5 ITIL management practices
Key Message: In ITIL, a management practice is a set of organizational resources designed for performing work or accomplishing an objective. The origins of the practices are as follows:
- General management practices have been adopted and adapted for service management from general business management domains.
- Service management practices have been developed in service management and ITSM industries.
- Technical management practices have been adapted from technology management domains for service management purposes by expanding or shifting their focus from technology solutions to IT services.
ITSM in the modern world: high-velocity service delivery
In business innovation and differentiation, speed to market is a key success factor. If an organization takes too long to implement a new business idea, it is likely to be done faster by someone else. Because of this, organizations have started demanding shorter time to market from their IT service providers.
For service providers that have always used modern technology, this has not been a big challenge. They have adopted modern ways of scaling their resources and established appropriate practices for project and product management, testing, integration, deployment, release, delivery, and support of IT services. These practices have been documented and have triggered the development of new IT management movements and practices, such as DevOps. However, for organizations bearing a legacy of old IT architectures and IT management practices focused on control and cost efficiency, the new business demand has introduced a greater challenge.
The high-velocity service delivery paradigm includes:
- focus on fast delivery of new and changed IT services to users
- continual analysis of feedback provided for IT services at every stage of their lifecycle
- agility in processing the feedback, giving rise to continual and fast improvement of IT services
- an end-to-end approach to the service lifecycle, from ideation, through creation and delivery, to consumption of services
- integration of product and service management practices
- digitalization of IT infrastructure and adoption of cloud computing
- extensive automation of the service delivery chain.
High-velocity service delivery influences all the practices of a service provider, including general management practices, service management practices, and technical management practices. For example, an organization aiming to deliver and improve its services faster than others needs to consider:
- Agile project management
- Agile financial management
- product-based organizational structure
- adaptive risk management, and audit and compliance management
- flexible architecture management
- specific architecture technology solutions, such as microservices
- complex partner and supplier environments
- continual monitoring of technology innovations and experimenting
- human-centred design
- infrastructure management focused on cloud computing.
Even if only some of the services in a provider’s portfolio need high-velocity delivery, organizational changes of a significant scale are required to enable this, especially if the organization has a legacy of low-velocity services, practices, and habits. Moreover, bi-modal IT, where high-velocity service management is combined with traditional practices, introduces even more complexity and greater challenges. However, for many modern organizations, high-velocity service delivery is no longer an option but a necessity, and they must improve their service management practices to respond to this challenge.
5.1.1 Architecture management
Key Message: The purpose of the architecture management practice is to provide an understanding of all the different elements that make up an organization and how those elements interrelate, enabling the organization to effectively achieve its current and future objectives. It provides the principles, standards, and tools that enable an organization to manage complex change in a structured and Agile way.
Architecture types
Business architecture
The business architecture allows the organization to look at its capabilities in terms of how they align with all the detailed activities required to create value for the organization and its customers. These are then compared with the organization’s strategy and a gap analysis of the target state against current capabilities is performed. Identified gaps between the baseline and target state are prioritized and these capability gaps are addressed incrementally. A ‘roadmap’ describes the transformation from current to future state to achieve the organization’s strategy.
Service architecture
Service architecture gives the organization a view of all the services it provides, including interactions between the services and service models that describe the structure (how the service components fit together) and the dynamics (activities, flow of resources, and interactions) of each service. A service model can be used as a template or blueprint for multiple services.
Information systems architecture, including data and applications architectures
The information architecture describes the logical and physical data assets of the organization and the data management resources. It shows how the information resources are managed and shared for the benefit of the organization.
Information is a valuable asset for the organization, with actual and measurable value. Information is the basis for decision-making, so it must always be complete, accurate, and accessible to those who are authorized to access it. Information systems must therefore be designed and managed with these concepts in mind.
Technology architecture
The technology architecture defines the software and hardware infrastructure needed to support the portfolio of products and services.
Environmental architecture
The environmental architecture describes the external factors impacting the organization and the drivers for change, as well as all aspects, types, and levels of environmental control and their management. The environment includes developmental, technological, business, operational, organizational, political, economic, legal, regulatory, ecological, and social influences.
