MBA thesis Final 06042016

MBA thesis Final 06042016
How outsourcing affects ICT-Service Maturity
Tor Bergholm
Master’s Thesis
Degree Programme in
Information Systems Management
Date 06.04.2016
Tor Bergholm
Degree programme
Master’s Degree Programme in Information Systems Management
Report/thesis title
Number of pages
How outsourcing affects ICT-Service Maturity
and appendix pages
69 + 32
The objective of this thesis is to explore how outsourcing affects IT Service Maturity. The thesis
provides the answer by analysing the results of a series of IT Services Maturity Reviews performed at a large corporation during the first half year of 2014. The focus of the study is
to show in detail the answers of what scenarios was taken into account while building the
assessment survey. The author of the thesis works for Microsoft Finland as an IT Service Management and Program Management Consultant, specialising in IT Strategy and Process analysis.
The purpose of the Services Maturity Reviews was to do an assessment of the current IT
Services operational maturity or the large corporation, identifying areas which had suffered
from the recent changes like the outsourcing of major IT functions operational parts, restructuring of the IT services organisation and so forth, so to find the changes, in maturity, if any. While
the changes in maturity also could be issues and risks for further operations, the aim was also to
provide recommendations of what to improve and how. In addition, maturity reviews were
also used to help the customer define the future desired state of maturity.
Outsourcing, ITIL, MOF, Enterprise Application Model, Infrastructure Optimization Model,
Change Management
Table of contents
1 Introduction .................................................................................................................... 1
Background of the thesis ........................................................................................... 1
Aim and purpose ...................................................................................................... 1
Research problem, question, and time-perspective ......................................................... 2
Scope of the Study .................................................................................................... 3
Structure of the thesis ............................................................................................... 3
Author’s role and contribution.................................................................................... 4
2 Theoretical framework ...................................................................................................... 5
Information Technology Infrastructure Library V3.0 revision 2011 by Axelos & Cabinet of
Commerce....................................................................................................................... 6
What is the Information Technology Infrastructure Library (ITIL)? ....................... 6
The Main Idea: The Service Lifecycle ................................................................ 6
The Strategy of aligning business with IT: ITIL Service Strategy. ........................... 7
The Delivery of good ITIL Service Management: Service Design........................... 7
The Delivery of good ITIL Service Management: Service Transition. ..................... 7
The Core of ITIL Service Management: Service Operation. .................................. 8
Service Operation: Event Management ............................................................. 9
Service Operation: Incident Management ........................................................ 10
Service Operation: Request Fulfillment ........................................................... 12
2.1.10 Service Operation: Problem Management ........................................................ 13
2.1.11 Service Operation: Access Management .......................................................... 15
2.1.12 Continual Service Improvement ..................................................................... 16
2.1.13 Continual Service Improvement, Total Quality Management and PDCA .............. 16
Microsoft Operations Framework version 4.0 by Microsoft ........................................... 18
What is MOF? ............................................................................................ 18
The IT Service Lifecycle ............................................................................... 18
The Plan Phase ........................................................................................... 21
The Deliver Phase ....................................................................................... 22
The Operate Phase ...................................................................................... 23
The Manage layer ........................................................................................ 24
The Core Infrastructure Optimization Capability Model (IOM) by Microsoft ................... 25
What is the Infrastructure Optimization Concept? ............................................ 25
Basic Infrastructure level maturity in the IO Model ........................................... 26
Standard Infrastructure level maturity in the IO Model ...................................... 27
Rationalized Infrastructure level maturity in the IO Model ................................. 28
Dynamic Infrastructure level maturity in the IO Model ...................................... 29
2.4 The Enterprise architecture Model ............................................................................ 30
What is the Enterprise architecture as strategy model? ....................................... 30
The Synthesis of frameworks and models in the study .................................................. 32
Why use so many tools and frameworks? ......................................................... 32
3 Research Methods mix .................................................................................................... 34
Sample width ......................................................................................................... 34
Research time-schedule ........................................................................................... 35
4 How to eat an elephant, or how to understand how a Corporation IT is doing? ........................ 36
The target Corporation of the Research ..................................................................... 36
Using Microsoft Operations Framework as the main framework .................................... 37
Best past, current, and desired maturity levels ................................................... 38
IO-Core maturity levels ................................................................................ 38
Commenting outside of the predefined question-answer units ............................. 39
The assessment questions theoretical basis ....................................................... 39
The Analysis of handling Services in The Plan Phase of IT Services ................................ 40
Strategy and IT............................................................................................ 41
Supporting Business with IT ......................................................................... 41
How does business know what services are available? ........................................ 42
How is capacity management of IT services currently done? ............................... 43
How should Disaster Recovery (DR) and Business Continuity (BC) be taken into
account in planning? ............................................................................................... 44
How well does the strategic planning plan security and IT service reliability? ......... 44
How are IT policies planned and used? ........................................................... 45
How is IT funded: Yearly, monthly, upon consumption? ................................... 45
The Analysis of handling Services in the Deliver Phase ................................................. 47
How well is the IT Services organization initiating projects? ............................... 48
How have the solution requirements been created? ........................................... 48
Is measuring, that planning before a project is started, sufficient? ........................ 49
What kind of operational requirements was taken into account in project planning? 49
What kind of testing is done and what about pilot testing?.................................. 50
What kind of a release process is used for changes when a service is mature? ......... 50
Is a process which includes a formal signoff utilized? ......................................... 50
How should the transition of new solutions from development to operations happen
in a mature organization? ......................................................................................... 51
The Analysis of handling the Services in the Operate Phase of Services ........................... 51
How is the service able to handle day-to-day operations?.................................... 52
Is information, like operation recommendations, provided by vendors, used? ........ 52
What is monitored in Operations? .................................................................. 53
How is monitoring tools utilized for monitoring SLA and OLA targets? ............... 53
How well defined is the Incident Management Process? ..................................... 54
How well have incident escalations been defined? ............................................. 54
How has knowledge management been done at Operations? .............................. 54
How is the staff trained to be able to do what is required from them? .................. 55
What does the Problem Management process for the services look like? ............... 55
4.5.10 How much was the service using defined Key Performance Indicators (KPIs) and
taking into account Critical Success Factors (CSFs)? ..................................................... 56
The analysis of the Manage Layer of Services .............................................................. 57
What kind of Change Management strategy was the Service using? ...................... 58
Was the Service making differences between how different kind of changes were
handled? ............................................................................................................... 58
What did services think about standard changes? .............................................. 59
What do the Services do with emergency changes? ............................................ 59
How much are the Services utilizing change and configuration management tools?. 59
How had Problem Management been defined and what was done? ...................... 60
Did the Service use the best practices by using Knowledge Management and the
Corporation Service Request Catalogue structure?........................................................ 60
Was the Service using the Corporation concept of best practices for Support? ....... 61
Was the Service using an Asset & Configuration Management Process? ................ 61
5 Summary ....................................................................................................................... 62
The questions ........................................................................................................ 62
The scaling ............................................................................................................ 63
The level 1 or the Silo-type maturity ............................................................... 63
The level 2 or Standardized technology maturity level. ....................................... 63
The level 3 or Optimization of solutions maturity level ...................................... 64
The level 4 or the Service Oriented Approach of maturity .................................. 64
What was missing ........................................................................................ 64
6 Discussion..................................................................................................................... 66
Future discussion above all grades: The Customer Centric Approach .............................. 66
Afterthought ......................................................................................................... 66
References ......................................................................................................................... 67
Appendix 1. Company internal result spreadsheet (Confidential) ................................................. 70
Appendix 2. Company internal report draft (confidential) .......................................................... 70
Background of the thesis
In 2014 Microsoft Finland was contacted by a customer due to their problems in measuring
their current IT Services. The customer, the target organization in this MBA-study, is the IT
Services organisation of a multinational corporation. The corporation, which is a major player in its own market. had earlier, in year 2013, decided to organize a competitive tendering
where major parts of the ICT would be outsourced to a partner.
The Customer IT organization had already earlier done major outsourcing efforts, but this
time the emphasis was on gaining major savings. whereas earlier outsourcing had also had a
strong quality focus. The organization had at the point of contacting reached a point where
the tendering and changing the responsibilities of the operations of services to the outsourcing
partner was finalized. Now the challenges for the remaining in-house ICT organization was,
about regaining control of the ICT Services and, to be able to recognize how the services were
doing. As the target organization of the study already earlier had used an ITIL-based service
management type of ICT administration, a large part of the service managers had been kept as
in-house employees to assure continued services at the levels agreed with business in Operating Level Agreements. Service Level Agreements with vendors had been structured according
to ITIL recommendations as Orand and Villareal express (2011).
The challenge for the new organization was two folded: first to be able to re-organize the own
modus operandi to the new situation, and secondly, to know what the status of the outsourced
services was. As a result of this unclear situation, it was agreed with the author of this study,
that a series of maturity assessments should be organized.
Aim and purpose
The IT Services transition to outsourcing partners, during the years 2012 and 2013, including
proper planning of agreements with Key Performance Indicators and Critical Success Factors,
had not been implemented in the Corporation in an organised way. As a result, the maturity of
the IT Services was unclear. This MBA-study, conducted during the year 2014, evaluates the
maturity of those IT Services at that point. The objective for this study was to do research and
report how mature the IT services of the Corporation had been in the past, what was the current status, and to get building blocks to pinpoint which areas should be targeted as improvement areas, for setting strategic targets for the next foreseeable planning period. The objectives of the assessments which are the basis for this research, as agreed with the Corporate
customer, was to get a comprehensive sample and hence assessment of the situation of the
customers’ IT Services. The research would provide answers of the IT Services health in all
the phases of a service lifecycle according to the best practices view on Services according to
IT Infrastructure Library (ITIL) V.3.0 rev. 2011 and Microsoft Operations Framework ver.
4.0. (MOF). The scale of the maturity assessment would be adopted from the Microsoft Infrastructure Optimization (IO) Model, which in essence is based on the Enterprise Architecture
Strategy Maturity(EAM) Model from Sloan School of Management at Massachusetts Institute
of Technology (Ross et al. 2006). These frameworks divide the Services lifecycle into several
different areas: Management-Strategy, Planning-Design, Deployment-Transition, and Operations (MOF 4.0, ITIL 3.0). ITIL also separates one additional area to be structured: Continual
Service Improvement, whereas MOF handles this area as one part of the Management Layer.
(Microsoft Corporation. 2009. MOF – Cross Reference ITIL ® V3 and MOF 4.0. Seattle.).
IT Service Management as change in services is a constant. To simplify the target for IT to
exist, there are only two reasons, the flipsides of the same coin, namely producing added value, or producing savings. What is an IT Service then? According to the Information Technology Infrastructure Library version 3.0 (ITIL), “A means of delivering value to customers
by facilitating outcomes that customers want to achieve, without ownership of specific costs
or risks” (Orand and Villareal, 2011).
The IT services maturity research done at this customer was focused on analysing the status of
the IT services after the optimizing efforts executed by the corporation to decrease their IT
spending. The research raised the awareness of their current IT operational maturity, and at
the same identified possible issues and risks. The target was to provide some recommendations of what to improve and how. A research like this allows customers to define their desired state of IT Services maturity. This research aimed at helping the customer focus scarce
resources during a recession where they matter most. The aim of the study was to recognize
the most effective and efficient changes needed to the IT service management with none or
minimum amount of additional resources.
Research problem, question, and time-perspective
IT Service management as a process was something that had been done by the customer since
2005, when ITIL v. 2.0 was largely introduced to the customer IT. The continuous reorgani2
zations due to recession, but also due to the need of new solutions, has made the organization
unclear, and the maturity of the IT Services was not known, at least for the entity.
The effectiveness and efficiency of service management. in this study is measured by its ability to handle reactive non-planned activities as incident management, incident escalation management, problem management, change & configuration management, but also proactive processes for pre-emptive work.
The research questions were as follows:
Q1: How has service management been done at the customer in the past?
Q2: How is service management been done at the customer currently?
Q2: How should service management be done at the customer in the future?
Q4: How should the maturity of service management be measured in the aforementioned time
Scope of the Study
The Customer IT handles 468 different IT Services which could be verified by business to be
active, and as such, trying to get a holistic view of the IT Services by interviewing all representatives for each IT service was not doable. To be able to get a representative view of the
entity, a select amount of 40 major Services was chosen to represent the majority. Of the 40
Services chosen 32 was able to participate in the set timeframe. Research of the customer corporation IT Service would not extend to the Customer business representatives (internal customers). The study would produce an internal report to IT of the maturity, and propose a
limited one-time solution, with improvement points. Actual changes were left for the customer to implement.
Structure of the thesis
The thesis is divided into six chapters. An overview of the chapters is summarized in this subchapter.
