Change Management SOP

Key Terms & Definitions

Term Definition
Action Items The purpose of the Action Items is to provide detailed change
implementation steps. Action Items are not a replacement for
project plans, design reviews, or other planning activities. Action
Items should be utilized to indicate the activities group(s) or
individual(s) that are responsible for completing the requested
change. They also provide a historical record for future reference
and lessoned learned.
Approver A member of the Approval Groups for the platform or service
being changed or affected. Responsible for assuring the total
quality of all requests including all documentation requirements.
Has the authority to approve or reject changes.
Approver Group Group of individuals authorized and responsible for the review and
approval of Change Requests.
Back Out Plan A contingency plan of step-by-step instructions with defined
success criteria (with sufficient detail to allow an individual with
similar skills to execute the plan and is understood by all
approvers) to minimize any disruption of service if a change
implementation does not go as planned.
Change Approval Board (CAB) A team whose goal is to provide cross-functional visibility to all
standard change requests (SCRs), to assist the change
management team in the assessment and prioritization of SCRs,
and to ultimately approve or deny SCRs.
Change Manager(s) Person or persons assigned to review changes for completeness
prior to review by the CAB.
Change Management The process used to ensure that any modifications to the NUIT
environment are performed in a controlled and approved manner.
Configuration Item (CI) Configuration Item or CI refers to the fundamental structural unit
of a configuration management system. Examples of CIs include
documents, hardware, software, models, plans, and people.
Emergency Change Approval Board A subset of the CAB that will review and approve emergency
(E-CAB) requests for change (RFC)
Emergency Change A change required to immediately restore service or to avoid an
(i.e., Break/Fix) outage where no other workaround is available. Authorization for
Emergency changes generally takes place outside the Change
Management Procedure (e.g. the Incident Management Process).
Upon approval, a Change Request must be entered after change
implementation for tracking and documentation purposes.
Filtered Changes A pre-defined subset of changes that have been identified as
having no impact or outside the scope of the Change
Management process. They require the submission of a Request
for Change for tracking and recordkeeping purposes.
Implementation The enactment of a change to a platform service or facility.
 Term Definition
Implementation Plan A step-by-step set of instructions detailing information on how the
proposed change will be implemented and tested. Level of detail
must be sufficient for a person with similar skill to execute the
implementation successfully and be understood by all
reviewers/approvers.
Implementer The person/assignee or group of individuals who perform
implementation of a change activity. If the Implementer does not
have Change Management system access, it is the responsibility
of change owner to close the Change Request with
success/failure detail.
Lead Time The required amount of time between when a Change Request is
submitted and the change start date/time.
Post Implementation Review (PIR) Review of changes from the prior change period. Should include
noting any problems/resolutions with changes performed during
that period.
Request for Change (RFC) Tickets submitted to request a change to systems, infrastructure,
hardware, software, or services defined in the NUIT service
catalog. Also known as a Change Request.
Requester/ Owner The person responsible for documenting, planning, coordinating,
implementing (or assigning an implementer) and closing a
Request for Change This person inputs the Change Request into
toolset.
Risk Assessment Matrix A matrix of the level of risk for each aspect of a change – scope,
impact, complexity, severity, users and location.
Service Manager A tool implemented at Northwestern to facilitate service
management. The current implementation is a repository for all
service desk interactions, incidents (both from callers and alerts),
service desk knowledge, and (Tentative) on-call support contacts.
Standard Change Request (SCR) A document that describes the requested change and why it is
important. This can originate from problem reports, system
enhancements, other projects, changes in underlying systems,
and senior management.
Technical Change Approver The person responsible for the change process for a
department or group, typically a Technical Manager within the
requester’s organization. The person will:
Ensure their changes are properly represented at CAB meetings
Be an approver on all changes submitted by their department or
group prior to the submittal to the CAB.
Appointed by the Approver Group and has the responsibility for
reviewing all technical aspects of the change including success
criteria.
Change Management Process Flow

Change Management includes the following processes:

1. Ticket Creation
2. Change Review
3. Change Assessment and Planning
4. Change Approval
5. Coordinate Change Implementation
6. Change Evaluation and Closure
7. Emergency Change Handling

The following graphic depicts a simplified Change Management flow:

Figure 1: Change Management Flow

Change Approval Board (CAB)

The Change Approval board (CAB) delivers support to the Change Management team by approving
requested changes and assisting in the assessment and prioritization of changes. This body is generally
made up of IT representatives that include: the Change Manager, User managers and groups, technical
experts, and possible third parties (if required).