5.1.2 Continual improvement
Key Message: The purpose of the continual improvement practice is to align the organization’s practices and services with changing business needs through the ongoing improvement of products, services, and practices, or any element involved in the management of products and services.
5.1.3 Information security management
Key Message: The purpose of the information security management practice is to protect the information needed by the organization to conduct its business. This includes understanding and managing risks to the confidentiality, integrity, and availability of information, as well as other aspects of information security such as authentication (ensuring someone is who they claim to be) and non-repudiation (ensuring that someone can’t deny that they took an action).
5.1.4 Knowledge management
Key Message: The purpose of the knowledge management practice is to maintain and improve the effective, efficient, and convenient use of information and knowledge across the organization.
5.1.5 Measurement and reporting
Key Message: The purpose of the measurement and reporting practice is to support good decision-making and continual improvement by decreasing the levels of uncertainty. This is achieved through the collection of relevant data on various managed objects and the valid assessment of this data in an appropriate context. Managed objects include, but are not limited to, products and services, practices and value chain activities, teams and individuals, suppliers and partners, and the organization as a whole.
Definition:
- Critical success factor (CSF) A necessary precondition for the achievement of intended results.
- Key performance indicator (KPI) An important metric used to evaluate the success in meeting an objective.
5.1.6 Organizational change management
Key Message: The purpose of the organizational change management practice is to ensure that changes in an organization are smoothly and successfully implemented, and that lasting benefits are achieved by managing the human aspects of the changes.
5.1.7 Portfolio management
Key Message: The purpose of the portfolio management practice is to ensure that the organization has the right mix of programmes, projects, products, and services to execute the organization’s strategy within its funding and resource constraints.
Agile portfolio management
The success of programmes and projects has historically been gauged by the extent to which implementation has been completed on time and within budget, and has delivered the required outputs, outcomes, and benefits. In many cases, however, organizations have struggled to demonstrate a return on their investment from change, and there is an increasing recognition that true success is only possible if the programme or project was the ‘right’ initiative to implement in the first place. Agile portfolio management takes this further, with an increased focus on visualizing strategic themes and the ability to reprioritize the portfolio swiftly, increase workflow, reduce batch sizes of work, and control the length of longer-term development queues.
Traditional portfolio management is focused on top-down planning with work laid out over longer time periods, but Agile portfolio management takes the concept of build–measure–learn cycles used by individual Agile teams and applies it on an organization-wide basis. Teams work together, use modular design, and share findings. This results in tremendous flexibility, which shifts the focus from continuing to execute an inflexible plan to delivering value and making tangible progress according to business strategy and goals.
Organizations practising Agile portfolio management communicate as much as possible across the business. They share knowledge and break barriers between organizational silos.
5.1.8 Project management
Key Message: The purpose of the project management practice is to ensure that all projects in the organization are successfully delivered. This is achieved by planning, delegating, monitoring, and maintaining control of all aspects of a project, and keeping the motivation of the people involved.
5.1.9 Relationship management
Key Message: The purpose of the relationship management practice is to establish and nurture the links between the organization and its stakeholders at strategic and tactical levels. It includes the identification, analysis, monitoring, and continual improvement of relationships with and between stakeholders.
5.1.10 Risk management
Key Message: The purpose of the risk management practice is to ensure that the organization understands and effectively handles risks. Managing risk is essential to ensuring the ongoing sustainability of an organization and creating value for its customers. Risk management is an integral part of all organizational activities and therefore central to the organization’s SVS (see section 2.5.3 for a definition of risk).
ISO 31000:2018 Risk management
These guidelines provide an overall and general perspective of the purpose and principles of risk management. They are applicable at all levels in any type of organization. ISO 31000 states that ‘the purpose of risk management is the creation and protection of value’ and that risk management ‘improves performance, encourages innovation and supports the achievement of objectives’.
5.1.11 Service financial management
Key Message: The purpose of the service financial management practice is to support the organization’s strategies and plans for service management by ensuring that the organization’s financial resources and investments are being used effectively.
