Welcome back! In the first part of this two-part blog series, we dealt with training and awareness, making it easy to raise changes, and streamlining approvals. This leads us nicely on to the next five of our eight areas for reducing the level of change enablement process avoidance. Starting with emergency change situations.
4. Ensure that you have enough provision for emergencies
With the best will in the world, not everything can be planned, tested, and communicated in advance. Sometimes things will fail in the middle of the day and we need to get them fixed. Here, sometimes changes don’t get raised when they should because the technician makes the call that there’ll be a delay in restoring service. After all, the full change process involving a change advisory board (CAB) must be followed before corrective action can be taken. Right? Wrong!
The last thing anyone needs when a business-critical system is down is for a delay in service because someone thinks that a full change process has to be followed. Having said that, if we don’t document what we did to fix the issue, how will we know what to do if it happens again?
Make sure that whatever your change process looks like, it has provision for emergency changes. This could be allowing colleagues to raise changes retrospectively in the event of a crisis. The trick is to make it clear, with examples that are relevant to your business as to what constitutes an emergency and what doesn’t. Examples could include:
- A business-critical service is down, and end users are unable to work.
- A service is at risk of being disrupted unless immediate preventative action is taken.
- A compliance risk has been identified – for example responding to a data breach or emergency security patching.
If your colleagues know that there is a sensible provision for emergency situations, then they’re much less likely to go rogue when the going gets tough.
5. Give people the gift of clarity
Know and communicate the impact of out-of-process change. If folks understand the real impact of skipping a step in the process, then they’ll be less likely to do it. Here are some things that can help:
- Causes of major incidents – a simple search for the most common causes of major incidents will give you horror stories of a simple configuration change taking down a major bank or corporate system. There’s no such thing as zero risk, but at least if you follow the correct process your change will be visible and the correct support teams are aware. Such that if things do go wrong the right people are on standby to either fix-on-fail or to roll back the deployment. If you don’t follow the change process and something fails mid-implementation how will the rest of IT know what the issue is and how to fix it?
- Regulatory – some industries are more regulated than others, but chances are if you have to work to any regulatory standard such as SOX then out-of-process changes will have regulatory and legal repercussions.
6. Work to a change policy
Have a change management policy so that everyone knows exactly what is expected of them. Every company will have slightly different rules – highly regulated industries such as financial services or pharmaceuticals will have very tightly controlled environments. Whereas other sectors will have fewer restrictions. So, create your change policy accordingly.
Set out what needs to be done at each stage of change enablement such that the rules are clear and easy to follow for different types of changes. We know it sounds obvious but make sure that you provide contact details for people to access change management guidance and make it clear that if someone is unsure it’s ALWAYS best to ask for help.
7. Check your numbers
To truly understand the scale of the change-dodging problem you need to report on it such that you can understand what is happening and how often. If your ITSM tool has a status that you can use to tag changes as unauthorized, then use it.
Another way to identify potentially unauthorized change activity is to attend problem management meetings and major incident review sessions. Sometimes an incident or problem will be closed off as being caused by change but not linking the change in question or specifically calling out that someone went rogue. Make a point of attending these meetings so nothing is missed.
8. Get management buy-in
Unregulated change hurts everyone but if there are no consequences for an unauthorized change why would people make the effort to follow the agreed process? Make it unacceptable to go the cowboy route.
No one wants to invoke disciplinary action in the event of a genuine mistake but if someone is repeatedly circumventing the process then that needs to be addressed. Have a plan for how to escalate these situations so that the right corrective action can be taken whether it’s in the form of more training or support from human resources (HR).
So, that’s all of our eight areas now covered. How do you manage engagement with your change process and those who dodge the agreed process? Please let us know in the comments.