|
|
Change Management Table of Contents
|
|
Change introduces potential sources of inaccuracies and failures into the infrastructure which, if not controlled through process and diligent effort, would soon overpower an organization. No matter how minor or beneficial a change may be, it should always be approached with a healthy dose of caution. Change management is a set of policies and procedures that can be used and followed to formalize
that caution into a repeatable, consistent process.
Process Requires Re-writing for conformance with ITIL Version 3.
More...
|
|
|
Introduction to Change Management
Change Management is a process within the Transition module of the ITIL Service Lilfecycle.

The ability to effectively management an IT infrastructure can be generalized into one of three primary functional groupings:
- Knowing perfectly the current environment - components, services, business operations - that is "it’s known and trusted state"
- Highly reliable predictions of when elements of the infrastructure will wear and eventually fail and the organization's ability to proactively do something about it
- Since no environment will exist at an optimal state (if only because the definition of ’optimal’ will continue to be re-defined to higher performance levels), the need to introduce and manage Changes to the environment is crucial to sound management
.
No matter how large or small your network environment, change is inevitable. Hiring new
employees, adding new offices, supporting new network services, improving security, fixing bugs—all of these activities result in change, especially to your network infrastructure devices, such as routers, switches, hubs, firewalls, and so forth. Although change is almost always a good thing in the end, change can cause bad things to happen. The enterprise must learn to live and manage change on a continuing basis. This vastly complicates it's attempts to maintain the "known and trusted state" of it's environment since each change must be reviewed in the context of all other components. Frequently, the need for early product releases will preclude complete assurances around component compatabilities. The organization can quickly loose any accumulated confidence in the stability and trustworthiness of its' environment.
“People hate change, and with good reason. Change makes us stupider, relatively speaking. Change adds new information to the universe; information we don’t know. Our knowledge - as a percentage of all the things that we know - goes down a tick every time something changes.”
Dilbert Principle, pg 18
|
Without the ability to introduce and manage change the organization would, indeed, become stupider. Change introduces potential sources of inaccuracies and failures into the infrastructure which, if not controlled through process and diligent effort, can soon overpower an organization. Changes are the single largest cause of incidents in the infrastructure and the organization's ability to handle change effectively will provide the highest return on investment of any ITIL process.
International Data Corp. says that 78% of all downtime is caused by changes made by duly authorized IT personnel.
Reported in Top ITIL Myths, January 5, 2004, By George Spafford and Gene Kim
|
At its simplest, change management simply means keeping track of the changes you make and
evaluating proposed changes for their effect before actually implementing them. In practice, change management involves some fairly well-defined tasks:
- Maintaining documentation that describes the current configuration of all network devices
- Maintaining documentation that describes the purpose and details of any changes
- Maintaining an archive of older configurations so that they can be used in an emergency
- Implementing policies that control the rate of change
- Implementing policies that control who may perform changes
![[To top of Page]](../images/up.gif)
Change Management
Objectives
The objectives of Change Management are to institute formalized processes which ensure:
- that all proposed changes undergo appropriate risk assessments based upon established categories and that the assessments include a wide perspective of opinion including those of customer and business operations
- that business operations are informed of and provided adequate opportunity to adjust workload to minimize the business impacts of changes
- that all problematic changes can be restored to their condition prior to the initiation of change procedures
- reduced risk of change implementation by using established, tested and trusted procedures whenever possible
- that changes are implemented in time periods that minimize potential business disruption
- increased change success rates as a result of planning and testing
- that change costs are controllable and subject to productivity measures over time
- that change procedures are integrated within the context of the organization’s overall processes
Critical Success Factors
- Change policies are clear and known and they are rigorously and systematically implemented
- Change management is strongly integrated with release management and is an integral part of configuration management
- There is a rapid and efficient planning, approval and initiation process covering identification, categorization, impact assessment and prioritization of changes
- Automated process tools are available to support workflow definition, pro-forma workplans, approval templates, testing, configuration and distribution
- Expedient and comprehensive acceptance test procedures are applied prior to making the change
- A system for tracking and following individual changes, as well as change process parameters, is in place
- Well documented current configurations makes it possible to recover gracefully from failed change procedures
- A formal process for hand-over from development to operations is defined with a distinct segregation of duties between development and production
- Changes take the impact on capacity and performance requirements into account
- The ability to coordinate different changes, recognizing interdependencies
- An independent process for verification of the success or failure of change
![[To top of Page]](../images/up.gif)
Change Management involves assessing the impact of proposed changes, prioritizing and categorizing changes, determining courses of action, and monitoring the planning, development, testing, and implementation of changes.
Best practices, as represented by the ITIL framework, promote a more "process-focused" approach to IT management. ITIL Change Management advances a systematic framework to introduce and manage IT Changes so that risks associated with change (ie. alteration of working Known state) are controlled and reduced as much as possible.
This is done by ensuring that...
- all changes are discussed, reviewed and managed to reduce disruptions to business operations and impact on the "production environment"
- changes can be backed out if a problem occurs - ie., the original environment can be restored
- proper authorization is obtained prior to the implementation of all changes
- all parties involved adhere to the change management guidelines
- all staff affected by a change are informed before the change occurs and given ample opportunity to plan accordingly
- an audit trail of all changes is maintained
- trends are analyzed and meaningful reports provided to senior management
- Continually reviewing and improving the change process
Scoping
A change is always initiated and tracked by a Request For Change (RFC). A Change is necessary when there is an alteration to the defined state of the infrastructure that could, in any way, affect a Production environment.
In Scope
- software release to production (whether full, delta or packaged releases),
- changes to application scripts which might potentially change more than a single record and hence corrupt or overburden indexing tables and increase network traffic
- instances of break/fix (which do not result in an Emergency Change requirement - covered separately) for an application or desktop productivity package
- a modification of a 'dll' or other application program component resident on a server attached to the infrastructure
- modification of supported hardware including upgrading of standard machine offerings
- revisions and changes to standard images placed on those machines
- resolution of known errors resulting from incidents and root cause analysis
- a service request
- acceptance of new or modification to existing routine procedures (eg. password reset)
- acceptance of new or modification of existing Business Continuity Plans (ie. Disaster recovery)
- a pre-production environment may be included in order to impose the rigour of Change Management on build and test procedures.
Usually Excluded
All changes to the production environment are covered by Change Management. However, practically many types of changes have pose minimal risk and may be covered by a 'standard change' expedited, initiated and monitored by the Service Desk without Change Management intervention (following approval of the process descriptions on which they are based). Such items include...
- Corporate and Vendor Changes - Parts of the infrastructure may be controlled by other service partners. Some, (eg., wide-area network), may even be administered at a higher organizational level than the IT Provider with responsibility for Change Management. The organization's role in Changes affecting these resources is as a reviewer of Changes controlled by the higher body. This might be accomplished through representation on a CAB representing the larger organization.Note
- Changes to Project Plans - There are related Change Management processes and procedures in project management methodologies. Testing of new applications MUST always take place in environments dedicated to testing and should follow a strict set of rules and procedures before they become candidates for "release" into the ""live" (ie. production) environment. These processes are beyond the scope of Change Management process which deals exclusively with the "live" or production environment.
- Test Environments - Test environments and associated change processes pertaining to their use are controlled by application change builder(s). They are normally outside the domain of Change Management. However, if and when testing environments and/or processes might affect the live environment they become candidates for Change Management.
Discretionary
- Pre-production environment typically involve frequent modifications to simulate new production environment. Re-establishing the environment to its' original configuration may, or may not, be an explicit requirement of using the environment. Organizations may place the pre-production environment under Change Management to infuse rigour and control to the environment so that its' condition at any point in time is 'known and trusted'.
- the manner in which third party infrastructure participants establish Change Management may be a contractual condition. There may be established protocols for the movement of RFCs and Change documentation between respective systems as well as agreements on reciprocal representative on CABs
Relationship to Other Processes
Relationship with Release and Configuration Management processes
Most commentaries, frameworks and models treat Configuration, Change and Release Management either together
[Note] or inextricably linked .
"Change management will prove to be a critical process integration point with release management, enabling the effective coordination of smaller alterations with larger releases. In fact, through 2007, many ITOGs will extend/use their enterprise change-management process for release-management functions. Because change and release management share many of the same activities (e.g., requests, risk assessment, scheduling, distribution), it is logical that releases could be viewed as top priority changes."
