IT Governance – A Quality Boost with ISO 9001, ISO 27001 & ISO 20000
With the ISO triple certification, deploy the same Merck IT processes, with the same quality.
Author: Philippe Leroy, IT Governance, Merck KGaA
Merck at a glance
Merck conducts its operations in four divisions:
– Merck Serono: Prescription drugs
– Consumer Health: Over-the-counter products for preventive health care and self-treatment of minor ailments
– Merck Millipore: Products for protein research and cell biology; laboratory chemicals, consumables, services; products used in the production of chemical and biopharmaceutical drugs
– Performance Materials: Materials for displays and lighting; pigments for the plastics, printing, coatings and cosmetics industries
[Photo: Pützer Tower and Pyramid at Darmstadt headquarters]
More than 40,000 employees in 67 countries
Merck manages its operating activities under the umbrella of Merck KGaA, which was listed on the Frankfurt Stock Exchange in 1995 and admitted to the DAX® in June 2007
Around 30% of the total capital is publicly traded, while the Merck family, as general partner, indirectly holds around 70%
www.merckgroup.com
Merck KGaA - CIO Office - ISO 56K Certification
Facts and figures on IT @ Merck
IS is organized as a global Group function.
• ~ 1100 employees worldwide
• ~ 120 local IT units in ~60 countries
• 3 Corporate Service Centers
• 8 units reporting to CIO:
  - Business Processes, Data & Systems Harmonization
  - IS Pharmaceuticals
  - IS Chemicals
  - IS Group Functions
  - IS Global Shared Services, Technology & IS International
  - IS Strategy, Performance & Governance
  - IS Change & Value Management
  - Global IT Enterprise Architecture
• 30 core IT processes certified according to ISO 9.001, 27.001 and 20.000
Why best practices? Why compliance?
Merck IT has 2 good reasons to deploy best practices and to ensure compliance:
• Merck IT Vision: to become the best IT for Merck
  Best practices make sense
• Compliance is part of Merck’s business mission
  Compliance is part of the IT mission
With best practices, let’s industrialize IT processes and compliance
Agenda
1. 2007-08: An innovative way for ISO certification
   … and why did Merck start this initiative?
   … and how has Merck realized it?
2. 2009-11: Keep, optimize and gain from the ISO certification
   The value and competitive advantage over the years
   The continual improvements
3. The long and winding road:
   Success stories and challenges during the certification process
4. Tools:
   IT Governance, Project and Service Management tools
ISO Triple Certification for IT Services – Charter
Merck Corporate Information Services (CIS) wants to become the best IT Organization of the Pharma and Chemical Industries. The ISO Certifications contribute through worldwide recognized norms.
Program Setup:
• Half a year for planning and communication in 2007
• 2008: a year for implementation
• Final Certification Audit on December 3rd, 2008
• Certification cycle:
  - Surveillance for 2009 & 2010
  - Certification of Millipore and recertification for 2011, and so on…
Program Scope:
• ISO 9’001 Quality Management System
• ISO 27’001 Information Security Management System
• ISO 20’000 IT Service Management (~ITIL)
9+27+20=56: ISO 56K
Covering 1’100 IT staff in 90 sites / locations
Program Team:
• A Program Leader and 3 Norm Owners
• 22 Process Owners for 25 core processes
• 17 Internal Auditors
Project Team: ~ 200 people worldwide
• Colleagues from the HQ and the sites
• With strong involvement of:
  - CIO and IT Senior Management
  - IT Regional Managers & Business
ISO 56K – Set the ISO Strategy
• Short deadline and focus on the result
• Strong support from the CIO
• Make it global and sustainable
• Do a global certification (all Merck IT or no one)
• Empower people and give them responsibilities
• Reveal departmental and local talents, and they are many
• Do a pilot to fine-tune the training and the internal audits
• Be pragmatic and provide the right support
• Start with the 80/20 rule
• Have a central repository - Do once, use many times
• Keep it simple and respect the existing good practices
2007 Huge IT Transformation during M&A (Serono)
ISO 56K – Set the ISO Processes
• Central Quality Management System
• Map the ISO requirements with 29 integrated processes
• Teach and deploy processes beyond the 3 norms
Examples:
- Incident Management is common to the 3 norms
- Availability Management is common to ISO 27’001 and 20’000
2/3 of our processes are common to the 3 norms
The SM processes are based on ITIL
ISO 56K – Set the ISO Target Level
The same 29 processes but an adapted way of deployment