Chapter 1 presents the background of the study, the aim and purpose, and the scope of the
study and the research questions that the study aims to answer.
Chapter 2 present the theoretical frameworks for this study.
Chapter 3 focuses on research methods, the thinking for the choice of research methods,
ways of measurement, and description of the ways data was gathered.
Chapter 4 illustrates the empirical part of the study and analyses the results of each part of the
Chapter 5 summarizes the findings of the study, offers the conclusions,
Chapter 6 provides some possible direction for development and afterthought.
Author’s role and contribution
The author is a full time employee of Microsoft, working in the area of IT Service Management assessments of customer IT-related processes and strategies. In the case of this thesis
the author that was asked by the customer corporation representative to do the aforementioned research of the customer IT maturity. To satisfy the customer needs, the author created the model how to use methodologies developed by Microsoft to be able to analyse the situation, agreed the scope with the customer, held the planning workshops, created a SharePoint
site together with a SharePoint-expert to be able to do offsite-evaluations, did a series of interviews with Service Manager representatives for the Services, and finally analysed and reported the results of the assessment to the customer. This study was not part of the project,
but was agreed to happen and to be delivered to be read and accepted by the customer.
Theoretical framework
To do the research successfully in the allotted timeframe and in the width according to
customer wishes, a fundamental understanding of the following frameworks was necessary to
implement at the IT organization. This required some basic introductions to customer
representatives to be performed to have the same initial level for evaluation. The following IT
Service Management Frameworks and models were used to do the analysis of the customer
Microsoft Operations Framework version 4.0(MOF).
ITIL version 3. revision 2011
Infrastructure Optimization Model (IOM).
Deming’s Plan-Do-Check-Act management cycle
Enterprise Architecture Model
The synthesis of the frameworks in this study
The ADKAR model, developed by the ProSci Learning Center, and the SECI model developed by Nonaka & Takeuchi are mentioned in the summary. These models could have been
used in further studies, but were not used during this research, and hence are not further explained in the study methodology chapter.
Information Technology Infrastructure Library V3.0 revision 2011 by Axelos &
Cabinet of Commerce
What is the Information Technology Infrastructure Library (ITIL)?
The Information Technology Infrastructure Library (ITIL) offers a governing approach to the
delivery of quality IT services. In this study ITIL is comprehensively used as a reference
framework, and due to that the main parts of the framework need to be explained.
ITIL was created in the 1980's by the UK governments CCTA (Central Computer and
Telecommunications Agency) with the objective of ensuring better use of IT services and
resources. ( 2015) The current name for the administering
party is now the Cabinet Office, part of HM Government. For a period of time it was
referred to as Office of Government Commerce (OGC). Since 2013 Axelos, a join operation
between HM Cabinet Office, and a private Company called Capita Plc. ITIL has been the de
facto standard for the IT industry in Service Management, and has provided good practices as
a framework.
As the introduction to the ITIL by Cabinet Office (Cabinet Office 2011) expresses, ITIL is
the most widely recognized framework for ITSM in the world. In the now already 25 years
since it was created, ITIL has evolved and changed its breadth and depth as technologies and
business practices have developed. ISO/IEC 20000 provides a formal and universal standard
for organizations seeking to have their service management capabilities audited and certified.
While ISO/IEC 20000 is a standard to be achieved and maintained, ITIL offers a body of
knowledge useful for achieving the standard (Cabinet Office 2011).
The Main Idea: The Service Lifecycle
ITIL Version 3 (2011) is a minor upgrade to the version 2007, and approaches IT service
management from the lifecycle perspective of a service. The older version 2.0 of ITIL did only
cover practices for the Operations phase. The IT Service lifecycle organization model (Figure
1) that ITIL 3.0 brings, provides structured thinking in how IT service management can be
managed, the way the various lifecycle components can be linked to each other, and hence, a
way grab the structure of the entire lifecycle system.
The ITIL Service lifecycle consists of five areas. The five volumes of the ITIL V3 core books
describe these five components:
Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement
As ITIL is a large framework, not all, but only the parts interesting for this study will be presented
The Strategy of aligning business with IT: ITIL Service Strategy.
ITIL expresses that the service strategy stage purpose of the service lifecycle is to define the
perspective, position, plans and patterns that a service provider, should it then be an internal
service provider or an external service provider, needs to be able to execute to meet an organization’s business outcomes (ITIL Service Strategy 2011, p.17).
For the purpose of this study, measuring Service Strategy implementation is crucial for understanding the maturity of the services.
The Delivery of good ITIL Service Management: Service Design.
ITIL expresses the primary purpose of the service design stage of the service lifecycle to be
taking care of that service solutions are designed to meet the current and future needs of the
business. Requirement handling in its all phases: from identification, to detailed description to
agreement with customer of priorities are fundamental to the production of good service solution designs (ITIL Service Design 2011, p.10).
The Delivery of good ITIL Service Management: Service Transition.
One can express, that the most common thing for IT to happen, is change. The Service Transition stage of the service lifecycle aims at ensuring that any modifications or transitions to the
live operational environment – is it then a new service, a modification to a service, a retiring
service or retired services – do not at least intentionally harm business, and do meet the agreed
expectations of the business, customers and users. For this to happen, all modifications to
operational environments should be managed, planned and coordinated through service transition processes. With the transition steps and processes recommended in the Service Transition, IT is facilitating the smooth transitions of changes to live operation (ITIL, Service Transition, 2011, p.10).
The Core of ITIL Service Management: Service Operation.
As expressed earlier ITIL V 3.0(2011 edition) is an upgrade to an earlier ITIL Framework.
The core part of the new ITIL is in the Service Operation part, which was constructed already
in the version 2.0 of ITIL. Service Operation is according to ITIL Service Operation phase
the critical stage of the service lifecycle. It is the stage of the lifecycle where the service really
starts to deliver benefit and value to the business, customers and users. (ITIL Service Operation, 2011, p.10). Within Service Operation are the processes to ensure that the added-value
can be provided effectively, and efficiently (Orand and Villareal, 2011)..
The most important processes in ITIL Service Operation are:
Event Management
Incident Management
Request Fulfillment
Problem Management
Access Management
Basically these processes are the de-facto standard to Service Desks, globally. However, how
the quality of services is measured, varies largely in Service Desks due to the varieties and challenges of Service Management as defined in Service Integration and Management (SIAM,
Figure 1: ITIL version 3.0, 2011 Enhanced.
Service Operation: Event Management
The Event Management purpose according to ITIL can be defined to be a process where
events are detected, the events are analyzed and made sense of, and deciding what control
should be provided or what the appropriate control action is (Orand and Villareal2011, p.229).
Event Management is according to ITIL the basis for Operational Management. Controls
defined in Event Management are used for automating Operations Management activities.
Some key Concepts work as a basis for Operations Management. Conceptualizing an event
ITIL describes an event as a change of state which has significance for the management of a
Configuration Item or IT Service. The event in this concept is related to the service, and
should be significant to the service, but it may be of no importance to us. (Ibid, 2011:229).
When the Event Management identifies an event, it should notify appropriate resources,
though some means, typically through alerts. The alert is defined as a warning that a something has changed, it might be a pre-defined threshold, that has been reached, or a failure of
Service component has occurred
Service Operation: Incident Management
According to ITIL the purpose of the Incident Management process restores normal service
operation as quickly as possible and minimizes the adverse impact on business operations,
thus ensuring that the best possible levels of service quality and availability are maintained.
Incident Management should not focus on fixing the underlying problem. Instead, Incident
Management should restore service as quickly as possible. This rapid restoration of service can
be done by the use of workarounds and other solutions like fast boot etc. The aim for Incident Management is to minimize the negative impact to business and maintain customer and
user satisfaction according to agreed standards. Incident Management is guided by the Service
Level Agreements (SLA), and due to that SLAs are of interest for any research of Service Operations (ITIL – Service Operation 2011, p.73).
According to Orand and Villareal (2011) the SLAs are the written statements that document
the expected levels of service for response targets for Incident Management. SLAs are also
beneficial in that they express the priorities and relative value of different Incidents. In an organization defined according to ITIL, the Service Desk should initiate the Incident Management process based on calls, emails or other contacts made. In scenarios where the incidents
can be resolved by the Service Desk, the Service Desk handles the entire Incident Management Process of the incident from recording to closure. In scenarios where incidents are beyond the technical ability of the Service Desk or that are multifaceted or complex, other resources are utilized, typically by an escalation. The Service Desk, is by using the Incident Management Process according to specification, helping to ensure that correct resources are utilized only when needed. by using specialized staff only for the incidents that cannot be resolved by the Service Desk. (Orand and Villareal 2011, p. 235)
The Incident Management process should record every incident that occurs for the environment which Service Desk is responsible for. Tracking the incidents should be done to ensure
that no incident is lost, forgotten, or ignored. The incidents should also be managed to see
that they are handled according to the Service Level Agreements. (Orand and Villareal 2011,
Incident Management is one of the most visible processes to the business and due to that
business values the Incident Management process. Incident Management creates or restores
value to business through the ability to detect and resolve incidents. It is done according to
SLAs results in reduced downtime to the business which, in turn, means higher availability of
the service. The key to maintained business value is the proper prioritization of incidents that
can provide understanding to Service Desk and alignment between IT and real-time business
priorities. This requires that the Incident Management process has been built including the
knowledge about the business processes and any changes to those processes. This information should be included in the Service Level Agreements.
The ability to identify potential improvements to services. This happens as a result of understanding what constitutes an incident and also from being in contact with the activities of
business operational staff.
An incident can basically be reported from any source – by users, technicians, administrators
monitoring tools and so forth. An incident is always handled regardless of the source, as an
incident: an incident is an incident. The channel for the incoming incident or the role of the
one reporting something to the Service Desk does not make it a problem, but an incident.
As a part of the Incident Management there is a need to define Key Performance Indicators
(KPIs). By focusing on specific targets, KPIs for Incident Management aim at improving the
Incident Management process to ensure that incidents are resolved in the best interest for the
The most typical KPIs measured according to Orand and Villareal (2011) are:
Total number of incidents
Breakdown of incidents at each stage of the lifecycle
Size of current incident backlog
Number and percentage of major incidents
Mean elapsed time to resolve
Percentage of incidents handled within agreed response times
Average cost per incident
Number and percentage of incidents reopened
Number and percentage of incidents incorrectly assigned
Number and percentage of incidents incorrectly categorized
Percentage of incidents closed by the Service Desk without referring to other groups
Number and percentage of incidents processed per Service Desk agent
Number and percentage of incidents resolved remotely without requiring a visit
Number of incidents handled by each incident model
Breakdown of incidents by time of day to help pinpoint peaks and ensure matching of
(Orand and Villareal 2011, p. 241)
Service Operation: Request Fulfillment
According to ITIL, the term ‘service request’ is used as a generic description for many different types of demands that are placed upon the IT organization by the users. Many of these are
typically requests from a user for information or advice or for a Standard Change or access to
an IT service. Requests are typically for small changes that are low risk, frequently performed,
low cost etc. (e.g. a request to change a password, a request to install an additional software
application onto a particular workstation, a request to relocate some items of desktop equipment) or may be just a request for information (ITIL Service Operations 2011, p.99).
The Service requests typically occur on a regular basis, such as adding software to a computer,
requesting toner for a printer, or requesting a cell phone or pager, along with many other types
of requests. Most Service Requests are based on services that are documented in the Service
Catalog. (Orand and Villareal2011, p.245)
Typically, the objectives of the Request Fulfillment Process (Figure 2) are about providing a
channel for users to request and receive standard services. Standard Services in this context
are services for which a predefined approval and qualification process exists.
Shortly put, the purpose of Request Fulfillment is to handle requests from users. The requests
might at this point be about what say not. The Request Process is responsible to verify what
kind of request type is in question. Often standardization as a part of the request process
means that many, if not all, service requests are initiated according to the presence of a product or service published in a Service Catalog. The Request Process typically does state which
team should provide the service requested, but services can be supplied by an internal support
team, or, and often are, supplied through external support teams. The model to use a Request
Process is established to automate responses to commonly occurring requests. The process,
once recognized to be needed to fulfil a request, might vary depending upon exactly what is
being requested, but can usually be broken down into a set of activities that have to be performed (ITIL Service Operation 2011, p.87)
Figure 2: Request Fulfillment Process.
2.1.10 Service Operation: Problem Management
According to Orand a problem in ITIL is defined as the unknown cause of one or more incidents. Problems, again once diagnosed and the root cause is found, result in the Problem
Management process (Figure 3) enforcing the documentation of a Known Error. A Known
Error is defined as a fault in the infrastructure for which a permanent solution or temporary
workaround has been found (Orand and Villareal 2011, p.250).
ITIL states that the purpose of problem management is to manage the lifecycle of problems.
