Presentation to Institute of IT Professionals New Zealand on 31 May 2018. Covers IT Change Management best practice, possible interactions and value gained by interaction between IT Change Management and Business Continuity processes.
It Change Management and Business Continuity in a as-a-service world
1. Presentation to ITP Wellington Forum
Presenter:
Paul Monk
Performance & Quality Assurance Manager
Fujitsu New Zealand
IT Change Management and Business
Continuity in a “as a Service” World
2. Introduction
Paul Monk
Performance and Quality Assurance Manager (NZ)
Fujitsu New Zealand
Paul.Monk@nz.fujitsu.com
www.linkedin.com/in/paul-monk-a666352
Citrix Innovation Award for Partners Winner 2017
2 Copyright Fujitsu NZ 2018
3. Summary
Theory
IT Change Management best practise
Lessons from continuous improvement of Processes
When should IT Change affect BC and DR plans?
Keeping Production and DR/BC environments Synchronised
What can go wrong
Tips for DR Practitioners and Change Managers
Possible interactions between Change and BCP processes
IT Change Management function during DR
Is your IT Change Management function resilient?
Suggested Quality Measures
3 Copyright Fujitsu NZ 2018
4. Theory
IT Change Management
(source: Wikipedia)
Change Management ensures that standardised methods and procedures are used
for efficient and prompt handling of all changes to control IT infrastructure, in order to
minimise the number and impact of any related incidents upon service.
Change Management
(source: ITILv3 – Service Transition)
Ensures that:
Standardised methods and procedures are used for efficient and prompt handling of
all changes
All changes to service assets and configuration items are recorded in the
Configuration Management System
Overall business risk is optimised.
4 Copyright Fujitsu NZ 2018
5. Theory
Business Continuity Planning
(source: Wikipedia)
Business continuity planning is the process of creating systems of prevention and
recovery to deal with potential threats to a company. BCP is a subset of Risk
Management.
IT Service Continuity Management
(source: ITILv3 Service Design)
The goal of ITSCM is to support the overall Business Continuity Management process
by ensuring that the required IT technical and service facilities can be resumed within
required, and agreed, business timescales.
5 Copyright Fujitsu NZ 2018
6. Theory
Disaster Recovery
(source: Wikipedia)
Disaster recovery (DR) involves a set of policies, tools and procedures to enable the
recovery or continuation of vital technology infrastructure and systems following a
natural or human-induced disaster.
Disaster recovery focuses on the IT or technology systems supporting critical business
functions, as opposed to business continuity, which involves keeping all essential
aspects of a business functioning despite significant disruptive events. Disaster
recovery is therefore a subset of business continuity.
6 Copyright Fujitsu NZ 2018
7. IT Change Management Best Practise
It is good practise to have the following KPIs for the IT Change Management process:
< 5% failed changes per month
> 20% Standard changes implemented per month
Zero unauthorised changes per month
< 4 business hours for the outcome of Changes
Zero Change window extensions requested after the Change Window ends
CAB panel that understand relevant risks from Technical and Business perspective
Formal induction of staff and third parties who participate in the Change process
Source: Fujitsu NZ data and experience(2014 – 2017), supported by ISO20000 certified processes and Fujitsu
Oceania quality review of data.
7 Copyright Fujitsu NZ 2018
8. IT Change Management Best Practise
The scope of the IT Change process must be easy to explain and enforce:
O/S
VM Guest or OVM
Server Hardware
SAN
Chassis
Switch
Network
Firewall
Test
(includes System Test, Pre-Prod)
Development
Production
(Includes Training, DR and
Production Data if not anonymised)
Desktop Environment
Application client side
Application server side
Middleware/Web Server
Database
O/S
VM Guest or OVM
Server Hardware
SAN
Chassis
Switch
Network
Firewall
O/S
VM Guest or OVM
Server Hardware
SAN
Chassis
Switch
Network
Firewall
Desktop Environment
Application client side
Application server side
Middleware/Web Server
Database
Desktop Environment
Application client side
Application server side
Middleware/Web Server
Database
8 Copyright Fujitsu NZ 2018
9. IT Change Management Best Practise
As-a-Service maintenance activity can be recorded as an “Advisory Change”
Contributing Infrastructure
CustomerProduct
ServiceVeil
Engineer
Underlying Infrastructure Revealed Service
! Advisory Change
!
