--- name: change-management description: Manage IT changes through standardized approval, risk assessment, scheduling, implementation, and review processes. Use when submitting change requests, assessing change risk, coordinating change windows, managing CAB approvals, tracking change success, or handling emergency changes. Triggers on phrases like "change request", "CAB", "change approval", "maintenance window", "emergency change", "change advisory board", "change risk assessment", "deployment window". --- # IT Change Management Standardize and control IT changes to minimize risk while enabling efficient delivery of improvements. ## Workflow ### 1. Change Request Submission & Classification 1. **Change request creation**: - Submit via change management portal or ITSM system - Required fields: description, justification, implementation plan, rollback plan, affected services/CI, risk level, backout criteria - Attach: test results, vendor documentation, screenshots - Link related incidents, problems, or known errors 2. **Change classification**: - Standard change: pre-approved, low risk, routine (password reset, patch deployment, certificate renewal) - Normal change: requires review and approval (new deployment, configuration change, infrastructure addition) - Emergency change: urgent fix required, expedited process (security patch, critical bug fix, outage resolution) - Major change: high impact, broad scope, requires executive awareness (data migration, platform upgrade) 3. **Initial risk assessment**: - Automated risk scoring based on: systems affected, users impacted, change complexity, time of execution, historical similar changes - Risk categories: Low (score 1-3), Medium (4-6), High (7-9), Critical (10+) - Auto-approve standard changes with score ≤ 3 - Flag high-risk changes for additional review ### 2. Change Review & Approval 1. **Change Advisory Board (CAB) process**: - Weekly CAB meetings for normal changes scheduled within the week - Emergency Change Advisory Board (ECAB): ad-hoc for urgent changes - CAB members: infrastructure leads, application owners, security representative, change manager - Review criteria: business justification, risk assessment, testing evidence, rollback plan, scheduling conflicts 2. **Approval workflow**: - Standard changes: auto-approved (pre-authorized change model) - Normal changes: manager approval + CAB sign-off for medium/high risk - Emergency changes: change manager + one technical approver (post-facto CAB review within 5 business days) - Major changes: CAB + executive sponsor approval - Conditional approvals with specific requirements 3. **Peer review and validation**: - Technical peer review of implementation plan - Security review for changes affecting security controls - Compliance review for changes affecting audited systems - Performance impact assessment for infrastructure changes - Capacity impact analysis for resource-intensive changes ### 3. Change Scheduling & Coordination 1. **Maintenance window planning**: - Identify optimal maintenance windows (low traffic, business-impact consideration) - Check blackout periods (end of month, major releases, holidays) - Coordinate with related changes (dependency ordering) - Reserve window and block calendar - Communicate planned downtime to stakeholders 48 hours in advance 2. **Communication plan**: - Internal notification: affected teams, support staff, management - External notification: customers/clients for user-facing changes - Status page update for planned maintenance - Post-change verification communication - Rollback notification if change fails 3. **Readiness checklist**: - Implementation team briefed and available - All prerequisites met (dependencies, backups, testing) - Rollback plan validated and resources ready - Monitoring dashboards prepared - On-call coverage confirmed ### 4. Implementation & Monitoring 1. **Change execution**: - Follow documented implementation plan step-by-step - Document actual start/end times vs planned - Log each step completion and any deviations - Real-time monitoring of affected systems - Communicate progress at key milestones 2. **Quality gates during implementation**: - Verify each step completed successfully before proceeding - Health checks on affected services after each major step - Performance metrics comparison to pre-change baseline - Error rate monitoring for spike detection - Rollback trigger criteria defined and monitored 3. **Issue handling during change**: - Pause change if unexpected issues detected - Assess: proceed with modified plan, continue as planned, or rollback - Escalate to change manager for decision - Execute rollback if rollback criteria met - Document all deviations and decisions ### 5. Post-Implementation Review 1. **Verification and validation**: - Confirm change success criteria met - Monitor systems for 24 hours post-change - Check for related incidents or user complaints - Verify rollback plan no longer needed - Update CI records and documentation 2. **Post-Implementation Review (PIR)**: - Schedule for major changes within 5 business days - Attendees: change implementer, CAB members, affected service owners - Review: change outcome, actual vs planned, lessons learned - Document: what went well, what could improve, follow-up actions 3. **Continuous improvement**: - Track change success rate by type, team, and time period - Identify patterns in failed or problematic changes - Update standard change catalog based on proven changes - Refine risk assessment model based on