Audit of Demand and Relationship Management
Audit Report
Office of Audit and Evaluation
December 2017
Executive summary
What we examined
The objective of this audit was to provide assurance that appropriate controls, processes and functions had been defined for Shared Services Canada (SSC) to proactively manage the demands of, and relationships with, its partners and clientsFootnote 1 .
The scope of the audit included the controls, processes and functions within the Information Technology Infrastructure Library (ITILFootnote 2 ) service lifecycle related to demand and relationship management with SSC’s partners and clients. Controls and processes in place from April 2014 to April 2015 were assessed against the ITIL Maturity Model.
Why it is important
Approximately 1,300 information technology (IT) employees from Public Works and Government Services Canada transferred to the new department in the summer of 2011. An additional 5,000 IT and internal services employees from 43 other federal organizations were transferred in November 2011. This experienced workforce operates under a new business model, one that encourages partnerships and that is based on service excellence, innovation and value for money.
Demand and business relationship management are critical parts of service management at SSC. The Department has based service management, including processes for demand and relationship management, on the ITIL service lifecycle. At the time that this audit was launched, SSC was engaged in a number of parallel policy and process activities that were prerequisites to the development of a Service Management Strategy.
What we found
We found that SSC established an initial framework for controls, processes and functions for the management of service demand and partner relationships; however, it had not reached a higher level of process maturity to manage service demands and meet the requirements of its partners and clients.
Strategy management for IT services, service portfolio management, financial management for IT services and demand management were in the early stages of maturity. SSC documented and communicated a strategy management process as well as a service portfolio. However, there was no process to assess the effectiveness of the enterprise service strategy and processes and service portfolio processes have not been consistently followed. An Enterprise Cost Management Framework was being developed during the audit examination. SSC’s demand management function was being tracked using various tools and systems; service requests were received through multiple channels and there was no process in place to communicate updates on the status of services.
Business relationship management and service catalogue management had reached a moderate state of maturity. Standardized business relationship management processes were used to communicate information to SSC’s partners and clients. SSC published its initial service catalogue March 31, 2015.
Finally, capacity management was assessed at the time as absent; there was no centralized capacity management function in place and SSC had not developed a capacity plan. We also found that SSC did not have a centralized service management information management system to allow for information sharing and the development of service metrics.
Developments outside of Audit Scope Period
Immediately following the scope period of the audit, in April 2015, SSC re-aligned a number of business functions, including those for demand management, relationship management, service design and service delivery. Following the realignment:
- SSC’s Strategy branch was given responsibility for relationship management; acting as the primary point of contact for partners and clients, they will voice partner concerns, educate, advocate, engage and manage expectations
- demand management was made the responsibility of the Service Management and Data Centres branch who engages partners on the technical front, triaging requests, sequencing activities, recovering costs and building solutions
- service delivery and design became a multi-branch initiative involving the cooperation of many employees across SSC. Ongoing communication between all branches in SSC is necessary for demand and relationship management processes to be effective
The April 2015 reorganization of the Department demonstrated SSC’s commitment towards developing a more mature process framework to proactively manage its integrated service function.
The audit work was completed by 2016 but due to changes within the Office of Audit and Evaluation at SSC, the report was not finalized. As a result in 2017 it was decided to do a full follow-up review of all outstanding management action plans before the publication of the audit report. Subsequent changes were not applied to the overall findings presented in the audit; however, recommendations and management responses were adjusted to better reflect recent circumstances.
As a result of this review, the Office of Audit and Evaluation found that all elements of the management action plans were complete with the exception of one, concerning the implementation of a Customer Relationship Management Tool. Overall management has implemented sufficient improvements to address the recommendations made in this audit report through:
- the establishment of a multi-year service management strategy
- the establishment of appropriate governance processes (the Service and Project Review Board and the Account Management Board)
- an organization structure has been put in place to support implementation and ongoing service management process management
- performance metrics including operational and service reviews have been established in alignment with the broader departmental performance management framework
- the introduction and implementation of the Enterprise Business Intake and Demand Management to standardize demand management
- the SSC service catalogue was implemented as the single window for SSC service information and processes established to communicate and maintain the catalogue management process
- a client feedback process was established to collect information to improve on service delivery
- a process maturity assessment was conducted and SSC management prioritized the management of demand, tracking of business requests and implementation of standardized tools and processes
Of important note is that in the longer term, the implementation of a new Information Technology Service Management system (ITSM), currently under development, will integrate and enhance SSC’s ability to manage this critical aspect of its operations.
