TFT 14 - Best Practice Frameworks and Standards - Why complicate? Be Pragmatic

Best Practice Frameworks and Standards adoption- Why complicate? Be Pragmatic

Today we have several compelling best practice frameworks like ITIL, CobiT, CMMI and industry standards like ISO 20000 that makes organizations ponder the best way to go about and leverage maximum benefits. This talk would focus with pragmatic case study to illustrate a simplified approach and methodology to fit the framework and standard to the Organizational environment.

This talk is available as part of TFT14, done on 18th Feb 2014. Hope you enjoyed and feel free to share to your friends and colleagues

Link to recording: http://tomorrowsfuturetoday.com/tft14/suresh-gp

Slides: http://www.slideshare.net/ServiceDeskInstitute/tft14-suresh-gp

Beware – Don’t Let Branding Make you Blind

This blog stems from my recent experience and insight of how two of the best reputed companies in the globe delivered an unbelievable customer service experience.
As you might be well aware, Emirate airlines was named as the World`s Best airline in 2013 and the recent narration makes me wonder, if we are being misled by branding and awards
Five of the passengers had lost their baggage and did not receive it even after 40 hours, first update of missing baggage came after 36 hours, paid phones for customer service had a wait time of 25 minutes with no response, none of the emails sent to the service desk or twitter postings were even acknowledged. On top of all these, the staff were rude to passengers. More detailed insights from Vinod`s blog


While I can understand that there are technical and logistical glitches likely to happen, the aspects detailed above clearly indicate a fundamental failure to provide a supporting and courteous customer experience.
This cannot be termed as a one-off incident because there are clear disconnects at various touch points making it a pathetic and frustrating end-user experience.  From a Service Management perspective, I would focus on 4 main issues.


a)     Lack of ownership of the Service Desk to acknowledge, update progress and communicate to the user
b)     Staffing & Role fitment issues for various modes of email, phone, social media in addressing queries
c)     Behavior and attitude of customer service staff demonstrates lack of training, enablement and more importantly basic customer service etiquette
d)     Lack of Customer Liaison Champion or leader to be in charge, manage customer expectation and bring situation under control

The 2nd case is that of Fiat India where there was no customer redressal policy when one of its dealers, was at fault.
My friend had taken his Fiat Linea for service to get a break-fix done for an issue that occurred during his long distance travel. The dealer’s service engineers diagnosed it wrongly, suggested the owner should pay the charges without approaching insurance agency in order to save the no-claim bonus. After a few days, the issue reoccurred and highlighting that the dealer had done a shoddy job in fixing the root cause. During the time the car was with the dealer the front panel of dashboard buttons had been mishandled by technicians. So now the dealer does not own the charges even when they admit their carelessness and negligence in fixing it right first time. So when we escalated it to the customer service manager of Fiat India, there was a shocking excuse that they don’t have a customer redressal system if the dealer is at fault.

These reveal some startling aspects of Service (mis)management that can be summarized as follows

a)     Setting up of prerequisite criteria of requirements & compliance aspects before qualifying authorized dealers was not done in the first place.
b)     Absence of governance and control of dealer performance to the Fiat end users (Actions on feedback from customer, Customer redressal system, penalties)
c)     Lack of a clearly defined escalation path to get control of the situation and  address customer pain swiftly

Would not the lack of ownership by Fiat for the dealer`s mistake cost them dearly in terms of reputation and good faith?

Let’s not get carried  away by terms like value, customer delight when we are struggling to get the basics right and in spite of following the modus  operandi and standard escalation protocols, no result has happened for a month.

What can we do about it? As consumers, you have every right to voice your pain and publicize when the branded companies are refuse to admit and remediate for inconvenience.

So provide checks and balance to highlight the pathetic service and pass on the note to your friends and peers to be extra vigilant without blindly falling into a trap.

With the social media advantage, exercise your weapons to force companies to be accountable for their shortcoming and deliver corrective action and prevent such things happen in future.
Finally don’t get carried away by branding and certified standards.  Let’s ensure companies do not stay complacent on and rely on past laurels and history.   Will this be a wakeup call?

This blog post was published on Shift on 5th March 2014 Beware-dont-let-branding-make you blind

ITSM India Podcast - Meeting with AXELOS CEO

On 5th March 2014, I had the opportunity of having 1-1 with Peter Hepworth, CEO of AXELOS as part of 4th ITSM India Podcast discussing about ITIL Roadmap, ITSM in academia, Cost of Exam impact to Indian Market, Ways & Means India can contribute to the best practice roadmap and means to get engaged to take it forward.  Peter was candid enough to be open and transparent in his communications and highlighted the importance of India as a Strategic Important Market for AXELOS.

http://shiftmediainc.com/2014/03/03/itil-india-podcast-peter-hepworth-axelos/

Can ITSM Help to Organize Events Better? A Case Study

As a practitioner of IT Service Management, I am often questioned on the relevance of ITIL^® beyond IT, and here is a classic example of my experience .