META Practice 2197, Release Management: The IT Operations Perspective, May 11, 2004
|
Discussion of area to be emphasized
The processes or Release and Change Management are integrally interwoven as demonstrated in the diagram below which highlight how the Change process is inter-connected with Release Management. Compare the normal Change process with the process when a Release is involved.


Release Management is responsible for implementing approved Releases. Release Management is normally represented on Corporate and is integrally involved in Local CABs whose purpose is to approve and/or pass on corporate change requests. Although Release Management oversees the details of the roll out of a Change, it is under the control and authority of Change Management.
When software is accepted from developers or suppliers, it is placed into the DSL and registered in the CMDB. Release Management is responsible for building Releases from the DSL into the controlled test environment. When testing has successfully concluded, Release Management should distribute the Release into the live environment through normal Change Management processes.
Service Desk and Incident Management
The Change Management process can help reduce incidents in the production environment by subjecting change requests, and their implementation, to a higher level of scrutiny. Further, when information on scheduled changes is shared with the Service Desk, the company can achieve a higher degree of incident resolution and corresponding end-user satisfaction.
The service desk provides efficient and high-quality user support and incident management. The service desk should provide support during the pilot program and immediately following full release implementation. Defect Lists and Known Errors should be made available to the Service Desk as these are a prime source of possible failures and, hence, reported incidents. If adequate forewarning is not provided users frustration will be aggravated.
Problem Management
At the completion of a change, various records in the Problem Management system need updating as follows:
- any related Problems or enhancement requests should be closed
- Problem Management staff should be informed of the new Release or hardware upgrades so that they can support its' use in the live environment. Such staff should receive training in any new or revised support procedures.
Problem Management is also often involved in identifying faults that will lead to Requests for Change (RFC)s.
Availability Management
Availability management focuses on the availability and reliability of the live computing environment. Implementation of a change into the live environment should be managed by the availability manager in order to minimize disruptions to system availability during the pilot and full releases.
Capacity Management
Capacity management ensures that appropriate IT resources are available to meet business requirements. Capacity management plans for additional resources as use of current system resources increases and nears the point of full capacity. Based on the change scope, the capacity manager determines the infrastructure modifications that are required to maintain system performance and availability after the change is implemented. This individual coordinates all modifications with other release team members.
Security Administration
Security administration develops, implements, and manages security controls, including software controls and technical infrastructure, to ensure the safe and secure operation of the live environment. The security manager must review all changes before implementation in the live environment. Additional software or hardware modifications to the change or to the live environment may be required to ensure that proper system security is maintained following implementation.
![[To top of Page]](../images/up.gif)
- The current and proposed state (i.e., pending changes) of the infrastructure should be defined and maintained in a Configuration Management Database (CMDB)
- All changes to Configuration Items (CIs) should be controlled through Change Management
- The rigor in which changes are evaluated and approved for implementation into the infrastructure is primarily determined by the risk associated with them.
- All changes should be submitted through a Request for Change (RfC) form.
- All changes must be approved by the Change Manager or by one of the following Change Advisory Boards (CABs), either during the RfC process or in advance in the case of blanket changes...
- an Executive CAB will normally approve changes with major financial and/or customer implications
- a Corporate CAB will approve "significant' and 'major' severity changes. The Corporate CAB is also responsible for approving which changes represent a low enough risk to the business that they would not have to be reviewed again by the Corporate CAB at the time of implementation. These changes fall in to the following two categories:
- Severity = Standard: low risk changes that are performed on a regular basis in the normal course of providing service (e.g., computer Moves/Adds/Changes). Standard changes are not required to be scheduled through the change management process and are recorded directly in the CMDB.
- Severity = Low: low risk changes that require a high degree of technical knowledge and must be scheduled through the change management process and approved by a Local CAB.
Although Standard and Low changes will not require Corporate CAB approval at the time of change, they both should be initially approved for a specific period of time and will be reviewed on a periodic basis by the Corporate CAB to determine the appropriateness of their status.
- Local CAB: approves changes that have a Severity = Low.
- Emergency CAB: approves Emergency changes with short timeframes that, based on business or risk considerations, cannot meet the documented lead times.
- Change Manager - approves minor changes.
- Release to production processes for IT Provider-owned CIs should be approved for introduction into the infrastructure through the Change Management process.
- Change Management should assist in coordinating project schedules when there are dependencies that require concurrent application and/or infrastructure releases.
- Service Partners should comply with the Change Management process when making changes that could impact the organization's IT environment.
- All change initiators should review the Forward Schedule of Changes (FSC) for the most appropriate time to implement their change.
- Wherever possible business applications should be encouraged to follow Change Management to minimize any impact to overall IT environment.
- All pre-defined business contacts, as maintained in the CMDB, should be informed of Changes which may affect their ability to operate at peak efficiency levels and, in other than emergency situations, should be given sufficient lead time to make contingency plans.
- Business Units should participate in test plan development and functional testing when appropriate.
- Changes should be implemented in pre-established, regular change windows whenever possible.
![[To top of Page]](../images/up.gif)
Project Change Management
An organization's earliest experiences with Change Management principles will usually be associated with major releases - hardware rollouts, application upgrades, etc. In these contexts, Change Management is embedded in the project and reflects an accommodation between 'freezing a design' and permitting modifications to the business or technical specifications. Changes in project requirements can occur for a number of reasons:
- the expanded quantity of requirements associated with higly complex systems. Because of the large scope of a system, less rigor is applied to applying essential system functions.
- The increased interaction and information sharing within and between systems.
- Poorly or loosely defined requirements from the onset (including failure to discover and to emerge the real requirements).
- Changes in business objectives and plans.
- Technology changes.
- Changes in law, policies, directives, and so forth.
- Customers and users who change their minds about things or learn of "neat" ways to do things.
- Developers who add their own special twists or even make requirements decisions.
Effective Requirements Practices, Ralph R Young, Addison Wesley, 2001, ISBN: 0-201-70912-0
|
Forward looking project managers will institute a Change Process which includes:
- mechanisms to control and priorize requirement changes,
- the identification of a single change control channel,
- participation by both developers and business users,
- an impact study to evaluate the effect of the requested change.
These principles have direct parallels in controlling changes in the production environment.
Awareness of the Need
Changes in the production environment, however, are usually much smaller in scope and overall impact. On their own, no single change may garner the attention that a major release might. It may be recognized that changes should be managed and controlled, but there is no consistent process to follow. Practices vary widely and it is likely that unauthorized changes will take place. There is poor or non-existent documentation of change and configuration documentation is incomplete and unreliable. Errors are likely to occur together with interruptions to the production environment caused by poor change management.
If the environment is relatively stable then the volume of changes may be controllable without creating an undue number of incidents following the change. However, as the environment increases in the number of users or the complexity of the infrastructure there is increasing risks of failure caused by a Change. The need to test changes prior to introducing them increases exponentially with the number of failure points and the inherent complexity of the infrastructure. The Return on Investment on improving Change Management procedures makes it an increasingly attractive measure for the organization.
Network operations, application support, desktop management may undertake to standardize and re-use change procedures. While cooperation between these respective organizations may not be well coordinated, within each unit there may develop an awareness of the need
to coordinate change activities - if only to distribute the workload.
These initiative will usually involve planning meetings amongst the change implementers and the creation of local change calendars denoting change activities to be implemented in Change windows associated with each area. Over time some cross-representation amongst the groups may appear.
Consolidating Change Management Activities
The ability to correlate incidents with changes leads to a recognition of the need to better manage changes. Therefore, a necessary pre-condition for Change Management is an established Incident Management system capable of logging and tracking incidents by cause.
Initial attention will be devoted to managing changes in the most important parts of the infrastructure - the organization's mission critical systems.
![[To top of Page]](../images/up.gif)
Change Priority
The Change Priority assigns an importance to a change in order to select amongst change recommendations competing for scheduling and/or resources for implementation. The Priority is derived from considering the following characteristics of risk to the infrastructure:
- The Impact of the CIs undergoing the change on the total infrastructure.
- The continuing exposure to the organization without the change being implemented.
- How quickly the change must be implemented.
- How easily the change can be implemented - i.e. its' complexity and costs.
- Business considerations.
- The ability to schedule the change in coordination with other changes happening to the infrastructure.
![[To top of Page]](../images/up.gif)
Severity
Change Severity is an assessment of the significance of implementing the change into the infrastructure.