outcomes - Training for teams with high change failure rates ## Templates & Frameworks ### Change Request Form ``` CHANGE REQUEST — [CR-2025-0412] ================================= DETAILED INFORMATION: Change Type: □ Standard □ Normal □ Emergency □ Major Risk Level: □ Low □ Medium □ High □ Critical Category: Infrastructure / Application / Security / Network / Other DESCRIPTION: [Detailed description of the change and its purpose] BUSINESS JUSTIFICATION: [Why this change is needed, what problem it solves] IMPLEMENTATION PLAN: Step 1: [Description, estimated time, owner] Step 2: [Description, estimated time, owner] Step 3: [Description, estimated time, owner] AFFECTED SYSTEMS: [List of CIs, services, applications, and users affected] ROLLBACK PLAN: [Detailed steps to revert the change if issues arise] Estimated rollback time: [minutes/hours] Rollback trigger criteria: [specific conditions] TESTING COMPLETED: [ ] Unit testing passed [ ] Integration testing passed [ ] Performance testing passed [ ] Security review completed [ ] UAT sign-off received (if applicable) SCHEDULED WINDOW: Start: [Date, Time, Timezone] End: [Date, Time, Timezone] Duration: [hours] ``` ### Change Success Metrics ``` CHANGE MANAGEMENT METRICS — April 2025 ======================================= CHANGE VOLUME: Total changes: 87 Standard: 45 (52%) Normal: 32 (37%) Emergency: 8 (9%) Major: 2 (2%) CHANGE SUCCESS RATE: Successful: 82 (94.3%) Failed (rolled back): 4 (4.6%) Failed (partial): 1 (1.1%) Target: >90% ✓ CHANGE-RELATED INCIDENTS: Incidents caused by changes: 3 (3.4%) Target: <5% ✓ Top cause: Database migration (2 incidents) TIMELINESS: On-time implementation: 85/87 (97.7%) Average approval time: 18 hours Average implementation time: 2.5 hours ``` ## Integration Points - ITSM platforms (ServiceNow, Jira Service Management, BMC Remedy): Change tracking and workflow - Configuration management database (CMDB): CI impact assessment - Monitoring systems: Post-change verification and alerting - CI/CD pipelines: Automated change creation for deployments - Communication tools: Stakeholder notification automation - CMDB and service mapping: Dependency analysis for change impact - Risk management platforms: Integrated risk scoring - Audit systems: Change evidence collection for compliance ## Edge Cases - **Emergency change during active incident**: Bypass standard approval; implement with change manager verbal approval; document and review in ECAB within 48 hours - **Vendor-mandated changes** (security patches with strict deadlines): Expedited review; leverage vendor testing evidence; pre-approved change model - **Change failure during business hours**: Assess rollback vs continued implementation risk; communicate to stakeholders immediately; escalate to management for decision - **Repeated failed changes**: Suspend change type for review; require enhanced testing; additional CAB scrutiny for future similar changes - **Decommissioning changes**: Extended verification period; data archival confirmation; DNS/service removal validation ## Integration Points - ITSM platforms (ServiceNow, Jira Service Management, BMC Remedy): Change tracking and workflow - Configuration management database (CMDB): CI impact assessment - Monitoring systems: Post-change verification and alerting - CI/CD pipelines: Automated change creation for deployments - Communication tools: Stakeholder notification automation - CMDB and service mapping: Dependency analysis for change impact - Risk management platforms: Integrated risk scoring - Audit systems: Change evidence collection for compliance ## Edge Cases - **Emergency change during active incident**: Bypass standard approval; implement with change manager verbal approval; document and review in ECAB within 48 hours - **Vendor-mandated changes** (security patches with strict deadlines): Expedited review; leverage vendor testing evidence; pre-approved change model - **Change failure during business hours**: Assess rollback vs continued implementation risk; communicate to stakeholders immediately; escalate to management for decision - **Repeated failed changes**: Suspend change type for review; require enhanced testing; additional CAB scrutiny for future similar changes - **Decommissioning changes**: Extended verification period; data archival confirmation; DNS/service removal validation ## Output ### Change Management Dashboard ``` CHANGE MANAGEMENT — April 2025 =============================== CHANGE VOLUME: Total changes: 87 Standard: 45 (52%) Normal: 32 (37%) Emergency: 8 (9%) Major: 2 (2%) SUCCESS METRICS: Success rate: 94.3% (82/87) ✓ Change-related incidents: 3 (3.4%) ✓ On-time implementation: 97.7% Average approval time: 18 hours PENDING CHANGES: Awaiting CAB review: 7 Approved, scheduled: 14 In implementation: 3 Emergency (ECAB): 1 UPCOMING MAINTENANCE: 2025-04-22 02:00 — Database migration (P2, 4hr window) 2025-04-25 01:00 — Security patch deployment (P3, 2hr window) 2025-05-01 00:00 — Major platform upgrade (P1, 8hr window) BLACKOUT PERIODS: April 28-30 — Month-end processing (no non-critical changes) May 23-26 — Memorial Day holiday CAB SCHEDULE: Next CAB: April 18, 10:00 AM Open action items: 5 Overdue PIRs: 1 (due April 16) ``` ## Trigger Phrases "change request", "CAB", "change advisory board", "change approval", "maintenance window", "emergency change", "change risk assessment", "deployment window", "change implementation", "rollback plan", "standard change", "change management", "post-implementation review", "change success rate", "ECAB"**