The Office of Audit and Evaluation plans to conduct a follow-up audit of Demand and Relationship Management as part of its 2017-2020 risk based audit plan.
Sharon Messerschmidt
Chief Audit and Evaluation Executive
Background
The Government of Canada established Shared Services Canada (SSC) on August 4, 2011, to modernize how the federal government manages its information technology (IT) infrastructure in order to better support the delivery of programs and services to Canadians.
As mandated by the Shared Services Canada Act, SSC is supporting business continuity and improving IT operations for 43 federal partner departments and agencies. That responsibility includes keeping the mission critical systems operational across the government. Approximately 1,300 IT employees from Public Works and Government Services Canada transferred to the new department in the summer of 2011. An additional 5,000 IT and internal services employees from 43 other federal organizations were transferred in November 2011. This experienced workforce operates under a new business model, one that encourages partnerships and that is based on service excellence, innovation and value for money.
This audit was approved by the President of SSC after being recommended by the Departmental Audit and Evaluation Committee as part of the 2014–2017 Risk-based Audit and 2014–2019 Evaluation Plan.
Demand and business relationship management are critical parts of service management at SSC. The Department has based service management, including processes for demand and relationship management, on the Information Technology Infrastructure Library (ITIL) service lifecycle. ITIL provides a cohesive set of best practices, drawn from the public and private sectors internationally, which have been adopted by individuals and organizations across the world to align IT services with the needs of business (ITIL v.3, 2011 edition).
SSC’s demand management processes involve receiving service requests from 43 partner organizations and 137 client organizations. These requests come from three main sources: end users, departmental Chief Information Officers (CIO) (managed as projects, these requests are generally more complex and larger in scope) and requests generated internally by SSC employees. Some requests are completed on a cost recovery basis while others assumed by SSC. Some examples of typical requests include: increasing server capacity, setting up IT workspaces during a building relocation, and purchasing and setting up telecommunication devices or teleconference facilities.
SSC’s relationship management is complex; our partners and clients span a range of demographics and support a variety of industries from weather forecasting to security/policing. SSC provides a range of support and services to small clients with less than 50 employees and large partners with more than 50,000 employees. Understanding the needs of these partners and clients and maintaining positive working relationships is essential for SSC to succeed in delivering its mandate.
In April 2015, SSC realigned a number of business functions, including those for demand management, relationship management and service design and delivery. Following the realignment, SSC’s Strategy branch became responsible for relationship management; acting as the primary point of contact for partners and clients, they will voice partner concerns, educate, advocate, engage and manage expectations. Demand management was made the responsibility of Service Management and Data Centres (SMDC) Branch, who engages partners on the technical front, triaging requests, sequencing activities, recovering costs and building solutions. Service delivery and design is a multi-branch initiative involving the cooperation of many employees across SSC. Ongoing communication between all branches in SSC is necessary for demand and relationship management processes to be effective.
Objective
The objective of this audit was to provide assurance that appropriate controls, processes and functions have been defined for SSC to proactively manage the demands of, and relationships with, its partners and clientsFootnote 3 .
Scope
The scope of the audit included the controls, processes and functions within the ITIL service lifecycle related to demand and relationship management with SSC’s partners and clients. Controls and processes in place from April 2014 to April 2015 were assessed against the ITIL Maturity Model.
Methodology
During the planning of the audit, we:
- interviewed managers and technical experts
- reviewed relevant documents, including flowcharts, reporting dashboards, decision‑making committee’s terms of reference, functional guidance and action plans
- mapped processes, controls and risks
- interviewed SSC’s partners in small, medium and large departments
Field work for this audit was substantially completed by May 31, 2015.
