Eric Dubois

1. Service Research in Luxembourg:
a focus on Service System Governance and
Enterprise Architecture
Eric Dubois
Dept of Service Science & Innovation
1

2. Area
2,586 km2
Total population
600.000 inhabitants,
including 229,900
foreign residents
Main activities related to:
• Financial centre
• Digital economy, media and
audiovisual production
• Logistics
• Industry

3. Luxembourg is a leading Service Economy
3
Source: IBM, Paul Van Droogenbroeck
AGORIA, 4th Round Table on Service Innovation, Brussels, September 2008
National Strategy: IT is a key enabler for the next generation
of innovative data intensive services

4. TUDOR: a Luxembourg Research and
Technological Organisation (RTO)
4
Service Science & Innovation : a department of 130
multi-disciplinary people (IT, information, management,
organization, economics)
Coming in January 2015: « IT & Innovation Service » a
new department of 180 people

5. TUDOR: the SSI department
Like Fraunhofer, VTT, or TNO in Europe, TUDOR is a RTO operating in
Luxembourg. The Service Science and Innovation (SSI) dept has the
following missions:
Innovation
• Co-design of innovative services in a private/public bilateral or network
partnership
• Support to service innovation in companies by training them and making
available appropriate management processes and tools
Research
• Contribution to Service Science
Policy Support
• Policy support to the development of the Services Economy in
Luxembourg (including aspects related to standards and regulations)
5

6. The SSI Research, Development and
Innovation expertise in a nutshell
6
Dynmic Knowledge
Technology enhanced adaptive
learning and decision support
making in a context of complex and
dynamic data exploitation
Data Intensive Services
Trusted Service Systems
Digital Models for the Governance,
Risk and Compliance (GRC) of
service systems at design time and run
time
Service Supply Chain QoS

7. The SSI Research, Development and
Innovation expertise in a nutshell
7
Dynmic Knowledge
Technology enhanced adaptive
learning and decision support
making in a context of complex and
dynamic data exploitation
Data Intensive Services
Trusted Service Systems
Digital Models (IT) for the
Governance, Risk and
Compliance (GRC) of service
systems at design time and run
time
Service Supply Chain QoS
Service Innovation in
a Living Lab setting
Finance, Construction, Health, Mobility, Public
Management, Transport and Logistics, Human
Capital, EcoTechnology, Manufacturing Industry

8. The SSI Research, Development and
Innovation expertise in a nutshell
8
Dynmic Knowledge
Technology enhanced adaptive
learning and decision support
making in a context of complex and
dynamic data exploitation
Data Intensive Services
Trusted Service Systems
Digital Models (IT) for the
Governance, Risk and
Compliance (GRC) of service
systems at design time and run
time
Service Supply Chain QoS
Service Innovation in a Living Lab setting
According to a Service system design Science
research method [1]
Service
Exposition
Service
Design
Service
Value
Service
Deployment
Service
Capitalization
Service
Engineer
ing

9. Service System Governance and
Enterprise Architecture
9
Trusted Service Systems
Digital Models (IT) for the
Governance, Risk and
Compliance (GRC) of service
systems at design time and run
time
Service Supply Chain QoS
The Finance Centre:
an example of service system

10. The Finance Service
System in Luxembourg
Banks
Fund Mgt
Institutions
PSF
(Finance
Service
Providers
e-Archiving
Services
Data
Center
Services
Telco
Sevices
Regulators
CSSF: risk management
ILNAS: Luxembourg Law on e-
Archiving
CNPD/EU: data protection
ILR/EU: risk management

11. The Finance Service
System in Luxembourg
Banks
Fund Mgt
Institutions
PSF
(Finance
Service
Providers
e-Archiving
Services
Data
Center
Services
Telco
Sevices
Standards, Norms and
Best Practices
IT Service
Management (ITIL)
Security Management
(ISO 27000)
Risk Management
(ISO 15408, Basel III)

12. Banks
Fund Mgt
Institutions
PSF
(Finance
Service
Providers
e-Archving
Services
Data
Center
Services
Telco
Sevices
Regulators/
Standards
Best Practices
Customer/
Provider
Research Question
Support the implementation
of regulations and standards
at design and run time

