Increasing dependency on suppliers
As we depend increasingly on third parties to deliver the services our customers expect, a service provider's ability to manage those parties and to govern the overall network of suppliers becomes proportionally more important. There has been a slow but steady adoption of the supplier management practices defined by ISO/IEC 20000. Unfortunately, that standard is not always well understood, especially in terms of the scope it covers. Any organization concerned with compliance with this standard must maintain a clear understanding of what it actually requires.
ISO/IEC 20000 references
ISO/IEC 20000 provides requirements and advice for supplier management in several documents:
- ISO/IEC 20000-1:2011, Service management system requirements
  – it provides a definition for the term “supplier” (§3.35)
  – it positions supplier processes as subject to governance by the service provider (§4.2)
  – it names suppliers among the recipients of the information security policy (§6.6.1)
  – it defines a supplier management process, with various required practices (§7.2)
- ISO/IEC TR 20000-3:2011, Guidance on scope definition and applicability of ISO/IEC 20000-1
  – it provides extended guidance on supply chains and on the scope of the service management system.
ISO/IEC 20000 does not concern all suppliers!
The casual reader of ISO/IEC 20000 may believe that this standard addresses the management and governance of all suppliers of a service provider. A more careful reading indicates, however, that the standard explicitly limits its requirements to those suppliers responsible for one or more service management processes or functions.
The first sentence of Part 1, §7.2, reads:
The service provider may use suppliers to implement and operate some parts of the service management processes.
Thus, the standard is concerned only with the suppliers of one or more service management processes. This is why the contract with the supplier “…shall contain or include reference to…b) dependencies between services, processes and the parties;…e) interfaces between service management processes operated by the supplier and other parties…”
Part 3 provides further information that eliminates any ambiguity. For example (§6.7.2):
The service provider is required to have governance of the processes operated by the “Direct supplier of services” if they wish to include the direct supplier’s processes in the scope statement.
When it discusses the role of a lead supplier in the supply chain, part 3
Finally, part 3 provides a set of scenarios to help define scope. Scenario 1 describes an internal service provider that has three external suppliers. However, these external suppliers “…do not supply services relevant to service management.” They are therefore placed outside the scope of the SMS. Scenario 2 makes this point crystal clear. It envisions a case similar to scenario 1, with the addition of a supplier (Supplier 1) that provides the service desk function to the service provider. Therefore, continues the document, “if the internal service provider can demonstrate governance of the processes that span the boundary between the service provider and Supplier 1, e.g. those used for incident management” then the internal service provider may be able to demonstrate conformity to ISO/IEC 20000-1. In order to do so, it must provide “evidence that the processes operated by the outsourced service desk function and the interfaces between processes are defined”. Scenario 3 only reconfirms the same point. It cites an example similar to Scenario 2 where the external supplier (Supplier 2) provides application management services as well as the service desk function. However, “Application management services do not have to be included in the scope of service management to demonstrate conformity to ISO/IEC 20000-1.”
This concept of scoping may be astonishing for those who do not consider carefully the objective of ISO/IEC 20000. The standard has nothing to say about suppliers of IT services or goods, per se. For example, virtually every IT service provider organization depends on one or more suppliers for wide area networking and Internet connectivity. It is unlikely that any service provider builds its own hardware, depending again on a series of suppliers. While many service providers do develop certain applications in house, all of them also license applications from third parties, or use applications provided as a service. Indeed, we increasingly see the use of IaaS and PaaS, too. And yet, none of these suppliers are covered by the ISO/IEC standard for service management. The supplier management process that the service provider is required to have is not specifically intended to manage any of these third parties.
And yet, this is perfectly understandable. ISO/IEC 20000 is simply not concerned with the delivery of IT services. It is only concerned with the system used to manage those services. In other words, ISO/IEC 20000 says nothing whatsoever about how to transport data, how to send an email from place to place, how to create a balance sheet or a profit and loss statement using a computer—all of them good and noble IT services. It is only concerned with the service management processes.
There is not, to my knowledge, any ISO standard specific to the management of all suppliers. To find a standard applicable to them all, one would have to look at generic quality systems, such as described in the ISO 9000 family of standards.
Simplified scope means simplified compliance
In conclusion, a clear understanding of the scope of supplier management in ISO/IEC 20000 may have a significant impact on the work involved in achieving conformity to its requirements. A typical IT service provider organization has a very large number of suppliers, in the hundreds if not the thousands. However, the number of suppliers executing one or more service management processes for the account of the service provider will probably be very small. For each of those suppliers, the service provider is required to have a contract containing many required details, a designated supplier manager and activities to manage the performance of the supplier.
ISO/IEC 20000 Documents Procedures says
Very good post. I was really searching for this topic, as I wanted to understand it completely, and it is also very rare on the internet, which is why it was very difficult to understand.
Robert Falkowitz says
I think the difficulty comes from the fact that although the various parts of ISO 20000 are very explicit, it is hard for many to believe that what is said there is what is really needed.
ISO 20000 Consultant says
Hi there! great post. Thanks for sharing some very interesting and informative content it is a big help to me as well, keep it up!!!
ISO 20000 Consultant in HK says
Hello Robert, thx for the post! I am the process owner of Supplier Management in my organisation. As no supplier here executes one of the service management processes (all of them are only hardware / software vendors), isn’t it true that we actually don’t require a supplier management process but can still make my service management system conform to the ISO 20000 standard?
Robert Falkowitz says
That’s a very interesting question. If your objective is conformity, without a formal compliance audit, then I would say, “sure, no problem.” But if you need to be certified as compliant with ISO20000, then it might be very difficult to convince the auditor that you do not need such a process. There are two reasons for this. First, the fact that you might not have outsourced any service management activities today does not mean that you will not do so tomorrow. Second, I suspect that many, many people misunderstand the scope of application of supplier management according to ISO20000. They probably think it covers all suppliers to the IT service provider, which is certainly not what it says in the standard or in the complementary explanations.
Whether or not ISO20000 should include all IT suppliers within its scope is a different issue. I rather think that it would be very useful to do so and I have received a concurring opinion from one of the original authors of the standard. But we should base our understanding, not on what we think the standard ought to have said, but on what it really does say.
Richard says
It seems the best approach is to implement Supplier Mgmt for all suppliers, but include in the scope of your ISO20000 program only “those suppliers responsible for one or more service management processes or functions.” An unnecessary increase in scope = increased risk of a non-conformity.