Service Research in Luxembourg: a focus on Service System Governance and Enterprise Architecture
Eric Dubois
Dept of Service Science & Innovation
Area: 2,586 km²
Total population: 600,000 inhabitants, including 229,900 foreign residents
Main activities related to:
• Financial centre
• Digital economy, media and audiovisual production
• Logistics
• Industry
Luxembourg is a leading Service Economy
Source: IBM, Paul Van Droogenbroeck
AGORIA, 4th Round Table on Service Innovation, Brussels, September 2008
National Strategy: IT is a key enabler for the next generation of innovative data intensive services
TUDOR: a Luxembourg Research and Technological Organisation (RTO)
Service Science & Innovation: a department of 130 multi-disciplinary people (IT, information, management, organization, economics)
Coming in January 2015: « IT & Innovation Service », a new department of 180 people
TUDOR: the SSI department
Like Fraunhofer, VTT, or TNO in Europe, TUDOR is an RTO operating in Luxembourg. The Service Science and Innovation (SSI) dept has the following missions:
Innovation
• Co-design of innovative services in a private/public bilateral or network
partnership
• Support to service innovation in companies by training them and making
available appropriate management processes and tools
Research
• Contribution to Service Science
Policy Support
• Policy support to the development of the Services Economy in
Luxembourg (including aspects related to standards and regulations)
The SSI Research, Development and Innovation expertise in a nutshell
Dynamic Knowledge
Technology enhanced adaptive learning and decision support making in a context of complex and dynamic data exploitation
Data Intensive Services
Trusted Service Systems
Digital Models for the Governance, Risk and Compliance (GRC) of service systems at design time and run time
Service Supply Chain QoS
Service Innovation in a Living Lab setting
Finance, Construction, Health, Mobility, Public Management, Transport and Logistics, Human Capital, EcoTechnology, Manufacturing Industry
According to a Service system design Science research method [1]
[Figure labels: Service Exposition, Service Design, Service Value, Service Deployment, Service Capitalization, Service Engineering]
Service System Governance and Enterprise Architecture
Trusted Service Systems
Digital Models (IT) for the Governance, Risk and Compliance (GRC) of service systems at design time and run time
Service Supply Chain QoS
The Finance Centre: an example of service system
[Figure: The Finance Service System in Luxembourg. Actors: Banks; Fund Mgt Institutions; PSF (Finance Service Providers); e-Archiving Services; Data Center Services; Telco Services]
Regulators
• CSSF: risk management
• ILNAS: Luxembourg Law on e-Archiving
• CNPD/EU: data protection
• ILR/EU: risk management
Standards, Norms and Best Practices
• IT Service Management (ITIL)
• Security Management (ISO 27000)
• Risk Management (ISO 15408, Basel III)
[Figure: Finance Service System actors; labels: Regulators / Standards / Best Practices, Customer / Provider]
Research Question: Support the implementation of regulations and standards at design and run time
Research Question: How to report compliance elements through comparable (standardised) SLA
Research Question: Improve the confidence through transparent and comparable (standardised) SLA
Research Question: Support the implementation of regulations and standards in terms of the enterprise architectures
Provide objectively measurable reference models
The Proposed Solution
[Figure: layered Enterprise Architecture model of the ArchiSurance damage claiming process (Registration, Payment, Valuation, Acceptance). Roles and actors: Client, Insurant, Insurer, ArchiSurance. Layers: Roles and actors; External business services; External application services; Application components and services; External infrastructure services; Infrastructure]
- Regulations
- Laws
- Standards
- Norms
- Best Practices
- …
Enterprise Architecture
Process Reference Framework for supporting the
- Definition of a compliant organisation at design time
- Measure of the compliance at run time
[Figure labels: What, How, Who, Why; Motivates]
- Regulations
- Laws
- Standards
- Norms
- Best Practices
- …
Enterprise Architecture
Process Reference Framework [2,3]
Based on ISO 15504 principles
Process: a set of correlated or interacting activities that transforms inputs into outputs
[Figure: Business Process with Input, Outputs and Outcomes; Indicators: Resource / Work Products]
Excerpt of the ITIL 2011 TIPA Process Framework
Event Management
Columns: Process Attribute 1 | P.A. 2.1 | Process Attribute 2.2

Purpose
  Process Attribute 1: Ensure that any event that has significance for the management of CIs and IT services is dealt with.
  P.A. 2.1: …
  Process Attribute 2.2: The event definition, recording and handling are adequately documented