The ITIL process maturity framework (PMF) which provides a common, best practice process maturity assessment approach widely used in the IT industry, was used as the main tool to assess the maturity of the service management in the organization. ITIL V.3 is the Framework used by SSC for IT service delivery. The organization strives to achieve a proactive service supply, with services being supplied ahead of demand rather than being demand-driven. The ITIL Service Management practices are based on the idea of achieving service quality and considering services to be assets from which the customer gains value. ITIL standards also contain a PMF, which can be used to measure the maturity of the Service Management process as a whole.
Based on our risk assessment, and in consultant with process owners, we selected seven ITIL processes within the lifecycle stages of “service strategy” and “service design” and applied the ITIL maturity model high-level self-assessmentFootnote 2 to obtain a rating of the Department’s functions related to demand management. The high-level assessment is designed to provide maturity score ratings to 0.5 of a decimal place. The seven processes covered by our assessment were:
- Strategy management for IT services
- Service portfolio management
- Financial management for IT services
- Demand management
- Business relationship management
- Service catalogue management
- Capacity management
Based on the results of the ITIL Maturity Model high-level assessmentFootnote 2 , each of the six lifecycle processes was assigned a level of maturity:
- Level 0: absent (chaos)
- Level 1: initial (reactive)
- Level 2: repeatable (active)
- Level 3: defined (proactive)
- Level 4: managed (pre-emptive)
- Level 5: optimized
We expected to find that SSC would be at a Level 3 for each of the seven processes.
Figure 1 - Text version
Figure 1 is a graphical representation of the ITIL process maturity levels with each level placed higher and to the right of the previous one to represent progression and increased maturity:
Levels 1 through 5 are each represented by a labelled blue square box while level 0 is a represented through text. The axis of the graph are not labeled but point upwards and to the right indicating an upwards and to the right maturity progression. Vertical grid lines space the boxes at equal intervals. Each maturity level box is placed in increasing order on the graph: level 0 (absent) is located below the horizontal axis between the origin and the first grid line, level 1 (initial) is located with its lower edge on the horizontal axis and one grid line away from the origin, level 2 (repeatable) is located two grid lines away from the origin with its left lower corner touching the level 1 (initial) box’s right top corner. Level 3 (defined), level 4 (managed), and level 5 (optimized) are similarly placed in relation to each other, with each box’s lower left corner touching the previous box’s right top corner.
Statement of Assurance
Sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion were based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. This engagement was conducted in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing. At the time of the audit practice inspection had not been conducted.
Detailed Findings and Recommendations
Strategy Management for Information Technology Services
To best support the business needs, IT services should be managed from an enterprise perspective. The strategy management process defines and maintains perspective, position, plans and patterns related to services, as well as management of the organization’s services. Executive accountability and responsibility is critical to the success of this process. In addition, each business unit needs to buy in and support the strategyFootnote 5 .
We expected the strategy management process at SSC to be managed proactively. This included having a documented strategy that was communicated internally and externally, with exceptions to the process being logged and used as a basis for improvement.
We found that strategy management for IT services was a Level 1.5 (between initial and repeatable).
SSC had a strategy management process which was documented and communicated by means of a “Functional Direction for the following enterprise services: Data Centre, Telecommunications, Distributed Computing, Cyber and IT Security”. This Functional Direction outlined SSC’s transformational initiatives aimed at improving IT across the Government of Canada. The strategy management for IT Services at SSC was based on the principle of increasing business value of the IT services delivered. The process was also directly related to all the services contained within the service portfolio, including customer-facing services and supporting services.
The Functional Direction was updated following a bi-annual cycle of gathering feedback; the latest Functional Direction version 4.0 was slated for release June 2015. The Functional Direction was linked to the SSC website and with each iteration of service transformation the size of the Functional Direction is reduced, as services are dropped off the Functional Direction when added to the Service Catalogue. While a process was in place to gather internal feedback, there was no external process in place to gather feedback from partners.
