Back in 2007 I completed a study and wrote a paper titled “The impact of Regulatory Compliance on Software System Development” At that time the market was concerned with the relationship between emerging business and industry regulations such as SOX, Basel 2, MiFID, IFRS & FDA-CFR 11 and also the emergence of IT related Frameworks such as ITIL, CMM, & COBIT as examples. I was in the business of providing software QA & Testing solutions to many different sectors including Life Sciences, ICT, Financial Services, Transportation, Industry and Public sector. At the time the big question from medium and large enterprise clients were ; How do I know my IT is in control? and won’t cause or enable a breach of my key industry regulations? & How can I use my IT resources to enable conformance to industry regulations, best practices and standards?
I recently completed an assignment where I was asked to consider the business and commercial value of IT Frameworks and related maturity models. The depth, quality and adoption rates for Frameworks has moved forward significantly and the drivers to consider the adoption of a Framework have moved to “How Can IT create greater measurable impact on the performance of the business with the use of IT Frameworks and maturity models?”
This paper is less about the detail of each of the Framework types, though I do refer to where each of the main types have application value and more about the business case for adopting a Framework.
Business Information Technology
Whether your organisation is an SME or large global enterprise , it’s likely that ICT is strategically important either as a your product, a component of your product or as an important enabler of your products and services. Yet many organisations still view and manage IT as a service function to the business. The fact is that IT is pervasive in most organisations and their business, touching directly or indirectly on all stakeholders (Staff, Management, Shareholders, Customers, Suppliers, Partners etc.). The IT systems determine; What stakeholder users do? when they do it ? how they do it? and how well they do it? In addition it co-ordinates & connects all the actions of the different user types to deliver the business outcomes and performance.
“For most organisations ICT is a strategic CSF to create Advantage and Strong business performance”
Organisations exist in an environment that has become digital centric, the stakeholders are digitally aware and competent they have skills and expectations where their device(s) are the focal point for connecting within the environment both socially and professionally. The pace of change and volume of new ICT technologies, products and services enables significant business innovation and competitiveness and in fact is, and can be the root driver for innovation and performance improvement in an organisation and its business. Failure of an organisation to leverage IT, or just manage ICT leads to much more rapid decline in the organisations business relative performance in the Digital Age.
“Failure to leverage and/or manage ICT in an organisation in today’s Digital world leads to more rapid decline in their relative business performance”
Leaders in organisations now recognise that ICT is actually business technology that is both strategically and tactically important, and that it should be managed in a way that releases the innovation potential of the business while ensuring that the investments are connected to the key organisation value creation & realisation. The ICT investment options are changing all the time, the technology and its application can be complex, the risks are high and the importance is strategic, so the leadership team needs members who know how to connect the technology with the business results, and maximise the ROI from ICT investments. So what we need is a CBT “Chief of business technology” rather than a CIO “Chief Information Officer” , a role that includes the CIO functions expanded to include the business functions.
Business Drivers for ICT within an Organisation
- The business seeks visible ROI and benefits realisation from current and future spend on IT. CIO’s are expected to deliver solutions that impact the KPI’s for the organisation.
- Transformation & Digital Transformation in organisations, enabling new business models, products, services and channels to markets. (Cloud, Big Data, Social business, Mobile etc.)
- New sets of generic IT building Blocks XaaS, Analytics, Collaboration and Crowd, leading to new generic processes requiring a holistic framework to benchmark and align the enterprise IT ecosystem and drive further value into the business.
- The need for a framework that enables a collaborative engagement and alignment with the business and its stakeholders, in IT enabled programs that are driving transformation and continuous improvement.
- A key stakeholder(s) requires some level of adoption and/or conformance to a specific Framework and/or standard such as a customer/client, or regulatory authority.
- There is dissatisfaction from some or all key stakeholders with the performance of IT, the ROI and/or its impact on the business and the CIO (Current and/or New) is given a goal to resolve the issues.
