OGFI 2015 Group Project BAI06

FIRST REPORT

68158 – João Sousa 76627 – Hélder Titosse 79262 – Nuno Roboredo 79467 – Mário Fernandes

Summary: This report is a proposal to make an assessment of the process of change management, implemented in “Instituto de Informática” (II,I.P.). We will follow the Process Assessment Model (PAM), according to the process BAI06 ­ Manage Changes, proposed by COBIT5. The goal of this report is to present the II,I.P. context, their actual organization, a brief description of the BAI06 process, a first approach how to we intend to perform the assessment, and a business case to present the value added that we expect to deliver to II,I.P.. This is a academic work performed by a student group, composed by four elements, for theOrganisation and Management of the Informatic Function course (OGFI) taught by Instituto Superior Técnico.

1. Introduction

1.1 Area – IT governance

Organizations need ways to ensure that the IT function sustains the organization’s strategies and objectives. To ensure the efficient use of IT to achieve strategic objectives and goals, it’s worthful to have IT governance processes implemented within the organization. Such processes enable the organization to align IT strategy with business strategy. IT governance also ensures that all stakeholders’ needs are taken into account and provide them measurable results.[1]

There are several IT Governance Frameworks to provide guidelines for an organization to adopt [2]. An IT governance framework should answer how the IT department is functioning overall, what key metrics management needs and what return IT is giving back to the business from the investment it’s making.[1]

1.2 Topic – COBIT Assessment

COBIT is an IT governance framework that helps organizations to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use [2].

A COBIT assessment is an evidence­based process for assess the organization’s IT process capabilities against COBIT process reference model. It aims to support IT process improvement, by providing indicators of process performance and process capability[3]. The assessment collects evidences to show if the organization reaches the process purposes and outcomes as defined in COBIT and the process attributes as defined in ISO/IEC 15504­2[3].

1

OGFI 2015 Group Project BAI06

A COBIT assessment gives insights about the level of capability in each process, implemented within the organization, showing the consequences of not have an higher capability level (what the organization are losing), and the way of reach an upper level (which practices, work products and outputs are missing to reach the desired outcomes of the process).

1.3 Problem ­ Manage Changes Process

Business processes, applications and IT infrastructure of a living organization are in permanent evolution. The business context change (e.g. the organization develops new products), new applications appear or/and are developed inside the organization, the technology evolves, failures in critical systems require immediate actions, etc. The survival of the organization depends on their ability to adapt to the constant evolving environment. However, the evolution of an organization need to be managed in a controlled way, otherwise ad hoc changes can negatively impact the business by many reasons: one change in a system breakdown other systems or stop a business process; resources are spent in changes that are not aligned with the IT strategy and the business strategy and don’t deliver relevant value to the business, etc.

The problem that the BAI06 COBIT process aims to solve is how to manages all changes in business processes, applications and IT infrastructure, in a controlled manner.

1.4 Proposal – Process assessment

Our proposal is to make an assessment of the implementation of the change management process in II,I.P. to evaluate their capability level according to the COBIT process BAI06. We will assess whether the implemented process achieves the process purpose and outcomes stated in BAI06, and a measure of a process’s capability to meet an organization’s current or projected business goals for the process.

1.5 Result – Next steps

Analysing the results of the process assessment we intend to provide information about what are the outcomes that are not achieved and what is the impact on the business goals. We will show what is missing to achieve those outcomes and a possible way to help II,I.P. to reach the next capability level in the Measurement Framework for Process Capability stated in ISO/IEC 15504:1.

1.6 Structure of the report

Section 2. Industry describes the context in which the II,I.P is inserted and operates. Section 3. Organization describes the structure of II,I.P, their vision and mission, their goals, what are their products and services, and who are their clients. We summarise and analyse the process BAI06 in section 4. Process BAI06, that will be used for the assessment. Section 5.Process Assessment describes how the assessment will be performed. In the Section 6.Business Case we describe the expected value added that the assessment will provide to II,I.P. Finally, in the last section 7. References we list the references used to perform this report.

