Formally accept and make operational new solutions, including implementation planning, system and data conversion, acceptance testing, communication, release preparation, promotion to production of new or changed business processes and IT services, early production support, and a post-implementation review.
Process Purpose Statement Implement solutions safely and in line with the agreed-on expectations and outcomes.
Establish an Implementation Plan
Create an implementation plan that reflects the broad implementation strategy, the sequence of implementation steps, resource requirements, inter-dependencies, criteria for management acceptance of the production implementation, installation verification requirements, transition strategy for production support, and update of BCPs.
Confirm that all implementation plans are approved by technical and business stakeholders and reviewed by internal audit, as appropriate.
Obtain commitment from external solution providers to their involvement in each step of the implementation.
Identify and document the fallback and recovery process.
Formally review the technical and business risk associated with implementation and ensure that the key risk is considered and addressed in the planning process.
Plan Business Process, System and Data Conversion
Define a business process, IT: service data, and infrastructure migration plan. Consider, for example, hardware, networks, operating systems, software, transaction data, master files, backups and archives, interfaces with other systems (both internal and external), possible compliance requirements, business procedures, and system documentation in the development of the plan.
Consider all necessary adjustments to procedures, including revised roles and responsibilities and control procedures, in the business process conversion plan.
Incorporate in the data conversion plan methods for collecting, converting, and verifying data to be converted, and identifying and resolving any errors found during conversion. Include comparing the original and converted data for completeness and integrity.
Confirm that the data conversion plan does not require changes in data values unless absolutely necessary for business reasons. Document changes made to data values and secure approval from the business process data owner.
Rehearse and test the conversion before attempting a live conversion.
Consider the risk of conversion problems, business continuity planning, and fallback procedures in the business process, data, and infrastructure migration plan where there are risk management, business needs, or regulatory/compliance requirements.
Co-ordinate and verify the timing and completeness of the conversion cutover, so there is a smooth, continuous transition with no loss of transaction data. Where necessary, in the absence of any other alternative, freeze live operations.
Plan to back up all systems and data taken at the point prior to conversion. Maintain audit trails to enable the conversion to be retraced and ensure that there is a recovery plan covering rollback of migration and fallback to previous processing should the migration fail.
Plan retention of backup and archived data to conform to business needs and regulatory or compliance requirements.
Plan Acceptance Tests
Develop and document the test plan, which aligns with the program and project quality plan and relevant organizational standards. Communicate and consult with appropriate business process owners and IT stakeholders.
Ensure that the test plan reflects an assessment of risk from the project and that all functional and technical requirements are tested. Based on an evaluation of the risk of system failure and faults on implementation, the plan should include requirements for performance, stress, usability, pilot, and security testing.
Ensure that the test plan addresses the potential need for internal or external accreditation of outcomes of the test process (e.g., financial regulatory requirements).
Ensure that the test plan identifies the necessary resources to execute testing and evaluate the results. Examples of resources include the construction of test environments and the use of staff time for the test group, including potential temporary replacement of test staff in the production or development environments. Ensure that stakeholders are consulted on the resource implications of the test plan.
Ensure that the test plan identifies testing phases appropriate to the operational requirements and environment. Examples of such testing phases include unit test, system test, integration test, user acceptance test, performance test, stress test, data conversion test, security test, operational readiness test, and backup and recovery tests.
Confirm that the test plan considers test preparation (including site preparation), training requirements, installation or an update of a defined test environment, planning/performing/documenting/retaining test cases, error and problem handling, correction and escalation, and formal approval.
Ensure that the test plan establishes clear criteria for measuring the success of undertaking each testing phase. Consult the business process owners and IT stakeholders in defining the success criteria. Determine that the plan establishes remediation procedures when the success criteria are not met (e.g., in a case of significant failures in a testing phase, the plan provides guidance on whether to proceed to the next phase, stop testing or postpone implementation).
Confirm that all test plans are approved by stakeholders, including business process owners and IT, as appropriate. Examples of such stakeholders are application development managers, project managers, and business process end users.
Establish a Test Environment
Create a database of test data that are representative of the production environment. Sanitise data used in the test environment from the production environment according to business needs and organizational standards (e.g., consider whether compliance or regulatory requirements oblige the use of sanitized data).