According to ITIL problems should be handled in an organized way from the first identification of a problem existing, through further investigation, documentation of the problems and
in the end handling the solving of the problem. Problem management handles underlying
errors in a managed way and seeks to minimize the adverse impact of incidents and problems
on the business. Problem management also strives to proactively prevent recurrence of incidents related to these errors. In Problem Management the Problem Manager seeks to find the
root cause of incidents, documenting the behavior, and communicating the then known errors. In the end Problem Management aims at initiating actions to improve or correct the
problems found (ITIL Service Operation 2011, p. 97).
According to Orand &Villarreal the value for Business in Problem Management comes from
the reduction of Known Errors (KE) in the Service Environment, and thus prevents problems from happening before they occur, resulting in improved resource availability and fewer
incidents. Through this reduction in Known Errors, IT services can establish higher availability, increase productivity for users of IT, and gain reductions in the costs of Incident Management by reducing the amount of incidents due to problems (ITIL Service Operation 2011,
Figure 3: Problem Management Process.
2.1.11 Service Operation: Access Management
The Access Management (AM) is one of the processes related to security. Access Management
is a wide Service Management area that according to Orand and Villareal (2011) has overall
responsibility for maintaining the access of services through ensuring that access is granted to
only the people who require access for legitimate reasons. The decision who is granted access
is not done in the Access Management process, but instead operates according to the policies
developed for access. Access policies are according to ITIL developed during the Service Design stage of the service lifecycle (Orand and Villareal 2011, p.127). In Service Design the emphasis is on security management and availability. When these processes are defined and executed one can determine what kind of access should be provided and to whom it should be
provided. Simply put, the purpose of Access Management is to provide access for services
that users are entitled to while preventing access to users that are not entitled. From a business
perspective, Access Management is regulating the access to confidential information to the
appropriate persons. Another important aspect is the regulatory requirements, like the Payment Card Industry standard (PCI), which might be audited for compliance, and if security
has been breached, might mean serious repercussions to business.
2.1.12 Continual Service Improvement
A core question for Services reliability is the amount of work which is used to do Continual
Service Improvement. How well does IT understand what reliability is, how is it measured,
and does IT aim at doing Continual Service improvement? ITIL has seen Continual Service
Improvement (CSI) so crucial for maintaining IT Services health, that ITIL ver. 3.0 has a separate book handling everything what comes to CSI. According to ITIL, Continual Service
Improvement must penetrate and become woven into every stage of the service lifecycle and
into every process, function, activity, tool, supplier and member of staff (ITIL Continual Service Improvement 2011:10).
ITIL lists functions that are needed to maintain or update IT services according to specifications. The functions include monitoring, measurement, analysis and reporting. At the same
time ITIL recommends actions to ensure processes also are under CSI. According to ITIL the
CSI should even ensure that the overall IT strategy itself is updated continuously. At the same
time ITIL now pinpoints that the Personnel and its knowledge, skills, qualifications and experience equally should be updated and maintained (ITIL Continual Service Improvement 2011,
2.1.13 Continual Service Improvement, Total Quality Management and PDCA
Both MOF and ITIL in their current versions recognize continual improvement as an underlying paradigm. According to MOF, at the highest level, both lifecycles are illustrations of the
Plan-Do-Check (PDCA) concept. The PDCA can easily be recognized in the structures of
these lifecycles. (MOF, Cross Reference 2008, p.31)
According to ITIL Service improvements are governed by the improvement lifecycle, which is
modelled on the PDCA cycle. The PDCA model establishes a clear pattern for continual improvement efforts. (ITIL Continual Service Improvement 2011, p.78)
The PDCA-model (plan-do-check-act, sometimes seen as plan-do-check-adjust) is a repetitive
four-stage model for improving the quality of repetitive functions. PDCA-model is the core
of the Continual Service improvement (CSI) strategy in ITIL version 3.0 lifecycle thinking and
also more generally modern business process management. The PDCA model is also known
as the Deming circle/cycle/wheel. Other popular names for this model is Shewhart cycle,
control circle/cycle, or plan–do–study–act (PDSA). (What is PDCA 2016)
PDCA, as an old concept, was brought to larger public attention by Dr. W. Edwards Deming,
a management consultant, who also is often considered the father of modern quality control.
Deming's work is seen forming the basis for Total Quality Management (TQM) and ISO 9001
quality standards. Deming himself did not credit himself as the creator of the PDCA cycle, but
expressed Walter Andrew Shewhart as the creator. Shewhart who is not as largely known as
Deming, was a physicist, engineer and statistician who however is often considered the father
of statistical quality control. (What is PDCA 2016)
The PDCA-model is divided into the four sequential categories as a lifecycle: plan, do, check,
and act.
Plan: The phase where one defines the problem to be addressed, collect problem
data, and verify the problem's root cause.
Do: The phase when the solution is developed and implemented; the appropriate
methods of measurement to explore the solutions effectiveness are also decided at
this phase.
Check: Verify that the results strived for have been achieved by comparison of before-and-after data.
Act: The phase where documentation of the solution results is done. Process
changes are informed to stakeholders and the initiation of the next PDCA cycle is
started by giving recommendations for the remaining found problems to be addressed.
Microsoft Operations Framework version 4.0 by Microsoft
What is MOF?
Microsoft released the first version of Microsoft Operation Framework (MOF) in 1999. In
this study MOF together with ITIL is used as a reference framework, and due to that the main
parts of the framework need to be explained in the same way ITIL has been described.
Microsoft Operations Framework is an attempt, to with a structured approach, give IT
professionals knowledge and processes of good practices, and help its customers achieve
operational maturity through the entire IT service lifecycle.
The Microsoft Operations Framework is a framework based on development work to align a
practical operations framework or the how to do things, in a compliant manner with the
methods listed by the developers of the Information Technology Infrastructure Library (ITIL
v 3.0). Where ITIL is a framework of explaining good or best practise, so is MOF. Both
concentrate on good practice, rather than process as such. The main difference could be
epxressed as that where ITIL focuses more on the “what” or descriptive ways to express good
practises, MOF aims at giving more answers to the “how” or a prescriptive way to implement
good practises.
Microsoft Operations Framework (MOF) is a collection of good practices, principles, and
concrete activities. In the MOF (Figure 4) the developers have developed practical guidelines
for services and solutions to achieve consistent reliable entities. MOF is using an approach
of leading the discussion with question-based guidance that allows the organization
implementing MOF to find actual improvement activities, to increase maturity and do
continual service improvement. With this approach Microsoft provides organizations a way
to better their services reliability through the service lifecycle to assure that activities that will
keep the IT organization in function are done efficiently and effectively for the future.
The IT Service Lifecycle
As is the thought of Service lifecycle in the ITIL Framework, it is also the thought of the
lifecycle structured in MOF. The thought construct of a IT service lifecycle describes the
complete lifespan of an IT service. MOF uses a waterfall project model approach, advancing
in phases from planning the IT service to aligning it with the business strategy. Then by the
design, and delivery of the IT service, MOF assumes the advancement to create a draft service
which should reflect customer requirements. While transferring it into ongoing operation
one should according to MOF make final reviews and, hence, make the support organization
able to support it, delivering it to the user community. The major foundation of this model
lies upon strict IT governance, including risk management, compliance, change management
and other Service Management Functions (SMF) done in the Management layer.
The IT service lifecycle of MOF is comprising of three ongoing phases, Plan, Deliver, Operate
and one foundational Manager layer that operates throughout all of the other phases:
Plan phase: planning and optimization of an IT service, including operational strategy in
order to support business goals and objectives.
Deliver phase: ensure that IT the services are developed effectively, deployed successfully
by reviewing results, and are ready for Operations.
Operate phase: ensuring operational, maintainable, and supportable IT services, in a way
that meets business needs and expectations.
Manage layer: the construct which is present in all phases of the IT service lifecycle. The
Manager layer is comprising of IT governance, risk, compliance, roles and responsibilities,
change management, and configuration. Reviews of Continual Service Improvement is also a responsibility listed in the Manage layer. Processes in this layer must be applied to all
phases of the lifecycle.
According to MOF, the activities and processes are organized into Service Management
Functions (SMFs). The material in the Microsoft Operations Framework includes all the
major activities and processes involved in managing an IT service during its lifecycle. The
major phases are divided into conception of the service, development of the service, operation
of the service, maintenance, and also retirement. For all these major activities and processes
MOF recognizes different Service Management Functions (SMFs). The SMFs are grouped
together in phases that are following the IT Service lifecycle phases. The SMF: s in the
lifecycle phases are providing a view through goals and outcomes supporting the objectives of
that phase.
Readiness of each IT service to move from one phase to the next phase is assessed by
management reviews, where a review is done that goals are achieved and that goals of IT are
aligned with the goals of the customer organization (MOF overview 2008, p.12).
Figure 4: MOF.
The Plan Phase
The Plan Phase (Figure 5), is where business and IT do the biggest joint effort in determining
how IT should be focused to deliver the value add services that enable the business to
Why would business be interested in using IT? What is IT needed for? All businesses, might
it then be companies, public organizations or other forms organized operations, there is
always a value in the efforts done in that area. To be interesting for these efforts that also
could be called functions, IT must be able to provide means to provide addition to that value.
In services that means being able to the right things when needed which is the same as
reliability, doing it according to the rules and practices of the society doing things in a
Compliant manner. Naturally cost-effectiveness is a major driver: there must be a value add
and benefits from the resources used to provide the Service. To not become obsolete IT
must also be able to adapt to the ever- changing needs of the business (MOF Plan overview
2011, p. 5).
Doing that requires:
Strategy and requirements understanding
Understanding how well the current IT services support the business.
Understanding what reliability is, but also what value it may be to this organization
Understanding the policies and requirements derived from the IT strategy.
Providing the prioritization structure and a IT Service Portfolio to be able to do the right
things in IT and drive the right planning decisions.
Creating and maintaining an IT strategy aligning it with the business strategy.
According to MOF, the IT strategy is the plan that aligns the organization’s objectives,
policies, and procedures into an overarching approach to deliver the desired set of services
that support the business strategy.
Good enough quality, cost efficiency, and reliability for the functions needed the most,
should be balanced in order to achieve the business and overall organization’s desired outcomes. The IT strategy is the result of the work done in the Plan phase. The IT strategy
should also according to MOF continually evolve and improve as business refocus and
practice its optimizing skills and ability to adapt to business changes (MOF Plan overview
2011, p.5).
Figure 5: Plan Phase.
The Deliver Phase
The Deliver Phase is the part of the service lifecycle where the service projects or infrastructure projects are functionally planned, designed according to requirements, built by developers, and deployed together with Operations. The Deliver Phase is also the part of the lifecycle
process through which any change must go, large or small. The degree of change priority,
change process and methodology will depend on the nature and size of the change. Often,
also, changes which are known and tested i.e. standard changes will be moved directly through
the Deliver Process without separate handling in the Change Advisory Board. Other typical
types with more emphasis in the deliver phase are minor, significant, or major change (MOF
Deliver Overview 2011, p.5).
The Operate Phase
The Operate Phase (Figure 6), is the part of the service lifecycle where Business should get
its return on investment. and it represents the culmination of the work done in planning
and delivery phases that precede it. The Operate Phase shortly put focuses on how to
handle the service after the services are in place and operational (MOF Operate Overview
2011, p.5).
Microsoft Operations Framework has published separate practice overviews called Service
Managment Functions(SMFs) per phase. For the Operate Phase MOF contains the
following SMFs: Operations SMF, Service Monitoring and Control SMF, Customer Service
SMF, and Problem Management SMF. From the Study perspective this phase is essential,
including handling of service requests and incident management in the Customer Service
SMF. and Problem Management SMFh, which is self expalanatory named.
Figure 6: The Operate Phase.
The Manage layer
The Manage layer (Figure 7), is the part of the service lifecycle where Business and IT is
focused on setting the management in place for the service, using controls, processes, and
activities (MOF Manage overview 2011, p.5). As the meaning for IT is added value or savings
i.e. additional business value, the better managed layer is handled, the lesser the risk, the
clearer the accountabilities are and better value business gets.
Figure 7: The Manage Layer.
The Core Infrastructure Optimization Capability Model (IOM) by Microsoft
What is the Infrastructure Optimization Concept?
The Microsoft Infrastructure Optimization (IO) Concept was developed by Jeanne Ross and
Patrick Weill to Microsoft, based upon the Enterprise Architecture as Strategy Model developed at the Center for Information Systems Research at MIT Sloan, Massachusetts Institute
of Technology. The Infrastructure Optimization Concept is structured around three information technology models: Core Infrastructure Optimization, Application Platform Infrastructure Optimization, and Business Productivity Infrastructure Optimization.
