Change Request Procedures

🔄 𝐖𝐡𝐚𝐭 𝐇𝐚𝐩𝐩𝐞𝐧𝐬 𝐖𝐡𝐞𝐧 𝐚 𝐍𝐞𝐰 𝐂𝐡𝐚𝐧𝐠𝐞 𝐨𝐫 𝐅𝐞𝐚𝐭𝐮𝐫𝐞 𝐈𝐬 𝐈𝐧𝐭𝐫𝐨𝐝𝐮𝐜𝐞𝐝? Let’s decode the Change Control Framework from a Business Analyst’s lens — practically and step-by-step 👇 🧩 𝐈𝐦𝐚𝐠𝐢𝐧𝐞 𝐭𝐡𝐢𝐬: You're working on an online banking application, and halfway through development, a stakeholder proposes a new feature: ➡️ "Add biometric login for mobile users." As a Business Analyst, this isn’t just about noting the request. It triggers the Change Control Process. 💡 𝐒𝐭𝐞𝐩-𝐛𝐲-𝐒𝐭𝐞𝐩 𝐂𝐡𝐚𝐧𝐠𝐞 𝐂𝐨𝐧𝐭𝐫𝐨𝐥 𝐅𝐫𝐚𝐦𝐞𝐰𝐨𝐫𝐤 (𝐁𝐀 𝐏𝐞𝐫𝐬𝐩𝐞𝐜𝐭𝐢𝐯𝐞): 1️⃣ 𝐂𝐡𝐚𝐧𝐠𝐞 𝐑𝐞𝐪𝐮𝐞𝐬𝐭 𝐋𝐨𝐠𝐠𝐢𝐧𝐠 The change request (CR) is formally captured — often via tools like Jira, ServiceNow, or a Change Request Form. 🧾 “Add biometric login support for iOS and Android apps.” 2️⃣ 𝐈𝐦𝐩𝐚𝐜𝐭 𝐀𝐬𝐬𝐞𝐬𝐬𝐦𝐞𝐧𝐭 BA collaborates with the Solution Architect, Dev, QA, and PM to assess: 📌 Functional impact 🔄 Integration needs 📉 Timeline & budget changes 🔐 Risk to current features 👥 Impact on users ✅ Adding biometric login impacts login module, user settings, authentication API, and testing timelines. 3️⃣ 𝐃𝐨𝐜𝐮𝐦𝐞𝐧𝐭𝐚𝐭𝐢𝐨𝐧 & 𝐂𝐡𝐚𝐧𝐠𝐞 𝐀𝐧𝐚𝐥𝐲𝐬𝐢𝐬 BA updates key documents: 👉 Updated BRD / FRD / User Stories 👉 RTM to link new requirements 👉 Process flows or wireframes 📝 New user story created: As a mobile user, I want to log in using fingerprint or Face ID so that I can access my account securely. 4️⃣ 𝐒𝐭𝐚𝐤𝐞𝐡𝐨𝐥𝐝𝐞𝐫 𝐑𝐞𝐯𝐢𝐞𝐰 & 𝐀𝐩𝐩𝐫𝐨𝐯𝐚𝐥 BA facilitates review with key stakeholders: Product Owner, Business, Compliance, Tech Teams. 🎯 Discussion on value vs. cost, urgency vs. delivery impact. Change is either: 👉 Approved 👉 Deferred 👉 Rejected 5️⃣ 𝐂𝐡𝐚𝐧𝐠𝐞 𝐈𝐦𝐩𝐥𝐞𝐦𝐞𝐧𝐭𝐚𝐭𝐢𝐨𝐧 & 𝐂𝐨𝐦𝐦𝐮𝐧𝐢𝐜𝐚𝐭𝐢𝐨𝐧 Once approved: 👉 BA ensures user stories are prioritized in the product backlog 👉 Updates communication in Sprint Planning 👉 Ensures QA understands new test scenarios 📣 “Team, biometric login is now in scope for Sprint 6. QA, please add test cases for device compatibility.” 6️⃣ 𝐂𝐡𝐚𝐧𝐠𝐞 𝐓𝐫𝐚𝐜𝐤𝐢𝐧𝐠 & 𝐂𝐥𝐨𝐬𝐮𝐫𝐞 BA tracks the change until delivery, gathers feedback, and updates documentation accordingly. 📋 Change status: Deployed in Prod on July 12, Feedback: 94% users preferred biometric login. 🧠 𝐏𝐫𝐨 𝐓𝐢𝐩 𝐟𝐨𝐫 𝐁𝐀𝐬: Always ask: ✅ Is the change aligned with business goals? ✅ Can it be deferred post MVP? ✅ Is it a requirement or a preference? 🔍𝐖𝐡𝐲 𝐓𝐡𝐢𝐬 𝐅𝐫𝐚𝐦𝐞𝐰𝐨𝐫𝐤 𝐌𝐚𝐭𝐭𝐞𝐫𝐬 It brings: ✅ Structure ✅ Accountability ✅ Transparency ✅ Traceability — Especially in Agile or evolving project environments. BA Helpline

Many organizations struggle with implementing changes effectively, often due to the absence of a well-documented change management process tailored to their specific activities. Additionally, a lack of awareness and technical expertise among those responsible for executing changes further complicates the process. Regardless of whether changes are normal, emergency, or unplanned, every organization should have a clear, documented approach detailing how these changes will be managed. Without this, poor change management can lead to delays in decision-making, reduced productivity, misalignment of tools with change objectives, insufficient change execution, or even wasted time and resources. Top management must play a critical role by ensuring that a robust change management process is in place and that competent personnel who are trained, skilled, and experienced are entrusted with driving and managing this process. This applies to all changes, whether small or large, technical or non-technical, process-related or system-related. To