Home �   ITIL�  Index

Change Control vs. Change Management: Moving Beyond IT

Mar 14, 2005

ITSM Watch Staff

By Edward Stickel

The Limits of Change Control
A useful perspective on the distinction between change control and change management comes from the definitions of these terms used by the IT Infrastructure Library (ITIL) Service Support processes:

  • Change Control
    The procedures to ensure that all changes are controlled, including the submission, recording, analysis, decision making, and approval of the change
  • Change Management
    The Service Management process responsible for controlling and managing requests to effect changes to the IT Infrastructure, or any aspect of IT services, to promote business benefit while minimizing the risk of disruption to services
One can infer from these definitions that change control is a process that is largely internal to the IT department and focused on prioritizing and approving infrastructure changes based exclusively on their technical merit and technical impact. IT technicians, for whom change is a constant, almost daily occurrence, often see formalized change control as an administrative burden restricting their ability to react quickly to the rapid pace of change in an increasingly complex business/technology environment.

For the great majority of changes--routine changes with no great impact on users or the business (e.g., moving an application from one server to another because of a conflict, etc.), the change control protocol seems a pointless formality that stands in the way of getting the actual work done. After all, everyone in IT probably already knows through informal communications what has to be done and why and in what timeframe, so the approval process functions as little more than a bureaucratic exercise, and is often ignored or only receives minimal compliance.

The problem is that changes to the infrastructure are not always routine and light in terms of impact to the infrastructure and to the organization both inside and outside of IT. It is in these cases that simple change control does not have the appropriate depth of process or organizational reach to handle the complex change events it is charged with regulating. On top of this, the weak compliance that the process receives for low impact changes is often little better for changes with a significant organizational impact.

The results-poor decisions are made to go forward or deny changes, business impacts to areas of the business are not considered, changes are badly prioritized and implementations of changes are disruptive. In essence, many organizations with IT-focused change control process regimens have too much process for many simple changes and not enough process for the major changes that really matter.