The Business of IT Blog

Change Control Board vs Change Advisory Board: What’s the Difference?

Joseph Mathenge
4 minute read
Joseph Mathenge
image_pdfimage_print

Technology is best described by the adage from Greek philosopher Heraclitus: The only constant thing is change. In this age of digital transformation, customers and competitors can find solutions and alternatives at the touch of a button. This speed means that service providers stay ahead only by embracing and executing change quickly, yet maintaining sufficient control to manage risk.

Download Now: ITIL 4 Best Practice e-Books

These all-new for 2020 ITIL e-books highlight important elements of ITIL 4 best practices. Quickly understand key changes and actionable concepts, written by ITIL 4 contributors.

In change management and execution, there are two key factors to your company’s success: your technology and your decision-making processes. We’ll explore two structures, or bodies, that focus on change-related decision making—the Change Control Board and the Change Advisory Board. The biggest difference between these two bodies is their scope:

  • The CCB primarily handles changes within projects
  • The CAB covers all changes related to the service lifecycle, including emergency changes

Let’s explore in more detail what they do and how they differ. We’ve also included additional resources at the end of this article.

Change management and decision making

When it comes to management and control of changes to services and service components, one of the biggest challenges is determining who has the authority to make change decisions.

IT service management has long suffered from bureaucratic approaches and general risk aversion—which results in layers of approvals, development delays and confusion, and, ultimately, failure to deliver value to customers in an agile manner. This situation is exacerbated in companies with legacy systems and structures that prohibit the flexibility for change that digital transformation requires.

The Change Control Board and the Change Advisory Board are similar organizational structures play vital roles in decision making. Both are comprised of teams whose role is to collectively help the organization make the right decisions of balancing need and risk of changes to technology that supports business processes, but they’re not the same.

What is a Change Control Board?

A Change Control Board (CCB), also known as the configuration control board, is a group of individuals, mostly found in software-related projects. The group is responsible for recommending or making decisions on requested changes to baselined work. These changes may affect requirements, features, code, or infrastructure.

Poor change control can significantly impact the project in terms of scope, cost, time, risk, and benefits. Therefore, it is crucial that the CCB members are sufficiently equipped with information, experience, and support necessary to make the best decisions.

Creating a Change Control Board

The CCB is created during the project’s planning process. The most successful CCBs include representatives for both the project implementer and the customer, whether they are from a single organization or different ones. In a software project, these would include management or leads from the following units:

  • Program or project managers
  • Product managers
  • Business analysts
  • Developers
  • QA
  • Operations

The Change Control Procedures and the Change Control Plan, established during the planning phase, will define the role of the CCB, which can range from simple recommendations to more holistic decision making. The procedures and plan documentation will also include:

  • The structure and authority of the CCB, such as:
    • Which levels of change require CCB approval
    • Whether lower levels of change can be made by the project manager, for instance
    • Whether higher levels of change must be elevated to a higher governing body, such as the board of directors
  • The frequency of meeting
  • The rules for decision making
  • Communication methods

How many Change Control Boards is enough?

Organizations may choose to have a single CCB handling change requests across multiple projects. For larger projects, you may want a dedicated CCB. Some projects might require multi-level CCBs. A low-level CCB could handle lower priority change requests, for instance non-customer-facing features or changes with low/no cost impact. A higher-level CCB could tackle major change requests that have significant impact on costs or customer.

What is a Change Advisory Board?

Mostly involved in decision making for deployments to IT production environments, the Change Advisory Board (CAB) is a body constituted to support the authorization of changes and to assist change management in the assessment, prioritization, and scheduling of changes.

The authority of the CAB can vary across organizations. Usually, if top leaders or C-suite executives sit in the CAB, then it has highest authority. The organization’s change management policy will define the CAB’s constitution and its scope, which can include anything from proposals and deployments to changes to roles and documentation.

Creating a Change Advisory Board

In most organizations, the Change Manager chairs the Change Advisory Board. The CAB will have a pre-determined schedule. Depending on the typical activity in your IT department, your CAB may meet as often as twice weekly. No matter the frequency of meetings, the Change Manager should communicate the scheduled change required well in advance of meetings, so individuals on the CAB are prepared to make the best decisions.

How a Change Advisory Board makes decisions

A Change Advisory Board typically makes decisions in three major areas, which we’ll review below:

  • Standard change requests
  • Emergency changes
  • Previously-executed change audits

Standard change requests. At every meeting, the Change Advisory Board reviews requested changes using a standard evaluation framework. That framework should consider all dimensions of the change, including service and technical components, business and customer alignment, and compliance and risk. The CAB must also look for conflicting requests—these cases in particular require CAB members to maintain holistic, business-outcomes views that don’t favor the particular team or individual seeking the change.

Emergency changes. Occasionally, the Change Advisory Board must handle an emergency change. This might happen when your company experiences:

  • A service outage (actual or potential)
  • A security breach
  • A compliance requirement

In these cases, an Emergency Change Advisory Board (eCAB) can be formed as a temporary subset of the routine CAB. The eCAB may include some or all individuals from the CAB, and this group will meet outside the normal schedule to review the necessary emergency change(s).

Previously-executed change audits. The CAB can also meet to review previously executed changes particularly those that were unsuccessful or unauthorized, as well as plan the forward schedule of future changes particularly with regard to projected service outage and customer/business plans.

Comparing CCB vs CAB

The Change Control Board and Change Advisory Board share a similar focus of reviewing and making decisions for change requests, though their scopes vary widely. Regardless of differences, the structure for both change bodies must be clear, effective, and efficient. Without these components, companies will fall behind competitors who make changes quickly and safely. Companies must continuously ensure the CCB and CAB succeed, and they’ll also want to prevent change-related bottlenecks, particularly when it makes sense to cascade ownership from decision teams to the teams that own solutions, such as product teams or joint technical teams.

Additional resources

 

New for 2020: ITIL 4 Best Practice e-Books

These all-new for 2020 ITIL e-Books highlight important elements of ITIL 4 best practices so that you can quickly understand key changes and actionable concepts. Download now for free!


These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.

See an error or have a suggestion? Please let us know by emailing blogs@bmc.com.

BMC Bring the A-Game

From core to cloud to edge, BMC delivers the software and services that enable nearly 10,000 global customers, including 84% of the Forbes Global 100, to thrive in their ongoing evolution to an Autonomous Digital Enterprise.
Learn more about BMC ›

About the author

Joseph Mathenge

Joseph Mathenge

Joseph is a global best practice trainer and consultant with over 14 years corporate experience. His passion is partnering with organizations around the world through training, development, adaptation, streamlining and benchmarking their strategic and operational policies and processes in line with best practice frameworks and international standards. His specialties are IT Service Management, Business Process Reengineering, Cyber Resilience and Project Management.