support this, I have attached a comprehensive Change Management Policy that outlines best practices and structured procedures to guide organizations through effective change implementation 𝗦𝘂𝗺𝗺𝗮𝗿𝘆 𝗼𝗳 𝘁𝗵𝗲 𝗔𝘁𝘁𝗮𝗰𝗵𝗲𝗱 𝗖𝗵𝗮𝗻𝗴𝗲 𝗠𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁 𝗣𝗼𝗹𝗶𝗰𝘆 The Change Management Policy provides a structured framework for managing changes to information systems, processes, and services, aligned with ISO 27001:2022 standards. Key highlights include: Scope: Applies to all changes impacting information systems, business processes, security controls, and personnel involved in change activities. Change Types: Categorizes changes as standard (pre-approved, low risk), normal (requiring formal assessment and approval), and emergency (urgent, expedited changes). Process Lifecycle: Covers stages from change request, assessment, approval, planning, implementation, verification, documentation, to post-implementation review. Governance: Establishes a Change Advisory Board (CAB) with representatives from IT, security, business units, and risk management to oversee significant changes. Risk and Security: Emphasizes thorough risk and security impact assessments before approval, with testing and rollback procedures to mitigate issues. Communication and Training: Ensures stakeholders are informed of changes and that personnel involved receive appropriate training on change management practices. Roles and Responsibilities: Defines clear roles for requesters, change managers, CAB members, technical teams, and security personnel. Compliance and Continuous Improvement: Mandates regular audits, performance measurement, and ongoing process enhancements. This policy ensures changes are implemented in a controlled, secure, and efficient manner, minimising disruption and aligning with organisational objectives. #RiskManagement #ISO27001 #ChangeManagement #Leadership #ProcessImprovement #OrganizationalCompliance

#VO VS #CR Variation Order (VO) and Change Request (CR) differ in purpose, scope, and processing: #Variation Order (VO) 1. Formal document: Issued by employer/owner or engineer. 2. Approved change: Implements an already-approved scope change. 3. Contractual requirement: Typically required by contract conditions (e.g., FIDIC). 4. Price and timeline adjustment: Includes adjusted prices and timelines. 5. Execution phase: Issued during project execution. #Change Request (CR) 1. Informal/semi-formal document: Submitted by various stakeholders (owner, contractor, engineer). 2. Proposed change: Requests a potential scope change or modification. 3. Pre-approval phase: Submitted for review, approval, or rejection. 4. No immediate implementation: Awaiting approval before implementation. 5. Flexible: Can be withdrawn or modified. #Key differences 1. Purpose: VO executes approved changes, while CR proposes changes. 2. Approval status: VO is approved, whereas CR awaits approval. 3. Timing: VO during execution, CR during planning/design. 4. Formality: VO formal, CR informal/semi-formal. 5. Implementation: VO immediate, CR conditional. #Industry-specific variations 1. Construction: VO (FIDIC), CR (AIA, AGC). 2. Engineering: VO (EPC contracts), CR (RFI/RFC processes). #Best practices 1. Define clear procedures for CR and VO. 2. Establish transparent communication channels. 3. Document all changes and requests. 4. Set clear approval processes. 5. Monitor and adjust project scope and timeline accordingly.

