Taking a page from ITIL's best practices

A 44-volume set of guidelines published by the British government 12 years ago may forever change the way IT is managed

In the 1970s, when the American auto industry found itself under attack by leaner, hungrier Japanese competitors, it fought back by adopting some of the very production processes the Japanese had pioneered. Using techniques such as statistical process control, quality circles, just-in-time inventory management, total quality management, lean manufacturing, and Six Sigma, the industry focused on improving how its people worked and how its processes operated. For example, workers were encouraged to stop the assembly line when anything went wrong so the process could be fixed permanently, rather than simply scrapping rejects at the end of the line.

Today, American IT organizations are at a similar crossroads, facing challenges from offshore outsourcers and from internal financial pressures. In response, they’re stealing a page from their global competitors’ playbooks -- a process framework developed in the United Kingdom called ITIL, or IT Infrastructure Library.

Like the CMM (Capabilities Maturity Model) for application development, ITIL is a set of best practices and standard methodologies for core IT operational processes such as change, release, and configuration management; incident and problem management; capacity and availability management; and financial management for IT. Although the datacenter is ITIL’s primary target, its best-practices templates apply across almost every IT environment, from the service desk to the corporate desktop.

ITIL adoption is growing like a weed. Four years ago, ITIL was already in high gear in Europe, but almost no one in the United States had heard of it. Today a rapidly growing North American industry of consultants, conferences, and training resources is spreading the ITIL gospel and helping customers implement it. “We can’t keep up with the demand from organizations like the big airlines, government departments, and banks and insurance companies,” says David Ratcliffe, CEO of Pink Elephant, an ITIL consultancy based in Toronto.

“It’s spreading like wildfire across large U.S. companies,” says Kathryn Pizzo, a group program manager at Microsoft’s consulting division. That growth raises some interesting big-picture questions about the future of IT: Could ITIL, with its concept of a CMDB (centralized configuration management database), be the catalyst for the widespread realization of utility computing? And will success with ITIL hinge more on automating processes, as vendors would like us to believe, or on getting human beings to work more efficiently?

Playing catch-up

In a sense, ITIL is nothing more than a reincarnation of the stringent management processes that evolved in the mainframe world before the proliferation of PCs, client-server, and Web-based architectures made those operational disciplines seem anachronistic.

So why is ITIL taking hold in the U.S. now after being virtually ignored for years? For one thing, its two biggest benefits -- improving service and reducing costs -- are right in line with the new marching orders IT organizations got when the economy slowed down in 2001. “It’s really about moving from being technology-centric to being services-centric,” says Regina Kershner, director of IT service management at HP Services.

Second, corporate mergers and outsourcing have made it more important for IT shops to speak the same process language. “ITIL provides a common language so you can work more effectively with your outsourcers for end-to-end service delivery,” Gartner Research Director Steve Bittinger says. Bittinger thinks that ITIL was slower to take off in the U.S. because American corporate culture is more entrepreneurial and less process-oriented than Europe’s.

Finally, the sheer scale and complexity of today’s IT operations -- including the need to have a better handle on IT processes in order to conform to standards such as COBIT (Control Objectives for Information and Related Technologies) -- demand the replacement of cobbled-together, homegrown processes with standardized, disciplined ones based on ITIL.

39FEit_ch.gif
Click for larger view.

Nationwide Mutual Insurance Company, one of the early U.S. adopters of ITIL, is a case in point. In 2001, Nationwide revaluated its IT operations processes and realized they desperately needed overhauling. Incident and change management were major pain points. Poor communication and fragmented “tribal knowledge” were widespread. “It was borderline crisis,” explains Doug LeMaster, director of IT program management. “Processes were ad hoc [and] customer expectations weren’t being met.”

After re-engineering key processes based on the ITIL framework, Nationwide saw major improvements in systems availability, Nationwide’s IT Process Officer Jack Probst says, estimating that downtime decreased by 50,000 user minutes. What ITIL did, he explains, was help standardize the language, process, and workflow of key operations. “ITIL provided the behavioral disciplines necessary to make it happen,” Probst says.

Getting started with ITIL

At its core, the ITIL framework is a set of 44 books originally published by the British government’s Stationery Office between 1989 and 1992 -- available on the IT Service Management Forum’s Web site -- each dealing with a different operational process. The framework can be implemented in stages and most experts recommend a phased deployment (see “Nationwide Drinks the ITIL Kool-Aid”).

Many companies have also turned to larger consulting organizations such as HP Services and IBM Global Services to provide training and packaged ITIL offerings, including suggested workflows, to help customers quickly get up to speed. These consultants also provide needs assessments and benchmarking to help customers determine how they’re doing. “There are no metrics police in ITIL, no independent British government-sponsored metrics for how good you are,” notes Pink Elephant’s Ratcliffe. But there is an official, all-or-nothing ITIL certification process called BS 15000, overseen by the British Standards Institute.

Once committed to the ITIL framework, companies must decide which technologies will best support their process re-engineering road map. Despite ubiquitous vendor claims of “ITIL compliance” and “ITIL compatibility,” the framework is technologically agnostic -- it stops short of prescribing technology standards. In fact, a basic level of ITIL can be implemented with almost any technology, even spreadsheets and -- believe it or not -- paper. “There’s no rocket science here,” says Ram Duraiswamy, vice president of IT Governance Strategies at Mercury Interactive.

