Advances in modern technology have provided new business frontiers which has elevated the technology side of the organization as a critical value driver as well as a source of competitive advantage. As companies and other entities embrace digital transformation, a critical differentiator is how to balance both:
- The need for agility and velocity in delivery of new products and services
- The resilience that comes with stability and predictability of existing operational activities
Management of systems change—change management—is therefore an important capability that modern organizations need to invest in, especially because technology change gone wrong can bring grief to businesses when a major outage or performance degradation results from it. A good example of such grief was that experienced by Meta back in October, when a configuration change disrupted Facebook, WhatsApp, and Instagram services for more than six hours.
Part of this capability involves putting in place the right roles that facilitate technology change in a way that is responsive to both customer and business needs, while at the same time managing risks. One of the famous (or infamous depending on one’s perspective) governance roles in service management when it comes to managing risks to change is the change advisory board (CAB).
What is the CAB and is it still relevant in the digital age? Let’s tackle that in this article.
What is the CAB?
The ITIL v3 Service Transition publication defined the CAB as:
“A group of people that support the assessment, prioritization, authorization and scheduling of changes.”
While the CAB is not expected to approve changes, their role is pivotal in advising whether a change should be approved. As such, the members of the CAB were expected to be experienced in both business and technology to point out any significant issues that a technical change could result in if not managed properly.
This group would be chaired by a change manager and mainly constituted of the technical leads involved in the changes as well as system owners and the change process coordinators. More members could be drawn from service owners drawn from business, compliance representatives as well as suppliers involved in the change as per need.
(Learn more about these change roles.)
In some organizations, the CAB had a fixed representation, while others adopted a flexible mix depending on the type of change. Other organizations adopted a two-tier approach that had:
- A Technical CAB where the subject matter experts deliberated the technical details of the change.
- A Business CAB where the business and service owners deliberated scheduling, resourcing, and risks of changes that had passed through the Technical CAB.
The CAB would meet on a regular basis depending on the velocity and scope of changes to be reviewed. So, this could range from daily, weekly, or monthly. The agenda of the CAB would cover:
- Review of upcoming changes. Considering architecture, priority, risk, impact, conflicts, emergency changes and scheduling.
- Review of past changes. Considering successes, failures, resultant incidents, fixed problems, unauthorized changes, etc.
- Review of change process. Considering dependencies, business needs, compliance needs, improvements etc.
Considering the diverse needs of the CAB, the kind of characteristics that a member would embody include the following:
- Fostering professional courtesy within the team and across the organization
- Presenting a number of different perspectives to offer the group variety
- Providing a strong desire to engage one another toward the goal of change
- Offering a committed approach to ensure that services and business continuity remains stable throughout the change process
Challenges facing the CAB
That said, organizations sometimes struggle to get on board with creating a CAB for a few of reasons.
First, business leaders can be leery of governance. People often misconstrue CAB as a board that deals in approvals and denials, causing red tape and roadblocks. In reality, CAB only stands to advise Change Managers on the best solutions after assessing all risks. Further, the diversity of a CAB panel offers a number of insights that make this process enriching.
Next, some organizations do not implement CAB because they struggle with ITIL® change management process as a whole. They may implement only one or two parts of the change management process as they see fit. However, this sometimes excludes best practices required to review, monitor, and implement change, like the creation of a CAB.
Given the wide scope of the CAB’s activities and decision level, many organizations struggled to find the right fit for what a CAB is, despite the fact that the ITIL framework advocates on adopting and adapting the guidance to individual needs. The term “advisory” is often substituted for “approval” where service providers with poorly defined change structures ended up overwhelming the CAB with many changes leading to fatigue or limited bandwidth to thoroughly assess and advise on change approach and risk.
Future of the CAB
In the digital age, value in management of changes can only be achieved when the practices facilitates rather than obstructs change through bureaucratic or timewasting activities. If an organization doesn’t take the time to clearly specify the relevant authority levels for different types of changes, then the CAB ends up as a scapegoat for inefficiency. In fact, the ITIL 4 change enablement publication references the CAB as a bottleneck to an organization’s value streams as it introduces delays and limits the throughput of technical changes.
As digital organizations adopt more product-centric structures, where small teams that are self-managed own the product lifecycle in its entirety, there doesn’t seem to be a place for the CAB. Truth be told, the role of the CAB seems destined to remain relevant only to laggard organizations with siloed structures, significant legacy systems or stringent compliance controls. Or maybe we will see the CAB evolving to emulate a sort of ‘swarm’ structure, where subject matter experts are pulled only when a cross-cutting type of change that impacts multiple products or services is being planned, and quickly disperse back into their product teams once their input is incorporated.
- BMC Service Management Blog
- Change Control Board vs Change Advisory Board: What’s the Difference?
- Introduction to ECAB: Emergency Change Advisory Board
- Agile ITSM: How Agile & Service Management Can Work Together
- Risk Management Practices in ITIL® 4 Environments
- The Gartner® Magic Quadrant™ for ITSM Tools