An introduction to the MOF Manage Layer
The guidance in Microsoft Operations Framework (MOF) encompasses all the activities and processes involved in managing an IT service, from its conception, development, operation, and maintenance through to its retirement. MOF organises these activities and processes into Service Management Functions (SMFs), which are grouped together in phases that mirror the IT service lifecycle. Each SMF is anchored within a lifecycle phase and contains a unique set of goals and outcomes supporting the objectives of that phase. An IT service’s readiness to move from one phase to the next is confirmed by management reviews, which ensure that goals are being achieved in an appropriate fashion and that IT’s goals are aligned with the goals of the organisation.
MOF begins with the Plan phase. Our previous blog articles in this series explain the role of the Microsoft Operations Framework (MOF) and service management functions (SMFs), and introduce the Planning SMF, which is the first step in implementing MOF within your business. If the topics introduced below don’t make sense, or you feel they’re missing context, please refer to the following articles for background context and explanation.
Overview of the Manage Layer
How is IT activity coordinated? What ultimately determines the way IT gets work done? That is the primary focus of the Microsoft Operations Framework Manage Layer, which integrates the decision making, risk management, and change management processes that occur throughout the IT service lifecycle. The Manage Layer promotes consistency in planning and delivering IT services and provides the basis for developing and operating a resilient IT environment. It also holds the processes related to defining accountabilities and associated roles.
The Manage Layer represents the foundation for the three phases of the lifecycle which are Plan, Deliver, and Operate. As such, it is called a layer rather than a phase. A phase consists of processes and activities that have mutual dependencies and are most effective when they occur within a bounded period of time. A layer is less bounded by time, pervades all phases, and influences how activities are performed.
The Manage Layer is focused on setting the appropriate management context, controls, processes, and activities that will result in additional business value, managed risk, and clear accountabilities when employing the SMFs in the phases.
The Manage Layer contains the following three service management functions (SMFs):
- Change and Configuration (CC)
- Governance, Risk, and Compliance (GRC)
- Team
For more information on these SMFs, see the “Service Management Functions Within the Manage Layer” section.
Figure 1. The Manage Layer
Goals of the Manage Layer
The primary goal of the Manage Layer is to establish an integrated approach to IT service management activities. This approach helps to coordinate processes described in the SMFs in the three lifecycle phases.
This coordination is enhanced by establishing decision making processes, employing risk management and controls as part of all processes, promoting change and configuration processes that are appropriately controlled, and dividing work so that accountabilities for results are clear and do not conflict.
Specific guidance is provided to increase the likelihood that:
- The investment in IT delivers the expected business value.
- Investment and resource allocation decisions involve the appropriate people.
- There is an acceptable level of risk.
- Controlled and documented processes are used.
- Accountabilities are communicated and have clear ownership.
- Policies and internal controls are effective and reliable.
Meeting these goals is most likely to be achieved if IT works toward:
- Explicit IT governance structures and processes.
- IT organisation and business sharing the same approach to risk management.
- Periodic management reviews of policies and internal controls.
The Manage Layer
To help IT professionals effectively plan and optimise IT strategy, MOF provides service management functions (SMFs) that identify the processes, people, and activities required to align IT services to business requirements. SMFs identify and describe the primary activities that IT professionals perform within the various phases of the IT service lifecycle. Although each SMF can be thought of and used as a stand alone set of processes, it is when they are combined that they most effectively ensure that service delivery is complete and at the desired quality and risk levels.
Service Management Functions Within the Manage Layer
As a foundation of all the lifecycle phases, the Manage Layer integrates the separate activities of all the SMFs through its own SMFs:
- Governance, Risk, and Compliance Service Management Function (GRC SMF)
- Change and Configuration Service Management Function (CC SMF)
- Team Service Management Function
The following table explains these SMFs in more detail.
