Change and Configuration SMF Overview
Published: April 25, 2008 | Updated: October 10, 2008
Change management is very important. To deliver reliable and effective IT service, organizations need to ensure that change is planned and purposeful. The business relies on IT to embrace change management processes that take into consideration the needs for prompt action, reliable services, and compliance with policies and regulations.
Change in any form carries risk—risk of failure, cultural resistance, disruption of operations, technical challenges, resource constraints, and unanticipated consequences. But many IT organizations fail at change management, either because they find it so big and onerous that they don’t try it at all, or because they make it so complicated that no one will use it.
It doesn’t have to be that way.
The Change and Configuration Management SMF offers best-practice guidance to help IT manage change through repeatable, predictable, and measured processes while addressing risk. An organization’s tolerance for risk determines the appropriate level of detail and formality to apply to change processes for each type, size, and timing of change.
When an IT organization determines how restrictive and how formal change management should be at any point in the IT service lifecycle, it must balance the cost of controlling the change against the benefit of the control. This balance depends on the impact of making or not making the change, the organization’s risk tolerance, and the speed with which the decisions must be made. Costs of change management controls may include time, money, and speed. Another cost may be limiting exploration of alternatives too soon. Benefits of restricting changes include more efficient work, more stable environment, and minimized impact to related services—all of which have financial and timing implications.
Change management applied at the appropriate level throughout the IT service lifecycle establishes boundaries within which flexibility exists. These boundaries narrow from the Plan through the Deliver and Operate phases, as impacts and risks to the production environment and IT services become more immediate.
The risk of a change is determined by the classification and place in the IT service lifecycle of the change. The level of identified risk determines the rigor required in change control.
Risk is driven, in part, by the place in the IT service lifecycle where the change is requested. Change controls should be looser for change requests in Plan and the beginning of Deliver, and tighten toward the end of Deliver and in Operate. In the Plan Phase and early in the Deliver Phase, there are risks that come from not allowing exploration and evaluation across a range of alternatives. As an IT service moves through Deliver, risk increasingly evolves into a disruption of the work that is being done or into an expansion of scope so that the decisions made in the Plan Phase are overturned. In the Operate Phase, the biggest risk is destabilizing well functioning IT services.
Changes can be organized in the following categories:
- Major. A change where the impact on the group could be massive—for example, a departmental or corporate-wide change, or a network-wide or service-wide change.
- Significant. A change where the effect is widespread, but not massive—for example, a change affecting a group within a department or a specific group of configuration items (CIs).
- Minor. A change affecting small numbers of individuals or CIs—for example, a change to a printer used by a department consisting of just a few members.
- Standard. A change that has been performed before and that is part of the operational practice of the business—for example, an update to a user profile.
Standard changes provide agility within the boundaries of change management in the Operate Phase. Every organization should develop a collection of standard changes, ensuring predictability and the efficient use of resources by using a “tried, tested, and true” standard process for common change requests. This is accomplished by identifying common recurring changes and optimizing their execution. Ideally, 80 percent or more of all Operate Phase changes should be standard—this signals a mature change management process.
A standard change begins as a minor, significant, or major change. After the change has been thoroughly tested, deployed, and validated and the execution steps have been documented, a change may become standard. Examples of standard changes include desktop refresh, standard software deployment, password reset, and patch management.
As changes are approved and implemented, it is critical to record an accurate picture of the production environment configuration before and after each change is made. With configuration information readily available, IT is better equipped to:
- Evaluate proposed changes.
- Understand the current state of the production environment.
- Troubleshoot problems by analyzing recent changes made to the production environment.
- Return the configuration to a previously known state to address chronic problems or to meet regulatory requirements.
- Test changes outside of the production environment with the confidence that the production environment will be similar to the test environment.
Change and Configuration SMF Role Types
The primary Team SMF accountability that applies to the Change and Configuration SMF is the Management Accountability.
The following table lists the role types associated with the Management Accountability, as well as the responsibilities and roles for each role type.
Table 1. Management Accountability and Its Attendant Role Types
Role Type |
Responsibilities |
Role in This SMF |
Change Manager |
|
|
Configuration Administrator |
|
|
Goals of Change and Configuration
The primary goal of change and configuration management is to create an environment where changes can be made with the least amount of risk and impact to the organization.
Table 2 shows the desired outcomes of the Change and Configuration SMF goals and lists measures that you can use to gauge how successfully you have achieved these goals.
Table 2. Outcomes and Measures of the Change and Configuration SMF Goals
Outcomes |
Measures |
Have a predictable process for managing changes to the production environment to improve reliability and customer satisfaction. |
|
Eliminate unnecessary change. |
|
Reduce unintended side effects. |
|
Enable IT to revert to a previous environment state in response to service disruptions by keeping accurate knowledge of the configuration and changes made. |
|
Enable troubleshooting problems through an analysis of recent changes. |
|
Key Terms
The following table contains definitions of key terms found in this guide.
Table 3. Key Terms
Term |
Definition |
Change |
The addition, modification, or removal of approved, supported, or baselined hardware, networks, software, applications, environments, systems, desktop builds, or associated documentation. |
Change advisory board (CAB) |
A cross-functional group set up to evaluate change requests for business need, priority, cost/benefit, and potential impacts to other systems or processes. |
Change category |
Measurement of a change’s release impact on IT and the business. The change complexity and resources required, including people, money, and time, are measured to determine the category. |
Change log |
A log of Requests for Change (RFCs) submitted for all changes in a service that tracks the progress of each change from submission, through review, approval, implementation, and closure. A change log can be managed manually with a document or spreadsheet, or it can be managed automatically with a tool. |
Change Manager |
The role that has the overall management responsibility for the change management process in the IT organization. |
Configuration item (CI) |
An IT component that is under configuration management control. Each CI can be composed of other CIs. CIs may vary widely in complexity, size, and type; their scope can range from an entire system (including all hardware, software, and documentation) to a single software module or a minor hardware component. |
Configuration management system (CMS) |
A set of tools that is used to manage IT service management data such as changes, releases, known errors, and incidents. |
Definitive software library (DSL) |
A secure software library where all versions of software CIs that the CAB has approved for deployment are held in their definitive, quality-controlled form. |
Forward Schedule of Change (FSC) |
A record of upcoming approved changes, also known as a change/release calendar, which may help you understand the impact that already approved changes might have on any new proposed changes. This can also be accomplished using the service portfolio described in the Business/IT Alignment SMF. |
Post-implementation review (PIR) |
A review that occurs after release of a new or updated service. This review evaluates and measures the success of the release in the production environment. |
Release |
A collection of one or more changes that includes new and/or changed configuration items that are tested and then introduced into the production environment. |
Release Manager |
The role that is responsible for managing and coordinating the activities of the release management process for the IT organization. |
Request for Change (RFC) |
The formal change request, including a description of the change, components affected, business need, cost estimates, risk assessment, resource requirements, and approval status. |
Risk value |
A part of the RFC that captures the assessments of risk for a change. |
Service map |
A representation of a service from the perspective of the business and user that shows critical dependencies, settings, and areas of responsibility (for more information about service maps, see the Business/IT Alignment SMF). |
Standard change |
A change category that describes changes that are pre-approved and that can bypass the authorization process to proceed directly to release. |