Is Change Control Killing Your Business? -- Redmondmag.com

Is Change Control Killing Your Business?

Change control can sound good on paper, but it can also be used to shut down change entirely. Here's the process controls you'll want to implement to make sure innovation stays alive and keeps you (and your employer) happy.

By Don Jones
07/01/2010

More and more of today's businesses are adopting change-control and IT-management frameworks. There are great reasons to do so; after all, change is the leading cause of problems and failures in IT, so putting some brakes on change -- and properly managing it -- can help add a lot of stability to an environment.

However, as I work with customers on consulting projects, I often see change control being used as a hammer to shut down change entirely. "Oh, you want a new virtual machine spun up, do you? Well, that's going to have to go through the [insert spooky voice] change-control process! Bwa ha ha!"

Why Use Change Control?
Typical change management processes look like this -- at least on paper:

Someone in the business asks for a change in the environment.
IT has to review the change and prioritize it.
Someone else in IT develops the change, and a third person in IT might review it for accuracy.
A final person in IT approves the change for deployment, and the change is implemented.

This process has three important components: First, changes are scheduled, meaning they're happening at a known time, presumably when there will also be time to deal with unforeseen negative consequences that may arise. Second, changes are deliberate, meaning one or more people think about them and what might go wrong, and try to implement the change in a way that won't break anything. Finally, changes are documented, so if something negative does happen, there's a written trail of what might have caused it.

Let's face it: We in IT have always used our superior technical knowledge to repress our users. If we could get away with wearing burlap robes with rope belts, chanting Latin in the datacenter, you know we'd do it. We know that some of the stuff our businesses ask of us is annoying and inefficient, and we just don't want to do it.

Change control, unfortunately, provides a wonderful shelter when IT just doesn't want to do something. We shunt users through endless forms and query cycles.

I recall one example, where a client of mine wanted a virtual machine (VM) that would host a Web site. After six months and back-and-forth with IT and its change-management process, the business unit paying for the VM decided to get a hosted server at GoDaddy. It was cheaper, and it was running in a couple of hours. That's a horrible thing for IT to drive the business to do.

Kinder Change Control
The solution is to put some controls on change control. While change control is absolutely beneficial, it shouldn't be stopping the business from getting what it needs. Consider adopting a "Business Bill of Rights" that outlines some key protections that the business can use to override spurious change-control objections such as this:

The change-control process will be as smooth and as easy as we can make it for the business, and it will not consume time without a tangible reason that can be mapped to a business benefit.
If the business is willing to pay for it, then the business can have it in a timely fashion.
When IT tells the business how much something will cost, IT will use real numbers based on actual costs -- not made-up numbers that reflect IT's unwillingness to do the work.
Security risks by themselves are no reason not to do something. Dig to find the underlying business reason, such as, "We can't expose that kind of data because we'll be fined by the government." Then let business decision makers pit the competing business requirements against each other.

Today's businesses need to wring more and more out of IT, and sometimes IT resents it. Don't: The more work you're doing, the more you're needed and the safer your job is. Never say "never," and never use change control as a way of saying "no" without saying it.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author Evangelist for video training company Pluralsight. He’s the President of PowerShell.org, and specializes in the Microsoft business technology platform. Follow Don on Twitter at @ConcentratedDon.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.