International Civil Aviation Organization FIRST INFORMATION MANAGEMENT PANEL (IMP/1) Montreal, Canada January, 25 30, 2015

Transcription

1 International Civil Aviation Organization WORKING PAPER 15/01/2015 rev. 0 FIRST INFORMATION MANAGEMENT PANEL (IMP/1) Montreal, Canada January, 25 30, 2015 Agenda Item 5: Review and elaborate on concepts, utilising a globally interoperable framework for the system-wide availability and management of information required to support flight and ANS system operations. SWIM READINESS ASSESSMENT Presented by Richard Williams Prepared by CANSO Information Working Group SUMMARY ICAO has defined a programme of information management change for ANSPs through the introduction of SWIM (system wide information management). The challenge with SWIM is it hasn t been clearly defined and understood. The CANSO Information Management Working Group has developed a maturity model to increase understanding of what SWIM enabled services ANSP s want and their readiness for those services. The model has been tested through an exploratory investigation which involved interviewing experts from five ANSP s. The exploratory investigation tested the model and led to a number of conclusions and concerns. These conclusions and concerns are presented, with recommendations for the ICAO Information Management Panel, in this paper and the accompanying PowerPoint presentation. 1. DISCUSSION Maturity Model 1.1 Undertaking large organisational change is difficult and fraught with risk. It is important to define your strategic target and understand the steps you need to take to get there. Maturity models are useful for showing the current capability and steps required to attain the target state. (9 pages)

2 This paper proposes the use of a maturity model to understand what SWIM enabled services ANSP s want and their readiness for these services. 1.3 SWIM consists of standards, infrastructure and governance enabling the management of ATM information and its exchange between qualified parties via interoperable services SWIM can be considered as a foundation that enables the delivery of ANSP services. These services are defined in the ASBU s and support the delivery of the GANP. It is expected that ANSP s will use the foundation provided by SWIM to deliver relevant services identified in the GANP and ASBU s. 1.5 Maturity models are usually (Cobit, CMMI) based on a 0-5 scale. After reviewing a number of maturity models the following scale has been developed for SWIM maturity. This model is based on COBIT (Control Objectives for Information and Related Technology). The COBIT maturity model was amended to include additional SWIM specific questions including web interface implementation and standards. The model was amended to 48 processes which were grouped into 12 categories. The maturity model questions are included in Appendix A. The scale used for assessing maturity is shown below: 5 Optimised Metrics are consistently gathered and are used to incrementally improve capability. Services are proactively maintained to ensure relevance and correctness. 4 Managed Capability is measured and quantitatively managed by governance structure, appropriate metrics are gathered and reported. 3 Systematic The SWIM approach has been reviewed and accepted across the ANSP. The SWIM approach is always (or almost always) followed. 2 Opportunistic A SWIM approach is defined and opportunistically applied. It is not widely accepted or adopted. 1 Ad Hoc Awareness of SWIM exists and some services are being built. There is no SWIM approach being followed. 0 No Swim There is no SWIM approach being taken. SWIM is not underway. Exploratory Investigation 1.6 An exploratory investigation of the maturity model was conducted using a sample of five ANSP s. Experts from these ANSPs were interviewed to understand their current and target process maturity for the 12 categories. The results for the categories are presented in the following area graphs.

3 The red area shows the current level of ANSP process maturity for the different categories, the blue shows the target maturity. The process maturity gap is the difference between the red and the blue. What is immediately observable from the graphs is all ANSPs have sizeable maturity gaps. Other high level observations include the difference between current maturity for the ANSP s and also the different maturity targets. This shows there is not a consistent view of the target maturity required for SWIM across ANSP s. 1.8 The process maturity gap for the ANSP s is shown in the following table. Based on the expert responses this is the expected level of process maturity improvement required. This has been sorted to show the highest average gap. Categories and s ANSP 1 ANSP 2 ANSP 3 ANSP 4 ANSP 5 Average Standards Planning Governance Strategy Relationships Monitoring Programme Resources Security Change Operations

4 The largest process maturity gaps were identified as the SWIM categories of web service implementation and standards. Delving into the individual questions for these categories highlights the difference in process maturity across ANSP S as presented in the following graph which shows the current maturity against the target maturity average The graph shows the lack of a common position amongst ANSP s for either current or target process maturity. The table below shows the actual process maturity gaps for each ANSP and an average maturity gap for each process. Process ANSP 1 ANSP 2 ANSP 3 ANSP 4 ANSP 5 Average External web service consumption External web service provision Internal web services Service management Service lifecycle management Service exception handling Standards Information Exchange Standards Adoption Standards roadmap and lifecycle management Standards are enforced

