The impact of Regulations
I received a question recently that read “ITIL has become increasingly popular as organizations continue efforts to align IT with business needs, and that one of the recent drivers to ITIL adoption is regulatory compliance and the need for greater controls. Any comment on that?”
First let me comment on the use of the word alignment to describe IT’s relationship with the business.
Alignment suggests that IT is a passive and to some degree a detached observer of the business. Alignment would mean that IT attempts to find ways to coordinate IT activities with the business but IT is engaged in other activities which may divert attention.
Instead, IT truly does focus on tightly meshing its deliverables and activities with those necessary to create value through support of business outcomes. That focus is the heart and soul of the definition of a service in version 3. So instead of using the term alignment, I would suggest a better word would be integration.
With respect to regulation, today most contemporary businesses would struggle to continue to function at high levels of operational performance without IT. IT is not a passive participant, but a deeply entrenched element of the business and ultimately a necessary component of business operational and (for more mature organizations) strategic success.
As for the question of ITIL adoption and the impact of regulations on adoption rates, I don’t think there is a question that there has been an impact - the question is how much. I may be guilty of oversimplification, but it seems that regulations are expecting or requiring degrees of control and governance over business processes and business reporting.
In light of my comments on IT and business integration, IT plays a key part in assuring that there are sufficient and underpinning controls for the IT systems which are integral to business processes (and reporting).
To illustrate this point, turn to COBIT (the apparent source du jour for most regulatory or compliance auditors) and the controls suggested across the 34 COBIT process areas. It is then relatively easy to understand how the ITIL processes and their appropriate implementation will play a substantive role in implementing and supporting necessary (and in some cases, mandated) controls.
That said, the question is how many organizations are basing their initiation of ITIL on regulatory demands. Based on what I have seen, the anecdotal evidence is that regulation is not a prime project driver. Instead, regulatory compliance and controls “come along for the ride”.
Not to say that there isn’t benefit - it’s just that regulatory compliance is not at the head of the list when organizations describe to me why they feel it is important to put ITIL in play.
And this makes sense, right? If you were the CFO or CIO of an organization and you were prioritizing projects on the basis of ROI, it would be far easier to detail and justify (for the long haul) the benefits of implementing ITIL to address operational inefficiencies or ineffectiveness. Improvements across these dimensions can translate into hard dollars and cents. By contrast, valuing the avoidance of indeterminate fines (or prison sentences), or a fuzzy idea of public censure, would be difficult over the long term. Not that avoiding fines, keeping the CEO out of jail or being seen as a good corporate citizen is not important; I’m not sure how regulatory challenges could be used to cost-justify broad or organization-wide implementation of ITIL.
In summary, I can justify ITIL implementation to correct specific global Service Management improvement project.