Attention Specialty Contractors: This is a public service announcement. ✋ Raise your hand if you’ve ever sent a Change Order Request and felt like it vanished into the construction void. We talk to Subs all the time who bemoan slow Change Order approvals and the impact on cash flow. Maybe your GC is swamped. Maybe their inbox looks like a demolition site. Or maybe… just maybe… your COR got buried because your process made it harder to say yes. As a former receiver of Change Orders, here are a few incredibly basic ways to help your CORs rise to the top of the pile, get approved faster and help your GC customer: 1. Subject Lines Matter Inbox search is a GC’s best friend. We get hundreds of emails a day. If your subject line says “please see attached,” that COR is toast. Use: [Project] - [Your Company] - COR# - Short Description Help us help you. 2. File Names Aren’t Just for You Every COR you send, we download and save somewhere. If your file name doesn’t make sense, we have to open it to find out what it is and rename it ourselves. “IMG_453452.pdf” slows everyone down. Try: [Project] [Company] COR# [Title].pdf 3. Keep a COR Log That Makes Sense Your GC uses your COR log to make sure they’ve got everything accounted for. If it’s out of date or doesn’t exist, you’re adding risk and slowing things down. If the GC isn’t asking for a COR log… they likely don’t understand their own cost exposure, and all the more reason to keep one and send it to them. One clean, accurate log = fewer surprises and faster approvals. 4. Don’t Be Late Responding to Design Changes When you’re late submitting pricing, you don’t just slow down your GC, you hold up the entire project. That means every subcontractor’s COR gets delayed, and your GC looks bad to the client. 5. Break Down Your Pricing or Proceed at Your Own Risk No breakdown of labor, material, equipment, and markups? We assume you’re hiding something. And guess what? So does the owner. Yes, you might squeeze in a few extra bucks… But it’ll delay your cash flow, trigger a revision cycle, and plant seeds of mistrust. 6. Always Include Supporting Backup Photos, receipts, invoices, timecards, anything that backs up your costs. The GC isn’t just being picky. Their client often requires this for approval. No backup? Expect a bottleneck. 7. If Your T&M Tags Looks Like Chicken Scratch, Start Over Illegible, coffee-stained tickets = CORs in limbo. We have to show these as backup to our clients and advocate on your behalf. Help us. Go digital. Add photos. Make it easy to approve on the first pass. You don’t need Clearstory to make these improvements. But we do automate all of the above. The entire platform for Specialty Contractors was designed to help Subs communicate and present information more succinctly to their GCs. 📩 DM me if you want to see how it works.

