For technology organizations, change is inevitable. From operational changes in the form of mergers and expansions to frequent software updates and bug fixes, change management is of utmost importance.
But, it’s this second aspect of change, at the level of the code, that takes increasing precedence in today’s software driven organizations because it affects day-to-day tasks as well as high-level management.
Today’s dynamic production environments are updated on a daily, sometimes hourly basis, calling for automation in the tracking, management, and control of changes to production environments. And this is a problem.
Boomer change theory
There are a variety of dated methods when it comes to change management. Tl;dr it’s lots of paper and lots of meetings. These practices are widely regarded as effective across the industry, but research shows this is a common delusion and change management itself needs to change.
As technology continues to advance and software delivery teams continue to accelerate, it is time to be more open-minded when it comes to change management automation. Because as we discovered in a previous feature - slower does not mean safer.
What exactly is the problem?
Changes at code level are increasingly difficult to handle. In the old days when you pushed a handful of changes once or twice a year it was easy to document them in a manual way. Someone with a clipboard can eyeball that easily enough.
But, today’s teams are releasing much more often - once every 11 seconds at Amazon, for example. When changes are made this frequently they cannot be managed with old school practices like meetings, long discussions, and pen-and-paper methods. The old ways don’t scale.
DevOps and change management
DevOps teams push lots of changes and this is creating a bottleneck as manual change management processes struggle to keep up. But, the great thing about DevOps is that it solves the problem it creates.
One of the key aspects where DevOps can be of great help in change management is in the implementation of compliance. If the old school ways of managing change are too slow why not automate them like everything else?
We already do this for building, testing and qualifying, so why not change? We can use the same automation to record change events in real time and implement release controls in the pipelines instead of gluing them on at the end.
Yes, it’s a challenge. But the alternatives are batching changes and using manual oversight - bad. Or, you can just not bother - worse. Maybe nothing will ever go wrong and the auditor will never show up? Yeah, maybe not.
Let’s consider these other approaches
The risk of manual implementation
Organizations usually have a standard, either a universal like ISO270001, or their own internal interpretation for managing change. But, if implementation is manual, these standards can be difficult to maintain, especially when the volume of changes is constantly increasing. When implementing compliance manually there are a lot of downsides. For example,
- Manual change management is bureaucratic and that makes it slow and inefficient.
- Changes have to be batched meaning longer lead times
- Workers spend time manually documenting changes instead of developing new features
- When failures do occur it can be very difficult to isolate the specific instance of non-compliance
- At best, a change management ceremony once every 3-6 months can only ever produce an unreliable snapshot of the true state of the software.
Frustratingly, organizations know all this but still struggle to conceive of an automated solution. It is worth noting that according to an FCA report earlier this year most organizations think that they have change management under control.
However, the report also revealed that change management is actually the biggest source of reported incidents. Wut?
The risk of non-compliance
Non-compliance is not a risk any business is willing to take. But, non-compliance does happen, and when it does it damages the reputation and credibility of an organization. Maybe even it’s ability to operate at all. It can lead to legal issues, financial penalties, and the absolute worst case scenario - withdrawal of your license to operate. Here’s just a few of the drawbacks…
- Legal issues and/or financial penalties
- Suspension of license to operate
- Lots of downtime and manual overhead to address non-compliance if something goes wrong
- Damage to brand and reputation. Who wants to be without their e.g. banking facilities for any length of time?
- With a lot of competition in the marketplace, non-compliance can be the key factor in whether the business succeeds or fails. Ultimately, trust is good for sales.
Automating compliance tasks to mitigate risk
A lot of organizations in regulated industries resist DevOps because they don’t think they have the change management capability to deal with the volume of changes that come with it. But, as we discussed, DevOps also provides the means with which to solve the change management bottleneck.
By automating change management in the pipelines instead of siloing it at the end, organizations can get rid of bureaucratic methods, save time and human effort, go faster, AND have a much more reliable process.
- Automation of change management tasks ensures that standards are in a state of continuous compliance - more than a periodic snapshot.
- Automation means the software is always ready for audit
- If a little thing goes wrong, it is easy to identify where and what went wrong in real time.
- Compliance automation liberates employees from a lot of repetitive tasks. They’re now free to do much more valuable work for organization
- There’s no need to batch changes and you can ship your software knowing it’s already in compliance.
Gartner estimates that by 2023 60% of organizations in regulated verticals will have implemented some form of compliance automation. It’s easy to see why. The ability to reduce lead times and ship features to users quickly means that DevOps offers a clear competitive advantage. But, that velocity will require the automation of change management to ensure compliance at DevOps speed. And that’s where Gartner sees over half the industry by 2023.
The old ways of managing change are no longer fit for today’s dynamic technology companies. Whether you’re regulated or not, it’s time to say “Goodbye Boomer!” to old school change management.