Low Risk Change model

klpawlenty
Mega Contributor

How are others creating a Low Risk Change Model (lead times, notifications, approvals required, CAB or no CAB, etc.)? These are not always Standard Changes, but changes that are deemed low risk from the Risk Assessment.


gyedwab
Mega Guru

What I've seen some companies doing is using the Record Producer in the Service Catalog as the front-end for a Change template.



The record producer has the standard information that needs to be filled in and the rules around lead time, so the user just has to fill in the relevant information and it's pre-approved.



That way, you can define a "catalog" of common, low-risk changes -- the CAB approves what those changes are rather than approving those changes individually.


Thank you Guy! That would absolutely work for our Standard Changes and a better way than we are doing them now. I am curious if others are taking those Planned Changes that are not Standard, but the Risk Assessment has calculated as Low Risk and defined a different approval model for these. I suppose we could apply your same suggested concept and then add in the Risk Assessment questionnaire; however, we already have a Change process that routes creating a change through the Change module....


Jeff Boltz1
Mega Guru

We have all probably seen the itSMF statement to the effect of 80% of all incidents are caused by change, but what are the true measures?



If we were to test the association and dependence between changes and incidents, we would likely see a strong positive correlation between changes and incidents.


The question is, how do we delineate among the pool of changes to see what is high, medium or low risk?



The key is to identify variations among change records - which ones are likely to cause an incident and what would be the impact depending on the affected CI?



There is often a high degree of collinearity among the change feature set, and finding variation is difficult. That's where dimension reduction comes in, such as principal components analysis which creates new component variables.



These new variables can be used in clustering, such as k-means to find similar within and dissimilar across sub-sets of changes that can be correlated to incidents by CI.



I used 3 clusters corresponding to high, medium and low risk, and then used those segments to check association and dependence to the rate of incidents. I consistently found that the correlation coefficient was high, medium, low (e.g. r=.9734, .65743, .3458) meaning that high risk clusters could be identified.



Using the knowledge of the cluster ID, we can delineate between high, medium and low risk changes and take action accordingly.
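
The approach described in the reply above (reduce collinear change features with principal components analysis, cluster into three segments with k-means, then compare segments by incidents) can be sketched as follows. This is an added example, not code from the thread: the change records and feature names are constructed, only the first principal component is kept, and each segment is ranked by its incident rate rather than by a correlation coefficient.

```python
import math

# Constructed sample: (affected_cis, components_touched, implementation_hours, caused_incident)
CHANGES = [
    (1, 1, 0.5, 0), (1, 2, 1.0, 0), (2, 2, 1.0, 0), (2, 3, 1.5, 0), (1, 2, 0.5, 1),
    (6, 7, 4.0, 0), (7, 8, 4.5, 1), (6, 8, 5.0, 0), (8, 9, 5.0, 1), (7, 7, 4.0, 0),
    (14, 15, 9.0, 1), (15, 17, 10.0, 1), (16, 16, 9.5, 1), (15, 18, 11.0, 0), (17, 18, 10.5, 1),
]

def standardize(rows):
    """Z-score each feature column so no single unit dominates the covariance."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(r, means, stds)] for r in rows]

def first_component(z, iters=200):
    """Leading eigenvector of the covariance matrix, found by power iteration."""
    d, n = len(z[0]), len(z)
    cov = [[sum(r[i] * r[j] for r in z) / n for j in range(d)] for i in range(d)]
    v = [1.0] * d
    for _ in range(iters):
        w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
        norm = math.sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    return v

def kmeans_1d(scores, iters=50):
    """k-means with k=3 on 1-D scores, seeded deterministically at min, median, max."""
    s = sorted(scores)
    centers = [s[0], s[len(s) // 2], s[-1]]
    for _ in range(iters):
        assign = [min(range(3), key=lambda k: abs(x - centers[k])) for x in scores]
        for k in range(3):
            members = [x for x, a in zip(scores, assign) if a == k]
            if members:
                centers[k] = sum(members) / len(members)
    return assign

def risk_segments(changes):
    """Return a risk label per change and the incident rate of each segment."""
    z = standardize([c[:3] for c in changes])
    pc1 = first_component(z)
    scores = [sum(a * b for a, b in zip(r, pc1)) for r in z]  # projection onto PC1
    assign = kmeans_1d(scores)
    rates = {k: sum(c[3] for c, a in zip(changes, assign) if a == k) / assign.count(k)
             for k in set(assign)}
    # Name the segments by ascending incident rate, not by feature size.
    names = dict(zip(sorted(rates, key=rates.get), ["low", "medium", "high"]))
    return [names[a] for a in assign], {names[k]: rates[k] for k in rates}
```

Calling `risk_segments(CHANGES)` returns the label for each change record and a mapping from segment name to incident rate, which could then drive a different approval path per segment.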