IT Delivery and Support Maintaining Service Levels and Business Objectives

1
IT Delivery and SupportMaintaining Service
Levels and Business Objectives

• CARTAC/CGBS IT Workshop for Regional Bank
  Examiners 2009
• Peter Quinn
• June 22, 2009

2
Agenda

• Service Levels and Measurement
• Business Objectives? Do we understand?
• Psychology of Delivery
• Trends in measuring performance, delivery
• Risk
• What do we need to do

3
Service Levels and Measurement

• Most common measurements/Metrics
• Uptime98.5...or something
• Reflects availability of systems
• Sort of a group measurement
• Meaningful?.....we will explore
• Peak vs. Non-peak
• Understanding the critical business hours of
  activity or need for systems
• I.E. Branch hours of 830am to 300pm
• Relevant in an e-World?

4
Service Levels and Measurement cont.

• What does IT really need to deliver today?
• Core systemssure
• But what about
• Very specific time windows in the enterprise?
• Individual PC performance
• Excel?
• Network and system (what is the system today?)
  access on weekends
• And is availability just within a traditional
  corporate facility?

5
Business Objectives? Do We Really Understand?

• Simply put
• We are in the business to make money
• And profits are a cost of doing business
• IT Perspective
• What are business objectives?
• Defined by whom
• Prioritized by who and or what corporate bodies?
• Delivered how?
• Measured as delivered by what metrics?
• All about meaningful Governance, often very
  illusive

6
Business Objectives? Do We Really Understand?

• My very simple definition
• Delivering what you require, when you require it,
  in a form usable for that context in a secure
  manner..this is a mouthful!
• Challenges
• Successfully getting the business to define what
  it is they real want and require
• Getting IT to deliver what the business has said
  they require and doing it when, in usable
  context and securely, consistently bad English
  but you get the gist

7
The Psychology of Delivery

• Lets start with 98.5 uptime
• Does 2.5 matter? In what context?
• If I say 98.5 is good enough, does that
  automatically allow me to dismiss minor
  aberrations?
• Is striving for anything less than 100
  acceptable today?
• And, by the way, is it achievable?
• Is 98.5 good enough for NASA, a surgeon, a
  policemen, a Lexus?

8
The Psychology of Delivery cont.

• Projects
• Critical Success Factors
• 99.999 of transactions correct?
• Contract Delivery terms
• Severity 1 We are in the toilet Fix time?
• Severity 2 Substantial impact but systems are
  operating Fix time?
• Severity 3 Some impact but with workarounds
  available Fix time?
• Severity 4 Minor impact with workarounds
  available Fix time?

9
The Psychology of Delivery cont.

• Contract Delivery Times cont.
• Severity 1
• Acknowledge in, say one hour fix within 4 hours?
• Severity 2, 3, 4
• Remedial Efforts requiring parts
• Same severity criteria as above logistics are
  defined by MTBF
• Depot (s) on island
• Spares on other islands no spares!!!!!!
• At Fed Ex, UPS, DHL, etc.

10
The Psychology of Delivery cont.

• Critical psychological impact of all of this
• Service organizations are, on average, getting
  worse at fixing issues, timely and correctly
• The Urgency of Now has been lost
• Less than excellence is an ingrained mindset
• We, IT (all areas.internal, external, etc.) talk
  in techno babble and lace our lack of performance
  with woes of complexity, bad vendors, well you
  dont understand with no real relevance to the
  business context. I can ping the router.
• Systematic Problem Determination is a lost art,
  sciencewe have forgotten the basics

11
Trends in Measurement

• Think Service Catalog What are you doing
• Meaningful and usable frameworks available
• ISO
• ITIL
• Substantive umbrella vendor offerings
• CA UniCenter
• IBM Tivoli
• EMC
• HP OpenView
• Landscape is filled with failed initiatives

12
Trends in Measurement cont.

• Goals
• Comprehensive view of the entire enterprise
• System performance
• Availability
• Server (CPU, Memory, Channel, etc.)
• Storage ( used, s of access where, what, ILM,
  etc.)
• Switches, Routers (Bandwidth Used,
  Re-transmissions, etc.)
• SLA Management
• Asset Management
• Change Management
• Application performance (availability, module
  access, etc.)
• Database performance (s,
• Predictable and Sustainable financials

13
Trends in Measurement cont.

• First Global Financial 8 Dimensions of Customer
  Service
• CUSTOMER-CENTRIC ARCHITECTURE
• EXTENDED ENTERPRISE SECURITY
• TRANSACTION EFFICIENCY
• TRANSACTION PERFORMANCE
• VALUE FOR COST
• ANYTIME, ANYWHERE SERVICE
• AN ETHICAL AND COMPLIANT PARTNER
• CONSTANT STREAM OF NEW SOLUTIONS

