Harness Configuration Management Superpowers

Create a configuration management practice that will provide ongoing value to the organization.

EXECUTIVE BRIEF

Analyst Perspective

A robust configuration management database (CMDB) can provide value to the business and superpowers to IT. It's time to invest smartly to reap the rewards.

IT environments are becoming more and more complex, and balancing demands for stability and demands for faster change requires visibility to make the right decisions. IT needs to know their environment intimately. They need to understand dependencies and integrations and feel confident they are making decisions with the most current and accurate view.

Solutions for managing operations rely on the CMDB to bring visibility to issues, calculate impact, and use predictive analytics to fix performance issues before they become major incidents. AIOps solutions need accurate data, but they can also help identify configuration drift and flag changes or anomalies that need investigation.

The days of relying entirely on manual entry and updates are all but gone, as the functionality of a robust configuration management system requires daily updates to provide value. We used to rely on that one hero to make sure information was up to date, but with the volume of changes we see in most environments today, it's time to improve the process and provide superpowers to the entire IT department.

Sandi Conrad, ITIL Managing Professional
Principal Research Director, IT Infrastructure & Operations, Info-Tech Research Group

Executive Summary

Your Challenge

• Build a configuration management database (CMDB): You need to implement a CMDB, populate it with records and relationships, and integrate it with discovery and management tools.
• Identify the benefits of a CMDB: Too many CMDB projects fail because IT tries to collect everything. Base your data model on the desired use cases.
• Define roles and responsibilities: Keeping data accurate and updated is difficult. Identify who will be responsible for helping

Common Obstacles

• Significant process maturity is required: Service configuration management (SCM) requires high maturity in change management, IT asset management, and service catalog practices.
• Large investment: Building a CMDB takes a large amount of effort, process, and expertise.
• Tough business case: Configuration management doesn't directly provide value to the business, but it requires a lot of investment from IT.

Info-Tech's Approach

• Define your scope and objectives: Identify the use cases for SCM and prioritize those objectives into phases.
• Design the CMDB data model: Align with your existing configuration management system's data model.
• Operationalize configuration record updates: Integrate your SCM practice with existing practices and lifecycles.

Start small

Scope creep is a serial killer of configuration management databases and service configuration management practices.

Insight summary

Many vendors are taking a CMDB-first approach to enable IT operations or sometimes asset management. It's important to ensure processes are in place immediately to ensure the data doesn't go stale as additional modules and features are activated.

Define processes early to ensure success

The right mindset is just as important as the right tools. By involving everyone early, you can ensure the right data is captured and validated and you can make maintenance part of the culture. This is critical to reaching early and continual value with a CMDB.

Identify use cases

The initial use case will be the driving force behind the first assessment of return on investment (ROI). If ROI can be realized early, momentum will increase, and the team can build on the initial successes.

If you don't see value in the first year, momentum diminishes and it's possible the project will never see value.

Keep the initial scope small and focused

Discovery can collect a lot of data quickly, and it's possible to be completely overwhelmed early in the process.

Build expertise and troubleshoot issues with a smaller scope, then build out the process.

Minimize customizations

Most CMDBs have classes and attributes defined as defaults. Use of the defaults will enable easier implementation and faster time to value, especially where automations and integrations depend on standard terms for field mapping.

Automate as much as possible

In large, complex environments, the data can quickly become unmanageable. Use automation as much as possible for discovery, dependency mapping, validation, and alerts. Minimize the amount of manual work but ensure everyone is aware of where and how these manual updates need to happen to see continual value.

Configuration management will improve functionality of all surrounding processes

A well-functioning CMDB empowers almost all other IT management and governance practices.

Service configuration management is about:

• Building a system of record about IT services and the components that support those services.
• Continuously reconciling and validating information to ensure data accuracy.
• Ensuring the data lifecycle is defined and well understood and can pass data and process audits.
• Accessing information in a variety of ways to effectively serve IT and the business.

Configuration management most closely impacts these practices

Info-Tech Research Group sees a clear relationship.

When an IT department reports they are highly effective at configuration management, they are much more likely to report they are highly effective at these management and governance processes:

The data is clear

Service configuration management is about more than just doing change management more effectively.

Source: Info-Tech Research Group, IT Management and Governance Diagnostic; N=684 organizations, 2019 to July 2022.

Make the case to use configuration management to improve IT operations

Consider the impact of access to data for informing innovations, optimization efforts, and risk assessments.

75% of Uptime's 2021 survey respondents who had an outage in the past three years said the outage would have been prevented if they'd had better management or processes.(1)

It doesn't have to be that way!

Enterprise-grade IT service management (ITSM) tools require a CMDB for the different modules to work together and to enable IT operations management (ITOM), providing greater visibility.

Decisions about changes can be made with accurate data, not guesses.

The CMDB can give the service desk fast access to helpful information about the impacted components, including a history of similar incidents and resolutions and the relationship between the impacted components and other systems and components.

Turn your team into IT superheroes.

CMDB data makes it easier for IT Ops groups to:

• Avoid change collisions.
• Eliminate poor changes due to lack of visibility into complex systems.
• Identify problematic equipment.
• Troubleshoot incidents.
• Expand the services provided by tier 1 and through automation.

Benefits of configuration management

For IT

• Configuration management will supercharge processes that have relied on inherent knowledge of the IT environment to make decisions.
• IT will more quickly analyze and understand issues and will be positioned to improve and automate issue identification and resolution.
• Increase confidence and reduce risks for decisions involving release and change management with access to accurate data, regardless of the complexity of the environment.
• Reduce or eliminate unplanned work related to poor outcomes due to decisions made with incorrect or incomplete data.

For the Business

• Improve strategic planning for business initiatives involving IT solutions, which may include integrations, development, or security concerns.
• More quickly deploy new solutions or updates due to visibility into complex environments.
• Enable business outcomes with reliable and stable IT systems.
• Reduce disruptions caused by planning without accurate data and improve resolution times for service interruptions.
• Improve access to reporting for budgeting, showbacks, and chargebacks as well as performance metrics.

Measure the value of this blueprint

Fast-track your planning and increase the success of a configuration management program with this blueprint

"The workshop was well run, with good facilitation, and gained participation from even the most difficult parts of the audience. The best part of the experience was that if I were to find myself in the same position in the future, I would repeat the workshop."

– University of Exeter

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between 8 to 12 calls over the course of 4 to 9 months.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Configuration Management Project Charter

Detail your approach to building an SCM practice and a CMDB.

Use Cases and Data Worksheet

Capture the action items related to your SCM implementation project.

Configuration Manager Job Description

Use our template for a job posting or internal job description.

Configuration Management Diagram Template Library

Use these diagrams to simplify building your SOP.

Configuration Management Policy

Set expectations for configuration control.

Configuration Management Audit and Validation Checklist

Use this framework to validate controls.

Configuration Control Board Charter

Define the board's responsibilities and meeting protocols.

Key deliverable:

Configuration Management Standard Operating Procedures Template

Outlines SCM roles and responsibilities, the CMDB data model, when records are expected to change, and configuration baselines.

Phase 1

Configuration Management Strategy

This phase will walk you through the following aspects of a configuration management system:

• Scope
• Use Cases
• Reports and Analytics

This phase involves the following participants:

• IT and business service owners
• Business/customer relationship managers
• Enterprise architects
• Practice owners and managers
• SCM practice manager
• SCM project manager
• SCM project sponsor

Harness Service Configuration Management Superpowers

Establish clear definitions

Ensure everyone is using the same terms.

What is a configuration management database (CMDB)?

The CMDB is a system of record of your services and includes a record for everything you need to track to effectively manage your IT services.

Anything that is tracked in your CMDB is called a configuration item (CI). Examples of CIs include:

• User-Facing Services
• IT-Facing Services
• Business Capabilities
• Relationships
• IT Infrastructure Components
• Enterprise Software
• End-User Devices
• Documents

Other systems of record can refer to CIs, such as:

• Ticket database: Tickets can refer to which CI is impacted by an incident or provided as part of a service request.
• Asset management database (AMDB): An IT asset is often also a CI. By associating asset records with CI records, you can leverage your IT asset data in your reporting.
• Financial systems: If done well, the CMDB can supercharge your IT financial cost model.

CMDBs can allow you to:

• Query multiple databases simultaneously (so long as you have the CI name field in each database).
• Build automated workflows and chatbots that interact with data across multiple databases.
• More effectively identify the potential impact of changes and releases.

Do not confuse asset with configuration

Asset and configuration management look at the same world through different lenses

• IT asset management (ITAM) tends to focus on each IT asset in its own right: assignment or ownership, lifecycle, and related financial obligations and entitlements.
• Configuration management is focused on configuration items (CIs) that must be managed to deliver a service and the relationships and integrations with other CIs.
• ITAM and configuration management teams and practices should work closely together. Though asset and configuration management focus on different outcomes, they may use overlapping tools and data sets. Each practice, when working effectively, can strengthen the other.
• Many objects will exist in both the CMDB and AMDB, and the data on those shared objects will need to be kept in sync.

*Discovery, dependency mapping, and data normalization are often features or modules of configuration management, asset management, or IT service management tools.

Start with ITIL 4 guiding principles to make your configuration management project valuable and realistic

Focus on where CMDB data will provide value and ensure the cost of bringing that data in will be reasonable for its purpose. Your end goal should be not just to build a CMDB but to use a CMDB to manage workload and workflows and manage services appropriately.

ITIL 4 guiding principles as described by AXELOS

Step 1.1

Identify use cases and desired benefits for service configuration management

Activities

1.1.1 Brainstorm data collection challenges

1.1.2 Define goals and how you plan to meet them

1.1.3 Brainstorm and prioritize use cases

1.1.4 Identify the data needed to reach your goals

1.1.5 Record required data sources

This step will walk you through the following aspects of a configuration management system:

• Scope
• Use cases

This phase involves the following participants:

• IT and business service owners
• Business/customer relationship managers
• Enterprise architects
• Practice owners and managers
• SCM practice manager
• Project sponsor
• Project manager

Identify potential obstacles in your organization to building and maintaining a CMDB

Often, we see multiple unsuccessful attempts to build out a CMDB, with teams eventually losing faith and going back to spreadsheets. These are common obstacles:

• Significant manual data collection, which is rarely current and fully accurate.
• Multiple discovery solutions creating duplicate records, with no clear path to deduplicate records.
• Manual dependency mapping that isn't accurate because it's not regularly assessed and updated.
• Hybrid cloud and on-premises environment with discovery solutions only partially collecting as the right discovery and dependency mapping solutions aren't in place.
• Dynamic environments (virtual, cloud, or containers) that may exist for a very short time, but no one knows how they should be managed.
• Lack of expertise to maintain and update the CMDB or lack of an assigned owner for the CMDB. If no one owns the process and is assigned as a steward of data, it will not be maintained.
• Database that was designed with other purposes in mind and is heavily customized, making it difficult to use and maintain.

Understanding the challenges to accessing and maintaining quality data will help define the risks created through lack of quality data.

This knowledge can drive buy-in to create a configuration management practice that benefits the organization.

1.1.1 Brainstorm data collection challenges

Involve stakeholders.
Allot 45 minutes for this discussion.

1. As a group, brainstorm the challenges you have with data:
2. Accuracy and trustworthiness: What challenges do you have with getting accurate data on IT services and systems?
   1. Access: Where do you have challenges with getting data to people when they need it?
   2. Manually created data: Where are you relying on data that could be automatically collected?
   3. Data integration: Where do you have issues with integrating data from multiple sources?
   4. Impact: What is the result of these challenges?
3. Group together these challenges into similar issues and identify what goals would help overcome them.
4. Record these challenges in the Configuration Management Project Charter, section 1.2: Project Purpose.

Download the Configuration Management Project Charter

Info-Tech Maturity Ladder

Identify your current and target state

INNOVATOR

• Characteristics of business partner
• Integration with orchestration tools

BUSINESS PARTNER

Data collection and validation is fully automated

Integrated with several IT processes

Meets the needs of IT and business use cases

TRUSTED OPERATOR

• Data collection and validation is partially or fully automated
• Trust in data accuracy is high, meets the needs of several IT use cases

FIREFIGHTER

• Data collection is partially or fully automated, validation is ad hoc
• Trust in data accuracy is variable, used for decision making

UNSTABLE

• Ad hoc or manual data collection and verification process
• Trust in data accuracy is low, and data is not easily or commonly used
• A more detailed assessment can be completed using Info-Tech's Configuration Management Audit and Validation Checklist.

INNOVATOR Characteristics of business partner Integration with orchestration tools BUSINESS PARTNER Data collection and validation is fully automated Integrated with several IT processes Meets the needs of IT and business use cases TRUSTED OPERATOR Data collection and validation is partially or fully automated Trust in data accuracy is high, meets the needs of several IT use cases FIREFIGHTER Data collection is partially or fully automated, validation is ad hoc Trust in data accuracy is variable, used for decision making UNSTABLE Ad hoc or manual data collection and verification process Trust in data accuracy is low, and data is not easily or commonly used A more detailed assessment can be completed using Info-Tech's Configuration Management Audit and Validation Checklist.

Define goals for your CMDB to ensure alignment with all stakeholders

• How are business or IT goals being hindered by not having the right data available?
• If the business isn't currently asking for service-based reporting and accountability, start with IT goals. This will help to develop goals that will be most closely aligned to the IT teams' needs and may help incentivize the right behavior in data maintenance.
• Configuration management succeeds by enabling its stakeholders to achieve their outcomes. Set goals for configuration management based on the most important outcomes expected from this project. Ask your stakeholders:
  1. What are the business' or IT's planned transformational initiatives?
  2. What are your highest priority goals?
  3. What should the priorities of the configuration management practice be?
• The answers to these questions will shape your approach to configuration management. Direct input from your leadership and executives, or their delegates, will help ensure you're setting a solid foundation for your practice.
• Identify which obstacles will need to be overcome to meet these goals.

"[T]he CMDB System should be viewed as a 'system of relevance,' rather than a 'single source of truth.' The burdens of relevance are at once less onerous and far more meaningful in terms of action, analysis, and automation. While 'truth' implies something everlasting or at least stable, relevance suggests a far more dynamic universe."

– CMDB Systems, Making Change Work in the Age of Cloud and Agile, Drogseth et al

Identify stakeholders to discuss what they need from a CMDB; business and IT needs will likely differ

Define your audience to determine who the CMDB will serve and invite them to these conversations. The CMDB can aid the business and IT and can be structured to provide dashboards and reports for both.

Nondiscoverable configuration items will need to be created for both audiences to organize CIs in a way that makes sense for all uses.

Integrations with other systems may be required to meet the needs of your audience. Note integrations for future planning.

1.1.2 Define goals and how you plan to meet them

Involve stakeholders.

Allot 45 minutes for this discussion.

As a group, identify current goals for building and using a CMDB.

Why are we doing this?

• How do you hope to use the data within the CMDB?
• What processes will be improved through use of this data and what are the expected outcomes?

How will we improve the process?

• What processes will be put in place to ensure data integrity?
• What tools will be put in place to improve the methods used to collect and maintain data?

Record these goals in the Configuration Management Project Charter, section 1.3: Project Objectives.

It's easy to think that if you build it, they will come, but CMDBs rarely succeed without solid use cases

Set expectations for your organization that defined and fulfilled use cases will factor into prioritization exercises, functional plans, and project milestones to achieve ROI for your efforts.

A good use case:

• Justifies resource allocation
• Gains funding for the right tools
• Builds stakeholder support
• Drives interest and excitement
• Gains support from anyone in a position to help build out and validate the data
• Helps to define success

In the book CMDB Systems, Making Change Work in the Age of Cloud and Agile, authors Drogseth, Sturm, and Twing describe the secrets of success:

A documented evaluation of CMDB System vendors showed that while most "best case" ROI fell between 6 and 9 months for CMDB deployments, one instance delivered ROI for a significant CMDB investment in as little as 2 weeks!