You submit a change order request, only to be told: “It’s too late.” “You didn’t follow the right process.” Or worse: “Do the work now, we’ll sort out payment later.” 📄 Contract Clause: Most subcontracts have strict change order procedures that require written approval before you start the work. If you proceed without that signature, you could waive your right to payment, no matter how valid your claim. 💡 Solution: Never rely on a verbal “we’ll take care of you.” Push for clarity in the clause and insist on written authorization before you mobilize. ✅ Actionable Takeaway: Next time you review a subcontract, highlight the change order procedure and make sure your team knows: ✔️ Who has authority to approve changes ✔️ What format the notice must take (email? formal form?) ✔️ The deadline for submission That way, you’re not chasing money after the fact, you’re protecting it upfront. ⸻ 👉 Want more practical tools to make contracts less of a gamble? Download my free Notice Clause Cheat Sheet, your quick-reference guide to tracking critical deadlines that keep your rights intact. 📥 Link in comments

#𝗜𝗧𝗜𝗟 - 𝗖𝗛𝗔𝗡𝗚𝗘 𝗠𝗔𝗡𝗔𝗚𝗘𝗠𝗘𝗡𝗧 Change Management is a process in ITIL (Information Technology Infrastructure Library) designed to 𝗺𝗮𝗻𝗮𝗴𝗲 𝗰𝗵𝗮𝗻𝗴𝗲𝘀 𝘁𝗼 𝗜𝗧 𝘀𝗲𝗿𝘃𝗶𝗰𝗲𝘀 𝗮𝗻𝗱 𝗶𝗻𝗳𝗿𝗮𝘀𝘁𝗿𝘂𝗰𝘁𝘂𝗿𝗲 𝗶𝗻 𝗮 𝗰𝗼𝗻𝘁𝗿𝗼𝗹𝗹𝗲𝗱 𝗺𝗮𝗻𝗻𝗲𝗿, 𝗺𝗶𝗻𝗶𝗺𝗶𝘇𝗶𝗻𝗴 𝗱𝗶𝘀𝗿𝘂𝗽𝘁𝗶𝗼𝗻 𝗮𝗻𝗱 𝗲𝗻𝘀𝘂𝗿𝗶𝗻𝗴 𝘁𝗵𝗮𝘁 𝗰𝗵𝗮𝗻𝗴𝗲𝘀 𝗮𝗹𝗶𝗴𝗻 𝘄𝗶𝘁𝗵 𝗯𝘂𝘀𝗶𝗻𝗲𝘀𝘀 𝗼𝗯𝗷𝗲𝗰𝘁𝗶𝘃𝗲𝘀. 𝗖𝗵𝗮𝗻𝗴𝗲 𝗠𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁 𝗟𝗶𝗳𝗲𝗰𝘆𝗰𝗹𝗲 𝟭. 𝗖𝗵𝗮𝗻𝗴𝗲 𝗥𝗲𝗾𝘂𝗲𝘀𝘁 (𝗥𝗙𝗖 - 𝗥𝗲𝗾𝘂𝗲𝘀𝘁 𝗳𝗼𝗿 𝗖𝗵𝗮𝗻𝗴𝗲) ○ Initiation: A formal request for a change is submitted, detailing the nature, impact, and justification for the change. 𝟮. 𝗖𝗵𝗮𝗻𝗴𝗲 𝗔𝘀𝘀𝗲𝘀𝘀𝗺𝗲𝗻𝘁 𝗮𝗻𝗱 𝗘𝘃𝗮𝗹𝘂𝗮𝘁𝗶𝗼𝗻 ○ Impact Analysis: Assess the potential impact of the change on the IT environment and business processes. 𝟯. 𝗖𝗵𝗮𝗻𝗴𝗲 𝗔𝘂𝘁𝗵𝗼𝗿𝗶𝘇𝗮𝘁𝗶𝗼𝗻 ○ Approval: The change request is reviewed and approved by the appropriate authority, such as the CAB or Change Manager. 𝟰. 𝗖𝗵𝗮𝗻𝗴𝗲 𝗜𝗺𝗽𝗹𝗲𝗺𝗲𝗻𝘁𝗮𝘁𝗶𝗼𝗻 ○ Execution: Implement the change according to the approved plan. This involves carrying out the technical steps required to effect the change. 𝟱. 𝗖𝗵𝗮𝗻𝗴𝗲 𝗥𝗲𝘃𝗶𝗲𝘄 𝗮𝗻𝗱 𝗖𝗹𝗼𝘀𝘂𝗿𝗲 ○ Post-Implementation Review: Assess the results of the change implementation to verify if the objectives were met and to identify any issues or improvements needed. 𝟲. 𝗖𝗵𝗮𝗻𝗴𝗲 𝗘𝘃𝗮𝗹𝘂𝗮𝘁𝗶𝗼𝗻 (𝗳𝗼𝗿 𝗠𝗮𝗷𝗼𝗿 𝗖𝗵𝗮𝗻𝗴𝗲𝘀) ○ Review: Conduct a thorough evaluation of major changes to ensure they have achieved the desired results and to assess their overall impact on the organization. 𝗠𝗲𝘁𝗿𝗶𝗰𝘀 𝗳𝗼𝗿 𝗖𝗵𝗮𝗻𝗴𝗲 𝗠𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁 𝟭. 𝗖𝗵𝗮𝗻𝗴𝗲 𝗦𝘂𝗰𝗰𝗲𝘀𝘀 𝗥𝗮𝘁𝗲 ○ Calculation: (Number of Successful Changes / Total Number of Changes) * 100 𝟮. 𝗖𝗵𝗮𝗻𝗴𝗲 𝗙𝗮𝗶𝗹𝘂𝗿𝗲 𝗥𝗮𝘁𝗲 ○ Calculation: (Number of Failed Changes / Total Number of Changes) * 100 𝟯. 𝗖𝗵𝗮𝗻𝗴𝗲 𝗟𝗲𝗮𝗱 𝗧𝗶𝗺𝗲 ○ Calculation: Total Time for All Changes / Number of Changes 𝟰. 𝗖𝗵𝗮𝗻𝗴𝗲 𝗜𝗺𝗽𝗹𝗲𝗺𝗲𝗻𝘁𝗮𝘁𝗶𝗼𝗻 𝗧𝗶𝗺𝗲 ○ Calculation: Total Implementation Time for All Changes / Number of Changes 𝟱. 𝗡𝘂𝗺𝗯𝗲𝗿 𝗼𝗳 𝗘𝗺𝗲𝗿𝗴𝗲𝗻𝗰𝘆 𝗖𝗵𝗮𝗻𝗴𝗲𝘀 ○ Calculation: Number of Emergency Changes 𝟲. 𝗣𝗼𝘀𝘁-𝗜𝗺𝗽𝗹𝗲𝗺𝗲𝗻𝘁𝗮𝘁𝗶𝗼𝗻 𝗥𝗲𝘃𝗶𝗲𝘄 (𝗣𝗜𝗥) 𝗖𝗼𝗺𝗽𝗹𝗶𝗮𝗻𝗰𝗲 𝗥𝗮𝘁𝗲 ○ Calculation: (Number of Changes Reviewed / Total Number of Changes) * 100 𝟳. 𝗖𝗵𝗮𝗻𝗴𝗲 𝗕𝗮𝗰𝗸𝗹𝗼𝗴 ○ Calculation: Number of Changes in Backlog 𝟴. 𝗖𝗵𝗮𝗻𝗴𝗲 𝗜𝗺𝗽𝗮𝗰𝘁 𝗮𝗻𝗱 𝗥𝗶𝘀𝗸 𝗠𝗲𝘁𝗿𝗶𝗰𝘀 ○ Calculation: Various metrics based on impact and risk assessment criteria.

