Journal Review : Using COBIT and the Balanced Scorecard as Instruments for Service Level Management
Wim Van Grembergen, Ph.D., Steven De Haes and Isabelle Amelinckx
In today’s service-driven economy, organizations increasingly rely on third parties for a variety of information technology (IT) services. However, organizations often are not pleased with the service received and sometimes are dependent on third parties whose future is uncertain, especially in this period of time characterized by economic decline. This article will show how organizations can respond to this problem through service level agreements (SLAs) and service level management (SLM), supported by mechanisms such as COBIT (Control Objectives for Information and related Technology) and the balanced scorecard (BSC). The main conclusion
of this article is that an appropriate SLM process should be in place in the organization and that, to avoid problems of not getting the service(s) required, service levels should be expressed in business terms. Implementing an SLM process is not an easy and quick task. An approach using supportive mechanisms such as COBIT and the balanced scorecard may help in defining or fine-tuning the SLA(s).
The first part of this article provides basic definitions of SLM and SLA and briefly describes the components of the SLM process. COBIT also is introduced as a framework to support the SLM process. Finally, the balanced scorecard concept.
Definitions of SLM and SLAs
According to the Foundations of Service Level Management, service level management is “the disciplined, proactive methodology and procedures used to ensure that adequate levels of service are delivered to all IT users in accordance with business priorities and at acceptable cost.”1 The instrument for enforcing SLM is pre-eminently the service level agreement. “A service level agreement is a written contract between a provider of a service and the customer of the service. The purpose of the SLA is to establish measurable
targets of performance with the objective of achieving a common understanding of the nature of and level of service required,”2 according to the International Federation of Accountants. Generally speaking, there are three basic types of SLAs— in-house, external and internal. The differences among the types refer to the parties involved in the definition of the SLA. The first and most common type of SLA is an in-house service level agreement. An in-house SLA is an agreement negotiated between an in-house service provider, such as an IT department, and an in-house client or department, such as marketing, finance or production. The second most common SLA is an external SLA, which is an SLA between an external service provider (third party) and an organization. Finally, an internal SLA is used by a service provider to measure the performance of the groups within its own organization.3 No matter what type of SLA is chosen, it always should be negotiated by an experienced and multidisciplinary team with equal representation from the user group and the service provider. Many user group negotiators see the negotiations as a zero-sum challenge, going for maximum service levels at a minimum cost, but service provider negotiators seek to get the deal at any cost to gain market share with minimum effort and maximum margin. Seeking a balance between these two positions is a vital but very difficult job for a solid SLA and SLM. An SLA is a necessity between a service provider and service beneficiary because a service can be called “bad” or “good” only if this service is clearly described. Moreover, it formalizes the needs and expectations of the organization and serves as a kind of guarantee for both parties. In this way, potential misunderstandings are reduced and a clear view is given on the priorities of the service and its delivery. is tailored to measure and manage the SLM process.
SLM and SLAs Through COBIT
COBIT, developed by the IT Governance Institute, includes the COBIT Framework5 which defines 34 IT processes, spread into four IT domains—planning and organization (PO), acquisition and implementation (AI), delivery and support (DS) and monitoring (M) (see appendix 1). COBIT defines one high-level control objective for each process, and three to 30 detailed control objectives. These control objectives contain statements of the desired results or purposes to be achieved by implementing specific control procedures within an IT activity and provide a clear policy for IT control throughout the industry.6 One of the IT processes identified in the framework is defining and managing service levels (delivery and support domain). A summary of the control objectives for this IT process is shown in table 2. These control objectives emphasize the importance of an SLA framework and the need to agree on the components of an SLA. Performance, monitoring and reporting procedures should be in place, and the contracts should be revisited regularly. Finally, the COBIT control objectives stress the necessity of chargeable items in the SLA (to enable trade-offs between service and cost) and the need for a program to continuously improve the SLAs.
The results of a survey performed by ISACA in 2002 revealed that the maturity level for defining and managing service levels for most organizations is situated in the 2 to 2.5 bracket. Filtering the results by size, geography and industry revealed that large companies, global working companies, organizations in the finance industry and IT service providers achieve on average a higher maturity (between 2.5 and 3) in defining and managing service levels.8 These data can be very useful benchmarks for organizations when evaluating their own maturity in defining and managing service levels against industry best practices. Management Guidelines also provides critical success factors, key goal indicators and key performance indicators that can be helpful when striving for a certain maturity level (e.g., achieving maturity in the SLM process). Critical success factors are the most important elements an organization can target
to contribute to the IT process achieving its goals. Key goal indicators are business-driven elements indicating what has to be accomplished. They represent the IT process goals. The key performance indicators are process driven, focusing on the how, and indicating how well the IT process enables the goal to be reached. The CSFs, KPIs and KGIs for defining and managing service levels are described in table 4. There is an important cause-and-effect relationship between key performance indicators and key goal indicators. KGIs, such as customer satisfaction that the service level meets expectations, without KPIs, such as the time lag of resolution of a service level change request, do not communicate how the outcomes will be achieved. And KPIs without KGIs may lead to significant investments without a proper measurement indicating whether the chosen SLM strategy is effective. Some KPIs will of course have a higher impact to specific KGIs compared to others. It is important to identify the most important KGIs for the specific environment and closely monitor the KPIs that contribute most to it.
SLM Through the Balanced Scorecard
One way of simplifying the SLM process is to use a balanced scorecard (BSC).9 The balanced scorecard, developed by Kaplan and Norton in the 1990s, is based on the idea that the evaluation of an organization should not be restricted to the traditional financial performance measures, but also should be
supplemented with measures concerning customer satisfaction, internal processes and the ability to innovate. Results achieved
within the additional perspectives should assure future financial results. Kaplan and Norton propose a three-layered structure
for these perspectives—mission, objectives and measures. To put the BSC to work, organizations should translate each of the perspectives into corresponding metrics and measurements that assess the current situation. These assessments have to be
repeated periodically and have to be confronted with the goals set beforehand
SLM process. The future orientation perspective represents the human and technology resources needed by the SLM process
to deliver its services over time. The corporate contribution perspective captures the business value created from the SLM
process with the percentage of business processes covered by SLAs. In building an organization-specific SLM balanced scorecard,
several steps need to be followed. First, the concept of the SLM balanced scorecard technique has to be presented to senior management, IT management and the coworkers involved in the SLM process, and then an SLM project team has to be established. Second, during the data-gathering phase, information is collected on SLM metrics. The metrics identified have to be specific, measurable, actionable, relevant and timely (SMART). In this manner, the organization avoids developing or accepting metrics for which accurate or complete information cannot be collected, or which lead to actions contrary to the best interests of the organization.13 Finally, the organization-specific SLM scorecard, based on the principles of Kaplan and Norton and a generic model, as presented here, can be developed.14 Essential components of the SLM BSC are the cause-andeffect relationships between measures. These relationships are articulated by two key types of measures: outcome measures and performance drivers. These outcome measures and performance drivers are the equivalent of the key goal indicators and key performance indicators that are used in the Management Guidelines. This implies that COBIT’s KGIs and KPIs easily could be used as basic components (measures) when building an SLM balanced scorecard. The cause-and-effect relationships have to be defined throughout the whole scorecard, i.e., a higher SLM educational budget (future orientation) is an enabler (performance driver) to achieve a higher SLM maturity level (operational excellence) that in turn is an enabler for increased user satisfaction (user orientation) that eventually will lead to a higher business value through SLM (corporate contribution).
SLAs and SLM are effective mechanisms for an organization to mitigate to the problem of not getting the proper service
it requires. Establishing an efficient and effective SLM process is a complex and difficult task, requiring experienced and multidisciplinary resources. COBIT certainly is a useful and supportive mechanism for defining and implementing a mature
SLM process by identifying control objectives, maturity models, key goal indicators, key performance indicators and critical success factors. The generic BSC concept also is a useful instrument that, through translation into an SLM BSC, can simplify the SLM process. Both COBIT and the BSC can enable any organization to attain more balanced SLAs and a more mature SLM process with an end objective of achieving the business goals.