The importance of conforming to SSC’s IT service strategy was communicated to employees with the issuance of each new update to the Functional Direction. There was an exception process documented in the Functional Direction but there was no tracking of exceptions or evidence to support that the exception process was being regularly followed across all service portfolios. To rectify this issue, the Chief Operating Officer has escalated the exception approval to the Assistant Deputy Minister level, but there was still no central tracking of exceptions in place, as they were tracked by service lines.
In order for SSC to achieve a proactive process, there is a need to define service strategy objectives and metrics to assess process performance against agreed process targets. In addition, an exception tracking process is required to ensure that the process is followed consistently and the impact of any exceptions assessed. This can be accomplished by developing a multi-year departmental service management strategy which includes an annual progress reporting in alignment with the Management Accountability Framework and the Treasury Board (TB) Policy on Service requirements.
Recommendation 1
The Senior Assistant Deputy Minister, Strategy, should develop a multi-year departmental service management strategy, which includes regular reporting against agreed performance objectives and targets.
Recommendation 2
The Assistant Deputy Minister, Data Centre Services, should develop a centralized process to track and report to senior management exceptions to SSC’s Functional Direction. The Senior Assistant Deputy Minister, Strategy, should evaluate or determine the impacts of these exceptions on SSC’s Transformation Programs.
Service Portfolio Management
Service portfolio management is a dynamic method for governing investments in service management across the enterprise and managing them for value. A service portfolio is the complete set of services that are managed by SSC and describes these services in terms of business valueFootnote 6 .
We expected that service portfolio processes were documented and carried out consistently across portfolios, performance metrics were defined and reported internally and externally allowing for the proactive management of business functions.
We found that service portfolio management was a Level 1.5 (between initial and repeatable).
SSC’s service portfolio was documented and followed a regular review and updating process. The services list had been approved by SSC management and contained service definitions, interdependencies and a break-down of services between “partner-facing services” and “technical (enabling)” services.
SSC’s organizational service lines were realigned April 1, 2015, from a partner portfolio model to a service portfolio model. Process activities and decision making were not consistently undertaken within and across portfolios, particularly with regard to legacy systems. Portfolios were not using a standardized set of tools to record decisions, cost services and monitor transactions. With the exception of incident reporting, service metrics were not consistently collected or reported by portfolio.
To reach a proactive level of maturity, SSC’s service portfolios will need to follow documented, consistent and repeatable processes and develop service metrics to measure the efficiency and effectiveness of processes.
Recommendation 3
The Chief Operating Officer (COO) should establish governance processes to ensure alignment with strategic and service objectives.
Recommendation 4
The Senior Assistant Deputy Minister of Service Delivery and Management, should implement consistent procedures for service management across SSC.
Recommendation 5
The Senior Assistant Deputy Minister, Service Delivery and Management, should develop performance metrics which are regularly reported to senior management.
Financial Management for Information Technology Services
Financial management provides the value of IT services, the value of the assets underlying the provisioning of those services and the qualification of operational forecastingFootnote 7 .
We expected the financial management process for IT services at SSC to be managed proactively. This included having a documented costing framework, with accurate costing metrics, and automated tools to ensure efficiency and consistency of processes.
We found that financial management at a Level 1.5 (between initial and repeatable).
We found that the process roles and responsibilities for the financial management of IT services were assigned and documented. However, we identified weaknesses with the current state of the costing aspect of the financial management process, in particular, regarding cost recovery. Few areas had defined costing requirements and there was no centralized costing guide. This led to inconsistent costing of business requirements and inconsistent decision making on when to charge partners for services. A project charter has been developed to establish an Enterprise Cost Management Framework (ECMF) and the draft conceptual costing model had been approved by the Senior Management Board.
While there were plans to include unit cost measures in future service listings, the Finance directorate had difficulties obtaining metrics and cost drivers from SSC’s service portfolios necessary for the development of the costing model.