Evolution of financial management with new technology
Financial management refers to the efficient and effective management of money in the most appropriate manner to accomplish the financial objectives of the organization. Since its inception, the financial management discipline has gone through various degrees of change, improvement, and innovation. A key component of this change has been the emergence of new technology. Many technological developments have impacted upon financial management, but the three key innovations are the introduction of a greater number of digital technologies, blockchain, and IT budgets and payment models.
Digital technologies
Major financial institutions are now analysing and using the latest technologies such as the cloud, big data, analytics, and artificial intelligence (AI) to gain, or even just to maintain, competitive advantage in the market place. However, new financial organizations are also using these technologies and starting operations without any legacy IT, technical debt, or bureaucratic processes, which means they tend to be more Agile.
Big data and analytics are being used by financial organizations to gain deeper insight into, and understanding of, their customers. The amount of data being captured is phenomenal and requires scalable computing power to process the data efficiently and cost-effectively. In return, this deeper customer understanding is causing financial organizations to develop new and innovative products and services. Data is now being referred to as the ‘new oil’, as organizations are scrambling to capture, analyse, and exploit it.
Blockchain
Another evolution in financial management is happening through a specific innovation called blockchain, again enabled only through cloud-based services. Initially blockchain was developed to enable the de-centralized management of crypto-currencies, allowing transactions to be audited and verified automatically and inexpensively.
Blockchain technologies are used to manage public digital ledgers. These digital ledgers record transactions across many globally distributed computers. The distribution of records ensures that each record cannot be changed without the alteration of all subsequent records (also known as blocks) and without the consensus of the entire distributed ledger (also called the network).
Global financial institutions are researching how this blockchain technology can provide them with competitive advantage by streamlining back-office functions and reducing settlement rates for banking transactions. New financial organizations are investigating blockchain to deliver alternative banking functions at a fraction of the cost and overheads of traditional banks.
IT budgets and payment models
The emergence of new technology has not just affected financial organizations, but also the way that every organization manages its IT services from a financial perspective. Much of the current wave of technological evolution has been enabled by cloud computing, and this seems likely to continue for the foreseeable future. This has led to a major change in how IT services are obtained, funded, and paid for by organizations.
Traditionally, IT resources were obtained using upfront capital expenditure (CAPEX). However, under the cloud model, the provision of IT infrastructure, platforms, and software is provided ‘as a service’. This model generally uses subscription-based or pay-as-you-use charging mechanisms which are paid for out of operational expenditure (OPEX).
Another area that has seen change is the organization’s approach to setting and managing IT budgets. Flexible IT budgets are required to meet the costs of scaling cloud-based services in an Agile and on-demand way. Fixed IT budgets, often forecast months in advance, struggle to account for the scaling of IT resources in this way.
Procurement rules within organizations are also having to change. There remains a place for fixed-price IT projects and services; however, cloud-based digital services are generally sold under a variable-price model, i.e. the more you use and consume, the more you pay, and vice versa. Therefore, those organizations that have not updated their procurement rules to allow them to buy variable-priced IT resources will face a large self-made barrier preventing them from using cloud-based digital services. To be as effective as possible, organizations must update their policies and educate their staff to ensure that they can purchase IT under a variable-priced model.
5.1.12 Strategy management
Key Message: The purpose of the strategy management practice is to formulate the goals of the organization and adopt the courses of action and allocation of resources necessary for achieving those goals. Strategy management establishes the organization’s direction, focuses effort, defines or clarifies the organization’s priorities, and provides consistency or guidance in response to the environment.
5.1.13 Supplier management
Key Message: The purpose of the supplier management practice is to ensure that the organization’s suppliers and their performances are managed appropriately to support the seamless provision of quality products and services. This includes creating closer, more collaborative relationships with key suppliers to uncover and realize new value and reduce the risk of failure.
5.1.14 Workforce and talent management
Key Message: The purpose of the workforce and talent management practice is to ensure that the organization has the right people with the appropriate skills and knowledge and in the correct roles to support its business objectives. The practice covers a broad set of activities focused on successfully engaging with the organization’s employees and people resources, including planning, recruitment, onboarding, learning and development, performance measurement, and succession planning.
