IT Change Management — IT Certificate

            Verify, Validate, and Review

            After implementation, the change needs to be verified and reviewed. The following questions should
            be asked, answered, and addressed, as appropriate:
              Was the change successful?
              Was the change process followed?
              What was the variance between the planned and implemented change?
              Were internal control, operations, and regulatory compliance requirements maintained?
              What lessons were learned that may be used to prepare the process?

            Based on the outcomes of the verification and review, it may be concluded that the change was or
            will be unsuccessful. In such a case, the organization should back out of the change by following a
            detailed set of back-out procedures.

            Closing and Communicating

            A lessons-learned exercise should be conducted. Once it is complete, the change request should be
            closed and communicated to affected parties, including management. Any necessary changes should
            be made to the change management process, and the change schedule should be published.

            Reporting to Management

            Change management information should be reported to senior management regularly and
            objectively, using metrics and indicators, for example in dashboard-type reports. Such reports
            allow senior management to gauge IT’s progress toward:
              Aligning end-users with IT changes to meet business needs.
              Creating defined, predictable, and repeatable processes with defined, predictable, and
               repeatable results.
              Coordinating and communicating with stakeholders affected by changes.

            More rigorous, formal measures and specific metrics should be reported to provide maximum
            visibility into the impact of the strategy on the effectiveness of IT change management. Key
            performance indicators (KPI) and key risk indicators (KRI) may include:
              Number of changes authorized over a specific period. (KPI)
              Number of changes implemented over a specific period. (KPI)
              Change success rate (percentage of changes made that did not cause outages, service
               impairments, or an occurrence of unplanned work). (KPI)
              Number of unauthorized changes that circumvent the documented change process. (KRI)
              Number of emergency changes (including patches). (KRI)
              Average duration from patch release date until patch is deployed to vulnerable IT systems. (KRI)
              Percentage of time spent on unplanned work. (KRI)
              Percentage of projects delivered later than planned. (KRI)

            Analyzing the results may indicate whether the organization has an effective change management
            process, whether the process benefits the business, and where to focus more resources.
            Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.