ITAM Program Success: Elevating IT Asset Management

A well-designed ITAM Management System will lay the foundation, defining the roles of people, processes and data in IT Asset Management,  delivering outcomes and supporting departmental, executive, and organizational goals aligned to a Control Framework.  This ITAM Management System drives business value through agile forecasting, elimination of waste, and enablement of strategic business outcomes such as improved security and bottom-line financial savings.  It can be tangibly tracked against a regulatory framework to demonstrate how the ITAM operating model effectively satisfies control objectives.  In our recent eBook, ‘ITAM Program Transformation’, we walk you through the process of assessing and defining the desired outcomes for your ITAM program. This eBook addresses the essential steps of garnering stakeholder buy-in to secure program approval and provides an operating model and RACI.

Once the program has been defined, it is not uncommon for the rollout and implementation to stall and stagnate. In this blog, we will discuss how to prevent this and roll out your ITAM Program successfully, keeping both your executives as well as the Governance, Risk, and Compliance executives happy.

Common Challenges Leading to ITAM Program Delays

Many factors can prevent an ITAM program from rolling out efficiently and effectively. Often, there is a lack of buy-in across the business, not just C-Level, which is crucial to driving lasting and impactful change. When different areas of the business do not understand how the change will positively impact them, or what they are being asked for, they have no incentive to support the program. The SAM/ITAM team may be perceived as a blocker to getting work done by putting new processes in place that slow or prevent business-as-usual activities. Software requests may not be completed in the required time frames and SAM may not even be consulted during software implementations, or software negotiations may be carried out late, without strong internal (deployment and usage info) and external (vendor incentives and behavior) intelligence.  There may be misalignment between internal departments and outsourcers.  The purpose of a SAM team isn’t only to create point-in-time compliance positions, but to drive business value from this intelligence.

 Misalignment can also occur on a departmental and organizational level.  When initially planning and designing the Management System it is critical to foster a broad-based, cross-functional stakeholder group.  One way to naturally align these sometimes disparate interests is to involve the Governance Risk and Compliance (GRC) function and understand their requirements relative to regulatory control and reporting.  A mature IT Asset Management program can be adapted and aligned to any number of Risk Control Frameworks (CIS, NIST, ISO 27001, FBA/FFIEC, NYDFS, etc).  This way, the trustworthy data proactively managed to create value in the IT Asset Management space can also be used to demonstrate regulatory compliance.  Involving GRC and aligning the ITAM Management System with your organization’s Risk Control Framework requirements is essentially killing two birds with one stone.

Visibility and transparency of value creation often pose challenges for ITAM departments. There will also be business-as-usual activities that need to be carried out by the SAM/ITAM team and this may mean that, despite a plan being in place to make the changes to drive greater program maturity and regulatory compliance, there is a lack of resources to deliver the program implementation, and a lack of effective communication to shift the mindset from reactive event-driven support (e.g. an audit) to proactive growing of business value over time. Anglepoint’s experts have seen organizations scale back to their pre-COVID size, trying to deliver unclear profit and growth targets without the justification and support for the resources required to make meaningful changes. Effective management of regular audit activities is critical to proactively address potential commercial, reputational and regulatory risks.  This constant firefighting approach can result in software asset management (SAM) not being perceived as a strategic value-added partner.

You may find that some or all of these challenges resonate with your situation. Addressing these issues is vital for achieving the organizational change outlined in your plan.

Getting your ITAM Program Back on Track

Getting your ITAM Program back on track will require ensuring that all stakeholders across the business take accountability and understand clearly how the program aligns with their specific business objectives and requirements. Through rolling out an awareness and plan (or playbook), you will be able to demonstrate how the ITAM program will meet all these objectives and ensure that the value can be recognized and easily understood by stakeholders in various functions and departments.  It is also recommended to engage key cross-functional stakeholders via focused 1-1 interviews to gain a deeper understanding of their insights, perspectives, and expectations of the Program. This approach will help secure the necessary support and internal resources for the implementation of your ITAM program. This plan’s successful implementation must also encompass all the processes, policies, procedures, controls, and tests of effectiveness that have been defined, including each department’s expectation (e.g., procurement to provide structured spend information). Clearly outlining these aspects, along with the resources, systems, data points, and technology required to measure the business changes, will align the different teams and allow them to better understand the reasoning behind what has been deemed as SAM ‘blocking’ or ‘slowing down’ necessary business activities.

The intelligence and business context required to make informed decisions and achieve business goals comes from information provided by the ITAM outputs.  Having a clear view of accurate and trustworthy data, understanding the data requirements, and translating this into actionable insights in the stakeholder’s language is what will help to deliver on the business and GRC stakeholder requirements.  Configuring tools and closing data gaps will provide information that drives this intelligence and provides visibility of cost and risks along with forecasting, tracking of optimization opportunities, as well as potential areas of regulatory non-conformance that can be flagged for remediation. Normalizing visibility of your inventory and consumption data in a consumable format mapped to an aligned set of controls and tests of effectiveness will prove a vital component in the delivery of this intelligence and risk remediation management.

Following the key areas and processes defined in the ISO 19770-1 standard will help the program track all activities that have been undertaken, building a log of risks and blockers that will feed regular executive reporting to summarize program progress and highlight key risks/escalations. This will ensure stakeholders are continuously informed, satisfied with progress and able to identify and manage risks and blockers proactively.  If you do not clearly define these, and bring the stakeholders on during planning and design, then the program is doomed for failure when you get to this stage, as all relevance will be lost.  This is especially true if there exists a very proscriptive risk or regulatory framework with detailed reporting requirements to demonstrate compliance.

Our recent article, “What is ISO 19770 and Why is it so Important – How do I get started” explores the ISO 19770 accreditation and educates the reader on what the ISO assessment includes, the benefits it offers, and why this is important to an organization and its stakeholders.