Define Requirements for Outsourcing the Service Desk

Prepare your RFP for long-term success, not short-term gains

Define Requirements for Outsourcing the Service Desk

Prepare your RFP for long-term success, not short-term gains

EXECUTIVE BRIEF

Analyst Perspective

Outsource services with your eyes wide open.

Cost reduction has traditionally been an incentive for outsourcing the service desk. This is especially the case for organizations that don't have minimal processes in place and those that need resources and skills to fill gaps.

Although cost reduction is usually the main reason to outsource the service desk, in most cases service desk outsourcing increases the cost in a short run. But without a proper model, you will only outsource your problems rather than solving them. A successful outsourcing strategy follows a comprehensive plan that defines objectives, assigns accountabilities, and sets expectations for service delivery prior to vendor outreach.

For outsourcing the service desk, you should plan ahead, work as a group, define requirements, prepare a strong RFP, and contemplate tension metrics to ensure continual improvement. As you build a project charter to outline your strategy for outsourcing your IT services, ensure you focus on better customer service instead of cost optimization. Ensure that the outsourcer can support your demands, considering your long-term achievement.

Think about outsourcing like a marriage deed. Take into account building a good relationship before beginning the contract, ensure to include expectations in the agreement, and make it possible to exit the agreement if expectations are not satisfied or service improvement is not achieved.

Mahmoud Ramin, PhD
Senior Research Analyst
Infrastructure and Operations
Info-Tech Research Group

Executive Summary

Your Challenge

In organizations where technical support is viewed as non-strategic, many see outsourcing as a cost-effective way to provide this support. However, outsourcing projects often fall short of their goals in terms of cost savings and quality of support.

Common Obstacles

Significant administrative work and up-front costs are required to outsource the service desk, and poor planning often results in project failure and the decrease of end-user satisfaction.

A complete turnover of the service desk can result in lost knowledge and control over processes, and organizations without an exit strategy can struggle to bring their service desk back in house and reestablish the confidence of end users.

Info-Tech's Approach

• First decide if outsourcing is the correct step; there may be more preliminary work to do beforehand.
• Assess requirements and make necessary adjustments before developing an outsource RFP.
• Clearly define the project and produce an RFP to provide to vendors.
• Plan for long-term success, not short-term gains.
• Prepare to retain some of the higher-level service desk work.

Info-Tech Insight

Outsourcing is easy. Realizing all of the expected cost, quality, and focus benefits is hard. Successful outsourcing without being directly involved in service desk management is almost impossible.

Your challenge

This research is designed to help organizations that need to:

• Outsource the service desk or portions of service management to improve service delivery.
• Improve and repatriate existing outsourcing outcomes by becoming more engaged in the management of the function. Regular reviews of performance metrics, staffing, escalation, knowledge base content, and customer satisfaction are critical.
• Understand the impact that outsourcing would have on the service desk.
• Understand the potential benefits that outsourcing can bring to the organization.

Info-Tech Insight

The outsourcing contract must preserve your control, possession, and ownership of the intellectual property involved in the service desk operation. From the beginning of the process, repatriation should be viewed as a possibility and preserved as a capability.

Your challenge

This research helps organizations who would like to achieve these goals:

• Determine objectives and requirements to outsource the service desk.
• Develop a project charter and build an outsourcing strategy to efficiently define processes to reduce risk of failure.
• Build an outsourcing RFP and conduct interviews to identify the best candidate for service delivery.
• Build a long-term relationship with an outsourcing vendor, making sure the vendor is able to satisfy all requirements.
• Include a continual improvement plan in the outsourcing strategy and contain the option upon service delivery dissatisfaction.

New hires require between 10 and 80 hours of training (Forward Bpo Inc., 2019).

A benchmark study by Zendesk from 45,000 companies reveals that timely resolution of issues and 24/7 service are the biggest factors in customer service experience.

These factors push many businesses to consider service desk outsourcing to vendors that have capabilities to fulfill such requirements.

Common obstacles

These barriers make this challenge difficult to address for many organizations:

• In most cases, organizations must perform significant administrative work before they can make a move. Those that fail to properly prepare impede a smooth transition, the success of the vendor, and the ability to repatriate.
• Successful outsourcing comes from the recognition that an organization is experiencing complete turnover of its service desk staff. These organizations engage the vendor to transition knowledge and process to ensure continuity of quality.
• IT realizes the most profound hidden costs of outsourcing when the rate of ticket escalation increases, diminishing the capacity of senior technical staff for strategic project work.

Many organizations may not get the value they expect from outsourcing in their first year.

Common Reasons:

• Overall lack of due diligence in the outsourcing process
• Unsuitable or unclear service transition plan
• Poor service provider selection and management

Poor transition planning results in delayed benefits and a poor relationship with your outsourcing service provider. A poor relationship with your service provider results in poor communication and knowledge transfer.

Key components of a successful plan:

1. Determine goals and identify requirements before developing an RFP.
2. Finalize your outsourcing project charter and get ready for vendor evaluation.
3. Assess and select the most appropriate provider; manage the transition and vendor relationship.

Outsource the service desk properly, and you could see a wide range of benefits

Info-Tech Insight

In your service desk outsourcing strategy, rethink downsizing first-level IT service staff. This can be an opportunity to reassign resources to more valuable roles, such as asset management, development or project backlog. Your current service desk staff are most likely familiar with the current technology, processes, and regulations within IT. Consider the ways to better use your existing resources before reducing headcount.

Info-Tech's Approach

Determine Goals

Conduct activities in the blueprint to pinpoint your current challenges with the service desk and find out objectives to outsource customer service.

Define Requirements

You need to be clear about the processes that will be outsourced. Considering your objectives, we'll help you discover the processes to outsource, to help you achieve your goals.

Develop RFP

Your expectations should be documented in a formal proposal to help vendors provide solid information about how they will satisfy your requirements and what their plan is.

Build Long-Term Relationship

Make sure to plan for continual improvement by setting expectations, tracking the services with proper metrics, and using efficient communication with the provider. Think about the rainy day and include exit conditions for ending the relationship if needed.

Info-Tech's methodology

Insight summary

Focus on value

Outsourcing is easy. Realizing all of the expected cost, quality, and focus benefits is hard. Successful outsourcing without being directly involved in service desk management is almost impossible.

Define outsourcing requirements

You don't need to standardize before you outsource, but you still need to conduct your due diligence. If you outsource without thinking about how you want the future to work, you will likely be unsatisfied with the result.

Don't focus on cost

If cost is your only driver for outsourcing, understand that there will be other challenges. Customer service quality will likely be less, and your outsourcer may not add on frills such as Continual Improvement. Be careful that your specialists don't end up spending more time working on incidents and service requests.

Emphasize on customer service

A bad outsourcer relationship will result in low business satisfaction with IT overall. The service desk is the face of IT, and if users are dissatisfied with the service desk, then they are much likelier to be dissatisfied with IT overall.

Vendors are not magicians

They have standards in place to help them succeed. Determine ITSM best practices, define your requirements, and adjust process workflows accordingly. Your staff and end users will have a much easier transition once outsourcing proceeds.

Plan ahead to guarantee success

Identify outsourcing goals, plan for service and system integrations, document standard incidents and requests, and track tension metrics to make sure the vendor does the work efficiently. Aim for building a long-term relationship but contemplate potential exit strategy.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

	Service Desk Outsourcing Requirements Database Library Use this library to guide you through processes to outsource
	Service Desk Outsourcing RFP Template Use this template to craft a proposal for outsourcing your service desk
	Service Desk Outsourcing Reference Interview Template Use this template to verify vendor claims on service delivery with pervious or current customers
	Service Desk Outsourcing Vendor Proposal Scoring Tool Use this tool to evaluate RFP submissions
Key deliverable:
	Service Desk Outsourcing Project Charter Document your project scope and outsourcing strategy in this template to organize the project for efficient resource and requirement allocation

Blueprint benefits

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between 8 to 10 calls over the course of 4 to 6 months.

Phase 1

Define the goal

This phase will walk you through the following activities:

• Analysis outsourcing objectives
• Assess outsourcing feasibility
• Identify services and processes to outsource

This phase involves the following participants:

• Service Desk Team
• IT Leadership

Define requirements for outsourcing service desk support

Step 1.1

Identify goals and objectives

Activities

1.1.1 Find out why you want to outsource your service desk

1.1.2 Document the benefits of outsourcing your service desk

1.1.3 Identify your outsourcing vision and goals

1.1.4 Prioritize service desk outsourcing goals to help structure your mission statement

1.1.5 Craft a mission statement that demonstrates your decision to reach your outsourcing objectives

Define the goal

This step requires the following inputs:

• List of strengths and weaknesses of the service desk
• Challenges with the service desk

This step involves the following participants:

• CIO
• IT Leadership
• Service Desk Manager
• IT Managers

Outcomes of this step

• Service desk outsourcing vision and goals
• Benefits of outsourcing the service desk
• Mission statement

What is your rationale to outsource the service desk?

Potential benefits of outsourcing the service desk:

• Bring in the expertise and knowledge to manage tickets according to best-practice guidelines
• Reduce the timeline to response and resolution
• Improve IT productivity
• Enhance IT services and improve performance
• Augment relationship between IT and business through service-level improvement
• Free up the internal team and focus IT on complex projects and higher priority tasks
• Speed up service desk optimization
• Improve end-user satisfaction through efficient IT services
• Reduce impact of incidents through effective incident management
• Increase service consistency via turnover reduction
• Expand coverage hour and access points
• Expand languages to service different geographical areas

1.1.1 Find out why you want to outsource your service desk

1 hour

Service desk is the face of IT. Service desk improvement increases IT efficiency, lowers operation costs, and enhances business satisfaction.

Common challenges that result in deciding to outsource the service desk are:

Participants: IT Director, Service Desk Manager, Service Desk Team

Brainstorm your challenges with the service desk. Why have you decided to outsource your service desk? Use the above table as a sample.

1.1.2 Document benefits of outsourcing your service desk

1 hour

1. Review the challenges with your current service desk identified in activity 1.1.1.
2. Discuss possible ways to tackle these challenges. Be specific and determine ways to resolve these issues if you were to do it internally.
3. Determine potential benefits of outsourcing the service desk to IT, business, and end users.
4. For each benefit, describe dependencies. For instance, to reduce the number of direct calls (benefit), users should have access to service desk as a single point of contact (dependency).
5. Document this activity in the Service Desk Outsourcing Project Charter Template.

Download the Project Charter Template

Input

• List of challenges with the current service desk from activity 1.1.1

Output

• Benefits of outsourcing the service desk

Materials

• Whiteboard/flip charts
• Markers
• Sticky notes
• Laptops

Participants

• IT Director/CIO
• Service Desk Manager
• Service Desk Team
• IT Managers

Why should you not consider cost reduction as a primary incentive to outsourcing the service desk?

Assume that some of the costs will not go away with outsourcing

When you outsource, the vendor's staff tend to gradually become less effective as:

• They are managed by metrics to reduce costs by escalating sooner, reducing talk time, and proposing questionable solutions.
• Turnover results in new employees that get insufficient training.

You must actively manage the vendor to identify and resolve these issues. Many organizations find that service desk management takes more time after they outsource.

You need to keep spending on service desk management, and you may not get away from technology infrastructure spending.

Info-Tech Insight

In their first year, almost 42% of Info-Tech's clients do not get the real value of outsourcing services as expected. This iss primarily because of misalignment of organizational goals with outcomes of the outsourced services.

Consider the hidden costs of outsourcing

Determine strategies to avoid each hidden cost

Your outsourcing strategy should address the reasons you decided to outsource

A clear vision of strategic objectives prior to entering an outsourcing agreement will allow you to clearly communicate these objectives to the Managed Service Provider (MSP) and use them as a contracted basis for the relationship.

• Define the business' overall approach to outsourcing along with the priorities, rules, and principles that will drive the outsourcing strategy and every subsequent outsourcing decision and activity.
• Define specific business, service, and technical goals for the outsourcing project and relevant measures of success.

"People often don't have a clear direction around what they're trying to accomplish. The strategic goals should be documented. Is this a cost-savings exercise? Is it because you're deficient in one area? Is it because you don't have the tools or expertise to run the service desk yourself? Figure out what problem you're trying to solve by outsourcing, then build your strategy around that.
– Jeremy Gagne, Application Support Delivery Manager, Allegis Group

Most organizations are driven to consider outsourcing their service desk hoping to improve the following:

• Ability to scale (train people and acquire skills)
• Focus on core competencies
• Decrease capital costs
• Access latest technology without large investment
• Resolve labor force constraints
• Gain access to special expertise without paying a full salary
• Save money overall

Info-Tech Insight

Use your goals and objectives as a management tool. Clearly outline your desired project outcomes to both your in-house team and the vendor during implementation and monitoring. It will allow a common ground to unite both parties as the project progresses.

Mitigate pitfalls that lay in the way of desired outcomes of outsourcing

1.1.3 Identify outsourcing vision and goals

Identify the goals and objectives of outsourcing to inform your strategy.

Participants: IT Director, Service Desk Manager, Service Desk Team

1-2 hours

1. Meet with key business stakeholders and the service desk staff who were involved in the decision to outsource.
2. As a group, review the results from activity 1.1.1 (challenges with current service desk operations) and identify the goals and objectives of the outsourcing initiative.
3. Determine the key performance indicator (KPI) for each goal.
4. Identify the impacted stakeholder/s for each goal.
5. Discuss checkpoint schedule for each goal to make sure the list stays updated.

Use the sample table as a starting point:

1. Document your table in the Service Desk Outsourcing Project Charter Template.

Download the Project Charter Template

Evaluate organizational demographics to assess outsourcing rationale

The size, complexity, and maturity of your organization are good indicators of service desk direction with regards to outsourcing.

Organization Size

• As more devices, applications, systems, and users are added to the mix, vendor costs will increase but their ability to meet business needs will decrease.
• Small organizations are often either rejected by vendors for being too small or locked into a contract that is overkill for their actual needs (and budget).

Complexity

• Highly customized environments and organizations with specialized applications or stringent regulatory requirements are very difficult to outsource for a reasonable cost and acceptable quality.
• In these cases, the vendor is required to train skilled support or ends up escalating more tickets back to second- and third-level support.

Requirements

• Organizations looking to outsource must have defined outsourcing requirements before looking at vendors.
• Without a requirement assessment, the vendor won't have guidelines to follow and you won't be able to measure their adherence.

Info-Tech Insight

Although less adherence to service desk best practices can be one of the main incentives to outsourcing the service desk, IT should have minimal processes in place to be able to set expectations with targeting vendors.

1.1.4 Prioritize service desk outsourcing goals to help structure mission statement

0.5-1 hour

The evaluation process for outsourcing the service desk should be done very carefully. Project leaders should make sure they won't panic internal resources and impact their performance through the transition period.

If the outsourcing process is rushed, it will result in poor evaluation, inefficient decision making, and project failure.

1. Refer to results in activity 1.1.3. Discuss the service desk outsourcing goals once again.
2. Brainstorm the most important objectives. Use sticky notes to prioritize the items from the most important to the least important.
3. Edit the order accordingly.

Input

• Project goals from activity 1.1.3

Output

• Prioritized list of outsourcing goals

Materials

• Whiteboard/flip charts
• Markers
• Sticky notes
• Laptops

Participants

• IT Director/CIO
• Service Desk Manager
• Service Desk Team
• IT Managers

Download the Project Charter Template

1.1.5 Craft a mission statement that demonstrates your decision to reach outsourcing objectives

Participants: IT Director, Service Desk Manager

0.5-1 hour

The IT mission statement specifies the function's purpose or reason for being. The mission should guide each day's activities and decisions. The mission statement should use simple and concise terminology and speak loudly and clearly, generating enthusiasm for the organization.

Strong IT mission statements:

• Articulate the IT function's purpose and reason for existence
• Describe what the IT function does to achieve its vision
• Define the customers of the IT function
• Can be described as:
  • Compelling
  • Easy to grasp
  • Sharply focused
  • Inspirational
  • Memorable
  • Concise

Sample mission statements:

• To help fulfill organizational goals, IT has decided to empower business stakeholders with outsourcing the service desk.
• To support efficient IT service provision, better collaboration, and effective communication, [Company Name] has decided to outsource the service desk.
• [Company Name] plans to outsource the service desk so it can identify bottlenecks and inefficiencies with current service desk processes and enable [Company Name] to innovate and support business growth.

• Considering the goals and benefits determined in the previous activities, outline a mission statement.
• Document your outsourcing mission statement in the "Project Overview" section of the Project Charter Template.

Download the Project Charter Template

Step 1.2

Assess outsourcing feasibility

Activities

1.2.1 Create a baseline of customer experience

1.2.2 Identify service desk processes to outsource

1.2.3 Design an outsourcing decision matrix for service desk processes and services

1.2.4 Discuss if you need to outsource only service desk or if additional services would benefit from outsourcing too

Define the goal

This step requires the following inputs:

• List of service desk tasks and responsibilities

This step involves the following participants:

• CIO
• IT Leadership
• Service Desk Manager
• Infrastructure Manager

Outcomes of this step

• End-user satisfaction with the service desk
• List of processes and services to outsource

1.2.1 Create a baseline of customer experience

Solicit targeted department feedback on IT's core service capabilities, communications, and business enablement from end users. Use this feedback to assess end-user satisfaction with each service, broken down by department and seniority level.

1. Complete an end-user satisfaction survey to define the current state of your IT services, including service desk (timeliness and effectiveness). With Info-Tech's end-user satisfaction program, an analyst will help you set up the diagnostic and will go through the report with you.
2. Evaluate survey results.
3. Communicate survey results with team leads and discuss the satisfaction rates and comments of the end users.
4. Schedule to launch another survey one year after outsourcing the service desk.
5. Your results will be compared to the following year's results to analyze the overall success/failure of your outsourcing project.

A decrease of business and end-user satisfaction is a big drive to outsourcing the service desk. Conduct a customer service survey to discover your end-user experience prior to and after outsourcing the service desk.

Don't get caught believing common misconceptions: outsourcing doesn't mean sending away all the work

First-time outsourcers often assume they are transferring most of the operations over to the vendor, but this is often not the case.

1. Management of performance, SLAs, and customer satisfaction remain the responsibility of your organization.
2. Service desk outsource vendors provide first-line response. This includes answering the phones, troubleshooting simple problems, and redirecting requests that are more complex.
3. The vendor is often able to provide specialized support for standard applications (and for customized applications if you'll pay for it). However, the desktop support still needs someone onsite, and that service is very expensive to outsource.
4. Tickets that are focused on custom applications and require specialized or advanced support are escalated back to your organization's second- and third-level support teams.

Switching to a vendor won't necessarily improve your service desk maturity

You should have minimal requirements before moving.

Whether managing in-house or outsourcing, it is your job to ensure core issues have been clarified, processes defined, and standards maintained. If your processes are ad-hoc or non-existent right now, outsourcing won't fix them.

You must have the following in place before looking to outsource:

• Defined reporting needs and plans
• Formalized skill-set requirements
• Problem management and escalation guidelines
• Ticket templates and classification rules
• Workflow details
• Knowledge base standards

Info-Tech Insight

If you expect your problems to disappear with outsourcing, they might just get worse.

Define long-term requirements

Anticipate growth throughout the lifecycle of your outsourcing contract and build that into the RFP

• Most outsourcing agreements typically last three to five years. In that time, you risk outgrowing your service provider by neglecting to define your long-term service desk requirements.
• Outgrowing your vendor before your contract ends can be expensive due to high switching costs. Managing multiple vendors can also be problematic.
• It is crucial to define your service desk requirements before developing a request for proposal to make sure the service you select can meet your organization's needs.
• Make sure that the business is involved in this planning stage, as the goals of IT need to scale with the growth strategy of the business. You may select a vendor with no additional capacity despite the fact that your organization has a major expansion planned to begin two years from now. Assessing future requirements also allows you to culture match with the vendor. If your outlooks and practices are similar, the match will likely click.

Info-Tech Insight

Don't select a vendor for what your company is today – select a vendor for what your company will be years from now. Define your future service desk requirements in addition to your current requirements and leave room for growth and development.

You can't outsource everything

Manage the things that stay in-house well or suffer the consequences.

Info-Tech Insight

The need for a Service Desk Manager does not go away when you outsource. In fact, the need becomes even stronger and never diminishes.

Assess current service desk processes before outsourcing

Process standards with areas such as documentation, workflow, and ticket escalation should be in place before the decision to outsource has been made.

Every effective service desk has a clear definition of the services that they are performing for the end user. You can't provide a service without knowing what the services are.

MSPs typically have their own set of standards and processes in play. If your service desk is not at a similar level of maturity, outsourcing will not be pleasant.

Make sure that your metrics are reported consistently and that they tell a story.

"Establish baseline before outsourcing. Those organizations that don't have enough service desk maturity before outsourcing should work with the outsourcer to establish the baseline."
– Yev Khobrenkov, Enterprise Consultant, Solvera Solutions

Info-Tech Insight

Outsourcing vendors are not service desk builders; they're service desk refiners. Switching to a vendor won't improve your maturity; you must have a certain degree of process maturity and standardization before moving.

Case Study

INDUSTRY: Cleaning Supplies

SOURCE: PicNet

Challenge

• Reckitt Benckiser of Australia determined that its core service desk needed to be outsourced.
• It would retain its higher level service desk staff to work on strategic projects.
• The MSP needed to fulfill key requirements outlined by Reckitt Benckiser.

Solution

• Reckitt Benckiser recognized that its rapidly evolving IT needs required a service desk that could fulfill the following tasks:
• Free up internal IT staff.
• Provide in-depth understanding of business apps.
• Offer efficient, cost-effective support onsite.
• Focus on continual service improvement (CSI).

Results

• An RFP was developed to support the outsourcing strategy.
• With the project structure outlined and the requirements of the vendor for the business identified, Reckitt Benckiser could now focus on selecting a vendor that met its needs.

1.2.1 Identify service desk processes to outsource

2-3 hours

Review your prioritized project goals from activity 1.1.4.

Brainstorm requirements and use cases for each goal and describe each use case. For example: To improve service desk timeliness, IT should improve incident management, to resolve incidents according to the defined SLA and based on ticket priority levels.

