Project Management Software
Specialists in Project Infrastructure
Effective change management is vital to providing high-quality IT services in modern computing environments. Prior to Windows Active Directory, Windows was more of a departmental operating system. An organization could effectively manage its Windows infrastructure on a department by department basis. Now with Active Directory, Windows has become an enterprise operating system and cannot be managed effectively using a departmental model. Enterprise-wide IT governance is now essential. Changes at the departmental level can have an enterprise-wide impact and must be managed in a systematic manner.
The overriding theme of effective change control is communication. One's IT governance structure, change and configuration management processes, and supporting tools referenced in the best practices serve to ensure the integrity of the network infrastructure baseline, and the systematic communication of changes to that baseline. Integration of change control with problem management processes fosters communication of network service disruption information to those responsible for the design and configuration of the network baseline.
Operational Change Control Defined
Operational change control consists of the change management process and configuration management processes within an organization. Gartner has determined that operational change management is a prerequisite to providing high IT service quality. It is not optional. IT not only supports functional business processes, but it is an enabler that functional organizations rely on, and expect to be available, and expect to provide high service quality. These expectations cannot be met without change management processes.
Change management includes
Improving change management processes is one of the best investments enterprises can make.
Integrated Change Control
The Project Management Institute defines integrated change control at the project level as processes concerned with
The original defined project scope and the integrated performance baseline must be maintained by continuously managing changes to the baseline, either by rejecting new changes or by approving changes and incorporating them into a revised configuration baseline.
Integrated change control requires:
All organizations require standardized methods and procedures to manage change and guide day-to-day operations. IT systems in production are more stable when formal governance policies guide efficient and effective change management.
Awareness of the Impact of Change
Another key goal of the change management process is to ensure that all parties affected by a given change are aware of and understand the impact of the impending change. Effective communications is a principle of effective IT operations.
Since networks, applications, and operating systems are heavily integrated, changes in any component can have a profound affect on other components. Change management attempts to identify all affected systems and processes before the change is deployed in order to mitigate or eliminate any adverse effects. Typically, the target or managed environment is the production environment, but it should also include key integration, testing, and staging environments.
The categories of assets that should be placed under change control are broad and include, but are not be limited to, hardware, communications equipment and software, system software, applications software, processes, procedures, roles, responsibilities, and documentation that are relevant to the running, support, and maintenance of systems in the managed environment. In other words, any asset that exists in the environment and is necessary for meeting the service level requirements of the organization should be placed under change control.
Elements of Operational Change Control
There are several elements that compose an effective change and configuration control system in best-in-class IT environments. The change control system is a set of documented procedures for monitoring and evaluating performance. It documents the activities for changing systems documentation and the processes and tools necessary to authorize changes. The change control system must include provisions for emergency and routine changes, which may not require prior review. However, even those changes must be documented in order to maintain the integrity of the baseline. The following are elements of a change control system:
Change Control Policy
The foundation of effective change control within an enterprise is the change control policy. This policy must be developed specifically for the operating enterprise and requires input from all groups that are stakeholders in IT operations. These stakeholders include functional business units, end users, developers and engineers, systems and network administrators, and IT management. Senior management's endorsement and enforcement of this policy is mandatory to successful implementation.
Attributes of an effective change control policy should include:
Change management must provide a mechanism for performing emergency changes when necessary. This mechanism should be used minimally.
Operational Change Management
Operational change management activities include coordinating and scheduling enterprise infrastructure change requests in order to reduce downtime and risk. The Change Manager controls this process and normally reports to IT operations.
Project Change Management
Changes should be managed throughout the development and implementation life cycle, from planning through implementation, in order to prevent errors and reduce downtime. Complex and risky changes, such as deployment of new software and infrastructure upgrades, require rigorous change management. The Project Manager should document rollback plans and uninstall procedures to mitigate risks.
Complex projects should have their own change control board that manages changes to project scope, schedule, and cost. Less complex projects should manage the same functions, but less formally. Escalation procedures should be established for project change control such that changes that effect the overall operational environment are submitted to operational change management for disposition. Figure 1 below depicts the relationship between project change management and operational change management.
Figure 1: IT Change Management Processes (Source: Gartner Research)
Configuration management is any documented procedure used to apply technical and administrative direction and surveillance to:
Key IT components are referred to as Configuration Items (CIs). Configuration management processes identify, record, and track CIs, including the description, version, components, relationships to other CIs, and status. The items should include hardware, system software, application software, and the policies, operations procedures, and other documentation that support the CI. The basic activities of configuration management are:
Configuration management has proven to be very difficult to implement because of the manual effort needed, the constant changes to the IT environment and the lack of tools.
Change Control Board
A Change Manager and project level configuration control systems escalate enterprise-wide and critical changes to an operational Change Control Board. The CCB is a cross-functional group set up to evaluate change requests for business need, priority, cost/benefit, and potential impacts to other systems or processes. This group is responsible for approving or rejecting proposed changes in an effort to maintain a stable, available, and reliable IT infrastructure capable of meeting stakeholder functional requirements and performance expectations.
Typically the CCB will make decisions for deployment, further analysis, deferment, or cancellation of changes. The CCB is authorized by the enterprise's change control policy and is established and governed by a charter. Not all organizations define their change management committee as a CCB. Other common occurrences are the Engineering Review Board (ERB), Technical Review Board (TRB), Technical Assessment Board, and a variety of others.
Changes should be presented to the CCB in a prioritised manner such that the change category, risk, and expected results can be easily evaluated. The CCB should be presented with a summary of the low-risk changes, such as maintenance activities, and should severely scrutinize high-risk changes. A mechanism must be in place to handle emergency changes, which should be agenda items for the CCB meeting following the change. Proposed changes not on this agenda should not be implemented.
Change Management Tools
The use of tools is mandatory for effective communication across a large user base. Standardized change management tools provide a common repository to track the registration, status and history of change activity. These tools enforce configuration control, facilitate status accounting, and are used to perform verification and audit functions. A paper-based or manual system would severely inhibit any large enterprise's operational change integration process.
The following are needed:
Change Management Repository
(Baseline) An important automated tool is the change management repository. This repository is a central storage and retrieval system for configuration management and change control data. Current configuration information on all configuration items (CI) in the enterprise, including application software, systems software, databases, servers, and desktops, should be stored in this repository.
The CI data repository is referred to as the configuration management database (CMDB). Hardware specifications, assembly instructions, and network configurations are also stored in the CMDB. The contents of this repository are referred to as the 'configuration baseline'. The tools and procedures for accessing this repository are referred to as the 'configuration management library system'. Whenever possible, this database should be self-maintaining, with automated updates to CIs.
The focus of release management is to facilitate the introduction of software and hardware releases into managed IT environments. Typically this includes the production environment and the managed pre-production environments. Release management is the coordination point between the release development/project team and the operations groups responsible for deploying the release in production.
The Enterprise Configuration Control Board has the responsibility to develop and maintain a release schedule which orchestrates system deployments and upgrades. Managing the IT environment according to a release schedule facilitates effective communication and sets stakeholder expectations. Release management activities include acquisition, testing, integration, packaging, and documentation of IT components, obtaining deployment approval, deployment, and post deployment review.
Examples of routine maintenance activities that require release management included desktop image management, network device operating system maintenance, and deployment of security patches to desktops and servers.
The relationship between change management, configuration management, and release management is depicted in Figure 2.
Figure 2: Relationship between Change, Configuration, and Release Management (Source: Microsoft Operations Framework)
Operational Change Control Relationships to Other Processes
Event Management Event management is concerned with the identification, recording, tracking, analysis, and resolution of events that affect the IT infrastructure of an enterprise. An event is defined as an occurrence that, if not resolved, will eventually cause disruptions to IT services and/or dissatisfied IT stakeholders.
There are two types of events:
Service requests come from IT infrastructure users, such as requests for additional storage or new services. Incidents are disruptions to IT services, either caused by defects in the infrastructure design or configuration, hardware failures, software failures, or security breaches. Incidents always involve one or more IT configuration items and are resolved by action items. Incident management is also known as problem management.
Change control, configuration management, and problem management should all rely on the same configuration management database. The processes for these management areas are integrated as well as they are designed to reach the same goals . In most organizations, the service desk owns the incidents and their contribution to the change management and incident management processes reduce downtime and facilitate effective communication with end users.
The following diagram depicts this interrelationship.
Figure 3: The Relationship between Service Desk Incident Management and Change Control (Source: Microsoft Operations Framework)
The quality assurance function provides management visibility into the processes being used to deliver IT services. This function is responsible for reviewing and auditing the working procedures, standards, and server delivery activities, including the operational change control activities, to ensure they comply with applicable standards and procedures.
The quality assurance function is independent of the of the IT operations group and may be outside the enterprise altogether. Senior management is responsible for acting on the results of the quality assurance activities.
Configuration management is often confused with asset management. Microsoft defines asset management as an accountancy process that includes depreciation and cost accounting. Asset management systems typically maintain information on assets above a certain value, their business unit, purchase date, supplier, and location. The relationship to other assets is not usually recorded and the information is primarily used to track the whereabouts of expensive equipment. Many organizations start with asset management and then move on to configuration management.
Benefits of Operational Change Management
There are many benefits to implementing configuration control. According to Gartner, organizations have experienced the following benefits from instituting operational change policies:
Control Objectives for Information and Technology (COBIT)
COBIT is a framework of best practices developed to help bridge the gap between business risks, control needs, and technical issues. These practices represent a consensus of experts in IT management, providing assistance in optimising information technology investments and providing a standard to measure against when things go wrong. COBIT provides maturity models for control over IT processes to provide a measurement scale for organizational compliance with best practices.
IT Services Capability Maturity Model (CMM)
The IT Services CMM applies the Software CMM generic structure, developed by the Software Engineering Institute, to IT Services. The model was designed to give IT service providers and customers of IT services a method to determine the maturity level of the service provider. Customers can use this maturity level as a gauge to distinguish the quality of competing service providers, and service providers can use it to measure and improve the quality of their services.
About the Author
Byron Love received a Bachelors of Arts in Computer Science from Thomas Edison State College in 1991 and a Masters in Business Administration from Averett University in 1998. He is a Project Management Institute (PMI®) certified Project Management Professional (PMP®), he is CompTIA IT Project+ certified, he is an Institute of Certified E-Commerce Consultants (ICECC) Certified E-Commerce Consultant (CEC), and he is a Microsoft Certified Database Administrator (MCDBA). Byron is a Major in the US Air Force Reserves assigned to Headquarters Air Force, Directorate of Communications Operations and has 20 years of military service. He was Reserve Officer of the Year for this directorate in 2003. Byron is a member of the Project Management Institute, the IEEE Computer Society, and the Black Data Processing Association.
He is currently a Client Principal at Internosis, Inc. (www.internosis.com) where he leads knowledge management and infrastructure transformation engagements. He is currently leading knowledge management projects for the US Marine Corps and for the US Joint Forces Command Joint Battle Center. Committed to community service, Byron serves as Chairman of the Unity Economic Development Corporation, a non-profit, 501(c)3 organization chartered to promote community-business relationships and financial empowerment. Byron resides in Odenton, MD, USA and can be reached at IT-PM@byronlove.com.