POL00337661
I.T. Service Design and
Transition Policy
Version — v2.5
INTERNAL 1of9 Service Design and Transition Policy
Contents
1 Introduction
1.1 Purpose
1.2 Goals
1.3 Scope
2 Roles and Responsibilities
3 Policy Statement
4 Governance
4.1 Control Standards
5 Policy / Process Reviews
6 Audits
7 Continual Process Improvement
8 Control
Policy Version
Policy Approval
Company Details
1 Introduction
1.1 Purpose
This IT Service Design and Transition (SD&T) Policy has been produced to detail and describe the rules
which must be followed by all parties involved in any change activity that has the potential to impact
on IT Service. The SD&T process provides a methodical and robust framework in which design and
transition activity can be effectively managed.
The SD&T process description specifies the SD&T processes and controls that are in place to minimise,
or, where possible, prevent, the exposure of the IT Service Management functions, and therefore our
Customer and Post Office (PO) Ltd, to any potential risk to or degradation of service as a result of the
introduction of new products, services or changes.
The purpose of the SD&T processes and controls is to ensure that requirements are input to enable
the service to be effectively and efficiently designed, that it is a cost effective and value for money
service, and that it can be supported through its lifecycle, including decommissioning.
The SD&T team will represent the interests of the IT Service and Operations team in order to ensure
that any changes do not impact the BAU run estate unexpectedly.
1.2 Goals
The goals of the SD&T Team are to:
* To ensure any new, changed or decommissioned services follow a standard and consistent set
  of IT policies and processes.
* To ensure the service(s) being deployed have an agreed set of Non Functional Requirements
  that provides a support wrap suitable to ensure it continues to meet Post Office's agreed
  business SLAs, IT security and data protection guidelines.
* Ensure that the service is designed to be the most cost effective, value for money service.
* Ensure the service is fit for purpose, widely understood, can be supported and runs as
  expected.
* Ensure all impacts on services, hardware and software, whether that change is new, changed
  or decommissioning, have been correctly procured through Contract and Vendor Management
  and adhere to Post Office procurement guidelines and rules.
* Ensure that exposure of IT Service and Operations management, and therefore our customers
  and Post Office Ltd, to potential risk is minimised through the introduction of a methodical
  framework for managing change and transition activity.
* Ensure collaborative working between Business recipients of IT managed services and the IT
  Service and Operations management themselves, suppliers of IT services and technology, and
  wider Project teams (inside and outside Post Office).
1.3 Scope
The policy applies to all Post Office employees, agents, contractors, suppliers and consultants who
may be involved with any transition activity or change which has the potential to impact on IT Service.
This policy applies to all changes that have an IT Impact. These can be delivered in a number of ways
including those methodologies known as Waterfall and Agile. The policy covers all sizes of change
including small changes, iterative releases, software releases as well as large changes, such as
procurement exercises, large vendors and bespoke contracts.
2 Roles and Responsibilities
* The Head of Service Design and Transition owns the policy and is responsible for:
    o Ensuring the policy is aligned with business needs
    o Ensuring the policy is adhered to
    o Ensuring that regular reviews of the policy's content are carried out and that any
      required updates are made in a timely manner
    o Ensuring the most up to date version of the policy document is published and available
      to stakeholders for use
    o Ensuring all changes impacting IT are fully aware of and aligned to this policy
* The SD&T Team, reporting to the Head of Service Design and Transition, are responsible for:
    o Supporting the policy owner in their responsibilities
    o Day to day implementation of and adherence to the policy
    o Disseminating SD&T policy to a wider audience for any stakeholders for managing
      change
    o Providing sign posts for change initiators to other teams who are impacted, identified
      as part of the IT Impact Analysis
* Heads of IT Service are responsible for:
    o Ensuring that any services in scope of IT Service Management are appropriately
      covered with a service wrap.
    o Ensuring that service changes are delivered in line with Business Requirements
    o Ensuring that IT Requirements are communicated and agreed with all parties
    o Ensuring that before any go live of a service in a live data environment (aka
      production, live, in service, BAU, in operation, in operational support, etc):
        - All Requirements placed on a change are met
        - Any risks or issues are understood and accepted with mitigation plans
        - All operational costs (OPEX) are understood and accepted
    o Ensuring that any Warranty periods and exit criteria are met prior to closure of
      change activities (i.e. project team exit, defects raised with planned resolution dates,
      etc)
    o Providing final approval for any service change to be moved into live (aka go live,
      production, BAU, etc). Heads of Service may delegate this authority to Head of
      SD&T or IT Service Manager.
