IT Operating Model & Governance
it.operating_model
P0
Federated boundaries, decision rights, compliance backbone, and change-management readiness. Anchored in the 'no ticket, no service' principle.
Questions (39)
| id | prompt | scope | category | priority | artefact |
|---|---|---|---|---|---|
| it.operating_model.q01 | Confirm the target IT operating model is federated (group standards + subsidiary autonomy) and not full centralisation. Document explicit boundaries. | G | Federated Model | P0 | checklist |
| it.operating_model.q02 | Which decisions belong at GROUP level (e.g., identity, security policy, ITSM, EDR)? Which remain SUBSIDIARY level (e.g., engineering software, OT, local hardware)? | G | Federated Model | P0 | file |
| it.operating_model.q03 | What is the group's economy-of-scale ambition — naming and standardising 3–5 services (e.g., endpoint mgmt, ITSM, EDR, M365, SOC) versus broader coverage? | G | Federated Model | P0 | text |
| it.operating_model.q04 | Joint IT Steerco — proposed members, cadence, decision authority, quorum, voting. Existing forum or net-new? | G | Governance | P0 | entity-row |
| it.operating_model.q05 | Group IT policies that exist today (acceptable use, data classification, access control, BYOD, incident response). Provide latest versions. | G | Governance | P0 | table |
| it.operating_model.q06 | Compliance / regulatory drivers in-scope (SAMA / PDPL KSA · NIST / ISO 27001 · sector-specific OT)? Audit cadence and last findings? | G | Governance | P0 | text |
| it.operating_model.q07 | Data classification scheme — does one exist? Are cross-border transfer rules (e.g., KSA→India for GCC) documented? | G | Governance | P0 | checklist |
| it.operating_model.q08 | Standards adoption monitoring — how will the group measure subsidiary compliance with shared policies (KPIs, dashboards, audit cadence)? | G | Federated Model | P1 | text |
| it.operating_model.q09 | Each subsidiary: list the top 3 IT pain points today with a recent concrete example. | S | Current State | P0 | table |
| it.operating_model.q10 | Outsourcing posture — which towers are open to outsource (e.g., L1/L2 helpdesk, network ops, endpoint mgmt, EDR mgmt, SOC)? Which stay in-house? | G | Service Strategy | P0 | text |
| it.operating_model.q11 | Existing strategic vendor relationships (incl. ours). Multi-year contracts, expansion clauses, exclusivity. | G | Service Strategy | P1 | text |
| it.operating_model.q12 | Leadership backing for the operating-model shift — who is the executive sponsor? How will mandate be communicated? | G | Change & Adoption | P0 | text |
| it.operating_model.q13 | HR involvement in compliance reinforcement — performance KPIs tied to ITSM usage? Disciplinary path for repeat non-compliance? | G | Change & Adoption | P0 | text |
| it.operating_model.q14 | Communication channels for IT change-management (town halls, email, intranet, WhatsApp, Teams)? Localisation needs (language, time-zone)? | G | Change & Adoption | P1 | text |
| it.operating_model.q15 | Confirm GCC absorbs only MATURE capabilities. List capabilities considered mature enough to migrate now vs. those that must stabilise centrally first. | GCC | Maturity Boundary | P0 | text |
| it.operating_model.q16 | How are technology decisions currently made across subsidiaries? Walk through 2–3 recent examples (who proposed, who approved, time taken). | S | Governance & Decision Making | P0 | text |
| it.operating_model.q17 | Is there any existing coordination between subsidiary IT teams (formal forum, informal channel, ad-hoc)? Cadence and effectiveness. | G | Governance & Decision Making | P0 | text |
| it.operating_model.q18 | How are exceptions to technology standards currently handled — approval path, frequency, top 3 exception themes? | G | Governance & Decision Making | P0 | table |
| it.operating_model.q19 | How are disagreements between local IT and Group IT typically resolved? Who decides; what is the escalation path? | G | Governance & Decision Making | P0 | text |
