Introduction: From Strategy to Action
Clause 6 is where organizational strategy and service management policy are translated into concrete action. It contains three distinct but interconnected planning requirements: identifying risks and opportunities (6.1), setting measurable objectives and planning to achieve them (6.2), and planning changes to the SMS itself (6.3). Together, these three requirements produce the most important documented output of the entire standard: the Service Management Plan (SMP). The SMP is the bridge between policy and practice. It is the document that answers: "Given our context, policy, and objectives, how will we actually manage services?"
Clause 6.1: Risks and Opportunities
Clause 6.1 requires the organization to identify what could prevent the SMS from achieving its objectives (risks) and what opportunities exist to improve the SMS. This is not a full ISO 31000 enterprise risk management framework—the SMS team does not need to assess geopolitical or market risks—but rather a focused assessment of risks and opportunities directly relevant to service management.
SMS Operational Risks
Risks to the SMS itself include:
• Process failure: A critical service management process (change management, incident management) breaks down or is circumvented, resulting in uncontrolled changes or slow incident resolution
• Resource loss: Critical staff members leave; budget for SMS tools is cut; a key vendor goes out of business
• Technology failure: The service desk system crashes; the CMDB becomes unreliable; monitoring tools fail
• Compliance drift: As the organization changes, the SMS is not updated; controls are gradually relaxed; documented information falls out of date
• Skill erosion: Competence in service management practices is lost as experienced staff leave and are not replaced with trained staff
• External pressure: New regulatory requirements emerge (e.g., a new POJK ruling); customer expectations shift suddenly; market competition demands new services before the SMS is ready to support them
Service Delivery Risks
Risks to service delivery quality include:
• SLA breach: Services fail to meet availability, response time, or quality targets defined in SLAs, resulting in customer dissatisfaction or contractual penalties
• Customer churn: Competitors offer better services or lower cost; customers migrate services elsewhere
• Security incident: Data is breached, compromising customer data or intellectual property; incident response is slow or ineffective
• Regulatory non-compliance: The organization fails to meet POJK, BSSN, UU PDP, or SPBE requirements, resulting in regulatory sanctions
• Cost overrun: Delivery costs exceed budget; unplanned expenses arise from poor change or problem management
Risk Assessment and Treatment
The organization should conduct a structured risk assessment, ideally as a facilitated workshop with representatives from service management, operations, and business units. For each identified risk, assess:
• Likelihood: How probable is this risk to occur in the next 12 months?
• Impact: If it occurs, how severe will the consequences be?
• Risk level: Likelihood × Impact determines priority
• Risk treatment: What actions will be taken to prevent or mitigate the risk?
Opportunities for Improvement
Alongside risks, organizations should identify opportunities: where can the SMS be strengthened, where can services be improved, where can costs be reduced? For example: "An opportunity exists to automate incident categorization, reducing mean time to resolution by 20%" or "We could adopt a cloud service for configuration management, reducing on-premises infrastructure costs and improving data integrity." Opportunities, once identified, may be converted into improvement objectives.
Clause 6.2: SMS Objectives and Planning to Achieve Them
Service management must have clear, measurable objectives aligned to organizational strategy. Examples include: "Achieve 99.5% uptime for critical services," "Reduce mean time to resolution for P1 incidents from 4 hours to 2 hours," "Deploy changes to production on average 2x per week," "Reduce IT cost per user by 15%," or "Complete 100% of annual security awareness training."
SMART Objectives vs. Vague Aspirations
A common mistake is to define objectives that sound good but are not measurable. "Improve service quality" is not an objective because you cannot assess whether it has been achieved. "Achieve 98% SLA compliance by end of Q4" is an objective because you can measure it: either you achieved 98% or you did not. SMART objectives are:
• Specific: What exactly is being improved? (e.g., uptime of business-critical services)
• Measurable: How will success be defined and measured? (e.g., 99.5% availability)
• Achievable: Is this realistic given current resources and constraints? (e.g., achievable given current infrastructure investment)
• Relevant: Does this matter to the business or customers? (e.g., these services are revenue-generating)
• Time-bound: By when must this objective be achieved? (e.g., by December 31, 2026)
Planning to Achieve Objectives
For each objective, the organization must plan how it will be achieved. The plan should include:
• Who is responsible for achieving the objective (which person or team)
• What resources are needed (budget, tools, staff, training)
• What activities or changes must occur (process improvements, technology investments, organizational changes)
• What the timeline is (milestones and target completion date)
• How results will be measured and monitored (metrics, review cadence, reporting)
Monitoring and Updating Objectives
Objectives are not set once and forgotten. They must be monitored throughout the year through a management review process. If an objective is at risk of not being achieved, corrective actions must be taken. If circumstances change (e.g., a customer leaves, reducing the demand for a particular service), the objective may need to be revised. At year-end, the organization reviews whether objectives were achieved and sets new objectives for the following year.
Clause 6.3: Planning of Changes to the SMS
When the organization makes changes to the SMS itself—expanding scope to new services, restructuring the change management process, adopting a new service desk tool, or shifting to a new organizational model—these changes must be planned with defined purpose, resource consideration, and clear responsibility. This prevents ad-hoc SMS drift where the system gradually decays without intentional management.
For each planned SMS change, the organization should document:
• What is changing and why
• Who is responsible for implementing the change
• What resources are required
• What risks or impacts could result
• How the change will be communicated and staff trained
• How success will be verified (what evidence will show the change was effective)
Clause 6 (continued): The Service Management Plan—The Centerpiece of SMS Documentation
The Service Management Plan (SMP) is the most important documented output of Clause 6 and arguably of the entire standard. The SMP is a comprehensive document that describes how the organization will establish, implement, and maintain the SMS to achieve its objectives and meet the requirements of ISO 20000. It is not a detailed procedure manual (that level of detail belongs in separate process descriptions and work instructions) but rather a high-level roadmap.
Required Content of the SMP
The service management plan must include:
• The scope of the SMS (which services, components, customers, and organizational units are in scope, as defined in Clause 4)
• How service management objectives will be achieved (strategy and key initiatives)
• Roles and responsibilities (who is accountable for different aspects of the SMS)
• Required resources (budget, staffing, tools, infrastructure)
• Timeline: When the SMS will be implemented and key milestones
• Governance arrangements (who makes decisions, how the SMS is monitored and improved)
• The service management practices that will be implemented (incident management, change management, problem management, etc., as required by Clause 8)
• How the SMS will be aligned with business strategy and customer expectations
• Risk management approach (how risks to the SMS will be managed)
• Quality criteria for service management processes
The SMP as a Living Document
A critical distinction that many organizations miss: the SMP is not a static implementation artifact to be filed away after the SMS goes live. It is a living document that must be reviewed, updated, and re-communicated regularly—at least annually and whenever significant changes occur. If the organization adds a new service to the SMS scope, the SMP must be updated. If a change management process is revised, the SMP is updated. If objectives are revised, the SMP is updated. An organization that updates the SMP annually and maintains version control demonstrates that it takes SMS planning seriously. An organization where the SMP was written for certification and never touched again demonstrates weak commitment.
Relationship Between SMP and Service Portfolio
The Service Portfolio (used in service design and planning) and the Service Management Plan are related but distinct. The Portfolio lists the services the organization delivers; the SMP describes how those services will be managed. The SMP should reference the service portfolio and explain how each service in the portfolio is governed, supported, and improved through the SMS.
Common Clause 6 Findings
In our audit experience, the most frequent Clause 6 findings are:
• Objectives that are not measurable ("improve efficiency" without defining what metric will be measured)
• Risk register created for initial certification but never updated as context changes
• Service Management Plan not maintained after initial SMS implementation; outdated SMP that does not reflect current practices
• No evidence that SMS objectives are monitored; SMP sits on a shelf while actual practices diverge from the plan
• Objectives defined by the SMS team without input from top management or business units; objectives lack business alignment
• Insufficient resources allocated to achieve stated objectives; objectives are aspirational but unrealistic
Practical Guidance: Running an Objective-Setting Workshop
To establish effective SMS objectives, conduct a facilitated workshop with top management, business unit leaders, service managers, and customer representatives. Present the organization's strategic priorities and current service management maturity. Brainstorm potential objectives that would support strategy and close capability gaps. For each candidate objective, apply the SMART criteria. Estimate resources required and timeline. Prioritize (not all objectives can be pursued simultaneously). Document the final set of objectives with clear ownership and resource commitments. Communicate the objectives widely and include them in performance reviews and compensation where applicable.
Running a Risk Assessment Workshop
Conduct a facilitated risk workshop with representation from operations, service management, security, and business units. Use a structured approach:
1. Present the SMS scope and objectives
2. Brainstorm risks and opportunities without filtering (quantity first, quality later)
3. Group and consolidate risks (avoid duplication)
4. Assess likelihood and impact for each risk
5. Prioritize based on risk level (likelihood × impact)
6. Define treatments (prevent, mitigate, accept, or transfer) for high-risk items
7. Document the risk register with ownership and review dates
8. Communicate findings and planned treatments
| KEY CONCEPT | The Service Management Plan is a living document. It must be reviewed and updated annually at minimum, and whenever SMS scope or objectives change. An SMP that was created for initial certification and never updated again indicates weak planning discipline and is likely a Stage 2 audit finding. |
SMS Objective Examples
| Objective Area | Example Objective | Measurement Approach | Review Frequency |
|---|---|---|---|
| Service Availability | Achieve 99.5% uptime for critical business services | Monthly uptime reports from monitoring systems; compare measured availability against the 99.5% threshold | Monthly |
| Incident Management | Reduce P1 incident MTTR (mean time to resolution) from 4 hours to 2 hours | Track MTTR for all P1 incidents; calculate monthly average | Monthly |
| Change Management | Achieve 95% successful change deployment rate (no rollbacks) | Track all changes; measure percentage completed without rollback | Monthly |
| Cost Control | Reduce IT cost per user by 10% by year-end | Calculate total IT cost / total user base; track quarterly | Quarterly |
| Compliance | Maintain 100% compliance with POJK service continuity requirements | Quarterly audit of BC/DR testing and documentation | Quarterly |
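As an added illustration of the measurement approaches in the table above (this script is not from the page or from any tool it names), the following Python code computes three of the sample objectives from constructed monthly data and flags each as on track or at risk; the service names, incident timestamps and change ids are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable

# Constructed sample data for one 31-day reporting month (not from the page).
MONTH_MINUTES = 31 * 24 * 60
DOWNTIME_MINUTES = {"erp": 90, "payments": 45, "portal": 240}  # per critical service
P1_INCIDENTS = [  # (opened, resolved)
    (datetime(2026, 3, 2, 9, 0), datetime(2026, 3, 2, 10, 30)),
    (datetime(2026, 3, 9, 22, 15), datetime(2026, 3, 10, 1, 15)),
    (datetime(2026, 3, 21, 14, 0), datetime(2026, 3, 21, 15, 0)),
]
CHANGES = [(f"CHG-{1000 + i}", i in (3, 11)) for i in range(20)]  # (id, rolled_back)

def availability_pct(downtime: dict, period_minutes: int) -> float:
    """Availability of the weakest critical service; the objective covers all of them."""
    worst = max(downtime.values())
    return round(100.0 * (period_minutes - worst) / period_minutes, 2)

def p1_mttr_hours(incidents) -> float:
    """Mean time to resolution for P1 incidents, in hours."""
    total = sum((done - opened).total_seconds() for opened, done in incidents)
    return round(total / len(incidents) / 3600, 2)

def change_success_pct(changes) -> float:
    """Share of changes deployed without rollback."""
    ok = sum(1 for _, rolled_back in changes if not rolled_back)
    return round(100.0 * ok / len(changes), 2)

@dataclass
class Objective:
    name: str
    target: float
    higher_is_better: bool
    measure: Callable[[], float]

    def status(self) -> str:
        actual = self.measure()
        met = actual >= self.target if self.higher_is_better else actual <= self.target
        return "on track" if met else "at risk"  # "at risk" triggers corrective action

OBJECTIVES = [
    Objective("Critical service availability (%)", 99.5, True,
              lambda: availability_pct(DOWNTIME_MINUTES, MONTH_MINUTES)),
    Objective("P1 MTTR (hours)", 2.0, False, lambda: p1_mttr_hours(P1_INCIDENTS)),
    Objective("Change success rate (%)", 95.0, True, lambda: change_success_pct(CHANGES)),
]

def monthly_review() -> dict:  # objective name -> status, for the management review
    return {o.name: o.status() for o in OBJECTIVES}
```

With the constructed data, the portal's 240 minutes of downtime pulls critical-service availability below 99.5% and two rollbacks out of twenty changes leave the success rate at 90%, so both objectives are reported as at risk while P1 MTTR (1.83 hours) is on track.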
Sample Risk Register Template
| Risk Description | Likelihood | Impact | Risk Level | Treatment | Owner |
|---|---|---|---|---|---|
| Change management process circumvented; uncontrolled changes deployed to production | Medium | High | High | Implement automated control; enforce CAB approval; audit compliance quarterly | Change Manager |
| Service desk tool fails or loses data; ticket history lost | Low | High | Medium | Implement daily automated backups; quarterly disaster recovery testing; maintain vendor support contract | Operations Manager |
| Key incident manager leaves organization; expertise lost | Medium | High | High | Document incident management procedures; cross-train 2 backup staff; implement competence matrix | HR & Service Manager |
| New BSSN cybersecurity regulation published; SMS controls must be revised | Medium | Medium | Medium | Establish regulatory monitoring process; quarterly review of BSSN publications; plan for control updates | Compliance Officer |
| IMPORTANT | SMS objectives must be measurable and monitored. "Improve service quality" is not an objective; you cannot audit whether it was achieved. "Achieve 98% SLA compliance" is an objective; you can measure it monthly and assess progress. Objectives without measurement are a common Stage 2 finding. |
Risk Management and Clause 8 Integration
The risk assessment conducted in Clause 6.1 should directly inform the design of service management practices in Clause 8. If incident management is identified as a high-risk process (prone to failure), the SMS should implement more rigorous controls: formal procedures, manager review of incidents, regular competence assessment. If a particular service is high-risk (critical to business, complex, prone to outages), change management controls for that service should be more stringent. Risk assessment results should be referenced in the service management plan and in the detailed procedures for each service management practice.
| BITLION INSIGHT | Bitlion GRC provides templates for service management planning, objective tracking, and risk registers. Use the SMP template to document how your organization will achieve objectives and manage risks. The objective tracking dashboard allows monitoring of SMS objectives throughout the year and generates management review reports automatically. The risk register feature supports collaborative risk identification and treatment planning. |
Conclusion
Clause 6 bridges strategy and execution. It requires the organization to identify risks and opportunities, establish measurable objectives, and produce a comprehensive Service Management Plan that describes how the SMS will be implemented and evolved. Organizations that take Clause 6 seriously—updating their plans regularly, monitoring objectives rigorously, and treating the SMP as a living strategic document—have service management systems that actually deliver value and adapt as the business evolves. Those that treat Clause 6 as a checkbox exercise, creating a plan for certification and then abandoning it, find that the SMS gradually decays and fails to deliver business benefit. The quality of planning discipline, as demonstrated through objective setting, risk management, and SMP maintenance, is a leading predictor of SMS maturity and audit success.