The Australian National Audit Office (ANAO), like its counterparts in New Zealand and elsewhere, is set up to run the rule over other government agencies' processes, including their ICT.
As such, the department's computing is in the proverbial "glasshouse", says CIO Gary Pettigrove. "If we cast aspersions on other departments' IT delivery, security controls and risk. They're going to come back and say 'what are you doing in your IT'?"
Pettigrove recalls that when he joined ANAO in 2005, the picture was not encouraging. "I thought: it will be best practice; I'll be able to enjoy my time ticking it along. I didn't realise they wanted to change their IT programme and I had a reputation as a change management agent.
"There were no enterprise applications, 550 computers for about 320 staff, no management; all the [separate business units'] services did their own thing."
There were multiple desktop and laptop images and "more than 2000 Lotus Notes databases in the place that nobody managed or controlled". As well, there was no designated refresh cycle for the ICT infrastructure.
Pettigrove drew up a three-year strategic plan, beginning with an immediate upgrade. "I refreshed the network infrastructure, looked at server hardware, and looked at virtualisation then business applications," says Pettigrove at a recent CIO Insights Luncheon.
However, the organisation really needed to examine its processes. To subject these to a rigorous scrutiny and reorganisation, he had the ANAO ICT department adopt ITIL, with the aid of existing major supplier Unisys.
Pettigrove's presentation was a practical counterpoint to principles set out at the same event by Unisys NZ CEO Brett Hodgson (See sidebar on 'Pathways to a single source of truth').
A useful matrix
Pettigrove is qualified as an ITIL master and had implemented ITIL productively at other departments, such as the Australian Trade Commission. "I can't help but recommend it to you," he tells the audience. "I put all my staff through ITIL courses at Austrade and even paid for my Unisys staff to be trained."
The Audit Office has a number of ICT vendors providing parts of the system, so a key part of the improved processes is a joint responsibility matrix (JRM).
Brett Hodgson of Unisys had previously explained the idea in his presentation: By breaking services down to individual delivery tasks, a matrix is created that shows at a glance which provider is responsible for which task and the hand-off points between providers. Sharing this matrix with all providers helps give clarity around their responsibilities.
The matrix enables multi-sourcing integration, which allows Pettigrove to hand responsibility for the practical delivery to Unisys, but still keep the relationship, the network and the contract with Unisys and the other vendors in his own hands. "That has been a very positive move," he says.
The provider-process relationships used to be "all in my head", he says. "I would be out there contacting vendors and Unisys was trying to catch up with me and saying 'what is this vendor doing for us?'
"Now I can go to Unisys and say 'here is the vendor that is doing this; this is the work they're doing. This is how they fit into the JRM, here are the SLAs [service level agreements] they deliver to." This means Unisys and the ANAO can implement multi-sourcing integration.
Linked into the matrix is an ITIL-based service architecture improving collaboration and communication among the providers and the overall coordination, in the hands of Unisys.
"Unisys knows which provider to contact for which section of our service, or which ITIL process," explains Pettigrove.
Providers commit to a service charter, "that says we'll deliver to solve the problems of the Audit Office," says Pettigrove.
"For most of these vendors, we don't have penalties or rebates [in case of non-performance] but they're all willing to commit, so that I buy more services from them [in the future]." If a supplier doesn't sign up to the service charter, they don't get the business.
"We had SLAs, but in 2005 they were not measurable," he states. "One, for example, was '80 percent client satisfaction'. That's easy to do; you just go round and be nice to people and solve their [day-to-day] problems. But that didn't solve the underlying policies. We didn't have incident management or problem management right. We had reasonably happy clients, but we couldn't get any project work done because our people were running in circles.
"That didn't work for us, so we changed to end-to-end user SLAs; SLAs that were achievable and effective and helped achieve business objectives."
Now when a problem is solved, he says, it is solved permanently for everyone. Other problems will obviously occur but there are no repeat incidences of the same problem.
"I have a central service desk in Queensland, at the Queensland TAFE [technical college]," he says. Unisys supports the TAFE's ICT "and I pay a pittance to run this desk".
"We can't run user desktops remotely from there; but they log the call, they pass it on quickly, they prioritise it according to impact and urgency. They go through all the ITIL [processes], they escalate internally as quickly as they need to, based on the SLAs, and I have a single support contract for all my issues.