What is new for 2009: Planned Maturity and Risk, Planned improvements
[Screenshot of the assessment sheet: Process Improvement, Maturity and Risk Assessment, Improvement Plan (Tasks, Activities, Business Value, Impact and Risks). Columns: Processes; Sub process; Process Description; Implemented Controls; Maturity (Rules, P&P; People; Tools; Measurement; Deployment); Likelihood; Impact; Input from audits / CAPAs / To Dos / Specific attention; Planned improvements. Scale: 0 1 2 3 4 5 na.]
Legible entries from the sheet (process A. Quality Management System, ITQMS), with the scores as shown:
– The CI Managers cascade and ensure the effectiveness of the Quality Management System to all CI Staff. Scores: 5 4 5 4 5 0 1 5.0. Effective date: 01-Apr-2007, MerckDocs. FYI, in 2008, we had 5 NCs and 21 Findings on this process from the SGS. Get Management support. Read the Quality Manual. Get all staff to read the policies. Read the Continual Improvement Policy. Ensure alignment of local Quality documents to the ITQMS.
– Management Review is performed using ITQMS_5TPL_015 Local Management Review. It should be the conclusion of at least one meeting with the management. Scores: 5 5 5 4 5 0 1 5.0. Organization chart of the Business and the IT shall be available. e-Learning post T3: Re-read all column Q "Planned Improvements". Get Management support.
– ITQMS B.10, ITQMS B.11
– Quality Manual is read and understood.
– Management supports the ISO 56K. GMC's Management (at least the Line Manager of the IT Manager) is ready to welcome the auditor, do an introduction about the CMG at the beginning of the audit and participate in the closing meeting of the audit. Scores: 5 5 na na 5 0 4 5.0.
– Why not take the opportunity of the certificates to raise the management support? Scores: 5 5 na na 5 0 4 5.0.
– ITQMS_1PCY_001 is read, understood, communicated and applied accordingly and understood by CI Staff and CMG's Line Manager(s). Scores: 5 4 na na 5 0 0 5.0. Get all staff to read the policies.
– A further row shows only the scores 5 5 na na 5 0 0 5.0.
Quality is hard to define, impossible to measure, easy to recognize. Quality means the customer comes back, not the product.
ISO 56K - Planning 2008-11
• 16 training sessions for 150 people
• 75 internal audits and 25 internal reviews
• 4’000 actions closed
2009, 2010, 2011, etc… and beyond
[Planning chart, January to November, by week. Rows: Pilot (Lyon), P Owners, HQ, North America, Europe & ROW, Latin America, Asia Pacific. Activities: Training (T1, T2, T3, Wksp), I1, Ip, I2, and External Audits (S1, S2).]
2010-11 another IT Transformation during M&A (Millipore)
ISO 56K – Certification Audit
The ISO Auditors
• 2 senior auditors from the SGS
• Expertise on the 3 norms
• Huge experience on IT Business and Operations
The ISO Audits
• 25 External Audits – Stage 1 for Assessment
• 25 External Audits – Stage 2 for Certification
• The same team for all the audits
ISO 56K – Results
Beyond the Certification, we have improved our:
• Skills, Knowledge / Know-how
  – The human factor was, is and will be the best result
• Way to work together: One global team
  – Consistent & integrated processes, common language
  – Sharing of the good practices, improve quality
  – Improving the team work and intercultural relationships, including making the HQ closer to the sites
• IT speed in Service Delivery
  – Strong support for the other IT programs and agility in changes
ISO 56K A key structure for IT Agility
ISO 56K – Optimization – Keep the pace
Optimize the benefits of ISO for IT & Business and reduce re-certification costs
• Shift from “on top of our job” (or “additional workload”) to become “part of our job” (or possibly “instead of” some former tasks)
• From process maturity to organization maturity
• ISO Rightscoping & Rightsizing: with more maturity, we can better optimize processes and their documentation
IT Governance for Business Growth
• 2007: Harmonize IT processes
• 2008: Obtain IT industry certifications
• 2009-10: Develop a Service Oriented Organization
• 2011-12: Realize the CIS vision
[Diagram of the service-oriented organization, "Best for Merck". Labels: Demand, Supply; Business Unit / Customer, End User, Relationship Mgr., IM / IT Manager, Service Owner; SLA, OLA; Business IT Service; Service Category (eWorkplace, eConnectivity, ERP Services, Corporate Services, Pharma Services, Chemical Services); IT Projects; Service Desk, 1st, Support, Group of Specialists; File & Print, E-Mail, Database, Operation, Maintenance, Storage, Hosting, SAP Basis, BSD, Internet, WAN/LAN.]
ISO 56K – CEO’s feedback
This video was recorded in March 2009 after the ISO Certification
[Image: the video of the CEO]

