The Change Advisory Board (CAB) is the most widely known ITIL component. It’s also widely misunderstood. Here’s the quick lowdown on CAB.
What is CAB?
CAB – known formally as the Change Advisory Board, is a group of people who are tasked with evaluating changes to the IT environment. It can be as simple as an email distribution list, or as formal as a Chairman-led, take-minutes, raise-your-hand-to-speak board. The culture and the business needs of the organization determines what’s appropriate.
The CAB is comprised of technical staff and key decision makers. There’s no set rules for who’s on CAB. The Change Manager ensures the right people with the right information, knowledge, and background are there to effectively review each change.
It’s not uncommon for Subject Matter Experts to be called in to help review and advise on specific Change Requests because of the nature of the Change. ( i.e. Senior Network engineer for router changes.)
‘CAB’ and ‘Change Management’ are not the same. CAB is focused exclusively on reviewing Change Requests for risk and unintended consequences, and advising the Change Manager of their findings and recommendations. Change Management is the broader capability that manages the entire process of raising, reviewing, evaluating, approving, and tracking and overseeing all changes.
What’s a Typical ITIL CAB Look Like?
CAB should be staffed with representatives from all functional areas/technical disciplines, key decision makers, and business stakeholders, as appropriate. The Change Manager organizes and runs the CAB meetings.
- Senior Network Engineer
- Senior Application Development engineer
- All Operations Managers
- Service Desk
- Server/Infrastructure engineer
- Senior Security Engineer
- Information Security Officer
- Business Relationship Manager(s)
- Service Owners
- Business users
What’s the CAB do?
Let’s just get this out of the way up front – Change Advisory Board is often misunderstood to be the Change Approval/Authorization Board. It’s advisory because it’s job is to review proposed changes, and advise the Change Manager of the results of their findings.
It’s the Change Manager who ultimately approves (or rejects) Changes.
With that out of the way – here’s what the CAB does:
- Review Request for Change (RFC). Use knowledge, experience, and background to asses change for risks and unintended consequences
- Ask probing questions to fully understand the proposed change
- Evaluate proposed change for risks, and mitigation.
- Ensure that business outcomes are documented and well understood
- Schedule and prioritize changes
- Evaluate if the proposed Change will give the intended outcomes without adversely impacting the business.
- Ensure the proposed time is appropriate (doesn’t conflict with business needs, other change, or operational activities)
- Ensure technical and architectural standards are met
- Determine likelihood of unintended impacts
- Make recommendations to reduce risk, increase likely success, and minimize business impact.
- May request a more in-depth, formal Change Evaluation for a given change. CAB uses the findings of Change Evaluation to asses the Change.
What Changes have to go to CAB?
Generally, all changes to the production environment are brought to CAB for review. If there is delegated Change Authority, (which I highly recommend ~ See Five Lessons from Implementing ITIL Change Management), smaller changes may be reviewed by the delegate.
If every tiny tweak has to come to CAB for full review and approval, staff are likely to find ways to get around it.
Standard Change to the rescue! Standard Changes are well understood (generally have documented processes), and are low risk. The standard process is reviewed by CAB, and once approved, is used in daily operations to manage standard changes. (See Whats the difference between Standard and Normal Changes in ITIL.)
Whatever structure you put in place, be sure to document it, and make sure everyone understands it well.
What Authority Does CAB have?
Change Management is a control process – it’s intended to control changes to the environment. CAB is part of that process, but is not the decision maker. The Change Manager herself is ultimately accountable for approving/rejecting changes.
The Change Manager will generally follow the advice of the CAB, but can approve Changes (for many reasons) that the CAB has recommended against.
It’s best to make this clear early and often. Clarity in Ownership and Accountability is critical for a successful ITIL CAB.
What are you waiting for?
While Change Management may be more complex, CAB is pretty much CAB – as I’ve described here. Best to keep it simple and focused on quickly implementing business requested changes, while managing risks and minimizing unintended consequences.
Have a CAB? Thinking about implementing one? Let’s hear from you!