Our developers feel that the traditional Change Advisory Board (CAB) is a "velocity killer." They want to push code daily, but our ITSM policy requires a week of lead time for approvals. How do you modernize Change Enablement to support DevOps while still maintaining the governance needed for a stable production environment? Are there ways to automate "Standard Changes" for low-risk deployments?
3 answers
The "Weekly CAB" is definitely an outdated model for modern software teams. You should move toward "Peer-Reviewed Change" and automated "Standard Changes." For any deployment that has passed automated testing and has a successful history, you should pre-approve it. This allows developers to move fast while the audit trail is still captured in your ITSM tool. The CAB should only meet to discuss "Normal" changes that are high-risk or cross-departmental. By decentralizing the approval process for low-risk items, you eliminate the bottleneck without sacrificing the quality or the security of your production environment.
Comment: Gary, defining those profiles was our first step. We used historical data to prove that 90% of our patches were zero-incident. We presented this to the auditors and got them to agree to "Automated Approval" for those specific categories. Now, our CAB meetings are only 15 minutes long instead of two hours because we only talk about the genuinely risky stuff. It has drastically improved the relationship between the ITSM team and the developers. It's all about using data to justify trust.
Move your CAB into your Slack or Teams channel. Real-time approvals for minor changes can keep the flow moving without waiting for a scheduled meeting.
Great idea, Sarah. Integrating the approval workflow directly into the communication tools the developers already use makes the whole process feel much less bureaucratic.
Gary, defining those profiles was our first step. We used historical data to prove that 90% of our patches were zero-incident. We presented this to the auditors and got them to agree to "Automated Approval" for those specific categories. Now, our CAB meetings are only 15 minutes long instead of two hours because we only talk about the genuinely risky stuff. It has drastically improved the relationship between the ITSM team and the developers. It's all about using data to justify trust.