Change Management

Description/Summary

Change Management deals with any kind of change to the IT infrastructure and services. A well-defined and controlled process leads to the effective handling of these changes. Change Management is triggered every time a request for change is received from one of the various of sources which make such requests. Each requested change is classified by determining its priority and impact, and afterwards the responsible change authority decides on the approval or dismissal of the change. Change Management coordinates the incidental tasks in the context of change building, testing and release. For this purpose, close collaboration between Change Management and Project, as well as Release Managementis critical for the success of this process.

Change Management in ...

Objectives

The purpose of Change Management is to establish standardized procedures for the handling of IT-related change requests and facilitates the assessment, scheduling, coordination, documentation and evaluation of all changes.

Change Management contributes to an integrated Service Management approach by achieving the following goals:

  • Every change and all required data is recorded.
  • Every change runs through a set of standardized activities and procedures in order to ensure effective and efficient processing.
  • Every change with a risk to normal service operation is carefully assessed and sufficiently tested to avoid service disruption or degradation of service quality, in particular in terms of SLA deviations.
  • Every implemented change is documented and reviewed.

Roles & Functions

Change Management specific roles

Static Process Roles

See Change Management section, Service Management Roles x Person for details

Change Process Owner

Initiator of the process, accountable for defining the process strategic goals and allocating all required process resources. See{Continual Process Improvement Management Process Description en} Continual Process Improvement Management for a detailed description of these activities

Change Process Manager (Change Manager)

Manager of the entire process, responsible for its effectiveness and efficiency. Team leader of the function "Change Management Team". See Continual Service Improvement Management for a detailed description of these activities.

Change Management Team

Team associated to the Change Management Process.

Emergency Change Advisory Board (ECAB)

Decision Maker in the case of an emergency change. It is recruited from the Senior Management.

Senior Management

Senior Management of the IT provider

Dynamic Process Roles

These roles are dynamically created during the Change Management Process. See the process-specific or activity-specific rules for details.

Change Owner

The attribute in the records contains the value of the Role/Function currently accountable for the change (but NOT for the Change Management Process). The Change Owner can be changed with the help of a Hierarchical Escalation.

Change Agent

The attribute in the records contains the value of the Role/Function currently responsible for either an activity or task within the overall activity of the change. The Change Agent can be changed with the help of a Functional Escalation , if permitted by the Rules.

Change Advisory Board (CAB)

Consulting body in category 2 and 3 changes. The members of the CAB are defined in the activity "classification" and recruited from:

  • Service Owner
  • Change Process Manager
  • Service Expert or Service Specialist
  • Customer
  • Other persons necessary
Change Authority (CA)
The authority (person or group) authorizing a change; Change Authorities vary depending on the change category. See the Activity Specific Rules in the activity Change Classification for details.
Change Requester (CR)
This is the person who triggers a change via a Request for Change (RFC) form. This can be identical with a service or customer specific role.

Service Specific Roles

Roles depending on the affected service are found in the Service Description. The Service Description, including the service specific roles, is delivered from the Service Portfolio Management.

Example: Service Description

Service Expert/Service Specialist
They can consult and/or act as
  • Change Builder
  • Change & Fallback Tester
  • Change Implementer

Service Owner

Customer Specific Roles

Roles depending on the affected customer(s) are found in the Service Level Agreement (SLA). The Service Level Agreement for the customer specific roles is maintained by the Service Level Agreement Management.

Example: Service Level Agreement

Customer(s)
Customers of the affected Service with a valid SLA

Information artifacts

This section describes information/data required or recorded by the process. In general, a Process Record (here: the Change Record) represents the current progress of a process and will contain all information related to the execution of that process. Additional information items (artifacts), such as the Request for Change (RFC) or the Forward Schedule of Change (FSC) in the context of Change Management, typically can be realized by considering the information out of one or more (up to all) process records and by either filtering, merging, correlating or interpreting these information (sometimes with regard to the context of other data and information sources).

Change Record

The Change Record is the record holding any management-relevant information and history of a specific change. On creation, it is based on (filled with) the information provided by the Request for Change (RFC).

