How to Increase Business Value by Changing Your Approach to IT Process Management

Many financial startups are currently developing in the Western market. Raising the maturity level of IT processes in line with international standards not only gives the business an IT department it can understand, but also increases the value of the company if a sale is planned. I am ready to share my experience of organizing the work of the IT department in a financial company, which led to an increase in its value upon sale.

A little about myself: I started my career as a programmer, and after 5 years of work I decided to change my activity and went to work for an insurance company as a manager, where over time I became an IT director, having worked there for a total of 11 years.

I joined the company quite early, just a few years after its launch. At that time, the company was already in a stable growth phase, and the business was facing challenges of scaling, getting a reliable picture of IT costs, and protecting against risks and cyber threats.

I will describe the approach to organizing IT service management processes, but I will not touch upon the tools with which this can be done. The text may also contain terms in English. This is because the company belonged to foreign shareholders who aimed to build a company with mature processes, so I initially created all documents in English and translated them as required by Russian legislation.

Business needs from IT after the startup stage

Since the company had already passed the formation stage and was at the growth stage, it needed the ability to adapt to a changing market, and an IT management system had to be built to support the company's growth.

In addition, there were internal needs of the IT department. When I arrived, all the IT documentation consisted of a dozen instructions for the systems in use, neatly filed in a folder on a shared disk. As the company developed and processes became more complex, it became obvious that it was difficult to navigate the set of instructions. The following questions also arose:

  • How to make your company's IT department ready for scaling?

  • How to determine which processes can be outsourced and how to manage them?

  • How to organize asset accounting and knowledge base?

  • How to be prepared for audits?

  • How to onboard new personnel?

  • And how to transfer control in case of the bus factor?

IT Service Management Standards

When creating an IT directorate, it is important to consider what frameworks and standards can be used as a guide in your work. At that time, I was considering the IT service management (ITSM) frameworks COBIT and ITIL.

COBIT (Control Objectives for Information and Related Technologies) is known as an “umbrella framework” that provides a comprehensive approach to IT governance and management. It focuses on aligning IT objectives with business objectives and ensuring effective risk management and control. However, COBIT does not provide detailed guidance on how to implement processes.

ITIL (Information Technology Infrastructure Library) is a set of best practices for IT service management. The third edition (ITIL v3) states that it helps organizations manage IT based on the business objectives of the company through the introduction of a business service management process. The process includes IT asset inventory, end-to-end management, business process definition, and dynamic service binding to the infrastructure.

Although COBIT focuses on linking IT to business objectives, I first needed to build the IT management processes themselves. ITIL 3rd Edition provides practices and also provides a link between business and IT, so I settled on it.

Stages of ITSM implementation

Service Development Strategy

The first stage of the service lifecycle is strategy development, which includes creating an IT service catalog and developing service level agreements (SLAs).

Who can I get experience from in compiling a catalog of IT services?

Professionals organize their work best – these are outsourcers. A short search led to the Catalog of IT services of the non-profit partnership “ASTRA”, which included the largest outsourcers of the Russian Federation. I am writing in the past tense, because I am not sure that the partnership exists in the same form now. For the partnership, the prerequisite for the creation of an industry document was the community's desire to unify the approach to the services provided. Since the Catalog was developed by outsourcers, the word Customer is used in it, but this does not prevent it from being used as a basis for developing internal documentation, understanding that Customers are business units of the company.

The model described in the catalog is built on a hierarchical structure, where business services are represented at the top level, technical services supporting them are in the middle, and configuration elements are located at the bottom.

Business IT services are tied to business processes and may include a variety of technical services. This is the presentation level for top management; it contains requirements and takes stakeholders into account.

At this level, services that are important for business can be divided into separate categories:

The level below this is Technical Services, which describes the details of the services provided with reference to all supporting components of the IT infrastructure. This level is used by IT management, and at this layer you can define:

  • who is responsible

  • the level of service provision based on the underlying services provided, for example, by external providers

  • measured parameters

  • composition of configuration elements

  • service characteristics

Configuration elements describe the activities that underpin the daily work of IT professionals. This level should provide the ability to select a set of services that will allow for defining responsibilities for different aspects of an IT service between internal IT departments and different third-party IT service providers.

As an example, we can take the provision of telephone services:

  • For the finance department, this is one service that can be taken into account in aggregate.

  • For IT management, this service includes the provision of mobile and office communications.

  • For specialists at this level, activities and instructions for performing their work are presented.

In this way, it is possible to detail the IT service and responsibility for it down to the level of the service object and, if necessary, to a separate type of activity that can be outsourced.

Service design

This stage includes the development of policies, architectures, documentation and the development of a plan to manage them through quality metrics.

Ensuring the quality of services provided

According to ITIL v3, the definition of approaches to ensuring the quality of IT services is included in the design stage. To control the quality of service provision, an evaluation system is created. IT management should focus on what the business expects:

During the service design process the following should be defined:

  • what is subject to measurement

  • what metrics to use

  • how to use measurement results to demonstrate achievements

Quality indicators:

  • Availability of service

  • Time to solve the problem

  • SLA Violation Rate

  • User/Customer Satisfaction

You can also introduce other metrics, such as cost per contact, first-call resolution rate, etc., depending on the service, context, and requirements.

