Professional Documents
Culture Documents
Publication Date:
ID Number:
9999 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction of this publication in any form without prior
written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable.
Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no
liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader
assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed
herein are subject to change without notice.
TABLE OF CONTENTS
Analysis...........................................................................................................................................4
1.0Governance Introduction...............................................................................................4
1.1Mission.............................................................................................................4
1.2Strategy and Objectives...................................................................................4
1.3Scope...............................................................................................................5
2.0Change Management Definitions, Roles, Classifications and Procedures....................5
2.1Change Definition.............................................................................................5
2.2Change Policy Document Management...........................................................5
2.3Change Management Guiding Principles.........................................................5
2.3.1Change Agility Principle....................................................................6
2.3.2Common Change Management Principle.........................................6
2.4Define Individual Roles and Responsibilities....................................................7
2.4.1Change Process Owner...................................................................7
2.4.2Change Process Manager................................................................7
2.4.3Change Owner/Requestor................................................................7
2.4.4Change Implementer........................................................................7
2.4.5Change Coordinator/Administrator...................................................8
2.4.6CAB Member....................................................................................8
2.5Define CAB and E-CAB Roles and Responsibilities.........................................8
2.5.1CAB Guiding Principles....................................................................8
2.6Define RFCs, Types, Categories and Classifications.......................................8
2.6.1Change Types..................................................................................9
2.6.2Priority..............................................................................................9
2.6.3Risk................................................................................................10
2.6.4Impact.............................................................................................10
2.6.5Additional Categorization and Classification...................................11
2.6.6Documenting RFCs........................................................................12
2.6.7RFC Documentation Principles......................................................13
2.7Process Workflows.........................................................................................13
3.0Integrative Process Partners.......................................................................................18
3.1Business Continuity Management and Disaster Recovery.............................19
3.2Configuration Management............................................................................20
3.3Incident and Problem Management................................................................20
3.4Project Management......................................................................................20
3.5Release Management....................................................................................20
3.6Examples of Key Policy Integration................................................................20
4.0Schedule/Calendar......................................................................................................20
4.1Scheduling Key Policy Attributes....................................................................21
4.2Change Measurement....................................................................................21
4.3Critical Success Factors.................................................................................21
4.4Quality and Efficiency Metrics........................................................................21
4.5Compliance and Control.................................................................................21
5.0Communications, Coordination and Education Methods.............................................22
5.1Key Meetings..................................................................................................22
5.2Cross-Departmental Collaboration and Coordination.....................................22
5.3Training Programs..........................................................................................22
LIST OF FIGURES
Figure 1. Revision History...............................................................................................................5
Publication Date: /ID Number:
9999 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
Page 2 of 22
Page 3 of 22
Analysis
1.0
Governance Introduction
1.1 Mission
The documentation of IT change management governance should provide succinct guidance for
everyone to follow when a change is introduced that could affect client service. The change
management process is intended to manage any change that might prevent a system from
behaving as the client expects or from delivering the services stated in the service-level
agreement. Typically, the IT change management process will apply to all situations or proposed
alterations to an IT service. Any deviations require a change record that can be tracked through
the process until a successful change is installed. Because any change may have complications,
each change should be addressed in the same manner.
Page 4 of 22
1.3 Scope
The IT change management process encompasses the companywide computing environment.
This includes any alteration to any IT asset or configuration item (CI) in the production
environment, such as:
IT change management includes the tasks necessary for planning, testing and implementing
alterations to minimize effects (integrating with configuration and release management
processes).
2.0
Status
Date
Author/
Reviser
Changes/
Justifications
1.00
1.01
Source: Gartner (February 2008)
Page 5 of 22
The use of these guiding principles can seem simplistic if not properly detailed. To help focus the
organization on what will be critical for change management policy, Gartner recommends that
guiding principles be articulated at several levels:
Implications: How does this principle affect behavior through the process?
2.3.1
Change management processes and procedures must be flexible and agile enough to
accommodate emergencies.
2.3.2
Rationale:
To expedite change for emergency situations, the change must follow documented
processes.
Implications:
Policies:
All changes implemented in the production environment will follow the change management
process.
Rationale:
To ensure complete adherence by all staff to change processes and activities, all
changes will be tracked, trended, monitored and analyzed for compliance, success
and efficiency.
