The challenge for IT organisations today is to improve their services while simultaneously reducing the costs they incur, a challenge usually met with the continuous service improvement approach. This approach has two steps: (1) assess the maturity of the key ITIL processes to identify areas for improvement and (2) enhance the functionalities of the supporting ITSM platform.

However, improving ITIL processes should not be an individual exercise for each process (incident management, problem management, change management, etc.) but should be done holistically. To be successful, process improvement initiatives take into account interactions between individual processes, as well as the availability of accurate information on managed IT assets.

This is where a configuration management database (CMDB) comes into play. A CMDB is a data repository whose main function is to keep track of IT assets, their individual configurations, and the dependencies between them (for example, the link between business applications and underlying infra components—virtual servers, physical servers, network devices, etc.)

Although a robust CMDB is instrumental on the process improvement journey, its real benefits (and business case) extend beyond IT performance services: it can help reduce the overall risk exposure of the bank. As we've seen in recent advisory engagements on improving IT processes, many organisations have limited visibility on the impact of IT changes due to a low quality (or just inexistent) CMDB.

Some estimated figures to illustrate this: 60% of service unavailability is due to inconsistently configured data; 80% of unplanned outages are caused by unplanned changes.

CMBDs thus remain vital for any financial organisation, as they can mitigate risks related to:

  • misspecification or erroneous transition of complex changes within projects, which might put the target achievements at risk
  • insufficient quality of changes and thus of the overall change process, which might threaten other elements of the IT systems and restrict their availability

An accurate CMDB will allow organisations to see the impacts of changes on other IT assets and to ensure full predictability of the changes by preventing collateral damage.

Just to reinforce the message above, the existence of the CMDB is now seen by the European Central Bank (ECB) as a critical element for a better management of ICT risks1 and IT operations. In particular, the ECB sent an IT questionnaire to "significant institutions" in January 2018 to collect standardised information regarding the assessment of ICT risks. Following that, the KPMG-ECB Office produced, in September 2018, a European-wide benchmark on ICT risks and the related supervisory expectations, which showed that many respondents do not have strong CMDBs.

Based on our sample of respondents, we observe that:

  • 45% of respondents don't track critical assets or their recovery requirements
  • 50% of participating banks say they don't have proper configuration management in place

We can thus anticipate that the configuration management process and supporting CMDBs will come more and more under ECB scrutiny. ICT findings in this area are likely to feed the overall SREP conclusions, potentially leading to significant remediation plans for banks. ( Read more about the strongest and weakest performing ICT areas).

Finally, in helping clients shape their ITIL roadmaps, we have noticed that it's commonplace for many non-IT departments to develop and maintain their own, separate IT databases. One such department is often the one in charge of the business continuity plan (BCP), whose mission is to know which IT assets (desktops, servers, applications, etc.) are part of the IT crisis fall-back plan. This type of silo, however, ultimately hurts the company: without an up-to-date, single CMDB, BCP managers have a harder time mapping critical applications to the supporting IT infrastructure, which changes all the time (through refreshes, upgrades, update cycles, etc.)

Conclusion

The CMDB is the cornerstone of IT services delivery. It improves risk management, by mastering the IT services value chain, while identifying the service impacts of individual IT components that support mission-critical applications. .

Next up on the KPMG Blog:

Fighting cybercriminals with the updated SWIFT CSP

Footnote

1 Referring to the final version of the EBA guidelines on ICT Risk Assessment under the SREP, the EBA defined a taxonomy of five categories of ICT risks to be monitored: ICT Availability and Continuity Risk, ICT Security Risk, ICT Change Risk, ICT Data Integrity Risk, and ICT Outsourcing Risk.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.