The New Role of Change Advisory Boards in an Automated World
In a constantly changing world, processes that worked well a short time ago no longer function as intended. One such process is how your Change Advisory Board (CAB) operates.
The purpose of adopting frameworks like DevOps was to accelerate value by enabling continuous integration and continuous delivery (CI/CD). But by requiring every change to go before the CAB for review and approval, it defeats the agile intent of the process.
Using the CAB to evaluate every change also ties up valuable employee resources. CAB members are often the organization's top-level IT and tech leaders, and their time and talents are precious.
Organizations can take pressure off of members by shifting the CAB's role in the change process. Instead of evaluating every change, the CAB can convene on an ad-hoc, as-needed basis. Certain standard changes can be designated for review by individual CAB members and marked for pre-approval or further discussion in advance of the deployment stage. Shifting the CAB's focus allows for more-rapid value creation and efficient use of resources, while still allowing the CAB to function as necessary.
These 4 steps will further reduce CAB dependence and accelerate value creation in IT Ops.
- Develop a model for standard changes that don't need manual approval
- Identify and monitor key metrics that reveal change risk through Artificial Intelligence (AI) and Machine Learning (ML) backed analytics
- Identify opportunities to automate change approvals where possible, and have one change enablement manager to manage low-level risks
- Call the CAB only for high-risk situations or top-level strategic calls, and have the team meet virtually rather than in-person
These actions free up the CAB members' time, accelerate value creation, and positively affect CI/CD goals within the organization.
Developing Change Models to Make More Changes Standard Changes
Within the ITIL v3 and v4 are three main types of changes. These are:
- Standard Changes, which are low-risk and pre-authorized, with a well-known procedure for resolutions
- Emergency Changes that be implemented immediately, such as in the event of a major incident
- Normal Changes, or anything not covered under standard or emergency change categories
Any changes that have a low risk of failure should be handled as standard changes. The majority of changes within an organization should be standard, with resolution and rollback procedures in place in the event of a problem. Standard changes following a known procedure can be pre-approved and resolved without the CAB. This lets the CAB spend its time on emergency changes and other duties.
Normal changes shouldn't be a common occurrence. When they do arise, they don't necessarily need CAB review to resolve. They should be evaluated and modelled so that they can act like standard changes in the future. Sometimes, breaking up the change into smaller components can facilitate the process. That way as many components of the change can fit a standard model as possible, while truly novel components can be considered in isolation.
The goal is modelling changes so they can be pre-approved quicker and implemented. As the volume of standard changes increases, there's an opportunity for more change automation with less need for CAB involvement.
Even if the CAB may have originally reviewed every change in your organization, it doesn't have to continue operating like that.
"Having the CAB sign off every change request might have been the only way the organization knew how to address the auditing requirement in the past," says DevOps consultant Kaimar Karu. "This was definitely not the advice in the ITIL guidance."
Using Analytics to Monitor Change Risk
Organizations can leverage data to analyze changes for sources of risk. Developing a model for change risk allows IT operations leaders to create and monitor metrics that "take the temperature" of changes. Leadership can rapidly assess risks, eliminate delays in evaluating and resolving changes, and create more intuitive IT change risk management in the organization.
Some metrics can be derived directly from the data, while others can be the result of complex ML modelling. ML can evaluate the predictive power of given change risk factors, gradually developing causation models that focus on the best predictors. Over time, ML modelling can correlate incidents and problems with risk factors, generating more-accurate results and piecing together a narrative that can isolate which factors and development practices give rise to change risks.
One Numerify customer accomplished this goal by assigning a "change risk credit score" to each change manager in the organization. This numerical score was derived from a number of risk factors and could be improved through the manager's actions and results. This behavioral KPI revealed cause-and-effect relationships, which resulted in faster resolutions with less time, money, and effort spent on addressing change-related issues.
Organizations can develop additional predictive models and KPIs using ML and AI to enhance the process. Having an objective risk score assigned based on modelled risk factors streamlines responses and allows change management to make decisions without delay. In this scenario:
- Low to medium risks can be accepted
- High risks can be reviewed by CAB, frozen, broken up, or dealt with using other strategies, as appropriate
The change risk model should be accessible for evaluation using clear visualizations, with a self-service dashboard for follow up investigations. This will cut down on labor-intensive manual data extraction and analysis, which can lead to decision delays of days — if not weeks.
Reducing the Need for a CAB Meeting to Obtain Change Approvals
It's important to remember that CAB stands for change advisory board, not change approval board. The intent of the CAB was never to run every change through it, nor to use it on standard changes.
Risk management can be streamlined using analytics, metrics monitoring, and a scoring system, as well as automating low level changes. The CAB should only be called for regular strategic updates, and CAB meetings should be held virtually.
This shift also reduces the need for emergency CAB meetings. Instead, change enablement managers can monitor changes proactively. High risk changes can have rollback measures in place when implemented, with top IT experts on call for a possible response.
Giving the CAB a Strategic Role in IT Organizations
This new role for the CAB is strategic, as Google suggests: "By shifting detailed code review to practitioners and automated methods, the time and attention of those in leadership and management positions is freed up to focus on more strategic work. This transition, from gatekeeper to process architect and information beacon, is consistent with the practices of organizations that excel at software delivery performance."
The strategic focus reduces the strain on precious human resources, while allowing for the constant flow of CI/CD. This has become especially important during a time of global crisis, when the majority of organizational teams are working remotely.
Organizations can employ strategic thinking that's guided by IT analytics and processes modelled on past successes, creating a CAB review model that's effortless rather than painful. Using it only as needed, they will preserve value while accelerating creation through the delivery of constant updates that improve product and customer satisfaction.
Learn more about how the Change Advisory Board's role must evolve in a DevOps world in our webinar: "DevOps & AI: Do we still need ITIL Change Management?"