Transcription
Yale University Change Management ProcessGuideYale UniversityChange Management Process1 of 29
Table of ContentsIntroduction . 3Purpose . 3Scope . 3Change Management Overview . 3Change Management Key Concepts . 4Change Management Policies . 5Change Management Process Flow . 6Roles and Responsibilities . 6Process Procedures . 81.0 Request Change . 82.0 Review and Accept Change . 93.0 Assess Technical and Business Impact & Risk . 104.0 Approve Change for Build . 115.0 Build and Test Change. 136.0 Confirm Implementation Schedule and Impact/Risk Review . 147.0 Approve Change for Implementation . 168.0 Implement and Validate Change. 179.0 Close Change . 20Change Process Components. 22Change Types . 22Risk and Impact . 23Change Source . 24Change Submission Priorities . 24Assessment Condition Codes . 25Task Completion Codes . 25Approval Condition Codes . 26Completion / Implementation Codes . 26Closure Condition Codes . 27Process Metrics . 28Document History . 29Yale UniversityChange Management Process2 of 29
IntroductionPurposeThis document will serve as the official process of Change Management for Yale University. Thisdocument will introduce a Process Framework and will document the workflow, roles, procedures, andpolicies needed to implement a high quality process and ensure that the processes are effective insupporting the business. This document is a living document and should be analyzed and assessed on aregular basis.ScopeThe scope of this document is to define the Change Management Process, and process inputs from, andoutputs to, other process areas. Other service management areas are detailed in separatedocumentation. This document includes the necessary components of the Process that have beenconfirmed for the organization.Change Management OverviewWhat is Change Management? Process to coordinate the change needed by businessAuthorizes changes and coordinates change timelines to avoid conflictResponsible for governance, not execution activitiesUltimately to support the change owner and the implementation of a successful changeWhy is Change Management Important? Yale UniversityManages risk and priorityo On average, 80% of incidents caused by changeo Compliance (SOX, ISO9000, etc)o Prioritizes to implement most important changes firsto Rapid change capability for businessMaintains a complete view of change in the organizationChange Management Process3 of 29
Change Management Key ConceptsChange RequestService RequestConfiguration Item Release (andDeployment)Management Request for Change(RFC) Forward Schedule ofChange (FSC) Submission Priority Change Type Yale UniversityOptimize risk exposure.Minimize the severity of any impact and disruption.Proactive: Improve services, reduce costs,maintenance/prevention.Reactive: Resolve known errors and adapt to business changes.Something that can usually be planned for Standard, low/known risk, highly repetitive changes.Well-defined activities that result in the fulfillment.Access to an existing service, requests for information, orsomething that has been pre-approved by the Change AdvisoryBoard.Any Component that needs to be managed in order to deliver an ITService.An IT asset that is deemed valuable to track and manage throughchange control.Either a physical (e.g. server) or logical (e.g. policy) recordrepresenting the actual asset.CI’s are controlled through the change process (or through requestmanagement when changes are deemed to be standard).Release and Deployment Management aims to build, test anddeliver the capability to provide the services specified by ServiceDesign and that will accomplish the stakeholders’ requirements anddeliver the intended objectives.Packaging/bundling of Changes.Provides additional QA and oversight to ensure successful releases.A Request for ChangeRepresents what is being changed, optimally expressed as a CI, whoowns the change, when/where the change is occurring and how it isbeing implementedForward Schedule of ChangeA Document that lists all approved Changes and their plannedimplementation dates.Typically shows upcoming (i.e. non-implemented) changesThe relative priority that a change needs to be implementeddefined by its proposed implementation date/time and the time thechange was submittedChanges logged without optimal time to assess are typically definedas urgent changesThe scope and criticality of a given change, derived from thetechnical impact and riskOften requires some form of assessment to be conducted, coveringa number of key areas to derive a consolidated valueChange Management Process4 of 29
