What Is ITIL?

I met with an acquaintance recently, who was looking for some input into forming a cohesive IT strategy, aligned more closely with business strategy and processes, and supporting the anticipated growth of the company.  I hope that she doesn’t mind my sharing some of our meeting dialogue as a learning experience for others.

The company that she presently works for is well established across Canada, and has started to reach into the States as it steadily grows.  My acquaintance is concerned that current growth may shortly exceed IT’s ability to keep pace, and the company will be facing capacity, capability and security issues in the mid to long-term.  Better to identify and plan to address these issues now, than to wait for a major flare-up.  I couldn’t agree more.

IT is all about providing, managing, measuring and changing services for the constituents within the organization.  The first question that I asked was, “How is change managed in the organization?”  There was a pause, and I followed up for clarity: “Do you manage change using, say, ITIL practices?”  It turns out that she has had little exposure to ITIL, and asked for a quick explanation of the term.  My short two-sentence expansion was probably far too brief to offer any real guidance or expression of value, so I am following up in more detail here.

ITIL is short for the Information Technology Infrastructure Library.  This library provides an organized set of core IT concepts and a framework of practices and processes for Information Technology Services Management (ITSM), development and operations.  Each of the core concepts and process groups inter-relate, with input and feedback linkages.  Each concept is designed to create order from chaos, improve service delivery and customer service, increase productivity, reduce complexity, and streamline costs.  ITIL gives detailed descriptions of a number of important IT practices and provides comprehensive checklists, tasks and procedures that any IT organisation can tailor to its needs.  Read this white paper for more information on ITIL basics.

A 2007 article in IT World Canada reports that an “implementation of ITIL was estimated to save 10 to 20 percent in technology support costs over a five-year period.  Actual returns have been higher, according to Senior Vice President of Enterprise Technology Operations, Robert Turned, but it’s difficult to attribute all of the savings directly to ITIL.”

ITIL does not require adoption of the entire body of its framework in order to be successful in bringing to light substantial benefits to the organization.  A company can choose what to adopt, how far to mature the model and framework, if and when to introduce automation, and can choose to adopt only a single module if that is all that it requires.  In fact I have been responsible for introducing select modules at several places of work, and have worked at others that had elected to introduce formal Change Management only, because that was all that they needed at the time.  CoBIT has been mapped to ITIL, as have other best practice sets, and Microsoft’s own Operational Framework is based directly on the ITIL model.

ITIL is published in a series of books, each of which covers an IT management topic.  Each topic contains one or more sub-processes.  Version 3 is a significant update to the framework and its processes.  The Version 3 IT Service Management core process group includes:

  1. Service Strategy – How to align the IT service components
  2. Service Design – How to build service components
  3. Service Transition – How to move maturing processes and services forward through their life-cycle
  4. Service Operation – How to operate services
  5. Continual Service Improvement – How to analyze and optimize service offerings and processes

Service Strategy

  • Service Portfolio Management – Managing services as a portfolio is a new concept in ITIL V3, introducing strategic thinking about how the Service Portfolio should be developed in the future.
  • Financial Management – The activities and process objectives of the Financial Management process are identical in ITIL V2 and V3.

Service Design

  • Service Catalogue Management – Service Catalogue Management lists and details the services provided, introducing a dedicated process to ensure that the Service Catalogue is up-to-date and contains reliable information.  ITIL V3 introduces a clear distinction in the Service Catalogue between Business Services (services visible to the customer, defined by SLAs), and Supporting Services (services visible only inside the IT organization, defined by OLAs or UCs).
  • Service Level Management – Essentially, the activities and process objectives of the Service Level Management process are identical in ITIL V2 and V3.  Define and meet your commitments.
  • Capacity Management – No major differences between ITIL V2 and ITIL V3.  Looks at how to anticipate and meet demand.
  • Availability Management – No major differences between ITIL V2 and ITIL V3.  Considers how to manage, measure, and report uptime.
  • IT Service Continuity Management – No major differences between ITIL V2 and ITIL V3.  Plan for and manage how major outages are handled.
  • IT Security Management – ITIL V3 treats IT Security Management as part of the Service Design core volume, resulting in a better integration of this process into the Service life-cycle.
  • Compliance Management – Compliance issues are addressed within several processes in ITIL V3; there is, however, no dedicated Compliance Management process.  Compliance is an increasingly important topic for IT organizations, so assign clear responsibilities for ensuring compliance.
  • IT Architecture Management – ITIL V3 provides guidance on IT architecture issues as part of a chapter on “technology-related activities”.  Having a well-defined architecture blueprint in place is very important for IT organizations.
  • Supplier Management – In ITIL V3, Supplier Management is part of the Service Design process to allow for a better integration into the Service life-cycle.

