The Importance of Change Advisory Boards

A key part of managing changes in IT is to have a change advisory board (CAB). A CAB offers multiple perspectives necessary to ensure proper decision making.

For example, a decision made solely by IT may fail to recognize the concerns of accounting. The CAB is tasked with reviewing and prioritizing requested changes, monitoring the change process and providing managerial feedback. This article discusses the role and composition of a CAB.

A CAB is an integral part of a defined change management process designed to balance the need for change with the need to minimize inherent risks. For example, the CAB is responsible for oversight of all changes in the production environment. As such, it has requests coming in from management, customers, users and IT. Plus the changes may involve hardware, software, configuration settings, patches, etc.

The Change Process Itself

A change process often has requests forwarded to a change manager who then makes a rough-cut determination about whether the changes should be allowed to go further in the process. Assuming they are, a CAB may meet and review requested changes, including those that involve further testing.

It then delegates the discovery and testing phases to an engineering group to document what needs to be done. When the discovery and testing are complete, a report is made to the CAB, which then makes a final determination regarding whether the change should be allowed to proceed. Now this process as defined is very high-level. The ITIL has a great discussion of the change management process in section 8.3 of the Service Support book (also known as the "Blue Book").

In situations where there is a crisis and the whole board cannot be convened, there should be a change advisory board/emergency committee (CAB/EC) made up of a core team of people that can make a decision. For example, it is Sunday at 5 p.m. and a major worm hits that blows through the firewall: Who do you call to discuss the patches? Is there an accelerated emergency change process and a CAB/EC?

Obviously, you need a way to rush emergency changes into production and then a means to review them after the fact. Tracking the total number of changes, the number of emergency changes and success rates are all good metrics to monitor. If emergency changes are increasing and the success rate is falling, then a serious analysis of the situation is required.