Recently, I had the experience of attending the Edinburgh International Science Festival at Bangalore and it was quite an eye opener. The event organizers had offered tickets online through a couple of websites, and also in person. I happened to sign up for this event on the last day and was left with only the option to book through ticketgenie.com. We reached the venue to get our e-vouchers validated with credentials only to find a long queue at the entrance.
I was surprised to see that there were two Service Desk staff sitting idle as they were monitoring the tickets from other websites, while one person at ticketgenie was struggling to take care of a few hundred.
A simple option of Capacity Planning based on requests received could have handled the validation and issue of hard copy tickets much faster.
I did go and talk to the other folks working about the option of adding more counters to facilitate quick processing, but nobody seem to pay attention. This clearly demonstrated that there was no Incident Management process in place to resolve requests and yield better customer satisfaction.
After a heated debate, we did enter the premises to find that each activity or experiment had a specific time slot to be adhered and booked in person. Each slot could accommodate only specific number of people for the 35- 40 minute interval. This meant that parents had to do the standing on the queues while children would go on their own to watch the experiments and science shows. So the fun of parent and child watching and working together on robotics, electronics, light and sound experiments was totally missed. This demonstrated absence of understanding customer requirements and expectations which is the fundamental prerequisite of hosting a Service Desk.
One striking difference in the whole episode was the food service (Chinese, Indian, Continental, Asian), which had provisions in plenty to accommodate the rise in demand with ease. This confirmed that good business practice was driving things from the front (with the customer in mind) . It was evident that Demand Management process had been well ingrained to facilitate business outcomes.
As expected, a monsoon played the spoilsport and had the last laugh with a heavy downpour. People were forced to stick to indoor events, and then persistent rain caused a total power outage. It was shocking (pun intended) to note that the backup generator did not start as expected which means neither IT Service Continuity nor business continuity plan were in place. The rest of the experiments and shows had to be suspended indefinitely as there was no target resolution. I wondered to myself whether, if they had understood the principles of Problem Management or Knowledge Management, they could have have effectively handled these issues based on previous experiences and best practices.
I hope that these aspects would at least be considered in alignment with ITSM during the next event to make it a rewarding and memorable customer experience.

This post was published originally on Sep 18 at HDIConnect  http://www.hdiconnect.com/blogs/servicemanagement/2013/09/can-itsm-help-to-organize-events-better-a-case-study.aspx

ISO 27001:2005 - 10 Lessons Learnt from the Journey!

I have had my share of consulting/implementing and auditing experience on a few of the ISO standards and to me ISO27001 has been the most difficult and significant learning experience.
As I talk about the information security standard ISO27001:2005, the 2013 version is due sometime later, but the final draft suggests it is going to remain pretty much intact with easy integration with other management standards.
Here are my 10 lessons learnt during my journey towards driving ISO27001 certification at various organizations worldwide.

Basis:  Service provider has 2 categories of project: type a) managed projects, and type b) resource augmentation projects, to deliver goods/services to customers.

