Questions for conducting an effective CMDB Assessment

Many CMDB programs are considered failures because they don’t appear to provide significant business value to organizations. A common reason for this is considering CMDB as a one-time implementation project. The usefulness of a CMDB is based on the availability of reliable, up-to-date, and accurate data. Hence, the implementation and management of a CMDB should be treated as an ongoing initiative. 
Based on organizations’ current maturity and business objectives, there are typically different types of CMDB initiatives that they undertake. i.e., there can be initiatives for CMDB process assessment and definition, CMDB implementation (greenfield and brownfield), CMDB clean-up and data quality improvements, ongoing CMDB operations management, etc. During the initial workshop sessions of such CMDB initiatives, it is important to ask relevant questions and gather responses from various stakeholders. Such questions will also be useful to collect information during new opportunity pursuits with prospective customers so that scoping and solutions can be defined in a better way.
In this article, I have compiled a list of questions under different categories that can be asked to the organization's stakeholders to gather useful information required before getting started with various kinds of CMDB initiatives. 

Note: The actual list of questions that you need to ask will be based on the type of CMDB initiative as well as your present understanding of the current state (of the process, data, instance configurations, etc.). 

Process Design and Documentation

• Do you have a documented process for configuration management? If yes, is this process followed by all the teams involved in configuration management?
• Is the configuration management process followed globally across all your entities and locations?
• What are the major gaps or issues that you are facing in your current configuration management process?
• What are the business objectives supported by your CMDB program? Have you documented these?
• Is the CMDB data model defined and documented?
• Are the various CI classes which you are tracking, their relevant attributes, and data sources clearly defined and documented?
• Does each CI class and attribute that you have populated support some business objective?
• Are the roles and responsibilities for configuration management clearly defined and documented?
• Have you defined and documented the process for managing CI lifecycle (creation, modification, and retirement)?
• Have you defined and documented the processes for configuration identification and configuration control?
• Which all processes interact with configuration management? Are the interactions of configuration management with all these processes clearly defined and documented? Note: The examples of other processes which typically interact are IT asset management, incident management, problem management, change management, request management, vulnerability management, event management, etc.
• Have you defined and documented the procedure and frequency for CMDB audits?
• Have you defined and documented the procedures for CMDB data quality monitoring and improvements?
• Do you have any documentation about how you are currently following the Common Service Data Model (CSDM)? Are you maintaining any roadmap for your CSDM alignment initiatives?

Data management and Automation

• What are the various CI classes and attributes that you want to populate in the CMDB? What is your business objective for populating those? (Note: This question is relevant only for a fresh CMDB implementation in ServiceNow.)
• Approximately how many CI records are you currently tracking in your CMDB? Which are the CI classes and attributes that are populated?
• Which are the different data sources for each CI class that is populated in your CMDB?
• Are you using ServiceNow Discovery? If yes, which all CI classes are populated by Discovery, and how frequently is the data in each CI class updated by Discovery?
• How many of your CI classes are populated and updated using other automated data sources? Which are those sources? How frequently is the data updated by each source?
• Which are the various third-party data sources integrated to populate the CMDB? Are you using Service Graph Connectors to integrate with those sources?
• For the CI classes which are populated manually, do you have any procedures to periodically monitor and ensure that the data is current and accurate?
• What are the data validation and verification procedures that you follow?
• Are you using Data certification feature? If yes, are data certification tasks assigned for verification of most of your important CI attributes (especially those which are manually maintained)?
• How are you performing your manual CMDB data updates? Are you using integration hub ETL?
• How are new data loads and existing data updates done currently for each CI class?
• What steps do you take to maintain CMDB data accuracy and completeness?
• How is duplicate CI data detected and resolved currently? Are you using deduplication tasks? If yes, how frequently are they monitored and remediated?
• What metrics are used to assess the quality of the data in the CMDB?
• What are the CMDB data quality issues that you are facing currently?
• Are you using the CMDB health dashboard? If yes, are you monitoring the health metrics proactively and taking any actions to improve the CMDB data based on that?
• Are you using the CMDB Data Foundations dashboard? If yes, are you monitoring the metrics proactively and taking any actions to improve the CMDB data based on that?
• Have you reviewed and refined the CI identification rules for each CI class that is populated? Are these rules reviewed periodically to check if changes are needed?
• Have you defined reconciliation rules and data refresh rules for CI classes which are populated by more than one data source? Are these rules reviewed periodically to check if changes are needed?
• What are the procedures that you follow for data archiving and retention?
• Are you using CMDB data manager? If yes, what all policies have you created?
• Do you have proper access control mechanisms in place regarding who can create, modify, view, and delete data from the CMDB?
• How is sensitive information in the CMDB protected?
• Are you using any naming conventions or standard formats for CMDB data?
• How is data consistency maintained across different regions or business units?
• How is CI relationship data maintained and updated?
• Is the data quality of foundation tables, which are referenced by various attributes in the CMDB tables (like Companies, Locations, Groups, Users, Cost Centers, Departments, Models etc.), reviewed and improved periodically?
• Is the CI data synchronized with asset data? Which all fields are synchronized? Do you periodically review the synchronization to check if any changes are needed?
• How many custom CI classes and attributes have you created? Have you evaluated the business need for creating these and checked the availability of OOB classes and attributes before creation?
• Are you following the Common Service Data Model (CSDM) currently? Do you have an ongoing initiative to improve your alignment with CSDM guidelines?
• Are you using the CSDM Data Foundations dashboard? If yes, are you monitoring the metrics proactively and taking any action items to improve the CSDM alignment based on that?
• Are custom CI classes and attributes created at the right level of the CI class hierarchy as per what is needed to support your requirements? (For example, create an attribute in a parent class if you need a custom attribute in multiple child classes.)
• Are you using the CMDB 360 feature to track the complete history of various discovery sources and their proposed values that are involved in updating the CI attributes?
• Is the ‘Assigned to’ field (indicating the end user) populated for all the end user devices tracked in your CMDB?
• Do all the CI classes and records have proper ownership defined? i.e., are fields like ‘Owned by’, ‘Managed by', and ‘Managed by Group’ populated?
• Does all the CIs have incident management group (‘Support group’ field) and change management group (‘Change Group’ field) information populated?
• Are the fields related to CMDB (Service, Service Offering, and Configuration Item) populated for your Incidents, Problems and Changes?
• What is the process for onboarding new integrations to populate the CMDB?
• How are the issues with CMDB data sources identified and resolved?