2

OGFI 2015 Group Project BAI06

2. Industry

II,I.P. is a public institution under the indirect administration of the Ministry of Solidarity, Employment and Social Security (MSESS). Is charged with the responsibility of provide products and services to all the institutions that compose the ministry, and their board is accountable to the minister. Figure 1 shows the organizations subordinated to the MSESS[4].

Figure 1 ­ Context diagram of II,I.P. (Social Security system ­ SS)

II,I.P. is a central body with intervention on the entire national territory. It provide IT services and products to the organizations ­ their customers ­ that constitute the portuguese Social Security system (SS). The SS provide social services to all portuguese (and some foreign) citizens. Some of the IT products are critical ­ downtimes are not acceptable.

As a public institution providing IT services to other public institutions, their competition is for public resources (funds and human resources). However their IT services can lead to save large amounts of these public resources, improving and automating the business processes of the SS, and providing all benefits that IT systems can deliver. That’s why it's so important to have the IT of the II,I.P. well governed and managed. Here the COBIT framework can play relevant role, giving worthful guidance to implement governance and management processes to optimize the value created by IT to the business.

3

OGFI 2015 Group Project BAI06

3. Organization

3.1 Structure

The II,I.P. organizational structure is regulated and its top is a directive board formed by a president, a vice­president and a vowel. Also, the structure is divided by departments and areas, each headed, respectively, by department directors and area coordinators [5].

Figure 2 presents the organizational chart at the 31st December of 2013 [6]:

Figure 2 ­ II,I.P. organizational chart. Alongside the directive board, II,I.P. has an advisory board, which provides support and consultancy for the directive board, and an auditor, who is responsible for legality control, regularity and finance management. The II,I.P. intern organization is represented in Figure 2 having the departments presented in light blue. Figure 3 shows the personnel evolution in II, I.P., the institute have, at January 1st of 2014, 272 effective workers.

4

OGFI 2015 Group Project BAI06

Figure 3: Effective workers evolution.

3.2 Vision and Mission

Figure 4: Vision, Mission and Values of II,I.P.

3.3 Goals

II, I.P. goals can be separated into three categories: Efficacy, efficiency and quality. Each one has its own goals and those goals are mapped in the strategic plan of the organization. The following table presents the goals for the year 2014 of the II, I.P.:

5

OGFI 2015 Group Project BAI06

Figure 5: Goals of II,I.P.

3.4 Products and Services

The list below has some products and services in execution powered by the II,I.P.: Monitoring of application support services; Management equipment and infrastructure; Information management and statistical production; SIGA: Attendance Management Integrated System; SIP: Pensions Information System; SEF, SID, SIF: Fund’s Systems; Creation of the Operations Control Center; Implementation, migration, optimization and extension of VoIP solutions and equipment.

They consider the necessity of Provide a good treatment to the visits of various public (public and private, national and foreign entities) will also be implemented actions and developed communication pieces to facilitate the presentation and understanding of the competence and performance of the Institute, focusing on information and development of technologies, operation and evolution of Information Systems.

3.5 Clients The II,I.P. provides services and supplies products to different customer segments, in a changing socio­economic and financial environment. They adopted a new positioning strategy and customer relationships, supported in their managerial model, the centralization of contact and promoting the image from the customer is promoted, understanding their needs and ensuring that the available solutions ensure adequate levels of provision and respective counterparts through regular and planned communication with customers. Some customers:

Instituto de Segurança Social (ISS);

6

OGFI 2015 Group Project BAI06

Instituto de Emprego e Formação Profissional (IEFP); Agência para a Modernização Administrativa (AMA); Instituto Nacional de Reabilitação (INR); Instituto de Gestão Financeira (IGFSS).

