By Andrew Rowsell-Jones, CIO.com,
In the last two decades, we have seen the IS organization mature in its approach to software development. In the 1970s and 1980s, most business applications were developed and maintained at a cost. Many proprietary applications were unreliable, expensive to maintain and even more expensive to change. Now, most medium- and large-size organizations have increased efficiency, effectiveness, integrity and agility by extensive use of packaged software.
A similar transformation is also happening in the IS organization itself, and in its use of standards to improve IS processes. Enterprises are achieving significant results by using IT standards.
Standards are frameworks, guidelines and templates for improving the performance of IS processes and IT assets, including CobiT, ITIL, ISO20000, CMMi, TMM, ISO17799 and Six Sigma. They offer a solid base of best practice and collected wisdom that the CIO can apply to their IS organization, first to stabilize IS process and then to drive forward with process improvement.
Most of the better known standards are supported by mature standards bodies, dedicated to development and refinement. Most standards also enjoy a large and lively user community that provides help, insight and endless success stories.
Pity then that standards are so hard to get the value from, and so easy to turn into a mindlessly unhelpful bureaucracy.
First understand what problem you're trying to fix. In an ideal world, you would have one standard for IT management and improvement that covered all areas of IT governance, oversight and service delivery -- and was suitable for all enterprises. We are not in that ideal world. Few standards that exist are explicitly linked to business strategy.
Nor are their definitions much better. Most are so loosely defined that their implementation seems more a matter of personal choice rather than following a well-defined set of instructions. Neither are they much better on scope. No standard is comprehensive, or perfect for all situations, with many IS processes and activities not covered at all.
So what is the best approach to selecting and implementing standards and frameworks to drive business contribution from IS?
Rather than approaching standards in a reactive or piecemeal way, the best way to start is to figure out what outcome is it that you are looking for and work out how standards can help you. Typically, there are four big reasons why people look to standards.
First there's efficiency: Enterprise efficiency goals suggest a rigorous, prescriptive focus on a quality improvement standard (for example, ISO 9000, Six Sigma, Lean) to squeeze cost out of processes. In that context, IT service management standards (like ITIL) should be used tactically to make IT processes more efficient and create better transparency, which drives business efficiency.
Next there's integrity: If integrity goals such as regulatory compliance or major partner reliability dominate, lead with a control-focused standard like CobiT, using quality improvement standards to drive continuous improvement, and IT service standards such as ITIL and ISO 20000 to address control issues.
Thirdly, there's effectiveness: Where effectiveness is the major aim, such as driving organic top-line growth, use a service management standard targeted at boosting productivity, with quality improvement standards as the backdrop, ensuring that specific productivity gains do not compromise the overall business model.
Finally, there's agility: Where the enterprise wants agility - perhaps to manage significant changes in the enterprise such as mergers and acquisitions - employ a general quality improvement standard as the overall agility assessment and improvement engine, driving simplicity and visibility into commodity processes to aid change and integration.
So once the rationale for a standard has been determined, the next challenge is implementing it.
Standards are change management in disguise. Implementing a standard is really an exercise in organizational change management. The best way to implement standards is to start with a single lead standard -- say ITIL or Six Sigma -- and then add selected parts of other standards as needed. That way, change is easier because the purpose is clearer to everyone.
Nevertheless, the amount of change that can be absorbed should be factored strongly into standards decisions. As the benefits come from changes in people's behavior, standards that are too much of a stretch will rarely achieve the desired outcome. An evaluation of your change management capabilities should drive this understanding.
Implementing standards is both broad and deep. Broad in that most standards initiatives cut across many business functions. Deep in the sense that they entail major behavioral, process and sometimes technical changes. All this argues for a carefully tailored and phased approach.
Usually, not all of a standard is relevant for your business, and only some components will contribute to your business's current strategic objectives. Successful standards implementations typically start with some rational decisions about which parts will add value and which are unnecessary.
A CIO of a professional services firm we interviewed told us that his organization aggressively tailored the CobiT standard down to 55 key control objectives. This dramatically reduced the effort of conformance, but cost significantly more. It had a significant up-front "discovery" cost. It cost more to analyze and select which controls were needed to achieve the required benefit (regulatory compliance with Sarbanes-Oxley). And negotiations with auditors, who changed the "goalposts" a number of times, in terms of what they would be looking for in their audit, were difficult.
The interesting lesson to draw from this is that, in retrospect, it would have been better to have tailored less. This would have reduced effort and time (for discovery of the CobiT subset). And it would have reduced the need for such negotiation with the auditors, albeit at a higher compliance cost later on.
Don't go big bang either. Another CIO - this time from a health-care service provider -- started both ISO 9000 and CMMi work in early 2004 and went big bang. It didn't work out as the approach foundered. The initiative was brought to a successful conclusion by a deft change of focus, from enterprise-wide, to focusing on just one development department, achieving CMMi Level 2 in December 2005. This CIO is now shooting for CMMi Level 2 for all departments in a year, and Level 3 for the pioneer group in the same time frame.
It is tempting to leave third parties out of the standards and performance improvement picture such as your outsource partners. After all, you do not have direct control of their internal resources. But the goal is to improve the services delivered to your internal and external customers, no matter where they are sourced from. So while this is especially important in highly outsourced environments it also applies to all IS organizations.
So, we have implemented our chosen standards -- what now?
Standards are a journey, not a destination. The imperatives and opportunities presented by standards will not go away. CIOs who have the most experience with standards invest in capabilities that accentuate the benefits and mitigate the costs and risks of standards implementation.
Whatever approach you follow for identifying, selecting, rolling out and measuring standards, it is definitely not a "once-and-for-all" process. There are always opportunities to implement new standards to boost IS performance and business value.
Standards will continue to evolve over time, regulatory requirements are increasing in many industries and geographies, and many enterprises are globalizing.
Some CIOs we talk with note the ever-increasing audit requirements around standards, compliance and other issues. This is an inescapable part of running a highly professionalized IS organization. They say it creates the need to build a set of capabilities and practices that helps with standards implementation and process improvement that, in general, will pay off many times.
But will it?
What are the benefits of standards? Gartner research shows that the average development organization increases productivity by 30 percent in two years through consistent adoption of a standards-based approach.
Yet the cost of implementing standards is hard to estimate. It is embedded in daily work practices, such as documenting activities and following up more thoroughly. A number of CIOs we interviewed said that they deliberately don't try to measure the full cost of implementing and managing conformance standards, as that misses the point; standards should not be viewed as a "bolt-on", but as a fundamental change in the way work is performed.
However, there are direct, tangible costs to implementing and maintaining standards, such as the use of external consultants, experts, assessors and auditors; the procurement of software tools; and training for staff. Interviewees who were strong believers and implementers of standards said that these direct costs typically amount to 2 to 3 percent of their overall IT budget.
Use standards to drive performance improvement. Although IT standards focus on process, ultimately the value comes from people -- people understanding and adhering to standards. A standards implementation must be treated as a change initiative -- changing IS staff's behaviors.
Business needs from IS include ever greater reliability of services and support for transformational change. CIOs are increasingly focusing on IS process improvement to fulfill these needs. Standards offer a great deal of help, but must be selected and used judiciously.
Before embarking on any significant standards activities, you should assess your process improvement capabilities, identify issues and address them.
Andrew Rowsell-Jones is vice president and research director for Gartner's CIO Executive Programs.
Copyright © 2007 IDG. All rights reserved.