Change Management is a key ITIL Transition stage process and one of the most important processes in service management. The Change Advisory Board (CAB) plays a major role in the initiating phase of change management, so a few more things should be said about it here.
ISO/IEC 20000 is a process-oriented standard and it doesn’t mention the CAB role specifically, but it has a set of specific requirements which have to be fulfilled. To define the roles for meeting specific assessment requirements, it is only logical to turn to the ITIL best practices.
Why do we need the CAB?
The Change Management process must have an owner. In ITIL, he/she is called the Change Manager. In smaller organizations, this role can be combined with other non-conflicting roles: Service Manager is a good example. The Change Manager can efficiently handle preapproved and smaller standard changes, no sweat. But when it comes to assessing, prioritizing, authorizing and scheduling complex changes with higher impact and risks, a group of competent people is needed. They will attend periodically scheduled meetings, address the proposed changes and review the resolved changes.
Who are the CAB members?
Membership of the CAB can vary with the change complexity, impacted business processes and technology. There are usually a few permanent members, with the Change Manager being the first of them. The next one is the Configuration Manager, the person who knows everything about infrastructure. Others can vary: all IT people competent in the impacted service technology, a business representative, a vendor representative providing underpinning support to the service, etc. Other usual suspects who can help include:
- Service Desk Manager or Analyst
- Operation Manager
- Application Manager
- Information Security Officer
- Superman (If you can get him, no need to read further.)
In case of an emergency change, a CAB subgroup called the Emergency CAB (ECAB) will be in charge. Remember, in ITIL V2 they were called the emergency committee (CAB/EC).
In my opinion, the best place to define the CAB membership is in the Change Management Policy.
How does the CAB operate?
Well, during day-to-day service management the CAB meetings will be scheduled and chaired periodically by the Change Manager. Depending on the organization size and change frequencies, they can be conducted monthly, weekly or daily. Smaller organizations usually can live with a CAB meeting every two weeks, or weekly, to keep the rhythm and flow. I have seen even very large organizations operating smoothly with weekly CAB meetings. A tip: it helps if the change approval cycle is defined as longer than the period between CAB meetings.
During the CAB meetings, a typical agenda will look like this:
- Review the minutes from the last meeting
- Review changes implemented during the previous period
  - Failed changes
  - Backed-out changes
  - Successful changes
  - Incidents resulting from implemented changes
- Review/assessment of proposed Requests For Change (RFCs)
  - Risk and impact in terms of:
    - Service and Service Level impact
    - Capacity and performance
    - Security and compliance
    - Financial
    - Etc.
  - Resources involved
  - RFC prioritization
It might be handy to keep a template in the template database that defines the CAB meeting agenda/meeting minutes specific for the organization’s needs.
Conclusion
In case it was not clear from the above, CAB members attend the meetings, and provide advice to the Change Manager. The decision is always up to the Change Manager. Too often I notice the misunderstanding of the CAB acronym as Change APPROVAL Board, as opposed to its actual title of Change ADVISORY Board. The Change Manager is responsible for the change approval, based on all the ADVICE provided by the CAB. That’s why the appointment of the members is so important. And I feel it should be defined in the Change Management Policy.
If you choose a less-than-competent business representative, the meetings will drag along, waiting for approval by his/her superior. On the other hand, if you choose a person too high in the hierarchy ladder, he/she might often be unavailable for the meeting due to more important things he/she has to attend to. The same goes for the technology representative. How does your organization deal with this?