IT Change Management Control Process: A Beginners Guide

The current business climate of fast paced change requires IT service providers to deliver products and services at a justifiable cost without negative impacts to the infrastructure and end user. To compete in the global marketplace, IT service professionals are required to manage their infrastructure using an end to end holistic approach to deliver reliable service on a consistent basis.

Many organizations of all industries have implemented ITIL to effectively compete. Of the multiple ITIL processes, Change Management is considered difficult to implement but often shows the greatest return on investment. This paper will address the following six questions in detail to aid IT practitioners in their Change Management planning and implementation process.

· How to start a Change Advisory Board?

· Is a tool required before we can start?

· Do we need a Change Coordinator?

· What metrics should be created?

· How do we involve the business customers in the process?

· How do we initiate a post-implementation review process?

The ITIL Concept

IT service providers, particular in the United States, have struggled for years to prove to its internal and external customers the value of "what we do." ITIL, or The Information Technology Infrastructure Library is a set of books outlining the most widely accepted best practice approach to IT Service Management in the world. This framework, developed from the international private and public sector, (OGC) Office of Government Commerce, U.K. and with collaboration from it SMF (Information Technology Service Management Forum), aides IT service providers in planning consistent, documented, and repeatable processes that improve service delivery to the business.

Our first order of business was to change the name of our "Help Desk" to "Service Desk" which within the ITIL framework becomes the single point of contact between the business customer and the service provider providing advice, guidance, and quick restoration of service. With the single point of contact concept, customer service is a consistent and repeatable method for service, as the staff should have strong technical skills, business savvy, and a service-based orientation. Additionally, customer problems can be logged and trended to provide valuable information to the business.

The next step was to implement Incident Management, which is the rapid restoration of normal services to limit the negative impact to the business. The ITIL definition of an incident is "Any event which is not part of the standard operation of a service and which causes, or may cause, an interruption to, or a reduction in, the quality of that service." This process helped move IT from a "hero" culture to one of a proactive, service based culture. We built a formal Incident Management process and the benefits are numerous. Once we established a formal Incident Management process we were ready to focus on Change Management, which is one of the most visible of the ITIL processes.

Change Management is the process of planning, coordinating, monitoring and communicating changes affecting production. Change Management ensures that standard methods and procedures are used for the efficient and prompt handling of all changes in order to minimize the impact of change related incidents and improve day-to-day operations. We will discuss Change Management in more detail later.

Configuration Management is considered the most challenging and time consuming process to successfully implement. Configuration Management is the process in which IT components are identified, logged and reported on and it provides significant benefits to any IT organization. In many companies, Configuration Management is considered the "foundation" of the ITIL processes.

Release Management's goal is to take a high level look at IT change and make certain that all the technical and non-technical details are considered and well thought out. A release is a collection of approved changes that may consist of multiple fixes or enhancements. Release comes in multiple types including Delta, Full and Package. Other components of Release include the Definitive Hardware Store, which is isolated and secure storage of hardware spares. Another component is the Definitive Software Library, which is a repository of master electronic copies of software and their respective license documents.

Service Level Management is the process whereby the IT service provider and customer define, negotiate, agree and monitor levels of service. The goal is to maintain and improve IT service quality in order to meet the customers' business related objectives. We have implemented components of Service Level Management and established key roles within the organization to continue to build on its success. The Account Manager is a pivotal role in educating the customer on the value of IT and negotiates the levels of service and pricing of the service offerings. Also, our Account Managers serve on our Change Advisory Board as non-voting members.

Change Management Questions

How to start a Change Advisory Board?

First you need to determine who needs to attend the CAB meetings. Who are the key stakeholders? Once you determine "who" should attend then you can determine whether or not they need to attend every CAB meeting or only those meetings in which their area of expertise is required. Also, you should ask yourself if the meetings would be open to everyone or only those who are involved in or impacted by the change.

Next, determine how often and when the board will meet. Will it be weekly, monthly, or only as needed? How will change control be maintained if you meet less than weekly? What are the possible consequences of this decision? Regardless of how often you decide to have your CAB meeting, you should have it at the same time and on the same weekday to maintain consistency. Other meetings should not be allowed to book over CAB meetings nor should CAB meetings be cancelled, if possible.

When there are Emergency changes will they go before an Emergency CAB? If so, who are those CAB members? Who determines if an Emergency CAB meeting is or isn't needed? What types of changes are considered emergencies? What needs to be completed to get an emergency approval? What are the procedures for an Emergency change during non-work hours?

Before you plan your first meeting, you will want to determine the meeting format. Will the meetings be in person, via telephone or a combination of the two? If the meetings will be held via telephone, check with your Telecom department to determine if they are any potential issues you may encounter or are unaware of? If you decide to use a combination of these formats, how will you ensure everyone's concerns and votes are registered?

