Automating Change Management to Ease Compliance Efforts

Failures in the area of Change Management have grave and far-reaching consequences. It has been widely recognized that poor Change Management practices can result in a failure to meet service commitments, but have you considered the impact if a poorly managed change affects your compliance efforts as well? This can put an organization in a precarious position involving audits and result in a negative public image.

Change Management is high in the list of IT priorities in 2008. Over the past decade, companies have been tackling Change Management for IT in a variety of ways. While most enterprises have taken steps to establish and refine Change Management procedures, more can be done. And the importance of doing so is not simply a management issue, but one of compliance with security, regulatory and audit provisions. No company can afford to take Change Management lightly.

Compliance refers to adhering to a variety of policies and measures for IT. It is often expressed in the context of security policies, yet it equally addresses policies that deal with adherence to regulatory requirements. IT governance, or running IT as a business, involves risk management, portfolio management, productivity and measuring financial results for IT investments. Change Management plays a role in both compliance and governance from an audit perspective and operationally to ensure that all changes meet established policies and the provisions for related regulations.

The adoption of process models such as ITIL plays a big role in Change Management evolution. Process models help IT to define "how it will manage itself as a business." Management technology offered by many solution providers now support the leading process models. Yet, many companies are not taking full advantage of opportunities to automate and integrate.

Controlling Change

Change Management, the service desk, workflow systems and the Configuration Management Database (CMDB) are all closely linked. Leveraging the value of each discipline and taking advantage of automated systems and pre-configured tools and templates is a great way to get started (or mature) in managing the Change process.

What kinds of issues arise with Change Management? As the table below illustrates, common themes are related to difficulty handling emergency changes to material systems, unauthorized changes and problems dealing with security and unauthorized access. Other concerns of particular interest to auditors tend to focus on answering the questions; did the work get completed as planned; why was the approved request not completed; and why was there no request for a particular change?

The key to meeting many of these challenges is tight control on the Change Management process. There may be loopholes in approval procedures or in the Change Management guidelines. Reporting and tracking can also be a limitation due to insufficient automation in change management solutions and a lack of capabilities for tracking change history.

Some specific areas to address in managing the change process are:

• Request Fulfillment - determining who will initiate the change and how the workflow for the change will be managed. Consider how the service desk can be effectively used for initiating and tracking changes, making certain to provide a means for the change through its workflow steps.
  
  
• Change Approval - change approval allows the organization to take the necessary precautions in approving any change, involving the right people, and evaluating implications to the best of your ability. At the same time, no company wants to create too many gates, and involve too many people so that it becomes inefficient.
  
  Many organizations have established a Change Advisory Board (CAB). The CAB is a cross-section of individuals that meet on a periodic basis, usually weekly, to plan and approve changes that will be needed over the coming week. This works well for important changes. However, lower thresholds should be established for more routine changes - this would allow, for example, department supervisors to approve smaller changes.
  
  
• Security and direct access - security-related issues are another big issue for Change Management. Unauthorized system and database access are a concern, as well as maintaining the confidentiality of information. It is true that employees and their respective roles change frequently, and controlling appropriate access to all types of systems is difficult and requires diligence on the part of administration.
  
  
• Unauthorized and emergency changes - Perhaps the stickiest part of Change Management is determining how you will deal with unauthorized and emergency changes. The problem is two-fold: it is difficult to document a change that has already taken place, and in many organizations staff members are resistant to the Change Management process itself. Decisions need to be made in advance as to the consequences of failure to follow procedures as well as those that cannot be foreseen.

Evolving Change

As organizations evolve and regulations continue to change, IT has no choice but to be more proactive in evaluating its existing methodologies, to address accountability for corporate executives and meet increasing legal demands. Defining a Change Management process needs to be done in the context of regulatory and business process constructs in your enterprise and there really is no right or wrong way to do it.

Corporations can look to published guidelines such as ITIL, but in the end, the specific steps involved will relate to a particular organization’s needs. Perhaps the most important recommendation to make is that a "closed-loop" process be created with review on a periodic basis.

Many steps can be taken to address Change Management in a step-by-step manner. Overall, enterprises should aim to reduce the number of unapproved changes and changes that collide with one another due to poor visibility. A focus on potential service impact is critical. Automated workflow engines can help to reduce the cycle time to review by delivering change request details to individuals promptly. These same systems can be used to improve efficiencies in validating less critical changes as well as documenting the audit trail for all changes.

Summary

While the job can be daunting, Change Management is a place where IT professionals and their management teams can gain real traction with the right toolsets. Using automation to jumpstart and streamline these processes, those responsible for Change Management are in a position to significantly support the business gain credibility for IT. The keys to be able to do so are effective use of toolsets and automation combined with investment in the area of best practices.