Professional Documents
Culture Documents
It Optimize IT Change Management Phases 1 4 R4
It Optimize IT Change Management Phases 1 4 R4
It Optimize IT Change Management Phases 1 4 R4
Management
Right-size IT change management to protect
the live environment.
Contents 5
26
Executive Summary
51 Step 2.1: Determine Roles and 131 Appendix II: Optimize IT Change
Responsibilities Management in a DevOps Environment
EXECUTIVE BRIEF
Analyst
Perspective
Balance risk and efficiency to Change management (change enablement, change control) is a balance of efficiency and
risk. That is, pushing changes out in a timely manner while minimizing the risk of
optimize IT change management. deployment. On the one hand, organizations can attempt to avoid all risk and drown the
process in rubber stamps, red tape, and bureaucracy. On the other hand, organizations can
ignore process and push out changes as quickly as possible, which will likely lead to change
related incidents and debilitating outages.
Right-sizing the process does not mean adopting every recommendation from best-practice
frameworks. It means balancing the efficiency of change request fulfillment with
minimizing risk to your organization. Furthermore, creating a process that encourages
adherence is key to avoid change implementers from skirting your process altogether.
Benedict Chang
Research Analyst, Infrastructure and Operations
Info-Tech Research Group
10
This research is designed to help organizations
9 8.6
who need to:
8
7
6.2
• Build a right-sized change management practice that encourages 6
adherence and balances efficiency and risk. 5
1
• Communicate the benefits and impact of change management to
0
all the stakeholders affected by the process. 1 2
organizations:
“We’ve been
doing this for
years. Why do
• Gaining buy-in can be a challenge no matter how well the process “We don’t need
we need more
bureaucracy?”
is built. change
management if
we’re Agile.”
• The complexity of the IT environment and culture of tacit
knowledge for configuration makes it difficult to assess cross- “We don’t have the right
dependencies of changes. tools to even start change
management.”
Plan
“The scope of change Use an objective framework Integrate your change Change management and
management is defined by each for estimating risk process with your IT DevOps can work together
service management effectively
organization…the purpose of system
change management is to
Simply asking, “What is the
maximize the number of risk?” will result in subjective Change management in Change and DevOps tend to be at
successful service and product responses that will likely isolation will provide some odds, but the framework does not
changes by ensuring that the risk minimize the perceived risk. stability, but maturing the have to change. Lower risk changes
The level of due diligence process through service in DevOps are prime candidates for
have been properly assessed, the pre-approved category. Much of
should align to the criticality integrations will enable
authorizing changes to process, the responsibility traditionally
of the systems or departments data-driven decisions,
and managing the change assigned to the CAB can be diffused
potentially impacted by the decrease bureaucracy, and
throughout the software
schedule.” proposed changes. enable faster and more development lifecycle.
stable throughput.
– ALEXOS Limited, ITIL 4
IT satisfaction with change management will drive business satisfaction with IT. Once the process is working
efficiently, staff will be more motivated to adhere to the process, reducing the number of unauthorized changes.
As fewer changes bypass proper evaluation and testing, service disruptions will decrease and business satisfaction
will increase.
Effectiveness Importance
Info-Tech Research Group | 14
Source: Info-Tech 2020; n=5,108 IT Professionals from 620 organizations
Executives and directors recognize the importance of • Info-Tech’s IT Management and
Governance Diagnostic (MGD) program
change management but feel theirs is currently assesses the importance and effectiveness
of core IT processes. Since its inception,
ineffective the MGD has consistently identified change
management as an area for immediate
improvement.
8.9 8.8 8.8
8.6
Importance Scores
No importance: 1.0-6.9
6.5 6.6 6.4 Limited importance: 7.0-7.9
6.1
Significant importance: 8.0-8.9
Critical importance: 9.0-10.0
Effectiveness Scores
REALITY
• 25% of changes are realized as planned. • Over 80% of changes are realized as planned
• Implementation challenge: Engaging the business so that formal change freeze • KPI: Decrease in the number of failed deployments.
periods and regular maintenance windows can be established.
1. Define Change 2. Establish Roles and 3. Define the RFC and Post- 4. Measure, Manage, and
Management Workflows Implementation Activities Maintain
1.1 Assess Maturity 2.1 Determine Roles and 3.1 Design the RFC 4.1 Identify Metrics and Build
Phase Steps 1.2 Categorize Changes and Build Responsibilities 3.2 Establish Post-Implementation the Change Calendar
Your Risk Assessment 2.2 Build Core Workflows Activities 4.2 Implement the Project
Engaging in a Guided Implementation doesn’t just offer valuable project advice, it also results in significant cost savings.
Phase 1: • We estimate Phase 1 activities will take 2 FTEs 10 days to complete on their own, but the time saved
by using Info-Tech’s methodology will cut that time in half, thereby saving $3,100 (2 FTEs * 5 days *
Define Change Management $80,000/year).
Phase 2: • We estimate Phase 2 will take 2 FTEs 10 days to complete on their own, but the time saved by using
Establish Roles and Info-Tech’s methodology will cut that time in half, thereby saving $3,100 (2 FTEs * 5 days *
Workflows $80,000/year).
Phase 3: • We estimate Phase 3 will take 2 FTEs 10 days to complete on their own, but the time saved by using
Define the RFC and Post- Info-Tech’s methodology will cut that time in half, thereby saving $3,100 (2 FTEs * 5 days *
Implementation Activities $80,000/year).
Phase 4: • We estimate Phase 4 will take 2 FTEs 5 days to complete on their own, but the time saved by using
Measure, Manage, and Info-Tech’s methodology will cut that time in half, thereby saving $1,500 (2 FTEs * 2.5 days *
Maintain $80,000/year).
Total savings $10,800
Info-Tech Research Group | 21
Case Study INDUSTRY SOURCE
Technology Daniel Grove, Intel
Intel implemented a robust change management program and experienced a
40% improvement in change efficiency.