The CAB members should selectively be chosen to ensure that the requested changes are thoroughly
checked and assessed from both a technical and business perspective. The considered change will
dictate the required personnel to convene in a CAB meeting. CAB meetings will by held at regularly
scheduled intervals, typically weekly.

A CAB offers multiple perspectives necessary to ensure proper decision-making. For example, a decision
made solely by IT may fail to recognize the concerns of accounting. The CAB is tasked with reviewing
and prioritizing requested changes, monitoring the change process and providing managerial feedback.
 A CAB is an integral part of a defined change management process designed to balance the need for
change with the need to minimize inherent risks. The CAB is responsible for oversight of all changes in
the production environment. As such, it has requests coming in from management, users and IT. The
changes may involve hardware, software, configuration settings, patches, etc.

The CAB is comprised of (but not limited to):

 Change Approval Board Chairperson or designate

 Change Control Manager(s) or designate(s)
 Technical Department representative(s)
 Applications representative(s) - if applicable
 Business representative(s) - if applicable

The CAB Chairperson is responsible for preparing the meeting agenda, which includes a list of all
Change Requests to be reviewed during the meeting. It is the responsibility of CAB participants to obtain
and review the meeting agenda prior to each CAB. Changes may be rejected by the CAB if a change is
not represented at the CAB, lacks appropriate approvals, lacks appropriate documentation, or if
issues/concerns are raised during the CAB.

The following criteria should be used to address conflict resolution:

 Change Requester or delegates are responsible for negotiating conflict resolution

 If possible, reach agreement or assign an accountable individual for resolving conflict

Change Requesters are responsible for communicating conflict resolution to appropriate individuals.
Leadership (CAB) has the final approval. If conflicts cannot be resolved or impact is determined to be too
severe, the Change Request may be rejected or rescheduled.

Following the CAB meeting, the Change Manager updates the Change Request as scheduled or rejected
for all reviewed changes. The outputs of the CAB meeting are mailed and updated Change Records.

Emergency Changes

The Emergency Change Approval Board (E-CAB) makes decisions about high-impact Emergency
Changes. Emergency Changes are authorized only to repair an IT service error that is severely
impacting the business, when a situation has occurred that requires immediate action to either restore
service or prevent an outage. Membership of the E-CAB may be decided at the time a meeting is called,
and depends on the nature of the Emergency Change. E-CAB’s may be held via teleconference for
expedited approvals.

The emergency change process differs from a normal change process in:

 Approval is given by the authorized Emergency Change Approvers (See Appendix for roles with
authorization) rather than waiting for a regular CAB meeting
 Testing may be reduced or in extreme cases eliminated, if necessary to deliver change
immediately
 Updating of the change request and configuration data may be deferred, until normal business hours
Change Management Process

This section outlines the activities that encompass Change Management. Each activity in the Change
Management process is described in detail in this section.

Figure 2: Change Management Hierarchy

Submit/Resubmit Change Request (1.0)

The person or group responsible for the implementation of a change has the responsibility of
documenting and submitting the Change Request.

Prior to preparation of a Change Request, all technical aspects of a change should be coordinated
between the Requester and the personnel whose responsibility it will be to implement the change.
Changes should be tested prior to implementation and information regarding the success/failure of tests
included in the Change Request.
Once the Change Request Start Date/Time has passed, if a scheduled change is not to be implemented
the change must be cancelled. If the change will be attempted at a later date/time, a new request must
be opened with the new implementation date/time and approvals obtained.
Changes staged for automatic implementation at boot, refresh, or cycle of the application must be
approved and scheduled prior to staging.

Define Scope (1.1)

Defining the scope of a change includes identifying the platforms impacted, duration of any outage
requirements, business units or departments affected and an assessment of risk. This data is used at
many decision points within the process.

The complexity of changes must be understood and communicated to change Approvers. Appendix A
contains a list of Change Request details that should be considered when drafting a Change Request.
Any additional information that is vital to understanding of a change must be included when defining a
change.

Draft Change Request (1.2)

Once the scope of a change is defined, the data should be drafted into a Change Request as soon as it is
available. Drafting a Change Request as soon as information becomes available allows data to be
reviewed at an early stage.

All details pertaining to implementation, testing and backup plans must be documented within the change
record itself. Attachments are permissible for supporting documentation only. (i.e., test scripts, project
plans, etc.).

In addition to providing details of the change, it is the responsibility of the Requester to identify the level of
risk associated with the change. The Risk Assessment in Appendix B must be used to identify risk of all
changes.
 Change Categories

There are three main designated categories of Change Requests (Normal, Filtered, and Emergency).
These categories are based on both the Risk Level Assessment (RLA) and time between submission of a
Change Request, and the Start Date of the change. Change Categories are reviewed in PIR and
reported in Change Management metrics.