Normal
Change
9 Copyright Fujitsu NZ 2018
10. IT Change Management Best Practise
CAB meetings need the right inputs to make robust decisions
CAB Panel
Implementation
Plan
Approved
Design
Change
Owner
Supporting Information
Comms
Test Exit
report
Design and
Service Transition
panel
Forward
Schedule
10 Copyright Fujitsu NZ 2018
11. IT Change Management Best Practise
Right amount of due diligence is applied to the type of ChangeChangeFailureRisk
Due Diligence
Standard
Emergency
Urgent/Expedited
Non-Standard
Advisory
Release Management
can add more value here
(Workflow steps before approval )
11 Copyright Fujitsu NZ 2018
12. Lessons from continuous improvement of processes
Service Management processes need to evolve to meet new customer
requirements:
Communication is always key
Be curious about connected processes
Lead the Process
Shrinking to be Lean and Agile
Educate those affected
Remember the double-edged sword
Cut too much away and you are left with risk-based decisions being made by unqualified or
unauthorised staff
A controlled and auditable process will work with just enough paperwork and monitoring
Welcome the question Is
this in scope or not?
Improve throughput by 20% by running CAB
twice a week instead of once a week
Reduce admin by 20% by establishing
correct workflow size for the Change type
More Standard Changes means less deviation,
lowers risk and reduces CAB agenda
12 Copyright Fujitsu NZ 2018
13. When should IT Change affect BC and DR plans?
How does this IT Change affect BC and DR plans?
Example 1 – Upgrade to SharePoint
The DR plan should be tested to prove RTO is still feasible after the Change.
Example 2 – Setup of DR environment for Finance team
The DR plan should be tested to prove connectivity during DR from the secondary
location.
13 Copyright Fujitsu NZ 2018
14. Keeping Production and DR/BC synchronised
How should we keep Production and DR/BC environments synchronised?
Simple:
Configuration Management process to put environments into the CMDB as a service.
Maintain a Technical Service Catalogue that includes environment as an attribute.
Update the IT Change Management process to include:
Impact Assessment that confirms environments in scope
Architecture team added as quorum member to CAB panel
Implementation plan has validation steps that check both Prod and DR/BC environments
Maintain supporting documentation (Recovery plans, DR plans)
Complemented with:
Investment in automation that reports differences between Environments.
14 Copyright Fujitsu NZ 2018
15. What can go wrong
The consequence of lack of due diligence in our topic are many.
Here are some examples:
Production and DR at same site. WAN risk.
Recovery Plan not updated by Project. Not in scope.
IT Change Management not considering BCP update as relevant.
DR site firewall rules not updated Production upgrade. 3 week delay.
Using USB sticks to build PCs at BC site. Delay risk.
DR site not kept up to date. BCP will fail if tested.
15 Copyright Fujitsu NZ 2018
16. Tips for DR Practitioners
Some suggestions to start the conversation with your IT Change Manager:
How much do you as Change Manager know about our BCP?
What interaction exists between IT Change Management and BCP processes?
The common ground between IT Change Management and BCP/DR is:
The need to capture and record the current production state
BC/DR plans have similar information elements as an IT Change Implementation Plan.
Small steps to improve are always easier. Start small.
16 Copyright Fujitsu NZ 2018
17. Tips for IT Change Managers
Some suggestions to start the conversation with your BC co-ordinator:
Where to start?
1. Read your Organisation’s BC, IT Service Continuity and DR Plans
2. Ask for an invite to the next BC planning meeting to observe.
3. Decide what interaction IT Change should have with the BC process
4. Confirm the data needed to support these interactions)
17 Copyright Fujitsu NZ 2018
18. Possible interaction between Change and BCP processes
Risk Management
Business Continuity
Planning
(with ITSCM)
DR
IT Change Management Requests IT Change to
mitigate risks
Trigger update
to BIA and BCP
Update DR technical
environment to align with
Production
BIA
DR test BCP test
Change
record
Notify
through IT Change
Process?
Triggers updates to
risk records (incl. new)
Add to IT Change
schedule as information
only
Yes
Proactive Activities
BCP
18 Copyright Fujitsu NZ 2018
19. Possible interaction between Change and BCP processes
Reactive Activities
19 Copyright Fujitsu NZ 2018
Risk Management
Business Continuity
Planning
(with ITSCM)
IT Incident Management
Incident
record
Activate BC/DR Plan after
attempts to restore service
through:
• Technical escalation to L2
and L3 support
• IT Change confirmed as
cause
• IT Change Rollback
attemptedChange
record
Caused
Incident Change
record
Technical steps
Post DR to resolve
residual issues
DR
Plan
BC
Plan
20. IT Change Management function during DR
IT Change Management usually takes a backseat during DR.