With close to 4,000 changes occurring each week, managing Intel’s Establish Roles and
environment is a formidable task. Before implementing change management Workflows
within the organization, over 35% of all unscheduled downtime was due to
errors resulting from change and release management. Processes were ad hoc
or scattered across the organization and no standards were in place. Define RFC and Post-
Implementation
Results Activities
Guided Implementation
DIY Toolkit Workshop Consulting
“Our team has already made this “Our team knows that we need to “We need to hit the ground “Our team does not have the time
critical project a priority, and we fix a process, but we need running and get this project or the knowledge to take this
have the time and capability, but assistance to determine where to kicked off immediately. Our project on. We need assistance
some guidance along the way focus. Some check-ins along the team has the ability to take this through the entirety of this
would be helpful.” way would help keep us on over once we get a framework project.”
track.” and strategy in place.
Diagnostics and consistent frameworks are used throughout all four options.
1. Maturity Assessment 1. Change Manager Job 1. Request for Change (RFC) 1. Metrics Tool 1. Change Management
Description Form Template Standard Operating
2. Risk Assessment 2. Communications Plan
Deliverables
Procedure (SOP)
2. Change Management 2. Pre-Implementation 3. Project Roadmap
Process Library Checklist 2. Workshop Summary Deck
3. Post-Implementation
Checklist
• IT Managers
• Change Manager
Activities • Members of the Change Advisory
Board
1.1.1 Outline the Organization’s Strengths and Challenges
1.1.2 Complete a Maturity Assessment
As seen in the context diagram, change management interacts closely with many other IT processes including release management and configuration
management (seen below). Ensure you delineate when these interactions occur (e.g. RFC updates and CMDB queries) and which process owns each task.
Change Management
RF
RF
RF
RF
C
C
C
C
Release and Build and Post-
Release Release Deploy to Verify
Deployment Configure Test Implementation
Policy Planning Production Deployment
Design Release Activities/Review
Deploy to Communicat
Backout or
Test e and Train
Remediate
Environment Test users
Request for
Release
User
Acceptance
Testing
CM
CM
CM
DB
DB
DB
Configuration Management (CMDB)
Info-Tech Research Group | 29
Avoid the challenges of poor change
management
1 2 3
Deployments Incidents End Users
• Too frequent: The need for frequent • Too many unauthorized changes: If • Low user satisfaction: Poor
deployments results in reduced availability of the process is perceived as communication and training result in
critical business applications. cumbersome and ineffective, people surprised and unhappy users and
will bypass it or abuse the emergency support staff.
• Failed deployments or rework is required:
designation to get their changes
Deployments are not successful and have to be
deployed faster.
backed out of and then reworked to resolve
issues with the installation. • Changes cause incidents: When new “With no controls in place, IT gets the blame for
releases are deployed, they create embarrassing outages. Too much control, and IT is
• High manual effort: A lack of automation
problems with related systems or seen as a roadblock to innovation.”
results in high resource costs for deployments.
applications. – Anonymous, VP IT of a federal credit union
Human error is likely, which adds to the risk of
a failed deployment.
• Organizational chart(s)
1. As group, discuss and outline the change management challenges facing the
organization. These may be challenges caused by poor change management
processes or by a lack of process.
2. Use the pain points found on the previous slide to help guide the discussion.
3. As a group, also outline the strengths of change management and the strengths of
the current organization. Use these strengths as a guide to know what practices to
continue and what strengths you can leverage to improve the change management Materials Participants
process.
4. Record the activity results in the Project Summary Template. • Whiteboard/flip charts (or • CIO
shared screen if working
• IT Managers
remotely)
• Change Manager
• Markers/pens
• Members of the Change
• Project Summary Template
Advisory Board
Download the Optimize IT Change Management
Improvement Initiative: Project Summary Template
Solution
Thankfully, engineers were actively monitoring As part of a routine maintenance procedure, Google engineers moved App Engine
the implementation of the change and were able
applications between data centers in the Central US to balance out traffic.
to spring into action to halt the problem.
• Infrastructure/Applications Manager
Activities
Successfully managed changes will optimize risk exposure, severity of impact, and
disruption. This will result in the bottom-line business benefits of removal of risk,
early realization of benefits, and savings of money and time.
In organizations without formal
• IT change is constant; change requests will be made both proactively and
change management processes,
reactively to upgrade systems, acquire new functionality, and to prevent or resolve about 80%* of IT service
incidents. outage problems are caused
by updates and changes to
• Every change to the infrastructure must pass through the change management
process before being deployed to ensure that it has been properly assessed and
systems, applications, and
tested, and to check that a backout /rollback plan is in place. infrastructure. It’s crucial to
track and systematically
• It will be less expensive to invest in a rigorous change management process than to
manage change to fully
resolve incidents, service disruptions, and outages caused by the deployment of a
bad change.
understand and predict the risks
and potential impact of the
• Change management is what gives you control and visibility regarding what is change. Info-Tech Research Group | 36
introduced to the live environment, preventing incidents that threaten business
*Source: The Visible Ops Handbook
Attributes of a change Is this in the production environment of a business
Differentiate changes from other IT requests process?
The core business of the enterprise or supporting functions may be affected.
week?
As a general rule, if it takes longer than 40
hours of work to complete, it’s likely a
project.
2. Have each participant write the examples on sticky notes and populate the following chart on the
whiteboard/flip chart.
3. Use the examples to draw lines and define what defines each category.
• What makes a change distinct from a project?
• What makes a change distinct from a service request?
• What makes a change distinct from an operational task?
• When do the category workflows cross over with other categories? (For example, when
does a project interact with change management?)
Materials Participants
• Record the definitions of requests and results in section 2.3 of the
Change Management Standard Operating Procedure (SOP).
• Whiteboard/flip charts (or • Infrastructure Manager
shared screen if working
Change Project Service Operational Release • Change Manager
remotely)
Request Task • Members of the Change
(User) (Backend) • Service catalog (if
Advisory Board
applicable)
Changing ERP upgrade Add new user Delete temp files Software release
Configuration • Sticky notes
• Markers/pens
Download the Change Management Standard
• Change Management SOP
Operating Procedure (SOP).
Info-Tech Research Group | 39
Each RFC should define resources
needed to effect the change Categories include
Normal
In addition to assigning a category to each RFC
Emergency Pre-Approved
based on risk assessment, each RFC should also be
assigned a priority based on the impact of the The majority of changes will be pre-approved or normal
changes. Definitions of each category are provided on the
change on the IT organization, in terms of the next slide.
resources needed to effect the change.