If there's a simple formula for quick time to value for a CMDB System, it's the following:

Mature levels of process awareness
+ Strong executive level support
+ A ready and willing team with strongly supportive stakeholders
+ Clearly defined and ready phase one use case
+ Carefully selected, appropriate technologies

All this = Powerful early-phase CMDB System results

Define and prioritize use cases for how the CMDB will be used to drive value

The CMDB can support several use cases and may require integration with various modules within the ITSM solution and integration with other systems.

Document the use cases that will drive your CMDB to relevance, including the expected benefits for each use case.

Identify the dependencies that will need to be implemented to be successful.

Define "done" so that once data is entered, verified, and mapped, these use cases can be realized.

"Our consulting experience suggests that more than 75% of all strategic initiatives (CMDB or not) fail to meet at least initial expectations across IT organizations. This is often due more to inflated expectations than categorical failure."

– CMDB Systems, Making Change Work in the Age of Cloud and Agile, Drogseth et al.

After identifying use cases, determine the scope of configuration items required to feed the use cases

On-premises software and equipment will be critical to many use cases as the IT team and partners work on network and data-center equipment, enterprise software, and integrations through various means, including APIs and middleware. Real-time and near real-time data collection and validation will ensure IT can act with confidence.

Cloud use can include software as a service (SaaS) solutions as well as infrastructure and platform as a service (IaaS and PaaS), and this may be more challenging for data collection. Tools must be capable of connecting to cloud environments and feeding the information back into the CMDB. Where on-premises and cloud applications show dependencies, you might need to validate data if multiple discovery and dependency mapping solutions are used to get a complete picture. Tagging will be crucial to making sense of the data as it comes into the CMDB.

In-house developed software would be beneficial to have in the CMDB but may require more manual work to identify and classify once discovered. A combination of discovery and tagging may be beneficial to input and classification.

Highly dynamic environments may require data collection through integration with a variety of solutions to manage and record continuous deployment models and verifications, or they may rely on tags and activity logs to record historical activity. Work with a partner who specializes in CI/CD to help architect this use case.

Containers will require an assessment of the level of detail required. Determine if the container is a CI and if the content will be described as attributes. If there is value to your use case to map the contents of each container as separate CIs within the container CI, then you can map to that level of detail, but don't map to that depth unless the use case calls for it.

Internet of Things (IoT) devices and applications will need to match a use case as well. IoT device asset data will be useful to track within an asset database but may have limited value to add to a CMDB. If there are connections between IoT applications and data warehouses, the dependencies should likely be mapped to ensure continued dataflow.

Out of scope

A single source of data is highly beneficial, but don't make it a catchall for items that are not easily stored in a CMDB.

Source code should be stored in a definitive media library (DML). Code can be linked to the CMDB but is generally too big to store in a CMDB and will reduce performance for data retrieval.

Knowledge articles and maintenance checklists are better suited to a knowledge base. They can also be linked to the CDMB if needed but this can get messy where many-to-many relationships between articles and CIs exist.

Fleet (transportation) assets and fixed assets should be in fleet management systems and accounting systems, respectively. Storing these types of data in the CMDB doesn't provide value to the support process.

1.1.3 Brainstorm and prioritize use cases

Which IT practices will you supercharge?

Focus on improving both operations and strategy.

1. Brainstorm the list of relevant use cases. What do you want to do with the data from the CMDB? Consider:
   1. ITSM management and governance practices
   2. IT operations, vendor orchestration, and service integration and management (SIAM) to improve vendor interactions
   3. IT finance and business service reporting needs
2. Identify which use cases are part of your two- to three-year plan, including the purpose for adding configuration data into that process. Prioritize one or two of these use cases to accomplish in your first year.
3. Identify dependencies to manage as part of the solution and define a realistic timeline for implementing integrations, modules, or data sources.
4. Document this table in the Configuration Management Project Charter, section 2.2: Use Cases.

Determine what additional data will be needed to achieve your use cases

Regardless of which use cases you are planning to fulfill with the CMDB, it is critical to not add data and complexity with the plan of resolving every possible inquiry. Ensure the cost and effort of bringing in the data and maintaining it is justified. The complexity of the environment will impact the complexity of data sources and integrations for discovery and dependency mapping.

Before bringing in new data, consider:

• Is this information available in other maintained databases now?
• Will this data be critical for decision making? If it is nice to have or optional, can it be automatically moved into the database and maintained using existing integrations?
• Is there a cost to bringing the data into the CMDB and maintaining it? Is that cost reasonable for its purpose?
• How frequently will this information be accessed, and can it be updated in an adequate cadence to meet these needs?
• When does this information need to be available?

Info-Tech Insight

If data will be used only occasionally upon request, determine if it will be more efficient to maintain it or to retrieve it from the CMDB or another data source as needed.

Remember, within the data sets, service configuration models can be used for:

• Impact analysis
• Cause and effect analysis
• Risk analysis
• Cost allocation
• Availability analysis and planning

1.1.4 Expand your use cases by identifying the data needed to reach your goals

Involve stakeholders.

Allot 60 minutes for this discussion.

Review use cases and their goals.

Identify what data will be required to meet those goals and determine whether it will be mandatory or optional/nice-to-have information.

Identify sources of data for each type of data. Color code or sort.

Italicize data points that can be automatically discovered.

Gain consensus on what information will be manually entered.

Record the data in the Use Cases and Data Worksheet.

Download the Use Cases and Data Worksheet

Use discovery and dependency mapping tools to automatically update the CMDB

Avoid manual data entry whenever possible.

Consider these features when looking at tools:

• Application dependency mapping: Establishing and tracking the relationships and dependencies between system components, applications, and IT services. The ideal tool will be able to generate maps automatically.
• Agentless and agent discovery: Scanning systems with both agent and agentless approaches. Agent-based scanning provides comprehensive information on applications used in individual endpoints, which is helpful in minimizing its IT footprint. However, agents require endpoint access. Agentless-based scanning provides a broader and holistic view of deployed applications without the need to install an agent on end devices, which can be good enough for inventory awareness.
• Data export capability: Easy exporting of application inventory information to be used in reports and other tools.
• Dashboards and chart visualization: Detailed list of the application inventory, including version number, number of users, licenses, deployment location, and other application details. These details will inform decision makers of each application's health and its candidacy for further rationalization activities.
• Customizable scanning scripts: Tailor your application discovery approach by modifying the scripts used to scan your systems.
• Integration with third-party tools: Easy integration with other systems with out-of-the-box plugins or customizable APIs.

Determine which data collection methods will be used to populate the CMDB

The effort-to-value ratio is an important factor in populating a CMDB. Manual efforts require a higher process focus, more intensive data validation, and a constant need to remind team members to act on every change.

• Determine what amount of effort is appropriate for each data grouping and use case. As decisions are made to expand data within the CMDB, the effort-to-value ratio should always factor in. To be usable, data must be accurate, and every piece of data that needs to be manually entered runs the risk of becoming obsolete.
• Identify which data sources will bring in each type of data. Where there is a possibility of duplicate records being created, one of the data sources will need to be identified as the primary.
• If the decision is to manually enter configuration items early in the process, be aware that automation may create duplicates of the CIs that will need to be deduplicated at some point in the process to make the information more usable.
• Typically, items are discovered, validated, then mapped, but there will be variations depending on the source.
• Active Directory or LDAP may be used to bring users and technicians into the CMDB. Data may be imported from spreadsheets. Identify efforts where data cleanup may have to happen before transferring into the CMDB.
• Identify how often manual imports will need to be conducted to make sure data is usable.

Identify other nondiscoverable data that will need to be added to or accessed by the CMDB

Foundational data, such as technicians, end users and approvers, roles, location, company, agency, department, building, or cost center, may be added to tables that are within or accessed by the CMDB. Work with your vendor to understand structure and where this information resides.

• These records can be imported from CSV files manually, but this will require manual removal or edits as information changes.
• Integration with the HRIS, Active Directory, or LDAP will enable automatic updates through synchronization or scheduled imports.
• If synchronization is fully enabled, new data can be added and removed from the CMDB automatically.
• Identify which nondiscoverable attributes will be needed, such as system criticality, support groups, groups it is managed by, location.
• If partially automating the process, identify where manual updates will need to occur.
• If fully automating the process, notifications will need to be set up when business owner or product or technical owner fields become empty to prompt defining a replacement within the CMDB.
• Determine who will manage these updates.
• Work with your CMDB implementation vendor to determine the best option for bringing this information in.

1.1.5 Record required data sources

Allot 15 minutes for this discussion.

1. Where do you track the work involved in providing services? Typically, your ticket database tracks service requests and incidents. Additional data sources can include:
   • Enterprise resource planning tools for tracking purchase orders
   • Project management information system for tracking tasks
2. What trusted data sources exist for the technology that supports these services? Examples include:
   • Management tools (e.g. Microsoft Endpoint Configuration Manager)
   • Architectural diagrams and network topology diagrams
   • IT asset management database
   • Spreadsheets
   • Other systems of record
3. What other data sources can help you gather the data you identified in activity 1.1.4?
4. Record the relevant data sources for each use case in the Configuration Management Standard Operating Procedures, section 6: Data Collection and Updates.

Info-Tech Insight

Improve the trustworthiness of your CMDB as a system of record by relying on data that is already trusted.

Step 1.2

Define roles and responsibilities

Activities

1.2.1 Record the project team and stakeholders

1.2.2 Complete a RACI chart to define who will be accountable and responsible for configuration tasks

This step will walk you through the following aspects of a configuration management system:

• Roles and responsibilities

This phase involves the following participants:

• IT service owners
• Enterprise architects
• Practice owners and managers
• SCM practice manager
• Project manager

Identify the roles you need in your SCM project

Determine which roles will need to be involved in the initial project and how to source these roles.

Leadership Roles
Oversee the SCM implementation

1. Configuration Manager – The practice owner for SCM. This is a long-term role.
2. Configuration Control Board (CCB) Chair – An optional role that oversees proposed alterations to configuration plans. If a CCB is implemented, this is a long-term role.
3. Project Sponsor or Program Sponsor – Provides the necessary resources for building the CMDB and SCM practices.
4. Architecture Roles
   Plan the program to build strong foundation
   1. Configuration Management Architect – Technical leader who defines the overall CM solution, plans the scope, selects a tool, and leads the technical team that will implement the solution.
   2. Requirements Analyst – Gathers and manages the requirements for CM.
   3. Process Engineer – Defines, documents, and implements the entire process.

Architecture Roles
Plan the program to build strong foundation

1. Configuration Management Architect – Technical leader who defines the overall CM solution, plans the scope, selects a tool, and leads the technical team that will implement the solution.
2. Requirements Analyst – Gathers and manages the requirements for CM.
3. Process Engineer – Defines, documents, and implements the entire process.

Engineer Roles
Implement the system

1. Logical Database Analyst (DBA) – Designs the structure to hold the configuration management data and oversees implementation.
2. Communications and Trainer – Communicates the goals and functions of CM and teaches impacted users the how and why of the process and tools.

Administrative Roles
Permanent roles involving long-term ownership

1. Technical Owner – The system administrator responsible for their system's uptime. These roles usually own the data quality for their system.
2. Configuration Management Integrator – Oversees regular transfer of data into the CMDB.
3. Configuration Management Tool Support – Selects, installs, and maintains the CM tool.
4. Impact Manager – Analyzes configuration data to ensure relationships between CIs are accurate; conducts impact analysis.

1.2.1 Record the project team and stakeholders

Allocate 25 minutes to this discussion.

1. Record the project team.

1. Identify the project manager who will lead this project.
2. Identify key personnel that will need to be involved in design of the configuration management system and processes.
3. Identify where vendors/outsourcers may be required to assist with technical aspects.
4. Document the project team in the Configuration Management Project Charter, section 1.1: Project Team.

2. Record a list of stakeholders.

1. Identify stakeholders internal and external to IT.
2. Build the stakeholder profile. For each stakeholder, identify their role, interest in the project, and influence on project success. You can score these criteria high/medium/low or score them out of ten.
3. If managed service providers will need to be part of the equation, determine who will be the liaison and how they will provide or access data.

Even with full automation, this cannot be a "set it and forget it" project if it is to be successful long-term

Create a team to manage the process and data updates and to ensure data is always usable.

• Services may be added and removed.
• Technology will change as technical debt is reduced.
• Vendors may change as contract needs develop.
• Additional use cases may be introduced by IT and the business as approaches to management evolve.
• AIOps can reduce the level of effort and improve visibility as configuration items change from the baseline and notifications are automated.
• Changes can be checked against requests for changes through automated reconciliations, but changes will still need to be investigated where they do not meet expectations.
• Manual data changes will need to be made regularly and verified.

"We found that everyone wanted information from the CMDB, but no one wanted to pay to maintain it. People pointed to the configuration management team and said, 'It's their responsibility.'

Configuration managers, however, cannot own the data because they have no way of knowing if the data is accurate. They can own the processes related to checking accuracy, but not the data itself."
– Tim Mason, founding director at TRM Associates
(Excerpt from Viewpoint: Focus on CMDB Leadership)

Include these roles in your CMDB practice to ensure continued success and continual improvement

These roles can make up the configuration control board (CCB) to make decisions on major changes to services, data models, processes, or policies. A CCB will be necessary in complex environments.

Configuration Manager

This role is focused on ensuring everyone works together to build the CMDB and keep it up to date. The configuration manager is responsible to:

• Plan and manage the standards, processes, and procedures and communicate all updates to appropriate staff. Focused on continual improvement.
• Plan and manage population of the CMDB and ensure data included meets criteria for cost effectiveness and reasonable effort for the value it brings.
• Validate scope of services and CIs to be included and controlled within the CMDB and manage exceptions.
• Audit data quality to ensure it is valid, is current, and meets defined standards.
• Evaluate and recommend tools to support processes, data collection, and integrations.
• Ensure configuration management processes interface with all other service and business management functions to meet use cases.
• Report on configuration management performance and take appropriate action on process adherence and quality issues.

Configuration Librarian

This role is most important where manual data entry is prevalent and where many nonstandard configurations are in place. The librarian role is often held by the tool administrator. The librarian focuses specifically on data within the CMDB, including:

• Manual updates to configuration data.
• CMDB data verification on a regular schedule.
• Processing ad hoc requests for data.

Product/Service/Technical Owners

The product or technical owner will validate information is correctly updating and reflects the existing data requirements as new systems are provisioned or as existing systems change.

Interfacing Practice Owners

All practice owners, such as change manager, incident manager, or problem manager, must work with the configuration team to ensure data is usable for each of the use cases they are responsible for.

Download the Configuration Manager job description

Assign configuration management responsibilities and accountabilities

Align authority and accountability.

• A RACI exercise will help you discuss and document accountability and responsibility for critical configuration management activities.
• When responsibility and accountability are not well documented, it's often useful to invite a representative of the roles identified to participate in this alignment exercise. The discussion can uncover contrasting views on responsibility and governance, which can help you build a stronger management and governance model.
• The RACI chart can help you identify who should be involved when making changes to a given activity. Clarify the variety of responsibilities assigned to each key role.
• In the future, you may need to define roles in more detail as you change your configuration management procedures.

Responsible: The person who actually gets the job done.
Different roles may be responsible for different aspects of the activity relevant to their role.

Accountable: The one role accountable for the activity (in terms of completion, quality, cost, etc.)
Must have sufficient authority to be held accountable; responsible roles are often accountable to this role.

Consulted: Those who need the opportunity to provide meaningful input at certain points in the activity; typically, subject matter experts or stakeholders. The more people you must consult, the more overhead and time you'll add to a process.

Informed: Those who receive information regarding the task but do not need to provide feedback.
Information might relate to process execution, changes, or quality.

Complete a RACI chart to define who will be accountable and responsible for configuration tasks

Determine what roles will be in place in your organization and who will fulfill them, and create your RACI chart to reflect what makes sense for your organization. Additional roles may be involved where there is complexity.

1.2.2 Complete a RACI chart to define who will be accountable and responsible for configuration tasks

Allot 60 minutes for this discussion.

