1 Transforming change: four steps toward more effective change management
2 Table of contents Executive summary...3 Speed and risk: challenges for IT change...3 Transforming change: requirements for better IT change management...3 Step 1: standardize the change process...3 Step 2: consolidate service desk and CAB functionality...4 Step 3: understand your environment...4 Step 4: use automation to extend the boundaries of change...5 The end-to-end change process with HP Software...6 HP Service Manager and the HP IT Change Management suite software...6 Change in the real world: increasing service uptime at Kellogg Company...8
3 Executive summary Poorly managed change frequently accounts for more than 50 percent of the outages and performance-related problems organizations face on a regular basis. Implementing a structured, enforceable change management process augmented with automation can help your organization bring down the cost and risk of change while improving overall business performance. This paper explores some steps you can take to advance along the IT change maturity path. Speed and risk: challenges for IT change Change is hard. For IT organizations seeking to meet the demands of business on a daily basis, it can also be extremely fast. The fact is, IT organizations everywhere struggle to keep pace with demand. New developments such as virtualization, cloud computing, self-service requests, and capacity-on-demand only exacerbate the problem offering little hope to overtaxed IT organizations seeking relief. According to an IDC survey sponsored by HP, more than 75 percent of respondents expect the rate of change to increase by 10 percent or more in their organizations. Almost 30 percent expect an increase of 25 percent or more. 1 Continued adoption of virtualization and cloud sourcing options further exacerbates this. At the same time, many IT organizations must address this challenge in the context of flat or declining resources. Such pressure can lead IT to take shortcuts which can result in poorly executed change. Even for relatively simple IT infrastructures, changes made in one place can cause problems elsewhere. This can result in service disruptions or the introduction of bugs into the IT infrastructure, which can adversely impact performance. This, in turn, leads to elevated risk for IT and the business as a whole. Auditors both internal and external know all too well the risk factors associated with poorly managed change, hence the need for more audits to hedge against possible compliance failures. For organizations operating in highly regulated industries such as finance or health care, the burden of audit preparation tends to tax limited resources still further. And, if change is implemented in a haphazard, ad hoc fashion in the first place, collecting the required information for each audit can take days, weeks, or even months, depending on the size and complexity of the IT landscape. In the end, this state of affairs impedes IT s efforts to help the larger organization execute its business strategy effectively. The business and IT fall out of alignment, costs run higher, and control and security are compromised. Transforming change: requirements for better IT change management How can you approach IT change with greater efficiency and effectiveness? The answer is to implement a clear, repeatable, enforceable change management process that extends across all aspects of the IT infrastructure adding automation wherever possible to improve controls and increase IT productivity. The following describes some steps your organization can take to advance along the IT change maturity path. Step 1: standardize the change process The first step in effective IT change management is establishing a clear process with enforceable workflows that pragmatically leverages industry best practices such as IT Infrastructure Library (ITIL) v3. A typical starting point is to implement service desk functionality to standardize workflows associated with incident, problem, and change management. This can start at the departmental level and work its way out to other parts of the organization in phases as the business benefits become known. For many organizations, the long-term goal will be to implement a comprehensive end-to-end process that extends across management and technology domains and incorporates otherwise isolated silos within IT. Thus, the service desk should also be open enough to take in requests for change from a variety of different inputs. These inputs may come from end users, change requests that result from unresolved incidents, planned upgrades, new implementations, or even automatically generated change requests. 1 IDC Research, Optimizing IT and Delivering Business Value with Service Management and Automation, Tim Grieser, September
4 By standardizing the change process, you can improve change efficiency and effectiveness. You can also enforce controls making auditing easier and reducing the risk associated with change. Throughout the change process, the service desk should be able to track people and change activities to allow successful, on-time releases into the production environment on a consistent basis. It should also be intelligent enough to prioritize change based on impact to the business, and flexible enough to trigger different change workflows based on the criticality of the change requested. Simple requests, for example, should have accelerated paths with fewer steps, less required information, and automated pre-approvals. More critical changes, such as an update to an enterprise application, should follow a more rigorous process. In the end, standardized change workflows help to improve efficiency and effectiveness while reducing IT cost. Gone are the ad hoc processes that require IT staff to invent the wheel over and over again. Standardization also forms the basis for effective controls and a clearly documented change process. Auditors find it easier to review the overall record of change within your organization and IT staff finds it easier to provide the information auditors require. The result: lower IT risk. Step 2: consolidate service desk and CAB functionality As the benefits of a standardized change process make themselves evident on a departmental level, many organizations move toward consolidating change across the enterprise. One important aspect of change consolidation involves the service desk. Here, all requests for change are funneled into a single service desk for centralized management. Serving as the point of contact between business users and IT, such a consolidated service desk provides a single source of information regarding all change activity. It also enhances information sharing, helps foster communication across IT functions, and enables meaningful reporting by providing consistent metrics for IT to gauge the success of services and the efficiency of operations. Another aspect of change consolidation focuses on helping change advisory boards (CABs) do their jobs more effectively. The simple fact is that CABs are largely overwhelmed