International Journal of Management Science and Business Administration
Volume 1, Issue 7, June 2015, Pages 48-59
IT Process Practices in Kenya
Stanley Mwangi Chege
Head QA, Co-operative Bank of Kenya
Abstract: IT processes are the functions and duties that Information Technology (IT) performs. These activities include development and maintenance of applications, supporting infrastructure (e.g., hardware, systems software and networks) as well as managing human resources. All of these activities have some dependency among each other. Information Technology processes is a practice of ensuring that IT organization serves the needs of the business in a systematic manner so that good performance of the enterprise is guaranteed. It is a set of practices and procedures brought together in unison to ensure IT alignment with business needs. Some widely acknowledged and used IT process frameworks to make IT efficient and effective are Control Objectives for Information and related Technology, (COBIT), IT Service management (ITSM) and IT infrastructure library (ITIL) and ISO 38500.
Keywords: IT Process, COBIT, ITIL, ITSM, ISO 20000, COSO, CMMI, ISO 38500
IT processes are the strategic, tactical and operational activities/tasks that IT performs. Type of such processes, amount of devoted resources and its total number employees involved might vary from one firm to another based on the scale and the emphasis of that firm. Whether you are a Global 1,000 organization, or you are managing a single PC at home, there is always some set of processes to be managed properly. Organizations over the world have realised that IT can help transform an organization’s business performance. More and more organizations are leveraging on IT to bring about innovative ways of competing in the industry. IT is being seen as an enabler and driver of business. Some organizations have been employing proven IT process frameworks to help align IT with business for improved business performance. Some of the most popular IT process frameworks that have been touted as helping make IT efficient and effective are Control Objectives for Information and related Technology, (COBIT), IT Service management (ITSM) and IT infrastructure library (ITIL) and ISO 38500.
Figure 1: 38 IT Management Processes
Source: Adapted from J. Luftman, Managing Information Technology Resources, 3rd edition, 2012.
We can see from the above diagram that in order to address IT processes in a coherent fashion, the processes are categorized into three distinguishing layers for added clarity. The first layer is the strategic layer. IT processes associated with the strategic layer focus on determining long-term goals of the firm and how IT can enable/drive their achievement. The second layer is the tactical layer. The tactical layer consists of IT processes that work towards achieving the strategic goals. The third layer is the operational layer. IT processes that comprise the third layer deal with day-to-day production activities. These processes affect the maintenance and monitoring of services, systems, applications and networks. Here, processes that involve training, staffing, accounting, scheduling and administration are included. The list of 38 processes comprises all of the planning, organizational and administrative processes that are required to effectively and efficiently manage IT (Luftman, 2012).
By categorizing IT processes into above-given three layers, it is easier to see the interdependencies among IT functions. For example, it is apparent that the strategic layer influences the tactical layer by changing the services, technologies, tools and methodologies those are applied in the tactical processes. As an additional consequence, new services, technologies, tools and methodologies also affect the operational level by changing the requirements of staff, their training and job functions. As the tactical processes are completed and moved to production, there is a visible impact of the operational layer in adding or subtracting schedules, changes and maintenance processes. It is also easier to see the interdependencies of IT processes in this layer. For example, processes such as problem control, change control, production scheduling and service evaluation may discover problems happening in production areas and require interactions between those processes to resolve these issues (Luftman, 2012).
2. An overview of the 38 IT processes
Business Strategic Planning
This process defines a business strategy that is enabled/driven by IT. It defines the enterprise’ IT function demands through the strategic plan period and the opportunities IT has in meeting these demands.
Architecture Scanning and Definition
Using the information obtained in the Business Strategic Planning process and considering the whole enterprise, this process redefines IT terms, the architectural goals of IT organization. The creation of an Architectural Definition provides a common understanding of the path to be followed for the members of IT staff.
Architecture Scanning and Definition consists of:
- Defining the data, information and knowledge architecture for the enterprise;
- Defining the application architecture for the enterprise;
- Defining IT technology (e.g., networks, computers, et al.) architecture for the enterprise;
- Integrating architectures.
Information Technology Strategic Planning and Control
Based on the business goals of the firm and architectural goals of IT group, this process defines the general direction regarding how to attain these goals via IT Strategic Plan.
The application plan is a portfolio and schedule of applications to be built or modified within a set period of time.
The data planning process reviews the application plan and determines the data (including information and knowledge) needs for the applications planned.
