service management. In fact, it is the hub around which most of the other processes operate to ensure IT services are designed, deployed and managed with the key objective of meeting customer expectations and requirements. Service level management is responsible for designing appropriate SLA frameworks that suit the organisational requirements. It is also responsible for developing and maintaining the relevant procedures, standards and document templates. The key activities of Service Level Management are: • Determining, negotiating, documenting and agreeing service level requirements for new or changed services, and managing and reviewing them through the service lifecycle into Service Level Agreements for operational services; • Monitoring and measuring service performance achievements of all operational services against targets within Service Level Agreements; • Producing service reports and distributing them as per timelines and formats agreed with the customer; • Conducting service reviews, identifying improvement opportunities for inclusion in the CSI register, and managing appropriate Service Improvement Plans; • Collating, measuring and improving customer satisfaction, in cooperation with business relationship management; • Reviewing and revising Service Level Agreements, service scope, and Operational Level Agreements; • Assisting supplier management to review and revise underpinning contracts or agreements; • Developing and documenting contacts and relationships with the business, customers and other stakeholders, in cooperation with the business relationship management process; • Logging and managing complaints and compliments, in cooperation with business relationship management; and • Providing appropriate management information to aid performance management and demonstrating service achievement. Let us look at an SLM process diagram in the next slide.

3.53 Service level management process:

Service Level Management Process Please take a few minutes to study the diagram on this slide. It is a comprehensive view that shows how the process activities we discussed just now are related to various other components of service. Some key points to note are: • A business unit executes one or more business processes • The business processes are performed by utilizing IT services • Service Level Requirements, Service Level Agreements, Operational Level Agreements, Underpinning contracts, and service reports are key documents of this process • This process closely interfaces with Business Relationship Management and Supplier Management processes for executing some of the activities • The activities mentioned in purple boxes are the key activities of this process and the ones represented in white boxes are supporting activities. Moving on, let us discuss the role involved in the SLM process.

3.54 SLM: Service Level Management Process Manager

SLM: Service Level Management Process Manager: The Service Level Management Process Manager is also generally called the Service Level Manager. As a process manager the key responsibility of this role is to ensure that the objectives of Service Level Management are met. The other responsibilities are: • Coordinating interfaces between service level management and other processes, especially service catalogue management, service portfolio management, business relationship management and supplier management. • Keeping aware of changing business needs and proactively initiating steps to align service level agreements to new requirements. • Ensuring that the current and future service level requirements of customers are identified, understood and documented in service level requirements and service level agreement documents. • Negotiating and agreeing levels of service to be delivered with the customer and formally documenting these levels of service in Service Level Agreements. • Negotiating and agreeing Operational Level Agreements and other agreements that underpin the Service Level Agreements with the customers. • Assisting with the production and maintenance of an accurate service portfolio, service catalogue, application portfolio and the corresponding maintenance procedures. • Ensuring that targets agreed within underpinning contracts are aligned with those in Service Level Agreements.

3.55 SLM: Service Level Management Process Manager

SLM: Service Level Management Process Manager: • Ensuring that service reports are produced for each customer service and that service level breaches are highlighted, investigated and actions taken to prevent their recurrence. • Ensuring that service performance reviews are scheduled and conducted with customers regularly, minutes of meetings are documented and agreed actions progressed. • Ensuring that improvement initiatives identified in service reviews are acted upon and progress reports are provided to customers. • Reviewing service scope, Service Level Agreements, Operational Level Agreements and other agreements on a regular basis, at a minimum annually. • Ensuring that all changes are assessed for their impact on service levels and attending change advisory board meetings if required. • Developing relationships and communication with customers, key users and other stakeholders. Now that we are done with the process activities of SLM, let us discuss the process triggers, inputs and outputs.

3.56 Triggers, Inputs and outputs

Triggers, Inputs and Outputs We shall now discuss the Service Level Management process related triggers, inputs and outputs. • The triggers for this process are: • Changes in the service portfolio, such as new or changed business requirements or new or changed services • New or changed agreements, Service Level Requirements, Service Level Agreements, Operational Level Agreements or contracts • Service review meetings held and actions identified • Service breaches or threatened breaches identified during service monitoring and reporting • Compliments and complaints received from customers directly or during service review meetings • Periodic activities such as review meetings, reporting and customer satisfaction surveys. Next, let’s look at the inputs.

3.57 Triggers, Inputs and outputs

• The inputs to the service level management process are: • Business information - from the organisation’s business strategy, plans and financial plans, and information on its current and future requirements • Business impact analysis - providing information on the impact, priority, risk and number of users associated with each service • New or changed business requirements • The strategies, policies and constraints from service strategy • The service portfolio and service catalogue • Change information and Requests for change from the change management process • Configuration Management System - containing information on the relationships between the business services, the supporting services and the technology • Customer and user feedback, complaints and compliments • Improvement opportunities from the CSI register. Let’s understand the outputs in the next slide.

3.58 Triggers, Inputs and outputs

The key outputs of Service Level Management process are: • Service reports - providing details of the service levels achieved in relation to the targets contained within Service Level Agreements. • Service improvement opportunities for inclusion in the CSI register and for later review and prioritisation in conjunction with the CSI manager. • Service Improvement Plans with prioritised improvement actions, encompassing appropriate services and processes, together with associated impacts and risks. • The service quality plan - documenting and planning the overall improvement of service quality. • Document templates and formats for Service Level Requirements, Service Level Agreements and Operational Level Agreements. • Service review meeting with planned agenda and their discussions and actions recorded in minutes of the meeting. • Service Level Agreement review and service scope review meeting minutes - summarizing agreed actions. • Updated change information, including updates to Requests for change. • Revised requirements for underpinning contracts due to changes to Service Level Agreements or new Service Level Requirements. In the next slide we will understand the interfaces of the SLM process.

3.59 Interfaces

Interfaces We hope that by now you are able to appreciate the significance of Service Level Management within the overall IT service management. A number of processes interact and interface with Service Level Management. We shall be discussing some of the important ones here. • Business relationship management ensures that the service provider has a full understanding of the needs and priorities of the business. It coordinates the identification and documentation of service level requirements and ensures representation in service review meetings. • Service catalogue management provides accurate information about services and their interfaces and dependencies to support determining the appropriate SLA framework, identifying customers/business units that need to be engaged by Service Level Management and assists in communicating with customers regarding services provided. • Some key service level agreements are related to Incident management. The process provides critical data to Service Level Management to demonstrate performance against relevant SLA targets. • Supplier management process works collaboratively with Service Level Management to define, negotiate, document and agree terms of service with suppliers and to support the achievement of commitments made by the service provider in Service Level Agreements. • Availability, capacity, IT service continuity and information security management processes contribute to Service Level Management by defining service level targets that relate to their area of responsibility and by validating that the targets are realistic. Once targets are agreed, the day-to-day operation of each process ensures that achievements match the defined targets. • Financial management for IT services process works with Service Level Management to validate the predicted cost of delivering the service levels required by the customer. • Design coordination process is responsible for ensuring that the overall service design activities are completed successfully. The service level requirements and targets documented by Service Level Management are critical inputs for designing the new or changed services. Moving ahead, let’s understand the metrics in detail.

3.60 SLM: Metrics

SLM: Metrics • Metrics and measurements are useful in determining the efficiency and effectiveness of processes and process activities. Metrics can further be used to check key performance indicators. Metrics should be developed from the service, customer and business perspectives and later incorporated in relevant reports. • Metrics should cover both subjective and objective measurements. • Some examples of objective measurements are: • Number or percentage of service targets met • Number and severity of service breaches • Number of services with up-to-date Service Level Agreements • Number of services with timely reports and active service reviews • Examples of subjective measurements are: • Improvements in customer satisfaction • Improvement in service desk staff awareness of Service Level Agreements

3.61 CSF and KPI

CSF and KPI We shall now discuss a few examples of critical success factors and key performance indicators pertaining to the service level management process. • ‘Managing the overall quality of IT services required both in the number and level of services provided and managed’ is the most important critical success factor for Service Level Management. The related Key Performance Indicators are “Percentage reduction in SLA targets threatened” and “Percentage increase in customer perception and satisfaction of SLA achievements, via service reviews and customer satisfaction survey responses”. • Another critical success factor of this process is “to deliver the service as previously agreed at affordable costs”. • The related Key Performance Indicators are “Total number and percentage increase in fully documented SLAs in place”; “Percentage increase in SLAs agreed against operational services being run” and “Percentage reduction in the costs associated with service provision”. As with any other Service Design process, let us understand the challenges and risks of the SLM process in the coming slides.

3.62 Challenges

Challenges IT service management is a complex set of activities, systems and skills. Introducing and sustaining a formal service management approach requires identifying the challenges and risks associated with the processes and activities and taking proper actions to counter them. The following are some key challenges relating to the service level management process. • The biggest challenge is identifying suitable customer representatives with whom to negotiate the service level agreements. Assigning a designated representative during the early stages of the service life cycle will benefit implementation and execution of service level management activities in a significant way. • Another challenge is inadequate or no previous experience of Service Level Management within the service provider organisation. As service level management plays a crucial role in the overall service management, relevant experience makes a lot of difference. In such cases, it is advisable to start with a draft service level agreement and develop it incrementally. • Staff at different levels within the customer community may have different objectives and perceptions. This sometimes becomes a major challenge and it is therefore important that all of the appropriate and relevant business requirements, at all levels, are identified and incorporated in Service Level Agreements. • It may sometimes be the case that no past data or metrics are available regarding the services utilised by the customers. This poses a challenge as to ‘where do we start from?’ or ‘what should be the initial service levels?’ In such cases it is advisable to leave the agreement in draft format for an initial period, until monitoring can confirm that initial targets are achievable. Let’s now look at the risks.

3.63 Risks

Risks Let us now move on to the risks associated with service level management. We hope you would agree that identifying, prioritising and managing risks is probably the best way of ensuring quality service. The probable risks are: • Lack of accurate input, involvement and commitment from the business and customers • Lack of appropriate tools and resources required to agree, document, monitor, report and review agreements and service levels • The process is designed to be more bureaucratic and administrative rather than a proactive process delivering measurable benefit to the business • Insufficient access to and support of appropriate and up-to-date Configuration Management System and Service Knowledge Management System • Inappropriate business and customer contacts leading to delays and rework • High customer expectations and low perception of IT services • Poor and inappropriate communications with the business and customers. So far we have learnt about the Service Level Management process; next, let us learn about Capacity Management.

3.64 Capacity Management

Capacity Management Considering capacity requirements for services as well as resources during the design stage is the best way of developing and delivering efficient services to customers. Capacity is one of the key warranty components and directly impacts the value derived from the utilisation of the services by the customers. Demand management activities, initially from strategy stage and later from service operations stage, provide valuable information to capacity management which is used for designing, building and delivering services with sufficient capacity for performing seamless business operations. Similarly, Availability management plays a vital role in determining capacity requirements and is also directly impacted by levels of capacity available. We shall now take a deep dive into various aspects of Capacity Management. The purpose of the Capacity Management process is to ensure that the capacity of IT services and the IT infrastructure meets the current and future agreed capacity and performance requirements of the business in a cost-effective and timely manner. The objectives of the Capacity Management process are to: • Produce and maintain an appropriate and up-to-date capacity plan, which reflects the current and future needs of the business. • Provide advice and guidance to all other areas of the business and IT on all capacity and performance related issues. • Ensure that service performance achievements meet all of their agreed targets by managing the performance and capacity of both services and resources. • Assist with the diagnosis and resolution of performance and capacity related incidents and problems. • Assess the impact of all changes on the capacity plan, and the performance and capacity of all services and resources. • Ensure that proactive measures to improve the performance of services are implemented wherever it is cost-justifiable to do so. Let’s look at the scope of capacity management in the next slide.

3.65 Capacity Management

Scope Capacity management should provide a point of focus and management for all capacity and performance related aspects, relating to both services and resources. In this direction the scope of Capacity Management covers: • Producing a capacity plan that enables the service provider to continue to provide services of the quality defined in Service Level Agreements. This plan should also cover a sufficient planning timeframe to meet future service levels required as defined in the service portfolio and Service Level Requirements. • Understanding the agreed current and future demands being made by the customer for IT resources, and producing forecasts for future requirements. • Understanding the short, medium and long-term plans of the business and IT while providing information on the latest ideas, trends and technologies being developed by the suppliers of computing hardware and software. • Monitoring patterns of business activity through performance, utilisation and throughput of IT services and the supporting infrastructure, environmental, data and applications components and the production of regular and ad hoc reports on service and component capacity and performance. • Undertaking tuning activities to make the most efficient use of existing IT resources. • Influencing demand in conjunction with the financial management for IT services and demand management processes. • Assisting with the identification and resolution of any incidents and problems associated with service or component capacity or performance. • The proactive improvement of service or component performance, wherever it is cost-justifiable and meets the needs of the business. In the next slide we will learn about the value of capacity management to the business.

3.66 Value to Business

Value to Business Capacity management is a very important process within IT service management. A well designed and executed capacity management process will lead to a number of benefits to business and IT. Let us now discuss some of these benefits. • Proper capacity planning and execution significantly improves the performance and availability of IT services the business needs. It also helps to reduce capacity and performance related incidents and problems in IT services delivered. • Capacity management also ensures that required capacity and performance are provided in the most cost-effective manner by analysing and making use of the latest ideas, trends and technologies in the IT industry. • This process contributes to improving customer satisfaction and user productivity by ensuring that all capacity and performance related service levels are met and capacity related service improvements are implemented where required. • Capacity management is a proactive process and supports the efficient and effective design and transition of new or changed services. Through close interaction with service portfolio, demand management and service level management, it ensures that the changing requirements are captured in the Capacity plan and appropriate actions taken. • This process also improves the reliability of capacity-related budgeting through the use of a forward-looking capacity plan based on a sound understanding of business needs and plans. A best practice is to map capacity planning with budget cycles to ensure sufficient funding will be available for IT infrastructure changes required in the next financial period. Next we will understand the balancing act of capacity management.

3.67 Balancing Act

Balancing Act Capacity management ensures that the capacity and performance of the IT services and systems match the evolving agreed demands of the business in the most cost-effective and timely manner. In this direction capacity management is responsible for maintaining a balance between some important aspects of IT service management. We shall now discuss how efficient capacity management performs these important balancing acts. • The first one is balancing costs against resources needed. • Capacity management should ensure that required processing capacity that is purchased is cost-justifiable in terms of business need. The business case or the proposal should clearly detail the benefits derived from the new or additional capacity that is required - like enhanced revenues, higher customer satisfaction or better quality of service. • Also, once the additional or new capacity has been deployed, Capacity Management should ensure that it makes the most efficient use of those resources. It is responsible for optimum utilisation of the available capacity and resources. This requires regular monitoring, analysis and allocation of infrastructure components. • The next one is balancing supply against demand. • Capacity management should ensure that the available supply of IT processing power matches the demands made on it by the business, both now and in the future. In this regard, Capacity Management should have a very good interface with Business Relationship Management and Service Level Management to understand the level of services anticipated by the customers and make appropriate plans to meet those requirements. • Where IT is constrained with limited capacity, Capacity Management should, in collaboration with Business relationship management and Demand management, manage or influence the demand for resources and services. Next, let us understand the sub-processes of capacity management.

3.68 Capacity Management Sub-processes

Capacity Management Sub-processes We have seen the important role capacity management plays within the overall IT service management. This process is very complex and technical. It requires understanding and meeting capacity requirements at various levels. We can broadly categorise capacity management at three levels – Business capacity management, Service capacity management and Component capacity management. These are also known as the three sub-processes of capacity management. Let us try to understand these three sub-processes in a bit more detail. • The first sub-process is Business Capacity Management. The changing and future requirements of the organisation come from the service strategy and more specifically from service portfolio. They detail the new processes and service requirements, changes, improvements, and also the growth in the existing services. The objectives of Business Capacity management are to: • Ensure that the future business requirements or customer outcomes for IT services are considered and understood as clearly as possible; and • Ensure that sufficient IT capacity to support any new or changed services is planned and implemented within an appropriate timescale. • The second sub-process is Service Capacity Management. The key objectives of this sub-process are to: • Identify and understand the IT services, their use of resources, working patterns, peaks and troughs; and • Ensure that the services meet their Service Level Agreement targets.

3.69 Capacity Management Sub-processes

Capacity Management Sub-processes The focus of Service Capacity Management is on managing service performance, as determined by the targets contained in the agreed Service Level Agreements. This can be achieved by forecasting issues through continuous monitoring of changes in performance and the impact of these changes on the service and the business outcomes. Hence this sub-process needs to be more proactive and predictive. • The third sub-process is Component Capacity Management. This process focuses on individual components such as processors, memory, disks, network, databases and servers. All these components, where required, are continuously monitored and information on utilisation or performance is collected and analysed. The key objectives of this process are to: • Identify and understand the performance, capacity and utilisation of each of the individual components within the technology used to support the IT services; and • Ensure the optimum use of the current resources in order to achieve and maintain the agreed service levels.

3.70 Capacity Management Sub-processes

Capacity Management Sub-processes We shall now look at how these three sub-processes, though focusing on different areas, still work closely together in performing similar capacity management activities. From the diagram in this slide, it can be seen that: Business capacity management is more at a strategic level and is focused on the current and future business requirements. Service capacity management is at a tactical level and the main focus is on the delivery of the existing services that support the business. Component capacity management is mostly at an operational level and is focused on the IT infrastructure that underpins service provision. The capacity management process activities include: iterative or on-going activities, demand management, modelling and application sizing. As can be observed from the diagram, iterative and demand management activities are part of all the sub-processes, but modelling and application sizing activities are performed mostly in service capacity management and component capacity management. All three sub-processes contribute to the production of the capacity plan and the storage of capacity-related data. Thus it may be noted that these three sub-processes focus on specific areas and together play an important role in defining the overall capacity plan. It is principally business capacity management that drives the other two processes. Now that we have a thorough understanding of the Capacity Management sub-processes, let us look into its activities, methods and techniques.

3.71 Process activities, methods and techniques

Process Activities, Methods and Techniques Capacity management activities can be broadly divided in two areas – design related activities and on-going activities. These activities are both proactive and reactive in nature. In addition to these two there are Business capacity management, Service capacity management and Component capacity management. We shall now discuss the two main areas of activities in detail. • Let us start with Design related activities. • An important design related activity is exploitation of new technology. This involves gaining good knowledge about new technology that can be utilised in the provision of existing and new services to customers. The application and technical management teams and IT leadership should be in continuous touch with the technological innovations and changes taking place by gathering relevant literature, attending promotional seminars and user group meetings. • Another important activity is designing resilience. Capacity Management should in collaboration with Availability Management, identify susceptible areas and components within the IT infrastructure and suggest cost-effective resilience solutions. This requires a proper understanding of the business operations and processes and then ensuring that all the IT services that support vital business functions are designed and built with sufficient resilience. • Now, let us move to the on-going activities of capacity management. The on-going activities of capacity management are – monitoring, analysing, tuning and implementation. We shall now discuss these four activities in more detail. • Monitoring – An end-to-end monitoring and collection of data should be in place for effective capacity management. 
The key types of monitored data include: • Processor utilisation • Memory utilisation • Input-output rates • Queue lengths • Disk utilisation • Transaction rates • Response times • Batch duration • Database usage • Index usage • Hit rates • Concurrent user numbers, and • Network traffic rates. • An important part of the monitoring is threshold management and control. The management and control of service and component thresholds is fundamental to the effective delivery of services to meet their agreed service levels. This ensures that all service and component thresholds are maintained at the appropriate levels and are continuously and automatically monitored, and that alerts and warnings are generated when breaches occur. • Another part of monitoring is ‘Response time monitoring’. Service Level Agreements may sometimes include user response times as one of the targets to be measured. Capacity management is responsible for monitoring this aspect and for providing the required data. This can be achieved by using techniques like: • Incorporating specific code within client and server application software • Using ‘robotic scripted systems’ with terminal emulation software • Using distributed agent monitoring software • Using specific passive monitoring systems. • Analysis is the subsequent activity to monitoring. The data collected from monitoring is analysed to identify trends and establish normal utilisation, service levels, or baselines. This can later be used to identify exception conditions, implement corrective actions or improve service and component performance. • The next on-going activity is ‘Tuning’. The analysis of monitored data may result in suggesting improvements or corrections to service, systems or components. Tuning techniques can be utilised to improve the performance and these include: • Balancing workloads and traffic • Balancing disk traffic • Definition of an accepted locking strategy • Efficient use of memory. 
• Implementation of identified changes is the next step. Monitoring, analysis and tuning activities may result in corrective, preventive or improvement actions which may require raising requests of changes. All such changes must follow formal change management process and require further monitoring to assess the effects of the changes.

3.72 Process activities, methods and techniques

Process activities, methods and techniques Now let us look at some of the other important activities and techniques of Capacity Management. Demand Management in Capacity Management: The tactical demand management activity is primarily carried out by the Capacity Management process and its main objective is to influence user and customer demand for IT services and manage the impact on IT resources. Two approaches can be adopted for the tactical demand management activity - short term and long term. Short-term demand management is generally adopted when there is a partial failure of a critical resource in the IT infrastructure. Capacity management, by understanding the business priority of each service and the resources utilised by these services, ensures that the important services continue to be available by restricting or reducing the resources for non-critical services. Long-term demand management may be required when it is difficult to cost-justify an expensive upgrade. In such cases Capacity Management provides inputs to justify the cost of the upgrade to provide additional capacity or influence the demand through other actions like physical constraints or financial constraints. Physical constraints restrict or stop some services from being available at certain times and financial constraints refer to adopting differential charging at different time periods or for different user groups. Next, Modelling and Trending: Modelling is a technique used to predict the behaviour of IT services under a given volume and variety of work and can be effectively utilised in service capacity management and component capacity management. Let us try to understand the different types of modelling. Baselining is the first stage in modelling and is used to create a baseline model that accurately reflects the performance that is currently being achieved. This is further used in subsequent stages like predictive modelling. 
Trend analysis is based on resource utilisation and service performance information that has been collected by the capacity management process. The data is analysed in a spreadsheet, and trends and forecasts are created to show the utilisation of a particular resource over a previous period of time, and how it can be expected to change in the future. Analytical modelling is used to develop representations of the behaviour of computer systems using mathematical techniques and typically these models are built using software packages. Simulation modelling involves the modelling of discrete events against a given hardware configuration. This type of modelling can be very accurate in sizing new applications or predicting the effects of changes on existing applications, but can also be very time-consuming and costly. Lastly, Application Sizing: Application sizing is concerned with estimating the resource requirements to support a proposed change to an existing service or the implementation of a new service, to ensure that it meets its required service levels. Sizing activities should include all areas of technology related to the applications like infrastructure, environment and data, and will often use modelling and trending techniques. Next, let’s get an overview of capacity management.
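The baselining and trend analysis described above, as an added Python example that is not part of the original course material: it fits a least-squares trend to weekly utilisation figures, forecasts when a threshold will be reached, and flags new samples that deviate from the baseline trend. The sample data, the threshold values and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional, Sequence, Tuple

# Constructed sample: weekly average disk utilisation (%) of one volume.
WEEKLY_DISK_UTIL = [51.0, 51.0, 55.0, 55.0, 57.0, 61.0, 61.0, 65.0]
# Constructed follow-up samples for the three weeks after the baseline.
NEW_SAMPLES = [66.5, 67.0, 75.0]

# Assumed component thresholds (not values from the course).
WARNING_PCT = 80.0
CRITICAL_PCT = 90.0


@dataclass(frozen=True)
class Trend:
    slope: float      # change in utilisation per period
    intercept: float  # fitted utilisation at period 0

    def at(self, period: int) -> float:
        return self.intercept + self.slope * period


def fit_trend(samples: Sequence[float]) -> Trend:
    """Ordinary least-squares line through (0, y0), (1, y1), ..."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to fit a trend")
    xs = list(range(len(samples)))
    x_bar, y_bar = mean(xs), mean(samples)
    sxx = sum((x - x_bar) ** 2 for x in xs)
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, samples))
    slope = sxy / sxx
    return Trend(slope=slope, intercept=y_bar - slope * x_bar)


def periods_until_threshold(trend: Trend, n_samples: int,
                            threshold: float) -> Optional[float]:
    """Periods after the last sample until the trend line reaches the
    threshold. 0.0 if already at or above it, None if the trend is flat
    or falling and will never reach it."""
    current = trend.at(n_samples - 1)
    if current >= threshold:
        return 0.0
    if trend.slope <= 0:
        return None
    return (threshold - current) / trend.slope


def find_exceptions(trend: Trend, baseline: Sequence[float],
                    new_samples: Sequence[float],
                    k: float = 3.0) -> List[Tuple[int, float, float]]:
    """Flag new samples further than k standard deviations (of the
    baseline residuals) from the trend line.
    Returns (period, observed, expected) tuples."""
    residuals = [y - trend.at(x) for x, y in enumerate(baseline)]
    band = k * pstdev(residuals)  # band is 0 for perfectly linear data
    flagged = []
    for offset, observed in enumerate(new_samples):
        period = len(baseline) + offset
        expected = trend.at(period)
        if abs(observed - expected) > band:
            flagged.append((period, observed, expected))
    return flagged


if __name__ == "__main__":
    trend = fit_trend(WEEKLY_DISK_UTIL)
    n = len(WEEKLY_DISK_UTIL)
    print(f"trend: {trend.slope:+.2f} % per week from {trend.intercept:.1f} %")
    for name, limit in (("warning", WARNING_PCT), ("critical", CRITICAL_PCT)):
        print(f"{name} threshold ({limit} %) reached in",
              periods_until_threshold(trend, n, limit), "weeks")
    for period, observed, expected in find_exceptions(
            trend, WEEKLY_DISK_UTIL, NEW_SAMPLES):
        print(f"exception in week {period}: {observed} % "
              f"(expected about {expected:.1f} %)")
```

A straight-line fit is only one possible trend model; it stands in here for the spreadsheet forecast the text mentions.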

3.73 Capacity Management overview

Capacity Management overview: The diagram on this slide summarises the components and activities of the Capacity Management Process that we discussed so far. Service Portfolio and business requirements are the key inputs to Business capacity management which basically initiates the whole process. Based on these Business capacity inputs, and the service level requirements, the IT service designs are developed. These designs ensure that the service capacity and component capacity match the business requirements. The activities of reviewing current capacity and performance, improving service and component capacity, assessing and agreeing new capacity requirements and then planning new capacity are performed on an ongoing and iterative basis. The capacity plan and all the relevant capacity and performance data, reports and forecasts are maintained in the Capacity Management Information System which is part of the overall Service Knowledge Management System. Moving on, let us understand the capacity plan in the next slide.

3.74 The Capacity Plan

The Capacity Plan One of the key objectives of Capacity Management is to produce and maintain an appropriate and up-to-date capacity plan, which reflects the current and future needs of the business. • It contains information on the current usage of service and components, and plans for the development of IT capacity to meet the needs in the growth of both existing services and any agreed new services. • The capacity plan is a very important planning document and a source of information that can be used by all areas of the business and IT management in understanding the current status of IT capacity and how the future requirements will be met. • This plan should be used as a basis for decision-making by both business and IT on issues relating to adding more capacity, technology upgrades, and exploitation of new technology. A forward-looking capacity plan based on a sound understanding of business needs and plans improves the reliability of capacity-related budgeting. Apart from producing a good Capacity Plan, Capacity Management is responsible for regularly reviewing, maintaining and revising the plan, in line with the organisation’s business planning cycle. In the next slide let us understand the role involved in capacity management.

3.75 Role - Capacity Management Process Manager

Role – Capacity Management Process Manager We are aware that an important aspect of process definition is identifying the roles and responsibilities related to the process. We shall now discuss the responsibilities of the Capacity Management Process Manager, also known as the Capacity Manager. • The foremost responsibility of this role is to ensure that the aims and objectives of the Capacity Management process are met; the other responsibilities include: • Ensuring that there is adequate IT capacity to meet required levels of service, and that senior IT management is correctly advised on how to match capacity and demand and to ensure that use of existing capacity is optimised; • Identifying capacity requirements through discussions with the business managers and users. This is normally performed in collaboration with the service level manager; • Understanding the current usage of the infrastructure and IT services, and the maximum capacity of each component; • Performing sizing on all proposed new services and systems, by using modelling and other techniques where feasible, to ascertain capacity requirements; • Forecasting future capacity requirements based on business plans, usage trends, sizing of new services, etc.;

3.76 Role - Capacity Manager

Role – Capacity Management Process Manager • Production, regular review and revision of the capacity plan, in line with the organisation’s business planning cycle. The plan should clearly detail the current usage, trends and forecasts during the period covered by the plan; • Ensuring that appropriate levels of monitoring of resources and system performance are set to capture data required by capacity management and other processes; • Analysis of usage and performance data, and reporting on performance against targets contained in Service Level Agreements; • Sizing all proposed new services and systems to determine the computer and network resources required, to determine hardware utilisation, performance service levels and cost implications; and • Assessing new techniques and technology, performance testing, management reporting and participation in Change Advisory Board meetings to assess changes are the other relevant responsibilities of the capacity manager. Let us now understand the triggers, inputs and outputs of this process.

3.77 Triggers, Inputs and Outputs

Triggers, Inputs and Outputs We shall now discuss the triggers, inputs and outputs relating to the Capacity Management process. • The key triggers for this process are: • New and changed services requiring additional capacity • Service breaches, capacity or performance events and alerts, including threshold events • Exception reports from monitoring activities, event management and service level management • Periodic reviews, forecasts, and trending and modelling activities • Review and revision of business plans, IT plans, designs, strategies, Service level agreements, etc.

3.78 Triggers, Inputs and Outputs

• The inputs to Capacity Management process are: • Business information from the organisation’s business strategy, business plans and financial plans, and information on their current and future requirements • Service and IT information from service strategy, the IT strategy and plans and current budgets, covering all areas of technology including the infrastructure, environment, data and applications, and the way in which they relate to business strategy and plans • Component performance and capacity information of both existing and new technology, from manufacturers and suppliers • Service performance issues logged as incidents and problems through incident and problem management processes • Service information from the Service Level Management, service portfolio management and service catalogue management processes. While service portfolio and the service catalogue provide details of the services, Service level management provides information on service level targets and reports on monitored Service Level Agreements, service reviews and service level breaches. • Financial information regarding the cost of service provision, the cost of resources, components and upgrades, the resultant business benefit and the financial plans and budgets, together with the costs associated with service and component failure. This information is normally provided by Financial Management. Information on costs of components and upgrades to components will be obtained from procurement, suppliers and manufacturers. • Change Management provides information on change schedule and sometimes may request capacity management to assess all changes for their impact on the capacity of the technology. • Configuration management system containing information on the relationships between the business, the services, the supporting services and the technology is a very useful source of input to capacity management. 
• Workload information from the IT operations team, with schedules of all the work that needs to be run, and information on the dependencies between different services and information, and the interdependencies within a service.

3.79 Triggers, Inputs and Outputs

The key outputs of Capacity Management process are: • The Capacity Management Information System which holds the information needed by all sub-processes within capacity management. • The Capacity plan which provides planning input for many other areas of IT and business. It contains information on the current usage of service and components, and plans for the development of IT capacity to meet the needs in the growth of both existing service and any agreed new services. • Service performance information and reports - these are used by many other processes, especially service level management and financial management. • Workload analysis and reports - These are used by IT operations to assess and implement changes in conjunction with capacity management and also to ensure that the most effective and efficient use is made of the available resources. • Ad hoc capacity and performance reports – that can be used by all areas of capacity management, IT and the business to analyse and resolve service and performance issues. • Forecasts and predictive reports - these are used by all areas to analyse, predict and forecast particular business and IT scenarios and their potential solutions. • Information on thresholds, alerts and events which are highly useful in day-to-day operations and Incident and Problem management. • Improvement actions identified from on-going capacity management activities that can be eventually included in service improvement plans. Let’s now understand the interfaces of capacity management.

3.80 Interfaces

Interfaces Capacity Management interacts and interfaces with a number of service management processes. The key ones are discussed here. • There is a very close dependency between availability management and capacity management. These two processes work together to determine the resources needed to ensure the required availability of services and components. • Service level management helps capacity management in determining capacity targets and assists in the investigation and resolution of service and component capacity-related breaches. • Capacity management assists IT Service Continuity Management with the assessment of business impact and risk and determining the capacity needed to support risk reduction measures and recovery options. • Capacity management provides assistance to incident and problem management in finding resolutions and subsequent justification and correction of capacity-related incidents and problems. • Demand management provides information on user profiles and patterns of business activity. This information helps capacity management in identifying the means to influence the demand and also helps in strategic decision-making. Let’s look at the CSFs and KPIs of Capacity Management in the next slide.

3.81 CSFs and KPIs

CSFs and KPIs We shall now discuss a few examples of critical success factors and key performance indicators relating to the Capacity Management process. • ‘Creating accurate business forecasts’ is the most important critical success factor for Capacity Management. • The related key performance indicators are: ‘Production of workload forecasts on time’; ‘Percentage accuracy of forecasts of business trends’; and ‘Timely incorporation of business plans into the Capacity Plan’. • Another important critical success factor is ‘the knowledge of current and future technologies’ within the capacity management team. • The related key performance indicators are: ‘Increased ability to monitor performance and throughput of all services and components’; ‘Timely justification and implementation of new technology in line with business requirements’ and ‘Reduction in the use of old technology, causing breached SLAs due to problems with support or performance’.

3.82 Key Performance Indicator

CSFs and KPIs • ‘Ability to demonstrate cost-effectiveness’ is a key critical success factor from a financial perspective. • The related key performance indicators are: ‘Reduction in last-minute buying to address urgent performance issues’; ‘Reduction in the over-capacity of IT’; and ‘Accurate forecasts of planned expenditure’. • ‘Ability to plan and implement appropriate IT capacity to match business needs’ is another important critical success factor for the capacity management process. • The related key performance indicators are: ‘Percentage reduction in the number of incidents due to poor performance’; ‘Percentage reduction in lost business due to inadequate capacity’ and ‘All new services implemented match Service Level Requirements’. Next, we will learn about the challenges and risks of capacity management.

3.83 Challenges and Risks

Challenges and Risks We shall now look at some key challenges that may be faced while implementing and adhering to Capacity Management process. • One major challenge faced by Capacity Management is persuading the business to provide information on its strategic business plans, to enable the IT service provider organisation to provide effective Business Capacity Management. Getting this information becomes even more difficult in outsourced situations due to confidentiality reasons. • Another key challenge is the collation of all of the Component Capacity Management data into an integrated set of information that can be analysed in a consistent manner to provide details of the usage of all components of the services. This becomes even more difficult when different technologies, tools and reporting formats are used by various IT teams. • In huge IT organisations, the amount of information and data produced by business capacity management, service capacity management and component capacity management can be so voluminous that it becomes very difficult to analyse and draw inferences from the data gathered. Let’s look at the risks.

3.84 Challenges and Risks

Challenges and Risks The risks involved with respect to capacity management are: • Lack of commitment from the business to the Capacity Management process, which may lead to inaccurate capacity planning. • Lack of appropriate information from the business on future plans and strategies, which may result in a continuous mismatch between required and actual capacity. • Lack of senior management commitment or lack of resources and/or budget for the Capacity Management process. • The processes focus too much on the technology, i.e. component capacity management, and not enough on service capacity management and business capacity management. • The reports and information provided are too bulky or too technical and do not give the information required or appropriate to the customers and the business. In the next few slides we will be discussing Availability Management, another Service Design process.

3.85 Availability Management

Availability Management From a customer point of view, availability of services at the agreed levels is of foremost importance. Customers and the business execute a number of business processes and activities to achieve the set objectives and outcomes. These processes are tightly integrated with IT services and therefore customer satisfaction is often directly correlated with the availability of the services. In this part of the course we shall focus on the Availability Management process. • The purpose of Availability Management is to ensure that the level of availability delivered in all IT services meets the agreed availability needs and service level targets in a cost-effective and timely manner. Availability Management focuses on meeting both the current and future availability needs of the business. • The objectives of the Availability Management process are to: • Produce and maintain an appropriate and up-to-date availability plan that reflects the current and future needs of the business • Provide advice and guidance to all other areas of the business and IT on all availability-related issues • Ensure that service availability achievements meet all their agreed targets by managing services and resources-related availability performance • Assist with the diagnosis and resolution of availability-related incidents and problems • Assess the impact of all changes on the availability plan and the availability of all services and resources • Ensure that proactive measures to improve the availability of services are implemented wherever it is cost-justifiable to do so. Let’s understand its scope in the next slide.

3.86 Availability Management

Scope The scope of the availability management process covers the design, implementation, measurement, management and improvement of IT service and component availability. Availability Management spans across the entire lifecycle of the service right from establishment of availability requirements to retirement of the service. It is concerned with all operational services and technology, supporting services and new IT services. The scope includes all aspects of the IT services and components and supporting organisations that may impact availability, including training, skills, process effectiveness, procedures and tools. In particular the scope of availability management covers: • Producing an availability plan • Monitoring of all aspects of availability, reliability and maintainability of IT services and the supporting components • Maintaining a set of methods, techniques and calculations for all availability measurements, metrics and reporting • Actively participating in risk assessment and management activities • Collecting measurements and the analysis and production of regular and ad hoc reports on service and component availability • Understanding the agreed current and future demands of the business for IT services and their availability • Influencing the design of services and components to align with business availability needs • Maintaining a schedule of tests for all resilience and fail-over components and mechanisms • Assisting with the identification and resolution of any incidents and problems associated with service or component unavailability • Proactively improving service or component availability wherever it is cost-justifiable and meets the needs of the business. Next, we will understand Availability management value to business.

3.87 Value to Business

Value to Business Business processes and activities are tightly integrated with IT services and therefore customer satisfaction is directly related to the availability of the services. Availability management defines, analyses, plans, measures and improves all aspects of the availability of IT services, ensuring that all IT infrastructure, processes, systems, tools, and roles are appropriate for the agreed availability service level targets. The value derived by the business when IT organisations adopt the Availability Management process may be summarised as follows: • Availability management ensures that the availability of systems and services matches the evolving agreed needs of the business in a proactive manner. • The availability and reliability of IT services directly influence customer satisfaction and the reputation of the business. • It ensures that IT delivers the levels of service availability required by the business to achieve its business objectives and deliver the quality of service demanded by its customers. • It helps in improving the ability of the business to follow an environmentally responsible strategy by using green technologies and techniques. Let us now move on to learn about the definition of availability in the next slide.

3.88 What is Availability?

What is Availability? Service availability is at the core of customer satisfaction and business success and there is a direct correlation between service availability and customer and user satisfaction. Providing an appropriate level of availability can only begin after understanding how the IT services support the operations of the business. Availability Management spans the service lifecycle and it is essential to design it as a proactive process rather than a reactive one. Thus, it should include continuous monitoring, measurement, analysis and reporting of some important aspects of a service. We shall now discuss what ‘Availability’ actually refers to from an IT service management perspective. We shall also discuss the other important aspects of availability management. • The term ‘Availability’ refers to the ability of a service, component or configuration item to perform its agreed function when required. It may be noted that availability should be measured from the customers’ perspective and against what has been agreed with them. • Availability Management is responsible for managing availability at both service level and component level. • Service availability involves all aspects of service availability and unavailability and the impact of component availability, or the potential impact of component unavailability on service availability. • Component availability involves all aspects of component availability and unavailability. Let’s understand the aspects of availability management in the next slide.

3.89 Aspects of Availability

Aspects of availability • One of the key activities of availability management is to monitor, measure, analyse, report and take required actions pertaining to various aspects of availability. The key aspects that availability management should focus on are: • Reliability • Maintainability • Serviceability • Vital Business Functions We shall now discuss each of these aspects in detail in the next few slides.

3.90 Reliability

Reliability • Reliability: Customers and the business often mention that they expect reliable services from the service provider. ‘Reliability’ is a measure of how long a service, component or Configuration Item can perform its agreed function without interruption. So, Availability Management, in collaboration with other service management processes and functions, should focus on continuously monitoring and improving the reliability of services and their constituent components. • The reliability of the service can be improved by: • Increasing the reliability of individual components of the service; or • Increasing the resilience of the service to individual component failure, for example by increasing the component redundancy through identifying and eliminating single points of failure. • Reliability is normally measured and reported as the ‘Mean Time Between Service Incidents’ and ‘Mean Time Between Failures’. Let’s look at the second aspect of availability in the next slide.

3.91 Maintainability

• The second important aspect of availability is ‘Maintainability’. Maintainability is a measure of how quickly and effectively a service, component or Configuration Item can be restored to normal working after a failure occurs.
• Measured as ‘Mean Time to Restore Service’, it should cover all the contributory factors that make the service, component or Configuration Item unavailable. These factors include:
  • Time to record
  • Time to respond
  • Time to resolve
  • Time to physically repair or replace
  • Time to recover
• Maintainability reflects the capability of the service provider and supplier teams to understand and resolve the availability-related incident or problem. An understanding of how the IT services enable business processes, knowledge of the service, appropriately skilled resources, availability of spare components, documented procedures and close coordination with the teams concerned are the key factors that determine the maintainability of the service.
Let’s understand Serviceability in the next slide.

3.92 Serviceability

The third important aspect of availability is ‘Serviceability’. We understand the complexity involved in managing and providing IT services to business and customers. Dependence on third-party suppliers is increasing and becoming essential for various reasons like cost-efficiency, skills, proficiency, and expertise of the suppliers. The responsibilities, obligations and terms and conditions between the service provider and third-party suppliers are managed through a contract. ‘Serviceability’ is the ability of a supplier to meet the terms and obligations of the contract with respect to the services or components delivered.
• More often than not, this contract will include details on agreed levels of availability, reliability and/or maintainability for the supporting service or components managed and delivered by the supplier. Here again the commitment levels of the supplier teams, knowledge of the services delivered, skilled resources and availability of documented procedures are the key factors that determine the level of serviceability.
Lastly, let us discuss Vital Business Functions (VBF), the fourth aspect of availability.

3.93 Vital Business Functions

IT services may support a number of business processes. Some of these processes, or parts of them, may be more important than others. Vital business functions are the business processes, or parts of a business process, that are critical to the success of the business. For example, in a retail organisation the billing function is more critical than a staff payroll process, because billing directly impacts sales and customer satisfaction. Business functions that are important or vital therefore generally require a greater level of resilience and availability, and this needs to be considered during the design of related IT services. These design requirements may include one or more of the following aspects:

3.94 Vital Business Functions

• High availability: a characteristic of the IT service that minimises or masks the effects of IT component failure to the users of a service. For example, in a cluster approach, when one server fails, the load and transactions are automatically handled by other servers. The users will not even be aware of the incident relating to the affected server.
• Fault tolerance: the ability of an IT service, component or Configuration Item to continue to operate correctly after failure of a component part. This basically means that the repaired or recovered component performs as expected without any other impact or further issues.
• Continuous operation: an approach or design to eliminate planned downtime of an IT service. It may be noted that individual components or Configuration Items may be down even though the IT service remains available. A cluster approach in server management, and backup networks that automatically come up when the main network fails, are some examples of continuous operation.
• Continuous availability: again an approach or design, in this case to achieve 100% availability. A continuously available IT service has no planned or unplanned downtime. Resilience and automatic back-ups are adequately incorporated into the infrastructure and other resources to ensure continuous availability of services.

3.95 MTBF, MTBSI, MTRS, MTTR

In the previous slides on reliability and maintainability we touched upon some metrics like the ‘Mean Time Between Service Incidents’, ‘Mean Time Between Failures’ and ‘Mean Time to Restore Service’. We shall now discuss these in a bit more detail. Please spare a few minutes to analyse the contents of the diagram on this slide. This is also known as ‘the expanded incident lifecycle’ as it depicts the various stages from incident detection to restoring a service. Basically, the expanded incident lifecycle consists of the following stages:
• Incident detection
• Incident diagnosis
• Incident repair
• Service recovery
• Service restoration
Each stage, and the associated time taken, influences the total downtime perceived by the user. By adopting the expanded incident lifecycle approach it is possible to identify areas of inefficiency that combine to make the loss of service experienced by the business greater than it need be. This analysis also provides availability management with metrics for both specific incidents and trending information. These metrics further help in Service Failure Analysis and service improvement activities, apart from regular availability management reporting. We shall now focus on the definitions and computation of the key metrics.

3.96 MTBF, MTBSI, MTRS, MTTR

• Mean Time Between Failures, known as MTBF for short, is a metric for measuring and reporting ‘Reliability’. It is the average time that a Configuration Item or IT Service can perform its agreed function without interruption. It is measured from when the Configuration Item or IT Service starts working until it next fails.
• Mean Time Between Service Incidents, also known as MTBSI, is another metric used for measuring and reporting ‘Reliability’. It is the mean time from when a System or IT Service fails until it next fails.

3.97 MTBF, MTBSI, MTRS, MTTR

• Mean Time to Restore Service, known as MTRS for short, is the average time taken to restore a Configuration Item or IT Service after a failure. It is measured from the point the Configuration Item or IT Service fails until it is fully restored and delivers its normal functionality.
• Mean Time to Repair, also known as MTTR, is the average time taken to repair a Configuration Item or IT Service after a failure. It is measured from when the Configuration Item or IT Service fails until it is repaired and does not include the time required to recover or restore.
Next, let’s look into Availability terms and measurements.
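The four metrics defined above, computed from expanded-incident-lifecycle timestamps, as an added example that is not part of the original course material. The incident records, field names and the 24x7 agreed service time are constructed assumptions, and the availability percentage uses the standard (agreed service time minus downtime) / agreed service time formula, which this page does not spell out.

```python
from datetime import datetime
from statistics import mean

FMT = "%Y-%m-%d %H:%M"
# Timestamps of the expanded incident lifecycle, in order (field names are assumptions).
POINTS = ["failed", "detected", "diagnosed", "repaired", "recovered", "restored"]
# Each stage is the interval between two consecutive timestamps.
STAGES = ["detection", "diagnosis", "repair", "recovery", "restoration"]

# Constructed sample data: three incidents on one hypothetical service in March 2024.
INCIDENTS = [
    dict(zip(POINTS, ["2024-03-01 09:00", "2024-03-01 09:10", "2024-03-01 09:40",
                      "2024-03-01 10:30", "2024-03-01 10:50", "2024-03-01 11:00"])),
    dict(zip(POINTS, ["2024-03-11 11:00", "2024-03-11 11:30", "2024-03-11 12:30",
                      "2024-03-11 14:00", "2024-03-11 14:40", "2024-03-11 15:00"])),
    dict(zip(POINTS, ["2024-03-26 15:00", "2024-03-26 15:05", "2024-03-26 15:20",
                      "2024-03-26 16:00", "2024-03-26 16:20", "2024-03-26 16:30"])),
]
AGREED_SERVICE_HOURS = 31 * 24  # assumption: 24x7 service across March


def load(incidents):
    """Parse timestamps, order incidents by failure time and reject bad records."""
    rows = sorted(({p: datetime.strptime(i[p], FMT) for p in POINTS} for i in incidents),
                  key=lambda r: r["failed"])
    for r in rows:
        seq = [r[p] for p in POINTS]
        if seq != sorted(seq):
            raise ValueError(f"lifecycle timestamps out of order for failure at {r['failed']}")
    for prev, nxt in zip(rows, rows[1:]):
        # A failure logged before the previous restoration would give negative uptime.
        if nxt["failed"] < prev["restored"]:
            raise ValueError(f"incident at {nxt['failed']} overlaps the previous one")
    return rows


def _hours(delta):
    return delta.total_seconds() / 3600


def reliability_and_maintainability(incidents):
    """Return MTBF, MTBSI, MTRS and MTTR in hours, using the definitions above."""
    rows = load(incidents)
    if len(rows) < 2:
        raise ValueError("MTBF and MTBSI need at least two failures")
    pairs = list(zip(rows, rows[1:]))
    return {
        # Restored (starts working) until the next failure.
        "MTBF_h": mean(_hours(n["failed"] - p["restored"]) for p, n in pairs),
        # One failure until the next failure.
        "MTBSI_h": mean(_hours(n["failed"] - p["failed"]) for p, n in pairs),
        # Failure until normal functionality is fully restored.
        "MTRS_h": mean(_hours(r["restored"] - r["failed"]) for r in rows),
        # Failure until repaired; recovery and restoration time excluded.
        "MTTR_h": mean(_hours(r["repaired"] - r["failed"]) for r in rows),
    }


def stage_means_minutes(incidents):
    """Mean minutes spent in each lifecycle stage, to show where downtime accumulates."""
    rows = load(incidents)
    return {name: mean((r[end] - r[start]).total_seconds() / 60 for r in rows)
            for name, start, end in zip(STAGES, POINTS, POINTS[1:])}


def availability_percent(incidents, agreed_service_hours):
    """(agreed service time - downtime) / agreed service time * 100."""
    downtime = sum(_hours(r["restored"] - r["failed"]) for r in load(incidents))
    return (agreed_service_hours - downtime) / agreed_service_hours * 100


if __name__ == "__main__":
    for name, value in reliability_and_maintainability(INCIDENTS).items():
        print(f"{name}: {value:.2f}")
    stages = stage_means_minutes(INCIDENTS)
    for name, minutes in stages.items():
        print(f"mean {name} time: {minutes:.1f} min")
    print("slowest stage:", max(stages, key=stages.get))
    print(f"availability: {availability_percent(INCIDENTS, AGREED_SERVICE_HOURS):.2f}%")
```

The per-stage breakdown is what turns MTRS from a single number into something actionable: in the sample data the repair stage dominates, so that is where improvement effort would be directed.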

3.98 Availability Terms and Measurements:

Having gained some understanding of the various aspects and metrics relating to Availability Management, it is time to understand the relationship between them, and the best way is to present this relationship in a simple diagram. The diagram in this slide is a good representation of the various aspects of Availability Management. Please note that this is only a representative one and not the only way to establish and manage the availability management aspects. Different types of organisations may come up with different models based on their organisation setup and requirements. Some key points to note from this diagram are:
• IT organisations and service providers agree and document the level of services expected by the business and customers. This translates into a formal document called the Service Level Agreement, of which availability is one of the key components.
• IT systems, teams and resources are utilised by service providers to deliver services to customers in line with the service level agreements.
• Reliability and Maintainability aspects are generally taken care of through operational level agreements entered into with internal support teams. The respective support teams responsible for the services, supporting services, components and configuration items are responsible for reliable performance and quick resolution of incidents, problems and issues pertaining to their areas.
• Similarly, external suppliers are obligated to manage and support the services, supporting services, components and configuration items as agreed in the contracts and agreements.
• Metrics like availability percentage, Mean Time Between Failures and Mean Time To Restore Service are computed, analysed and reported, and action is taken to consistently meet and improve service availability targets.
In the next slide we will learn about AIMS and the Availability plan.

3.99 AIMS and Availability Plan

Availability Management Information System and Availability Plan are two important outputs of Availability Management.
• Availability Management Information System is a repository of all Availability Management data, usually stored in multiple physical locations. It stores availability related metrics, measurements, targets and documents, including the availability plan, achievement reports, Service Failure Analysis reports and testing schedules. This data and information are essential to support key activities such as report generation, statistical analysis and availability forecasting and planning.
• Availability Management Information System is normally an integral part of the Service Knowledge Management System.
• Availability Plan is a planning document formulated and maintained to ensure that existing and future Availability Requirements for IT Services can be provided in a cost effective way. This plan is expected to cover:
  • Aims, objectives and deliverables of Availability Management.
  • Actual levels of availability versus agreed levels of availability for key IT services.
  • Activities being progressed to address shortfalls in availability for existing IT services.
  • Details of changing availability requirements for existing IT services.
  • Details of the availability requirements for forthcoming new IT services.
  • A forward-looking schedule for the planned Service Failure Analysis assignments.
  • A technology futures section to provide an indication of the potential benefits and exploitation opportunities that exist for planned technology upgrades.
• The availability plan should cover a period of one to two years, with a more detailed focus for the first six months.
Let’s understand the process activities and techniques in the next slide.

3.100 Process activities, methods and techniques

Availability Management process includes both reactive activities and proactive activities. The more the proactive activities are performed, the more will be the efficiency and benefits derived from this process. Let us now discuss these two sets of activities in more detail. First the reactive activities. The reactive activities include:
• Monitoring, measuring, analysing, reporting and reviewing service and component availability. Service availability and component availability are important components of service level agreements, operational level agreements and underpinning contracts. Hence the activity of monitoring and reporting is very important and it should be ensured that measurements that reflect and measure availability from the business and user perspective are given greater prominence than those from IT perspective. Hence, apart from the normal measurements like ‘Per cent available’, ‘duration’, ‘frequency of failure’ and ‘Impact of failure’; measurements like ‘Impact by user minutes lost’ and ‘impact by business transactions’ should be incorporated and reported.
• Investigating all service and component unavailability and instigating remedial action. When incidents lead to unavailability of service or component, they must be investigated and appropriate action must be taken. This involves utilising techniques like:
  • Unavailability analysis, including loss in monetary terms like tangible and intangible costs associated with failure.
  • The expanded incident lifecycle, which seeks to analyse the various stages and the time taken at each stage during the service restoration process.
  • Service Failure Analysis, which takes a holistic view and provides a structured approach for identifying the underlying causes of service interruptions to the user. Service Failure Analysis utilises a range of data sources to assess where and why shortfalls in availability are occurring.

3.101 Process activities, methods and techniques

Let us move on to the proactive activities of the Availability Management process. These proactive activities should be designed and planned to cover both the service and the service components. The proactive activities are:
• Planning and designing new or changed services: Availability Management process should ensure that new or changed services are designed appropriately to meet the availability requirements as defined in the service level targets. This includes:
  • Getting involved early and participating in service ‘Requirements definition’.
  • Identifying and documenting vital business functions.
  • Designing services and service components by considering how the availability requirements of the business are to be met and ensuring that the level of availability to be provided for an IT service is at the level actually required by the business and customers. These solutions should also be cost-justifiable to the business.
  • Ensuring, while developing service availability designs, that they cover both the aspects of ‘designing for availability’ and ‘designing for recovery’.
  • Adopting various techniques like ‘Component failure impact analysis’, ‘Single point of failure analysis’, ‘Fault tree analysis’, and ‘modelling’.
• Risk assessment and management: Risk assessment and management is a technique that can be used to identify and quantify risks and justifiable countermeasures that can be implemented to protect the availability of IT systems. It helps in achieving the required levels of availability for a new or enhanced IT service. Risk assessment involves the identification and assessment of the level of risks associated with the assets along with the threats and vulnerabilities relating to those assets. Risk management involves the identification, selection and adoption of countermeasures for the identified risks thereby reducing them to an acceptable level.
• Implementing cost-justifiable counter-measures, including risk reduction and recovery mechanisms: The risks identified with respect to service and component availability should be addressed through appropriate risk reduction measures and the development of effective recovery mechanisms. These countermeasures may be implemented as part of the overall design of the new or changed service, as well as through the implementation of best practice in the areas of maintenance and continual review and improvement.
• Reviewing all new and changed services and testing all availability and resilience mechanisms: During the service transition stage all the elements designed to contribute to service and component availability need to be reviewed and tested. Availability review and testing procedures and policies should be embedded into overall transition methods, processes and practices to ensure that the promised levels of availability will be delivered. In addition to the reviews and tests that occur during service transition, regular reviews and tests should be scheduled during service operation also.
• Continual reviewing and improvement: Changing business needs and customer demands and the criticality of services necessitate that the design and the technology supporting such services are regularly reviewed and improved by availability management to ensure that the change of importance in the service is reflected within a revised design and supporting technology and documentation. A key activity for availability management is to look continually at opportunities to optimise the availability of the IT infrastructure in conjunction with overall CSI activities. A number of availability management techniques can be applied to identify optimisation opportunities. It is recommended that the scope should not be restricted to the technology, but should include a review of both the business processes and other end-to-end business-owned responsibilities. Availability management should take a proactive role in identifying and progressing cost-justified availability improvement opportunities within the availability plan.
Let’s understand these activities with the help of a diagram.

3.102 Availability management process

The diagram on this slide is a summarised representation of the reactive and proactive activities of the Availability Management process. It also clearly depicts the relationship between these two sets of activities and the Availability Management Information System. We have discussed these individual aspects in the previous slides. Please spare a few minutes to go through this diagram and understand the relationship amongst the three components shown here. Let us proceed to learn about the roles involved in availability management process in the next slide.

3.103 Availability Management Process Manager

Availability Management spans across the service lifecycle and has a lot of significance in the overall IT service management. The role of Availability Management Process Manager, also commonly known as Availability Manager, is a very important role and the responsibilities include:
• Coordinating interfaces between availability management and other processes, especially service level management, capacity management, IT service continuity management and information security management;
• Ensuring that all existing services deliver the levels of availability agreed with the business in Service Level Agreements;
• Ensuring that all new services are designed to deliver the levels of availability required by the business;
• Assisting with the investigation and diagnosis of all incidents and problems that cause availability issues or unavailability of services or components;
• Participating in the IT infrastructure design, including specifying the availability requirements for hardware and software;
• Specifying the requirements for new or enhanced event management systems for automatic monitoring of availability of IT components;
• Specifying the reliability, maintainability and serviceability requirements for components supplied by internal and external suppliers;
• Being responsible for monitoring actual IT availability achieved against Service Level targets, and providing a range of IT availability reporting;
• Proactively improving service availability wherever possible, and optimising the availability of the IT infrastructure to deliver cost-effective improvements;

3.104 Availability Management Process Manager

• Creating, maintaining and regularly reviewing an availability management information system and a forward-looking availability plan, aimed at improving the overall availability of IT services;
• Ensuring that the availability management process, its associated techniques and methods are regularly reviewed and audited, and that all of these are subject to continual improvement and remain fit for purpose;
• Creating availability and recovery design criteria to be applied to new or enhanced infrastructure design;
• Working with financial management for IT services, ensuring the levels of IT availability required are cost-justified;
• Maintaining and completing an availability testing schedule for all availability mechanisms;
• Assisting security and IT service continuity management with the assessment and management of risk;
• Assessing changes for their impact on all aspects of availability, including overall service availability and the availability plan; and
• Attending Change Advisory Board meetings when appropriate.
Next, let’s look at the triggers, inputs and outputs of the process.

3.105 Triggers, Inputs and Outputs

Triggers, inputs and outputs are essential components of a process. We shall now discuss the availability management process related triggers, inputs and outputs. The triggers for this process are:
• New or changed business needs or new or changed services
• New or changed targets within agreements, such as Service Level Agreements, Operational Level Agreements or contracts
• Service or component breaches, availability events and alerts, including threshold events, exception reports
• Periodic activities such as reviewing and reporting
• Reviews and revisions relating to business plans, IT plans, and strategies
• Change of risk or impact of a business process, Vital Business Function, IT service or component
• Request from Service Level Management for assistance with availability targets and explanation on breaches and achievements.
Let’s move to the inputs of the process.

3.106 Triggers, Inputs and Outputs

The inputs to availability management process are:
• Business information from the organisation’s business strategy, business plans and financial plans, and information on their current and future requirements
• Business impact information from business impact analysis and assessment of vital business functions
• Risk assessment reports and risk registers
• Service information from the Service Level Management, service portfolio management and service catalogue management processes. While service portfolio and the service catalogue provide details of the services, Service level management provides information on service level targets and reports on monitored Service Level Agreements, service reviews and service level breaches
• Financial information regarding the cost of service provision, the cost of resources, components and upgrades, the resultant business benefit and the financial plans and budgets, together with the costs associated with service and component failure. This information is normally provided by Financial Management.
• Change and release information from Change Management. This includes information on change schedule, release schedule and assessment of all changes for their impact on service availability
• Service asset and configuration management system containing information on the relationships between the business, the services, the supporting services and the technology
• Component information on the availability, reliability and maintainability requirements for the technology components that underpin IT services
• Technology information from the Configuration Management System on the topology and the relationships between the components and the assessment of the capabilities of new technology
• Unavailability and failure information from incidents and problems
• Planning information from other processes such as the capacity plan from capacity management.
Moving on, let’s look at the outputs.

3.107 Triggers, Inputs and Outputs

The outputs of Availability Management process are:
• The availability management information system
• The availability plan for proactive improvement of IT services and technology
• Availability and recovery design criteria and proposed service targets for new or changed services
• Service as well as component availability, reliability and maintainability reports
• Revised risk assessment reviews and reports and updates to risk register
• Monitoring, management and reporting requirements for IT services and components to ensure that deviations in availability, reliability and maintainability are detected, actioned, recorded and reported
• Availability management test schedule for testing all availability, resilience and recovery mechanisms
• Proactive availability techniques and measures that will be deployed to provide additional resilience to prevent or minimise the impact of component failures on the IT service availability
• Improvement suggestions and actions for inclusion in service improvement plans.
In the next slide we will discuss the interfaces of the availability management process.

3.108 Interfaces

Managing process interfaces is critical for the success of the process, other related processes and service management as a whole. A number of inputs, outputs and information flow exist in a process-oriented organisation and ensuring that these interactions and interfaces are managed properly is the key to successful service management. We shall now discuss the key interfaces relating to Availability Management Process:
• Service Level Management depends on Availability Management to determine the service availability targets. Also, availability management provides information on achievement of targets, reasons for breaches and suggestions and actions for improving service availability.
• Availability management provides necessary support to incident and problem management in resolving and fixing availability related incidents and issues.
• Capacity management and availability management are closely interrelated and work together in achieving availability service level agreements. While capacity management provides appropriate capacity to support resilience and overall service availability, availability management provides inputs on availability requirements which support capacity management activities.
• Change management seeks inputs from availability management by way of assessment of proposed changes. This includes information on impact on service availability and achievement of availability targets.
• Availability management works collaboratively with IT service continuity management process on the assessment of business impact and risk and the provision of resilience, fail-over and recovery mechanisms for various services provided, with primary focus on vital business functions.
• The interface with Information security management is a unique one. As unavailability of data is sometimes synonymous with unavailability of a service, information security management and availability management work together to include design for availability and design for recovery during the service design stage.
• Availability management provides Access Management with the methods for appropriately granting and revoking access to services as needed.
So far we have covered details about the availability definition, AIMS, availability plan, activities, role, triggers, inpu

3.109 CSFs and KPIs

A number of critical success factors and key performance indicators can be identified for Availability Management. We shall be discussing the key ones here.
• The most important critical success factor for Availability Management process is “To manage availability and reliability of IT service”. The related key performance indicators are “Percentage reduction in the unavailability of services and components”; “Percentage increase in the reliability of services and components” and “Effective review and follow-up of all Service Level Agreements, Operational Level Agreements and underpinning contract breaches”.
• The next important critical success factor is “To satisfy business needs for access to IT services”. The related key performance indicators are “Percentage reduction in the unavailability of services”; “Percentage reduction of the cost of business overtime due to unavailable IT services” and “Percentage reduction in critical time failures”.
• “Availability of IT infrastructure achieved at optimum costs” is another critical success factor for availability management process. The relevant key performance indicators are “Percentage reduction in the cost of unavailability” and “Timely completion of regular Risk Analysis”.
Let us now look at the challenges and risks in the next two slides.

3.110 Challenges

Having discussed various aspects, activities and components of Availability Management, we are by now able to understand the significance of this process. As stated earlier, customer satisfaction correlates directly with service availability. This significance brings a lot of challenges for this process.
• The main challenge is meeting the expectations of the customers, the business and senior management. These three groups have different expectations, and the understanding and awareness of service level agreements might also differ within the customer organisation. Clearly defining agreements and publicising them to all concerned is the best way to counter this challenge.
• Access to the right level of quality information on the current business needs for IT services and its plans for the future is another big challenge faced by availability management. Business and customer teams may not be interested in divulging and sharing their plans and sometimes may not be in a position to articulate their requirements well. This requires greater support from senior management to get the required information and to execute the proactive activities of availability management.
• Integration of all of the availability data into an integrated set of information like the ‘Availability Management Information System’, which can be analysed in a consistent manner to provide details on the availability of all services and components, is another challenge that may be faced by this process. Where different technologies, teams and support groups are involved, this becomes even more difficult. Senior management support, close coordination and well-defined roles and responsibilities can help overcome this challenge.
Let’s look at the risks in the next slide.

3.111 Risks

Some of the key risks related to Availability Management process are:
• Lack of commitment from the business to the Availability Management process
• Lack of appropriate information on future plans and strategies from business
• Lack of senior management commitment or a lack of resources and/or budget to the Availability Management process
• The reporting processes becoming very labour-intensive
• Too much focus on technology and inadequate focus on the services and the needs of the business
• Availability management information system maintained in isolation and not integrated with other information systems like capacity management information system.

3.112 IT Service Continuity Management

IT Service Continuity Management Major incidents and natural calamities may cause disruption to business activities and processes. As technology is a core component of most business processes, continued or high availability of IT systems and services is critical to the survival of the business as a whole. Service continuity is one of the key components of warranty of a service through which the assured value is derived by the business. Hence appropriate and adequate risk reduction and recovery measures should be in place to ensure IT service continuity. It is important to understand that in an organisation there are two levels of continuity management – Business continuity management and IT service continuity management. Business continuity management is a business process responsible for managing risks that could seriously affect the business. It tries to safeguard the interests of key stakeholders, reputation and value-creation activities. On the other hand, IT service continuity management is an IT service management process responsible for managing risks that could seriously affect IT services which underpin the business processes. In the next few slides we shall be discussing various concepts, activities and components of the IT service continuity management process. The purpose of IT service continuity management process is to support the overall business continuity management process by managing the risks that could seriously affect IT services, and thereby ensuring minimum agreed business continuity-related service levels. 
The objectives of this process are to:
• Produce and maintain a set of IT service continuity plans that support the overall business continuity plans of the organisation
• Complete regular Business Impact Analysis exercises to ensure that all continuity plans are maintained in line with changing business impacts and requirements
• Conduct regular risk assessment and management exercises to manage IT services within an agreed level of business risk in conjunction with the business, the availability management and information security management processes
• Provide advice and guidance to all other areas of the business and IT on all continuity-related issues
• Ensure that appropriate continuity mechanisms are put in place to meet or exceed the agreed business continuity targets
• Assess the impact of all changes on the IT service continuity plans and supporting methods and procedures
• Negotiate and agree contracts with suppliers for the provision of necessary recovery capability to support all continuity plans in conjunction with the supplier management process.
In the next slide let’s understand the scope of the ITSCM process.

3.113 IT Service Continuity Management

Scope
The scope of IT Service Continuity Management within an organisation is determined by the organisational structure, culture and strategic direction in terms of the services provided and how these develop and change over time. IT Service Continuity Management focuses on those events that the business considers significant enough to be treated as a ‘disaster’. In particular the scope of the IT Service Continuity Management process includes:
• The agreement of the scope of the process and the policies adopted with business and senior management
• Ensuring that Business Impact Analysis is performed to quantify the impact on business due to loss of IT service
• Performing risk assessment and management to identify potential threats to continuity and implementing measures to manage the identified threats where it is cost-justified
• Production of an overall IT Service Continuity Management strategy and plan that must be integrated into the Business Continuity Management strategy and plan
• Testing of the plans
• On-going operation and maintenance of the plans.
Let’s understand the business value of the ITSCM process.

3.114 Value to Business

Value to Business
The significance of ensuring adequate capability to continue business operations even during disasters, or to recover the services as quickly as possible, cannot be ignored or undermined. When a major incident or disaster occurs, it may result in considerable financial loss, impact on competitiveness, loss of reputation, payment of penalties, etc. Business Continuity Management in collaboration with IT Service Continuity Management proactively tries to minimise these types of impacts. The following are the key benefits derived by the business when IT organisations adopt the IT Service Continuity Management process. IT Service Continuity Management plays an invaluable role in supporting the Business Continuity Management process. It creates awareness of continuity requirements and is often used to justify and implement the Business Continuity Management process and business continuity plans. IT Service Continuity Management ensures that the recovery arrangements for IT services are aligned to identified business impacts, risks and needs. Next, let’s look at Business Continuity Management.

3.115 Business Continuity Management

Business Continuity Management We now understand that IT Service Continuity Management is a sub-set of the overall Business Continuity Management. Business Continuity Management is at the organisational level and covers a much wider scope. Business Continuity Management is a Business Process responsible for managing risks that could seriously affect the business operations. It includes, or works closely with, disaster recovery management. The Business Continuity Management process tries to safeguard the interests of key stakeholders, reputation and brand image of the organisation, and the value-creating activities of the business. Business Continuity Management tries to reduce the risks associated to a disaster to an acceptable level and plans for the recovery of Business Processes, should a disruption to the Business occur. Business Continuity Management sets the objectives, scope and requirements for IT Service Continuity Management. Hence the IT Service Continuity strategy and plans should be aligned to Business Continuity strategy and plans. Let’s now understand IT service continuity plan in the next slide.

3.116 IT Service Continuity Plan

IT Service Continuity Plan
An important component and output of IT Service Continuity Management is the IT Service Continuity Plan. This plan defines the steps required to restore business processes following a disruption. The description of the steps in this plan should be as detailed as possible, leaving no room for ambiguity. This plan details all possible instances that can lead to a ‘disaster’ situation and identifies the triggers for invocation. It also clearly documents the people to be involved, the roles and responsibilities, and the communications to be made during the invocation of the plan, the controlling of the situation and the recovery of the services. IT Service Continuity Plans form a significant part of Business Continuity Plans and hence they should be aligned to the objectives and scope of this plan. The IT Service Continuity Plans should be regularly reviewed and updated to reflect the changes in business and IT priorities, strategies and plans as well as IT services and service components. Next, let’s look at business impact analysis.

3.117 Business Impact Analysis

Business Impact Analysis Business Impact Analysis is a key activity within the Business Continuity Management process. This activity essentially focuses on identifying the vital business functions and their dependencies. Business Impact Analysis is performed to quantify the impact on the business due to the loss or unavailability of an IT service. This impact can be a ‘hard’ impact that can be precisely identified – such as financial loss – or ‘soft’ impact – such as public relations, staff morale, health and safety or loss of competitive advantage. This activity identifies the most important services to the organisation - the vital business functions, and hence provides key inputs to the Business continuity and IT service continuity strategies. The business impact analysis also defines the degree of damage or loss that is likely to escalate after a disruption. It is a known fact that the longer the loss or unavailability of the service, the more the magnitude of the damage or loss. The business impact analysis activity enables mapping of critical services, applications and technology components to critical business processes. It thus helps to identify the IT Service Continuity Management elements that need to be provided. Business Impact Analysis should be conducted at regular intervals as well as before new services are deployed or when major changes are made to existing services. This is essential to identify and make appropriate changes to the Business Continuity and IT Service Continuity strategies and plans. Let’s continue to discuss BIA in the next slide.

3.118 Business Impact Analysis

Business Impact Analysis
Business Impact Analysis identifies the form that the damage or loss may take due to loss or unavailability of services. These can include:
• Loss of income or reduction in revenues
• Additional costs and expenditures that may need to be incurred
• Damaged reputation
• Loss of goodwill
• Loss of competitive advantage
• Breach of law, health and safety regulations
• Risk to personal safety
• Immediate and long-term loss of market share
• Political, corporate or personal embarrassment
• Loss of operational capability, staff, facilities and services.
This list by itself demonstrates the significance of Business Impact Analysis. The actual damage or loss can just be one of the above forms or a combination of more than one. The hard and soft impacts together determine the mitigation and recovery strategies of both Business continuity and IT service continuity.

3.119 Business Impact Analysis

Business Impact Analysis
A good business impact analysis covers a much wider scope. Apart from identifying the vital business functions, the various dependencies, the impact to business and the forms of damage that can result, it also helps in more appropriate planning by providing the following valuable inputs. Business impact analysis provides information on how the degree of damage or loss is likely to escalate after a service disruption, and the times of the day, week, month or year when disruption will have the most severe impact. It determines the relative business recovery priority for each of the IT services. Services supporting vital business functions need immediate or faster recovery when compared to those supporting non-vital or less-vital business functions. It provides information on the staffing, skills, facilities and services required to enable critical business processes to continue operating at a minimum acceptable level. Business impact analysis estimates and determines the time within which minimum levels of staffing, facilities and services should be recovered to avoid or minimise the impact to business. It also determines the time within which all required business processes and supporting staff, facilities and services should be fully recovered and be operational. Let’s look at a graph on Business Impact in the next slide.

3.120 Business Impact

Business Impact
We have earlier seen that, as part of business impact analysis, the degree of damage or loss that is likely to escalate after a disruption is also analysed and documented. It is a known fact that the longer the loss or unavailability of the service, the more the magnitude of the damage or loss. Also, unavailability of some critical services will have immediate high impact, whereas in the case of unavailability of non-critical services the impact may increase slowly over a period of time. One of the key outputs from a Business Impact Analysis exercise is a graph depicting the anticipated business impact caused by the loss of a business process or the loss of an IT service over time. This graph can then be used to drive the business and IT continuity strategies and plans. More preventive measures need to be adopted with regard to those processes and services with earlier and higher impacts, whereas greater emphasis should be placed on continuity and recovery measures for those where the impact is lower and takes longer to develop. A balanced approach of both measures should be adopted for those in between. Thus, this analysis helps in ranking the business requirements and prioritising the IT Service Continuity elements in terms of risk reduction and recovery planning. Let’s understand the risks in detail in the next slide.
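The use of the impact-over-time graph described above can be worked through on sample data. The following Python example is added here and is not part of the course material; the service names, impact figures and the three thresholds are constructed assumptions that a real Business Impact Analysis would agree with the business.

```python
# Added illustration: turning BIA impact-over-time curves into recovery
# deadlines and a prevention/recovery emphasis. All data and thresholds
# below are constructed assumptions, not values from the course.

# (hours since loss of service, estimated business impact on a 0-100 scale)
BIA_CURVES = {
    "payments-gateway": [(0, 0), (1, 60), (4, 90), (24, 100)],
    "order-entry": [(0, 0), (8, 20), (24, 55), (72, 85)],
    "hr-portal": [(0, 0), (24, 5), (72, 15), (168, 60)],
    "intranet-wiki": [(0, 0), (168, 10)],
}

INTOLERABLE = 50  # assumed impact level the business will not accept
EARLY_HOURS = 4   # assumed: intolerable this soon means "earlier and higher" impact
LATE_HOURS = 48   # assumed: still tolerable this late means "lower and slower" impact


def hours_until(curve, level):
    """Earliest time (hours) at which the curve reaches `level`.

    Interpolates linearly between the surveyed BIA points and returns None
    when the level is never reached inside the surveyed window.
    """
    pts = sorted(curve)
    if not pts:
        raise ValueError("BIA curve has no data points")
    if pts[0][1] >= level:
        return float(pts[0][0])
    for (t0, i0), (t1, i1) in zip(pts, pts[1:]):
        if i0 < level <= i1:  # first upward crossing of the level
            return t0 + (level - i0) * (t1 - t0) / (i1 - i0)
    return None


def emphasis(curve):
    """Classify a service as prevention-led, recovery-led or balanced."""
    deadline = hours_until(curve, INTOLERABLE)
    if deadline is not None and deadline <= EARLY_HOURS:
        return "prevention"  # early, high impact: invest in risk reduction
    if deadline is None or deadline >= LATE_HOURS:
        return "recovery"    # slow, lower impact: rely on recovery measures
    return "balanced"        # in between: mix of both


def recovery_ranking(curves):
    """Rank services by how soon their impact becomes intolerable."""
    rows = [(name, hours_until(c, INTOLERABLE), emphasis(c))
            for name, c in curves.items()]
    # Services that never reach the level sort last; ties break on name.
    rows.sort(key=lambda r: (r[1] is None, r[1] or 0.0, r[0]))
    return rows


if __name__ == "__main__":
    for name, deadline, focus in recovery_ranking(BIA_CURVES):
        when = "not within survey" if deadline is None else f"{deadline:.1f} h"
        print(f"{name:18} intolerable after {when:18} emphasis: {focus}")
```

The deadline column is the input a continuity strategy would compare against the recovery time each recovery option can achieve.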

3.121 Risk

Risk We have earlier seen that the scope of IT Service Continuity Management includes ‘performing risk assessment and management to identify potential threats to continuity and implementing measures to manage the identified threats where it is cost-justified’. We shall now discuss this activity in more detail. Risk may be defined as uncertainty of outcome, whether a positive opportunity or negative threat. It is the fact that there is uncertainty that creates the need for attention and formal management of risk. The purpose of formal risk management is to enable better decision making based on a sound understanding of risks and their likely impact on the achievement of objectives. There are two distinct phases to support risk related decision making – Risk assessment and Risk Management. Risk assessment is concerned with gathering information about exposure to risk so that the organisation can make appropriate decisions and manage risk in a right way. It includes analysing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats. Risk management is concerned with the identification, selection and adoption of countermeasures justified by the identified risks to assets in terms of their potential impact on services if failure occurs, and the reduction of those risks to an acceptable level. It involves having processes in place to monitor risks, access to reliable and up-to-date information about risks, the right balance of control in place to deal with those risks, and decision-making processes supported by a framework of risk analysis and evaluation. As we have clear understanding of risks, let’s now proceed to learn about Managing Risks.

3.122 Management of Risk (M_o_R)

Management of Risk (M_o_R)
There are a number of different methodologies, standards and frameworks available for risk management. Management of Risk, ISO 31000, Risk IT and ISO/IEC 27001 are some of the popular standards and frameworks. ‘Management of Risk’, also known as M_o_R for short, is the OGC methodology for managing risks. It provides guidance to organisations to put in place an effective framework for risk management. It also details the activities required to identify and control the exposure to risks which may have an impact on the achievement of the organisation’s business objectives. While we try to provide an overview of this methodology in the next slide, you may visit www.m-o-r.org for more details. Let’s look at a diagram in the next slide on Management of Risk.

3.123 Management of Risk

Management of Risk (M_o_R)
The diagram on this slide illustrates the ‘Management of Risk’ framework. This framework is based on four core concepts which we shall discuss now. The first concept is M_o_R principles. These are high-level and universally applicable good practices that are fundamental for the development and maintenance of a good risk management practice in an organisation. The next concept is M_o_R approach. Establishing the approach involves adapting and adopting the general principles to suit organisational requirements. This approach needs to be agreed and defined within the risk management policy, process guide and strategies. The third concept is M_o_R process. The process consists of four steps: identify, assess, plan and implement. Each step describes the inputs, outputs, tasks and techniques involved to ensure that the overall process is effective. The fourth concept is ‘Embedding and reviewing M_o_R’. This ensures that the established approach and process are consistently applied across the organisation and that their application undergoes continual improvement in order for them to be effective. Communication is at the core. The principles, approach, process and improvement actions need to be communicated to all concerned to ensure the effectiveness of ‘Management of Risk’. In the next slide we will look at recovery options.

3.124 Recovery Option

The IT Service Continuity Management strategy defines the recovery options that need to be adopted to support restoring critical business processes within agreed timescales. Let us now look at the different types of recovery options that can be adopted.
• Manual work-around: In certain cases manual work-around can be adopted to continue with the business operations. However, this would be effective for shorter durations and where the workload volumes are manageable.
• Reciprocal arrangements: This is an arrangement between two organisations, by way of an agreement to use the other organisation’s systems, infrastructure, applications or other resources in case of one organisation’s facilities and systems becoming non-operational due to a disaster.
• Gradual recovery: This option is also sometimes known as ‘cold standby’ and is normally adopted for non-critical services or for IT services supporting non-critical business processes. This type of recovery normally includes the provision of empty accommodation, fully equipped with power, environmental controls, local network cabling infrastructure, and telecommunications connections. The impacted organisation can install its own computer equipment and then gradually recover the services.
• Intermediate recovery: Also known as ‘warm standby’, this option is adopted by organisations that need to recover IT facilities within a predetermined time or recovery time objective to prevent impacts to the business process. In this option, normally, third-party commercial facilities are used which are fully equipped to start the operations as soon as possible.
• Fast recovery: This option is also known as ‘hot standby’. In this option, organisations will establish their own recovery site and install servers or systems with application systems and communications, and data mirrored from the operational servers. In the event of a system failure, the organisations can recover and switch over to the backup facility with little loss of service. This typically involves the re-establishment of the critical systems and services within a 24-hour period.
• Immediate recovery: This option is known by many other names like ‘hot standby’, ‘mirroring’, ‘load balancing’ or ‘split site’ and provides for immediate restoration of services, with no significant loss of service to the customer. IT equipment will be ‘dual located’ in either an owned or hosted location to be able to run the complete service from either location in the event of loss of one facility, with no loss of service to the customer. The second site can then be recovered while the service is provided from the single operable location. Though expensive, this option is adopted for critical business processes or vital business functions where non-availability, even for a short period, could result in a significant impact.
Let’s proceed to learn about technical plans in the next slide.

3.125 Technical Plans

Technical Plans
The Business Continuity Plan defines the steps required to restore business processes following a disruption. There are a number of additional plans that should be created and integrated with the Business Continuity Plan. We shall now discuss these technical plans.
• Emergency Response Plan: This plan details all the steps needed to interface with all emergency services and activities when a disaster occurs.
• Damage Assessment Plan: This plan contains the details of damage assessment contacts, processes and plans.
• Salvage Plan: This plan provides information on salvage contacts, activities and processes.
• Vital Records Plan: This is a very important plan providing details of all vital records and information, along with their location.
• Crisis Management and Public Relations Plan: This plan establishes and details the command and control of different crisis situations and the management of the media and public relations.
• Accommodation and Services Plan: This plan details the management of accommodation, facilities and the services necessary for the continued operation of business processes.
• Security Plan: This plan details how all aspects of security will be managed on home sites and recovery sites.
• Personnel Plan: This plan contains details of how personnel issues will be managed during a major incident or a disaster.
• Communication Plan: This is one of the most important plans required for business continuity. It details how all aspects of communication will be handled and managed with all relevant parties during a major incident.
• Finance and Administration Plan: This plan details the alternative methods and processes for obtaining emergency authorisation and access to required funds during a major incident or disaster.
Let’s look at risk reduction measures in the next slide.

3.126 Risk Reduction Measures

Risk Reduction Measures
During our discussion on Risk Management we have seen that risk management is concerned with the identification of risks and the selection and adoption of countermeasures to reduce the risks to an acceptable level. Organisations will have to adopt a balanced approach of risk reduction and service recovery. The risk reduction measures should be planned and implemented in conjunction with availability management. Some of the essential risk reduction measures are:
• Installation of uninterruptible power supply and backup power to the computers and systems
• Fault-tolerant systems for critical applications where even minimal downtime is unacceptable
• RAID arrays and disk mirroring for LAN servers to prevent data loss and to ensure continued availability of data
• Spare equipment or components to be used in the event of equipment or component failure
• The elimination of single points of failure, such as single access network points or a single power supply into a building
• Resilient IT systems and networks
• Outsourcing services to more than one service provider
• Greater physical and IT-based security controls
• Better controls to detect service disruptions, such as fire detection systems, coupled with suppression systems
• A comprehensive backup and recovery strategy, including off-site storage.
The next slide talks about Invocation Decision. Let’s see what it means.

3.127 Invocation Decision

Invocation Decision
When disasters or major incidents occur, the business continuity plans and IT service continuity plans should, if the situation requires, be invoked by the appropriate authority. Hence, these plans should include the invocation process and provide detailed guidance for various types of possible situations. Normally the authority to invoke rests with the ‘crisis management’ team, comprising senior managers from business and support departments, including IT. The following important points must be taken into consideration while taking a decision to invoke:
• Extent of the damage and scope of the potential invocation
• Likely length of the disruption and unavailability of premises and/or services
• Time of day, month, year and the potential business impact. When disasters occur during month-end or year-end, which is a critical accounting period, the impact to business is very high.
Similarly the IT Service Continuity Management Plan should include details of all activities that need to be undertaken in case of a disaster or major incident situation. These activities typically include:
• Retrieval of backup media or use of data vaulting to retrieve data
• Retrieval of essential documentation, procedures, workstation images, etc. which are stored off-site
• Mobilisation of the appropriate personnel to go to the recovery site to commence the recovery of required systems and services
• Contacting and putting on alert telecommunications suppliers, support services, application vendors, etc. who may be required to undertake actions or provide assistance in the recovery process.
So far we have discussed BIA, risks, managing risks, the impact of risks on business and the invocation decision. Next let us understand the key activities of the ITSCM process.

3.128 Key Activities

Key Activities The best way to represent a complex set of activities is through a simple diagram. The diagram on this slide shows the process flow, relationships and activities in a clear way. Both, Business Continuity Management and IT Service Continuity Management should follow a lifecycle and project-oriented approach to establish and execute respective strategies, plans and activities. The diagram clearly shows the lifecycle from initiation through to continual on-going operations. The Initiation and Requirements stages are principally Business Continuity Management activities and IT Service Continuity Management is only responsible to understand the relationship between the business processes and the impacts caused on them by loss of IT services. The initial business impact analysis and risk assessment activities result in creation of business continuity strategy. The IT service continuity strategy is then developed to underpin the business continuity strategy. The third stage of ‘Implementation’ is concerned with developing the IT service continuity plans based on the business continuity plans. This stage also includes IT Service Continuity Management producing the other plans like recovery plans, organisation planning, risk mitigation and test plans. The final stage is performing ‘on-going operation’. IT service continuity management should take care of educating and training all concerned staff members; perform periodic reviews and audits; perform regular tests and assess impact of changes on the plans. With this overview, we shall now discuss the IT Service Continuity Management lifecycle stages and activities in more detail.

3.129 Key Activities

Stage 1 – Initiation
Let us start with the Initiation stage. It must be noted that this stage is common for Business Continuity Management and IT Service Continuity Management and covers the whole organisation. The activities within the Initiation stage are:
• Policy setting: A policy detailing the management intention and objectives with respect to business continuity should be defined and publicised within the organisation. It should be especially communicated to all members who are involved in, or affected by, business continuity issues. This should be the starting point to make concerned members aware of their responsibilities and compliance requirements with respect to Business continuity and IT service continuity.
• Define scope and specify terms of reference: This activity is mainly concerned with defining the scope of the Business Continuity initiative. It should cover tasks such as performing risk assessment, conducting business impact analysis and determination of the command and control structure required to support a business interruption.
• Initiate a project: The best way to implement IT service continuity management is by adopting a project approach. A project should be initiated to bring IT service continuity management up to the ‘on-going operation’ stage. Project initiation includes allocation of resources for establishing and performing various IT service continuity planning and implementation activities; defining the project organisation and control structure; and agreeing project and quality plans with respect to expected deliverables.
In stage two we will discuss requirements and strategy.

3.130 Key Activities

Stage 2 – Requirements and strategy: We shall now move on to the second stage of the IT service continuity lifecycle. This stage is concerned with ascertaining the business requirements and developing the IT service continuity strategy. The key activities are: A business impact analysis should be performed with the key objective to quantify the impact on the business that would have occurred due to loss of an IT service. It should try to identify both ‘hard’ as well as ‘soft’ impacts. This activity enables the mapping of critical services, applications and technology components to critical business processes, thus helping to identify the IT Service Continuity Management elements that need to be provided. It should be ensured that senior business area representatives and supervisory staff views are sought while determining the probable impact to business due to loss of service. Another important activity within this stage is performing a ‘Risk assessment’. This includes assessment of the level of threat due to a disaster or major incident occurring and the extent to which an organisation is vulnerable to that threat. Conducting a formal risk assessment will result in a risk profile and helps determine appropriate risk responses or risk reduction measures to manage the risks. Wherever possible, appropriate risk responses shall be implemented to reduce either the impact or the likelihood, or both, of these risks from manifesting themselves. The next logical activity is to develop the ‘IT service continuity strategy’ in line with the business continuity needs. The strategy should be an optimum balance of risk reduction measures and service recovery options. Next, we will learn about implementation which is the third stage of the activities.


3.132 Key Activities

Stage 4 – On-going operation:
The final stage is ‘On-going operation’. This stage consists of the activities necessary to firmly establish the IT service continuity management capabilities and maintain them in an accurate and reliable state on an on-going basis. Let us look at the key activities in this stage.
• Education, awareness and training: This activity should cover the entire IT organisation and other relevant teams. This activity ensures that all staff are aware of the implications of business continuity and IT service continuity and that everyone involved in the plan has been trained to perform their actions.
• Review and audit: Regular review of all of the plans, deliverables and outputs from the IT service continuity management process needs to be undertaken to ensure that they remain current. The plans and test results should be important components of the audit and any non-conformances identified should be rectified within agreed timelines.
• Testing: Following the initial testing, it is necessary to establish a schedule of regular testing to ensure that the critical components of the strategy are tested in line with the business continuity plans. Also, all plans should be tested after every major business change or related IT change.
• Change management: The change management process should ensure that all changes are assessed for their potential impact on the IT service continuity management plans and that necessary changes are made to the plans as required. It is essential that a business impact analysis and a risk assessment are conducted on the new or changed service and the strategy and plans updated accordingly. The plans themselves must be under very strict change management and service asset and configuration management control.
So far we have learned about the key activities of the ITSCM process. Next, let us understand the roles of the ITSCM process manager.

3.133 Role - IT Service Continuity Management Process Manager

IT Service Continuity Management Process Manager
It is important to clearly define the roles and responsibilities for each process. This will help in ensuring that the process activities are performed as defined and that people are clearly aware of what falls within their scope of work. This basically determines the efficiency of the process. The responsibilities of the IT Service Continuity Management Process Manager include:
• Coordinating interfaces between IT service continuity management and other processes, especially service level management, information security management, availability management, capacity management and business continuity management
• Performing business impact analyses for all existing and new services
• Implementing and maintaining the IT service continuity management process, in accordance with the overall requirements of the organisation’s business continuity management process, and representing the IT services function within the business continuity management process
• Ensuring that IT service continuity management plans, risks and activities underpin and align with business continuity management plans and are capable of meeting the agreed and documented targets under any circumstances
• Performing risk assessment and risk management to prevent disasters where it is cost-justifiable and where practical
• Developing and maintaining the organisation’s continuity strategy
• Assessing potential service continuity issues and invoking the service continuity plan if necessary
• Ensuring that all IT service areas are prepared and able to respond to an invocation of the continuity plans
• Maintaining a comprehensive IT testing schedule including testing all continuity plans in line with business requirements and after every major business change
• Communicating and maintaining awareness of IT service continuity management objectives within the business areas supported and IT service areas
• Undertaking regular reviews, at least annually, of the continuity plans with the business areas to ensure that they accurately reflect the business needs.
Let’s now proceed to discuss the triggers, inputs and outputs of the process.

3.134 Triggers, inputs and outputs

Triggers, Inputs and Outputs We shall now discuss the triggers, inputs and outputs relating to the IT service continuity management process. Let’s begin with the ‘triggers’. The events that may trigger the IT service continuity management activities are:
• New or changed business needs, or new or changed services
• New or changed targets within agreements, such as Service Level Agreements, Operational Level Agreements or contracts
• The occurrence of a major incident that requires assessment for potential invocation of either business or IT continuity plans
• Periodic activities such as the Business Impact Analysis or risk assessment activities, maintenance of continuity plans or other reviewing, revising or reporting activities
• Assessment of changes and attendance at change advisory board meetings
• Review and revision of business plans, IT plans, strategies and designs
• Initiation of tests of continuity and recovery plans
• Lessons learned from previous continuity events and associated recovery activities.
Let’s look at the inputs now.

3.135 Triggers, inputs and outputs

Triggers, Inputs and Outputs The inputs to this process are:
• Business information from the organisation’s business strategy and plans
• IT information from the IT strategy, plans and current budgets
• The business continuity strategy and business continuity plans from all areas of the business
• Service information from the Service Portfolio, Service Catalogue and Service Level Management processes
• Financial information from financial management for IT services – this includes the cost of service provision and the cost of resources and components
• Change information from the change management process – including the change schedule and assessment of all changes for their impact on all IT Service Continuity Management plans
• Configuration Management System containing information on the relationships between the business, the services, the supporting services and the technology
• Business continuity management and availability management test schedules
• Capacity management information identifying the resources required to run the critical services in the event of a continuity event
• IT service continuity plans and test reports from suppliers and partners, where appropriate
Let’s proceed to the outputs.

3.136 Triggers, inputs and outputs

Triggers, Inputs and Outputs The ‘outputs’ from IT Service Continuity Management are:
• A revised IT Service Continuity Management policy and strategy
• A set of IT Service Continuity Management plans, including all crisis management plans, emergency response plans and disaster recovery plans, together with a set of supporting plans and contracts with recovery service providers
• Business Impact Analysis exercises and reports, in conjunction with Business Continuity Management and the business
• Risk assessment and management reviews and reports, in conjunction with the business, availability management and information security management
• An IT Service Continuity Management testing schedule, test scenarios and test reports and reviews.
Like any other process, let’s learn about interfaces of ITSCM in the next slide.

3.137 Interfaces

Interfaces IT Service Continuity Management interacts and interfaces with a number of service management processes. We shall discuss the key ones here.
• Change management: All changes need to be considered for their impact on the continuity plans. If amendments are required in the plan, updates in the plan need to be part of the change. The plan itself must be under change management control.
• Incident and problem management: Incidents can easily evolve into major incidents or disasters. Clear criteria need to be agreed and documented for the invocation of the IT Service Continuity Management plans.
• Availability management: Undertaking risk assessment and implementing risk responses should be closely coordinated with the availability process to optimise risk mitigation.
• Service level management: Recovery requirements will be agreed and documented in the Service Level Agreements. Different service levels for various services could be agreed and documented which may be applicable in a disaster situation.
• Capacity management: Ensuring that there are sufficient resources to enable recovery and replacement of computers following a disaster.
• Service asset and configuration management: The Configuration Management System documents the components that make up the infrastructure and the relationship between the components. This information is invaluable for all the stages of the IT Service Continuity Management lifecycle, the maintenance of plans and recovery facilities.
• Information security management: A very close relationship exists between IT Service Continuity Management and information security management. A major security breach could be considered as a disaster, so when conducting Business Impact Analysis and risk assessment, security will be a very important consideration.
Let’s now understand the CSFs and KPIs of ITSCM process.

3.138 CSFs and KPIs

CSFs and KPIs A process design is incomplete without the identification of critical success factors and key performance indicators. These are essential to build efficiency and for continual process improvements. Let us now look at a few examples of critical success factors and key performance indicators relating to IT Service Continuity Management process. The most important critical success factor for this process is that ‘IT services are delivered and can be recovered to meet business objectives’. The related key performance indicators are “Regular audits of the IT Service Continuity Management Plans to ensure that, at all times, the agreed recovery requirements of the business can be achieved”; that “All service recovery targets are agreed and documented in Service Level Agreements and are achievable within the IT Service Continuity Management Plans” and performing “Regular and comprehensive testing of IT Service Continuity Management Plans”.

3.139 CSFs and KPIs

Another critical success factor is ‘Awareness throughout the organisations of the IT Service Continuity Management plans’. The related key performance indicators are “Ensuring awareness of business impact, needs and requirements throughout IT”; “Ensuring that all IT service areas and staff are prepared and are able to respond to an invocation of the IT Service Continuity Management Plans” and “Regular communication of the IT Service Continuity Management objectives and responsibilities within the appropriate business and IT service areas”. Next, let us discuss the challenges and risks.

3.140 Challenges

Challenges Some challenges that could evolve during the design and implementation of IT Service Continuity Management process are:
• Developing and providing IT Service continuity plans, when there is no Business Continuity Management process existing, is a major challenge that may be faced by IT service continuity management. This may lead to making incorrect assumptions about criticality of business processes resulting in wrong continuity strategies and plans.
• Another challenge that may be faced could be business perception that continuity is an IT responsibility. In such cases the business assumes that IT will be responsible for disaster recovery and timely restoration of IT services. This even becomes a big challenge in outsourced situations where business may be reluctant to share its business continuity information with the suppliers.
• Aligning IT service continuity management with business continuity management can be another challenge that may come up where both Business Continuity Management and IT Service Continuity Management are in place. Accurate information and timely updates about changes from Business Continuity Management are essential for proper alignment and integration of both the processes.
Let’s look at the risks in the next slide.

3.141 Risks

Risks We shall now look at some of the key risks associated with this process. These are:
• Lack of Business Continuity Management process
• Lack of commitment from the business to the IT Service Continuity Management process and procedures
• Lack of appropriate information on future business plans and strategies
• Lack of senior management commitment or a lack of resources and/or budget for the IT Service Continuity Management process
• The processes focus too much on the technology issues and not enough on the IT services and the needs and priorities of the business
• Risk assessment and management are conducted in isolation and not in conjunction with availability management and information security management
• Business Continuity Management plans and information become out of date and lose alignment with the information and plans of the business and Business Continuity Management.
Let’s learn about information security management in the next slide.

3.142 Information Security Management

Information Security Management As organisations grow, one essential area to focus on is managing business information, customer information and the organisation’s own information. Customers and businesses expect that their information should be secure and the required level of confidentiality maintained. This need has led to a significant focus on ‘Information security management’. Information security management is an organisational level process and is a critical component of the corporate governance framework. ISO/IEC 27001 is the formal standard against which organisations seek independent certification of their Information Security Management System. The purpose of the Information Security Management process is to align IT security with business security and ensure that the confidentiality, integrity and availability of the organisation’s assets, information, data and IT services always match the agreed needs of the business. The objectives of this process are to ensure that:
• Information is observed by or disclosed to only those who have a right to know – i.e. to maintain confidentiality;
• Information is complete, accurate and protected against unauthorised modification – basically maintaining integrity;
• Information is available and usable when required, and the systems that provide it can appropriately resist attacks and recover from or prevent failures; and
• Business transactions, as well as information exchanges between enterprises, or with partners, can be trusted. In other words, the information should be authentic.
We will now look into the scope of information security management.

3.143 Information Security Management

Scope The information security management process should be the focal point for all IT security issues. It should understand the total IT and business security environment and ensure that all the current and future security aspects and risks of the business are cost-effectively managed. Prioritisation of confidentiality, integrity and availability must be considered in the context of business and business processes and the requirements for information security must come from the business. The scope of Information Security Management includes:
• The production, maintenance, distribution and enforcement of an information security policy and supporting security policies
• Understanding the agreed current and future security requirements of the business and the existing business security policy and plans
• Implementation of a set of security controls that support the information security policy and manage risks associated with access to services, information and systems
• Documentation of all security controls, together with the operation and maintenance of the controls and their associated risks
• Management of suppliers and contracts regarding access to systems and services, in conjunction with supplier management
• Management of all security breaches, incidents and problems associated with all systems and services
• The proactive improvement of security controls, and security risk management and the reduction of security risks
• Integration of security aspects within all other IT Service Management processes
We will now look into the most valuable benefits provided by information security management.

3.144 Value to Business

Value to Business Information Security Management is one process that provides the most valuable benefits to the business. It involves a holistic approach covering security of assets, information, data, HR policies and regulations and access to premises, systems and repositories. The key benefits from this process are: Information security management ensures that an information security policy is maintained and enforced in a way that it fulfils the needs of the business security policy and the requirements of corporate governance. It raises awareness of the need for security within all IT services and assets throughout the organisation, ensuring that the policy is appropriate for the needs of the organisation. This process provides assurance of business processes by enforcing appropriate security controls in all areas of IT by managing IT risk in line with business and corporate risk management processes and guidelines. Let’s move on to the next slide to learn about the security framework.

3.145 Security Framework

Security Framework The organisation’s information security management should be based on a formal framework constituting all the elements required for effective security of business and customer information assets. The key elements to consider are:
• Establishing an Information Security Policy and specific security policies that address each aspect of strategy, controls and regulation
• Setting up a Security Management Information System containing the standards, management procedures and guidelines supporting the information security policies
• A comprehensive security strategy, that is closely linked to the business objectives, strategies and plans.

3.146 Security Framework

• An effective security organisational structure with clearly defined roles and responsibilities
• A set of security controls to support the policy
• The management of security risks through formal risk assessment and risk management procedures
• A set of monitoring processes to ensure compliance to laid down processes, procedures and policies and to provide feedback on effectiveness
• A well-defined communications strategy and plan for security management and compliance
• Adequate training and awareness strategy and plan, covering the entire organisation.
Let’s look into the information security policy in the next slide.

3.147 Information Security Policy

Information Security Policy The first step towards Information Security Management is defining the organisation level Information Security Policy and publicising the same to all relevant parties, including staff, suppliers, and customers. Information Security Management activities should be focused on and driven by an overall Information Security Policy and a set of underpinning specific security policies. The policy should cover all areas of security, be appropriate, meet the needs of the business and should include:
• An overall Information Security Policy
• Use and misuse of IT assets policy
• An access control policy
• A password control policy
• An e-mail policy
• An internet policy
• An anti-virus policy

3.148 Information Security Policy

• An information classification policy
• A document classification policy
• A remote access policy
• A policy on supplier access of IT services, information and components
• An asset disposal policy
The policies should be reviewed and authorised by top executive management within the business and IT, and compliance with them should be endorsed on a regular basis. Also, these policies should be widely available to all customers and users, and the compliance requirements should be referred to in all Service Level Agreements, Operational Level Agreements, and underpinning contracts. Let’s now learn about the information security management system.

3.149 Information Security Management System

Information Security Management System The information security management system is the framework of policy, processes, functions, standards, guidelines and tools that ensures that an organisation can achieve its information security management objectives. This system provides a basis for the development of a cost-effective information security program that supports the business needs and objectives. There are five elements in the Information Security Management System which are essential for enforcing information security processes and controls systematically and consistently throughout the organisation. These elements are:
• Control
• Plan
• Implement
• Evaluate
• Maintain
We shall be discussing these five elements in detail in the following slides. ISO/IEC 27001 is the formal standard against which organisations may seek independent certification of their Information Security Management System.

3.150 Elements of ISMS

Elements of ISMS We shall now discuss the five elements of Information Security Management System in more detail.
The first element is ‘Control’. Top management focus and involvement is essential in initiating a strong Information Security Management system. In this direction the key areas of this element are:
• Establishing a management framework to initiate and manage Information security in the organisation
• Establishing an organisation structure to prepare, approve and implement the information security policy
• Allocating responsibilities to appropriate and relevant people
• Establishing and controlling all documentation
The second element is ‘Planning’. This involves devising and recommending the appropriate security measures based on an understanding of the requirements of the organisation. These requirements are gathered from business and service risks, plans and strategies, service level agreements, operational level agreements, and legal, moral and ethical responsibilities that are generally applicable for information security.
The third element is ‘Implementation’. The key objective of ‘Implementation’ is to ensure that appropriate procedures, tools and controls are in place to underpin the Information Security Policy. This includes establishing accountability for assets and guidelines for information classification.

3.151 Elements of ISMS

The fourth element is to ‘Evaluate’. Once the policy, processes, procedures and controls are implemented, the next logical step is to regularly monitor, audit and ensure compliance. Hence, this element covers:
• Supervision and regular checking of compliance with the security policy and security requirements in Service Level Agreements and Operational Level Agreements
• Carrying out regular audits of the technical security of IT systems
• Providing information to external auditors and regulators, where required
The fifth element is to ‘Maintain’. Based on non-compliances identified in audits, recommendations from staff and industry best practices, the established Information Security Management Systems should be continuously improved to meet the evolving and changing business, legal and ethical requirements. This includes:
• Improving security agreements as specified in Service Level Agreements and Operational Level Agreements
• Improving the implementation of security measures and controls across the organisation.
Let’s look into the framework for managing security.

3.152 Framework for Managing Security

Framework for Managing Security The information security management system and the five elements that we discussed so far are presented diagrammatically in this slide. Two important points that we need to observe here are: We need to recognise that customer requirements and business needs are the most important inputs based on which, the complete framework and system should be designed, implemented and managed. ‘Control’ element is the key driver around which the remaining four elements operate. It indicates management intention, commitment and involvement in the whole process of establishing an effective Information Security Management System. Let’s learn about the security governance in the next slide.

3.153 Security Governance

Security Governance By now we clearly understand that Information Security Management is an important component of the overall corporate governance framework. In this context, the Information Security Governance is concerned with providing strategic direction for security activities and ensuring that the security objectives are achieved. Information security governance, when properly implemented, is expected to provide the following outcomes:
The first and foremost outcome is ‘Strategic alignment’. This includes:
• Ensuring that the security requirements are driven by enterprise requirements; and
• Ensuring that the security solutions are well integrated into enterprise processes.
The second expected outcome is ‘Value delivery’. By implementing Information Security Management, the value delivered to business and customers basically involves:
• Establishing a standard set of security practices which are in line with industry best practices; and
• The effort involved in executing Information Security activities is properly prioritised and distributed to areas with greatest impact and business benefit.
The third outcome is ‘Risk management’. Corporate governance should focus on ascertaining that risks are properly managed. In this direction the Information Security Governance is responsible for:
• Agreeing the risk profile with the business;
• Creating an awareness of risk management priorities amongst top management and the business; and
• Ensuring that appropriate risk responses like mitigation, acceptance or deference are in place.

3.154 Security Governance

The fourth expected outcome from Information Security Governance is ‘Performance Management’. The processes, the risk reduction and response measures put in place should be continuously monitored and reports generated to ascertain if these are performing as desired to meet the set objectives. The key deliverables are:
• Defined, agreed and meaningful set of metrics covering all areas of information security; and
• A well designed and implemented measurement process that will help identify shortcomings and provide feedback for course corrections and improvements.
The fifth outcome is ‘Resource management’. This includes:
• Capturing all relevant knowledge and ensuring that it is available to the right people at the right time; and
• Well-documented and up-to-date security processes and practices which are version controlled and managed as configuration items, if required.
The sixth and final expected outcome, which is very vital, is ‘Business process assurance’. This is possible by enforcing appropriate security controls in all areas of IT and by managing IT risk in line with business and corporate risk management processes and guidelines.
Let’s move on to the security controls in the next three slides.

3.155 Security Controls

Security Controls We are very well aware that security is an important element of the ‘warranty’ of a service. Hence, information security must be an integral part of all services and systems. It is an on-going process that needs to be continuously managed using appropriate security controls. A set of security controls should be designed to support and enforce the information security policy and to mitigate all identified risks and threats. The following are the various measures that can be adopted to prevent or handle security incidents that may occur.
Preventive Measures: ‘Prevention is better than cure’ is an age old adage and the same is applicable to information security as well. Appropriate security measures should be put in place to prevent security incidents from occurring. These include control of access rights, authorisation, identification and authentication. An example of preventive measure is: allocation of access rights to a limited group of authorised people.
Reductive Measures: Further measures can be taken in advance to minimise any possible damage that may occur. These are proactive measures to ensure that impact to business is reduced and services can be restored as soon as possible in case of security incident. Examples of reductive measures that we can think of are: taking regular backups and the development, testing and maintenance of contingency plans.

3.156 Security Controls

Detective Measures: These are specific measures put in place, especially through monitoring and event management tools, to detect a security incident as soon as possible. This is essential to reduce the impact and for early resolution of the incident. Examples are: monitoring linked to an alerting procedure, or virus-checking software.
Repressive Measures: These are used to counteract any continuation or repetition of the security incident. It is essential to restrict the incident from impacting more systems, components or users. Examples of repressive measures are: temporarily blocking an account or network address after numerous failed attempts to log on, or the retention of a credit card when multiple attempts are made with a wrong PIN number.

3.157 Security Controls

Corrective Measures: These are measures put in place or identified to repair the damage caused by security incidents. The resolutions provided should be properly tested to correct the issue completely. Examples are: Restoring a backup, or returning to a previous stable situation through roll-back or back-out. Let us now understand the process activities in the next slide.

3.158 Process Activities

Process Activities We now understand the importance of Information Security within IT service management and appreciate the fact that the information security management process is mainly concerned with aligning IT security with business security. It ensures that the confidentiality, integrity and availability of the organisation’s assets, information, data and IT services always matches the agreed needs of the business. All the process activities designed should focus on achieving this purpose. The key activities of the Information Security Management Process are:
• Production and maintenance of an overall Information Security Policy and a set of supporting specific policies covering all areas of security. The information security policy should have the full support of top executive IT management.
• Communication, implementation and enforcement of the security policies and providing advice and guidance to all other areas of the business and IT on all information security-related issues.
• Assessment and classification of all information assets and documentation. This classification should be based on the sensitivity of information and the impact of disclosure.
• Implementation, review, revision and improvement of a set of security controls and risk assessment and responses. This includes assessment of the impact of all changes on information security policies, controls and measures and implementation of proactive measures to improve information security wherever it is cost-justifiable and meets business requirements.
• Monitoring and management of all security breaches and major security incidents. Relevant detective, repressive and corrective actions should be implemented.
• Analysis, reporting and reduction of the volumes and impact of security breaches and incidents. It should be integrated into and performed through the Incident Management process.
• Schedule and completion of security reviews, audits and penetration tests. This includes preparation of reports and subsequent follow-up of actions to rectify non-conformances.
In the next two slides we will learn about the role of information security management process manager.

3.159 Role - Information Security Management Process Manager

3.160 Role - Information Security Management Process Manager

• Developing and documenting procedures for operating and maintaining security controls
• Participating in any security reviews arising from security breaches and instigating remedial actions
• Ensuring that confidentiality, integrity and availability of the services are maintained at the levels agreed in the Service Level Agreements and that they conform to all relevant statutory requirements
• Ensuring that all access to services by external partners and suppliers is subject to contractual agreements and responsibilities
• Acting as a focal point for all security issues.
We will now learn about the key triggers to information security management process.

3.161 Triggers

Triggers Process activities are triggered by events. The key triggers to Information Security Management Process are:
• New or changed corporate governance guidelines and business security policy
• New or changed corporate risk management processes and guidelines
• New or changed business needs or new or changed services
• New or changed requirements within agreements, such as Service Level Agreements, Operational Level Agreements or contracts
• Review and revision of business and IT plans and strategies
• Review and revision of designs and strategies
• Service or component security breaches or warnings, events and alerts, including threshold events, exception reports
• Periodic activities, such as reviewing, revising or reporting, including review and revision of information security management policies, reports and plans
• Recognition or notification of a change of risk or impact of a business process, vital business function, an IT service or component
• Requests from other areas, particularly Service Level Management for assistance with security issues.
Let us now learn about the key inputs required to ensure the efficient performance of the process activities.

3.162 Inputs

The Information Security Management team should adopt an investigative and analytical approach and seek all relevant inputs to ensure that the process activities are performed in the most efficient way. The key inputs to this process are:
• Business information from the organisation’s business strategy, business plans, financial plans, and information on their current and future requirements
• Governance and Security information from corporate governance and business security policies and guidelines, security plans, risk analysis and responses
• IT information from the IT strategy and plans and current budgets
• Service information from the Service Level Management process with details of the services from the Service Portfolio and the Service Catalogue and service level targets within Service Level Agreements
• Risk Analysis information and reports from Availability Management and IT Service Continuity Management
• Details of all security events and breaches from all areas of IT and Service Management, especially Incident Management and Problem Management
• Change information from the Change Management process, including Change Schedule and requests for assessment of changes for their impact on all security policies, plans and controls
• Configuration Management System containing information on the relationships between the business, the services, supporting services and the technology
• Details of partner and supplier access from Supplier Management and Availability Management on external access to services and systems

Let’s learn about the outputs generated by the information security management process in the next slide.

3.163 Outputs

A number of important outputs are generated by the Information Security Management Process, which are used by many other service management processes, business areas and executive management. These include:
• An overall Information Security Management Policy, together with a set of specific security policies
• A Security Management Information System, containing all the information relating to Information Security Management
• Revised security risk assessment information and reports
• A set of security controls, together with details of the operation and maintenance and their associated risks
• Security audits and audit reports, both internal as well as external
• Security test schedules and plans, including security penetration tests and other security tests and reports
• A set of security classifications and a set of classified information assets
• Reviews and reports of security breaches and major incidents
• Policies, processes and procedures for managing partners and suppliers and their access to services and information

Let’s learn about interfaces in the next slide.

3.164 Interfaces

Integration of the various service management processes is the key for the success of individual processes as well as the overall service management. Information security management interfaces and interacts with a number of other processes. The key interfaces are as follows:
• Information Security Management helps Service Level Management in determining the security requirements and responsibilities and their inclusion within Service Level Requirements and Service Level Agreements. This process also helps in the investigation and resolution of service and component security breaches.
• Access management process is concerned with granting and revoking access to facilities, systems, applications and repositories. These are based on the policies defined by information security management.
• Information security management assists Change Management with the assessment of every change for impact on security and security controls. Also, Information Security Management can provide information on unauthorised changes that resulted from security breaches.
• Information security management assists Incident and Problem management with the resolution and subsequent justification and correction of security incidents and problems. Service Desk and Incident Management teams must be able to ‘recognise’ security incidents and escalate them as required.
• Information security management works collaboratively with IT Service Continuity Management on the assessment of business impact and risk, and the provision of resilience, fail-over and recovery mechanisms. Security is an important element that needs to be considered when continuity plans are tested or invoked.
• Service Asset and Configuration Management provides accurate asset information and this helps Information Security Management with proper classification of assets. This will further determine the security controls required for these assets.
• Availability management is responsible for ensuring that the security requirements are defined and incorporated within the overall availability design. Information Security Management works collaboratively with availability management to conduct integrated risk assessment and management exercises.
• Capacity management must consider security implications when selecting and introducing new technology. This process should also analyse how security requirements can impact or influence capacity sizing.
• Financial management for IT services is responsible for providing adequate funds for meeting security requirements or implementing security controls.
• Information Security Management collaborates with Supplier management to ensure security aspects are considered while providing access to services and systems, and the terms and conditions to be included within contracts concerning supplier security responsibilities.
• Information Security Management should work closely with Legal and Human Resource departments to ensure that adequate measures are put in place to ensure that employees are trained and made aware of security requirements and also to deal with security breaches caused by employees or other parties.

In the next slide we will learn about the critical success factors and key performance indicators.

3.165 CSFs and KPIs

CSFs and KPIs Critical success factors are those elements that need to invariably happen for the success of the process. These are determined based on the objectives of the process. The key performance indicators are used to measure the achievement of the critical success factors. These achievements should be monitored and used to identify opportunities for process improvements. The most relevant critical success factor that should be considered for the Information Security Management process is to ensure that “the Business is protected against security violations”. The related key performance indicators are “Percentage decrease in security breaches reported to the Service Desk”; “Percentage decrease in the impact of security breaches and incidents”; and “Percentage increase in SLA conformance to security clauses”. Another important critical success factor for this process is to have “a clear and agreed Information Security policy that is integrated with the needs of the business”. The relevant key performance indicator would be “Decrease in the number of non-conformances of the Information Security Management process with the business security policy and process”.

3.166 CSFs and KPIs

Another critical success factor that can be considered is establishing “Security procedures that are justified and supported by senior management”. The related key performance indicators are “Increase in the acceptance and conformance of security procedures” and “Increased support and commitment of senior management”. The next critical success factor that may be considered is putting in place “A mechanism for continuous improvement”. The related key performance indicators are “The number of suggested improvements to security procedures and controls” and “Decrease in the number of security non-conformances detected during audits and security testing”. Let us move on to the challenges faced by organisations while establishing information security policy, process and control.

3.167 Challenges

Challenges Organisations may face a number of challenges while establishing Information Security Policy, Process and controls. The key challenge is to ensure that there is adequate support from the business, business security and senior management. IT services and assets are mainly used by business and customers. If support is not available from business and senior management, it is extremely difficult to implement an effective Information Security Management process. Another challenge that may be faced is ‘the Business perception that security is an IT responsibility’ and hence IT should take care of all aspects of information and service security. This perception can only be changed by conducting awareness sessions and senior management support. Another challenge could be ‘Alignment and integration of Information Security with business security process’. Information security management must ensure that accurate information is obtained from the business security process on the needs, risks, impacts and priorities of the business and that the information security management policies, plans, processes and control are aligned and integrated with those of the business. We will now learn about risks in the next slide.

3.168 Risks

A number of risks may be associated with the implementation and maintenance of the Information Security Management process. Some of the key risks are:
• Growing potential for misuse and abuse of information systems affecting privacy and ethical values
• External dangers from hackers, leading to denial-of-service and virus attacks, extortion, industrial espionage and leakage of organisational information or private data
• A lack of commitment from the business to the information security management process and procedures and a lack of appropriate information on future plans and strategies
• A lack of senior management commitment or a lack of resources and/or budget for the information security management process
• The processes focusing too much on technology issues and not enough on the IT services and the needs and priorities of the business
• Risk assessment and management being conducted in isolation and not in conjunction with availability management and IT Service Continuity Management
• Information security management policies, plans, risks and information becoming out of date and losing alignment with the corresponding relevant information and plans of the business and business security
• Security policies becoming bureaucratic and/or excessively difficult to follow, discouraging compliance
• Security policies adding no value to business

Let’s learn about supplier management in the next slide.

3.169 Supplier Management

Supplier Management In present global and competitive market environments, IT organisations have to depend on external suppliers for vast and varied types of requirements ranging from small infrastructure components to sophisticated services to market research and analysis to transformational solutions. Hence, suppliers are more formally treated as partners rather than mere providers of goods and services. It is therefore essential to establish a robust supplier management process which should be integrated across all lifecycle phases. The purpose of Supplier Management process is to obtain value for money from suppliers and to provide seamless quality of IT service to the business by ensuring that all contracts and agreements with suppliers support the needs of the business and that all suppliers meet their contractual commitments. We’ll now learn about the objectives of supplier management in the next slide.

3.170 Supplier Management

Objectives

The objectives of this process are to:
• Obtain value for money from suppliers and contracts for the goods and services sourced and used for delivering services required by the business and customers
• Ensure that contracts with suppliers are aligned to business needs, and support and align with agreed targets in Service Level Requirements and Service Level Agreements, in conjunction with Service Level Management
• Manage relationships with suppliers as relevant at strategic, tactical and operational levels
• Manage supplier performance through regular monitoring, review and analysis
• Negotiate and agree contracts with suppliers and manage them through their lifecycle
• Maintain a supplier policy and a supporting supplier and contract management information system to support selection, performance management and contract renewal decisions

Let’s learn about the scope of supplier management process in the next slide.

3.171 Supplier Management

Scope

The supplier management process should include the management of all suppliers and contracts needed to support the provision of IT services to the business. It should ensure compliance with organisational or corporate standards, guidelines and requirements, particularly those related to legal, finance and procurement. In particular the scope should cover:
• Implementation and enforcement of the supplier policy
• Maintenance of a Supplier and Contract Management Information System
• Supplier and contract categorisation and risk assessment
• Supplier and contract evaluation and selection
• Development, negotiation and agreement of contracts
• Contract review, renewal and termination
• Management of suppliers and supplier performance
• Identification of improvement opportunities for inclusion in the Continual Service Improvement register, and the implementation of service and supplier improvement plans
• Maintenance of standard contracts, terms and conditions
• Management of contractual dispute resolution
• Management of sub-contracted suppliers

Let’s learn about adding value to business in the next slide.

3.172 Value to Business

Treating suppliers as partners by itself shows the importance given to this process in the overall service management. The key benefits derived from establishing a formal Supplier Management process are:
• Provides value for money from suppliers and contracts by ensuring that all targets in underpinning supplier contracts and agreements are aligned to business needs and agreed targets within Service Level Agreements
• Ensures the delivery to the business of end-to-end, seamless, quality IT services that are aligned to the business’ expectations
• Ensures alignment with all corporate requirements and the requirements of all other IT and service management processes

Let’s learn about the supplier policies adopted by the organisation in the next slide.

3.173 Policies

The supplier policies adopted by an organisation are the documented management directions that will guide supplier related decisions and ensure the correct execution of the defined strategy. These documented policies must be circulated and made available to all concerned so that they may be adhered to while performing supplier management activities. Supplier policies may cover areas such as:
• The acceptable methods for communication with potential suppliers before and during the solicitation, bidding and procurement
• Allocation of roles and responsibilities – who is authorised to interact with suppliers and who is not
• Rules regarding accepting gifts or promotional items from suppliers
• Supplier standards, legal and government regulations to be followed where specifically required
• Standards and guidelines for various supplier contract types and/or agreement types
• Data ownership and access policies, when suppliers are involved, developed in collaboration with Information security management

Let’s learn about the supplier in the next slide.

3.174 Supplier

Ever changing global markets, emerging technologies and complex business demands require a variety of skills and capabilities to support provision of a comprehensive set of IT services to the business and customers. Before we proceed with discussing the Supplier Management process activities, let us understand some basic concepts related to this process. First let us look at the definition of a ‘Supplier’. A supplier is a third party responsible for supplying goods or services that are required to deliver IT services. The suppliers for required goods and services are selected through a defined process of solicitation, bidding and selection. The relationship with suppliers can exist at various levels like strategic, tactical and operational. Some examples of suppliers are:
• Commodity hardware and software vendors
• Network and telecom providers
• Outsourcing Organisations

Next, we will learn about underpinning contracts and agreements.

3.175 Underpinning contracts and agreements

A contract is a legally binding agreement between two or more parties, more specifically between the customer and supplier. An underpinning contract is a contract between an IT service provider and a third party supplier. The third party supplier provides goods or services that support delivery of IT services to a customer. The underpinning contract defines targets and responsibilities that are required to meet agreed service level targets in the service level agreements. The contents of a basic underpinning contract or service agreement are:
• The basic terms and conditions covering the duration of the contract, the parties involved, locations covered, scope of services or deliverables, definitions and commercial basis.
• The service description and scope which includes the functionality of the services being provided, its extent and constraints on the service delivery.
• The service standards detailing the service measures and the minimum levels that constitute acceptable performance and quality. These service levels must be realistic, measurable and aligned with the organisation’s business priorities and underpin the agreed targets within Service Level Requirements and Service Level Agreements.
• The workload ranges, which are basically the volume ranges within which service standards apply, or for which particular pricing regimes apply.
• The management information covering the most important reporting measures on which the relationship will be assessed. Key Performance Indicators related to supplier Critical Success Factors and balanced scorecards may form the core of reported performance data.
• A responsibilities and dependencies section describing the obligations of the service provider and of the supplier including communication, contacts and escalation.

An extended service agreement may also contain:
• The service debit and credit regime or incentives and penalties applicable
• Additional performance criteria based on which supplier performance will be evaluated

In the next slide we will continue with the legal and commercial topics covered in the underpinning contracts and agreements.

3.176 Underpinning contracts and agreements

A contract is a legally binding agreement between the service provider and the supplier. The nature and extent of an agreement between a service provider and supplier depends on the relationship type and an assessment of the risks involved. Hence, the contract document should be as comprehensive as possible so that it minimises the risk of disputes arising from a difference of expectations and understanding. The legal and commercial topics typically covered by a service or contractual agreement include:
• Scope of services to be provided
• Service performance requirements
• Division and agreement of responsibilities
• Contact points, communication and reporting frequency and content
• Contract review and dispute resolution processes
• Price structure
• Payment terms
• Commitments to change and investment
• Agreement change process
• Confidentiality and announcements
• Intellectual property rights and copyright
• Liability limitations
• Termination rights of each party
• Obligations at termination and beyond

We will next learn about supplier and contract management information system or SCMIS.

3.177 Supplier and Contract Management Information System(SCMIS)

A supplier and contract management information system is a set of tools, data and information that is used to support the supplier management process. Establishing this management information system helps achieve consistency and effectiveness in the implementation and execution of the supplier policy and the supplier management process. Ideally the Supplier and contract management information system should form an integrated element of a comprehensive Service Knowledge Management System, recording all supplier and contract details, the type of services or products provided by each supplier, and all other information and relationships with other associated service components. This information within the supplier and contract management information system will provide a complete set of reference information for the supplier management procedures and activities including:
• Definition of new supplier and contract requirements
• Evaluation and set up of new suppliers and contracts
• Supplier categorisation and maintenance of the Supplier and contract management information system
• Establishing new suppliers
• Management of suppliers and their performance and of the associated contracts
• Contract renewal or termination

Let’s learn about the supplier categories in the next slide.

3.178 Supplier categories

Supplier Categories Categorisation of suppliers is an essential factor for the efficient management of suppliers and supplier performance. This helps in planning the appropriate level of focus towards the different types of suppliers. Suppliers can be categorised in many ways. However, it is a good practice to categorise them based on assessing the risk, impact, value and importance of the supplier and its services to the business. The amount of time and effort required for managing the supplier and the relationship can then be appropriate to its categorisation. The typical supplier categories can be – Strategic, Tactical, Operational and Commodity suppliers. Let us now discuss the parameters of each of these categories. Strategic Suppliers are those with whom the service provider organisation enters into significant ‘partnering’ relationships that involve senior managers sharing confidential strategic information to execute long-term plans. These relationships would normally be managed and owned at a senior management level and would involve regular and frequent contacts and performance reviews. Tactical Supplier category normally represents areas that involve significant commercial activity and business interaction. These relationships are managed by middle management and would involve regular interactions and performance reviews including on-going improvement programmes.

3.179 Supplier categories

Operational suppliers are suppliers of operational products and services. Normally managed by junior operational management, this relationship also requires regular interactions and performance reviews. Commodity supplier category includes suppliers providing low-value and readily available products and services that could be procured from alternative sources as well. We’ll move on to next slide to understand process activities, methods and techniques.

3.180 Process activities, methods and techniques

The supplier management process ensures that suppliers and the services they provide are managed to support IT service targets and business expectations. A prerequisite to supplier management process is establishing supplier strategy and supplier policies. When dealing with external suppliers, it is strongly recommended that a formal comprehensive contract with clearly defined, agreed and documented responsibilities and targets is established and managed through the stages of its lifecycle, from the identification of the business need to the operation and cessation of the contract; this minimises the risk of disputes arising from a difference of expectations. The contracts and agreements with suppliers should also be flexible so that they are maintainable and support changes with a minimum amount of renegotiation. We shall now discuss the Supplier Management Process activities in a logical flow.

The first activity is ‘Definition of new supplier and contract requirements’. This involves identifying the business need and preparation of the business case. The sourcing options are identified and evaluated, costs and timescales are estimated, targets and benefits are listed and an initial risk assessment performed. This activity is also responsible for producing the 'statement of requirements' and the 'invitation to tender'.

The next activity is ‘Evaluation of new suppliers and contracts’. The tasks involved are identification of purchase or procurement method and establishing the evaluation criteria. Based on the evaluation criteria, the suppliers are shortlisted and final supplier is selected. The required contracts, targets, terms and conditions are negotiated, agreed and documented. The contract is finally awarded to the selected supplier.

The third activity is ‘Supplier categorisation and maintenance of the supplier and contract management information system’. This activity is performed initially as well as on an on-going basis. In this activity, the supplier and contract are assessed and changes required in the contract, targets, responsibilities or terms and conditions are mutually agreed and incorporated. This activity also includes categorisation of the supplier as strategic, tactical, operational or commodity supplier based on the value and risk associated with the relationship. The supplier and contract management information system is updated with all relevant documents and details and the information maintained on an on-going basis.

The fourth activity is ‘Establishment of new suppliers and contracts’. This involves setting up the supplier service and contract in the service provider organisation and the supplier and contract management information system. The service is transitioned and if any transfer of service from current incumbent or service provider is required, it is executed. All relevant contacts and relationships between service provider organisation and the supplier organisation are established.

The fifth and most crucial activity is ‘Supplier, contract and performance management’. This involves managing and controlling the operation and delivery of service or products. The services delivered by the supplier are regularly monitored, reported, reviewed and improvement actions taken if required. This activity is also responsible for managing the relationship and periodic review, at a minimum annually, of the service scope against business need, targets and agreements.

The final activity is ‘Contract renewal or termination’. This is mainly concerned with planning and executing either the termination of the contract or the renewal or extension of the contract. An analysis of the benefits derived in comparison with the initial objectives and expectations is performed along with a definition of on-going requirements. Where required the contracts are renegotiated and renewed, else, the contract is terminated. This activity also takes care of transitioning the service to new supplier or internal resources where required.

3.181 Supplier Management Process

You can now see the supplier management process flow chart in this slide. It depicts all the activities of the process we discussed, the sequence in which these are performed along with the relationships to supplier strategy and policy and the supplier and contract management information system. Please spare a few minutes to go through, analyse and relate the flow to our earlier discussion. In the next slide we will discuss the role of supplier management process manager.

3.182 Role - Supplier Management Process Manager

The role of Supplier Management Process Manager is very important within the overall service management practice. Service providers depend on different types of suppliers for a varied number of products and services. The process manager becomes a key link between the service provider organisation and the supplier ensuring that the goods and services delivered by suppliers are aligned to business needs. The key responsibilities of the Supplier Management Process Manager are:
• Coordinating interfaces between supplier management and other processes, especially service level management and corporate vendor management and/or procurement processes
• Providing assistance in the development and review of Service Level Agreements, contracts, agreements or any other documents for third-party suppliers
• Ensuring that value for money is obtained from all IT suppliers and contracts
• Ensuring that all IT supplier processes are consistent and interface with all corporate supplier strategies, processes and standard terms and conditions
• Maintaining and reviewing a supplier and contract management information system
• Reviewing and making risk assessments of all suppliers and contracts on a regular basis

3.183 Role - Supplier Management Process Manager

• Ensuring that any underpinning contracts, agreements or SLAs developed are aligned with those of the business
• Performing contract or Service Level Agreement reviews at least annually, and ensuring that all contracts are consistent with organisational requirements and standard terms and conditions wherever possible
• Updating contracts or Service Level Agreements when required, ensuring that the change management process is followed
• Maintaining a process for dealing with contractual disputes, expected end, early end or transfer of a service
• Monitoring, reporting and regularly reviewing supplier performance against targets, identifying improvement actions as appropriate and ensuring these actions are implemented
• Ensuring changes are assessed for their impact on suppliers, supporting services and contracts and attending Change Advisory Board meetings when appropriate

In the next slide we will learn about the key triggers for supplier management process.

3.184 Triggers, Inputs and Outputs

The key triggers for Supplier Management Process and activities are:
• New or changed corporate governance guidelines
• New or changed business and IT strategies, policies or plans
• New or changed business needs or new or changed services
• New or changed requirements within Service Level Agreements, Operational Level Agreements or Contracts
• Review and revision of designs and strategies
• Periodic activities such as reviewing, revising or reporting, including review and revision of supplier management policies, reports and plans
• Requests from other areas, particularly Service Level Management and Information Security Management, for assistance with supplier issues
• Requirements for new contracts, contract renewal or contract termination
• Re-categorisation of suppliers and/or contracts

Next, we will look into the key inputs for supplier management process.

3.185 Triggers, Inputs and Outputs

The supplier management process draws inputs and information from a number of sources. Some of the key inputs are:
• Business information from the organisation’s business strategy, plans and financial plans, and information on its current and future requirements
• Supplier and contracts strategy providing information on sourcing policy of the service provider and the types of supplier and contract used. This strategy is produced by the service strategy processes
• Supplier plans and strategies detailing the business plans and strategies of suppliers, together with details of their technology developments, plans and statements and information on their current financial status and projected business viability
• Supplier contracts, agreements and targets of both existing and new contracts and agreements from suppliers
• Supplier and contract performance information of both existing and new contracts and suppliers
• IT information from the IT strategy and plans and current budgets
• Performance issues, due to poor contract or supplier performance, captured and managed by the incident and problem management processes
• Financial information from financial management for IT services, the cost of supplier services and service provision, the cost of contracts and the resultant business benefit; and the financial plans and budgets, together with the costs associated with service and supplier failure
• Service information from the Service Level Management process, with details of the services from the service portfolio and the service catalogue, service level targets within Service Level Agreements, and possibly from the monitoring of Service Level Agreements, service reviews and breaches of the Service Level Agreements
• Configuration Management System containing information on the relationships between the business, the services, the supporting services and the technology

Let’s learn about the outputs from the supplier management process in the next slide.

3.186 Triggers, Inputs and Outputs

The key outputs from the supplier management process are:

• Supplier and Contract Management Information System, which holds the information needed to execute the activities within supplier management.
• Supplier and contract performance information and reports, which are used as input to supplier and contract review meetings to manage the quality of service provided by suppliers and partners. This includes information on shared risks where appropriate.
• Supplier and contract review meeting minutes that are produced to record the minutes and actions of all review meetings with suppliers.
• Supplier Service Improvement Plans detailing all improvement actions and plans agreed between service providers and their suppliers.
• Supplier survey reports representing feedback collected and used to ensure consistency in the quality of service provided by suppliers in all areas. These can be published as league tables to encourage competition between suppliers.

We will next learn about interfaces in the following slide.

3.187 Interfaces

The success of overall service management depends to a large extent on how well the individual processes integrate with other processes. A number of dependencies exist amongst these processes, and it is essential to understand them and enable the interfaces to enhance the efficiency of the processes as well as the overall service management. We shall now look at some of the key interfaces between the supplier management process and other processes.

• Service Level Management: The supplier management process assists Service Level Management in determining the targets and responsibilities for suppliers that are aligned with business needs, for subsequent inclusion in the service level agreements and contracts. Service Level Management, on the other hand, helps supplier management with the investigation of service level agreement breaches caused by poor supplier performance.
• Change management: Supplier contracts and agreements are controlled documents and fall within the scope of change management. Any changes to these documents should follow the change management process and be approved by the relevant change advisory boards. Also, changes to services and service components should assess the involvement of suppliers and be included in the respective plans.
• Information Security Management: Information Security Management analyses and defines the information security requirements for every supplier involved in IT service provision. Supplier management should ensure inclusion of these requirements in the contracts and agreements. These requirements include access to services and systems, confidentiality and non-disclosure clauses, and conformance to the service provider’s information security policy.
• Financial management for IT services: This process provides adequate funds to finance supplier management requirements and contracts, and provides financial advice and guidance on purchase and procurement aspects. It also enables relevant reports on budget allocation, budget vs. actuals, and value derived or cost savings accrued by engaging external suppliers.
• Service portfolio management: This process uses supplier management input to ensure that all supporting services and their details and relationships are accurately reflected within the service portfolio.
• IT Service Continuity Management: This process works closely with supplier management in screening and selecting suppliers required for executing disaster recovery and continuity activities.

3.188 CSFs and KPIs

Let us now discuss some examples of critical success factors and key performance indicators relating to the Supplier Management process.

“Protecting Business from poor supplier performance or disruption” is a very important critical success factor for this process. This requires proper screening, analysis and selection of suppliers and subsequent regular monitoring of performance. The key performance indicators related to this critical success factor are “Increase in the number of suppliers meeting the targets within the contract” and “Reduction in the number of breaches of contractual targets”.

Another critical success factor for this process is ensuring that “the supporting services and their targets are aligned with business needs and targets”. The relevant key performance indicators are: “Increase in the number of service and contractual reviews held with suppliers” and “Increase in the number of supplier and contractual targets aligned with Service Level Agreements and Service Level Requirements targets”.

3.189 CSFs and KPIs

Ensuring that “Availability of services is not compromised by supplier performance” is another important critical success factor. The relevant key performance indicators are: “Reduction in the number of service breaches caused by suppliers” and “Reduction in the number of threatened service breaches caused by suppliers”. Ensuring that there is “Clear ownership and awareness of supplier and contractual issues” is one important process control related critical success factor. The relevant key performance indicators are: “Increase in the number of suppliers with nominated supplier managers” and “Increase in the number of contracts with nominated contract managers”. Let’s look into the challenges faced during the supplier management process in the next slide.

3.190 Challenges

Proactively identifying process implementation and adherence challenges is a fundamental element of a mature service management setup. The challenges relating to the Supplier Management process are:

• Continually changing business and IT needs and managing significant change in parallel with delivering existing service
• Working with an imposed non-ideal contract, a contract that has poor targets or terms and conditions, or poor or non-existent definition of service or supplier performance targets
• Existence or continuance of legacy issues, especially with services recently outsourced
• Insufficient expertise retained within the organisation on the services managed by suppliers
• Being tied into long-term contracts, with no possibility of improvement, which have punitive penalty charges for early exit
• Situations where the supplier depends on the organisation in fulfilling the service delivery, which can lead to issues over accountability for poor service performance
• Poor communication – not interacting often enough or quickly enough or not focusing on the right issues
• Personality conflicts and/or cultural conflicts
• One party using the contract to the detriment of the other party, resulting in win–lose changes rather than joint win–win changes
• Losing the strategic perspective, focusing on operational issues, causing a lack of focus on strategic relationship objectives and issues

Let’s look into the risks associated with supplier management in the next slide.

3.191 Risks

Risk assessment and management help service management teams to proactively counter and mitigate the threats related to service provision. This helps in more efficient service management and decision making. The risks associated with Supplier Management are:

• Lack of commitment from the business and senior management to the supplier management process and procedures
• Lack of appropriate information on future business and IT policies, plans and strategies
• Lack of resources and/or budget for the supplier management process
• Legacy of badly written and agreed contracts that do not underpin or support business needs or Service Level Agreement targets
• Suppliers agree to targets and service levels within contracts that are impossible to meet, or suppliers fail or are incapable of meeting the terms and conditions of the contract
• Supplier personnel or organisational culture are not aligned with that of the service provider or the business
• Lack of clarity and integration by the supplier with the service management processes, policies and procedures of the service provider
• Suppliers are not cooperative and are not willing to partake in and support the required supplier management process
• The demands of corporate supplier and contract procedures are excessive and bureaucratic
• Poor corporate financial processes, such as procurement and purchasing, not supporting good supplier management

Let’s look into the summary of this entire session.

3.192 Summary

In this unit we learnt about:

• The eight processes of the Service Design Publication, i.e. Design Coordination, Service Catalogue Management, Service Level Management, Availability Management, Capacity Management, IT Service Continuity Management, Information Security Management and Supplier Management
• The interaction of service design processes
• The flow of service design as it relates to the business and customer
• The five design aspects and how they are incorporated into the service design process