To achieve the specified quality indicators, activities can be divided into proactive and reactive.

Also, when creating a technical support business process, it is important to consider the following:

  • Requests related to information security should be assigned the highest priority (you've probably come across articles where even large companies ignore requests about discovered vulnerabilities).

  • It is necessary to set up a process for reminding about unclosed requests (it is unpleasant for everyone when they have to contact you several times).

  • It is necessary to provide for an escalation process (employees must clearly understand the boundaries of their competence).

Business catalog of IT services

For the company, I have compiled the following list of IT services for business:

  • Technical support management (single point of contact).

  • Management of user workstations – ensuring and supporting the operability of workstation equipment and software.

  • Server hardware management – installation, configuration, etc.

  • Management of data storage and backup systems.

  • Management of data transmission networks – LAN, WAN.

  • Management of telephony and videoconferencing systems – office and mobile communications, as well as support for webinars.

  • Management of printing and copying.

  • Management of the email system.

  • Management of corporate systems (1C, CIS, ECM).

  • Management of company websites.

  • Engineering infrastructure management.

  • Monitoring infrastructure and services.

  • Information security management (including personal data protection).

  • Business Continuity Management.

This list formed the basis of the regulations on the IT department, so the company received a list of the IT department's areas of activity.

As part of the Capacity management activity, I divided the areas of activity into 3 categories based on the volume of work performed and the competencies that can be allocated to the IT departments:

  • Support Department – responsible for basic infrastructure services, which includes almost the entire range of services performed by administrators and technical support staff.

  • Development Department – headed by the project manager, responsible for development.

  • Information Security Department – the information security and business continuity manager is responsible.

This is where the complexity of combining roles in small companies arises, which can cause a conflict of interest. Usually, the IS department reports directly to the company's CEO or shareholders, but in our company only the strategy was defined at the shareholder level, so I was responsible for its implementation with the involvement of IS experts and outsourcers, because the amount of knowledge hidden behind the strategy was quite large.

Information Security Management

To manage information security in the company, it was decided to adhere to the ISO 27001 standard, which provides a framework for the creation, implementation, maintenance and continuous improvement of the Information security management system (ISMS).

Information Security Policies

The work on implementing the ISMS took more than one year, and the goal was to bring some of the processes to a level of maturity at which the process is documented, has an owner and a scope of application, and is used in most departments of the organization.

I will simply list the policies that have been put in place and that affect all aspects of the organization's operations:

ISMS Organization
Management of IS Specifications
IT-System and Network Operations
Cloud Security
Cryptography
HR Security
Identity and Access Management
Information Classification
IS Compliance
IS Incident Management and Response
IT Asset Management
Mobile Security
Physical Security
Procurement and Provider Management
Secure Software Development
Secure Use of Information and IT

Additional activities

As part of IT department management, we also have to deal with additional things, such as PCI DSS certification and issues of personal data protection under Federal Law No. 152. These activities fit perfectly into the information security management service.

Under PCI DSS, we received a certificate as E-commerce (SAQ A-EP). The standard defines requirements for processes, infrastructure and the site, and also requires ASV scanning, which allowed us to increase the level of security of the company's resources.

According to 152-FZ, certain policies and processes were also introduced that needed to be supported. I will leave this topic without details, since companies from the Russian Federation should already be well acquainted with the requirements and processes.

At the time of the introduction of the GDPR, which is extraterritorial, an assessment of its applicability and an assessment of the necessary improvements were carried out.

Business Continuity Management

Business continuity management (BCM), as well as the implementation of ISMS, is part of the implementation of a risk-oriented approach.

The business continuity management policy according to ISO 22301 declares the need to introduce 3 lines of defense in the form of the roles of the process owner, risk manager and auditors, as well as the following activities:

  • Business impact analysis, risk assessment.

  • Business recovery plan (BRP), which is formed based on the analysis conducted.

  • Test plan for various scenarios and training calendar.

All activities are based on a risk-oriented approach, that is, on the probability and degree of risk, which allows us to exclude irrelevant activities.

Service transformation stage

At this stage, additional policies and processes are introduced:

  • change management

  • release management

  • configuration management

  • service validation and testing

  • knowledge management

There is an overlap here with the requirements of ISO 27001.

Related processes

It is important to take into account that the services provided do not exist in isolation but are linked to processes, which themselves take time to run and have their own requirements.

Asset management

A company's IT assets consist of physical equipment and software licenses. For accounting, specialized programs must be used and regular inventory must be conducted. What is noteworthy is that ITIL v3 also allows services to be considered assets.

Knowledge base management

Employees need a knowledge base to document the architecture and to store instructions and the specifics of the supported systems.

Reporting procedures

It is necessary to be able to generate and save different reports depending on the recipients. For example, auditors need to be provided with change reports that indicate who is responsible for the change, the description, the date, and the approval.

Change management policy

A change process must be implemented in the company so that changes are structured and controlled, which minimizes the risk of downtime, reduces the number of incidents and supports compliance with regulatory standards.

Incident management and response policy

The policy defines requirements for processes to minimise the negative impact of incidents and should include the following:

  • Planning and preparation

  • Detection and reporting

  • Screening and decision making

  • Countermeasures

  • Lessons learned

Service Level Management (SLA management)

A process aimed at defining, negotiating, agreeing, monitoring and reporting the level of IT services provided to customers.

Operation of services

The service portfolio has been compiled, instructions have been created, the team has been assembled, what next? The fourth stage of the IT service life cycle is operational activity. The result of the service operation stage is the provision of high-quality IT services that meet the needs of the business and its customers. Effective and efficient IT service management allows organizations to ensure that IT services are in line with the business strategy and provide value to customers.

Continuous improvement of services

According to ITIL v3, the fifth stage of the service lifecycle is Continuous Service Improvement (CSI), which aims to identify and implement improvements to IT services to improve efficiency, effectiveness and business value. The CSI stage includes the following activities:

  • Defining a development strategy (to focus only on relevant services)

  • Defining metrics and key performance indicators

  • Collecting and analyzing data to identify trends, patterns, and areas for improvement

  • Presenting analyzed data and recommendations to stakeholders

  • Implementing improvements

  • Monitoring the effectiveness of implemented changes

The outcome of the CSI phase is the continuous improvement of IT services and processes in line with the changing needs of the business and its customers. By identifying areas for improvement and implementing changes, organizations can ensure that their IT services deliver value to the business and are aligned with its strategies and objectives.

Planning the manager's workload

Not only do policies need to be implemented, they also need to be regularly reviewed to adapt to changing legislation, standards and the market. There are also additional processes, such as risk assessment, audit and closure of deficiencies, DRP testing, Business Impact Analysis, BCM Risk Assessment, archiving to the Central Bank, etc.

Understanding what activities exist allows us to plan our workload in such a way that we don't have to do anything in a rush. This allowed us to create a plan for the year, which describes which activity should take place in which month.

Increasing the level of process maturity

After an IT service catalog is implemented, a complete picture emerges of what services the IT department provides and what processes underlie them, and metrics can be defined for each of the processes. This makes it possible to create a roadmap for increasing the maturity level of IT processes.

The Challenges of Managing Policies in International Companies

In the process of implementing policies, there are intersections of requirements under different standards and different legislation. For example, the requirements of ISO 27001 and FSTEC for encryption or the procedure for notifying regulatory authorities in the event of information security incidents differ (yes, there are certain requirements for banks and insurance companies to notify government agencies).

In this case, a List of non-conformities is compiled, which records the requirements that cannot be fulfilled, with local legislation taking priority. This list is approved at the level of the group of companies.

What can a manager do to increase the value of a company?

Determine what needs to be achieved with ITSM and how it aligns with business goals.

Assess the organization's current IT service management practices and understand where to start.

Create a strategy that outlines the steps needed to move from the current state to the desired state using ITSM. Put the plan into action and deploy the adapted ITSM processes across the organization. This may require training staff on new processes and technologies.

The key to ITSM is continuous improvement. Continuously measure and monitor the performance of IT services and processes, and use feedback to identify areas for further improvement.

Encourage collaboration and communication between IT teams and other departments to ensure alignment and maximum business value from IT services.

Consult with external experts when needed. Consider engaging consultants or ITSM experts who can provide guidance and support throughout the implementation process.

Results

For the company

[In a stuffy corporate style]

The IT department became ready for scaling and introducing new processes and systems; engineers received a description of their responsibilities and a list of supported systems; and it became possible to introduce metrics for management. The business also received the opportunity to allocate both entire areas and specific services for outsourcing with the ability to control them.

The main benefit of ITIL v3 is that it enables a company to get the most out of its IT investments. It enables it to increase innovation and business value by leveraging the full potential of the technology and the expertise of its IT professionals.

The benefits of such a combination for IT structures are that IT professionals play a more complete and satisfying role in the company's operations. Moreover, their authority and value to the company grows, as management begins to perceive the IT department as a structure that creates and increases business value.

The benefits for the company's management include closer relationships with IT structures and a better understanding of the capabilities of IT structures to use technology for business development. Through active interaction with IT structures, the company's management can implement new business processes that increase the competitiveness of their company.

For shareholders

Increasing the maturity level of processes increases the value of the company regardless of the business valuation methodology. The company successfully continues its activities after the sale, providing high-quality services to clients with a conscious contribution from the IT staff.

For me

Over 11 years of work I have gained experience as:

  • systems analyst when modeling information systems,

  • business analyst in business process modeling according to BABOK,

  • project manager in managing international Agile development teams,

  • security officer during the implementation of an information security system.

I also find the experience of working with people from different countries valuable. Management approaches are defined by standards, but the culture is different. The most important thing is the exchange of experience.

I am very grateful to my managers who created a very comfortable environment within the company and gave me the opportunity to learn so many new things. I still consider this company my second family.

After the company was sold, I saw no growth opportunities for myself, so I decided to try my hand in the international market, albeit in a different role. All the work was gradually transferred, so I can say with confidence that the quality will not suffer. And I still enjoy communicating with my colleagues.