* Project, programme and business stakeholders are responsible for facilitating adherence to
  or adhering to this IT policy
3 Policy Statement
The SD&T Team will:
* Provide lead subject matter expert capability on service design and transition activities
* Provide Non Functional Requirements that are fit for purpose when the service moves to a
  BAU run state.
* Assure all changes in service (whether new, changed or decommissioned) to agreed criteria.
  Criteria will be derived from standard published ways of acceptance and, where required,
  project specific criteria.
* Where requested, provide lead or subject matter experts on Service Design and Transition,
  including modelling, planning, transition and early life support activities.
* Engage with Business and Account teams (Business Relationship Managers, Portfolio
  Managers, Programme and Project managers, Product Managers) on a regular basis to ensure
  a shared understanding of roadmaps and future plans.
* Contribute to all stages of delivery (initiate, assess, design, build, test, run) to ensure that the
  IT service designed is both cost effective and value for money, for the Client, the Customer
  and Post Office.
* Work collaboratively with our internal stakeholders (IT Service and Operations, other Post
  Office Business and Account teams, etc) through the full project lifecycle, to ensure that
  roadmaps and future plans are understood and associated service impacts are identified.
* Work collaboratively with the Product, Portfolio and Project managers, and Project team
  members, through the full project lifecycle to represent the IT Service and Operations team. This
  will ensure all service impacts are identified and included as deliverables in project plans,
  therefore ensuring that, at handover stage, the service:
    o Is fit for purpose
    o Is widely understood
    o Can be supported
    o Does not impact the business in any negative or unexpected way
* Identify, manage and mitigate risks or issues with a concept, design, test or deployment,
  escalating where appropriate.
* Seek to ensure quality by adopting standard processes, deliverables and documentation
  (even where the vagaries of project requirements may require different levels of IT Service
  Design and Transition activity).
* Work collaboratively with our Customers, Clients, Stakeholders and Suppliers and expect that
  they will adhere to the SD&T processes.
The SD&T Team will not provide approval or support the transition of a project through any Post Office
Governance gating unless all signed off SD&T specific readiness/acceptance criteria have been
satisfied. This may include the following documentation:
* Service Design, including appropriate service modelling
* Agreed SLAs and other performance metrics and monitoring
* Service Transition, release or deployment plans
* Operational Level Agreements
* Operational Acceptance Certificate
* Warranty or Success criteria
* Other certification or criteria as defined under the Service Design and Transition principles
All stakeholders will:
* Support the SD&T processes and procedures
* Engage at the earliest opportunity with the SD&T team
* Consult the SD&T Team at appropriate stages for sign off/concurrence to proceed (via any
  formal Post Office governance gating)
* Consider and adhere to the SD&T Principles
* Adhere to the SD&T Guidelines
* Contribute to and support the development of any transition, release or deployment plans
* Include the Service Transition Plan in the overall project plan
* Ensure free and open channels of communication with the SD&T team throughout the
  project lifecycle.
* Identify and own relevant risks and issues and escalate via appropriate, agreed channels.
4 Governance
There should be no exceptions to this policy. The Policy applies to all change and transition activity
and is a mandatory part of gaining concurrence to proceed to go live. Any service that interacts with
live production systems or data is covered.
This policy forms one component of the overall IT Policies within Post Office. The policy will align with
other IT policies and Post Office policies to deliver changes in service. As a child of those policies,
where a conflict arises it will be managed as per Section 5 and/or 7 to conduct a review and ensure that
there is consistency in delivery between all Post Office functions.
The Post Office governance forums (aka Change Excellence programme) are supported by and support
the SD&T processes. The governance forums will not support or approve projects through the relevant
gates without concurrence from the SD&T Team.
4.1 Control Standards
The control standards described below are derived from the IT Controls Framework (COBIT 5). The
controls are in place to manage the risks within the defined Risk Appetite statements, as contained
within the table below. To comply with this, mechanisms are in place within IT to demonstrate
compliance.