- There is a planned strategic business adjustment and/or a sudden shift that will be enabled by, or have broad implications for IT and how it is used to deliver value in the business. Example might include a new business model, rightsizing, M & A, new technology etc.
- The corporate strategy (such as growth by acquisition) requires group standards and benchmarks to be achieved.
- The Corporate structure and legal entity with high levels of external scrutiny such as Public, State related or Regulatory, demand more visible and transparent value for money and compliance.
Frameworks & Maturity Models
In using an analogy of “The rubix cube” frameworks help us align the multiple complex dimensions of a technology centric business for optimum performance and maturity models provide the fastest routes to that performance.
Maturity Models are about answering the questions:-
- How good are we versus some accepted standard or reference benchmark?
- What is important to improve?
- Where should we focus to improve?
- How far are we from being the best?
In looking at maturity models there are two major basis:-
- Normative:- A normative model is scientifically or mathematically based in that regardless of who or what is being measured there in an underpinning algorithm that gives a true value to each measurement and very strong basis for comparisons. The Holignment Organisation Maturity Index is one of the few normative models in existence.
- Descriptive:- Descriptive models are based on describing the conditions, behaviours and artefacts that exist and are recorded in the highest performing situations/organisations and then grouped into levels of performance from nothing/limited observable to the best standard. Determining the maturity level usually asks the user to select from pre-determined statements or from an audit. The majority of ICT maturity models are descriptive models , such as CMM, COBIT, IT-CMF as examples.
There are two major categories of ICT Frameworks & maturity models :-
- Open Standard such as CoBIT, ITIL, IT-CMF, CMM, TOGAF etc. These have been researched and developed in an open, independent manner by academia, industry/trade groups to come up with un biased and often certifiable assessments and guides to driving ICT performance improvement.
- Proprietary such as those provided by many industry analysts and some ICT service providers. There is often equal credibility given to these frameworks/models because of the brand associated with the provider but they are not open to detailed independent scrutiny and their IPR is there to leverage services revenues for the owner.
Frameworks are about answering the following questions:
- What are the important aspects we need to consider?
- What are all the important areas for improvement?
- How do we go about improvements?
- What do we need to do to implement the improvement?
Shortfalls in the current Frameworks Landscape:
- The proprietary segment designed to sell something else, which have perceived value but are not necessarily underpinned by sound independent, continuous primary and application research.
- The open standard segment such as the ITIL’s, CMMI’s and CoBITs which are very IT centric, do not cover all the areas individually, lack true business value creation and realization artefacts.
- The level and detail of each have different levels of relevance and usability depending on your management and/or professional role.
- The level and type of assessment/certification spans from self-certification , through to full independent accredited certification.
- There are overlaps between each and gaps in each
Some of the more acknowledged and popular open Frameworks/Models
IT-CMF (IT Capability Framework)
Developed by industry led research at the Innovation Value Institute in the National University of Ireland Maynooth, is a newer entrant. This is the broadest framework available which connects the business value relating to investments in IT capability. It is comprehensive in that it covers all aspects of business IT and includes a strong maturity assessment and model. It is probably one of the best frameworks for business IT management but is weaker than alternative models such as CMMI & ITIL when it comes to providing the detailed implementation guides for front line professionals. However it co-exists and can potentially pull together and leverage the strengths of some of the more focused frameworks.
IT-CMF has its strength around IT Value management
This is a process improvement training and appraisal program and service administered and marketed by Carnegie Mellon University (Now via the CMMI Institute) and required by many public & private contracts, especially software development. It can be used to guide process improvement across a project, division, or an entire organization. Under the CMMI methodology, processes are rated according to their maturity levels, which are defined as: Initial, Repeatable, Defined, Quantitatively Managed, Optimizing. CMMI has its roots in CMM which was in R & D for 10 years prior to the first release , for software development in 2002. CMMI currently addresses three areas of interest:
- Product and service development — CMMI for Development (CMMI-DEV),
- Service establishment, management, — CMMI for Services (CMMI-SVC), and
- Product and service acquisition — CMMI for Acquisition (CMMI-ACQ)
CMMI has its strengths around software and software related projects.