5 Each ANSP expressed sizeable maturity gaps for a number of SWIM specific processes. There is a range of different current and target maturity states across the ANSP s. This means that the ANSP s have different starting points, as well as different maturity targets It is important to note that all of the ANSP s that participated in the exploratory investigation had resources available to contribute to the working group. This may not be the case for all ANSP s. The maturity of other smaller or less well-resourced ANSP s may be lower. 2. CONCLUSIONS Preliminary Conclusions 2.1 A number of preliminary conclusions were drawn from the sample of ANSP s who participated in the exploratory investigation. There are substantial gaps between current and target process maturity. All of the ANSP respondents have different levels of process maturity and immaturity. Each ANSP respondent has a different perspective of what level of process maturity is required for SWIM. Finally no ANSP respondent appears fully prepared for adoption of web services. These preliminary conclusions should be tested against a wider group of ANSP s, and potentially other stakeholder groups. Concerns 2.2 Participation in SWIM will require substantial infrastructure investment by ANSPs. The preliminary conclusions led to discussions amongst the CANSO working group which identified a number of areas of concern that could impact ANSP willingness to invest in SWIM. These concerns should be addressed by the ICAO IM panel: Slow adoption by different parties Business service applicability Replacement Cycles (when funding is available) Scale of infrastructure required Risk appetite for adopting new ways of working Cost as a barrier to adoption These concerns are elaborated in the attached presentation. 3. ACTION BY THE IMP 3.1 Based on the exploratory investigation, the Information Management Panel is invited to: 1) note the differences between ANSP current and target maturity. 2) note the lack of respondent readiness to adopt s. 3) discuss and address the preliminary conclusions and concerns. 4) use the proposed maturity model to assess a wider sample of ANSP current and future maturity across all ICAO regions.

6 - 6-5) modify the model to assess current and future maturity for other groups including airlines, regulators, vendors and other stakeholders. 6) adopt the building block and domino interoperability models in the presentation. END

7 Appendix A: Maturity Model Questions Category Process Explanation Change Manage Organisational Change - Planning Plan and communicate ANSP wide organisational change quickly, covering the complete life cycle of the change and all affected stakeholders in the business and IT. Change Manage Changes Manage all changes in a controlled manner, including standard changes and emergency maintenance relating to business processes, applications and infrastructure. Governance Ensure Governance Framework Setting and Maintenance Governance Ensure Benefits Delivery Governance Ensure Risk Optimisation Governance Ensure Resource Optimisation Effective governance structures, principles, processes and practices, with clarity of responsibilities and authority to achieve the enterprise s mission, goals and objectives. Cost-efficient delivery of solutions and services; and a reliable and accurate picture of costs and likely benefits so that business needs are supported effectively and efficiently. Ensure ANSP risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of IT is identified and managed. Ensure that adequate and sufficient IT-related capabilities (people, process and technology) are available to support enterprise objectives effectively at optimal cost. Governance Ensure Stakeholder Increased information flow through new collaborative web services will require Transparency *new* identification of stakeholders and governance information sharing. Monitoring Manage Quality Ensure consistent delivery of solutions and services to meet the quality requirements of the enterprise and satisfy stakeholder needs. Monitoring Monitor, Evaluate and Assess Performance and Conformance Monitoring Monitor, Evaluate and Assess Internal Compliance Monitoring Monitor, Evaluate and Assess External Compliance Collect, validate and evaluate business, IT and process goals and metrics. Monitor that processes are performing against agreed-on performance and conformance goals and metrics and provide reporting that is systematic and timely. Plan, organise and maintain standards for internal control assessment and assurance activities. Monitor performance against standards. Auditability of internal services to ensure service accuracy and delivery. Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance. Auditability of internal services to ensure service accuracy and delivery. Operations Manage Provide sufficient information about service assets to enable the service to be Configuration effectively managed, assess the impact of changes and deal with service incidents. Operations Manage Operations Deliver IT operational service outcomes as planned. Operations Manage Service Requests and Incidents Achieve increased productivity and minimise disruptions through quick resolution of user queries and incidents. Operations Manage Problems Identify and classify problems and their root causes and provide timely resolution to prevent recurring incidents. Provide recommendations for improvements. Operations Manage Continuity Timely respond to incidents and disruptions in order to continue operation of critical business processes and required IT services and maintain availability of information at a level acceptable to the enterprise. Planning Manage Requirements Definition Identify solutions and analyse requirements before acquisition or creation to ensure that they are in line with enterprise strategic requirements covering business processes, applications, information/data, infrastructure and services. Coordinate with affected stakeholders the review of feasible options including relative costs and benefits, risk analysis, and approval of requirements and proposed solutions. (9 pages)