1. Open the Configuration Management Standard Operating Procedures, section 4.1: Responsibility Matrix. In the RACI chart, review the top row of roles. Smaller organizations may not need a configuration control board, in which case the configuration manager may have more authority.
2. Modify or expand the process tasks in the left column as needed.
3. For each role, identify what that person is responsible for, accountable for, consulted on, or informed of. Fill out each column.
4. Document in the SOP. Schedule a time to share the results with organization leads.
5. Distribute the chart among all teams in your organization.
6. Describe additional roles as needed in the documentation.
7. Add accountabilities and responsibilities for the CCB into the Configuration Control Board Charter.
8. If appropriate, add auxiliary roles to the Configuration Management Standard Operating Procedures, section 4.2: Configuration Management Auxiliary Role Definitions.

Notes:

1. Assign one Accountable for each task.
2. Have one or more Responsible for each task.
3. Avoid generic responsibilities such as "team meetings."
4. Keep your RACI definitions in your documents for quick reference.

Refer back to the RACI chart when building out the communications plan to ensure accountable and responsible team members are on board and consulted and informed people are aware of all changes.

Phase 2

Configuration Management Data Model

This phase will walk you through the following aspects of a configuration management system:

• Data Model
• Customer-Facing and Supporting Services
• Business Capabilities
• Relationships
• IT Infrastructure Components
• Enterprise Software
• End-User Devices
• Documents

This phase involves the following participants:

• IT service owners
• Enterprise architects
• Practice owners and managers
• CM practice manager
• CM project manager

Step 2.1

Build a framework for CIs and relationships

Activities

Document services:

2.1.1 Define and prioritize your services

2.1.2 Test configuration items against existing categories

2.1.3 Create a configuration control board charter to define the board's responsibilities and protocols

This step will walk you through the following aspects of a configuration management system:

• Data model
• Configuration items
• Relationships

This phase involves the following participants:

• IT service owners
• Enterprise architects
• Practice owners and managers
• CM practice manager
• Project manager

Making sense of data daily will be key to maintaining it, starting with services

As CIs are discovered and mapped, they will automatically map to each other based on integrations, APIs, queries, and transactions. However, CIs also need to be mapped to a conceptional model or service to present the service and its many layers in an easily consumable way.

These services will need to be manually created or imported into the CMDB and manually connected to the application services. Services can be mapped to technical or business services or both.

If business services reporting has been requested, talk to the business to develop a list of services that will be required. Use terms the business will be expecting and identify which applications and instances will be mapped to those services.

If IT is using the CMDB to support service usage and reporting, develop the list of IT services and identify which applications and instances will be mapped to those services.

Work with your stakeholders to ensure catalog items make sense to them

There isn't a definitive right or wrong way to define catalog items. For example, the business and IT could both reference application servers, but only IT may need to see technical services broken down by specific locations or device types.

Refer back to your goals and use cases to think through how best to meet those objectives and determine how to categorize your services.

Define the services that will be the top-level, nondiscoverable services, which will group together the CIs that make up the complete service. Identify which application(s) will connect into the technical service.

When you are ready to start discovery, this list of services will be connected to the discovered data to organize it in a way that makes sense for how your stakeholders need to see the data.

While working toward meeting the goals of the first few use cases, you will want to keep the structure simple. Once processes are in place and data is regularly validated, complexities of different service types and names can be integrated into the data.

Define the service types to manage within the CMDB to logically group CIs

Determine which method of service groupings will best serve your audience for your prioritized use cases. This will help to name your service categories. Service types can be added as the CMDB evolves and as the audience changes.

2.1.1 Define and prioritize your services

Prioritize your starting point. If multiple audiences need to be accommodated, work with one group at a time.

Timing: will vary depending on number of services, and starting point

1. Create your list of services, referencing an existing service catalog, business continuity or disaster recovery plan, list of applications, or brainstorming sessions. Use the terminology that makes the most sense for the audience and their reporting requirements.
2. If this list is already in place, assess for relevance and reduce the list to only those services that will be managed through the CMDB.
3. Determine what data will be relevant for each service based on the exercises done in 1.1.4 and 1.1.5. For example, if priority was a required attribute for use case data, ensure each service lists the priority of that service.
4. For each of these, identify the supporting services. These items can come from your technical service catalog or list of systems and software.
5. Document this table in the Use Cases and Data Worksheet, tab 3: Service Catalog.

Service Record Example

Service: Email
Supporting Services: M365, Authentication Services

Service Attributes

Availability: 24/7 (99.999%)
Priority: Critical
Users: All
Used for: Collaboration
Billable: Departmental
Support: Unified Support Model, Account # 123456789

The CMDB will be organized by services and will enable data analysis through multiple categorization schemes

To extract maximum service management benefit from a CMDB, the highest level of CI type should be a service, as demonstrated below. While it is easier to start at the system or single-asset level, taking the service mapping approach will provide you with a useful and dynamic view of your IT environment as it relates to the services you offer, instead of a static inventory of components.

Level 1: Services

• Business Service Offering: A business service is an IT service that supports a business process, or a service that is delivered to business customers. Business service offerings typically are bound by service-level agreements.
• IT Service Offering: An IT service supports the customer's business processes and is made up of people, processes, and technology. IT service offerings typically are bound by service-level agreements.

Level 2: Infrastructure CIs

• IT Component Set: An IT service offering consists of one of more sets of IT components. An IT component set allows you to group or bundle IT components with other components or groupings.
• IT Component: An IT system is composed of one or more supporting components. Many components are shared between multiple IT systems.

Level 3: Supporting CIs

• IT Subcomponent: Any IT asset that is uniquely identifiable and a component of an IT system.
• IT components can have subcomponents, and those components can have subcomponents, etc.

Assess your CMDB's standard category offerings against your environment, with a plan to minimize customization

Standard categorization schemes will allow for easier integration with multiple tools and reporting and improve results if using machine learning to automate categorization. If the CMDB chosen includes structured categories, use that as your starting point and focus only on gaps that are not addressed for CIs unique to your environment.

There is an important distinction between a class and a type. This concept is foundational for your configuration data model, so it is important that you understand it.

• Types are general groupings, and the things within a type will have similarities. For attributes that you want to collect on a type, all children classes and CIs will have those attribute fields.
• Classes are a more specific grouping within a type. All objects within a class will have specific similarities. You can also use subclasses to further differentiate between CIs.
• Individual CIs are individual instances of a class or subclass. All objects in a class will have the same attribute fields and behave the same, although the values of their attributes will likely differ.
• Attributes may be discovered or nondiscoverable and manually added to CIs. The attributes are properties of the CI such as serial number, version, memory, processor speed, or asset tag.

Use inheritance structures to simplify your configuration data model.

Assess the list of classes of configuration items against your requirements

Types are general groupings, and the things within a type will have similarities. Each type will have its own table within the CMDB. Classes within a type are a more specific grouping of configuration items and may include subclasses.

Review your vendor's CMDB documentation. Find the list of CI types or classes. Most CMDBs will have a default set of classes, like this standard list. If you need to build your own, use the table below as a starting point. Define anything required for unique classes. Create a list and consult with your installation partner.

Sample list of classes organized by type

Review relationships to determine which ones will be most appropriate to map your dependencies

Your CMDB should include multiple relationship types. Determine which ones will be most effective for your environment and ensure everyone is trained on how to use them. As CIs are mapped, verify they are correct and only manually map what is incorrect or not mapping through automation.

Manually mapping CMDB relationships may be time consuming and prone to error, but where manual mapping needs to take place, ensure the team has a common view of the dependency types available and what is important to map.

Use automated mapping whenever possible to improve accuracy, provide functional visualizations, and enable dynamic updates as the environment changes.

Where a dependency maps to external providers, determine where it makes sense to discover and map externally provided CIs.

• Only connect where there is value in mapping to vendor-owned systems.
• Only connect where data and connections can be trusted and verified.

Most common dependency mapping types

2.1.2 Test configuration items against existing categories

Time to complete: 1-2 hours

1. Select a service to test.
2. Identify the various components that make up the service, focusing on configuration items, not attributes
3. Categorize configuration items against types and classes in the default settings of the CMDB.
4. Using the default relationships within the CMDB, identify the relationships between the configuration items.
5. Identify types, classes, and relationships that do not fit within the default settings. Determine if there are common terms for these items or determine most appropriate name.
6. Validate these exceptions with the publisher.
7. Document exceptions in the Configuration Management Standard Operating Procedures, Appendix 2: Types and Classes of Configuration Items

2.1.3 Create a configuration control board charter to define the board's responsibilities and protocols

A charter will set the tone for meetings, ensure purpose is defined and meeting cadence is set for regular reviews.

1. Open the Configuration Control Board Charter. Review the document and modify as appropriate for your CCB. This will include:
   • Purpose and mandate of the committee – Reference objectives from the project charter.
   • Team composition – Determine the right mix of team members. A team of six to ten people can provide a good balance between having a variety of opinions and getting work done.
   • Voting option – Determine the right quorum to approve changes.
   • Responsibilities – List responsibilities, starting with RACI chart items.
   • Authority – Define the control board's span of control.
   • Governing laws and regulations – List any regulatory requirements that will need to be met to satisfy your auditors.
   • Meeting preparation – Set expectations to ensure meetings are productive.
2. Distribute the charter to CCB members.

Assess the default list of statuses for each state

Align this list with your CMDB

Minimize the number of customizations that will make it difficult to update the platform.

1. Review the default status list within the tool.
2. Identify which statuses will be most used. Write a definition for each status.
3. Update this list as you update process documentation in Step 3.1. After initial implementation, this list should only be modified through change enablement.
4. Record this list of statuses in the Configuration Management Standard Operating Procedures, Appendix 4: Statuses

Step 2.2

Document statuses, attributes, and data sources

Activities

2.2.1 Follow the packet and map out the in-scope services and data centers

2.2.2 Build data model diagrams

2.2.3 Determine access rights for your data

This step will walk you through the following aspects of a configuration management system:

• Statuses
• Attributes for each class of CI

This phase involves the following participants:

• IT service owners
• Enterprise architects
• Practice owners and managers
• SCM practice manager
• Project manager

Outcomes of this step

• Framework for approaching CI statuses
• Attributes for each class of CI
• Data sources for those attributes

Service mapping approaches

As you start thinking about dependency mapping, it's important to understand the different methods and how they work, as well as your CMDB's capabilities. These approaches may be all in the same tool, or the tool may only have the top-down options.

Model hierarchy

Automated data mapping will be helpful, but it won't be foolproof. It's critical to understand the data model to validate and map nondiscoverable CIs correctly.

The framework consists of the business, enterprise, application, and implementation layers.

The business layer encodes real-world business concepts via the conceptual model.

The enterprise layer defines all enterprise data assets' details and their relationships.

The application layer defines the data structures as used by a specific application.

The implementation layer defines the data models and artifacts for use by software tools.

Learn how to create data models with Info-Tech's blueprint Create and Manage Enterprise Data Models

2.2.1 Follow the packet and map out the in-scope services and data centers

Reference your network topology and architecture diagrams.

Allot 1 hour for this activity.

1. Start with a single service that is well understood and documented.
2. Identify the technical components (hardware and applications) that make up the service.
3. Determine if there is a need to further break down services into logical service groupings. For example, the email service to the right is broken down into authentication and mail flow.
4. If you don't have a network diagram to follow, create a simple one to identify workflows within the service and components the service uses.
5. Record the apps and underlying components in the Configuration Management Standard Operating Procedures, Appendix 1: Configuration Data Model Structure.

This information will be used for CM project planning and validating the contents of the CMDB.

Download the Configuration Management Diagram Template Library to see an example.

Build your configuration data model

Rely on out-of-the-box functionality where possible and keep a narrow focus in the early implementation stages.

1. If you have an enterprise architecture, then your configuration management data model should align with it.
2. Keep a narrow focus in the early implementation stages. Don't fill up your CMDB until you are ready to validate and fix the data.
3. Rely on out-of-the-box (OOTB) functionality where possible. If your configuration management database (CMDB) and platform do not have a data model OOTB, then rely on a publicly available data model.
4. Map your business or IT service offering to the first few layers.

Once this is built out in the system, you can let the automated dependency mapping take over, but you will still need to validate the accuracy of the automated mapping and investigate anything that is incorrect.

Sample Configuration Data Model

Every box represents a CI, and every line represents a relationship

Example: Data model and CMDB visualization

Once the data model is entered into the CMDB, it will provide a more dynamic and complex view, including CIs shared with other services.

CMDB View

2.2.2 Build data model diagrams

Visualize the expected CI classes and relationships.

Allot 45 minutes.

1. Identify the different data model views you need. Use multiple diagrams to keep the information simple to read and understand. Common diagrams include:

1. Network level: Outline expected CI classes and relationships at the network level.
2. Application level: Outline the expected components and relationships that make up an application.
3. Services level: Outline how business capability CIs and service CIs relate to each other and to other types of CIs.

2. Use boxes to represent CI classes.
3. Use lines to represent relationships. Include details such as:

1. Relationship name: Write this name on the arrow.
2. Direction: Have an arrow point to each child.

Review samples in Configuration Management Diagram Template Library.
Record these diagrams in the Configuration Management Standard Operating Procedures, Appendix 1: Configuration Data Model Structure.

Download the Configuration Management Diagram Template Library to see examples.

Determine governance for data security, access, and validation

Align CMDB access to the organization's access control policy to maintain authorized and secure access for legitimate staff performing their role.

2.2.3 Determine access rights for your data

Allot 30 minutes for this discussion.

1. Open the Configuration Management Standard Operating Procedures, section 5: Access Rights.
2. Review the various roles from an access perspective.

1. Who needs read-only access?
2. Who needs read/write access?
3. Should there be restrictions on who can delete data?

3. Fill in the chart and communicate this to your CMDB installation vendor or your CMDB administrator.

Phase 3

Configuration Record Updates

This phase will walk you through the following aspects of a configuration management system:

• ITSM Practices and Workflows
• Discovery and Dependency Mapping Tools
• Auditing and Data Validation Practices

This phase involves the following participants:

• IT service owners
• Enterprise architects
• Practice owners and managers
• SCM practice manager
• SCM project manager
• IT audit

Harness Service Configuration Management Superpowers

Step 3.1

Keep CIs and relationships up to date through lifecycle process integrations

Activities

3.1.1 Define processes to bring new services into the CMDB

3.1.2 Determine when each type of CI will be created in the CMDB

3.1.3 Identify when each type of CI will be retired in the CMDB

3.1.4 Record when and how attributes will change

3.1.5 Institute configuration control and configuration baselines

This step will walk you through the following aspects of a configuration management system:

1. ITSM Practices and Workflows
2. Discovery and Dependency Mapping Tools

This phase involves the following participants:

1. IT service owners
2. Enterprise architects
3. Practice owners and managers
4. SCM practice manager
5. Project manager

Outcomes of this step

• List of action items for updating interfacing practices and processes
• Identification of where configuration records will be manually updated

Incorporate CMDB updates into IT operations

Determine which processes will prompt changes to the CMDB data

	Change enablement	Identify which process are involved in each stage of data input, maintenance, and removal to build out a process for each scenario.
	Project management
	Change enablement	Asset management	Security controls
	Project management	Incident management	Deployment management
	Change enablement	Asset management	Security controls
	Project management	Incident management	Service management

Formalize the process for adding new services to the CMDB

As new services and products are introduced into the environment, you can improve your ability to correctly cost the service, design integrations, and ensure all operational capabilities are in place, such as data backup and business continuity plans.
In addition, attributes such as service-level agreements (SLAs), availability requirements, and product, technical, and business owners should be documented as soon as those new systems are made live.

• Introduce the technical team and CCB to the product early to ensure the service record is created before deployment and to quickly map the services once they are moved into the production environment.
• Engage with project managers or business analysts to define the process to include security and technical reviews early.
• Engage with the security and technical reviewers to start documenting the service as soon as it is approved.
• Determine which practices will be involved in the creation and approval of new services and formalize the process to streamline entry of the new service, onboarding corresponding CIs and mapping dependencies.

3.1.1 Define processes to bring new services into the CMDB

Start with the most frequent intake methods, and if needed, use this opportunity to streamline the process.

