The Keys to Agility
Failures are generally caused by changes made by IT personnel -- and these failures can threaten customer satisfaction and profitability. For example, an air traffic control software upgrade caused a system failure that grounded flights at an airport and halted traffic across the region for almost an entire business day.
In another case, a healthcare provider was making a patch update to an operating system and discovered that the upgrade unraveled the entire software stack. As a result, business-critical legacy lab results and prescription applications weren't available.
How did this happen? The systems and processes used to manage these changes were not systematic and repeatable, which creates risk of system failures.
Since change is inevitable in both business and technology, what can be done to make change a "friend?"
Agility is the key. As business strategy changes, the IT organization must have the agility to respond to new requirements. So, how do organizations balance control and agility, especially when approaches tend to optimize one at the expense of the other?
Consider a systematic and process-driven approach to achieving a balance to optimize both responsiveness and control.
The process starts with developing an integrated change and configuration management strategy to help the IT organization identify the relationship between the IT environment and critical business services.
When thinking about developing a change and configuration management strategy, here are ten things to consider:
Timing. Get started now. As business needs change, IT must be poised to change, as needed, to support the business. However, IT often cannot implement changes fast enough, and is frequently perceived as not responsive to changing business requirements.
Knowing what IT components support which critical business services is often difficult. Changes in one area can break things in another, causing system failures that can affect the business operations they are supposed to support.
IT also must implement changes to take advantage of technology innovation, improve applications, provide greater capacity, and counter security threats.
Unless they are carefully controlled, changes in the IT environment can create security risks or negate already implemented safeguards. The reverse is also true. Security patches can cause application failures if not coordinated with other activities.
Several factors influence the ability to manage change effectively. With tighter budgets, IT organizations must work more efficiently. Strategic initiatives that integrate and automate change and configuration best practices can free-up budget, reduce system failures, and achieve mandatory control objectives.
Pain. You are not alone. Many IT organizations experience similar issues: a change in one portion of the IT environment has often wreaked havoc in IT and on the business itself.
These happenstances are caused by changes related to databases, networks, operating systems, applications and other parts of the enterprise. Most organizations can benefit from improvements in their change and configuration practices.
By better coordinating and automating these activities, they can simultaneously improve both responsiveness and IT service quality.
Risk. Most IT organizations use some combination of approaches to try and mitigate the risk of failures caused by changes in IT. However, most current approaches reach a balance that is either controlled or responsive -- but not both.
Operating in an unresponsive or uncontrolled state poses significant risk for the IT-dependent business.
Adjusting operational processes to increase responsiveness often reduces control and increases risk of business-critical IT system failures. Adjustments that increase control can reduce system failures, but may impose a process burden on strapped IT resources, and cause business managers to wonder why IT isn't quickly responding to their changing needs.
Reduced responsiveness can leave companies vulnerable to more agile competitors. As a result, many organizations reach a compromise that leaves IT neither responsive to change nor in control of the complex IT environment.Vision. Build upon current approaches to reach a balance that enables the IT organization to be both responsive and controlled.
Through process integration and automation, and effective use of tools that aid IT professionals, organizations can increase their responsiveness to change and better control the IT environment to reduce IT failures.
An integrated change and configuration management strategy begins with a detailed understanding of the IT environment. It includes discovery of IT components, their relationship with each other, their relationship back to business services and how they combine to populate a dynamic service impact model.
Another key element is the capability to automate a workflow-based change management process. Automation can help ensure that IT professionals who implement changes are not burdened with process overhead.
A workflow-based change process should also be integrated and orchestrated with the tools that apply change and enforce configuration control across the organization. IT needs an automated, policy-based approach to maintain and enforce known good configurations including detection and resolution of nonstandard configurations throughout the IT environment.
Tools that facilitate effective change management should share information stored in a commonly accessed configuration management database (CMDB).
For example, in an ideal automated process, software would push an operating system patch update to a server, the change workflow tool would be informed that the patch has been applied, and the CMDB would be updated with the new configuration information and the change history.
The opportunity is significant. An integrated approach to change and configuration management can increase control, which will reduce critical system failures caused by change.
Visibility. Start with a clear understanding of which business services are dependent on the IT component that are about to be changed. Use automated discovery and a service impact model to help determine those relationships.
Discovery helps to identify what is in the IT infrastructure, what its settings and configurations are and should be, and what business service each component is linked to in the business.
That information can be used to populate a service impact model that identifies the interrelationships and dependencies of components, or groups of components in the infrastructure.
Once there is a clear picture of the IT components being changed, each change request can be effectively categorized, assessed for risks, communicated to potentially affected IT and business owners, and scheduled with other related or dependent change requests.
