Purpose:

Manage all changes in a controlled manner, including standard changes and emergency maintenance relating to business processes, applications and infrastructure. This includes change standards and procedures, impact assessment, prioritization and authorization, emergency changes, tracking, reporting, closure and documentation.

Objective:

Enable fast and reliable delivery of change to the business and mitigation of the risk of negatively impacting the stability or integrity of the changed environment.

Description:

<?>

Inputs:

  • Integrated and configured solution components
  • Approved service requests
  • Approved requests for change
  • Proposed solutions to known errors
  • Identified sustainable solutions
  • Approved changes to the plans
  • Root cause analyses and recommendations
  • Record of all approved and applied change requests
  • <?>

Outputs:

  • Impact assessments (Internal)
  • Approved requests for change
  • Change plan and schedule
  • Post-implementation review of emergency changes
  • Change request status reports
  • Change documentation
  • <?>

Controls:

<?>

Task Instructions:

Evaluate, Prioritize and Authorize Change Requests

    1. Use formal change requests to enable business process owners and IT to request changes to business processes, infrastructure, systems, or applications. Make sure that all such changes arise only through the change request management process.

    2. Categorize all requested changes (e.g., business process, infrastructure, operating systems, networks, application systems, purchased/packaged application software) and relate affected configuration items.

    3. Prioritize all requested changes based on the business and technical requirements, resources required, and the legal, regulatory, and contractual reasons for the requested change.

    4. Plan and evaluate all requests in a structured fashion. Include an impact analysis on business process, infrastructure, systems and applications, business continuity plans (BCPs), and service providers to ensure that all affected components have been identified. Assess the likelihood of adversely affecting the operational environment and the risk of implementing the change. Consider security, legal, contractual, and compliance implications of the requested change. Consider also inter-dependencies amongst changes. Involve business process owners in the assessment process, as appropriate.

    5. Formally approve each change by business process owners, service managers, and IT technical stakeholders, as appropriate. Changes that are low-risk and relatively frequent should be pre-approved as standard changes.

    6. Plan and schedule all approved changes.

    7. Consider the impact of contracted service providers (e.g., of outsourced business processing, infrastructure, application development, and shared services) on the change management process, including the integration of organizational change management processes with change management processes of service providers and the impact on contractual terms and SLAs.

Manage Emergency Changes

    1. Ensure that a documented procedure exists to declare, assess, give preliminary approval to, authorize after the change, and record an emergency change.
    2. Verify that all emergency access arrangements for changes are appropriately authorized, documented, and revoked after the change has been applied.
    3. Monitor all emergency changes, and conduct post-implementation reviews involving all concerned parties. The review should consider and initiate corrective actions based on root causes such as problems with business process, application system development and maintenance, development and test environments, documentation and manuals, and data integrity.
    4. Define what constitutes an emergency change.

Track and Report Change Status

    1. Categorize change requests in the tracking process (e.g., rejected, approved but not yet initiated, approved and in process, and closed).
    2. Implement change status reports with performance metrics to enable management review and monitoring of both the detailed status of changes and the overall state (e.g., aged analysis of change requests). Ensure that status reports form an audit trail so changes can subsequently be tracked from inception to eventual disposition.
    3. Monitor open changes to ensure that all approved changes are closed in a timely fashion, depending on priority.
    4. Maintain a tracking and reporting system for all change requests.

Close and Document the Changes

    1. Include changes to documentation (e.g., business and IT operational procedures, business continuity, and disaster recovery documentation, configuration information, application documentation, help screens, and training materials) within the change management procedure as an integral part of the change.

    2. Define an appropriate retention period for change documentation and pre- and post-change system and user documentation.

    3. Subject documentation to the same level of review as the actual change.