ITIL on the run – Change Management   👉 Why change management process is crucial??? Imagine you login to your critical application and you find it functioning incorrectly or even worse, it is down and nobody knows why. Well, probably someone has changed something somewhere without informing anyone. That’s why you need to have a process in place which regulates this entire mess. The goal is to have a process which effectively manages changes to the environment in a controlled manner which assesses, plans, authorize, and implement changes.   Change Management will help you reduce the risk of disruption, maximize change success, promotes consistency and continuously improve.   👉Lifecyle of a change Propose change -> validate change -> Request change -> Approve change -> schedule change -> communicate change -> Perform change -> Track change -> Review and close   👉Key concepts 🔈 Types of change o  Standard – pre authorized, low risk, repeated steps o  Normal – approval required, goes through CAB o  Emergency – to fix a priority issue, has a different discussion board (ECAB) Note: All changes are categorized as significant, major, minor based on impact, risk, and cost   🔈 CAB – Change Advisory Board consists of various stakeholders who evaluate and approve the change. They could be your tech teams, vendors, suppliers, management layer, customers, etc   🔈 Freeze period – Agreed period where no changes are allowed in the production environment. Only critical changes that are extremely urgent can be passed under certain circumstances   🔈 PIR – Post Implementation Review usually conducted after a critical change to review its status. The outcome could provide with lessons learnt, feedback, gaps for improvement, any other observation   🔈 8Rs to manage a change effectively o  Who is Requesting the change o  Reason for this change o  Return expected from implementing this change o  Risk associated with the change o  Resource – required to carry out the change o  Roles & Responsibilities for each resource in the change o  Relationship between this change and other changes o  Rollback – if the change isn’t progressing the way you want   🔈 5Ws for communication o  Why – stakeholders can understand the change and prepare for any downtime o  Who – customers, management, tech teams, users, etc o  When – before and after the change o  What – details of the change. Level of details varies to different stakeholders o  Where – channels of communication

SAP Engineering Change Management (ECM) Process 1. Initiate Change • Change Request: Proposal for a modification by departments like engineering or production. 2. Create Change Master • Change Master Record (CMR): Tracks change with details like change number, reason, and validity dates. 3. Plan the Change • Identify Change Objects: Determine impacted objects (materials, BOMs, routings, documents). • Impact Analysis: Assess implications on other parts of the system. 4. Approve the Change • Workflow and Approvals: Route change request through necessary approval stages. • Change Status: Update status (e.g., initiated, approved, implemented). 5. Implement the Change • Effectivity: Set the effective date for the change. • Documentation: Update relevant documentation to reflect changes. 6. Communicate the Change • Notifications: Inform affected departments and individuals. 7. Monitor and Review the Change • Post-Implementation Review: Verify change implementation and outcomes. • Feedback and Continuous Improvement: Gather feedback to refine the process. Key Elements in SAP ECM 1. Change Numbers • Unique identifiers linking changes to objects and processes. 2. Engineering Change Orders (ECO) • Detailed orders specifying actions for change implementation. 3. Change Impact Matrix • Tool for assessing change impact across areas. 