Week 11: Change Management, Development

Below is the consolidation of the breakout session responses from yesterday’s class.  Some excellent comments and useful ideas.

Change Management practices may seem bureaucratic and time summing.  How do you manage the trade-off of added work vs. needed controls?

• Compliance requirements for highly regulated industries (i.e. Health, Finance and Insurance)
• By following change management practices it will help ensure the Quality of the product or service is better or at the same standard as it was previously.
• Software automated testing prior to integration
• A well-designed schedule – e.g. everyone knows what’s going to happen for preparation
• Electronic approval process – e.g. IT help desk; approval by email
• Update the documentation in order to assign approval align with the new work (changes are review)
• Define option and response document  and clear and concise roles in align with new work
• The date of when the change management practices are going to occur. what is affected
• An emergency change process is in place
• Changes are submitted for approval
• Categorize everything
• Quantify controls
• Identify the risks that not checked.
• Clients justify very easily
• Prioritize controls
• Put automated systems in place to that automated controls can be helpful
• Training for employees
• Perform change out of business hours if required so that it does not pile up and miss SLA
• Prioritize changes based on risks mitigated, criticality of issue & solutions.
• Perform Changes outside of Business Hours so that work is not affected and neither are large # of users impacted.
• Streamline the change management process so that there is minimal disruption to services and hence fewer service requests to attend to as well, also changes should be reviewed thoroughly to ensure the change is successful.

What are the ramifications of managing change management in the scenario where the changes (e.g. development, etc.) are outsourced?

• Cultural differences in the Company and the vendor organization
• Security issues w.r.t Change performers having high privileged access to the system and messing it up.
• Whether there is sufficient expertise in the outsourcing vendor implementing the changes
• Cultural difference will affect process
• Time zones can be different and hence SLA breach is possible
• Security and privacy issues during change management
• Schedule change control-the project schedule has been affected somehow and events in the project are being delayed.
• Cost change control-the scope contents have not change, but the price for the items in the scope have increased or decreased.
• Giving up control of the change management process
• Adjusting to the new team and learning what each individual are skilled in.
• Communication back and forth could be a challenge if there is a difference in time zone.
• Granting access to the members who are outsourced to the programs used within the company, could take some time and are there security in place to mitigate risk.
• Production of quality, control
• Customer satisfaction of the service
• Compliance standard align with our business objective
• Application able to run on their system
• Confidentiality of our sensitive data can be affected
• Understanding of the required change (The ‘why’ is not consistently communicated by upper management to all team members)
• makes monitoring adherence more difficult if things aren’t done in the same standard or by the same protocols that the main organization is enforcing or following
• They may lack the understanding of the “business” it’s goals and vision of the organization as well as local employees
• Design and functionality are out of control
• Increase need of quality assurance
• Data management issues
• System uniformity

Continuing great job on the discussions. Keep up the good work.   You raised most of the important points but let me summarize my view.

Q1: What key components of ERP change management controls should auditors review?  You provided some good background and details of the systems change management process.  From my experience the key components to focus on are: 1) defined policies and procedures (and proof they are followed)  2) Solid documentation of requirements (what the change should be) 3) testing and more testing and 4) strong approval / governance process.

Q2: Does your company use blueprints as documentation?  Why important? From the few responses it’s a mixed bag about organizations use of blueprints.  My experience is that the blueprints are very useful in implementing successful, complex processes.  They are excellent communication tools and help define for people new to the process or changing it later how it’s supposed to work.  It takes discipline and work to keep the blueprints up to date but in the long run are very useful as ERP systems and processes outlast those originally developing them.

Q3: How have your seen change mgmt work?  How would you improve? Only a few comments but they highlight some keys of good change management: clear communication about the ‘Why’ of change, Methods that those affected by the change can get their questions answered and employee involvement.

Q4: What questions would you like to ask auditors?   Some very good questions.  We’ll include some of them in coming weeks discussion.

Change management is one of the necessary evils of good systems management.  Doing it well requires lots of discipline, hard sometimes tedious work but in the end ERP systems won’t survive well without it.

1. What are the key components of SAP change management controls you would expect the auditor to review?  Why?
2. In your company, do you use any blueprints as documentation?  Why are process blueprints important in the documentation?
3. How have you seen change management work in your organization?  What improvement recommendations do you have?
4. In future weeks we may have the privilege of having real world auditors join us for our discussions.  What questions would you like to ask the Auditors to answer for us?