Prior to the first "official" CAB meeting, you will want to bring the CAB members together to go over their roles, responsibilities, and meeting expectations. This will also give the Change Coordinator the opportunity to poll the CAB on policies and procedures. The CAB needs to determine what will constitute a quorum, what types of changes does the board want to approve? What types of changes is the Change Coordinator empowered to approve? Will CAB members have delegates? If so, what are the expectations for delegates? Will there be an Executive CAB? If so, who and when will changes be escalated to them for resolution? The Change Coordinator can also use this time to go over some of the documentation the CAB will be working with: Weekly Change Agenda, Forward Schedule of Changes and the Change Management reports.

Prior to the first CAB meeting the Change Coordinator will need to create and publish the Change Agenda and Forward Schedule of Change. CAB members will use this information to research and discuss changes on the agenda with their staff prior to the CAB meeting. Any issues encountered should be resolved preceding the CAB meeting to allow time for thoughtful discussions during the meeting.

Make sure your CAB meetings start and end on time and that all needed information is available. During the actual CAB meeting, keep the pace steady as you move through each change, this will allow ample time for discussion when needed. Most importantly, ensure you do a "reality check" at least once a month to ensure the meetings are still providing value for the members and see if there are areas for improvement.

The meetings need to have a facilitator, usually the Change Management Coordinator and a scribe to ensure the meeting flows freely and is accurately documented.

Is a Tool Required before we can begin?

As long as there is a consistent, documented, repeatable process you do not need a formalized tool for Change Management process to work. A basic Change Management system could involve Change Implementers filling out a paper form which outlines their change and the implementation plans. The change information could be routed to the Change Coordinator who would then maintain and file the information. All changes would need to be communicated throughout the IT organization and to the customers if they will be impacted; this could be accomplished via email. For smaller organizations, it is possible to implement Change Management with paper forms and email; a centralized access database that would enable everyone to input their change information or a combination of those tools. If you already have or will be implementing Incident Management, Problem Management or Release Management, you will want to ensure there is a way to cross reference the tickets.

Do we need a Change Coordinator?

In order for the Change Management process to be successful, you need a dedicated process owner who is responsible for administrating and monitoring the change process. The Change Coordinator ensures that all changes are recorded, scheduled, and that all parties involved with the change have the information that is needed for the change to progress through the process.

The Change Coordinator Responsibilities include:

· Review and update the Change Management process, as needed.

· Analyze change data and communicate to management potential exposures.

· Review all change requests to ensure completeness, accuracy, and clarity of information.

· Review the request for compliance to Change Management procedures.

· Prepare and distribute meeting information and complete change requests to the Change Advisory Board for business impact, priority and change readiness review.

· Facilitate Change Advisory Board meetings with Change Advisory Board personnel.

· Prevent potential conflict by maintaining a change schedule or calendar.

· Add the request to the schedule for change activity.

· Ensure changes are approved prior to implementation.

· Attempt to resolve change conflicts and escalate to management as necessary.

· Publishing change control meeting notes and helping communicate changes to appropriate technology and user groups.

· Ensure that only authorized changes are implemented, that changes are implemented in an acceptable time frame in accordance with business requirements, that changes are successful, and that no new incidents are created as a result of a change.

· Conduct Post Implementation Reviews.

· Assist departments in the change process.

· Coordinate and distribute Change Management reports and measurements.

· Provide education as needed.

What Metrics should be created?

Change Management provides ample opportunities for capturing metrics that will communicate the benefits and quantify the process for management and customers.

Some of those metrics include:

1. How many Request For Changes have been opened?

2. How many Changes were withdrawn?

3. How many Changes did the CAB deny?

4. How many successful changes were there?

5. How many unsuccessful changes?

6. How many changes were backed out and why?

7. If a change was backed out, what was the impact to the customer?

8. How many incidents have been related to changes?

9. How many post implementation reviews have been completed?

10. How many Emergency changes were there? What is the percentage?

11. How many changes were considered major, medium or minor? What is the percentage?

12. How many changes indicate which configuration item was affected?

13. Which configuration items are continually changing?

14. How many changes are pending other workgroups signoff or approval?

15. How many outstanding RFCs are there? Why are they still pending?

16. Does the RFC contain all relevant and required information? If not, was it approved?

17. How many RFCs is each work group creating? Are they being actively managed?

How do we involve the business customer in the process?

For the Change Management process to be fully successful and reach maturity the customer needs to be involved in the process. Customers can be encouraged to attend the CAB meetings; however, if you have more than one customer, you need to ensure their information is kept confidential. The CAB meetings can be structured to ensure this by blocking out specific times for specific customers to attend the meetings. The customer should receive their companies Weekly Change Agenda and Forward Schedule of Changes prior to the meeting to ensure they have time to go over the changes with their personnel. Also, your customers should be required to sign a Non-Disclosure Agreement prior to attending the meeting. Keeping customers involved in the change process will ensure they are informed and aware of your efforts to manage change on their behalf.

How do we initiate a Post-Implementation Review?

The CAB needs to determine the types of questions they would like answered regarding successful and unsuccessful changes and it is not necessary to review every change.

A typical Post Implementation Review form includes the following:

· Description of Business Change

· What was the desired benefit of the change?

· Did the change meet the customer's expectations?

· What part of the change was successful and why?

· If there were problems, what were they and how were they remedied?

· Lessons Learned