13. Banks
Fund Mgt
Institutions
PSF
(Finance
Service
Providers
e-Archving
Services
Data
Center
Services
Telco
Sevices
Regulators/
Standards
Best Practices
Customer/
Provider
Research Question
How to report compliance
elements through
comparable (standardised)
SLA
Research Question
Support the implementation
of regulations and standards
at design and run time

14. Banks
Fund Mgt
Institutions
PSF
(Finance
Service
Providers
e-Archving
Services
Data
Center
Services
Regulators/
Standards
Customer/
Provider
Research Question
Improve the confidence
through transparent
and comparable
(standardised)
SLA
Research Question
Support the implementation
of regulations and standards
in terms of the
enterprise architectures
Provide
objectively measurable
reference models

15. The Proposed Solution
15
Infrastructure
External infrastructure services
Application components and services
Roles and actors
External application services
External business services
Damage claiming process
Client Insurant InsurerArchiSurance
Registration PaymentValuationAcceptance
Customer
information
service
Claims
payment
service
Customer
administration
service
Payment
service
CRM
system
Financial
application
Customer
information
service
Claim
registration
service
Claim
registration
service
Claims
administration
service
Policy
administration
Claim
files
service
zSeries mainframe
DB2
database
Financial
application
EJBs
Customer
files
service
Sun Blade
iPlanet
app server
Claim
information
service
- Regulations
- Laws
- Standards
- Norms
- Best Practices
- …
Enterprise
Architecture
Process Reference Framework
for supporting the
- Definition of a compliant organisation at design time
- Measure of the compliance at run time

16. The Proposed Solution
16
Infrastructure
External infrastructure services
Application components and services
Roles and actors
External application services
External business services
Damage claiming process
Client Insurant InsurerArchiSurance
Registration PaymentValuationAcceptance
Customer
information
service
Claims
payment
service
Customer
administration
service
Payment
service
CRM
system
Financial
application
Customer
information
service
Claim
registration
service
Claim
registration
service
Claims
administration
service
Policy
administration
Claim
files
service
zSeries mainframe
DB2
database
Financial
application
EJBs
Customer
files
service
Sun Blade
iPlanet
app server
Claim
information
service
- Regulations
- Laws
- Standards
- Norms
- Best Practices
- …
Enterprise
Architecture
Process Reference Framework
[2,3]
16
Based on ISO 15504 principles
Business Process
INDICATORS:
RESOURCE/WORKPRODUCTS
Process:
Set of activities correlated or interactive that transforms inputs into outputs
INPUT OUTPUTS
Outcomes

17. 17
Infrastructure
External infrastructure services
Application components and services
Roles and actors
External application services
External business services
Damage claiming process
Client Insurant InsurerArchiSurance
Registration PaymentValuationAcceptance
Customer
information
service
Claims
payment
service
Customer
administration
service
Payment
service
CRM
system
Financial
application
Customer
information
service
Claim
registration
service
Claim
registration
service
Claims
administration
service
Policy
administration
Claim
files
service
zSeries mainframe
DB2
database
Financial
application
EJBs
Customer
files
service
Sun Blade
iPlanet
app server
Claim
information
service
- Regulations
- Laws
- Standards
- Norms
- Best Practices
- …
Enterprise
Architecture
Process Reference Framework
17
Based on ISO 15504 principles
Business Process
INDICATORS:
RESOURCE/WORKPRODUCTS
Process:
Set of activities correlated or interactive that transforms inputs into outputs
INPUT OUTPUTS
Outcomes
Excerpt of the ITIL 2011 TIPA Process Framework

18. Excerpt of the ITIL 2011 TIPA Process Framework
Event
Management
Process Attribute 1 P.A.
2.1
Process Attribute 2.2
Purpose Ensure that any event that has significance for the
management of CIs and IT services is dealt with.
… The event definition, recording and
handling are adequately documented
Outcomes 1. All changes of state that have significance for
the management of a CI or IT service are detected
and logged as an event;
2. The significance of each event is understood;
3. The appropriate response actions for each event
are determined and communicated to the
appropriate target group.
… a) Significant events are documented
b) Event documentation is internally
reviewed
c) Events related actions are tracked
and documented
Indicators Practices:
Define events, implement notification facilities,
record events…
Work Products:
Event categories, event record, event trends…
… Practices:
Define event documentation
Define event trend report
Work Products:
Event documentation
Event trend report contents
Superior SLA
Normal SLA

