Assessment Control Page
FUJ00080712
FUJ00080712
Assessment Type Internal Assessment Reference GHQ/POA/090304
Area POA Processes Assessed Various (see
assessment scope)
Contact(s) Jan Holmes Process Owner(s) Various (see
assessment scope)
Planned Date 09/03/04 Lead Assessor Alan Clapson
Start Date 09/03/04 Full Report Title
ment Summary
1. Objectives of Assessment
This Fujitsu Services Internal Assessment focused on key business functions performed in the
Customer Services unit of the Post Office Account (POA) and considered, through the assessment of
local processes and working practice:
= The compliance of those functions with relevant aspects of the ISO 9001:2000 standard.
= The compliance of those functions with relevant Fujitsu Services Corporate Policies and Processes
* Any areas suitable for promotion as good business practice across Fujitsu Services.
In addition, every opportunity was taken to give advice and guidance on ISO 9001 and corporate
process deployment.
2. Scope of Assessment
This Fujitsu Services Internal Assessment was conducted over I days, within the BRAO1 offices, and
involved the following members of staff :
Function / Role Interviewee
Operations & Support Services Peter Burden
Management
Systems Support Centre Mik Peach
Reference Data Dave Wilcox / Aileen Davis
Business Continuity & Disaster Tony Wicks
Recovery
3, Management Summary
During this Assessment a total of 2 Observations were raised.
In summary, the main findings, and recommendations where appropriate, were as follows:
© ...Management review, analysis and corrective action in POA Customer Service has been
maintained at a good level since the last Internal Assessment and Customer Focus is maintained
through an established system of peer level forums.
© ...It was recognised that opportunities now exist to move to being more pro-active in using the
good level of statistical data gathered and trend analysis performed to implement more preventive
than corrective actions.
« — ...The SCC was seen to be well managed and continually meeting its SLTs. Effective call
measurement, trend analysis, potential root causes of increasing call volumes and proposed
preventive actions have been documented by the SSC Manager. This is a potential opportunity
where preventive action may avoid possible SLT failure in the future.
_ ...The POA organisation has moved on since previous visits, with many staff having moved into
Core Services. The interfaces between POA and Core was seen to be well maintained and
formally reviewed as part of monthly Ops reviews.
¢ — ...Underlying issues over the use of draft documentation and guidance in the live environment are
still being observed, despite having been raised in previous assessment reports.
e _ ...The level of documentation associated with the Business Continuity & Disaster Recovery area is
very high. Attempts have been made to reduce the document control overheads by combining test
plans and reports into annual documents. However this has introduced an issue over version
control (see section 4.4 of Assessment Commentary). It was recommended that the POA Quality
Manager assist the BC Manager in achieving the desired savings in overheads, without losing
document controls.
4, Assessment Commentary
4.1 Operations & Support Management
Assessment Criteria : Strategic direction & Cascade of Objectives, KPI Measurement, Analysis &
Corrective Action, Internal Comms, Customer Comms, Local Process review & improvement,
Interfaces with other FS Units, ISO 9001 sections 4,5,6,8.
© Customer Services top management were last assessed in 2001 when it was reported that their
management processes were in good order. It was encouraging to see that this still being
maintained.
© The Ops and Support Services Manager was well aware of POA strategic direction and CS’s
role in it, Common, “strategic” objectives were seen to be cascaded through the organisation
within staff's personal objectives. While not all were measured on these, it ensured that all
could see how their personal objectives mapped onto the Business Unit’s.
© Management review, both internally (eg. monthly reports, team meetings, Core Services (Ops)
Reviews, etc) and with the customer (eg. Service Review Book, Service Management Forum,
Operational Forums, etc) is comprehensive and records readily available.
© Customer Satisfaction is gauged via a top level CSIP and a tailored Monthly Scorecard.
Management objectives reflect a target of moving from 7 to 8.
© Reports and forum output show evidence that identified issues are being addressed and
corrective actions pursued, but there is a recognised opportunity for the unit to become more
pro-active in recognising trends and moving more to preventive, rather than corrective, action
(see SSC section for example).
4.2 System Support Centre
Assessment Criteria : Cascade of Key Objectives, Management Review, Perf + & Staff
Competencies, Key Performance Measurement, Analysis & Action, Resource Management, Incident
Management, Sharing Lessons Learnt, Record Control, Continual Improvement, ISO 9001 sections 4.2,
5.4, 5.6, 6, 7.1,7.2, 7.3.6, 7.5, 8.
« As above, both the SSC Manager’s objectives and those sampled of his staff, contained
reference to common POA objectives, as well as personal ones.
© The unit is primarily call driven. The current PinICL system is about to be replaced with a
new, POA developed, PEAK system. The justification for the new development included the
rejection of use of Peregrine on the basis of cost and level of tailoring required. The assessor
will raise this with corporate Peregrine owner as the system is company preferred system and
therefore should be a viable option to all units.