Service Transition

  • Change Management – ITIL V3 introduces “Change Models”, putting more emphasis on defining different types of Changes and how they are to be handled.   Emergency Changes in ITIL V3 are authorized by the Emergency Change Advisory Board (ECAB), which was known as the Emergency Committee (EC) in ITIL V2.
  • Release and Deployment Management – ITIL V3 provides considerably more detail in the areas of Release planning and testing; there are two dedicated processes in ITIL V3:
    • Project Management (Transition Planning and Support) – TPS is a new process in ITIL V3; ITIL V2 covered some aspects of this process within Release Management but ITIL V3 provides considerably enhanced guidance. TPS is actually about managing service transition projects. ITIL V3 does not provide a detailed explanation of all aspects of Project Management but highlights the most important activities and assists in identifying interfaces with the other Service Management processes. Having a basic Project Management process defined will provide a good starting point for introducing best-practice Project Management frameworks like PRINCE2 or PMP.
    • Service Validation and Testing – Service Validation and Testing is a new process in ITIL V3.  Major additions in ITIL V3 are details on the various testing stages during Service Transition and descriptions of the corresponding testing approaches.
  • Application Development and Customization – Application Development is barely mentioned in the ITIL V3 books, as ITIL V3 focuses on different topics like service design and rollout.  Introduce an Application Development process if required, which takes care of the actual application coding and the customization of standard software packages.
  • Knowledge Management – Knowledge Management was added as a new process in ITIL V3.  ITIL V3 defines KM as the one central process responsible for providing knowledge to all other IT Service Management processes.

Service Operation

  • Event Management – ITIL V3 sees Event Management as an important trigger of the Incident and Problem Management processes.
  • Incident Management – ITIL V3 distinguishes between Incidents (Service Interruptions) and Service Requests (standard requests from users, e.g. password resets).  Service Requests are no longer fulfilled by Incident Management; instead there is a new process called Request Fulfilment.  There is now a dedicated process for dealing with emergencies (“Major Incidents”).  A process interface was added between Event Management and Incident Management, so that significant Events now trigger the creation of an Incident.
  • Request Fulfilment – Request Fulfilment was added as a new process to ITIL V3 with the aim of having a dedicated process dealing with Service Requests.  This was motivated by a clear distinction in ITIL V3 between Incidents (Service Interruptions) and Service Requests (standard requests from users, e.g. password resets).  In ITIL V2, Service Requests were fulfilled by the Incident Management process.
  • Access Management – Access Management was added as a new process to ITIL V3.  The decision to include this dedicated process was motivated by IT security, as granting access to IT services and applications only to authorized users is of high importance from an IT Security viewpoint.
  • Problem Management – Problem Management deals with events that have been elevated to problem status.   A new sub-process “Major Problem Review” was introduced to review the solution history of major Problems in order to prevent a recurrence and learn lessons for the future.
  • IT Operations Management – Outlines typical IT operational duties and processes.
  • IT Facilities Management – This function is outlined as above.

Continual Service Improvement – ITIL V3 expands this concept into a whole new book, introducing dedicated processes for service and process evaluation and improvement.

