Purpose

The purpose of the Change Management process is to enable beneficial changes to be made with minimum disruption to business operations, ensuring that the best possible levels of service quality and availability are maintained. 

What is Change Management?

IT Change Management process is to enable beneficial changes to be made with minimum disruption to business operations, ensuring that the best possible levels of service quality and availability are maintained.

• IT Change Management should apply a consistent approach to risk assessment, business continuity, change impact, resource requirements, and change approval.
• The approach should maintain a proper balance between the need for a change and the timing of its integration into the live environment.

Scope

The scope of Change Management includes managing all changes to the live environment, including both services and technology

Objectives

The objectives of Change Management are to:

• Provide a systematic approach to control the lifecycle of all changes.
• Facilitate beneficial changes to be made with minimum disruption to IT services.
• Control changes to the Configuration Management Database (CMDB).

Change Types

• Normal change - Any service change that is not a standard change or an emergency change.
• Emergency change - A change that must be implemented as soon as possible, for example to resolve a major incident or implement a security patch.
• Standard change - A pre-authorized change that is low risk, relatively common and follows a procedure or work instruction.

Roles and Responsibilities

IT Change Management Process Owner

The Change Management Process Owner’s primary objective is to own and maintain the Change Management process. The role of Process Owner is usually a senior manager with the ability and authority to ensure the process is rolled out and used by all stakeholders.

Responsible for:

• Defining the overall mission of the process.
• Establishing and communicating the process mission, goals, and objectives to all stakeholders.
• Documenting and maintaining the process and procedures.
• Resolving any cross-functional (departmental) issues.
• Ensuring proper staffing and training for execution.
• Ensuring consistent execution of the process across the organization.
• Monitoring, measuring, and reporting on the effectiveness of the process to senior management.
• Continually improving the process.

IT Change Manager

The IT Change Manager handles the day-to-day facilitation of the change process.  This role is focused on the management and administration of all changes.

Responsible for:

• Reviewing standard change proposals.
• Reviewing all change requests and audits for completeness per defined requirements.
• Ensuring change status, progress and issues are communicated to the appropriate groups.
• Facilitating post implement reviews of all changes not completed as successful.
• Coordinating and chairing all regular meetings.
• Managing meeting agendas.
• Facilitating emergency change approvals.
• Reviewing retrospectively raised changes for process compliance.
• Managing the overall schedule of changes.
• Manage escalations of change requests to senior leadership.

Change Requester / Change Implementer

The Change Requester/Implementer 

• may be from inside or outside the primary IT organization.
• may create a request for change (RFC) or engage with an IT staff member who can assist or submit the change request on behalf of the requester. 
• may also be the sponsor or advocate for the change (a campus constituent or another IT team).

Responsible for:

• Raising change records.
• Providing a justification for the change. 
• Providing a detailed business impact.
• Providing detailed implementation steps.
• Providing a communication plan including the methods used to communicate.
• Creating or providing input to test plan(s).
• Providing detailed risk information and mitigation approaches.
• Providing a backout plan where possible.
• Implementing the change following the approved plan at the approved time.
• Reviewing the change after implementation and confirming outcomes.
• Taking appropriate steps if the change has not gone as intended.

Change Tester

Responsible for:

• Providing pre-and post-implementation testing.
• Responsible for pre and/or post testing of the change
• Creating or providing input to test plan(s)
• Records testing results

Change Approver

The Change Approver must decide if a change has been well planned to have mitigated any risks to services.  All non-Standard change requests have one or more Change Approvers.  The primary approver is the group/team manager who validates the change for technical accuracy and completeness.

Responsible for:

• Reviewing the full contents of the change and ensuring completeness.
• Dispositioning changes and providing reason for rejection, if applicable.
• Requesting further information if an approval decision cannot be made.
• Validating the business impact, urgency and risk.
• Reviewing the change after implementation and confirming the proper close code.

Change Advisory Board (CAB) Manager (if applicable)

The CAB Manager will facilitate the CAB meeting or can delegate the responsibility. 

Responsible for:

• Generating the weekly CAB meeting agenda for scheduled CAB meetings.
• Reviewing the full schedule of changes to identify concerns with potential change conflicts. 
• Providing approval/rejection of all changes presented at the CAB meeting.

Change Advisory Board (CAB)

The CAB performs the assessment and authorization of changes. CAB members are approvers.  The CAB reviews, authorizes, prioritizes and dispositions requests.  The CAB is typically made up of representatives from all areas within the IT service provider and may include stakeholders from business units, partner IT teams and third parties such as suppliers.   If a standing member of the CAB is unable to attend, a delegate may be assigned to the CAB meeting.  The CAB is considered a change authority.

