Configuration Management IT Service Management

Validating Configuration Management Uses

Two weeks ago I discussed how the value of Configuration Management activities are derived from the improvements made to other processes.

I want to suggest another way that this can happen, borrowing concepts that recently starting to surface in Project Management communities. That concept is called PRUB and was introduced last year by a professor from New Zealand, Dr. Phil Driver, and published this year in the book “Validating Strategies: Linking Projects and Results to Uses and Benefits“. As a tool it is both simple and somewhat intuitive, but it provides a simple framework for eliminating disconnects between high-level desires of management the practical day-to-day realities of operations. It helps us ensure there exists a clear and understood path from the project charter to through the deliverables to uses and benefits.

PRUB is an acronym for Project, Results, Uses, and Benefits. Originally intended to map the projects that support a particular strategic direction, it is simple and flexible enough that we can map it to improvement initiatives IT Service Management. In this case I am starting to use it as a tool for validating the uses associated with Configuration Management implementations, because it can help eliminate some of the shortcomings common to attempts to improve Configuration Management activities.

I did also want to step through a specific case study from a recent implementation with a government entity. I should note that we did not perform a specific PRUB analysis for this set of use cases of the CMDB, but I mention it because their requirements clearly thought through the each step of the PRUB analysis. They built some novel functionality into their CMDB implementation that I really liked.

I wrote up this and another example in the attachment: PRUB for CMDB. It contains a use case for Configuration Management with the Access Management process that was based loosely on this government entity.



  • Project / Process: Configure the CMDB to improve Access Management (this is a novel usage).
  • Results: Create a Permission Configuration Item for each authorized access request to a system. Link the CI to access request ticket. Create a relationship between the Permission CI and the sytem CI. In addition, import historical Permissions (prior to system implementation) to the CMDB.
  • Uses: When visualizing planned changes to a CI, the relationships can show them who has been granted access. The CI’s can be reported for scheduled reviews or audits of valid accesses. The specific access history can be pulled up from each Permission CI (based on the Access Request ticket). More broadly this use of the CMDB provides a more flexible mechanism to visualize and view the access requests.
  • Benefits: Improved assessment of the impact of planned changes. Improved reporting, controls and auditability for CI’s.

There are other relationships associated with these Permission CI’s, but I just wanted to provide a flavor for how the PRUB tool can demonstrate specific uses and benefits of the Configuration Management process.

Are the benefits measurable? If you can identify measurable benefits you should include them in your analysis. If you come across a CMDB implementation that does not clearly map out the results, how those results will be used, and how those uses will bring benefits to the users or the organization, then that should be a red flag.

Configuration Management IT Service Management

IT Asset Management


Last week I discussed how organizations with low maturity in the processes that Configuration Management supports will not realize any value from Configuration Management activities.

  • Financial Management of IT Services
  • Availability Management
  • IT Service Continuity Management
  • Change Management
  • Release and Deployment Management
  • Incident Management
  • Problem Management

There is an exception to this observation: IT Asset Management.

Configuration Management

I have experience, both hands-on and consultative, with BMC tools that fit in both market spaces, and I know from experience there is often confusion among potential or actual customers, in how they should use one tool or the other for certain situations.

Let’s start with the ITIL definition anyway. Configuration Management is the process that ensures that assets required to deliver services are controlled, and that accurate information about those assets is available when required. That is a very broad scope, but the focus here is really on how are the assets are configured and the relationships between them.

Versus IT Asset Management

IT Asset Management is a process for tracking and reporting the financial value and ownership of assets throughout their life cycle. Generally IT asset management focuses on hardware and software, while Configuration Management may also track non-physical assets such as virtual servers, virtual containers (research Docker if you have any questions about containers), documentation such as policies or processes or contracts, or other non-physical assets for which the changes do need to be controlled.

The concept of Configuration Management is broad enough that you can think of IT asset management falling within its scope, as a sub-process of Configuration Management.

Most organizations who do not realize any value from Configuration Management activities still need to manage the IT Asset Management life cycle. This has implications on:

  • Utilization of IT Assets
  • Information Security
  • IT Service Continuity Management

Organizations to do not require a CMDB in order to manage the life cycle of IT assets. A CMDB can be used, but specialist tools are available, and these tools are preferred when they automate the discovery and inventory of IT assets.


Configuration Management IT Service Management

The Value of Configuration Management

Understanding Value

For the purpose of understanding the value of Configuration Management, we have to trace how value is added to transactions. The value transaction is important to the supplier because that is where value to the customer is measured. (Presumably the customers use value exceeds the transaction value, or the transaction is not sustainable.)