19. Building a Process Reference Framework
19
- Regulations
- Laws
- Standards
- Norms
- Best Practices
- …
Process Reference Framework
19
Based on ISO 15504 principles
Business Process
INDICATORS:
RESOURCE/WORKPRODUCTS
Process:
Set of activities correlated or interactive that transforms inputs into outputs
INPUT OUTPUTS
Outcomes
Op. Risk
Assess.
1 2.1 2.2 …
Purpose
Identified operational risks are
qualitatively assessed. [Source: 141,
..., 662, …, 859]
… The loss exposure, the risk
profile, … are appropriately
managed.
…
Out-
comes
a) an operational risk assessment
strategy is developed, including
the principles of how operational
risk is to be assessed, according
to the size, the sophistication,
the nature and the complexity of
the bank’s activity; [Source: 1, ...,
357]
b) bank is aware of the loss
exposure (qualitatively) of each
identified risk on its business;
[Source: 139, …, 248]
c) identified risks are organized (7
loss event types in Basel II); and
[Source: 139, 455]
d) bank’s risk profile is determined.
[Source: 140]
… a) WP Req.: The risk profile
must defined for each of the
7 loss event type;
b) Control Req.: risk
probabilities must be
consistent across months;
c) Control. Req.: Historical
differences of loss
exposures must be
documented;
d) Loss exposures must be
reviewed once a month by
peers under supervision of
operational risk
management department
e) …
…
Indica-
tors
Practices:
Risk probabilities are self-assessed.
WorkProducts:
Risk probabilities with defined
probabilities categories
Resources:
Risk assessor has knowledge in
risks and self-assessment
techniques used.
Practices:
Peer-review of risk probabilities
WorkProducts:
Peer-review report of risk
probabilities
Resources:
Peer reviewer has knowledge in
risks and peer-revieuw
technique
Goal Oriented Requirements
Engineering based on i* and
traceability [4,5]

20. Support to the deployment of the Framework
at Design Time
20
Process Reference Framework
20
Based on ISO 15504 principles
Business Process
INDICATORS:
RESOURCE/WORKPRODUCTS
Process:
Set of activities correlated or interactive that transforms inputs into outputs
INPUT OUTPUTS
Outcomes
Op. Risk
Assess.
1 2.1 2.2 …
Purpose
Identified operational risks are
qualitatively assessed. [Source: 141,
..., 662, …, 859]
… The loss exposure, the risk
profile, … are appropriately
managed.
…
Out-
comes
a) an operational risk assessment
strategy is developed, including
the principles of how operational
risk is to be assessed, according
to the size, the sophistication,
the nature and the complexity of
the bank’s activity; [Source: 1, ...,
357]
b) bank is aware of the loss
exposure (qualitatively) of each
identified risk on its business;
[Source: 139, …, 248]
c) identified risks are organized (7
loss event types in Basel II); and
[Source: 139, 455]
d) bank’s risk profile is determined.
[Source: 140]
… a) WP Req.: The risk profile
must defined for each of the
7 loss event type;
b) Control Req.: risk
probabilities must be
consistent across months;
c) Control. Req.: Historical
differences of loss
exposures must be
documented;
d) Loss exposures must be
reviewed once a month by
peers under supervision of
operational risk
management department
e) …
…
Indica-
tors
Practices:
Risk probabilities are self-assessed.
WorkProducts:
Risk probabilities with defined
probabilities categories
Resources:
Risk assessor has knowledge in
risks and self-assessment
techniques used.
Practices:
Peer-review of risk probabilities
WorkProducts:
Peer-review report of risk
probabilities
Resources:
Peer reviewer has knowledge in
risks and peer-revieuw
technique
Infrastructure
External infrastructure services
Application components and services
Roles and actors
External application services
External business services
Damage claiming process
Client Insurant InsurerArchiSurance
Registration PaymentValuationAcceptance
Customer
information
service
Claims
payment
service
Customer
administration
service
Payment
service
CRM
system
Financial
application
Customer
information
service
Claim
registration
service
Claim
registration
service
Claims
administration
service
Policy
administration
Claim
files
service
zSeries mainframe
DB2
database
Financial
application
EJBs
Customer
files
service
Sun Blade
iPlanet
app server
Claim
information
service
- Regulations
- Laws
- Standards
- Norms
- Best Practices
- …
Enterprise
Architecture