The comprehensive system plan is a translation of the enterprise’s strategic goals and directions into a scheduled update of the enterprise’s hardware, software, network and facilities to enable applications to meet the strategic goals of the enterprise.
ITIL (Information Technology Infrastructure Library) Counterpart
Configuration Management is the process that tracks/monitors all of IT assets in IT infrastructure. This process helps coordinate hardware depreciation and support.
The network planning process focuses on the network connectivity demands of the enterprise.
The project planning defines technically feasible and manageable projects that will reflect enterprise’s strategic goals and direction; it translates all the plans into manageable projects.
Service Level Planning and Management
The service level planning process defines and negotiates individual service agreements using the service volume forecasts and service charge rates established by the service marketing planning process.
ITIL (Information Technology Infrastructure Library) Counterpart
An incident is a deviation from the expected standard operation of a system or service. When it needs to be managed, it becomes a service request and needs to be handled as soon as possible. Incident Management is enterprise-wide process, which influences the system availability and continuity. The general steps for Incident Management are detection, investigation, diagnosis, resolution, recovery, recording and classification.
A problem is a condition that is defined or identified from one or more incidents exhibiting common symptoms for which the cause is unknown. It is different from the definition of a known error which is a condition identified by the successful diagnosis of the root cause of a problem. Problem Management improves stability and reduces downtime in IT services by identifying and removing errors in IT infrastructure.
Service Level Management
Service Level Management is a primary vehicle for communication with the business partners and it ensures the arrangements between internal IT Support Providers and external suppliers.
The primary objective of this process is to optimize the accessibility of IT infrastructure, services and supporting organization. It enables the delivery of a cost effective and sustainable level of accessibility enabling the business to meet their objectives; ensuring all of the current and future capacity and performance aspects of the business requirements are provided effectively. Availability is critical. Because, for an IT operation running 24 hours per day (365 days per year), a decimal place can mean a great deal. An availability of 99% means 3.7 days of cumulative unplanned downtime per year and an availability of 90% means more than one month’s downtime. Even an availability of 99.99% means 53 minutes of downtime a year, which may seriously influence customer experience.
The total availability of multiple components in series is the product of availability of each component. The availability of five components in series, with 98 percent available each, is 90 percent; that is significantly less than the availability of any single component. Actually, combining components in a series decreases overall availability. It does not take many components to place the entire service at risk.
If five components are placed parallel, the overall availability is 99.99999968%. Three components can provide high redundancy efficiently. However, more than three components do not significantly increase the availability.
Business Continuity Planning
The Business Continuity Planning process works towards a way to ensure continuation of business operations in the case of failure or disaster. Since, many companies still have problems with IT business continuity, it is critical for companies to prepare solutions for the possible risks in advance.
ITIL (Information Technology Infrastructure Library) Counterpart
Continuity Management is a systematic approach to the creation of a plan and/or procedures (which are regularly updated and tested) to prevent, cope with and recover from the loss of critical services for extended periods. It ensures that the required IT technical and services facilities can be recovered within required, agreed time scale.
Security Planning and Management
The security planning process builds an overall plan to ensure that agreed levels of security for systems and services are met.
Audit Planning and Management
The audit planning process builds an overall plan to ensure that continuation of the agreed levels of audit and compliance for systems, applications, services and laws wil be met. The Enterprise Risk Management (ERM) processes are on focus here. Migration of information in electronic forms increases storage volume exponentially and therefore, there is a need for transformation in information management. Physical space is no longer the limiting factor. In the repository, electronic records are organized by application type rather than content which traditional record retention is based on. The records carry different degrees of risk for a company. For example, archived data related to criminal investigations has a higher level of risk than that on consumer class action. Even records similar in risk can be different in evidence handling.
Capacity Planning And Management
The capacity planning process uses a forecast of loaded demand from new projects or from the evolution of existing services; this process defines how system resources support the demand.
ITIL (Information Technology Infrastructure Library) Counterpart
Capacity management ensures that IT infrastructure is delivered at the right service performance and in an efficient manner to meet the business requirements. Capacity can be divided into business capacity, service capacity and resource capacity. There have been numerous examples of companies experiencing infrastructure capacity preparedness problems. These include Delta Air Lines in advertising new discount fares and incentives to book online tickets; Red Cross in supporting the tsunami relief effort; Amazon in pre-Christmas volumes; Walgreen in pre-Christmas volumes; and Hallmark in Valentine’s Day online requests. These examples of lost business due to system overload should teach IT and business executives to ensure they have an appropriate capacity planning process in place. There is always a gap between the current capacity and future demand for system’s service. Insufficient capacity may lead to loss of business opportunity, while the excessive capacity means waste of resource and excessive costs. A balance between the capacity and cost needs to be found for each individual organization to identify the appropriate Economic Order Point (EOP) (Luftman, 2012).