Info-Tech uses the term pre-approved rather than
the ITIL terminology of standard to more
accurately define the type of change represented by
this category.
Info-Tech Best Practice
Do not rush to designate changes as pre-approved. You may have a A potential fourth change category of expedited may
good idea of which changes may be considered pre-approved, but be employed if you are having issues with process
make sure they are in fact low-risk and well-documented before adherence or if you experience changes driven from
moving them over from the normal category. outside change management’s control (e.g. from the
CIO, director, judiciary, etc.) See Appendix I for
more details.
Info-Tech Research Group | 40
The category of the change determines the process it follows
Pre-Approved Normal Emergency
• Tasks are well-known, • All changes that are not • The change is being requested to
documented, and proven pre-approved or resolve a current or imminent
• Budgetary approval is emergency will be critical/severity-1 incident that
Definitio preordained or within control of classified as normal threatens business continuity
n change requester • Further categorized by • Associated with a critical incident or
Pay close
• Risk is low and understood priority/risk problem ticket
• There’s a low probability of attention to
failure defining your
• The same change is built and • Upgrade or new • A current or imminent critical pre-approved
changed repeatedly using the functionality that will incident that will impact business changes. They
same install procedures and capture a business continuity are going to be
Trigger resulting in the same low-risk benefit • Urgency to implement the change critical for
outcome • A fix to a current must be established, as well as lack
running a
problem of any alternative or workaround
smooth change
• Pre-established • Dependent on the • Dependent on the change management
Workflo • Repeatable with same sequence change
practice in a
of actions, with minimal • Different workflows
w judgment or decision points depending on DevOps
prioritization Environment
• Change Manager (does not need • CAB • Approval from the Emergency
to be reviewed by CAB) Change Advisory Board (E-CAB) is
Approval sufficient to proceed with the change
• A retroactive RFC must be created Info-Tech Research Group | 41
1. Discuss the change categories on the previous slide and modify the types of
descriptions to suit your organization.
2. Once the change categories or types are defined, identify several examples of
change requests that would fall under each category.
3. Types of normal changes will be further defined in the next activity and can be left
blank for now.
IMPACT
• Priority should be decided with the change requester and with the CAB, if necessary.
• Don’t let the change requester decide priority alone, as they will usually assign it a higher priority Mediu
Low Minor Minor
than is justified. Use a repeatable, standardized framework to assess each request. m
• Time frames and escalation processes should be defined for each risk level.
• RFCs need to clearly identify the risk level of the proposed change. This can be done through statement LIKELIHOOD
of impact and likelihood (low/medium/high) or through pertinent questions linked with business rules to
assess the risk.
• Risk always has a negative impact, but the size of the impact can vary considerably in terms of cost, Info-Tech Research Group | 44
number of people or sites affected, and severity of the impact. Impact questions tend to be more objective
Input Output
1.2.3 Build a Classification Scheme to Assess
Impact • Current risk assessment (if • Tailored impact assessment
available)
2. For each question, assign a weight that should be placed on that factor.
3. Define criteria for each question that would categorize the risk as high, medium,
or low.
2. For each question, assign a weight that should be placed on that factor.
3. Define criteria for each question that would categorize the risk as high, medium,
or low.
two activities
1. Draw your risk matrix on a whiteboard Mediu 1
High Major Major
or flip chart. m
IMPACT
within your organization. Depending on 6 Mediu 7
the number of people participating, each Low Minor Minor
8 9 m
person could identify one or two changes
and write them on sticky notes. Mediu
Low High
m
3. Take turns bringing your sticky notes up Materials Participants
to the risk matrix and placing each where # Change Example
LIKELIHOOD
it belongs, according to the assessment 1 ERP change
criteria you defined. 2 Ticket system go-live • Whiteboard/flip charts (or • CIO
3 UPS replacement shared screen if working
4. After each participant has taken a turn, • Infrastructure Manager
4 Network upgrade remotely)
discuss each change as a group and • Change Manager
5 AD upgrade • Markers/pens
adjust the placement of any changes, if
6 High availability implementation • Members of the Change
needed. Update the risk assessment • Change Management Risk A
Advisory Board
7 Key-card implementation ssessment Tool
weightings or questions, if needed.
8 Anti-virus update
Download the Change Management 9 Website
Rick Assessment Tool
Info-Tech Research Group | 47
Case Study
A CMDB is not a prerequisite of change management. Don’t let the INDUSTRY SOURCE
absence of a configuration management database (CMDB) prevent Manufacturing Anonymous Info-Tech member
• IT Managers
• Change Manager
Activities • Members of the Change Advisory
Board
2.1.1 Capture Roles and Responsibilities Using a RACI Chart
2.1.2 Determine Your Change Manager’s Responsibilities
2.1.3 Define the Authority and Responsibilities of Your CAB Outcomes of this step
• Clearly defined responsibilities to
2.1.4 Determine an E-CAB Protocol for Your Organization form the job description for a Change
Manager
• Provides downtime • Advises on proposed changes • Approves/rejects RFCs for • Reviews RFCs for
window(s) prior to RFC submission normal changes completeness
• Advises on need for change • Reviews draft RFC for • Reviews lessons learned from • Ensures RFCs brought to the
(prior to creation of RFC) technical soundness PIRs CAB have a high chance of
approval
• Validates change (through • Assesses backout/rollback • Decides on the scope of
UAT or other validation as plan change management • Chairs CAB meetings,
necessary) including scheduling, agenda
• Checks if knowledgebase has • Reviews metrics and decides
preparation, reporting, and
• Provides approval for been consulted for prior on remedial actions
follow-ups
expedited changes (needs to lessons learned
• Considers changes to be
be at executive level) • Manages post-
• Participates in the PIR, if added to list of pre-approved
implementation reviews and
necessary changes
reporting
• Ensures that the service desk • Communicates to
• Organizes internal
is trained on the change organization about upcoming
communications
Info-Tech(within IT)
Research Group | 52
changes
Input Output
2.1.1 Capture Roles and Responsibilities Using a
RACI Chart • Current SOP • Documented roles and
1. As a group, work through developing a RACI chart to determine the roles and responsibilities in change
responsibilities of individuals involved in the change management practice based management in a RACI
on the following criteria: chart
• Responsible (performs the work)
• Accountable (ensures the work is done)
• Consulted (two-way communication)
• Informed (one-way communication)
2. Record your results in slide 14 of the Project Summary Template and section 3.1
of your Change Management SOP.
