The True Value of Change Management
"The only constant is change."
Certainly that is a saying with which many IT pros are familiar. Yet it is surprising that IT organizations often lack a fundamental understanding of the need to manage change. Too many believe that change management stops with budgetary planning.
Change is pervasive through the organization and has huge impacts on the operations of the business. People at all levels in IT must understand and value the fact that as the level of complexity increases in a system, the value of effective change management processes increases.
Studies have shown that 80 percent of the fires that IT fights and 80 percent of security breaches are caused by human error. The vast majority of the problems in IT, and thus for the overall organization, will arise from human limitations in the face of escalating systemic complexity.
To understand potential solutions, real or perceived, we must first recognize that the solution space has three dimensions -- people, technology and process. For now the focus will be on the use of change management to reduce the probability of errors into production.
Simply put, the change management process is one of the most important processes in IT. The ITIL Service Support volume's change management model is considered the de facto standard by many, including the author.
Rather than restate the standard here, suffice it to say that change requests are formally submitted, reviewed, planned, tested, scheduled, implemented and then the results reviewed. The intent is to make sure that the change has been fully thought through, impacts assessed and then communicated.
In complex systems, it is highly likely that specialization in jobs will result in the compartmentalization of knowledge and that the only way to truly assess the impacts of change to the organization is to work with stakeholders representing the groups that both maintain and use the system.
This vetting process is intended to make a reasonable effort to turn up any errors that would otherwise have been overlooked. As with any control, change management cannot make an absolute guarantee that it will catch all errors. Indeed, the change management process should be implemented in such a manner that risks are reduced to an acceptable level. Trying to implement a process with the goal of eliminating risk will result in a slow, costly process that may not be warranted.
In talking with groups that are implementing change management for the first time or are trying to revitalize their efforts, there are some common concerns that need to be noted:
In other words, there can be one model for every day, low-risk changes that flow through with minimal oversight and the models can become increasingly sophisticated as the level of risk increases. For example, an organization may have low-risk, medium-risk and high-risk change models to safeguard systems. There are organizations that have even more numerous and detailed change models. The point is that to be flexible, keep costs down and remain responsive, consider adopting multiple change models.
The CABs allow for scrutiny of change requests and plans by the various stakeholders and reduce the probability of an oversight. Furthermore, the CAB serves to facilitate communication between IT and the various other business units. To fulfill these responsibilities, the CAB must be comprised of people aware of the systems and the organization's needs. They must not be filled with people who were simply available at the time.
The need to manage change in the face of increasing complexity will continue to be a challenge for organizations. The use of formal change management processes grounded in best practices from the ITIL is the best response to the challenge. Groups should begin with processes that appropriately balance costs, risks and resources for their organizations and evolve from there.