Case study HDI: “The benefits of ITAM are much broader than people think.”
HDI is a multi-brand insurance company based in Germany. Part of the Talanx Group, it provides private and commercial insurance. HDI operates through branches, subsidiaries, and affiliates in more than 175 countries, offering international industrial insurance programs.
HDI IT provides IT services for the whole group, supporting 16,500 employees and 21,850 managed devices around the world. With the company already being certified against ISO 27001 and ISO 9000, ISO 19770-1 certification was a logical next step in cementing the company’s continual management maturity.
In February 2023, HDI became the world’s first end-user organization to be certified against ISO 19770-1. It also won the Jury Award and the Overall SAM Project Award at SAMS DACH 2023 for its work (with partner TIMETOACT GROUP) towards ISO ITAM certification.
HDI’s ITAM story started in 2015 when the company established its first license management function. During 2017, it appointed the IT services company TIMETOACT GROUP to help it respond better to incoming software license audits, which were starting to become more frequent. By 2019, after four years of reactive license management, the company decided to take a more proactive approach to ITAM. To achieve this, it worked with TIMETOACT GROUP to put more processes and governance in place using ISO 19770-1 as its guide. HDI had first leveraged this ISO standard in 2015 when it established its license management function.
“With audits becoming more frequent, the license management function had become too reactive and focused on compliance,” commented Patrick Milas, Software License Manager at HDI. “But we knew there was more value we could bring. We needed to regain control so we could reduce the impact and frequency of audits and deliver tangible improvements to the business on an ongoing basis. A key part of this change was the appointment of TIMETOACT GROUP to conduct regular maturity assessments of our practice against the ISO 19770-1 standard. Their first audit was completed in 2017 and another one in 2021. Both audits were followed by significant investment and improvements in our practice, systems, and governance. By 2022, we were very confident in our processes, but without a globally recognized certification for ISO 19770-1, we had no way to test or prove our maturity to our stakeholders. As soon as we heard about The ITAM Forum’s plans to develop such a certification, we leapt at the opportunity to put ourselves to the test.”
Patrick cites the following reasons for engaging with the ITAM Forum to become the world’s first end-user organization to obtain ISO 19770-1 certification:
To create and maintain the most effective ITAM function: By aligning its management systems with the global standard, HDI is assured its services meet the highest standards of IT Asset Management.
The verification of an independent third party: The process for obtaining ISO 19770-1 involved a multi-stage audit by Brand Compliance, the scheme’s official auditor. The entire process was completed in three distinct phases during the course of many months, with gaps identified for remediation along the way and interviews conducted with around 20 different stakeholders across the business. Being independently audited ensured there was nowhere to hide and that HDI met the high standards it had been working to.
Improve the efficiency of ITAM: The gap analysis and continual improvements ensure HDI’s processes are as optimized as possible.
Reduce the impact and frequency of audits: By being better prepared, audits are less disruptive to the business and less likely to lead to an expensive, and unbudgeted, outcome.
Expanding the scope of existing ISO standards: Adding ISO 19770-1 to its existing certifications (ISO 27001 and ISO 9000) brings additional efficiencies and improvements to HDI’s management systems.
Commenting on TIMETOACT GROUP’s role in the development of HDI’s license management function, Dr. Jan Hachenberger, Head of the Business Unit “Performance Strategy” at TIMETOACT GROUP, said, “My entire business unit was created to bring my dream of REAL ITAM to life. If you look at the bulk of ITAM and how it’s implemented in most organizations, it is very grassroots and most often focused on license reconciliation/compliance. In my view, this is the last step in the process. ITAM should start by defining the demands of IT and building the solutions to deliver that. Licenses/asset management comes much later. This is why we focused on performance strategy – not solely ITAM – at HDI, incorporating much broader elements like IT strategy, architecture, vendor management, sourcing, ITSM and ITAM and always keeping a governance/process perspective in view.”
Jan is a member of the ITAM Standards Committee’s WG21, the voluntary working group that developed ISO 19770-1. When the ITAM Forum announced its intention to develop the world’s first ISO ITAM certification scheme, Jan approached HDI to see if the team wanted to test themselves against the ISO standard.
Jan continued, “Since broad company support and stakeholder backing is a critical component of the ISO standard, HDI was a prime candidate for certification. I could see that the rest of the company understood the bigger picture of what Patrick and the team were looking to achieve. They were excited by the prospect of being able to test and prove their ITAM credentials.”
For HDI, gaining ISO certification is about demonstrating and proving the broader benefits of ITAM to the wider business. As Patrick explains, “The benefits of ITAM are much broader than people think. It is the nucleus for every other IT process. If you don’t know what you have, you can’t manage it. The audit process was the perfect way to get all the relevant stakeholders across the business in one room to make the case for ITAM and demonstrate its value.”
Advice for others
Patrick recommends that organizations have a good understanding of ISO/IEC 19770-1 before starting the certification process and implement as much as possible first. Ultimately though, starting from anywhere is better than doing nothing. “Just start. The certification process involves the identification of gaps in your compliance, with time provided to close the gaps before the next stage of the audit. So, you are guaranteed to improve simply by going through the process. No matter how mature your processes are, the audit will inevitably find gaps and improvement areas. Even if you don’t gain certification the first time around, you will benefit from the knowledge of where improvements are needed. It’s always a win for you, irrespective of the outcome.”
Working with Brand Compliance, the official auditor
Patrick commented, “We talked with Brand Compliance throughout the process and the communication was always very good. Our auditor was very switched on and would ask detailed and intelligent questions.”