1. Discuss the methods for new services to be introduced to the IT environment.
2. Critique existing methods to assess consistency and identify issues that could prevent the creation of services in the CMDB in a timely manner.
3. Create a workflow for the existing processes, with an eye to improvement. Identify any changes that will need to be introduced and managed appropriately.
4. Identify where additional groups may need to be engaged to ensure success. For example, if project managers are not interfacing early with IT, discuss process changes with them.
5. Discuss the validation process and determine where control points are. Document these on the workflows.
6. Complete the Configuration Management Standard Operating Procedures, section 8.1: Introduce New Service and Data Model.

Possible intake opportunities:

• Business-driven project intake process
• IT-driven project intake process
• Change enablement reviews
• Vendor-driven product changes

Identify scenarios where CIs are added and removed in the configuration management database

New CIs may be introduced with new services or may be introduced and removed as part of asset refreshes or through service restoration in incident management. Updates may be done by your own services team or a managed services provider.
Determine the various ways the CIs may be changed and test with various CI types.
Review attributes such as SLAs, availability requirements, and product, technical, and business owners to determine if changes are required.

• Identify what will be updated automatically or manually. Automation could include discovery and dependency mapping or synchronization with AMDB or AIOps tools.
• Engage with relevant program managers to define and validate processes.
• Identify control points and review audit requirements.

Info-Tech Insight

Data deemed no longer current may be archived or deleted. Retained data may be used for tracing lifecycle changes when troubleshooting or meeting audit obligations. Determine what types of CIs and use cases require archived data to meet data retention policies. If none do, deletion of old data may be appropriate.

3.1.2 Identify when each type of CI will be created in the CMDB

Allot 45 minutes for discussion.

1. Discuss the various methods for new CIs to be introduced to the IT environment.
2. Critique existing methods to assess consistency and identify issues that could prevent the creation of CIs in the CMDB in a timely manner.
3. Create a workflow for the existing processes, with an eye to improvement. Identify any changes that will need to be introduced and managed appropriately.
4. Identify where additional groups may need to be engaged to ensure success. For example, if project managers are not interfacing early with IT, discuss process changes with them.
5. Discuss the validation process and determine where control points are. Document these on the workflows.
6. Complete Configuration Management Standard Operating Procedures, section 8.2: Introduce New Configuration Items to the CMDB

Possible intake opportunities:

• Business-driven project intake process
• IT-driven project intake process
• Change enablement reviews
• Vendor-driven product changes
• Incident management
• Asset management, lifecycle refresh

3.1.3 Identify when each type of CI will be retired in the CMDB

Allot 45 minutes for discussion.

1. Discuss the various methods for CIs to be removed from the IT environment.
2. Critique existing methods to assess consistency and identify issues that could prevent the retirement of CIs in the CMDB in a timely manner.
3. Create a workflow for the existing processes, with an eye to improvement. Identify any changes that will need to be introduced and managed appropriately.
4. Identify where additional groups may need to be engaged to ensure success. For example, if project managers are not interfacing early with IT, discuss process changes with them.
5. Discuss the validation process and determine where control points are. Document these on the workflows.
6. Discuss data retention. How long will retired information need to be archived? What are the potential scenarios where legacy information may be needed for analysis?
7. Complete the Configuration Management Standard Operating Procedures, section 8.4: Retire and Archive Configuration Records.

Possible retirement scenarios:

• Change enablement reviews
• Vendor-driven product changes
• Incident management
• Asset management, lifecycle refresh

Determine appropriate actions for detecting new or changed CIs through discovery

Automated detection will provide the most efficient way of recording planned changes to CIs as well as detected unplanned changes. Check with the tool to determine what reports or notifications are available for the configuration management process and define what actions will be appropriate.

As new CIs are detected, identify the process by which they should have been introduced into configuration management and compare against those records. If your CMDB can automatically check for documentation, this may be easier. Weekly reporting will allow you to catch changes quickly, and alerts on critical CIs could enable faster remediation, if the tool allows for alerting. AIOps could identify, notify of, and process many changes in a highly dynamic environment.

The configuration manager may not have authority to act but can inform the process owners of unauthorized changes for further action. Once the notifications are forwarded to the appropriate process owner, the configuration manager will note the escalation and follow up on data corrections as deemed appropriate by the associated process owner.

3.1.4 Record when and how attributes will change

These lists will help with configuration control plans and your implementation roadmap.

1. List each attribute that will change in that CI type's life.
2. Write all the times that each attribute will change. Identify:

1. The name of the workflow, service request, process, or practice that modifies the attribute.
2. Whether the update is made automatically or manually.
3. The role or tool that updates the CMDB.

3. Update the relevant process or procedure documentation. Explicitly identify when the configuration records are updated.

Document these tables in Configuration Management Standard Operation Procedures, Section 8.7: Practices That Modify CIs.

Institute configuration control and configuration baselines where appropriate

A baseline enables an assessment of one or more systems against the desired state and is useful for troubleshooting incidents or problems and validating changes and security settings.

Baselines may be used by enterprise architects and system engineers for planning purposes, by developers to test their solution against production copies, by technicians to assess configuration drift that may be causing performance issues, and by change managers to assess and verify the configuration meets the target design.

Configuration baselines are a snapshot of configuration records, displaying attributes and first-level relationships of the CIs. Standard configurations may be integral to the success of automated workflows, deployments, upgrades, and integrations, as well as prevention of security events. Comparing current CIs against their baselines will identify configuration drift, which could cause a variety of incidents. Configuration baselines are updated through change management processes.
Configuration baselines can be used for a variety of use cases:

• Version control – Management of software and hardware versions, https://dj5l3kginpy6f.cloudfront.net/blueprints/harness-configuration-management-superpowers-phases-1-4/builds, and releases.
• Access control – Management of access to facilities, storage areas, and the CMS.
• Deployment control – Take a baseline of CIs before performing a release so you can use this to check against actual deployment.
• Identify accidental changes – Everyone makes mistakes. If someone installs software on the wrong server or accidentally drops a table in a database, the CMS can alert IT of the unauthorized change (if the CI is included in configuration control).

Info-Tech Insight

Determine the appropriate method for evaluating and approving changes to baselines. Delegating this to the CCB every time may reduce agility, depending on volume. Discuss in CCB meetings.

3.1.5 Institute configuration control and configuration baselines where appropriate

Only baseline CIs and relationships that you want to control through change enablement.

1. Determine criteria for capturing configuration baselines, including CI type, event, or processes.
2. Identify who will use baselines and how they will use the data. Identify their needs.
3. Identify CIs that will be out of scope and not have baselines created.
4. Document requirements in the SOP.
5. Ensure appropriate team members have training on how to create and capture baselines in the CMDB.
6. Document in the Configuration Management Standard Operating Procedures, section 8.5: Establish and Maintain Configuration Baselines.

Step 3.2

Validate data within the CMDB

Activities

3.2.1 Build an audit plan and checklist

This step will walk you through the following aspects of a configuration management system:

• Data validation and audit

This phase involves the following participants:

• IT service owners
• Enterprise architects
• Practice owners and managers
• SCM practice manager
• Project manager
• IT audit

Outcomes of this step

• Updates to processes for data validation
• Plan for auditing and validating the data in the CMDB

Audit and validate the CMDB

Review the performance of the supporting technologies and processes to validate the accuracy of the CMDB.

CM Audit Plan

• CM policies
• CM processes and procedures
• Interfacing processes
• Content within the CMDB

"If the data in your CMDB isn't accurate, then it's worthless. If it's wrong or inaccurate, it's going to drive the wrong decisions. It's going to make IT worse, not better."
– Valence Howden, Research Director, Info-Tech Research Group

Ensure the supporting technology is working properly

Does the information in the database accurately reflect reality?

Perform functional tests during audits and as part of release management practices.

Audit results need to have a clear status of "compliant," "noncompliant," or "compliant with conditions," and conditions need to be noted. The conditions will generally offer a quick win to improve a process, but don't use these audit results to quickly check off something as "done." Ensure the fix is useful and meaningful to the process.
The audit should cover three areas:

• Process: Are process requirements for the program well documented? Are the processes being followed? If there were updates to the process, were those updates to the process documented and communicated? Has behavior changed to suit those modified processes?
• Physical: Physical configuration audits (PCAs) are audits conducted to verify that a configuration item, as built, conforms to the technical documentation that defines and describes it.
• Functional: Functional configuration audits (FCAs) are audits conducted to verify that the development of a configuration item has been completed satisfactorily, the item has achieved the functional attributes specified in the functional or allocated baseline, and its technical documentation is complete and satisfactory.

Build auditing and validation of processes whenever possible

When technicians and analysts are working on a system, they should check to make sure the data about that system is correct. When they're working in the CMDB, they should check that the data they're working with is correct.

More frequent audits, especially in the early days, may help move toward process adoption and resolving data quality issues. If audits are happening more frequently, the audits can include a smaller scope, though it's important to vary each one to ensure many different areas have been audited through the year.

• Watch for data duplication from multiple discovery tools.
• Review mapping to ensure all relevant CIs are attached to a product or service.
• Ensure report data is logical.

Ensure the supporting technology is working properly

Does the information in the database accurately reflect reality?

Perform functional tests during audits and as part of release management practices.

Audit results need to have a clear status of "compliant," "noncompliant," or "compliant with conditions," and conditions need to be noted. The conditions will generally offer a quick win to improve a process, but don't use these audit results to quickly check off something as "done." Ensure the fix is useful and meaningful to the process.
The audit should cover three areas:

• Process: Are process requirements for the program well documented? Are the processes being followed? If there were updates to the process, were those updates to the process documented and communicated? Has behavior changed to suit those modified processes?
• Physical: Physical configuration audits (PCAs) are audits conducted to verify that a configuration item, as built, conforms to the technical documentation that defines and describes it.
• Functional: Functional configuration audits (FCAs) are audits conducted to verify that the development of a configuration item has been completed satisfactorily, the item has achieved the functional attributes specified in the functional or allocated baseline, and its technical documentation is complete and satisfactory.

More frequent audits, especially in the early days, may help move toward process adoption and resolving data quality issues. If audits are happening more frequently, the audits can include a smaller scope, though it's important to vary each one to ensure many different areas have been audited through the year.

• Watch for data duplication from multiple discovery tools.
• Review mapping to ensure all relevant CIs are attached to a product or service.
• Ensure report data is logical.

Identify where processes break down and data is incorrect

Once process stops working, data becomes less accurate and people find workarounds to solve their own data needs.

Data within the CMDB often becomes incorrect or incomplete where human work breaks down

• Investigate processes that are performed manually, including data entry.
• Investigate if the process executors are performing these processes uniformly.
• Determine if there are opportunities to automate or provide additional training.
• Select a sample of the corresponding data in the CMS. Verify if the data is correct.

Non-CCB personnel may not be completing processes fully or consistently

• Identify where data in the CMS needs to be updated.
• Identify whether the process practitioners are uniformly updating the CMS.
• Discuss options for improving the process and driving consistency for data that will benefit the whole organization.

Ensure that the data entered in the CMDB is correct

• Confirm that there is no data duplication. Data duplication is very common when there are multiple discovery tools in your environment. Confirm that you have set up your tools properly to avoid duplication.
• Build a process to respond to baseline divergence when people make changes without following change processes and when updates alter settings.
• Audit the system for accuracy and completeness.

3.2.1 Build an audit plan and checklist

Use the audit to identify areas where processes are breaking down.

Audits present you with the ability to address these pain points before they have greater negative impact.

1. Identify which regulatory requirements and/or auditing bodies will be relevant to audit processes or findings.
2. Determine frequency of practice audits and how they relate to internal audits or external audits.
3. Determine audit scope, including requirements for data spot checks.
4. Determine who will be responsible for conducting audits and validate this is consistent with the RACI chart.
5. Record audit procedures in the Configuration Management Standard Operating Procedures section 8.6: Verify and Review the Quality of Information Through Auditing.
6. Review the Configuration Management Audit and Validation Checklist and modify to suit your needs.

Download the Configuration Management Audit and Validation Checklist

Phase 4

Service Configuration Roadmap

This phase will walk you through the following aspect of a configuration management system:
Roadmap
This phase involves the following participants:

• IT service owners
• Enterprise architects
• Practice owners and managers
• SCM practice manager
• SCM project manager

Harness Service Configuration Management Superpowers

Step 4.1

Define measures of success

Activities

4.1.1 Identify key metrics to define configuration management success
4.1.2 Brainstorm and record desired reports, dashboards, and analytics
4.1.3 Build a configuration management policy

This phase will walk you through the following aspects of a configuration management system:

• Metrics
• Policy

This phase involves the following participants:

• IT service owners
• Enterprise architects
• Practice owners and managers
• SCM practice manager
• SCM project manager

The value of metrics can be found in IT efficiency increases

When determining metrics for configuration management, be sure to separate metrics needed to gauge configuration management success and those that will use data from the CMDB to provide metrics on the success of other practices.

• Metrics provide accurate indicators for IT and business decisions.
• Metrics help you identify IT efficiencies and problems and solve issues before they become more serious.
• Active metrics tracking makes root cause analysis of issues much easier.
• Proper application of metrics helps IT services identification and prioritization.
• Operational risks can be prevented by identifying and implementing metrics.
• Metrics analysis increases the confidence of the executive team and ensures that IT is working well.

4.1.1 Identify key metrics to define configuration management success

Determine what metrics are specifically related to the practice and how and when metrics will be accessed.

Document metrics in the Configuration Management Standard Operating Procedures, section 7: Success Metrics

Use performance metrics to identify areas to improve service management processes using CMDB data

Metrics can indicate a problem with service management processes but cannot provide a clear path to a solution on their own.

• The biggest challenge is defining and measuring the process and people side of the equation.
• Expected performance may also need to be compared to actual performance in planning, budgeting, and improvements.
• The analysis will need to include critical success factors (CSFs), data collection procedures, office routines, engineering practices, and flow diagrams including workflows and key relationships.
• External benchmarking may also prove useful in identifying how similar organizations are managing aspects of their infrastructure, processing transactions/requests, or staffing. If using external benchmarking for actual process comparisons, clearly defining your internal processes first will make the data collection process smoother and more informative.

Info-Tech Insight

Using a service framework such as ITIL, COBIT, or ISO 20000 may make this job easier, and subscribing to benchmarking partners will provide some of the external data needed for comparison.

4.1.2 Brainstorm and record desired reports, dashboards, and analytics with related practices

The project team will use this list as a starting point

Allot 45 minutes for this discussion.

1. Create a table for each service or business capability.
   1. Have one column for each way of consuming data: reports, dashboards, and ad hoc analytics.
   2. Have one row for each stakeholder group that will consume the information.
2. Use the challenges and use cases to brainstorm reports, dashboards, and ad hoc analytic capabilities that each stakeholder group will find useful.
3. Record these results in your Configuration Management Standard Operating Procedures, section 7: Aligned Processes' Desired Analytical Capabilities.

Download the blueprint Take Control of Infrastructure and Operations Metrics to create a complete metrics program.

Create a configuration management policy and communicate it

Policies are important documents to provide definitive guidelines and clarity around data collection and use, process adherence, and controls.

• A configuration management policy will apply to IT as the audience, and participants in the program will largely be technical.
• Business users will benefit from a great configuration management program but will not participate directly.
• The policy will include objectives and scope, use of data, security and integrity of data, data models and criteria, and baseline configurations.
• Several governing regulations and practices may intersect with configuration management, such as ITIL, COBIT, and NIST frameworks, as well as change enablement, quality management, asset management, and more.
• As the policy is written, review processes to ensure policies and processes are aligned. The policy should enable processes, and it may require modifications if it hinders the collection, security, or use of data required to meet proposed use cases.
• Once the policy is written and approved, ensure all stakeholders understand the importance, context, and repercussions of the policy.

The approvals process is about appropriate oversight of the drafted policies. For example:

• Do the policies satisfy compliance and regulatory requirements?
• Do the policies work with the corporate culture?
• Do the policies address the underlying need?

If the draft is approved:

• Set the effective date and a review date.
• Begin communication, training, and implementation.

Employees must know that there are new policies and understand the steps they must take to comply with the policies in their work.

Employees must be able to interpret, understand, and know how to act upon the information they find in the policies.