Governance and Operations

• Do you have executive sponsorship and support for the CMDB program?
• What policies and procedures govern the use and maintenance of the CMDB?
• How are roles and responsibilities for CMDB management defined?
• What is the governance structure for decision-making related to the CMDB?
• How is compliance with CMDB policies monitored and enforced?
• Do you have periodic governance meetings regarding CMDB management with key stakeholders like the configuration manager, service owners, application owners, other process owners, etc.?
• How are communication and coordination managed between the different teams involved in CMDB management?
• Is the implementation of all enhancements related to the CMDB going through formal change management and release management processes?
• Is there a communication plan during the implementation of enhancements to the CMDB and for any important incidents or defects affecting the CMDB?
• How are risks associated with CMDB data managed?
• What are the escalation procedures for issues related to CMDB governance?
• Are there regular CMDB audits and data quality checks? If yes, how frequent are they, and what is their scope?
• How is the governance model adapted to changing business needs?
• Do you think you have enough resources with adequate skills for the configuration management process, implementation of CMDB enhancements, CMDB data management, and CMDB operational activities?
• Do you have a training program for CMDB implementers, operators, and administrators?
• Are KPIs and metrics for evaluating the effectiveness of CMDB defined and tracked? Are the operations teams monitoring these periodically and taking actions to improve them?
• Are there regular reports about CMDB usage and data quality? Do the stakeholders and operations teams monitor these and take action for improvements?
• Are you using the CMDB query builder to build complex queries on the CMDB data?
• Do the operational activities include regularly checking and acting on applicable tasks like deduplication tasks, stale tasks, data certification tasks, attestation tasks, etc.?
• Is there a continuous improvement plan for the CMDB?
• Are your incident support teams making use of information from the CMDB for incident impact analysis and root cause analysis?
• Are your problem management teams making use of information from the CMDB for problem root cause analysis?
• Are your change management teams making use of information from the CMDB for change planning and impact analysis?
• What are the other business processes that are making use of information from the CMDB? (e.g., Vulnerability management, Customer service management, etc.)
• Is there a process for gathering feedback from CMDB stakeholders and users?

User experience and training

• Do you consider the CMDB interface for end-users to be user-friendly? If not, list a few pain points that make it less user-friendly.
• What training and resources are provided to the users of the CMDB?
• What documentation is available to help users understand CMDB processes and features?
• How often are training curriculum and documentation updated to reflect changes in the CMDB?
• How are user roles and permissions for CMDB communicated and managed?
• Are there self-service Catalog items for users to request information or support related to the CMDB?
• What support channels are available for users who are encountering issues with the CMDB?
• How is the adoption of the CMDB by users measured and encouraged?
• What customization options are available to users for viewing and interacting with CMDB data?
• How is user satisfaction with the CMDB assessed and addressed?