Save 20% on accredited ISO 27001 course exams.
Limited-time offer – ends July 18, 2024
Use promo code:

What should be on the SMS management review agenda according to ISO 20000?

There are a lot of people interested in the Service Management System (SMS) based on ISO 20000. But, there are also a lot of people who don’t like meetings. I understand them, but there is one meeting (required by ISO 20000-1, SMS requirements) that connects those two groups and their top management – it’s a management review meeting. I will say that, although it is mandatory, it’s not “just another meeting” that needs to be held.

I have to emphasize that the standard itself regulates quite well the content of the meeting. Meaning, you will find many direct inputs as standard requirements, so there will be no doubt as to whether some item is needed on the agenda or not. And, if you are involved in the meeting organization – that will make your life easier.

What are the inputs?

ISO 20000 contains quite an extensive list of mandatory inputs (one of the “shall” statements) – consider it as a help while preparing the meeting. So, the requirements are:

  • customer feedback – exists in various forms, e.g., annual customer satisfaction survey, customer complaints and/or compliments, or feedback received as a short survey contained in incident tickets (read the article ITIL Customer satisfaction – Design driven by outcomes to learn more).
  • service and process performance and conformity – most probably you use some of the tools to measure your organization’s activities and compliance to, e.g., Service Level Agreement (SLA) requirements. Well, that’s your input, particularly if you can proudly present compliance with all set targets.
  • resources and capabilities – these include analysis of current and forecasted needs for human, technical, information, and financial resource levels. The management review meeting is an excellent place to get confirmation for, e.g., new hiring. One of the most interesting capabilities are know-how requirements compared to the organization’s needs. For example, new technology in place showed that there is a gap in knowledge needed to fulfill SLA requirements. So, know-how buildup can be agreed on at the meeting (in the form of education, which requires financial resources).
  • risks – this is one of the critical elements of the meeting. Technology and people (both internal employees as well as external) are the biggest source of risk. So, thorough risk analysis and suggested mitigation actions should be prepared and their mitigation defined and confirmed (particularly when, e.g., financial resources are needed).
  • results and follow-up actions from audits, previous meetings, and preventive and corrective actions – this includes audits and previous management meetings and represents one of the must-do activities at the meeting. Namely, be it from an internal or external audit, non-conformities and/or observation are important information regarding what needs to be corrected, i.e., improved. By putting it on the management review meeting agenda – the importance of resolving those non-conformities gets full attention inside the SMS, i.e., the IT Service Management organization. By going through the AI (action item) list from previous meetings, management gets direct input about the SMS efficiency (fulfillment of agreed AIs and implementation of corrective and preventive actions).
  • changes that could affect the SMS and the services and improvements – here we talk about important changes. Due to their influence on the company’s operational activities, services offered and resources involved, they have management’s attention. When the meeting comes to service improvement initiatives, you will notice managements’ faces start to smile. They are highly interested in things that can be done better, and I’m sure you will get their full attention and support. Read the article ITIL V3 Change Management – at the heart of Service Management and ITIL Continual Service Improvement – don’t lose the momentum to learn more.

Here are the outputs

OK, these were the inputs, but how about outputs? What does the standard require? Well, the focus is on improvements and resources. The standard requires that the meeting results in “decisions and actions related to resources, improvement of the effectiveness of the SMS and improvement of the services” (quote from ISO 20000-1). Let’s clarify them:

  • resources – management is the one who approves resources; therefore, it’s logical that decisions related to resources are documented. Resources could include human resources (e.g., internal or external, like hiring a consultant company for an important project, money or investment in, e.g., hardware or software.
  • improvement of the SMS – management is responsible for the effectiveness of the SMS. Therefore, they will do whatever is possible to make it better. Another factor that influences the SMS are customers (remember that customer feedback is one of the inputs for the meeting – that could trigger SMS improvement initiatives).
  • improvement of the services – services bring financial resources, which are needed for the company to operate and exist. Sometimes, internal initiatives are started for service improvements, sometimes improvements trigger some malfunction of the service, and (quite often) changing business requirements are the trigger for improvement initiatives. No matter what is the trigger, management has its eyes wide open when services are in question.

Additionally, outputs of the management meeting include some form of an AI list and respective responsibilities. In that way, the SMS Manager (usually taking care to follow-up on those activities) uses this list and proves to the management that all AIs have been taken care of (as input for the next management meeting).

Burden or…?

The management meeting, like most meetings, can be seen as “just another meeting.” From my experience, it should be considered with particular care – firstly, because it involves top management of the company. Secondly, it’s an excellent place where most important decisions are made. Everyone should benefit from those decisions – management, people involved in the SMS, and (particularly) the SMS Manager. That means that there are no open questions after the meeting, just work on the AIs and decisions.

The management meeting should take place regularly, like once or twice a year. Good preparation and efficiency in the period before the meeting are prerequisites for qualitative inputs. The SMS Manager gets a chance to gain all necessary decisions and to show the result of his work – a chance that should not be taken for granted.

If you would like to check your compliance with ISO 20000 requirements, use this free  ISO 20000 Gap Analysis Tool.

Advisera Branimir Valentic
Branimir Valentic
Branimir is an expert in IT service management (consultancy, training and tools), IT governance (training and consulting), project management and consultancy in IT and telecommunication. He holds the following certificates: ITIL Expert, ISO 20000, ISMS Lead Auditor and PRINCE2.