One of the most common questions I get from customers is around how to measure what 'good looks like'. Once you've implemented your ITAM/SAM strategy, whether you're at the beginning of your journey, or well on your way and hoping to mature, having metrics and KPI's are vital to be able to show results. But how do you do that?
The first step is to look at your mission statement - don't have one? write one! now! - This is the statement that defines what your goals and objectives are. It may be as simple as "be ready for an audit from our top three vendors by spend". Just have something that everyone has agreed is your goal.
Second, you look at those policies which directly support your mission statement or goal. For example, if we use the audit readiness goal, then your policies around compliant use, data reporting and provisioning around consumption, and your change management policies should all directly support your goal statement. Identify those policies which are directly in line, make sure they are fully implemented and being adhered to, and make any adjustments needed.
Next, you drill down into those processes which directly support your policies. Building on the example above, let's pick out Change Management. Does your Change Management process include a review of the rules, rights, grants and restrictions of the software usage case, and does the proposed change (IMACD) align? Have any impacts been identified, approved (both from a licensing and cost perspective), and do the owners understand and agree to the requirements of same?
The final step then is to identify what the measurement of that process is; the metric, and what the KPI should be to be able to report success. Same example: Change Management process includes a ITAM review for each vendor where the change results in a cost/risk over X. (X can be defined as a dollar spent, an audit risk exposure, or other ITAM requirements) You've now defined the metric: the review. Then what's the KPI? Out of all the times when an ITAM review should have occurred during the Change Management process, how many times was it actually done? And, set a goal for it. KPI: We will perform an ITAM review of 90% of the Change Management events which meet the metric requirement, and where there is no review, approval for same was obtained and documented.
Now, when a change management review is done, you can report on the KPI and metric, but you can also gather data about the success of it. For example: In FY18, we performed 100 Change Mangement reviews, acheiving our goal of 90% coverage. During those reviews, we identified over $1m in cost and risk. We were able to further identify a savings of $500K, resulting in a 50% reduction of cost attributed to ITAM, and supporting our audit readiness goals.
Things to remember:
Be reasonable in your metrics and KPI's. I've often seen where a metric was set that was actually not able to be measured and so it failed. Also, where KPI's are too aggressive. If you're just starting out, be generous with your KPI's. Shoot for 60% of the time rather than 90% - but make sure your stakeholders know that 90% will be the goal for the future.
This is a marathon - not a sprint. Take your time, be transparent and collaborative, and show your success through KPI's and Metrics!
Rebecca Horton, Regional Director lg6.ca