A service impact model can identify the IT infrastructure that supports critical business functions. Protect that infrastructure so that the desired configuration is maintained and any changes are carefully managed.
Everything -- network routers, servers, a mainframe, desktops, and laptops -- that supports the business function must be protected. For example, three days before the end of the quarter, don't change an accountant's desktop settings, the application server, the network settings, or the database schema, since all of these support the critical accounting applications.
A clear picture of the IT environment also helps restrict access to the production environment, an important step in protecting business-critical systems.
Coordination. Change management is a powerful process that helps coordinate, automate, and streamline each request for change. Each change request can be managed using the change lifecycle, which has four stages: request, plan, implement, and verify.
With an optimized approach, a change request proceeds through the request stage, is scheduled for planning, and goes through the planning phase.
During implementation, the change might be applied using multiple tools and be carried out by multiple people at multiple times. Organizations must be able to track these things from start to finish, and at every point in time, have clear visibility into what was requested, who is working on it, how many sub-requests were created, how many components were affected, and so forth.
This capability is called orchestrated change lifecycle management.
An orchestration tool should group the requests and changes so that they can be handled as a single group. Other functions should include sequencing, staging, tracking, correlating, and logging.
Any change to hardware, operating systems, applications, or settings needs to proceed through the change lifecycle in all layers of the technology stack: databases, networks, servers, appliances, and desktops.
The further down the stack, the deeper into the technology, the bigger the potential impact of a change.
Configuration. Controlling the configuration of an infrastructure element is an obvious part of configuration management. However, changes sometimes occur outside the scope of a formal change process. As a result, configurations and settings drift from the desired state.
Desired state management helps implement changes, as well as control the state of the IT environment to prevent drift and optimize performance.
The state of an environment encompasses the elements in the environment, such as the hardware and applications, how the elements are interconnected, and the configuration of each element itself.
The desired state management process encompasses knowing the desired configuration and the current configuration, understanding the difference or the variance between them, and then fixing the variance so that a specific device comes back to the desired state.
Desired state management, even when performed manually, can bring benefits to an IT organization.
Integrated change and configuration management solutions save significant time and effort over manual approaches. They enable thousands of servers and their configuration to be checked, and with a single click, bring all of them into the desired state.Integration. When integrating change and configuration management, the solution should include process, activity and data.
Individually, these elements provide little savings. If all three are implemented but they don't work with each other, then the value is very small. Therefore design a holistic solution that spans all three.
Optimize the IT organization to be both responsive and controlled by bringing together processes, activities and data, and integrate and automate change lifecycle management, and desired state management.
When all the activities are truly process-aware and if all the data can be interchanged across the activities, then combine the power of all those tools to orchestrate a single optimized solution.
By combining process, activity and data, all the existing investments in change and configuration management tools are fully leveraged. Ultimately, an organization can gain greater efficiency and reduce the number of resources required in the IT environment.
ITIL. The IT Infrastructure Library (ITIL) provides a good foundation and framework for the delivery and support of IT services. Integrated change and configuration management builds upon that foundation to help IT organizations achieve greater control over their systems and greater agility to support business strategy.
Three areas in which change and configuration management extends ITIL best-practice definitions are:
The ITIL service support book establishes a number of goals related to the scope of configuration management. These goals focus on maintaining data integrity, or keeping configuration item data accurate, and they include updating and managing the configuration items, which are the different assets in the configuration management database.
Integrated change and configuration management extends this idea to include desired state management, where the focus is on defining known good configuration and then actively managing the configuration of IT components across the organization.
Although ITIL includes best practices for service level management, the combined discipline of change and configuration management extends IT and business alignment through a service impact model.
Associating IT elements with the business processes they support often can provide more guidance about the appropriate timing and potential impact of changes.
For example, knowing that a server is necessary for accounting processes should significantly affect how IT handles that server near the end of the quarter.
A service impact model emphasizes visibility into system dependencies and understanding the business impact of changes in the IT environment, and not just service levels.
Change and configuration management also broadens the scope of change requests. ITIL assumes or implies that most change requests come from incidents and problems.
In reality, only 10-to-15 percent of change requests are related to something that's broken and needs to be fixed. Change requests come from the business, patch management, application upgrades, and technology changes.
Benefits. Integrating change management and configuration management delivers on the promise of improved control and agility for business-critical IT environments. The opportunity for operational improvement is significant.
Many organizations that already have some solutions in place can significantly improve service levels and operations efficiency by expanding their current function to a fully integrated change and configuration management practice.
Enterprises can use an integrated change and configuration management strategy to solve many the most compelling problems faced by IT organizations. This can include responding to a number of issues, such Sarbanes-Oxley compliance, virus protection, server consolidation, application change management, software provisioning and patch management.
Kurt Milne is BMC Software's senior manager of Strategic Marketing.