You’ve probably heard the phrase “if it ain’t broke, don’t fix it” – but when it comes to your business technology, this mindset can lead to serious problems. Let me explain why.
Every technology change in your business carries some level of risk, whether it’s updating software, adding new hardware, or tweaking system settings. The key is understanding which changes need formal oversight and which can proceed through standard processes.
How we assess risk – Impact vs Likelihood
At Grassroots IT we assess the risk of any technology change by looking at two key factors. First, what would happen if something went wrong? We consider how many users would be affected, whether it would stop critical business processes, and how long recovery might take.
Second, we evaluate the likelihood of issues arising based on the complexity of the change, whether it’s been done before, and any known compatibility concerns.
Most low-risk changes can proceed through normal support channels. Updating a single user’s monitor or installing standard software updates are routine, well-understood, and easily reversed if needed, and generally don’t need to go through the formal change control process.
But when either the impact or likelihood of issues increases, that’s when formal change control becomes crucial. Think of changes like:
- Server upgrades
- Network reconfigurations
- Business-critical software updates
- Changes affecting multiple users or locations
The Change Advisory Board (CAB)
For significant changes, we bring together the Change Advisory Board – think of it as your technology brains trust. This group can typically include key stakeholders from your business, our technical experts who understand your systems, and project managers and team leaders who can coordinate the work. Their job is to review proposed changes, challenge assumptions, identify risks that might have been missed, and ensure the change plan is solid. It’s like an insurance policy against expensive mistakes.
What about Emergencies?
Sometimes we need to act fast – like when there’s a critical security patch for an active threat. For these situations, we have streamlined emergency procedures that allow rapid response while maintaining basic control measures. We always follow up with a thorough review to ensure everything went well and to document lessons learned for future reference.
The Change Control Process
Our change control process follows these key steps:
1. Request & Planning:
We begin by documenting exactly what needs to change and why. This includes identifying systems affected, expected benefits, and potential business impacts. Importantly, we also develop a roll-back plan, which is crucial for reverting any changes if unforeseen issues arise during implementation. Clear documentation here prevents misunderstandings later.
2. Risk Assessment:
Our team evaluates the potential risks and complexity of the proposed change. We consider factors like service disruption, data integrity, security implications, and resource requirements. This helps determine the level of control needed.
3. Review & Approval:
The change is reviewed by appropriate stakeholders – from technical specialists to business leaders, depending on the impact. High-risk changes go through our Change Advisory Board for additional scrutiny.
4. Implementation:
The change is carried out according to the approved plan, typically during predetermined maintenance windows to minimise business disruption. We maintain constant communication throughout this phase.
5. Verification:
We thoroughly check that the change achieved its objectives and didn’t cause any unexpected issues. This includes testing affected systems and gathering feedback from users.
6. Documentation:
Finally, we update our system records and document any lessons learned. This builds our knowledge base for future changes and maintains a clear audit trail.
The Real Business Value
Good change control isn’t about bureaucracy – it’s about protection and business value. Changes are planned and communicated in advance, minimising surprises. Work happens outside core business hours when needed, reducing disruption. Everyone knows who’s doing what and when, providing clear accountability. And if something does go wrong, we can quickly restore things to normal.
The Bottom Line
Smart businesses understand that change control is essential for protecting operations while enabling progress. By matching the level of control to the level of risk, and maintaining streamlined procedures for urgent situations, you get the best of both worlds: careful control when possible, rapid response when needed.
Technology changes are inevitable. The question isn’t whether to manage them, but how well you’ll manage them. A robust change control process helps ensure those changes drive your business forward rather than hold it back.