4. Process BAI06 According to Cambridge Dictionary [7] change is “to stop having or doing one thing, and start having or doing another”. When managing change, two critical assessments are needed at the onset of the change [8]. The first assessment is of the change itself. This assessment examines the scope, depth and overall size of the change. Specific items that should be addressed by this change assessment are:

Scope of the change (workgroup, department, division, enterprise) Number of employees impacted Type of change (process, technology, organization, job roles, merger, strategy) Amount of change from where we are today

This assessment of the change and a thoughtful review of the nature of the change is essential to plan your change strategy. The second evaluation is an assessment of the organization. Each organization has unique characteristics that make change management either easy or challenging. These organizational attributes are important to understand so that you can educate your team and sponsors about potential obstacles. This assessment would cover areas such as:

Culture and value system Capacity for change (and how much change is already taking place) Leadership styles and power distribution Residual effects of past changes Middle management's predisposition toward the change Employee readiness for change

In order to guide organizations when it comes to managing change, COBIT5 uses the BAI06 process, called Manage Changes.

7

OGFI 2015 Group Project BAI06

Figure 6 ­ Process BAI06 summarization. The figure shows the process description and its summarization. On the top are the outcomes or the process goals. Inside the process, at center, are the process base practices, identified by purple inside the yellow box. Finally, on the right are the process outputs.

5. Process Assessment

In order to become possible to assess the change management in II,I.P., always taking into account the same process mapped in COBIT 5, one must understand if the incomes used by the Institute and the outcomes produced are aligned with the inputs and outputs described in COBIT.

We will start by analyzing the existing change management process of the II,I.P, to evaluate with COBIT 5 the level of compliance in the application of this process in the internal functioning of the institute. This will happen in several meetings arranged with the point of contact of II,I.P. for this process, Pedro Pinho. In the meetings we will also ask which inputs and outputs are considered by the Institute.

After the information gathering, the group will try to match the inputs with the inputs expected by the BAI06 process from COBIT. This makes possible to understand if the Base Practices of the process are already implemented in II,I.P. or if some of those practices are lacking. The same will be realized after the outputs, documents generated and documents expected, comparison.

8

OGFI 2015 Group Project BAI06

Taking into consideration the base practices successfully implemented in the II,I.P., alongside with the documents generated, it becomes possible to realize if the outcomes expected are obtained for the change management process of the Institute.

In the end, it is possible for the group to propose a solution for the problems encountered or to conclude that the process is completely implemented and correctly mapped with the COBIT 5 Manage Changes process.

6. Business Case

In this section we will describe: The jobs that need to be done in a change management process; Pains that II,I.P. eventually suffers (we will confirm or dismiss during the audit); Gains ­ outcomes and benefits that II,I.P. want to achieve with an audit of the change

management process; Products and services that we will deliver within the audit process; Pain relievers ­ how we expect our products and services will help II,I.P. alleviate their

pains; Gain creators ­ how we expect that our products and services will create expected or desired

outcomes and benefits for II,I.P.. Jobs: Promote changes in the business processes, applications and IT infrastructure of SS, that

optimizes the value delivered by IT; Evaluate the impact of proposed changes on the SS business processes, applications and IT

infrastructure, to determine their impact on business processes and IT services; Maintain an updated track of the status of all proposed changes; Obtain timely approval decisions to proposed changes; Schedule approved changes; Prioritize proposed changes; Control the emergency changes and ensure that they take place securely; Update all the documentation affected by the implemented changes; Keep key stakeholders informed of all aspects of the change; Assess emergency changes and decide the approval after the change; Document all the changes and maintain an updated record.