* Ahigh level of call stats are generated from the current system and comprehensive analysis
was seem to take place. A baseline feed to the stats system is the daily SLT (Service Level
FUJ00080712
FUJ00080712
Targets) report which identifies all SLT misses, the responsible unit and the penalty incurred.
While the SSC are consistently meeting the SLTs related to their area, stats show that call
volumes are constantly rising (doubled in last 12 months). Analysis by the SSC Manager
indicates that this is partly due to the number of new functional releases being introduced, at
customer demand, in preference to maintenance / bug fix releases. The new functional
releases inevitable result in a rise in new calls, which compound those still being raised on
problems that already have a corrective action waiting to be implemented (aprox. 300 bugs
outstanding at the time of this assessment). A justification paper for more SSC staff also
identifies that they are now supporting some 70 products, compared with an original 40 and
that the SSC is running at around 3 heads worth of overtime in order to maintain their current
level of service. While it is a POA business decision as to whether the SSC proposals are
implemented, this is an example of where effective analysis of available data might be used to
instigate preventive action before service levels potentially decline.
The SSC website was seen to be very well structured and user friendly. It is the hub for the
unit’s change control systems, it’s Known Error Log (KEL) and customer / systems
background information. Examples taken from the Operational Change Proposal (OCP)
system were seen to be well documented, controlled and effectively approved using a digital
signature function.
It was noted that, due to the scope of their support role, SSC staff are able to access any part
of customer data, including that deemed secure. Unit processes demand that authorisation be
obtained from the manager, or nominated team leaders, before accessing such data but there
are no “physical” restrictions stopping staff access. A full audit trail of all access to customer
data is available via secure server records, but these are only checked on request. On the
theme of pro-activity and prevention, it may be appropriate to introduce a process of routine
analysis of the server logs and sampling of reasons for access.
SSC staff are associated with TSS3 to 5 role descriptions within the Service Delivery
Professional Community. Ata working level, the manager maintains a unit skills matrix
which cross references the experience, training and skills of each member of staff against the
elements of the POA deliverables that the SSC support. This was regarded as a good method
of ensuring general community and business related competencies were maintained.
Development needs identified on this matrix were seen to be referenced in staff's development
needs within Perf + records. Staff are encouraged to maintain their skills records on the
Corporate Skill Database, but this is mandated of monitored by management.
Several key suppliers are used in providing support to the PO (eg. Eicon, Metron, Utimaco,
Interstage, QAS). While their costs come out of the SSC budget and the SSC Manager is
involved with establishing the support contracts with them, due to their contribution to
development and subsequent 4" support role, their main POA interface is the
4.3 Reference Data
Assessment Criteri:
Customer Property, Security Considerations, Performance Measures (analysis & action), Interface with
other Units, ISO 9001 sections 4.2, 5.4.1, 6.3, 6.4, 7.2, 7.5, 8.
: Cascade of Key Objectives, Local Procedures, Customer Interface, Control of
Changes to Reference Data supporting the PO systems is passed to POA via the Ref Data
Management Centre (RDMC) system, which resides on the customer’s network but to which
the unit has access. A prompting tool has been introduced to avoid POA having to check for
new requests.
Requests follow an 8 stage cycle through RDMC which covers receipt to implementation and
includes POA validation and customer approval for release. RDMC is the key record
repository with movement between stages, by appropriately authorised users (audit trail
recorded in system) seen as authorisation to proceed.
Reference systems are used by POA to validate the changes and the customer to verify, prior
to release(by the delivery team within Data centres, once change reaches stage 8 in RDMC).
The level of testing performed on a change is, to a degree, governed by the nature of the
change, as indicated by the prefix on the RDMC reference number. Description of these
prefixes is held in the local procedure, CSPRD/108, part of which is the “OBC Naming
Conventions”. This is obviously an important reference document, and was seen to be pinned
up beside staff's desks. However, the copies seen were still draft versions (“2.3 - Dra!
FUJ00080712
FUJ00080712
FUJ00080712
FUJ00080712
While the stages of the requested changes are tracked via the RDMC, more detail regarding
the workflow of individual changes is maintained within the Ref Data Change Catalogue
(RDCC). This internal POA system is used to manage resources and internal activity
associated with each change, data to be tested having been transferred from the RDMC, via
floppy, to the local system.
© The manager of the Ref Data Team was not aware of any contractual targets associated with
his area. SLTs are set for timely distribution of changes once they are delivered to the
Delivery Team, but there are none relating to processing the changes prior to that. However,
performance data is captured in a monthly RDORD (Ref Data Ops Review Forum) report and
this is reviewed with the customer every 2 months. A top level objective is that no release is
late (could have serious impact on PO trading). Lead times for issue of changes have been
agreed with the customer and the RD Team generally have releases ready for delivery in
advance of required dates. This is a key measure within the RDORD report, demonstrating
that, regardless of lack of contractual requirement, the team is generally exceeding customer
expectation.
