Change Management Policy

Modified on Fri, 8 Nov at 1:53 PM

Scope of Change Management 

Change Management refers to a formal process for making changes to IT systems. The goal of change management is to increase awareness and understanding of proposed changes across an organisation and ensure that all changes are made in a thoughtful way that minimize negative impact to services and customers. 

Change management generally includes the following steps: 

  • Planning: Plan the change, including the implementation design, schedule, communication plan, test plan, and roll back plan. 
  • Evaluation: Evaluate the change, including determining the risk based in priority level of service and the nature of the proposed change, determining the change type and the change process to use. 
  • Review: Review change plan with peers and/or management as appropriate to the change type. 
  • Approval: Obtain approval of change by management or other appropriate change authority as determined by change type.
  • Communication: Communicate about changes with the appropriate parties.
  • Implementation: Implement the change. 
  • Documentation: Document the change and any review and approval information.
  • Post-change review: Review the change with an eye to future improvements.


Scope

This policy applies to all changes to architectures, tools and IT Services provided by Personal Audit Systems Ltd (PAS). Modifications made to non-production systems (such as testing environments with no impact on production IT Services) are outside the scope of this policy.


Policy 

All Changes to IT services must follow a structured process to ensure appropriate planning and execution. 

There are three types of changes:

  1. Standard Change
  2. Normal Change (of low, medium, or high risk)
  3. Emergency Change.


Minimum Standards 

  1. All Changes must follow a process of planning, evaluation, review, approval, and documentation. 
  2. The PAS management team have the authority to determine change type and risk level.
  3. All changes must be approved by the management team. 
  4. Emergency Changes may be authorized by a manager. NOTE: If services are down, the issue should be handled as an Incident according to the Incident Response Policy. 
  5. Documentation of Normal Medium, Normal High, and Emergency Changes must be made in a Process log that is stored in a common location so that coordination of changes across the organization can be managed appropriately. Low risk Normal and Standard Changes must be logged in a manner that can be audited for process improvement and root cause diagnosis as part of Problem Management.

   

Types of Changes 

There are three types of changes: 

  1. Standard Change – A repeatable change that has been pre-authorised by the management team by means of a documented procedure that controls risk and has predictable outcomes.  
  2. Normal Change– A change that is not an Emergency change or a Standard change. Normal changes follow the defined steps of the change management process. Low, Medium, or High priority is determined by the management team.
    1. Normal Low Changes can be authorised by a senior manager or the management team.  
    2. Normal Medium Changes must be reviewed and approved by the management team.  
    3. Normal High changes must be approved by the management team.
  3. Emergency Change – A change that must be introduced as soon as possible due to likely negative service impacts. There may be fewer people involved in the change management process review, and the change assessment may involve fewer steps due to the urgent nature of the issue; however, any Emergency Change must still be authorized by a senior manager.

 

Definitions 

Definitions adapted from Information Technology Infrastructure Library (ITIL).

Change - The addition, modification or removal of approved, supported or baselined hardware, network, software, application, environment, system, or associated documentation.  

Change Advisory Board - A group of people that support the assessment, prioritization, authorization, and scheduling of changes. 

Change Authority -The person or group authorizing a change. This role is designated for a non-classified position. 

Change Control - The procedure to ensure that all changes are controlled, including the submission, analysis, decision making, approval, implementation and post implementation of the change. 

Change History - Auditable information that records, for example, what was done, when it was done, by whom and why. 

Change Log - Auditable log of who, what, why, and when for all changes. This may be system specific as certain systems have the ability to automatically log changes in this manner. 

Change Management - Process of controlling changes to the infrastructure or any aspect of services, in a controlled manner, enabling approved changes with minimum disruption. 

Core Service - A service that users directly consume and the organization receives value from. 

Critical Operations Windows – Finals week starting on the Monday of that week for each quarter, first two days of classes for each quarter, graduation weekend starting on the Friday of that weekend, and fiscal year end close.  

Enabling Service – A service that must be in place for a core service to be delivered.  

Enhancing Service – A service that adds extra value to a service but is not absolutely required. 

Impact - Determined by potential disruption to users, departments, colleges and the organization as a whole. User means approximately 10 or less individuals.  

Peer - Another IT professional that can review a change and understand the technical elements involved.  

Process Log - A central repository of Changes that documents the process followed for a particular change. The purpose of the process log is to ensure that high impact changes have been carefully considered and to serve as a basis for process improvement when changes do not go as planned.  

Request for Change (RFC) – A formal proposal for a change to be made. It includes details for the proposed change. 

Service – A means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific costs and risks. Do we add value or assume risk? Then it is a service we provide. 

Urgency – How quickly a change must be implemented to maintain stated service level agreement (SLA). Low can wait until the next scheduled CAB meeting, Medium cannot, and High needs to be done ASAP. 


Risk and Change Type Matrix for Normal and Emergency Changes 

How to use this matrix: 

First, determine the impact of the change to the service. Then assess the Urgency of the proposed change (Low changes can wait until the next scheduled management meeting, Medium cannot, and High needs to be done ASAP). The matrix shows whether the type of change is then a Normal Low, Normal Medium, Normal High, or an Emergency change (Note: A Standard change does not need to use this matrix because risk is controlled by a pre-approved standardized process).

For example: A High Urgency change to a service that would impact the company would be considered an Emergency Change. A Medium Urgency change to a service that would impact customers would be a Normal Medium change. A Low Urgency change to a service that would impact some users would be a Normal Low change. 


Low UrgencyMedium UrgencyHigh Urgency

Impact - Everyone 

Change affects all customers and systems thought the business

Normal MediumNormal HighEmergency

Impact - Customers 

Change affects customers and operations.

Normal MediumNormal MediumNormal High

Impact – Some Users

Change affects some users from some customers.

Normal LowNormal LowNormal Medium


Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article