To achieve a proactive level of financial management for IT services, SSC will need to implement its ECMF to allow for the consistent costing services and cost recovery decision making, and regularly update the framework based on service portfolio updates and stakeholder feedback. In addition, ITIL recommends that financial management works in conjunction with capacity management to align budgets with service demands and organization capacity plans. SSC has not yet developed an enterprise-wide capacity plan (see Capacity Management section); an SSC-wide capacity plan integrated with financial, resource management and partner planning would allow more proactive management of SSC partners’ needs.
Auditor’s note: In consultation with Corporate Finance, a recent assessment has indicated that the main deficiencies in this area have been addressed and no longer require a recommendation to resolve the issues. Audit work was not performed to determine whether the ITIL score would have improved in order to maintain the assessment as at the time the audit was conducted.
Demand Management
The purpose of demand management is to understand and influence customer demand for services and the provision of capacity to meet these demands. At a strategic level, this can involve analysis of patterns of business activity and user profiles. At a tactical level it can involve use of differential charging to encourage customers to use IT services at less busy timesFootnote 8 .
We expected to find that demand management was managed proactively, including processes to track and provide updates on all service requests, measure performance, provide training and receive feedback from partners. We expected that decision making was consistent and centralized, and that there were procedures for the regular reporting of service demands.
We found that demand management was a Level 1.5 (between initial and repeatable).
Multiple channels existed to receive service requests and SSC’s demand management function was being tracked using various tools and systems. Management considered these systems and tools to be interim solutions which should be replaced by centralized tracking and a single service window for partners and clients into SSC. Due to the lack of centralized intake and tracking, SSC was unable to produce a consolidated reporting of all service demands or analyze patterns of business activity. There was a risk that requests could get lost between tracking tools.
Standardized methodology and a centralized decision-making point for business intake have not yet been established. Decision-making roles and responsibility for previous decision-making committees were unclear; work is being done to clarify these roles and responsibilities. A lack of training and resources at the operational level also impacted the ability of the demand management function to make timely, effective and efficient decisions.
Updates on the status of services were often achieved through informal discussions; there were no automated tools to receive updates on the status of services and no channels for direct feedback from partners. Partners interviewed expressed frustration that they received little feedback from SSC and did not know how long it would take to receive a given service. Feedback is planned to be received from partners by involving partner CIOs in discussions about prioritization of resources and requirement of ranking for demand requests; however, these feedback strategies are not yet implemented.
For SSC to achieve a proactive level of demand management, a standardized intake process, with consistent, repeatable decision making and recognized roles and responsibilities are needed. ITIL processes are required to receive regular updates on the status of services and report these back to partners and clients. A lack of metrics, such as the measuring of business activity, leads to an incomplete picture of SSC’s demand-related needs and activity. Complete and quality information is required for analyzing patterns of business activity. Deviations from the demand forecasts should be reviewed and reported to reduce the impact of future deviations and, in conjunction with capacity management, balance resources to meet fluctuations in demand.
Recommendation 6
The Senior Assistant Deputy Minister, Service Delivery and Management, should develop, communicate and monitor standardized demand management processes consistent with SSC’s service strategy.
Recommendation 7
The Senior Assistant Deputy Minister, Service Delivery and Management should implement a single service window into SSC that will allow the centralized tracking of requests
Business Relationship Management
Business relationship management is the process by which business managers establish strong relationships with customers through communication, input to service portfolio management and ensuring that the IT service provider is satisfying the business needs of its customers. Business relationship management is key to understanding customer business needs and outcomesFootnote 9 .
We expected to find that business relationship management was managed proactively, consistent processes were employed to communicate with partners and clients, standardized reporting templates were used, adequate training was provided to business relationship managers, inter-process dependencies were recognized and performance was measured then reported to both internal and external stakeholders.
We found that business relationship management was a Level 2 (repeatable/active).
