Effective management of change provides a structured, consistent, and measurable change environment to be utilized across an organization and is a critical component in the success of its daily business. Its goal is to increase awareness and understanding of proposed changes across the organization and ensure that all changes are made in a thoughtful way that minimize negative impacts to services and customers. An organization should have a document that defines the implementation of Change Management procedures. The computing systems, networks, peripherals, and associated facilities are subject to continuous changes driven by new technology, evolving business requirements, changing contractual requirements, and growing regulatory policies. Effective change management applies to both systems and supporting infrastructure, and is a necessary component for the continuous success and growth of the organization.
Change Management - Roles and Responsibilities
In the previous blog we discussed the change definition and change categories which are part of the key elements of the change management process. They set the boundary and parameters of changes, and avoid vagueness and confusion. Today, we are discussing the roles and responsibilities in the change management process. Roles and responsibilities need to be clearly defined within the change management process to establish accountability. The roles and responsibilities discussed in this blog should serve as a guideline only because they may vary depending on the organization and their particular job functions.
Change Control Review Board (CCRB)
Some organizations call it Change Review Board (CRB) or Change Advisory Board (CAB). Regardless of the name, an CCRB reviews impact, assesses risk, proposes, considers, recommends and accepts or rejects change implementation actions for category for all changes. The CCRB membership consists of selected members of the IT management Team, the Change Manager, and the representatives from each IT Department, customer representatives and third party providers. The CCRB is crucial in the change management process because it engages the business and ensures the approval of changes are obtained from the business and IT management. CCRB is also an important key of communication between IT and business units, and between business units, so that IT and business units are on the same page of upcoming changes and the change risks are properly elevated by both IT and the business.
Change Manager/Change Coordinator
The change manager is a key central role in the change management process. The change manager is responsible for accepting, processing, and changing status of Change Requests (CR). The change manager also develops, coordinates, and performs the final quality check of the final implementation schedule for each CR. The change manager serves as the final authority for accepting or rejecting all change requests on behalf of the CCRB. The change manager may have delegated authority with regards to Alert and Emergency changes and to act as CCRB chairperson. The change manager can be a full time position in large organizations because of the change volume and more complicated change process. In smaller environments, it can be an additional responsibility for an IT manager, or it can be a rotated responsibility for IT staff. We suggest the rotated responsibilty (where the environment and policy allow) so that the IT staff can learn and better understand the change management process by taking on the responsibility.
The change requestor is the individual responsible for preparation and submittal of Change Requests (CR). The change requestor ensures that the change request form (CRF) is properly completed and submitted in the required time window for the change to get approved. The change requestor also needs to identify tester and implementor for the change and obtains approvals from identified approvers. Basically, there are two kinds of change requestors, the requestor from IT and the requestor from the business. The requests from IT normally associate technical changes, such as implement new patches and fixes or adding new network routers. The requests from business normally associate with additional business requirements within a system, application configuration changes, reports, or problems discovered by the end users. There should be a control implemented to restrict the access to change requests, which allows only identified and approved business users (normally super users) and IT staff to prepare and submit an CR. This control is for quality control of change requests and avoiding unnecessary changes being submitted.
The change developer is the individual responsible for developing the changes in the develop and testing environments and working with the identified end user or IT staff to test the changes. The change developer can be the same person as the change requestor, however the change developer should not be a change implementer who implements the change in the production for segregation of duties (SOD) purpose. However, if the change developer is the same person as the change implementer because of resource constraints, compensating controls must be implemented to ensure the integrity of the change. For example, an IT manager reviews the change or system logs after the change was implemented and approves it following its implementation.
The change implementer is the responsible individual for implementing approved changes. In some organizations, the change implementer is responsible for closing the CR with the Change Manager. In others, the change requestor is responsible for closing the CR. The change implementer is responsible for communicating with the change requester and change developer with the change status, and coordinating with the change developer should any issues arise during the implementation of the change. He/she is also responsible to roll back the change if the change fails.
The discussed roles and responsibilities are a basic guideline. Organizations have different change management processes which may result in different roles and responsibilities. Whatever the case, roles and responsibilities need to be clearly defined within the change management process to establish accountability, with an appropriate level of segregation of duties. In the next change management discussion, we will look into Change Request (CR) of change management process. Stay tuned!
To get a FREE copy of our suggested quick start "Change Management - Roles and Responsibilities.pdf" guide, simply click the button below.