Emergency Change Advisory Board (ECAB)

The ECAB is an ad-hoc gathering of individuals needed to make a decision on the timing, urgency, risk and impact of the change activity.   The ECAB may be a subgroup of the change advisory board that makes decisions about emergency changes. Membership may be decided when a meeting is called and depends on the nature of the emergency change.   The ECAB is considered a change authority.

Change Management Process

The change management process uses a state model which is designed to make it clear at what stage of the life cycle the change currently resides.  Specific activities occur at each state based on change type.  

Lifecycle (State Definitions)

• New : The Request for Change (RFC) is created.  The change documentation is developed and vetted with the implementation team and stakeholders.
• Assess : The group/team manager verifies the RFC for completeness and releases the RFC for subsequent approvals.  Emergency changes are routed to specific approvers based on change criteria (i.e. group/team, CI, risk value, etc.).
• Authorize : Normal changes are routed to the appropriate change authorities for authorization.  
• Scheduled : Approved RFCs are ready for implementation.
• Implement : Implementation of the RFC begins.
• Review : This is a post-implementation state where the customer or service owner can validate the RFC activity and accept the RFC.
• Closed : The RFC is dispositioned and closed.
• Canceled : A RFC can be canceled at any state prior to implementation.

Evaluating Risk

Identifying risks associated with change requests is critical for an effective change process. 

Assessing risk can be challenging especially if there is no history or sufficient data to support a level of risk.  

The risk value is defined as the risk of implementing the change - what effects could occur to disrupt the impacted service?

Examples

Is there redundancy?       

Low risk for implementing the change.

Impact to business services unknown?  

Potential high risk for implementing the change.

The expected or anticipated risk if the change is not implemented is a Justification for performing the change.  

High risk for not implementing a change may rise to the level of an emergency change.

When identifying risks, keep a business-impact focus in mind:

• What could happen that would have an adverse impact on the business?
• Could the change impact other services operating on the same infrastructure? 
• Could there be an unanticipated impact on business processes? 
• Will the change increase the support load? 
• Are there multiple changes happening at the same time, and are they compatible?
• Do the results from the test environment accurately predict what will happen in production?
• Will the changed service be able to meet its service level targets?

Impact, Urgency and Priority

Every change request includes the requester’s initial assessment of the impact and urgency of the change but may be modified in the change authorization process.

Impact values range from Low to High.  Impact is the measure of how critical the impacted service is to the business.  Widespread services affecting a large number of users would have a high impact value.  Impact may drive urgency.  When a large number of users are affected, urgency may be elevated.  Applying quantitative analysis or level of criticality for the impacted service may help to determine impact.  

Urgency values range from Low to High.  The more the business is reliant on the availability of the service and the need not to delay implementation, the higher the urgency to complete the change request.  Heavily utilized services that the user base is highly dependent on, are usually associated with a higher impact value.  For example, delaying the deployment of the change for two weeks implies low urgency.  Urgency is relative to the current time; the time the change request is submitted.

Guidance for selecting the impact and urgency for the change request is determined by applying judgment and knowledge. 

Priority is derived from the agreed impact and urgency.  If the Priority value is HIGH or CRITICAL, a emergency change may be required.

Process Flows 

Normal Change Process

Normal changes are not pre-authorized or pre-approved and there are no routine procedures or work instructions that have previously been approved by the Change Advisory Board or change authority. This type of Request for Change (RFC) is not routinely done and the outcome may not always be known.

Normal Change Workflow

1. The Requester or Implementer creates a change request and submits the request for approval. (New state)
2. The team or group manager assesses the change request and can approve or reject the change.  Rejected changes are sent back to the Requester or Implementer for review and resubmission.  Approved changes are advanced for authorization. (Assess state)
3. Change authorities review the change request and can authorize or reject the change.  Rejected changes are sent back to the Requester or Implementer for review and resubmission.  Authorized changes are advanced for scheduling. (Authorize state)
4. The Requester or Implementer prepares the change for implementation and executes the change per the schedule.  A post implementation review is performed and the change will be closed with the appropriate disposition. (Schedule, Implement, Review, Closed states)

Emergency Change Process

An emergency change is used when a change must be introduced as soon as possible.

An emergency change is reserved for changes intended to repair an error in an IT service that is negatively impacting the business to a high degree.  Emergency changes stress the IT change management system and should not be used to compensate for poor planning.   Emergency changes must be for exceptions and not become a shortcut to getting changes into production for any reason.

An emergency change is sometimes required and while time is of the essence, it should be designed carefully and tested as much as possible before implementation.  The impact of the emergency change may be greater than the original incident that instigated the change. 

• Emergency changes are sometimes required and should be designed carefully and tested as much as possible before use, or the impact of the emergency change may be greater than the original incident. Details of emergency changes may be documented retrospectively.  Depending on the urgency, emergency change documentation can be deferred no more than 1 business day after implementation of the change.
• Testing may be limited or not performed at all if this is considered a necessary risk to deliver the change immediately. 
• Any approver may reject the change request.  The Requester will need to review the disposition and resubmit.

Emergency Change Workflow

1. The Requester or Implementer creates a change request for approval. (New state)
2. The change authorities review the change request and can approve or reject the change.  Approved changes are authorized. (Authorize state)
3. The Requester or Implementer prepares the change for implementation and executes the change per the schedule.  A post implementation review is performed and the change will be closed with the appropriate disposition. (Schedule, Implement, Review and Closed states)

Emergency Change Advisory Board (ECAB)

The ECAB may be a subgroup of the regular change advisory board (CAB), or a different change authority that makes decisions about emergency changes. Membership may be decided at the time a meeting is called, and depends on the nature of the emergency change.   The Change Requester/Implementer contacts the appropriate change authority for approval.

Standard Change Process

A standard change is a routine change.  Standard changes are “a pre-authorized change that is low risk, relatively common and follows a procedure or work instruction” and the outcomes are well known and predictable.

By definition, standard changes should be repeatable, occur frequently, and are proven to be low risk.  Any procedure or work instruction for standard changes must be pre-approved by a change authority.  Approved proposals become standard change templates and can be implemented anytime without approval.

The Standard Change process offers a method to reduce some of the administration around changes.  This process allows certain changes to avoid a lengthy approval process and formal discussions and can be implemented in a much faster timescale.

Standard changes are those that are low risk, with repeatable implementation steps and a proven history of success.

Once a standard change is submitted into the lifecycle, the standard change does not require approvals.

Standard Change Proposal

A standard change proposal is a formal request to implement a common, low-risk change that follows a documented process.

Standard Change Proposal Workflow

1. The Requester or Implementer creates a standard change proposal.
2. The proposal is assessed by a change authority. Approved proposals are advanced.
3. Final change authority reviews the proposal.  Approved proposals are closed and become a standard change template.

Standard Change Templates

The proposal will be converted to a template and made available for use after full approval from the change authorities.

Standard change templates can also be modified or retired.  The IT Change Manager will monitor how frequently the templates are used and decide whether the template should be retired or temporarily withdrawn.  Modifying or retiring a template follows the same workflow as creating a standard change proposal.

Standard Change Workflow

1. The Requester or Implementer creates a standard change request.
2. The Requester or Implementer prepares the change for implementation and executes the change per the schedule.  A post implementation review is performed and the change will be closed with the appropriate disposition.

Related Processes

Incident Management

Incident Pending Change

Changes can be raised to resolve an existing incident.  Once the change is implemented the incident can be reviewed to confirm that it has been resolved.

Incident Caused by Change

Incidents may be caused by a recently implemented change.  These incidents are associated with the change that caused the incident.  To clear the incident(s), a new change will be raised to resolve the issue.

Configuration Management

The configuration management system (CMS) underpins all records and activities related to any configuration item (CI).  It contains details of the infrastructure vital to services, CIs, and any relationships. 

Affected CIs identified in the change record are the CIs that are being changed while the identified impacted CIs are those CIs that are affected by the changes made to the affected CIs.

The configuration management database (CMDB) is used within the change management process by relating CIs including services and service offerings to the change.  

Critical Success Factors

Risk and Impact Assessment: Consistently evaluate and document risks, business impact, and resource requirements for each change.

Thorough Change Approval Process: Ensure appropriate review and authorization to minimize disruption.

Effective Planning and Scheduling: Balance the urgency of changes with their impact on operations to maintain business continuity.

Stakeholder Communication: Inform and engage stakeholders at all stages of the change lifecycle.

Post-Implementation Review: Measure change success, analyze failures, and document lessons learned for continuous improvement.

Key Performance Indicators

Change Success Rate: Percentage of changes implemented successfully without causing incidents or disruptions.

Change Approval Time: Average time taken for changes to be reviewed and approved, reflecting process efficiency.

Number of Failed Changes: Number or percentage of changes resulting in failure or unplanned incidents.

Emergency Change Percentage: Proportion of changes classified as emergency, indicating the level of proactive planning.

Post-Implementation Review (PIR) Completion Rate: Percentage of changes with completed post-implementation reviews to analyze outcomes.

Governance and Support

Service Desk managers meeting
ITSM Advisory/steering teams