Outcomes
  Process Attribute 1:
    1. All changes of state that have significance for the management of a CI or IT service are detected and logged as an event;
    2. The significance of each event is understood;
    3. The appropriate response actions for each event are determined and communicated to the appropriate target group.
  P.A. 2.1: …
  Process Attribute 2.2:
    a) Significant events are documented
    b) Event documentation is internally reviewed
    c) Events related actions are tracked and documented

Indicators
  Process Attribute 1:
    Practices: Define events, implement notification facilities, record events…
    Work Products: Event categories, event record, event trends…
  P.A. 2.1: …
  Process Attribute 2.2:
    Practices: Define event documentation; Define event trend report
    Work Products: Event documentation; Event trend report contents

[Figure labels: Superior SLA, Normal SLA]
Building a Process Reference Framework
Op. Risk Assess.
Columns: 1 | 2.1 | 2.2 | …

Purpose
  1: Identified operational risks are qualitatively assessed. [Source: 141, ..., 662, …, 859]
  2.1: …
  2.2: The loss exposure, the risk profile, … are appropriately managed.
  …

Outcomes
  1:
    a) an operational risk assessment strategy is developed, including the principles of how operational risk is to be assessed, according to the size, the sophistication, the nature and the complexity of the bank’s activity; [Source: 1, ..., 357]
    b) bank is aware of the loss exposure (qualitatively) of each identified risk on its business; [Source: 139, …, 248]
    c) identified risks are organized (7 loss event types in Basel II); and [Source: 139, 455]
    d) bank’s risk profile is determined. [Source: 140]
  2.1: …
  2.2:
    a) WP Req.: The risk profile must be defined for each of the 7 loss event types;
    b) Control Req.: risk probabilities must be consistent across months;
    c) Control Req.: Historical differences of loss exposures must be documented;
    d) Loss exposures must be reviewed once a month by peers under supervision of operational risk management department
    e) …
  …

Indicators
  Practices: Risk probabilities are self-assessed.
  Work Products: Risk probabilities with defined probabilities categories
  Resources: Risk assessor has knowledge in risks and self-assessment techniques used.

  Practices: Peer-review of risk probabilities
  Work Products: Peer-review report of risk probabilities
  Resources: Peer reviewer has knowledge in risks and peer-review technique
Goal Oriented Requirements Engineering based on i* and traceability [4,5]
Support to the deployment of the Framework at Design Time
Development of EA Reference Model and traceability to their Implementation [6,7]
Conclusion: associated works
• Input to ISO 20000/4
• Book publication: Van Haren Publishing, December 2009
• Training provided by IT Preneurs
• Approx. 170 TIPA certified Assessors
• 24 countries: Japan, USA, Canada, Denmark, Australia ...
TIPA® - Tudor ITSM Process Reference Framework www.tipaonline.org
ISO 15504 is a standard process assessment framework that can be used in any field of activity and on any type of process
Financial sector
• Operational Risk (Basel III)
• Credit Risk Management
• Know Your Customer/AML
IT industry
• Information Security (ISO 27000)
• eArchiving
Others
• Business continuity
• Knowledge management
• Project management
Other Process Reference Frameworks
References
[1] Eric Dubois, Anne Rousseau, "Service Science: A Service System Design Science Research Method?", Exploring Services Science - 4th International Conference, IESS 2013, Porto, Portugal, February 7-8, 2013. Proceedings. Springer Lecture Notes in Business Information Processing, 2013
[2] Béatrix Barafort, Anne Rousseau: Sustainable Service Innovation Model: A Standardized IT Service Management Process Assessment Framework. EuroSPI 2009: 69-80
[3] Michel Picard, Alain Renault, Stéphane Cortina: How to Improve Process Models for Better ISO/IEC 15504 Process Assessment. EuroSPI 2010: 130-141
[4] André Rifaut, Eric Dubois: Using Goal-Oriented Requirements Engineering for Improving the Quality of ISO/IEC 15504 based Compliance Assessment Frameworks. RE 2008: 33-42
[5] André Rifaut, Sepideh Ghanavati: Measurement-oriented comparison of multiple regulations with GRL. RELAW 2012: 7-16
[6] Eric Grandry, Christophe Feltus, Eric Dubois: Conceptual Integration of Enterprise Architecture Management and Security Risk Management. EDOC Workshops 2013: 114-123
[7] Nicolas Mayer, Jocelyn Aubert, Hervé Cholez, Eric Grandry: Sector-Based Improvement of the Information Security Risk Management Process in the Context of Telecommunications Regulation. EuroSPI 2013: 13-24