{"id":25637,"date":"2019-06-10T11:48:00","date_gmt":"2019-06-10T11:48:00","guid":{"rendered":"https:\/\/kepner-tregoe.com\/developing-a-risk-mitigation-discipline-in-it-change-management-part-1\/"},"modified":"2026-03-18T11:11:26","modified_gmt":"2026-03-18T11:11:26","slug":"developing-a-risk-mitigation-discipline-in-it-change-management-part-1","status":"publish","type":"post","link":"https:\/\/kepner-tregoe.com\/zh-hans\/blogs\/developing-a-risk-mitigation-discipline-in-it-change-management-part-1\/","title":{"rendered":"Developing a Risk Mitigation Discipline in IT Change Management (Part 1)"},"content":{"rendered":"\n

This is the first of two posts on Risk Mitigation. <\/p>\n\n\n\n

The change management process in IT organizations has two main goals: to maximize the effectiveness of change implementation and to manage risk to the business. IT organizations have generally adhered to a documented change process, mostly focusing on process compliance rather than thinking consistently about anticipating and mitigating risks when and where required.<\/p>\n\n\n\n

IT teams create and enforce these processes following frameworks like ITIL\u00ae. The governance that stems from this approach has made organizations very reactive. Traditional processes are too slow for today\u2019s level of change and innovation.<\/p>\n\n\n\n

It was fine when the speed of change was slower. A Change Advisory Board (CAB) could meet once a week or even once a month and come to grips with these changes. But the rate of change, both external (driven by competition) and internal (driven by opportunity for innovation), have accelerated to the point where that cadence no longer works.<\/p>\n\n\n\n

As a result, important changes are put on hold because IT and the business cannot keep up. Management now recognizes the importance of the business risks these changes can introduce. Change requests get stuck in the review process, until the risks are understood. Increasingly the business feels the imperative to make these changes anyway to meet competitive threats and capitalize on opportunities, but views its overtaxed IT function as an obstacle, rather than an ally. Business people start looking for ways to work around IT, rather than engaging with it.<\/p>\n\n\n\n

That\u2019s why in the days of Agile, the traditional CAB approach has been put into question. New management philosophies like DevOps have brought accelerated change and innovation, breaking down the risks inherent in each new release into much smaller increments by dramatically reducing the scope of releases. This reduces the impact on the business if something does go wrong \u2014 which, inevitably, it will.<\/p>\n\n\n\n

In this new environment, it is important for IT organizations to assess risks against three different dimensions:<\/p>\n\n\n\n