Materials Participants
CAB Member
Service Desk
CIO/ VP IT
Originator
Technical
Change Management Tasks
Manager
Member
Change
E-CAB
System
Owner
SME
• Whiteboard/flip charts (or • CIO
shared screen if working
Review the RFC C C A C R C I R • IT Managers
remotely)
Validate changes C C A C R C I R
• Change Manager
Assess test plan A C R R C I I • Sticky notes
Approve the RFC I C A R C I I • Members of the Change
• Markers/pens
Create communications plan R I A I I I Advisory Board
Deploy communications plan I I A I R • Project Summary Template
Review metrics C A R C C I
Perform a post implementation review C R A I I • Change Management SOP
Review lessons learned from PIR activities R A C I
Info-Tech Research Group | 53
Designate a Change Manager to own the process,
change templates, and tools
Responsibilities
The Change Manager will be the point of contact for all 1. The Change Manager is your first stop for change
process questions related to change management. approval. Both the change management and release and
deployment management processes rely on the Change
Manager to function.
• The Change Manager needs the authority to reject change requests, regardless
of the seniority of the requester. 2. Every single change that is applied to the live
environment, from a single patch to a major change,
• The Change Manager needs the authority to enforce compliance to a standard
must originate with a request for change (RFC),
process.
which is then approved by the Change Manager to
• The Change Manager needs enough cross-functional subject-matter expertise proceed to the CAB for full approval.
to accurately evaluate the impact of change from both an IT and business
perspective. 3. Change templates and tools, such as the change
calendar, list of preapproved changes, and risk
assessment template are controlled by the Change
Info-Tech Best Practice
Manager.
Some organizations will not be able to assign a dedicated Change Manager, but
they must still task an individual with change review authority and with 4. The Change Manager also needs to have ownership
ownership of the risk assessment and other key parts of the process. over gathering metrics and reports surrounding
deployed changes. A skilled Change Manager needs to
have an aptitude for applying metrics for continual
improvement activities. Info-Tech Research Group | 54
Input Output
2.1.2 Document Your Change
Manager’s Responsibilities • Current Change Manager
job description (if available)
• Change Manager job
description and list of
responsibilities
1. Using the previous slide, Info-Tech’s Change Manager Job Description, and the
examples below, brainstorm responsibilities for the Change Manager.
2. Record the responsibilities in Section 3.2 of your Change Management SOP.
Example:
Change Manager: James Corey 9. Assemble the Emergency CAB (E-CAB) when
emergency change requests are received.
Responsibilities
10.Approve submission of RFCs for CAB review.
1. Own the process, tools, and templates.
11.Chair the CAB: Materials Participants
2. Control the Change Management SOP.
• Set the CAB agenda and distribute it
3. Provide standard RFC forms. at least 24 hours before the meeting.
4. Distribute RFCs for CAB review. • Ensure the agenda is adhered to. • Whiteboard/flip charts (or • CIO
5. Receive all initial RFCs and check them for • Make the final approval/prioritization shared screen if working
completion. • IT Managers
decision regarding a change if the remotely)
6. Approve initial RFCs. CAB is deadlocked and cannot come • Change Manager
to an agreement. • Markers/pens
7. Approve pre-approved changes. • Members of the Change
• Distribute CAB meeting minutes to all • Info-Tech’s Change
8. Approve the conversion of normal changes to members and relevant stakeholders. Advisory Board
Manager Job Description
pre-approved changes.
• Change Management SOP
Download the Change Manager Job Description
Info-Tech Research Group | 55
Create a Change Advisory Board (CAB) See what responsibilities in the CAB’s
process are already performed by the
to provide process governance DevOps lifecycle (e.g. authorization,
deconfliction etc.). Do not duplicate
efforts.
1 2 3
Protect the live environment from Prioritize changes in a way that Schedule deployments in a way that
poorly assessed, tested, and fairly reflects change impact and minimizes conflict and disruption.
implemented changes. urgency.
• CAB approval is required for all normal and • Change requests will originate from multiple • The CAB uses a change calendar populated
emergency changes. stakeholders, some of whom have competing with project work, upcoming organizational
interests. initiatives, and change freeze periods. They
• If a change results in an incident or outage,
will schedule changes around these blocks to
the CAB is effectively responsible; it’s the • It’s up to the CAB to prioritize these requests
avoid disrupting user productivity.
responsibility of the CAB to assess and effectively so that business need is balanced
accept the potential impact of every change. with any potential risk to the infrastructure. • The CAB should work closely with the
release and deployment management teams
• The CAB should seek to reduce the number
to coordinate change/release scheduling.
of emergency/expedited changes.
Info-Tech Research Group | 56
Use diverse representation CAB Representation Value Added
•
Identify change blackout periods,
change impact, and business urgency.
Assess impact on fiduciary, legal,
an effective CAB • Business Analyst
•
and/or audit requirements.
Determine acceptable business risk.
The CAB needs insight into all areas of the IT Operations • Managers representing all IT • Identify dependencies and downstream
functions impacts.
business to avoid approving a high-risk Members • IT Directors • Identify possible conflicts with pre-
• Subject Matter Experts (SMEs) existing OLAs and SLAs.
change.
Based on the core responsibilities you have defined, CAB Attendees • Specific SMEs, tech specialists, • Provide detailed information and
and business and vendor reps expertise related to their particular
the CAB needs to be composed of a diverse set of relevant to a particular change subject areas.
individuals who provide quality: • Only attend meetings when • Speak to requirements, change impact,
invited by the Change Manager and cost.
• Change need assessments – identifying the value
and purpose of a proposed change.
• Change risk assessments – confirmation of the
technical impact and likelihood assessments that Info-Tech Best Practice
lead to a risk score, based on the inputs in RFC. Form a core CAB (members attend every week) and an optional CAB (members who
• Change scheduling – offer a variety of perspectives attend only when a change impacts them or when they can provide value in
and responsibilities and will be able to identify discussions about a change). This way, members can have their voice heard without
potential scheduling conflicts. spending every week in a meeting where they do not contribute.
