Posted by: Scot Petersen
change management, COBIT, ISO, ITIL
This is a guest post by Laurence Anker, engagement manager, technology risk management, at Jefferson Wells International Inc.
The only constant in information technology today is change. The changes are broad and rapid across the domains of hardware, system software, application software, databases and data, telecom and networks, to name just a few. How well you manage and control change can be the difference between success and failure. In fact, change management processes present significant and potentially costly risks to organizations. In a recessionary economy where decreases in IT spending and investment, combined with personnel reductions, are a fixture in the landscape, an efficient and effective mechanism surrounding your change management is more important than ever.
The fact that change management is a critical control does not mean that it needs to be complex. To the contrary, simple, well-designed controls are much more effective, and more likely to be performed consistently, than complex, overengineered ones. Regardless of whether your shop follows ISO, COBIT, ITIL or other guidance to control your change management process, it boils down to initiation, assessment, decision, execution, and tracking and reporting. Let’s look at an example.
The client did not have a consistent change management process in place for a major program that utilized 150 resources. With multiple paths to request changes, both formal and informal, the organization was unable to maintain a comprehensive list of all requested changes. In turn, this impacted how their resources were utilizing their time and prioritizing their assignments. To further exacerbate the problem, key individuals supported the production environment and were hijacked for production issues, significantly impeding progress and schedules.
The organization had a rapidly growing backlog of requests, assigned projects were running late, resources were frustrated by the conflicting directions they were receiving, and the business community was unsatisfied with the level of service that IT was delivering.
To staunch the bleeding, the organization undertook a significant shift by establishing a Change Control Board (CCB) to oversee the change request process. While everyone was still allowed to initiate a request, it had to flow through the CCB for approval. The CCB would evaluate the cost, benefit and time estimates, as well as assess the risk to the organization (both of moving forward on the project and of rejecting it), and the potential impact to other projects that were already in process. The decision to approve, reject or postpone the request was now an informed decision based upon sound business logic. Approved projects would be given a budget and assigned the resources to move forward following the organization’s Project Life Cycle through build, test and promotion. To log, track, monitor and report the status of requests, the organization implemented Rational’s ClearQuest.
I will leave you with three key points to think about when instituting a change management process. First, the procedures, tools and formality will need to be “right-sized” for the size and culture of the organization. Second, tools are facilitators, not the solution. Organizations that expect to acquire and implement a tool or a Change Management Database as the silver bullet quickly learn that without the process and procedures that surround the tool, they are no better off at controlling and managing the change within the organization. And third, people are still the keystone to success. Communication and collaboration amongst the constituents throughout the organization are critical to making sure the right people have the right information at the right time to be able to make the right decision.
Laurence Anker has more than 30 years of experience supporting organizations’ IT requirements, addressing audit, control and security objectives, risk identification and mitigation, and business requirements definition. Anker led the insurance industry practice for Ernst & Young’s New York Information Systems Assurance and Advisory Services Group, was a senior manager at KPMG, and served as the EDP audit manager of North American operations for Swiss Reinsurance.