Discuss if you're outsourcing just incident management or both incident management and request fulfillment. If both, determine what level of service requests will be outsourced? Will you ask the vendor to provide a service catalog? Will you outsource self-serve and automation?

Document your findings in the service desk outsourcing requirements database library.

Input

• Outsourcing project goals from activity 1.1.4

Output

• List of processes to outsource

Materials

• Sticky notes
• Markers
• Whiteboard/flip charts
• Laptops

Participants

• IT Director/CIO
• Service Desk Manager
• Service Desk Team

Download the Requirements Database Library

1.2.2 Design an outsourcing decision matrix for service desk processes and services

Participants: IT Director, Service Desk Manager, Infrastructure manager

2-3 hours

Most successful service desk outsourcing engagements have a primary goal of freeing up their internal resources to work on complex tasks and projects. The key outsourcing success factor is to find out internal services and processes that are standardized or should be standardized, and then determine if they can be outsourced.

1. Review the list of identified service desk processes from activity 1.2.1.
2. Discuss the maturity level of each process (low, medium, high) and document under the maturity column of the Outsource the Service Desk Requirements Database Library.
3. Use the following decision matrix for each process. Discuss which tasks are important to strategic objectives, which ones provide competitive advantage, and which ones require specialized in-house knowledge.
4. Identify processes that receive high vendor's performance advantage. For instance, access to talent, lower cost at scale, and access to technology.
5. In your outsourcing assessment, consider a narrow scope of engagement and a broad view of what is important to business outcome.
6. Based on your findings, determine the priority of each process to be outsourced. Document results in the service desk outsourcing requirements database library, and section 4.1 of the service desk outsourcing project charter.

Download the Requirements Database Library

Download the Project Charter Template

Maintain staff and training: you need to know who is being hired, how, and why

Define documentation rules to retain knowledge

• Establish a standard knowledge article template and list of required information.
• Train staff on the requirements of knowledge base creation and management. Help them understand the value of the time spent recording their work.
• It is your responsibility to assure the quality of each knowledge article. Outline accountabilities for internal staff and track for performance evaluations.

For information on better knowledge management, refer to Info-Tech's blueprint Optimize the Service Desk With a Shift-Left Strategy.

Expect to manage stringent skills and training standards

• Plan on being more formal about a Service Manager position and spending more time than you allocated previously.
• Complete a thorough assessment of the skills you need to keep the service desk running smoothly.
• Don't forget to account for any customized or proprietary systems. How will you train vendor staff to accommodate your needs? What does their turnaround look like: would it be more likely that you acquire a dependable employee in-house?
• Staffing requirements need to be actively monitored to ensure the outsourcer doesn't have degradation of quality or hiring standards. Don't assume that things run well – complete regular checks and ask for access to audit results.
• Are the systems and data being accessed by the vendor highly sensitive or subject to regulatory requirements? If so, it is your job to ensure that vendor staff are being screened appropriately.

Does your service desk need to integrate to other IT services?

A common challenge when outsourcing multiple services to more than one vendor is a lack of collaboration and communication between vendors.

• Leverage SIAM capabilities to integrate service desk tasks to other IT services, if needed.
• "Service Integration and Management (SIAM) is a management methodology that can be applied in an environment that includes services sourced from a number of service providers" (Scopism Limited, 2020).
• SIAM supports cross-functional integrations. Organizations that look for a single provider will be less likely to get maximum benefits from SIAM.

There are three layers of entities in SIAM:

• Customer Organization: The customer who receives services, who defines the relationship with service providers.
• Service Integrator: End-to-end service governance and integration is done at this layer, making sure all service providers are committed to their services.
• Service Provider: Responsible party for service delivery according to contract. It can be combination of internal provider, managed by internal agreements, and external provider, managed by SLAs between providers and customer organization.

Use SIAM to obtain better results from multiple service providers

In the SIAM model, the customer organization keeps strategic, governance, and business activities, while integrating other services (either internally or externally).

SIAM Layers. Source: SIAM Foundation BoK

Utilize SIAM to obtain better results from multiple service providers

SIAM reduces service duplication and improves service delivery via managing internal and external service providers.

To utilize the SIAM model, determine the following components:

• Service providers
• Service consumers
• Service outcomes
• Service obstacles and boundaries
• Service dependencies
• Technical requirements and interactions for each service
• Service data and information including service levels

To learn more about adopting SIAM, visit Scopism.

1.2.3 Discuss if you need to outsource only service desk or if additional services would benefit from outsourcing too

1-2 hours

• Discuss principles and goals of SIAM and how integrating other services can apply within your processes.
• Review the list of service desk processes and tasks to be outsourced from activities 1.2.1 and 1.2.2.
• Brainstorm a list of other services that are outsourced/need to be outsourced.
• Determine providers of each service (both internal and external). Document the other services to be integrated in the project charter template and requirements database library.

Input

• SIAM objectives
• List of service desk processes to outsource

Output

• List of other services to outsource and integrate in the project

Materials

• Sticky notes
• Markers
• Whiteboard/flip charts
• Laptops

Participants

• IT Director/CIO
• Service Desk Manager
• Service Desk Team

Download the Requirements Database Library

Download the Project Charter Template

Establish requirements for problem management in the outsourcing plan

Your MSP should not just fulfill SLAs – they should be a proactive source of value.

Problem management is a group effort. Make sure your internal team is assisted with sufficient and efficient data by the outsourcer to conduct a better problem management.

Clearly state your organization's expectations for enabling problem management. MSPs may not necessarily need, and cannot do, problem management; however, they should provide metrics to help you discover trends, define recurring issues, and enable root cause analysis.

For more information on problem management, refer to Info-Tech's blueprint Improve Incident and Problem Management.

PROBLEM MANAGEMENT

INCIDENT MANAGEMENT

INTAKE: Ticket data from incident management is needed for incident matching to identify problems. Critical Incidents are also a main input to problem management.

EVENT MANAGEMENT

INTAKE: SMEs and operations teams monitoring system health events can identify indicators of potential future issues before they become incidents.

APPLICATION, INFRASTRUCTURE, and SECURITY TEAMS

ACTION: Problem tickets require investigation from relevant SMEs across different IT teams to identify potential solutions or workarounds.

CHANGE MANAGEMENT

OUTPUT: Problem resolution may need to go through Change Management for proper authorization and risk management.

Outline problem management protocols to gain value from your service provider

• For example, with a deep dive into ticket trend analysis, your MSP should be able to tell you that you've had a large number of tickets on a particular issue in the past month, allowing you to look into means to resolve the issue and prevent it from reoccurring.
• A proactive MSP should be able to help your service levels improve over time. This should be built into the KPIs and metrics you ask for from the outsourcer.

Sample Scenario

Your MSP tracks ticket volume by platform.

There are 100 network tickets/month, 200 systems tickets/month, and 5,000 end-user tickets/month.

Tracking these numbers is a good start, but the real value is in the analysis. Why are there 5,000 end-user tickets? What are the trends?

Your MSP should be providing a monthly root-cause analysis to help improve service quality.

Outcomes:

1. Meeting basic SLAs tells a small part of the story. The MSP is performing well in a functional sense, but this doesn't shed any insight on what kind of knowledge or value is being added.
2. The MSP should provide routine updates on ticket trends and other insights gained through data analysis.
3. A commitment to continual improvement will provide your organization with value throughout the duration of the outsourcing agreement.

Phase 2

Design an Outsourcing Strategy

This phase will walk you through the following activities:

• Identify roles and responsibilities
• Determine potential risks of outsourcing the service desk
• Build a list of metrics

This phase involves the following participants:

• Service Desk Team
• IT Leadership

Define requirements for outsourcing service desk support

Step 2.1

Identify project stakeholders

Activity

2.1.1 Identify internal outsourcing roles and responsibilities

Design an Outsourcing Strategy

This step requires the following inputs:

• List of service desk roles
• Service desk outsourcing goals

This step involves the following participants:

• IT Managers
• Project Team
• Service Desk Manager

Outcome of this step

• Outsourcing roles and responsibilities

Design an outsourcing strategy to capture the vision of your service desk

An outsourcing strategy is crucial to the proper accomplishment of an outsourcing project. By taking the time to think through your strategy beforehand, you will have a clear idea of your desired outcomes. This will make your RFP of higher quality and will result in a much easier negotiation process.

Most MSPs are prepared to offer a standard proposal to clients who do not know what they want. These are agreements that are doomed to fail. A clearly defined set of goals (discussed in Phase 1), risks, and KPIs and metrics (covered in this phase) makes the agreement more beneficial for both parties in the long run.

1. Identify goals and objectives
2. Determine mission statement
3. Define roles and responsibilities
4. Identify risks and constraints
5. Define KPIs and metrics
6. Complete outsourcing strategy

A successful outsourcing initiative depends on rigorous preparation

Outsourcing is a garbage in, garbage out initiative. You need to give your service provider the information they need to provide an effective product.

• Data quality is critical to your outsourcing initiative's success.
• Your vendor will be much better equipped to help you and to better price its services if it has a thorough understanding of your IT environment.
• This means more than just building a catalog of your hardware and software. You will need to make available documented policies and processes so you and your vendor can understand where they fit in.
• Failure to completely document your environment can lead to a much longer time to value as your provider will have to spend much more time (and thus much more money) getting their service up and running.

"You should fill the gap before outsourcing. You should make sure how to measure tickets, how to categorize, and what the cost of outsourcing will be. Then you'll be able to outsource the execution of the service. Start your own processes and then outsource their execution."
– Kris Krishan, Head of IT and business systems, Waymo

Case Study

Digital media company built an outsourcing strategy to improve customer satisfaction

INDUSTRY: Digital Media

SOURCE: Auxis

Challenge

A Canadian multi-business company with over 13,000 employees would like to maintain a growing volume of digital content with their endpoint management.

The client operated a tiered model service desk. Tier 1 was outsourced, and tier 2 tasks were done internally, for more complex tasks and projects.

As a result of poor planning and defining goals, the company had issues with:

• Low-quality ticket handling
• High volume of tickets escalated to tier 2, restraining them from working on complex tickets
• High turn over and a challenge with talent retention
• Insufficient documentation to train external tier 1 team
• Long resolution time and low end-user satisfaction

Solution

The company structured a strategy for outsourcing service desk and defined their expectations and requirements.

They engaged with another outsourcer that would fulfill their requirements as planned.

With the help of the outsourcer's consulting team, the client was able to define the gaps in their existing processes and system to:

• Implement a better ticketing system that could follow best-practices guidelines
• Restructure the team so they would be able to handle processes efficiently

Results

The proactive planning led to:

• Significant improvement in first call resolution (82%).
• MTTR improvement freed tier 2 to focus on business strategic objectives and allowed them to work on higher-value activities.
• With a better strategy around outsourcing planning, the company saved 20% of cost compared to the previous outsourcer.
• As a result of this partnership, the company is providing a 24/7 structure in multiple languages, which is aligned with the company's growth.
• Due to having a clear strategy built for the project, the client now has better visibility into metrics that support long-term continual improvement plans.

Define roles and responsibilities for the outsourcing transition to form the base of your outsourcing strategy

There is no "I" in outsource; make sure the whole team is involved

Outsourcing is a complete top-to-bottom process that involves multiple levels of engagement:

• Management must make high-level decisions about staffing and negotiate contract details with the vendor.
• Service desk employees must execute on the documentation and standardization of processes in an effort to increase maturity.
• Roles and responsibilities need to be clearly defined to ensure that all aspects of the transition are completed on time.
• Implement a full-scale effort that involves all relevant staff. The most common mistake is to have the project design follow the same top-down pattern as the decision-making process.

Info-Tech Insight

The service desk doesn't operate in isolation. The service desk interfaces with many other parts of the organization (such as finance, purchasing, field support, etc.), so it's important to ensure you engage stakeholders from other departments as well. If you only engage the service desk staff in your discussions around outsourcing strategy and RFP development, you may miss requirements that will come up when it's too late.

2.1.1 Identify internal outsourcing roles and responsibilities

2 hours

1. The sample RACI chart in section 5 of the Project Charter Template outlines which positions are responsible, accountable, consulted, and informed for each major task within the outsourcing project.
2. Responsible, is the group that is responsible for the execution and oversight of activities for the project. Accountable is the owner of the task/process, who is accountable for the results and outcomes. Consulted is the subject matter expert (SME) who is actively involved in the task/process and consulted on decisions. Informed is not actively involved with the task/process and is updated about decisions around the task/process.
3. Make sure that you assign only one person as accountable per process. There can be multiple people responsible for each task. Consulted and Informed are optional for each task.
4. Complete the RACI chart with recommended participants, and document in your service desk outsourcing project charter, under section 5.

Input

• RACI template
• Org chart

Output

• List of roles and responsibilities for outsource project

Materials

• Whiteboard/flip charts
• Markers
• Laptops

Participants

• IT Director/CIO
• Service Desk Manager
• Service Desk Team

Download the Project Charter Template

Step 2.2

Outline potential risks and constraints

Activities

2.2.1 Identify potential risks and constraints that may impact achievement of objectives

2.2.2 Arrange groups of tension metrics to balance your reporting

Design an Outsourcing Strategy

This step will walk you through the following activities:

• Outsourcing objectives
• Potential risks

This step involves the following participants:

• IT Managers
• Project Team
• Service Desk Manager

Outcomes of this step

• Mitigation strategy for each risk
• Service desk metrics

Know your constraints to reduce surprises during project implementation

No service desk is perfect; know your limits and plan accordingly

Define your constraints to outsourcing the service desk.

Consider all types of constraints and opportunities, including:

• Business forces
• Economic cycles
• Disruptive tech
• Regulation and compliance issues
• Internal organizational issues

Within the scope of a scouring decision, define your needs and objectives, measure those as much as possible, and compare them with the "as-is" situation.

Start determining what alternative approaches/scenarios the organization could use to fill the gaps. Start a comparison of scenarios against drivers, goals, and risks.

Plan ahead for potential risks that may impede your strategy

Risk assessment must go hand-in-hand with goal and objective planning

Risk is inherent with any outsourcing project. Common outsourcing risks include:

• Lack of commitment to the customer's goals from the vendor.
• The distraction of managing the relationship with the vendor.
• A perceived loss of control and a feeling of over-dependence on your vendor.
• Managers may feel they have less influence on the development of strategy.
• Retained staff may feel they have become less skilled in their specialist field.
• Unanticipated expenses that were assumed to be offered by the vendor.
• Savings only result from high capital investment in new projects on the part of the customer.

Analyze the risks associated with a specific scenario. This analysis should identify and understand the most common sourcing and vendor risks using a risk-reward analysis for selected scenarios. Use tools and guidelines to assess and manage vendor risk and tailor risk evaluation criteria to the types of vendors and products.

Info-Tech Insight

Plan for the worst to prevent it from happening. Evaluating risk should cover a wide variety of scenarios including the worst possible cases. This type of thinking will be crucial when developing your exit strategy in a later exercise.

2.2.1 Identify potential risks and constraints that may impact achievement of objectives

1-3 hours

1. Brainstorm any potential risks that may arise through the outsourcing project. Describe each risk and categorize both its probability of occurring and impact on the organization as high (H), medium (M), or low (L), using the table below:

1. Identify any constraints for your outsourcing strategy that may restrict, limit, or place certain conditions on the outsourcing project.
   • This may include budget restrictions or staffing limitations.
   • Identifying constraints will help you be prepared for risks and will lessen their impact.
2. Document risks and constraints in section 6 of the Service Desk Outsourcing Project Charter Template.

Input

• RACI template
• Org chart

Output

• List of roles and responsibilities for outsource project

Materials

• Whiteboard/flip charts
• Markers

Participants

• IT Director/CIO
• Service Desk Manager
• Service Desk Team

Download the Project Charter Template

Define service tiers and roles to develop clear vendor SLAs

Management of performance, SLAs, and customer satisfaction remain the responsibility of your organization.

Define the tiers and/or services that will be the responsibility of the MSP, as well as escalations and workflows across tiers. A sample outsourced structure is displayed here:

Info-Tech Insight

If you outsource everything, you'll be at the mercy of consultancy or professional services shops later on. You won't have anyone in-house to help you deploy anything; you're at the mercy of a consultant to come in and tell you what to do and how much to spend. Keep your highly skilled people in-house to offset what you'd have to pay for consultancy. If you need to repatriate your service desk later on, you will need skills in-house to do so.

Don't become obsessed with managing by short-term metrics – look at the big picture

"Good" metric results may simply indicate proficient reactive fixing; long-term thinking involves implementing proactive, balanced solutions.

KPIs demonstrate that you are running an effective service desk because:

• You close an average of 300 tickets per week
• Your first call resolution is above 90%
• Your talk time is less than five minutes
• Surveys reveal clients are satisfied

While these results may appear great on the surface, metrics don't tell the whole story.

The effort from any support team seeks to balance three elements:

	First-Contact Resolution (FCR) Rate	Percentage of tickets resolved during first contact with user (e.g. before they hang up or within an hour of submitting ticket). Could be measured as first-contact, first-tier, or first-day resolution.
End-User Satisfaction	Perceived value of the service desk measured by a robust annual satisfaction survey of end users and/or transactional satisfaction surveys sent with a percentage of tickets.
Ticket Volume and Cost Per Ticket	Monthly operating expenses divided by average ticket volume per month. Report ticket volume by department or ticket category, and look at trends for context.
Average Time to Resolve (incidents) or Fulfill (service requests)	Time elapsed from when a ticket is "open" to "resolved." Distinguish between ticket resolution vs. closure, and measure time for incidents and service requests separately.

Focus on tension metrics to achieve long-term success

Tension metrics help create a balance by preventing teams from focusing on a single element.

For example, an MSP built incentives around ticket volume for their staff, but not the quality of tickets. As a result, the MSP staff rushed through tickets and gamed the system while service quality suffered.

Use metrics to establish baselines and benchmarking data:

• If you know when spikes in ticket volumes occur, you can prepare to resource more appropriately for these time periods
• Create KB articles to tackle recurring issues and assist tier 1 technicians and end users.
  • Employ a root cause analysis to eliminate recurring tickets.

"We had an average talk time of 15 minutes per call and I wanted to ensure they could handle those calls in 15 minutes. But the behavior was opposite, [the vendor] would wrap up the call, transfer prematurely, or tell the client they'd call them back. Service levels drive behavior so make sure they are aligned with your strategic goals with no unintended consequences."
– IT Services Manager, Banking

Info-Tech Insight

Make sure your metrics work cooperatively. Metrics should be chosen that cause tension on one another. It's not enough to rely on a fast service desk that doesn't have a high end-user satisfaction rate or runs at too high a cost; there needs to be balance.

2.2.2 Arrange groups of tension metrics to balance your reporting

1-3 hours

1. Define KPIs and metrics that will be critical to service desk success.
2. Distribute sticky notes of different colors to participants around the table.
3. Select a space to place the sticky notes – a table, whiteboard, flip chart, etc. – and divide it into three zones.
4. Refer to your defined list of goals and KPIs from activity 1.1.3 and discuss metrics to fulfill each KPI. Note that each goal (critical success factor, CSF) may have more than one KPI. For instance:
   1. Goal 1: Increase end-user satisfaction; KPI 1: Improve average transactional survey score. KPI 2: Improve annual relationship survey score.
   2. Goal 2: Improve service delivery; KPI 1: Reduce time to resolve incidents. KPI 2: Reduce time to fulfill service requests.
5. Recall that tension metrics must form a balance between:
   1. Time
   2. Resources
   3. Quality
6. Record the results in section 7 of the Service Desk Outsourcing Project Charter Template.

Input

• Service desk outsourcing goals
• Service desk outsourcing KPIs

Output

• List of service desk metrics

Materials

• Whiteboard/flip charts
• Sticky notes
• Markers
• Laptops

Participants

• Project Team
• Service Desk Manager

Download the Project Charter Template

Phase 3

Develop an RFP and make a long-term relationship

This phase will walk you through the following activities:

• Build your outsourcing RFP
• Set expectations with candidate vendors
• Score and select your vendor
• Manage your relationship with the vendor

This phase involves the following participants:

• CIO
• Service Desk Manager
• IT Managers
• Project Managers

Define requirements for outsourcing service desk support

Step 3.1

Prepare a service overview and responsibility matrix

Activities

3.1.1 Evaluate your technology, people, and process requirements

3.1.2 Outline which party will be responsible for which service desk processes

This step requires the following inputs:

• Service desk processes and requirements

This step involves the following participants:

• CIO
• Service Desk Manager
• IT Managers
• Project Managers

Outcomes of this step

• Knowledge management and technology requirements
• Self-service requirements

Develop an RFP and make a long-term relationship

Create a detailed RFP to ensure your candidate vendor will fulfill all your requirements

At its core, your RFP should detail the outcomes of your outsourcing strategy and communicate your needs to the vendor.

The RFP must cover business needs and the more detailed service desk functions required. Many enterprises only consider the functionality they need, while ignoring operational and selection requirements.

Negotiate a supply agreement with the preferred outsourcer for delivery of the required services. Ensure your RFP covers:

1. Service specification
2. Service levels
3. Roles and responsibilities
4. Transition period and acceptance
5. Prices, payment, and duration
6. Agreement administration
7. Outsourcing issues

In addition to defining your standard requirements, don't forget to take into consideration the following factors when developing your RFP:

• Employee onboarding and hardware imaging for new users
• Applications you need current and future support for
• Reporting requirements
• Self-service options
• Remote support needs and locations

Although it may be tempting, don't throw everything over the wall at your vendor in the RFP. Evaluate your service desk functions in terms of quality, cost effectiveness, and the value provided from the vendor. Organizations should only outsource functions that the vendor can operate better, faster, or cheaper.

Info-Tech Insight

Involve the right stakeholders in developing your RFP, not just service desk. If only service desk is involved in RFP discussion, the connection between tier 1 and specialists will be broken, as some processes are not considered from IT's point of view.

Identify ITSM solution requirements

Your vendor probably uses a different tool to manage their processes; make sure its capabilities align with the vision of your service desk.

Your service desk and outsourcing strategy were both designed with your current ITSM solution in mind. Before you hand the reins to an MSP, it is crucial that you outline how your current ITSM solution is being used in terms of functionality.

Find out if it's better to have the MSP use their own ITSM tools or your ITSM solution.