The value of including an experienced IT Change Manager in the BCP is:
Process experience
Key contacts they can draw from to get BCP activity done that was unforeseen
Awareness of current Production state through observation.
Holistic awareness about the IT environment and related processes.
Use that to your advantage!
20 Copyright Fujitsu NZ 2018
21. Is your IT Change Management function resilient?
What is your BC / ITSCM plan if your IT Change Management tool is down?
What happens when the IT Change Manager is on Annual Leave?
Do you have a succession plan for your IT Change Manager?
Are all your daily, weekly, monthly procedures documented?
21 Copyright Fujitsu NZ 2018
22. Quality Measure Checklist
If you answer “Yes” to the below questions this means your IT Change Management process is
adding value to your organisations BCP:
Is the BCP/DR infrastructure treated as in scope for the IT Change process?
Does your IT Change Management impact assessment check if:
BC/DR Plans need to be updated?
BCP/DR infrastructure need to be updated to align with Change to Production environment?
Does the BCP/DR co-ordinator attending your CAB meeting?
Does your template for Architecture Design cover a BCP/DR environment section?
Does your Technical Service Catalogue and CMDB recognise infrastructure for BCP/DR?
22 Copyright Fujitsu NZ 2018
23. Quality Measure Checklist
Organisations can reduce some BCP and DR costs by building up resilience and
monitoring capacity growth using current technology:
Are your servers all now virtual and highly available?
Capacity monitored and proactive IT Change raised to ensure head-room?
Have you virtualised your databases?
Are your virtual servers and/or storage managed with built-in DR solution?
Is your data secured by a vendor with their Data Centre ISO Standard certified
ISO Standard Reference Description
ISO27001 Security Management System
ISO9001 Quality Management System
ISO20000 Service Management System
23 Copyright Fujitsu NZ 2018
24. Conclusion
IT Change Management is important to BCP and DR processes.
Other effective Service Management processes/disciplines needed to support IT
Change Management and BC/DR processes. Refer to ITIL v3 books for further details.
Start the discussion between IT Change Management and BCP process owners at
your organisation and I am confident you will find it very useful.
Ref: https://www.axelos.com/best-practice-solutions/itil/what-is-itil
24 Copyright Fujitsu NZ 2018
27. Document Control
Attribute Value
Document Name The importance of IT Change Management to DR and BCP process
Confidentiality Uncontrolled
Document Status Final
Version Number 1.7
Summary This presentation is for Government Sector IT DR Forum presentation
Author Monk, Paul
Owner Monk, Paul
Version Date 30/5/2018
Date of Next Review N/A
Target Audience Participants of GSITDR Forum
Distribution As required.
Internal Repository M:Improvements2018Change Management presentation to GSITDR forum
Customer Repository N/A
Version Date Name Comments
0.1 12/2/2018 Paul Monk Initial Draft
0.2 9/3/2018 Paul Monk After input from GSITDR stakeholders.
0.3 12/3/2018 Paul Monk Rearranged sequence of animation on slide 12.
0.4 14/3/2018 Paul Monk Updated slide 19 on suggestion from Steve M. Updated theme and added footer.
0.5 28/3/2018 Paul Monk After feedback from Fujitsu Oceania BCP Co-ordinator
0.6 4/4/2018 Paul Monk After feedback from Fujitsu NZ Change Management team leader.
1.0 11/4/2018 Paul Monk After review feedback from GSITDR forum representatives.
1.1 11/4/2018 Paul Monk Removed video and slide related to Stats NZ story at request by Katie.
1.2 12/4/2018 Paul Monk After input from Fujitsu architect.
1.3 16/4/2018 Paul Monk After input from Fujitsu internal presentation
1.4 18/4/2018 Paul Monk After input from Pradeep Navalker
1.5 3/5/2018 Paul Monk Added image credit for TaiChi Sword image, slide#12.
1.6 16/5/2018 Paul Monk Updated for ITP audience.
1.7 30/5/2018 Paul Monk After review from rehearsal and feedback from GSITDR forum session.
Document Control Table
Change History
27 Copyright Fujitsu NZ 2018