Booklet: Operations
Section: Risk Mitigation and Control Implementation
Subsection: Change Management
Technology operations environments are dynamic, and processes, procedures, and controls should be in place to manage change. Change management broadly encompasses change control, patch management, and conversions. It also includes the institution's policies, procedures, and processes for implementing change, which are discussed more fully in the IT Handbook's “Management Booklet” and “Development and Acquisition Booklet”.

Large and complex institutions should have a change management policy that defines what constitutes a "change" and establishes minimum standards governing the change process. Processes and procedures for implementing change may be universal for the institution—applicable to all business lines and environments—or may be stratified, such as changes affecting the entire institution and those affecting a business line, support area, or affiliate.

Smaller and less complex institutions may successfully operate with less formality, but should still have written change management policies and procedures. Because mainframe, network, client-server, and application changes are different, institutions may choose to develop individualized procedures. However, individualized procedures do not instill consistency in the change management process. Consistency contributes to a change management process that is defined, managed, repeatable, and optimized.

CHANGE CONTROL
Increasingly, technology systems are tightly integrated and interdependent. As a result, creating a central change control oversight function is a sound practice for management of the change process. This may be a specialized change control or management committee in a large, complex institution, or a technology steering committee in a small, noncomplex institution. All changes should flow through the oversight function, which should include appropriate representation from business lines, support areas, technology management, information security, and internal audit. The framework for managing change should be anchored in a policy that describes minimum standards and addresses such factors as notification, oversight, and control. Control standards should address risk, testing, authorization and approval, timing of implementation, post-installation validation, and back-out or recovery.

PATCH MANAGEMENT
Vendors frequently develop and issue patches to solve problems, improve performance, and enhance the security of their software products. Management should establish procedures to stay abreast of patches, to test them in a segregated environment, and to install them when appropriate. Change management procedures should require documentation of any patch installations. Management should develop a version control process for operating and application software so that the latest releases are implemented. Management should also maintain a record of the versions in place and should regularly monitor the Internet and other resources for bulletins about product enhancements, security issues, patches or upgrades, or other problems with the current versions of the software.

CONVERSIONS
Conversions involve major changes to existing systems or applications, or the introduction of systems or data sets resulting from acquisitions or mergers. Conversions are a unique and more complex type of systems change, which may span multiple platforms. Consequently, they have a higher level of risk requiring additional, specialized controls. Strong conversion policies, procedures, and controls are critical. Improperly handled, conversions can result in corrupt data. Moreover, because the ramifications of conversion span technology operations, it is important for management to re-evaluate periodically all operations processes and consider the appropriateness of process re-engineering. Conversions require management to draw on a number of control disciplines involving change processes and strategic planning, including project management, change control, testing, contingency planning, back-up, vendor management, and post-implementation review. An improperly executed conversion can create inefficiencies including serious degradation of IT performance, internal and external user dissatisfaction, accounting problems, customer dissatisfaction, reputation damage, and critical operational disruptions.