Definition:
- Organizational velocity The speed, effectiveness, and efficiency with which an organization operates. Organizational velocity influences time to market, quality, safety, costs, and risks.
- Competencies The combination of observable and measurable knowledge, skills, abilities, and attitudes that contribute to enhanced employee performance and ultimately result in organizational success.
- Skills A developed proficiency or dexterity in thought, verbal communication, or physical action.
- Ability The power or aptitude to perform physical or mental activities related to a profession or trade.
- Knowledge The understanding of facts or information acquired by a person through experience or education; the theoretical or practical understanding of a subject.
- Attitude A set of emotions, beliefs, and behaviours towards a particular object, person, thing, or event.
5.2.1 Availability management
Key Message: The purpose of the availability management practice is to ensure that services deliver agreed levels of availability to meet the needs of customers and users.
Definition:
- Availability The ability of an IT service or other configuration item to perform its agreed function when required.
5.2.2 Business analysis
Key Message: The purpose of the business analysis practice is to analyse a business or some element of it, define its associated needs, and recommend solutions to address these needs and/or solve a business problem, which must facilitate value creation for stakeholders. Business analysis enables an organization to communicate its needs in a meaningful way, express the rationale for change, and design and describe solutions that enable value creation in alignment with the organization’s objectives.
Definition:
- Warranty requirements Typically non-functional requirements captured as inputs from key stakeholders and other practices. Organizations should aim to manage a library of pre-defined warranty acceptance criteria for use in practices such as project management and software development and management.
- Utility requirements Functional requirements which have been defined by the customer and are unique to a specific product.
5.2.3 Capacity and performance management
Key Message: The purpose of the capacity and performance management practice is to ensure that services achieve agreed and expected performance, satisfying current and future demand in a cost-effective way.
Definition:
- Performance A measure of what is achieved or delivered by a system, person, team, practice, or service.
5.2.4 Change control
Key Message: The purpose of the change control practice is to maximize the number of successful service and product changes by ensuring that risks have been properly assessed, authorizing changes to proceed, and managing the change schedule.
Definition:
- Change The addition, modification, or removal of anything that could have a direct or indirect effect on services.
- Standard changes These are low-risk, pre-authorized changes that are well understood and fully documented, and can be implemented without needing additional authorization. They are often initiated as service requests, but may also be operational changes. When the procedure for a standard change is created or modified, there should be a full risk assessment and authorization as for any other change. This risk assessment does not need to be repeated each time the standard change is implemented; it only needs to be done if there is a modification to the way it is carried out.
- Normal changes These are changes that need to be scheduled, assessed, and authorized following a process. Change models based on the type of change determine the roles for assessment and authorization. Some normal changes are low risk, and the change authority for these is usually someone who can make rapid decisions, often using automation to speed up the change. Other normal changes are very major and the change authority could be as high as the management board (or equivalent). Initiation of a normal change is triggered by the creation of a change request. This may be created manually, but organizations that have an automated pipeline for continuous integration and continuous deployment often automate most steps of the change control process.
- Emergency changes These are changes that must be implemented as soon as possible; for example, to resolve an incident or implement a security patch. Emergency changes are not typically included in a change schedule, and the process for assessment and authorization is expedited to ensure they can be implemented quickly. As far as possible, emergency changes should be subject to the same testing, assessment, and authorization as normal changes, but it may be acceptable to defer some documentation until after the change has been implemented, and sometimes it will be necessary to implement the change with less testing due to time constraints. There may also be a separate change authority for emergency changes, typically including a small number of senior managers who understand the business risks involved.
5.2.5 Incident management
Key Message: The purpose of the incident management practice is to minimize the negative impact of incidents by restoring normal service operation as quickly as possible.
Definition:
- Incident An unplanned interruption to a service or reduction in the quality of a service.
TIP:
Some organizations use a technique called swarming to help manage incidents. This involves many different stakeholders working together initially, until it becomes clear which of them is best placed to continue and which can move on to other tasks.