The table below sets out the relationships between identified risk, and the required minimum
control standards.
Risk Area: Establish an effective implementation plan
Description of Risk: Absence of well defined and communicated implementation plans may result in
implementation of changes without a structure and correct instructions, lacking an impact assessment
of interdependencies with other systems/processes. This may result in business service outage,
financial, reputational and brand damage.
Minimum Control Standards:
* Ensure implementation plans reflect the broad implementation strategy, the sequence of
  implementation steps, resource requirements and criteria for management acceptance.
Who is responsible: Defined - Service Design and Transition Manager; Ongoing oversight - Release manager
When: Go Live; Quarterly

Risk Area: Plan acceptance tests - Delivery
Description of Risk: Failure to plan testing, including definition of roles, responsibilities, and
entry/exit criteria may result in insufficiently tested changes being implemented in PO production
environments resulting in incidents and unavailability of business critical systems.
Minimum Control Standards:
* Align test plans to the program/project plan and communicate them to, and consult on them with,
  appropriate PO business owners and IT stakeholders.
* Test plans must be derived from the risk assessments from the project and shall cover all
  functional and technical requirements including requirements for performance, usability, pilot,
  security testing and fall-back or rollback arrangements.
* Ensure test plans are approved by stakeholders, including business process owners and IT, as
  appropriate. Examples of stakeholders are application development managers, project managers
  and business process users.
* Ensure test logs are reviewed by the development team so that all errors found have been
  remediated or formally accepted as known errors before migrating the change to Production.
* Validate that testing is designed and conducted by a test group independent from the
  development team.
* Ensure testing is conducted only within the test environment.
* Ensure final acceptance is evaluated against success criteria. Test results must be presented in
  a form that is understandable to business process owners and IT so an informed review and
  evaluation can take place.
Who is responsible: Defined - Service Design and Transition Manager; Ongoing oversight - Release manager
When: Go Live; Quarterly
5 Policy / Process Reviews
The effectiveness and efficiency of the SD&T process is reviewed on an ongoing basis. Post-
implementation reviews should take place for each transition of a service into live. Lessons learnt
and actions will be raised as a business change request, service request or process depending upon
the nature, feeding into the continual service improvement across the business.
At a minimum the SD&T policy and processes will be reviewed once per year. The next review date is
as stated in Section 8 Control.
6 Audits
All business requests resulting in a need for a Service engagement are logged in the service
management tool and data is available for audits to take place. Internal and external audits may
occur on an ad hoc basis.
7 Continual Process Improvement
It is the responsibility of the allocated Service Design and Transition manager to capture information
that feeds into the continual service improvement plan for the SD&T policy and process.
8 Control
Policy Version
Date        Version  Updated by       Change Details
19/09/2018  2.0      Stuart Banfield  Updated policy
13/11/2018  2.1      Stuart Banfield  Updated to include reference to COBIT 5 controls
06/12/2018  2.2      Stuart Banfield  Update after review by Risk team
15/03/2019  2.3      Stuart Banfield  Update
05/04/2019  2.4      Stuart Banfield  Added notes for
                                      * All projects will adhere to this policy regardless
                                        of delivery method (Waterfall or Agile)
                                      * Heads of Service responsibilities and sign off
                                      * Conforms to other policies and requirements
13/05/2019  2.5      Stuart Banfield  Further updates after receiving feedback from
                                      various areas of IT and business
Policy Approval
Group Oversight Committee: Risk and Compliance Committee and Audit and Risk Committee
Committee Date Approved
IT Leadership Team TBC
Policy Sponsor: Mick Mitchell
Policy Owner: Stuart Banfield
Policy Author: Stuart Banfield
Next review: May 2020
Company Details
Post Office Limited and Post Office Management Services Limited are registered in England and Wales. Registered numbers 2154540 and
08459718 respectively. Registered Office: Finsbury Dials, 20 Finsbury Street, London EC2Y 9AQ.
Post Office Management Services Limited is authorised and regulated by the Financial Conduct Authority (FCA), FRN 630318. Its
Information Commissioners Office registration number is ZAO90585.
Post Office Limited is authorised and regulated by Her Majesty's Revenue and Customs (HMRC), REF 12137104. Its Information
Commissioners Office registration number is 24866081.