Change Management Approval

Blue · ‎08-26-2024

Hello all, we are interested in how you have approached your Change Management for the enterprise IT.

Who compromises your Change Authority Board (CAB)? Is it all IT Managers or IT Directors or IT VPs or etc.?

Do all of the CAB members need to approve CHGs in ServiceNow to allow it to progress? How have you configured the approval for CAB on a CHG in ServiceNow?

Option 1: One CAB member can approve

Option 2: All CAB Members must approve

Option 3: % of CAB Members must approve (ie. 100%, 75%, 51% etc.)

We are revisiting our approach.

Alan Prochaska · ‎08-26-2024

We have a multi-stage change approval process:

We have defined the manager of the assignment group as the primary approver, who is accountable for the change end-to-end. If the change blows up or disrupts something else, the primary approver is accountable and gets to provide explanations. Primary approval happens during Assess.

After primary approval completes, the change moves to Authorize, where it could have some combination of compliance approval, CAB approval, and additional approvals. If the lead CI of the change is in-scope and onboarded for a compliance regulation, then the workflow stages a compliance approval to the business application owner and their delegate. Once complete, the workflow stages a CAB approval to the CAB assigned for the lead CI (Chg.Configuration Item.Approval Group). Once CAB approval is complete, then if the change request included an Additional Approval, the change workflow stages and collects it.

Compliance approval ensures the change complies with key regulatory controls for change, specifically that a) new content was successfully tested off production before implementation in prod, and b) approval was collected before new content was migrated to prod.

CAB approval ensures that appropriate communication and coordination with key stakeholders has been done, and there are no objections (ie. they agree that the content can be implemented per the defined scope and schedule). This is different from many orgs' expectation of CABs. We no longer make CABs accountable for changes, only responsible for communication and coordination. Accountability lies with the primary approver.

Additional approval is typically a way to include additional CABs for broader oversight and awareness.

Compliance approval may or may not be required. It depends on the CI.

CAB approval is required.

Additional approval may or may not be required. it depends on whether the change manager (Assigned To) specified an Additional Approval on the change request.

CABs are typically not populated with VPs or even Exec Directors. Levels below them are typically the ones reviewing and approving the changes to move forward. VPs or EDs typically are not aware of change and impact specifics.

All approvals are "one must approve". We have found that multiple approvals and shared accountability are not effective. The basic model is "many reviewers, one approver" and "one throat to choke". If a CI or deliverable has many stakeholders, the approver must be accountable for all stakeholders and incorporate their opinions and recommendations into their decision. Trade-offs may be required, and decisions must be made.

Our 0.02

View solution in original post

Alan Prochaska · ‎08-26-2024

We have a multi-stage change approval process:

We have defined the manager of the assignment group as the primary approver, who is accountable for the change end-to-end. If the change blows up or disrupts something else, the primary approver is accountable and gets to provide explanations. Primary approval happens during Assess.

After primary approval completes, the change moves to Authorize, where it could have some combination of compliance approval, CAB approval, and additional approvals. If the lead CI of the change is in-scope and onboarded for a compliance regulation, then the workflow stages a compliance approval to the business application owner and their delegate. Once complete, the workflow stages a CAB approval to the CAB assigned for the lead CI (Chg.Configuration Item.Approval Group). Once CAB approval is complete, then if the change request included an Additional Approval, the change workflow stages and collects it.

Compliance approval ensures the change complies with key regulatory controls for change, specifically that a) new content was successfully tested off production before implementation in prod, and b) approval was collected before new content was migrated to prod.

CAB approval ensures that appropriate communication and coordination with key stakeholders has been done, and there are no objections (ie. they agree that the content can be implemented per the defined scope and schedule). This is different from many orgs' expectation of CABs. We no longer make CABs accountable for changes, only responsible for communication and coordination. Accountability lies with the primary approver.

Additional approval is typically a way to include additional CABs for broader oversight and awareness.

Compliance approval may or may not be required. It depends on the CI.

CAB approval is required.

Additional approval may or may not be required. it depends on whether the change manager (Assigned To) specified an Additional Approval on the change request.

CABs are typically not populated with VPs or even Exec Directors. Levels below them are typically the ones reviewing and approving the changes to move forward. VPs or EDs typically are not aware of change and impact specifics.

All approvals are "one must approve". We have found that multiple approvals and shared accountability are not effective. The basic model is "many reviewers, one approver" and "one throat to choke". If a CI or deliverable has many stakeholders, the approver must be accountable for all stakeholders and incorporate their opinions and recommendations into their decision. Trade-offs may be required, and decisions must be made.

Our 0.02

Blue · ‎08-26-2024

Alan, when the CAB approval occurs are you saying only 1 of the leaders (Director?) has to approve the change instead of all of them? Based on your statement of "one must approve" means if one CAB member approves then it can go forward, even if a peer in CAB wants to reject it.

Alan Prochaska · ‎08-26-2024

HI @Blue,

The CAB approves as a unit. One member may mark the approval record, but it represents the CAB a a whole. They discuss and agree amongst themselves. If there is disagreement, they have to work that out before rendering a decision and marking the approval record. It's not the process's responsibility to mediate or settle family squabbles within a CAB. That's their business, and their responsibility.

Chris Mildren · ‎08-27-2024

Hi @Blue
Our Changes rated as Minor risk are peer approved and then manager approved within the assignment group of the Change without going to CAB.

Major or Significant Risk Changes go to CAB. Whilst the approver on the record is one of the small group of Change Managers, similar to @Alan Prochaska , the expectation is that a full discussion and approval has happened at a CAB meeting. This meeting also includes senior non-IT representation from the Trust to ensure the Change does not impact on any operational activities of the hospital.

Blue · ‎08-27-2024

@Chris Mildren , @Alan Prochaska , Thank you. We are putting every IT Director in the CAB Approval group. They all 100% must click Approve prior to CAB. Once CAB arrives if everyone clicked approve (we want that audit trail in ServiceNow) and there is no issue, then CAB manager clicks approve and it progresses. If anyone Director rejects the CHG goes back to New. If anyone IT director does not click approve but does not reject we discuss that in CAB thoroughly. Only Moderate and High risk CHGs go to CAB.

Going back and forth on whether or not it 100% of directors or majority that have to approve. We want to empower any 1 director to stop a change if they feel it is not ready. However, concerned this may be too heavy.

Our Change Mgr does too much chasing for verbal responses.