Change is inevitable in any organisation; and with change comes risk. When one actively stops to think about change, one can be surprised at how big a part it plays within IT operations, ‘Run the Business’ as well as the ‘Change the Business’ function. Whether it is reactive to resolve errors or to adapt to changing circumstances; or proactive to provide new services or functions to increase performance; or to reduce costs or increase efficiency.
Such change is generally a good thing; however, as far too many organisations have learned, uncontrolled or poorly managed changes can (and probably do) lead to business-affecting incidents and problems. Thus they need to be closely managed to minimise exposure to risk, to minimise disruption, and to ensure success at the first attempt. Hence, given the potential gains from its adoption, a formal Change Management system (of policies, processes, procedures, and technology) is often lauded as a top priority for IT organisations. However, its implementation isn’t easy or, more precisely, implementing effective Change Management isn’t easy.
Whilst many might consider formal Change Management processes and procedures overly bureaucratic, it is relatively easy to quickly formulate a list of the issues caused by the absence of a Change Management process, or a poorly designed or deployed one – the main one being the adverse impact of change-related incidents on business operations (the unexpected and unwanted side-effects of deployed changes). Beyond this, even though one can’t help thinking that this is reason enough for the introduction of ITIL-based Change Management, an organisation is still subject to the risks and impact of unauthorised changes, rush jobs to deploy poorly planned changes, the inability to back-out changes, rush jobs to deploy fixes (or even fixes of fixes), and change scheduling conflicts.
The lack of effective Change Management within an organisation can also be a major stumbling point in corporate IT governance and compliance initiatives, particularly the inability to consistently demonstrate that change requests are approved and prioritised by appropriate owners, there is appropriate segregation of duties between all key elements of the change management process, critical changes can be tracked and escalated as needed, change impact is appropriately assessed, and audit trails are sufficient to meet the requirements of both internal and external scrutiny.
From an IT Service Management (ITSM) perspective, Change Management is one of the lynchpins of the IT Infrastructure Library (ITIL) best practice framework. Sitting within ITIL’s Service Transition quintile, it is defined as the process that ensures that standardised methods and procedures are used for the efficient, prompt, and successful handling of all changes. Its importance can be demonstrated by the fact that it is often one of the first processes implemented as part of a green-field ITIL implementation – with common implementation starting points either Incident and Change Management, or Configuration and Change Management – and that it is the second most implemented ITIL process (after Incident Management) in both v2 and v3 adoptions.
There are obviously financial benefits associated with minimising the volume and business-impact of change-related incidents and problems but effective Change Management also enables greater visibility and collaboration, supporting the ultimate aim of achieving the ITIL and ITSM Holy Grail of IT-Business alignment. The financial benefits, in the main, relate to the avoidance of costs associated with lost IT service availability such as the business cost of business-critical service downtime (reduced productivity or lost revenue); or the IT costs of dealing with associated incidents and problems, backing out the change or deploying change fixes, or on-the-fly code fixing. However, another which cannot be understated is the business cost of delays to important or mandated changes.
Beyond these top-level financial benefits, the business case for the introduction of ITIL-based Change Management should also include those associated with improved visibility, control, and speed. These include greater understanding of the change pipeline and the ability to handle a greater volume of changes, the communication of the Schedule of Changes to interested parties, a stage-gate approach to change approval, and prioritisation and fast-tracking through the use of Change Models and a purpose-built Emergency Change process. Finally, business-wide collaboration benefits offer the opportunity for better cost, risk, and impact assessment, and improved change prioritisation and scheduling.
From a practical perspective, it is not always necessary for an organisation to reinvent the wheel with ITIL-based Change Management – most organisations have some semblance of control over IT change even if informal, inconsistently applied, and lacking sufficient documentation – and to facilitate adoption it should build on these existing practices wherever possible. It should cover the Seven ‘R’s of Change Management – who ‘raised’ the change; what are the ‘reasons’ for the change; what is the ‘return’ required from the change; what are the ‘risks’ involved with the change; what ‘resources’ are required to deliver the change; who is ‘responsible’ for the build, test, and implementation of the change; and what ‘relationships’ exist between this and other changes? Beyond this, it should be a documented, repeatable, and scaleable process, facilitated by technology that provides capabilities to monitor and manage change progress, collaborate across functional barriers, measure performance, and identify opportunities for improvement.
Importantly, any Change Management initiative needs to be supported by top-level business backing such that there is a single, business-mandated Change Management process which applies to everyone and every change, with no exceptions – no matter who you are or who you know. In addition to this, Butler Group recommends that Change Management is driven through policy, which explicitly states how changes should be processed within the organisation, by whom, and by what method. With technology-enable workflows that move the change through the process, from Change Request logging and recording through categorisation and prioritisation, evaluation, approval and scheduling, implementation, and Post Implementation Review (PIR).
It is imperative, however, that an IT organisation, pursuing effective Change Management ensures that it has placed sufficient consideration into the avoidance of common Change Management pitfalls. The toughest and the most frequent of these is making the cultural change required to support the effective utilisation of the new Change Management process and enabling technology. As an extension of the already mentioned top-level business support, everyone within the organisation contributing to, and/or impacted by changes needs to be signed up to the diktat of a single, enterprise-wide Change Management system for the production environment (as a minimum). To this extent, the relative weight of the Change Management process is vital, and an over-bureaucratic process will not only stifle adoption but also its operation.
An IT organisation will also struggle to deliver effective Change Management without first ensuring that a robust management framework exists to support it. Firstly, business and IT ownership is key – specific people (or roles) need to own IT and business services, and the applications and infrastructure that deliver them where ownership is not just a title, but alternatively the ability, inclination, and authority to provide information and make decisions in the context of their charges. Without this, change impact assessments and scheduling, in particular, will be at best sub-optimal and at worst, dangerous to the enterprise.
Some semblance of Configuration Management is also vital to the success of any Change Management process, allowing not only the correct owners to be identified and consulted but also the necessary level of configuration item understanding (both individually and in the context of relationships) to ensure that risks are minimised through the comprehensive assessment of change impact. Finally, and importantly, the IT function needs to continually remember that they are not dealing with IT change; they are dealing with business change.
In terms of implementation best practice, getting the organisational approach right is critical. Before setting out on the journey to effective Change Management, senior management needs to fully understand and appreciate why the business needs it. As with the adoption of ITIL as a whole, Change Management should not just be introduced as a good thing to do; alternatively, it needs to address specific business issues or pain points.
Importantly, an organisation must also recognise that Change Management is not just the introduction of new processes and enabling technology; that alternatively, it is an organisational change which needs to be communicated to all levels within the organisation and bought-into by the key stakeholder groups affected by the delivery of change. Importantly, everyone within the organisation needs to understand that the corporate Change Management process is mandatory, with no exceptions, and best practice suggests that employees are made fully aware of the reasons for, and impact of the new Change Management system before it is ‘used in anger’ – maximising the opportunity to avoid resistance.
So where should an organisation start once focus, top-level support, and business mandate are in place? Butler Group recommends that an IT organisation starts with policy – developing, agreeing, and then communicating enterprise-level Change Management and Release and Deployment policies which explicitly state how changes should be processed within the organisation, by whom, and by what method.
Within this, an organisation needs to define various elements within the Change Management ecosystem: what a change is and the types of change that will fall within the remit of the new Change Management process. This should be followed by the creation of a Change Management process that both supports the policy and, importantly, is aligned to the organisation’s needs across the various areas of change initiation – such as requirements for new application features, security imperatives, demands for increased capacity, or incident and problem-driven fixes.
In dealing with different types and origins of change, an organisation should ensure that it benefits from the use of Change Models and technology-enabled workflows which predefine the way in which a particular change type should be handled. Common examples are Pre-defined/Pre-approved Change/Release, Standard Change, Non-Standard Change, and Major Incident Change. Emergency changes are inevitably needed but policy and process should ensure that these are both kept to an absolute minimum and managed differently, particularly in the level of approval and control.
An organisation must also not miss the opportunity to baseline the ‘as-is’ state before starting the transition to the desired future state. Without this baseline data it is nigh on impossible to fully quantify the benefits realised from the introduction of the new way of working – IT should be able to communicate the step change in Change Management performance as well as the ongoing, incremental improvements identified through the utilisation of Key Performance Indicators (KPIs) and Critical Success Factors (CSFs). Such ‘success stories’ will be vital in demonstrating the value derived from formalised change control in the context of the increased ‘pain’ of accommodating the additional internal controls, particularly in the early life of the new Change Management system. Ultimately, it may take time for the organisation as a whole to fully appreciate the benefits of the enforced formalisation of change.
However, even with the required Change Management ecosystem in place, there are also operational areas of best practice to consider. Firstly, not all changes were born equal. This is not just the fact that some applications, infrastructure, or IT services are more critical to the business than others, it is also that an analysis of Incident and Problem Management data, if available, or customer perceptions if not, will identify the areas of greatest business-impact caused by previous change failures. These problematic applications, infrastructure, or IT services should be short-term areas of focus to help ensure compliance with the new way of working and, more importantly, to maximise the benefits realised from the new Change Management system. It might be necessary to take action both within and outside of the Change Management process, such as focused monitoring of enacted changes (relative to authorised changes), additional education for offending individuals or IT groups, or even removing their access to the affected components.
Leading on from this, organisations need to realise that most change failures are people failures – whether it is an unauthorised security patch or failure to follow agreed work procedures that results in a business-affecting incident or problem. As with any other instance of employee negligence or deliberate failure to follow agreed processes, the IT organisation must make it clear that such behaviour is unacceptable and if consistently displayed, that it will be addressed through disciplinary action via agreed Human Resources-supported procedures. This will also need to be communicated as part of the overall transition, as part of a culture of personal and role-based accountability.
The knowledge, skills, experience, and capabilities of the people filling key Change Management roles are also critical. IT organisations should use the ITIL (or elsewhere-provided) guidance on Change Management roles and responsibilities to ensure that they slot in the right type of employees. Taking the Change Manager role as an example, a balanced mix of organisational, negotiation, communication, and analytical skills is required. Importantly, having the ability to see the bigger (business) picture and to repeatedly say ‘no’ when necessary is required for the benefit of the business.
Finally, in the area of operational best practice, the Change Management process stipulates the requirement for PIRs and an organisation should not view this final stage of the process as just a bureaucratic add-on that can be avoided to save time. Alternatively, it should use the reviews to not only identify what went wrong but also what went well; feeding findings into the ITIL-promoted Continual Service Improvement process to enable the ongoing improvement of change delivery across the enterprise.
Originally published on www.ovumkc.com