IT change management has been a significant source of debate over the years. I can say that change management is the number one source of the most uncomfortable, stressful, and irritating moments throughout my career. On one side, we have the IT service management (ITSM) thinking, which primarily focuses on a well-defined manual process, with process controls, policies, and an audit trail captured in a system of record and used to prove compliance with governance mandates. On the other side, we have seen the influence of agile thinking, where change management is embedded into the digital service pipeline, using automation to increase the speed and agility of change.
Most would agree that ITSM thinking needs to evolve (as evident in ITIL 4) to focus on value streams and agility. But many organizations struggle to evolve their existing management practices to ones that can support newly adopted guidance such as agile, DevOps, and site reliability engineering.
Organizations and people need to be willing to let go of (if not wholly, then at least lessen their grip on) the three significant myths lingering about change management to succeed in this transformation. Let’s explore each of these.
Myth Number One: More Governance Reduces Risk
Governance models are rigid and are the dog barking at the door, scaring everyone into compliance. These models have an overreliance on policies and are not easily adapted to support the use of automation that modern product teams need to increase release frequency. Organizations use governance as a shield to ensure that change does not introduce unplanned risk or downtime for the business. Auditors and governance models are stuck in the past and don’t know what to do with modern automation approaches.
Governance teams need to realize that a modern approach to change management can control and reduce change-related risk more effectively and faster than the restrictive policies in place today. There is a general reluctance to let go of the 169-page change policy document in exchange for the right level of automation. We got to this place because every time our policy let us down, we decided to add more layers, more gates, and more rules to ensure that an outage didn’t happen again. Instead, we have a monolithic policy that neither serves the business nor supports agility and transformation.
Myth Number Two: Well-Defined Processes Reduce Risk
Most ITSM platforms and change management processes are based on the workflow of the original ITIL publication from the 1990s. While the systems have evolved, the primary ITIL functionality is the main way work is managed. A typical change management process is filled with gates:
- First, create a ticket in the system based upon the type of change, categorize, and prioritize [delay].
- Next, complete the record with all the critical and required information [delay].
- Then, assess the risk with a given set of questions [delay].
- Attach all related documentation (test plan, backout plan, etc.) [delay].
- Send the change in for approvals [delay].
The design of each gate ensures the work is done, helps avoid downtime, minimizes change collisions, reduces security risks, and provides a detailed paper trail for the auditors — but does it completely mitigate risk? Not really. The complexity of the policy and the inherent delays introduce additional risk to the enterprise.
One could argue that the more complicated your process gates, the less likely you are to manage risk. Why? This is because we are relying on humans to do all this work across teams that don’t share information or work together. Instead of managing risk, we stifle change with limited effectiveness in preventing outages or ensuring that compliance mandates are adhered to and documented. To move to a more agile way of working, we must loosen the grip of an over-engineered process and instead embrace more automation, where appropriate, to minimize risk.
Myth Number Three: The Change Advisory Board (CAB) Reduces Risk
If you have never been to a CAB meeting, count yourself lucky. Representatives across the organization assemble to go through a list of changes. Each team member is allowed to examine a change, ask questions, and challenge the documented approach. The hours pass as each proposed change is evaluated and each unsuccessful change is dissected. And in an attempt to make change more agile in support of developers, this may be a daily process. It’s exhausting. But does it reduce risk?
The problem with the CAB is that in today’s complex infrastructure, it’s difficult to use this type of authority structure, which is designed for accountability, to have visibility into the infrastructure across teams and platforms to fully understand and manage the risk associated with a particular change. And if your organization is sending every change to the CAB, it could be increasing risk instead of reducing it. The CAB is an excellent instrument for examining more complex changes. Automation should be used for standard changes and to support releases from developers. With infrastructure as code, automated testing, and change risk scoring, organizations can support the agile practices of developers and manage risk more effectively than sending everything through the CAB.
It’s Change That’s Holding You Back
I have personally heard a change manager tell me that they can’t modernize their change management process because of governance teams and the auditors — their services and supporting infrastructure are too complex for organizations to continue to rely on humans to control change to mitigate risk. But it isn’t just governance, processes, or the CAB that is stifling modernization. It’s also our people who resist new ways of thinking. Just because we always have managed change through process and policy doesn’t mean that it’s scalable or meets the needs of the modern, resilient organization. It’s time to let go of the myths and embrace new ways of thinking and working.
For more on overcoming change management challenges, read my report, Overcome Change Management Paralysis.
Have questions? That’s fantastic. Let’s connect and continue the conversation! Please reach out to me through social media, or request a guidance session. Follow my blogs and research at Forrester.com.