Change Management Policy

Overview

This article serves as a reference guide for what change management is for the Division of IT and how it should be applied by all IT departments.

Audience

Internal to IT

Information

Purpose

Change management is a formal process used to ensure that standardized methods and procedures are used for efficient and prompt handling of all changes to control IT infrastructure. The goal of change management is to increase awareness and understanding of proposed changes across the organization and ensure negative impact is minimized.

Change management generally includes the following steps:

  • Planning - Plan the change, including the design, scheduling, communications, testing, and roll-back plan.
  • Evaluation - Evaluate the change, including determining the priority level of the service and the risk of the proposed change; determine the change type and the change process to use.
  • Review - Review the change plan with peers and/or stakeholders.
  • Approval - Obtain approval of the change plan by the authorized approving body.
  • Communication - Communicate the change to the appropriate parties.
  • Implementation - Implement the change.
  • Post-change review - Review the change, complete any documentation, and look for future process improvements.

 

Scope

This policy applies to all changes to IT services at Saint Peter’s University except those intended for systems or services that are solely for development, testing, or are not yet in production.

 

Policy

The Chief Information Officer has authority over all changes and change management processes. Approval authority may be delegated to department heads within the Division of IT. This authority may be revoked or varied at any time at the discretion of the CIO (see “Appendix C - Change Management Roles”).

All changes to IT services within the Division of IT must follow a standard process to ensure appropriate planning and execution. Changes will be categorized as one of the approved types (see “Appendix A - Types of Changes and Definitions”). Appropriate process and levels of review shall be applied to each type of change commensurate with the risk to the University (see “Appendix B - Risk Assessment”).

It is the responsibility of the department head to ensure that all areas under their direction have documented processes that comply with this policy and that changes are made in a manner appropriate to their impact on the University.

 

Minimum Standards

  1. All changes must follow a process of planning, evaluation, review, approval, and documentation.
  2. All changes deemed Medium or High risk must be reviewed by the department head and then presented to the CAB for approval, while other changes may be approved by the department head themselves.
  3. All changes deemed Emergency or Expedited must be presented to the CAB for review by the approving department head at the next CAB meeting.
  4. All changes must be documented in the approved change management system, except for Standard changes, which are documented in service requests through request fulfillment.
  5. All Standard change types must be identified in the Standard Change Log.

Appendix A - Types of Changes and Definitions

Types of Changes

  1. Standard Change - A very low or no risk change with well-understood output that is regularly made during the course of business. A Standard Change follows pre-determined processes, is pre-approved, and may be made at the discretion of the individual employee, provided it has been defined in the Standard Change Log. There are two types of standard changes:
    1. Customer-initiated - A Standard Change that is requested by anyone outside the Division of IT. These requests are handled through the request fulfillment process as service requests in order to ensure customer satisfaction.
    2. Self-initiated - A Standard Change that is requested by a member of the Division of IT. These requests are handled internally in the Division, but a service request may be raised, if needed.
  2. Normal Change - A change that has some level of risk or has not been defined as a Standard per the Change Management assessment process. These are changes where the risk is less understood, the outcomes are less predictable, and/or the change is not regularly made during the course of business. There are two types of Normal Changes:
    1. Risk Based - There are three levels of risk as determined by the Risk Assessment process (see “Appendix B - Risk Assessment”).
    2. Special Purpose Changes - Certain types of changes that have specific needs requiring specialized processes.
  3. Emergency Change - Similar to Normal Changes, but where immediate action is required to mitigate or resolve an urgent risk with high impact. While Emergency Changes do not receive the same authorization before being implemented, they are reviewed in greater detail after completion.
  4. Expedited Change - Similar to Emergency Changes, but the immediate action is necessary to meet business needs expressed by the requestor rather than an urgent risk with high impact.

Appendix B - Risk Assessment

Performing a Risk Assessment is one of the most important aspects of the Change Review process. A combination of the priority of the service itself and the risk score will be used to determine the overall Change Risk.

Service Priorities

Priority 1 Service
Crosses organizational boundaries, serving the business functionality of many units. Is critical to the ability of the University to meet its business and regulatory obligations, support the delivery of education, or administer research. Has strategic value to the campus such that encouragement of widespread use is desirable.

Priority 2 Service
Is a feeder to Priority 1 services or does not cross organizational boundaries, but is still critical to the ability of the University to meet its business and regulatory obligations.

Priority 3 Service
Any departmental service that supports the internal operations of any department, or departmental function, and does not cross organizational boundaries.
 

Risk Score

Impact - Determined by potential disruption to customers and dependent systems.

|  | No | Yes |
| --- | --- | --- |
| Will this change be noticeable to customers? | Risk Score + 0 | Risk Score + 1 |
| Could this change impact other services? | Risk Score + 0 | Risk Score + 1 |
| Could this change result in an extended service interruption if it goes poorly? | Risk Score + 0 | Risk Score + 1 |

Assurance - The level of confidence that the change will go as planned and is determined by experience and complexity.

|  | Yes | No |
| --- | --- | --- |
| Have we done this change before? | Risk Score + 0 | Risk Score + 1 |
| Is the change simple to make? | Risk Score + 0 | Risk Score + 1 |
| Do we have a clear understanding of everything the change will do? | Risk Score + 0 | Risk Score + 1 |

Change Risk Matrix

How to use this matrix:

To determine the Change Risk, first select the appropriate Service Priority. Next, calculate your Risk Score. Finally, use the Change Risk Matrix to determine your Change Risk.

For example, on a Priority 2 Service with a Risk Score of 4, the Change Risk is Medium.

|  | Risk Score 0-2 | Risk Score 3-4 | Risk Score 5-6 |
| --- | --- | --- | --- |
| Priority 1 Service | Medium | High | High |
| Priority 2 Service | Low | Medium | High |
| Priority 3 Service | Low | Low | Medium |

Appendix C - Change Management Roles

Change Advisory Board (CAB)

The Change Advisory Board (CAB) supports change management in a multitude of ways. The CAB’s goal is to ensure that changes are managed in a rational and predictable manner by enforcing change management policies and procedures.

Members of the CAB are responsible for:

  • Assessment of normal changes
  • Review of Emergency and Expedited changes
  • Assessment of the enhancement change request backlog
  • Approval of changes to change management policies and processes
  • Periodic review of change success
  • Committing to ensuring a stable IT environment

 

Department Heads

Change Management responsibilities for department heads include:

  • Reviewing and approving changes when allowed by the Minimum Standards
  • Reviewing and preparing changes for the CAB when required by the Minimum Standards
  • Ensuring their staff understands their role in Change Management, including ensuring accurate and complete documentation of changes
  • Ensuring staff availability to complete approved changes in their department