Following the April 1, 2015 reorganization of the Department, SSC appointed account executives to be in charge of the business relationship management, to collect information on upcoming partner needs and to act as the primary point of contact for partners. Partner meetings were held regularly using a common agenda and partners were requested to participate in the planning service needs. We found that SSC had documented standard process templates but they were not used consistently. We sampled four departments and expected to find each of four required documents; we found that one of them was not prepared for a department. Dashboard reports of activities and performance were produced, reviewed and regularly reported to internal and external stakeholders.
We found that, prior to the April 1, 2015 reorganization of the Department, communication between relationship managers and partners was inconsistent. Some relationship managers did not have a good understanding of the tasks, activities, outcomes and constraints of SSC’s partners and stakeholders. Following the realignment, SSC established 13 new account executive positions to act as the primary point of contact between SSC and its partners. These account executives will provide a more intimate view on the priorities of our partners.
To achieve a proactive level of business relationship management, tools to collect information and analyse business patterns should be used to share information across SSC. Account executives will need to fully understand the tasks, activities, outcomes and constraints of their partners, as well as other internal and external stakeholders. A regular review of service outcomes, value of services and customer feedback gathered by account executives would enhance SSC’s business management function.
Recommendation 8
The Senior Assistant Deputy Minister, Strategy, should collect feedback from SSC’s partners and clients to ensure their needs, priorities and constraints are being understood by account executives and used to improve service delivery processes.
Service Catalogue Management
The purpose of service catalogue management is to provide a single source of consistent information on all of the agreed services, and ensure that it is widely available to those who are approved to access it. The service catalogue includes information about deliverables, prices, contact points, ordering and request processesFootnote 10 .
We expected to find that SSC had a published, up to date service catalogue that was proactively managed to ensure it was reliable, accurate, and met the needs of its partners and stakeholders.
We found that service catalogue management was a Level 1.5 (between initial and repeatable).
SSC published its initial service catalogue March 31, 2015. Available to partners and clients on SSC’s Serving Government website, this catalogue outlined the initial 14 services and related activities offered by SSC.
Processes to add new services or major updates to the catalogue have been documented in the service lifecycle artefact map which outlined the review approval processes. However, processes needed to achieve a proactive level of management for the service catalogue (e.g. reviews, approvals, customer feedback and metrics) have not been fully documented, communicated and implemented. The review and approval process for minor updates has not been defined and approved. A process is currently underway to gather internal and external feedback on SSC’s initial service catalogue. Metrics and costing have not yet been included in SSC’s service catalogue; however, plans have been made to define a unit cost of measure for every service with the intent to gather volumetric data.
SSC will need to define, communicate and consistently implement these feedback, review and approval processes to achieve a more mature, proactive state of service catalogue management and to maintain an accurate service catalogue.
Recommendation 9
The Senior Assistant Deputy Minister, Service Delivery and Management, should define, communicate and implement the process to maintain the service catalogue, based on information technology, business and partner / client needs.
Capacity Management
Capacity management is a critical aspect of service management which has a direct impact on the availability of services and assists in the planning of short-, medium- and long-term business requirements by considering all resources required to deliver the IT service. An analysis of business requirements and customer outcomes provides the predictive and ongoing capacity indicators needed to align capacity to demandFootnote 11 .
We expected to find that roles and responsibilities for the capacity management process at SSC were clearly defined, metrics for capacity planning had been defined within the service portfolios and results were being reported to management and external stakeholders.
While SSC has recognized the need for a capacity management function, it has not yet achieved an initial level of maturity as per the ITIL PMF; we found that capacity management was a Level 0.0 (absent).
The April 2015 reorganization of the Department saw the capacity management function being assigned to the SMDC branch; however, no one has been assigned responsibility for capacity management. Some processes for capacity management were previously conducted at the service portfolio level; however, the portfolios have since been realigned and any methods formerly used to collect, record or apply information remain decentralized, inconsistent and undocumented. SSC’s ability to collect and analyze information for capacity management is hindered by the lack of a standardized tool to collect, capture and disseminate information across its service portfolios and branches. Most processes to collect this standardized information on services or service metrics across service portfolios remain at the conceptual stage.