Change Advisory Board(CAB) Jurisdiction Change Advisory BoardAssists the change manager in prioritization, approval /authorization activitiesAssess business consequences of an unsuccessful changeAssist in scheduling the change, taking into account FSC andexternal factors (e.g. resource availability)An organizational entity that may have accountability over specificIT scopeOrganizations with multiple jurisdictions typically have multipleCIOsIT supported directly by the business is not a condition for multiplejurisdictionsChange Management PoliciesThe Change Owner is ultimately accountable for the success of their respective change.The approving Change Manager is accountable for the successful execution of the process, as a meansto mitigate impact and risk for stakeholders/customers.Change Management will manage all changes made to the production environment, including theoperational test environment. This includes changes implemented by vendors and externalorganizations.Effective Risk and Impact Assessment is enforced and is considered the foundation of ChangeManagement.All customers are informed of changes that affect the Service(s) they receive prior to changeimplementation.There is a mechanism to implement URGENT changes to the managed environment with minimumdestabilization of that environment.The number of changes deemed URGENT is reduced to a pre-specified and progressive metric throughproper planning.A CAB exists and the Change Manager is the ultimate decision making authority within the CAB.A Change implementation plan is required prior to change deployment.All Service Providers will fulfill their roles in compliance with the Change Management process.An RFC should not be approved for implementation unless relevant back-out plans are in place.Yale UniversityChange Management Process5 of 29
Change Management Process FlowChange ManagementAssess & EvaluateAuthorize & Plan UpdatesCoordinate Change ImplementationReview & CloseNo1.0 RequestChange2.0 Review& AcceptChangeBuild & TestRequired?StandardChange?NoYes3.0 Change forBuild7.0 ApproveChange forImplementation5.0 Buildand TestChange8.0ImplementAndValidateChange9.0 CloseChange6.0 ConfirmImplementationSchedule er/ d & Review RFCRoles and ResponsibilitiesThe following roles have been identified within the Incident Management Process.RoleChange RequestorDescription Change Owner Approving Change Manager Change Advisory Board (CAB)Yale University The individual asking for a change to be made. May or may not be the changeowner.The requestor should be the person sponsoring or advocating the change, usuallybusiness.Individual stakeholder ultimately accountable for the end result of change, seeingit through its lifecycle. Ex: A Network Engineer may be the change owner for arouter upgradeApproves changes for build-test and implementation for changed owned by theirjurisdictionAccountable for the execution of the change process in support of the changeownerConducts CAB meetingsOversees change processA body that exists to support the authorization and approval of changesAssists Change Management with assessment / prioritization feedbackProvides guidance to the Change ManagerChange Management Process6 of 29
RoleDescriptionChange Assessor Change Builder / ImplementerAuthorizing ChangeManager(s) Change CoordinatorFacilitates changes processAssists the Change Manager and Change Owner throughout the change processResponsible for contributing to the business and technical risk and impactassessment of a change for their domainIndividual responsible for performing the build/test and/or implementationAuthorizes changes where their jurisdiction is impactedParticipates in CAB meetings as requiredThe following illustrates the Responsibility, Accountability, Consulted and Informed (RACI) matrix relatedto the key Change Management Activities:ChangeRequester1.0 RequestChangeAR2.0 Review &Accept ChangeC3.0 AssessTechnical andBusinessImpact/ Risk4.0 ApproveChange forBuild5.0 Build andTest Change6.0 ConfirmImplementationSchedule andImpact / RiskReview7.0 ApproveChange forImplementation8.0 Implementand ValidateChange9.0 CloseChangeProcessMaturity andEvolutionYale angeBuilder AssessorChangeProcessOwnerRRRRRRCARRRRRCCCRChange Management ProcessCCCA7 of 29
Process Procedures1.0 Request Change1.0 Request ChangeRequesterChangeRequesterChange2.01.1 Create /Update RFC1.2 IdentifyImpactedStakeholders1.3 ClassifyChange1.4 IdentifySuccess Criteria1.5 Reference /AttachSupportingDocumentation1.6 Submit RFCFor Acceptance2.0StepActivities1.1 Create /Update RFCIdentify required information, such as contact information, requested schedule business rationale (eg.Functional enhancement to an application or service, increased performance/capacity/availability,resolution/fix to a known error ). It is possible some of these values may be updated by the changecoordinator/manager and/ or owner.1.2 IdentifyImpactedStakeholdersIdentify impacted stakeholders by identifying impacted CI's & services and indicate if they are located inother jurisdictions (change authorization required). Identify if resources will be required from otherjurisdiction(s) to assist in the change.1.3 ClassifyChangeChange requestor will provide the initial classification elements. This includes completing an initialimpact/risk assessment to determine the change type.1.4 IdentifySuccess CriteriaIdentify the Business objectives that will be used by to Validate Change Success after the change hasbeen implemented and prior to closure.1.5 Reference /AttachedSupportingDocumentationInclude all documentation appropriate to the nature of the change Project Charter, Business Case,detailed Change Description , etc) Note: If build-test is in-scope an Implementation plan, back-out plan,communication plan etc. may be included at this time, but are not mandatory.1.6 Submit RFC forAcceptanceOnce the request is complete, submit for acceptance.Yale UniversityChange Management Process8 of 29
2.0 Review and Accept ChangeRequesterChangeRequesterChange2.0 Review and Accept geCoordinatorChangeNoYes2.1 ValidateChangeSubmission2.4 IdentifyChange Owner2.2 RFC Valid?2.5EmergencyChange?No2.6StandardChange?No2.7 AssignRFC toChange Owner3.0YesYesYes9.0No2.3 ngeProcedureStepActivities2.1 Validate Change SubmissionVerify that all information required to process the RFC has been provided.2.2 RFC Valid?Verify that the RFC complies with Change Management Standards and any jurisdictionspecific policies and business requirements. Refer exceptions to Change Requestor forcorrection, otherwise notify the Change Manager.2.3 RFC Accepted?Verify that this is a legitimate RFC. If not, reject the RFC and if so, continue processing.It is possible to meet all validation requirements in 2.2 but still not be consideredlegitimate. This could include changes outside the scope of IT.2.4 Identify Change OwnerChange Coordinator identifies the Change Owner and confirms the accuracy of theselection with the Change Owner. If the Change Owner will come from anotherjurisdiction, the Change Coordinator will request the Change Manager/Coordinator fromthat jurisdiction to identify the Change Owner.2.5 Emergency Change?Determine if change meets emergency change criteria . If change is emergency, ChanceCoordinator notifies approving Change Manager who invokes local emergency changeprocedures, otherwise change is processed under normal procedures .2.6 Standard Change?Verify that this is a legitimate “standard” change and defer the to the Standard ChangeProcedures.Yale UniversityChange Management Process9 of 29
StepActivities2.7 Assign RFC to Change OwnerAssign RFC to Change Owner for subsequent Review and Assessment.3.0 Assess Technical and Business Impact & RiskAssessorChangeAssessorChange3.0 Assess Technical and Business Impact & Risk3.2 CompleteTechnical and/orBusiness Impactand RiskAssessmentChangeChangeOwnerOwnerYes4.03.5 Build-TestRequired?3.3 ConsolidateAssessmentResults3.4 Review andUpdate ChangeClassificationNo7.0Change Coordinator2.03.1 IdentifyImpactedTechnical andBusinessStakeholders andcirculateassessmentStepActivities3.1 Identify ImpactedTechnical and BusinessStakeholders andcirculate assessmentWith the assistance of the change owner jurisdiction, the change Owner requests appropriateparticipation to assess the change using the standard risk/impact assessment (RIA) model. IfRFC impacts other jurisdictions, the Change Owner requests their Change Managers tocoordinate a the jurisdictional assessment. By default a single assessment task is sent to eachjurisdiction but this may prompt additional tasks to be created by the jurisdictional changecoordinator.A specific “Release” task will be sent to the release manager to determine if releasecoordination activities are required for this specific change. Release criteria will be definedand managed separately.3.2 Complete Technicaland/or Business Impactand Risk Assessment Yale UniversityChange Owner uses the RIA model to conduct both Business Risk-Impactassessments and Technical Risk-Impact assessments. This may be updated followingresponses from assessors in 3.3.This may be a Re-Assessment prior to Implementation approval if significant scopechange encountered during Build-testOperational procedures resolve conflicts with scheduling.Change Management Process10 of 29
StepActivities3.3 ConsolidateAssessment ResultsChange Owner will consolidate input from all jurisdictions, which may inform updates to theoverall impact and risk assessment. If Assessments are provided from multiple jurisdictions,Change Owner will: Use worst case scenario to update the RIA to arrive at a single value for Risk, Impactand derived Change Type value. Consolidate Operational Discovery feedback which may influence build/test and/orimplementation plans.Following Assessment, Change Owner will confirm accuracy of Classification elements:3.4 Review and UpdateChange Classification Jurisdiction(s) Change Type reflects Risk-Impact valueIf Assessment tasks have identified additional impacted jurisdiction(s), the Change Owner willupdate RFC accordingly and request an assessment from each jurisdiction and reflect the inputin final classification.3.5 Build-Test Required?If Build-test activities are not required, or if this is a re-assessment following Build-testcompletion, then request approval for Implementation.4.0 Approve Change for Build4.0 Approve Change for BuildChangeChangeOwnerOwner4.7 Change OwnerAddresses ChangeApproval Issue(s) andUpdates RFC3.0AdvisoryChangeAdvisoryChangeBoardBoardChange CoordinatorChangeApprovingChangeAuthorizing Change ApprovingManagerManager(s)ManagerNoYale University4.1MinorChange?4.6 ChangeApproved?Yes5.0NoYesYes4.5 Review RFC4.4 ChangeAuthorized?4.8 UpdateChange Recordand CommunicateChange Approval4.3 ChangeAdvisory BoardReview of RFCNo4.2 Include RFCin ChangeAdvisory BoardAgenda andScheduleChange Management Process11 of 29
StepActivities4.1 Minor Change?Verify that this is a legitimate “minor” change.4.2 Include RFC in CAB Agenda andScheduleTake the steps necessary to include the RFC in the agenda for upcoming CABmeeting. This may be necessary across multiple CABs.4.3 Change Advisory Board Review ofRFCCAB members r
management when changes are deemed to be standard). Release (and Deployment) Management Release and Deployment Management aims to build, test and deliver the capability to provide the services specified by Service Design and that will accomplish the stakeh
