During my work training or advising organizations on how to use ISO/IEC 20000, I often get asked about the roles required by the standard. This blog provides such a list with some helpful hints.
Remember that the standard does not dictate an organizational structure. This allows it to be applicable to any size or type of organization.
The term ‘role’ is used in the 2011 edition in conjunction with the term ‘authorities and responsibilities’. Sometimes there is a requirement to specify ‘authorities and responsibilities’ without the use of the term ‘role’. A role description and RACI matrix can be used to show responsibilities and authorities. The use of ‘authorities’ is new to the 2011 edition.
Defined roles or parts of the organization
There are various parts of an organization that are critical to understanding the context of the scope of the service management system. These are defined in clause 3 of ISO/IEC 20000-1 and are illustrated in this diagram – Clause 3
Customer – defined as ‘organization or part of an organization that receives a service(s)’. There is a note to say that the customer can be internal or external to the service provider.
Interested party – defined as ‘organization or part of an organization that receives a service(s)’. Examples are marketing department, regulators, customers, suppliers.
Internal group – defined as ‘part of the service provider’s organization that enters into a documented agreement with the service provider to contribute to the design, transition, delivery and improvement of a service or services’. The internal group is outside the scope of the SMS.
Organization – defined as ‘group of people and facilities with an arrangement of responsibilities, authorities and relationships’. The service provider, internal customers and internal groups sit within the same organization. External customers and suppliers are in different organizations to the service provider.
Service provider – defined as ‘organization or part of an organization that manages and delivers a service or services to the customer’. The service provider can provide services internally in the same organization or externally outside of its organization. It is the service provider who is the subject of ISO/IEC 20000-1.
Supplier – defined as ‘organization or part of an organization that is external to the service provider’s organization and enters into a contract with the service provider to contribute to the design, transition, delivery and improvement of a service or services or processes’. Sub-contracted suppliers are managed by the supplier. The service provider checks that the supplier is managing their sub-contracted suppliers.
Top management – defined as ‘person or group of people who direct and control the service provider at the highest level’. See clause 4.1 for responsibilities of top management as well as activities required in 220.127.116.11 (management review) and 8.1 (major incidents).
Other non-defined roles required
Management representative – required by clause 4.1.4 to ensure that the SMS is operated and to report to top management. This is in effect the person responsible for the operation of the SMS. The role may be shared between more than one person for an SMS with a wide scope. For example, an application manager and an infrastructure manager.
Process owner – not specifically named but roles concerning processes are covered in 4.5.2 e) ‘framework of authorities, responsibilities and process roles’. The process owner will typically design, document, ensure compliance of and improve the process. The process owner does not necessarily operate the process.
Process manager – another role not specifically named. The process manager is in charge of the operation of the process on a day to day basis. The process manager will work with the process owner. The process manager may have process practitioners supporting the work of the process.
Service owner – not a specifically named role but mentioned in 4.5.2 f) ‘authorities and responsibilities for plans, service management processes and services’. The service owner is responsible for ensuring that the service operates to deliver its expected outcomes.
Internal auditor – required in clause 18.104.22.168 to conduct internal audits of the SMS. Internal auditors can come from within the organization or can be external staff who act on the organization’s behalf. There may be an internal audit department in larger organizations. Otherwise the internal audits can be done within the service department but auditors cannot audit their own work.
Business relationship manager – Clause 7.1 specifies ‘For each customer, the service provider shall have a designated individual who is responsible for managing the customer relationship and customer satisfaction.’ There can be one manager per customer or one manager can look after many customers.
Supplier manager – Clause 7.2 specifies ‘For each supplier, the service provider shall have a designated individual who is responsible for managing the relationship, the contract and performance of the supplier.’ There can be one manager per supplier or one manager can look after many suppliers. The role of supplier manager may be split with the procurement department who deal with initial procurement, contractual issues and change of contract. The service provider can deal with operational management of the supplier. Note that procurement of suppliers is specifically excluded from the standard.
Major incident manager – Clause 8.1 specifies ‘Top management shall ensure that a designated individual responsible for managing the major incident is appointed.’ This can be a different person for each major incident or the same person who always manages major incidents.
Other roles – other roles can be allocated. For example, a manager for a new or changed services project in clause 5 (design and transition of new or changed services) or an improvement manager for requirements in clause 22.214.171.124.
In summary, there are many roles and each has to be defined in terms of responsibility and authority. Every service provider will organize themselves in a slightly different way but this blog explains the roles that are required.
Lynda Cooper, an independent consultant and trainer, is one of the first people in the world to hold the ITIL Master qualification. Lynda chairs the BSI committee for IT service management (ITSM) and is one of the authors of ISO/IEC 20000. Lynda sits on various ISO/IEC committees and is the project editor for ISO/IEC 20000-1 and ISO/IEC 90006.