Employees must be informed on where to get help or ask questions and who to request policy exceptions from.

If the draft is rejected:

• Acquire feedback and make revisions.
• Resubmit for approval.

4.1.3 Build a configuration management policy

This policy provides the foundation for configuration control.

Use this template as a starting point.

The Configuration Management Policy provides the foundation for a configuration control board and the use of configuration baselines.
Instructions:

1. Review and modify the policy statements. Ensure that the policy statements reflect your organization and the expectations you wish to set.
2. If you don't have a CCB: The specified responsibilities can usually be assigned to either the configuration manager or the governing body for change enablement.
3. Determine if you should apply this policy beyond SCM. As written, this policy may provide a good starting point for practices such as:
   • Secure baseline configuration management
   • Software configuration management

Download the Configuration Management Policy template

Step 4.2

Build communications and a roadmap

Activities

4.2.1 Build a communications plan
4.2.2 Identify milestones

This phase will walk you through the following aspects of a configuration management system:

• Communications plan
• Roadmap

This phase involves the following participants:

• IT service owners
• Enterprise architects
• Practice owners and managers
• SCM practice manager
• SCM project manager

Outcomes of this step

• Documented expectations around configuration control
• Roadmap and action items for the SCM project

Do not discount the benefits of a great communications plan as part of change management

Many configuration management projects have failed due to lack of organizational commitment and inadequate communications.

• Start at the top to ensure stakeholder buy-in by verifying alignment and use cases. Without a committed project sponsor who believes in the value of configuration management, it will be difficult to draw the IT team into the vision.
• Clearly articulate the vision, strategy, and goals to all stakeholders. Ensure the team understands why these changes are happening, why they are happening now, and what outcomes you hope to achieve.
• Gain support from technical teams by clearly expressing organizational and departmental benefits – they need to know "what's in it for me."
• Clearly communicate new responsibilities and obligations and put a feedback process in place to hear concerns, mitigate risk, and act on opportunities for improvement. Be prepared to answer questions as this practice is rolled out.
• Be consistent in your messaging. Mixed messages can easily derail progress.
• Communicate to the business how these efforts will benefit the organization.
• Share documents built in this blueprint or workshop with your technical teams to ensure they have a clear picture of the entire configuration management practice.
• Share your measures and view of success and communicate wins throughout building the practice.

For a more detailed program, see Drive Technology Adoption

Formulate a communications plan to ensure all stakeholders and impacted staff will be aware of the plan

Communication is key to success in process adoption and in identifying potential risks and issues with integration with other processes. Engage as often as needed to get the information you need for the project and for adoption.

Identify Messages

Distinct information that needs to be sent at various times. Think about:

• Who will be impacted and how.
• What the goals are for the project/new process.
• What the audience needs to know about the new process and how they will interface with each business unit.
• How people can request configuration data.

Identify Audiences

Any person or group who will be the target of the communication. This may include:

• Project sponsors and stakeholders.
• IT staff who will be involved in the project.
• IT staff who will be impacted by the project (i.e. who will benefit from it or have obligations to fulfill because of it).
• Business sponsors and product owners.

Document and Track

Document messaging, medium, and responsibility, working with the communications team to refine messages before executing.

• Identify where people can send questions and feedback to ensure they have the information they need to make or accept the changes.
• Document Q&A and share in a central location.

Determine Timing

Successful communications plans consider timing of various messages:

• Advanced high-level notice of improvements for those who need to see action.
• Advanced detailed notice for those who will be impacted by workload.
• Advanced notice for who will be impacted (i.e. who will benefit from it or have obligations to fulfill because of it) once the project is ready to be transitioned to daily life.

Determine Delivery

Work with your communications team, if you have one, to determine the best medium, such as:

• Meeting announcement for stakeholders and IT.
• Newsletter for those less impacted.
• Intranet announcements: "coming soon!"
• Demonstrations with vendors or project team.

4.2.1 Build a communications plan

The communications team will use this list as a starting point.

Allot 45 minutes for this discussion.

Identify stakeholders.

1. Identify everyone who will be affected by the project and by configuration management.

Craft key messages tailored to each stakeholder group.

1. Identify the key messages that must be communicated to each group.

Finalize the communication plan.

1. Determine the most appropriate timing for communications with each group to maximize receptivity.
2. Identify any communication challenges you anticipate and incorporate steps to address them into your communication plan.
3. Identify multiple methods for getting the messages out (e.g. newsletters, emails, meetings).

3. Identify how feedback will be collected (i.e. through interviews or surveys) to measure whether the changes were communicated well.

Build a realistic, high-level roadmap including milestones

Break the work into manageable pieces

1. Plan to have multiple phases with short-, medium-, and long-term goals/timeframes. Building a CMDB is not easy and should be broken into manageable sections.
2. Set reasonable milestones. For each phase, document goals to define "done" and ensure they're reasonable for the resources you have available. If working with a vendor, include them in your discussions of what's realistic.
3. Treat the first phase as a pilot. Focus on items you understand well:
   1. Well-understood user-facing and IT services
   2. High-maturity management and governance practices
   3. Trusted data sources
4. Capture high-value, high-criticality services early. Depending on the complexity of your systems, you may need to split this phase into multiple phases.

Document this table in the Configuration Management Project Charter, section 3.0: Milestones

4.2.2 Identify milestones

Build out a high-level view to inform the project plan

Open the Configuration Management Project Charter, section 3: Milestones.
Instructions:

1. Identify high-level milestones for the implementation of the configuration management program. This may include tool evaluation and implementation, assignment of roles, etc.
2. Add details to fill out the milestone, keeping to a reasonable level of detail. This may inform vendor discussion or further development of the project plan.
3. Add target dates to the milestones. Validate they are realistic with the team.
4. Add notes to the assumptions and constraints section.
5. Identify risks to the plan.

Download the Configuration Management Project Charter

Workshop Participants

R = Recommended
O = Optional

Related Info-Tech Research

• Develop an IT Asset Management Strategy
• Implement Hardware Asset Management
• Implement Software Asset Management
• Optimize IT Change Management
• Drive Technology Adoption
• Improve Incident and Problem Management

Research Contributors and Experts

Thank you to everyone who contributed to this publication

Brett Johnson, Senior Consultant, VMware

Yev Khovrenkov, Senior Consultant, Solvera Solutions

Larry Marks, Reviewer, ISACA New Jersey

Darin Ohde, Director of Service Delivery, GreatAmerica Financial Services

Jim Slick, President/CEO, Slick Cyber Systems

Emily Walker, Sr. Digital Solution Consultant, ServiceNow

Valence Howden, Principal Research Director, Info-Tech Research Group

Allison Kinnaird, Practice Lead, IT Operations, Info-Tech Research Group

Robert Dang, Principal Research Advisor, Security, Info-Tech Research Group

Monica Braun, Research Director, IT Finance, Info-Tech Research Group

Jennifer Perrier, Principal Research Director, IT Finance, Info-Tech Research Group

Plus 13 anonymous contributors

Bibliography

An Introduction to Change Management, Prosci, Nov. 2019.
BAI10 Manage Configuration Audit Program. ISACA, 2014.
Bizo, Daniel, et al, "Uptime Institute Global Data Center Survey 2021." Uptime Institute, 1 Sept. 2021.
Brown, Deborah. "Change Management: Some Statistics." D&B Consulting Inc. May 15, 2014. Accessed June 14, 2016.
Cabinet Office. ITIL Service Transition. The Stationery Office, 2011.
"COBIT 2019: Management and Governance Objectives. ISACA, 2018.
"Configuration Management Assessment." CMStat, n.d. Accessed 5 Oct. 2022.
"Configuration Management Database Foundation." DMTF, 2018. Accessed 1 Feb. 2021.
Configuration Management Using COBIT 5. ISACA, 2013.
"Configuring Service Manager." Product Documentation, Ivanti, 2021. Accessed 9 Feb. 2021.
"Challenges of Implementing configuration management." CMStat, n.d. Accessed 5 Oct. 2022.
"Determining if configuration management and change control are under management control, part 1." CMStat, n.d. Accessed 5 Oct. 2022.
"Determining if configuration management and change control are under management control, part 2." CMStat, n.d. Accessed 5 Oct. 2022.
"Determining if configuration management and change control are under management control, part 3." CMStat, n.d. Accessed 5 Oct. 2022.
"CSDM: The Recipe for Success." Data Content Manager, Qualdatrix Ltd. 2022. Web.
Drogseth, Dennis, et al., 2015, CMDB Systems: Making Change Work in the Age of Cloud and Agile. Morgan Kaufman.
Ewenstein, B, et al. "Changing Change Management." McKinsey & Company, 1 July 2015. Web.
Farrell, Karen. "VIEWPOINT: Focus on CMDB Leadership." BMC Software, 1 May 2006. Web.
"How to Eliminate the No. 1 Cause of Network Downtime." SolarWinds, 4 April 2014. Accessed 9 Feb. 2021.
"ISO 10007:2017: Quality Management -- Guidelines for Configuration Management." International Organization for Standardization, 2019.
"IT Operations Management." Product Documentation, ServiceNow, version Quebec, 2021. Accessed 9 Feb. 2021.
Johnson, Elsbeth. "How to Communicate Clearly During Organizational Change." Harvard Business Review, 13 June 2017. Web.
Kloeckner, K. et al. Transforming the IT Services Lifecycle with AI Technologies. Springer, 2018.
Klosterboer, L. Implementing ITIL Configuration Management. IBM Press, 2008.
Norfolk, D., and S. Lacy. Configuration Management: Expert Guidance for IT Service Managers and Practitioners. BCS Learning & Development Limited, revised ed., Jan. 2014.
Painarkar, Mandaar. "Overview of the Common Data Model." BMC Documentation, 2015. Accessed 1 Feb. 2021.
Powers, Larry, and Ketil Been. "The Value of Organizational Change Management." Boxley Group, 2014. Accessed June 14, 2016.
"Pulse of the Profession: Enabling Organizational Change Throughout Strategic Initiatives." PMI, March 2014. Accessed June 14, 2016.
"Service Configuration Management, ITIL 4 Practice Guide." AXELOS Global Best Practice, 2020
"The Guide to Managing Configuration Drift." UpGuard, 2017.

Diagnose and Optimize Your Lead Gen Engine

Quickly and easily pinpoint any weakness in your lead gen engine so that you stop wasting money and effort on ineffective advertising and marketing.

EXECUTIVE BRIEF

Analyst Perspective

Quickly and easily pinpoint any weakness in your lead gen engine so that you stop wasting money and effort on ineffective advertising and marketing.

Senior digital marketing leaders are accountable for building relationships, creating awareness, and developing trust and loyalty with website visitors, thereby delivering high-quality, high-value leads that Sales can easily convert to wins. Unfortunately, many marketing leaders report that their website visitors are low-quality and either disengage quickly or, when they engage further with lead gen engine components, they just don’t convert. These marketing leaders urgently need to diagnose what’s not working in three key areas in their lead gen engine to quickly remedy the issue and get back on track, building new customer relationships and driving loyalty. This blueprint will provide you with a tool to quickly and easily diagnose weakness within your lead gen engine. You can use the results to create a strategy that builds relationships, creates awareness, and establishes trust and loyalty with prospects.

Terra Higginson

Marketing Research Director

SoftwareReviews

Executive Summary

Your Challenge

Globally, business-to-business (B2B) software-as-a-service (SaaS) marketers without a well-running lead gen engine will experience:

• A low volume of quality leads from their website.
• A low conversion rate from their website visitors.
• A long lead conversion time compared to competitors.
• A low volume of organic website visitors.

88% of marketing professionals are unsatisfied with their ability to convert leads (Convince & Convert), but poor lead conversion is just a symptom of a much larger problem with the lead gen engine. Without an accurate lead gen engine diagnostic tool and a strategy to fix the leaks, marketers will continue to waste valuable time and resources.

Common Obstacles

Even though lead generation is a critical element of marketing success, marketers struggle to fix the problems with their lead gen engine due to:

• A lack of resources.
• A lack of budget.
• A lack of experience in implementing effective lead generation strategies.

Most marketers spend too much on acquiring leads and not enough on converting and keeping them. For every $92 spent acquiring customers, only $1 is spent converting them (Econsultancy, cited in Outgrow). Marketers are increasingly under pressure to deliver high-quality leads to sales but work under tight budgets with inadequate or inexperienced staff who don’t understand the importance of optimizing the lead generation process.

SoftwareReviews’ Approach

With a targeted set of diagnostic tools and an optimization strategy, you will:

• Uncover the critical weakness in your lead generation engine.
• Develop a best-in-class lead gen engine optimization strategy that builds relationships, creates awareness, and establishes trust and loyalty with prospects.
• Build profitable long-term customer relationships.

Organizations who activate the findings from their lead generation diagnostic and optimization strategy will decrease the time and budget spent on lead generation by 25% to 50%. They will quickly uncover inefficiencies in their lead gen engine and develop a proven lead generation optimization strategy based on the diagnostic findings.

SoftwareReviews Insight

The lead gen engine is foundational in building profitable long-term customer relationships. It is the process through which marketers build awareness, trust, and loyalty. Without the ability to continually diagnose lead gen engine flaws, marketers will fail to optimize new customer relationship creation and long-term satisfaction and loyalty.

Your Challenge

88% of marketing professionals are unsatisfied with their ability to convert leads, but poor lead conversion is just a symptom of much deeper problems.

Globally, B2B SaaS marketers without a well-running lead gen engine will experience:

• A low volume of organic website visitors.
• A low volume of quality leads from their website.
• A low conversion rate from their website visitors.
• A longer lead conversion time than competitors in the same space.

If treated without a root-cause analysis, these symptoms often result in higher-than-average marketing spend and wasted resources. Without an accurate lead gen engine diagnostic tool and a strategy to fix the misfires, marketers will continue to waste valuable time and resources.

88% of marketers are unsatisfied with lead conversion (Convince & Convert).

Benchmarks

Compare your lead gen engine metrics to industry benchmarks.

Midmarket B2B SaaS Industry

Source: “B2B SaaS Marketing KPIs,” First Page Sage, 2021

Common obstacles

Why do most organizations improperly diagnose a misfiring lead gen engine?

Lack of Clear Starting Point

The lead gen engine is complex, with many moving parts, and marketers and marketing ops are often overwhelmed about where to begin diagnosis.

Lack of Benchmarks

Marketers often call out metrics such as increasing website visitors, contact-to-lead conversions, numbers of qualified leads delivered to Sales, etc., without a proven benchmark to compare their results against.

Lack of Alignment Between Marketing and Sales

Definitions of a contact, a marketing qualified lead, a sales qualified lead, and a marketing influenced win often vary.

Lack of Measurement Tools

Integration gaps between the website, marketing automation, sales enablement, and analytics exist within some 70% of enterprises. The elements of the marketing (and sales) tech stack change constantly. It’s hard to keep up.

Lack of Understanding of Marketing ROI

This drives many marketers to push the “more” button – more assets, more emails, more ad spend – without first focusing on optimization and effectiveness.

Lack of Resources

Marketers have an endless list of to-dos that drive them to produce daily results. Especially among software startups and mid-sized companies, there are just not enough staff with the right skills to diagnose and fix today’s sophisticated lead gen engines.

Implications of poor diagnostics

Without proper lead gen engine diagnostics, marketing performs poorly

• The lead gen engine builds relationships and trust. When a broken lead gen engine goes unoptimized, customer relationships are at risk.
• When the lead gen engine isn’t working well, customer acquisition costs rise as more expensive sales resources are charged with prospect qualification.
• Without a well-functioning lead gen engine, marketers lack the foundation they need to create awareness among prospects – growth suffers.
• Marketers will throw money at content or ads to generate more leads without any real understanding of engine leakage and misfires – your cost per lead climbs and reduces marketing profitability.

Most marketers are spending too much on acquiring leads and not enough on converting and keeping them. For every $92 spent acquiring customers, only $1 is spent converting them.

Source: Econsultancy, cited in Outgrow

Lead gen engine optimization increases the efficiency of your marketing efforts and has a 223% ROI.