Table 1. The Manage Layer SMFs

| SMF | Deliverable | Purpose | Outcomes |
|---|---|---|---|
| Governance, Risk, and Compliance | IT objectives achieved, change and risk managed and documented | Support, sustain, and grow the organisation while managing risks and constraints | IT services are seamlessly matched to business strategy and objectives |
| Change and Configuration | Known configurations and predictable adaptations | Ensure that changes are planned, that unplanned changes are minimal, and that IT services are robust | IT services are predictable, reliable, and trustworthy |
| Team | Clear accountabilities, roles, and work assignments | Agile, flexible, and scalable teams doing required work | IT solutions delivered within specified constraints, with no unplanned service degradation, and with service operation that is trusted by the business |
Governance, Risk, Compliance (GRC) and Change and Configuration (CC) activities occur throughout the lifecycle, but the perspective, scope, and focus of these activities vary by phase. For example, change management activities in the Plan Phase will be of a different magnitude and will involve different factors and participants than the change management activities in the Operate Phase. Similarly, the concerns of GRC reflect the primary objectives of a phase. These will change focus in terms of decision making, risk analysis, and the specifics of compliance.
GRC and CC create more unified process flows in all areas of the lifecycle by establishing the means for making decisions, balancing trade offs, and grounding strategy by managing risks. As the foundation for the IT service lifecycle, the Manage Layer provides a structured and planned way for IT to contribute to the long term viability and improvement of the organisation.
Role of Manage SMFs in the IT Service Lifecycle Phases
The following table lists specific ways that the Manage Layer SMFs help meet the objectives of the three other IT service lifecycle phases. More detailed explanations of the role and value of the Manage Layer SMFs can be found in each of the SMFs as they are described in their respective phases.
Table 2. Focus of Manage Layer SMFs on IT Service Lifecycle Phases

| Phase and Its Objective | GRC Focus | CC Focus | Team Focus |
|---|---|---|---|
| Plan: Ensure that services offered to the business are valuable, predictable, reliable, and cost effective, and that they respond to ever changing business needs | Corporate strategy transfer to IT strategy; Governance structure, decision rights; High level risks; General regulatory environment; Policy definition; Investment determination; Definition of management objectives | Leadership identified and asked to participate in change evaluation; Business process change; Architectural change; Change evaluated across dimensions (financial, application portfolio, security, and so on) | Decision makers identified and involved; Responsibilities for determining risk tolerance assigned; Financial management expertise; Legal and compliance representation |
| Deliver: Ensure that those services that the business and IT have agreed on are developed effectively, deployed successfully, and ready for operations | Organisational requirements, both functional and operational, supported by solution architecture; Project stakeholders, methodology, risks identified; Value realisation process; Service development lifecycle; Risk mitigation; Internal controls defined; Procedures defined | Solution scope; Project management; Financial impact | Principles for effectively organising project teams; Accountabilities and role types; Alignment of responsibilities; Assignment of roles |
| Operate: Ensure that deployed services are operated, maintained, and supported in line with the service level agreement targets agreed to between the business and IT | Procedures and controls; Recording and documentation | IT environment and configuration; Process and procedure; Standard change | Principles for organising operations work; Principles for organising monitoring work; Principles for organising support work |
The concept behind internal controls is relatively simple. Suppose you know how to do a simple task from start to finish. You know it well and can reliably and consistently achieve the end result. Now suppose you need to have several other people perform the same task; the activities, checks, and balances you put in place to make sure those people do the same task and achieve the same goals make up the internal controls for that task.
But those initial controls address only the task itself. When multiple people are involved, complexity increases rapidly. Suppose it becomes more efficient to split the task up and have certain people address certain parts. Now controls are needed to ensure that individual results mesh as intended and that no one person has managed to defraud the process. In areas of finance, the control issues become even more pronounced. A lack of effective control could result in accounting errors, or even fraud or embezzlement. This is when added layers of control related to access, roles, and segregation of duty become part of the picture.
Internal controls are present in all areas within IT’s scope of responsibility. Some controls relate to the physical environment where the data center infrastructure is located. Other controls involve the technology itself, for example, its configuration and who has access to administrative functions. Some controls address data access and the lifecycle of the data across technologies, from encryption to authorisation to recoverability and chain of custody.
Many of the business related internal controls that affect IT professionals are seen in the line-of-business applications that make up financial, manufacturing, customer relationship, and human resource systems. In these areas the controls need to be expressed as business requirements that drive application features. On top of these business process related controls, IT professionals must address controls that are specific to the operation of systems and technologies that make up the application platform.
Classifying IT controls into general categories helps identify the nature of the controls while establishing the likely approach to monitoring, testing, and assessing the design and operating effectiveness of the controls. The following table elaborates on controls.
Table 3. Types of Controls, Their Content, and Examples

| Type | Content | Examples |
|---|---|---|
| Administrative | Standards, policies, and procedures, as well as ancillary controls such as communications and awareness training programs | Information classification policy: ensures classification of information and rights of access at each level; Business continuance policy: ensures that all aspects of the business are considered in the event of a disruption or disaster; Change management process: ensures that changes to the IT environment are applied in the correct manner |
| Technical | Access controls, encryption mechanisms, and other technologies used to protect logical information assets from unauthorised use | Encrypting File System (EFS); Access control lists (ACLs); Physical access to computers controlled through password-protected screensavers |
| Physical | Controls that protect the physical devices on which the information is stored or transmitted | Security cables on computers inhibit unauthorised removal of equipment; Locks on doors and windows help control physical access to devices; Uninterruptible power supply (UPS) is available to sustain business activity on computers in case of a power outage; Data and OS are backed up and recoverable to a remote location for business continuance |
Demonstrating that IT is a controlled service is accomplished throughout the IT service lifecycle by:
- Defining high level objectives for each lifecycle phase.
- Identifying risks to the achievement of those objectives.
- Identifying risk management approaches in the form of matching internal controls for mitigating risks.
Management Review for the Manage Layer
Management is responsible for establishing goals, evaluating progress, and ensuring results. In part, governance consists of the decision making processes (controls) that help management fulfill this responsibility. Each phase of the IT service lifecycle has one or more management reviews (MRs) that function as management controls. This means that the right people are brought together, at the right time and with the right information, to make management decisions. Every phase has different management objectives, so each phase has uniquely focused MRs with appropriate stakeholders, required decisions, and the type of data needed to make well-informed and fully weighed decisions. The Manage Layer has the same need for management oversight as the lifecycle phases, and there is a management review specifically for the Manage Layer.
Policy and Control Management Review
The Policy and Control Management Review (MR) consists of at least biannual reviews that evaluate the effectiveness of the policies and controls in place across the IT service lifecycle. The performance of IT and its partners, the reliability and trustworthiness of services provided, and the ability of IT to respond to the business are all affected by the policy and control environment. Across all phases and SMFs in the IT service lifecycle, explicit attention is given to identifying management objectives, risks that could adversely impact these objectives, and controls put in place to mitigate these risks. This MR is management’s opportunity to assess policies and controls and their impact across the lifecycle in terms of achieving management objectives. The review yields a view of how well risk is being managed and of the likelihood that management objectives will be achieved, and it exemplifies “governance in action” for the Manage Layer.
Core questions for this review include:
- Are the right policies in place? (Considering management objectives, regulations, standards, and industry practices)
- Are the policies effective? (Compliance reporting, requests for changes to policies, and exceptions granted)
- Are the right controls in place? (Based on risk assessments and mitigations, events and incidents not addressed by controls, and costs and benefits of controls)
- Are controls operating effectively across the lifecycle?
- Focusing on change and configuration: Are the intended results occurring? Have there been any failed changes, or any rework needed to correct changes?
- Focusing on value realisation: Assess the fit between the policy and control environment and the value that the business needs to receive from IT. Is this the right level of control given identified risk impacts and expected returns?
While the Policy and Control MR provides a summary view into the policy and control environment, specific processes for managing policies are described in the MOF Policy SMF.
The purpose of the MR is to provide IT management:
- An understanding of how risks to achieving goals are being addressed.
- An assessment of the burden of control so that it can adjust appropriately for desired benefits.
- An evaluation of behavior as an indicator of policy communication and enculturation.
A set of appropriate controls should be in place to ensure the following goals:
- Implement the requirements of organisational policy, including information security policy.
- Manage risks associated with management goals and certain general IT controls, such as appropriate access to services or systems.
- Document controls and evidence of control activities.
Since controls are central to providing secure and trustworthy services, any changes to controls must be managed. The Policy and Control MR should evaluate the impact of changes to controls made since the previous review. Related effort should be given to reviewing the assessments of potential change impacts made prior to the actual implementation of the changes.
One goal of this MR is to assess the effectiveness of change management of the control environment. This is different from the activities that occur within the MOF Change and Configuration SMF. The focus is on management practices in terms of compliance to policy and control effectiveness.
This MR also evaluates policy and controls that are part of the agreements with external organisations. This includes such things as agreements and contracts related to access to information systems and data as well as security and privacy requirements for the services.
Participants in this MR should be mostly IT senior managers with support provided by Compliance, Policy, and Security team members. Auditors may provide useful insights into the effectiveness and efficiency of controls and considerations for compensating controls. Partners might participate to ensure that policy and control objectives are achievable in their environments. All parties need to understand the risks and mitigations that are being shifted among them and provide assurance that this is being done effectively.
Table 4. Components of the Policy and Control Management Review

Inputs:
- Operational and security policies
- Policy violations, compliance incidents, management action taken since last MR
- Policy change requests
- Results from the “Enforce and Evaluate” process in the Policy SMF
- Changes in regulations, standards, or industry practices
- Audit findings, recommendations, issues
- Unanticipated risks, incidents
- Controls failing or underperforming
- Control self-assessments
- Minutes and actions from last MR meeting

Activities:
- Evaluate incidents and non-compliance, determine root cause
- Review policy enforcement activities
- Review audit findings and recommendations
- In each lifecycle phase, evaluate policy and control impacts to see if they:
  - Plan: promote services that the business sees as valuable, predictable, reliable, and cost-effective
  - Deliver: develop services effectively, deploy successfully, and are ready for operations
  - Operate: services are operated, maintained, and supported in line with the OLA/SLA and are compliant with policy
- Review risk assessments and mitigations for completeness and effectiveness

Outputs:
- Whether policy and control performance meets management expectations
- Agreement as to root cause of non-compliance and any changes to policy management
- Whether control environment is appropriate or if changes are needed
- Documentation of MR with actions and accountabilities
- Requests for changes to specific policies or controls
- Requests for changes to policy management
- Requests for changes to control management
The Policy and Control MR should result in identified requests for changes that will improve the management and enforcement of policies as well as improve the management of risk and the overall control environment. Actions for improvements identified during this MR should be documented and a record retained to demonstrate IT engagement with the key processes related to risk, policy, and control management. This will provide transparency and evidence that executive management and the board of directors can use to assess IT management activities.
Team SMF Focus
There are two Team SMF accountabilities that are focal areas in the Manage Layer. They are the Management Accountability and the Compliance Accountability. These accountabilities are involved in each of the three SMFs in the Manage Layer. Each SMF has tables with responsibilities and goals that are more directly related to the activities in that particular SMF.
The following two tables show the role types and their general responsibilities and goals.
Table 5. Management Accountability and Its Attendant Role Types

| Role Type | Responsibilities | Goals |
|---|---|---|
| IT Executive Officer | Sponsors IT initiatives; Approves structures and overall IT processes; Owns metrics and benchmarking and board and executive relationships | Well run and effective IT services; IT continually improving performance with an improvement roadmap in place |
| [role type not named in source] | Manages processes; Identifies and engages appropriate participants in the decision process; Manages risk and IT business value realisation dependencies; Owns business/IT relationship | Effective management decisions; IT compliant with directives; Risk and value realised are appropriately balanced; Metrics are used for reporting and improvement planning |
| IT Policy Manager | Sees that management decisions are informed by policy and that policy is effectively used across IT | Policies effectively direct the organisation toward appropriate activities |
| IT Risk and Compliance Manager | Manages overall risk management and compliance programs; Communicates GRC processes and requirements to the organisation | Well communicated GRC processes and expectations; Individuals understand their GRC responsibilities and take action accordingly |
| Assurance and Reporting | Validates design and operating effectiveness of IT organisation, processes, and control environment; Recommends changes for improvement | IT organisation constantly under review and continually being improved; Board and shareholders confident in management decision and resulting processes |
| Change Manager | Manages the activities of the change management process for the IT organisation | Change that is planned and understood, with risks that are managed |
| [role type not named in source] | Tracks what is changing and its impact; Tracks configuration items (CIs); Updates CMS | Change is approved and results in a known state at all times |
Table 6. Compliance Accountability and Its Attendant Role Types

| Role Type | Responsibilities | Goals |
|---|---|---|
| IT Executive Officer | Communicates IT strategy and approves IT management objectives; Approves policy; Maintains ‘tone-at-the-top’ for culture of control and compliance | Consistent progress toward strategic goals achieved through appropriate and desired activities |
| [role type not named in source] | Enforces policy compliance and communication; Evaluates policy effectiveness; Requests changes to policy or exceptions | Compliance to directives and policies; Predictable and reliable results achieved through appropriate means; Policy violations addressed |
| Risk and Compliance Manager | Owns risk management, compliance roadmap, enforcement, and measurement | Organisation does not violate laws or regulations; Risks are identified and managed; Policies are enforced |
| Assurance and Reporting | Audits design and operating effectiveness of processes; Investigates non-compliance; Owns reporting and recommendations | Well understood control environment; Independent validation of compliance program; Fraud or undesired activity discovered |
| Internal Control Manager | Manages internal control environment; Documents control objectives and control design; Retains evidence of control activity | Effective control environment documented with audit trails; Appropriate retention of control operating evidence |
| [role type not named in source] | Analyses regulations and determines policy impact; Evaluates legal position related to compliance; Represents legal opinion in decision making | Policy reflects desired response to regulation; Legal risks managed |
| IT Policy Manager | Manages policy creation, change, and maintenance; Owns policy communication and improvements to policy effectiveness | Effective use of policy to guide actions; Awareness through clearly written and communicated policies |
This article provides a broad overview of the MOF Manage Layer and its related SMFs, management reviews, and controls. The next step in putting MOF into practice is to consider your organisation’s needs, and then read and use the relevant SMFs. Their step-by-step guidance will be of value to IT organisations whose goal is reliable, efficient, and compelling IT services.
Manage Layer SMFs
- Governance, Risk, and Compliance
- Change and Configuration
How can I implement ITIL IQ®?
Hopefully by now you’ll begin to understand the value that the Microsoft Operations Framework can bring to your business. The goals, outcomes and measures outlined above require many activities and considerations which form part of our day to day activities at First Solution. In fact, we’re experts in MOF and have even developed a unique ITIL IQ® process that benchmarks a business’s current state, identifies their desired state and provides an action plan (called a Service Delivery Plan) that helps organisations of all sizes achieve their desired business outcomes. Most importantly, our unique ITIL IQ® process begins with a Proactive Services Maturity Review (PSMR) which identifies a score (out of 100) that clearly communicates the current state of your business’s IT operational maturity. Armed with your ITIL IQ® score, a non-IT professional such as a finance or procurement professional can concisely present to the IT Executive Officer the business’s current state, desired state, and ITIL IQ® score with an action plan to improve the ITIL IQ® score and thereby ensure that IT’s goals are aligned with the goals of the business and that both are progressing together. Once the IT Executive Officer has bought into the MOF concept we can help to develop an IT service strategy, IT service map, IT service portfolio and Service level agreements.
How can I better manage my IT?
Simply get in touch to arrange a free Proactive Services Maturity Review and one of our MOF experts will conduct an interview with the IT Manager or IT Executive Officer within your business and provide an ITIL IQ® score with which you can measure the performance of your IT function. Once you know your ITIL IQ® score we can provide a Service Delivery Plan to help you improve it each month and measure and report progress back to you during a Monthly Service Review. And there we have it, an ITIL based solution to simply identify and measure the performance of your IT function. So, are you ready to better manage your IT?
The Microsoft Operations Framework 4.0 is provided with permission from Microsoft Corporation.