ICT Governance Board
26-03-2012
Agenda Item No. 5

Process Improvement Update

Report by: Charlie Anderson

Purpose

This report presents the next stage in developing the use of the COBIT framework to support the improvement of processes within IT Services.

Recommendation(s)

The Board is asked to consider the contents of this report and agree it as the basis for developing a detailed action plan for process improvement within IT Services.

Resource Implications

Improvements in processes are supported by existing resources.

Legal & Risk Implications

No implications are quantified within this report.

Impact Assessment

Not applicable.

Consultation

The report reflects the views of the IT Management team. Internal Audit has reviewed the existing maturity levels of the processes.

1.0 Background

1.1 The use of the COBIT framework for managing IT delivery processes was considered by the Board on the 23rd January 2012 and we are now reporting on progress in its use. In particular, IT Services has undertaken a review of the existing level of maturity for each process and the levels we consider achievable in the future.

1.2 The COBIT framework includes a set of statements describing six possible maturity levels for each of the 34 processes. These statements are built up from a generic maturity model:

0 Non-existent – Complete lack of any recognisable process. The enterprise has not even recognised that there is an issue to be addressed.

1 Initial/Ad hoc – There is evidence that the enterprise has recognised that the issues exist and need to be addressed. There are, however, no standardised processes; instead there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganised.

2 Repeatable but intuitive – Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore, errors are likely.

3 Defined Process – Procedures have been standardised and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.

4 Managed and Measurable – Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 Optimised – Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modelling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making an enterprise quick to adapt.

Relevant elements from the following attributes are then progressively added to each level to customise them to the particular process:

- Awareness and communication
- Policies, plans and procedures
- Tools and automation
- Skills and expertise
- Responsibility and accountability
- Goal setting and measurement

1.3 The processes are structured into four areas in line with the overall framework:

- Plan and Organise – 10 processes
- Acquire and Implement – 7 processes
- Deliver and Support – 13 processes
- Monitor and Evaluate – 4 processes

1.4 IT Services undertook a maturity assessment in 2010 and this was refreshed over the last few weeks to take account of changes since then. The assessment of the present position was then shared with Internal Audit, who undertook an assurance exercise and have confirmed the accuracy of the current position as shown in Appendix 1. The existing maturity levels are:

- Level one – 5 processes
- Level two – 14 processes
- Level three – 15 processes

2.0 Planned Maturity

2.1 IT management have identified the target maturity levels they believe are achievable, including indicative timescales. All processes should be at level three with 19 targeted for level four and 9 level five. The following sections highlight the overall maturity level and key issues in each of the four areas.

2.2 Plan and Organise – The processes here are at a reasonable baseline with six already at level 3 (Defined). The targets are mostly for level four (Managed and Measurable) and should be achievable over the next year; however, there are two areas of particular weakness. Firstly, our Information Architecture is not well defined, meaning that we are not organised to make the best use of the data we have and are continuing to hold the same information in multiple locations. Improving this will allow for more streamlined processes and reduce the need for re-keying data into different systems. Secondly, there is no clear, effective focus for managing quality within IT Services. This affects both how we do things within the Service and the end user experience of the services we provide.

2.3 Acquire and Implement – The existing maturity level is generally 2 (Repeatable but Intuitive), giving a major challenge to meet the dominant target level of 5 (Optimised). Central to making this shift are improving the ways we acquire and maintain our main applications, together with controlling how changes are made. Effective engagement with the business change processes will be vital to ensuring that what IT provides matches the changing needs of the Council. Increasing the automation of solutions will also have a key impact on how we focus on adding value to all our processes.

2.4 Deliver and Support – This is the largest grouping of processes and broadly they have level 2 (Repeatable but Intuitive) or level 3 (Defined) as the existing assessment. The targets are mostly level 4 (Managed and Measurable) with several areas needing significant improvement. The first is quantifying and managing service levels, both for IT Services' own products and the relationships with third party suppliers. The second key area is how we manage faults, issues and problems to deliver high quality, cost effective services. Recent developments are moving us in the right direction but there will need to be much more standardisation to deliver the desired improvements.

2.5 Monitor and Evaluate – The present maturity in this area is low and it is not proposed to aim at level 5 (Optimised). This reflects the close integration needed between what IT Services does and the whole Council approach to this area of work. Effective governance and control of ICT activity across the whole organisation remains a real challenge for all of us.

3.0 Conclusions

3.1 IT Services' assessment of the present maturity levels has been endorsed by Internal Audit and provides a secure baseline for us to develop from.

3.2 IT target maturity levels and indicative timescales (Appendix 1) set out a clear direction of travel for improving our processes. While progress is needed in every process, the exercise has highlighted the following key areas:

- Information architecture
- Managing quality
- Acquiring, maintaining and managing changes to applications
- Defining and managing service levels internally and with third parties
- Managing individual faults/problems and standardising our products to minimise them
- Consistent governance of ICT across the organisation

3.3 Once there is agreement on the target levels of maturity and the processes we need to focus on most, the next stage will be a detailed gap analysis to identify the specific actions needed. The resulting action plan will be brought back to this board for sign off in May.

Report Contact
Edmund Whiffen
IT Manager Supply-Demand
Carleton House
Telephone: 08451 55 55 55 444278
Email – Edmund.whiffen@fife.gov.uk

Appendix 1

COBIT Maturity Level Assessments

PO1 Define a Strategic Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT processes, organisation and relationships
PO5 Manage the IT investment
Current Maturity 3 1 Maturity Target 4 3 Indicative Date to be achieved 3 4 4 December 2014 DECEMBER 2012 3 5 DECEMBER 2013 3 3 December 2012 ongoing 4 MARCH 2013 December 2012

PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects
3 4 Recognition that level 4 difficult to achieve as there appears to be little appetite across the rest of the organisation for formal costings. DECEMBER 2012 2 3 MARCH 2013 1 2 3 4 March 2013 March 2014 3 4 DECEMBER 2012

AI1 Identify Automated Solutions
3 4 March 2013
AI2 Acquire and Maintain Application Software
2 5 4 March 2014 December 2012
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
3 5 5 March 2014 March 2014 2 3 March 2013
AI5 Procure IT resources
3 4 4 March 2014 December 2012 2 5 4 March 2014 March 2013 5 3 Achievable assuming that there is greater integration with the business change process March 2013 4 March 2014
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes
2

DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Capacity and Performance
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
Current Maturity 1 Maturity Target 3 Indicative Date to be achieved 3 4 4 June 2013 December 2012 5 December 2012 1 3 Achievable depending on discussions with the rest of the organisation December 2012 3 2 4 4 3 June 2013 December 2012 March 2013 September 2014 2 2 4 3 3 March 2014 3 4 Appetite of the rest of the organisation will be a factor in achieving this December 2012 3 2 5 4 3 March 2014 March 2014 September 2012

DS11 Manage Data
2 4 3 March 2013 September 2013
DS12 Manage the Physical Environment
3 4 5 September 2014 March 2013 (critical sites only)
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
March 2013 (all other sites) 3
DS13 Manage Operations
3 4 *List of sites needs defined* March 2013

ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Compliance with External Requirements
ME4 Provide IT Governance
2 3 December 2012 1 3 September 2013 2 4 March 2014 2 3 March 2013 4 March 2014

EJW/IT Services 19-03-2012