Unique identifier
Change ID
Change requester
Name of the Person triggering the change
Process instance
Unique Identifier of the Process Instance triggering the Change Management Process. This can be a Change Instance also.
Status
Status of the change. Is set when passing a Control Activity
Services
Service(s) affected by this change
Customer
Customer(s) affected by this change
Change Sponsor
Change Description
The description of the change including the Change Argument
Change Category
Change Priority
 
Change Authority
 
Risk & Impact analysis
 
Feasibility Study
 
Change Builder
Date and implementation time of the change
Implementation plan
Project Plan including concrete working instructions and time schedule
Implementation plan test results
True or False
Fallback plan
Fallback Plan including concrete working instructions and trigger for fallback
Fallback Test
True or False
Functional Test Plan
Functional Test Plan including concrete working instructions and expected results
Functional test plan results
True or False
Post Implementation Review results
True or False
Documentation Test
Test method and frequency for documentation test
Additional Remarks
Text for additional information

Forward Schedule of Changes (FSC)

The FSC is a structured report referring to all open changes. It contains user- and customer-relevant information on these changes and thus realizes a constricted view on all records of planned changes. Information to include in the FSC are:

  • Unique identifier of the change
  • Date and implementation time of the change
  • Description of the change
  • Expected impact on IT service operation (What will be impacted, and how, if change implementation proceeds successfully?)
  • Potential impact (What might be impacted, and how, if change implementation fails?)

Accomplished Change Overview

The Accomplished Change Overview is a structured report referring to all closed or cancelled changes. It is an important Information Resource for the Incident Management process and should include is:

  • Unique identifier of the change
  • Date and implementation time of the change
  • Description of the change

Key Concepts

Change Category & Standard Change

The following table outlines different category classes for changes.

Change_Management_tables_category

By definition, changes from category 2 and 3 are also called "major changes" and will be handled in a special way during the Change Classifikation.

Standard Changes help to accelerate process execution and thus increase the efficiency of Change Management. If a change of this category is requested, no delay is created through waiting for the change authorization (see below). This is because for each standard change, the required authorization has been given once in advance and will apply to all future changes of the same kind. It is essential that procedures are in place for the definition and administration of standard changes. This is achieved by the sub process Standard Change Admission.

In summary, a standard change is characterized as follows:

  • Low risk
  • Well-known costs
  • Well-established procedures (e.g. working instructions) for change implementation
  • Clearly defined roles:
    • who sponsors the respective change
    • who is allowed to request (trigger) the standard change (e.g. which users)
    • who is responsible for carrying the change into execution (e.g. the service desk)

Change Priority & Emergency Change

The following table gives an overview of priority classes and their relevance for Change Management.

800px-Change_Management_tables_priority

Emergency Changes are usually performed in order to avoid or resolve serious service disruption, degradation in service quality or to eliminate a potential security risk. Therefore, it is always related to one or more Major Incidents.

Change Controls

Change_Management_tables_control

Process

High Level Process Flow Chart

This chart illustrates the Change Management process and its activities as well as the status model reflected by the Change Record evolution.

Change_management_images_main

Critical Success Factors

Critical Success Factors (CSF):

  • Obey the process in every case
  • Cooperation with the Configuration Management
  • No personal union between Change- and Configuration Manager
  • High ratio of standard/minor changes
  • High ratio of changes with low/middle rated priority

Performance Indicators (KPI)

  • Details from audit
    • on time?
    • in budget?
  • Ratio Fallback/Total number of changes
  • Boost of Incidents/Problems after a change
  • Causes of the changes
  • Total number of non–authorized changes

These can be measured using the following measures: per service, per user, per customer, per location, per category, etc.

Process Trigger

Event Trigger

For more information see the relevant Process Interface Description in the Process Interfaces Overview

Time Trigger

  • None (Change Management is typically event-triggered)

Process Specific Rules

  • every RFC triggers the creation of a new Change Record.
  • the Change Agent is responsible for documenting each activity in the Change Record
  • the Change Owner has to control the Change Agent
  • the Change Owner and Change Agent can only transfer their duties if the new person or group agrees
  • the subsequent Change Owner or Change Agents must then be recorded in the appropriate attribute in the Change Record.
  • the Change Owner and Change Agent should preferably be a person rather than a group.
  • refer to the Service Description and Service Level Agreement in order to take service specific and customer specific rules into account

Note: for the different types of rules see Rules.

Process Activities

Change Recording

Change_management_images_recording

The Request for Change (RFC) is checked for completeness and formal correctness; i.e. it is verified that all mandatory information has been provided by the requester through the RFC form, with respect to the desired change. If this is not the case, or if the requester is not authorized to send RFCs in general, the RFC can be rejected. The Change Record is then shifted into the status "recorded-accepted", "recorded-emergency" or "recorded-rejected".

Activity Specific Rules

  • Change Requester is set to the person who triggered the change
  • Change Sponsor is set to the person who triggered the change if no other sponsor is known
  • Change Agent is set "Change Management Team" if there is not a person as change agent available
  • Change Owner is set "Change Management Team" if there is not a person as change owner available
  • Change Description The RFC must contain a meaningful description of the desired change as well as a comprehensible rationale stating the reasons for the change.
  • Change Priority is set to "3 (Middle)" if no other priority is known. When requesting an emergency change the priority has to be "1 (Emergency)"
  • Process Instance which triggered the change This should refer to the respective process instance e.g. Unique Identifier of the Incident (see also possible triggers of the change management process )
  • Affected Service At least one service must to be defined
  • Change Builder At least one person out of the Service Expert or Service Specialist group has to be set as Change Builder. This can be a group of experts/specialists if more then one service is affected.

Change Emergency Handling

Change_management_images_emergency

The Priority "emergency" has to be confirmed by the Emergency Change Advisory Board (ECAB). The testing can be skipped by the ECAB if necessary. The ECAB must allocate all resources and has the right to postpone other changes.

Activity Specific Rules

  • Change Agent is set to Emergency Change Advisory Board (ECAB)
  • Change Owner is set to ECAB
  • Change Change Authority is set to ECAB
  • if the priority "emergency" is Confirmed by the ECAB
    • the requester and customer are informed
    • the Change Builder, Change Tester and Change Implementer is defined by the ECAB
    • the Change Agent is set to Change Builder
    • after planning the change the Change Agent is set to Change Tester
    • after successful testing, the Change Agent is set to Change Implementer
  • if the priority "emergency" is NOT confirmed
    • the Change Agent, Change Authority and Change Owner are set to their previous values
    • the Change Priority is set to a value other than "emergency"

Change Classification

Change_management_images_classification
The classification of a change aims at providing a control factor for the change, which will be used for factual decision making with respect to change scheduling. In order to classify a change, its priority and category are determined. While the change priority often depends on the urgency and impact of related incidents and problems, reflecting the degree of importance to implement this change, the category also will depend on the risk of the change with respect to IT service operations, potential disruptions, or to degradations in quality. A recorded and accepted change needs to be categorized and then processed according to its resulting category.

A standard change ("Category 0") is preauthorized. The record has to be completed according to the standard change description.

For a minor change ("Category 1"), the next activity to be undertaken is a Risk Analysis and a Feasibility study. If assistence is needed, then the appropriated delivery processes can be triggered. e.g Security Implementation Assistance

Following the outcome of the Risk Analysis or Feasability study, the category of a change may need updating. However these studies may also confirm the current existing value for the change category. If the category is not changed, the next process step will be Change Authorization; if the catergory is changed, the Change Classification process needs to be repeated.

For major changes ("Category 2 or 3") it will be checked if there is an existing Service Design Package (SDP). The Service Portfolio Management needs to be involved as next activity if there is no existing SDP covering that change. The Service Design updates or creates the SDP according to cover the change. Next activity depends on whether category will be confirmed or updated.

Activity Specific Rules

  • if the category is "standard" the Change Owner and Change Agent is set to "Service Desk"
  • if the category is NOT "standard"
    • the Change Agent is set to the Change Builder.
    • the outcome of the "Risk Analysis" and the "Feasibility Study" has to be documented in the Change Record
    • the "Change Priority" is defined according to the outcome. The priority "emergency" is no longer possible
    • the "Change Category" is defined reflecting the risk as diagnosed in the Risk Analysis
    • at the end of the activity, the Change Agent is set to the Change Owner
  • if the category is "2 - Significant -" or "3 - Critical" - define the members of the Change Advisory Board (CAB)
  • define the Change Authority (CA)
    • for category 1 it is Service Owner
    • for category 2 it is Change Advisory Board (CAB)
    • for category 3 it is Senior Managment

Change Authorization

Change_management_images_authorization

In this activity, a change is approved, dismissed or cancelled. Change Authorization takes into account the priority and category of the change, as well as the projected costs, time and resource constraints. The decision concerning the Change Authorization must be reflected by the Change Record. The decision between approval or dismissal of the change is met by the Change Authority (CA) responsible for that respective change. The nature of the CA depends on the category (risk) of the change. That is why the CA can either be the Service Owner of the affected service, the CAB, or the Senior Management after a consultative meeting of the CAB. The Change Record is then shifted into the status "authorized-approved" or "authorized-dismissed" depending on the vote of the CA.

To authorize, the following factors have to be taken into account:

  • the change priority and category (Risk Analysis).
  • the projected costs, budgets, time and resource constraints (Feasibility Study)

Activity Specific Rules

  • if the category is "1 - Minor -" the Change Authority (CA) is set to Service Owner
  • if the category is "2 - Significant -" the Change Authority (CA) is set to CAB
  • if the category is "3 - Critical" the Change Authority (CA) is set to Senior Management (consulted by CAB)
  • after selecting the Change Authority (CA) the Change Agent is set to Change Authority (CA)
  • at the end of the activity the Change Agent is set to Change Owner

Change Building, Testing and Implementation

Change_management_images_building

Approved changes are coordinated during the building, testing and implementation tasks.