Normal Changes are defined as changes that meet required lead-time, submission cut-off time, and
maintenance window (if applicable). Normal Changes must follow all Change Management Procedure
activities, unless they are defined and approved as Filtered Changes.

Filtered Changes are a pre-defined subset of Normal changes that have been identified as having no
impact, or outside the scope of the Change Management process. Filtered Changes require the
submission of a Filtered Change Request for tracking and recordkeeping purposes but will not have an
associated approval process.

Emergency Changes are defined as changes required to immediately restore service or to avoid an
outage where no other workaround is available. Upon approval, a Change Request may be entered after
change implementation.

Submit Request (1.3)

Changes must be submitted with the appropriate lead-time to ensure that appropriate individuals receive
adequate notice of changes. The maximum allowable change window (duration of a change) may not
exceed seven (7) calendar days for a single Change Request.

Review Change Request (2.0)

Once a Change Request is submitted it begins a review process. There is a minimum of two levels of
review prior to Change Requests being scheduled (approved for implementation . This section describes
the activities performed during leading to approval by the Technical Change Approver.

Perform Quality Assessment (2.1)

A Change Request should be evaluated in terms of required corrective action or system enhancement,
technical design, risk and impact analysis, and business case. The following are suggested questions to
facilitate performing quality assessment:

Who will the change affect?

 Information Technology resources

 Business Units
 Departments
 Schools

What will the change affect?

 Sites/locations
 System availability
 Application availability
  Business cycles
 Processes/practices
 Outage duration

What is impact on?

 Other scheduled changes

 System performance/capacity
 Other resources (manpower, security, etc.)

Verify Change Specifications (2.2)

Each Approver Group must have predetermined individuals (primary and backup) responsible for
reviewing all Change Requests that have specified their group as Approvers (either as an Approver or a
group to notify). This resource is responsible for reviewing all changes affecting their group that are
planned for implementation. The resource will assess the impact on their group and notify all members of
his/her workgroup. If the information in the Change Request is sufficient to warrant approval, the group
approves the request. If the information is not sufficient, follow the guidelines in the Review for Issues /
Conflict section below.
In addition to the Information to include in Change Requests in Appendix A, the following should be
considered during the evaluation of every change:

 Date/time/duration of the change

 Description of the change
 Risk assessment
 Technical validity of activities
 Justification for change
 Impact to schools/business units and to other scheduled changes
 Teams identified on Approver and Notification lists
 Potential conflicts – Owners of conflicting changes to resolve conflicts/escalate to management
 Detailed Test Plan – including detail of testing success/failure
 Detailed Implementation Plan
 Detailed Back out Plan - – including detail of testing success/failure
 Disaster Recovery impact
 Go/No-Go point (if necessary)
 Security Impact assessment – if security impacted, testing & approval from Security required

Review for Issues / Conflict

If an Approver has concerns or questions about a change and the information provided is not sufficient,
the Approver may either request further information be added to the record, request the Change Request
be rescheduled, or reject the change. Approvers must document any reason for rejection within the
change record.

Allocate Required Resources (2.3)

For any change to be successful, appropriate resources must be allocated to the implementation of that
change. The following are examples of resources to consider for all changes:

 Time within a scheduled change window

 Personnel to implement and support the change
 Logical and physical access
 Interfaces with other groups to ensure adequate testing facilities
 Interfaces with Schools and/or Business Units to negotiate and agree on service outages,
degradation of service(s) or additional requirements

Approve or Reject Change (2.4)

After review of a Change Request, Approvers may either approve or reject the request. Approvers should
contact change Requesters directly as soon as possible to resolve issues. If issues cannot be resolved,
the Requester may cancel or re-plan the work involved to address the issues or Approvers may reject the
Change Request. It is recommended that Approvers make every attempt to resolve issues or conflicts
prior to rejecting a change. Once a change is rejected, it must revert to the beginning of the process for
re-approval or be cancelled.
Coordinate Change (3.0)

The CAB is responsible for scheduling all changes (providing the final approval) and refining the final
Change Schedule related to all activities being performed. This section defines the process involved in
the CAB review of Change Requests.

Obtain Clearances (3.1)

During the CAB review of Change Requests, the CAB ensures that the technical aspects of Activities 2.1,
2.2, and 2.3 have been performed appropriately. If a change involves high risk, the CAB may request
that the Change Requester contact the appropriate management for additional authorizations prior to the
actual implementation.

Review Implementation Schedule (3.2)

It is the responsibility of Change Manager and the CAB to review each Change Request for
completeness, appropriate approvals, and compliance to the Change Management Procedure prior to
granting final approval of changes. Change Managers may reject changes with inadequate information or
lacking required approvals and add reason(s) for rejection to the Change Request.

Assemble Finalized Schedule (3.3)

Following the CAB meeting, the Change Manager updates the Change Requests based on the
determination by the CAB. A final Change Schedule is an output of the CAB meeting.

The final Change Schedule should include:

 Change request #/ID

 Change title/description
 Change requester/implementer name(s) and department(s)
 Planned start and end time
 Device name
 Back out time requirement
 Planned outage start and end time

Implement Changes (4.0)

All changes require appropriate levels of approval prior to planned start date and time.

The Implementer, normally the Change Requester, performs the implementation of the change. It is the
responsibility of the Implementer to verify system availability prior to implementing the change. If the
implementation is not to be performed by the Requester, the Requester designates an assignee, which
may be a vendor. In cases where the assignee will not have access to the Change Management tool, it is
the responsibility of the Requester to update the Change Request with implementation results.
 Implement Change (4.1)

The Implementer should follow the implementation action items detailed in the Change Request. Any
deviation from the approved implementation plan, including requirements to extend the approved change
window, must be approved by a Technical Manager (who will verify appropriate approvals are obtained
prior to providing final approval for deviation).

Verify Change Success (4.2)

The Implementer must determine the success of the change based on execution of the post
implementation test plan and success criteria identified in the Change Request. If the change was not
completed successfully as planned or is incomplete, the Implementer must determine if the change
should be backed out. Technical Managers, Business Managers or anyone negatively impacted by the
implementation of a change may request to have a change backed out.

The criteria for a successful change:

 The change was implemented in accordance with the implementation plan

 The change was implemented within the planned implementation timeframe
 The change did not cause unplanned customer impact
 The change met anticipated objectives defined in the Change Request
 The change did not result in a system/application outage due to the execution of the back out plan

Back Out Change (4.3)

If a change fails during implementation, or cannot be completed within the approved implementation
period, it must be either backed out within the approved change window or a window extension may be
requested.

Back out plans should include:

 A detailed step-by-step procedure for reversing the change

 Timeframe needed to perform the back out
 Back out risk
 A plan to mitigate the severity of any potential negative impact resulting from implementation
reversal
 Detailed testing plans

If a change was not completed and backed out, all parties impacted by the unsuccessful completion of
the change must be notified. A backed out Change Request must be closed as a failed change and
updated to reflect issues requiring the back out. If the change activity will be re-attempted, a new request
must be submitted referencing the backed out Change Request.

In addition to reporting the final status of failed changes in the Change Record, Implementers/Requesters
of failed changes must review change implementation at the next CAB meeting where a review of failed
changes will occur.
Window Extension Request:

Window extensions should only be requested when the implementer believes that the additional
time necessary is minimal and that the impact of extending the window is less than that of
backing out the change. Window Extensions are granted through the approval of implementers’
management chain and others as needed. Window Extension Request approvals can be held
via conference call to expedite decision making and approvals. Window Extensions should be
noted in the completed Change Request.

Report Completion Data (4.4)

The Implementer is responsible for reporting the final status of the Change Request within 24 hours
of implementing the change:

 Actual start and end time

 Change implementation results (see Appendix F)
 If change was not completed successfully, additional detail:
 Failure description
 Incident # (if applicable)

Measure Change Results (5.0)

Measuring change results involves a review of Change Request documentation, final

implementation statuses and metrics. This review is used to refine criteria used for authorizing
changes, ensure consistent application of the process, and to make refinements to the process
itself.

Perform Post Implementation Review (5.1)

Change Managers, CAB Members, and Change Management Process Owners are responsible
for reviewing Change Management reports and metrics to monitor and improve the
performance and effectiveness of Change Management. This activity is performed during CAB
meetings.

It is the responsibility of Change Managers to review Change Management reports to identify

problem and out of process change activities as well as changes not implemented as planned.
The CAB reviews each of these activities with the Requester / Implementer. It is important to
compare the final results of a change against the original objective of the Requester. If a
change is unsuccessful, an analysis may be requested to identify problems encountered during
implementation and identify opportunities for improvement.

Audit Process (5.2)

The Change Management Procedure should be regularly monitored for effectiveness. If the
Procedure needs refining or adjustment, a request to modify the procedure should be submitted
through the appropriate CAB Chairperson.