Why are there such large variations in adoption of industry standards across the world?
I have been reviewing the exploitation of international standards in the UK, specifically ISO/IEC 20000-1 for ITSM and ISO/IEC 27001 for information security, for many years now. Demonstrable and auditable compliance with an accepted standard is widespread in many professional areas including:
- Software design
But for mainstream IT, where service management and security are so critical to success, the track record is much more uneven. Why is this?
The challenges of exploiting standards for ITSM remain:
- Ensuring a standardised approach to delivering service
- Addressing the ever-widening challenges of information security
- Supporting the increasing business reliance on information technology
- Accommodating our dependency on multiple suppliers. Gone are the days of an organisation relying on a single-source supplier for all their services, support, software, and hardware.
- Identifying a robust Governance, Risk & Compliance (GRC) programme that will enable businesses to manage compliance with regulations and internal policies.
The gold standard for ITSM is ISO/IEC 20000. Unfortunately, too many people see this more as a control framework rather than an opportunity for increased efficiency and effectiveness. The objectives are clear:
- To deliver consistent, standardised, efficient, and reliable services to the business
- To manage costs, reduce risk and increase organisational value, while continually improving services and ensuring that the investment in service and support is being fully leveraged
- To create a single-source database of knowledge relating to business services, software and hardware assets, their dependencies, relationships, capacity, and availability. A means of understanding the organisation’s critical assets.
I often get asked the question, “What is the difference between accepted good practices and ISO/IEC 20000?” Here, in my view, are the 5 key differences:
- Good practice DOES NOT STATE WHAT YOU MUST DO but gives many suggestions on how to approach service management. ISO/IEC 20000 states what must be done, and each organisation decides how to do it
- Good practice DOES NOT insist on evidence to prove quality and progress – ISO/IEC 20000 does
- Good practice DOES NOT insist on evidence of continual improvement – ISO/IEC 20000 does
- Good practice usage and quality CANNOT BE EXTERNALLY AUDITED or benchmarked – ISO/IEC 20000 can
- Good practice is intangible and HARDER TO SELL TO THE BUSINESS – ISO/IEC 20000 is tangible and easier to sell.
Standards adoption: what’s happened to the UK and USA?
After reviewing the number of organisations that received accredited certifications in 2018 by country and business sector, I was somewhat surprised with the results. In summary:
- Service management (ISO/IEC 20000-1) certifications in Asia are in the thousands, whereas in the UK and the USA, they are in the hundreds.
- In the area of information security standards (ISO/IEC 27001), China, India and Japan are way ahead of the pack, with the UK and USA again having much lower numbers.
I believe the reasons these specific standards are more prevalent in Asia are:
- India – because of the large amount of outsourcing to India, service providers need to show that they are good at delivery of services and information security.
- China – owing to some historical distrust of Chinese goods and services around the world, there is now a strong focus on proving to potential customers that they can be confident to buy Chinese.
- Japan – there is a good fit with the use of processes and working to standards to achieve the high levels of quality that are expected by every aspect of their culture.
All these points feel like the UK many years ago. It is ironic that the international service management standard ISO/IEC 20000 (formerly British Standard BS15000), the ITIL good practice framework and the information security standard ISO 27001 (formerly British Standard BS7799) ALL originated in the UK.
So, I pose the question, “Why are the world’s fastest-growing economies embracing these standards while we in the UK and the USA are NOT?”
Here’s a paradox.
While the adoption of ISO/IEC 27001 continues to grow exponentially in the UK and worldwide, we have witnessed a poor uptake of companies adopting ISO/IEC 20000 in the UK. Yet both standards complement and support each other. I believe that ISO/IEC 27001, due to the high profile of security breaches, scams and frauds, has a very high value to the business, with its adoption being mandated in many sectors. ISO/IEC 20000, on the other hand, has had a more limited profile as many of the major IT failures have been due to organisations’ internal weaknesses in infrastructure management and change control procedures.
From discussions with large organisations about why they believe the adoption of ISO/IEC 20000 will not help, I have established the following reasons:
- A misplaced belief that adopting standards is difficult, time consuming, expensive and not needed, since everything within the service department is working well and no improvements are required
- The business naively believes that IT is already in complete control of its service infrastructure investment and resources.
- The service or IT department is focused on embracing technology alone to improve their service and value to the business. At the moment a great deal of energy is spent on digital transformation, AI and machine learning trends when the basics of service quality and understanding business requirements have not yet been tackled.
- A belief that it would be simpler to change suppliers, tools or jump to the next “flavour of the month or framework” if things aren’t working out.
- A reluctance for suppliers to demonstrate what a great job they do and more importantly to be externally audited to prove or evidence this.
- A limited understanding and involvement with the business about what they regard as value, the required outcomes, and priorities.
I find these concerns and observations totally lacking in substance and reasoning, since in most cases the adoption of standards and structured ways of working are the reasons for the efficient running of business and support services.
Instead of alignment we need to think of the relationship in terms of convergence. IT does not just support the business but in fact, it enables and transforms the business. With true convergence, we want a strategic partnership with the business. The relationship between the business and IT is critical to the success of the organisation.
But all service providers understand the goal and benefits of service management: to deliver consistent, standardised, efficient, and reliable services to the business, manage costs, reduce risk and increase the organisational value, while continually improving services and ensuring that the investment in service and support is being fully leveraged.
One reason why the adoption of ITSM standards – as opposed to good practices like ITIL – has not been widely achieved (or simply embraced) is that you are first required to take a long, hard look at the way you do things, your culture, your processes and procedures. You have to be honest about your strengths and weaknesses, make some hard decisions, then make improvements based on evidence and compare your performance against a worldwide standard. And finally, you have to be audited to prove your adherence to the standard (i.e. “If you can’t prove it – you don’t do it”).
The adoption of ISO/IEC 20000 combined with ISO/IEC 27001 can be used and exploited in any area of the business requiring high-quality service delivery combined with information security. Once firmly embedded into the culture and psyche of every member of staff and the business culture, the use of the standards becomes business as usual. ISO/IEC 20000 is a superb toolset for your organisation to demonstrate what a great job your service departments do and, importantly, it highlights their on-going contribution to the success of the business as a whole and ensures organisational confidence in your value as a service provider.
You need to adopt ISO/IEC 20000 but remember – if you don’t deliver a first-class service, someone else will.
- All figures relating to accreditation numbers by country and industry sector are sourced and accumulated from the ISO Survey 2018 data and do not yet include 2019 figures.