How to reduce business and IT risk while limiting security vulnerabilities!

If emergency changes aren’t already a big issue for your IT shop, they should be. Why? Well, let’s get clear on what an emergency change is in the first place. It is a change that is recorded after the change has been implemented. It has been recorded largely for compliance reasons. Often it can be a change to fix an implementation gone south. COBIT 5 worries enough about this category of changes that it has even created a KPI to measure emergency changes that are not approved post implementation.

 

Regardless of intention, these types of changes bear business risk because they did not go through any controls—the CAB process. Now, in most IT environments, there will always be a small number of emergency changes, but the greater the number, the more likely that the change process isn’t being managed and that the business and IT are being subjected to undue services and application risk. Given the importance of this measure, we asked several HP customers to share their opinion on this metric. Additionally, we asked them share (confidentially, of course) their actual performance. Today, I would like to share the aggregated benchmark as well as where customers are really performing.

 

What’s a good benchmark for change success rate?

By taking a weighted average of these customers’ responses, I determined that our participants as a whole felt the benchmark for the percentage of emergency change should be 4% or smaller. And, as important, 54% said it should be 2.5% or less. In terms of how many actually achieve this number, only 31% of respondents actually said their percentage of emergency changes was less than 5%. To really find out what the benchmark number should be, however, we would like a bigger group to participate in our survey. So as we said the last few weeks, we want you!

 

We want you.jpg

 

 

We would like you to vote on this and other service management benchmarks. Please click the link below and confidentially share what you think the benchmark performance should be for change success rate and other important service desk measures: http://svy.mk/QoeuES.

 

Why does this benchmark matter?

To me emergency changes are controllable, and so is the risk they entail.. A high number of emergency changes can also indicate that an IT environment is unstable and therefore, needs to be made more stable. The saying “just say no” comes to mind when I think of emergency changes and the resulting impact on the quality of the change process. You should just say no unless the change is needed to reestablish or protect services. Otherwise, changes should go through CAB processes so that the business and IT risks are considered. What do you think? I would love to hear back from you. Change is so important, it needs more consideration by you and me.

 

Related links:

Solution page:  IT Performance Management

Twitter: @MylesSuer

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Search
About the Author
Mr. Suer is a senior manager for IT Performance Management. Prior to this role, Mr. Suer headed IT Performance Management Analytics Product ...


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation