The most recent version of ITIL, V3 represents an important evolutionary step in the life of Service Management.. The advocates say “ The refresh has transformed the guidance from providing a great service to being the most innovative and best in class¹”. The detractors say “Actually, much of Version 3 is a cry for acceptance at higher levels in the organisation (or a power grab for more of the business, depending on your perspective).”

My opinion having burnt the midnight oil reading the five new books is there is truth in both. I have not yet decided if I am an advocate or a detractor; the proof for me will be in the implementation, which I or anyone else have yet to attempt.

At a high level the changes reflect the way IT Service Management has matured over the past decades.

For example:

• Where V2 talked about a Collection of Integrated Processes, V3 emphasises a Holistic Service Management Life cycle

• Where V2 talked about Business and IT Alignment, V3 emphasises Business and IT Integration.

• Where V2 talked about Incident Management, V3 talks about multi-level Incident Categorization and Request Fulfilment.

• Where V2 talked about Value Chain Management, V3 emphasises Value Network Integration.

• Where V2 talked about Linear Service Catalogues, V3 emphasises Dynamic Service Portfolios.

In addition there are other significant differences, as the main focus is on the service life-cycle with a secondary focus on process. The ISO/IEC 20000 standard has been aligned to ITIL V2 but ITIL V3 also provides for support in the form of a balanced scorecard for the fulfilment of other compliance requirements such as SOX, Basel II, HIPPA, etc. It utilises The Deming Quality Cycle as the basis for quality management in the Continual Service Improvement Book.

Regardless of what anyone may try to tell you, ITIL V3 is much much more complex than V2. This is not only because ITSM is a deeper and more advanced discipline than a decade ago, but many areas that could be quietly neglected in simpler V2 installations are now more tightly integrated and brought back into prominence. V3 covers the entire IT Ecosystem and because of that it maps more clearly onto Sun Microsystems vision for the future of Technology Management..

Over the last fifteen plus years that ITIL has been around research has confirmed the benefits of its approach, it has also highlighted its deficiencies and ITIL V3 has sought to correct them. It is claimed that the new ITIL life cycle approach will;

• Establish the integration of business strategy with IT service strategy.

• Enable agile service design and an ROI blueprint.

• Provide transitional models that are fit for purpose

• Demystify the management of service providers and sourcing models.

• Improve the ease of implementing and managing services for dynamic, high risk, volatile and rapidly changing business needs.

• Improve the measurement demonstration of value.

• Identify the triggers for improvement and change anywhere in the service life cycle.

• Address the current gaps and deficiencies in ITIL today.

The new approach changes the relationship between IT and the business whereas before, ITIL worked to align service management with business strategy, V3 integrates both into a single ecosystem. Other developments include areas that we have all had to implement but were lacking in V2, for example;

• new concepts such as the Service Management Knowledge base that helps transform captured information into organisational intelligence;

• new processes such as request fulfilment;

• process expansion, such as event management;

• new practice areas and organisational structures

• and not least of all an entirely new strategy book.

The model contains the processes needed to manage services within the life cycle structure. The core practices of the Service Management life cycle are then supported by more detailed complementary content specific to industry, stakeholder and practice topics. This makes the library more practical, easier to use and provides guidance specific to various stakeholder viewpoints to help gain further traction in ITSM.

I have just started a piece of work to look at ITIL v3 and undertake a gap analysis against our current Service Management  portfolio.  From initial observations ITIL v3 appears to move from best practice to something that is largely theoretical and not proven best practice. It is difficult to understand why most companies would want to adopt it. ITIL v3 is now five books for a ridiculous price of approx £300 and on top of this the training and certification could cost you a further £2000 per person.
Having said that the new structure makes good sense the five books are now; Service Strategy, Service Design, Service Transition, Service Operations and Continual Service Improvement. This follows the service life-cycle much better than the process stove pipes that were created by ITIL v2. And in reality this is how many of us have thought about Service Management. I suppose my main concern is that it addresses none of the real issues Service Managers are facing,

- How to managed virtualised environments?