"I can look into this with a BMC tool to see exactly what my incident level is, how many [priority] 1s, 2s and 3s I've got; it aggregates them into categories and I can see what is where.
"I could never do that before. I used to get a monthly report six weeks after things happened and I'm trying to make judgements about how I manage going forward, when all I can see are incidents resolved and closed. I spent a lot of time worrying about things I didn't need to. Now I worry about things that happened today."
Pettigrove and his team did a lot of work in root-cause analysis as part of problem management "We have the capability to say, 'Here's a problem; it is affecting two-thirds of the organisation; it has got to be a priority. Who needs to be involved? These three vendors. Bring them to the table and ask them to resolve my problem for me."
Previously, Unisys was not completely informed about the root cause of any problem, he says. It could put a workaround in place, but didn't have enough visibility of the problem and its cause to implement a speedy, permanent fix.
Under the new processes, Unisys has "gone from just being a service provider, to a fully-integrated problem resolver", says Pettigrove.
Well-defined governance is an essential element: "At a strategic level we have quarterly executive meetings; we bring in our own executives; the Auditor-General or deputy Auditor-General attends and we brief them with where we're up to and what the issues are and we ask for their directions."
The Auditor-General does his part in pushing the IT team for further innovation. "Annually, we bring in our senior executives from Unisys to talk with the Auditor-General. At the operational level we have a committee that looks at strategy and performance. It's setting strategy going forward for three years; there is an annual review and then the committee looks at performance of each of the projects and strategies as we go through, on a monthly basis.
"Performance and reliability from a user point of view has lifted markedly. User response time has gone from 80 percent to 98 percent within the SLAs," says Pettigrove. "So my users are happy. Part of that is that a lot of the problems have gone away, because the problem management [process] is solving them. Incident resolution times have improved from 85 percent to 94 percent within the SLA."
There has been a 30 percent reduction in the number of incidents lodged monthly, and now they are being reported properly.
When Pettigrove joined ANAO, he found more than 85 percent of incidents -- the ones that didn't go through the service desk -- weren't being recorded. "We fixed that up," he says.
"Problem resolution was a nightmare; it's now gone from 28 days to eight days," he says, and network availability has improved from 99.7 to 99.99 percent.
In its own audits -- conducted by KPMG -- the Audit Office now shows up as "an outlier" on the positive side against other government agencies' ICT performance, says Pettigrove.
ANAO is where it should be now, he says, no longer a glasshouse but a "lighthouse of best practice"
Sidebar: Pathways to a single source of truth
Organisations that struggle most in evolving mature service management are those whose infrastructure operates in silos, often with different service providers for each.
They lack "a single source of truth", a common understanding of processes and elements of information used across the organisation, says Brett Hodgson, managing director, Unisys New Zealand.
He divides the process of achieving maturity into four steps:
"Step 1 begins with aligning IT infrastructure and services with your strategic business objectives and setting business-focused Key Performance Indicators for your IT department.
"Step 2 is about multi-sourcing management to drive collaboration and cooperation among providers," he says. By breaking a service down to its individual delivery tasks, a Joint Responsibility Matrix is created. This shows at a glance which provider is responsible for each task, and the hand-over points between providers, he says. "Sharing this matrix with all of the providers will help give them clarity around each other's responsibilities."
Even with this clear definition, there can still be confusion, because people don't always communicate or collaborate well.
"So an important part of mature service management involves having strong IT governance to ensure all parties are working to the same goals, communicating about important decisions, collaborating effectively and delivering results," says Hodgson.
Step 3 involves building an integrated ITIL-based service architecture. This gives a common understanding of people's roles in governance forums, a clear understanding of processes and service levels, along with a standard set of tools with common interfaces between the service management toolset and the various service providers' toolsets, he says.
The tools are at the centre of Step 4 -- creating a "single pane of glass" for everyone; an end-to-end view of the performance of the whole environment. This should include an ability to drill down to look at the performance of: particular business services; individual 'towers' of processes and data within each business unit; individual systems or applications; and each service provider.
"This information represents the core truths - the hard data about the IT environment's ability to support the business." CIO New Zealand
Unisys kindly sponsored the CIO Insights Luncheon on 'Delivering IT value' in Wellington.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.