| it.operating_model.q20 | Are there areas where centralised governance may be beneficial today (security, identity, ITSM, vendor mgmt, BCP, data)? Rank by perceived value. | G | Governance & Decision Making | P0 | text |
| it.operating_model.q21 | Which IT decisions are typically made locally vs. centrally? Provide top 5 each per subsidiary. | S | Governance & Decision Making | P0 | table |
| it.operating_model.q22 | Are there business units with unique operational requirements that justify autonomy (e.g., plant OT, project sites, regulated business)? | S | Governance & Decision Making | P0 | text |
| it.operating_model.q23 | Are there challenges caused by decentralised IT operations today? One-paragraph summary per subsidiary, with 1–2 concrete examples. | S | Governance & Decision Making | P0 | table |
| it.operating_model.q24 | How are operational responsibilities currently distributed between teams (subsidiary IT vs Group IT vs vendor vs business)? | S | Operational Ownership | P0 | text |
| it.operating_model.q25 | Are there areas where responsibilities are unclear or overlapping (top 3 grey zones per subsidiary)? | S | Operational Ownership | P0 | table |
| it.operating_model.q26 | Are there dependencies on specific individuals for critical operations (key-person risk)? Name them and the capability at risk. | S | Operational Ownership | P0 | text |
| it.operating_model.q27 | Are operational processes formally documented anywhere today — SOPs, runbooks, wiki, tribal knowledge? Estimate documentation coverage %. | S | Operational Ownership | P0 | file |
| it.operating_model.q28 | How are after-hours / weekend / emergency support responsibilities managed today — on-call rota, vendor, ad-hoc? | S | Operational Ownership | P0 | text |
| it.operating_model.q29 | How are escalations currently handled across teams or subsidiaries — path, SLA, owner, last invocation? | S | Operational Ownership | P0 | date |
| it.operating_model.q30 | Are there areas where ownership clarification would immediately improve operations? Top 3 candidates with expected impact. | G | Operational Ownership | P1 | table |
| it.operating_model.q31 | Which systems or services are considered most critical to business operations? Top 5 per subsidiary with impact-of-outage rating. | S | Business Risk | P0 | table |
| it.operating_model.q32 | Are there areas where outages or downtime have had significant operational impact? Cite recent incidents (timeline, impact, root cause). | S | Business Risk | P0 | text |
| it.operating_model.q33 | Are there recurring operational challenges affecting productivity? Top 3 with frequency and user-impact estimate. | S | Business Risk | P0 | table |
| it.operating_model.q34 | Are there locations or subsidiaries experiencing repeated technology issues? Identify by geography or entity. | S | Business Risk | P1 | entity-row |
| it.operating_model.q35 | Are there dependencies on legacy systems or unsupported platforms? List vendor, version, end-of-support date, business owner. | S | Business Risk | P0 | date |
| it.operating_model.q36 | Are there operational processes currently dependent on manual activities that should be automated? Top 5 candidates. | S | Business Risk | P1 | table |
| it.operating_model.q37 | Are there concerns around scalability of the current IT operating model (specific bottlenecks — people, tooling, vendor, process)? | G | Business Risk | P0 | text |
| it.operating_model.q38 | Are management teams receiving sufficient visibility into operational issues across subsidiaries? Identify gaps and blind spots. | G | Reporting & Visibility | P0 | text |
| it.operating_model.q39 | Are there challenges in consolidating information across subsidiaries — data definitions, tools, refresh cadence? Examples. | G | Reporting & Visibility | P0 | text |
Decisions related to this workstream (3)
| id | title | scope | priority | evidence questions |
|---|---|---|---|---|
| it.decisions.d01 | Confirm federated as the target operating model (not centralised). | G | P0 | 7 |
| it.decisions.d06 | Outsourcing tower list — which towers go out of house in Phase 1. | G | P0 | 4 |
| it.decisions.d10 | Confirm full subsidiary list and autonomy status per holding. | S | P0 | 2 |