Why do you need to implement an IT change management policy?

Why do we need an IT change management policy?

The answer to this question may seem clear and straightforward to many: we need an IT change management policy to reduce the risk of losing system and data integrity. Nobody wants corrupt, erroneous or failing information systems. That is why we control IT change management: to prevent those things from happening.

The more challenging question is why we need an administrative process (and burden), based on a standard such as ITIL, to document our change management procedures. If everyone strictly follows the rules and makes no mistakes, why document our decisions and steps in the IT change management process and set up audit trails? We can trust our employees, right?

Responsibility & accountability

To understand this, we need to ask ourselves a somewhat controversial, two-fold question. First, who is responsible for preventing a failure in the IT change management process? Second, who is to be held accountable if a mistake is made along the way and has a negative impact?

Let’s see how organizational responsibility and accountability work in practice. Take the example of a financial information system (ERP) for which we do IT change management. First, we need to have two things crisp and clear:

  1. Who is responsible for preventing the risk of loss of integrity in our financial systems and data that may potentially result in incorrect financial reports?
  2. If there is a loss of integrity due to a failure in the change management process, who should be held accountable?

In answering these questions, let’s see how responsibility differs from accountability. Responsibility is about who is supposed to do what: in this case, who implements the change management controls that prevent the loss of integrity. Accountability is about who answers for the consequences if something bad happens.

Internal and external stakeholders

Since the implications of both responsibility and accountability strongly depend on the ecosystem of an organization, we need to put this in perspective. For instance, the ecosystem of a private company is quite different from that of a public company, because there are no external shareholders who can hold the organization accountable. Let’s compare private and public companies with respect to their internal and external stakeholders to see what this means for IT change management.

Accountability in private companies
In private companies, accountability for the financial health of the company stops at the board. The owners of the company, who make up the board of directors, are aware of the financial risks they are taking. Financial accountability stops at their level. If things go wrong, it’s their problem.

Accountability in public companies
When we consider public companies, however, the board of directors is appointed by, and has a reporting obligation towards, its shareholders. This changes things, because shareholders make decisions on their investments based on the periodic financial reports of the company they are investing in.

If the shareholders cannot rely on the integrity of the financial reports, their investment decisions and their view of the company’s market capitalization will be based on wrong information. The worst case is that shareholders lose interest and confidence in the company. And then what? Who is to be held accountable for that?

Why we need to implement IT change management policies

This quickly leads us to why we need a well-documented IT change management process in (public) companies. We document our IT change management procedures so that the people in charge of the company can be held accountable by the external stakeholders if the IT change management process fails. In this example, the external stakeholders are the shareholders.

Let’s clarify where the roles and responsibilities in each part of the IT change management process lie (using the example above):

  • The responsibility for implementing change management controls lies with the IT owner and the business process owner (= 1st line of defense).
  • The responsibility for defining and coordinating the IT change management policy, possibly based on an information security standard such as ISO 27001, lies with the CISO.
  • The Risk & Compliance department is responsible for verifying that the change management process and controls are implemented in accordance with the policy design (= 2nd line of defense).
  • Internal audit independently tests the change management controls for operating effectiveness and reports its findings to the board of directors (= 3rd line of defense).
  • The CFO is accountable for financial misstatements, which could impact market capitalization and with that the company’s shareholders.
  • An external auditor independently tests the operating effectiveness of the change management controls to give the shareholders assurance over the integrity of the financial reports.

Necessary after all

IT change management policy making is all about allocating responsibility for preventing the loss of integrity in the information system under change. The administrative burden of documenting the process is about establishing accountability in case the process fails and affects external stakeholders.

Contact person

Carel Jansen
GRC Platform Consultant
+31 (0)30 76 02 670
