Understanding and Managing the Risk of Change
Every organization faces change. These changes include everything from regular, almost mundane modifications to large-scale deployments of new IT services. Regardless of the scale of the change, all changes have one thing in common: risk. This white paper discusses how ITIL® Change Management mitigates risk to ensure architectural integrity and enterprise focus, while discussing the tangible return on investment (ROI) and intangible value on investment (VOI) of effective Change Management.
What Is Change Management?
Change Management involves understanding and controlling the exposure to hazards such that overall risk to the business is handled in an efficient and effective manner. For example, if an organization were deploying a new desktop operating system across the enterprise, an effective Change Management process would identify the risks involved, assess the impact, and coordinate the change so that the impact to the business is minimized. The intent of Change Management, therefore, is to act as an enabler: a mechanism by which the business can quickly adapt and respond to changing conditions without the negative consequences that are often associated with hasty action.
Change Management supports business adaptation in several ways. First, effective Change Management offers a standardized method that efficiently evaluates the potential positive and negative aspects of change, and allows for the prompt handling of all change-related activities. Second, Change Management ensures that all changes are recorded, evaluated, properly planned, and accounted for, such that the organization has an ongoing living history of change-related activities. Finally, Change Management minimizes the disruptions often associated with change at all levels.
A formal Change Management process is described by ITIL® v3. This process includes steps that ensure that changes are formally described, adequately assessed for their impact on the business, and coordinated in line with other changes and ongoing business activities. Even the simplest changes entail risk. For example, even a routine update to a desktop operating system, if not properly assessed and coordinated, can leave users unable to use desktop applications to complete the work of the business, resulting in unanticipated downtime and significant business impact. The ITIL Change Management best practices provide a mechanism by which organizations can control the risks associated with change. The risk of change typically manifests itself in five ways:
The risk of unauthorized or improperly assessed changes
The risk of unplanned outages
The risk of a low change success rate
The risk of high numbers of emergency changes
The risk of significant project delays
The ITIL Change Management best practices propose that to address these five risks, seven questions must be answered about every change. These seven questions are:
Who raised the change?
What is the reason for the change?
What is the return required from the change?
What are the risks involved in the change?
What resources are required to deliver the change?
Who is responsible for the build, test, and implementation of the change?
What is the relationship between this change and other changes?
How do these questions reduce risk? How does knowing "who raised the change" affect my risk? By following a standardized process that answers these seven questions for every change, organizations consistently reduce the numerous risks associated with change.
For example, let's consider a change that many organizations frequently face: an update to a set of firewall rules driven by an updated security policy. Using the seven questions, we might arrive at the following answers.
Who raised the change? This identifies both the business and IT sponsors of the change.
What is the reason for the change? Firewall rules are being updated to match recent security policy changes.
What is the return required from the change? The policy changes were specific to a new business partner, so the return expected is that internet traffic from this new business partner will be allowed through the firewall, which facilitates new business transactions at an estimated daily value of $25,000.
What are the risks involved in the change? Firewall rules could be incorrectly set, resulting in malicious traffic being allowed into the enterprise, and/or resulting in an inability to accept traffic from the new business partner.
What resources are required to deliver the change? This identifies the specific tools and equipment used to deploy the change, as well as the target configuration items for the change.
Who is responsible for the build, test, and implementation of the change? This question identifies the people responsible for ensuring the change is correctly built, tested, and implemented as intended.
What is the relationship between this change and other changes? Are any conflicting changes occurring at or near the same time as that proposed for this change? Is there any known interaction between this change and any other changes?
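The two risks named above for the firewall change (rules set too broadly, admitting unwanted traffic; or rules set incorrectly, so the partner's traffic is still blocked) can be checked before implementation rather than discovered afterwards. The following is an added example, not part of the white paper or of ITIL itself: it models a first-match firewall rule set, diffs the current and proposed sets, flags any new allow rule that reaches beyond the scope the change record approved, and confirms that a representative partner host is admitted while an arbitrary Internet host is still denied. The partner address range (203.0.113.0/24), the port (8443), the rule format and all rule sets are constructed assumptions for illustration.

```python
"""Added example (not from the white paper): a pre-implementation check for a
firewall rule change, covering the two risks listed in the change record:
(1) rules broader than the approved scope admit unwanted traffic, and
(2) rules set or ordered incorrectly still deny the partner's traffic.
Partner CIDR, port, rule format and sample rule sets are all assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dport: int    # destination TCP port
    comment: str = ""


# Constructed sample: the rule set in production today.
# First match wins; anything unmatched is denied (implicit default deny).
CURRENT_RULES = [
    Rule("allow", "10.0.0.0/8", 443, "internal users to portal"),
    Rule("deny", "0.0.0.0/0", 22, "no external ssh"),
]

# Scope approved in the change record (assumed values).
APPROVED_PARTNER_CIDR = "203.0.113.0/24"
APPROVED_PORT = 8443

# Three constructed proposals for the same change record.
PROPOSED_OK = CURRENT_RULES + [Rule("allow", "203.0.113.0/24", 8443, "new partner")]
PROPOSED_TOO_BROAD = CURRENT_RULES + [Rule("allow", "0.0.0.0/0", 8443, "partner (any source)")]
PROPOSED_MISORDERED = [Rule("deny", "0.0.0.0/0", 8443, "legacy block")] + PROPOSED_OK


def first_match(rules, src_ip, dport):
    """Simulate the firewall: action of the first matching rule, else 'deny'."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if dport == r.dport and ip in ipaddress.ip_network(r.src):
            return r.action
    return "deny"


def assess_change(current, proposed, partner_cidr, port):
    """Return a list of findings; an empty list means the proposal stays within
    the approved scope and delivers the return the change record promised."""
    findings = []
    partner = ipaddress.ip_network(partner_cidr)
    added = [r for r in proposed if r not in current]
    removed = [r for r in current if r not in proposed]

    # Risk 1: every new allow rule must sit inside the approved partner scope.
    for r in added:
        if r.action == "allow":
            net = ipaddress.ip_network(r.src)
            if r.dport != port or not net.subnet_of(partner):
                findings.append(f"added allow rule exceeds approved scope: {r}")

    # Removing existing rules was not part of this change record at all.
    for r in removed:
        findings.append(f"rule removed outside change scope: {r}")

    # Risk 2: the stated return must hold, i.e. a partner host is admitted.
    probe = str(partner.network_address + 10)   # representative partner host
    if first_match(proposed, probe, port) != "allow":
        findings.append(f"partner host {probe}:{port} still denied")

    # Regression: a non-partner Internet host must remain denied on that port.
    if first_match(proposed, "198.51.100.7", port) != "deny":
        findings.append("non-partner Internet host admitted on partner port")
    return findings


if __name__ == "__main__":
    for name, proposal in [("ok", PROPOSED_OK), ("too broad", PROPOSED_TOO_BROAD),
                           ("misordered", PROPOSED_MISORDERED)]:
        result = assess_change(CURRENT_RULES, proposal, APPROVED_PARTNER_CIDR, APPROVED_PORT)
        print(f"{name}: {result or 'no findings'}")
```

Run as a script, the first proposal produces no findings, the second is flagged both for the over-broad allow rule and for admitting a non-partner host, and the third is flagged because a pre-existing deny ahead of the new rule still blocks the partner. A check of this kind is a concrete answer to the "build, test, and implementation" question: it is run by the people named as responsible for testing, against the target configuration items named under required resources, before the change is scheduled.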