If your IT organization funnels every Request for Change (RfC) to a Change Advisory Board (CAB) for implementation approval, then you’re doing change management wrong.
If this is happening in your IT organization, do you even know why you’re doing that? What is the real value of sending every RfC to the CAB? I would agree that some RfCs do require review and advice from a CAB – but every RfC? Or even most RfCs? I think not.
In my experience, there are four reasons why organizations send all or the majority of RfCs to a CAB:
A well-designed change management process should facilitate, but not overly control, the implementation of changes. An effective change management processes removes as much friction as possible by providing clarity regarding how changes will be managed. At the same time, a good change management process strikes the right balance between protecting the managed environment from a malformed change and making changes to that environment.
If change management is well-defined and well-executed, only a select few RfCs (with the emphasis on ‘few’) should be brought before a CAB. Ever.
Why are many organizations frustrated with their change management process? Because how a CAB is positioned doesn’t work. The CAB has been positioned as an obstacle or gatekeeper and not as an enabler. That’s why, in many organizations, the CAB is set up for failure.
What are some of the symptoms of a CAB that has been set up for failure?
Want to know the reason why your CAB doesn’t work? Poor process design and a lack of management support.
Want to fix that?
Does your current change management process define the authorization model? What? You’ve not heard of the authorization model? Go have a look – it’s discussed in the ITIL® Service Transition book on page 78. (I will wait.)
The authorization model defines who authorizes or approves what type of changes. The level at which change is authorized “rests where accountability for accepting risk and remediation exists.”
Change management should not be a ‘throw it over the wall to IT and wait for something to happen (and complain when it doesn’t)’ scenario. Implementing a change is a business decision – and identifying and enabling the right people to make good decisions is critical. The change authorization model is a way to ensure that the right people can make good decisions.
Defining the change authority requires a formal definition of RfC evaluation criteria. Criteria such as cost, resource requirements, risk, scope, cost of delay, and other factors should be identified and defined as part of the criteria. Again, this is not a decision for IT alone – this is a business decision, so business colleagues must be involved in defining evaluation criteria.
Once the change authorization model is defined, everyone in the organization can understand not only how an RfC will be evaluated, but also who will be providing authorization. When an RfC meets the defined evaluation criteria for a specified level, then those individuals identified as being accountable for that level attend the CAB meeting that reviews that RfC. Defining the change authority also resolves a long-standing question for many change managers – ‘what business colleagues should be involved?’ The change authority helps answer that question.
So, how do you stop sending every flipping RfC to the CAB?
Simple. Stop sending every RfC to the CAB. Start sending only the right RfCs to the CAB.
I’ve long thought that the overarching goals for change management are to move the authority for change implementation as close as possible to those doing the work, while at the same time, maintain an appropriate degree of governance of changes.
By limiting the scope of an RfC to the minimally viable unit of work improves the manageability of the RfC – it becomes easier to design, build, test, and implement a change – because there is less to do. Because there is less to do, limiting the scope of the RfC also reduces the amount of risk associated with change.
If the scope is smaller and risk is minimal (and you’ve defined the change authorization model appropriately), the RfC will meet the defined evaluation criteria for a lower level of the change authority – ideally, those that are doing the work.
Designing and implementing the two improvements I just explained to your change management process not only improves the responsiveness of the process, but it also helps position a CAB for success.
Here are a few other things to do to further improve your change management process and get the best value of a CAB:
Enable your change management process to actually facilitate implementing, not preventing, changes. Defining the change authority is an often-overlooked, but critical factor for the success of an effective change management process.
 ITIL Service Transition, p 78.