5.2.6 IT asset management
Key Message: The purpose of the IT asset management practice is to plan and manage the full lifecycle of all IT assets, to help the organization:
- maximize value
- control costs
- manage risks
- support decision-making about purchase, re-use, retirement, and disposal of assets
- meet regulatory and contractual requirements.
Definition:
- IT asset Any financially valuable component that can contribute to the delivery of an IT product or service.
Types of asset management
Asset management is a well-established practice that includes the acquisition, operation, care, and disposal of organizational assets, particularly critical infrastructure.
IT asset management (ITAM) is a sub-practice of asset management that is specifically aimed at managing the lifecycles and total costs of IT equipment and infrastructure.
Software asset management (SAM) is an aspect of IT asset management that is specifically aimed at managing the acquisition, development, release, deployment, maintenance, and eventual retirement of software assets. SAM procedures provide effective management, control, and protection of software assets.
5.2.7 Monitoring and event management
Key Message: The purpose of the monitoring and event management practice is to systematically observe services and service components, and record and report selected changes of state identified as events. This practice identifies and prioritizes infrastructure, services, business processes, and information security events, and establishes the appropriate response to those events, including responding to conditions that could lead to potential faults or incidents.
Definition:
- Event Any change of state that has significance for the management of a service or other configuration item (CI). Events are typically recognized through notifications created by an IT service, CI, or monitoring tool.
5.2.8 Problem management
Key Message: The purpose of the problem management practice is to reduce the likelihood and impact of incidents by identifying actual and potential causes of incidents, and managing workarounds and known errors.
Definition:
- Problem A cause, or potential cause, of one or more incidents.
- Known error A problem that has been analysed but has not been resolved.
- Workaround A solution that reduces or eliminates the impact of an incident or problem for which a full resolution is not yet available. Some workarounds reduce the likelihood of incidents.
5.2.9 Release management
Key Message: The purpose of the release management practice is to make new and changed services and features available for use.
Definition:
- Release A version of a service or other configuration item, or a collection of configuration items, that is made available for use.
5.2.10 Service catalogue management
Key Message: The purpose of the service catalogue management practice is to provide a single source of consistent information on all services and service offerings, and to ensure that it is available to the relevant audience.
Definition:
- Request catalogue A view of the service catalogue, providing details on service requests for existing and new services,
which is made available for the user.
Tailored views
As described above, the service catalogue enables the creation of value and is used by many different practices within the service value chain. Because of this, it needs to be flexible regarding what service details and attributes it presents, based on its intended purpose. As such, organizations may wish to consider providing different views of the catalogue for different audiences.
5.2.11 Service configuration management
Key Message: The purpose of the service configuration management practice is to ensure that accurate and reliable information about the configuration of services, and the CIs that support them, is available when and where it is needed. This includes information on how CIs are configured and the relationships between them.
Definition:
- Configuration item Any component that needs to be managed in order to deliver an IT service.
- Configuration management system A set of tools, data, and information that is used to support service configuration management.
5.2.12 Service continuity management
Key Message: The purpose of the service continuity management practice is to ensure that the availability and performance of a service are maintained at sufficient levels in case of a disaster. The practice provides a framework for building organizational resilience with the capability of producing an effective response that safeguards the interests of key stakeholders and the organization’s reputation, brand, and value-creating activities.
Definition:
- Recovery time objective (RTO) The maximum acceptable period of time following a service disruption that can elapse before the lack of business functionality severely impacts the organization. This represents the maximum agreed time within which a product or an activity must be resumed, or resources must be recovered.
- Recovery point objective (RPO) The point to which information used by an activity must be restored to enable the activity to operate on resumption.
- Disaster recovery plans A set of clearly defined plans related to how an organization will recover from a disaster as well as return to a pre-disaster condition, considering the four dimensions of service management.
- Business impact analysis (BIA) A key activity in the practice of service continuity management that identifies vital business functions (VBFs) and their dependencies. These dependencies may include suppliers, people, other business processes, and IT services. BIA defines the recovery requirements for IT services. These requirements include RTOs, RPOs, and minimum target service levels for each IT service.