ITIL is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. ITIL is published in a series of five core publications, each of which covers an ITSM lifecycle stage. ITIL underpins ISO/IEC 20000 (previously BS15000), the International Service Management Standard for IT service management, although differences between the two frameworks do exist. ITIL was developed by the UK government in the 80’s in recognition of the core role IT plays and the need to improve and manage IT, and have some consistent standard that can be applied to supplier contracts.
ITIL describes IT processes, procedures, tasks and checklists that are not organization-specific, used by an organization for establishing integration with the organization’s strategy, delivering value and maintaining a minimum level of competency. It allows the organization to establish a baseline from which it can plan, implement and measure. It is used to demonstrate compliance and to measure improvement.
ITIL has its strength around IT Infrastructure and services
(COBIT) is a framework created by ISACA for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.
It is positioned at a high level and has been aligned and harmonized with other, more detailed, IT standards and good practices, such as CMMI, ITIL, COSO etc.
COBIT has its strength around Governance and Risk Management
This is a framework for enterprise architecture which provides a comprehensive approach for designing, planning, implementing, and governing an enterprise information architecture. TOGAF is based on four interrelated areas of specialization called architecture domains:
- Business architecture which defines the business strategy, governance, organization, and key business processes of the organization
- Applications architecture which provides a blueprint for the individual application systems to be deployed, the interactions between the application systems, and their relationships to the core business processes of the organization with the frameworks for services to be exposed as business functions for integration
- Data architecture which describes the structure of an organization’s logical and physical data assets and the associated data management resources
- Technical architecture, or technology architecture, which describes the hardware, software, and network infrastructure needed to support the deployment of core, mission-critical applications
TOGAF strength is in architecture alignment
COSO is a joint initiative of five private sector organizations, established in the United States, dedicated to providing thought leadership to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. COSO has established a common internal control model against which companies and organizations may assess their control systems.
COSO Strength is in Governance and financial controls
ISO, is an international standard-setting body composed of representatives from various national standards organizations. ISO’s main products are international standards (technical, product, process etc.). ISO also publishes technical reports, technical specifications, publicly available specifications, technical corrigenda, and guides. There are thousands of standards, including IT related, some of the most well-known IT related include ISO 20000 Information technology services management, ISO 27000 services Information Management security, ISO9000 series quality system management.
ISO strengths lie in Internationally defined and certifiable standard
These are just some of the most popular open, independent Maturity Framework Models, There are many more such as PMBOK (Project Management Body of Knowledge), BiSL (Business Information Services Library), ASL (Application Services Library) to name a few. Of course there are the proprietary Frameworks and maturity models such as MOF from Microsoft, Gartner maturity model etc.
So is there value in maturity Frameworks? How do I find that value? Where do I start?
Well the answer really depends on the context of your Business & Business IT. What is the current Status? What is the Target Status? How big is the gap? What do you need to achieve.
Generic value of maturity frameworks
- They represent a body of knowledge and expertise that has been researched and proven by practitioners in the field, therefore they are the common wisdom on what works best.
- Some but not all enable a better engagement and alignment with the under-lying business and business goals.
- All enable the ability to say we meet an accepted standard, or level within a standard
- They provide a roadmap and set of guides to improve performance and achieve a target standard
- They provide a common language and model that enable enhanced dialog and engagement between stakeholders when it comes to IT improvement.