14
Trends in Measurement cont.

• More is available today than ever
• Lots of work and hard to define for ROI
• Successful initiatives start small and grow
• Too many shops suffer from Their eyes are bigger
  than their stomachs
• Trend is to SASS or ASP solutions
• Value for the money expertise
• Faster implementations

15
Risk

• Really does need to be defined in each enterprise
  and be almost element driven
• Internal vs. External
• By application and its time impact
• s, reputation, regulatory
• Disaster Recovery vs. Business Continuity
  Planning
• People

16
Risk cont.

• Internal vs. External
• As it has always been, internal risk remains the
  highest (s of incidents, s, etc.), most
  frequent and maybe the hardest to guard against
• Most of us are externally focused and with a
  growing number of potential attackers spread over
  a much greater geographic landscape

17
Risk cont.

• Application Risk Assessment
• Importance of the application to the enterprise
• Time relevance of its importance
• Relationship to other applications raises or
  lowers the risk profile?
• Can you run your business, recover, or what if
  you have a problem?
• Stability, TCO, malleability, delivery risk
  profile
• Vendor support risk
• Internal staff risk

18
Risk cont.

• s, Reputation, Regulatory
• s
• Reputation risk
• ID theft
• Funds
• Regulatory
• Who needs this!
• How do you undo this if you get on the wrong side
  of regulators?

19
Risk cont.

• Disaster Recovery vs. Business Continuity
  Planning
• Too often, still mis-understood
• DR
• What is sufficient? Core only?
• Email Mission-Critical application?
• Business Continuity Planning
• How do you operate with without a data center?
• Access to documents?
• ??

20
Risk cont.

• People
• Do you know who is critical and why?
• Is anybody that critical?
• Succession planning for all disciplines
• Hurricane Andrew and people

21
What We Need To Do

• Have a meaningful discussion about what IT
  delivers, when, why
• Some simple questions to ask
• How does my business really operate?
• What is the impact of lack of application
  availability to the business at what point in the
  business day?
• What is the business day?
• What is a meaningful service level?
• What is mission critical and why?
• How do you make sure the answers remain relevant
  in a changing paradigm?

22
What We Need To Do cont.

• Business Objectives
• You figured out how your business really runs
• A given
• Application availability
• Information availability
• People availability
• All with relevant security
• But what information do you really need to make
  good decisions
• Hourly, daily, weekly, monthly, quarterly,
  annually?

23
What We Need To Do cont.

• If you understand your information requirements,
  does what you have (applications) and your
  business processes yield that information?
• Too often, IT is
• Creating another report.
• Another transaction
• Another application
• And or fixing some of or all of the above

24
What We Need To Do cont.

• But are the business processes cannibalizing any
  real opportunity to use information meaningfully
• How do I put Peter Quinn in the system
• Once, many?
• As Peter Quinn, Quinn Peter, P Quinn, etc.?
• Can I find the Peter Quinn everywhere in my
  enterprise? Easily?
• Do I have unique identifiers? Use them with
  consistency?

25
What We Need To Do cont.

• What happens in the real world
• We do not have repeatable, sustainable, efficient
  business processes thus
• I have full Banking Halls and I do whatever I can
  to move them through.correct idea of customer
  service?
• So what if I short cut the process, as long as I
  move the customer along and they are not
  frustrated because of the long wait
• Do you have Quality Assurance to make sure this
  doesnt happen?
• Have you done Data Cleanup only to find out as
  fast as you clean, the business process is
  propagating dirty data just as quickly?

26
What We Need To Do cont.

• What happens in the real world cont.
• And if I do have good governance of data and
  business processes
• Do our systems support that governance?
• Easily and cost effectively?
• And how important is this
• 360 view of the customer
• Customer profitability, liability
• Regulatory requirements

27
What We Need To Do cont.

• We need, at a present state
• An Application Map
• A Data Map
• Architecture Map (all enterprise components)
• Understanding of our standards (or lack there of)
• Security map (deserves its own attention)
• A business map (who, what, where, when, why)

28
What We Need To Do cont.

• We need to
• Map the present state unto itself
• Whats working and why
• What isnt working and why
• Create the short, medium and long term plan to
  create the sustainable enterprise
• All elements
• Business processes
• IT processes
• All IT elements
• Business process to sustain what it is you are
  creating

29
What We Need To Do cont.

• And you, as Bank Examiners
• Dig into the plans
• Challenge the status quo
• Is it real or is it Memorex what you are being
  told?
• In the new paradigm, what is secure, mission
  critical, sustainable recovery, real business
  continuity, the real risk?
• Ask the tough questions