The process
maturity in the IO models contains four levels, and also capability classifications as groupings
of requirements for each level of maturity. The different areas of the IO concept are divided
1. Core IO, which focuses on the foundational elements of IT services and components,
2. Application Platform IO, which focuses on good practices for software development
3. Business Productivity IO, which focuses on the infrastructure requirements.
(, 2015)
Core Infrastructure Optimization Capability Model
In Figure 8 the requirements for different maturity levels according to the Core IO are presented related to capability in the different optimization levels.
Figure 8: Core IO Model.
Basic Infrastructure level maturity in the IO Model
The basic infrastructure (IT) and platform is typically characterized by work done in silos.
From a work perspective this is the lonely guy sitting in the corner behind the wall of computing books. Work tasks are performed manually instead of using automatic scripts for monitoring and other tasks. Processes, if they have been discovered, are performed in a local
mode, and the central control is minimal or non-existent. One typical signal of lacking maturity is also the poor governance of licenses and overlapping applications, where different departments may have competing applications to perform the same task. Each department
claim to have so special needs that standardization is not possible. Data, developed with the
applications, can be found on personal drives and personal shares, but poorly in centralized
shared storage. The need for sharing storage has typically been recognized, but the means to
solve the need have not been put in place on a general level. A weak Service Management
Maturity typically also shows as weak enforcement strategies for standardization, which is the
next level of maturity (, 2015).
Standard Infrastructure level maturity in the IO Model
Being able to move to the standardized level of maturity from the silos clearly benefits the ITorganizations, and their customers. Costs can be substantially reduced by using standardized
ways of working, standard processes, and controlling the entity, instead of working each and
everybody separately. Overlapping processes, applications, workstation and server purchases
and can be diminished, and a centralized management can be introduced. Typically, this also
means that directory services, like Microsoft Active Directory are taken into use, so that the
users can get access to right resources, like network segments and Common Server-based applications, and other shared resources.
IT-organizations that have been able to reach the standardized state, normally have realized
the value of standardization, and have implemented some policies. At this point however,
there is still not a proactive way of handling the patches, hardware and software assets, but
most cases are handled only when something occur i.e. reactively.
The afore mentioned reactive handling still means that there already is an inventory of hardware and software, desktop services have been standardized and license management has been
understood to be needed. There also already is a basic security process implemented at least
for perimeters, but internal security issues have not necessarily been understood. Hence, there
are savings that have been achieved by the measures typically done in the standardization
state, but mostly with mediocre savings, due to large amount of manual labor and manual
methods. Content is typically exposed to users through basic search capabilities in consolidated storage solutions, with content retention build in (, 2015).
Rationalized Infrastructure level maturity in the IO Model
At the standardized state the Customers of the IT organization typically become cost aware,
which leads to attempts to do rationalization. While it might be that this is just a natural development of understanding, often it is a sign of poorly done cost control of the standardization. Searching for cost benefit the IT organizations start looking for means of optimization
and rationalization. By proactive policies and processes, typical for optimization, that express
the most common usage scenarios with a scale from opportunity to business case to end of
lifecycle to eventual catastrophe and disaster recovery, the IT organization, if it succeeds, can
show it is a recognized counterpart to business, and it can produce services as intended.
When the optimization of the infrastructure and platform is actively handled, costs of managing desktops and servers are typically at their lowest. Processes and policies have also matured
enough to begin playing a large role in supporting and expanding the business, and business
has started to rely on IT as a crucial part of business.
Additionally, security is handled in a holistic way, with an ability to respond to threats, and a
proactive approach, where updates, and patches to environments are done in a well-controlled
As Ross, Weill, and Robertson (2006) expresses, automation plays a pivotal role in optimization, and manual deployments are avoided as much as possible. With this approach to deployments, the IT organization minimizes costs, the time from ready to deploy, and technical
challenges due to human mistakes.
Organizations that are in a rationalized level of Service Management maturity have a clear inventory of hardware and software, mostly as a Configuration Management Database (CMDB),
and are able to maintain a license database to only purchase licenses at real need. Information
stored in the IT Storage, as documents, data records etc. are seen as part of the Corporate IP,
and as such strategic explicit enablers for the business. Due to the importance, the information is handled in ways that ensure easy access, retention, accurate privacy, and search ability. In the rationalized level investments are normally based on business process thinking enabling line-of-business applications. These investments are also often integrated with business
productivity infrastructure investments, and IT has defined processes and procedures for the
holistic view on information to provision search integration. With these new Business Case
aware- Information integration aware line-of-business applications. Customers can get the
benefits from this rationalized state, and even aim at working at a dynamic state (, 2015).
Dynamic Infrastructure level maturity in the IO Model
In a well measured IT organization, the well-defined scorecard tools enable active business
case evaluation. With a continuous business case awareness, the benefits of implementing
new or alternative technologies can be evaluated. This level of awareness helps is taking on
such business challenges or opportunities that otherwise without proper information could be
deemed as risks where benefits are bigger than the incremental cost.
IT organizations who have been able to achieve a dynamic infrastructure and platform are
fully aware of the strategic business value their infrastructure provides.
The value realization can be measured in business cases and can be seen in the customers of
the IT organization being able to run their business efficiently and staying ahead of competitors. The Rationalization level is also recognized by that costs can be fully controlled. With
integration between users, applications and data, desktops, networks and servers, Cooperation and productivity is increased. Collaboration tools are common and pervasive
communication tools are enabling the users to work almost regardless of time and space.
Automation tools that are integrated with the larger environment enable business process
IT uses technology to automate processes, and the target is to align IT, as much as possible
with business, and manage IT leveraging what business needs. The business case is taken into
account when investing in new technology, but only after a re-evaluation of the processes to
be automated. All new investments are measured against the business case to be able to provide measurable benefits. For the customers using dynamic infrastructure, a new level of flexibility can be reached, bringing easily exploitable high maturity services, thus enabling competitive and comparative advantage. The modularity and scalability enables the business flexibility which supports business expansion and scaling business risks. To be able to provide
dynamin infrastructure, all critical services which are to be dynamic, should be well steered
including service level agreements and recurring operational reviews. This level of IT maturity
is not easy to reach, and is often not even aimed to be reached (, 2015).
2.4 The Enterprise architecture Model
What is the Enterprise architecture as strategy model?
The Enterprise Architecture Model (EAM) was developed by Jeanne Ross, Patrick Weill, and
David C. Robertson at the Center for Information Systems Research (CISR) at MIT Sloan,
Massachusetts Institute of Technology. The model was published in 2006 in the book ‘Enterprise Architecture as Strategy, creating a business for business execution’, and has been used
as a basis for the IO Core model. The Enterprise Architecture model (Figure 9) was the result
of 200 studies of enterprise architecture in different companies (Ross, Weill, and Robertson
2006, p.IX). Additionally, ‘The Enterprise Architecture as strategy foundation’-concept, which
is presented in the book, is based on earlier surveys done to more than 100 U.S. and European
The key findings of the studies and surveys revealed that those companies (1/3 of all companies studied), who at the time of the study had digitized their core processes, had higher profitability, could do faster time to market efforts, and still had 25 % lower IT costs. (Ross, Weill,
and Robertson 2006, p. 1) As these results were remarkable, the material was used as a basis
for research to create a model which could explain the success of these successful companies.
The differentiators were found to be on a high level, namely the companies’ ability to create
an architectural view IT, and of how to perform operations, and hence the Enterprise architecture model was born. While this study is not directly based upon the EAM, but on the
derivate model, namely IOM used by Microsoft, the maturity stages of the EAM model are
not explained here, but the study references to the IOM, and the IOM is explained in detail.
The core thought, the grading and the structure of the EAM and the IOM are still the same.
The core idea of the EAM is that Enterprise Architecture should be the organizing logic for
business process and IT infrastructure capabilities. This logic should directly reflect the integration and standardization requirements of the firm’s operating model. This naturally means
that the operating model should also be understood. By being able to mature the IT environment handling structure, the EAM should be able to provide clear benefits (Figure 10).
Figure 9: Enterprise Architecture Model.
Figure 10: EAM Benefits.
The Synthesis of frameworks and models in the study
Why use so many tools and frameworks?
The agreed scope of the assessment and this study was to analyze the maturity of the IT services. IT services typically are matured by implementing ITIL good practices. ITIL does not
offer readymade assessment models, but suggests the use of either Capability Maturity Model
Integration (CMMI), Control Objectives of IT (COBIT) or ISO/ IEC 20 000. (ITIL Continual Service Improvement 2011, p.75). According to ITIL, a well-designed maturity assessment
framework should evaluate the all aspects of the process environment including the people,
process and technology. The framework should also evaluate factors affecting overall process
effectiveness within and close to the business – grade culture of acceptance, and be able assess existing processes, strategies and vision. Additionally, the assessment framework should
be able to assess the process organization, process governance, business/IT alignment, process reporting/metrics and decision-making. (ITIL Continual Service Improvement 2011,
ITIL as a descriptive type of framework was not enough to be able to analyze the maturity of
the customer services without starting to build an assessment model from scratch, Microsoft
Operations Framework (MOF) as a more prescriptive operations framework was offering
example scenarios which could be used in the grading of the maturity. Microsoft (MS) could
offer an assessment model-template based upon MOF scenarios, and while MOF is ITIL ver.
3.0 2011 edition compliant, the customer agreed to use the MS template and working methods
from the MS maturity review as a base for developing a customized questionnaire. However,
MOF did not offer a scale for maturity as did not ITIL, but the template developed by MS
had solved this bringing in another dimension, by using the Core Infrastructure Optimization
Model (IOM). The IOM offers a measurement scale for maturity of Services, ranging from 1
to 4. This scale was better suited to be used instead of the ITIL suggested CMMI, which
would have measured repetitive actions variances, whereas IOM measures the service maturity.
The target in using these aforementioned frameworks was reflected in the final version of the
questionnaire. The questions were based upon ITIL, like incident management related questions, problem management questions etc. The answers were given according to the prescriptive scenarios provided by MOF, and the scaling and maturity analysis was adapted from the
Research Methods mix
The way the study used methods was a mixture of qualitative methods and quantitative methods. This was agreed upon to be able to not only express a hypothesis for the quality of the
Service, but there was also a need for collecting expressed opinions. At the same time there
was also a need for quantitative methods, since the answers should be measurable on a preset
scale. The structured questions with predefined answers steered the participants to answer
the questions with close-ended answers on structured questions. Only when the participants
had already answered with a close-ended answer, did they additionally have the possibility to
clarify their thinking by expressing their opinion in free form. The way the methods are used
are more closely explained in the empirical part, where the questions and predefined answers
are presented.
A couple of words for those not that familiar with the differences between qualitative research
and quantitative research is needed. A qualitative research mainly tries to answer to questions
like why, what kind of, and how. Qualitative research helps to understand the target setting,
and the corresponding phenomena. The results of qualitative research aim at presenting a holistic view of the study object, and showing cause and effect relationships. At its most general
form qualitative research might be only a non-numeral way of description. (Tilastokeskus,
The way of working with qualitative research may vary largely, like doing interviews, or simply
observing the study target. The results are not quantifiable, but more relying on interpretation.
Quantitative research relies upon verifiable data. Often quantitative research is bases upon
large quantities that are analyzed. The structure of the data is well defined and typically based
upon a theory or like in this study frameworks. High level of reliability is a requirement, and
the hypothesis can be tested. (Tilastokeskus, 2015).
Sample width
To get a comprehensive sample to the research, representatives for 32 different IT Services
participated. The questionnaire consisted of altogether forty questions representing, the three
lifecycle phases of IT Services with ten (10) questions each, and additionally ten (10) questions
about the Management of Services. The answers were given as numerical values of maturity
on a scale from one (1) to four (4) as set for maturity levels of the Infrastructure Operating
(IO) Model. Each question represented a specific scenario, which could or could not be typical in the target organization. To get a comprehensive sample of the IT Services participating
in the research the target organization was agreed to be the customer’s complete IT organization. At the starting point of the research the customer had 476 different active IT Services,
and because of this amount it has been agreed that the Customer would assign one business
representative who would choose the most important services that should participate
Research time-schedule
The research for the customer was agreed upon during December 2013. Planning and Development of the assessment material was done during January and February 2014. The actual
research interviews were held during the first half of the Year 2014 after the development of
the assessment methodology, assessment website, and assessment time schedule were finished
in the end of February. The final results of the assessment were presented in August 2014.
The study is based upon the results of the assessment, and is a post-mortem deep analysis of
the outcomes of the assessment project.
How to eat an elephant, or how to understand how a Corporation IT is doing?
