
Risk management is at the heart of change management

One of my many roles at work is that of change coordinator for a large subset of our customers. I have learned a lot in this capacity, and have come to feel that, while Incident Management is the natural first step in ITIL implementation, until you start implementing Change Management, the majority of your effort is largely spent fighting fires.

At its heart, change management is all about managing and balancing risks, and by asking some simple questions of proposed changes, you are well on your way to implementing a system of change management. These questions are linked to the change itself, to time, and to risk:

  • What is the change, and why is it necessary?
  • How long does the change take, and how long would a rollback take?
  • What systems are affected, and how are you managing the risks this represents?
  • What potential issues have you identified, and what is their frequency of incidence?

These questions are all formulated in two parts, and both parts are important. The first question asks you to provide a description of and a justification for the change. The answer does not, however, have to be long. In the case of routine maintenance, e.g. patching a system, the answer could simply be “system patching, to keep the system up to date”.

The second question is all about the time required to perform the change itself, as well as how long it would take to undo what you do in the change. The resulting period of time should, at a minimum, have a one-to-one relationship with the duration of the proposed change, though adding a buffer at the tail end of the change period is not unheard of.

Mapping which systems are affected is crucial to understanding the risk(s) involved with a change. Understanding these, and having a plan for how to address them, is important, and this is where the four T’s of Business Continuity Planning (Treat/Transform/Tolerate/Terminate) come into play.

Finally, planning the change necessarily involves identifying what issues may arise from the change, how often they have been known to occur in our own organisation, as well as in the industry as a whole. This should be mapped in a matrix where one axis is the severity of the issue, and the other is the rate of incidence.

There is, or at least can be, a lot more to change management than this, but the outline above is a good first step, and gives you something to build on.