- How to ensure good release management practices for High Performance Grids?

- How to manage the convergence in the telco market place?

These problems do not appear to have been considered by the authors of ITIL v3.


 

Over the last 24 hours there has been a lot of traffic on the ITSM alias about SAS70. SAS70 is an auditing standard designed to enable an independant auditor to evaluate and issue an opinion on a service organisations controls. The auditors report can then be used with the organisations customers and their respective auditors to demonstrate it has control objectives and activities in place and they are effective.

SAS 70 can also be related to Sarbanes-Oxley under certain circumstances. Under section 404 a company needs to ensure that the "managements quarterly certification of their financial results and managements annual assertion that internal controls over financial reporting are effective". However, even a full Type II SAS70 report does not mean compliance with Sarbannes-Oxley.

It appears that many of our customers have started to ask for our SAS70 report prior to doing business with us. The traffic on the alias has already suggested that this is quite a significant problem across the GEM's. So I  am currently pulling a small team together to understand how much this is causing problems for our customers and what we can do about it.

Most of my career I have been learning and applying new industry standards to the work I do. I started many years ago with BS5750 the then new data center standard, this was superceeded by ISO9000 with TickIT. Within a period of four years it was ITIL, BS7799, ISO 17799, ISO 27001 and then more recently ISO20000. With all these new standards no wonder customers (who have real day jobs) cannot navigate through the minefield. On top of these dependent on the industry you are in we also have SOX, CobIT, SAS70, HIPPA, or even CFR21 Part 11.

So recently I started to look at our Managed Services portfolio with a view to clearly mapping our services to these industry standards. The more I have reviewed and compared these standards I have found that there are very few significant differences. Of course if you make money by producing training certification and publications to support these standards or best practice then of course you have a vested interest in convincing people your best practice is significantly different and will bring major market advantage to anyone who implements it.

Or perhaps I am just getting cynical in my old age......................

Over the past few weeks I have been working on a new version of Sun's Service Management Best Practice.  Jon Ford and I have taken the SunTone v3 specification and updated and re-aligned it to the ISO20000 International Service Management Standard. The document is in final review and we are expecting to release it by the end of the month. We have also launched a new i-runbook called ITSMO which is basically an ITIL based runbook for customer or internal use.

Best Practice is "good working practice that has been proven to work based on results that can be measured", according to the CCTA. It also gives the customers and the providers of IT a common understanding and perhaps more importantly a common vocabulary when talking about IT provision which is increasingly important where a number of partners and/or providers have to work together. The theory is great and should make our life simple, we buy an IT solution and then use "best practice" to manage it!, but, which one and how do you decide.

Well currently there are many options you can choose from; ITIL, BS15000, ISO20000, cobIT, ISO17799, eTOM, ISO9000:2000, CMMI, etc. Then if you add to that the regulatory and legal requirements; SOX, HIPPA, CFR21 Part 11, DPA, BASELII, etc. To add to the complexity of the situation, many of the new requirements overlap or even contradict each other so translating them into specific business and IT changes usually proves to be extremely challenging for all involved. As a result, IT organisations are having to ensure that systems meet the specifics of each set of regulations and in many cases satisfy different sets of auditors that the rules are being adhered to.
Certification in many of these standards by itself does not appear to be of great benefit, the benfits can only be gained from really buying in to the ethos of process improvement.

I personally believe that ITIL used as it was intended as a framework can provide guidance to enable most of the problems encountered to be solved. However hard it may prove process improvement is not a choice Forrester estimate that 30% of $1bn+ companies are experimenting with ITIL alone with approx 13% having fully implemented it. IT by itself is no longer the differentiator it once was. Cost constraints around IT budgets mean that more and more companies are looking to maximise their IT investment using process optimization and continuous improvement over hardware and software spend.