8 - 2 - Planning Manage Availability and Capacity Maintain service availability, efficient management of resources, and optimisation of system performance through prediction of future performance and capacity requirements. Planning Manage Knowledge Plan for the identification, gathering, organising, maintaining, use and retirement of knowledge. Planning Service Roadmaps *new* Plans for the introduction of web services, integration and lifecycle management, including service retirement. Programme Manage Portfolio Execute the strategic direction and consider the different categories of investments and the resources and funding constraints. Evaluate, prioritise and balance programmes and services, managing demand within resource and funding constraints, based on their alignment with strategic objectives, enterprise worth and risk. Monitor the performance of the overall portfolio of services and programmes, proposing adjustments as necessary in response to programme and service performance or changing enterprise priorities. Programme Manage Programmes and Projects Programme Manage Solutions Identification and Build Relationships Manage Relationships Relationships Manage Service Agreements Manage all programmes and projects in alignment with enterprise strategy and in a co-ordinated way. Initiate, plan, control, and execute programmes and projects, and close with a post-implementation review. Establish and maintain identified solutions in line with enterprise requirements covering design, development, procurement/sourcing and partnering with suppliers/vendors. Manage configuration, test preparation, testing, requirements management and maintenance of business processes, applications, information/data, infrastructure and services. Manage the relationship between the business and IT in a formalised and transparent way that ensures a focus on achieving a common and shared goal of successful enterprise outcomes in support of strategic goals and within the constraint of budgets and risk tolerance. Base the relationship on mutual trust, using open and understandable terms and common language and a willingness to take ownership and accountability for key decisions. Ensure that IT services and service levels meet current and future enterprise needs. Relationships Manage Suppliers Manage IT-related services provided by all types of suppliers to meet enterprise requirements, including the selection of suppliers, management of relationships, management of contracts, and reviewing and monitoring of supplier performance for effectiveness and compliance. Relationships Manage Interorganisational Relationships *new* Resources Manage Budget and Costs Resources Manage Human Resources Manage information sharing and new service creation between ANSP's Met Offices, Airlines and other information providers to specified service levels. Foster partnership between IT and enterprise stakeholders to enable the effective and efficient use of IT-related resources and provide transparency and accountability of the cost and business value of solutions and services. Enable the enterprise to make informed decisions regarding the use of IT solutions and services. Provide a structured approach to ensure optimal structuring, placement, decision rights and skills of human resources. This includes communicating the defined roles and responsibilities, learning and growth plans, and performance expectations, supported with competent and motivated people. Resources Manage Assets Account for all IT assets and optimise the value provided by these assets. Security Manage Risk Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management. Security Manage Security Define, operate and monitor services for information security management. Keep the impact and occurrence of information security incidents within the enterprise s risk appetite levels. Security Manage Security Services Security Manage Business Process Controls Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring. Maintain information integrity and the security of information assets handled within business processes in the enterprise or outsourced.

9 Strategy Manage the IT Management Framework Consistent management processes, organisational structures, roles and responsibilities, reliable and repeatable activities, and skills and competencies. Strategy Manage Strategy Align strategic IT plans with business objectives. Clearly communicate the objectives and associated accountabilities so they are understood by all, with the IT strategic options identified, structured and integrated with business plans. Strategy Manage Enterprise Architecture Establish a common architecture consisting of business process, information, application and technology architecture layers for effectively and efficiently realising enterprise and IT strategies by creating key models and practices that describe the baseline and target architectures. Strategy Manage Innovation Achieve competitive advantage, business innovation, and improved operational effectiveness and efficiency by exploiting information technology developments. Standards External web service consumption *new* External web service provision *new* Internal web services *new* Service management *new* Service lifecycle management *new* Service exception handling *new* Information Exchange *new* Standards Standards Adoption *new* Standards Standards roadmap and lifecycle management *new* Standards Standards are enforced *new* Ability to consume external SOA web services Ability to provide external facing SOA web services Ability to of internal services to interoperate SOA using web services Maturity of service management including service catalogue and agreed levels. Lifecycle management of SWIM services including adoption, periodic review and retirement. Automated exception management, reporting and alerting. Adopted AIXM, FIXM and WXXM as standards for information exchange. Have mature standards adoption process that ensures standards adoption is monitored and reviewed. There is a roadmap for the adoption and retirement of information exchange standards across ATM systems. There are mature processes for organisational wide enforcement of standards. END