Service continuity management versus incident management
Service continuity management focuses on those events that the business considers significant enough to be treated as a disaster. Less significant events will be dealt with as part of incident management or major incident management. The distinction between disasters, major incidents, and incidents needs to be pre-defined, agreed, and documented with clear thresholds and triggers for calling the next tier of response and recovery into action without unnecessary delay and risk.
5.2.13 Service design
Key Message: The purpose of the service design practice is to design products and services that are fit for purpose, fit for use, and that can be delivered by the organization and its ecosystem. This includes planning and organizing people, partners and suppliers, information, communication, technology, and practices for new or changed products and services, and the interaction between the organization and its customers.
Lean user experience
Lean user experience (Lean UX) design is a mindset, a culture, and a process that embraces Lean–Agile methods. It implements functionality in minimum viable increments, and determines success by measuring results against an outcome hypothesis. Lean UX is incredibly useful when working on projects where Agile development methods are used. The core objective is to focus on obtaining feedback as early as possible so that it can be used to make quick decisions.
Typical questions for Lean UX might include: Who are the customers of this product/service and what will it be used for? When is it used and under what circumstances? What will be the most important functionality? What are the biggest risks?
There may be more than one answer to each question, which creates a greater number of assumptions than it might be practical to handle. The team will then prioritize these assumptions by the risks they represent to the organization and its customers.
5.2.14 Service desk
Key Message: The purpose of the service desk practice is to capture demand for incident resolution and service requests. It should also be the entry point and single point of contact for the service provider with all of its users.
5.2.15 Service level management
Key Message: The purpose of the service level management practice is to set clear business-based targets for service levels, and to ensure that delivery of services is properly assessed, monitored, and managed against these targets.
Definition:
- Service level One or more metrics that define expected or achieved service quality.
- Service level agreement A documented agreement between a service provider and a customer that identifies both services required and the expected level of service.
The watermelon SLA effect
Traditional SLAs have been based on individual activities such as incident resolution times, system availability (‘99.9’), and volume metrics (e.g. number of incidents or requests handled). Without a business context these metrics are often meaningless. For example, although a system availability of 99.6% is impressive, this still needs to align with key business requirements. The system may have an acceptable unavailability of 0.4%, but if that time falls when there is an important process happening (such as a commercial transaction, an operating theatre in use, or point-of-sale tills in use), then customer/user satisfaction will be low, regardless of whether the SLA has been met.
This can be problematic for the service provider if it thinks it is doing a great job (the reports are all green), when in fact its customers are dissatisfied with the service received and also frustrated that the provider doesn’t notice this. This is known as the watermelon SLA effect, because like a watermelon, the SLA may appear green on the outside, but is actually red inside.
Service level management identifies metrics and measures that are a truthful reflection of the customer’s actual experience and level of satisfaction with the whole service. These will vary across organizations and the only way to learn what these are is to find out directly from customers.
5.2.16 Service request management
Key Message: The purpose of the service request management practice is to support the agreed quality of a service by handling all pre-defined, user-initiated service requests in an effective and user-friendly manner.
Definition:
- Service request A request from a user or a user’s authorized representative that initiates a service action which has been
agreed as a normal part of service delivery.
5.2.17 Service validation and testing
Key Message: The purpose of the service validation and testing practice is to ensure that new or changed products and services meet defined requirements. The definition of service value is based on input from customers, business objectives, and regulatory requirements, and is documented as part of the value chain activity of design and transition. These inputs are used to establish measurable quality and performance indicators that support the definition of assurance criteria and testing requirements.
Definition:
5.3.1 Deployment management
Key Message: The purpose of the deployment management practice is to move new or changed hardware, software, documentation, processes, or any other component to live environments. It may also be involved in deploying components to other environments for testing or staging.
5.3.2 Infrastructure and platform management
Key Message: The purpose of the infrastructure and platform management practice is to oversee the infrastructure and platforms used by an organization. When carried out properly, this practice enables the monitoring of technology solutions available to the organization, including the technology of external service providers.
Cloud service models
Cloud service models include:
- Software as a service (SaaS) The consumer can use the applications running in the cloud infrastructure without having to control or even manage the underlying cloud infrastructure.