4.4 Business Continuity & Disaster Standby
Assessment Crit : Cascade of Key Objectives, Local Procedures, Customer Interface, Interface
with other Units, Contractual Requirements, KPIs, Business Continuity Master Policy, Risk
Assessment, Testing (resourcing), Continual Improvement, ISO 9001 sections 4.2, 5.4, 6.3, 6.4, 8.
© The manager interviewed is responsible for Business Continuity, Disaster Recovery, Major
Business Continuity Incident and Problem management. This assessment focused mainly on
the business continuity (BC) aspects of his role.
¢ Key documentation associated with this area include: Risk Assessments, BC Framework
Document, BC Plans, BC Test Schedule, Test Scripts and Test Reports. Paper samples were
viewed on the day but it was also seen that masters were kept in PVCS.
¢ — Itisa contractual requirements that POA provide a BC service and customer business critical
systems are the subject of a contract schedule. The BC Manager interviewed does not have
direct access to the schedule but critical systems are listed in the BC Framework Document,
and this is approved by the customer prior to issue.
«An annual schedule of tests was seen to be in place and being actioned. It was also stated that
this schedule is used to provide operational units with early warning of planned tests and to
ensure resources are available.
e Based on Risk Analysis and history of service elements, tests will either be walkthrough, in
the development environment or in the live environment. At least annually a campus outage
is simulated and continuity plans tested.
e BC Plans for each service element are produced and supported by test scripts detailing
differing disaster scenarios. Results of running the tests are recorded in Test Reports and
Observations raised where corrective / improvement actions are identified. Plans and Reports.
are copied to the customer and POA management. The BC Manager is in the sign-off loop for
all new service developments and can therefore amend BC plans as appropriate.
© Apart from approval and visibility of documents, the customer is sometimes involved with
actual testing. A 2 monthly Business Continuity Forum is held between POA and the
customer.
«The BC area has limited resources and attempts have been made to reduce the document
management overheads by merging plans and reports into higher level, annual document. The
BC 2003 Operational Test Plan and Report (CS/PLA/078 & CS/REP/151) were both still in
draft (v 0.2) at the time of this assessment. It was stated that the reason for this was that the
test scripts used for individual service elements were constantly being amended and it was
therefore impractical to issue the document as definitive. However, this creates a situation
where tests are being performed from a draft document, with the inherent risk that operators
will use the wrong version. In addition, it was stated that test operators would often work
from the previous, individual, versions of test scripts, instead of those now embedded in the
annual documents.
FUJ00080712
FUJ00080712
s this was the first Internal Assessment visit to this area of Customer Services and the scope
of responsibilities exceeded the time available,
5. Observations & Non-conformances
The following Observations and Non-conformances were raised during the course of this assessment :-
FUJ00080712
FUJ00080712
Obse n Details
Reference / Sequence 1 Date of Observation 09/03/04
Category Observation Standard / Section 1s09001_ I 8.5.3
Corporate Process Manage Calls & Local Process
Incidents
Unit cs Country UK
Location BRAOL Division POA
Interviewee Mik Peach Interviewee's Role SSC Manager
Area Contact Jan Holmes Assessor's Name Alan Clapson
Observation
Effective measurement and analysis has resulted in an awareness of continually rising call levels within
the SSC. Further analysis has identified the potential root cause of functional releases being
implemented in advance of maintenance (bug fix) releases. The SSC manager has produced papers on
the potential problem and solutions but there is little evidence that preventive action is planned to
address underlying issues, or resourcing, before SLTs start to be missed.
See section 4.2 of Assessment Commentary for further detail.
Notes
Corrective Action Details
Corrective Action To Be Taken
Actionee
Reviewing Manager
Forecast Completion Date
Actual Completion Date
Verified By
Date Verified
FUJ00080712
FUJ00080712
Observation Details
Reference / Sequence 2 Date of Observation 09/03/04
Category Observation Standard / Section ISO 9001 [42
Corporate Process
Document Standard
Local Process
Unit cs Country UK
Location BRAOL Division POA
Interviewee Dave Wilcox / Tony Interviewee's Role Ref Data Mng / Business
Wicks Continuity Mng
Area Contact Jan Holmes Assessor's Name Alan Clapson
Observation
Key documents in the Reference Data team and the Business Continuity were in draft status, although
already in use within the units. Examples seen included:
OBC Naming Conventions — Draft 2.3, in Reference Data area
Business Continuity 2003 Operational Test Plan — CS/PLA/078 — Draft 0.2 — 19/12/03
Business Continuity 2003 Operational Test Report — CS/REP/151 — Draft 0.2 — 19/12/03
Notes
Tt was recommended that all key documentation in use in these areas be checked for document status.
Also that the general approach to documenting business continuity test scripts and reports be reviewed
in terms of achieving savings in documentation overheads, while maintaining document control.
See sections 4.3 & 4.4 of Assessment Commentary for further details.
Corrective Action Details
Corrective Action To Be Taken
Actionee
Reviewing Manager
Forecast Completion Date
Actual Completion Date
Verified By
Date Verified