by their change management responsibilities. Often comprised of representatives from wide-ranging, geographically dispersed teams, CABs have little time to meet and evaluate the risk of each change request. To make matters worse, CAB members will often have varying degrees of interest or involvement with particular changes. The result is that many CAB members spend precious time sitting through change review meetings when they re interested in only a fraction of the changes being evaluated. To improve CAB efficiency, organizations can extend centralized change information stored in the service desk to support virtual CAB teams. CAB members should be able to analyze the change requests most relevant to them, view scheduled changes, and even conduct meetings in a remote context. The results of such efforts will be a higher percentage of successful changes, more changes made in a shorter amount of time, and a greater percentage of changes handled through standard processes as opposed to emergency procedures. Step 3: understand your environment To understand the impact of any given change request, you have to first understand the state of your IT environment. In practical terms, this requires accurate discovery and dependency mapping capabilities. A dependency map models how elements in the IT landscape relate to one another down to the configuration item level. This helps CABs and other parties involved in the change process to visualize the environment and make more informed decisions with greater speed. A dependency map helps in three specific areas that are critical for successful, efficient change management: Collision detection: With what-if scenario capabilities, a dependency map can quickly highlight the ramifications of potential change activities. This can help CABs make sound change decisions and protect IT from self-inflicted headaches that stem from poorly executed change. Change validation: Once a change is implemented, discovery functionality can run a check to validate the change, making sure that it complies with established policies and procedures. This helps speed the auditing process and reduces IT s risk exposure. 4
5 Consolidating service desk and CAB functionality helps you push through a higher percentage of changes in less time in a standardized manner that lowers risk. Unplanned change detection: By maintaining a record of the approved state of the IT infrastructure and comparing it against the actual state, a dependency map can detect unauthorized changes and take appropriate action such as opening a new change request, alerting relevant parties, or automatically generating an incident. All of this assumes that the dependency map in question is accurate and up to date which makes automated discovery a key requirement. In the past, dependency mapping has often failed due to manual approaches that require highly paid IT experts to spend tremendous amounts of time updating the dependency model and describing the rules that govern infrastructure events. This requires far too much overhead, and most organizations tend to neglect the responsibility as IT gets pulled in multiple directions. HP automated discovery uses unobtrusive probes to nearly continuously monitor the evolution of applications, services, and the IT infrastructure components that support them. By mapping the relationship between IT elements as changes occur, automated discovery capabilities make possible a nearly continuously updated dependency map that forms the basis for sound change management. The result is more efficient change management and the ability to make decisions based on an understanding of the impact to the business. Step 4: use automation to extend the boundaries of change To facilitate change effectiveness and efficiency across the enterprise, it is a good idea to incorporate as many entities as possible into the mix. Change automation capabilities enable you to do this without relinquishing change control. Take, for example, the idea of a service catalog which extends the request fulfillment and change process to non-technical business users. Through such a catalog, IT can advertise available services and provide a standardized way of ordering that collects all necessary information. Standard requests that meet predefined criteria can be automatically approved and implemented. This allows for faster change execution and provisioning. It also reduces the potential for human error while leaving behind a fully auditable record to help speed compliance-related activities. You can also extend the change process to the program management office to better incorporate strategic-level decisions. Here, the primary challenge is coordinating change activities between IT and upper-level business decision makers. To facilitate a smooth change process at this strategic level, executives and project managers need broad visibility into the portfolio of currently running and planned projects in order to better understand the impact of proposed changes under consideration. Once decisions are made with input from IT and a clear understanding of the trade-offs involved the business can hand off the change project to IT, including all documentation to support the rationale for the changes requested. This helps generate buy-in across the extended change process and better supports IT in its role as a service-providing business partner. Automation helps at the change execution level as well. The workflow for common change activities such as applying patches, executing run book procedures, or managing standard release and deployment processes can be orchestrated in an automated fashion to alleviate demand on overworked IT staff members. Such automated processes also reduce the potential for human error by strictly enforcing controls that adhere to internal policies. The result is better governance, less risk, and more time for IT staff to dedicate to value-added activities. The change management maturity path Step Step 1: standardize the change process Step 2: consolidate service desk and CAB functionality Step 3: understand your environment Step 4: use automation to extend the boundaries of change Results Lower IT risk More successful changes made in less time More efficient change management based on an understanding of impact to the business Better governance, less risk, and more time for IT staff to dedicate to value-added activities 5