Skills Planning and Management
The skills planning process uses the requirements identified in the project and service plans to define the human resources to meet the enterprise needs to compete in this tactical time horizon. Skills can be obtained from existing staff by applying their current expertise or through training of existing staff, hiring new staff, outsourcing or acquiring a new organization. The process also needs to identify education plans for existing staff that would enable the enterprise to meet skill requirements in the near future.
Budget Planning and Value Management
The budget planning process converts individual plans into financial terms and identifies how funds will be obtained and allocated.
ITIL (Information Technology Infrastructure Library) Counterpart
Financial Management for IT is the process that ensures that IT related software and hardware are obtained at an effective price and ensures that the organization understands the total cost of their IT services.
Vendor Planning and Management
The vendor planning and management process deals with the companies that are providing outsourcing, hardware and software. It must also measure and monitor performance against the Service Level Agreements (SLAs) and contracts to determine if any corrective action is necessary.
Management Systems Planning and Monitoring
The management systems planning process uses the strategic plans and an assessment of the existing IT plan to define a new prioritized portfolio of projects and plans. It improves the management systems through a project management approach.
This process defines the project goals, scope, leadership and business partner involvement necessary to ensure successful project completion. The project definitions are placed in a document containing project objectives and organization based on the tactical plan that was created in the Tactical Plan management‖ process.
Important components of this process are the selection of a project leader, defining IT and business involvement and obtaining management commitment for the completion of the project.
This process prepares a detailed project plan including objectives, resources, time scale, tasks, organization and deliverables. This process must be consistent with the objective and organization of the project that was defined in the process project definition.
This process monitors the project through its phases by conducting reviews, evaluating progress, resolving any problems and documenting and communicating its life cycle. The process uses the detailed project plan developed in the Project Scheduling process.
This process will include the submission of change requests to move the deliverable to the system inventory.
Project Requirements Control
This process accepts or rejects requests for changes and adjusts the detailed project plan as necessary. These changes result from modified objectives, new procedures, new technologies, or errors in the original project scope.
This process documents the completion of a project and ensures that all promised deliverables are actually provided. This process uses the detailed project plan developed in Project Scheduling and the project history that was produced during project development.
This process identifies, assesses, coordinates, groups, monitors and takes actions to all changes to information system resources and procedures in such a way that there is either minimal impact on IT operation or minimal risk.
ITIL (Information Technology Infrastructure Library) Counterpart
A change is an event that results in a new status of one or more configuration items. Change management ensures that all the changes are handled efficiently and with standardized methods and procedures.
This process coordinates the activation of new software or new hardware or both. The primary goal of Release Management is the protection of the production environment. While pursuing the goal, the organization needs to check the release readiness from all perspectives, including technical, staff and business partners.
This process manages and monitors inventories of all IT resources (including hardware, software, personnel and financial resources). This process relies on change information.
Production and Distribution Scheduling
This process translates planned service agreements into a schedule of work and performance measurement for Production and Distribution. This process uses the tactical plan developed.
This process receives problems and monitors their resolution by requesting bypass actions and/or projects (maintenance or tuning). It informs the service evaluating process of the service impact of the problems.
This process translates the performance status and the problem impacts into business terms and compares them with service agreements. It also identifies and reports any variances to users and management.
Software procurement (Contracts and Vendors)
This process procures and modifies applications, operating systems software, other supporting software and all related documentation within the framework of a project. The process controls the basic buy cycle.
This process develops and upgrades applications, operating systems software, other support software and all related documentation within the framework of a project.
Hardware Procurement and Upgrade (Contracts and Vendors)
This process selects, installs, removes, modifies and upgrades Information Systems hardware and facilities within the framework of a project.
This process corrects defects in hardware, applications, software and facilities (including engineering changes and program temporary fixes) within the framework of a project.
Tuning and system balancing
This process tunes the systems resources to ensure proper performance of individuals or groups of resources within the framework of a project. This process includes periodic regression testing to ensure that new changes have not caused undesired performance results in existing resources.
