Change management is a formal process that ensures changes to a product, process, or system, and is introduced
and implemented in a controlled and coordinated manner. It reduces the possibility that unnecessary changes will be introduced without planning and analysis, which can result in faults in the system or processes. The goals of change management in disaster recovery (DR) and business continuity (BC) planning include minimal disruption to operations, reduction of back-out (return to a previous state) activities and cost-effective use of resources for implementing changes.
Change management is an important process for business continuity and disaster recovery for several reasons. Change management can deliver benefits by improving disaster recovery plans and updating critical information. Also, it helps avoid potential problems such as failure to respond to an incident appropriately because the plan was not up to date. Maintaining business continuity/disaster recovery plans as part of an existing change management program can increase the likelihood that BC/DR plans will receive the attention they deserve.
Change management activities
Six principal activities form the change management process: 1) identify potential change; 2) analyze change request; 3) evaluate change; 4) plan change; 5) implement change; and 6) review and close out the change process. These activities are accomplished through four roles: customer, project manager, change committee and change designer (see "Table 1: Change management process roles"). Change management activities are described in Table 2.
|Table 1: Change management process roles|
|Customer||The customer requests a change due to issues encountered or new requirements; this can be a person or an organization, and can be internal or external to the company|
|Project manager||The project manager is assigned to the change request. There may also be a change manager, who is responsible for change management.|
|Change committee||The change committee decides whether the change request will be implemented or not.|
|Change designer||The change designer plans and implements the change; this can also be done by the project manager.|
|Table 2: Change management activities|
|Potential change identified||Problem or issue experienced||A customer experiences a problem or other issue in a business continuity/disaster recovery plan or related activity; this generates a problem report.|
|New activity required||Based on the issue encountered, the customer desires a modification to the BC/DR plan.|
|Change request||The customer prepares and distributes a change request.|
|Analyze change request||Determine technical feasibility||Project manager reviews the request and determines the technical feasibility.|
|Determine costs and benefits||Project manager determines costs, benefits and time frames of proposed change request.|
|Change evaluation||Depending on the request, its benefits and associated costs, the change committee makes a go/no-go decision.|
|Develop change plan||Analyze impact of proposed change||Conduct an analysis of the potential impact of the proposed change to the BC/DR program.|
|Develop change plan||Develop a plan to implement the proposed changes; secure necessary approvals.|
|Implement proposed changes||Schedule and deploy changes||Establish a project plan, set a time frame and implement the proposed changes.|
|Validate the changes||Conduct an exercise or audit to ensure that the implemented changes work as designed.|
|Update documentation||Ensure that all business continuity/disaster recovery plan documentation is updated with the changes.|
|Disseminate the changes||Distribute details on changes to all employees and other relevant parties, such as key clients and vendors.|
|Review and close change||Verify change||Determine that no further actions are needed relevant to the changes; close out the request; and schedule a follow-up review for six months.|
While many organizations have a formal change management process, business continuity and disaster recovery are rarely included in the mix. To ensure that business continuity and disaster recovery plans and their associated databases are kept up to date, it is a good idea to include them as part of the overall change management process.
Although we are examining the change management process, it's important to note that the leading industry standards and guidance on business continuity/disaster recovery all advocate plan maintenance. The following section presents how business continuity and disaster recovery standards address maintenance. Incorporating the following guidelines into an existing change management process can help improve the likelihood that business continuity/disaster recovery plans will be properly maintained.
Change management as addressed in business continuity/disaster recovery standards
The following section includes references to change management as defined in the British Standard (BS 25999), the American National Standard for business continuity (NFPA 1600) and the DRI/DRJ Generally Accepted Principles. While the term change management is not specifically stated in the codes, the term maintenance appears in them, and is generally assumed to include the change management process.