6 With dependency and discovery mapping capabilities, you re better able to understand your IT environment in real time. This enables you to make better change decisions based on an understanding of the impact to the business. Greater auditability Standardizing your change management process and improving IT controls with enforceable workflows has a great side benefit: demonstrating compliance to auditors and regulators. Responding to requests for information, IT members can quickly generate audit and compliance reports based on a clear, up-to-date, electronic record of change. This helps increase IT productivity, drives down compliance costs, and fosters a relationship of trust between IT and auditors. It also frees up highly paid IT experts to focus on value-added activities that help the organization as a whole execute business strategy. The end-to-end change process with HP Software HP Software addresses the entire change lifecycle from request for change to implementation to evaluation and close. To help customers achieve success quickly, HP also offers professional services, including HP Software-as-a-Service (SaaS) and consulting offerings from HP and HP partners. With an integrated solution to simplify the change management process, HP helps you increase the efficiency of IT operations, reduce the risk associated with change, and improve costs to accelerate time to value. In the end, this empowers IT to undertake change management from a business perspective supporting better alignment between IT and the business. HP Service Manager and the HP IT Change Management suite software The HP approach to effective change management starts with HP Service Manager software specifically the HP IT Change Management suite. Offering powerful change management functionality that enables you to orchestrate and automate processes and workflow, this suite supports control and consistency over the entire change lifecycle. It also filters, prioritizes, and categorizes requests for change from a variety of inputs that involve multiple tasks, phases, and dependencies. Depending on type or criticality, different requests for change can trigger different change processes allowing standard requests that can be handled in a more automated fashion to move through the process uninhibited. Normal requests, regardless of the source, can follow more complete processes. All requests are integrated at a process and data level for incident, problem, catalog, request, release, and service level management. 6
7 Integrated IT change process End-to-end change management with built-in best practices User interaction, problem, and incident Log requests Review Assess and plan Approve Implement Evaluate and close Change advisory board (CAB) Release and deployment, request fulfillment, and configuration management One key component of the HP change management solution is HP Release Control software. Acting as a powerful CAB support tool, HP Release Control software provides complete and objective information so that CAB members can make informed decisions about change requests. Impact analysis and collision detection functionality enable CAB members to make these decisions based on a thorough understanding of the risk to the business. The software also provides a globally accessible forward schedule of change that brings all change requests into a single, common view for visibility and better planning. In conjunction with this calendar, the software provides powerful collaboration tools that support CAB virtualization so that you can better manage the CAB teams across geographies and time zones. HP Release Control is available individually and also included as part of all HP Service Manager change options. Through targeted use of automation, you can more effectively extend the change process to other parts of the organization. The result is better governance, less risk, and more time for IT staff to dedicate to value-added activities. Other HP products play a critical role in rounding out the end-to-end change management capabilities described above. These include: HP Discovery and Dependency Mapping software which provides a constantly and automatically updated picture of the IT environment, enabling a single version of the truth to support impact analysis, unplanned change detection, and change validation. HP Project and Portfolio Management software which improves coordination and alignment between the business and IT by providing an overview of projects and available resources and helping to facilitate a smooth transition from change planning to change execution. HP Operations Orchestration software which automates change execution across domains with flexible process flows that reduce administrative burden while supporting real-time inspection of results so that IT staff can monitor progress and analyze each step of the process. In the end, this change, configuration, and release management solution empowers your organization to reduce the need for emergency changes, avoid change-induced collisions, and meet compliance and audit reporting requirements with greater speed and efficiency. Automation and improved collaboration enable you to increase the efficiency of IT operations. Improved controls and automated impact analysis help reduce the risk associated with change. And embedded best practices help you implement a solution quickly while improving associated costs. Ultimately, this gives IT the ability and confidence to implement more successful changes in less time thus increasing its value to the business it serves. 7
8 Leveraging the HP change, configuration, and release management solution, Kellogg Company was able to increase the number of error-free changes processed by 40 percent. Change in the real world: increasing service uptime at Kellogg Company Kellogg Company (NYSE:K) is the world s leading producer of cereal and a leading producer of convenience foods, including cookies, crackers, toaster pastries, cereal bars, frozen waffles, and meat alternatives. As a globally dispersed company, the organization struggled with decentralized IT change management and a segregated IT environment that made it difficult to enhance IT performance in support of business needs. Driven in large part by a planned major migration of its global data center, Kellogg identified an opportunity to centralize change management. The decision to move forward was partly fueled by a desire to streamline processes associated with Sarbanes-Oxley Section 404 compliance. Accordingly, Kellogg engaged with HP Software to implement a more effective change management process. The results? Today, Kellogg enjoys an automated lifecycle solution for managing change across the globe. Leveraging the HP change, configuration, and release management solution, the company has been able to increase the number of error-free changes processed by 40 percent. In addition, it maintained 100 percent availability while relocating the data center. Well-documented processes and controls have also allowed the company to create a forward-looking schedule of change. Subsequently, Kellogg reduced the number of emergency changes, which are inherently risky, by 50 percent. Compliance with Sarbanes-Oxley Section 404 is now easier than ever. Providing documentation of change approvals, user testing, and other controls takes just half a day. To learn more about how your organization can improve change management with HP Software, visit us online at Get connected Get the insider view on tech trends, alerts, and HP solutions for better business outcomes Share with colleagues Copyright 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. 4AA0-4245ENW, Created February 2010; Updated October 2010, Rev. 1 This is an HP Indigo digital print.