The development of a capacity management function is necessary for SSC to prioritize and allocate resources to balance service delivery needs of partners while delivering its core mandate of transforming the Government of Canada’s IT infrastructure. There are plans to develop two new Government of Canada committees to discuss enterprise business strategic interests and, through collaborative prioritization, match business demand to collective capacity. An enterprise-wide capacity plan would help SSC to internally prioritize partner projects and assist these new committees in alignment of Government-wide demand to SSC’s capacity.
Recommendation 10
The Senior Assistant Deputy Minister, Service Delivery and Management, should ensure there is a centralized capacity management function within SSC to gather information from each client, create and analyze metrics for service capacity, inform service delivery managers of overall service constraints, and develop and communicate a capacity plan.
Overall Finding – Information Management
An important aspect of a proactive level of maturity is the ability to collect standardized information and measure performance using a range of metrics. To be effective, this information should be stored within a centrally controlled and maintained repository.
We found that many of the functions assessed lacked centralized systems and tools to collect standardized information and performance metrics. As a result, few processes had defined metrics, targets or regular reporting functions in place. The definition and development of standardized reporting tools and metrics would allow SSC to better assess performance, identify efficiencies and meet stakeholder needs.
Recommendation 11
The Chief Operating Officer should oversee the selection and implementation of centralized information systems and/or tools for: decision making; the collection, distribution and analysis of partner and client information; service metrics; and performance reporting.
Conclusion
The objective of this audit was to provide assurance that appropriate controls, processes and functions have been defined for SSC to proactively manage the demands of, and relationships with, its partners and clients.
We found that SSC had laid an initial framework for controls, processes and functions for the management of service demand and partner relationships; however, it had not yet reached a proactive level of process maturity to manage service demands and meet the requirements of its clients and partners.
Audit Criteria | Maturity Results | Level |
---|---|---|
Strategy Management for IT Services | 1.5 | Initial - Repeatable |
Service Portfolio Management | 1.5 | Initial - Repeatable |
Financial Management for IT Services | 1.5 | Initial - Repeatable |
Demand Management | 1.5 | Initial - Repeatable |
Business Relationship Management | 2.0 | Repeatable |
Service Catalogue Management | 1.5 | Initial - Repeatable |
Capacity Management | 0.0 | Absent |
We found that most ITIL processes reviewed had initial maturity level requirements in place. As most processes were in initial stages, we found weaknesses in terms of process activities being fully documented and consistently performed according to process documentation.
Strategy management for IT services, service portfolio management, financial management for IT services and demand management were between an initial and a repeatable stage of maturity. SSC has a documented and communicated strategy management process; however, there is a need to define service strategy objectives and metrics to assess the performance of the service management strategy.
SSC’s service portfolio was documented and followed a regular review and updating process; service management processes across portfolios were not consistent and service metrics will have to be developed to measure efficiency and effectiveness.
An ECMF was being developed for the financial management of IT services. To ensure proper development and updating of the framework, metrics and cost drivers from SSC’s service portfolios are required.
SSC’s demand management function was being tracked using various tools and systems; however, there was no process to communicate updates on the status of services. A standardized intake process, with a process for partners to receive regular updates on service status, is required.
Business relationship management had reached a repeatable state of maturity. Standardized business relationship management processes were used to communicate information to SSC’s partners and clients. Tools to collect partner feedback in addition to information to analyse business patterns are needed to improve service and relationship management processes.
SSC published its initial service catalogue March 31, 2015. Processes to update this catalogue should be documented, communicated and implemented in order to maintain its relevance.
Capacity management was assessed as absent. The development of a capacity management function and capacity plan is necessary for SSC to prioritize and allocate resources.
In addition to the seven ITIL processes reviewed, we also found that SSC did not have a centralized service management information management system to allow for information sharing and the development of service metrics.
To become more proactive, SSC needs to ensure compliance with the processes it has defined which will allow the performance of consistent processes. The April 2015 reorganization of the Department has demonstrated SSC’s commitment towards developing and implementing controls and functions based on the ITIL methodology to proactively manage the demands of, and relationships with, its partners and clients. However, work remains to be done to achieve a fully proactive and integrated service function.
