Monday, March 14, 2011

Frameworks for IT Management

In the next few years, the transition from fee-for-service to accountable care organizations/global payments is going to require significant IT change at a time when budgets will become increasingly constrained. We'll have the combination of Meaningful Use Stages 1/2/3, ICD10/5010, and healthcare reform all occurring at the same time.

IT organizations will be required to demonstrate their value, benchmark themselves against best practices, and justify their actions.

There are numerous frameworks that can support a standardized approach to project scope definition, resource allocation, and service provision.

Although you may not use these techniques now, you should be familiar with them as the pressure increases to absorb increasing demand in the face of decreasing supply.

Here's a brief overview of 3 leading frameworks.

Information Technology Infrastructure Library (ITIL)
ITIL grew out of work done by the UK Government's Central Computer and Telecommunications Agency in the 1980s to document best practices. Since then, ITIL has had 3 major revisions, and the current version consists of 26 processes and functions documented in 5 volumes.
1. ITIL Service Strategy
2. ITIL Service Design
3. ITIL Service Transition
4. ITIL Service Operation
5. ITIL Continual Service Improvement

The primary focus of ITIL is to provide best practice definitions and criteria for operations management. As with any framework, there is significant debate about the pros and cons of ITIL. As long as you keep in mind that ITIL is a set of best practices, to be adopted and adapted as best fits your local needs, it can be useful. ITIL does not aim to be comprehensive and universal - use it where it helps maintain your ongoing services.

Control Objectives for Information and related Technology (COBIT)
COBIT was first released in 1996 by the Information Systems Audit and Control Association (ISACA) and IT Governance Institute (ITGI). COBIT has been used to evaluate security and controls during various audits of my IT organizations. The current version of COBIT has 34 high-level processes, covering 318 control objectives, categorized in four domains:
1. Planning and Organization
2. Acquisition and Implementation
3. Delivery and Support
4. Monitoring and Evaluation

COBIT focuses on the definition, implementation, auditing, measurement, and improvement of controls for specific processes that span the entire IT implementation life cycle.

Capability Maturity Model (CMM)
CMM was originally developed by Carnegie Mellon University researchers as a tool for objectively assessing the ability of government contractors to perform a contracted software project. Now it is applied more generally to any organization's software development processes. The predictability, effectiveness, and control of an organization's software development processes evolve over time through 5 stages:

1. Initial (chaotic, ad hoc, individual heroics) - the starting point for use of a new process.
2. Managed - the process is managed in accordance with agreed metrics.
3. Defined - the process is defined/confirmed as a standard business process.
4. Quantitatively managed
5. Optimizing - process management includes deliberate process optimization/improvement.

CMM provides a framework for measuring and transforming software development.

What's the elevator speech about these various techniques? They are complementary frameworks. COBIT systematically chronicles a checklist of all the things that an IT organization ought to be doing to implement appropriate controls and security. ITIL explains how. CMM measures the sophistication of the processes used along the way.

I'm very interested in hearing from the community - do your IT organizations use any aspect of these frameworks? Have they been helpful to you to document the resource requirements of the IT organization and give users a transparent look into the work you perform?


Matt said...


I recently gave my CIO a presentation on the frameworks in the hope of generating some support for them in my organization.

I feel that I may end up investing a lot of my future into implementing the frameworks in healthcare settings.

I would love to share my presentation with you - it is very much in-line with what you already stated, but you may find it helpful and you may have feedback.

Can I email it to you?


Alex I said...

I've been involved in several CMM and CMMI assessments. The CMM has subsequently been replaced by the CMMI, which incorporates many of the ideas of ISO 15504, but also retains the benefits of the CMM. I think it was a way to make it more globally accepted. Level 2 is a good project management layer. Level 3 became more granular with the CMMI focus. It's all good.

Kevin Rosenjack said...


I think we might be interested in posing the same question to you. Are you using aspects of these frameworks within your own organizations and have they been a benefit?