Source: WordStream

Benefits of lead gen engine diagnostics

Diagnosing your lead gen engine delivers key benefits:

• Pinpoint weakness quickly. A quick and accurate lead gen engine diagnostic tool saves Marketing 50% of the effort spent uncovering the reason for low conversion and low-quality leads.
• Optimize more easily. Marketing executives will save 70% of the time spent creating a lead gen optimization marketing strategy based upon the diagnostic findings.
• Maximize marketing ROI. Build toward and maintain the golden 3:1 LTV:CAC (lifetime value to customer acquisition cost) ratio for B2B SaaS marketing.
• Stop wasting money on ineffective advertising and marketing. Up to 75% of your marketing budget is being inefficiently spent if you are running on a broken lead gen engine.

“It’s much easier to double your business by doubling your conversion rate than by doubling your traffic. Correct targeting and testing methods can increase conversion rates up to 300 percent.” – Jeff Eisenberg, IterateStudio

Source: Lift Division

True benefits of fixing the lead gen engine

These numbers add up to a significant increase in marketing influenced wins.

175%
Buyer Personas Increase Revenue
Source: Illumin8

202%
Personalized CTAs Increase Conversions
Source: HubSpot

50%
Lead Magnets Increase Conversions
Source: ClickyDrip

79%
Lead Scoring Increases Conversions
Source: Bloominari

50%
Lead Nurturing Increases Conversions
Source: KevinTPayne.com

80%
Personalized Landing Pages Increase Conversions
Source: HubSpot

Who benefits from an optimized lead gen engine?

This Research Is Designed for:

• Senior digital marketing leaders who are:
  • Looking to increase conversions.
  • Looking to increase the quality of leads.
  • Looking to increase the value of leads.

This Research Will Help You:

• Diagnose issues with your lead gen engine.
• Create a lead gen optimization strategy and a roadmap.

This Research Will Also Assist:

• Digital marketing leaders and product marketing leaders who are:
  • Looking to decrease the effort needed by Sales to close leads.
  • Looking to increase leadership’s faith in Marketing’s ability to generate high-quality leads and conversions.

This Research Will Help Them:

• Align the Sales and Marketing teams.
• Receive the necessary buy-in from management to increase marketing spend and headcount.
• Avoid product failure.

SoftwareReviews’ approach

1. Diagnose Misfires in the Lead Gen Engine

Identifying any areas of weakness within your lead gen engine is a fundamental first step in improving conversions, ROI, and lead quality.

2. Create a Lead Gen Optimization Strategy

Optimize your lead gen strategy with an easily customizable template that will provide your roadmap for future growth.

The SoftwareReviews Methodology to Diagnose and Optimize Your Lead Gen Engine

Insight Summary

The lead gen engine is the foundation of marketing

The lead gen engine is critical to building relationships. It is the foundation upon which marketers build awareness, trust, and loyalty.

Misalignment between Sales and Marketing is costly

Digital marketing leaders need to ensure agreement with Sales on the definition of a marketing qualified lead (MQL), as it is the most essential element of stakeholder alignment.

Prioritization is necessary for today’s marketer

By prioritizing the fixes within the lead gen engine that have the highest impact, a marketing leader will be able to focus their optimization efforts in the right place.

Stop, your engine is broken

Any advertising or effort expended while running marketing on a broken lead gen engine is time and money wasted. It is only once the lead gen engine is fixed that marketers will see the true results of their efforts.

Tactical insight

Without a well-functioning lead gen engine, marketers risk wasting valuable time and money because they aren’t creating relationships with prospects that will increase the quality of leads, conversion rate, and lifetime value.

Tactical insight

The foundational lead relationship must be built at the marketing level, or else Sales will be entirely responsible for creating these relationships with low-quality leads, risking product failure.

Blueprint Deliverable:

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Lead Gen Engine Diagnostic

An efficient and easy-to-use diagnostic tool that uncovers weakness in your lead gen engine.

Key Deliverable:

Lead Gen Engine Optimization Strategy Template

A comprehensive strategy for optimizing conversions and increasing the quality of leads.

SoftwareReviews Offers Various Levels of Support to Meet Your Needs

Included within Advisory Membership:

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Optional add-ons:

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Guided Implementation

What does a typical GI on lead gen engine diagnostics look like?

Diagnose Your Lead Gen Engine

Call #1: Scope requirements, objectives, and specific challenges with your lead gen engine.

Call #2: Gather baseline metrics and discuss the steering committee and working team.

Call #3: Review results from baseline metrics and answer questions.

Call #4: Discuss the lead gen engine diagnostic tool and your steering committee.

Call #5: Review results from the diagnostic tool and answer questions.

Develop Your Lead Gen Engine Optimization Strategy

Call #6: Identify components to include in the lead gen engine optimization strategy.

Call #7: Discuss the roadmap for continued optimization.

Call #8: Review final lead gen engine optimization strategy.

Call #9: (optional) Follow-up quarterly to check in on progress and answer questions.

A Guided Implementation (GI) is series of calls with a SoftwareReviews Advisory analyst to help implement our best practices in your organization. For guidance on marketing applications, we can arrange a discussion with an Info-Tech analyst. Your engagement managers will work with you to schedule analyst calls.

Workshop Overview

Contact your account representative for more information.

workshops@infotech.com1-888-670-8889

Phase 1

Lead Gen Engine Diagnostic

This phase will walk you through the following activities:

The diagnostic tool will allow you to quickly and easily identify the areas of weakness in the lead gen engine by answering some simple questions. The steps include:

• Select the lead gen engine optimization committee and team.
• Gather baseline metrics.
• Run the lead gen engine diagnostic.
• Identify and prioritize low-scoring areas.

This phase involves the following participants:

• Marketing lead
• Lead gen engine steering committee

Step 1.1

Identify Lead Gen Engine Optimization Steering Committee & Working Team

Activities

1.1.1 Identify the lead gen engine optimization steering committee and document in the Lead Gen Engine Optimization Strategy Template

1.1.2 Identify the lead gen engine optimization working team document in the Lead Gen Engine Optimization Strategy Template

This step will walk you through the following activities:

Identify the lead gen engine optimization steering committee.

This step involves the following participants:

• Marketing director
• Leadership

Outcomes of this step

An understanding of who will be responsible and who will be accountable for accomplishing the lead gen engine diagnostic and optimization strategy.

1.1.1 Identify the lead gen engine optimization steering committee

1-2 hours

1. The marketing lead should meet with leadership to determine who will make up the steering committee for the lead gen engine optimization.
2. Document the steering committee members in the Lead Gen Engine Optimization Strategy Template slide entitled “The Steering Committee.”

Download the Lead Gen Engine Optimization Strategy Template

Lead gen engine optimization steering committee

Consider the skills and knowledge required for the diagnostic and the implementation of the strategy. Constructing a cross-functional steering committee will be essential for the optimization of the lead gen engine. At least one stakeholder from each relevant department should be included in the steering committee.

For small and mid-sized businesses (SMB), because employees wear many different hats, assign people that have the requisite skills and knowledge, not the role title.

1.1.2 Identify the lead gen engine optimization working team

1-2 hours

1. The marketing director should meet with leadership to determine who will make up the working team for the lead gen engine optimization.
2. Finalize selection of team members and fill out the slide entitled “The Working Team” in the Lead Gen Engine Optimization Strategy Template.

Download the Lead Gen Engine Optimization Strategy Template

Lead gen engine working team

Consider the working skills required for the diagnostic and implementation of the strategy and assign the working team.

Step 1.2

Gather Baseline Metrics

Activities

1.2.1 Gather baseline metrics and document in the Lead Gen Engine Optimization Strategy Template

This step will walk you through the following activities:

Gather baseline metrics.

This step involves the following participants:

• Marketing director
• Analytics lead

Outcomes of this step

Understand and document baseline marketing metrics.

1.2.1 Gather baseline metrics and document in the Lead Gen Engine Optimization Strategy Template

1-2 hours

1. Use the example on the next slide to learn about the B2B SaaS industry-standard baseline metrics.
2. Meet with the analytics lead to analyze and record the data within the “Baseline Metrics” slide of the Lead Gen Engine Optimization Strategy Template. The baseline metrics will include:
   • Unique monthly website visitors
   • Visitor to lead conversion rate
   • Lead to MQL conversion rate
   • Customer acquisition cost (CAC)
   • Lifetime customer value to customer acquisition cost (LTV to CAC) ratio
   • Campaign ROI

Recording the baseline data allows you to measure the impact your lead gen engine optimization strategy has over the baseline.

B2B SaaS baseline metrics

Industry standard metrics for B2B SaaS in 2022

Unique Monthly Visitors

Industry standard is 5% to 10% growth month over month.

Visitor to Lead Conversion

Industry standard is between 0.9% to 2.1%.

Lead to MQL Conversion

Industry standard is between 36% to 48%.

CAC

Industry standard is a cost of $400 to $850 per customer acquired.

LTV to CAC Ratio

Industry standard is an LTV:CAC ratio between 3 to 6.

Campaign ROI

Email: 201%

Pay-Per-Click (PPC): 36%

LinkedIn Ads: 94%

Source: “B2B SaaS Marketing KPIs,” First Page Sage, 2021

Update the Lead Gen Optimization Strategy Template with your company’s baseline metrics.

Download the Lead Gen Engine Optimization Strategy Template

Step 1.3

Run the Lead Gen Engine Diagnostic

Activities

1.3.1 Gather steering committee and working team to complete the Lead Gen Engine Diagnostic Tool

This step will walk you through the following activities:

Gather the steering committee and answer the questions within the Lead Gen Engine Diagnostic Tool.

This step involves the following participants:

• Lead gen engine optimization working team
• Lead gen engine optimization steering committee

Outcomes of this step

Lead gen engine diagnostic and scorecard

1.3.1 Gather the committee and team to complete the Lead Gen Engine Diagnostic Tool

2-3 hours

1. Schedule a two-hour meeting with the steering committee and working team to complete the Lead Gen Engine Diagnostic Tool. To ensure the alignment of all departments and the quality of results, all steering committee members must participate.
2. Answer the questions within the tool and then review your company’s results in the Results tab.

Download the Lead Gen Engine Diagnostic Tool

Step 1.4

Identify & Prioritize Low-Scoring Areas

Activities

1.4.1 Identify and prioritize low-scoring areas from the diagnostic scorecard

This step will walk you through the following activities:

Identify and prioritize the low-scoring areas from the diagnostic scorecard.

This step involves the following participants:

• Marketing director

Outcomes of this step

A prioritized list of the lead gen engine problems to include in the Lead Gen Engine Optimization Strategy Template

1.4.1 Identify and prioritize low-scoring areas from the diagnostic scorecard

1 hour

1. Transfer the results from the Lead Gen Engine Diagnostic Scorecard Results tab to the Lead Gen Engine Optimization Strategy Template slide entitled “Lead Gen Engine Diagnostic Scorecard.”
   • Results between 0 and 2 should be listed as high-priority fixes on the “Lead Gen Engine Diagnostic Scorecard” slide. You will use these areas for your strategy.
   • Results between 2 and 3 should be listed as medium-priority fixes on “Lead Gen Engine Diagnostic Scorecard” slide. You will use these areas for your strategy.
   • Results between 3 and 4 are within the industry standard and will require no fixes or only small adjustments.

Download the Lead Gen Engine Diagnostic Tool

Phase 2

Lead Gen Engine Optimization Strategy

This phase will walk you through the following activities:

Create a best-in-class lead gen optimization strategy and roadmap based on the weaknesses found in the diagnostic tool. The steps include:

• Define the roadmap.
• Create a lead gen engine optimization strategy.
• Present the strategy to the steering committee.

This phase involves the following participants:

• Marketing director

Step 2.1

Define the Roadmap

Activities

2.1.1 Create the roadmap for the lead gen optimization strategy

This step will walk you through the following activities:

Create the optimization roadmap for your lead gen engine strategy.

This step involves the following participants:

• Marketing director

Outcomes of this step

Strategy roadmap

2.1.1 Create the roadmap for the lead gen optimization strategy

1 hour

1. Copy the results from "The Lead Gen Engine Diagnostic Scorecard" slide to the "Value, Resources & Roadmap Matrix" slide in the Lead Gen Engine Optimization Strategy Template. Adjust the Roadmap Quarter column after evaluating the internal resources of your company and expected value generated.
2. Using these results, create your strategy roadmap by updating the slide entitled “The Strategy Roadmap” in the Lead Gen Engine Optimization Strategy Template.

Download the Lead Gen Engine Optimization Strategy Template

Step 2.2

Create the Lead Gen Engine Optimization Strategy

Activities

2.2.1 Customize your lead gen engine optimization strategy using the template

This step will walk you through the following activities:

Create a lead gen engine optimization strategy based on the results of your diagnostic scorecard.

This step involves the following participants:

Marketing director

Outcomes of this step

A leadership-facing lead gen optimization strategy

2.2.1 Customize your lead gen engine optimization strategy using the template

2-3 hours

Review the strategy template:

1. Use "The Strategy Roadmap" slide to organize the remaining slides from the Q1, Q2, and Q3 sections.
   1. Fixes listed in "The Strategy Roadmap" under Q1 should be placed within the Q1 section.
   2. Fixes listed in "The Strategy Roadmap" under Q2 should be placed within the Q2 section.
   3. Fixes listed in "The Strategy Roadmap" under Q3 should be placed within the Q3 section.

Download the Lead Gen Engine Optimization Strategy Template

Step 2.3

Present the strategy to the steering committee

Activities

2.3.1 Present the findings of the diagnostic and the lead gen optimization strategy to the steering committee.

This step will walk you through the following activities:

Get executive buy-in on the lead gen engine optimization strategy.

This step involves the following participants:

• Marketing director
• Steering committee

Outcomes of this step

• Buy-in from leadership on the strategy

2.3.1 Present findings of diagnostic and lead gen optimization strategy to steering committee

1-2 hours

1. Schedule a presentation to present the findings of the diagnostic, the lead gen engine optimization strategy, and the roadmap to the steering committee.

Download the Lead Gen Engine Optimization Strategy Template

Related SoftwareReviews Research

Create a Buyer Persona and Journey

Make it easier to market, sell, and achieve product-market fit with deeper buyer understanding.

• Reduce time and treasure wasted chasing the wrong prospects.
• Improve product-market fit.
• Increase open and click-through rates in your lead gen engine.
• Perform more effective sales discovery and increase eventual win rates.

Optimize Lead Generation With Lead Scoring

In today’s competitive environment, optimizing Sales’ resources by giving them qualified leads is key to B2B marketing success.

• Lead scoring is a must-have capability for high-tech marketers.
• Without lead scoring, marketers will see increased costs of lead generation and decreased SQL-to-opportunity conversion rates.
• Lead scoring increases sales productivity and shortens sales cycles.

Build a More Effective Go-to-Market Strategy

Creating a compelling go-to-market strategy and keeping it current is a critical software company function – as important as financial strategy, sales operations, and even corporate business development – given its huge impact on the many drivers of sustainable growth.

• Align stakeholders on a common vision and execution plan.
• Build a foundation of buyer and competitive understanding.
• Deliver a team-aligned launch plan that enables commercial success.

Bibliography

“11 Lead Magnet Statistics That Might Surprise You.” ClickyDrip, 28 Dec. 2020. Accessed April 2022.

“45 Conversion Rate Optimization Statistics Every Marketer Should Know.” Outgrow, n.d. Accessed April 2022.

Bailyn, Evan. “B2B SaaS Funnel Conversion Benchmarks.” First Page Sage, 24 Feb. 2021. Accessed April 2022.

Bailyn, Evan. “B2B SaaS Marketing KPIs: Behind the Numbers.” First Page Sage, 1 Sept. 2021. Accessed April 2022.

Conversion Optimization.” Lift Division, n.d. Accessed April 2022.

Corson, Sean. “LTV:CAC Ratio [2022 Guide] | Benchmarks, Formula, Tactics.” Daasity, 3 Nov. 2021. Accessed April 2022.

Dudley, Carrie. “What are personas?” Illumin8, 26 Jan. 2018. Accessed April 2022.