BS 25999-1:2006 Code of practice
Section 9.4 Maintaining BCM arrangements
A clearly defined and documented business continuity management (BCM) maintenance program should be established. This program should ensure that any changes (internal or external) that impact the organization are reviewed in relation to BCM. It should also identify any new products and services and their dependent activities that need to be included in the BCM maintenance program. As a result of the BCM maintenance program, the organization should:
- Review and challenge any assumptions made in any components of BCM throughout the organization.
- Distribute updated, amended or changed BCM policy, strategies, solutions, processes and plans to key personnel under a formal change control process.
NOTE: If there are major business changes then a revision of the business impact analysis (BIA) ought to be undertaken. The other components of the BCM program may be amended to take account of these changes.
The outcomes from the business continuity management maintenance process should include:
- Documented evidence of the proactive management and governance of the organization's business continuity program.
- Verification that key people who are to implement the business continuity management strategy and plans are trained and competent.
BS 25999-2:2007 specification
6.0 Maintaining and improving the BCMS
The purpose is to maintain and improve the effectiveness and efficiency of the business continuity management system (BCMS) by taking preventive and corrective actions, as determined by the management review.
6.2 Continual improvement
The organization shall continually improve the effectiveness of the BCMS through the review of the business continuity policy and objectives, audit results, analysis of monitored events, preventive and corrective actions and management review.
Chapter 8 Program Improvement
8.1 Program reviews
8.1.1 The entity shall improve effectiveness of the program through management review of the policies, performance objectives, evaluation of program implementation and changes resulting from preventive and corrective action.
8.1.2 Reviews shall be conducted on a regularly scheduled basis, and when the situation changes, to evaluate the effectiveness of the existing program.
8.1.3 The program shall also be re-evaluated when any of the following occur:
(1) Regulatory changes
(2) Changes in hazards and potential impact
(3) Resource availability or capability changes
(4) Organizational changes
(5) Funding changes
(6) Infrastructure, economic and geopolitical changes
8.1.4 Reviews shall be conducted based on post-incident analyses, lessons learned and operational performance.
8.1.5 The entity shall maintain records of its reviews and evaluations, in accordance with the records management practices developed under Section 4.8.
8.1.6 Documentation, records and reports shall be provided to management for review and follow-up.
8.2 Corrective Action
8.2.1 The entity shall establish a corrective action process.
8.2.2 The entity shall take corrective action on deficiencies identified.
Generally accepted change management principals and DR/BC planning
The following chart can be used as a guide to best practices and procedures for implementing change management in business continuity/disaster recovery planning.
Maintenance: Establish a quality review program
|1. Compliance with minimum requirements of corporate standard(s)||Understand what your corporate standard(s) is(are).|
|2. Site self-assessment review of contact information||Require each location to review and update contact details quarterly.|
|3. Site self-assessment review of BC/DR requirements||Require each location to review and update plan requirements semiannually.|
|4. Site self-assessment review of BC/DR procedures||Require each site to review and update BC/DR procedures quarterly.|
|5. Schedule and conduct reviews when indicated by organizational change||Incorporate major organizational changes into plan.|
|6. Develop plan content guidelines||Determine need to review and update guidelines for BC/DR actions.|
|7. Management reporting||Report findings to designated senior management, steering committee, etc.|
|8. Base any quality requirements on existing regulations (e.g., audit, legal, ISO, Sarbanes-Oxley Act (SOX), HIPAA)||Consider all existing regulations governing the organization and build quality content around them.|
|9. Program Office conducts full annual audits of a percentage of existing plans||Develop a plan for corporate office to audit a percentage of BC/DR plans.|
Since plan maintenance is a critical activity, it should be performed at least annually and preferably on a quarterly basis. People who serve on teams may change jobs or leave the company. The same is true with vendors, which means these lists should be regularly updated. Change management is a key strategy in conjunction with the business continuity/disaster recovery maintenance process. By including business continuity and disaster recovery plans as part of your firm's change management process you can ensure they are always up to date and ready to use when a disaster strikes.
About this author: Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.