Adding Value to Value Transactions

  • Value Transactions are supported by Business Services
  • Business Services are supported by IT Services
  • IT Services are supported by IT Processes

The further down this chain we go, the harder it is to measure value to the customer, and the more care we must take to ensure that the supporting processes are adding value to the customer in the form of improvements to the Business Services or products.

Herein lies the pain point in measuring the value of Configuration Management. Value: Configuration Management

Configuration Management supports and improves IT processes:

  • Financial Management of IT Services
  • Availability Management
  • IT Service Continuity Management
  • Change Management
  • Release and Deployment Management
  • Incident Management
  • Problem Management

And Configuration Management is one more step away from the value transaction. We understand the value of Configuration Management by the improvements it makes to the other processes.

  • Few organizations measure the value of IT processes
  • Few organizations even measure key metrics such as the cost per minute of down time to IT Services, or value of a Problem Resolution.

The Chicken or the Egg

Which came first? Is Configuration Management a prerequisite to other processes its supports? No, it is not a prerequisite, though I know some people would disagree with this. Organizations can execute a Change Management process without relying on Configuration Management activities or a CMDB. In fact I know many organizations doing exactly this.

Could organizations improve their Change Management process with a CMDB in place to help assess the impact of changes? Certainly yes, but organizations who don’t have some maturity in other processes will not realize any value from Configuration Management.

I would say the opposite is true. You cannot have a working Configuration Management process without a mature Change Management process. Unless the data update is entirely automatic, and in my experience this is rare, then the data become stale and the data quality will degrade.

COBIT IT Governance IT Service Management ITIL

The Balanced Improvement Matrix

Two weeks ago I presented to a customer how their IT improvement program can be improved by adopting principles from ITIL. I used this slide to illustrate another way to think about the issue.

Benefit-Change-MatrixClick to expand

Recipient of Benefits

The Y-axis who receives most of the immediate benefit of the activity. “Inside” refers to IT, either a component of IT or the entire department.

Outside refers to the outside stakeholders for IT services. Generally they fall into one of these groups:

  • Users: those who directly use the services. Generally the users also request the service.
  • Internal customers: those who request or authorize services on behalf of the users. Generally customers are the users, but sometimes they are distinct.
  • External customers: The ultimate customer who exchanges value with the organization.

Focus of Change

The focus or perspective of change describes where most of the change or improvement takes place. We are also describing this as within IT or out of IT.

The change or improvement may or may not be limited to the primary location. There are often spillover benefits for related stakeholders that are less immediate.

Examining the Quadrants


This quadrant describes change or improvement activities that are limited exclusively to IT. Some examples may include:

  • Code refactoring
  • Recabling
  • Process improvement
  • Service Asset and Configuration Management
  • Training

Inside-In activities may be thought of as “charging the batteries”.¬† External stakeholders will not see immediate benefits, but the benefits will accrue over time as the IT organization becomes more agile, flexible, efficient and effective.


Inside-Out activities are those that modify the behavior of external stakeholders in order to maximize the capabilities of IT. Some examples may include Demand Management and Financial Management of IT Services, specifically charging for IT services in a way that encourages their efficient use.

Service Catalog Management and Service Portfolio Management also create activities in this quadrant, specifically those that describe prerequisites or costs to external stakeholders.


Outside-In activities are those that benefit external stakeholders by modifying the services or processes of IT. Service Level Management sits firmly in this area. The Service Improvement initiatives within CSI certainly fit here too. Alignment of IT with organizational strategy also reside predominantly in this quadrant.


Does IT ever perform Outside-Out activities? With a few exceptions, yes, all IT organizations do.

Outside-Out efforts or improvement activities take place whenever IT acts as a consultant to the organization by bringing its unique capabilities and resources to business problems.

Some examples may include:

  • Strategic planning
  • Creating new lines of business
  • Due diligence of partnerships or acquisitions
  • Enterprise Risk Management and Business Continuity Planning

From an ITIL process perspective,  Outside-Out quadrant is best illustrated by Business Relationship Management (SS) and Supplier Management (SD), and some activities of Change Management (ST) and Knowledge Management (ST).

Optimizing the matrix

In no case did we ever claim that any one quadrant is better than another. IT departments of the last century received criticism for focusing too much on inward benefits and losing focus on the broader context in which IT operates. That situation was expensive, frustrating to users, and ultimately untenable.

IT organizations in this century must and do perform activities in all four quadrants. Neglecting any quadrant can lead to the following outcomes.

Benefit-Change-Neglect-MatrixClick to expand

Using frameworks such as ITIL, COBIT 5, or ISO/IEC 20000 to guide improvement initiatives can help IT organizations balance their efforts in all quadrants.

IT Service Management ITIL

ITIL Certifications for 2013

The ITIL Exam Certification Statistics for 2013 are out, and we are now ready to present the final results.

All the images below may be expanded for higher resolution. All numbers are rounded to thousands (Foundation) or hundreds (Advanced) unless otherwise indicated.


A total of 245,000 certificates were issued in 2013, up 3.6% from 236,000 in 2012. There are now 1.73 million little ITIL’ers in the world.

Pass rates increased about 1% to 91%. The compound annual growth rates (CAGR) of annual certificates since 2008 was 1.69%.

The regional distribution of ITIL certificates shifted only slightly from North America and Europe to Asia, whose market share rose 1.1% to 33.8%.


Overall the Intermediate market is growing faster and changing more rapidly than the Foundations market.

A total of 33,300 Intermediate Lifecycle certificates were issued in 2013, up 26% from 2012. In addition 17,600 Intermediate Capability certificates were issued in 2013, up 10% from 2012. We don’t know how many unique individuals this represents, but we can assume that most individuals do not stop at one.

The market share of Lifecycle, adjusted by credit hours, increased from 55.3% in 2012 to 58.8% in 2013. Although gradual, the Lifecycle exams are slowly coming to dominate the Intermediate certification market.

The MALC (alt. MATL) exam was passed 4,500 times in 2013, up 21% from 2012. There are now 25,000 ITIL Experts in existence. (Please note, this number differs slightly from the official number, I assume due to time delays in conferring Expert certificate.)

The regional distribution of Intermediate exams is also shifting. The share of Intermediate certificates is still dominated by Europe, at 41%, down from 47% in 2010. North America declined from 32% in 2010 to 19% in 2013. Meanwhile Asia increased from 12% to 30.5% over the same period. The numbers here represent regional distribution. The number of certificates awarded is up in each market, they are just rising faster in Asia.


IT Service Management

ITIL Lifecycle or Capability Track?

For the ITIL V3 Expert I used Art Of Service’s e-learning program, and recommended it. If I were starting now I would seriously consider the HP VISPEL program. Candidates should probably should consider the 360 day license unless they have a lot of spare time to complete the 180 day program on time.

Regarding Lifecycle vs. Capability track, the Lifecycle track is more popular and aligned with the books. The Capability track uses other books for study, but is suitable for practitioners who will stay at Intermediate. Some certification figures are found on this site. I will update the stats once the June (mid-year) figures are released.

IT Service Management

Should Backups be Tracked as CIs?

Short answer: probably not.

Is there any business value in tracking backups? In other words, can you improve operational efficiency, increase revenue or defer costs in excess of expenses by doing so?

One scenario to track backups as CIs would occur if the cost of loss (I.e to reputation) is significantly in excess of tracking costs, and the status of the CIs can be updated throughout their life cycle. This is especially true if tracking can be automated.

I am not aware of any companies doing this. In most cases a process or operating manual provides sufficient control of backups.

IT Service Management

Six Steps to Successful CMDB Implementations

Have you been asked to implement a CMDB? Here are a few pointers for doing it successfully.


  1. Find the “low hanging fruit” where you will obtain the most benefit for the least cost. Implement that.
  2. Configuration Management should be focused on improving processes, not implementing a database. A database is the presumed tool, but you need to look at how your processes will be improved.
  3. The leading candidates for improvement include: Request Fulfillment, Incident Management, Change Management, Problem Management, Availability Management, and Capacity Management (not necessarily in that order).
  4. Configuration Management is not about building a database. Your CMDB can be a spreadsheet, if that provides the most benefit for the lowest cost. If necessary you can generate a more robust database later. However, see the next caveat.
  5. Maintaining the CMDB will be costly. This leads to two points: 1) make sure you understand what data you need and why, and 2) automate data collection as much as possible.
  6. Implement your CMDB in phases, in conjunction with Continuous Service Improvement.

Don’t expect your CMDB to include everything that it could conceivably contain according to ITIL. That would be too costly for the value provided to most organizations.

IT Service Management Service Design

Managing to Design

I realized yesterday that I almost didn’t buy my iPhone 5 because of a cable.