This process applies service rates to systems resources to determine total costs applicable to individual business units (including IT), accumulates these costs, charges the individual user organization (where appropriate) and matches against the budget. The process also includes maintaining contractual agreements for project work, hardware and software leasing and other supportive efforts.
Education and Training
This process educates business and IT personnel on Information Technology related topics through job training or formal education.
This process tracks staff performance and reports productivity.
Hiring and Retention
This process focuses on the activities necessary to acquire and maintain an effective, motivated and competent workforce to enable Information Technology to meet the needs of the business. Most large IT organizations will have their own Human Resource unit to work with them. This process is successful if the policies and practices of the firm are sound, fair and appealing to management and staff alike.
This process schedules and executes jobs, transactions and data through the hardware and software to meet the agreed service levels. It monitors the progress of work against the schedule and takes corrective actions (based on the one through ninety day schedule defined in production and distribution scheduling).
This process markets services to business partners and identifies needs for future services. This includes the sale of products, resources or services developed and/or owned by IT. This process also provides an interface among IT and the business to facilitate the understanding of expectations and to help and guide them in realizing future needs and expectations.
Which processes are important?
All IT processes are important. Each process will contribute to the effective management and performance of IT. However, if it is examined from the perspective of the business, depending on the environment and demands, many of these processes important contribution to the firm’s critical success. For example, application development is typically considered most visible to developing competitive and strategic advantage. The project management related processes are essential processes that enable the completion of application development. Strategy, architecture and the planning processes further enable IT to manage, anticipate and assemble technologies and methodologies to assure a stable and continuously improving IT environment.
Security and Recovery Planning have gained greater status because of the new threats to the stability of systems. Vendor management has also increased in importance, as many firms are outsourcing many of their activities. These processes are prominent because the business can see direct linkages between the activity of these processes and the activity of the business. Does this reduce the importance of the remaining processes?
If the remaining processes are not focused, often because they are done well, so they tend to be taken for granted. These processes would be creating great attention if they were done poorly. For example, if change control, problem control, or asset management will fail, there will be financial consequences and they will indirectly affect the production processes. If the production processes are affected, the business will suffer and the processes will be noticed.
Like business processes, IT processes should be assessed based on their relative importance (e.g., impact to the critical success factors of the business) and their relative effectiveness (e.g., good, fair, poor). Hence, processes that are critical to the success of the business and in poor condition should be improved first. On the other hand, those processes which are not critical to the success of the business and in relatively good condition can be left unchanged.
How much resource will be applied to each of these processes?
The amount of resources that are applied to each process varies greatly by the relative importance and complexity of the process. Of the 38 IT processes that were discussed in this chapter, there are 21 processes that were placed in the operational level. These processes account for more than 60% of the activity within Information Technology, but fewer than 40% of IT staff work on operational activities. What enables IT to use fewer people in this area can be explained by the proliferation of many automated processes and tools that assist IT in maintaining equipment, networks and production applications. A lot of effort was made in the 1980’s and 1990’s to develop scheduling tools, version control systems and library maintenance applications, which make it easier for IT to handle operations with minimal staff.
The bulk of IT staff is centered on application development and other planning tasks associated in the tactical layer. Historically, it was easy to establish funding for hiring and maintaining staff that were supporting new business projects and applications. This too is changing, as IT has been applying new ways to increase the productivity of the individual programmers and analysts. In the past decade, dozens of new Computer Aided Software Engineering (CASE) tools, Rapid Application Development (RAD) methodologies and the introduction of Object-oriented programming languages have all helped in increasing productivity while decreasing staff. Now the focus is in improving the strategic processes and achieving alignment with the business to improve the firm’s bottom line as well as creating strategic and competitive advantage.
What priority should be placed on improving each of these processes?
Improving IT processes can always occur, but is it worth the cost? Over the past several decades, IT has had to manage their organization very closely because their budgets were always tight. This is not a trend that will likely go away. The business will always look to either reduce overhead/costs or spend their money on IT investments that have the best opportunity to be profitable. Making improvements to any IT process requires IT to present a business case. The financial gain must be quantifiable to get support from the business. IT process will require the same cost-benefit analysis that would be needed to establish a new application. An IT process improvement is not unlike any other project needing funding and there needs to be quantifiable results that will justify the expense for the job.
Other IT process frameworks
ITIL (Information Technology Infrastructure Library)
ITIL was a collection of best practices for managing IT operations. Presented as a series of books, it provided a comprehensive set of processes, complete with goals, task checklists and procedures that collectively addressed the work needed to manage IT infrastructure. ITIL was not a standard like ISO 20000, for instance. Instead, it represented a framework and methodology to which existing processes and approaches to IT work could be adapted.
In May 2007, the third version of ITIL was published. Billed as a refresh of v2 and an extension of ITIL framework, ITIL v3 added new processes, developed more of a lifecycle approach to IT Service Management and emphasized the need for IT business integration more. Reflective of the lifecycle approach, ITIL v3 was organized into five books that follow a practical sequence:
- Service Strategy: How to develop a business-driven strategy for IT service management;
- Service Design: How to design a system to support the chosen strategy;
- Service Transition: How to transition the newly designed system to the production environment (in terms of people and processes as well as technology);
- Service Operation: How to support operations in an ongoing fashion
- Continual Service Improvement: How to continue improving processes and operations.
ITIL v3’s lifecycle logic had implications for where to start when tackling IT service improvement. While ITIL v2 had recommended that organizations start with the operations focused Service Support processes, especially Incident and Change Management, ITIL v3 recommended starting with more strategy focused processes such as Demand and Service Level Management. By starting with these customer-facing processes it was anticipated that the business alignment goal would be achieved more effectively.
Figure 2: ITIL Service management lifecycle
ITIL was originally organized into 10 major service management components. Since ITIL is regarded as a framework of best practice guidance for IT services management, each of these components is matched to the corresponding 38 processes. Incident Management, Problem Management, Service Level Management and Availability Management are discussed in Service Level Planning and Management. Configuration Management is described in System Planning. Change Management and Release Management are in Change Control. Capacity Management in ITIL corresponds to Capacity Planning and Management in this classification. Financial Management counterpart is Budget planning and Value Management and Continuity Management counterpart is Business Continuity Planning.
Among the 10 components, the latter 5 can form a roadmap cycle or process flow to deliver a new IT service request. After Service Level Management receives the request, Availability Management analyzes the new service, Capacity Management determines the appropriate capacity needed and IT Service Continuity Management identifies recover necessity. Finally, Service Level Management analyzes all this information and then negotiates services, service levels and costs with the customer.
ISO/IEC 20000 and IT Service Management
As a member of the ISO family, ISO/IEC 20000 is the first international standard for IT service management. Similar to other standardization bodies, the international organization for Standardization (ISO) provides best practices in IT service support and delivery. ISO/IEC 20000 consists of two parts:
- ISO/IEC 20000-1:2005 defines the requirements for an organization to deliver managed IT services of quality.
- ISO/IEC 20000-2:2005, defines the best practices for IT service management processes within the scope of ISO/IEC 20000-1:2005.
ISO/IEC 20000 describes eight IT service management processes focusing on IT service delivery and support. Therefore, ISO/IEC 20000 has been adopted in conjunction with ITIL for a more comprehensive IT service management solution. ISO/IEC 20000 was last updated in 2005
COBIT and IT Governance
Control Objectives for Information and related Technology (COBIT) was first introduced by the Information Systems Audit and Control Association (ISACA) in 1996. The core value of COBIT resides in the best practices in IT management and what it provides to the stakeholders of IT governance. The version 4.1 framework had 34 IT management processes that covered 318 control objectives. Both IT management processes and control objectives are derived from 5 focus areas: strategic alignment, value delivery, resources management, risk management and performance management. COBIT facilitates the evaluation of IT management practices by utilizing quality indicators, measures and scales correspondingly. COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises:
- Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
- IT related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI Etc.
This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator. ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third party references.
Figure 3: Separating Governance and Management
Source: COBIT 5, figure 15. 2012 ISACA.
Source: COBIT 5, figure 16. 2012 ISACA
As depicted in figure 4, there are 5 processes under governance and 32 processes under management.
The GOVERNANCE domain contains five governance processes; within each process, Evaluate, Direct and Monitor (EDM) practices are defined.
The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM). The management domains are broken down to 4 domains namely, Align, Plan, Organize (APO), Build, Acquire and Implement (BAI), Deliver Service and Support (DSS) and finally Monitor, Evaluate and Assess (MEA).
2.1 The ERM framework and risk management
The ERM (Enterprise Risk Management) Framework was developed by the joint force of the Committee of Sponsoring organizations of the Treadway Commission (COSO) and PriceWaterhouseCoopers in 2001. The main purpose of the ERM framework is to help businesses and other entities evaluate and improve their organization’s internal control and risk management enterprise-wide. The framework is also considered as a systematic guideline for regulation compliance such as Sarbanes Oxley and HIPPA. The current version of the ERM framework (also called COSO II) covers 8 processes that are equally important in the scheme of risk management. COSO suggests that each of the risk management processes have to meet their objectives in the domain of strategic, operations, reporting and compliance to ensure enterprise risks can be controlled in a complete yet cohesive body. IT is seriously involved in the ERM processes in the sense that, in today’s business operations, a great deal of financial reporting and internal auditing are being performed by IT. One can hardly separate IT from day-to-day internal control activities. It requires full alignment between business and IT to, on one hand, effectively leverage IT in risk management processes and, on the other hand, embed risk management mechanisms in IT processes. On May 14 2013, COSO released an updated version that integrated with SOX compliance requirements. COSO is supported by five supporting organizations, including the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA) and Financial Executives International (FEI).
Figure 5: COSO cube
Source: Adapted from
The figure above shows that for an organization to develop a strong culture of internal controls, they need to deal with the five layers of enterprise risk management starting with the control environment. The organization must develop a risk assessment, controls activities, information and communication and finally monitoring activities. The five areas can be applied at the entity level, division, operating unit including a single function. The internal controls will help deliver effective and efficient operations, reporting and compliance.
2.2 SOA and the supporting initiatives
After years of leveraging information, some organizations have built many IT applications during different periods. Each has different purposes with varying functions and services. A framework is required to integrate these application silos. Service Oriented Architecture (SOA) is defined by IBM as a business-centric IT architectural approach that supports integrating your business as linked, repeatable business tasks, or services. With the Smart SOA approach, you can find value at every stage of the SOA continuum, from departmental projects to enterprise-wide initiatives. Service Oriented Architecture (SOA) is neither an international standard nor a management framework, but rather an architecture for IT service design. The core idea behind SOA is the transformation of IT management from a function-based approach to a service-based approach, where the functionalities of IT are grouped into atomic services. Services are the mechanism by which business needs and capabilities are brought together, integrated. Under SOA, IT services are designed to be independent in terms of system platforms, applications and different programming languages. To do that, a standard service description language is required (e.g. WSDL; Web Services Description Language) so that the services can be found and called by systems or applications from service pools in the network space. SOA also requires brokerage mechanisms by which the matching and mashing-up between IT services are made possible. Finally, IT services can interact with each other based on predefined behavioral patterns (e.g. process orchestration) to perform business tasks in common (Luftman, 2012).
2.3 Capability maturity model integration (CMMI)
The Capability Maturity Model Integration combines three main process improvement models:
- Product and Service Development (CMMI-DEV)
- Service Management, Establishment and Delivery (CMMI-SVC)
- Product and Service Acquisition (CMMI-ACQ)
There is also a People CMM model designed to help service organizations improve the management of their workforce. The CMMI was developed by the Software Engineering Institute with input from government and industry experts. There are five maturity levels with 16 core process areas that appear in all three main models (plus additional process areas that only appear in one or two of the three so-called constellations.) Examples of core process areas include Requirements Management, Project Planning, Measurement and Analysis, Configuration Management, Risk Management and Organizational Training. To measure their proficiency within CMMI process areas, organizations may periodically undergo formal appraisals that ultimately result in a level rating. The results of the appraisal process are then used by the organization to plan improvement efforts. CMMI v1.3 was released in 2010.
Figure 6: Overlapping Models
The above figure shows the organizational level reached on the Y axis and IT focus on the X axis. COBIT covers the whole organization at the management and executive levels. ISO 20000 focusses on tasks and IT management and deals with what to be accomplished. CMMI focusses on task and management levels and deals with how to accomplish the process.
2.4 IT process practices in Kenya
Leading organizations including TelCo and banks have implemented an array of IT process frameworks. Safari.com the leading TelCo has implemented SOA from TibCo. SOA at Safari.com has helped integrated the multiple silos of applications to a common enterprise service bus that feeds data to all applications from a central point. This has helped reduce complexity. Safari.com has also implemented IT service management tools for service desk and business service management (BSM) tools for systems management. In particular, bot HP Business Application Centre (BAC) for monitoring the whole IT infrastructure and BMC Remedy for managing IT service desk. In the future both these tools from HP and BMC will be integrated to a single framework called the business service management (BSM) tool aligned to ISO 20000. Safari.com is one of the first organizations to roll out BSM as they mature their business-IT alignment strategies.