The severity will most often be associated with specific Configuration Item(s) impacted and, as such, a default Severity designation can be assigned to CIs maintained in the CMDB.
The following criteria are usually associated with Disaster Recovery and business continuity planning and can be applied to specific CIs or assessed manually when developing the RfC:
- Non Essential - applications that can be interrupted and integrity of the data is not essential. To the system user work stops and uncontrolled shutdown occurs. Data may be lost or corrupted.
- Business Essential - Highly Reliable - applications that can be interrupted as long as integrity of the data is assured. To the system user work stops and uncontrolled shutdown occurs.
- Mission Critical - Highly Available - applications requiring no more than minimal interruption during essential time periods, or during most hours of the day or week throughout the year. To the system user work is interrupted but they can quickly log back onto the system. However, some transactions may need to be re-run from a journal file and users may experience performance degradation
- Survival Critical - Continuously Available. This is accomplished through a High Availability Design:
- Fault Resilient - applications requiring uninterrupted computing during essential time periods, or during most hours of the day or week throughout the year. Comprehensive monitoring tools are used to notify support staff to take corrective action. This means that the user stays on-line. However, the current transaction may need restarting and user may experience performance degradation.
- Fault Tolerant - applications demanding continuous computing (7x24 operation), and where the application has been engineered to detect most causes of failure before they occur and take corrective actions automatically. This means no interruption of work, no transactions lost and no degradation in performance.
- Disaster Tolerant - applications that absolutely must be available and where any failure must be transparent to the user. This means no interruption of work; no transactions lost; no degradation in performance and continuous computing services that are even safe from disasters because computing capability is available in multiple data centers/sites. Disaster Recovery is inherent.
The following categories are example codes which can be employed in establishing Severity:
Severity | Impact
|
Major | Major functions of a Survival or Business Critical application are unavailable or working below specified parameters. Needed capabilities may be unavailable. Workaround may be missing or inefficient and/or recovery may be difficult. The solution requires significant resources be allocated or has serious implications to the customer.
|
Significant | Major functions of a Business essential system are unavailable or working below specified parameters. Needed capabilities may be unavailable. Workaround may be missing or inefficient and/or recovery may be difficult.
|
Minor | Minor functions of the system are unavailable, unusable or overall performance of the system is below maximum load specification. There must be a correction but it can wait for a subsequent or packaged release. Work can proceed but with diminished efficiency and/or inconvenience. There may be temporary workarounds available which are acceptable.
|
Low | Low risk changes that require a high degree of technical knowledge and must be scheduled through the change management process and approved by a Local CAB.
|
Standard | Low risk changes that are performed on a regular basis in the normal course of providing service (e.g., computer Moves/Adds/Changes). Standard changes are not required to be scheduled through the change management process and are recorder directly in the CMDB.
|
![[To top of Page]](../images/up.gif)
Lead Times Required to Implement a Change
Type
|
Lead Time
|
Description
|
Major or Significant
|
Minimum 15 business
days
|
Most Major and Significant
changes have the tendency to contain higher levels of risk, cost and
complexity. However,
this might also include special low priority items of great complexity. This
would require Change Management to provide more communication to those who
will potentially be impacted by the change. Business areas would also need more
time to communicate to their customers and allow their technical support
areas to prepare for the change and to develop test plans for post
implementation testing.
|
Minor
|
Minimum 5 business days
|
Minor changes are at a level of
risk or complexity that would require a greater lead time than Low and Standard
changes. These
may only impact a single piece of hardware or one LOB but may cause a
performance or availability issue. This would require advanced
notification to those customers that may be affected so that they can prepare
accordingly.
|
Low/Standard
|
Minimum 2 Business Days
|
This type of change is normally
approved and handled by the Local CAB and has been determined to have a low
level of impact upon failure. This allows us the flexibility of being
able to perform this change with a reduced lead time. Automated notification built into
the system should be sufficient communication in most cases.
|
Unscheduled
|
Less than standard
lead times
|
There are occasions in which a
shorter timeline may need to be accommodated because of business and/or
technical considerations. The Change Coordinator in consultation with the Change
Initiator and any impacted Service Providers will determine what needs to be
in place for a shortened timeline. These types of changes may not have been
anticipated in the Scheduled Change windows.
These changes will also follow
the normal process, but, they must be done in a shorter time frame. This may
require expediting the assessment and approval process in order for the
change to be implemented. The RfC's may be prepared and reviewed earlier than
the scheduled change meetings, but they will still be formally approved
before implementation.
|
Emergency
|
ASAP
|
Although this type of change is
being done through the change process, there are no lead times associated
with it. The
risk of waiting must be compared to the risk associated with implementing with
a short lead time. At
all times it should be the goal of implementers and Change Management to
provide as much advance notice as possible prior to implementing a change.
|
![[To top of Page]](../images/up.gif)
Heightened Awareness Period(s)
Business interests may dictate the explicit creation of Change heightened awareness periods (e.g. holidays, labor disruptions, etc.). During these periods only Emergency Changes should be permitted. Critical business applications will have different hours of operation and hence availability requirements, which, with the advent of e-commerce and the internet are increasingly moving from 9 to 5 to 24x7 availability. However, redundancies designed to remove single points of failure often imply that a single machine can be off-line for short periods of time.
Recognized "busy times" should be identified and avoided when planning changes to the production environment. This issue is managed through the requirement to have change schedules approved by all owners of critical applications.
![[To top of Page]](../images/up.gif)
Maintenance Window(s)
Routinely required changes or updates (or frequent Changes which may be associated with a phased application release) are typically scheduled for the same time each week/month/quarter. This minimizes the amount of unprepared disruption to application users permitting them to adjust to a known schedule. Since this window is always during period(s) of minimum usage, it also reduces the occurrence of incidents and problems during critical production periods. Care must be exercised in scheduling Changes in a maintenance window to ensure that a schedule of Changes can be completed within the specified window. The amount of time needed should be gauged during the implementation testing of the Change and must accommodate all other Changes scheduled within the maintenance window. Any extension to the length of the maintenance window must be considered itself a Change (since service is not available) and approved through the normal Change Management procedures. (e.g., the normal maintenance window is 6 hours but due to the amount of work that must be accomplished this window is not sufficient , an RfC would have to be submitted to expand the maintenance window to 8 hours).
![[To top of Page]](../images/up.gif)
Change Initiator
The initiator is person responsible for submitting the RfC (e.g., the Change Implementer, Service Desk, Problem Manager, Corporate or Local Change Manager or Service Provider).
Change Advisory Boards (CABs)
Change Advisory Boards have pivotal roles to play in the Change Management process. Their primary duty is to ensure that IT representatives have exercised appropriate diligence in assessing risks and in planning, authorizing and implementing Changes. Additionally, they are responsible to ensure that the change related risks are communicated and understood by the parties they represent when participating on a CAB. Where disagreements arise involving both business and technical matters there is recourse to escalate in order to expedite resolution efforts. For the Change Management process to meet its objectives while allowing the technical areas to manage their workload and resources, the process must allow approval to occur at various levels. The following describes four sources for Change approval and the responsibilities associated inherent in each process.
-
Local CAB
- The Local CAB has overall responsibility for all changes submitted and implemented by their unit. This board is chaired by the Local Change Manager. The following is a list of their responsibilities.
- Works with the change initiator to understand the impact, resources required, and to ensure that the change has the support of the business area and that it is a necessary and practical change.
- Reviews the change and approve moving to the Planning stage.
- Ensures that all Build Plans, Test Plans, and Back-out plans have been created. (Unless not required for that CTI). This must be completed prior to the status being changed to Scheduled.
- Ensures adequate testing has been done in accordance with the test plan. This must be completed prior to the status being changed to Scheduled.
- Ensures appropriate lead times are provided in accordance with the documented Change Management process.
- Ensures that documented processes are followed for all changes implemented by their unit.
- Has complete approval and scheduling responsibilities for all RfCs assigned to their unit and designated as Severity = Low.
- Works with the Change Manager and the Corporate CAB as to which changes can be considered as a Severity = Low for a unit.
- Designates changes as an Emergency.
- Participates in the Emergency Change process for all Emergency changes submitted from a unit.
A Local CAB is made up of the following members.
- A Local Change Manager (should be a SME or Manager designated by the management of that technical unit).
- Subject Matter Expert (SME) for a unit.