21. 21
Process Reference Framework
21
Purpose
Identified operational risks are
qualitatively assessed. [Source: 141,
..., 662, …, 859]
… The loss exposure, the risk
profile, … are appropriately
managed.
…
Out-
comes
a) an operational risk assessment
strategy is developed, including
the principles of how operational
risk is to be assessed, according
to the size, the sophistication,
the nature and the complexity of
the bank’s activity; [Source: 1, ...,
357]
b) bank is aware of the loss
exposure (qualitatively) of each
identified risk on its business;
[Source: 139, …, 248]
c) identified risks are organized (7
loss event types in Basel II); and
[Source: 139, 455]
d) bank’s risk profile is determined.
[Source: 140]
… a) WP Req.: The risk profile
must defined for each of the
7 loss event type;
b) Control Req.: risk
probabilities must be
consistent across months;
c) Control. Req.: Historical
differences of loss
exposures must be
documented;
d) Loss exposures must be
reviewed once a month by
peers under supervision of
operational risk
management department
e) …
…
Indica-
tors
Practices:
Risk probabilities are self-assessed.
WorkProducts:
Risk probabilities with defined
probabilities categories
Resources:
Risk assessor has knowledge in
risks and self-assessment
techniques used.
Practices:
Peer-review of risk probabilities
WorkProducts:
Peer-review report of risk
probabilities
Resources:
Peer reviewer has knowledge in
risks and peer-revieuw
technique
Development of EA Reference Model
and traceability to their Implementation
[6,7]
Infrastructure
External infrastructure services
Application components and services
Roles and actors
External application services
External business services
Damage claiming process
Client Insurant InsurerArchiSurance
Registration PaymentValuationAcceptance
Customer
information
service
Claims
payment
service
Customer
administration
service
Payment
service
CRM
system
Financial
application
Customer
information
service
Claim
registration
service
Claim
registration
service
Claims
administration
service
Policy
administration
Claim
files
service
zSeries mainframe
DB2
database
Financial
application
EJBs
Customer
files
service
Sun Blade
iPlanet
app server
Claim
information
service
Enterprise
Architecture

22. Conclusion: associated works
22

23. • Input to IS0 20000/4
• Book publication: Van Haren
Publishing, December 2009
• Training provided by IT Preneurs
• Approx. 170 TIPA certified Assessors
• 24 countries: Japan, USA, Canada, Denmark, Australia ..
23
TIPA® - Tudor ITSM Process Reference
Framework www.tipaonline.org

24. ISO 15504 is a standard process assessment framework
 can be used in any field of activity / on any type of process
Financial sector
• Operational Risk (Basel III)
• Credit Risk Management
• Know Your Customer/AML
IT industry
• Information Security (ISO 27000)
• eArchiving
Others
• Business continuity
• Knowledge management
• Project management
Other Process Reference Frameworks

25. 25
Thanks for your attention
eric.dubois@tudor.lu

26. [1] Eric Dubois, Anne Rousseau, “Service Science: A Service System Design Science Research Method? “ ,
Exploring Services Science - 4th International Conference, IESS 2013, Porto, Portugal, February 7-8,
2013. Proceedings. Springer Lecture Notes in Business Information Processing, 2013
[2] Béatrix Barafort, Anne Rousseau: Sustainable Service Innovation Model: A Standardized IT Service
Management Process Assessment Framework. EuroSPI 2009: 69-80
[3] Michel Picard, Alain Renault, Stéphane Cortina: How to Improve Process Models for Better ISO/IEC 15504
Process Assessment. EuroSPI 2010: 130-141
[4] André Rifaut, Eric Dubois: Using Goal-Oriented Requirements Engineering for Improving the Quality of
ISO/IEC 15504 based Compliance Assessment Frameworks. RE 2008: 33-42
[5] André Rifaut, Sepideh Ghanavati: Measurement-oriented comparison of multiple regulations with
GRL. RELAW 2012: 7-16
[6] Eric Grandry, Christophe Feltus, Eric Dubois: Conceptual Integration of Enterprise Architecture
Management and Security Risk Management. EDOC Workshops 2013: 114-123
[7] Nicolas Mayer, Jocelyn Aubert, Hervé Cholez, Eric Grandry: Sector-Based Improvement of the Information
Security Risk Management Process in the Context of Telecommunications Regulation. EuroSPI 2013: 13-
24
References