Developments Outside of the Audit Scope Period
Immediately following the scope period of the audit, in April 2015, SSC re-aligned a number of business functions, including those for demand management, relationship management, service design and service delivery. Following the realignment:
- SSC’s Strategy branch was given responsibility for relationship management; acting as the primary point of contact for partners and clients, they will voice partner concerns, educate, advocate, engage and manage expectations
- Demand management was made the responsibility of the Service Management and Data Centres branch who engages partners on the technical front, triaging requests, sequencing activities, recovering costs and building solutions
- Service delivery and design became a multi-branch initiative involving the cooperation of many employees across SSC. Ongoing communication between all branches in SSC is necessary for demand and relationship management processes to be effective
The April 2015 reorganization of the Department demonstrated SSC’s commitment towards developing a more mature process framework to proactively manage its integrated service function. In addition, other organizational changes and developments outside of the audit scope period are worthy of mention including:
- SSC has implemented a multi-year customer satisfaction feedback initiative, which is a key element of the Service Management Strategy. In December 2015, a questionnaire was launched to obtain feedback on service delivery from the CIOs of partner organizations. This questionnaire will be completed annually to capture trends in service delivery performance and engagement practices over time
- In October 2015, the Service Management and Data Centres Branch was reorganized into two distinct branches: Service Delivery and Management and Data Centre Services. One branch now focuses on service management while the other continues to focus on the task of consolidating and modernizing data centres. This shift provides a more focused senior-level leadership to the service management and data centre functions
The audit work was completed by 2016 but due to changes within the Office of Audit and Evaluation at SSC, the report was not finalized. As a result in 2017 it was decided to do a full follow-up review of all outstanding management action plans before the publication of the audit report. Subsequent changes were not applied to the overall findings presented in the audit; however, recommendations and management responses were adjusted to better reflect recent circumstances.
As a result of this review, the Office of Audit and Evaluation found that all elements of the management action plans were complete with the exception of one, concerning the last recommendation regarding the implementation of a Customer Relationship Management Tool. Overall management has implemented sufficient improvements to address the recommendations made in this audit report through:
- the establishment of a multi-year service management strategy
- the establishment of appropriate governance processes (the Service and Project Review Board and the Account Management Board)
- an organization structure has been put in place to support implementation and ongoing service management process management
- performance metrics including operational and service reviews have been established in alignment with the broader departmental performance management framework
- the introduction and implementation of the Enterprise Business Intake and Demand Management to standardize demand management
- the SSC service catalogue was implemented as the single window for SSC service information and processes established to communicate and maintain the catalogue management process
- a client feedback process was established to collect information to improve on service delivery
- a process maturity assessment was conducted and SSC management prioritized the management of demand, tracking of business requests and implementation of standardized tools and processes
Of important note is that in the longer term, the implementation of a new Information Technology Service Management system (ITSM), currently under development, will integrate and enhance SSC’s ability to manage this critical aspect of its operations.
The Office of Audit and Evaluation plans to conduct a follow-up audit of Demand and Relationship Management as part of its 2017-2020 risk based audit plan.
Annex A: Audit Criteria
The following audit criteria were used in the conduct of this audit:
- Strategy management for IT services
- Service portfolio management
- Financial management for IT services
- Demand management
- Business relationship management
- Service catalogue management
- Capacity management
Annex B: Acronyms
- ADM
- Assistant Deputy Minister
- CIO
- Chief Information Officer
- COO
- Chief Operating Officer
- DCS
- Data Centre Services
- DG
- Director General
- ECMF
- Enterprise Cost Management Framework
- IT
- Information Technology
- ITIL
- Information Technology Infrastructure Library
- PMF
- Process Maturity Framework
- SADM
- Senior Assistant Deputy Minister
- SDM
- Service Delivery Management
- SSC
- Shared Services Canada
Page details
- Date modified: