IT Process Practices in Kenya

IT processes are the functions and duties that Information Technology (IT) performs. These activities include development and maintenance of applications, supporting infrastructure (e.g., hardware, systems software and networks) as well as managing human resources. All of these activities depend on one another to some degree. Information Technology process management is the practice of ensuring that the IT organization serves the needs of the business in a systematic manner so that good performance of the enterprise is guaranteed. It is a set of practices and procedures brought together in unison to ensure IT alignment with business needs. Some widely acknowledged and used IT process frameworks for making IT efficient and effective are Control Objectives for Information and related Technology (COBIT), IT Service Management (ITSM), the IT Infrastructure Library (ITIL) and ISO 38500.


Introduction
IT processes are the strategic, tactical and operational activities/tasks that IT performs. The types of such processes, the amount of resources devoted to them and the total number of employees involved might vary from one firm to another based on the scale and the emphasis of that firm. Whether you are a Global 1,000 organization, or you are managing a single PC at home, there is always some set of processes to be managed properly. Organizations around the world have realised that IT can help transform an organization's business performance. More and more organizations are leveraging IT to bring about innovative ways of competing in the industry. IT is being seen as an enabler and driver of business. Some organizations have been employing proven IT process frameworks to help align IT with business for improved business performance. Some of the most popular IT process frameworks that have been touted as helping make IT efficient and effective are Control Objectives for Information and related Technology (COBIT), IT Service Management (ITSM), the IT Infrastructure Library (ITIL) and ISO 38500.

Project planning
The project planning process defines technically feasible and manageable projects that will reflect the enterprise's strategic goals and direction; it translates all the plans into manageable projects.

Service Level Planning and Management
The service level planning process defines and negotiates individual service agreements using the service volume forecasts and service charge rates established by the service marketing planning process.

ITIL (Information Technology Infrastructure Library) Counterpart Incident Management
An incident is a deviation from the expected standard operation of a system or service. When it needs to be managed, it becomes a service request and needs to be handled as soon as possible. Incident Management is an enterprise-wide process which influences system availability and continuity. The general steps for Incident Management are detection, investigation, diagnosis, resolution, recovery, recording and classification.

Problem Management
A problem is a condition that is defined or identified from one or more incidents exhibiting common symptoms for which the cause is unknown. It is different from the definition of a known error which is a condition identified by the successful diagnosis of the root cause of a problem. Problem Management improves stability and reduces downtime in IT services by identifying and removing errors in IT infrastructure.

Service Level Management
Service Level Management is a primary vehicle for communication with the business partners and it ensures the arrangements between internal IT Support Providers and external suppliers.

Availability Management
The primary objective of this process is to optimize the accessibility of the IT infrastructure, services and supporting organization. It enables the delivery of a cost-effective and sustainable level of accessibility that lets the business meet its objectives, ensuring that all of the current and future capacity and performance aspects of the business requirements are provided effectively. Availability is critical because, for an IT operation running 24 hours per day (365 days per year), a decimal place can mean a great deal. An availability of 99% means 3.7 days of cumulative unplanned downtime per year and an availability of 90% means more than one month's downtime. Even an availability of 99.99% means 53 minutes of downtime a year, which may seriously influence customer experience.
The total availability of multiple components in series is the product of the availability of each component. Five components in series, each 98 percent available, have a combined availability of 90 percent; that is significantly less than the availability of any single component. In other words, combining components in series decreases overall availability, and it does not take many components to place the entire service at risk. If the five components are placed in parallel, the overall availability is 99.99999968%. Three components can provide high redundancy efficiently. However, more than three components do not significantly increase the availability.
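The series and parallel figures above can be reproduced and extended with a short calculation. This is an added example, not part of the original article; it assumes component failures are independent and a 365-day year, and the function names are hypothetical.

```python
"""Availability arithmetic for components in series and in parallel.

Added illustration: assumes independent component failures and a
365-day year of 24-hour operation. All names here are hypothetical.
"""
from math import prod

HOURS_PER_YEAR = 365 * 24


def series(availabilities):
    """Every component must be up: multiply the availabilities."""
    return prod(availabilities)


def parallel(availabilities):
    """One working component suffices: 1 - product of unavailabilities."""
    return 1.0 - prod(1.0 - a for a in availabilities)


def downtime_hours(availability):
    """Expected cumulative downtime per year, in hours."""
    return (1.0 - availability) * HOURS_PER_YEAR


def redundancy_table(component, max_replicas):
    """Rows of (copies, availability, yearly downtime in hours, hours of
    downtime saved by the most recently added copy)."""
    rows = []
    previous = None
    for n in range(1, max_replicas + 1):
        a = parallel([component] * n)
        down = downtime_hours(a)
        saved = None if previous is None else previous - down
        rows.append((n, a, down, saved))
        previous = down
    return rows


def replicas_needed(component, target):
    """Smallest number of parallel copies that reaches the target."""
    if not 0.0 < component < 1.0 or not 0.0 <= target < 1.0:
        raise ValueError("availabilities must lie between 0 and 1")
    n = 1
    while parallel([component] * n) < target:
        n += 1
    return n


if __name__ == "__main__":
    print(f"five 98% components in series: {series([0.98] * 5):.4%}")
    print(f"copies of a 98% component for 99.99%: "
          f"{replicas_needed(0.98, 0.9999)}")
    for n, a, down, saved in redundancy_table(0.98, 5):
        gain = "" if saved is None else f", saves {saved:.4f} h/year"
        print(f"{n} in parallel: {a:.10%}, {down:.4f} h/year down{gain}")
    # A five-tier chain in which each tier is a redundant pair.
    tier = parallel([0.98, 0.98])
    print(f"five redundant-pair tiers in series: {series([tier] * 5):.4%}")
```

The table makes the diminishing return visible: the second copy removes most of the yearly downtime, the third removes a few hours more, and later copies change the result by minutes or less.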

Business Continuity Planning
The Business Continuity Planning process works towards a way to ensure continuation of business operations in the case of failure or disaster. Since many companies still have problems with IT business continuity, it is critical for companies to prepare solutions for the possible risks in advance.

ITIL (Information Technology Infrastructure Library) Counterpart Continuity Management
Continuity Management is a systematic approach to the creation of a plan and/or procedures (which are regularly updated and tested) to prevent, cope with and recover from the loss of critical services for extended periods. It ensures that the required IT technical and services facilities can be recovered within the required, agreed time scale.

Security Planning and Management
The security planning process builds an overall plan to ensure that agreed levels of security for systems and services are met.

Audit Planning and Management
The audit planning process builds an overall plan to ensure that the agreed levels of audit and compliance for systems, applications, services and laws will continue to be met. The Enterprise Risk Management (ERM) processes are in focus here. Migration of information to electronic forms increases storage volume exponentially and therefore there is a need for transformation in information management. Physical space is no longer the limiting factor. In the repository, electronic records are organized by application type rather than by content, which is what traditional record retention is based on. The records carry different degrees of risk for a company. For example, archived data related to criminal investigations has a higher level of risk than that related to consumer class actions. Even records similar in risk can differ in evidence handling.

Capacity Planning And Management
The capacity planning process uses a forecast of loaded demand from new projects or from the evolution of existing services; this process defines how system resources support the demand.

ITIL (Information Technology Infrastructure Library) Counterpart Capacity Management
Capacity management ensures that IT infrastructure is delivered at the right service performance and in an efficient manner to meet the business requirements. Capacity can be divided into business capacity, service capacity and resource capacity. There have been numerous examples of companies experiencing infrastructure capacity preparedness problems. These include Delta Air Lines in advertising new discount fares and incentives to book online tickets; Red Cross in supporting the tsunami relief effort; Amazon in pre-Christmas volumes; Walgreen in pre-Christmas volumes; and Hallmark in Valentine's Day online requests. These examples of lost business due to system overload should teach IT and business executives to ensure they have an appropriate capacity planning process in place. There is always a gap between the current capacity and the future demand for a system's service. Insufficient capacity may lead to loss of business opportunity, while excessive capacity means wasted resources and excessive costs. A balance between capacity and cost needs to be found for each individual organization to identify the appropriate Economic Order Point (EOP) (Luftman, 2012).

Skills Planning and Management
The skills planning process uses the requirements identified in the project and service plans to define the human resources to meet the enterprise needs to compete in this tactical time horizon. Skills can be obtained from existing staff by applying their current expertise or through training of existing staff, hiring new staff, outsourcing or acquiring a new organization. The process also needs to identify education plans for existing staff that would enable the enterprise to meet skill requirements in the near future.

Budget Planning and Value Management
The budget planning process converts individual plans into financial terms and identifies how funds will be obtained and allocated.

ITIL (Information Technology Infrastructure Library) Counterpart Financial Management
Financial Management for IT is the process that ensures that IT related software and hardware are obtained at an effective price and ensures that the organization understands the total cost of their IT services.

Vendor Planning and Management
The vendor planning and management process deals with the companies that are providing outsourcing, hardware and software. It must also measure and monitor performance against the Service Level Agreements (SLAs) and contracts to determine if any corrective action is necessary.

Management Systems Planning and Monitoring
The management systems planning process uses the strategic plans and an assessment of the existing IT plan to define a new prioritized portfolio of projects and plans. It improves the management systems through a project management approach.

International Journal of Management Science And Business Administration, Vol. 1, No. 7, June 2015, pp. 48-59. ISSN 1849-5664 (online), ISSN 1849-5419 (print). http://researchleap.com/category/international-journal-of-management-science-and-business-administration

Tuning and system balancing
This process tunes the systems resources to ensure proper performance of individuals or groups of resources within the framework of a project. This process includes periodic regression testing to ensure that new changes have not caused undesired performance results in existing resources.

Financial Performance
This process applies service rates to systems resources to determine total costs applicable to individual business units (including IT), accumulates these costs, charges the individual user organization (where appropriate) and matches against the budget. The process also includes maintaining contractual agreements for project work, hardware and software leasing and other supportive efforts.

Education and Training
This process educates business and IT personnel on Information Technology related topics through job training or formal education.

Staff Performance
This process tracks staff performance and reports productivity.

Hiring and Retention
This process focuses on the activities necessary to acquire and maintain an effective, motivated and competent workforce to enable Information Technology to meet the needs of the business. Most large IT organizations will have their own Human Resource unit to work with them. This process is successful if the policies and practices of the firm are sound, fair and appealing to management and staff alike.

Production
This process schedules and executes jobs, transactions and data through the hardware and software to meet the agreed service levels. It monitors the progress of work against the schedule and takes corrective actions (based on the one through ninety day schedule defined in production and distribution scheduling).

Service marketing
This process markets services to business partners and identifies needs for future services. This includes the sale of products, resources or services developed and/or owned by IT. This process also provides an interface between IT and the business to facilitate the understanding of expectations and to help and guide them in realizing future needs and expectations.

Which processes are important?
All IT processes are important. Each process will contribute to the effective management and performance of IT. However, if it is examined from the perspective of the business, depending on the environment and demands, many of these processes make an important contribution to the firm's critical success. For example, application development is typically considered most visible in developing competitive and strategic advantage. The project management related processes are essential processes that enable the completion of application development. Strategy, architecture and the planning processes further enable IT to manage, anticipate and assemble technologies and methodologies to assure a stable and continuously improving IT environment.
Security and Recovery Planning have gained greater status because of the new threats to the stability of systems. Vendor management has also increased in importance, as many firms are outsourcing many of their activities. These processes are prominent because the business can see direct linkages between the activity of these processes and the activity of the business. Does this reduce the importance of the remaining processes?
The remaining processes are often not in focus because they are done well, so they tend to be taken for granted. These processes would attract great attention if they were done poorly. For example, if change control, problem control, or asset management fails, there will be financial consequences and the production processes will be indirectly affected. If the production processes are affected, the business will suffer and the processes will be noticed. Like business processes, IT processes should be assessed based on their relative importance (e.g., impact on the critical success factors of the business) and their relative effectiveness (e.g., good, fair, poor). Hence, processes that are critical to the success of the business and in poor condition should be improved first. On the other hand, those processes which are not critical to the success of the business and in relatively good condition can be left unchanged.
How much resource will be applied to each of these processes?
The amount of resources applied to each process varies greatly with the relative importance and complexity of the process. Of the 38 IT processes that were discussed in this chapter, there are 21 processes that were placed in the operational level. These processes account for more than 60% of the activity within Information Technology, but fewer than 40% of IT staff work on operational activities. What enables IT to use fewer people in this area is the proliferation of automated processes and tools that assist IT in maintaining equipment, networks and production applications. A lot of effort was made in the 1980s and 1990s to develop scheduling tools, version control systems and library maintenance applications, which make it easier for IT to handle operations with minimal staff.
The bulk of IT staff is centered on application development and other planning tasks associated with the tactical layer. Historically, it was easy to establish funding for hiring and maintaining staff that were supporting new business projects and applications. This too is changing, as IT has been applying new ways to increase the productivity of individual programmers and analysts. In the past decade, dozens of new Computer Aided Software Engineering (CASE) tools, Rapid Application Development (RAD) methodologies and the introduction of object-oriented programming languages have all helped in increasing productivity while decreasing staff. Now the focus is on improving the strategic processes and achieving alignment with the business to improve the firm's bottom line as well as creating strategic and competitive advantage.
What priority should be placed on improving each of these processes?
Improving IT processes can always occur, but is it worth the cost? Over the past several decades, IT has had to manage its organization very closely because its budgets were always tight. This is not a trend that will likely go away. The business will always look to either reduce overhead/costs or spend its money on IT investments that have the best opportunity to be profitable. Making improvements to any IT process requires IT to present a business case. The financial gain must be quantifiable to get support from the business. An IT process improvement will require the same cost-benefit analysis that would be needed to establish a new application. It is not unlike any other project needing funding, and there need to be quantifiable results that will justify the expense for the job.

Other IT process frameworks

ITIL (Information Technology Infrastructure Library)
ITIL was a collection of best practices for managing IT operations. Presented as a series of books, it provided a comprehensive set of processes, complete with goals, task checklists and procedures that collectively addressed the work needed to manage IT infrastructure. ITIL was not a standard like ISO 20000, for instance. Instead, it represented a framework and methodology to which existing processes and approaches to IT work could be adapted.
In May 2007, the third version of ITIL was published. Billed as a refresh of v2 and an extension of the ITIL framework, ITIL v3 added new processes, developed more of a lifecycle approach to IT Service Management and placed more emphasis on the need for IT business integration. Reflecting the lifecycle approach, ITIL v3 was organized into five books that follow a practical sequence:
- Service Strategy: How to develop a business-driven strategy for IT service management;
- Service Design: How to design a system to support the chosen strategy;
- Service Transition: How to transition the newly designed system to the production environment (in terms of people and processes as well as technology);
- Service Operation: How to support operations in an ongoing fashion;
- Continual Service Improvement: How to continue improving processes and operations.
ITIL v3's lifecycle logic had implications for where to start when tackling IT service improvement. While ITIL v2 had recommended that organizations start with the operations-focused Service Support processes, especially Incident and Change Management, ITIL v3 recommended starting with more strategy-focused processes such as Demand and Service Level Management. By starting with these customer-facing processes it was anticipated that the business alignment goal would be achieved more effectively.
Among the 10 components, the latter 5 can form a roadmap cycle or process flow to deliver a new IT service request. After Service Level Management receives the request, Availability Management analyzes the new service, Capacity Management determines the appropriate capacity needed and IT Service Continuity Management identifies recovery needs. Finally, Service Level Management analyzes all this information and then negotiates services, service levels and costs with the customer.

ISO/IEC 20000 and IT Service Management
As a member of the ISO family, ISO/IEC 20000 is the first international standard for IT service management. Similar to other standardization bodies, the International Organization for Standardization (ISO) provides best practices in IT service support and delivery. ISO/IEC 20000 consists of two parts:
This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator. ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third party references.
management processes have to meet their objectives in the domain of strategic, operations, reporting and compliance to ensure enterprise risks can be controlled in a complete yet cohesive body. IT is seriously involved in the ERM processes in the sense that, in today's business operations, a great deal of financial reporting and internal auditing is being performed by IT. One can hardly separate IT from day-to-day internal control activities. It requires full alignment between business and IT to, on one hand, effectively leverage IT in risk management processes and, on the other hand, embed risk management mechanisms in IT processes. On May 14, 2013, COSO released an updated version that integrated with SOX compliance requirements. COSO is supported by five supporting organizations, including the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA) and Financial Executives International (FEI).

Figure 2-4 COSO cube
Source: Adapted from http://www.coso.org/documents
The figure above shows that for an organization to develop a strong culture of internal controls, it needs to deal with the five layers of enterprise risk management, starting with the control environment. The organization must then develop risk assessment, control activities, information and communication and finally monitoring activities. The five areas can be applied at the entity, division or operating unit level, including a single function. The internal controls will help deliver effective and efficient operations, reporting and compliance.

SOA and the supporting initiatives
After years of leveraging information, some organizations have built many IT applications during different periods. Each has different purposes with varying functions and services. A framework is required to integrate these application silos. Service Oriented Architecture (SOA) is defined by IBM as a business-centric IT architectural approach that supports integrating your business as linked, repeatable business tasks, or services. With the Smart SOA approach, you can find value at every stage of the SOA continuum, from departmental projects to enterprise-wide initiatives. Service Oriented Architecture (SOA) is neither an international standard nor a management framework, but rather an architecture for IT service design. The core idea behind SOA is the transformation of IT management from a function-based approach to a service-based approach, where the functionalities of IT are grouped into atomic services. Services are the mechanism by which business needs and capabilities are brought together and integrated. Under SOA, IT services are designed to be independent of system platforms, applications and programming languages. To do that, a standard service description language is required (e.g. WSDL; Web Services Description Language) so that the services can be found and called by systems or applications from service pools in the network space. SOA also requires brokerage mechanisms by which the matching and mashing-up between IT services are made possible. Finally, IT services can interact with each other based on predefined behavioral patterns (e.g. process orchestration) to perform business tasks in common (Luftman, 2012).
There is also a People CMM model designed to help service organizations improve the management of their workforce. The CMMI was developed by the Software Engineering Institute with input from government and industry experts.
There are five maturity levels with 16 core process areas that appear in all three main models (plus additional process areas that only appear in one or two of the three so-called constellations.) Examples of core process areas include Requirements Management, Project Planning, Measurement and Analysis, Configuration Management, Risk Management and Organizational Training. To measure their proficiency within CMMI process areas, organizations may periodically undergo formal appraisals that ultimately result in a level rating. The results of the appraisal process are then used by the organization to plan improvement efforts. CMMI v1.3 was released in 2010.

Figure 2-5 Overlapping Models
The above figure shows the organizational level reached on the Y axis and IT focus on the X axis. COBIT covers the whole organization at the management and executive levels. ISO 20000 focusses on tasks and IT management and deals with what is to be accomplished. CMMI focusses on task and management levels and deals with how to accomplish the process.

IT process practices in Kenya
Leading organizations including TelCo and banks have implemented an array of IT process frameworks. Safari.com, the leading TelCo, has implemented SOA from TibCo. SOA at Safari.com has helped integrate the multiple silos of applications into a common enterprise service bus that feeds data to all applications from a central point. This has helped reduce complexity. Safari.com has also implemented IT service management tools for the service desk and business service management (BSM) tools for systems management. In particular, it uses both HP Business Application Centre (BAC) for monitoring the whole IT infrastructure and BMC Remedy for managing the IT service desk. In the future both these tools from HP and BMC will be integrated into a single framework called the business service management (BSM) tool aligned to ISO 20000. Safari.com is one of the first organizations to roll out BSM as they mature their business-IT alignment strategies.
Equity, KCB, Co-operative, DTB and Commercial Bank of Africa (CBA) banks have all rolled out a semblance of business service management tools. Equity is running a mixture of BMC and HP business service management tools in alignment with ISO 20000. KCB is running a mixture of HP and IBM Tivoli service management tools. DTB is running mostly on HP OpenView IT service management tools. CBA is running mostly on HP OpenView IT service management tools. Co-operative bank is in the process of implementing holistic business service management tools from BMC. The bank is currently utilizing CA UniCenter service desk and other disparate network management tools including Oracle enterprise manager. Co-operative bank has also implemented a SOA enterprise architecture based on TibCo.
As can be seen from the above practices, each of the leading organizations is at a different stage of implementing the frameworks, at varying maturity levels. The frameworks mostly implemented are based on ITIL and ISO 20000. COBIT has not been adopted quite well in Kenya as there are no good skills here on this very comprehensive framework. Some leading consulting companies including the big 4 are starting to help organizations implement COBIT. This will be achieved by a combined effort of training and coaching and this will take time. As these frameworks are implemented successfully, there will be a shift in the maturity of IT-business strategic alignment. This will lead to better business performance through leveraging IT and to organizations obtaining the requisite value from IT. By implementing these IT process frameworks, the organizations are improving overall IT governance, which includes the five dimensions of value delivery, performance measurement, resource management, risk management and strategic alignment.