Three key elements of assessment and evaluation of changes according to ITIL
Changes tie up many resources inside your organization – management, developers, technicians, operations people, etc. But are all changes equally important? Do they all need the same approach? This question can sound tricky, but it’s not. Neither is the answer – no, they do not all have the same importance.
To recall the basics of the change management process, read the article Elements of Change Management in ITIL. In that article, we said that there are three types of changes: standard, emergency, and normal change. But, the types of changes still don’t say anything about the importance of the particular change, or rather, the request for such a change (which is a trigger for the change process). We need to assess and evaluate changes to set the importance of a particular Request for change.
Once there is a Request for change, you have to log it with all relevant data. That will be your Change record, which must be kept up to date throughout the lifecycle of the change (i.e., from creation until implementation and review). I usually find that every organization defines its own content for the Request for change. It usually happens that different categories of changes should record different sets of information. Once your change is logged, its initial category should be assigned. The change category depends on a few parameters:
- Level of risk – there are no changes without risk. So, here you will assess the risk associated with the change.
- Costs – every change has its costs. Some of them are minor, but it could be that significant financial resources are required.
- Scope and relation to other changes – changes that are requested or are in development need to be considered in order not to overlap the activities or, even worse, to come into conflict with changes that have already begun.
The category will dictate the authorization of the change, which can even go outside the Change Management process. ITIL sets another process related to changes: the Change Evaluation process (you can learn more about this process in the following article: ITIL – Change Evaluation Process).
According to the above-mentioned parameters, there are a few categories of changes:
- Minor – low level of risk and costs
- Significant – moderate level of risk and costs
- Major – high level of risk and costs
How do assessment and evaluation work?
First of all, assessment and evaluation are critical to proceeding further. Can you imagine what would happen if a proposed change to a critical banking system, e.g., the ATM service of an international bank, went ahead without evaluation, and once the change started, the ATM service stopped?
Every change has its authority for approval, and that same body (or person) is in charge of assessing and evaluating the change. Let’s see what is required to assess and evaluate change.
Risk evaluation – I noticed that larger organizations have well-developed risk assessment procedures. But, if you are not a large organization, there are many “simpler” risk assessment methodologies. Basically, the risk of the change depends on its impact and probability. A simple matrix can be used:
Figure: Risk categorization matrix (1 = the highest risk category)
When considering risk, you should see it from a business point of view.
Costs – Some changes cost little, while others require significant spending. Compare, for example, a change of the firmware on the firewall (one or several of them) with a change of the operating system for all computers inside the organization. Costs associated with each of the examples are quite different, aren’t they?
Impact on services – There is a nice “tool” that can help you to assess the impact of the change on other services or service assets – 7 Rs, which basically requires that you ask yourself the following seven questions:
- Who raised the change?
- What is the reason for the change?
- What is the return required from the change?
- What is the risk involved in the change?
- What resources are required to deliver the change?
- Who is responsible for the build, test, and implementation of the change?
- What is the relationship between this change and other changes?
The 7 Rs will help you assess the change from all aspects. Further on, when evaluating the impact of the change, you should consider other RfCs or changes in progress, the impact of the change on other services, and (also very important) the impact of not implementing the change.
What to do afterwards?
Once you are finished with assessment and evaluation, priority should be assigned.
Assigning priority will help you to decide about further courses of action. This means that changes with higher priority will be implemented first. Assigning priority depends on your own situation. For one person, software used in logistics may be of medium priority, but for someone else – of highest priority. As long as you know why you assigned a particular priority to the change, the situation is under control.
Priority has a direct influence on the change schedule, which is your implementation plan.
Assessment and evaluation are crucial steps in the change lifecycle. It’s not necessarily a complex task, but one thing is certain – you have to do it, and you have to do it carefully, because change can require a lot of effort (read: investment). Don’t waste it with clumsy assessment and evaluation.