1. Scope & Exclusions
   Though scope is a common aspect of all ISO standards, I would caution to explicitly mention exclusions.  Some of the common functional groups might not be willing to participate directly or indirectly in audits and it is imperative to have them cleared prior to stage 1 audit. 
2. SOA
   With scope being finalized, the statement of applicability needs to be run with all project teams and functional stakeholders to qualify applicability of annex controls and justify with reason of exclusion.  I have seen this to be an iterative exercise and until everybody understands the rationale, the whole exercise becomes futile.
3. Risk assessment & risk methodology
   I have seen most organizations have some standard risk management framework and templates  handy for the projects or at business unit level, however the support functional risk assessment is not available.  It would be imperative to take stock of how risk is managed at support function as their lapse would affect the outcome of your certification.
4. Security plans
   This is the trickiest of documents from practicability standpoint. For example, managed projects would need to have a robust security plan considering the fact of meeting contractual requirements and SLAs. For resource augmentation projects, it would be a choice to make a security plan adhering to your service provider organization and spell out clearly to third party/client about non availability of resource means, SLAs cannot be met.  This has to be documented clearly and approved at the memorandum of understanding (MoU) between 2 parties.
5. Security controls for offshore and onsite resources
   Today most organizations have employees work at client locations (onsite) and also deliver work from offshore (remote) locations.  Be clear on the scope of your ISO27001 certification including locations. E.g., if you only have offshore locations in scope, but all resources for both onsite/offshore covered, onsite security controls would still be applicable and needs to be demonstrated for compliance.
6. Business continuity plan (BCP)
   Identifying the criticality of service and contractual need will ascertain the business continuity plan at your center or business unit level.  Is it not applicable for projects?  I would say it depends mostly on how you have signed contract with your client or your account teams before arriving at BCP for projects.
7. Effectiveness measurement
   This is one of the fundamental differentiators to show senior management why institutionalizing ISMS yields us real benefits.  With regular review of corrective and preventive actions, it gives all involved the urge to follow and adhere to security controls.
8. Training, awareness and education
   This is an ongoing exercise and there needs to be a specific focus on enablement and readiness for all regular and contract workforce (CWF) working in organizations. Most importantly the process of onboarding and exit checklist must be specific to projects of both categories.
9. Cooperation and collaboration
   With 11 domains and 133 controls to be complied, it is lot of hard work from all project and functional teams to cooperate and collaborate and meet SOA requirements.  Mutual respect and willingness to go the extra mile would be essential to go over brooding issues and stalemates.
10. ISMS standard has to become part of culture
    All these steps and controls are aimed to create that culture of information security among all the teams.  This has to be adopted in true spirit to inculcate the culture and provide the clients and customers the required confidence and trust in all dealings.

These are some of the aspects that I have seen to be critical, to get your certification and ISMS institutionalization a repeatable success

This post was published earlier on July 22nd at ITSM Portal http://www.itsmportal.com/columns/iso-270012005-%E2%80%93-10-lessons-learnt-journey#.Uj_t2mW6bZ4

Take control of your ABCs to make your governance initiatives successful!

What is your company culture? How does your organization view change? Is change accepted or do employees drag their heels and fight it like a child throwing a temper tantrum? COBIT5.0 talks about seven enablers; one of these is “Culture, Ethics and Behavior”. Today I want to discuss Attitude, Behavior and Culture (ABCs) and discuss their impact on your organization.

Why is culture important?

The adoptability of change is determined by the culture of the organization. This adaptability can include:

• Enterprise risk appetite
• Organizational appetite to change enablement
• History and legacy of the organization
• Deep rooted values and principles governing the business
• And many other factors

With many organizations having global presence, one size does NOT fit all and initiatives have to be tailor-made to suit to the culture. This is the only way to gain acceptance and facilitate institutionalization.

Culture has a bearing on the communication methodologies to be adopted (Vocal/Non Vocal), preferred leadership styles and above all, understanding what appeals to the task force to get things done. When I conduct Management of Organizational Change (MoC) programs, I spend considerable time and effort understanding the culture of the organization. When I design a facilitate approach for enabling change, I look at their previous success with enabling change, their organizational structure and leadership styles.

How do Ethics and Values contribute?

Ethical behavior cascades from the CIO or executive board of the organization down to the people. Employees closely follow how the senior management addresses unethical behavior as they conduct business with customers/partners and fellow employees. When upper management takes serious actions against undesirable behavior and immediately communicates it to the task force, it sends a strong message. Employees hear, “Be vigilant and on-guard; or else be ready to meet dire consequences.”

Many organizations have mandatory trainings and refresher courses on “Ethics and Compliance” every year to reinforce the standard of business conduct and encourage people to conduct business in fair and ethical manner. The CEO and the leadership team must walk the walk and implement the values of the organization in all dealings. This helps to institutionalize it as part of the organizational culture

The spirit of upholding the organizational values must be acknowledged and rewarded among employees to set the precedence and follow in day-to day practice. In addition, there has to be an Ethical and Compliance Team that provides assistance for employees and people to solicit advice anonymously and take decisions appropriately. These aspects will strengthen the code of discipline and institutionalize a value system throughout the organization culture.

How do you inculcate desirable behavior?

Behavior of the people is driven by four essential parameters:

• a) Policy
• b) Process
• c) Values
• d) Objectives

These have to be linked together and feedback has to be solicited to promote desirable behavior. If there is a report of non-adherence, it is important to identify the true reason and rational behind not following. Then work on a consensus to make amendments for people to adopt and follow without inhibitions.

A good starting point would be to have a mandatory training on “Professionalism and Etiquette of Corporate life” for all employees/partners joining the organization to illustrate desired behavior. A handy handbook at the local Intranet site would serve as ready reckoner. In order to demonstrate consistent behaviors, it has to become a habit to get the desired behavior. This means providing a platform to reward employees with the right attitude. Remember, you can train people and get them the required skills and competencies, but attitude has to come from within. With this understanding, an organization’s hiring process should lay emphasis on attitude more than aptitude to recruit the right resources with positive attitude and reliance on team work.