Equity, KCB, Co-operative, DTB Commercial Bank of Africa (CBA) banks have all rolled a semblance of business service management tools. Equity is running a mixture of BMC and HP business service management tools in alignment with ISO 20000. KCB is running a mixture of HP and IBM Tivoli service management tools. DTB is running mostly on HP OpenView IT service management tools CBA is running mostly on HP OpenView IT service management tools. Co-operative bank is in the process of implementing a holistic business service management tools from BMC. The bank is currently utilizing CA UniCenter service desk and other disparate network management tools including Oracle enterprise manager. Co-operative bank has also implemented a SOA enterprise architecture based on TibCo.
As can be seen from the above practices, each of the leading organizations is different stage of implementing on the frameworks at varying maturity levels. The frameworks mostly implemented are based on ITIL and the ISO 20000. COBIT has not been adopted quite well in Kenya as there no good skills here on this very comprehensive framework. Some leading consulting companies including the big 4 are starting to help organizations implement COBIT. This will be achieved by a combined effort of training and coaching and this will take time. As these frameworks are implemented successfully, there will be a shift in the maturity of IT-business strategic alignment maturity. This will lead to better business performance by leveraging on IT and organizations obtaining the requisite value from IT. By implementing these IT process frameworks, the organization are improving the overall IT governance which includes the five dimensions on value delivery, performance measurement, resource management, risk management and strategic alignment.
- A. Marquis. Finishing Off IT, MIT Sloan Management Review. Cambridge: Summer 2006. Vol. 47, Iss. 4; p. 12.
- Cartlidge A. and Hanna A. and Rudd C. and Macfarlane I. and Windebank J. and Rance S., (2007), An Introductory Overview of ITIL V3, itSMF Ltd, Version 1.0
- Contingency Planning Research, Inc. Retrieved from com
- Dataquest/Gartner Group. retrieved from www.gartner.com
- Devenuti, R. (2008), OGC’s Best Practice Users: Testimonials and Case Studies, Best Management Practices
- Gartner Group. retrieved from www.gartner.com
- IBM ebook , (2008), IT Governance, United Business Media LLC.
- ISACA COBIT by Information Systems Audit and Controls Association (ISACA). Retrieved from org/COBIT
- Johnson, B., (2007), ITIL process success: Get people on your side, SearchCIO.com
- Lange, L., (2007). Why ITIL Rules, Smart Enterprise, United Business Media
- Liang, W-Y, The Analytical Hierarchy Process in Project Evaluation: A RandD. Case Study in Taiwan
- Longo, T., Hass, K., Cannon D.,(2008) “ITIL, Business Analysis and the Enterprise Requirements Hierarchy”, HP Education Services
- Luftman, J., Managing Information Technology Resources 3rdedition, 2012.
- Lutchen, M, (2005), Managing IT as a business. A survival guide for CEO’s, McGRAW-HILL
- McManus, M.,(2007), ITIL: Change Is Gonna Do You Good, IT Business Edge
- Meta Group retrieved from http://www.meta-group.com/
- Metzler, J., (2006) “The Movement to Implement ITIL”, IT Impact Brief, Issue 10.
- Michael Croy and Diane J. Laux, Are We Willing to Take That Risk: 10 Questions Every Executive Should Ask About Business Continuity, iUniverse 2008.
- OGC, (2007), Official Introduction to ITIL Service Lifecycle, Stationery Office Books
- Ritala, J., (2007), ITIL benefits and challenges, FIERCECIO
- Spalding, G. “ITILv3WhatsNew1“, Pink Elephant Presentation in Asia, July 2007
- Steinberg, R., (2007) What_Is_ITIL (Executive_Overview), Migration Technology
- Stoddard, J,(2005),”AIS implements ITIL best practices with IBM IT Service Management solutions“, IBM
- Trivedi, Rasesh, White Paper services architecture. Retrieved from rcgit.com/company/whitepaper/WebServicesArchitectureModelsWPv1.pdf
- Uppal, K. B., AACE International Transactions, Morgantown, 2004, PM31 – PM38