Killing CAB, Part 2: Delegated Change Authority

What if I told you there’s a way to effectively manage changes without CAB reviewing each one? Would you be interested?

Yeah, you and everyone else in the IT world.

In this second article in the Killing CAB series, I’m going to talk about delegated change authority to further reduce changes coming to CAB, while maintaining or improving the overall quality of changes. (If you’ve not read Killing CAB, Part 1, you may want to read that first.)

Goal of change management

Let’s start with a clear set of objectives for change management:

  1. Supporting timely and effective implementation of business-required changes
  2. Appropriately managing risk
  3. Minimizing negative impact
  4. Ensure changes achieve desired business outcomes

So, whatever we do in managing IT changes, it must accomplish these. Notice that CAB isn’t mentioned? Weekly meetings aren’t mentioned. Neither are RFC forms, ITSM tools or a host of other change management stalwarts?

What we do have are desired outcomes of change management.

So, here a radical thought:

If it’s about achieving outcomes, what if we could do so without bringing all changes to CAB?

Role of subject matter experts

The very premise of the traditional CAB reveals an underlying belief that changes must be individually inspected by a third party to ensure quality. An antiquated thought that Edwards Deming, along with a host of other thought leaders dispelled decades ago. In modern terms, changes are built by subject matter experts, in many cases the very ones who sit on CAB.

For Change Management to mature as an organizational capability, it must become increasingly concerned with the overall change process (and less about individual changes.) It’s a balancing act, because the average CAB spends most of it’s time reviewing changes, with very limited focus on the bigger picture and higher risk changes.

The antidote? Delegate part of CAB’s responsibility.

Finding the right balance is the challenge, and it’s time to take a fresh look, with an eye to how we can most effectively achieve the outcomes, without undue bureaucracy and delay.

Any reasonable form of CAB is comprised of subject matter experts who collectively review proposed changes. Their combined knowledge and experience can uncover hidden risks or likely problems.

Which is fine as far as that goes, but subject matter experts are just that – expert in a specific area of technology. They take pride in what they do, and work very hard to ensure the success of their teams. In other words, they’re undoubtedly already doing their best to ensure changes work as intended.

So… if your SMEs are already doing what they do in the course of their primary job, aren’t they doing the work of CAB, only embedded in the technical teams?

It’s a really good question.

Delegated change authority

For many changes, the answer is yes, CAB adds very little in the way of impact reduction and risk management. In these cases, CAB is little more than communication and coordination, which can be readily done outside CAB with well orchestrated delegated change authority.

Establishing a clear and well-understood structure for delegating change authority is an effective way to achieve change outcomes without CAB review of every change.

The concept is pretty straight forward, really: authority to review and approve certain changes is pushed to the lowest appropriate level.

When building a delegated change model, consider:

  • Organizational risk ownership – who is responsible for what levels of business impact risk
  • Scope of change – who’s impacted
  • Expectations for change documentation (compliance, audibility, transparency, coordination)
  • Communication and coordination of changes

In practice, delegated change authority can take many forms.

Hierarchal Delegation

One very common approach is a hierarchal delegation. Pretty straightforward – as business impact and risk rise, the level of approval required elevates as well.

Domain Delegation

Another common delegation model is domain delegation, where changes within a certain, defined domain are delegated.

This model acknowledges that many changes have localized risk and can be effectively reviewed and authorized by a local authority.

For instance, a company with offices in multiple locations may have local network operations managers at each site, in which case change authority can be delegated for network changes that only impact the local site.

If changes could potentially impact other sites – when making changes on wide area routers, or a regional data center – elevate to the next level.

The tension between local change authority, and with it the agility to respond quickly to business needs, and the accountability of potentially losing that autonomy creates an effective balance of managing risk in delegated authority.

Obviously similar delegation can be implemented for infrastructure and applications, significantly reducing the changes that come to CAB.

Naturally, if a delegate is not completely sure of the impact of a proposed change, or is not entirely convinced there may not be impact to other parts of the business, they will likely choose to escalate the change to the higher level “to be safe”.

Challenges with delegated change authority

While effective delegation of change authority can greatly streamline and simplify effective change implementation, it is not a fix-all.

Delegated change authority can introduce ambiguity and opportunities for confusion and conflict. Keep the structure as simple as possible and easy to communicate. Ensure roles and responsibilities are clear and understood by all staff.

Delegated domains should be logical groupings with few exceptions. For instance, all network changes at a remote office are delegated to the local operations manager.

Inconsistent handling of delegated changes opens the door to:

‘I thought it was yours’,

‘no it was clearly yours’

Kinds of misunderstandings.

Likewise, change delegation can become a game of blamesmanship – introducing new opportunities to blame others when things go wrong. This is the exact opposite of the desired result.

Delegated changes can create blind spots where a change approved by one authority may not be visible to other change authorities. Worse, operational staff may be unaware that an issue they’re troubleshooting was caused by a change approved elsewhere.

Making delegation work

Keep in mind that change authority is always delegated from higher to lower authorities, and if changes are approved that cause issues or negatively impacts the business, delegated authority can be revoked.

Keep change delegation  as simple as possible. Well-understood domains (like network, infrastructure, etc.), and clear criteria are key.

Keys for success:

  • Culture – take into account the org’s culture around ownership and accountability
  • Clarity – create clear documentation of the delegation model. Establish clear criteria to delineate what changes must be escalated, and to what level.
  • Simplicity – make the model simple and repeatable. Eliminate unnecessary bureaucracy and complexity.
  • Consistency — eliminate exceptions and variance in how changes are handled.
  • Communicate – ensure all parties clearly understand delegated change roles, responsibilities and expectations
  • Coordination – change management retains responsibility for coordinating all changes. Make corrections if problems arise with delegated authority, All changes must be visible to all stakeholders.
  • Accountability – all stakeholders must understand and be held accountable for fulfilling their role.
  • Transparency – maintain and review operational metrics to ensure desired results are achieved.

In this second of three Killing CAB articles, I’ve covered delegated change authority. As change management shifts its focus away from individual changes to building an effective change capability, fewer and fewer changes are brought to CAB. This allows change management to begin fulfilling it’s intended role as an organizational capability to ensure timely and effective implementation of business required changes while minimizing negative impact and increasing business value.

Photo Credit: barnimages.com Flickr via Compfight cc