- Personal & Organisation credentials and capability can be developed and certified where the relevant independent certification exists
Specific Value of maturity Frameworks
Value ultimately comes down to quantitative and qualitative improvement in business and operational performance achieved for the investment in the change to achieve that improvement. And the gap between your current performance and best practice or the standard determines the value opportunity. There are of course other strategic views where strategic business advantage is enabled by ICT , so the question is do you need to achieve best practice standard in some or all areas, and/or to be the best and, the leader is some area of Business IT.
Below we consider the starting point opportunities offered by the main Frameworks
Ultimately a business case is required before you dive into adoption and implementation. In some scenarios it can be useful to do an early, pre adoption decision, maturity assessment. The reason I say this is that it can provide you and your organisation with the data and information to both set your goals and also quantify what adoption and implementation means as regards a program of improvement change.
Some of the costs associated with a maturity framework implementation are as follows:-
- Training and education for all stakeholders so they can understand and buy into the program
- Training and education for key stakeholder contributors for the specific elements of the framework to be adopted
- Examination & certification (Organisation and/or Individual)
- 3rd party external advice and services (Consultants & Framework agencies)
- Framework IPR access, subscriptions, purchases, licenses.
- Assigned resources and overheads directly related to adoption and implementation programs
- Program governance, sponsorship and support
- Learning curve for all stakeholders
- Staff time to execute and manage their specific changes and contributions
Adoption & Selection considerations
- The nature, scale and context of your organisation’s needs. Maturity Framework adoption requires investment and commitment often at a level that is only justified by the size and complexity of the business. Small IT centric organisations can often be best served by focusing on the more directly relevant technical focused frameworks such as ITIL, TOGAF etc. and selecting the relevant sections of these to impact the target result areas.
- The current level of organisation performance and maturity with respect to the short to medium term business improvement goal. Leadership often recognise and acknowledge when levels of performance and impact are low and, they have a good idea where improvements are needed, this often enables an adoption based on “let’s get the basics in place first, before we seek to boil the ocean with a target for best business practice”
- The current level of framework adoption and implementation, so many organisations may already have some or full adoption an implementation of one or more Frameworks and have derived some benefit. In the first instance make sure the current frameworks are delivering as intended and across all relevant functions (or drop or re initiate if there has been a lack of impact for whatever reason) before considering a change or a new addition. Because many of the listed frameworks are more point solutions for specific technology or control areas and may be working well, leadership may be seeking to address the gaps and/or expand the implementation, therefore they need to seek the right fit. Often in larger more mature organisations ITIL, or CMMI is implemented to higher levels of maturity and delivering operational benefit where management want to embrace and enhance this good work to have a greater impact on the total business performance and/or innovation. In this case they may want to consider IT-CMF or COBIT to further drive business advantage.
An Approach to adoption
- Strategic review and direction statement:-
- Key Management (business and IT) & Professional stakeholder group work to:-
- Understand the drivers for change
- State the short and long term business impact desired
- Understand the current capability of the organisation to take on a change of this nature.
- Understand the capacity of the organisation to take on this change in the short, medium and long term.
- Produce a feasibility project statement
- Initiate feasibility project team and study
- This team considers the strategy and options available
- This team makes a recommendation with facts and evidence to adopt a specific Framework (or not)
- This team prepares an initial business case and high level plan.
- Steering committee makes the initial adoption decision, and communicate this to the organisation stakeholders.
- Re-usable proof of concept implementation
- A section of the business and IT that is identified as low hanging fruit relevant to the adoption priorities is identified and scoped for a pilot project.
- Pilot/POC project is executed, monitored and controlled
- Outcome goals include
- Initial demonstration of target POC value
- An early motivational success and reference
- A body of learning and knowledge to inform a roll out plan
- A confirmation of the assumptions, estimates and business case for full implementation roll out.
- Full implementation rollout approved by steering/governance group
- Business Case
- Program and Project statement and plan
- Monitoring and control KPI’s
- Change program resources, accountabilities, responsibilities and roles
- Launch & Implementation
( IT maturity )
- Key Management (business and IT) & Professional stakeholder group work to:-