Detection of uncontrolled changes

[changeborg]

We are working on a massive global expansion of our change process at the same time we are working on some major improvement steps for the overall process. One of the questions that has come up on multiple occasions is what steps are we taking to track and eliminate illicit changes, or rather those changes which occur off the books and outside the process. Overall I believe we have a good compliance rate but being realistic, I also know there are things happening outside the process and are essentially invisible to us unless they go absolutely pear shaped.

I'm curious what other groups are doing to not only track these sorts of changes but to keep it from occurring in the first place. Due to the massive size of our organization and the politics I don't think we can restrict access to the level we would like but am sure there are other options. One we have discussed is making compliance with the process a required portion of their yearly bonus to help encourage the overall usage of the process.

[DYbeach]

I have advocated the placement of gallows or at least stocks in the cafeteria, but have not as yet received budget for this incentive
_________________
DYbeach
ITIL V3 Release, Control & Validation,
ITIL V3 Operation SUpport & Analysis
PMI CAPM (R)

"In times of universal deceit, telling the truth will be a revolutionary act." George Orwell

[Diarmid]

Bonus? Try changing base salary by -5% whenever you catch them - "eye for an eye" method.

Education can be useful: tell everybody that the organization's rules, regulations and procedures are for following, not flouting. Also make sure everyone understands what change management is for.

Well designed time sheets can help if that is within your culture, but probably not for changes that only take a few minutes to execute.

You cannot actually track unauthorized changes, but you can detect them. You will detect them when another change is being actioned in the same area. You will detect them when they have unexpected consequences - that gives you a good excuse to come down hard. You will detect them through audits You need to do some kind of audit to confirm your compliance rate).

When you catch someone, have them do a presentation to the management team on how they ensured that the change they effected was safe, appropriate, able to be regressed, did not unduly impact on service, how they assessed the risk, how they informed everyone that might be affected, how they ensured it was not conflicting with another change, how they ensured that other staff were enabled to avoid doing anything that conflicted with their change, where they obtained budgetary authority to expend their time on that change, how they ensured that the CMDB was up to date, and about fifty other things just to be thorough.

Sometimes techies complain that CM is a waste of time for "minor" changes. Ask them to come up with slicker processes that ensure effective change management. When they fail that test, they have no excuses left.
_________________
"Method goes far to prevent trouble in business: for it makes the task easy, hinders confusion, saves abundance of time, and instructs those that have business depending, both what to do and what to hope."
William Penn 1644-1718

[SwissTony]

Within the company I currently work for if the change process is knowingly circumnavigated, or parts of it cut (eg implementing prior to full approval) then the RFC owner has a non-conformance raised against them and the change.

They are then expected to stand infront of senior management to explain the situation, & reasoning (this usually provides a good 'stick' method) & training is then provided to document that the person/s is fully aware of what should be done to prevent future f@@k ups.

But as with your company, I am sure that there a still numerous minor changes made by the tech ops guys that never come to light. By monitoring the origins of all changes (departments / teams) it can be apparent when certain teams that you would expect from their work to be creating RFCs on a regular bases have little or non showing in this type of report.

[Timo]

I really like that approach of having a techie standing in front of the management group explaing what they have done to eff up the change. Smack! Smack!

Thank you for this useful technique.

[Ed]

Diarmid

I just love the idea of a presentation to management, and of course the final question is always:- If they have enough info to do a presentation, why didn't they put all of it into a Request For Change?

Superb!!!!!
_________________
Regards

Ed

[changeborg]

I too like the smack method and in my particular region I sit in, is a method that is used although not quite in such a formalized method. It's usually a one on one smacking. They also will receive a reduction in bonus by circumventing the process (at least those caught) and a few have received formalized HR write-ups which is highly rare in our organization.

I'm curious for the two of you who make them stand up in front of management, do you work for a global organization? In ours, we are very global with silo'd internal groups. The most difficult part is sitting in the Northern Hemisphere and trying to lay the smack down on someone sitting in the South.

[Anticlue]

Hi,

I agree with Diarmid on the education. When reviewing the policy, perhaps also it would be wise to include audit requirements around change management and segregation of duties. It sounds like with the unauthorized changes your organization can have a finding.

Hope this helps,
Elyse
_________________
Collaboration is the key to success!

[DYbeach]

[changeborg]

[DYbeach]

Don't believe it.
Rumour has it that some of us are almost civilised.
_________________
DYbeach
ITIL V3 Release, Control & Validation,
ITIL V3 Operation SUpport & Analysis
PMI CAPM (R)

"In times of universal deceit, telling the truth will be a revolutionary act." George Orwell