Info-Tech Insight

Defining your tool requirements can be a great opportunity to get the tool functionality you always wanted. Many MSPs offer enterprise-level ITSM tools and highly mature processes that may tempt you to operate within their ITSM environment. However, first define your goals for such a move, as well as pros and cons of operating in their service management tool to weigh if its benefits overweigh its downfalls.

Case Study

Lone Star College learned that it's important to select a vendor whose tool will work with your service desk

INDUSTRY: Education

SOURCE: ServiceNow

Challenge

Lone Star College has an end-user base of over 100,000 staff and students.

The college has six campuses across the state of Texas, and each campus was using its own service desk and ITSM solution.

Initially, the decision was to implement a single ITSM solution, but organizational complexity prevented that initiative from succeeding.

A decision was made to outsource and consolidate the service desks of each of the campuses to provide more uniform service to end users.

Solution

Lone Star College selected a vendor that implemented FrontRange.

Unfortunately, the tool was not the right fit for Lone Star's service and reporting needs.

After some discussion, the outsourcing vendor made the switch to ServiceNow.

Some time later, a hybrid outsourced model was implemented, with Lone Star and the vendor combining to provide 24/7 support.

Results

The consolidated, standardized approach used by Lone Star College and its vendor has created numerous benefits:

• Standardized reporting
• High end-user satisfaction
• All SLAs are being met
• Improved ticket resolution times
• Automated change management.

Lone Star outsourced in order to consolidate its service desks quickly, but the tools didn't quite match.

It's important to choose a tool that works well with your vendor's, otherwise the same standardization issues can persist.

Design your RFP to help you understand what the vendor's standard offerings are and what it is capable of delivering

Your RFP should be worded in a way that helps you understand what your vendor's standard offerings are because that's what they're most capable of delivering. Rather than laying out all your requirements in a high level of detail, carefully craft your questions in a probing way. Then, understand what your current baseline is, what your target requirements are, and assess the gap.

Design the RFP so that responses can easily be compared against one another.

It is common to receive responses that are very different – RFPs don't provide a response framework. Comparing vastly different responses can be like comparing apples to oranges. Not only are they immensely time consuming to score, their scores also don't end up accurately reflecting the provider's capabilities or suitability as a vendor.

If your RFP is causing a ten minute printer backlog, you're doing something wrong.

Your RFP should not be hundreds of pages long. If it is, there is too much detail.

Providing too much detail can box your responses in and be overly limiting on your responses. It can deter potentially suitable provider candidates from sending a proposal.

Request
For
Proposal

"From bitter experience, if you're too descriptive, you box yourself in. If you're not descriptive enough, you'll be inundated with questions or end up with too few bidders. We needed to find the best way to get the message across without putting too much detail around it."
– Procurement Manager, Utilities

Info-Tech's Service Desk Outsourcing RFP Template contains nine sections

1. Statement of work
   • Purpose, coverage, and participation ààInsert the purpose and goals of outsourcing your service desk, using steps 1.1 findings in this blueprint as reference.
2. General information
   • Information about the document, enterprise, and schedule of events ààInsert the timeline you developed for the RFP issue and award process in this section.
3. Proposal preparation instructions
   • The vendor's understanding of the RFP, good faith statement, points of contact, proposal submission, method of award, selection and notification.
4. Service overview
   • Information about organizational perspective, service desk responsibility matrix, vendor requirements, and service level agreements (SLAs).
5. Scope of work, specifications and requirements
   • Technical and functional requirements à Insert the requirements gathered in Phase 1 in this section of the RFP. Remember to include both current and future requirements.
6. Exit conditions
   • Overview of exit strategy and transition process.
7. Vendor qualifications and references
8. Account management and estimated pricing
9. Vendor certification

The main point of focus in this document is defining your requirements (discussed in Phase 1) and developing proposal preparation instructions. The rest of the RFP consists mostly of standard legal language. Review the rest of the RFP template and adapt the language to suit your organization's standards. Check with your legal departments to make sure the RFP adheres to company policies.

3.1.1 Evaluate your technology, people, and process requirements

1-2 hours

1. Review the outsourcing goals you identified in Phase 1 (activity 1.1.3).
2. For each goal, divide the defined requirements from your requirements database library (activity 1.2.1) into three areas:
   1. People Requirements
   2. Process Requirements
   3. Technical Requirements
3. Group your requirements based on characteristics (e.g. recovery capabilities, engagement methodology, personnel, etc.).
4. Validate these requirements with the relevant stakeholders.
5. Document your results in section 4 of the Service Desk Outsourcing RFP Template.

Input

• Identified key requirements

Output

• Refined requirements to input into the RFP

Materials

• Whiteboard/flip charts
• Markers
• Laptops

Participants

• IT Director/CIO
• Service Desk Manager
• IT Managers

Download the Service Desk Outsourcing RFP Template

Assess knowledge management and technology requirements to enable the outsourcer with higher quality work

Retain ownership of the knowledgebase to foster long-term growth of organizational intelligence

With end users becoming more and more tech savvy, organizational intelligence is becoming an increasingly important aspect of IT support. Modern employees are able and willing to troubleshoot on their own before calling into the service desk. The knowledgebase and FAQs largely facilitate self-serve trouble shooting, both of which are not core concerns for the outsource vendor.

Why would the vendor help you empower end users and decrease ticket volume when it will lead to less revenue in the future? Ticket avoidance is not simply about saving money by removing support. It's about the end-user community developing organizational intelligence so that it doesn't need as much technical support.

Organizational intelligence occurs when shared knowledge and insight is used to make faster, better decisions.

When you outsource, the flow of technical insight to your end-user community slows down or stops altogether unless you proactively drive it. Retain ownership of the knowledgebase and ensure that the content is:

1. Validated to ensure it accurately describes the best solution.
2. Actionable to ensure it prescribes repeatable, verifiable steps.
3. Contextual to ensure the reader knows when NOT to apply the knowledge.
4. Maintained to ensure the solution remains current.
5. Applied, since knowledge is a cost with no benefit unless you apply it and turn it into organizational intelligence.

Info-Tech Insight

Include knowledge management process in your ticket handling workflows to make sure knowledge is transferred to the MSP and end users. For more information on knowledge management, refer to Info-Tech's Standardize the Service Desk and Optimize the Service Desk With a Shift-Left Strategy blueprints.

Assess self-service requirements in your outsourcing plan

When outsourcing the service desk, determine who will take ownership of the self-service portal.

Nowadays, outsourcers provide innovative services such as self-serve options. However, bear in mind that the quality of such services is a differentiating factor. A well-maintained portal makes it easy to:

• Report incidents efficiently via use-case-based forms
• Place requests via a business-oriented service catalog
• Automate request processes
• Give visibility on ticket status
• Access knowledgebase articles
• Provide status on critical systems
• Look for services by both clicking service lists and searching them
• Provide 24/7 service via interactive communication with live agent and AI-powered machine
• Streamline business process in multiple departments rather than only IT

In the outsourcing process, determine your expectations from your vendor on self-serve options and discuss how they will fulfill these requirements. Similar to other processes, work internally to define a list of services your organization is providing that you can pass over to the outsourcer to convert to a service catalog.

Use Info-Tech's Sample Enterprise Services document to start determining your business's services.

Assess admin rights in your outsourcing plan to give access to the outsourcer while you keep ownership

Provide accessibility to account management to improve self-service, which enables:

• Group owners to be named who can add or remove people from their operating units
• Users to update attributes such as photos, address, phone number
• Synchronization with HRIS (Human Resource Information Systems) to enable two-way communication on attribute updates
• Password reset self-service

Ensure the vendor has access rights to execute regular clean up to help:

• Find stale and inactive user and computer accounts (inactive, expired, stale, never logged in)
• Bulk move and disable capabilities
• Find empty groups and remove
• Find and assess NTFS permissions
• Automated tasks to search and remediate

Give admin rights to outsourcer to enable reporting and auditing capabilities, such as:

• Change tracking and notifications
• Password reset attempts, account unlocks, permission and account changes
• Anomaly detection and remediation
• Privilege abuse, such as password sharing

Info-Tech Insight

Provide your MSP with access rights to enable the service desk to have account management without giving too much authentication. This way you'll enable moving tickets to the outsourcer while you keep ownership and supervision.

3.1.2 Outline which party will be responsible for which service desk processes

1-2 hours

This activity is an expansion to the outcomes of activity 1.2.1, where you determined the outsourcing requirements and the party to deliver each requirement.

1. Add your identified tasks from the requirements database library to the service desk responsibility matrix (section 4.2 of the Service Desk Outsourcing RFP Template).
2. Break each task down into more details. For instance, incident management may include tier 1, tier 2/3, KB creation and update, reporting, and auditing.
3. Refer to section 4.1 of your Project Charter to review the responsible party for each use case.
4. Considering the use cases, assess whether your organization, the MSP, or both parties will be responsible for the task.
5. Document the results in section 4.2 of the RFP.

Input

• Identified key requirements

Output

• Responsible party to deliver each task

Materials

• Whiteboard/flip charts
• Markers
• Laptops

Participants

• IT Director/CIO
• Service Desk Manager
• IT Managers

Download the Service Desk Outsourcing RFP Template

Step 3.2

Define your approach to vendor relationship management

Activities

3.2.1 Define your SLA requirements

3.2.2 Score each vendor to mitigate the risk of failure

3.2.3 Score RFP responses

3.2.4 Get referrals, conduct reference interviews and evaluate responses for each vendor

Develop an RFP and make a long-term relationship

This step requires the following inputs:

• Service desk outsourcing RFP
• List of service desk outsourcing requirements

This step involves the following participants:

• CIO
• Service Desk Manager
• IT Managers
• Project Managers

Outcomes of this step

• Service desk SLA
• RFP scores

Don't rush to judgment; apply due diligence when selecting your vendor

The most common mistake in vendor evaluation is moving too quickly. The process leading to an RFP evaluation can be exhausting, and many organizations simply want to be done with the whole process and begin outsourcing.

The most common mistake in vendor evaluation is moving too quickly. The process leading to an RFP evaluation can be exhausting, and many organizations simply want to be done with the whole process and begin outsourcing.

1. Call around to get referrals for each vendor
2. Create a shortlist
3. Review SLAs and contract terms
4. Select your vendor

Recognize warning signs in the MSP's proposal to ensure a successful negotiation

Vendors often include certain conditions in their proposals that masquerade as appealing but may spell disaster. Watch for these red flags:

1. Discounted Price
   • Vendors know the market value of their competitors' services. Price is not what sets them apart; it's the type of services offered as well as the culture present.
   • A noticeably low price is often indicative of a desperate organization that is not focused on quality managed services.
2. No Pushback
   • Vendors should work to customize their proposal to suit both their capabilities and your needs. No pushback means they are not invested in your project as deeply as they should be.
   • You should be prepared for and welcome negotiations; they're a sign that both sides are reaching a mutually beneficial agreement.
3. Continual SLA Improvement
   • Continual improvement is a good quality that your vendor should have, but it needs to have some strategic direction.
   • Throwing continual SLA improvement into the deal may seem great, but make sure that you'll benefit from the value-added service. Otherwise, you'll be paying for services that you don't actually need.

Clearly define core vendor qualities before looking at any options

Vendor sales and marketing people know just what to say to sway you: don't talk to them until you know what you're looking for.

Geography

Do you prefer global or local data centers? Do you need multiple locations for redundancy in case of disaster? Will language barriers be a concern?

Contract Length

Ensure you can terminate a poor arrangement by having shorter terms with optional renewals. It's better to renew and renegotiate if one side is losing in the deal in order to keep things fair. Don't assume that proposed long-term cost savings will provide a satisfactory service.

Target Market

Vendors are aiming at different business segments, from startups to large enterprises. Some will accept existing virtual machines, and others enforce compliance to appeal to government and health agencies.

SLA

A robust SLA strengthens a vendor's reliability and accountability. Agencies with special needs should have room in negotiations for customization. Providers should also account for regular SLA reviews and updates. Vendors should be tracking call volume and making projections that should translate directly to SLAs.

Support

Even if you don't need a vendor with 24/7 availability, vendors who cannot support this timing should be eliminated. You may want to upgrade later and will want to avoid the hassle of switching.

Maturity

Vendors must have the willingness and ability to improve processes and efficiencies over time. Maintaining the status-quo isn't acceptable in the constantly evolving IT world.

Cost

Consider which model makes the most sense: will you go with per call or per user pricing? Which model will generate vendor motivation to continually improve and meet your long-term goals? Watch out for variable pricing models.

Define your SLA requirements so your MSP can create a solution that fits

SLAs ensure accountability from the service provider and determine service price

SLAs define the performance of the service desk and clarify what the provider and customer can expect in their outsourcing relationship.

• Service categories
• The acceptable range of end-user satisfaction
• The scope of what functions of the service desk are being measured (availability, time to resolve, time to respond, etc.)
• Credits and penalties for achieving or missing targets
• Frequency of measurement/reporting
• Provisions and penalties for ending the contractual relationship early
• Management and communication structure
• Escalation protocol for incidents relating to tiers 2 or 3

Each MSP's RFP response will help you understand their basic SLA terms and enhanced service offerings. You need to understand the MSP's basic SLA terms to make sure they are adequate enough for your requirements. A well-negotiated SLA will balance the requirements of the customer and limit the liability of the provider in a win/win scenario.

For more information on defining service level requirements, refer to Info-Tech's blueprint Reduce Risk With Rock-Solid Service-Level Agreements.

3.2.1 Define your SLA requirements

2-3 hours

• As a team, review your current service desk SLA for the following items:
  • Response time
  • Resolution time
  • Escalation time
  • End-user satisfaction
  • Service availability

Use the sample table as a starting point to determine your current incident management SLA:

• Determine your SLA expectations from the outsourcer.
• Document your SLA expectations in section 4.4 of the RFP template.

Participants: IT Managers, Service Desk Manager, Project Team

Download the Service Desk Outsourcing RFP Template

Get a detailed plan from your selected vendor before signing a contract

Build a standard process to evaluate candidate vendors

Use section 5 of Info-Tech's Service Desk Outsourcing RFP Template for commonly used questions and requirements for outsourcing the service desk. Ask the right questions to secure an agreement that meets your needs. If you are already in a contract with an MSP, tale the opportunity of contract renewal to improve the contract and service.

Download the Service Desk Outsourcing RFP Template

Add your finalized assessment questions into Info-Tech's Service Desk Outsourcing RFP Scoring Tool to aggregate responses in one repository for comparison. Since the vendors are asked to respond in a standard format, it is easier to bring together all the responses to create a complete view of your options.

Download the Service Desk Vendor Proposal Scoring Tool

3.2.2 Score each vendor to mitigate the risk of failure

1-2 hours

Include the right requirements for your organization and analyze candidate vendors on their capability to satisfy them.

1. Use section 5 of the RFP template to convert your determined requirements into questions to address in vendor briefings.
2. Review the questions in the context of near- and long-term service desk outsourcing needs. In the template, we have separated requirements into 7 categories:
   • Vendor Requirements (VR)
   • Vendor Qualifications/Engagement/Administration Capabilities (VQ)
   • Service Operations (SO)
   • Service Support (SS)
   • Service Level Agreement (SLA)
   • Transition Processes (TP)
   • Account Management (AM)
3. Define the priority for each question:
   • Required
   • Desired
   • Optional
4. Leave the compliance and comments to when you brief with vendors.

Input

• Technical and functional requirements

Output

• Priority level for each requirement
• Completed list of requirement questions

Materials

• Whiteboard/flip charts
• Markers
• Laptops

Participants

• IT Director/CIO
• Service Desk Manager
• IT Managers

Download the Service Desk Outsourcing RFP Template

3.2.3 Score RFP responses

2-3 hours

1. Enter the requirements questions into the RFP Scoring Tool and use it during vendor briefings.
2. Copy the Required and Desired priority requirements from the previous activity into the RFP Questions column.
3. Evaluate each RFP response against the RFP criteria based on the scoring scale.
4. The Results section in the tool shows the vendor ranking based on their overall scores.
5. Compare potential outsourcing partners considering scores on individual requirements categories and based on overall scores.

Input

• Completed list of requirement questions
• Priority level for each requirement

Output

• List of top vendors for outsourcing the service desk

Materials

• Service Desk Vendor Proposal Scoring Tool

Participants

• Service Desk Manager
• IT Managers
• Project Managers
• IT Director/CIO

Download the Service Desk Vendor Proposal Scoring Tool

3.2.3 Get referrals, conduct reference interviews, and evaluate responses for each vendor

1. Outline a list of questions to conduct reference interviews with past/present clients of your candidate vendors.
2. Use the reference interview template as a starting point. As a group review the questions and edit them to a list that will fulfill your requirements.
3. Ask your candidate vendors to provide you with a list of three to five clients that have/had used their services. Make sure that vendors enforce the interview will be kept anonymous and names and results won't be disclosed.
4. Ask vendors to book a 20-30 minute call with you and their client.
5. Document your interview comments in your updated reference interview template.
6. Update the RFP scoring tool accordingly.

Input

• List of top vendors for outsourcing the service desk

Output

• Updated list of top vendors for outsourcing the service desk

Materials

• Service Desk Outsourcing Reference Interview Template
• Service Desk Vendor Proposal Scoring Tool

Participants

• Service Desk Manager
• IT Managers
• Project Managers

Download the Service Desk Vendor Proposal Scoring Tool

Compare pricing models of outsourcing services

It's a common sales tactic to use a low price as an easy solution. Carefully evaluate the vendors on your short-list and ensure that SLAs, culture, and price all match to your organization.

Research different pricing models and accurately assess which model fits your organization. Consider the following pricing models:

Pay per technician

In this model, a flat rate is allocated to agents tackling your service desk tickets. This is a good option for building long-term relationship with outsourcer's agents and efficient knowledge transfer to the external team; however, it's not ideal for small organizations that deal with few tickets. This is potentially an expensive model for small teams.

Pay per ticket

This model considers the number of tickets handled by the outsourcer. This model is ideal if you only want to pay for your requirement. Although the internal team needs to have a close monitoring strategy to make sure the outsourcer's efficiency in ticket resolution.

Pay per call

This is based on outbound and inbound calls. This model is proper for call centers and can be less expensive than the other models; however, tracking is not easy, as you should ensure service desk calls result in efficient resolution rather than unnecessary follow-up.

Pay per time (minutes or hours)

The time spent on tickets is considered in this model. With this model, you pay for the work done by agents, so that it may be a good and relatively cheap option. As quicker resolution SLA is usually set by the organization, customer satisfaction may drop, as agents will be driven to faster resolution, not necessarily quality of work.

Pay per user

This model is based on number of all users, or number of users for particular applications. In this model, correlation between number of users and number of tickets should be taken into account. This is an ideal model if you want to deal with impact of staffing changes on service price. Although you should first track metrics such as mean time to resolve and average number of tickets so you can prevent unnecessary payment based on number of users when most users are not submitting tickets.

Step 3.3

Manage the outsource relationship

Activities

3.3.1 Analyze your outsourced service desk for continual improvement

3.3.2 Make a case to either rehabilitate your outsourcing agreement or exit

3.3.3 Develop an exit strategy in case you need to end your contract early

Develop an RFP and make a long-term relationship

This step requires the following inputs:

• Service desk SLA
• List of impacted stakeholder groups
• List of impacts and benefits of the outsourced service desk

This step involves the following participants:

• CIO
• Service Desk Manager
• IT Managers
• Project Managers

Outcomes of this step

• Communication plan
• Vendor management strategy

Ensure formality of your vendor management practice

A service desk outsourcing project is an ongoing initiative. Build a relationship plan to make sure the outsourcer complies with the agreement.

Monitor Vendor Performance

Key Activity:

Measure performance levels with an agreed upon standard scorecard.

Manage Vendor Risk

Key Activity:

Periodical assessment of the vendors to ensure they are meeting compliance standards.

Manage Vendor Contracts and Relationships

Key Activity:
Manage the contracts and renewal dates, the level of demand for the services/products provided, and the costs accrued.

COMPLETE Identify and Evaluate Vendors

Key Activity:
Develop a plan with procurement and key internal stakeholders to define clear, consistent, and stable requirements.

COMPLETE Select a Vendor

Key Activity:
Develop a consistent and effective process for selecting the most appropriate vendor.

Manage Vendor Contracts and Relationships

Key Activity:
Contracts are consistently negotiated to ensure the vendor and the client have a documented and consistent understanding of mutual expectations.

Expect the vendor to manage processes according to your standards

You need this level of visibility into the service desk process, whether in-house or outsourced

Each of these steps requires documentation – either through standard operating procedures, SLAs, logs, or workflow diagrams.

• Define key operating procedures and workflows
• Record, classify, and prioritize tickets
• Verify, approve, and fulfill tickets
• Investigate, diagnose, and allocate tickets
• Resolve, recover, and close tickets
• Track and report

"Make sure what they've presented to you is exactly what's happening."
– Service Desk Manager, Financial Services

Manage the vendor relationship through regular communication

Regular contact with your MSP provides opportunities to address issues that emerge

Designate a relationship manager to act as a liaison at the business to be a conduit between the business and the MSP.

• The relationship manager will take feedback from the MSP and relate it back to you to bridge the technical and business gap between the two.

Who should be involved

• Routine review meetings should involve the MSP and your relationship manager.
• Technical knowledge may be needed to address specific issues, but business knowledge and relationship management skills are absolutely required.
• Other stakeholders and people who are deeply invested in the vendor relationship should be invited or at least asked to contribute questions and concerns.

What is involved

• Full review of the service desk statistics, escalations, staffing changes, process changes, and drivers of extra billing or cost.
• Updates to key documentation for the issues listed above and changes to the knowledgebase.
• Significant drivers of customer satisfaction and dissatisfaction.
• Changes that have/are being proposed that can impact any of the above.

Communicate changes to end users to avoid push back and get buy-in

Top-down processes for outsourcing will leave end users in the dark

• Your service desk staff has been involved in the outsourcing process the entire time, but end users are affected all the same.
• The service desk is the face of IT. A radical shift in service processes and points of contact can be detrimental to not only the service desk, but all of IT.
• Communicating the changes early to end users will both help them cope with the change and help the MSP achieve better results.
  • An internal communication plan should be rolled out in order to inform and educate end users about the changes associated with outsourcing the service desk.
• Your relationship manager should be tasked with communicating the changes to end users. The focus should be on addressing questions or concerns about the transition while highlighting the value gained through outsourcing to an MSP.
• Service quality is a two-way street; the end user needs to be informed of proper protocols and points of contact so that the service desk technicians can fulfill their duties to the best of their ability.

"When my company decided to outsource, I performed the same role but for a different company. There was a huge disruption to the business flow and a lack of communication to manage the change. The transition took weeks before any end users figured out what the new processes were for submitting a ticket and who to ask for help, and from a personal side, it became difficult to maintain relationships with colleagues."
– IT Specialist for a financial institution

Info-Tech Insight

Educate the enterprise on expectations and processes that are handled by the MSP. Identify stakeholder groups affected by the outsourced processes then build a communication plan on what's been changed, what the benefits are, and how they will be impacted. Determine a timeline for communicating these initiatives and how these announcements will be made. Use InfoTech's Sample Communication Plan as a starting point.

Build a continual improvement plan to make sure your MSP is efficiently delivering services according to expectations

Ensure that your quality assurance program is repeatable and applicable to the outsourced services

1. Design a QA scorecard that can help you assess steps the outsourcer agents should follow. Keep the questionnaire high level but specific to your environment. The scorecard should include questions that follow the steps to take considering your intake channels. For instance, if end users can reach the service desk via phone, chat, and email, build your QA around assessing customer service for call, chat, and ticket quality.
2. Build a training program for agents: Develop an internal monitoring plan to relay detailed feedback to your MSP. Assess performance and utilize KBs as training materials for coaching agents on challenging transactions.
3. Everything that goes to your service desk has to be documented; there will be no organic transfer of knowledge and experience.
4. You need to let your MSP know how their efforts are impacting the performance of your organization. Measure your internal performance against the external performance of your service desk.
5. Constant internal check-ins ensure that your MSP is meeting the SLAs outlined in the RFP.
6. Routine reporting of metrics and ticket trends allow you to enact problem management. Otherwise, you risk your MSP operating your service desk with no internal feedback from its owner.
7. Use metrics to determine the service desk functionality.

Consider the success story of your outsourced service desk

Build a feedback program for your outsourced services. Utilize transactional surveys to discover and tell outsourcing success to the impacted stakeholders.

Ensure you apply steps for providing feedback to make sure processes are handled as expected. Service desk is the face of IT. Customer satisfaction on ticket transactions reflects satisfaction with IT and the organization.

Build customer satisfaction surveys and conduct them for every transaction to get a better sense of outsourced service desk functionality. Collaborate with the vendor to make sure you build a proper strategy.

• Build a right list of questions. Multiple and lengthy questions may lead to survey taking fatigue. Make sure you ask the right questions and give an option to the customer to comment any additional notes.
• Give the option to users to rate the transaction. Make the whole process very seamless and doable in a few seconds.
• Ensure to follow-up on negative feedback. This will help you find gaps in services and provide training to improve customer service.

3.3.1 Analyze your outsourced service desk for continual improvement

1 hour

1. In this project, you determined the KPIs based on your service desk objectives (activity 2.2.2).
2. Refer to your list of metrics in section 7 of the Service Desk Outsourcing Project Charter.
3. Think about what story you want to tell and determine what factors will help move the narrative.
4. Discuss how often you would like to track these metrics. Determine the audience for each metric.
5. Provide the list to the MSP to create reports with auto-distribution.

Input

• Determined CSFs and KPIs

Output

• List of metrics to track, including frequency to report and audience to report to

Materials

• Service Desk Outsourcing Project Charter

Participants

• Service Desk Manager
• IT Managers
• Project Managers

Download the Project Charter Template

Reward the MSP for performance instead of "punishing" them for service failure

Turn your vendor into a true partner by including an "earn back" condition in the contract

MSPs often offer clients credit requests (service credits) for their service failures, which are applied to the previous month's monthly recurring charge. They are applied to the last month's MRC (monthly reoccurring charges) at the end of term and then the vendor pays out the residual.

However, while common, service credits are not always perceived to be a strong incentive for the provider to continually focus on improvement of mean-time-to-respond/mean-time-to-resolve.

• Engage the vendor as a true partner within a relationship only based upon Service Credits.
• Suggest the vendor include a minor change to the non-performance processes within the final agreement: the vendor implements an "earn back" condition in the agreement.
• Where a bank of service credits exists because of non-performance, if the provider exceeds the SLA performance metrics for a number of consecutive months (two is common), then an amount of any prior credits received by client is returned to the provider as an earn back for improved performance.
• This can be a useful mechanism to drive improved performance.

Measure the outsourced service desk ROI constantly to drive efficient decisions for continual improvement or an exit plan

Efficient outsourced service desk causes positive impacts on business satisfaction. To address the true value of the services outsourced, you should evaluate the return on investment (ROI) in these areas: Emotional ROI, Time ROI, Financial ROI

Emotional ROI

Service desk's main purpose should be to provide topnotch services to end users. Build a customer experience program and leverage transactional surveys and relationship surveys to constantly analyze customer feedback on service quality.

Ask yourself:

• How have the outsourced services improved customer satisfaction?
• How has the service desk impacted the business brand?
• Have these services improved agents' job satisfaction?
• What is the NPS score of the service desk?
• What should we do to reduce the detractor rate and improve satisfaction leveraging the outsourced service desk?

Time ROI

Besides customer satisfaction, SLA commitment is a big factor to consider when conducting ROI analysis.

Ask these questions:

• Have we had improvement in FCR?
• What are the mean time to resolve incidents and mean time to fulfill requests?
• Is the cost incurred to outsourced services worth improvement in such metrics?

Financial ROI

As already mentioned in Phase 1, the main motivation for outsourcing the service desk should not be around cost reduction, but to improve performance. Regardless, it's still important to understand the financial implications of your decision.

To evaluate the financial impact of your outsourced service desk, ask these questions:

• How much have the outsourced services impacted our business financially?
• How much are we paying compared to when it was done internally?
• Considering the emotional, time, and effort factors, is it worth bringing the services in house or changing the vendor?

3.3.2 Make a case to either rehabilitate your outsourcing agreement or exit

3-4 hours

1. Refer to the results of activity 2.2.2. for the list of metrics and the metrics dashboard over the past quarter.
2. Consider emotional and time ROI, assess end-user satisfaction and SLA, and run a report comparison with the baseline that you built prior to outsourcing the service desk.
3. Estimate the organization's IT operating expenses over the next five years if you stay with the vendor.
4. Estimate the organization's IT operating expenses over the next five years if you switch the vendor.
5. Estimate the organization's IT operating expenses over the next five years if you repatriate the service desk.
6. Estimate the non-recurring costs associated with the move, such as the penalty for early contract termination, data center moving costs, and cost of potential business downtime during the move. Sum them to determine the investment.
7. Calculate the return on investment. Discuss and decide whether the organization should consider rehabilitating the vendor agreement or ending the partnership.

Input

• Outsourced service desk metrics
• Operating expenses

Output

• Return on investment

Materials

• List of metrics
• Laptop
• Markers
• Flip chart/whiteboard

Participants

• IT Director/CIO
• Service Desk Manager
• IT Managers

For more information on conducting this activity, refer to InfoTech's blueprint Terminate the IT Infrastructure Outsourcing Relationship

Define exit conditions to complete your contract with your MSP

The end of outsourcing is difficult. Your organization needs to maintain continuity of service during the transition. Your MSP needs to ensure that its resources can be effectively transitioned to the next deployment with minimal downtime. It is crucial to define your exit conditions so that both sides can prepare accordingly.

• Your exit conditions must be clearly laid out in the contract. Create a list of service desk functions and metrics that are important to your organization's success. If your MSP is not meeting those needs or performance levels, you should terminate your services.
• Most organizations accomplish this through a clear definition of hard and measurable KPIs and metrics that must be achieved and what will happen in the case these metrics are not being regularly met. If your vendor doesn't meet these requirements as defined in your contract, you then have a valid reason and the ability to leave the agreement.

Examples of exit conditions:

• Your MSP did not meet their SLAs on priority 1 or 2 tickets two times within a month.
• If they didn't meet the SLA twice in that 30 days, you could terminate the contract penalty-free.

Info-Tech Insight

If things start going south with your MSP, negotiate a "get well plan." Outline your problems to the MSP and have them come back to you with a list of how they're going to fix these problems to get well before you move forward with the contract.

Try to rehabilitate before you repatriate

Switching service providers or ending the contract can be expensive and may not solve your problems. Try to rehabilitate your vendor relationship before immediately ending it.

You may consider terminating your outsourcing agreement if you are dissatisfied with the current agreement or there has been a change in circumstances (either the vendor has changed, or your organization has changed).

Before doing so, consider the challenges:

1. It can be very expensive to switch providers or end a contract.
2. Switching vendors can be a large project involving transfer of knowledge, documentation, and data.
3. It can be difficult to maintain service desk availability, functionality, and reliability during the transition.

Diagnose the cause of the problem before assuming it's the MSP's fault. The issue may lie with poorly defined requirements and processes, lack of communication, poor vendor management, or inappropriate SLAs. Re-assess your strategy and re-negotiate your contract if necessary.

Info-Tech Insight

There are many reasons why outsourcing relationships fail, but it's not always the vendor's fault.

Clients often think their MSP isn't doing a great job, but a lot of the time the reason comes back to the client. They may not have provided sufficient documentation on processes, were not communicating well, didn't have a regular point of contact, and weren't doing regular service reviews. Before exiting the relationship, evaluate why it's not working and try to fix things first.

Don't stop with an exit strategy, you also need to develop a transition plan

Plan out your transition timeline, taking into account current contract terms and key steps required. Be prepared to handle tickets immediately upon giving notice.

• Review your outsourcing contract with legal counsel to identify areas of concern for lock-in or breech.
• Complete a cost/benefit analysis.
• Bring intellectual property (including ticket data, knowledge base articles, and reports) back in-house (if you'd like to repatriate the service desk) or transfer to the next service desk vendor (if you're outsourcing to another MSP).
• Review and update service desk standard processes (escalation, service levels, ticket templates, etc.).
• Procure service desk software, licenses, and necessary hardware as needed.
• Train the staff (internal for repatriating the service desk, or external for the prospective MSP).
• Communicate the transition plan and be prepared to start responding to tickets immediately.

Info-Tech Insight

Develop a transition plan about six months before the contract notice date. Be proactive by constantly tracking the MSP, running ROI analyses and training staff before moving the services to the internal team or the next MSP. This will help you manage the transition smoothly and handle intake channels so that upon potential exit, users won't be disrupted.

3.3.3 Develop an exit strategy in case you need to end your contract early

3-4 hours

Create a plan to be prepared in case you need to end your contract with the MSP early.

Your exit strategy should encompass both the conditions under which you would need to end your contract with the MSP and the next steps you will take to transition your services.

1. Define the exit conditions you plan to negotiate into your contract with the MSP:
   • Identify the performance levels you will require your MSP to meet.
   • Identify the actions you expect the MSP to take if they fail to meet these performance levels.
   • Identify the conditions under which you would leave the contract early.
2. Develop a strategy for transitioning services in the event you need to leave your contract with the MSP:
   • Will you hand the responsibility to a new MSP or repatriate the service desk back in-house?
   • How will you maintain services through the transition?
3. Document your exit strategy in section 6 of the Service Desk Outsourcing RFP Template.

Input

• Outsourced service desk metrics
• Operating expenses

Output

• Return on investment

Materials

• List of metrics
• Laptop
• Markers
• Flip chart/whiteboard

Participants

• IT Director/CIO
• Service Desk Manager
• IT Managers

Download the Service Desk Outsourcing RFP Template

Summary of Accomplishment

Problem Solved

You have now re-envisioned your service desk by building a solid strategy for outsourcing it to a vendor. You first analyzed your challenges with the current service desk and evaluated the benefits of outsourcing services. Then you went through requirements assessment to find out which processes should be outsourced. Thereafter, you developed an RFP to communicate your proposal and evaluate the best candidates.

You have also developed a continual improvement plan to ensure the outsourcer provides services according to your expectations. Through this plan, you're making sure to build a good relationship through incentivizing the vendor for accomplishments rather than punishing for service failures. However, you've also contemplated an exit plan in the RFP for potential consistent service failures.

Ideally, this blueprint has helped you go beyond requirements identification and served as a means to change your mindset and strategy for outsourcing the service desk efficiently to gain long-term benefits.

if you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop

Contact your account representative for more information

workshops@infotech.com

1-888-670-8889

Additional Support

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

The following are sample activities that will be conducted by Info-Tech analysts with your team:

Identify Processes to Outsource
Identify service desk tasks that will provide the most value upon outsourcing.

Score Candidate Vendors
Evaluate vendors on their capabilities for satisfying your service desk requirements.

Related Info-Tech Research

Standardize the Service Desk

• Improve customer service by driving consistency in your support approach and meeting SLAs.

Outsource IT Infrastructure to Improve System Availability, Reliability, and Recovery

• There are very few IT infrastructure components you should be housing internally – outsource everything else.

Terminate the IT Infrastructure Outsourcing Relationship

• There must be 50 ways to leave your vendor.

Research Contributors and Experts

Yev Khovrenkov; Enterprise Consultant, Solvera Solutions

Kamil Salagan; I&O Manager, Bartek Ingredients

Satish Mekerira; VP of IT, Coherus BioSciences

Kris Krishan; Head of IT and Business Systems, Waymo

Kris Arthur; Infra & Security Director, SEKO Logistics

Valance Howden; Principal Research Advisor, Info-Tech Research Group

Sandi Conrad; Principal Research Director, Info-Tech Research Group

Graham Price; Senior Director of Executive Services, Info-Tech Research Group

Barry Cousins; Practice Lead, Info-Tech Research Group

Mark Tauschek; VP of I&O Research, Info-Tech Research Group

Darin Stahl; Principal Research Advisor, Info-Tech Research Group

Scott Yong; Principal Research Advisor, Info-Tech Research Group

A special thank-you to five anonymous contributors

Bibliography

Allnutt, Charles. "The Ultimate List of Outsourcing Statistics." MicroSourcing, 2022. Accessed July 2022.
"Considerations for outsourcing the service desk. A guide to improving your service desk and service delivery performance through outsourcing." Giva. Accessed May 2022.
Hurley, Allison. "Service Desk Outsourcing | Statistics, Challenges, & Benefits." Forward BPO Inc., 2019. Accessed June 2022.
Mtsweni, Patricia, et al. "The impact of outsourcing information technology services on business operations." South African Journal of Information Management, 2021, Accessed May 2022.
"Offshore, Onshore or Hybrid–Choosing the Best IT Outsourcing Model." Calance, 2021. Accessed June 2022. Web.
"Service Integration and Management (SIAM) Foundation Body of Knowledge." Scopism, 2020. Accessed May 2022.
Shultz, Aaron. "IT Help Desk Outsourcing Pricing Models Comparison." Global Help Desk Services. Accessed June 2022. Web.
Shultz, Aaron. "4 Steps to Accurately Measure the ROI of Outsourced Help Desk Services" Global Help Desk Services, Accessed June 2022. Web.
Sunberg, John. "Great Expectations: What to Look for from Outsourced Service Providers Today." HDI. Accessed June 2022. Web.
Walters, Grover. "Pivotal Decisions in outsourcing." Muma Case Review, 2019. Accessed May 2022.
Wetherell, Steve. "Outsourced IT Support Services: 10 Steps to Better QA" Global Held Desk Services. Accessed May 2022. Web.

Annual CIO Survey Report 2024

An inaugural look at what's on the minds of CIOs.

1. Firmographics

• Region
• Title
• Organization Size
• IT Budget Size
• Industry

Firmographics

The majority of CIO responses came from North America. Contributors represent regions from around the world.

n=354

Firmographics

A typical CIO respondent held a C-level position at a small to mid-sized organization.

Half of CIOs hold a C-level position, 10% are VP-level, and 20% are director level

38% of respondents are from an organization with above 1,000 employees

Firmographics

A typical CIO respondent held a C-level position at a small to mid-sized organization.

40% of CIOs report an annual budget of more than $10 million

A range of industries are represented, with 29% of respondents in the public sector or financial services

2. Key Factors

• IT Maturity
• Disruptive Factors
• IT Spending Plans
• Talent Shortage

Two in three respondents say IT can deliver outcomes that Support or Optimize the business

Most CIOs are concerned with cybersecurity disruptions, and one in four expect a budget increase of above 10%

How likely is it that the following factors will disrupt your business in the next 12 months?

Looking ahead to 2024, how will your organization's IT spending change compared to spending in 2023?

3. Adoption of Emerging Technology

• Fastest growing tech for 2024 and beyond

CIOs plan the most new spend on AI in 2024 and on mixed reality after 2024

Top five technologies for new spending planned in 2024:

1. Artificial intelligence - 35%
2. Robotic process automation or intelligent process automation - 24%
3. No-code/low-code platforms - 21%
4. Data management solutions - 14%
5. Internet of Things (IoT) - 13%

Top five technologies for new spending planned after 2024:

1. Mixed reality - 20%
2. Blockchain - 19%
3. Internet of Things (IoT) - 17%
4. Robotics/drones - 16%
5. Robotic process automation or intelligent process automation - 14%

n=301

Info-Tech Insight
Three in four CIOs say they have no plans to invest in quantum computing, more than any other technology with no spending plans.

4. Adoption of AI

• Interest in generative AI applications
• Tasks to be completed with AI
• Progress in deploying AI

CIOs are most interested in industry-specific generative AI applications or text-based

Rate your business interest in adopting the following generative AI applications:

There is interest across all types of generative AI applications. CIOs are least interested in visual media generators, rating it just 2.4 out of 5 on average.

n=251

Info-Tech Insight
Examples of generative AI solutions specific to the legal industry include Litigate, CoCounsel, and Harvey.

By the end of 2024, CIOs most often plan to use AI for analytics and repetitive tasks

Most popular use cases for AI by end of 2024:

1. Business analytics or intelligence - 69%
2. Automate repetitive, low-level tasks - 68%
3. Identify risks and improve security - 66%
4. IT operations - 62%
5. Conversational AI or virtual assistants - 57%

Fastest growing uses cases for AI in 2024:

1. Automate repetitive, low-level tasks - 39%
2. IT operations - 38%
3. Conversational AI or virtual assistants - 36%
4. Business analytics or intelligence - 35%
5. Identify risks and improve security - 32%

n=218

Info-Tech Insight
The least popular use case for AI is to help define business strategy, with 45% saying they have no plans for it.

One in three CIOs are running AI pilots or are more advanced with deployment

How far have you progressed in the use of AI?

Info-Tech Insight
Almost half of CIOs say ChatGPT has been a catalyst for their business to adopt new AI initiatives.

5. AI Risk

• Perceived impact of AI
• Approach to third-party AI tools
• AI features in business applications
• AI governance and accountability

Six in ten CIOs say AI will have a positive impact on their organization

What overall impact do you expect AI to have on your organization?

The majority of CIOs are waiting for professional-grade generative AI tools

Which of the following best describes your organization's approach to third-party generative AI tools (such as ChatGPT or Midjourney)?

Info-Tech Insight
Business concerns over intellectual property and sensitive data exposure led OpenAI to announce ChatGPT won't use data submitted via its API for model training unless customers opt in to do so. ChatGPT users can also disable chat history to avoid having their data used for model training (OpenAI).

One in three CIOs say they are accountable for AI, and the majority are exploring it cautiously

Who in your organization is accountable for governance of AI?

More than one-third of CIOs say no AI governance steps are in place today

What AI governance steps does your organization have in place today?

Among organizations that plan to invest in AI in 2024, 30% still say there are no steps in place for AI governance. The most popular steps to take are to publish clear explanations about how AI is used, and to conduct impact assessments (n=170).

Among all CIOs, including those that do not plan to invest in AI next year, 37% say no steps are being taken toward AI governance today (n=243).

6. Contribute to Info-Tech's Research Community

• Volunteer to be interviewed
• Attend LIVE in Las Vegas

It's not too late; take the Future of IT online survey

Contribute to our tech trends insights

If you haven't already contributed to our Future of IT online survey, we are keeping the survey open to continue to collect insights and inform our research reports and agenda planning process. You can take the survey today. Those that complete the survey will be sent a complimentary Tech Trends 2024 report.

Complete an interview for the Future of IT research project

Help us chart the future course of IT

If you are receiving this for completing the Future of IT online survey, thank you for your contribution. If you are interested in further participation and would like to provide a complementary interview, please get in touch at brian.Jackson@infotech.com. All interview subjects must also complete the online survey.

If you've already completed an interview, thank you very much, and you can look forward to seeing more impacts of your contribution in the near future.

Methodology

All data in this report is from Info-Tech's Future of IT online survey 2023 edition.

A CIO focus for the Future of IT

Data in this report represents respondents to the Future of IT online survey conducted by Info-Tech Research Group between May 11 and July 7, 2023.

Only CIO respondents were selected for this report, defined as those who indicated they are the most senior member of their organization's IT department.

This data segment reflects 355 total responses with 239 completing every question on the survey.

Further data from the Future of IT online survey and the accompanying interview process will be featured in Info-Tech's Tech Trends 2024 report this fall and in forthcoming Priorities reports including Applications, Data & EA, CIO, Infrastructure, and Security.

Take a Realistic Approach to Disaster Recovery Testing

Reduce costly downtime with a right-sized testing program that improves IT resilience.

Analyst Perspective

Reduce costly downtime with a right-sized testing program that improves IT resilience.

Most businesses make significant investments in disaster recovery and technology resilience. Redundant sites and systems, monitoring, intrusion prevention, backups, training, documentation: it all costs time and money.

But does this investment deliver expected value? Specifically, can you deliver service continuity in a way that meets business requirements?

You can’t know the answer without regularly testing recovery processes and systems. And more than just validation, testing helps you deliver service continuity by finding and addressing gaps in your plans and training your staff on recovery procedures.

Use the insights, tools, and templates in this research to create a streamlined and effective resilience testing program that helps validate recovery capabilities and enhance service reliability, availability, and continuity.

Andrew Sharp

Research Director, Infrastructure & Operations
Info-Tech Research Group

Executive Summary

Info-Tech Insight

If you treat testing as a pass/fail exercise, you aren’t meeting the end goal of improving organizational resilience. Focus on identifying gaps and risks so you can address them before a real disaster hits.

Process and Outputs

This research is accompanied by templates to help you achieve your goals faster.

1 - Establish the business rationale for DR testing.
2 - Review a range of options for testing.
3 - Prioritize tests that are most valuable to your business.
4 - Create a disaster recovery test plan.
5 - Establish a Test Program to support a regular testing cycle.

Outputs:

Orange activity slides like the one on the left provide directions to help you make key decisions.

Key Deliverable:

Disaster Recovery Test Plan Template

Build a plan for your first disaster recovery test.

This document provides a complete example you can use to quickly build your own plan, including goals, milestones, participants, the test-day schedule, and findings from the after-action review.

Why test?

Testing helps you avoid costly downtime

• In a disaster scenario, speed matters. Immediately after an outage, the impact on the organization is small, but impact increases rapidly the longer the outage continues.
• A quick and reliable response and recovery can protect the organization from significant losses.
• A DRP testing and maintenance program helps ensure you’re ready to recover when you need to, rather than figuring it out as you go.

“Routine testing is vital to survive a disaster… that’s when muscle memory sets in. If you don’t test your DR plan it falls [in importance], and you never see how routine changes impact it.”

– Jennifer Goshorn
Chief Administrative Officer
Gunderson Dettmer LLP

Info-Tech members estimated even one day of system downtime could lead to significant revenue losses.

Average estimated potential loss* in thousands of USD due to a 24-hour outage (N=41)

*Data aggregated from 41 business impact analyses (BIAs) conducted with Info-Tech advisory assistance. BIAs evaluate potential revenue loss due to a full day of system downtime, at the worst possible time.

Run tests to enhance disaster recovery plans

Testing improves organizational resilience

• Identify and address gaps in your plans before a real disaster strikes.
• Cross-train staff on systems recovery.
• Go beyond testing technology to test recovery processes.
• Establish a culture that centers resilience in everyday decision-making.

Testing keeps DR documentation ready for action

• Update documentation ahead of tests to prepare for the testing exercise.
• Update documentation after testing to incorporate any lessons learned.

Testing validates that investments in resilience deliver value

• Confirm your organization can meet defined recovery time objectives (RTOs) and recovery point objectives (RPOs).
• Provide proof of testing for auditors, prospective customers, and insurance applications

Overcome testing challenges

Despite the value of effective recovery testing, most IT organizations struggle to test recovery plans

Common challenges

• Key resources don’t have time for testing exercises.
• You don’t have the technology to support live recovery testing.
• Tests are done ad hoc and lessons learned are lost.
• A lack of business support for test exercises as the value isn’t understood.
• Tests are always artificially simple because RTOs and RPOs must be met to satisfy customer or auditor inquiries

Overcome challenges with a realistic approach:

• Start small with tabletop and recovery tests for specific systems.
• Include recovery tests in operational tasks (e.g. restore systems when you have a maintenance window).
• Create testing plans for larger testing exercises.
• Build on successful tests to streamline testing exercises in the future.
• Don’t make testing a pass-fail exercise. Focus on identifying gaps and risks so you can address them before a real disaster hits.

Go beyond traditional testing

Different test techniques help validate recovery against different threats

• There are many threats to service continuity, including ransomware, severe weather events, geopolitical conflict, legacy systems, staff turnover, and day-to-day outages caused by human error, software updates, hardware failures, or network outages.
• At its core, disaster recovery planning is about recovery. A plan for service recovery will help you mitigate against many threats at once. The testing approaches on the right will help you validate different aspects of that recovery process.
• This research will provide an overview of the approaches outlined on the right and help you prioritize tests that are most valuable to your organization.

00 Identify a working group

30 minutes

Identify a group of participants who can fill the following roles and inform the discussions around testing in this research. A single person could fill multiple roles and some roles could be filled by multiple people. Many participants will be drawn from the larger DRP team.

Start by updating your disaster recovery plan (DRP)

Use Info-Tech’s Create a Right-Sized Disaster Recovery Plan research to identify recovery objectives based on business impact and outline recovery processes. Both are tremendously valuable inputs to your test plans.

Overall Business Continuity Plan

01 Confirm: why test at all?

15-30 minutes

Identify the value recovery testing for your organization. Use language appropriate for a nontechnical audience. Start with the list below and add, modify, or delete bullet points to reflect your own organization.

Drivers for testing – Examples:

• Improve service continuity.
• Identify and address gaps in recovery plans before a real disaster strikes.
• Cross-train staff on systems recovery to minimize single points of failure.
• Identify how we coordinate across teams during a major systems outage.
• Exercise both recovery processes and technology.
• Support a culture that centers system resilience in everyday decision-making.
• Keep recovery documentation up-to-date and ready for action.
• Confirm that our stated recovery objectives can be met.
• Provide proof of testing for auditors, prospective customers, and insurance applications.
• We require proof of testing to pass audits and renew cybersecurity insurance.

Info-Tech Insight

Time-strapped technical staff will sometimes push back on planning and testing, objecting that the team will “figure it out” in a disaster. But the question isn’t whether recovery is possible – it’s whether the recovery aligns with business needs. If your plan is to “MacGyver” a solution on the fly, you can’t know if it’s the right solution for your organization.

Think about what and how you test

Find gaps and risks with tabletop testing

In a tabletop planning exercise, the team walks through a disaster scenario to outline the recovery workflow, and risks or gaps that could disrupt that workflow.

Tabletops are particularly effective because:

• It enables you to play out a wider range of scenarios than technology-based testing (e.g. full-scale, parallel) due to cost and complexity factors.
• It is non-intrusive, so it can be executed more easily than other testing methodologies.
• The exercise translates into recovery documentation: you create a workflow as you go.
• A major site or service recovery scenario will review all aspects of the recovery process and create the backbone of your recovery plan.

02 Run a tabletop exercise

2 hours

Tabletop testing is part of our core DRP methodology, Create a Right-Sized Disaster Recovery Plan. This exercise can be run using cue cards, sticky notes, or on a whiteboard; many of our facilitators find building the workflow directly in flowchart software to be very effective.

Use our Recovery Workflow Template as a starting point.

Some tips for running your first tabletop exercise:

1. Ahead of the exercise, decide on a scenario, identify participants, and book a meeting time.
   • For your first walkthrough of a DR scenario, we often recommend a scenario that considers a site failure requiring failover to a DR site.
   • For the first exercise, focus on technical aspects of recovery before bringing in members of the business. The technical team may need space to discuss the appropriate steps in the recovery process before you bring in business liaisons to discuss user acceptance testing (UAT).
   • A complete failover considers all systems, the viability of your second site, and can help identify parts of the process that require additional exercises.
2. Review the scenario with participants. Then, discuss and document the recovery process, starting with initial notification of an event.
   • Record steps in the process on white cards or boxes.
   • On yellow and red cards, document gaps and risks in people process and technology requirements.
3. Once you’ve walked through the process, return to the start.
   • Record the time required to complete each step. Consider identifying who is responsible for key steps. Identify any additional gaps and risks.
4. Clean up and record the results of the workflow. Save a copy with your DRP documentation.

Move from tabletop testing to functional exercises

See how your plans fare in the real world

In live exercises, some portion of your recovery plans are executed in a way that mimics a real recovery scenario. Some advantages of live testing:

• See how standby systems behave. A tabletop exercise can miss small issues that can make or break the recovery process. For example, connectivity or integration issues on a new subnet might be difficult to predict prior to actually running services in that environment.
• Hands-on practice: Familiarize the team with the steps, commands, and interfaces of your recovery toolset.
• Manage the pressure of the DR scenario: Nothing’s quite like the real thing, but a live exercise may be the closest your team can get to a disaster situation without experiencing it firsthand.

Examples of live exercises

Run local tests ahead of releases

Think small

Most unacceptable downtime is caused by localized issues, such as hardware or software failures, rather than widespread destructive events. Regular local testing can help validate the recovery plan for local issues and improve overall service continuity.

Make local testing a standard step in maintenance work and new deployments to embed resilience considerations in day-to-day activities. Run the same tests in both your primary and your DR environment.

Some examples of localized tests:

• Review backup logs and check for errors.
• Restore files or whole systems from backup.
• Run application-based tests as part of release management, including unit, regression, and performance tests.
  • Ensure application tests are run for both the primary and DR environment.
  • For a deep-dive on application testing, see Info-Tech’s research Automate Testing to Get More Done.

Info-Tech Insight

Local tests will vary between different services, and local test design is usually best left to the system SMEs. At the same time, centralize reporting to understand where tests are being done.

Investigate whether your IT Service Management or ticketing system can create recurring tasks or work orders to schedule, document, and track test exercises. Tasks can be pre-populated with checklists and documentation to support the test and provide a record of completed tests to support oversight and reporting.

Have the business validate recovery

If your business doesn’t think a system’s recovered, it’s not recovered.

User acceptance testing (UAT) after system recovery is a key step in the recovery process. Like any step in the process, there’s value in testing it before it actually needs to be done. Assign responsibility for building UATs to the person who will be responsible for executing them.

An acceptance test script might look something like the checklist below.

• Does the application open?
• Does the interface look right?
• Do you see any unusual notifications or warnings?
• Can you conduct a key transaction with dummy data?
• Can you run key reports?

“I cannot stress how important it is to assign ownership of responsibilities in a test; this is the only way to truly mitigate against issues in a test.”

– Robert Nardella
IT Service Management
Certified z/OS Mainframe Professional

Info-Tech Insight

Build test scripts and test transactions ahead of time to minimize the amount of new work required during a recovery scenario.

Beyond the Basics: Full Failover Testing

• A failover test – a full failover of your production environment to a secondary environment – is what many IT and businesspeople think about when they think of disaster recovery testing.
• A full test can validate previous local or tabletop tests, identify additional gaps and risks, and provide hands-on training experience with recovery processes and technologies.
• Setting a date for failover testing can also inject some urgency into otherwise low-priority (but high importance) disaster recovery planning and documentation exercises, which need to be completed prior to the test.
• Despite these benefits, full failover tests carry significant risk and require a great deal of effort and cost. Typically, only businesses that already have an active-active environment capable of supporting in-scope production systems are able to run a full environment failover.
• This is especially true the first time you test. While in theory a DR plan should be ready to go at any time, there will be documents to update, gaps to address, and risks to mitigate before you go ahead with the test.

Full Failover Testing

What you get:

• Provide hands-on experience with recovery processes and technology.
• Confirm that site failover works in practice as you assumed in tabletop or local testing exercises.
• Identify critical gaps you might have missed without a full failover test.

What you need:

• An active-active secondary site, with sufficient standby equipment, data, and licensed standby software to support production.
• A completed tabletop exercise and documented recovery workflow.
• A documented test plan, backout plan, and formal sign-off.
• An off-hours downtime window.
• Time from technical SMEs and business resources, both for creating the plan and executing the test.

Beyond the Basics: Site Reliability Engineering

• Site reliability engineering (SRE) is an application of skills and approaches from software engineering to improve system resilience.
• SRE is focused on “availability, latency, performance, efficiency, change management, monitoring, emergency response, and capacity planning” across a set portfolio of services (Sloss, 2017).
• In many organizations, SRE is implemented as a team that supports separate applications teams.
• Applications must have defined and granular resilience requirements, translated into service objectives. The SRE team and applications teams will work together to meet these objectives.
• Site reliability engineers (the folks that do SRE, and often also abbreviated as SREs) are expected to build solutions and processes to ensure services remain stable and performant, not just respond when they fail. For example, Google allows their SREs to spend just half their time on incident response, with the rest of their time focused on development and automation tasks.

Site Reliability Testing

What you get:

• Improved reliability and reduced frequency and impact of downtime.
• Increased use of automation to address problems before they cause an incident.
• Granular resilience objectives.

What you need:

• Systems running on software-defined infrastructure.
• Specialized skills in programming, infrastructure-as-code.
• Business & product owners able to define and fund acceptable and appropriate resilience objectives.
• Technical experts able to translate product requirements into technical design requirements.

Beyond the Basics: Chaos Engineering

• Chaos engineering, a term and approach first popularized by the team at Netflix, aims to improve the resilience of particularly large and distributed systems by simulating system failures and evaluating performance against a baseline.
• Experiments simulate a variety of real-world events that could cause outages (e.g. network slowdowns or server failures). Experiments run continuously, and the recommendation is to run them in production where feasible while minimizing the impact on customers.
• Tools to help you run chaos testing exist, including open-source toolkits like Chaos Monkey or Mangle and paid software as a service (SaaS) solutions like Gremlin.
• Deciding whether the long-term benefits of tests that can degrade production are worth the potential risk of system slowdowns or outages is a business or product decision. Technical considerations aside, if the business owner of a particular system doesn’t see the value of continuous testing outweighing the introduced risk, this approach to testing isn’t going to happen.

Chaos Engineering

What you get:

• Confidence that systems can weather volatile and unpredictable conditions in a production environment.
• An embedded resilience culture.

What you need:

• High-maturity IT incident, monitoring and event practices.
• Standby/resilient systems to minimize downtime impact.
• Business buy-in for introducing risk into the production environment.
• Specialized skills to identify, develop, and run tests that degrade production performance in a controlled way.
• Budget and time to act on issues identified through testing.

Beyond the Basics: Security Event Simulations

• Ransomware is driving demands for proof of recovery testing from customers, executives, auditors, and insurance companies. Systems recovery is part of ransomware recovery, but recovering from a breach includes detection, analysis, containment, and eradication of the attack vector before systems recovery can begin.
• Beyond technical recovery, internal legal and communications teams will have a role, as will your insurance provider, consultants specialized in ransomware recovery, or professional ransom negotiators.
• A tabletop exercise focused on ransomware incident response is a key first step. You can find Info-Tech’s methodology for a ransomware tabletop in Phase 3 of Build Resilience Against Ransomware Attacks.
• Live testing approaches can offer hands-on experience and further insight into how your systems are vulnerable to malware. A variety of open source and proprietary tools can simulate ransomware and help you identify problems, though it’s important to understand the limitations of different simulators (Allon, 2022).
• A “red team” exercise simulates an adversarial attack against your processes and systems. A specialized penetration tester will often take on the role of the red team and provide a report of identified gaps and risks after the engagement.

Security Event Simulation

What you get:

• Hands-on experience managing and recovering from a ransomware attack in a controlled environment.
• A better understanding of gaps in your response process.

What you need:

• A completed ransomware tabletop exercise and mature security incident response processes.
• For Ransomware Simulators: An air-gapped sandbox environment hosting a copy of your production systems and security tools, and time from your technical SMEs.
• For Red Team Exercises: A trusted provider, scope for your testing plans, and time from your security incident response team.

Prioritize tests by asking these three questions

1. Will the scope of this test deliver sufficient value?

• Yes, these are critical systems with low tolerance for downtime or data loss.
• Yes, major changes or new systems require validation of DR capabilities.
• Yes, there’s high probability of an outage, or recent experience of an outage.
• •Yes, we have audit requirements or customer demands for testing.

2. Are we ready for this test?

• Yes, recovery plans and recovery objectives are documented.
• Yes, key technical and business resources have time to commit to testing exercises.
• Yes, technology is currently able to support proposed tests.

3. Is it easy to do?

• Yes, effort required to complete the test is low (i.e. minimal work, few participants).
• Yes, the risks related to testing are low.
• Yes, it won’t cost much.

Info-Tech Insight

More complex, challenging, risky, or costly tests, such as full failover tests, can deliver value. But do the high-value, low-effort stuff first!

03 Brainstorm and prioritize test ideas

30-60 minutes

Even if you have an idea of what you need to test and how you want to run those tests, this brainstorming exercise can generate useful ideas for testing that might otherwise have been missed.

1. Review the slides above to develop ideas on how and what you want to test. These slides may be enough to kickstart a brainstorming process. Don’t debate or discount ideas at this point. Write down these ideas in a space where all participants can see them (e.g. whiteboard or shared screen).

The next steps will help you prioritize the list – if needed – to tests that are highest value and lowest effort.

1. Discuss where you have the greatest need to test. Assign a score of 0 – 3 for each test, with a score of 3 being high-need and a score of zero being low-need. Consider whether:
   • These applications have a low tolerance for downtime.
   • There’s a high chance of an outage, or recent experience with an outage.
   • There’s a need to train or cross-train staff on recovery for the system(s) in question.
   • Major changes require a review or validation of DR capabilities.
   • Audit requirements or customer/executive demands can be met via testing.
2. Discuss which tests will require the least effort to complete – where readiness is high and tests are easier to do. Assign a score between 0 and 3 for each test, with a score of 3 being least effort and a score of 0 being high effort. Consider whether:
   • Recovery plans and recovery objectives are documented for these systems.
   • Technical experts are available to work on testing exercises.
   • For active testing, standby/sandbox systems are available and capable of supporting proposed tests.
   • The effort required to complete the test is low (e.g. minimal new work, few participants).
   • The risks related to testing are low.
   • You will need to secure additional funding.
3. Sum together the assigned scores for each test. Higher scores should be the highest priority, but of course use your judgement to validate the results and select one or two tests to execute in the coming year.

“There are different levels of testing and it is very progressive. I do not recommend my clients to do anything, unless they do it in a progressive fashion. Don’t try to do a live failover test with your users, right out of the box.”

– Steve Tower
Principal Consultant
Prompta Consulting Group

04 Build a test plan

3-5 days

Building a test plan helps the test run smoothly and can uncover issues with the underlying DRP as you dig into the details.

The test coordinator will own the plan document but will rely on the sponsor to confirm scope and goals, technical SMEs to develop system recovery plans, and business liaisons to create UAT scripts.

Download Info-Tech’s Disaster Recovery Test Plan Template. Use the structure of the template to build your own document, deleting example data as you go. Consider saving a separate copy of this document as an example and working from a second copy.

Key sections of the document include:

• Goals, scenario, and scope of the test.
• Assumptions, constraints, risks, and mitigation strategies.
• Test participants.
• Key pre-test milestones, and test-day schedule.
• After-action review.

Download the Disaster Recovery Test Plan Template

05 Run an after-action review

30-60 minutes

Take time after test exercises – especially large-scale tests with many participants – to consider what went well, what didn’t, and where you can improve future testing exercises. Track lessons learned and next steps at the bottom of your test plan.

1. Start with a short (5-10 minute) debrief of the test and allow participants to ask questions. Confirm:
   • Did we meet the goals we set for the exercise, including RTOs and RPOs?
   • What was done well? What issues, gaps, and risks were identified?
2. Work through variations of the following questions:
   • Was the test plan effective, and was the test well organized?
   • Was the documentation effective? Where did we follow the plan as documented, and where did we deviate from the plan?
   • Was our communication/collaboration during the test effective?
   • Have gaps and issues found during the test been reported to the testing coordinator? Could some of the issues uncovered apply more broadly to other IT services as well?
   • What could we test next, based on what was discovered?
   • Are there other tools or approaches that could be useful?

Follow a testing cycle

All tests are expected to drive actions to improve resilience, as appropriate. Experience from previous tests will be applied to future testing exercises.

Use your experience to simplify testing

The fifth testing exercise should be easier than the first

Outputs and lessons learned from testing should help you run future tests.

• With past experience under their belt, participants should have a better understanding of their role, and of their peers’ roles, and the goal of the exercise.
• Facilitators will be more comfortable facilitating the exercise, and everyone should be more confident in the steps required to recover their systems.
• Gather feedback from participants through after-action reviews to identify what worked and what didn’t.
• Documentation from previous tests can provide a template for future tests.
• Gaps identified in previous tests can provide ideas for future tests.

Info-Tech Insight

Testing should get easier over time. But if you’re easily passing every test, it’s a sign that you’re ready to run more challenging tests.

06 Create a test program summary

2-4 hours

Regular testing allows you to build on prior tests and helps keep plans current despite changes to your environment.

Keeping a regular testing schedule requires expertise, a process to coordinate your efforts, and a level of governance to provide oversight and ensure testing continues to deliver value. Create a call to action using Info-Tech’s Disaster Recovery Testing Program Summary Template.

The result is a summary document that:

• Identifies key takeaways and testing goals
• Presents key elements of the testing program
• Outlines the testing cycle
• Lists expected milestones for the next year
• Identifies participants
• Recommends next steps

“It is extremely important in the early stages of development to concentrate the focus on actual recoverability and data protection, enhancing these capabilities over time into a fully matured program that can truly test the recovery, and not simply focusing on the testing process itself.”

– Joe Starzyk
Senior Business Development Executive
IBM Global Services

Research Contributors and Experts

• Bernard A. Jones, Business Continuity & Disaster Recovery Expert
• Robert Nardella, IT Service Management, Certified z/OS Mainframe Professional
• Larry Liss, Chief Technology Officer, Blank Rome LLP
• Jennifer Goshorn, Chief Administrative and Chief Compliance Officer, Gunderson Dettmer LLP
• Paul Kirvan, FBCI, CISA, Independent IT Consultant/Auditor, Paul Kirvan Associates
• Steve Tower, Principal Consultant, Prompta Consulting Group
• Joe Starzyk, Senior Business Development Executive, IBM Global Services
• Thomas Bronack, Enterprise Resiliency and Corporate Certification Consultant, DCAG
• Paul S. Randal, CEO & Owner, SQLskills.com
• Tom Baumgartner, Disaster Recovery Analyst, Catholic Health

Bibliography

Alton, Yoni. “Ransomware simulators – reality or a bluff?” Palo Alto Blog, 2 May 2022. Accessed 31 Jan 2023.
https://www.paloaltonetworks.com/blog/security-operations/ransomware-simulators-reality-or-a-bluff/

Brathwaite, Shimon. “How to Test your Business Continuity and Disaster Recovery Plan,” Security Made Simple, 13 Nov 2022. Accessed 31 Jan 2023.
https://www.securitymadesimple.org/cybersecurity-blog/how-to-test-your-business-continuity-and-disaster-recovery-plan

The Business Continuity Institute. Good Practice Guidelines: 2018 Edition. The Business Continuity Institute, 2017.

Emigh, Jacqueline. “Disaster Recovery Testing: Ensuring Your DR Plan Works,” Enterprise Storage Forum, 28 May 2019. Accessed 31 Jan 2023.
Disaster Recovery Testing: Ensuring Your DR Plan Works | Enterprise Storage Forum

Gardner, Dana. "Case Study: Strategic Approach to Disaster Recovery and Data Lifecycle Management Pays off for Australia's SAI Global." ZDNet. BriefingsDirect, 26 Apr 2012. Accessed 31 Jan 2023.
http://www.zdnet.com/article/case-study-strategic-approach-to-disaster-recovery-and-data-lifecycle-management-pays-off-for-australias-sai-global/.

IBM. “Section 11. Testing the Disaster Recovery Plan.” IBM, 2 Aug 2021. Accessed 31 Jan 2023. Section 11. Testing the disaster recovery plan - IBM Documentation Lutkevich, Ben and Alexander Gillis. “Chaos Engineering”. TechTarget, Jun 2021. Accessed 31 Jan 2023.
https://www.techtarget.com/searchitoperations/definition/chaos-engineering

Monperrus, Martin. “Principles of Antifragility.” Arxiv Forum, 7 June 2017. Accessed 31 Jan 2023.
https://arxiv.org/ftp/arxiv/papers/1404/1404.3056.pdf

“Principles of Chaos Engineering.” Principles of Chaos Engineering, 2019 March. Accessed 31 Jan 2023.
https://principlesofchaos.org/

Sloss, Benjamin Treynor. “Introduction.” Site Reliability Engineering. Ed. Betsy Beyer. O’Reilly Media, 2017. Accessed 31 Jan 2023.
https://sre.google/sre-book/introduction/

Create and Implement an IoT Strategy

Gain control of your IoT environment

Create and Implement an IoT Strategy

Gain control of your IoT environment

EXECUTIVE BRIEF

Table of Contents

Analyst perspective

IoT is an extremely efficient automated data collection system which produces millions of pieces of data. Many organizations will purchase point solutions to help with their primary business function to increase efficiency, increase profitability, and most importantly provide scalable services that cannot exist without automated data collection and analytical tools.

Most of the solutions available are designed to perform a specific function within the parameters of the devices and applications designed by vendors. As these specific use cases proliferate within any organization, the data collected can end up housed in many places, owned by each specific business unit and used only for the originally designed purpose. Imagine though, if you could take the health information of many patients, anonymize it, and compare overall health of specific regions, rather than focusing only on the patient record as a correlated point; or many data points within cities to look at pedestrian, bike, and vehicle traffic to better plan infrastructure changes, improve city plans, and monitor pollution, then compared to other cities for additional modeling.

In order to make these dramatic shifts to using many IoT solutions, it’s time to look at creating an IoT strategy that will ensure all systems meet strategic goals and will enable disparate data to be aggregated for greater insights. The act of aggregation of systems and data will require additional scrutiny to mitigate the potential perils for privacy, management, security, and auditability

The strategy identifies who stewards use of the data, who manages devices, and how IT enables broader use of this technology. But with the increased volume of devices and data, operational efficiency as part of the strategy will also be critical to success.

This project takes you through the process of defining vision and governance, creating a process for evaluating proposed solutions for proof of value, and implementing operational effectiveness.

Sandi Conrad Principal Research Director Info-Tech Research Group

Executive Summary

Early intervention will improve results. IoT is one of the biggest challenges for IT departments to manage today. The large volume of devices and lack of insight into vendor solutions is making it significantly harder to plan for upgrades and contract renewals, and to guarantee security protocols are being met. Create a multistep onboarding process, starting with an initial assessment process to increase success for the business, then look to derive additional benefits to the business and mitigate risks.

Your challenge

Point solutions may be installed and configured with support outsourced to vendors, where integrations may be light or non-existent. Each point solution will be owned by the business, with data used for a specific purpose, and may only require infrastructure support from the internal IT department. Operational needs must be met to protect the business’ investment, and without involving IT early, agreements may be signed that don’t meet long-term goals of high value at reasonable prices. To fully realize value from multiple disparate systems, a cohesive strategy to bring together data will be required, but with that comes a need to improve technology, determine data ownership, and improve oversight with strengthened security, privacy, and communications. Where IoT is becoming a major source of data, taking a piecemeal approach will no longer be enough to be successful. IoT solutions may be chosen by the business, but to be successful and meet their requirements, a partnership with IT will ensure better communications with the service provider for a less stressful implementation with governance over security needs and protection of the organization’s data, and it will ensure that continual value is enabled through effective operations.

(Source: Beecham Research qtd. in Software AG)

Common obstacles

These barriers make IoT challenging to implement for many organizations: Solutions managed outside of IT, whether through an operational technology team or an outsourced vender, will require a comprehensive approach that encourages collaboration, common understandings of risk, and the ability to embrace change. Technical expertise required will be broad and deep for a multi-solution implementation. Many types of devices, with varied connections and communications methods, will need to be architected with flexibility to accommodate changing technology and scalability needs. Understanding the myriad options available and where it makes sense to deploy cutting-edge vs. proven technologies, as well as edge computing and digital twins. External consultants specializing in IoT may need to be engaged to make these complex solutions successful, and they also need to be skilled in facilitating discussions within teams to bring them to a common understanding. Analysis skills and a data strategy will be key to successfully correlating data from multiple sources, and AI will be key to making sense of vast amounts of data available and be able to use it for predictive work. According to the Microsoft IoT Signals report of October 2020, “79% of organizations adopt AI as part of their IoT solution, and those who do perceive IoT to be more critical to their company’s success (95% vs. 82%) and are more satisfied with IoT (96% vs. 87%).“

(Source: Microsoft IoT Signals, Edition 2, October 2020 n=3,000)

Internet of Things Framework

GOVERNANCE

What should I build? What are my concerns?
Where should I build it? Why does it need to be built?

CONTROLS

How do I operate and maintain it?

BRIDGING THE PHYSICAL WORLD AND THE VIRTUAL WORLD

How should it be built?

Data Normalization' from physical to virtual and 'Instructions' from virtual to physical.">

Insight summary

Real value to the business will come from insights derived from data

Many point solutions will solve many business issues and produce many data sets. Ensure your strategy includes plans on how to leverage data to further your organizational goals. A data specialist will make a significant difference in helping you determine how best to aggregate and analyze data to meet those needs.

Provide the right level of oversight to help the business adopt IoT

Regardless of who is initiating the request or installing the solution, it’s critical to have a framework that protects the organization and their data and a plan for managing the devices.

The business doesn’t always know what questions to ask, so it’s important for IT to enable them if moving to a business-led innovation model, and it’s critical to helping them achieve business value early.

Do a pre-implementation assessment to engage early and at the right level

Many IoT solutions are business- and vendor-led and are hosted outside of the organization or managed inside the business unit.

Having IT engage early allows the business to determine what level of support is appropriate for them, allows IT to ensure data integrity, and allows IT to ensure that security, privacy, and long-term operational needs are managed appropriately.

Blueprint deliverables

Blueprint benefits

Evaluate digital transformation opportunities with these guiding principles for smart solutions

Info-Tech Insight

When looking for a quick win, consider customer journey mapping exercises to find out what it takes to do the work today, for example, map the journey to apply for a building permit, renew a license, or register a patient.

Measure the value of IoT

There is a broad range of solutions for IoT all designed to collect information and execute actions in a way designed to increase profitability and/or improve services. McKinsey estimates value created through interoperability will account for 40% to 60% of the potential value of IoT applications.

Info-Tech offers various levels of support to best suit your needs

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between 4 to 8 calls over the course of 2 to 4 months.

What does a typical GI on this topic look like?

Create and Implement an IoT Strategy

Phase 1

Define your governance process

This phase will provide the following activities

• Create the steering committee project charter

Assemble the right team to ensure the success of your IoT ecosystem

Business stakeholders will provide clarity for their strategy and provide input into how they envision IoT solutions furthering those goals and how they may gain relevant insights from secondary data. As IoT solutions move beyond their primary goals, it will be critical to evaluate the continually increasing data to mitigate risks of unintended consequences as new data sets converge. The security team will need to evaluate solutions and enforce standards. CDO and analysts will assess opportunities for data convergence to create new insights into how your services are used.

IT stakeholders will be driving these projects forward and ensuring all necessary resources are available and funded. Operational plans will include asset management, monitoring, and support to meet functional goals and manage throughout the asset lifecycle. Each solution added to the environment will need to be chosen and architected to meet primary functions and secondary data collection.

Identify IoT steering committee participants to ensure broad assessment capabilities are available

The committee should include team members experienced enough to provide an effective assessment of IoT projects, and to provide input and oversight regarding business value, privacy, security, operational support, infrastructure, and architectural support. A data specialist will be critical for evaluating opportunities to expand use of data and ensure data can be effectively validated and aggregated. Additional oversight will be needed to review aggregated data to protect against the unintended consequences of having data combined and creating personas that will identify individuals. Additional experts may be invited to committee meetings as appropriate, and ideas should be discussed and clarified with the business unit bringing the ideas forward or that may be impacted by solutions. Invite appropriate IT and business leaders to the initial meeting to gain agreement and form the governance model.

Determine responsibilities of the committee to gain consensus and universal understanding

	STRATEGIC ALIGNMENT	Define the IoT vision in alignment with the organizational strategy and mission. Define strategy, policies and communication requirements for IoT projects. Assess and bring forward proposals to utilize IoT to further organizational strategy.
	VALUE DELIVERY	Define criteria for evaluating and prioritizing proposals and projects. Validate the IoT proposals to ensure value drivers are understood and achievable. Identify opportunities to combine data sets for secondary analysis and insights.
	RISK OPTIMIZATION	Evaluate data and combined data sets to avoid unintended consequences. Ensure security standards are adhered to when integrating new solutions. Reinforce privacy regulations, policy, and communications requirements.
	RESOURCE OPTIMIZATION	Identify and validate investment and resource requirements. Evaluate technical requirements and capabilities. Align IoT management requirements to operations goals within IT.
	PERFORMANCE MANAGEMENT	Assess validity of pilot project plan, including success criteria. Identify corner cases to assess functionality and potential risks beyond core features. Monitor progress, evaluate results, and ensure organizational needs will be met. Evaluate pilot to determine if it will be moved into full production, reworked, or rejected.

1.1 Exercise:
Define the committee’s roles & responsibilities in the IoT steering committee charter

Input: Current policies and assessment tools for security and privacy, Current IT strategy for introducing new solutions and setting standards

Output: List of roles and responsibilities, High-level discussion points

Materials: Whiteboard/flip charts, Steering committee workbook

Participants: IT executive, Privacy & Security senior staff, Infrastructure & Operations senior staff, Senior data specialist, Senior business executive(s)

1. Identify and document core and auxiliary members of the committee, ensuring all important facets of the IoT environment can be assessed.
2. Identify and document the committee chair.
3. Gain consensus on responsibilities of the steering committee.

Download the IoT Steering Committee Charter

1.2 Exercise:
Define the IoT steering committee’s vision statement and mandate

1 hour

Input: Organizational vision and IT strategy

Output: Vision statement

Materials: Whiteboard/flip charts, Steering committee workbook

Participants: Steering committee, which may include: IT executive, Privacy & Security senior staff, Infrastructure & Operations senior staff, Senior data specialist, Senior business executive(s)

1. Starting with the organizational mission statement, brainstorm areas of focus with the steering committee and narrow down the statement.
2. Make sure it’s broad enough to encompass your goals, but succinct enough to allow you to identify projects that don’t meet the vision.
3. Test with a few existing ideas.
4. Document in your steering committee charter.

Download the IoT Steering Committee Charter

Use the COPIS methodology to define your project review process

Customer Executive leadership Business leaders	Outputs Risk assessment Approvals to proceed Pilot plan Assessment to approve for production or reject	Process Review proposals Ask questions and discuss with proposer & committee Review pilot & testing plan Engage with IT Team to define requirements	Inputs Request form including: New idea Business value defined Data collected Initial risk assessment Implementation plan Definition of success	Suppliers IT operations team Device and software vendors IT leaders Risk committee
Agenda & process flow			Determine where people will access request form	Ending point

Create a committee charter to ensure roles are clarified and mandates can be met

The purpose of the committee is to quickly assess and protect organizational interests while furthering the needs of the business The committee needs to be seen as an enabler to the business, not as a gatekeeper, so it must be thorough but responsive. The charter should include: The vision to ensure clarity of purpose. IoT mandates to focus the committee on assessment criteria. Roles, responsibilities, and assignments to engage the right people who will provide the kind of guidance needed to ensure success. Procedures to make the best use of each committee member’s time. Process flow to guide evaluations to avoid unnecessary delays while reducing organizational risks.

1.3 Exercise:
Define procedures for reviewing proposals and projects

2-3 hours

Input: Schedules of committee members, Process documentation for evaluating new technology

Output: Procedures for reviewing proposals, Reference documentation for evaluating proposals

Materials: Whiteboard/flip charts, Steering committee workbook

Participants: Steering committee, which may include: IT executive, Privacy & Security senior staff, Infrastructure & Operations senior staff, Senior data specialist, Senior business executive(s)

1. Discuss as a group how often you will meet for reviews and project updates. Which roles will have veto rights on project approvals?
2. Define the intake process and requirements for scheduling based on average lead time to get the group together and preview documentation.
3. Identify where process documentation already exists to use for evaluation of proposals and projects, and what needs to be created to quickly move from evaluation to action phases.
4. Define basic rules of engagement.
5. Define process flow using COPIS methodology as a framework. Note the different stages that may be part of the intake flow. Some business partners may bring solutions to IT, and others may just have an idea that needs to be solutioned.

Download the IoT Steering Committee Charter

Create and Implement an IoT Strategy

Phase 2

Define the intake and assessment process

This phase will provide the following activities

• Define requirements for requesting new IoT solutions
• Define procedures for review proposals and projects
• Define service objectives and evaluation process for reviewing proposals and projects

Determine what information is necessary to start the intake process

2.1 Exercise:
Define requirements for requesting new IoT solutions

Input: Business requirements for requesting IT solutions

Output: Request form for business users, Section 1 of the IoT Solution Playbook

Materials: Whiteboard/flip charts, IoT Solution Playbook

Participants: Steering committee, which may include: IT executive, Privacy & Security senior staff, Infrastructure & Operations senior staff, Senior data specialist, Senior business executive(s)

1. Review template for the IoT Solution Playbook to ensure it meets your needs; modify as necessary.
2. Determine requirements for initiating an assessment.
   1. Will a business case be necessary to start, or can the assessment feed into the business case?
   2. How can you best access the work already done by the requester to not start over?
   3. Determine the right questions to understand how they will define success to ensure this solution will do what they need.
   4. Do you need a breakdown of the way they do the job today?
   5. What level of authorization needs to be on the request to move forward?
3. Try to balance the effort of the requester against their role. Don’t expect them to investigate solutions beyond the business value.
4. Provide them with a means to provide you any information they have gathered, especially if they have already spoken to vendors.

Download the IoT Solution Playbook

Define what role the BA or BRM will play to support the request process

Clearly articulate the business benefits to secure funding and resources

If the business users need to build a business case, the information being collected will help to define the value, estimate costs, and evaluate risk

IoT point solutions can be straightforward to articulate the business benefits as they will have very specific benefits which will likely fit into one of these categories: Financial – to increase profitability or reduce costs through predictive maintenance and efficiency. Business Development – innovation for new products, services, and methodologies Improve specific outcomes – typically these will be industry specific, such as improved patient health care, reduced traffic congestion or use of city resources, improved billing, or fire prevention for utility companies. As you start to look at the bigger picture of how these different systems can bring together disparate data sets, the benefits will be harder to define, and the costs to implement this next level of data analysis can be daunting and expensive. This doesn’t necessitate a complete alignment of data collection purposes; there may be benefits to improving operations in secondary areas such as updating HVAC systems to reduce energy costs in a hospital, though the updated systems may also include sensors to monitor air quality and further improve patient outcomes. In these cases, there may be future opportunities to use this data in unexpected ways, but even where there aren’t, applying the same standards for security, privacy, and operations should apply.

(Microsoft IoT Signals Report 2020, n= 3,000 IT Professionals)

2.2 Exercise – BA/BRM: Define procedures for reviewing proposals and projects

1 hour

Input: Process documentation for evaluating new technology, Business case requirements

Output: Interview questions and assessment criteria for BA/BRM

Materials: Whiteboard/flip charts, IoT Solution Playbook

Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive(s), Senior data specialist, Senior business executive(s)

1. Review template for the IoT Solution Playbook to ensure it meets your needs; modify as necessary.
2. Identify the questions that will need to be asked of the business to determine whether the request will be fit for purpose.
3. Additional questions may help to:
   1. Identify project sponsors to determine if requirements are defined or need to be, and who will champion this project through to implementation.
   2. Identify what additional work will be needed for you to shepherd the project through the various stage gates.
   3. Identify any prioritization criteria including business-specific milestones and outcomes.
4. Document when a formal business case needs to be created.

Download the IoT Solution Playbook

Assess the vendor’s solution for accessibility to ensure data will be available and useable

Determine how often you need to access and download data

Requirements will vary depending on whether sensors are collecting data for later analysis or if they are actuators that need to process data at the source.

Determine where the data will reside and how it will be structured. If it will be open and controlled within your own environment, confer with your data team to ensure the solution is integrated into your data systems. If, however, the solution is a point solution which will be hosted by the vendor, understand who will be normalizing the data and how frequently you can export or transfer it into your own data repository. If APIs will need to be installed to enable data transfer, work with the vendor to test them. Self-contained or closed solutions may be quick to install and configure and may require minimal technical support from within your own IT team, but they will not provide visibility to the inner workings of the solution. This may create issues around integration and interoperability which could limit the functionality and usability beyond the point solution. If the solution chosen is a closed system, determine how you will need to interact with the vendor to gain access to the data. Interoperability may not be an option, so work with the vendor to set up a regular cadence for accessing the data. Questions for the vendor could include: How often can we access the data? Will the vendor push it on a regular basis? Is it on demand? Or will we need to pull the data? Is there an API? Will the data be normalized? Will the data be transferred, or will the vendor keep a historical record? Are there additional fees for archiving or for data extraction?

Identify whether digital twins are needed

Create a virtual world to safely test and fail without impacting the real-world applications.

As actuators are processing information and executing actions, there may be a benefit to assess the effectiveness and impact of various scenarios in a safe environment. Digital twins enable the creation of a virtual world to test these new use cases using real world scenarios. These virtual replicas will not be necessary for every IoT application as many solutions will be very straightforward in their application. But for those complex systems, such as smart buildings, smart cities and mechanically complex projects, digital twins can be created to run multiple simulations to aid in business continuity planning, performance assessments, R&D and more. Due to the expense and complexity of creating a full digital twin, carefully weighing the benefits, and identifying how it will be used, can help to build the business case to invest in the technology. Without the skills in house, reliance on a vendor to create the model and test scenarios will likely be part of the overall solution. The assessment will also include understanding what data will be transferred into the model, how often it will be updated, how it will be protected and who will need to be involved in the modeling process. Download the blueprint: Double Your Organization’s Effectiveness With a Digital Twin. if you need more information on how to leverage digital twin technology.

To fully realize value in IoT, think beyond single use case solutions to leverage the data collected

• A single IoT solution can add hundreds of sensors, collecting a wide variety of data for specific purposes. If multiple solutions are in place, there may be divergent data sets that may never be seen by anyone other than their specific data stewards.
• Many organizations have started out with one or two solutions that support their primary business and may include some more mature offerings such as HVAC systems, which have used sensors for years. However, not all data is used today. In many cases, data is used for anomaly detection to improve operations, and only the non-standard information is used for alerting. McKinsey estimates less than 1% of data is used in these applications, with the remaining data stored or deleted, rather than used for optimization and predictive analysis.
• Thinking beyond the initial use cases, there may be opportunities to create new services, improve services for existing products, or improve insights through analysis of juxtaposed data.
• McKinsey reports up to $11.1 trillion a year in economic value may be possible by 2025 through the linking of the physical and digital worlds. Personal devices and all industries are potential growth areas – though factories and anywhere that could use predictive maintenance, cities, retail, and transportation will see the largest probable increases. Interoperability was identified as being required to maximize value, accounting for 40% to 60% of the potential value of IT applications.
• Where data is used to correct and control anomalies, very little data is retained and used for optimization or predictive analysis. By taking a deliberate approach to normalize, correlate, and analyze data, organizations can gain insight into the way their products are used, benefit from predictive maintenance, improve health care, reduce costs, and more.

By 2025 an estimated data volume of 79.4 zettabytes will be attributed to connected IoT devices. (Statistia)

Build data governance and analysis into your strategy to find new insights from correlating new and existing data

• Some industries, such as governments looking to build smart cities, will have a very broad range of opportunities for IoT devices, as well as high levels of difficulty managing very disparate systems; other industries, such as healthcare, will have very focused prospects for data collection and analysis.
• In any case, the introduction of new IoT solutions can create very large amounts of data quickly, and if used only for a single purpose, there may be lost opportunity for expanding use of data to better understand your product, customers, or environment.
• Don’t limit analysis to only IoT-collected data, as this can be consolidated with other sources for validation, enhancement, and insights. For example, fleet transponders can be connected to travel logs and dispatch records for validation and evaluation of fuel and resource consumption.
• Determine the best time and methods for consolidation and normalization; consider using data consolidation vendors if the expertise is not available in-house.
• As data combines, there may be unintended consequences of unique anonymous identifiers combining to identify employees or customers, and the potential for privacy breeches will need to be evaluated as all new systems come on-line.

“We find very little IoT data in real life flows through analytics solutions, regardless of customer size. Even in the large organizations, they tend to build at-purpose applications, rather than creating those analytical scenarios or think of consolidating the IoT data in a data lake like environment.” (Rajesh Parab, Info-Tech Research Group)

2.3 Exercise – data specialists: Define criteria for assessing proposals and projects

1-2 hours

Input: Process documentation for evaluating new technology, Data governance documents

Output: Interview questions and assessment criteria for data specialists

Materials: Whiteboard/flip charts, IoT Solution Playbook

Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

1. Review template for the IoT Solution Playbook to ensure it meets your needs; modify as necessary.
2. Identify the questions that will need to be asked of the solution to ensure data governance and accessibility needs will be met.
3. Additional questions may help to:
   1. Identify data owners or stewards to determine who will have authority over data and ensure their needs will be met.
   2. Identify what additional work will be needed for the data team to access, validate, normalize, and centralize data.
   3. Identify any concerns that will identify the solution as unviable.
   4. Identify any risks to data accessibility which will require mitigation.

This initial review is designed to identify risks to data ownership or integrity and ensure data is available for additional uses as deemed appropriate to the organizational goals. This assessment is designed to find major flaws and to mitigate and integrate should the project be approved as viable.

Download the IoT Solution Playbook

Security assessments will need to include risk reviews specific to IoT

Align risk assessments to your existing risk registry, to quickly approve low-risk solutions and mitigate high risk

Physical security: Will these systems be accessible to the public, and can they be secured in a way to minimize theft and vandalism? Will they require additional housing or waterproofing? Could access be completely secured? For example, could anyone access and install malware on a disconnected camera’s SD card?

Security settings: For ease of service and installation, a vendor may use default security settings and passwords. This can create easy access for hackers to access the network and access sensitive data. Is there a possibility of IP theft though access by sensors? Determine who will have remote access to the system, and if the vendor will be supporting the system, will they be using least privilege or zero trust models? Determine their adherence to your security policy.

Internet and network access and monitoring: Review connectivity and data transmission requirements and whether these can be accommodated in a way that balances security with operational needs. Will there be a need for air gapping, firewalls, or secure tunnelling, and will these solutions allow for discovery and monitoring? Can the vendor guarantee there are no back doors built into the code? Will the system be monitored for unauthorized access and activity, and what is the response process? Can it be integrated into your security operations center?

Failover state: IoT devices with actuators or that may impact health and safety will need to be examined. Can you ensure actions in event of a failure will not be negatively impactful? For example, a door that locks on failover and cannot be opened from the inside will create safety risks; however, a door that opens on failover could result in theft of property or IP. Who controls and can access these settings?

Firmware updates: Assess the history of updates released by the vendor and determine how these updates are sent to the devices and validated. Ensure the product has been developed using trusted platforms with security lifecycle models. Many devices will have embedded security solutions. Ensure these can be integrated into organizational security solutions and risk mitigation strategies.

Enterprise IoT strategy will require a focus on privacy and risk

Don’t make assumptions about the type of data gathered with devices – ask the vendor to clearly state how and what is collected

Carefully review how this information can be used by machine learning, in combination with other solutions, and if there is a possibility of unintended consequences that will create issues for your customers and therefore your own data sets. Look for ways of capturing information that will meet your business requirements while mitigating risk of capturing personally identifiable information. Examples would be LiDAR to capture movement instead of video, or AI to blur faces or license plate numbers at time of image capture. This chart identifies data collected by smartphone accelerometers which could be used to identify and profile an individual and understand their behaviors.

Mobile device accelerometer data Overview of sensitive inferences that can be drawn from accelerometer data. (Source: Association for Computing Machinery, 2019.)

2.4 Exercise – Privacy & Security specialists: Define criteria for assessing proposals and projects

1-2 hours

Input: Process documentation for evaluating new technology, Data governance documents

Output: Interview questions and assessment criteria for Privacy & Security specialists

Materials: Whiteboard/flip charts, IoT Solution Playbook

Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

1. Review template for the IoT Solution Playbook to ensure it meets your needs; modify as necessary.
2. Identify the questions that will need to be asked of the solution to ensure security and privacy needs will be met.
3. Additional questions may help to:
   1. Identify biggest risks created by a large influx of sensors and additional vendors.
   2. Identify options for mitigating risks for privacy and regulatory requirements.

This initial review is designed to identify risks to data ownership or integrity and ensure data is available for additional uses as deemed appropriate to the organizational goals. This assessment is designed to find major flaws and to mitigate and integrate should the project be approved as viable.

Download the IoT Solution Playbook

Review infrastructure requirements to proactively engage with vendors

Determine operational readiness to support and secure IoT solutions

Identify what needs to happen to onboard these solutions into your support portfolio

Evaluate support options to determine the best way to support the business. Even if support is completely outsourced, a support plan will be critical for holding vendors to account, bringing support in-house if support doesn’t meet your needs, and understanding dependencies while navigating through incidents and problem- and change-enablement processes. Regular maintenance for your team may include battery swaps, troubleshooting camera outages or intermittent sensors, or deploying patches. Understand the support requirements for the product lifecycle and who will be responsible for that work. If the vendor will be applying patches and upgrading firmware, get clarity on how often and how they’ll be deployed and validated. Ask the vendor about support documentation and offerings. Determine the best ways of collecting inventory on the solution. Determine what the solution offers to help with this process; however, if the project plan requires specific location details to add sensors, the project list may be the best way to initially onboard the sensors into inventory. Determine if warranty offerings are an appropriate solution for devices in each project, to schedule and record appropriate maintenance details and plan replacements as sensors reach end of life. Document dependencies for future planning.

2.5 Exercise – Infrastructure & Operations specialists: Define criteria for assessing proposals and projects

1-2 hours

Input: Process documentation for evaluating new technology, Data governance documents

Output: Interview questions and assessment criteria for Infrastructure & Operations specialists

Materials: Whiteboard/flip charts, IoT Solution Playbook

Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

1. Review template for the IoT Solution Playbook to ensure it meets your needs; modify as necessary.
2. Identify the questions that will need to be asked of the solutions to ensure the solutions can be integrated into the existing environment and operational processes.
3. Additional questions may help to:
   1. Reduce risks and project failures from solutions that will be difficult to integrate or secure.
   2. Improve project planning for projects that are often driven by the vendor and the business.
   3. Reduce operational risks due to lack of integration with asset and operational processes.

This initial review is designed to identify risks to data ownership or integrity and ensure data is available for additional uses as deemed appropriate to the organizational goals. This assessment is designed to find major flaws and to mitigate and integrate should the project be approved as viable.

Download the IoT Solution Playbook

2.6 Exercise: Define service objectives and evaluation process

1 hour

Input: List of criteria in the playbook, Understanding of resource availability of solution evaluators

Output: Steering committee criteria for progressing projects through the process

Materials: Whiteboard/flip charts, IoT Steering Committee Charter workbook

Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

Now that you’ve defined the initial review requirements, meet as a group once more to finalize the process for reviewing requests. Look for ways to speed the process, including asynchronous communications and reviews. Consider meeting as a group for any solutions that may be deemed high risk or highly complex.

1. Agree on what can be identified as a reasonable SLA to respond to the business on these requests.
2. Agree on methods of communication between committee members and the business.
3. Determine the criteria for determining when a proof of value should be initiated, and who will lead the process.

Download the IoT Steering Committee Charter

Create and Implement an IoT Strategy

Phase 3

Prepare for a Proof of Value

This phase will provide the following activities

• Create proof of value criteria
• Create proof of value template

A proof of value can quickly help you prove value or fail fast

Investing a small amount of time and money up front will validate the possibility of your proposed solution.

A proof of value will require a vision and definition of your criteria for success, which will be necessary to determine if the project should go ahead. It should take no longer than three months and may be as short as a week. When should you run a proof of value? When it is difficult to confirm that the solution is fit for purpose. When the value of the solution is indeterminate. When the solution is early in its lifecycle and not widely proven in the marketplace. When scalability is questionable or unproven. When the solution requires customization or configuration. Info-Tech Insight Where a solution is well known in the market, requires minimal customization, and is proven to be fit for purpose, a shorter evaluation or conversations with reference clients or partners may be all that is necessary.

(Microsoft IoT Signals Report 2020, n= 3,000 IT Professionals)

3.1 Exercise: Define the criteria for running a proof of value

Input: Agreement of steering committee members to create a process to mitigate risk for complex solutions.

Output: Proof of value template for use as appropriate to evaluate IoT solutions.

Materials: IoT Solution Playbook

Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

1. As a group, review the circumstances for when to run a proof of value.
2. Determine who will help to build the proof of value plan.
3. Determine requirements for participation in the proof of value process. Consider project size, complexity and risk and visibility.

Download IoT Solution Playbook

Design your proof of value to test the viability of the solution

Engage the right stakeholders early to gather feedback and analysis and determine suitability

Define your objectives for the proof of value

Referencing documents submitted to the committee, continue to refine the problem statement.

Define use cases to test against current methods

Outline the solution to the problem

Determine the appropriate project team

Estimate the resources required for the pilot

Time, money, technology, resources

Conduct a post-proof of value review to finalize the decision to move forward

• The core working group is responsible for producing a vision of the future and outlining new technology’s disruptive potential. The actual implementation of the proof of value (purchasing the hardware, negotiating the SLA with the vendor) is beyond the committee’s responsibilities.
• If the proof of value goes ahead, the facilitator should block some time to evaluate the completed project against the key performance indicators identified in the initial plan.
• Use the Proof of Value Template section of the IoT Solution Playbook to document POV requirements as well as finalizing the feedback loop.
• Determine ratings for the proof of value to identify which solutions are not viable and which levels of viability are worth moving forward. Some viable solutions may need a different vendor, and some may need customization or multiple integrations. This is important for the project team to move ahead with the implementation.
• Encourage everyone to provide enough feedback on the various processes to be confident in their declarations of worthiness and to confirm the proof of value was thorough.
• Communicate your working group’s findings and success to a wide audience to gain interest in IoT solutions as well as to encourage the business to work with the committee to integrate solutions into the governance and operational structure.

3.2 Exercise: Create a template for designing a proof of value

1-3 hours

Input: Agreement of steering committee members to create a process to mitigate risk for complex solutions

Output: Proof of value template for use as appropriate to evaluate IoT solutions

Materials: Whiteboard/flip charts, IoT Solution Playbook

Participants: Steering committee, which may include: Business analyst or business relationship manager, IT executive, Senior data specialist, Senior business executive(s), Privacy & Security senior staff, Infrastructure & Operations senior staff

1. As a group, review the Proof of Value Template section of the IoT Solution Playbook to determine if it will meet the needs of your business and technical groups.
2. Determine who will work with the business to create the proof of value plan.
3. Modify the template to suit your needs, keeping in mind a need for clarity of purpose, communications throughout the POV, and clearly stated goals and definitions of success.
4. Set a target timeframe to run the POV, preferably no longer than 90 days.
5. Determine appropriate steps to take for POVs that do not garner the expected participation to qualify a solution to move forward.
6. Determine appropriate reporting for the evaluation process.

Download IoT Solution Playbook

Communications

As with any new product, marketing and communications will be an important first step in letting the business know how to engage IT in its assessments of IoT innovations. As these solutions prove themselves, or even as you help the business to find better solutions, share your successes with the rest of the organization.

Business units are already being courted by the vendors, so it’s up to IT to insert themselves in the process in a way that helps improve the success of the business team while still meeting IT’s objectives.

Your customers will not willingly engage in highly bureaucratic processes and need to see a reason to engage.

1. Keep the intake process simple.
2. Provide support to answer the tough questions.
3. Be clear on the benefits to the organization and the business unit by engaging with your group, and be clear about how you will help within a reasonable time frame.
   • IT will help navigate the vendor prerequisites, contracts, and product setup.
   • IT will assume some of the responsibility for the solution, especially around security and privacy.
   • The business unit will reap the rewards of the solution with minimal operational effort.

Info-Tech Insight

Consider building your playbook into your service catalog to make it easy for business users to start the request process. From there, you can create workflows and notifications, track progress, set and meet SLAs, and enable efficient asynchronous communications.

Research Contributors and Experts

	John Burwash Senior Director, Executive Services Info-Tech Research Group			INFO~TECH RESEARCH GROUP Info-Tech Research Group is an IT research and advisory firm with over 23 years of experience helping enterprises around the world with managing and improving core IT processes. They write highly relevant and unbiased research to help leaders make strategic, timely, and well-informed decisions. External contributors 4 external contributors have asked to remain anonymous.
	Jennifer Jones Senior Research Advisor, Industry Info-Tech Research Group		Aaron Shum Vice President, Security, Privacy & Risk Info-Tech Research Group
	Rajesh Parab Research Director, Applications, Data & Analytics Info-Tech Research Group		Frank Sargent Senior Director Practice Lead, Security, Privacy & Risk Info-Tech Research Group
	Scott Young Principal Research Advisor, Infrastructure Info-Tech Research Group		Rocco Rao Director, Research Advisor, Industry Info-Tech Research Group

Related Info-Tech Research

Understand and apply Internet-of-Things Use Cases to Drive Organizational Success A concise guide to understanding how IoT applications will create value in your firm.

Industry Coverage

Bibliography

Ayyaswamy, Regu, et al. “IoT Is Enabling Enterprise Strategies for New Beginnings.” Tata Consulting Services, 2020. Web.

“Data Volume of Internet of Things (IoT) Connections Worldwide in 2019 and 2025.” Statistia, 2020.

Dos Santos, Daniel, et al. “Cybersecurity in Building Automation Systems (BAS).” Forescout, 2020. Web.

Earle, Nick. “Overcoming the Barriers to Global IoT Connectivity: How Regional Operators Can Reap Rewards From IoT.” IoTNow, 30 June 2021. Web.

Faludi, Rob. “How Do IoT Devices Communicate?” Digi, 26 Mar. 2021. Web.

Halper, Fern, and Philip Russom. “TDWI IoT Data Readiness Guide, Interpreting Your Assessment Score.” Cloudera, 2018. Web.

Horwitz, Lauren. “IoT Enterprise Deployments Continue Apace, Despite COVID-19.” IoT World Today, 22 Apr. 2021.

“How Does IoT Data Collection Work?” Digiteum, 13 Feb. 2020. Web.

“IoT Data: How to Collect, Process, and Analyze Them.” Spiceworks, 26 Mar. 2019. Web.

IoT Signals Report: Edition 2, Hypothesis Group for Microsoft, Oct. 2020. Web.

King, Stacey. “4 Key Considerations for Consistent IoT Manageability and Security.” Forescout, 22 Aug. 2019. Web.

Krämer, Jurgen. “Why IoT Projects Fail and How to Beat the Odds.” Software AG, 2020. Web.

Kröger, Jacob Leon, et al. “Privacy Implications of Accelerometer Data: A Review of Possible Inferences” ICCSP, Jan. 2019, pp. 81-7. Web.

Manyika, James, et al. “Unlocking the Potential of the Internet of Things.” McKinsey Global Institute, 1 June 2015. Web.

Ricco, Emily. “How To Run a Successful Proof of Concept – Lessons From Hubspot.” Filtered. Web.

Rodela, Jimmy. “The Blueprint, Your Complete Guide to Proof of Concept.” Motley Fool, 2 Jan 2021. Web.

Sánchez, Julia, et al. “An Integral Pedagogical Strategy for Teaching and Learning IoT Cybersecurity.” Sensors, vol. 20, no. 14, July 2020, p. 3970.

The IoT Generation of Vulnerabilities. SC Media, 2020. E-book.

Woods, James P., Jr. “How Consumer IoT Devices Can Break Your Security.” HPE, 2 Nov. 2021.

Build Better Workflows

Go beyond draft one to refine and pressure test your process.

Analyst Perspective

Remove friction as you document workflows

Emily Sugerman Research Analyst, Infrastructure & Operations Info-Tech Research Group

You can’t mature processes without also documenting them. Process documentation is most effective when workflows are both written out and also visualized in the form of flow charts. Your workflows may appear in standard operating procedures, in business continuity and disaster recovery plans, or anywhere else a process’ steps need to be made explicit. Often, just getting something down on paper is a win. However, the best workflows usually do not emerge fully-formed out of a first draft. Your workflow documentation must achieve two things: Be an accurate representation of how you currently operate or how you will operate in the near future as a target state. Be the output of a series of refinements and improvements as the workflow is reviewed and iterated. This research will use the example of improving an onboarding workflow. Ask the right questions and pressure test the workflow so the documentation is as helpful as possible to all who consult it.

Executive Summary

Info-Tech Insight

Don’t just document – target your future state as you document your workflows. Find opportunities for automation, pinpoint key handoff points, and turn cold handoffs into warm handoffs.

Follow these steps to build, analyze, and improve the workflow

Insight Summary

Keep future state in mind.
Don’t just document – target your future state as you document your workflows. Find opportunities for automation, pinpoint key handoff points, and turn cold handoffs into warm handoffs.

Promote the benefits of documenting workflows as flowcharts.
Foreground to the IT team how this will improve customer experience. End-users will benefit from more efficient workflows.

Remember the principle of constructive criticism.
Don’t be afraid to critique the workflow but remember this can be a team-building experience. Focus on how these changes will be mutually beneficial, not assigning blame for workflow friction.

Don’t waste time building shelfware.
Establish a review cadence to ensure the flowchart is a living document that people actually use.

Benefits of building better workflows

Why are visualized workflows useful?

Use these talking points to build commitment toward documenting/updating processes.

Risk reduction
“Our outdated documentation is a risk, as people will assume the documented process is accurate.”

Transparency
“The activity of mapping our processes will bring transparency to everyone involved.”

Accountability
“Flow charts will help us clarify task ownership at a glance.”

Accessibility
“Some team members prefer diagrams over written steps, so we should provide both.”

Knowledge centralization
“Our flow charts will include links to other supporting documentation (checklists, vendor documentation, other flowcharts).”

Role clarification
“Separating steps into swim lanes can clarify different tiers, process stages, and ownership, while breaking down silos.”

Communication
To leadership/upper management: “This process flow chart quickly depicts the big picture.”

Knowledge transfer
“Flow charts will help bring new staff up to speed more quickly.”

Consistency
“Documenting a process standardizes it and enables everyone to do it in the same way.”

Review what process mapping is

A pictorial representation of a process that is used to achieve transparency.

This research will use one specific example of an onboarding process workflow. Before drilling down into onboarding workflows specifically, review Info-Tech’s Process Mapping Guide for general guidance on what to do before you begin:

• Know the purpose of process mapping.
• Articulate the benefits of process mapping.
• Recognize the risks of not process mapping.
• Understand the different levels of processes.
• Adopt BPMN 2.0 as a standard.
• Consider tools for process mapping.
• Select a process to map.
• Learn methods to gather information.

Download the Process Mapping Guide

Select the workflow your team will focus upon

Good candidates include:

• Processes you don’t have documented and need to build from scratch.
• An existing process that results in an output your users are currently dissatisfied with (if you run an annual IT satisfaction survey, use this data to find this information).
• An existing process that is overly manual, lacks automation, and causes work slowdown for your staff.

Info-Tech workflow examples

Active Directory Processes

Application Development Process

Application Maintenance Process

Backup Process

Benefits Legitimacy Workflow

Business Continuity Plan Business Process

Business Continuity Plan Recovery Process

Commitment Purchasing Workflow

Coordinated Vulnerability Disclosure Process

Crisis Management Process

Data Protection Recovery Workflow

Disaster Recovery Process

Disaster Recovery Plan/Business Continuity Plan Review Workflow

End-User Device Management Workflow Library

Expense Process

Event Management Process

Incident Management and Service Desk Workflows

MACD Workflow Mapping

Problem Management Process

Project Management Process

Ransomware Response Process

Sales Process for New Clients

Security Policy Exception Process

Self-Service Resolution Process

Service Definition Process

Service Desk Ticket Intake by Channel

Software Asset Management Processes

Target State Maintenance Workflow

Example: Onboarding workflow

Onboarding is a perennial challenge due to the large number of separate teams and departments who are implicated in the process.

There can be resistance to alignment. As a result, everyone needs to be pulled in to see the big picture and the impact of an overly manual and disconnected process.

Additionally, the quality of the overall onboarding process (of which IT is but one part) has a significant impact on the employee experience of new hires, and the long-term experience of those employees. This workflow is therefore often a good one to target for improvement.

“Organizations with a standardized onboarding process experience 62% greater new hire productivity, along with 50% greater new hire retention.”1

“Companies that focus on onboarding retain 50% more new employees than companies that don’t.”2

1. Carucci, “To Retain New Hires, Spend More Time Onboarding Them,” 2018

2. Uzialko, “What Does Poor Onboarding, 2023

Tabletop exercise: Generate first draft

In the tabletop exercise, your team will walk through your onboarding process step by step and document what happens at each stage. Prep for this meeting with the following steps:

1. Identify roles: facilitator, notetaker, and participants. Determine who should be involved in the working group in addition to IT (HR, Hiring Team, Facilities, etc.).
2. Decide what method of documentation you will use in the meeting. If meeting in person, cue cards are useful because they can be easily rearranged or inserted. If meeting remotely, the notetaker or facilitator will need to share their screen and capture each step with software (such as Visio, PowerPoint, or a whiteboarding software).
3. Before you even begin mapping out the process, conduct a quick brainstorming session. What are your current challenges with it? What is working? Document on a whiteboard (electronic or hard copy).
4. Document each step of the process as it currently happens. You will improve it later. Include task ownership.

Roles

Facilitator
Tasks:

• Guide discussion – restate contributors’ ideas, ask probing questions.
• Keep group on track – cut off or redirect conversation when off track.

Notetaker
Tasks:

• Ensure the steps are documented via the agreed-upon tools (e.g. cue cards). If the process is being documented in software, the notetaker may be solely responsible for documentation.
• The notetaker may be the same person as the facilitator.

Document your workflow challenges: Onboarding

Brainstorm and document. Group similar challenges together to pull out themes.

Establish flowcharting standards

If you don’t have existing flowchart standards, use the basic notation conventions used in the examples here.

Start, End, and Connector. Traditional flowcharting standards reserve this shape for connectors to other flowcharts or other points in the existing flowchart. Unified modeling language (UML) also uses the circle for start and end points. Start, End. Traditional flowcharting standards use this for start and end. However, Info-Tech recommends using the circle shape to reduce the number of shapes and avoid confusion with other similar shapes. Process Step. Individual process steps or activities (e.g. create ticket or escalate ticket). If it’s a series of steps, then use the sub-process symbol and flowchart the sub-process separately. Sub-Process. A series of steps. For example, a critical incident standard operating procedure (SOP) might reference a recovery process as one of the possible actions. Marking it as a sub-process, rather than listing each step within the critical incident SOP, streamlines the flowchart and avoids overlap with other flowcharts (e.g. the recovery process). Decision. Represents decision points, typically with yes/no branches, but you could have other branches depending on the question (e.g. a “Priority” question could branch into separate streams for Priority 1, 2, 3, 4, and 5 issues). Document/Report Output. For example, the output from a backup process might include an error log.

Map the current process

Prompt the working group with the following questions.