You need to take control of your ABCs (Attitude, Behavior and Culture) to make your Governance Initiatives successful

What has been your take on Culture, Ethics and Behavior in the context of IT Governance? I want to hear about your experiences, share them in the comments section below

This article was published at HP Software Blog on 25th January
 http://h30499.www3.hp.com/t5/HP-Software-Solutions-Blog/Take-control-of-your-ABCs-to-make-your-governance-initiatives/ba-p/5944231
 

Top 10 Considerations for your ISO 20000 Certification Journey

Many Customers that I have consulted across the globe are quite apprehensive of the fact that ISO 20000 consumes laborious effort and investment to achieve the milestone. In reality it is not a difficult proposition, if you have the basics and fundamentals right. This blog talks about some key aspects one has to take control to lay a strong foundation.

1. ISO 20000 Certification is a Journey & not a Destination
   Getting an organization certified on ISO 20000 is not the end destination. It is a journey that requires continual service improvement & sustenance. So the buck does not stop once you reach the certification. Hence do not burn yourself for getting certified. Collectively as a team, plan for it and continue to strive for improved business outcome and consistent delivery for your customers.
2. Focus on why you need to get ISO 20000 Certification
   The number one reason, organizations fail to deliver value even after ISO 200000 is lack of purpose. Obtaining a certification, just for means of satisfying your customer is nothing but digging your own graveyard. The culture of the organization must be tuned to the intended purpose of delivering against customer expectations and bring about true business value.
3. ISO 20000 goes beyond ITIL V3
   Though ISO 20000 has a fair share of processes picked up from ITIL V3, it contains elements of ISO 9001 and ISO 27001 that cannot be ignored. Also your existing Quality Management System has a great bearing to help you on your certification journey. So have them accountable to drive the initiative within the organization. Start leveraging from your existing quality management frameworks and documentations instead of reinventing collaterals.
4. Embark on management of organizational change program (MoC)
   This is a critical element to start from the beginning to get the Communication & Engagement Process appropriate for the organization. Everybody in the organization have a role to play, but the important question is “why should the people change ? “and “what do they get by institutionalizing the change”?. So design an appropriate MoC program understanding the culture, value and behavior of the Implementing organization. If your people do not participate, you are not going to make it happen. It is important to work as a team, identify gaps and work towards a consensus.
5. Start with small number of services
   Organizations are ambitious to have all the services added to the scope for certification and this is humongous task and likely to fail. It is recommended to start with 4-5 services first and have them ready for your first certification. You can always expand your scope of services in the surveillance audit that happens once a year.
6. Operationalize the processes in phased manner
   It is recommended that processes are logically grouped and operationalized before moving to the next set. E.g) Incident, Problem, Request Fulfillment & Configuration can be done as batch 1 to get them not only operationalized but also identify areas for improvement and take remedial action.
7. Assess maturity of processes
   After operationalization of processes, it is recommended to do an Independent Assessment of maturity of the respective ITIL Process in terms of effectiveness and efficiency rather than documentation. This gives the ground reality and road ahead to accomplish your milestones.
8. Do not underestimate the Power of Internal Audits
   The Internal audits serve as your magnetic compass to guide you in the right direction of compliance. These internal audits are recommended to be done by the quality management/Service excellence team which does not have vested interest in your compliance. The internal audits have to be stringent and apply draconian measures to get you geared up for the actual audit. The Idea being, if the Internal audit has captured all the possible areas that goes wrong, your organization stands a great chance to face the external audits with more ease and confidence
9. Enablement using training & Interview sessions
   It is recommended that process owners and service managers are trained and certified on the respective ITIL processes, preferably at intermediate Level. This will enable them to create the right value proposition. Rigor has to be built through awareness session, scenario based discussions and Interviews to get the task force ready to face audits.
10. Reasonable Time Frame & Tracking Progress
    Based on the process Maturity of the organization, the whole effort of getting certified might take anywhere between 10 to 24 months. So it is critical to manage the project with buy-in from stakeholders with a reasonable time frame and measure and report progress against schedule and cost variance.

In my experience, I have seen these steps lay a solid foundation for Customers to gain the Certification be it 2005 or 2011 standard and would love to hear from others to enable customers achieve this important milestone. So what has been your experience with customers?

This article was published at www.itsmportal.com on 22nd Jan 2013
http://www.itsmportal.com/columns/top-10-considerations-your-iso-20000-certification-journey