Godin, Seth. “Permission Marketing.” Accenture, Oct. 2009. Accessed April 2022.

Lebo, T. “Lead Conversion Statistics All B2B Marketers Need to Know.” Convince & Convert, n.d. Accessed April 2022.

Lister, Mary. “33 CRO & Landing Page Optimization Stats to Fuel Your Strategy.” WordStream, 24 Nov. 2021. [Accessed April 2022].

Nacach, Jamie. “How to Determine How Much Money to Spend on Lead Generation Software Per Month.” Bloominari, 18 Sept. 2018. Accessed April 2022.

Needle, Flori. “11 Stats That Make a Case for Landing Pages.” HubSpot, 10 June 2021. Accessed April 2022.

Payne, Kevin. “10 Effective Lead Nurturing Tactics to Boost Your Sales.” Kevintpayne.com, n.d. Accessed April 2022.

Tam, Edwin. “ROI in Marketing: Lifetime Value (LTV) & Customer Acquisition Cost (CAC).” Construct Digital, 19 Jan. 2016. Accessed April 2022.

Create a Post-Implementation Plan for Microsoft 365

You’ve deployed M365. Now what? Look at your business goals and match your M365 KPIs to meet those objectives.

Analyst perspective

You’ve deployed M365. Now what?

There are three primary objectives when deploying Microsoft 365: from a business perspective, the expectations are based on productivity; from an IT perspective, the expectations are based on IT efficiencies, security, and compliance; and from an organizational perspective, they are based on a digital employee experience and collaborative functionality. Of course, all these expectations are based on one primary objective, and that is user adoption of Teams, OneDrive, and SharePoint Online. A mass adoption, along with a high usage rate and a change in the way users work, is required for your investment in M365 to be considered successful. So, adoption is your first step, and that can be tracked and analyzed through analytics in M365 or other tools. But what else needs to be considered once you have released M365 on your organization? What about backup? What about security? What about sharing data outside your business? What about self-service? What about ongoing training? M365 is a powerful suite of tools, and taking advantage of all that it entails should be IT’s primary goal. How to accomplish that, efficiently and securely, is up to you!

John Donovan Principal Research Director, I&O Info-Tech Research Group

Insight summary

Executive summary

Info-Tech Insight

There are three primary areas where organizations fail in a successful implementation of M365: training, adoption, and information governance. While it is not up to IT to ensure every user is well trained, it is their initial responsibility to find champions, SMEs, and business-based trainers and to manage information governance from backup, retention, and security aspects of data management.

Business priorities

What priorities is IT focusing on with M365 adoption?

What IT teams are saying

• In a 2019 SoftwareONE survey, the biggest reason IT decision makers gave for adopting M365 was to achieve a “more collaborative working style.”
• Organizations must plan and execute a strategy for mass adoption and training to ensure processes match business goals.
• Cost savings can only be achieved through rightsizing license subscriptions, retiring legacy apps, and building efficiencies within the IT organization.
• With increased mobility comes with increased cybersecurity risk. Make sure you take care of your security before prioritizing mobility. Multifactor authentication (MFA), conditional access (CA), and additional identity management will maintain a safe work-from-anywhere environment.

Top IT reasons for adopting M365

61% More collaborative working style

54% Cost savings

51% Improved cybersecurity

49% Greater mobility

Source: SoftwareONE, 2019; N=200 IT decision makers across multiple industries and organization sizes

Define & organize post-implementation projects

Key areas to success

• Using Microsoft’s M365 adoption guide, we can prioritize and focus on solutions that will bring about better use of the M365 suite.
• Most of your planning and prioritizing should be done before implementation. Many organizations, however, adopted M365 – and especially Teams, SharePoint Online, and OneDrive – in an ad hoc manner in response to the pandemic measures that forced users to work from home.
• Use a Power BI Pro license to set up dashboards for M365 usage analytics. Install GitHub from AppSource and use the templates that will give you good insight and the ability to create business reports to show adoption and usage rates on the platform.
• Reimagine your working behavior. Remember, you want to bring about a more collective and open framework for work. Take advantage of a champion SME to show the way. Every organization is different, so make sure your training is aligned to your business processes.

Process steps

Info-Tech’s approach

Use the out-of-the-box tools and take advantage of your subscription.

Info-Tech Insight

A clear understanding of the business purpose and processes, along with insight into the organizational culture, will help you align the right apps with the right tasks. This approach will bring about better adoption and collaboration and cancel out the shadow IT products we see in every business silo.

Leverage built-in usage analytics

Adoption of services in M365

To give organizations insight into the adoption of services in M365, Microsoft provides built-in usage analytics in Power BI, with templates for visualization and custom reports. There are third-party tools out there, but why pay more? However, the template app is not free; you do need a Power BI Pro license.

Usage Analytics pulls data from ActiveDirectory, including location, department, and organization, giving you deeper insight into how users are behaving. It can collect up to 12 months of data to analyze.

Reports that can be created include Adoption, Usage, Communication, Collaboration (how OneDrive and SharePoint are being used), Storage (cloud storage for mailboxes, OneDrive, and SharePoint), and Mobility (which clients and devices are used to connect to Teams, email, Yammer, etc.).

Source: Microsoft 365 usage analytics

Understand admin roles

Prevent intentional or unintentional internal breaches

Secure your M365 tenant

A checklist to ensure basic security coverage post M365

• Multifactor Authentication: MFA is part of your M365 tenant, so using it should be a practical identity security. If you want additional conditional access (CA), you will require an Azure AD (AAD) Premium P1+ license. This will ensure adequate identity security protecting the business.
• Password Protection: Use the AAD portal to set this up under Security > Authentication Methods. Microsoft provides a list of over 2,000 known bad passwords and variants to block.
• Legacy Authentication: Disable legacy protocols; check to see if your legacy apps/workflows/scripts use them in the AAD portal. Once identified, update them and turn the protocols off. Use CA policies.
• Self-Service Password Reset: Enable self-service to lower the helpdesk load for password resets. Users will have to initially register and set security questions. Hybrid AD businesses must write back to AD from AAD once changes are made.
• Security Defaults: For small businesses, turn on default settings. To enable additional security settings, such as break- glass accounts, go into Manage Security Defaults in your AAD properties.
• Conditional Access (CA) Policies: Use CA policies if strong identity security and zero trust are required. To create policies in AAD go to Security > Conditional Access > New Policies.

Identity Checklist

• Enable MFA for Admins
• Enable MFA for Users
• Disable App Passwords
• Configure Trusted IPs
• Disable Text/Phone MFA
• Remember MFA on Trusted Devices for 90 Days
• Train Staff in Using MFA Correctly
• Integrate Apps Into Azure AD

Training guidelines

Identify business scenarios and training adoption KPIs

• Customize your training to meet your organizational goals, align with your business culture, and define how users will work inside the world of M365.
• Create scenario templates that align to your current day-to-day operations in each department. These can be created by individual business unit champions.
• Make sure you have covered must-have capabilities and services within M365 that need to be rolled out post-pilot.
• Phase in large transitions rather than multiple small ones to ensure collaboration between departments meets business scenarios.
• Ensure your success metrics are being measured and continue to communicate and train after deployment using tools available in M365. See Microsoft’s adoption guidelines and template for training.

Determine your training needs and align with your business processes. Choose training modalities that will give users the best chance of success. Consider one or many training methods, such as:

• Online training
• In-person classroom
• Business scenario use cases
• Mentoring
• Department champion/Early adopter
• Weekly bulletin fun facts

Don’t forget backup!

Providing 99% uptime and availability is not enough

Why is M365 backup so important?

Accidental Data Deletion.

If a user is deleted, that deletion gets replicated across the network. Backup can save you here by restoring that user.

Internal and External Security Threats.

Malicious internal deletion of data and external threats including viruses, ransomware, and malware can severely damage a business and its reputation. A clean backup can easily restore the business’ uninfected data.

Legal and Compliance Requirements.

While e-discovery and legal hold are available to retain sensitive data, a third-party backup solution can easily search and restore all data to meet regulatory requirements – without depending on someone to ensure a policy was set.

Retention Policy Gaps.

Retention policies are not a substitute for backup. While they can be used to retain or delete content, they are difficult to keep track of and manage. Backups offer greater latitude in retention and better security for that data.

Retire your legacy apps to gain adoption

Identify like for like and retire your legacy apps

To meet the objectives of cost reduction and rationalization, look at synergies that M365 brings to the table. Determine what you are currently using to meet collaboration, storage, and security needs and plan to use the equivalent in your Microsoft entitlement.

Managing M365’s hidden costs

Licenses and storage limits TCO

• Email security. Ninety-one percent of all cyberattacks come from phishing on email. Microsoft Defender for M365 is a bolt-on, so it is an additional cost.
• Backup. This will bring additional cost to M365. Plan to spend more to ensure data is backed up and stored.
• Email archiving. Archiving is different than backup. See our research on the subject. Archiving is needed for compliance purposes. Email archiving solutions are available through third-party software, which is an added cost.
• Email end-to-end encryption. This is a requirement for all organizations that are serious about security. The enterprise products from Microsoft come at an additional cost.
• Cybersecurity training. IT needs to ramp up on training, another expense.
• Microsoft 365 Power Platform Licencing. From low-code and no-code developer tools (Power Apps), workflow tools (Power Automate), and business intelligence (Power BI) – while the E5 license gives you Power BI Pro, there are limitations and costs. Power BI Pro has limitations for data volume, data refresh, and query response time, so your premium license comes at a considerably marked up cost.

M365 is not standalone

• While Microsoft 365 is a platform that is ”just good enough,” it is actually not good enough in today’s cyberthreat environment. Microsoft provides add-ons with Defender for 365, Purview, and Sentinel, which pose additional costs, just like a third-party solution would. See the Threat Intelligence & Incident Response research in our Security practice.
• The lack of data archiving, backup, and encryption means additional costs that may not have been budgeted for at the outset. Microsoft provides 30-60-90-day recovery, but anything else is additional cost. For more information see Understand the Difference between Backups and Archiving.

Compliance and regulations

Security and compliance features out of the box

There are plenty of preconfigured security features contained in M365, but what’s available to you depends on your license. For example, Microsoft Defender, which has many preset policies, is built-in for E5 licenses, but if you have E3 licenses Defender is an add-on.

Three elements in security policies are profiles, policies, and policy settings.

• Preset Profiles come in the shape of:
  • Standard – baseline protection for most users
  • Strict – aggressive protection for profiles that may be high-value targets
  • Built-in Protection – turned on by default; it is not recommended to make exceptions based on users, groups, or domains
• Preset Security Policies
  • Exchange Online Protection Policies – anti-spam, -malware, and -phishing policies
  • Microsoft Defender Policies – safe links and safe attachments policies
• Policy Settings
  • User impersonation protection for internal and external domains
  • Select priorities from strict, standard, custom, and built-in

Info-Tech Insight

Check your license entitlement before you start purchasing add-ons or third-party solutions. Security and compliance are not optional in today’s cybersecurity risk world. With many organizations offering hybrid and remote work arrangements and bring-your-own-device (BYOD) policies, it is necessary to protect your data at the tenant level. Defender for Microsoft 365 is a tool that can protect both your exchange and collaboration environments.

More information: Microsoft 365 Defender

Use Intune and Autopilot

Meet the needs of your hybrid workforce

• Using the tools available in M365 can help you develop your hybrid or remote work strategy.
• This strategy will help you maintain security controls for mobile and BYOD.
• Migrating to Intune and Autopilot will give rise to the opportunity to migrate off SCCM and further reduce your on-premises infrastructure.

NOTE: You must have Azure AD Premium and Windows 10 V1703 or later as well as Intune or other MDM service to use Autopilot. There is a monthly usage fee based on volume of data transmitted. These fees can add up over time.

For more details visit the following Microsoft Learn pages:

• Overview of Windows Autopilot
• Windows Autopilot registration overview
• Microsoft Intune fundamentals
• Tutorial: Walkthrough Intune in Microsoft Endpoint Manager

Intune /Autopilot Overview

Info-Tech’s research on zero-touch provisioning goes into more detail on Intune and Autopilot:
Simplify Remote Deployment With Zero-Touch Provisioning

M365 long-term strategies

Manage your costs in an inflationary world

• Recent inflation globally, whether caused by supply chain woes or political uncertainty, will impact IT and cloud services along with everything else. Be prepared to pay more for your existing services and budget accordingly.
• Your long-term strategies must include ongoing cost management, data management, security risks, and license and storage costs.
• Continually investigate efficiencies, overlaps, and new tools in M365 that can get the job done for the business. Use as many of the applications as you can to ensure you are getting the best bang for your buck.
• Watch for upgrades in the M365 suite of tools. As Microsoft continues to improve and deliver on most business applications well after their first release, you may find that something that was previously inefficient could work in your environment today and replace a tool you currently use.

Ongoing Activities You Need to Maintain

• Be aware of increased license costs and higher storage costs.
• Keep an eye on Teams sprawl.
• Understand your total cost of ownership.
• Continue to look at legacy apps and get rid of your infrastructure debt.

Activity

Build your own M365 post-migration plan

1. Using slide 6 as your guideline, create your own project list using impact and difficulty as your weighting factors.
2. Do this exercise as a whiteboard sticky note exercise to agree on impact and difficulty as a team.
3. Identify easy wins that have high impact.
4. Place the projects into a project plan with time lines.
5. Agree on start and completion dates.
6. Ensure you have the right resources to execute.

Related Info-Tech Research

Govern Office 365

• Office 365 is as difficult to wrangle as it is valuable. Leverage best practices to produce governance outcomes aligned with your goals.

Drive Ongoing Adoption With an M365 Center of Excellence

• Accelerate business processes change and get more value from your subscription by building and sharing, thanks to an effective center of excellence.

Simplify Remote Deployment With Zero-Touch Provisioning

• Adopt zero-touch provisioning to provide better services to your end users.
• Save time and resources during device deployment while providing a high-quality experience to remote end users.

Bibliography

“5 Reasons Why Microsoft Office 365 Backup Is Important.” Apps 4Rent, Dec 2021, Accessed Oct 2022 .
Chandrasekhar, Aishwarya. “Office 365 Migration Best Practices & Challenges 2022.” Saketa, 31 Mar 2022. Accessed Oct. 2022.
Chronlund, Daniel. “The Fundamental Checklist – Secure your Microsoft 365 Tenant”. Daniel Chronlund Cloud Tech Blog,1 Feb 2019. Accessed 1 Oct 2022.
Davies, Joe. “The Microsoft 365 Enterprise Deployment Guide.” Tech Community, Microsoft, 19 Sept 2018. Accessed 2 Oct 2022.
Dillaway, Kevin. “I Upgraded to Microsoft 365 E5, Now What?!.” SpyGlassMTG, 10 Jan 2022. Accessed 4 Oct. 2022.
Hartsel, Joe. “How to Make Your Office 365 Implementation Project a Success.” Centric, 20 Dec 2021. Accessed 2 Oct. 2022.
Jha, Mohit. “The Ultimate Microsoft Office 365 Migration Checklist for Pre & Post Migration.” Office365 Tips.Org, 24 June 2022. Accessed Sept. 2022.
Lang, John. “Why organizations don't realize the full value of Microsoft 365.“Business IT, 29 Nov 202I. Accessed 10 Oct 2022.
Mason, Quinn. “How to increase Office 365 / Microsoft 365 user adoption.” Sharegate, 19 Sept 2019. Accessed 3 Oct 2022.
McDermott, Matt. “6-Point Office 365 Post-Migration Checklist.” Spanning , 12 July 2019 . Accessed 4 Oct 2022.
“Microsoft 365 usage analytics.” Microsoft 365, Microsoft, 25 Oct 2022. Web.
Sharma, Megha. “Office 365 Pre & Post Migration Checklist.’” Kernel Data Recovery, 26 July 2022. Accessed 30 Sept. 2022.
Sivertsen, Per. “How to avoid a failed M365 implementation? Infotechtion, 19 Dec 2021. Accessed 2 Oct. 2022.
St. Hilaire, Dan. “Most Common Mistakes with Office 365 Deployment (and How to Avoid Them).“ KnowledgeWave, 4Mar 2019. Accessed Oct. 2022.
“Under the Hood of Microsoft 365 and Office 365 Adoption.” SoftwareONE, 2019. Web.

