Plan, Do, Check, & Act – The reality of standing up an ITAM Program

Achieving ITAM excellence following the successful rollout of an ITAM program is not a quick or simple task. In our previous article “ITAM Program Success: Elevating IT Asset Management” we explored common causes of program failure and how to get back on track.  We discussed the tactical use of the Deming Cycle (that forms the basis for the ISO 19770-1 standard) to drive success. That process is the continuous loop of Plan, Do, Check (Study), Act ), allowing your ITAM program to be adapted and improved as business and external requirements change. It also enables you to proactively identify and manage risks and potential blockers to stay relevant.

In this article, we will take a closer look at what the PDCA cycle involves and how it is applied to ITAM in the context of transforming and operating your program.

Plan

The Plan phase is arguably the most critical, as it determines the needs of the organization and the over-arching scope of IT Asset Management. Do we have a repeatable, living plan to ensure our “north star” exec goals are being met and tracked?  This means that aims are defined, policies are developed, risks are assessed, and a detailed plan is created that identifies all required resources. The ITAM Program Transformation work of planning and defining the road map (explored in depth in our eBook “Best Practice ITAM Program Transformation”,combines the program assessment, target operating model design, RACI and KPIs and marks the initial Plan stage. When defining aims and desired outcomes for your ITAM Program, best practice recommends that you ensure cross-functional requirements are taken into account.  If you build a wide coalition of stakeholders from various parts of the business, you can more easily ensure that the Management System you will employ to address IT Asset Management challenges can also support and satisfy Risk and Regulatory Framework requirements.

Do

The Do phase involves implementing the ITAM program plan that has been developed in the Plan phase. This phase includes carrying out all actions to optimize and operate the plan as well as ensure the organization is informed. This can be defined as ITAM Program Operation and is often a tricky step as it requires resources and skills that may not be readily available. It includes four key areas:

• Program Implementation Management – Starting very tactically where high value will be driven isn’t a bad thing, high rewards can and should be reaped in the first year. This will drive into ongoing program operations (scope alignment, tracking and reporting) and enablement for core processes (KPI creation, policy and process governance support). This area is related to the Operate phase aligned to the ISO standard.
• Inventory and Compliance Monitoring – If nobody trusts the data, the program will fail. This phase includes the normalization of all required data points to deliver the outcome required and may include license compliance management and tracking, and should include a renewal calendar across all business applications. This area is related to the Operate phase aligned to the ISO standard.
• Stakeholder Intelligence – If people aren’t getting value from the information presented to them, support will decline over time. This tracks key areas that are important to stakeholders, such as cost savings, risk avoidance, and accurate data management (demonstrating the importance of properly configured tooling and the removal of data gaps). Other common areas of consideration may be policy and process adherence to regulatory or risk framework requirements (e.g. NIST), or reduction of technical debt. This area is related to the Inform and Optimize phases aligned to the ISO standard.
• Verification and Compliance – This phase determines the effectiveness of the ITAM program by tracking KPIs and identifying discrepancies, policy failures, and risks. These issues should be prioritized and mitigated, or fixes executed. Having a functioning steering committee is critical for this, or accountability can fall down. This area is also related to the Inform and Optimize phases aligned to the ISO standard.

Check

The Check phase focuses on continuous monitoring and review of the ITAM program’s performance to ensure it meets stakeholder and organization expectations. It involves three stages to gauge progress and provide constant analysis to drive improvement.

• Measure, Monitor, Analyze, & Report findings

A key use case for a highly functioning management is demonstrating strong regulatory compliance requirements such as estate visibility or end-of-life.  This phase involves continuous monitoring of program performance aligned with the KPIs developed (eg 99% of estate seen with validated no end-of-life applications) in the Plan phase and is based on a stakeholder-defined risk framework (not always software compliance!) as well as program and process objectives. This will require near real-time dashboards and information readily available based on accurate and trustworthy data. This step will then flag up near real-time reporting of anomalies, exceptions, and incidents that can indicate a failed risk or regulatory control.

• Conduct Effective Internal Software Audits

Regular software audits and reviews can be carried out by a different internal department or outsourced and should be completed, at the very least, annually. Quarterly or monthly audits are recommended in the early stages of the ITAM Program Operation phase. The audits will assess conformance against the ITAM Plan, and proactively focus on KPI or policy nonconformities. An added layer of best practice verification can be the ISO/IEC 19770-1 requirements that our experts recommend leveraging to ensure interoperability, industry-standard benchmarking, and common language in ITAM. All findings and recommendations can be recorded and tracked against remediations from prior findings to uncover trends and needed actions as a result. This information is then reported in an executive summary comprising a presentation and detailed report.

• Perform periodic management reviews

These reviews will ensure that the right level of management is in place and is appropriate for the organization. The steering committee structure including key executive stakeholders should be reviewed regularly to ensure the necessary roles and functions represent various areas in the organization. KPIs should be reviewed regularly to ensure they are still aligned with desired business, risk, and regulatory outcomes and that the defined road map is still appropriate. This includes making sure the right resources are in place. As above, this should all be tracked with prior management decisions and documented with new management decisions.

Act

The purpose of the Act phase is to remediate any nonconformities identified in the Check phase. This will include taking any corrective or preventative actions, as well as making continual improvements and including new and additional management strategies.

This image shows how these 4 phases work together in an ITAM program. ITAM Program Transformation is the Plan phase, while ITAM Program Operations comprise the other phases.