Protect sensitive test data and results against disclosure, including access, retention, storage, and destruction. Consider the effect of the interaction of organizational systems with those of third parties.
Put in place a process to enable proper retention or disposal of test results, media, and other associated documentation to enable adequate review and subsequent analysis as required by the test plan. Consider the effect of regulatory or compliance requirements.
Ensure that the test environment is representative of the future business and operational landscape, including business process procedures and roles, likely workload stress, operating systems, necessary application software, database management systems, and network and computing infrastructure found in the production environment.
Ensure that the test environment is secure and incapable of interacting with production systems.
Perform Acceptance Tests
Review the categorized log of errors found in the testing process by the development team, verifying that all errors have been remediated or formally accepted.
Evaluate the final acceptance against the success criteria and interpret the final acceptance testing results. Present them in a form that is understandable to business process owners and IT, so an informed review and evaluation can take place.
Approve the acceptance with formal sign-off by the business process owners, third parties (as appropriate), and IT stakeholders prior to promotion to production.
Ensure that testing of changes is undertaken in accordance with the testing plan. Ensure that the testing is designed and conducted by a test group independent from the development team. Consider the extent to which business process owners and end-users are involved in the test group. Ensure that testing is conducted only within the test environment.
Ensure that the tests and anticipated outcomes are in accordance with the defined success criteria set out in the testing plan.
Consider using clearly defined test instructions (scripts) to implement the tests. Ensure that the independent test group assesses and approves each test script to confirm that it adequately addresses test success criteria set out in the test plan. Consider using scripts to verify the extent to which the system meets security requirements.
Consider the appropriate balance between automated scripted tests and interactive user testing.
Undertake tests of security in accordance with the test plan. Measure the extent of security weaknesses or loopholes. Consider the effect of security incidents since the construction of the test plan. Consider the effect on access and boundary controls.
Undertake tests of system and application performance in accordance with the test plan. Consider a range of performance metrics (e.g., end-user response times and database management system update performance).
When undertaking testing, ensure that the fallback and roll back elements of the test plan have been addressed.
Identify, log, and classify (e.g., minor, significant, mission-critical) errors during testing. Ensure that an audit trail of test results is available. Communicate the results of testing to stakeholders in accordance with the test plan to facilitate bug fixing and further quality enhancement.
Promote to Production and Manage Releases
Prepare for the transfer of business procedures and supporting services, applications, and infrastructure from testing to the production environment in accordance with organizational change management standards.
Determine the extent of pilot implementation or parallel processing of the old and new systems in line with the implementation plan.
Promptly update relevant business process and system documentation, configuration information, and contingency plan documents, as appropriate.
Ensure that all media libraries are updated promptly with the version of the solution component being transferred from testing to the production environment. Archive the existing version and its supporting documentation. Ensure that promotion to the production of systems, application software, and infrastructure is under configuration control.
Where distribution of solution components is conducted electronically, control automated distribution to ensure that users are notified, and distribution occurs only to authorized and correctly identified destinations. Include in the release process backout procedures to enable the distribution of changes to be reviewed in the event of a malfunction or error.
Where distribution takes physical form, keep a formal log of what items have been distributed, to whom, where they have been implemented, and when each has been updated.
Provide Early Production Support
Provide additional resources, as required, to end-users and support personnel until the release has stabilized.
Provide additional IT systems resources, as required, until the release is in a stable operational environment.
Perform a Post-Implementation Review
Establish procedures to ensure that post-implementation reviews identify, assess, and report on the extent to which:
Enterprise requirements have been met
Expected benefits have been realized
The system is considered usable
Internal and external stakeholder expectations are met
Unexpected impacts on the enterprise have occurred
Key risk is mitigated
The change management, installation, and accreditation processes were performed effectively and efficiently.
Consult business process owners and IT technical management in the choice of metrics for measurement of success and achievement of requirements and benefits.
Conduct the post-implementation review in accordance with the organizational change management process. Engage business process owners and third parties, as appropriate.
Consider requirements for post-implementation review arising from outside business and IT (e.g., internal audit, ERM, compliance).
Agree on and implement an action plan to address issues identified in the post-implementation review. Engage business process owners and IT technical management in the development of the action plan.