Risk Management (The missing link) – Risks are addressed within several processes in ITIL V3; there is, however, no dedicated Risk Management process.   ITIL V3 calls for “coordinated risk assessment exercises”, so consider assigning clear responsibilities and methods for managing risks.  Having a basic Risk Management process in place will provide a good starting point for introducing best-practice Risk Management frameworks like M_o_R (as recommended in the ITIL V3 books).

Other useful and recommended ITIL operational guidance:

  1. Infrastructure Management
  2. Security Management
  3. Performance Management
  4. The Business Perspective
  5. Application Management
  6. Software Asset Management
  7. Planning to Implement Service Management
  8. ITIL Small-Scale Implementation
  9. Guide to Software Asset Management
  10. ITIL Lite: A Road Map to Implementing Partial or Full ITIL
  11. Agile Project and Service Management – Delivering IT Services using PRINCE2, ITIL and DSDM Atern
  12. Building an ITIL based Service Management Department
  13. Release, Control and Validation Handbook
  14. Operational Support and Analysis Handbook
  15. Planning, Protection and Optimization Handbook
  16. Information Lifecycle Support: Wisdom, Knowledge, Information and Data Management (WKIDM)
  17. Service Offerings and Agreements Handbook

If you are considering a strategic framework that is flexible, service focused, and can be aligned with business strategy and growth, ITIL fits the bill.  It is important to consider the modules that you will want to implement, and the order of introduction.  It is my personal opinion that the following processes are critical to the success of any IT organization as the business and IT commitments become larger and more complex:

  1. Asset Management  (Hardware and Software)
  2. Configuration Management
  3. Incident, Problem, and Service Desk Management
  4. Change Management
  5. Service Level Management

I choose these core elements of IT Service Management and this order as you can only know what you can know, and can only control what you can control.  Asset Management will force your organization to examine what makes up the IT environment, what services your IT team provides, and what might be missing.  Configuration Management focuses on standardizing system design, reducing costs, and increasing security and compliance.  Incident, Problem and Service Desk Management are all very closely related and should be integrated.  Change Management extends Configuration Management to the next level, into the planning stages, forcing the organization to consider what effects and impacts, positive and negative, a change may have on the rest of the environment, plan actions to ensure success, and engage the right resources to get the job done right.  Service Level Management focuses on measuring performance, offering insights into improvement opportunities, and managing relationships with customers and vendors.  It is my opinion that these 4 process groups along with Service Desk Management, taken through all 5 of the ITSM core sets above, would provide a solid strategical foundation to build upon for the future.

10 Steps to ITIL Success:

  1. Understand the model, framework and options.  Know what you want to do, and what modules will get you there.
  2. Set a clear vision, goals, and objectives and clearly define where you want to go.
  3. Get senior-level buy-in.  Public support from the top down is always helpful, especially when the business is involved.
  4. Think of ITIL as a framework, not a set of instructions.  Focus on the processes you’re trying to improve, and apply the framework accordingly.
  5. Adapt the framework to your needs.  Each business has unique challenges and one size doesn’t fit all.  Think about your business’ unique needs when applying ITIL processes.
  6. Build bonds with the business.  Include the business when setting your ITIL goals and objectives, and ensure the business is involved in service improvements.
  7. Introduce ONE process at a time.  Many organizations jump into ITIL too aggressively, which can confuse and dilute ITIL’s overall impact.
  8. Develop key metrics.  Know what success looks like, how it will be achieved, what the indicators are, and provide reports.
  9. Look for quick wins.  Any ITIL initiative is usually a multi-phase project, so validate your strategy with tangible results.
  10. Train and evangelize.  Certify a core group or at least one employee in ITIL.  Make sure someone is evangelizing ITIL via town halls.

So who is using ITIL to successfully manage their IT services?   ITIL has been adopted by hundreds of organizations worldwide, including:

  • Microsoft
  • IBM
  • NASA
  • HSBC
  • Disney
  • Procter & Gamble
  • British Airways
  • Ministry of Defence
  • Shell
  • Hewlett Packard