There is no formal rule about how often changes should be released. The important question is not how often changes are released but how well the change process is managed and controlled.  Every organization comes to some balance between available resources to track and implement changes and change frequency.  There is always a tension between those requesting changes and the ability of those who actually implement the change to do so in an orderly fashion.  For example, if there’s only one technician available to perform software builds for the production environment, and there are hundreds of requests to process, it’s obvious that someone’s work will have to wait.

Many companies eventually develop a “gating” process that defines a rule such as …”all changes for next week need to be submitted by Friday at 10 am and then reviewed at the 2PM weekly CAB meeting.”  Any requests that don’t make the cut need to be postponed until the following week.

When to Use an Emergency Change Request

A change request is only an emergency request assuming there are rules and schedules in place that need to be overridden for this particular change.  Most organizations have rules that prohibit production changes during a critical period, such as month end or quarter end because any change during that time may interfere and cause time critical processes to be delayed.  For example, there may be tight timeframes in which reports need to be produced for clients or regulators and the idea is that no unnecessary changes to the system should be made that might jeopardize those goals.

If however, a problem is discovered that is deemed so serious that it should be fixed immediately, despite the standing rules and procedures, then emergency procedures are followed.  Typically such a so-called emergency change requires approval from a higher level of management than a normal change request would.  This ensures that the rule is not being abused and that managers at the proper level are aware of all emergency changes that are implemented.

Share on Facebook

According to a 2005 Gartner report[i], “IT change management is a formalized process with documented procedures and work flows…. The goal is to enable controlled changes while preserving the integrity and service quality of the production environment.”  An important part of this process is the Change Advisory Board (CAB), whose charter is to review requests for change and ultimately, either approve or reject such requests for change.  Let’s examine the top 10 reasons why a CAB might reject a change request.

1. REQUIRED APPROVALS NOT ATTACHED

Any IT change control process worth its salt will require approval for a change from someone other than the change submitter.  Typically, each major subsystem, or even application, is assigned an “owner,” who is responsible for approving every change to the subsystem or application.  This type of structured procedure keeps the chain of responsibility intact and prevents unannounced or unauthorized changes from disrupting a production environment.

2. NO BACK-OUT PLAN INCLUDED

Another basic part of any sensible change control process is the inclusion of a back-out or fallback plan.  With any proposed change to a controlled IT environment, there is always a chance that some unforeseen circumstance may prevent the successful implementation of the change, whether it be large or small.  A clear statement of how to return the environment to its original, pre-change state is a critical component of every well-planned change.

3. REQUEST SUBMITTED PAST STATED DEADLINE

In any operative enterprise or organization, IT change management is a continuous process that evolves with the needs of the company.  In order to manage change effectively and smoothly, everyone must comply with his or her deadlines so that other people responsible for other steps of this continuous process have a reasonable amount of time to properly perform their function. 

For example: at Company A, software changes are managed on a weekly basis; therefore, a reasonable deadline would be that all changes scheduled for next Monday be submitted by Friday at noon, so that they can be reviewed at the weekly Friday 2:00 p.m. Change Meeting.

If some such logical schedule is not followed, chaos is sure to ensue.

4. EVIDENCE OF SUCCESSFUL TESTING NOT INCLUDED

Another vital requirement of a well-managed change system is that all change requests must include associated and relevant testing evidence.  Change to a controlled environment should not ever be made “on faith.”  There are, of course, situations where the exact actions that will occur in the controlled environment cannot be performed in the test environment (like sending money to a client), but all changes should be simulated to the utmost degree possible to reduce the likelihood of errors in the controlled system.  Change requests with no testing evidence attached should be rejected by the CAB – except where special and well-understood circumstances apply.

5. IMPLEMENTATION INSTRUCTIONS MISSING OR INCOMPLETE

To standardize and further automate your change process, you will need a plan that describes what the change action is.  Some companies refer to this plan as an implementation plan.  Regardless of what you call it at your company, you will need this plan.  As your organization changes over time, the implementation plan should evolve with such changes.  Moreover, it also has to capture all the standard change actions that have occurred company-wide.  It is the responsibility of the change requester to add the required information to the plan.  It is the responsibility of the CAB to assure that the plan is valid before anyone tries to act on the instruction it contains.  In sum, it makes perfect sense that an incomplete implementation plan will cause a change request to be rejected.