Pains: There are changes, made by users of SS systems, out of control of II,I.P., that affect

negatively business processes or IT services; There are implemented changes that are badly or not documented, which hinders the

maintenance and the implementation of next changes; There are changes implemented without formal approval, which denies the accountability

when problems arise and promote a blame culture;

9

OGFI 2015 Group Project BAI06 Approval decisions takes too long, which delays improvements and decreases the changing

motivation; Changes are not planed, which hinders the coordination of different changes, the resource

management and affects business which are not expecting changes; Proposed changes aren't well assessed and have unexpected impacts when implemented; Emergency changes occurs in an uncontrolled way, endangering systems affected; Emergency changes are not reviewed after implemented, which impacts other systems and

nobody understand why these systems behave differently; Emergency changes are not submitted to formal approval decisions after implemented,

which denies the accountability when problems arise and promote a blame culture; Key stakeholders are not kept informed of all aspects of the change and their concerns and

needs are not taken in account in the change processes; Nobody is accountable for maintaining the documentation of the systems updated after the

changes are implemented; People resist to update documentation because feel that this work is boring and worthless.

Gains: Discover opportunities to improve the change management process of II,I.P.; Know the capability level of the change management process implemented in II,I.P.; Rational support for motivate and influence people to adopt best practices proposed by

BAI06 COBIT process; Know ways to implement best practices proposed by BAI06, to increase the capacity level in

change management process; Obtain support from stakeholders to implement best practices proposed in BAI06.

Products and services: Audit the change management process implemented in II,I.P. against BAI06 COBIT

process; Map of the practices and work products of the II,I.P. change management process to

practices and work products of BAI06; Advice on how to implement COBIT best practices of the BAI06 process; Evidence based report on the capability level of the change management process according

to ISO/IEC 15504­2:2003; List of required actions to implement COBIT best practices of the BAI06 process.

Pain relievers: The demonstration of the value added by COBIT best practices, together with the evidence

of the weaknesses in the management process implemented in II,I.P., will motivate people to implement best practices;

Our audit will help II,I.P. to implement best practices proposed by COBIT in the process BAI06, which, if implemented, will help them to alleviate all the listed pain;

The audit assessment will increase the awareness of stakeholders to the relevance and the need to implement COBIT best practices, which contribute to alleviate all the listed pain;

10

OGFI 2015 Group Project BAI06

Gain creators: Give rational support for motivate and influence people to adopt best practices proposed by

BAI06 COBIT process; Show possible ways to implement best practices proposed by BAI06, to increase the

capacity level in change management process; Reveal weaknesses in the management process implemented in II,I.P., based on evidences; Discover opportunities to improve the change management process of II,I.P.; Show straights in the management process implemented in II,I.P., and their value added,

based on evidences; Demonstration of the risks of not follow the best practices proposed by BAI06; Demonstration of the benefits and value added of follow the best practices proposed by

BAI06; Give evidences of the value added by best practices proposed in BAI06.

7. References [1] CIO. IT Governance definition and solutions, Web Page, Available at: http://www.cio.com/article/2438931/governance/it­governance­definition­and­solutions.html#what [Assessed April 15, 2015].

[2]Seeburn, K., 2014. Basic Foundational Concepts Student Book: Using COBIT5, ISACA.

[3] ISACA, 2013. COBIT PAM ­ Process Assessment Model.

[4] Decreto­Lei n.º 167­C/2013, de 31 de dezembro

[5] II,I.P. ­ Instituto de Informática, I.P. Plano de Actividades 2014, Web Page, Available at:http://www4.seg­social.pt/documents/10152/8936574/Plano_Atividades_II_2014_2

[6]II,I.P. ­ Instituto de Informática, I.P. Organigrama out_2013, Web Page, Available at: http://www4.seg­social.pt/documents/10152/300756/Organigrama_outubro_13 [Assessed April 12, 2015].

[7] Cambridge Dictionary Online. Web Page, Available at: http://dictionary.cambridge.org/ [Assessed April 15, 2015].

[8] Prosci. Change Management Tutorial, Web Page, Available at: http://www.change­management.com/tutorial­change­management­assessments.htm [Assessed April 15, 2015].

[9] Cardoso, Mario. Casefier, WebApp, Available at: http://app.casefier.com/ [Assessed April 15, 2015].

11