- Implementer, if needed.
- Change Coordinator or Change Manager as needed (may be necessary to help with coordinating testing or communications across multiple business lines or technical areas).
Corporate CAB
- The Corporate CAB has the same responsibilities as the Local CAB, but only for RfCs that have been designated for their review. Although the majority of changes that will be presented to the Corporate CAB are categorized as Significant or Major, the Change Manager has the authority to have other RfCs reviewed by the board. This board is chaired by the Change Manager.
- CAB meetings should occur regularly but all of them do not need to be face-to-face. Teleconferencing will be used for members that cannot attend in person. Pagers will be used where necessary to assemble key staff for an Emergency CAB meeting to discuss Changes which might result from a high severity service outage. In some cases CAB members will be able to review RfCs and electronically be able to approve them, with overall responsibility of approving the change falling to the Change Manager.
- The following is a list of responsibilities of the CAB.
- Reviews all changes submitted to Corporate CAB for approval ensuring that there is an understanding of the impact, resources required, business areas involved, and that it is a necessary and practical change.
- Ensures that the Local CAB has verified and approved the build plan, test plan and back-out plan.
- Ensures adequate testing has been done.
- Ensures appropriate lead times have been provided in accordance with the documented Change Management Process.
- Provides the Change Manager with appropriate information to allow a decision to be made to approve or reject a submitted change.
- Reviews Forward Schedule of Changes (FSC) to assure the change will not conflict with other activities.
- Participates in the approval process for all submissions of new changes to be considered for a Severity = Low or Standard.
- Helps determine if there is a significant financial or customer impact to justify sending the RfC for review by the Executive CAB.
- The Corporate CAB is typically made up of the following members:
- All Local Change Managers.
- Change Manager.
- Change Coordinator.
- Representatives from the LOBs that wish to participate in the process.
- Representative from the Service Desk.
- Representative from Availability Services.
- Representative from Security Services.
- Representative from Finance.
- Local Change Managers for all areas that have a task associated with a change that is up for review at this board.
- Vendor support as required.
Executive CAB
- This board will review changes that the Change Manager or the Corporate CAB has determined to have a major financial or customer impact. This board will be chaired by the Change Manager and will only be called to session as needed. This board does not have any of the responsibilities of the CAB (although they will probably want assurances that those responsibilities have been met) and will basically be responsible for reviewing the impact, from a financial, customer and enterprise level, to determine if this change should proceed.
- The Executive CAB is made up of the following members:
- Senior level manager with financial responsibilities.
- managers (or their designates).
- Change Manager.
- Local Change Manager (for all areas with associated responsibilities to the change).
- Subject Matter Experts (for all areas with associated responsibilities to the change).
Emergency CAB
- This board will only review changes that have been marked as an Emergency. This board will be chaired by the Change Manager and will only be called to session as needed. Depending on the risk associated with delaying the time to implement the change, this board may be convened as a formal face-to-face meeting for approval, a conference call approval or electronic approval. Members will be notified by pager and a voicemail and or e-mail will be distributed specifying the type of approval method for their review and approval. Not all Emergency Changes require review by the Emergency CAB. The Change Manager will make this determination with the help of the Local Change Managers and SMEs.
- The following are the responsibilities of the Emergency CAB:
- Immediate response to a page to convene.
- Determine if adequate testing has been performed or if testing can be waived.
- Ensure build plan is adequate.
- Review back-out plan or waive the requirement of the plan.
- Assess impact of not performing the change.
- Assess impact of performing the change quickly.
- Review FSC to determine if requested time is appropriate.
- Determine actual approved time for implementation.
- Determine best means to communicate the change.
- The Emergency CAB is made up of the following members:
- A subset of CAB.
- Local Change Manager.
- SME.
- Change Manager.
- Representative from the Service Desk.
- Representative from Security Services.
- Representative from Availability Services.
Change Managers
The Change Manager controls the Change Management Process. Local Change Managers control their local department change implementation processes and maintain local change management guidelines for their responsible areas. Local Change Managers provide the primary liaison with the Change Manager and represent their respective departments on the Corporate CAB.
The following duties are the responsibility of both the Corporate and Local Change Manager:
- Ensures changes do not lead to unplanned unavailability of the IT environment.
- Ensures only authorized and necessary changes are implemented.
- Ensures changes do not lead to new incidents.
- Ensures that changes are sensitive to the needs of the business.
- Ensures that changes balance organizational risk and need.
- Ensures clear and effective procedures are in place.
- Review all changes that have not been completed with a code of Successful.
- Review all outstanding RfCs awaiting consideration or awaiting action.
- Participates in Configuration Management Process Review and Evaluation.
The following duties are exclusively the responsibility of the Change Manager:
- Recommends treatment for changes that are deemed as an Emergency.
- Convenes Emergency CAB meetings for all Emergency RfCs.
- Decides on CAB meeting attendance requirements based on content of scheduled RfCs and ensure review material is available.
- Chairs all Corporate and Emergency CAB meetings.
- Ensures accuracy and communication of the Forward Schedule of Changes.
- Ensures that all CABs are sufficiently authoritative and effective.
- Raises change related issues to the IT governing body.
- Tables all RfCs for a CAB meeting, issue an agenda and circulate all RfCs to CAB members in advance of meetings to allow prior consideration.
- Closes Unsuccessful, Backed Out and Canceled RfCs.
- Produces management reports citing performance statistics for Change Management.
- After consideration of the advice given by the CAB or Emergency CAB, authorizes acceptable Changes.
- Keeps informed of changes implemented by service partners which may impact the infrastructure. Imparts to those organizations any information on the impact of their changes and ensure that all such changes are included in the Forward Schedule of Changes.
- Keeps business areas contacts informed of Changes and help interpret Changes into "HOW THE CHANGE WILL AFFECT THEM" or "WHAT THEY MAY SEE" topics.
Change Coordinator
The Change Coordinator can be delegated some of the functions of the Change Manager. The Change Coordinators responsibilities include:
- Primary interface with Local CABs.
- Receive, log and allocate a priority, in collaboration with the initiator, to all RfCs.
- Reject any RfCs that are totally impractical or insufficiently documented.
- Work with implementer and business areas when necessary.
- Participate in CAB meetings and take minutes.
- Communicate minutes and attendance to all CAB members and management.
- Involvement in reviewing changes with a completed code other than Successful.
- Act on behalf of the Change Manager when unavailable.
Change Implementer
The Change Implementer may be anyone. The implementer, however, must seek the approval of the Local or Corporate CAB or the Change Manager. Where the implementer and initiator are different (e.g., application vendor performs the actual build) there should be a agreement or Contract outlining respective responsibilities so that the vendor can be held accountable for the success of the build, including assurances of follow-up should Incidents and Problems result from the Change implementation.
In general the responsibilities of the Change Implementer are:
- Provides preliminary information relating to the Change as early as possible to facilitate long range scheduling of the Change in relation to other pending and anticipated Changes.
- Firms up details of the Change by completing the RfC with appropriate information.
- Performs or arranges for testing of the Change in an environment as close as possible to the "live" environment - i.e., pre-production.
- Notes any risks which may result from the environment not being an exact replica of the production environment.
- Develop "Build Books" and back-out and recovery procedures.
- Tests back-out and recovery and certifies them for the implementation.
- Certifies that the Change is ready to be implemented into the Production environment.
- Presents Change Implementation Plan to CAB membership at a convened CAB meeting for approval.
- Supervises the Change implementation and certifies it as either:
- Completed successfully, or
- Completed with variations from Build procedures, or
- Backed out - original environment re-created exactly, or
- Backed out - differences from original environment - notes difference.
- leads post-implementation review of Change and logs results of review on RfC (or other vehicle for recording results).
Change Tester
- Provides independent assurance that a Change is technically advisable and that risks to implicated CIs have been properly considered
- Assures that testing includes adequate regression testing to ensure that other areas of the infrastructure are not adversely affected by the Change.
- The Tester role is responsible for the core activities of the test effort:
- Planning and management of test resources
- Assess the progress and effectiveness of the test effort
- Identify the test approach and use relevant test techniques:
- Defines appropriate tests and associated test data
- Implements and execute tests
- Evaluates the outcome of each test
Configuration Manager
The functions of the Configuration Manager with regard to the Change Management process are:
- Facilitates negotiation of the scope of the configuration management process, in collaboration with the project steering committee, Owner and IT business stakeholders.
- Identifying which CIs need to be managed and controlled from this base of inventory - asset (including contracts, costs, vendors and warranties) and Configuration Management.
- Ensures data integrity and compliance, distributing management reports and defining integration with other IT systems and processes.
- Continually reviews the configuration management process for efficiency and effectiveness.
- Plans and executes population of the CMDB (manual or automated), performing regular housekeeping and plans for growth.
- Defines which CI types and attributes are to be tracked within their respective technical domain.
- Uploads the data from existing data repositories into the central CMDB.
- Updates the CI records under their control on an ongoing basis.
- Maintains the system and service relationships of the CIs under their control.
- Assists with periodic integrity audits on the CIs within their domain.
Service Desk
The functions of the Service Desk with regard to Change Management are:
- Verify CI information related to user and assets are accurate and update if necessary.
- Remain aware of Change schedules and the impact areas which might be affected by Changes.
- Participates in CAB with the view of imparting a Service perspective to proposed Change requests.
- Is either direct responsibility for communicating information on Changes to Users and/or User Groups or for re-directing inquiries with regard to a Change to the appropriate person (e.g. Change Implementer and/or Change Coordinator).
![[To top of Page]](../images/up.gif)
The following table lists the Change Management performance measurements by critical success factors:
Critical Success Factors
|
Key Process Indicators
|
Metric
|
Application/ Fields
|
Protect Service
| Improvement in Customer Satisfaction Survey on Change
| Survey Results
| Manual Effort
|
Percentage reduction in Changes causing Incidents
| Changes causing incidents - by urgency
| Online Services/Related IM Tickets
|
Percentage reduction in Changes impacting SLA service hours
| Changes impacting SLA service hours
| Online Services/tbd & Manual Effort
|
Percentage reduction in failed changes that do not have a recorded back-out plan
| Failed changes without a back out plan
| Online Services/tbd
|
Percentage reduction in Incidents causing Change
| Incidents causing Change - by urgency
| Online Services/Related IM Tickets
|
Percentage reduction of unsuccessful changes
| Unsuccessful changes
| Online Services/tbd
|
Reduction in percentage of changes referred to the Emergency CAB
| Changes referred to Emergency CAB
| Online Services/tbd
|
Repeatable Process
| Percentage Change Requests implemented on time
| Changes Implemented on time
| Online Services/vs Actual Start times
|
Percentage fewer changes "backed out"
| Changes Backed out by reason
| Online Services/tbd
|
Percentage fewer rejected RfCs
| Rejected RfCs
| Online Services/Approval Status = Rejected
|
Percentage reduction in Changes required by previous Change failures
| Changes related to Change failures
| Online Services/tbd
|
Percentage reduction in unauthorized Changes detected
| Unauthorized Changes
| Manual Effort
|
Percentage reduction of Emergency Changes causing Incidents
| Emergency Changes Causing Incidents
| Online Services/Emergency CM & Related IM Tickets
|
Percentage reduction of Emergency Changes requiring back-out
| Emergency Changes backed out
| Online Services/tbd
|
Reduction in percentage of Changes implemented without being tested
| Changes Implemented without being tested
| Online Services/tbd
|
Show efficiency and effectiveness results
| Percentage efficiency improvement based on number of RfCs processed
| RfCs processed per unit time
| Online Services/RfCs Per Group
|
![[To top of Page]](../images/up.gif)
CM0 - Change Management Overview
![[To top of Page]](../images/up.gif)
Inputs
Request for Change
The RFC is the primary form on which all information related to the change is recorded or referenced from. This form represents the permanent record of the Change and should be reviewed for accuracy and completeness by the Change Manager or Change Coordinator prior to CLOSING the Change. The results of a post-implementation review should be recorded for all Changes resulting from outages to Mission Critical systems.
Change Calendar (FSOC)
The Change Calendar (Forward Schedule of Change) lists the dates, times and resources required for all past and upcoming changes. It provides a database to notify interested stakeholders and users of outages and periods of heightened risk to the work environment.
Incident Logs
Detailed file of all incidents reported and recorded. These logs can contain information on the importance of the Change which can be used to determine its' relative priority amongst Change requests competing for a Change window.
Cost Data
Cost data provides information on the financial stakes involved in a Change and can be used to determine the relative importance of a Change Request.
Problems
- Changes which are the result of a Root Cause Analysis performed by Problem Management will have valuable information for assessing the risks associated with a Change. Such factors might include:
- any outstanding issues related to the solution (eg. solution might not work under certain conditions which are deemed low probability or risk)
- the complexity of the solution and its' compatibility with products and services in use in the organization (perhaps as standards)
- any phasing characteristics required for the solution or Change process
- risk determination that the problem might re-surface in the future
CMDB
The Configuration Management Database contains the listing for all Configuration Items affected by the change and describes their inter-relationships and dependencies within the production environment. This information is used to assess the extent of the environment impacted by a Change and hence the risks associated with the Change. This assessment is recorded on the RFC by the Change Initiator and updated throughout the Change Process as the nature and extent of all risks become more apparent (eg. ability to back-out an implementation).
![[To top of Page]](../images/up.gif)
Controls
Service Commitments
Service Commitments determine how and when changes can be implemented. Ideally, they are expressed in SLAs outlining approved application change/maintenance windows. Associated Contracts with support vendors will also establish parameters around the change including timing, performance, backout procedures, etc.
Training
How well Change Implementers are trained in the specifics of particular changes will directly affect the degree of success in implementing changes. Foremost, amongst the qualifications should be a pre-disposition to plan and test a Change well so as to avoid unexpected results.
Resources
The availability of resources and specializations in the technologies and procedures of a change will affect the success of the venture. Specialized resources such as Testers and Risk Assessors will improve the outcomes from specific stages of the change lifecycle.
Guidelines
Documentation and guidelines for a change are important success factors. Build books and well established procedures used successfully in previous changes will go a long way to guaranteeing success. Building and updating a repository of Change material by type of change and the period review of this material will ensure that procedures are kept current and accurate.
![[To top of Page]](../images/up.gif)
Mechanisms
Risk AssessmentR
Change Management uses risk assessment to determine the extent of the potential threat and the risk associated with a change to the known and trusted state of the IT infrastructure. The output of this review helps to identify appropriate measures for reducing or eliminating risk during the change process or to avoid the risk entirely by not proceeding with the risk. To properly do this there must be a commensurate review of the risks associated with not doing the change.
To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. Impact refers to the magnitude of harm that could be caused by a threat's exercise of a vulnerability. The level of impact is governed by the potential mission impacts and in turn produces a relative value for the IT assets and resources affected (e.g., the criticality and sensitivity of the IT system components and data). A risk assessment methodology encompasses nine primary steps:
- System Characterization
- Threat Identification
- Vulnerability Identification
- Control Analysis
- Likelihood Determination
- Impact Analysis
- Risk Determination
- Control Recommendations
- Results Documentation.
CAB Meetings
Minutes, decisions and notes are recorded following meetings of Change Advisory Boards. The mechanism by which this occurs will have a bearing on the effectiveness of a Change Management process. Variances may be attributable to:
- the degree of expertise and authority granted to the membership
- the extent of business representation
- the degree to which the membership functions as a Team
- the decision making model (eg. consensus, unanimity, etc)
Change Scheduling
The availability and accuracy of the Change Schedule will play a large role in determining customer and participant satisfaction with the Change Management process. To business the Change Calendar should be accompanied by broadcasts or selective e-mails noting any system outages or performance loss during change windows so that they can plan their business accordingly.
![[To top of Page]](../images/up.gif)
Outputs
![[To top of Page]](../images/up.gif)
Process Activities
CM1 - Log & Filter
CM1.1 - Initiate RfC
Objective: Complete Request For Change (RfC)
The Request for Change (RfC) serves as a formal record that is used to track the entire lifecycle of the change from initiation through completion recording the successes and failures of each step. RfCs should be submitted to the Change Coordinator and be assigned a unique identifier. At this time thed Change Coordinator or Local Change Manager will review and approval or reject them. The Change Coordinator or Local CAB may decide to appoint a different change implementer than the implementer designated by the change initiator.
An RfC should be submitted as soon as a change is contemplated including all know information at the time of submission and, over time, must contain all of the following information:
Change Initiator...
- A Categorization (Category, Type and Item [CTI]).
- The Severity (Major, Significant, Minor, Low).
- Short description.
- Detailed description.
- Lines of businesses, application and users impacted.
- The configuration items (CIs) impacted.
- Cross references to any reported Incidents, other changes and/or Problem Tickets giving rise to the Change.
- A description of the impact if the change were to take place or not be implemented.
- An assessment of the complexity.
- The change implementer, builder, support and backup personnel.
- An estimate of the time required to implement a change including time to implement the back out plan if required.
- Description of the testing methodology (including user acceptance testing) either already conducted or planned.
- Cross-reference to build books and back-out plans.
- Implementation date preference(s) and stated reason(s) for dates (e.g., available change window).
As well, all service and business partner changes are coordinated in a Forward Schedule of Change (FSC) report.
CM1.2 - RfC Filtering & Approval
Objective: Review RfC to filter out unrealistic, redundant or incomplete retests and approve remaining to go into the Planning phase
The Local Change Manager is responsible for filtering and approving all Severity = Low RfCs. Working with the Local Change Coordinator, the Change Coordinator is responsible for filtering and approving all other RfCs. Filtering involves reviewing the RfCs for completeness including:
Change Coordinator or Local CAB...
- Determining if there is enough information to understand the Severity, urgency and priority.
- Estimating the likelihood of success and the potential effects of implementing.
- Comparing preferred dates with Forward Schedule of Change (FSC) to be aware of potential conflicts or redundant changes.
- Determining if this is a valid change and if resources can be assigned to this change.
Improperly filled out or incomplete RfCs will be returned to the Change Initiator for revision and the change log will be updated to reflect a status of "pending." This may occur if, for example, the change initiator did not provide enough information about the impact posed to the IT environment.
CM1.3 - Determine Treatment
Objective: Review Emergency RfCs to determine routing
Changes that have been validated as an Emergency by either the Change Coordinator or a Local Chang Manager will be review by the Change Manager to determine the next step in dealing with the emergency. Based on the uniqueness of the emergency the Change Manger may:
Change Manager...
- Bring it to the Emergency CAB for authorization to implement (All Severity = Major Changes must be approved by the Emergency CAB).
- Approve the Change for immediate implementation and then review it with the Emergency CAB.
- Send it though the Change Planning process to be built and or tested.
![[To top of Page]](../images/up.gif)
CM2 - Change Planning
CM2.1 - Validate or Build Test Plan
Objective: Validate or Determine User Acceptance Test Requirements<
Local Change Coordinator and Change Implementer...
- Document what is being changed
- Document what business areas will be impacted
- Work with impacted business areas to develop user testing requirements
- Work with business areas to coordinate the testing with the build process.
CM2.2 - Validate or Build Change & Back-out Plans
Objective: Plan and develop change in an environment separated from the Production environment in order to avoid outages caused by change implementations
Local Change Coordinator and Change Implementer...
- Coordinate with all areas that have tasks associated with the RfC to build change procedures.
- Validate existing (e.g., Severity = Low Changes) or document build procedures
CM2.3 - Test Change & Back-out Plans
Objective: Increase assurance that change will not have adverse impact on Production environment
Local Change Coordinator and Change Implementer...
- Develop a test plan
- Test build procedures in a test environment that closely simulates the production environment
- Document all discrepancies between the test environment and the production environment
- Document the anticipated impact due to the documented discrepancies
- Document test results
- If testing cannot be done, document the reasons to justify the waiver of testing requirements
CM2.4 - Local CAB Review
Objective: Review changes to authorize implementation, acquire additional information or reject
Local Change Manager...
- Working through the Local CAB, the Local Change Manager approves or rejects all Changes where the Severity = Low
- The Local Change Manager may defer approval/rejection of Changes to Corporate CAB due to complexity of the Change
![[To top of Page]](../images/up.gif)
CM3 - Determine Priority & Authorize
CM3.1 - Determine Priority, Validated Severity & Urgency Priority
Objective: Examine the impact of the approved Changes on the organization in terms of the resources needed to effect the Change and use prior examples of change to define change processes in order to mitigate risk
Scheduling of changes in order to ensure changes of the greatest importance are expedited with due consideration for budget and risk characteristics
Change Manager, Initiator, Local Change Manager...
- Review all RfCs and work together to validate Severity, Urgency and determine Priority
CM3.2 - Corporate CAB Review
Objective: Review changes to authorize implementation, acquire additional information or reject
Corporate CAB...
- Reviews all Severity = Major or Significant changes
- Is a combination of formal meeting and electronic approvals as determined by Change Manager
- May defer approval/rejection of Change to Executive CAB due to financial or customer impact implications.
- Recommends approval or rejection of all Changes reviewed
Change Manager...
- Chairs and publishes meeting minutes
- Approves or rejects Changes based on Corporate CAB recommendations
- Changes RfC status and updates ticket as appropriate
CM3.3 - Executive CAB Review
Objective: Review changes that have a major customer or financial impact, to authorize implementation, acquire additional information or reject
Executive CAB...
- Approval or rejection for all changes presented to them by the Change Manager
Change Manager...
- Chairs and publishes meeting minutes
- Changes RfC status and updates ticket as appropriate
CM3.4 - Emergency CAB Review
Objective: A subset of the Corporate & Executive CABs which is available on short notice to make immediate decisions in order to expedite the process of approving a change
Initiator...
- Submits RfC and marks the change as an Emergency
- Reviews RfC with Local Change Manager
Local Change Manager...
- Reviews RfC with Initiator and verifies that the change is an Emergency.
- Reviews RfC with Change Manager.
Change Manager...
- Calls and chairs emergency meeting and publishes meeting minutes
- Approves or rejects Changes based on Emergency CAB recommendations
- Changes RfC status and updates ticket as appropriate
Emergency CAB...
- Reviews all Emergency Changes
- Is a combination of formal meeting and electronic approvals as determined by Change Manager
- May defer approval/rejection of Change to Executive CAB due to financial or customer impact implications
- Recommends approval or rejection of all Changes reviewed
CM3.5 - Change Manager Review
Objective: Review Severity = Minor, changes to authorize implementation, acquire additional information or reject.
Change Manager...
- Approves or rejects all Changes where the Severity = Minor
![[To top of Page]](../images/up.gif)
CM4 - Implement Change
CM4.1 - Implement Change
Objective: Reduce risk of installing changes into the Production environment
Implementer...
- Start change at scheduled time
- Move the change status to WIP at start of implementation
- Follow documented build process
- Monitor activities and keep RfC log updated
- Test the success of the change (include user testing if necessary)
- If change is unsuccessful implement documented back-out plan
- Upon completion, change the status to completed with the appropriate completion code
- Update log with explanations for all changes with a completion code other than successful
- Participate in all reviews of your changes if necessary.
CM4.2 - Perform Back-ou
Objective: Restore Production environment to known (and trusted) state as expeditiously as possible following the implementation of a change which needs to be undone
Implementer...
- If it is determined that the change is unsuccessful, back-out plan should be implemented as soon as possible.
- Be aware of other changes that may have occurred between the time of implementation and the completion of the Back-out plan.
- Assure that the production environment has been restored to the previous known state.
- Change the status of the RfC to "Completed" with a completion code of Backed Out.
- Update the log with all information related the decision for backing out the change.
![[To top of Page]](../images/up.gif)
CM5 - Change Review
CM5.1 - Change Review
Objective: Apply lessons learned from Change to subsequent Change efforts
Corporate & Local Change Manager, Change Coordinator, CABs, SME, Implementer, Problem Management
- It is the responsibility of the Local Change Manager to review how well their area implements changes into the environment. The Change Manager will randomly review all changes that have a completion code of 'Successful'. (These are changes that have met their objectives, were completed within the scheduled time frame and have no known incidents related to the change). These will be looked at for content, accuracy and actual date and time stamps to view the flow through the process. This will help manage improvement to the process.
The Change Manager will be notified of all changes that are placed in a completed status with a completion code other than 'Successful'. These RfCs would not be automatically taken to a status of closed and must be manually closed by the Change Manager or Coordinator. The Change Manager will work with Incident Management, Problem Management, Implementer, Local Change Manager and SME to review these RfCs and determine what needs to be done to improve the success rate on changes of that type. There may be times when the CAB would be responsible for helping to provide a post mortem of the change because of the scope or impact of that change. A report will be created for each RfC reviewed that will contain answers to the following questions:
- Why was the completion code chosen?
- Was this issue caused by items within or outside of our control?
- What could we do in the future to correct or prevent this from occurring again?
- Process wise what can be done to correct or prevent this from occurring again?
Was this change reviewed at the appropriate CAB level?
![[To top of Page]](../images/up.gif)
Terms
Term | Definition
|
Active / Approved | Any change actively being worked on with a goal to complete the change within a defined time period, or any change prioritized by the appropriate and/or business personnel with the intention to complete work during a set time period. Some Scoping, Estimating, or other Project Initiation work may not be considered 'Active' as a part of the Release Process. A change request may not be 'Approved' until the business and management prioritizes it. Filler work, or work done when time allows may be considered not Approved and/or Active until a date can be proposed for the completion of Build and Test.
|
Availability | Ability of a component or service to perform its required function at a stated instant or over a stated period of time. It is usually expressed as the availability ratio, i.e. the proportion of time that the service is actually available for use by the Customers within the agreed service hours.
|
Build Book | A documented record of the sequence of steps involved in building a release from the version currently resident in the DSL.
|
Business Sign-off | Standard and Exception Releases include Business Signoff as part of completing the Production Entrance Criteria Checklist.
For Emergency Releases that occur during business hours, the Production Entrance Criteria Checklist is not required provided the Business agrees to the fix and acknowledges the risk of accepting the change.
Business Signoff of an Emergency Release is completed by an application Release Coordinator forwarding e-mails to the Release Process Owner and Change Manager.
|
Category, Type and Item (CTI) | Method for Classification of a group of Change documents according to three-fold hierarchical coding structure used by many organizations.
|
Change Advisory Board (CAB) | A group of people who can give expert advice to the Change Manager on the implementation of Changes. The rigor with which changes are considered is determined by the evaluated risk associated with the change. The degree of risk (as well as customer concerns and financial considerations) will determine the authority charged with approving changes into the infrastructure.
These bodies are:
- Emergency CAB - This CAB will be convened by the Change Manager (as needed) for changes that have been designated as Emergencies by the Initiator, Local Change Manager and Change Coordinator. This board is made up of Subject Matter Experts, Corporate CAB Members (as needed) and Senior Management representation.
- Executive CAB - Changes with a severity of Major. This board is chaired by the Change Manager and is made up of senior leadership with the ability to approve direction, financial and technical resources.
- Corporate CAB - Recommends the approval of Changes with a severity of Significant. This board is chaired by the Change Manager and is made up of Local Change Managers and representatives from business units. This board also pre-authorizes all Standard changes
- Change Manager - Changes with a severity of Minor.
- Local CAB - Changes with a severity of Low. This board is chaired by the Local Change Manager and is made up of Subject Matter Experts from that functional area.
|
Change Calendar | A record and forward schedule of past and planned changes into the production environment.
|
Change Management | Process of controlling Changes to the infrastructure or any aspect of services, in a controlled manner, enabling approved Changes with minimum disruption.
|
Configuration Item (CI) | Component of an infrastructure - or an item, such as a Request for Change, associated with an infrastructure - that is (or is to be) under the control of Configuration Management.CIs may vary widely in complexity, size and type, from an entire system (including all hardware, software and documentation) to a single module or a minor hardware component.
|
Configuration Management Database (CMDB) | A database that contains all relevant details of each CI and details of the important relationships between CIs.
|
Critical Success Factor (CSF) | Critical Success Factors - the most important issues or actions for management to achieve control over and within its' IT processes.
|
Customer | Payer of a service; usually theCustomer management has responsibility for the cost of the service, either directly through charging or indirectly in terms of demonstrable business need.
|
Emergency Change | Used for production changes that have a business or system driver that requires immediate implementation, regardless of time. This occurs when the business risk of not changing the production environment out-weighs the risk of making the change and the change cannot wait for the next standard Release Date.
|
Environment | A collection of hardware, software, network and procedures that work together to provide a discrete type of computer service. There may be one or more environments on a physical platform e.g. test, production. An environment has unique features and characteristics that dictate how they are administered in similar, yet diverse, manners.
|
Forward Schedule of Change | see Change Calendar
|
Incident | Any event that is not part of the standard operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of that service.
|
Operational Acceptance Testing | Formal tests to satisfy the IT operations department that the developed system is of adequate quality to enter the live environment and go into live production.
|
Priority | Sequence in which an Incident or Problem needs to be resolved, based on impact and urgency.
|
Process | A connected series of actions, activities, Changes etc. performed by agents with the intent of satisfying a purpose or achieving a goal.
|
Process Control | The process of planning and regulating, with the objective of performing a process in an effective and efficient way.
|
Release | A collection of new and/or changed CIs which are tested and introduced into the live environment together.
|
Request for Change (RFC) | Form, or screen, used to record details of a request for a Change to any CI within an infrastructure or to procedures and items associated with the infrastructure.
|
Risk | A measure of the exposure to which an organization may be subjected. This is a combination of the likelihood of a business disruption occurring and the possible loss that may result from such business disruption.
|
Risk Analysis | The identification and assessment of the level (measure) of the risks calculated from the assessed values of assets and the assessed levels of threats to, and vulnerabilities of, those assets.
|
Risk Management | The identification, selection and adoption of countermeasures justified by the identified risks to assets in terms of their potential impact upon services if failure occurs, and the reduction of those risks to an acceptable level.
|
Role | A set of responsibilities, activities and authorizations.
|
Service Level Agreement | A written agreement between a service provider and Customer(s) that documents agreed services and the levels at which they are provided at various costs.
|
Severity | An assignment of the overall effect on the infrastructure that a change to a Configuration Item might have, based on the assessed risk and the scope of the requested activity.
- Major - A significant change that the Corporate CAB has determined the scope of the change has major financial, business or resource implications associated with the activity being performed.
- Significant - Changes that have company-wide implications which require coordination of activities and resources across multiple IT or Business areas. Where it has been determined that the risk of implementing this change is High due to limited or no experience implementing the change, providing an unknown outcome.
- Minor - Changes that have a moderate level of risk, are normally successful and may required expertise or resources beyond the functional area.
- Low - Changes where the impact or risk of implementing the change is low due to having a documented repeatable process and a high level of success.
- Standard - Changes that are routine and repeatable have a high level of success and do not require resources outside of the area implementing the change.
|
SME | Subject Matter Expert - A support resource highly knowledgeable in the infrastructure components undergoing a change.
|
System | An integrated composite that consists of one or more of the processes, hardware, software, facilities and people, that provides a capability to satisfy a stated need or objective.
|
System User Instructions | The detailed area system and process instructions that System Areas send to the Business Customers and system users who will be impacted by a release. These are typically targeted to the people who use the system and contain an overview of why a change is being made, a set of step-by-step instructions or other information that the system user will need once the change is in production.
|
Test Environment | A computer system, or a discrete part of a computer system (made up of hardware and system software), which is used to run, and sometimes to build, software releases for operational acceptance testing.
|
Test Plan | An action plan which provides an overview of the project, lists items to be tested and serves as a communication device between all members of the project team. The plan also identifies sufficient and proper tests to assure that previously tested related functions will execute properly.
|
Test Scenarios | A series of tests for an application designed to simulate the business demands on the application and its' components.
|
Urgent Change | An Urgent Change is used for production changes that have a business or system driver that requires immediate implementation, regardless of time. This occurs when the business risk of not changing the production environment out-weighs the risk of making the change and the change cannot wait for the next standard Release Date. A change is considered Urgent if there is a significant detrimental impact to the customer experience (external to the organization), with no reasonable workaround, and the issue causes a financial impact AND/OR the issue keeps one or more people from doing their job. An Urgent Change requires the approval of Corporate Emergency CAB.
|
User Acceptance Testing (UAT) | Testing of the full solution by the business / users to validate that it operates correctly and meets requirements. The implication is that this is the point at which the business agrees to take the solution as produced by the developers (whether internal or external).
|
![[To top of Page]](../images/up.gif)
Request for Change Processes
The following picture depicts the RfC lifecycle, highlighting the key information added during each step of the process:

Throughout this process the RfC status indicates its' progress through the change lifecycle. The table below defines the various RfC statuses:
STATUS | DESCRIPTION
|
New | The RfC is considered New while it is being created.
|
Assigned | Once the RfC is saved its status moves to Assigned and it is automatically routed to the appropriate Change Coordinator or a Local Change Advisory Board (CAB) for authorization to proceed.
|
Approved | The RfC is considered Approved after it has been reviewed and accepted by the Change Coordinator or appropriate Local CAB who grants approval for the change build to occur. (Note: This is not approval to proceed with implementation -- that is granted after the build when the Change Implementer returns to the Change Manager or appropriate CAB for approval to proceed with implementing the change.)
|
Planning | Once an RfC has been approved, the status is changed to Planning by the Implementer. During this stage all areas involved in implementing this change will be responsible for creating build, test and back-out plans. This is also the time when testing of the build and back-out plans would be performed
|
Pending | At any point in time the RfC may be placed in a Pending status awaiting additional information, materials or other resources required to process
|
Scheduled | Once the change is ready for implementation and its schedule approved by the Change Manager or CAB, its status is changed to Scheduled.
|
Work-in-progress | The RfC is placed in Work-in-progress by the Implementer at the actual start time of the change implementation.
|
Completed | Upon completion of the change the implementer moves the RfC to the Completed status and chooses one of the following completion codes:
- Successful - The change should meet the designed objectives, completed within the scheduled change window, and have no known incidents associated with the change.
- Successful with incident - The change has met the designed objectives, and has known incidents associated with the change or was not completed within the scheduled change window. Known incidents must be associated with the RfC responsible for those incidents.
- Backed out - The change was unsuccessful or when it has been determined that, even though the change was successful, the new state of the environment is not acceptable. The back out plan has been implemented and the system has successfully been returned to its state prior to the change having been applied. . If any other changes have been made to the CI during the interim period consideration should be given to having them removed as well since the environment cannot be definitively returned to a known state unless they too are removed
- Unsuccessful - if, after evaluation, the change did not meet the design objectives. Any change that is deemed to be unsuccessful will have the reasons for the failure documented in the Change Ticket.
- Cancelled - At any stage prior to moving to a status of Work-in-progress, the status of the change may be changed to Completed with a completed code of Cancelled. If the change is in progress then it must be closed with a status of Unsuccessful or Backed Out
.
|
Closed | All changes that have been marked completed with a completion code of Successful or Cancelled will automatically have their status changed to Closed, 10 days following implementation. RfCs with any other completion code will be reviewed by Change Management prior to closing. Rescheduling of Backed-Out, Unsuccessful, or Cancelled changes require a new RfC with the previous RfC related to it.
|
![[To top of Page]](../images/up.gif)
Change Action Summaries
Change Approval, Authorization & Scheduling Summary
In an effort to streamline the process and reduce the impact that the Change Management process has on workflow, accomplishing common tasks and being able to support the needs of our business partners, the approval process occurs at multiple levels. Although the authority to approve RfCs can be delegated to different levels and processes the overall approval of every change is the responsibility of the Change Manager. It will always be the responsibility of the Change Manager to monitor the success and functionality of this process and make adjustments where necessary.
The following outlines how the Change approval and scheduling process works:
- Initiator submits the RfC with approval of their management. Items to be aware of prior to submittal are need for change, lead time of change, resource requirements and items already on the forward schedule of change calendar.
- Change is reviewed and filtered for content and completeness by the Change Coordinator and or the Local Change Manager. At this point the RfC itself is either approved or rejected. This does not signify approval to perform the Change.
- If the RfC is authorized to move forward, the Status is changed to Approved and the initiator and implementer are notified of the status change.
- If rejected, the RfC is sent back to initiator with an explanation of why and what needs to be done prior to resubmission (All rejected RfCs must be resubmitted at the beginning of the process).
- Once approved, the implementer will change the RfC status to Planning.
- After the Change is planned (build and test change and back-out plans), depending on its Severity it must be authorized by one of the following approval authorities prior to implementation:
- Major Changes require authorization from the Executive CAB.
- Significant Changes require authorization from the Corporate CAB.
- Minor Changes require authorization from the Change Manager.
- Low Changes require authorization from the Local CAB.
- Standard Changes do not require additional CAB approvals during implementation.
- If authorized, the status will be changed to Scheduled and the Implementer and Initiator would be notified. Once placed in this status the proposed date and time of the change becomes the actual scheduled date and time and can only be changed by the Change Manager (this is required so that change Management can determine what level of review this change must undergo due to a date or time change). Prior to this RfC being moved to a Scheduled status the proposed date and time can be changed by the Initiator, Implementer or Change Manager.
- The proposed date and time is a required field in the RfC. This is the field that is used for the scheduled date and time in the Forward Schedule of Change (FSC). As this field is changed the scheduled date and time is changed accordingly in the FSC. This allows areas to submit a change as early as possible and provide them with the flexibility to move that date until the change has been approved for implementation.
- If rejected the RfC is sent back to initiator with an explanation of why and what needs to be done prior to resubmission (all rejected RfCs must be resubmitted at the beginning of the process).
- In the case of an Emergency Change, the Initiator will mark the RfC as an Emergency. The Change Manager will be automatically paged and review the change with the Local Change Manager and SME to determine if they will have to invoke a session of the Executive CAB. The session of the Executive CAB may be conference call, electronic approval or a formal meeting depending on the perceived risk associated with delaying the time to implementation.
- With the recommendations of the Local Change Manager and SME or of the Executive CAB, the Change Manager will approve the change update the status to Scheduled. In most cases the change would probably not be rejected but Change Management may determine that the requested window of the change be moved to accommodate customer needs or reduce the impact the change may have.
Severity, Urgency, Priority, Approval, and Authorization Relationships
The following table depicts the relationships between Severity, Urgency, Priority and Approval, and Authorization levels:
Severity:
(Degree of impact to
business)
|
*Urgency:
(Speed at which the
change should be made)
|
Approved by:
(Approved to move into
the planning phase)
|
Authorized by:
(Authorized to Implement)
|
**Priority:
(Speed at which the
change will be made in relationship to other pending Changes)
|
RfC Lead Time:
(Minimum time the RfC
should be submitted prior to the change implementation date)
|
Major
|
Emergency
|
Change Coordinator
|
Emergency CAB
|
Urgent
|
As Soon As Practical
|
Low, Medium, High, Urgent
|
Change Coordinator
|
Executive CAB
|
Set by the Change Manager
Low, Medium, High
|
Minimum 15 Business Days
|
Significant
|
Emergency
|
Change Coordinator
|
Emergency CAB
|
Urgent
|
As Soon As Practical
|
Low, Medium, High, Urgent
|
Change Coordinator
|
Corporate CAB
|
Set by the Change Manager
Low, Medium, High
|
Minimum 15 Business Days
|
Minor
|
Emergency
|
Change Coordinator
|
Emergency CAB
|
Urgent
|
As Soon As Practical
|
Low, Medium, High, Urgent
|
Change Coordinator
|
Change Manager
|
Set by the Change Manager
Low, Medium, High
|
Minimum 5 Business Days
|
Low
|
Low, Medium, High, Urgent
|
Local Change Manager
|
Local CAB
|
Set by the Local Change Manager
Low, Medium, High
|
Minimum 2 Business Days
|
Standard
|
Low, Medium, High, Urgent
|
Service Provider
|
Pre-Authorized by Corporate CAB
|
Service Provider
|
n/a
|
Change Severity Selection Guidelines
Severity | Guidelines
|
Standard |
- Routine and repetitive.
- Very high level of success.
- If unsuccessful it does not impact more than 5 users.
- Easily backed out.
- Does not require resources outside of area implementing the change.
|
Low | - High level of success (low risk).
- Have documented repeatable processes.
- Does not require resources or expertise outside of the control of the Local CAB.
- No outage\down time required to apply or back out.
- Will have no performance degradation to the production environment.
- Requires a maintenance window of less than 1 hour.
|
Minor | Experienced in implementing the change.
Normally successful (moderate risk).
Requires an outage/ down time for implementation or back out.
May require resources or expertise outside of the functional area.
May impact performance.
Impact more than one application or Mission critical application
Significant | - Very limited or no experience implementing the change.
- Unknown level of success (high or unknown risk).
- Very complex.
- If unsuccessful, would have a major impact on the production environment.
- Impact a Survival Critical application.
- Requires a large number of resources.
- May have enterprise wide impact.
- Requires customer testing.
| Major | - Major financial or customer impact.
| |
![[To top of Page]](../images/up.gif)