A Beginner's Guide to the Change Control Process

Making information technology (IT) system changes on the fly? You need a formal change control process. The Ascent covers five steps to implement controlled changes at your small business.

Our perception of the world is built upon shared beliefs -- good is rewarded, evil is punished, and the Dallas Cowboys are undoubtedly the best NFL team of all time -- that give us the illusion of control. In reality, the universe is a seething mass of chaos that lacks any semblance of cause and effect.

Okay, so maybe things aren't quite that grim.

Still, change -- especially unexpected change -- is a constant in the business world. You can't afford to be its victim, so you need defined procedures to manage it. We'll go over change control process basics, the bottom-line benefits, and how to implement them at your small business.

Overview: What is a change control process?

Change control processes minimize operational disruptions when changes are introduced into a system, everything from departmental workflow procedures to information technology (IT) environments.

IT change processes prevent unauthorized changes and include the evaluation of change requests by a change advisory board (CAB).

IT systems have four basic change types:

• Standard: A straightforward, low-risk change that doesn't require CAB approval and uses previously authorized implementation documentation.
• Normal: A change with system-wide impact and moderate risk that needs CAB approval.
• Major: A high-risk change that requires an impact study plus CAB and management approval.
• Emergency: A time-sensitive, high-risk change, typically triggered by a critical event and uses an emergency CAB to increase approval speed.

While each change type has its own set of steps based on projected change impact and implementation speed, the normal change process has seven steps. It begins with a change request, evaluation of the request, and, if approved, subsequent implementation.

The change control process helps minimize IT system disruptions. Image source: Author

Change control processes are ultimately about mitigating risk. Change is unavoidable, but instead of being its hapless pawn, IT management software and change management models help you achieve an optimal balance between risk and reward.

Change control vs. change management: What's the difference?

Change control and change management are sometimes used interchangeably, but they are different because change control falls under the umbrella of change management. Change control consists of the specific steps to introduce a particular change such as a software upgrade, patch, or hotfix.

Change management takes a wider view as one of several high-level IT Infrastructure Library (ITIL) processes that enhance overall IT service management (ITSM).

ITIL began in the 1980s as a set of best practices for IT departments and is not specific to any particular software or hardware. The difference between ITIL change management and change control boils down to scope and specificity.

Were you dieting, for example, the former would address overall calorie intake, and the ideal balance of protein, carbohydrates, and exercise, while the latter would comprise specific recipes, meal plans, and workout routines.

How to create a change control process

Implementing a change control management plan impacts your entire business and requires the participation of multiple stakeholders. Use the five steps below to create and use this process to produce the best results.

Step 1: Identify objectives

Change for change’s sake is not a rationale to implement new procedures. Instead, identify your specific goals for instituting a change control process. These explicit objectives will help achieve greater buy-in from stakeholders and provide benchmarks to measure results.

Change control process objectives include:

• Reducing critical incidents, downtime, and software rollbacks from failed deployments
• Improving compliance with industry and/or government standards and regulations
• Enhancing the customer experience

Improving performance in these areas will lead to a larger overall benefit: a positive impact on your bottom line. Without upfront goals and benchmarks, however, you're operating blindly about the impact of your change control process.

Step 2: Define procedures

The hallmark of a well-oiled change control process is consistency: Every small or large change follows a predefined process from beginning to end. Without standardized procedures, you're no better off than before.

Change control procedures and related elements to formalize include:

• Change request: Identify information to include such as cost, rationale, impact, and change category (standard, normal, major, or emergency).
• Change advisory board (CAB): Establish the number of members and makeup of the CAB, which should have representatives from departments outside IT such as marketing, accounting, and human resources.
• Change evaluation: Create an evaluation matrix, which can incorporate factors such as anticipated risk from action versus inaction, cost, scope, public perception, and financial repercussions.
• Change log: Maintain a record of each approved change's implementation, who performed it, time to complete, final cost, and results.
• After-action review: Perform a post-mortem analysis of each change to determine what worked well, what went wrong, and what to do the same or differently. Documenting successful normal changes can lead to their reclassification as standard changes, which don't require CAB approval.

You must also create accompanying forms such as a request for change, change log, and after-action review to document each change made and its results. IT management software lets you do this online, so relevant parties can easily access and input information.

An online change request form can track the entire change request and evaluation process. Image source: Author

Document management goes hand in hand with a change control system because it establishes a permanent record to inform your future efforts.

Step 3: Educate stakeholders

It's human nature to resist change, so even the best laid change control plan will go awry from the outset without buy-in from stakeholders such as frontline IT employees, CAB members, upper management, and customers.

Education is key -- why you're doing what you're doing and the expected benefits -- to prevent people from paying lip service before returning to the status quo.

Tips to gain this critical support include:

• Promote stakeholder involvement: Nobody likes having a new process or system dropped on them unannounced, so solicit feedback from everyone affected by the change control process at each stage of its development. This also gives you a wider perspective and the opportunity to address concerns you didn't previously identify.
• Train employees: The beauty of codified, proactive procedures instead of ad hoc, reactive actions is they can be taught to employees. Initial and ongoing training ensures everyone is on the same page and allows you to continually highlight change control process benefits.
• Publicize successes: Keep your change control process front and center by publicizing its results. When downtime is reduced, critical incidents are resolved more quickly, and customer satisfaction increases, your efforts will be publicly validated.

It's probably tempting to take a shortcut -- human nature at work again -- to justify this new policy to employees by saying, "Because I said so." The problem is, it doesn't work. Instead, the soft sell works better because stakeholders make their own decision to buy into the change control process.

Step 4: Implement change control process

Identified goals? Check. Defined procedures? Stakeholder participation? Check and check. Now you're ready to implement your change control process, putting everything you've planned in abstract into action.

Keys for successful implementation include:

• Appoint a change manager: The change control manager is usually an IT professional who understands the technical aspects of hardware and software changes but can also serve as a liaison between the IT department and the CAB, which has non-IT members.
• Schedule CAB meetings: Regularly scheduled CAB meetings acclimate members to evaluating proposed changes and help prevent a backlog of requests.
• Enforce policies: It's easy to follow the rules when everything is working well, but change control is designed equally for moments when things go awry unexpectedly. You must monitor employee adherence to these policies for every change type.
• Learn from failure: No system works all the time, so think of its failures as the production of unexpected knowledge. Dissecting where, when, how, and why things went wrong provides information to produce better future results.

A change control process has many moving parts, so you don't need to roll it out in one fell swoop. Instead, implement it piece by piece for a smoother transition.

Step 5: Measure results

Performance metrics are essential to track your change control process results. These not only indicate progress -- or lack thereof -- compared to established benchmarks, they provide actionable insights for continuous improvement.

Performance areas to track include:

• Organizational: Speed, results, costs, and ROI of IT changes measured against performance and customer satisfaction.
• Individual: Proficiency and compliance with change control processes, help desk service request efficiency, and readiness assessments.
• Change management: Training participation, tests, and effectiveness measures, and ongoing stakeholder feedback and involvement.

Developing your change control process is not a one-and-done activity. Instead, continuous evaluation is required for ongoing, productive results.

Control change instead of it controlling you

In business, you can only expect the unexpected, so a change control process is an essential component of your larger change management plan.

Sure, the world is a chaotic place where we have limited influence, but you'll leverage the most control possible. Plus, an effective change control process will leave you plenty of time to root for -- who else? -- the Dallas Cowboys on Sunday afternoons.