Unwanted change to infrastructure is a leading cause of IT woes. Service availability outages, increased compliance costs, and the overall time and effort devoted to chasing change are just a few of the many problems faced by IT operations every day.
In an effort to “get in front” of the change problem, many organizations have invested heavily in solutions such as the change management components of BMC Remedy Service Management or BMC IT Service Management for Mid-sized Businesses (formerly “Magic”). These are widely deployed, market-leading products that do a great job of automating the process of managing change. So why do many organizations that have implemented these products fail to fully realize their expectations for control over change, and ultimately ROI?
The fact is that most change management implementations, regardless of vendor, fail to bring all change under control. Invariably, there is a gap between what the change management process says is happening and the change that is actually occurring across the IT infrastructure. This “Change Control Gap” is typically the result of process failure, not product failure. First of all, most processes are designed around the desired, and assumed change practices of the organization. They do not adequately consider actual change behavior, which is often largely unknown. This puts the process at odds with reality from the start. Secondly, the best process, even with a high-degree of automation, must be understood, socialized and religiously followed by the entire organization in order to succeed. This is a very difficult achievement even for mature organizations. Finally, most breakdowns to the process go undetected, at least until a major problem occurs. Even when detected there is no sustainable accountability mechanism. As a result, the process deteriorates over time and the gap widens.
The change control gap, in turn, creates an ROI gap for change management implementations. Even if 80% of change goes through process, it is the 20% of the change eluding process that keeps organizations from realizing much of their expected ROI. See Figure 1.
Closing the Gap
So is implementing a change management solution a waste of time and money? The answer is no. Change management solutions are absolutely necessary for the achievement of overall IT service management goals. However, to fully meet expectations, a change management implementation needs an additional ingredient: Closed-loop control.
Organizations that recognize the need to close the loop on their change management processes often assume the answer is additional process automation combined with periodic checks on the state of the infrastructure. They attempt to link the change management solution with a change provisioning or datacenter automation tool to close the loop between approval and deployment. They may also invest in a configuration management database (CMDB), which helps track the state of the infrastructure and its internal dependencies. Both of these approaches have great value and are recommended practices for achieving ITIL maturity. However, they do not close the change control gap. Change still happens outside of the process and the CMDB, even when fully implemented and fed by surrounding processes, typically has neither timely nor complete information about such change.
What’s needed to close the gap is a specific form of closed-loop control at the infrastructure level that is tightly integrated with the change management solution. Closed-loop control starts with three fundamental capabilities:
1. Continuous change auditing: This means capturing each relevant change to the infrastructure as it happens and capturing all the pertinent details regarding that change, including who made the change, what specifically was changed, exactly when the change was made, and what program was used to make the change. Note that continuously auditing change actions is fundamentally different from “periodically” auditing the state of the infrastructure.
2. Change validation against change requests: This involves using all the information captured about actual change to group changes intelligently and match them against change requests in the change management system.
3. Real-time change prevention: This is the capability to actually prevent change from occurring without a valid change request. This must be fine-grained and flexible to match the needs of different environments.