- Platform as a service (PaaS) The consumer can deploy onto the cloud acquired applications created using programming languages, services, libraries, and/or tools supported by the supplier without having to control or even manage the underlying cloud infrastructure. They have control over the deployed applications and sometimes the configuration settings for the application and hosting environment.
- Infrastructure as a service (IaaS) The consumer can get processing, storage, and/or any other computing resources without having to control the underlying infrastructure.
Cloud service deployment models
Every service model can be deployed in several ways, either independently or using a mix of the following:
- Private cloud This type of cloud may be located within the organization’s premises or outside of it. It is a cloud infrastructure or platform to be used exclusively by a specific organization which, at the same time, can have one or several consumers. This cloud is normally managed and owned by an organization, a provider, or a combination of both.
- Public cloud This type of cloud is located on the cloud provider premises. It is provisioned for open use and may be owned, managed, and operated by any type of organization interested in using it.
- Community cloud A community cloud may be owned, managed, and operated by one or more of the stakeholders in the community, and it may exist on or off the organization’s premises. This cloud deployment model consists of several cloud services that are meant to support and share a collection of cloud service customers with the same requirements and who have a relationship with one another.
- Hybrid cloud This cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability.
ITIL practices and cloud computing
The advent of the cloud has been one of the greatest challenges and opportunities within the IT world for decades. The promise of rapid, elastic storage and IT services available at the touch of a button is one that many organizations struggle to deliver internally, not because the benefits are not there to be had, but rather because their own ITSM processes and controls have not been adapted to support a radically different way of working.
The management and control of IT services is a key skill of IT departments no matter where those services are physically located, and the processes and controls offered by ITIL are readily adaptable to support the management of those cloud services.
A coordinated response to the management of cloud services is essential. Organizations that attempt to address only a cloud service provision as an operational issue will suffer on the tactical front, just as an organization that attempts to control cloud services on a tactical front will suffer at the strategic level. A joined-up approach covering all three levels, strategic, tactical, and operational, is required.
Apart from the infrastructure and platform management practice, the operation and management of cloud-based services involves many other practices. It should be noted that this is not a comprehensive list:
- Service financial management One of the adjustments that IT departments often have to make for cloud computing is to their fiscal planning, which typically uses both traditional capital expenditure (CAPEX) and operational expenditure (OPEX). With the advent of cloud computing, OPEX is preferred over CAPEX, as cloud services are often consumed as utilities and paid out of the operational budget. If cloud services are quicker and easier to access than in-house services, the costs associated with them will grow as more parts of the business use them. The IT cost model must be adjusted, and the service financial management practice can help to determine the techniques and controls required to ensure that the organization does not run out of OPEX unexpectedly.
- Supplier management The focus of this practice will need to change from simply selecting suppliers and onboarding them to acting as the front end for a full-on release management process. This will ensure that areas such as IT security, data protection, and regulatory compliance are routinely assessed prior to the onboarding of a new cloud offering.
- Capacity and performance management Coupled with service financial management, this practice should establish and monitor budgets, with thresholds tracked and warnings published if an upswing in demand leads to an increase in the cost of cloud services.
- Change control The boundaries of this practice will have to be redefined, as cloud service providers often make changes with minimal customer involvement, and almost no customer approval. Products and services built on top of cloud services will need to make far greater use of standard changes to unlock the benefits that cloud platforms (and associated business models) provide.
- Incident management The focus of this practice will change from knowing how to fix in-house issues, to knowing which service is supported by which cloud provider, and what information they will require to resolve an issue. Greater care will be needed to support impacted customers and teams.
- Deployment management This practice will continue to be critical to IT departments, but the ability to safely onboard or offboard a cloud provider will become a common requirement for IT departments. Deployment management will be a key capability for successful IT organizations, to ensure new cloud capabilities are rapidly deployed and embedded within the in-house service offerings.
5.3.3 Software development and management
Key Message: The purpose of the software development and management practice is to ensure that applications meet internal and external stakeholder needs, in terms of functionality, reliability, maintainability, compliance, and auditability.