6. REQUESTED IMPLEMENTATION DATE IS IN A FREEZE PERIOD

Most organizations will block off certain days every month when any normal changes to the controlled environment are disallowed.  For instance, the change blackout period might be the end of each month when the company is closing out its financial records for the month.  During such a period, only emergency changes are permitted, and any such emergency change usually requires a high-level approval in order to move forward. 

The requirement of high-level approval accomplishes 2 objectives: 
1) Assures that senior managers are aware of the change
2) Discourages the misuse of the emergency change method by those who somehow did not complete a process on time.

7. REQUESTED CHANGE COLLIDES WITH ANOTHER SCHEDULED CHANGE

Another important function of the CAB is to prevent colliding change requests from being teed up at the same time. 

Example: The owners of System A are not fully aware of the plans and activities of System B.

Over time, the CAB should become sufficiently aware in all of the company’s systems that it can help prevent changes in one system that would negatively affect another. 

Example: System A produces output that is used by one or more other systems in the company.

Therefore, a planned change in System A might cause a problem in some downstream system that the owners of System A might not have considered.  The CAB can reject a change request when it detects such a situation.

8. REQUIRED CAVEATS/LANGUAGE NOT INCLUDED IN APPROVAL

A particular company may require that certain statements are included in every change approval form.  A federally regulated company may require, for example, that the Sarbanes-Oxley compliant controls be included in all change approval forms.  The lack of adhering to such controls would be a valid reason for rejecting a change request.

9. PROPER REQUEST ROUTING INFORMATION NOT SPECIFIED

A well-designed IT change request will include instructions that tell an analyst what group the change request should be sent to—that is, who will actually do the work described on the change form.  Without such information, the change request cannot be processed and should be returned to the requester.

10. CAB DECIDES THAT A REQUEST IS NOT COST-EFFECTIVE

The CAB can operate at a number of different levels.  In addition to processing the daily requests for change to existing processes, the CAB can also evaluate the cost-effectiveness of large, capital-intensive changes.  Some companies reserve such reviews for changes with an estimated cost over “X” dollars.  If the CAB decides that the proposal is not cost-effective, the project would be stopped.

The 10 issues described above are just some basic characteristics of a well-designed change process.  To delve deeper into ITIL-based change management, try the change management section at  IT Library .

---

[i] Gartner, Inc., Optimize Change and Configuration Management With People, Processes and Tools by Ronni Colville, Patricia Adams, Kris Brittain, August 3, 2005.

Share on Facebook

One of the main components of an ITIL ( Information Technology Infrastructure Library) configuration management process is the Configuration Management Database (CMDB).

A CMDB is a database that contains all the pertinent information about an organization’s technology components (called configuration items, or CIs) such as network equipment, computers, servers and peripherals and the relationships among those components. A CMDB gives enterprises an organized view as to how the various components interact to deliver applications and services for their customers. A CMDB can only be implemented in parallel with an effective Configuration Management Process. That means all data related to core IT operations must be appropriately stored and managed in order to ensure the integrity, validity, and accuracy of the configuration management data.

Here are five benefits of implementing a CMDB:

1. Breaks down the barriers between IT and the business—A CMDB removes IT silos and helps people, processes and technologies work more efficiently together. That’s because knowing what technology components you have, where they are and how they’re connected will let you better manage and improve your IT services.

2. Provides more proactive management—A CMDB allows organizations to better manage change in their IT environments. As the complexity of a organization’s IT infrastructure increases, a central database containing information about all the CIs and how they work together will help you avoid downtime by more efficiently planning and better appreciating how those changes affect the IT environment.

3. Helps better assess risk, improve security—IT organizations can use CMDB data to assess the risks to the business associated with known vulnerabilities on servers. That means your IT team can prioritize patches and secure the most critical vulnerabilities first.

4. Helps keep track of any changes in software—Data from the CMDB lets organizations know if there is any unauthorized or illegal software being used.

5. Makes compliance easier, more accurate—Using CMDB data, IT organizations can make sure that the information about their assets is accurate and up to date in order to comply with such initiatives as Sarbanes-Oxley and HIPAA. By keeping a close eye on CIs and their relationships and continually monitoring them to make sure they’re accurate, your IT organization can better ensure that your systems and their components comply with legislative mandates.

Share on Facebook