• Final authority over the deployment • Evaluate all normal and emergency
of all normal and emergency changes. Materials Participants
changes. • Verify all normal change test, backout,
• Authority to absorb the risk of a and implementation plans.
change. • Verify all normal change test results.
• Authority to set the change calendar: • Whiteboard/flip charts (or • CIO
o Maintenance windows. • Approve all normal and emergency shared screen if working
changes. • IT Managers
o Change freeze periods. remotely)
o Project work. • Prioritize all normal changes. • Change Manager
• Markers/pens
o Authority to delay changes. • Schedule all normal and emergency
• Members of the Change
changes. • Change Management SOP
Advisory Board
• Review failed change deployments. • Project Summary Template
E-CAB members and business system owners Full documentation of the change
• When an emergency change request is received,
are provided with change details. No decision is (a retroactive RFC) is done after
you will not be able to wait until the regularly made without feedback from at least one E-CAB the change and is then reviewed by
scheduled CAB meeting. member. the CAB.
Materials Participants
Example:
Create • Whiteboard/flip charts (or • CIO
Assemble E- Assess Test (if Deploy Review With
Retroactive shared screen if working
CAB Change Applicable) Change CAB
RFC • IT Managers
remotely)
• Change Manager
• Markers/pens
• Members of the Change
• Change Management SOP
Advisory Board
• IT Managers
• Change Manager
Activities • Members of the Change Advisory
Board
2.2.1 Build a CMDB-lite as a Reference for Requested Changes
2.2.2 Create a Normal Change Process
2.2.3 Create a Pre-Approved Change Process
2.2.4 Create an Emergency Change Process
• Activities that occur in the process step that’s being • Other process steps that require the output.
Process analyzed.
RACI
• What does the process step produce? This can be a
Output document, data, information, or a decision. • Those who are Responsible, Accountable,
Consulted, or Informed (RACI) about the
Custome • Who or what organization(s) takes the output of the input, output, and/or process.
r process? The customer can be internal or external.
Info-Tech Research Group | 63
Establish change workflows: assess requested changes to
identify impact and dependencies
An effective change assessment workflow is a holistic process that leaves no stone unturned in an effort to
mitigate risk before any change reaches the approval stage. The four crucial areas of risk in a change
workflow are:
Identify all Frame the change from Each new change can Once risk has been
Business Impact
SLA Impact
Required Resources
Dependencies
An assessment of each change and a query of the CMDB • Has someone checked the CMDB to ensure all
needs to be performed as part of the change planning process dependencies have been accounted for?
to mitigate outage risk. • Have we referenced the service catalog so the
business approves what they’re authorizing?
• A version upgrade on one piece of software may require another
component to be upgraded as well. For example, an upgrade to the
database management system requires that an application that uses Technical Teams Impacted
the database be upgraded or modified. • Who will support the change throughout testing and
implementation?
• The sequence of the release must also be determined, as certain
components may need to be upgraded before others. For example, • Will additional support be needed?
if you upgrade the Exchange Server, a Windows update must be • Do we need outside support from eternal suppliers?
installed prior to the Exchange upgrade.
• Has someone checked the contract to ensure any
• If you do not have a CMDB, consider building a CMDB-lite, additional costs have been approved?
which consists of a listing of systems, primary users, SMEs,
business owners, and system dependencies (see next slide).
Info-Tech Research Group | 65
Build a dependency matrix to avoid change related collisions (optional)
A CMDB-lite does not replace a CMDB but can be a valuable tool to leverage when requesting changes if you
do not currently have configuration management. Consider the following inputs when building your own
CMDB-lite.
• System necessary to build and implement it successfully.
o To build a CMDB-lite, start with the top 10 systems in your • Tier 1 Dependency
environment that experience changes. This list can always be
o If the primary system experiences and outage, Tier 1 dependency
populated iteratively.
functionality is also lost. To request a change, include the business
• Primary Users system owner signoffs of the Tier 1 dependencies of the primary
o Listing the primary users will give a change requester a first glance at system.
the impact of the change. • Tier 2 Dependency
o You can also use this information when looking at the change o If the primary system experiences an outage, Tier 2 dependency
communication and training after the change is implemented. functionality is lost, but there is an available workaround.
• SME/Backup o As with Tier 1, this information can help you build a backout plan in
o These are the staff that will likely build and implement the change. case there is a change-related collision.
The backup is listed in case the primary is on holiday. • Tier 3 Dependency
• Business System Owner o Tier 3 functionality is not lost if the primary system experiences an
o The owner of the system is one of the people needed to sign off on the outage, but nice-to-haves such as aesthetics are affected.
Info-Tech Research Group | 66
change. Having their support from the beginning of a change is
Input Output
2.2.1 Build a CMDB-lite as a Reference for
Requested Changes • Current system ownership • Documented reference for
documentation change requests (CMDB-
1. Start with a list of your top 10-15 systems/services with the highest volume of changes. lite)
2. Using a whiteboard, flip chart, or shared screen, complete the table below by filling the
corresponding Primary Users, SMEs, Business System Owner, and Dependencies as
shown below. It may help to use sticky notes.
3. Iteratively populate the table as you notice gaps with incoming changes.
System Primary SME Backup Business Tier 1 Tier 2 Tier 3
Users SME(s) System Dependency (impaired Dependenc
Owner (system functionality/ y (nice to
functionalit workaround have)
y is down) available)
Change initiation allows for assurance that the request is in scope for change management and acts as a filter for out-of-scope changes to be redirected to the proper
workflow. Initiation also assesses who may be assigned to the change and the proper category of the change, and results in an RFC to be populated before the
change reaches the build and test phase.
The change trigger assessment is critical in the DevOps lifecycle. This can take a more
formal role of a technical review board (TRB) or, with enough maturity, may be For the full process, refer to the Change
automated. Responsibilities such as deconfliction, dependency identification, calendar Management Process Library.
query, and authorization identification can be done early in the lifecycle to decrease or
eliminate the burden on CAB.
Info-Tech Research Group | 69
Example process: Normal Change – Technical Build and
Test
The technical build and test stage includes all technical prerequisites and testing needed for a change to pass before proceeding to approval and
implementation. In addition to a technical review, a solution consisting of the implementation, rollback, communications, and training plan are also built and
included in the RFC before passing it to the CAB.