Microsoft’s Pizzo concurs: “It’s about the processes, not the products. For example, whether they have any communication mechanisms in place in the datacenter to alert all the stakeholders that a change is in the pipeline, what the approval stage is, etc.,” she explains, emphasizing that you “don’t necessarily need to buy anything.”

Nonetheless, vendors have plenty to sell. In an attempt to ride the wave, they are building the ITIL taxonomies, workflows, and language into their products and reference models, while touting pre-built integration as an ITIL enabler. Microsoft, for example, has created the MOF (Microsoft Operations Framework), its own ITIL adaptation, and IBM and HP have similar schemes. “Our angle is to bundle these processes in with our tools and products, instead of expecting people to do stand-alone process improvement projects,” Pizzo says. In theory, an MOF deployment could automatically catch an error in Exchange Server, generate a trouble ticket, and automatically transfer that ticket to a Remedy help desk system.

But customers say they’re far from achieving full ITIL automation. “There isn’t just one tool that does it all,” Don McGinnis, an IT staff manager at State Farm Insurance says. State Farm implemented several ITIL processes using a variety of tools, including HP OpenView Service Desk, HP Network Node Manager, and a legacy mainframe automation tool called CA-OPS/MVS.

But McGinnis wishes there was a single tool, citing incident management as an example. “With incidents, you try to recover whatever’s not running, then go to a review group that looks at it from a problem management point of view and digs down into the root cause,” he explains. “Then you go into change once you’ve identified the problem, schedule it, get agreement, and then pass it on to release. That’s how they all work together, that’s why you need the tool. … The more ITIL processes you can put under one tool, the better off you’re going to be.”

Nationwide’s Probst recommends assessing your current and desired processes before selecting tools, as some do better than others at supporting the nuts and bolts of industry-specific, highly customized business processes. “If you select the tool before you have your processes down, you’re hosed,” he says.

CMDB: The black belt of ITIL

Unlike Six Sigma, ITIL doesn’t have a “black belt”-level designation for its most advanced practitioners. But if it did, it might very well go to those organizations that have successfully implemented ITIL’s configuration process utilizing a tool called the CMDB (configuration management database).

The CMDB, which the ITIL framework describes only conceptually, is a comprehensive master database describing all IT infrastructure components in a given environment and how they relate to each other, who owns them, what incidents are related to them, and so on. In its most sophisticated incarnation, a CMDB is similar to what a nerve center might look like for truly autonomous utility computing.

“It’s a big undertaking,” says John Long, Technical Strategist at IBM Tivoli’s Technical Strategy Organization. “Companies have to start small and then begin to link in lots of related data that they may already have.” Numerous vendors offer pieces of the puzzle, including traditional systems management vendors (CA, HP, IBM), traditional service desk vendors (Remedy, Peregrine), and smaller, niche companies, including Austin, Texas-based Troux Technologies and London-based Tideway Systems.

Vendors are leading the push to automate pieces of CMDB functionality, including asset discovery and inventory management. “Once you identify an event that spawns an incident, you want your infrastructure to begin reacting to that; there’s an automated workflow that should be there,” IBM’s Long says. “Most customers focus on the human workflow ... but increasingly they’re seeing the need for a more autonomic approach for solving incidents.”

Tim Howes, CTO of Opsware, agrees. “If you try to build a CMDB by hand, you end up with some pretty serious problems in terms of information accuracy. ITIL does a good job of flushing out each of the processes, but it doesn’t define a way to enforce the process, to ensure that the systems and information on which those processes depend are accurate and up to date,” Howes says.

Peregrine Systems Vice President of Product Marketing Craig Macdonald thinks ITIL configuration and change management processes should be built around a single integrated technology platform to avoid ad hoc workflow customization and to enable closed-loop capabilities that would go beyond the ITIL specifications, such as auditing of changes after they’ve been made.

“Change management tends to be very cross-functional in nature, requiring very complex workflows [and] approval processes,” Macdonald says. “When you start requiring customization to the workflows that come out of the box with many vendor products including our own, you’re adding complexity. What companies tried to do in the late ’90s and early 2000s was take out-of-the-box change management solutions and integrate them with other technologies to create a more robust process. But many such implementations failed,” he adds.

Larger vendors worry that ITIL will create a standard framework that would encourage shopping for best of breed vendor components instead of bundled solutions. “ITIL tends to help the smaller guys,” says Opsware’s Howes. “You take away the proprietary advantage that IBM has, all [its] different technologies that implement the processes you need. If you have a standardized process it’s easier to mix and match.”

Some vendors are hoping that the standards authorities who control ITIL -- namely the British Office of Government Commerce -- will get more specific about how to implement it. “We often wonder about how the ITIL standards are going to evolve,” says Mercury Interactive’s Duraiswamy. “Most of it is still at 10,000 feet and above. They leave a lot to interpretation.”

Copyright © 2004 IDG Communications, Inc.