If new hardware models or software products are needed, which have not yet been released, the Release Management process is then activated. Release Management is responsible for releasing the Configuration Items by testing their functionality and accuracy, as well as their compatibility and operability with other Configuration Items. Release Management should also provide a Deployment Plan to the Change Management.

Every change has to be delivered with relevant and current documentation. In the change record, it is stated how and when the documentation needs to be tested.

Activity Specific Rules

  • a Change Builder is defined from Expert/Specialist Group
  • a Change & Fallback Tester is defined from Expert/Specialist Group
  • a Change Implementer is defined from Expert/Specialist Group
  • the Change Builder has to be different from the Change & Fallback Tester
  • the Change Implementer has to be different from the Change & Fallback Tester
  • at the beginning, the change agent is set to the Change Builder
  • after the task "building", the Change Agent is set to the Change & Fallback Tester
  • if the task "testing" is successful, the Change Agent is set to the Change Implementer
  • an implementation plan is recorded and made available to Release Management.
  • the implementation plan is tested, and the test results are stored in the Change Record.
  • a fallback plan is recorded and made available.
  • the fallback plan is tested, and the test results are stored in the Change Record.
  • functionality test procedures are described.
  • documentation is developed and the test procedure for documentation verification is defined

Change Documentation

Change_management_images_documentation

In this activity, the change is documented in the CMDB using information supplied from the change record. The CMDB is then updated via the Configuration Management process. In particular, Configuration Management must record:

  • any change of a Configuration Item (CI) attributes
  • any change in the relationships between Configuration Items
  • in some cases guidelines and policies need to be adjusted

After a successful verification, the change record is shifted into the status "documented".

Activity Specific Rules

  • The change agent (which is the Change Implementer at the moment) triggers the Configuration Management Process to update CI attributes and/or relationships in the CMDB.
  • The change agent (which is the Change Implementer at the moment) triggers the responsible Process Manager to update guidelines and policies of a process if relevant.
  • It is not forbidden that Change Implementer and Configuration Librarian is the same person
  • The Change Owner has to verify the documentation, therefore the Change Agent is set to the Change Owner
  • If the verification is NOT OK, the Change Agent is set back to the Change Implementer to improve the documentation
  • Process Interface: Information about Services and Configuration Items affected by the change are updated in the CMDB via the help of Configuration Management

Change Evaluation and Closure (PIR)

Change_management_images_evaluation

In this activity, the success of an implemented change is evaluated. Therefore, a Post Implementation Review (PIR) is performed according to the testing procedures defined during the change building phase of Change Coordination. A PIR is performed, and its results are recorded. If the PIR does not attest to a successful change, a rollback must be triggered. The change record is shifted into the status "closed-verified" or "closed-failed" depending on the success of the change reflected by the post implementation review and the necessity of a rollback.

The following evaluation questionnaire should be considered for the PIR:

  • Did the change meet the desired targets?
  • Was the change implemented in time?
  • Did any incidents occur while the change passed through the process?
  • Was the change performed without exceeding the assigned budget of money?
  • Has the change been documented and the CMDB updated respectively?
  • Did everyone involved in the change follow the process?
  • Was any information missing, which was needed to make a decision at any stage of the process?
  • Have the stakeholders been informed about change progress in accordance to the RASCI chart?
  • Were changes (if applicable) to policies and rules monitored in the service documentation (Test of documentation)?

Activity Specific Rules

  • at the beginning the Change Agent is set to Change & Fallback Tester
  • if the task "testing" is successful, the Change Agent is set to Change Owner
  • the test result has to be recorded
  • if the task "testing" is NOT successful, the Change Agent is set to Change Implementer

Change Fallback and Documentation

Change_management_images_fallback

In case of a failed change, reflected by a negative result of the Post Implementation Review (PIR), the change is then revoked by putting the fallback plan into action. This rollback is performed according to the fallback plan that is part of the change record. The Change Record is then shifted into the status "Fallback Executed".

Activity Specific Rules

  • a Change & Fallback Tester is defined from Expert/Specialist Group
  • the Change Implementer must be different from the Change & Fallback Tester
  • after the execution of the fallback plan, the Change Agent is set to Change & Fallback Tester
  • the test result must be recorded.
  • if the task "testing" is successful:
    • the Change Agent is set to Change Owner
    • the Configuration Management Process is triggered for documentation in the CMDB
    • the requester of the change is informed about the rollback.
  • if the task "testing" is NOT successful, the Change Agent is set to Change Implementer