Apple introduced the new Lightening Connector with the iPhone 5 and iPad 3 to replace the older iPod connector. The new cable is smaller and reversible, but unlike Android devices supports only the slower USB2 standard.

Lack of higher speeds and incompatibility with earlier peripherals are flimsy excuses to switch platforms. The write speed of flash storage does not exceed USB2 performance, and I don’t have any incompatible peripherals anyway. Maybe it seemed Apple was simply advancing their agenda of incompatibility with the rest of the tech world.

The event is a reminder how easy it is to fixate on shiny objects and small road bumps, and to take our eyes off the goal. Whatever our specific intentions, our broad goals are similar: to improve our lives, and to make our businesses more productive in pursuit of their goals.

Technological developments are important. Like Apple, we build technical architectures in order to maximize  current use of technology as a function of cost, while maximizing our ability to adapt to change, also as a function of cost. Good design considers both current and expected future use of technology.

In my opinion, one of our worst behaviors is over-responding to user requests that compromise a designed service. I know this statement is heresy in our “customer service” culture, in which “the customer is always right.” In Real Business of IT, Richard Hunter and George Westerman explain it this way:

In the absence of a larger design, delivering without question on every request is a value trap. Over time, setting up IT as an order taker produces the complicated, brittle, and expensive legacy environments that most mature enterprises have. It hurts the business’s ability to deliver what’s needed for the future.

Our colleagues outside of IT are not customers. Our colleagues are just that–colleagues. We collaborate with each other as colleagues to create outcomes that deliver value to the customers who purchase our organization’s products. Like IT, our colleagues in HR, sales, marketing, and accounting consider the short-term and long-term ramifications of their decisions in the execution of their services.

This is not an excuse or empowerment to simply say no to our colleagues. There are correct and incorrect methods to refuse a request, and our reflexive action is not to push back. One way is to explain why we do things the way we do, and to offer alternatives that meet the objectives without compromising longer-term objectives. We can also offer to review our modes of operation if they appear incompatible with changing needs of the organization.

As a Project Manager for a call center and data center relocation, I remember the back and forth discussions between management and construction, with me in the middle, of laying out the new facility. The construction firm held traditional mindsets, but did not blindly refuse requests. Instead they politely and patiently described the byzantine fire and construction regulations and the cost implications of various design trade-offs.

We eventually achieved a design that met most current and future needs. Whatever Apple’s specific designs, I prefer the Lightening Connector.

Incident Management IT Service Management

Should Incidents Be Re-Opened?

Should Incidents be re-opened? The simple answer is: yes, if it was Closed incorrectly. Incorrect closure may include incorrect or incomplete testing or failure to confirm service restoration with the customer or user. However, IT environments are complex and reality is seldom so simple. I advocate instead against reopening Incidents, after a 2-3 day Resolved period.

The best trade-off, in general, is to allow a 2-3 day burn in period, during which the request is fulfilled or the Incident is Resolved. Resolved means service has been restored, the affected parties have been notified, and all records have been updated. The contact now has 2-3 days to test and validate before the Incident record is Closed, generally automatically by the tool workflow. Once Closed, the Incident cannot be reopened.

There exists perverse incentives to create multiple Incidents, particularly in a pay-per-issue billing model. On the other hand, there is also the opposite perverse incentive to re-open Incidents for new Incidents or requests, and to include multiple, unrelated requests in the same issue. Sometimes this happens just out of laziness, i.e. it is faster to reply to an existing email than to fill in a new one.

In addition there is gray area between what is a new Incident and what is an existing Incident. Some errors are intermittent. Restarting the device or application may restore service, but the Incident may occur again in a few hours, days, or weeks. In this case a Problem record should be raised, but the Incident may reoccur before the Problem Management and Change Management processes can run their course. Are these repeat Incidents new or existing? Every organization should have its own answer and it depends on the Incident. A 2-3 day separation between recurrences is a good, general policy to distinguish between new and existing ones.

Organizations who choose to re-open Incidents should track these Incidents. An independent party should verify they were re-opened appropriately, and any inappropriate activities should be managed through administrative or disciplinary actions, hand-slapping, or public humiliation. If this sounds bureaucratic or patriarchal, it is. In general it is easier to define in terms of time and enforce with a tool.

The 2-3 day Resolved period is not perfect for all situations and not suitable for all organizations. However, I have found through experience it is a good solution that is flexible, widely applicable, unbureaucratic, conceptually simple, and generally fair to all parties. Once Closed, the Incident should remain Closed.