Information Technology Change Management Policy (CMP), also known as Change Control, is a critical process for all businesses that use IT, yet it is often overlooked and sometimes completely forgotten. Big or small, regulated or not, on premise or in the cloud, all businesses should implement and, most importantly, follow a CMP. Surprisingly, we find that many companies feel CMP only applies to large or publicly traded organizations or industries such as Life Sciences, Healthcare, Financial, etc. Of course, this line of thinking makes sense because these types of organizations are heavily regulated and constantly audited, and a Change Management Policy is mandatory due to the nature of their business. However, once CMP is explained, it becomes easy to see the benefits for even the smallest of companies.
The goal of developing a change management policy is to mitigate the risk that any change to a business’ Information Technology environment will have an adverse effect. Some of the more common risks to focus on are internal communications to the business units (i.e. no surprises), application and infrastructure functionality, system availability and security. It also provides an audit trail of all changes which can be very useful for troubleshooting purposes and internal or external auditing.
At a very high level here are the basic steps in developing and following a CMP:
1. Developing a Request for Change (RFC) – Typically a change request is initiated due to an issue within the information system environment. This could be anything from an application error to degraded system performance. The business units can also drive change, whether that means modifying the functionality of an application, initiating a new business program, or just staying current with new regulations.
2. Change Review Deny / Acceptance – This is the first approve / deny step, in which the request for change is reviewed by the different business units and the IT team. They identify risks associated with the change, such as feasibility, cost, timing, and impact.
3. Development and Testing – Typically driven by the IT department and tested by the user community. During this phase, adjustments may be made to reduce risk or optimize the effects of the change. If significant modifications are required due to test results, they should be reported to the team (step 2) and re-approved.
4. Final Approval – Larger companies create a Change Advisory Board (CAB) for final review of a requested change. This group is typically made up of different department managers within the company. It provides the final review of the change to ensure all risks have been identified and reasonably mitigated. This typically is not feasible for smaller companies, and the CAB might be the same group mentioned in step 2.
   If the change is denied during this step, the reasons will be listed, and the source of the original request may be able to address the issues listed for denial, resubmit, and start the entire process over again.
5. Implement the change into production – Once approved, the change will be scheduled, implemented, and documented according to plan.
6. Document and report the results – The implementation process will be documented and the results reported back to the CAB or, for smaller companies, back to the group defined in step 2. All documentation and results should be stored for easy reference and future audits.
I know this sounds complicated, and it can be, depending on the complexity of the change. However, most changes are not that dramatic, and the CMP makes the process easy to follow. Regardless of complexity, the benefits are worth the effort. Here are just a few benefits of implementing and following a CMP:
- Mitigating Risk to Business Productivity
- Ensuring Internal Company Communication
- Improved End User / Customer Satisfaction
- Fundamental IT Controls Compliance
- Reduced Outages
If you have not implemented a change management policy yet, give it a try. It’s easier than you think.