FUJ00080529
Business Assurance
Internal Assessment - PSD
FUJITSU
Internal Assessment Report
PSD - RMG - Royal Mail Group Account
Pre-BSI Assessment Review (ISO 9001)
Fujitsu UK & Ireland Internal Assessment of Royal Mail Group Account, and associated
Core Division delivery units.
FUJITSU EYES ONLY
MANAGEMENT SUMMARY
At the request of the RMG Account management a short review of the state of readiness for a BSI
assessment was undertaken. This is against a background of the recent focus on security (ISO 27001)
and the HNG-X deployment.
The quality management role was re-appointed in May 2010, prior to which there had been a lack of
focus on quality, particularly in the resolution of some 50+ previous assessment findings and continuity of
the internal assessment programme.
It should be noted that this review was conducted as a walkthrough, not a detailed audit.
During this Assessment of Royal Mail Account no Non-conformities or Observations were raised against
the PSD or the Applications division. This was intentional as the time spent was limited due to RMGA
operational commitment. Observations, Notes and Opportunities for improvement are highlighted in the
text. Overviews below are not summarised as normal, as the sections on each are not extensive; therefore
a direct link has been established.
In summary, the main findings and recommendations, as appropriate, were as follows:
• There are some issues arising in this review in respect of record keeping and retention, process /
  document reviews, implementation approach document, Management review and more generally
  the process measures and analysis.
• A recommendation of this overview assessment is to develop a better documentation index /
  summary for the account so that it is clear what documents exist and are current.
• The process measures aspect may at assessment cause the raising of a non-conformity and
  is an area where there is opportunity for improvement.
• Although the assessment looked primarily at the existence of processes and did not test
  deployment, the managers demonstrated that the sampled outputs are in place and were
  confident of their deployment.
• Generally, the outcome is that the sampled areas are ready for external assessment.
The recent readiness review for ISO 27001 raised a number of Quality Management issues. These must
be addressed prior to the BSI assessment. Please see report for details:-
IRRELEVANT
Performance Plus and objective setting was not reviewed and it was stated that this is now in place.
PSD
• Release Management
  Please see section 4.1 for further details.
• Service Delivery Management
  Please see section 4.2 for further details.
• Configuration Management
  Please see section 4.3 for further details.
• Quality Management
  Please see section 4.6 for further details.
Applications Division
• Applications Development (AD)
  Please see section 4.4 for further details.
Core Division
• PMO & Project Management (Core-PPM)
  Please see section 4.5 for further details.
Ref: GHQ/PSD/RMGA/ROYAL MAIL-BRA01/230610- Issue 1.0 Uncontrolled if printed
FUJITSU EYES ONLY © Copyright Fujitsu Services Limited 2010 Page 2 of 9
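CONTENTS
MANAGEMENT SUMMARY
1. ASSESSMENT CONTROL
2. OBJECTIVES OF THIS ASSESSMENT
2.1 Objectives
3. SCOPE
3.1 Interviewees
3.2 Assessment Sampling
3.3 Corrective Action
4. ASSESSMENT COMMENTARY
4.1 Release Management
4.2 Service Delivery Management
4.3 Configuration Management
4.4 Applications Management - (Application Division)
4.5 PMO & Project Management
4.6 Quality Management
5. NON-CONFORMITIES AND OBSERVATIONS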
1. ASSESSMENT CONTROL
Assessment Type: Internal
Assessment Reference: GHQ/PSD/RMG/Royal Mail 1020210
Area: Nish accom? — Royal
Process(es): Various (See Scope of Assessment)
Contact(s): David Parker
Process Owner(s): Various (See Scope of Assessment)
Planned Date: 23/06/2010
Lead Assessor: John E Wright
Start Date: 23/06/2010
Issue: 1.0
2. OBJECTIVES OF THIS ASSESSMENT
2.1 Objectives
This Fujitsu UK & Ireland Internal Assessment focused on key business functions performed in Royal Mail
Group Account, and associated Core Division delivery units, and considered, through the assessment of
local processes and working practice:
• The compliance of those functions with the Fujitsu UK & Ireland Business Management System
  (BMS).
• The compliance of those functions with relevant aspects of the ISO 9001.
• Any areas suitable for promotion as good business practice across Fujitsu UK & Ireland.
In addition, every opportunity was taken to give advice and guidance on ISO 9001, and corporate process
deployment.
3. SCOPE
This Fujitsu UK & Ireland Internal Assessment concentrated on the Royal Mail Account, and associated
Core Division delivery units, and was conducted over 0.5 days, within the Fujitsu Services BRA01 office,
and involved the following members of staff:
3.1 Interviewees
Function / Role | Interviewee
Release Management | Sarah Bull
Service Delivery Management & Configuration Management | Gaeten Van Achte
BU Review of Programme/Project Control | Ravi Chambers, Alan D’Alvarez, Leo Sapiets
Quality Management | David Parker
SW Development | Graham Allen
3.2 Assessment Sampling
The assessment was based on random samples and therefore non-conformities may exist which have
not been identified. Observations raised are categorised as Non-conformities and Observations.
3.3 Corrective Action
Following the Assessment, corrective action plans are required for all Non-conformities and Observations
raised and should be recorded within the Assessment Database, by the Quality Representative, within 10
working days of the issue of the Assessment Report.
Corrective action plans should also be sent to the Lead Assessor for review and agreement.
The normal target for the implementation of corrective action plans is 60 days from the date of issue of
the Assessment Report.
4. ASSESSMENT COMMENTARY
4.1 Release Management
Assessment Criteria: Service Delivery Management Policies & Processes, Manage Releases Policy / Process /
Procedure, Local Release Procedures / Agreement, Manage Service Change Process; Configuration Management,
Resource Management, Risk Management, Customer & Internal Communications, Performance Plus, Measurement
Analysis and Continual Improvement, Document & Record Management,
ISO 9001 sections 4.1, 4.2, 6, 7.1/2/5, 8.
• Process SVM/SDM/PRO/0030 is operated and in place.
• A simple workaround was sampled and process discussion included: Postmaster logging,
  workaround (evaluation & impact), RMF review, Integration, S/W control, LST, Regression
  planning, UAT (customer rig tests), measures (fails in live), PEAK system.
• Process control and review was examined including QFP, Release Delivery Board and
  RMF forms.
• Records are retained in Sharepoint. Release notes were confirmed as available but it was
  suggested that the evidence of test may need to be checked for completeness.
• Process measurement is limited to recording the fails in live. At this time there are no
  incidents.
(Note: At assessment this area will need to be reviewed at the lower delivery level)
4.2 Service Delivery Management
Assessment Criteria: Service Delivery Management Policies & Processes, SDM Community Guidelines,
Performance Measurement (SLAs), Business Relations, Customer Satisfaction, Manage Service Change, Manage
Complaints & Alerts, Reporting & Review, Service Risk, Business & Service Continuity, Service Improvement,
Customer & Internal Communications, IT Finance Management, Incident & Problem Management, Configuration
Management, Supplier Management, Service Introduction, CSLC 10, Documentation & Record Control,
Performance Plus, Measurement Analysis & Improvement,
ISO 9001 sections 4.2, 5.4, 6, 7.1/2/5, 8.
• The process set supporting this function includes all aspects of service delivery. The major
  Incident process (SVM/SDM//PRO/0001) was sampled.
• A Triole help desk is operated for the client. This desk has links to the customer and third
  party supplier desk. There is no automation in the linkage between these activities and this
  may be highlighted as an area for improvement.
• Communication and education processes had been communicated at workshops; however,
  the attendees register had not been created and maintained. As a result it is not possible to
  confirm the level of attendance. Record keeping of this kind can be used to analyse the
  need for further events.
• Measurement is aligned to the contractual requirements. The Service report contains a
  thorough overview of the service (this was not reviewed at this visit as this is already known
  from previous visits).
• Service reviews are conducted with the client.
• A service improvement plan is maintained.
4.3 Configuration Management
Assessment Criteria: Service Delivery Management Processes, SDM Community Guidelines, Manage
Configuration Policy / Process / Procedure, Customer Assets, Asset Management, Configuration Baselines, CM
Plan, CMDB — CIs, CM Audits, Performance Measurement (SLAs), Manage Service Change, Customer Satisfaction,
Measurement Analysis & Continual Improvement, Performance Plus, Documentation & Record Control,
ISO 9001 sections 4.2, 6, 7.1/2/5, 8.
• The Configuration management process area has been placed under scrutiny and rigorously
  reviewed during the root cause and corrective action associated with the recent account
  Red Alert.
• Software configuration management is in place. Build levels are well controlled.
• Hardware configuration management is operated but there are some weaknesses in the
  activity.
• The MSC (Change toolset) is in place. Changes impacting Network diagrams are not
  always maintained fully up to date. The Aperture configuration toolset is operated at the
  data centres but there would appear to be a weakness in the lower levels of build
  configuration information.
• The level of configuration information required is not clearly expressed in the contract and
  there would appear to be no audit sampling programme to check the configuration
  information. There is an “Opportunity for Improvement” in this area.
• Branch configurations are controlled by a specific configuration tool (D1).
• Measurement is not defined and accordingly measures have not been deployed.
Note: It is most likely that the assessment will concentrate on S/W configurations as this is planned as a
TickIT assessment.
4.4 Applications Management - (Application Division)
Assessment Criteria: ADBM / AIM, Local Procedures, Requirement, Incident Management, Management Review,
Change Management, Build and Integration, Test Cycle, Test Criteria, Re-test, Configuration Management,
Resource Management, Risk Management, Customer & Internal Communications, Authorisation / Approval,
Release Management Acceptance, Documentation & Record Control, Performance Plus, Use of Best Practice,
SolutionNET, Measurement, Analysis & Improvement,
ISO 9001 sections 4.1/2, 6.2/3, 7.1/2/3/5, 8.
• The process for Application Development is a hybrid of ADBM and IDBM called HNG-X
  ADBM. This allows the integration of both S/W and H/W. The approach is a waterfall
  methodology.
• Coding standards are in place. Records and documents are retained in a formal
  Dimensions library. Risks are assessed and recorded. Records of approvals and reviews
  are formally retained.
• The recently closed Red Alert will probably be discussed and there will probably be some
  discussion as to the preventative measures that will be taken to stop any reoccurrence. The
  latest issue occurred due to an error in Oracle. Other software issues have been raised in
  the past and care needs to be taken to ensure that the causes have been understood and
  addressed with preventive activities.
• Software bugs are now in control and regularly reviewed and reported. There is a bi-weekly
  formal review.
• Measurement is considered to be quite weak. Although the number of Bugs is retained and
  recorded from PEAK, there would appear to be little analysis, trend or root cause being
  undertaken. Improvement activities may not be demonstrable.
• Some lessons learned are understood; there may be an opportunity to document them
  more rigorously.
Note: It is most likely that we will be asked to present the lifecycle of a project(s) at the assessment as
this is planned as a TickIT assessment. (Release 2 may be suitable)
4.5 PMO & Project management
Assessment Criteria: Project Management Policy, P&PM Processes (CMMI-PP/PMC/REQM/RD), PM
Community Guidelines, Risk Management, Allocation of Resource, Use of “Doc library”, ProjectWeb / Spotlight,
Programme / Project Review, Configuration Management, Change Management, Supplier Management,
Infrastructure Deployment, Test Cycle, Release Management Customer Acceptance, Lessons Learnt & use of Best
Practice, Customer & Internal Communications, Performance Plus, Documentation & Record Control, CSLC 7-9,
Measurement, Analysis & Improvement,
ISO 9001 sections 4.1/2, 5.2/5.5, 6.2/3, 7.1/2/3/4/5, 8.
• This aspect is managed to the “Programme in a box” approach defined within P&PM.
• There is a framework of governance defined. Project boards are in place and these are
  conducted jointly with the customer.
• Records of reviews are in place and records are retained.
• Risk management is in place and linked to account level risk.
• A review template has been developed and underpins the project reviews and is a derivative
  of the project review template.
• Spotlight reporting is in place for appropriate projects.
• Measurement is consolidated into a scorecard (RAG status) report.
• It was stated that some records could be better and that a review is to be undertaken as a
  precaution.
Note: It is most likely that the assessment will concentrate on S/W projects as this is planned as a TickIT
assessment.
4.6 Quality management
Assessment Criteria: Quality Master Policy, Local BMS, Linkage to Corp BMS, BMS Awarene sess & Review
BMS Process, BMS Implementation, Local Interaction of Assessments, Corrective / Preventive Action, Local
Process Management & Ownership, KPM Process, FS Standard for Policy & Process Management, Doc & Record
Control, Measurement Analysis and Continual Improvement, Risk Management, Performance Plus, Quality
Community,
ISO 9001 sections 4, 5, 6.2, 8.
• This aspect is improving week on week and there are a number of known gaps and failings.
• Quality management now has a monthly meeting. QA is also represented at the quarterly
  leadership meeting.
• There is no local EPG at this time and as a result there is no formal mechanism to support
  review of the numerous local processes.
• There are currently no internal audits taking place but a plan has now been drafted.
• Corrective actions have been a focus and the 52 open a few weeks ago have reduced to 22. The
  two BSI findings amongst them are aged and need to be addressed (CafeVik data out of
  date, believed to be in progress; and Management Review — partially addressed).
• BMS awareness is an area of some difficulty and even some senior staff appear not to be
  fully aware of its importance. It is proposed to consider a catch up session and also to look
  at why account induction is not fully addressing this.
• The IAD (Implementation Approach Document) is in draft and a review may be required to
  ensure that it is fully accurate.
• Documentation is abundant but there is no structure or index that controls what should be
  there.
• There would appear to be no up to date Quality Plan for the HNG-X & POL SAP services.
5. NON-CONFORMITIES AND OBSERVATIONS
No Observations and Non-conformities were raised during the course of this assessment.