The target Corporation of the Research
The target Corporation is a major multinational player in its field. The IT Department of the
Corporation has evolved, from originally being a silo approach with local IT personnel working on local solutions, towards a centralized well defined added value driven separate organization. The IT in the Corporation has in the past been seen as a core enabler of competitive
advantage. This has resulted in IT solutions having widely been used for solving various
problems, resulting in a high level of automation, including a highly developed DemandSupply chain, from sub-suppliers, through hub-suppliers all the way to the automated tools for
sales forecasting of resellers. Due to various changes in the market for the products of the
Corporation, major changes in Corporation Strategy, the sales of an entire division due to the
strategy change, and general recession, the Corporation in 2013 did a decision to cut costs for
IT. The cost savings were done by competitive tendering of the current outsourced services
with current vendors against other vendors, but also by implementing the new aggressive costcutting outsourcing strategy to services which earlier had not been outsourced.
As a result of the new strategy the IT Department worked heavily with outsourcing efforts
during the end of year 2012, but also largely during the year 2013. After these efforts, especially the outsourcing of services which earlier not had been outsourced, the team responsible
for IT Service Management, felt the quality of services was endangered, and the management
of the IT Service Management Team decided to try to get done an audit or at least an assessment of the current quality of IT Services provided to business. After some negotiations with
some partners and other vendors, the IT department realized there was already existing
agreements with Microsoft Premier Services that could be utilized, for the purpose and an
assessment project was scoped.
The assessment project would produce the needed input for maturing the services provided.
The biggest areas of interest were the operational phase of the lifecycle, while the outsourcing
efforts were targeted at finding savings in support and maintenance costs of services.
The core structure created for the research was the survey. The survey was based on a survey
originally developed by Microsoft, namely a Proactive Services Maturity Review (PSMR). This
survey template was refurbished and altered to suit the needs of the customer. Due to the
geographically divided structure of the customer organization, the survey was done using two
different techniques. The main method was a structured interview with formal 40 questions
divided according to Service Management areas. The survey was divided into four areas,
to evaluate the use of best practices at the customer for IT Service Management. T h e
s u r v e y w a s structured to handle all the phases of an IT service lifecycle, with an emphasis
on the operations phase. The main framework to evaluate the maturity of the customer
ITSM was the Microsoft Operations Framework (MOF) with its phase-structure. Each of
the MOF phases describe industry good practices taking into consideration
(ITIL/MOF/ISO20000), how the good practises for management of an IT service throughout its lifecycle had been implemented. The maturity levels for these phases was evaluated
using the maturity levels defined in the Microsoft Infrastructure Optimization (IO) Maturity
Model (see Figure 11 for maturity definitions).
Infrastructure Optimization (IO) Levels
Non-existent or
Processes are
IT Processes are
IT is strategic
unforced, manual and
centralized and are
partner of Business.
localized IT
enforced. More
Organization is
Business is involved
processes. Overall
insight in health and
focused on IT
in the IT processes.
health of IT is
costs of IT
Services. Business is
IT Services are part
unknown/unclear or
clearly represented by
of Business Services.
IT Staff (e.g. Service
IT is strategic Asset.
Manager). There is
alignment between
IT Services and
Business Services.
Figure 11: Infrastructure Optimization (IO) Levels.
Using Microsoft Operations Framework as the main framework
Working for Microsoft, MOF was readily available, and free of cost to use, and hence was the
preferred framework structure for the research questionnaire. Still the main purpose was not
to have the discussion be about MOF or any other framework. The questions of the
questionnaire were not supposed to steer towards a theoretical discussion around frameworks,
but instead be a tool to be used to facilitate a discussion around how the customer different
services were running their IT and Service Management functions.
Facilitating the assessment discussions
At the pre-engagement meetings one of the important decision concerning participants, was
that the value of the assessment discussions was seen to increase if many of the recommended
attendees attended the session at the same time. As a result of this the most important
stakeholders for each service to be assessed were decided to be interviewed, and so core
stakeholders for each evaluated service were asked to participate in the engagement sessions to
answer to the survey. By having as many as possible of the stakeholders’ present, the
assessment was able to develop an educated comprehensive opinion of the maturity of the
services. At the same time a common understanding of what the possible issues were, and
what should be done to solve the issues, was typically discussed. As a result, the survey often
pinpointed improvement points, by expressing them as alternatives answers.
Best past, current, and desired maturity levels
To be able to get a better perspective to the services maturity, some changes in the Assessment method was needed. The MS developed method of asking for evaluations of the current
status and what would be the desired level of maturity was by the customer not seen as good
enough. Consequently, the assessment model was enhanced with a third question of what had
been the maturity in the foreseeable past. The expression foreseeable was used, since continuous changes had created many different places in time which could have affected the maturity. The outer limits of foreseeable were defined as three years, so either three years in the past
or three years in the future. The IT department had in the past used a rolling fifteen-month
planning model, and so most service representatives used 15 months as the time period for
foreseeable past or future.
IO-Core maturity levels
The maturity assessment was using the IO-Core maturity level scale: Basic, Standardized,
Rationalized and Dynamic. Current and desired maturity levels are determined based on how
the customer responds to the survey questions.
Microsoft Operating Framework is according to Microsoft encompassing all of the activities
and processes involved in managing an IT service through the entire lifecycle: its conception,
development, operation, maintenance, and—ultimately—its retirement. To analyze the
Services holistically, not only the Operational phase, but also getting a grip of the surrounding
reality of the services, using MOF was seen as beneficial.
Figure 12: Maturity levels and questions in the Maturity Review.
However, to be able to have the participants in the assessment sessions to focus the discussion
on the scenarios presented, in the past, in current time, and in the preferable future, the
maturity levels were not specifically called out.
Commenting outside of the predefined question-answer units
For some areas, the customer service representatives were not expected to feel any one of
the four possible responses to the survey questions sufficiently describing their situation. For
those scenarios the service representatives were told that a roughly right answer was the right
one, where’s a precise answer lacking something was wrong, and asked to choose the response
that best described their situation and then comment in free form to the response using the
Comments field.
The assessment questions theoretical basis
The questions were divided into four areas according to the phases of the MOF Framework,
including the management layer. In each phase questions were pinpointing at some specific
work sub process, with an aim to show what has been, what is now, and where should the
customer IT be.
The Analysis of handling Services in The Plan Phase of IT Services
According to Microsoft Operations Framework, planning is the key to a successful implementation of Services. The planning success is constructed by defining Service Management
Functions (SMF), that define the good practice for this phase. The key structure for the
study in planning, was about analysing how well planning of IT functions was performed together with business
According to MOF (MOF Plan overview, 2008) Business should get IT Services from IT that
are reliable, compliant, and cost-effective and that continuously adapt to the constantly
changing needs of the business. The Plan Phase is where business and IT should work as
partners to determine how IT will be focused to deliver added-value services that enable the
organization to succeed. For the target corporation, due to the outsourcing and
reorganization efforts done, the functionality of planning was not clear, and needed to be
In the study, the following things were measured:
How well was IT Services understanding the business strategy and requirements?
How did the current IT services support the business?
How does business know what services are available?
How does IT plan prioritizations and take pre-emptive actions by using Portfolio Management?
What best describes how capacity management of IT service currently is done?
How is Disaster recovery and Business Continuity taken into account in planning?
How well does the strategy plan security and IT service reliability?
How well does IT understand what policy requirements exist and how they impact the IT
How is IT funded: Yearly, monthly, upon consumption?
Strategy and IT
Analyzing the co-operation between business and IT, by asking for the business strategy and
requirements, gives a good picture of the perceived maturity of the IT. If IT is showing a
clear own strategy, which is aligned with the Business Strategy, the co-operation model exists.
If the IT Organization does not have a formal documented IT strategy, and the IT strategy
and the goals for IT is not aligned with Business, this is a clear indication of that the service
maturity is low.
In the other extreme, assessing the existence of Strategy, is that a clear strategy is defined, metrics for measurement of the IT initiatives have been defined and the benefits realization of the
business objectives and business case are defined. That is according to MOF a mature organization what comes to planning (MOF Overview, 2008).
The answer revealed that the current status was perceived as 1.85 on the scale from 1 to 4.
The situation for planning and co-operation had not been better during the last three years,
showing a slight increase in co-operation when the best past state in average was 1.78. The
difference was small, in comparison to the expressed wish of what the situation should be if
the alignment would be done according to the Stakeholder wishes: The desired level of Cooperation was a clear 3, which means a clear 1.15 level discrepancy between current and desired. On the IO Maturity ladder, 1.85 equals to ability to grasp the entity and providing an
almost standardized service, whereas level 3 equals to organizational maturity which by clear
communication and know-how is able to do optimization of the services and hence effectively
provide better added value for the money spent.
Supporting Business with IT
The question which is essential for any existence of IT is if it is able to provide added value by
providing IT services that really are aligned with business needs? IT Organizations which are
not mature do provide only basic technology according to basic local wishes, where a mature
IT organization provides the users with a maintained catalog of all services which is fully up to
date. This catalog is integrated with the Service Desk software solutions and regular catalog
maintenance and addition of new services is defined. By defining a clear Service Catalog, the
IT Organization is handling expectation management. Service Level Management is also automated where possible, and all Services service level measurement can be read from real time
The answers for business alignment were in line with the answers for the strategy alignment.
The difference between current and desired state were 0.9 levels with a current level of 2.5 and
desired level of 3.4. This time there was a slight difference between the current and the best
past in favor of the current: The best past in business support had been 0.1 levels higher in the
How does business know what services are available?
Both MOF and ITIL describe the usage of Service Catalogues as crucial for expectation management. Measuring how the stakeholder communications is done what comes to services
measures the ratio between IT Tactics (Parts of organization) and real IT Strategy (Organization wide). At its lowest some areas might be run with only operational tasks planned. The
interesting question is how the stakeholders see their service published to customers via a Service Portfolio, and is it expressing not only current services, but also planned services, as well
as services that are in development or have been retired? Organizations do need to prioritize
their actions due to scarce resources. During the assessments several time the same question
was presented: If users do not know a service exist, does the service then actually exist?
Planning of the functions through a centralized Portfolio Management function is according
to ITIL and MOF good practice. The assessment needed to analyze how the IT plan, handle
projects and prepare prioritizations and take pre-emptive actions where needed? The immature level in the assessment assumed that services existed independently in silos with no integration to the larger entity whereas the mature solution in the assessment was assuming that
an up to date service portfolio exists and is integrated with the current Service Catalogue. In
the mature level the Portfolio was assumed to offer a view to the whole lifecycle of services
describing new services planned, starting with ideas, through projects phase, to services in
their end of lifecycle. A Service Portfolio is this context should be used by the IT Management, and giving a full picture of the current IT being provided. A holistic Service Catalogue
and Portfolio Management also should reduce the risk for reduces duplication of similar IT
services, and lead to adoption of larger integration of common technologies.
The assessment results showed that the Portfolio Management process had been working
better in the past, with a 10% level drop to 2,3 from 2.55 best past. Also the information was
said not to be accurate, since some of the services expressed that the answer only could be a
guestimate, due to not having new updated information since last organizational change,
which had happened one year back. Again, the desired level showed a clear wish from service
representatives to be able to produce better management with a desired level Portfolio Management of 3.3.
How is capacity management of IT services currently done?
The mature level of capacity and performance requirements shows a process which identifies
current needs but also plans for future needs. This level of maturity at the organization also
should show consistent requirement handling, which should be documented in a capacity
plan. The capacity usage should be monitored; pre-emptive automation should be in place
with automatically triggered warnings before capacity shortcomings. Capacity issues should be
remediated proactively based on monitoring trends and future capacity should be planned and
adjusted in alignment with the IT strategy and portfolio plan.
Looking at the results, the comment expressed by several services stakeholders whose services
had outsourced hosting was that capacity planning in the current situation after the reorganization was difficult to do. The biggest obstacle was according the stakeholders that the current
Indian partner providing the hosting services did not provide accurate information of the status of the hosted environment. Business was giving requirements for Servers, mainly about
reactive measures, at least what came to the outsourcing partner, but the IT Service Management responsible for the service got little answers from the hosting partner. Many answered;
A strong -1 current. Still looking at the numbers, according to answers, capacity planning had
matured a lot before the outsourcing, so the current situation was 2.37 whereas the past had
been only 1.77 three years back. The desired state again, was no surprise, showed a desire to
mature a complete level to 3.4.
How should Disaster Recovery (DR) and Business Continuity (BC) be taken into account in planning?
The question in the assessment was trying to find an answer to the way the IT Department
was doing disaster recovery planning for IT services. A mature solution was agreed to include
that a disaster recovery plan has been defined, and also the overall business continuity plan has
been defined. This plan should be approved by IT and the business, and it should be supporting the IT Strategy. The critical system backups should be stored off-site; and it should be
clear what services need to be restored in the 1st 24, 48 and 72 hours if a disaster happens.
The plan should also include alternate work locations; alternate procedures should be documented, and disaster recovery procedures should be reviewed and tested.
