Cian Blackwell, partner, Business Risk Services with Grant Thornton, and Brian Hurley, director of services for Hewlett-Packard Ireland, offer their advice.
Jim may not have given Raul explicit answers but he has certainly pointed him in the right direction. Raul has to recognice that the business has lost confi- dence in the data centre and it is not seen as serving business needs. Raul's main objective should be to change this perception. He also should see that, worryingly from his perspective, the assessment from the business is essentially correct.
Raul will need to create, overhaul or replace key processes and procedures in the data centre in order to fix this and Raul can only achieve his main objective by being successful in the second.
EF Insurance have been hit with viruses on three occasions, this is a symptom of a poor security policy. Couple this with the lack of a change management procedure and you have a situation where any incident requires more and more emergency and unplanned changes, patches, updates or installations. This unplanned work consumes time and results in fewer resources being available for strategic project work, and would actually have contributed to the failure of the project which led to Raul's predecessor's departure. There is a vicious circle here which needs to be broken.
We know that Raul's teams spend a lot of their time managing day to day events at the data centre. Depending on what these events are, this could be perfectly acceptable. What is not acceptable however is spending the rest of their time coping with unplanned work. Unplanned work implies that things occur unexpectedly, and the unexpected in any IT department should be treated as the enemy.
Raul already suspects that his team may be the cause of a lot of the problems which they end up fixing. Studies conducted by the IT Process Institute (ITPI) have shown that organisations with low performing IT departments place a lot of reliance for stability and security on reactive controls. Organisations which are successful in responding to events are those that have mastered change control. Unfortunately, EF Insurance are in the former group.
Raul needs to implement a high quality and comprehensive change management process in order to stabilise the IT environment. Firstly he should impose a "Change Freeze" in the data centre, this will give him time to develop and implement this process. The change management process should be formalised as a policy and communicated to all staff in the data centre. Crucially, it needs to be strictly enforced - with clear consequences for individuals if it is not followed. The basics of his change management process should allow for logging, assessment, authorisation and scheduling prior to implementation.
After implementation, it will allow for review of change against planned outcomes. The purpose of the change management process is to respond to the business requirement of stability in the IT environment and therefore it needs to be able to prove its effectiveness. The changes should be traceable and reporting needs to be an integral part of the system. After all, it is the reporting of the success (hopefully) of the change management system that will ultimately be responsible for saving his job.
Once the change management system is up and running, Raul can lift the change freeze but he then needs to create an inventory of all IT systems and equipment so he can cross-reference change, successful or unsuccessful, with a particular piece of hardware, software or process. This way Raul can build up a picture of change and will be able to start proactively improving the IT environment by focusing on "repeat offenders".
Raul should find that as his change management system quickly becomes embedded in the culture of the data centre and that instead of constant individual and isolated reaction to events and issues, quality, security and availability will become built into his processes. Raul will become master of his domain not somebody chasing his virtual tail. Cian Blackwell
Get away from fire-fighting
With so many problems piling up, Raul's position may seem unenviable. But he should take heart. Two quick promotions and now the opportunity to turn things around in a department that has been giving them headaches is a vote of confidence, not something to despair about. The company could have closed the data centre when Raul's predecessor left. Instead they chose to put their faith in him.
Nonetheless, the problems are serious and a month has slipped by. He has six months before the visit from audit - but these are the last in a long line of people he needs to impress.
Raul's ability to influence people, to give them confidence in him and his department, is as important as his ability to create an enduring solution to the data centre issues. Raul should be looking to achieve some quick results in high-profile areas with a service improvement plan that has four or five projects embedded in it.
Quick wins over these six months buys time to focus on the longer-term issues later. He should concentrate on areas that have most business impact, like security, business continuity and automation, and also work with the internal communications team so that his aims are clearly and widely disseminated.
One problem is choosing what to focus on at these early stages. He should look at projects in which real headway can be made, then appoint project managers who are accountable for delivering results within that timescale. Regular review meetings would make sure each project is on track.
Initially, Raul should want to understand exactly what the situation is across everything he is responsible for - in a visible way that can be shared with everyone.
An executive dashboard, with a traffic light system - red, amber, green - could be used. To ensure that important areas are concentrated on, service level agreements could be discussed with internal clients to get their buy-in.
Another project stream should implement best practice service management, which is about putting some robust processes in place. Without effective processes, you're open both to attack and to things simply going wrong. It's just good business sense. And to really do it well, I'd be adopting an industry standard called the IT Information Library - ITIL - which is documentation that scores best practice for IT operations.
Another project stream should address security. Having three major viruses in nine years isn't as bad as it sounds, but what's concerning is that they caused downtime and they were high-profile. As well as virtual attack, you also have to address issues of physical security.
Because of the downtime alone, it's not surprising that the board is contemplating something as drastic as moving the data centre to Switzerland. But herein lies a solution - you can mirror one data centre in another, so if Shannon goes down, you have back-up elsewhere, on-tap, immediately. It should not be down as much anyway, with increased automation and a disaster recovery programme.
Automation contributes to your compliance obligations and releases you from fire-fighting, so you can plan for longer-term strategic issues which deliver better business outcomes. Brian Hurley
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/VR3765MFOBH2NMV2QNICYDF67M.png)