Alan Prochaska
Tera Expert

We have a multi-stage change approval process:

 

We have defined the manager of the assignment group as the primary approver, who is accountable for the change end-to-end.  If the change blows up or disrupts something else, the primary approver is accountable and gets to provide explanations.  Primary approval happens during Assess.

 

After primary approval completes, the change moves to Authorize, where it could have some combination of compliance approval, CAB approval, and additional approvals.  If the lead CI of the change is in-scope and onboarded for a compliance regulation, then the workflow stages a compliance approval to the business application owner and their delegate.  Once complete, the workflow stages a CAB approval to the CAB assigned for the lead CI (Chg.Configuration Item.Approval Group).  Once CAB approval is complete, then if the change request included an Additional Approval, the change workflow stages and collects it.  

 

Compliance approval ensures the change complies with key regulatory controls for change, specifically that a) new content was successfully tested off production before implementation in prod, and b) approval was collected before new content was migrated to prod.

 

CAB approval ensures that appropriate communication and coordination with key stakeholders has been done, and there are no objections (ie. they agree that the content can be implemented per the defined scope and schedule).  This is different from many orgs' expectation of CABs.  We no longer make CABs accountable for changes, only responsible for communication and coordination.  Accountability lies with the primary approver.

 

Additional approval is typically a way to include additional CABs for broader oversight and awareness.

 

Compliance approval may or may not be required.  It depends on the CI.

CAB approval is required.

Additional approval may or may not be required.  it depends on whether the change manager (Assigned To) specified an Additional Approval on the change request.

 

CABs are typically not populated with VPs or even Exec Directors.  Levels below them are typically the ones reviewing and approving the changes to move forward.   VPs or EDs typically are not aware of change and impact specifics.

 

All approvals are "one must approve".  We have found that multiple approvals and shared accountability are not effective.  The basic model is "many reviewers, one approver" and "one throat to choke".  If a CI or deliverable has many stakeholders, the approver must be accountable for all stakeholders and incorporate their opinions and recommendations into their decision.  Trade-offs may be required, and decisions must be made.

Our 0.02

View solution in original post