• What happens when the ticket comes in? Who submits it? Where is it coming from? What are the trigger events? Are there any input channels we should eliminate?
• What is the terminal event? Where does the workflow end?
• Do we have a triage step?
• Is the ticket prioritized? Does this need to be a step?
• Do we create child tickets? Separate tasks for different teams? Do we create a primary/main ticket and sub-tickets? How should we represent this in the flowchart?
• How should we represent escalations? How should we represent task ownership by different teams?
• What are our decision points: points when the path can potentially branch (e.g. into yes/no branches)?

Map the process: First pass

Tabletop exercise: Revise workflow

Time to review and revise the workflow. What gaps exist? How can you improve the process? What documentation gaps have been overlooked?

Consider the following refinements for the onboarding workflow:

• Identify missing steps
• Clearly identify task ownership
• Establish SLAs and timepoints
• Capture/implement user feedback
• Identify approval roadblocks
• Identify communication points
• Identify opportunities for automation
• Create personas
• Create onboarding checklist

Roles

Facilitator
Tasks:

• Guide discussion – restate contributors’ ideas, ask probing questions.
• Keep group on track – cut off or redirect conversation when off track.

Notetaker
Tasks:

• Ensure the steps are documented via the agreed-upon tools (e.g. cue cards). If the process is being documented in software, the notetaker may be solely responsible for documentation.
• The notetaker may be the same person as the facilitator, but this takes some practice.

Map the process: Critique draft

Solicit feedback from the group.

"

• Our workflow is slowed down by hidden approvals that we haven’t mapped.
• We have no efficient way to prevent submission of incomplete requests.
• Our workflow doesn’t clearly show how different tasks are assigned to different teams.
• We still don’t know how long this all takes.
• We’re missing some tasks – what about including facilities?
• We’re missing next steps for some of the decision points.

Review: Identify missing steps

Consider the following refinements.

Be complete.

The workflow should surface tacit knowledge, so make it explicit (Haddadpoor et al.):

• Where are the inputs coming from? Do you need to account for various input channels? Have you forgotten any?
• Are there any input channels that you want to eliminate?
• Have you overlooked any hardware, software, or services entitlements that should be called out?
• Have all decision paths been worked through? Do you need to add any missing decision points?
• Add information flows and annotations as needed.

Review: Task ownership

Identify task ownership.

The flow chart will be more useful if it clearly identifies who does what in the process.

• Consider organizing the sub-processes within the overall onboarding process into swim lanes, one for each team or group involved in the process.
• Swim lanes help clarify who does what in the overall process (e.g. all the tasks completed by HR appear in the HR swim lane, all the tasks completed by service desk appear in the service desk swim lane).
• They can also help draw attention to escalation points or handoff points between different teams. Assess the steps around the boundary of each swim lane. Does the working group experience/know of friction at these handoff points? What might solve it?
• In what order should the tasks occur? What dependencies do they have?

“Each task has an owner, and the task list is visible to the employee and other stakeholders, so there's visibility about whether each person has done their actions.”

Matthew Stibbe, qtd. in Zapier, 2022

Review: The time the workflow takes

For onboarding, this means setting SLOs/SLAs and internal timepoints.

Add internal timepoints for the major steps/tasks in the workflow. Begin to track these service level objectives and adjust as necessary.

• Review old onboarding tickets and track how long each main step/task takes (or should take). Every additional approval risks adding days.
• Consider where there are opportunities to increase automation or use templates to save time.
• Zero in on which task within the onboarding workflow is slowing down the process.
• Create an overall service level objective that communicates how many days the onboarding workflow is expected to take. Decide where escalations go when the SLA is breached.

When you have validated the service level objectives are accurate and you can meet them an acceptable amount of time, communicate the overall SLA to your users. This will ensure they submit future onboarding requests to your team with enough lead time to fulfill the request. Try to place the SLA directly in the service catalog.

“Tracking the time within the workflow can be a powerful way to show the working group why there is user dissatisfaction.”

Sandi Conrad, Principal Advisory Director, Info-Tech Research Group

Review: Capture user feedback

For onboarding, this means implementing a transactional survey.

The onboarding workflow will be subject to periodic reviews and continual improvement. Suggestions for improvement should come not only from the internal IT team, but also the users themselves.

• Transactional surveys, launched at the close of a ticket, allow the ticket submitter to provide feedback on their customer service experience.
• Onboarding tickets are somewhat more complex than the average incident or service request, since the ticket is often opened by one user (e.g. in HR) on behalf of another (the new employee).
• Decide whose experience you want feedback on – the submitter of the request or the new user. Investigate your ITSM tool’s capabilities: is it possible to direct the survey to someone who is not the ticket submitter?

Use Info-Tech’s Take Action on Service Desk Customer Feedback for more guidance on creating these surveys.

Review: Identify approval roadblocks

For onboarding, approvals can be the main roadblock to fulfilling requests

• How are the requests coming in? Do we have a predefined service catalog?
• What kinds of approvals do we receive (manager, financial, legal, security, regulatory)? Ask the team to think about where there are instances of back and forth and clean that up.
• Identify where approvals interrupt the technical flow.
  • Confirm that these approvals are indeed necessary (e.g. are certain approval requests ever declined? If not, follow up on whether they are necessary or whether some can be made into preapprovals).
  • Avoid putting agents in charge of waiting on or following up about approvals.
  • Investigate whether interruptive approvals can be moved.

Review: Identify communication points

A positive onboarding experience is an important part of a new employee’s success.

Though IT is only one part of an employee’s onboarding experience, it’s an important part. Delays for hardware procurement and a lack of communication can lead to employee disengagement. Ask the team:

• Are we communicating with our users when delays occur? When do delays occur most often?
• How can we mitigate delays? Though we can’t resolve larger supply chain problems, can we increase stock in the meantime?
• Can we start tracking delays to incorporate into the SLA
• Do we offer loaner devices in the meantime?

Place communication bullet points in the flow chart to indicate where the team will reach out to users to update or notify them of delays.

Review: Identify opportunities for automation

Where can we automate for onboarding?

Identify when the process is dragged out due to waiting times (e.g. times when the technician can’t address the ticket right away).

• Analyze the workflow to identify which tasks tend to stagnate because technician is busy elsewhere. Are these candidates for automation?
• Is our ITSM tool capable of setting up automatically routed child tickets triggered by the main onboarding ticket? Does it generate a series of tasks? Is it a manual process? Which teams do these tasks/tickets go to?
• Can we automate notifications if devices are delayed?
• Can we use mobile device management for automated software installation?
• If we have a robust service catalog, can we provide it to the users to download what they need? Or is this too many extra steps for our users?
• Can we create personas to speed up onboarding?

Avoid reinforcing manual processes, which make it even harder for departmental silos to work together.

Review: Automation example – create personas

Create role-based templates.

Does HR know which applications our users need? Are they deferring to the manager, who then asks IT to simply duplicate an existing user?

Personas are asset profiles that apply to multiple users (e.g. in a department) and that can be easily duplicated for new hires. You might create three persona groups in a department, with variations within each subgroup or title. To do this, you need accurate information upfront.

Then, if you’re doing zero touch deployment, you can automate software to automatically load.

Many HRIS systems have the ability to create a persona, and also to add users to the AD, email, and distribution groups without IT getting involved. This can alleviate work from the sysadmin. Does our HRIS do this?

• Review old onboarding tickets. Do they include manual steps like setting up mailboxes, creating user accounts, adding to groups?
• Investigate your ITSM tool’s onboarding template. Does it allow you to create a form through which to create dynamic required fields?
• Identify the key information service desk needs from the department supervisor, or equivalent role, to begin the onboarding request – employee type, access level, hardware and software entitlements, etc.

Revised workflow

How does the group feel about the revised workflow?

• Are any outputs still missing?
• Can we add any more annotations to provide more context to someone reading this for the first time?
• Do the task names follow a “verb-noun” format?
• Are the handoffs clear?
• Are some of the steps overly detailed compared to others?
• Does it help resolve the challenges we listed?
• Does it achieve the benefits we want to achieve?

Download the Workflow Activity: Onboarding Example

Remember the principle of constructive criticism.

Don’t be afraid to critique the workflow but remember this can also be a team-building experience. Focus on how these changes will be mutually beneficial, not assigning blame for workflow friction.

Post-review: Revised workflow

Final check

• Do we need to run this by Legal?
• Have we included too many sub-processes? Not enough?
• Is the flowchart easy to read and follow?

Decide how often this workflow will be revised.

• Is this workflow part of a larger piece of documentation that has a set review cadence? Where is it stored?
• If not, what is a realistic time frame for regular review?
• Who will own this process in an ongoing way and be in charge of convening a future review working group?

Validation with stakeholders

• What documentation does the flowchart belong to? When will you review it again?
• Who do you need to validate the flowchart with?

Share the flowchart and set up a review meeting.

• Walk through the workflow with stakeholders who did not participate in building it.
• Do they find it easy to follow?
• Can they identify missing steps?

Don’t waste time building shelfware.

Establish a review cadence to ensure the flowchart is a living document that people actually use.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Bibliography

Bushkill, Claire. “The top 5 ways to automate your onboarding checklist.” Rippling Blog. 18 Mar 2022. Accessed 29 Nov 2022. Ha https://www.rippling.com/blog/the-top-5-ways-to-automate-your-onboarding-checklist
Carucci, Ron. “To Retain New Hires, Spend More Time Onboarding Them.” Harvard Business Review, 3 Dec 2018
Haddadpoor, Asefeh, et al. “Process Documentation: A Model for Knowledge Management in Organizations.” Materia Socio-Medica, vol. 27, no. 5, Oct. 2015, pp. 347–50. PubMed Central, https://doi.org/10.5455/msm.2015.27.347-350.
King, Melissa. “New hire checklist: An employee onboarding checklist template for 2022.” Zapier. 14 Jul 2022. Accessed 29 Nov 2022. https://zapier.com/blog/onboarding-checklist/
Uzialko, Adam. “What Does Poor Onboarding Really Do to Your Team?” Business News Daily. 23 Jan 2023.
https://www.manageengine.com/products/service-desk...

Contributors

Sandi Conrad, Principal Advisory Director, Infrastructure and Operations, Info-Tech Research Group

Christine Coz, Executive Counselor, Info-Tech Research Group

Allison Kinnaird, Practice Lead, Infrastructure and Operations, Info-Tech Research Group

Natalie Sansone, Research Director, Infrastructure and Operations, Info-Tech Research Group

Build a Continual Improvement Program

Don’t stop with process standardization; plan to continually improve and help those improvements stick.

Analyst Perspective

Go beyond standardizing basics

IT managers often learn how to standardize IT services. Where they usually fail is in keeping these improvements sustainable. It’s one thing to build a quality process, but it’s another challenge entirely to keep momentum and know what to do next.

To fill the gap, build a continual improvement plan to continuously increase value for stakeholders. This plan will help connect services, products, and practices with changing business needs.

Without a continual improvement plan, managers may find themselves lost and wonder what’s next. This will lead to misalignment between ongoing and increasingly high stakeholder expectations and your ability to fulfill these requirements.

Build a continual improvement program to engage executives, leaders, and subject matter experts (SMEs) to go beyond break fixes, enable proactive enhancements, and sustain process changes.

Mahmoud Ramin, Ph.D. Senior Research Analyst Infrastructure and Operations Info-Tech Research Group

Executive Summary

Info-Tech Insight

Without continual improvement, any process maturity achieved around service quality will not be sustained. Organizations need to put in place an ongoing program to maintain their current maturity and continue to grow and improve by identifying new services and enhancing existing processes.

Benefits of embedding a cross-organizational continual improvement approach

Encourage end users to provide feedback on service quality.

Provide an opportunity to stakeholders to define requirements and raise their concerns.

Embed continual improvement in all service delivery procedures.

Turn failures into improvement opportunities rather than contributing to a blame culture.

Improve practice effectiveness that enhances IT efficiency.

Improve end-user satisfaction that positively impacts brand reputation.

Improve operational costs while maintaining a high level of satisfaction.

Help the business become more proactive by identifying and improving services.

Info-Tech Insight

It’s the responsibility of the organization’s leaders to develop and promote a continual improvement culture. Work with the business unit leads and communicate the benefits of continual improvement to get their buy-in for the practice and achieve the long-term impact.

Build a feedback program to get input into where improvement initiatives are needed

A well-maintained continual improvement process creates a proper feedback mechanism for the following stakeholder groups: Users Suppliers Service delivery team members Service owners Sponsors

An efficient feedback mechanism should be constructed around the following initiatives:

Stakeholders who participate in feedback activities should feel comfortable providing suggestions for improvement. Work closely with the service desk team to build communication channels to conduct surveys. Avoid formal bureaucratic communications and enforce openness in communicating the value of feedback the stakeholders can provide.

Info-Tech Insight

When conducting feedback activities with users, keep surveys anonymous and ensure users’ information is kept confidential. Make sure everyone else is comfortable providing feedback in a constructive way so that you can seek clarification and create a feedback loop.

Implement an iterative continual improvement model and ensure that your services align with your organizational vision

Build a six-step process for your continual improvement plan. Make it a loop, in which each step becomes an input for the next step.

1. Determine your goals

A vision statement communicates your desired future state of the IT organization.

Understand the high-level business objectives to set the vision for continual improvement in a way that will align IT strategies with business strategies. Obtaining a clear picture of your organization’s goals and overall corporate strategy is one of the crucial first steps to continual improvement and will set the stage for the metrics you select. Document your continual improvement program goals and objectives. Knowing what your business is doing and understanding the impact of IT on the business will help you ensure that any metrics you collect will be business focused. Understanding the long-term vision of the business and its appetite for commitment and sponsorship will also inform your IT strategy and continual improvement goals.

Assess the future state

At this stage, you need to visualize improvement, considering your critical success factors.

Critical success factors (CSFs) are higher-level goals or requirements for success, such as improving end-user satisfaction. They’re factors that must be met in order to reach your IT and business strategic vision.

Select key performance indicators (KPIs) that will identify useful information for the initiative: Define KPIs for each CSF. These will usually involve a trend, as an increase or decrease in something. If KPIs already exist for your IT processes, re-evaluate them to assess their relevance to current strategy and redefine if necessary. Selected KPIs should provide a full picture of the health of targeted practice.

KPIs should cover these four vectors of practice performance:

Quantity How many continual improvement initiatives are in progress Quality How well you implemented improvements Timeliness How long it took to get continual improvement initiatives done Compliance How well processes and controls are being executed, such as system availability

Examples of key CSFs and KPIs for continual improvement

Prepare a vision statement to communicate the improvement strategy

IT implications are derived from the business context and inform goals by aligning the IT goals with the business context. Business context encompasses an understanding of the factors impacting the business from various perspectives, how the business makes decisions, and what it is trying to achieve. IT goals are high-level, specific objectives that the IT organization needs to achieve to reach the target state. IT goals begin a process of framing what IT as an organization needs to be able to do in the target state. IT goals will help identify the target state, IT capabilities, and the initiatives that will need to be implemented to enable those capabilities. The vision statement is expressed in the present tense. It seeks to articulate the desired role of IT and how IT will be perceived.

Strong IT vision statements have the following characteristics: Describe a desired future Focus on ends, not means Communicate promise Work as an elevator pitch: Concise; no unnecessary words Compelling Achievable Inspirational Memorable

2. Define the process team

The structure of each continual improvement team depends on resource availability and competency levels.

Enable the continual improvement program by clarifying responsibilities

Determine roles and responsibilities to ensure accountability

The continual improvement activities will only be successful if specific roles and responsibilities are clearly identified.

3. Determine improvement initiatives

Businesses usually make the mistake of focusing too much on making existing processes better while missing gaps in their practices.

Gather stakeholder feedback to help you evaluate the maturity levels of IT practices You need to understand the current state of service operations to understand how you can provide value through continual improvement. Give everyone an opportunity to provide feedback on IT services. Use Info-Tech’s End User Satisfaction Survey to define the state of your core IT services. Info-Tech Insight Become proactive to improve satisfaction. Continual improvement is not only about identifying pain points and improving them. It enables you to proactively identify initiatives for further service improvement using both practice functionality and technology enablement.

Understand the current state of your IT practices Determine the maturity level of your IT areas to help you understand which processes need improvement. Involve the practice team in maturity assessment activities to get ideas and input from them. This will also help you get their buy-in and engagement for improvement. Leverage performance metrics to analyze performance level. Metrics play a key role in understanding what needs improvement. After you implement metrics, have an impact report regularly generated to monitor them. Use problem management to identify root causes for the identified gaps. Potential sources of problems can be: Recurring issues that may be an indicator of an underlying problem. Business processes or service issues that are not IT related, such as inefficient business process or service design issues.

Establish an improvement roadmap and execute initiatives

Activity: Use the Continual Improvement Register template to brainstorm responsibilities, generate improvement initiatives, and action plan

Download the Continual Improvement Register template

Activity: Use the Continual Improvement Register template to brainstorm responsibilities, generate improvement initiatives, and action plan

Identify “quick wins” that can provide immediate improvement

Prioritize these quick wins to immediately demonstrate the success of the continual service improvement effort to the business.

Activity: Prioritize improvement initiatives

2-3 hours

Input: List of initiatives for continual improvement

Output: Prioritized list of initiatives

Materials: Continual improvement register, Whiteboard/flip charts, Markers, Laptops

Participants: CIO, IT managers, Project managers, Continual improvement manager

1. In the CI Register tab of the Continual Improvement Register template, define the status, priority, effort/cost, and timeline according to the definition of each in the data entry tab.
2. Review improvement initiatives from the previous activity.
3. Record the CI coordinator, business owner, and IT owner for each initiative.
4. Fill out submission date to track when the initiative was added to the register.
5. According to the updated items, you will get a dashboard of items based on their categories, effort, priority, status, and timeline. You will also get a visibility into the total number of improvement initiatives.
6. Focus on the short-term initiatives that are higher priority and require less effort.
7. Refer to the Continual Improvement Workflow template and update the steps.

Download the Continual Improvement Register template

Download the Continual Improvement Workflow template

5. Execute improvement

Develop a plan for improvement

Make a business case for your action plan	Determine budget for implementing the improvement and move to execution.	Find out how long it takes to build the improvement in the practice.	Confirm the resources and skill sets you require for the improvement.	Communicate the improvement plan across the business for better visibility and for seamless organizational change management, if needed.	Lean into incremental improvements to ensure practice quality is sustained, not temporary.	Put in place an ongoing process to audit, enhance, and sustain the performance of the target practice.

Create a specific action plan to guide your improvement activities

As part of the continual improvement plan, identify specific actions to be completed, along with ownership for each action.

Info-Tech Insight

Every organization is unique in terms of its services, processes, strengths, weaknesses, and needs, as well as the expectations of its end users. There is no single action plan that will work for everyone. The improvement plan will vary from organization to organization, but the key elements of the plan (i.e. specific priorities, timelines, targets, and responsibilities) should always be in place.

Build a communication plan to ensure the implementation of continual improvement stakeholder buy-in

1. Throughout the improvement process, share information about both the status of the project and the impact of the improvement initiatives. Encourage a collaborative environment across all members of the practice team. Motivate every individual to continue moving upward and taking ownership over their roles. Communication among team members ensures that everyone is on the same page working together toward a common goal. The most important thing is to get the support of your team. Unless you have their support, you won’t be able to deliver any of the solutions you draw up.

2. The end users should be kept in the loop so they can feel that their contribution is valued. When improvements happen and only a small group of people are involved in the results and action plan, misconceptions will arise. If communication is lacking, end users will provide less feedback on the practice improvements. For end users to feel their concerns are being considered, you must communicate the findings in a way that conveys the impact of their contribution. Info-Tech Insight To be effective, continual improvement requires open and honest feedback from IT staff. Debriefings work well for capturing information about lessons learned. Break down the debriefings into smaller, individual activities completed within each phase of the project to better capture the large amount of data and lessons learned within that phase.

Measure the success of your improvement program

Continual improvement is everybody’s job within the organization.

How did we make improvements with our partners and suppliers? –› Look into your contracts and measure the SLAs and commitments. How could improvement initiatives impact the organization? –› Involve everybody to provide feedback. Rerun the end-user satisfaction survey and compare with the baseline that you obtained before improvement implementation. How does the improvement team feel about the whole process? –› What were the lessons learned, and can the team apply the lessons in the next improvement initiatives? How did the leaders manage and lead improvements? –› Were they able to provide proper vision to guide the improvement team through the process?

Measure changes in selected metrics to evaluate success

Measuring and reporting are key components in the improvement process.

Adjust improvement priority based on updated objectives. Justify the reason. Refer to your CIR to document it.

6. Establish a learning culture and apply it to other practices

Reflect on lessons learned to drive change forward

What did you learn? Ultimately, continual improvement is an ongoing educational program. By teaching your team how to learn better and identify sources of new knowledge that can be applied going forward, you maximize the efficacy of your team and improvement plan effort.

What obstacles prevented you from reaching your target condition? If you did not reach your target goals, reflect as a team on what obstacles prevented you from reaching that target. Focus on the obstacles that are preventing your team from reaching the target state. As obstacles are removed, new ones will appear, and old ones will disappear.

Compare expectations versus reality

Compare the EC (expected change) to the AC (actual change) Evaluate the differences: how large is the difference from what you expected? Things are on track and the issue could have simply been an issue with timing of the improvement. More reflection is needed. Perhaps it is a gap in understanding the goal or a poor execution of the action plan.

Info-Tech Insight Regardless of the cause, large differences between the EC and the AC provide great learning opportunities about how to approach change in the future.

Related Info-Tech Research

	Build a Business-Aligned IT Strategy Success depends on IT initiatives clearly aligned to business goals, IT excellence, and driving technology innovation.
	Develop Meaningful Service Metrics Reinforce service orientation in your IT organization by ensuring your IT metrics generate value-driven resource behavior.
	Improve Incident and Problem Management Rise above firefighter mode with structured incident management to enable effective problem management.

Works Cited

“Continual Improvement ITIL4 Practice Guide.” AXELOS, 2020. Accessed August 2022.

“5 Tips for Adopting ITIL 4’s Continual Improvement Management Practice.” SysAid, 2021. Accessed August 2022.

Jacob Gillingham. “ITIL Continual Service Improvement And 7-Step Improvement Process” Invensis Global Learning Services, 2022. Accessed August 2022.