We have been hearing about Change management and the process to implement the same. But we all are aware, how challenges with change management were consistent across all of the enterprises irrespective of vertical focus and still persist to some extent. As observed, few very evident themes around these challenges were generally related to difficulty handling emergency changes to material systems, unauthorized changes, and problems dealing with security and unauthorized access. We also well aware know that auditors tend to focus on particular areas or known processes. Auditors are in a constant quest of trying to answer the questions such as; did the work get completed as planned; why was the approved request not completed; and why was there no request for a particular change? A tiny but very important key to meeting many of these challenges is to have tight control on the change management process. We cannot deny that there may be loopholes in approval procedures or in the change management guidelines. Also, reporting and tracking can be a limitation due to various reasons such as; insufficient automation in change management solutions and a lack of capabilities for tracking change history.
Below listed are few of the areas that require more focus on managing change process:
- Process Management
- Approval Matrix
- Security Measures
- Unplanned emergency access/changes
Refer below listed details on the areas of concern:
- Process Management:
A very important question to be answered is to determine a start point; who will initiate the change, how the workflow for the change will be managed? Help desk has been the primary requesting application used on a larger scale by organizations for initiating and tracking changes and this can work well. Organizations are traversing into the market with many other automated process oriented applications as means for tracing the change through its workflow steps.
- Approval Matrix:
One of the most difficult aspects of change management is the change approval matrix (Team Hierarchy). Taking necessary precautions in approving any change is the base of change management process that includes; involving the right people, and evaluating implications to the best of your ability. It is also important to focus on creating a simple to follow process, without too many gates, and not involving too many people so that it becomes inefficient and not leading the staff to look out for ways to avoid the change process itself. Many organizations have established a Change Advisory Board (CAB), which is a cross-section of individuals that meet on a periodic basis, usually weekly, to plan and approve changes that will be needed over the coming week. CAB establishment works well for important changes. A well arched process to set multiple gates for change approval. This would maintain different levels for different approval processes. This gives the organization the freedom to keep lower approval dependencies for smaller changes. The level of approval required depends upon the nature of the business.
- Security Measures:
One of the crucial focus areas that needs to be focused and managed are the security measures. Unauthorized system access, data visibility and database access are few concerns that need to be governed. Also, maintaining the confidentiality of super-user credentials is highly required. During the Change implementation phase, employees and their respective roles change frequently, and controlling that appropriate access to all types of systems is a tedious task. However, in the given scenario these challenges are dealt as part of administration. Staff training and user guidelines are to be very well framed for meeting the security levels and controlling users from any breach of policies.
- Unplanned emergency access/changes:
Major tripping areas in a change management process is determining how to deal with unauthorized and unplanned emergency changes. The 2 major concerns in resolving this issue; difficulty in collating and documenting the change that has already taken place and resistant that the staff members portray to the change management process itself.
Unplanned emergency cases will always be part of any organizational process that will also require staff to work outside of the formal process to address a problem situation. Similarly, a decent number of staff members will also take the decision that the change management process does not apply to them. Basic considerations are; how will one document this unplanned changes? How will one monitor the staff for failing to comply with the process? The much expected solution is a penalty for failing to operate according to the process that needs to be relatively severe.
Regardless of the consequence, it is important for the change management process to have in place a continuous evaluation process for this unauthorized and unplanned changes to work towards identification and reduction of these changes. Few companies attempt to handle these changes just prior to an audit. In such cases, it is generally obvious to an auditor that these types of changes are not being managed. A new process of providing a post-change report, can be formally replaced for emergency changes.
Conclusion:
A change management process is the most tedious phase for a new implementation. This process needs well traced plans and motivated leaders to drive the teams towards achieving organizational goals. The major key factors that help in managing change management in an organization and needs to be well thought about are Process Management, Approval Matrix, Security Measures and Unplanned emergency access/changes.
About Author:
Mrudula Palyekar is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, she actively contributes to the areas of Technology and Information Security. She can be contacted at: mrudula.palyekar@spluspl.com
Thanks for sharing infrastructure solutions services
ReplyDelete