In the assessment it was discovered that there was a large discrepancy between services. At
some services disaster recovery procedures were not known by the Service Managers. The
Service Managers were expressing that they should be informed of what they can do: At least
something! In other cases, the services representatives did know exactly what should happen,
and explained that All tests are not done, but all procedures are anyhow in place. Looking at
the numbers, the awareness of what DS meant, had increased slightly from the past being at a
level 2.46, whereas in the best past it had been 2.27. This equals to an increase of roughly 10%
in implementation of DS and BC.
How well does the strategic planning plan security and IT service reliability?
A well-defined strategy includes automated functions, where unauthorized access/security
breaches trigger response procedures. The services security should be audited within set repetitive intervals. In case of a security breach or file corruption one should be able restore critical
files or have them safely located. Security related patching should be done according to vendor
recommendations taking into consideration protection against vulnerabilities and confidentiality should be planned according to business and regulatory requirements.
Looking at the answers from the stakeholders of some services, expressed that there is not
quality reporting in place, so evaluation of the current situation is unclear. What is missing, is
that prioritizing has been so heavy that patching is not currently functioning. There is not
enough of resources to guarantee that there are necessary steps taken. The numbers of the
assessment do not support the expressed opinion for the entity with a current level 2.59 and
best past as 2.44. Still, you cannot say the services are safe, because security is only as functioning as the weakest spot and if some services are not patched according to recommendations, security breaches can actualize. This a clear risk for all services.
How are IT policies planned and used?
An immature environment could in the study alternative answers be recognised from that
there might be some IT policies but users and support staff are not necessary aware of them
due to missing communications, or the policies are implemented in a decentralized way in
silos. Clear ownership is typically missing. In a mature environment again the study was expecting that IT policies are handled in a centralized way. Communication is done according to
set intervals, the policies also have clear ownership and are based on co-operation with business expressing regulatory and business guidelines. The free form answers expressed that
business should decide to promote centralization. Centralization of policies does not currently
exist, knowledge may exist, but it is not centralized and if a level change is to be done, centralization needs to be done. The corporation IT policies, according to another service were said
to be 5 years old, and after the last reorganization a half year back, the service representatives
did not know what policies were to be used. This was seen as a business Action Point.
Looking at the numbers there was not any significant difference between current and best
past, with a current at 2.47. Desired level, as also expressed in free form answers was at a one
complete level higher with 3.4. As policies ensure that IT and business users are clear on
what is and is not acceptable use, this again is an action point for the IT Department of the
Corporation assessed.
How is IT funded: Yearly, monthly, upon consumption?
Typical for a mature IT department is that financial Management is done. The Business Cases
are evaluated well in advance, during the deliver phase while project work is done, and finally
the business benefits are evaluated against the knowledge of how much IT costs to run.
Financial Management is simply put that IT knows the cost of provision of services. Typically, there are two main ways of funding IT: One where the business pays a percentage of total
budget for IT, or secondly a more active full or part Financial Management, where services are
charged upon consumption. Knowing the Business Case and the cost of IT delivering e service, means that IT can provide added value creation back to the business.
The IT Department answers showed that the level of maturity varied a lot, and in general was
seen as immature. One service answered that the actual level is 0. After the last reorganization
the services themselves could not get the cost information for DBs HW, Backups. The service
only knew the cost of licenses. There also was a clear drop in financial management maturity
according to numbers. The current level was a 2.1, where it in the past had been 2.55. That
result equals to a full 20 % drop in financial management maturity. Naturally the service representatives did want the situation to get better and expressed the desired state to be 2.9.
The Analysis of handling Services in the Deliver Phase
One can think of the IT service lifecycle as a continuum that begins with the efforts of IT to
understand the services that the business needs and ends with those services operating in a
production environment. As MOF describes the Deliver phase, in this continuum, the Deliver
Phase is the part where the services are planned, designed, built, and deployed. In the target
corporation, the deliver phase has often been handled by external third party vendors, integrators etc. For this reason, analyzing the steering of the deliver phase was seen as extremely
important. As the IT Department used a standard lifecycle approach to implement projects,
releases, changes in general and so forth, the change management process was of large interest. Also, projects, done by external resources, cannot succeed if the initiation of projects is
not done with proper requirements, scheduling and scoping. Therefore, some emphasis was
put on analyzing how requirements handling is done. In general, the Deliver Phase is a crucial
step where various kinds of functions, like infrastructure projects, software projects or deployment of packaged products are planned, designed, built, and deployed. And to repeat the
most important, the Deliver Phase is the process through which any change must go, standard, large or small (Deliver overview, 2008, p.6).
The questions in the assessment that were used to be able to analyze the maturity of the steps
done at the customer were looking at:
How well is the IT Services organization able to initiate projects?
How have the solution requirements been created?
How does the organization measure that the planning before a project is started is sufficient?
What kind of operational requirements are taken into account in project planning?
What kind of testing is done of changes before actual deployment into production?
Does the organization see pilot testing as beneficial?
What kind of a release process is used for changes?
How are major releases approvals handled before deployment?
Does the Service use a process which includes a formal signoff?
How does the transition of new solutions from development to operations happen?
The foundation for functioning services is according to MOF done in the Deliver phase.
How well is the IT Services organization initiating projects?
The scale for immaturity versus maturity of initiating projects was in the assessment set to
variants from the scenario where projects might be initiated from almost any starting point
and there in practice is no initiation process to the other extreme, where projects are based on
well-defined requirements handling and projects cannot be initiated without being a part of
the strategic planning process for the business.
The average answer for the question was 2.5, but remarkable was the huge dispersion between
answers. I think it is too embarrassing to say, but -1, was the comment from one service
stakeholder group, whereas some services reported that their planning is fully strategically
aligned and, hence, valued as 4. Also some clear resistance to processes could be recognized,
where the answer for one stakeholder group was: If we create processes, each hour that we
use for some process, means increased time before the customer gets the advance out of the
product. This is a typical answer from an immature organization, so within the IT Department there could be found all levels of maturity.
The desired state was however clearly stated to be a reassuring whole level higher being 3.53.
That there still where services where stakeholders did not want any process improvements and
no increased maturity tells that there is a need to implement a IT Department wide reinforcement of compulsory processes in project delivery and trainings for those processes, because it
also was expressed by one service that in the current situation it was difficult to initiate a project when there was no clear information of what was expected.
How have the solution requirements been created?
The solution requirements maturity, preceding initiation of a project, was seen to be on level
2.15, with no clear difference from best past (2.1). Again a clear statement from the services
representatives was that the desired level should be more than one level higher with desired
level as 3.3. Remarkable was though that 20 % of the services evaluated the requirement handling to be only of basic level: Scope Creep was evaluated to be common, and requirement
handling was evaluated to not be done in a very systematic way.
Is measuring, that planning before a project is started, sufficient?
Measurement of project planning maturity sufficiency was measured on a scale where basic
level was the situation where projects just seemed to progress on their own, to the other extreme, where well planned model where advancement was reviewed against the agreed project
charter at each corporate widely agreed predefined process milestone. The requirements evaluation criteria in the mature organization was seen coming out of a portfolio management
review and the strategic plan. Resources at a high maturity level should be committed only to
strategic projects that are functioning according to set KPIs. Reviews should also be performed consistently to ensure alignment of resources, schedules and requirements across the
portfolio of projects. The maturity of projects requirements was evaluated to be 2.3 with no
clear change in the results from the past. The desired state was again a complete level higher
ending at 3.3. The answers by Service Managers expressed that the amount of resources for
this kind of work was very limited, so practice was lagging due to lacking resources. Also there
was a clear difference between projects operating in an agile model. and traditional waterfall
projects. Agile projects referred to the Agile methodology, which bases resource commitment
on priority of task list (product backlog), whereas older services projects expressed that the
first point for checking the requirement maturity situation was in meetings that was held only
after the project had started.
What kind of operational requirements was taken into account in project
The mature solution was expected to be one where operational requirements were based on
SLA targets and standard operations plan that existed were updated and included in the project. The immature version of operational requirements was as one respondent explained it:
Business simply says: Use enough hardware. The results revealed that the maturity of the operational requirements were of a level of 2.25. The situation had been even worse before, but
still was seen as inadequate, and the desired level was 3.21. According to answering Service
Managers, there was a clear problem in trying to influence this maturity, since the new operator of the Operational Services was withholding information needed and the adequate information needed could due to this not be acquired.
What kind of testing is done and what about pilot testing?
What kind of testing is done of changes before actual deployment into production and is pilot
testing seen as beneficial? For a project to show a mature level of functionality testing of all
changes before being deployed to production was seen as compulsory. Integrated, operational
and performance testing was all seen to be necessary either in a test environment modelling
the production environment or an equivalent. The test environment was expected to be maintained under change control and automation was supposed to be built into testing as much as
possible. At a current level of 2.47 the testing was seen as being at an “OK”- level, as one
respondent expressed. The trend was expressed to be that small changes was developed by
development, and if basic testing was successful, instead of larger testing, roll-back possibility
was secured, and so new features were not tested in QA, but were directly implemented in
production. Pilot testing again had been implemented only in select projects, when there had
been major technical questions which could be tested by piloting.
What kind of a release process is used for changes when a service is mature?
Assessing the release process is one of the milestone values for any project management
methodology. In a well-defined IT organization, it was seen that releases of projects should be
consistently and formally managed using an established process. Risk should be avoided by
bundling changes to minimize the rate of change in the operational environment. At the same
time a sign of a mature operation was seen to be how proactively reviews of the overall IT
plan was done and how other sources of upcoming changes was identified. The results were
showing that the IT Services were able to receive changes at a well standardized level of 2.56
and in major releases the level was 2.68. The trend was upwards, with best past at 2.3 and desired state at 3.4.
Is a process which includes a formal signoff utilized?
In the study the maturity was evaluated also by looking how a formal signoff was acquired
from business. In a mature environment the value of a formal acceptance signoff is understood. The signoff should be consistently obtained when a new IT service is deployed and by
that the IT organization gets a validation of that the project has delivered the requirements of
the functional specification. Good practice is also to do a post mortem review and capture the
learnings from the project. The results of the assessment again showed the general maturity
level of the delivery phase maturity as being of standardized level, and no clear changes in
maturity during the last years with best past and current level being 2.2, whereas desired state
was 3.4.
How should the transition of new solutions from development to operations happen in a mature organization?
A well-defined IT Organization uses a formal process for transitioning the solution from the
project team to the organization responsible of doing the operations. This process should be
well established and consistently followed. The results, once expressed that the IT Organization was not very successful operating even at a standardized level. The best past results had
been 1.88, and current was at level 1.96. The desired level showed a huge discrepancy in being
3.4. The reason for the IT Organizations not being able to produce high maturity handovers
was explained by the assessment participants by expressing that the Change Advisory Board
function (CAB) was functioning well, but the formal handover was not being used because
everybody was constantly in a hurry. As this also is the phase when the solution should be
stabilized the services representatives expressed a need to work on this area.
The Analysis of handling the Services in the Operate Phase of Services
According to MOF, the Operate Phase of the IT service lifecycle represents the culmination
of the two phases preceding it. The Operate Phase is in the center of this study, showing the
IT department output and maturity. It focuses on what to managing the services after the
services are in place. While the Plan Phase focuses on how to determine the business’s needs
for IT services, and the Deliver Phase focuses on how to design, plan, build, and deploy those
services, the Operate phase is, in effect, the state for the IT environment in which IT services
prove their Business Case (Operate overview 2008, p.5)
The following areas were analyzed as a part of the Operate phase assessment:
How is the service able to handle day-to-day operations?
Is information, like operation recommendations, provided by vendors, used?
What is monitored in Operations?
How is monitoring tools utilized for monitoring SLA and OLA targets?
How well defined is the Incident Management Process?
How well have incident escalations been defined?
How have knowledge management been done at Operations?
How is the staff trained to be able to do what is required from them?
What does the Problem Management process for the service look like?
How much was the service using defined KPIs and taking into account Critical Success
How is the service able to handle day-to-day operations?
The IT Operations must understand what tasks should be performed, and how, to successfully maintain and operate an IT service. This covers all activities might they be daily, weekly,
monthly or ad-hoc. The mature Operations organization identifies all tasks imposed by SLAs
and OLAs. The organization is also able to do tracking of task execution and aims at continuous optimization and seeing for opportunities to automate. According to the respondents the
current situation is far from optimal. There is a day to day problem with the new Operator
doing the stuff, not reporting adequately so some of the respondents had no visibility whatsoever to how the Services were doing, and that was combined with that there was a day to day
problem when it has not been expressed what the new Operator really was responsible for.
Due to the problems with the new Operator some of the most critical services have been internalized back to the original internal service owner, which could be from the results of this
question current being 2.5 best past being more than 10 % lower (2.27), and the comments
from respondents being critical.
