What are the ITAM Maturity Assessment Governance Dimensions?
We’ve split the SAS questions into several ITAM-related dimensions to make it easier to focus on the underlying set of capabilities required to produce the most commonly requested ITAM outcomes.
Let’s look at the definition of each of these dimensions and how they are important in achieving ITAM outcomes.
Governance
Governance refers to how ITAM activities are directed and controlled. Strong governance ensures that ITAM activities are aligned to the broader technology and organisational strategy and operating model. It also ensures that ITAM scope and desired ITAM outcomes are enshrined in policy that is enforced throughout the organisation. Good governance requires a strong sponsor to ensure the resources and authority to implement and improve ITAM is in place. A good ITAM sponsor will not necessarily be directly involved in the management of ITAM but will be focused on managing up towards the senior leadership team to build their support for the ongoing improvement of ITAM within the organisation.
Governance also ensures that there is a clear sense of the improvement ‘journey’ for ITAM within the organisation. In mature organisations this will be documented at a high level in a strategic ITAM plan and at a more detailed level in an operational ITAM plan. These documents should be approved by the senior leadership team and become a guiding light for all ITAM improvement activities.
The governance dimension impacts our strategic drivers in an unusual way – it is in the performance of the governance processes that we come to understand which strategic drivers are the priority areas for us to address.
Control
Control refers to the ways in which governance is implemented and enforced on the ground. It covers the ways in which we assess our ITAM processes to identify when they are no longer operating to the required standard, or whether they can be improved to increase the productivity and efficiency of ITAM.
The control dimension is how we implement the famous Deming cycle – Plan > Do > Check > Act within the ITAM management system.
Controls start with measuring how well our processes are operating. We do this by defining and measuring critical success factors (CSFs) and key performance indicators (KPIs). We also need to determine how to measure our KPIs and communicate the results. The control dimension also dictates what happens when process failures, or potential improvement opportunities, are identified.
In less regulated or mature organisations and industries, control may be less formal – there may not be a comprehensive set of KPIs and they may not be measured routinely. Although a policy may exist, it may not be linked directly to the KPIs.
On the other hand, in highly regulated organisations, the way a process should be performed may be mandated in a set of controls, which relate directly back to policy. An independent auditor (usually internal, but sometime external) may work with operations teams on a regular cycle to assess the way the processes are performed in practice, and identify non-conformance. Process and procedure changes may be mandated to ensure process conformance in future.
Most organisations sit somewhere between these two extremes.
Organisations which have strategic drivers of information security and organisational risk management are most likely to require a strong control dimension.
Financial management
For many organisations, this is a key dimension and business driver in and of itself. IT assets cost money to purchase and maintain, so keeping a tight control on the pennies is critical. In this dimension we assess the ability of organisations to capture what they are spending, maximise the benefit (return on investment) they receive from the assets they acquire, and ensure there is as little money wasted on IT assets as possible.
We also measure the degree to which the ITAM team capture and report on the financial benefits of their hard work – are they recording and reporting on cost savings / cost avoidance? Do they establish savings targets and track whether or not they are achieving their savings targets? Finally, very mature organisations may make efforts to quantify and measure the return on investment of their IT assets and make decisions regarding the disposition of their assets based on these calculations.
The financial management dimension is driven very much by the need for cost control and organisational risk management. The degree to which organisations are focused on this dimension reflects real world issues that, in the worst case scenario, can become an existential threat. Examples of organisations where this dimension becomes important include organisations with a low profit margin, government departments and organisations which face scrutiny from taxpayers, and firms with a poor cashflow position, because it is perfectly possible for even profitable firms to go out of business if they run out of cash in the bank to pay wages and suppliers.
Data and systems
Even at the most basic level, performing ITAM activities is impossible without technology of some sort, even if it is a simple excel spreadsheet (in fact, excel is without a doubt the most commonly used ITAM tool!).
This dimension casts judgement not so much on the tools themselves, but on whether we have the correct tooling and data management processes in place to manage ITAM related risks and support the achievement of the organisation’s ITAM related goals. We don’t care what tools you use, or what you do with them, as long as they get the job done. If you’re a tiny firm with only a small number of employees, then excel may be the right ITAM tool for you!
There are many specialist ITAM tools out on the market, and they all do basically the same thing. They will all be able to discover what IT assets are deployed on the estate, compare those with what our records show have been purchased, and flag up the differences so the ‘why’ can be investigated and remediated so we get accurate asset data. This basic rule of the game applies to both hardware and software assets.
Less mature organisations often have their ITAM tools operating in a silo, working independently of other IT Service Management (ITSM) and IT Operations Management (ITOM) tools that are also installed on the estate. As organisations mature, tooling may be consolidated and automation increased, while ITAM tools may be integrated more with the ITSM and ITOM counterparts, making asset tracking and management more accurate, and less labour intensive. The more mature ITAM tooling, the easier it is to realise the benefits of ITAM in the long term, although of course sophisticated tools cost money, both in terms of the cost of purchasing and maintaining them, but also because of the process re-engineering that may need to happen prior to their deployment. Mature organisations will also try and automate tooling and data management as much as possible… but there is a caveat: you can’t automate a bad process (or if you do, you get bad outcomes!).
Ultimately, highly mature organisations manage their tools and data to build a virtuous cycle of trustworthy data, where people within the organisation know they can rely on the tools and data because issues are prioritised for remediation as soon as they are identified.
The data and systems dimension is critical for achieving all strategic drivers, because this is the dimension that drives trustworthy data. Without trustworthy data ITAM goals cannot be achieved.
HAM & SAM Lifecycle
The lifecycle processes do what it says on the tin – they move asset through their lifecycle. They tend to fall into two categories: 1) processes which are owned by non-ITAM teams, but which have an ITAM impact, and 2) those which are specifically ITAM processes.
Processes which fall into the first category are things such as asset purchase processes (owned by procurement), supported software / hardware catalogue management processes (owned by enterprise architecture), and operations processes such as deployment, installation and uninstall (owned by ITSM). When improving these processes, we must work with these process owners to ‘tweak’ their processes to achieve ITAM outcomes as well as their own process specific outputs. Processes which are not owned by ITAM teams tend to critical for achieving business agility and optimising employee satisfaction, and it may be that compromises must be made and risks must be accepted to achieve a high standard in these areas, unless the organisation is willing to throw lots of money at the problem!
The purely ITAM lifecycle processes are those where ITAM directly owns the process themselves, although they may not always operate the process. These processes include the license compliance processes, the hardware disposal process, and the hardware asset refresh process. The outputs of these processes form the ‘raison d'être’ for ITAM.
These processes are critical for achieving cost control, supporting information security and organisational risk management, and achieving sustainability goals.
In the SAS, we have allocated each process to a primary dimension to simplify reporting and analysis. However, do bear in mind that many processes also include capabilities that could happily sit in other dimensions, for example, there is considerable cross-over between the governance and control processes. It is also important to recognise that there is no one to one relationship between the dimensions and ITAM outcomes – while the dimensions are a convenient way to structure the report and illustrate inter-process relationships, it is the achievement of ITAM outcomes that matter. ITAM dimensions are purely labels to help categorise and present the results of the questionnaire to enhance understanding of the role different processes play in achieving ITAM outcomes and support your organisations business and IT strategies.