Dear Colleagues,

Back in 2007, the GL has commissioned Merck’s IT to turn into a strong, corporate function, and to optimize the quality and costs of our global IT services. For me, IT is like the heart of the company and the basis for structures and business processes. Your work is therefore essential for the company’s growth and success!

In this context, the ISO56K program has been a key contributor, and I would like to congratulate you and thank you very much for this outstanding achievement. You can be truly proud of having achieved these ISO certifications together as one global team – I consider this not just as a success for Corporate Information Services but for Merck as a whole.

Quality is not a destination, it is a journey. I’m convinced that we will keep capitalizing on the benefits of the ISO56K program and improve even more through continual recertification. Please keep with the pace of the program.

I regret not being with you today but I personally wish you all the best for the future and for the audits to come.

Dr Karl-Ludwig Kley, Chairman of the Merck Executive Board
ISO 56K - Sustainable Results Benchmark
• Audit Results: CA IT Auditing: Half Year Report 2010
• User Satisfaction: Overall Satisfaction in 2008 and Overall Satisfaction in 2011 (Interview SA Survey Report, 2008/2011)
• IT Strategy Award: Handelsblatt „IT Strategy Award 2010“
  Award criteria:
  – Process of strategy development
  – Implementation status
  – Interplay between corporate & IT strategy
  – Involvement of departments and users
  – Adjustments of IT strategy
  – Consideration of today’s technology standards
  – Strategy accelerators & barriers
  – Lessons learned
ISO 56K – A few challenges
‘World of Individuals’
Creativity?
‘World of Compliance’
ISO 56K – A few objections
• No, I have worked for 20 years without this ISO framework and I never felt the need
• Yes but we are different from the other companies. This framework does not fit to us
• Yes but later, we currently have too much to do
• Yes but we are already good enough and we do not need ISO to do well our work
ISO 56K – Do
What worked well at Merck
Management & Team
• Get CEO / CIO / Senior Management support
• Have a strong core team: Leadership, Expertise, Seniority, Motivation, Passion
• Act as a global team, involve everybody, go to see people
• Empower people and give them responsibilities
• Reveal departmental and local talents and there are many
• Be true, trust people and do what you say
• Have a team ready to jump to support who needs it (help / task force on request)
Recognize the achievements
• Training certificates with a letter signed by the CIO
• ISO certificates for all with a message from the CIO
• Video from the CEO
ISO 56K – Do (continued)
What worked well at Merck
Training & Communication
• Do a pilot for training and do Regional Training (Respect, Team, Efficiency)
• Deploy processes instead of norms
• Teach to get results instead
  – It is good to explain “Why” a process is important and “What” needs to be delivered
  – But to get effective results, teach “How” to achieve
• Do videos and get “funny” videos
• Involve Facility Management, HR, Procurement, etc… and the Managing Director / General Manager, CFO, etc.
• Communicate with the Business and keep a Business oriented mind set
ISO 56K – Do (continued)
What worked well at Merck
Scope and Strategy
• Do a global certification (all or no one) and don’t change the (short) target date
• Stay firm on the goals but allow flexibility & innovation for the execution
• Build as much as possible on existing good practices and put them in a central repository
• Keep it simple, apply the 80/20 rule (but do not stop there), focus on the delivery
• Have Process Owners and a Team ready to support processes and people
• Have a continual improvement process and prioritize the implementation steps
• Use the audits as recognition and motivational means
• IT Governance to accompany the external auditors in each site
ISO 56K – Don’t do…
How to prevent failing?
Don’t do:
• No fundamentalism
• Don’t wait for any tool. Start as soon as possible. Excel/Word templates are fine. It is better to do an RFC on paper now than to wait for several months.
• Don’t reinvent the wheel.
• Don’t let two Quality Management Systems exist together:
  - One to please the auditors
  - One to do the real work
• Don’t plan too much but go! Empower people, delegate and be ready to react fast.
Don’t fail the Audit:
• Let IT Governance accompany the external auditors in each site to ensure consistency.
• Perform training on audit behavior and communicate “areas of interest” of the auditors.
• Don’t try to pretend being perfect – the auditors know you are not (especially at the beginning)
• Cover each area with a reasonable set of controls and understand which gaps are the “no excuse”.
Tools to support the processes
HP Service Manager
– Incident Management
– Problem Management
– Change Management
– Configuration Management
– Service Level Management
• Incidents and Problems are recorded in HP Service Manager
• Change and Configuration Management are being deployed, as per the entities’ needs
HP-PPMC – Project & Portfolio Management Center
• Projects are managed with HP-PPMC
• Starting in 2010, HP-PPMC is used to manage the IT Project Portfolio
Tools to support the Program
• MerckDocs: Web repository of Merck CIS Documentation:
  – Policies
  – Procedures
  – Templates
  – Annexes
  – Training Material
  – Records
• ITGSS: Web repository and tracking tool of the Risks and CAPAs (Corrective and Preventive Actions), with e-mail notifications & workflow
Detail MerckDocs
Tools: the Statement of Maturity - SOM
Maturity:
– Effectiveness
– Performance
– Part / Top of the job
Risks:
– Likelihood
– Impact
Improvement Plan
Questions ?
Philippe Leroy
Program / Project Leader of ISO 56K
IT Strategy, Performance and Governance
Corporate Information Services
Merck KGaA
Email: [email protected]