Is information, like operation recommendations, provided by vendors,
Vendors typically provide recommendations and best practices that should be followed to
maintain the reliability and security of critical IT services. Regular IT Software Updates Management (SUM) and service maintenance maximises service stability, reliability and availability.
In a mature environment regular SUM activities are taken into account and needed changes to
follow the SUM process are reviewed and consulted with vendor before implementation. Also
Risk Assessment Program (RAP) assessments or similar are regularly done. Again, no surprises, current situation is 2.25, best past state has been even worse being 2, and the desired state
is above 3. Remarkable was that six services evaluated that no recommendations or best practises were used by their service. Partly the evaluations also are guestimates, based on agreements, due to that the respondents did express that it was difficult to get information from the
current environment hosting provider, even though there was an expressed wish to get information. The SUM Process was seen as important, but the current situation was expressed as
complicated as the update handling, monitoring and backup-handling was among the outsourced functions, and the possibility to influence the process was perceived to be small.
What is monitored in Operations?
A mature organization understands that monitoring is a backbone of all functions. For service
to be able to understand and react the best services have a correlated automated monitoring
solution. The Service can then use the established monitoring function in real time with realtime service dashboards. The answers expressed that there was no proof on functionality in
current situation. The services did not currently know: The visibility to the new hosting provider was missing! The answers, which were evaluated as 2.9 for the entity for current were
based on agreements, not proof of functionality.
How is monitoring tools utilized for monitoring SLA and OLA targets?
For IT to serve Business according to what is beneficial it is of outmost importance to align
IT service monitoring with relevant OLA & SLA targets. Otherwise there is no way to prove
that services are provide according to customer expectations. A mature solution was seen as
an online dashboard solution. The results of the assessments were according to the respondents an educated guess, since they did not get a holistic report of current monitoring. There
was also a gap between Hosting supplier and IT, and a gap created by a tool which was not
calculating according to SLA: s and OLA: s. There was also no information available what
happens to the tickets that had been issued. The numeral result for this evaluation as a guestimate was 2.09, but reality was thought to be worse. According to the original maturity review
developed by Microsoft a scenario where information is not known is automatically concluded
as a result 1, or no maturity at all.
How well defined is the Incident Management Process?
Incident Management is simply put the backbone of all Help Desk activities together with
Service Requests. A well-functioning Service Desk (SD) should be the Single Point of Contact
(SPOC). The SD should consistently log all incidents; use defined models for support for all
services and prioritized incidents resolution according to SLA targets. Not surprising, while
there was no information available from the hosting vendor of ticket resolution times the current situation was evaluated as 2.43, best past as 2.33, and desired level above three with the
result 3.18. However, some services representatives also answered that SD usage is not consistent, and incidents are handled bypassing SD, the maturity level cannot be evaluated to be
higher than basic level 2.
How well have incident escalations been defined?
The true measurement of a SD is the ability to escalate incidents in a timely accurate manner.
The ability to escalate shows the readiness of Continual Service improvement. Case escalation
and severity should in a mature environment be reviewed with the business in relation to
agreed SLAs. The findings for several services was that there was no 1st-3rd ties support
structure: All incidents were handled by the same team, and same person were handling incidents, escalations and even problems. For the better organised services, the case escalations
were automatically triggered when cases reached an agreed age or when cases changed severity. This still equalled to a low maturity and so was the average for answers for current situation: 1.90. Again the best past was still not seen as better than the current situation, so best
past was evaluated to 1.83.
How has knowledge management been done at Operations?
In a mature organization the SD can rely upon a knowledge base which is indexed and searchable. The knowledge is constantly upgraded by users, and the knowledge base owner oversees
the process to improve quality, accuracy and relevance of the answers. In a mature environment business and IT work together to define and review the knowledge and have developed
a common strategy for each supported service. In a well-developed SD Knowledge management solution self-service capabilities for customers are consistently being developed. For the
IT Organization studied the current situation was evaluated as really low 1.78, the best past
had been a bit better 1.88, and finally the desired situation was evaluated as 2.78, so even as
low, still one complete level higher.
How is the staff trained to be able to do what is required from them?
Nothing in IT is as persistent as change is. IT justifies itself during change, and to be able to
do so training for IT staff needs to be frequent, and a priority Human Resource (HR) task of
an efficient company. These trainings do not necessarily need to be formal training accreditations, but HR and IT should ensure that trainings are aligned to new services needs as well as
maintaining the skills required to ensure optimal customer service outcomes. To assure a successful end result, the changes caused by the outsourcing should have been supported by appropriate trainings for that part of the personnel that was reallocated. According to the answers given, training had been on level 2 in the past, had dropped to 1.85, but was eagerly
awaited by people expressing the desired level to be at level 3. A drop in the level of trainings,
provided by Management to personnel during change, is a clear sign of bad change management know-how. Failure to train people during larger changes, causes uncertainty and brain
drain, and in the long run escalates a dissolving knowledge creation spiral. According to the
ADKAR model (Hiatt, 2006, Kindle Locations 478-479). There are four factors that should be
taken into account while implementing change:
The current knowledge base of an individual
The capacity or capability of this person to gain additional knowledge
The resources available for education and training
The access to, or existence of, the required knowledge
The study reveals that the change management had not been done in a way that would support long term targets, since the outsourcing efforts, did not provide the needed trainings to
maintain the old level of knowhow.
What does the Problem Management process for the services look like?
Problem Management is according to ITIL (Service Operation 2011, p.97) making sure that
IT Problem management takes care of the activities required to diagnose the root cause of
incidents and to determine the resolution to those problems. Problem Management is also
responsible for ensuring that the problem resolution is implemented according to appropriate
control procedures. The most important continuation of Problem Management is the change
management and release and deployment management for the problem resolution. Problem
Management should take a deeper look at recurring incident issues, and repeat problems to
ensure that underlying root cause is addressed and remediated against.
The resolution should according to ITIL (Service Operation 2011, p.97) also take care of that
the information about problems and the appropriate workarounds and resolutions is maintained, so that the IT organization is able not only recognise, but also reduce the number and
impact of incidents over time. In this area, problem management needs to influence
knowledge management routines and processes. Tools such as the Known Error Database
(KEDB) should be used for both. In a mature operation one should also understand that even
though incident and problem management are separate Service Operation phase processes,
they are closely related and will typically support each other by using a similar kind of parts of
the process like incident/problem categorization, incident/problem impact and incident/problem priority. The aligned processes would help to achieve larger common understanding when communicating about related incidents and problems.
A mature problem management process is also divided into reactive and proactive aspects.
Reactive problem management is a continuation of by trying to solve problems in response to
incidents. Proactive problem management is closely related to Continual Service Improvement
trying to identify and solve problems and known errors before further incidents related occur
again. This kind of activity can be planned compared to incident driven impulse driven actions. The study showed that the IT Organization best past to have been low 1,83, current
situation had improved to 2,03, which is a 10% increase in problem management maturity,
and finally the desired state showed a clear understanding for the need of increased efforts in
the area of problem management with a desired level maturity of full one degree higher to
4.5.10 How much was the service using defined Key Performance Indicators
(KPIs) and taking into account Critical Success Factors (CSFs)?
For the Services to become more mature, IT needs to prioritize its own Continual Service
Improvement (CSI)Program. If this is not done, the quality of the service will not become
better, it might even deteriorate over time due to updates and other change operations. An
Operations Management Review is a good indicator of service maturity, and needs to be
scheduled regularly. Reviews ensure that IT is business aligned and is delivering what it needs
to deliver in the most efficient manner. Therefore, reviews should periodically be performed
to capture learnings and translate them into improvement suggestions, and in the end change
management tasks. The study showed all too little interest in using well defined KPIs and
CSFs with an average of only 1,61 in the past, a slight increase to the current situation with a
still low 1,78, and an understanding for that it would be beneficial with huge increase desire of
1.3 maturity step levels to the state of 3,09. If services are not able to provide well measured
services, they also cannot prove that they are beneficial, so the study shows a clear area for
The analysis of the Manage Layer of Services
The biggest overall question for ICT Governance is how the IT activity is coordinated and
governed? According to MOF one should look at what ultimately determines the way IT gets
work done.
At the IT Department studied, management was not sure how well services were managed,
which already put emphasis on this area of the study. Using the MOF Manage Layer structure,
the study could do research about how well the different parts of management functioned.
Special interest was laid upon how well decision making, risk management, and change
management processes were integrated and influencing each other. These processes occur
throughout the IT service lifecycle, and give the Service Management tact. Using the Manage
Layer view, the study, also did research in how consistent planning and delivering IT services
was at the IT Department, and could give some input as a basis for development and
operations of the IT services. (Manage Overview 2008:5).
The following areas were analyzed as a part of the Manage layer assessment:
What kind of Change Management strategy was the Service using?
Was the Service making differences between how different kind of changes were handled?
What did services think about standard changes?
What did the Service do with emergency changes?
How much was the Services utilizing change and configuration management tools?
How had Problem Management been defined and what was done?
Did the Service use the best practices by using the Corporation Service Request Catalogue
Was the Service using the Corporation concept of best practices for Support?
Was the Service using an Asset & Configuration Management Process?
What kind of Change Management strategy was the Service using?
As a continuance of the IT maintenance of services it is important that IT has defined and
uses a formal change control process, as unplanned changes are often the underlying reason
for downtime. ITIL (ITIL Service Operation 2011, p.227) expresses that personnel in service
operations should be involved in the assessment of all changes to ensure that operational issues are fully taken into account. ITIL continues the description of a good change management practise, by explaining that in a mature environment, the involvement of Operations
personnel should start as soon as possible, not just at the later stages of change just before
deployment to production.
Change Management is the process that should cover all changes done to production environments, and it is the process that should succeed any work done in the Problem Management process, and it is crucial for the Continual Service Improvement process. To the IT services of the Corporation studied, the Change Management Strategy was evaluated to in the
past have been pretty good: 2.44, the current situation even a lot better with 2,9 and a high
desired state of 3.59. Clearly there was an understanding of the importance of change management.
Was the Service making differences between how different kind of changes
were handled?
The operations teams or teams together with a Change Advisory Board (CAB) in mature services environment should provide look into the impact of changes before its implementation
in order to minimize the adverse impact of changes. It is crucial for changes to be assessed
against risk, impact, and also cost before approval. At this point before deployment at its latest
all relevant parties should be aware of the change decision and participating in the approval.
The study showed that different changes were handled on a best past level of 2,5, a better
current level of 2,62 and a desire to do it at a level of 3, 15. In the free answers it was however expressed that descriptions for what is the categorization of different cases (critical, major
etc.) was missing for some services. The Infrastructure CAB was in this case the only one existing CAB. A decision of when to use CAB had not been clearly stated. It was also stated
that the new outsourcing partner had even made changes to production without asking anybody. So the actual level of maturity varied largely in between services.
What did services think about standard changes?
Using a process model which includes “Standard Changes" as defined by ITIL predefined,
means that each new change may not necessarily have to go through the CAB process, as it is
pre-assessed. This will enable faster throughput of minor changes and will save resources. By
giving the authority to users like administrators and senior operators to making low level
changes that have predefined or acceptable levels of risk the organization can be more flexible.
The answers showed that the method of using standard changes to speed up functions was
not largely used with a best past or 1,72 a current with 1,93, but a wish to develop this way of
working with a desired level of 2,9.
What do the Services do with emergency changes?
To be able to recover rapidly it is important that IT has a baseline configuration. Emergency
changes can then be done and in case failure a failback to an earlier implementation can be
done. IT should always have a baseline where one can identify the desired state of services,
setup model or patching level. Change Control can then be applied in a controlled manner
managing all variances away from this baseline so that it is clear what the configuration should
be. The same methodology should in a mature environment be used both for server environments and desktops including desktop-images for fast implementation in case of need for
failover. The baseline should be counted as a CSF, and be monitored for divergence and CSI.
The services reported a best past to be 2,61, current to be 2,93 and the desired state to be a
high 3.51.
How much are the Services utilizing change and configuration management tools?
There are many reasons for utilizing Configuration Managements Systems (CMS). It should
however be a centralized effort planned in Service Transition as ITIL expresses it (ITIL Service Operation 2011, p. 229) since many ITSM tools, discovery functions and event monitoring tools, may require changes in the environments, like client/agent software deployments,
before they can be used. These efforts are environment intrusive and should be carefully
planned before any execution. It is also a recommendation of ITIL that implementation efforts of CMS to environments should be handled through formal release and deployment
management. Change Management toolsets for managing change (and therefore configuration) will still assist in saving time, increase consistency and can provide records of how requests for change have been handled and how Configuration Items (CIs) have changed over
time. In the study the Service representatives were pointing out that the IT needed to be able
to maintain also app information components, not only infra information as was the current
situation. It was also stated that the structure was not ideal with a 3rd party supplier, which
went outside of the SAAS idea to have integrated tools. The past maturity in this question was
seen as 2,44, current with a slight decrease with the 3r party supplier to 2,37, and a desire level
of 3,34.
