The answer to this question may seem clear and straightforward to many: we need to implement an IT change management policy to prevent the risk of loss of system and data integrity. Nobody wants to have corrupt, erroneous or failing information systems. That’s why we need to control IT change management, to prevent these things from happening.
The more challenging question is why we need an administrative process (and burden) based on a standard such as ITIL to document our change management procedures. If everyone strictly follows the rules and makes no mistakes, why document our decisions and steps in the IT change management process and set up audit trails? We can trust our employees, right?
To understand this, we need to ask ourselves a somewhat controversial question. One that is two-fold. First, we need to ask who’s responsible for preventing a failure in the IT change management process. Secondly, we should ask ourselves who is to be held accountable if a mistake is made along the way, resulting in a negative impact.
Let’s see how organizational responsibility and accountability work in practice. We take the example of a financial information system (ERP) for which we do IT change management. First, we need to have two things crisp and clear:
In answering these questions, let’s see how responsibility differs from accountability. Responsibility is about who is supposed to do what in order to reach a goal (in our example: prevent the loss of integrity by implementing change management controls). Accountability is about who is to blame if something bad happens.
Since the implications of both responsibility and accountability strongly depend on the ecosystem of an organization, we need to put this in perspective. For instance, the ecosystem of a private company is quite different from that of a public company, because a private company has no shareholders who can hold the organization accountable. Let’s compare private and public companies with respect to their internal and external stakeholders to see what this means for IT change management.
Accountability in private companies
In private companies, accountability for the financial health of the company stops at the board. The owners of the company, the board of directors, are aware of the financial risks they are taking. Financial accountability stops at their level. If things go wrong, it’s their problem.
Accountability in public companies
When we consider public companies, however, the board of directors is appointed by and has a reporting obligation towards its shareholders. This changes things, because shareholders make decisions on their investments based on the periodic financial status reports of the company they are investing in.
If the shareholders are unable to rely on the integrity of financial reports, their expectations of market capitalization will be off. The worst-case scenario is that shareholders lose interest and confidence in the company. And then what? Who is to be held accountable for that?
This quickly leads us to why we need a well-documented IT change management process in (public) companies. We need to document our IT change management procedures, so that the people in charge of the company can be held accountable by the external stakeholders in case the IT change management process fails. In this example, the external stakeholders are the shareholders.
Let’s clarify where the roles and responsibilities in each part of the IT change management process lie (taking the above example):
IT change management policy making is all about allocating responsibility to prevent the loss of integrity in the information system under maintenance. The underlying administrative burden of documenting this process is about identifying accountability in case the process fails and has a potential impact on external stakeholders.