As your process matures, begin creating a list of normal changes that might qualify for pre-approval. The most potential for value in gains from change
management comes from re-engineering and automating of high-volume changes. Pre-approved changes should save you time without threatening the live
environment.
IT should flag changes they would like pre-approved: Pre-approved changes are not exempt from due diligence:
• Once your change management process is firmly established, hold a • Once a change is designated as pre-approved, the deployment team should
meeting with all staff that make change requests and build changes. create and compile all relevant documentation:
• An RFC detailing the change, dependencies, risk, and impact.
• Run a training session detailing the traits of pre-approved changes and
ask these individuals to identify changes that might qualify. • Detailed procedures and required resources.
• Implementation and backout plan.
• These changes should be submitted to the Change Manager and
reviewed, with the help of the CAB, to decide whether or not they • Test results.
qualify for pre-approval. • When templating the RFC for pre-approved changes, aim to write the
documentation as if another SME were to implement it. This reduces
confusion, especially if there’s staff turnover.
Info-Tech Best Practice
• The CAB must approve, sign off, and keep a record of all documents.
At the beginning of a change management process, there should be
few active pre-approved changes. However, prior to launch, you • Pre-approved changes must still be documented and recorded in the
may have IT flag changes for conversion. CMDB and change log after each deployment.
Info-Tech Research Group | 74
Example process: Pre-Approved Change Process
• Emergency changes have one of the following triggers: Sample Change Quick Check Emergency?
o A critical incident is impacting user productivity.
Are the patches
o An imminent critical incident will impact user productivity. Install the latest critical
required to resolve or
patches from the No
prevent an imminent
• Unless a critical incident is being resolved or prevented, the change should be vendor.
critical incident?
categorized as normal.
• An emergency change differs from a normal change in the following key aspects: A virus or worm Is the patch required to
o An emergency change is required to recover from a major outage – there invades the network resolve or prevent an
Yes
and a patch is needed imminent critical
must be a validated service desk critical incident ticket. An urgent business to eliminate the threat. incident?
requirement is not an “emergency.”
o An RFC is created after the change is implemented and the outage is over.
o A review by the full CAB occurs after the change is implemented.
o The first responder and/or the person implementing the change may not be Info-Tech Best Practice
the subject matter expert for that system. Change requesters should be made aware that senior
management will be informed if an emergency RFC
• In all cases, an RFC must be created and the change must be reviewed by the full
is submitted inappropriately. Emergency requests
CAB. The review should occur within two business days of the event. trigger urgent CAB meetings, are riskier to deploy,
and delay other changes waiting in the queue.
• IT Managers
• Change Manager
Activities • Members of the Change Advisory
Board
3.1.1 Evaluate Your Existing RFC Process
3.1.2 Build the RFC Form
• The RFC should contain all the information required to approve a change. Some 3. References to external documentation
information will be recorded when the change request is first initiated, but not
4. Items to be changed, reason for the change, and impact of both
everything will be known at that time.
implementing and not implementing the change
• Further information can be added as the change progresses through its lifecycle.
5. Change type and category
• The level of detail that goes into the RFC will vary depending on the type of change,
the size, and the likely impact of the change. 6. Priority and risk assessment
• Other details of the change may be recorded in other documents and referenced in the 7. Predicted time frame, resources, and cost
RFC.
8. Backout or remediation plan
Info-Tech Insight
9. Proposed approvers
Keep the RFC form simple, especially when first implementing change
management, to encourage the adoption of and compliance with the 10. Scheduled implementation time
process.
11.Communications plan and post-implementation review
2. Show the participants Info-Tech’s Request for Change Form Template and compare it to the one
the organization is currently using. Materials Participants
3. As a group, finalize an RFC table of contents that will be used to formalize a new or improved
RFC.
• Whiteboard/flip charts (or • IT Director
4. Decide which fields should be filled out by the requester before the initial RFC is submitted to shared screen if working
• Infrastructure Manager
the Change Manager: remotely)
• • Change Manager
Many sections of the RFC are relevant for change assessment and review. What • Projector
information does the Change Manager need when they first receive a request? • Members of the Change
• Markers/pens
• The Change Manager needs enough information to ensure that the change is in scope Advisory Board
• Laptop with ITSM admin
and has been properly categorized.
access
5. Decide how the RFC form should be submitted and reviewed; this can be documented in • Request for Change Form T
section 5 of your Change Management SOP. emplate
Download the Request for Change Form Template • Change Management SOP
Info-Tech Research Group | 85
Design the RFC to encourage
Change requester
process buy-in
Requested date of deployment
Change risk: low/medium/high
• When building the RFC, split the form up into sections that follow the Risk assessment
normal workflow (e.g. Intake, Assessment and Build, Approval, Description of change
Implementation/PIR). This way the form walks the requester through Reason for change
what needs to be filled and when. Change components
• Revisit the form periodically and solicit feedback to continually improve Assess change:
• Dependencies
the user experience. If there’s information missing on the RFC that the • Business impact
CAB would like to know, add the fields. If there are sections that are not • SLA impact
used or not needed for documentation, remove them. • Required resources
• Query the CMS
• Make sure the user experience surrounding your RFC form is a top Plan and test changes:
priority – make it accessible, otherwise change requesters simply will not • Test plan
• Test results
use it. • Implementation plan
• Backout plan
• Take advantage of your ITSM’s dropdown lists, automated notifications,
• Backout plan test results
CMDB integrations, and auto-generated fields to ease the process of
filling the RFC Approve and schedule changes:
Legend • Final CAB review
• Communications plan
Draft CAB
Deploy changes:
• Post-implementation review
Technical Build Complete
3.1.2 Build the RFC Form • Current RFC form or stock • List of changes to the
ITSM RFC current RFC and RFC
process
1. Use Info-Tech’s Request for Change Form Template as a basis for your RFC form. • Current SOP (if available)
2. Use this template to standardize your change request process and ensure that the
appropriate information is documented effectively each time a request is made. The
change requester and Change Manager should consolidate all information
associated with a given change request in this form. This form will be submitted by
the change requester and reviewed by the Change Manager.
Materials Participants
• IT Managers
• Change Manager
Activities • Members of the Change Advisory
Board
3.2.1 Determine When the CAB Would Reject Tested Changes
3.2.2 Create a Post-Implementation Activity Checklist
• The change is actually a project. There was a request for an It’s too expensive to
update to a non-supported implement, despite the need
• The risk is too high. application, and the vendor for it. The CAB will wait for
• There could be regulatory issues. was asking for a premium an upgrade to a new
support contract that is very application.
• The peripherals (test, backout, communication, and training plans) costly.
are incomplete.
There was a request to update The risk outweighs the
application functionality to a business benefits.
Info-Tech Best Practice beta release.
Many reasons for rejection (listed above) can be caught early on in the
process during the technical review or change build portion of the
change. The earlier you catch these reasons for rejection, the less wasted
effort there will be per change. Info-Tech Research Group | 94
Input Output
Determine When the CAB Would Reject
Tested Changes • Current SOP (if available) • List of reasons to reject
tested changes
1. Understand that once a change reaches the CAB, it has already been
assessed, planned for, and tested (where possible).
2. The change manager should not be submitting RFCs with inadequate
assessments to the CAB, so we can assume that these RFCs are complete.
However, the CAB might still reject the request.
3. As a group, discuss possible reasons why the CAB would reject a change Materials Participants
request and document these on the whiteboard.
4. Document several sample RFCs on the whiteboard that the group feels
• Whiteboard/flip charts (or • IT Director
should be rejected and note the reasons for rejection. shared screen if working
• Infrastructure Manager
remotely)
5. Document the next steps after a rejection, e.g. consult with SME to • Change Manager
• Projector
rebuild or rework the change. • Members of the Change
• Markers/pens
Advisory Board
6. Capture the results of the discussion in your Project Summary Template.
• Laptop with ITSM admin
access
The implementation phase is the final checkpoint before releasing the new change into your live environment. Once the final checks have been
made to the change, it’s paramount that teams work together to transition the change effectively rather than doing an abrupt hand-off. This
could cause a potential outage.
Deployment resources identified, allocated, and
scheduled
1 2
Documentation complete 1. Verification – once the change has been
Support team trained implemented, verify that all requirements
are fulfilled.
Users trained
Business sign-off
2. Review – ensure that all affected systems
and applications are operating as predicted.
Target systems identified and ready to receive
changes 3. Update change log.
Implement
Target systems available for installation Change 4. Transition – a crucial phase of
maintenance window scheduled implementation that’s often overlooked.
Technical Checks: Once the change implementation is
complete from a technical point of view, it’s
Disk space available
imperative that the team involved with the
Pre-requisites met change inform and train the group
Components/Services to be updated are responsible for managing the new change.
stopped
All users disconnected
Every change process needs to plan for the potential for failure and how to address it effectively. Change management’s solution to this
problem is a backout plan.
• All changes should be reviewed to understand the reason behind them, • Changes may fail subtly and still need review.
appropriateness, and recommendations for next steps. • Changes that cause serious failures (i.e. unplanned
• The Change Manager manages the completion of information PIRs and downtime) receive analysis that is unnecessarily in-
invites RFC originators to present their findings and document the lessons depth.
learned.
2. What are the benefits?
• A proactive, post-implementation review actually uses
less resources than reactionary change reviews.
Info-Tech Best Practice • Root-cause analysis of failed changes, no matter what
the impact.
Review PIR reports at CAB meetings to highlight the root causes of issues, action
• Insight into changes that took longer than projected.
items to close identified gaps, and back-up documentation required. Attach the
PIR report to the relevant RFC to prevent similar changes from facing the same • Identification of previously unidentified risks affecting
issues in the future. changes.
Participants •
•
Change Manager
Originator
• SME/supervisor/impacted team(s)
Categories under Current deviations and action items from previous PIR:
• Complete
review • Partially complete
• Complete, late
• Change failed, rollback succeeded
• Change failed, rollback failed
• Major deviation from implementation plan
Output •
•
Root cause or failure or deviation
External factors
• Remediation focus areas
• Remediation timeline (follow-up at appropriate time)
Controls •
•
Reviewed at next CAB meeting
RFC close is dependent on completion of PIR
• Share with the rest of the technical team
• Lessons learned stored in the knowledgebase and attached to RFC for easy search of past issues.
Unfortunately, this software deployment Additionally, the configuration switch was Defined PIR activities enabled Microsoft
caused a service interruption in multiple incorrectly enabled for the Azure Blob to take swift action against the outage and
regions. storage Front-Ends. mitigate the risk of a serious outage.
Activities
Check the schedule and assess resource availability: • Whiteboard/flip charts (or • Change Manager
Will user productivity be impacted? shared screen if working
Are there available resources (people and systems) to • Members of the Change
remotely)
implement the change? Advisory Board
Is the vendor available? Is there a significant cost attached to • Projector
• Service Desk Manager
pushing change deployment before the regularly scheduled
• Markers/pens
refresh? • Operations (optional)
Are there dependencies? Does the deployment of one change • Project Summary Template
depend on the earlier deployment of another?
3. Record your results in your Project Summary Template.
Request
Approve
• Number of changes broken down by department What percentage of change requests are reviewed
(business unit/IT department to be used in by the CAB that should have been pre-approved or
making core/optional CAB membership more Plan emergency (i.e. what percentage of changes are in
efficient) the wrong category)?
• Number of workflows that can be automated
Average time between RFC lifecycle stages (by service/application) Advance planning for proposed changes
List of expedited changes Spotlighting poor planning and reducing the need for this category going
forward (“The Hall of Shame”)
CAB approval rate Change coordinator alignment with CAB priorities – low approval rate
indicates need to tighten gatekeeping by the change coordinator
Calendar of changes Planning
2. Starting with the CSF table, fill in all relevant CSFs that your group wishes to track and measure.
3. Next, work to determine relevant KPIs correlated with the CSFs and metrics needed to measure the KPIs.
Use the tables included below (taken from section 14 of the Change Management SOP) to guide the
process.
4. Record the results in the tables in section 14 of your Change Management SOP.
5. Decide on where and when to review the metrics to discuss your change management strategy. Designate
Ref#and owner and record in the RACI and Communications
Metric Ref# section of your
KPIChange Management SOP.
Product
Successful changes for a period of time
K1 M2 / M1 x 100%
(approach 100%)
M1
Number of changes implemented for a K2 Changes causing incidents (approach 0%) M3 / M1 x 100% Materials Participants
time period
K3 Average days to implement a change ΣM5 / M1
Number of changes successfully [1 - (M6 / M1)] x
M2 K4 Change efficiency (approach 100%)
implemented for a time period 100%
Quality of changes being implemented [1 - (M4 / M1)] x • Whiteboard/flip charts (or • Change Manager
K5
Number of changes implemented (approach 100%) 100% shared screen if working
M3
causing incidents [1 - (M7 / M1)] x • Members of the Change
K6 Change training efficiency (approach 100%) remotely)
100% Advisory Board
Number of accepted known errors • Markers/pens
M4
when change is implemented
Ref# CSF Indicator • Service Desk Manager
Successful change management process • Change Management SOP
C1 K1, K5
Total days for a change build (specific producing quality changes • Operations (optional)
M5 C2 Consistent efficient change process K4, K6
to each change)
1. Input metrics from the previous activity to track over the course of a year.
2. To record your metrics, open the tool and go to tab 2. The tool is currently primed to record and track
five metrics. If you need more than that, you can edit the list in the hidden calculations tab.
3. To see the progress of your metrics, move to tab 3 to view a dashboard of all metrics in the tool.
Materials Participants
• IT Managers
• Change Manager
Activities
• Many people fail before they even start because they are
Change management provides value by promptly buried in a mess created before they arrived – either
evaluating and delivering changes required by the because of a failed attempt to get change management
business and by minimizing disruption and rework implemented or due to a complicated system that has
always existed.
caused by failed changes. Communication of your new
change management process is key. If people do not • Many systems are maintained because “that’s the way
it’s always been done.”
understand the what and why, it will fail to provide
the desired value. • Organizations don’t know where to start; they think
change management is too complex a process.
Info-Tech Insight
The success of change communication can be measured by monitoring the number of
service desk tickets related to a change that was not communicated to users.
Management Why? What problems are you trying When? When will this be
to solve? happening? When will it affect me?
What? What processes will it affect How? How will these changes
Technicians (that will affect me)? manifest themselves?
Who? Who will be affected? Who do I Goal? What is the final goal? How
go to if I have issues with the new will it benefit me?
process?
Info-Tech Insight
Pay close attention to the medium of communication. For example,
Business stakeholders on their feet all day would not be as receptive to an email
Stakeholders communication compared to those who primarily work in front of a
computer. Put yourself into various stakeholders’ shoes to craft a tailored
communication of change management.
Now that you have completed your Change Management SOP, the final step is to get sign-off from
senior management to begin the rollout process.
2. Use this tool to identify each action item that will need to be completed as part of the change
management initiative. Chart each action item, assign an owner, define the duration, and set a
completion date.
3. Use the resulting rocket diagram as a guide to task completion as you work toward your future
state.
Materials Participants
Lastly, keep an eye on your progress with objective, data-driven metrics. Leverage
the trends in your data to drive your decisions. Be sure to revisit the maturity
assessment not only to measure and visualize your progress, but to gain insight into
your next steps.
Info-Tech analysts will join you and your team at your location or
welcome you to Info-Tech’s historic office in Toronto, Ontario,
Canada to participate in an innovative onsite workshop.
1.1.2 Complete a Change 2.2.1 Plot the Process for a
Management Maturity Normal Change
Assessment Build a normal change process using
Run through the change management Info-Tech’s Change Management
maturity assessment with tailored Process Library template with an
commentary for each action item analyst helping you to right size the
outlining context and best practices. process for your organization.
Info-Tech Research Group | 127
Related Standardize the Service Desk
BMC. “ITIL Change Management.” BMC Software Canada, 22 December 2016. Sharwood, Simon. “Google broke its own cloud by doing two updates at once.” The
Register, 24 Aug. 2016.
Brown, Vance. “Change Management: The Greatest ROI of ITIL.” Cherwell Service
Management. SolarWinds. “How to Eliminate the No: 1 Cause of Network Downtime.” SolarWinds Tech
Tips, 25 Apr. 2014.
Cisco. “Change Management: Best Practices.” Cisco, 10 March 2008.
The Stationery Office. “ITIL Service Transition: 2011.” The Stationary Office, 29 July 2011.
Grove, Daniel. “Case Study ITIL Change Management Intel Corporation.” PowerShow,
2005. UCISA. “ITIL – A Guide to Change Management.” UCISA.
ISACA. “COBIT 5: Enabling Processes.” ISACA, 2012. Zander, Jason. “Final Root Cause Analysis and Improvement Areas: Nov 18 Azure Storage
Service Interruption.” Microsoft Azure: Blog and Updates, 17 Dec. 2014.
Jantti, M. and M. Kainulainen. “Exploring an IT Service Change Management Process: A
Case Study.” ICDS 2011: The Fifth International Conference on Digital Society, 23 Feb.
2011.
Murphy, Vawns. “How to Assess Changes.” The ITSM Review, 29 Jan. 2016.
Nyo, Isabel. “Best Practices for Change Management in the Age of DevOps.” Atlassian
Engineering, 12 May 2021.
Building change from the ground up doesn’t meant the process has to
Continually be fully fledged before launch. Iterative improvements are possible
before achieving an optimal state. Having the proper metrics on the
Improve pain points and bottlenecks in the process can identify areas for
automation and improvement. Info-Tech Research Group | 135
Increasing the proportion of pre- Relative Change Proportions of Change Categories
approved changes
100
70
60
• To designate a change as a pre-approved change it must have a low risk
rating (based on impact and likelihood). Fortunately, many of the 50
changes within the Agile framework are designed to be small and lower
risk (at least within application development). Putting in the work ahead 40
of time to document these changes, template RFCs, and document the
dependencies for various changes allows for a shift in the proportion of 30
pre-approved changes.
20
• The designation of pre-approved changes is an ongoing process. This is
not an overnight initiative. Measure the proportion of changes by 10
category as a metric, setting goals and interim goals to shift the change
0
proportion to a desired ratio. Before After