How had Problem Management been defined and what was done?
Problem Management as a continuance of Incident Management escalations is an important
Service Management area, as discussed in the Operations Phase. From management point of
view, it was stated by some services that Problem Management process did not work in practice in the new environment with the new outsourcing partner, even though there was an old
process existing. However, on a maturity scale it was still stated that the best past had been
2.11 and current was better with 2,43, so the average perception by the service representatives
was that the situation was better than before. The desired state was expressed to be 3,34.
Did the Service use the best practices by using Knowledge Management
and the Corporation Service Request Catalogue structure?
In the study definition phase, the customer representatives wanted to define the Knowledge
Management (KM) Purpose according to following: The primary objective of the
“Knowledge Management" Process is to improve the quality of decision-making by enabling
reliable and relevant information availability during the service lifecycle. The KM should identify key knowledge capital for reuse within service. It also should submit knowledge capital
contribution to the knowledge management shared repository. Furthermore, the KM part
should do the review for new contribution content for active, archival, or delete mode. In
addition, KM work was to communicate new content upload to appropriate resources and
manage knowledge transfer. The service representatives saw the best past in the KM area to
have been 2,05, current to be 2,25, and desired level 3. It was stated that the new CMDB and
ticketing SAAS based tool (Service NOW), should be used for IT personnel but not necessarily for the end-user requests. The integrations to the internal systems were still not done, and
could prove a major problem for a deeper usage.
Was the Service using the Corporation concept of best practices for Support?
The Corporation had developed a Global Support Concept (GSC), which was in the implantation phase. The question was measuring how much service representatives did find the GSC
in use. The answers revealed that there was a problem using the concept, since the local Service Desk did not provide support for the GSC service, and so there was no support for end
customer for this service. The best past, which was defined as one year earlier when the service implantation had started was from the beginning at level 2, the current level was 2,4 and
the desired level 2,84.
Was the Service using an Asset & Configuration Management Process?
The question set was measuring how well the implantation of the Service NOW SAAS tool
had been done. According to the answers, there were some implantation problems. One major
issue was that the there was a need for enhancement in CMDB quality in general. The Configuration Items state was also poor: the Service representatives did know their CIs, and what
was right or wrong with them, but many of the CIs were currently incorrect, which was difficult to solve due to problems with the Service NOW tool. The evaluation of the usage told
that the best past state was 2,16, the current state had been improving to 2,68, and the desired
state was once more clearly higher at 3,46.
The questions
Taking a holistic three dimensional view, including the satisfaction, scope and also the time
perspective, of a Corporation level IT, is a major task. The methods defined by IT Governance Frameworks do help, but the realization and the value adding function of this work is up
to the individuals performing the work. In this study the goal was to answer the following
Q1: How had the service management been done at the customer in the past?
Q2: How was service management done at the customer currently?
Q2: How should service management be done at the customer in the future?
Q4: How should the maturity of service management be measured in the aforementioned time
Answering the first two questions revealed that Service Management in general in the past had
been on a standardized level with an average of 2.21. Current level of maturity was also on a
standardized level with an average of 2.35. The Service Representatives showed a clear wish to
develop and mature the Service Management work, and so the average for all future lifecycle
phases was 3.27 when combining all the lifecycle areas in the confidential result-spreadsheet
(Appendix 2). The actual answers to question 3 and 4 for how service management should be
done and measured in the future was embedded in the prescriptive answer-suggestions given
during the assessment. The confidential report also provided a list of suggestions to the customer (Appendix 1) for improvement, including issues and risks, to be evaluated for further
Well, what did this all mean? The average level shown by the answers of this study show that
there had been no clear decrease in IT Service Maturity due to the outsourcing efforts, actually
the contrary, the Services came out as more mature in the Service Management perspective
after the outsourcing had been done. There was no average decrease in the Services in the
overall lifecycle, nor the field of Operations, which was the area where the outsourcing was
most remarkable. An average result does however not tell the real story, but “The Devil lays in
the details”. The impact on maturity when measured with a quantitative method, was not as
big, as the perception of the change in maturity, when discussing with people who had been
involved with the outsourcing efforts. As a result, from the business perspective, one could
say that the outsourcing seemed to had been successful, since there was tangible savings in the
costs of IT services and the maturity entity did not seem to had been adversely affected.
The scaling
To understand the results of the research, and possible needed actions, it is necessary to explain more what the numbers in the evaluation grade from 1 to 4 indicate. How would one
easily be able to recognise what level an organization is at, and what are those levels?
The level 1 or the Silo-type maturity
In some parts of the IT department the research found very unorganized ways of running the
IT services, equaling level 1 in Service maturity. What is this level then?
If you can use one expression which would make the observer recognize basic maturity in
smaller entities, it would be finding the “Shy IT guy in the corner, hiding in his cubicle behind
his IT Manuals”. At the same time as this is our departments “own guy” who knows everything we need, he is a considerable risk for the business. The solutions might be based on
whatever and the solution maturity is solely dependent on his skillset. The next shy guy at the
next department works in a similar way, and so there might be no standards uniting the departments. This also means cooperation in between the departments and the organization as
an entity is difficult.
The level 2 or Standardized technology maturity level.
Major part of the answers given about the maturity of the IT Services current situation were at
this level of maturity in the research.
Simplified, one could say that this is the level of maturity where the IT specialists run the
House. IT has been standardized, people understand the benefits of common solutions, and
have taken care of that the IT Department is run in a technically well-defined way. At the
same time as standardization is well understood the work roles are defined according to IT
Application Know-how, not by a service centric thinking. On this level there easily is a mismatch between business and IT created due to that when the IT specialist run the IT show,
easily the business case and the customer is forgotten. When costs are rising due to misplaced
sources of interest and priorities, business might feel alienated from IT and badly served.
The level 3 or Optimization of solutions maturity level
If the IT Department is able to evolve and react by starting to think solution centric instead of
application centric, the maturity starts to steer the decisions towards more effective solutions
and continuous optimizations, which in turns if done right and not decreasing the servicequality to business, will increase business satisfaction. The Service representatives, interviewed
for the assessment representing the IT Department, in their choices for desired state, showed
a clear wish to develop the IT Services and Service Management in general to this level, but
the business strategy for IT had been changed not to exist, or as it had been expressed IT
should only support the Business strategy, not develop any own strategy or as was expressed:
“There is no direct IT Strategy, everything is based directly on the Business Requirements. All
applications are handled by business and all development was done as Scrum/Agile”. As
shown also in this Corporation hunting for savings optimization had made the company outsource their IT. The result, as typically is, was a minor saving, but a huge drop in know-how.
The level 4 or the Service Oriented Approach of maturity
This is the level where traditional Service Management reaches its optimal results and Service
Management based thinking is in the center. Clear signs of functioning 4-lvel maturity is well
defined SLAs, OLAs and UC-contracts. The personnel working with IT understand what a
Service centric approach means, and can operate according to that thinking contrary to IT
centric thinking and approach. Services are continuously evaluated, clear service portfolios
exist, and the whole lifecycle of services is aligned with business targets. Another clear signal
of the Service centric thinking is the scalability of services, increasing and decreasing services
are built into the service-structure, so capacity considerations are a breeze.
What was missing
The dissatisfaction amongst the Service representatives, and the expressed worries for the
future of the Services, revealed that the change management part including people in their
transit from technology centric work roles to service centric management roles had not been
supported. Decreasing possibilities to get trainings at the same time as new roles were imposed to many people was telling that there was lacking knowhow in how to do successful
Change Management for organizations like this. The failure could clearly be recognised in the
atmosphere and even though the Services as such were able to function as before, the trust
between parties had been eradicated. In the free discussion afterwards, several Service repre64
sentatives expressed their intention of leaving the company. One of the Service representatives even left at the end of the research period for an indeterminate period of time on a sick
leave due to a burnout.
The perception of trust, the change management efforts done while outsourcing, and the understanding of the meaning of knowledge creation as expressed by Nonaka & Takeuchi (1995)
in their SECI-model was not an agreed target to be studied in this study, but study of these
areas would have been extremely useful as there were clear signals of mistrust and a negative
SECI-spiral, with knowledge losses through employees leaving.
Future discussion above all grades: The Customer Centric Approach
This is the level which has not been established in the models used, but which is coming more
and more apparent in the new Customer centric world. In this future partnership between IT,
business and partners has been established through mutual trust. The customer centric approach differs from the Service centric approach or SOA by the level of automation: The IT
environment is highly automated. This also means that top level automation Know-how is
needed, but those roles are located at the third party or partner. The IT organization is the
orchestrator of services needed by the internal customers. IT is divided into commodities, and
added value-areas and the commodities are bought from outside. In some scenarios the combinatory combining different basic level services, like metadata for databases, and thus providing added value to the customers. At the same time, IT is not discussing services details anymore with the customers, but concentrating on the customer experience. This level of maturity is coming, due to customer demand. Simply put the IT Department of the future and people in IT concentrate partly on Service Management, buying service components, but more
importantly concentrating on value design combining these service components together with
At the point of finalizing the research, many of the Services of the IT Department depicted in
this study are been merged to a larger entity, and will cease to exist. The signals that were recognizable in the lack of interest of business to provide trainings to the IT people changing
roles and the lack of the IT Strategy, was a clear signal of the upcoming change. Also the representatives that ordered this assessment have since resigned, and so the benefits of this study
are not going to benefit the customer IT Organization anymore. Still, participating in the process without doubt benefitted the participants of the assessment, by the thought put into describing future requirements for IT professionals. The change hunting the added value is the
only thing that persists in IT.
Cabinet Office. 2011 edition. ITIL – Service Design. TSO London.
Cabinet Office. 2011 edition. ITIL – Continual Service Improvement. TSO London.
Cabinet Office. 2011 edition. ITIL – Service Operation. TSO London.
Cabinet Office. 2011 edition. ITIL – Service Strategy. TSO London.
Cabinet Office. 2011 edition. ITIL – Service Transition. TSO London.
CMMI History 2015. Available at: [Accessed 09.12.2015].
Figure 1: ITIL version 3.0, 2011 Enhanced. Available at: [Accessed
Figure 2: Request Fulfillment Process. Source: ITIL Service Operation 2011).
Figure 3: Problem Management Process. (Source: Orand and Villareal 2011).
Figure 4: MOF. Available at: [Accessed 15.03.2016].
Figure 5: Plan Phase. Source: MOF: Plan Overview (2008).
Figure 6: The Operate Phase. Source: (MOF Operate Overview 2011).
Figure 7: The Manage Layer. Source: (MOF Manage Overview 2011).
Figure 8: Core IO Model. Available at: [Accessed 15.03.2016].
Figure 9: Enterprise Architecture Model. Available at: CISR [Accessed 15.03.2016].
Figure 10: EAM Benefits. Source: Ross, J, W., Weill, P.; and Robertson, D, C., Enterprise
Architecture as Strategy 2006
Figure 11 – Infrastructure Optimization (IO) Source: Appendix 2, Company Internal report 2016
Figure 12: Maturity levels and questions in the Maturity Review. Source: MS Maturity Review
Delivery Guide 2014
Hiatt, J., 2006. ADKAR: A Model for Change in Business, Government and our Community.
Prosci Learning Center Publications. Kindle Edition.
History of ITIL 2015. Available at: [Accessed 20.12.2015].
History of ISACA 2015. Available at: [Accessed 18.12.2015].
Nonaka, I., and Takeuchi H., 1996. The Knowledge Creating Company, How Japanese Companies Create the Dynamics of Innovation, Oxford University Press, New York, USA
Orand, B., and Villareal J., 2011. Foundations of IT Service Management,,
Proactive IT Solutions, LLCPro, USA
Ross, J, W., Weill, P., and Robertson, D, C., 2006. Enterprise Architecture as Strategy, Creating a foundation for business execution. Harvard Business Press, USA
USC Libraries 2016. Available at: [Accessed 05.04.2016].
Service Integration and Management 2015. Available at: [Accessed 19.12.2015].
68 2015. IO Model, Available at: [Accessed 05.04.2016].
Tilastokeskus 2015. Available at: [Accessed
Software Engineering Institute 2012. CMMI. CMMI_DEV_vs1_2.pdf Available at: [Accessed 1.12.2015].
Soy, S, K., 1997. The case study as a research method. Available at: [Accessed 29.03.2015].
What is PDCA? 2015. Available at:
do-check-act [Accessed 15.03.2016].
Appendix 1. Company internal result spreadsheet (Confidential)
Appendix 2. Company internal report draft (confidential)
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF