We must raise a change request because we're heavily audited
No! The auditors are there to make sure you're doing the things you say you're going to do in your policies. From time to time they'll want you to demonstrate that your processes are fit for purpose. But that's not why we do change management.
"We must raise a change request because we're heavily audited." This is the lament I hear when a change has been sneakily pushed into live - successfully or unsuccessfully - without a change request ticket being raised beforehand. If that's the case then no wonder the IT team is bypassing the process and following the principles of JFDI. If the auditors have no record of it happening then they'll be none-the-wiser, will they?!
There are plenty of reasons why anyone making a change in live should want to make sure there is an authorised ticket before they push the button. The process is just too valuable to ignore.
Firstly, it's a record of the change that was made and the time when it was made. This can be extremely helpful when pinpointing the root cause of an problem, which can often be traced back to a change. It can also help to absolve you of the root cause if you can provide evidence the issues started happening before you made the change.
Secondly, a good change ticket will ask you all the right questions to make sure you're completely ready for the change: what exactly are you changing and why?; how are you implementing the change?; how will you back out the change if you need to?; who else will be working on the change with you?; what version are you deploying?; will the users of the service be affected?; where's your test evidence? etc etc. Once you have all these details worked out you'll be much better prepared to implement the change with less chance of it going wrong or getting into an unresolvable state.
Thirdly, you're covering your arse. You'll always be responsible for ensuring the change will be successful and not disruptive, but that second pair of eyes to review and ultimately approve a change request provides assurance that you're not just making changes willy nilly without any thought as to the consequences.
Finally, your change manager is going to have visibility of all the change requests in flight and will be able to help you schedule your change so it doesn't clash with any other changes and cause unplanned disruptions.
This is by no means an exhaustive list of why every change should have some form of record of it happening (at the very least). It does well to remind yourself from time to time of why exactly we create policies and processes in the first place.
- Previous: Service reviews are boring
- Next: Better is the enemy of good enough