Implications:
Change management must be a global policy that is adhered to by all groups and
resources.
Page 6 of 22
Policies:
2.4.1
For large organizations, this might be the management team sponsor with change process
development and organizational leadership responsibility. In small and midsize businesses, one
person can take the change owner and manager roles. The change process owner:
Develops and delivers senior leadership of change management strategies and IT-wide
communication plans
2.4.2
The change process manager is the policy guardian for the change management process, and is
responsible for standards issuance and revision of procedures or forms. He or she also:
Executes, manages and reviews change management process activities on a daily basis
Chairs the change advisory board (CAB) and the emergency change advisory board (ECAB)
2.4.3
Change Owner/Requestor
This person initiates a request for change (RFC) and may reside within the business unit or the IT
organization.
2.4.4
Change Implementer
Page 7 of 22
2.4.5
Change Coordinator/Administrator
This person is responsible for assisting in RFC documentation review for an IT group, department
or division. He or she is sometimes referred to as a change agent, coordinator or administrator.
2.4.6
CAB Member
This person attends scheduled meetings or sends a deputy, and is empowered to make decisions
on behalf of the area he or she represents. The CAB may ask participants to take on
responsibilities such as a change technical reviewer a CAB member who provides technical
guidance during CAB assessment and authorization stages of one or more RFCs. This role
usually requires broad technical knowledge from the overall IT service to the CI level.
2.5.1
The CAB is comprised of at least one representative and alternate from each IT
functional area and appropriate non-IT functional areas, including line-of-business
representatives. The enterprise system management group maintains member listings
on the change intranet site. The change specialist and CAB decide whether more or
fewer groups are represented.
The change manager will schedule regular meetings of the CAB to be attended by the
designated representative or alternate from each identified functional area.
If the owner or a designated substitute does not represent a change that requires
representation at a CAB meeting, then the change is postponed and the change
specialist informs the owner.
The CAB is not allowed to stop a change because of disagreement with the technical
methods proposed by subject-matter experts assigned to a specific change request.
The CAB or change coordinator can postpone a change if it is determined that the
change does not follow change policy or is logistically unworkable. The change
specialist informs the owner.
Page 8 of 22
Fundamentally, the change record becomes the source of truth regarding information from the
initial documentation RFC to the subsequent recording of data as it progresses through the RFC
life cycle. Therefore, it is essential to pre-define the various attributes of an RFC. The IT change
management policy document needs to ensure that appropriate definitions and procedures are
described to cover the range of potential RFCs.
The formal change request includes a description of the change, components affected, business
needs, cost estimates, risk assessment, resource requirements and the approval status.
2.6.1
Change Types
To ensure standardized methods and procedures, a common taxonomy is required to define the
various RFC attributes. Even with IT Infrastructure Library (ITIL) recommendations, names and
definitions vary. The identification of these attributes is critical because it determines the
appropriate procedures for dealing with a particular type of RFC, such as emergency RFCs,
which may have different authorization and documentation requirements. The following examples
leverage basic ITIL concepts:
Unplanned: A change request not compliant with policy for documentation, review
and lead time
To assess the impact of an RFC on an IT service, a matrix evaluation is executed via a set of
categories (impact, risk and priority). There is a relationship among impact, risk and priority
from philosophical and mechanical perspectives.
2.6.2
Priority
Based on an ITIL definition, this classification identifies the relative importance of an RFC. The
RFC priority status is based on RFC classification variables, with input from the change manager.
Typically, this assignment is used to sequence an RFC to address an incident or problem that
needs to be resolved, based on impact and urgency. This can also be used to meet business
demands, such as the implementation of an enhancement to an application. Typical priority level
descriptions include:
Page 9 of 22
Low: An RFC is necessary; however, it can wait until the accepted policy release
timelines. The problem has minimal impact or the application change enhancement has
limited business impact.
High: The RFC addresses a severe problem that affects production systems and
demands immediate attention. Customer or IT service has been partially disrupted.
Business risk is high to medium (for example, slowed business operations).