Build an IT Risk Management Program

Mitigate the IT risks that could negatively impact your organization.

Table of Contents

3 Executive Brief

4 Analyst Perspective

5 Executive Summary

19 Phase 1: Review IT Risk Fundamentals & Governance

43 Phase 2: Identify and Assess IT Risk

74 Phase 3: Monitor, Communicate, and Respond to IT Risk

102 Appendix

108 Bibliography

Build an IT Risk Management Program

Mitigate the IT risks that could negatively impact your organization.

EXECUTIVE BRIEF

Analyst Perspective

Siloed risks are risky business for any enterprise.

Valence Howden Principal Research Director, CIO Practice

Brittany Lutes Senior Research Analyst, CIO Practice

Risk is an inherent part of life but not very well understood or executed within organizations. This has led to risk being avoided or, when it’s implemented, being performed in isolated siloes with inconsistencies in understanding of impact and terminology.

Looking at risk in an integrated way within an organization drives a truer sense of the thresholds and levels of risks an organization is facing – making it easier to manage and leverage risk while reducing risks associated with different mitigation responses to the same risk events.

This opens the door to using risk information – not only to prevent negative impacts but as a strategic differentiator in decision making. It helps you know which risks are worth taking, driving strong positive outcomes for your organization.

Executive Summary

Your Challenge

IT has several challenges when it comes to addressing risk management:

• Risk is unavoidable. Without a formal program to manage IT risk, you may be unaware of your severest IT risks.
• The business could be making decisions that are not informed by risk.
• Reacting to risks after they occur can be costly and crippling, yet it is one of the most common tactics used by IT departments.

Common Obstacles

Many IT organizations realize these obstacles:

• IT risks and business risks are often addressed separately, causing inconsistencies in the approach.
• Security risk receives such a high profile that it often eclipses other important IT risks, leaving the organization vulnerable.
• Failing to include the business in IT risk management leaves IT leaders too accountable; the business must have accountability as well.

Info-Tech’s Approach

• Transform your ad hoc IT risk management processes into a formalized, ongoing program and increase risk management success.
• Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.
• Involve key stakeholders, including the business senior management team, to gain buy-in and to focus on the IT risks most critical to the organization.

Info-Tech Insight

IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.

Ad hoc approaches to managing risk fail because…

If you are like the majority of IT departments, you do not have a consistent and comprehensive strategy for managing IT risk.

1. Ad hoc risk management is reactionary.
2. Ad hoc risk management is often focused only on IT security.
3. Ad hoc risk management lacks alignment with business objectives.

The results:

• Increased business risk exposure caused by a lack of understanding of the impact of IT risks on the business.
• Increased IT non-compliance, resulting in costly settlements and fines.
• IT audit failure.
• Ineffective management of risk caused by poor risk information and wrong risk response decisions.
• Increased unnecessary and avoidable IT failures and fixes.

58% of organizations still lack a systematic and robust method to actually report on risks (Source: AICPA, 2021)

Data is an invaluable asset – ensure it’s protected

Risk management is a business enabler

Formalize risk management to increase your likelihood of success.

By identifying areas of risk exposure and creating solutions proactively, obstacles can be removed or circumvented before they become a real problem.

A certain amount of risk is healthy and can stimulate innovation:

• A formal risk management strategy doesn’t mean trying to mitigate every possible risk; it means exposing the organization to the right amount of risk.
• Taking a formal risk management approach allows an organization to thoughtfully choose which risks it is willing to accept.
• Organizations with high risk management maturity will vault themselves ahead of the competition because they will be aware of which risks to prepare for, which risks to ignore, and which risks to take.

Only 12% of organizations are using risk as a strategic tool most or all of the time (Source: AICPA, 2021)

IT risk is enterprise risk

Accountability for IT risks and the decisions made to address them should be shared between IT and the business.

IT risks have a direct and often aggregated impact on enterprise risks and opportunities in the same way other business risks can. This relationship must be understood and addressed through integrated risk management to ensure a consistent approach to risk.

Follow the steps of this blueprint to build or optimize your IT risk management program

Start Here	PHASE 1 Review IT Risk Fundamentals and Governance		PHASE 2 Identify and Assess IT Risk		PHASE 3 Monitor, Report, and Respond to IT Risk
	1.1 Review IT Risk Management Fundamentals	1.2 Establish a Risk Governance Framework	2.1 Identify IT Risks	2.2 Assess and Prioritize IT Risks	3.1 Monitor IT Risks and Develop Risk Responses	3.2 Report IT Risk Priorities

Integrate Risk and Use It to Your Advantage

Accelerate and optimize your organization by leveraging meaningful risk data to make intelligent enterprise risk decisions.

Risk management is more than checking an audit box or demonstrating project due diligence.

Risk Drivers Audit & compliance Preserve value & avoid loss Previous risk impact driver Major transformation Strategic opportunities		Only 7% of organizations are in a “leading” or “aspirational” level of risk maturity. (OECD, 2021)	63% of organizations struggle when it comes to defining their appetite toward strategy related risks. (“Global Risk Management Survey,” Deloitte, 2021)	Late adopters of risk management were 70% more likely to use instinct over data or facts to inform an efficient process. (Clear Risk, 2020)	55% of organizations have little to no training on ERM to properly implement such practices. (AICPA, NC State Poole College of Management, 2021)
		1. Assess Enterprise Risk Maturity	3. Build a Risk Management Program Plan	4. Establish Risk Management Processes	5. Implement a Risk Management Program
		2. Determine Authority with Governance Unfortunately, less than 50% of those in risk focused roles are also in a governance role where they have the authority to provide risk oversight. (Governance Institute of Australia, 2020)
IT can improve the maturity of the organization’s risk governance and help identify risk owners who have authority and accountability. Governance and related decision making is optimized with integrated and aligned risk data.			ERM incorporates the different types of risk, including IT, security, digital, vendor, and other risk types. The program plan is meant to consider all the major risk types in a unified approach.		Implementation of an integrated risk management program requires ongoing access to risk data by those with decision making authority who can take action.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Key deliverable: Risk Management Program Manual Use the tools and activities in each phase of the blueprint to create a comprehensive, customized program manual for the ongoing management of IT risk.	Integrated Risk Maturity Assessment Assess the organization's current maturity and readiness for integrated risk management (IRM).		Centralized Risk Register The repository for all the risks that have been identified within your environment.
	Risk Costing Tool A potential cost-benefit analysis of possible risk responses to determine a good method to move forward.		Risk Report & Risk Event Action Plan A method to report risk severity and hold risk owners accountable for chosen method of responding.

Benefit from industry-leading best practices

As a part of our research process, we used the COSO, ISO 31000, and COBIT 2019 frameworks. Contextualizing IT risk management within these frameworks ensured that our project-focused approach is grounded in industry-leading best practices for managing IT risk.

Abandon ad hoc risk management

Blueprint benefits

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 6 to 8 calls over the course of 3 to 6 months.

What does a typical GI on this topic look like?

Phase 1

• Call #1: Assess current risk maturity and organizational buy-in.
• Call #2: Establish an IT risk council and determine IT risk management program goals.

Phase 2

• Call #3: Identify the risk categories used to organize risk events.
• Call #4: Identify the threshold for risk the organization can withstand.

Phase 3

• Call #5: Create a method to assess risk event severity.
• Call #6: Establish a method to monitor priority risks and consider possible risk responses.
• Call #7: Communicate risk priorities to the business and implement risk management plan.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Build an IT Risk Management Program

Phase 1

Review IT Risk Fundamentals and Governance

This phase will walk you through the following activities:

• Gain buy-in from senior leadership
• Assess current program maturity
• Identify obstacles and pain points
• Determine the risk culture of the organization
• Develop risk management goals
• Develop SMART project metrics
• Create the IT risk council
• Complete a RACI chart

This phase involves the following participants:

• IT executive leadership
• Business executive leadership

Step 1.1

Review IT Risk Management Fundamentals

Activities

• 1.1.1 Gain buy-in from senior leadership
• 1.1.2 Assess current program maturity

This step involves the following participants:

• IT executive leadership
• Business executive leadership

Outcomes of this step

• Reviewed key IT principles and terminology
• Gained understanding of the relationship between IT risk management and ERM
• Introduced to Info-Tech’s IT Risk Management Framework
• Obtained the support of senior leadership

Effective IT risk management is possible with or without ERM

Whether or not your organization has ERM, integrating your IT risk management program with the business is possible.

Most IT departments find themselves in one of these two organizational frameworks for managing IT risk:

Info-Tech’s IT risk management framework walks you through each step to achieve risk readiness

IT Risk Management Framework

Risk Governance Optimize Risk Management Processes Assess Risk Maturity Measure the Success of the Program		Risk Identification Engage Stakeholder Participation Use Risk Identification Frameworks Compile IT-Related Risks
Risk Response Establish Monitoring Responsibilities Perform Cost-Benefit Analysis Report Risk Response Actions		Risk Assessment Establish Thresholds for Unacceptable Risk Calculate Expected Cost Determine Risk Severity & Prioritize IT Risks

Effective IT risk management benefits

Obtain the support of the senior leadership team or IT steering committee by communicating how IT risk impacts their priorities.

1.1.1 Gain buy-in from senior leadership

Input: List of IT personnel and business stakeholders

Output: Buy-in from senior leadership for an IT risk management program

Materials: Risk Management Program Manual

Participants: IT executive leadership, Business executive leadership

The resource demands of IT risk management will vary from organization to organization. Here are typical requirements:

• Occasional participation of key IT personnel and select business stakeholders in IT risk council meetings (e.g. once every two weeks).
• Periodic risk assessments (e.g. 4 days, twice a year).
• IT personnel must take on risk monitoring responsibilities (e.g. 1-4 hours per week).
• Record the results in the Program Manual sections 3.3, 3.4 and 3.5.

Record the results in the Risk Management Program Manual.

Integrated Risk Maturity Assessment

The purpose of the Integrated Risk Maturity Assessment is to assess the organization's current maturity and readiness for integrated risk management (IRM)

Frequently and continually assessing your organization’s maturity toward integrated risk ensures the right risk management program can be adopted by your organization.

Integrated Risk Maturity Assessment A simple tool to understand if your organization is ready to embrace integrated risk management by measuring maturity across four key categories: Context & Strategic Direction, Risk Culture & Authority, Risk Management Process, and Risk Program Optimization.

Use the results from this integrated risk maturity assessment to determine the type of risk management program that can and should be adopted by your organizations.

Some organizations will need to remain siloed and focused on IT risk management only, while others will be able to integrate risk-related information to start enabling automatic controls that respond to this data.

1.1.2 Assess current program maturity

1-4 hours

Input: List of IT personnel and business stakeholders

Output: Maturity scores across four key risk categories

Materials: Integrated Risk Maturity Assessment Tool

Participants: IT executive leadership, Business executive leadership

This assessment is intended for frequent use; process completeness should be re-evaluated on a regular basis.

How to Use This Assessment:

1. Download the Integrated Risk Management Maturity Assessment Tool.
2. Tab 2, "Data Entry:" This is a qualitative assessment of your integrated risk management process and is organized by the categories of integrated risk maturity. You will be asked to rate the extent to which you are executing the activities required to successfully complete each phase of the assessment. Use the drop-down menus provided to select the appropriate level of execution for each activity listed.
3. Tab 3, "Results:" This tab will display your rate of IRM completeness/maturity. You will receive a score for each category as well as an overall score. The results will be displayed numerically, by percentage, and graphically.

Record the results in the Integrated Risk Maturity Assessment.

Step 1.2

Establish a Risk Governance Framework

Activities

• 1.2.1 Identify pain points/obstacles and opportunities
• 1.2.2 Determine the risk culture of the organization
• 1.2.3 Develop risk management goals
• 1.2.4 Develop SMART project metrics
• 1.2.5 Create the IT risk council
• 1.2.6 Complete a RACI chart

This step involves the following participants:

• IT executive leadership
• Business executive leadership

Outcomes of this step

• Developed goals for the risk management program
• Established the IT risk council
• Assigned accountability and responsibility for risk management processes

Review IT Risk Fundamentals and Governance

Create an IT risk governance framework that integrates with the business

Follow these best practices to make sure your requirements are solid:

1. Self-assess your current approach to IT risk management.
2. Identify organizational obstacles and set attainable risk management goals.
3. Track the effectiveness and success of the program using SMART risk management metrics.
4. Establish an IT risk council tasked with managing IT risk.
5. Set clear risk management accountabilities and responsibilities for IT and business stakeholders.

Key metrics for your IT risk governance framework

Info-Tech Insight

Metrics provide the foundation for determining the success of your IT risk management program and ensure ongoing funding to support appropriate risk responses.

IT risk management success factors

1.2.1 Identify obstacles and pain points

1-4 hours

Input: Integrated Risk Maturity Assessment

Output: Obstacles and pain points identified

Materials: IT Risk Management Success Factors

Participants: IT executive leadership, Business executive leadership

Anticipate potential challenges and “blind spots” by determining which success factors are missing from your current situation.

Instructions:

1. List the potential obstacles and missing success factors that you must overcome to effectively manage IT risk and build a risk management program.
2. Consider some opportunities that could be leveraged to increase the success of this program.
3. Use this list in Activity 1.2.3 to develop program goals.

Risk Management

Replace the example pain points and opportunities with real scenarios in your organization.

1.2.2 Determine the risk culture of your organization

Determine how your organization fits the criteria listed below. Descriptions and examples do not have to match your organization perfectly.

Be aware of the organization’s attitude towards risk

Risk culture is an organization’s attitude towards taking risks. This attitude manifests itself in two ways:

Info-Tech Insight

Organizations typically fall in the middle of these spectrums. While risk culture will vary depending on the industry and maturity of the organization, a culture with a balanced risk appetite that is extremely risk conscious is able to make creative, dynamic decisions with reasonable limits placed on risk-related decision making.

1.2.3 Develop goals for the IT risk management program

1-4 hours

Input: Integrated Risk Maturity Assessment, Risk Culture, Pain Points and Opportunities

Output: Goals for the IT risk management program

Materials: Risk Management Program Manual

Participants: IT executive leadership, Business executive leadership

Translate your maturity assessment and knowledge about organizational risk culture, potential obstacles, and success factors to develop goals for your IT risk management program.

Instructions:

1. In the Risk Management Program Manual, revise, replace, or add to the high-level goals provided in section 2.4.
2. Make sure that you have three to five high-level goals that reflect the current and targeted maturity of IT risk management processes.
3. Integrate potential obstacles, pain points, and insights from the organization’s risk culture.

Record the results in the Risk Management Program Manual.

1.2.4 Develop SMART project metrics

Create metrics for measuring the success of the IT risk management program.

1.2.4 Develop SMART project metrics (continued)

Attach metrics to your goals to gauge the success of the IT risk management program.

Replace the example metrics with accurate KPIs or metrics for your organization.

Create the IT risk committee (ITRC)

1.2.5 Create the IT risk council

1-4 hours

Input: List of IT personnel and business stakeholders

Output: Goals for the IT risk management program

Materials: Risk Management Program Manual

Participants: CIO, CRO (if applicable), Senior Directors, Head of Operations

Identify the essential individuals from both the IT department and the business to create a permanent committee that meets regularly and carries out IT risk management activities.

Instructions:

1. Review sections 3.1 (Mandate) and 3.2 (Agenda and Responsibilities) of the IT Risk Committee Charter, located in the Risk Management Program Manual. Make any necessary revisions.
2. In section 3.3, document how frequently the council is scheduled to meet.
3. In section 3.4, document members of the IT risk council.
4. Obtain sign-off for the IT risk council from the CIO or another member of the senior leadership team in section 3.5 of the manual.

Record the results in the Risk Management Program Manual.

1.2.6 Complete RACI chart

A RACI diagram is a useful visualization that identifies redundancies and ensures that every role, project, or task has an accountable party.

1.2.6 Complete RACI chart (continued)

Assign risk management accountabilities and responsibilities to key stakeholders: