Change management involves understanding and controlling exposure to hazards so that the overall risk to the business is handled in an efficient and effective manner. The intent is to act as an enabler that provides a mechanism by which the business can quickly adapt and respond to changing conditions without the negative consequences that are often associated with hasty action.
Change management supports business adaptation in several ways.
- Effective change management offers a standardized method that evaluates the potential positive and negative aspects of change and allows for the prompt handling of all change-related activities.
- Change management makes sure that all changes are recorded, evaluated, properly planned and accounted for so that the organization has an ongoing living history of change-related activities.
- Change management minimizes the disruptions often associated with change at all levels.
ITIL v3 describes a formal change management process that includes steps to make sure changes are formally described, adequately reviewed for their impact on the business, assessed and coordinated with other changes and ongoing business activities. Even the simplest changes could cause risk. For example, a regular update to a desktop operating system can result in users being unable to use desktop applications, which could cause unanticipated downtime and impact the business.
The risk of change can often be identified in five ways.
- The risk of unauthorized and properly assessed changes
- The risk of unplanned outages
- The risk of a low change success rate
- The risk of high numbers of emergency changes
- The risk of significant project delays
The ITIL change management best practices propose that to address these five risks, seven questions must be answered about every change. By following a standardized process that answers these questions, organizations can reduce the numerous risks associated with change.
For example, let’s consider a change that many organizations frequently face: an update to a set of firewall rules driven by an updated security policy. Using the seven questions, we might arrive at the following answers.
- Who raised the change? This identifies both the business and IT sponsors of the change.
- What is the reason for the change? Firewall rules are being updated to match recent security policy changes.
- What is the required return? The policy changes were specific to a new business partner, so the expected return is that Internet traffic from this new business partner will be allowed through the firewall, which facilitates new business transactions at an estimated daily value of $25,000.
- What are the risks? The firewall rules could be incorrectly set, resulting in malicious traffic being allowed into the enterprise and/or resulting in an inability to accept traffic from the new business partner.
- What are the required resources? This identifies the specific tools and equipment used to deploy the change as well as the target configuration items for the change.
- Who is responsible for the build, test and implementation? This identifies the people responsible for making sure that the change is correctly built, tested and implemented.
- What is the relationship between this and other changes? Are any other mutually exclusive changes occurring at or near the same time as this change? Is there any known interaction between this change and any other changes?
As you can see, an effective change management process uses these seven questions to generate enough information so that critical aspects of proposed changes are understood and informed decisions can be made about whether or not to proceed with a proposed change or if significant additional planning must occur before carrying out any specific change.
Change management provides a mechanism by which organizations can understand and control their exposure to risk and, where possible, effectively coordinates aspects of change while considering interactions between changes as well as the impact of change upon business operations.
Excerpted from the Global Knowledge white paper Understanding and Managing the Risk of Change.