A widely cited Gartner research report concludes that "80 percent of mission-critical application service downtime is directly caused by people or processes failures. The other 20 percent is caused by technology failure, environmental failure or a disaster" Often these failures result from the modification of software, loading a software patches to fix a security flaw or add some new functionality or the mis-configuration of critical servers or network devices. For example, important information services may be cutoff by mis-configuring security or communications devices such as network firewalls or routers.
IT management best practices such as those provided in ITIL emphasize the importance of change management. While often derided by IT practitioners as consisting of unnecessarily bureaucratic procedures that actually impede the practitioner's ability to quickly respond to customer requests, change management processes are intended to ensure that system changes are properly authorized, prioritized and tested, and that all interested parties are informed regarding proposed changes. Element of an effective change management process include:
- Selection of the appropriate and qualified staff to participate on the change management team.
- Establishment of formal change request and tracking system.
- Regular scheduling of change management team meetings.
- A formal means of ensuring that approved changes, including their implementation schedules) are communicated relevant stakeholders.
- A formal means, such as regularly scheduled system audits, to ensure that change management practices are being followed.
When system outages cost $20,000 a minute (see mini-case insert) the need to invest in a disciplined change management system becomes much clearer. Organization must assess the consequences of particular system failures to determine the level of investment in change management that warranted for the particular system. While recognizing that highly formalized procedures can pose an unacceptable burden on small- and medium-sized organizations, these organizations are still likely to benefit from managing change.
The Potential Costs of Poorly Managed Change: Results of an Untested Software Upgrade
A firm conducting much of its business over the internet suffered a IS service failure during its peak sales season just before Christmas. The failure, the firm's web servers began to lockup so tightly that they could not even reboot themselves. This particular firm conducts almost 80% of its annual business in the weeks preceding Christmas. Losses were estimated at approximately $20,000 a minute. The cause of the failure was a supposedly “minor” software upgrade that a programmer made just prior to departing on holiday. It took the firm over 24 hours to discover the changes that had been made and even more time to back out the change to restore service. The programmer, once contacted, insisted that it was “inconceivable” that his change would have caused this outage (Behr, Kim and Spafford, 2004).
Before leaving the topic of change management, it is also useful to introduce the closely related topic of configuration management. While the term is sometimes used interchangeably with change management, configuration management refers specifically to implementation of a database that records critical elements of the IT infrastructure and applications necessary for the provision of IT services. The database should not simply be viewed as an IT inventory. Properly conceived and implemented, a configuration management database (CMDB) will include information documenting movement, maintenance, and problems experienced with various configuration items. Configuration items, those elements under configuration management and recorded in the CMDB, can include policies and procedures, human resources in addition to the hardware and software one would typically expect to find in an asset inventory database. Configuration management provides a necessary foundation for an effective change management process and as we shall see below contributes to the effectiveness of multiple service, infrastructure and security management processes.
- 2129 reads