4. Version Control • Manages object versions for tracking changes and enabling rollbacks. Example Scenario 1. Initiate Change • Engineering team raises a change request for a design flaw. 2. Create Change Master • Record created with details about the proposed changes. 3. Plan and Analyze • Identify affected BOMs/materials and conduct impact analysis. 4. Approval • Route request through workflow and obtain approvals. 5. Implementation • Update BOMs and revise documents; set effective date. 6. Communication • Notify affected departments and distribute updated documents. 7. Monitoring • Monitor implementation, conduct review, gather feedback. This concise outline provides a brief overview of the ECM process in SAP, highlighting key steps and components involved.

Questionnaires for Automated IT Application Control Testing ITAC testing, with questions tailored to different control scenarios, including configurational and non-configurational controls, change override situations, and positive and negative testing. Questionnaires: 1. Configurational Control: What are the key configuration settings for automated application controls in the system? How are user access rights and permissions configured within the application? Is there a process in place to review and update control configurations regularly? How are segregation of duties (SoD) and least privilege principles enforced within the application? Are there any exceptions or deviations from standard control configurations? 2. Non-Configurational Control: How are automated application control tests initiated and executed? Is there a documented process for reviewing and interpreting test results? Are control testing procedures integrated with the organization's change management process? How are exceptions and anomalies identified and addressed during testing? Is there a mechanism in place for escalating control failures to appropriate stakeholders? Are there any manual interventions required for control testing and validation? 3. Change Override: What is the process for requesting changes to automated application controls? How are change requests evaluated, approved, and implemented? Is there a designated authority responsible for overseeing change overrides? Are there any restrictions or limitations on change overrides to ensure integrity and security? How are changes to control testing procedures documented and communicated? Is there a rollback mechanism in place for unauthorized or erroneous changes to control tests? 4. Positive Testing: Are automated control tests effectively validating the intended functionality of application controls? Is the test environment adequately configured to simulate real-world scenarios? Are control test results accurately captured and analyzed for compliance and effectiveness? How are control test failures and deficiencies remediated and tracked to closure? Is there a mechanism for validating the accuracy and completeness of control test coverage? Are control tests integrated with broader IT governance and risk management processes? 5. Negative Testing: Are control tests capable of detecting and preventing unauthorized access and transactions? How do control tests respond to invalid inputs and unexpected system behavior? Are there any weaknesses or vulnerabilities in control testing logic or execution? Is there a process for validating the resilience and robustness of control tests against potential threats and attacks? How are control test results used to enhance the organization's overall security posture? Are control tests continuously evaluated and updated to address emerging risks and challenges? #itac #itgc #risk