We struggle with the same 'black box' type criticisms as many other organizations. Currently we are headed down the ITIL path with an emphasis on Service Support and Service Delivery but it is far too early to have any significant insight.


Anonymous said...

As CIO at the last health system I worked at (11 hospitals) I spent 3 focused years implementing ITIL with my team (350+). We used a variant of the CMM to rank the ITIL processes and demonstrate improvement. ITIL is not a panacea but it is a very useful framework for improving and standardizing IT processes. Like any major endeavor it will require the passion of the CIO and a strong team who will hold each other accountable through the adoption journey. I believe it is well worth it. Now that I have returned to consulting we are working with multiple clients helping them begin their ITIL journey and many are seeing demonstrable benefits in the first 3 months. I absolutely believe health care IT is going to need a framework like ITIL to defend the expense and process and supporting our massively complex systems in a health reformed reality.

Matthew C said...

John -
Great intro! As a consultant myself, I just used these three same frameworks with a client CFO for the exact same discussion (e.g. the huge amount of change they needed to prepare for in IT).

He said something about it being "alphabet soup", to which I replied, "Exactly... but you wouldn't hire an accountant who didn't know GAAP, would you?"

Heather Deane Strickland said...


I am the Strategist for the Infrastructure and Operations group of a large, regional Integrated Delivery Network in Western Michigan. We are nearly four years* into our Service Management journey, in which we have applied five major frameworks, three of which you mentioned: ITIL, COBIT, and CMM**; we have also applied Lean***, and ISO/IEC 20000. Both Lean and ISO/IEC 20000 have helped us prioritize and focus our service management efforts – a critical success factor for a large organization to make sense of five books of guidance, as well as to be allowed the privilege of continuing the service management journey for any length of time.****

ISO/IEC 20000 is making the most significant contribution to our focus, although the analytical tools and the “continuous improvement” mindset available in the Quality frameworks are very useful, as well. We are using the 15 pages of “Shall” statements in Part 1 of the ISO/IEC 20000 Specification***** to help us sift through the five-ish inches of ITIL V3 guidance, allowing us to target precious resources in the areas that can best help us improve our ability to provide well-aligned, value-providing Services to our Customers.

The other comment I would make is that, unless you keep your Customers at the center of your attention, regardless of the framework(s) you apply, you risk being out-of-touch with your organization, rather than a Strategic Partner that is helping your organization meet the myriad of significant challenges you mentioned.

Thanks for starting this valuable dialog,


*We have been on this journey much longer, if you count the many years of dabbling/failing we spent before we developed a comprehensive Service Management strategy in 2007.

**We use the IT Service CMM® flavor of Capability Maturity Model.

***Six Sigma or any of the other Quality Management frameworks could be substituted just as easily for Lean, which we use because our clinical areas do.

****How many failed ITIL efforts have you heard of?

*****The other parts of the Standard are also very helpful: Part 2: Code of Practice,
Part 3: Guidance on Scope & Applicability,
Part 4: Process Reference Model,
Part 5: Exemplar Implementation Plan.

Michael said...

Thank you John (and my fellow commenters) for insight into these frameworks.

I'm wondering how you, or your readers, would fit an Enterprise Architecture practice such as TOGAF into this list of frameworks. Is EA a sibling framework offering equal capabilities, a "child" framework providing tools to realize some of the capabilities of a broader framework, or perhaps a parent framework?


Jason said...

I work for a health enterprise with about 20 hospitals and over 1M insurance members. We have aspects of all of these in our organization, but not a consistent application of them. COBIT is most used by our Internal Audit Department, CMMI is occasionally used for application development, and ITIL is used for Infrastructure Services. Having all these similar (yet slightly different) frameworks has given me a new love of a unified approach somewhat offered (but not operational enough) by something like HITRUST. Love the blog by the way, great educational tool for me.

Unknown said...

Excellent post, John. Very interested in learning more about IT management frameworks. This is definitely an industry that will continue to evolve over the next few years.

- Jim
AlphaPoint Technology