2.6.3
Risk
Risk defines the potential disruption of business operation associated with a given change
request. A risk is measured by the probability of a threat or the vulnerability of the IT service to
that threat. Typical risk definitions are:
2.6.4
Impact
Impact measures the pain caused by a defective IT service. In most cases, variables such as
geography, users and so on help identify the scale. Typical impact classification definitions are:
Publication Date: /ID Number:
9999 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
Page 10 of 22
2.6.5
Low:
Affects a few CIs (for example, one to 10 desktops and one server)
Medium:
Affects CIs
High:
Affects multiple and/or a variety of CIs (for example, desktops and servers, multiple
services and/or a mission-critical service, such as three mission-critical applications,
50 servers and 250 desktops)
Accurate information regarding the IT service and CIs enables the CAB to assess the affected
and potential collision of a proposed RFC. To improve consistency from a data integrity and
workflow perspective, this section offers guidance on common IT services, assets and/or CI
groups.
Infrastructure: This typically covers network devices and other WAN "plumbing,"
including:
Page 11 of 22
Mainframes
Based on the various attributes documented in the RFC record, these groups define the change's
impact on the infrastructure, users or business. The change complexity and resources required,
and analysis of risk, impact and priority, are measured to determine the category. These are
aligned with specific procedure models that detail the steps needed to handle review and
authorization:
Major: Major changes potentially affect the department or entire company. They may
affect multiple CIs. Multiple IT departments and multiple business sites need to be
notified.
Significant: These changes may affect a group or department and multiple CIs.
Notification is needed for a few IT departments and business departments.
Minor: These changes affect a few users and CIs (for example, one to 10 desktops or
one server). Notification is needed for one IT department.
Standard: A pre-approved change that is low risk and adheres to an approved, typically
well-tested procedure or work instruction, is relatively common and is the accepted
solution for a specific requirement.
2.6.6
Documenting RFCs
Documenting an RFC enables organizations to manage the process flow and control changes.
Also, documentation creates a record that will retain the complete history of a given change.
Different types of RFCs will require different degrees of data documentation. However, there
tends to be a baseline of required data based on type class, category and the service affected.
Typical baseline RFC record data fields include:
Class, category, priority, risk and impact as defined in the policy document.
CIs: The requesting group should provide a list of items to the remote group for input
into the inventory or configuration management database on a regular basis.
Page 12 of 22
Approver: Key groups and individuals required to provide approval prior to the
implementation.
Closure: The requestor closes request. If the person makes the request on behalf of a
business unit, then he or she must receive acknowledgement from that unit once the
issue is closed.
2.6.7
All changes have a business justification, documented resource and a defined feasible
technical solution.
Maximum use of templates must occur for standard and repetitive changes.
Use established change priorities as guidelines in the decision. The change manager is
the neutral arbiter for assignment review. If an agreement cannot be reached with the
change manager, then appeal to the next-most-senior level of management.
For specified change types, such as high risk/high impact, changes require documented
plans for testing, implementation, backout, notification and verification of success.
Operating or support procedures, such as rerun instructions, problem resolution scripts
and other information, may also be required, and support staff must be involved.
Emergency changes are usually the result of a problem and require a problem ticket.
Page 13 of 22
Assess
Assess
Change
Change
Authorize/Reject
Authorize/Reject
Change
Change
Schedule/Implement
Schedule/Implement
Change
Change
Review
Review
Change
Change
Close
Close
Change
Change
Page 14 of 22
RFC Document
Yes
Emergency?
Go to emergency
workflow
No
Identify
CIs
Assess Change
No
Yes Minor
Approve/
Reject Change
Significant
Major
CAB
Change Mgr.
Schedule/
Implement
Change
Change
Development
Update
Records
Configuration
Management
Change
Review
Capture
Release
Baselines
Build Change
Release
Management
Test Change
Change Mgr.
Yes
Review
Change
Success?
Working?
No
Backout Change
Audit CIs
No
To Start
Review
Updated
Records
Yes
Close Change
Statistics and Reporting
Source: Gartner (February 2008)
The macrostages can be decomposed to specific activity or task flows. Figure 4 represents an
example of an approval stage and the established tasks required to complete it. Note the task
level integration with configuration management that acknowledges the update to configuration
management based on the RFC approval.
Page 15 of 22
Assessment
Correct
Approvers?
No
Modify
Approver List
Yes
Evaluate RFC
and Impact
Assessment
Collect
Individual
Approvers
CAB Review
and Approval
if Needed
Approved?
No
Return to
Requestor
Yes
Update RFC
Status
Configuration
Management
Scheduling
For some change management policies, workflows can be very detailed and cover processes,
tools and individual roles. These tend to be presented in a "swimlane" structure (see Figure 5).
Page 16 of 22
Research
ID Number:
Publication Date:
Change
Requestor
Status: Document
Status: Classify
Status: Assess
Create Minor
Request for
Change
Determine RFC
Implementation
Date/Time
Change
Authorization
Approver
RFC "Not
Approved"
Status: Document
Meet With
Requestor/
Owner to Resolve
Issues
Status: Approve
Mgr. Receives and
Reviews RFC
for Approval
Close
RFC
Yes
Can Issue Be
Resolved?
No
No
Approve
RFC?
Yes
Status: Schedule
Change
Coordinator
Change
Implementer
Tools/Data
Place RFC as
Submitted in
Calendar
Status: Implement
Assign Submitted
RFC to Change
Coordinator
RFC to
Implem.
Notify Requestor of
Submission Approval
9999 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein
has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no
liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials
to achieve its intended results. The opinions expressed herein are subject to change without notice.
Research
Publication Date:
3.0
ID Number:
This section identifies integration exchanges between IT change management and other core IT
processes. Although these integration points are critical for long-term IT change management
maturity and effectiveness, many supporting process partners can be at varying degrees of
maturity within the IT organization. This small list focuses on a few key processes where high
levels of integration will be required and may require IT change management re-engineering
efforts as the process integration evolves.
Figure 6 is not exhaustive and is a typical representation of ITIL-specific process integrations.
This can include facilities, manufacturing plant processes, internal audits, third-party vendors and
so on. The figure describes the typical key processes and integration points specific to inputs or
outputs to IT change management.
9999 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction of this publication in any form without prior
written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable.
Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no
liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader
assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed
herein are subject to change without notice.
IT Service Delivery
Incident
Management
Service-Level
Management
IT Change
Management
Problem
Management
Capacity
Management
TBD fiscal 200X.
Configuration
Management
Financial
Management
Availability
Management
TBD fiscal 200X.
Release
Management
Service Continuity
Management
Place documented disaster
recovery workflows under
change control. Use ITCM for
disaster recovery test
communication.
Disaster recovery
Business recovery
Business resumption
Contingency planning
Crisis management
Disaster recovery management restores access to production applications and data following a
partial or complete interruption of data center operations. It is fundamental to successful BCM,
Publication Date: /ID Number:
9999 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
Page 19 of 22
whose focus is the overall resumption of business operations following the occurrence of one or
more disruptive events.
The design of these procedures and plans should be under strict change control to ensure that
they are consistent and accurate, and that all stakeholders are aware of changes. In the case of
disaster recovery activity, testing activity can leverage IT change management for communication
and may be required to submit a change request.
4.0
Release events must be reviewed, scheduled, tracked and measured. Any changes
identified as emergency, off-calendar or that have missed required lead times are
approved and negotiated by the IT change manager and executive CAB.
Schedule/Calendar
IT change management should coordinate the production and distribution of a change schedule
and a projected service impact or availability. A change schedule, formerly referred to as a
Publication Date: /ID Number:
9999 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
Page 20 of 22
forward schedule of change in ITIL v.2, contains information about future changes, as well as
those that have already been implemented.
Changes must adhere to the approval lead times published in this process guide.
Cost of change
Changes must be submitted in a change control tool by day and time, in compliance
with policy lead times, to be considered for review in the weekly CAB meeting.
Page 21 of 22
5.0
After implementing a change, the change implementer should set the status to "post
review," add any appropriate notes about the implementation to the change request
and execute appropriate communication regarding the status of the change.
RFC closure requires verification that an approved RFC was executed according to
documentation. This can be done via various change management roles in concert
with auditing or configuration management tools.
Coordination with support groups that perform changes must be done with adequate
lead time for the support group to schedule resources. When resources are not available
to implement all requested changes in the desired time frames, the support group
manager and change owner decide on resource allocation.
Prior to review by the change review team, project teams, support groups, business
partners and the change specialist plan and coordinate changes.
Key IT change management meeting led by the IT division attending ITIL certification
Page 22 of 22