True value of Change Management

The True Value of Change Management

"The only constant is change."

Certainly that is a saying with which many IT pros are familiar. Yet it is surprising that IT organizations often lack a fundamental understanding of the need to manage change. Too many believe that change management stops with budgetary planning.

Change is pervasive through the organization and has huge impacts on the operations of the business. People at all levels in IT must understand and value the fact that as the level of complexity increases in a system, the value of effective change management processes increases.

Studies have shown that 80 percent of the fires that IT fights and 80 percent of security breaches are caused by human error. The vast majority of the problems in IT, and thus for the overall organization, will arise from human limitations in the face of escalating systemic complexity.

To understand potential solutions, real or perceived, we must first recognize that the solution space has three dimensions -- people, technology and process. For now the focus will be on the use of change management to reduce the probability of errors into production.

Simply put, the change management process is one of the most important processes in IT. The ITIL Service Support volume's change management model is considered the de facto standard by many, including the author.

Rather than restate the standard here, suffice it to say that change requests are formally submitted, reviewed, planned, tested, scheduled, implemented and then the results reviewed. The intent is to make sure that the change has been fully thought through, impacts assessed and then communicated.

In complex systems, it is highly likely that specialization in jobs will result in the compartmentalization of knowledge and that the only way to truly assess the impacts of change to the organization is to work with stakeholders representing the groups that both maintain and use the system.

This vetting process is intended to make a reasonable effort to turn up any errors that would otherwise have been overlooked. As with any control, change management cannot make an absolute guarantee that it will catch all errors. Indeed, the change management process should be implemented in such a manner that risks are reduced to an acceptable level. Trying to implement a process with the goal of eliminating risk will result in a slow, costly process that may not be warranted.

In talking with groups that are implementing change management for the first time or are trying to revitalize their efforts, there are some common concerns that need to be noted:

ITIL is a reference. Organizations looking to implement change management for the first time or who want to refine their existing processes should look to ITIL for ideas and eclectically adopt them given their organization's risks and resources. Many groups lack the resources to implement ITIL's exact change management process recommendations and rather than give up, should do the best they can to begin and work on continuously improving.

Change management should have multiple models. Many groups think they can only have one change management process for all changes and balk at running everything through it due to the overhead. In fact, ITIL supports the use of multiple change models.

In other words, there can be one model for every day, low-risk changes that flow through with minimal oversight and the models can become increasingly sophisticated as the level of risk increases. For example, an organization may have low-risk, medium-risk and high-risk change models to safeguard systems. There are organizations that have even more numerous and detailed change models. The point is that to be flexible, keep costs down and remain responsive, consider adopting multiple change models.

An emergency change must not bypass change management. Emergency changes should have their own change models to ensure there is an appropriate balance of risk and responsiveness.

Change Advisory Boards (CABs) must have the right people. CABs are an integral part of the change process. Some groups may have one CAB and other organizations may have multiple CABS -- one CAB for each major service, system, etc.

The CABs allow for scrutiny of change requests and plans by the various stakeholders and reduce the probability of an oversight. Furthermore, the CAB serves to facilitate communication between IT and the various other business units. To fulfill these responsibilities, the CAB must be comprised of people aware of the systems and the organization's needs. They must not be filled with people who were simply available at the time.

The need to manage change in the face of increasing complexity will continue to be a challenge for organizations. The use of formal change management processes grounded in best practices from the ITIL is the best response to the challenge. Groups should begin with processes that appropriately balance costs, risks and resources for their organizations and evolve from there.

George Spafford is a Principal Consultant with Pepperweed Consulting and a long-time IT professional. He focuses on compliance, security, management and overall process improvement. More information is available here.