Chapter 22. Change control

Decisions on change requests should be made by those who have the authority to do so, within their assigned tolerances and who own the affected configuration items. If the impact of the change request goes beyond their authority, then either a higher level of decision-maker is needed or agreement sought from the impacted owner. The change control manager normally coordinates such escalations, often working with a change control board which oversees the change control process. The change control manager and board view changes in the aggregate, channelling, and prioritising change requests. If the change impacts another portfolio, programme or project, the decision maker should have accountability for balancing the competing needs of the work. Under such circumstances, decisions are often made at an organisational level, for example a portfolio board or investment committee. 

To ensure effective decision-making a tiered system of delegation should be defined and established in the change control framework (see 22.6.3.2 on developing the change control framework). Portfolio, programme and project managers should have permissible tolerances within which they can approve changes without escalation. There are normally several levels for review and authorisation of changes depending on the level of impact of a change, for example, impact on baselined plans, approved business case or wider impacts on other projects, programmes or portfolios.  

The need for escalation and the complexity of assessing some changes can make the assessment of change requests seem lengthy. This can be mitigated through good traceability management practices, delegation and separation of the work into streams which are focused on objectives, thereby making decisions possible at a lower level without compromising other work. Nevertheless, timescales for assessments need to be realistic or the quality of information for decision makers could suffer.

The data needed to manage change requests can be effectively held in a change control register. The detail needed can vary depending on the individual portfolio, programme, or project’s needs. Enough information should be recorded to enable decisions to be made and action taken. The choice of tools and the experience of the team can also influence what needs to be collected and held.

Assessing and approving changes to the solution design can be managed more effectively if changes are grouped for implementation during specific periods. This is often the approach used for software changes. This period is called a ‘change window’ and it helps assess the aggregated impact of changes, which can then be implemented more efficiently. The use of change windows can help reinforce discipline around change control.

The record of changes should be open to the core team so they are aware of what is proposed, and can take a view on whether their work could be affected. Such openness can help identify undiscovered problems and promote collaboration within the team. A view on all the changes can also show how stable the work is, with multiple changes indicating that the solution and plans are volatile and that risks need managing. This can also serve as a source of lessons for improving future working practices. Progression in the register also shows achievement in the disciplined control of change.

Understand the wider governance and management framework for the sponsoring organisation, portfolio, programme or project, as appropriate. Within this, understand how change control, issue management and risk management work together (see Figure 21.1) and, importantly, how decisions for changes can be escalated from one level in the project delivery hierarchy to another. All the planning and control practices need to work together both within a level and across levels. Consider how change requests are to be reported, so that there is consistency within and across those levels.

In addition, it is necessary to understand how change control interfaces with:

• traceability management as it includes the management of configuration items and baselines (see Chapter 23: Traceability management)

• planning as it is essential for implementing a change (see Chapter 16: Planning)

Develop an understanding of the context and nature of the work, such as understanding its complexity, scale and interdependencies with other programmes, projects and work. This informs the choice about which aspects of the work should be subject to change control and who should have authority for decisions. 

The more complicated or complex the work is, the harder it is to control change efficiently and effectively and the change control process and tools need to be chosen to reflect this

Once the scale and complexity of the work is known, appropriate tools and processes can be defined, together with the resources needed to use them. For simple solutions or when the work is outsourced or contracted out, the data can be handled through spreadsheets. For more complicated solutions, specialist tools are needed to manage the volume of data and relationships and make it available to those who need it when they need it. The processes need to interface with the traceability management processes and are usually dependent on the same tool.

Change control requires a systemic approach to identifying, assessing, planning, making a decision on, implementing, and closing changes through the life cycle. It also requires a defined framework to govern and manage these activities, overseeing change control and closing the change control environment.

These related activities are shown in Figure 22.2. These may be sequential or iterative, depending on the nature of the portfolio, programme or project.  

The approach to change control should be defined including any processes, methods, tools and techniques to be used. This forms part of the overall governance and management framework for the work (see Chapter 4: Governance and management). The important considerations of this activity are discussed in more detail in 22.6.2. The framework should be maintained to address relevant feedback from its use.

Change requests can come from different sources and can relate to the same part of the work. It is therefore often not desirable to consider each of them in isolation nor, if approved, implement them immediately, as this can be inefficient or lead to contradictory requests being implemented. An important part of overseeing change control is to identify where change requests are better managed as a bundle (in aggregate), merged or redefined. Having good traceability makes this task easier. 

A systemic view also ensures that the change control continues to fulfil its purpose and meets the needs of the work. This also includes the maintenance of the control framework and providing periodic reports on changes and trends (see Chapter 18: Reporting).

The context and nature of the work could change throughout the life cycle. Therefore, the change control framework should be under continuous review to ensure it remains effective. 

Identifying a change is when a change is proposed and a change request is put forward, formally registered and verified.

A change request can originate from any stakeholder, including ministers, policy makers, executive management, end users, suppliers, or team members. Alternatively, a change might result from responding to a threat that is above tolerance, an opportunity that could be exploited or an issue that cannot be resolved within the current constraints.

Once put forward, the change request should be registered and an owner assigned by the change control manager. 

The change request should be assessed and validated to understand its impact on baselines for the plan, solution design and the management documentation, interdependent work and whether it is necessary or desirable. Where necessary, supporting information or evidence can be sought. If the impact is not fully understood decisions may be based on incorrect assumptions.

The change request should be classified in accordance with the pre-defined categorisations in the control framework. The assessment of a change request can either be simple or detailed, depending on the nature of the change. A preliminary simple assessment can help determine if a more detailed or impact assessment is needed. There are different techniques that can be used to evaluate the possible options (which should include doing nothing) and their impacts. The Government Functional Standard for Analysis and the Aqua Book (requires sign in) provide useful guidance on how to carry out such assessments.

The proposed change should be planned in draft (see Chapter 16: Planning), with an understanding of how to incorporate it into the wider work and implement it. Residual risks should be recorded and addressed. Those undertaking the assessment should make a recommendation on what course of action should be taken and why. Once the assessment and plan are ready for a decision, the change control register should be updated. 

After assessing a change request, a decision should be made on whether to approve, reject or defer the change. The decision should be backed by the impact assessment, supported by evidence where possible, including possible implementation options and taking account of the associated risks.  

Where a change is necessary but cannot be accommodated within existing baselines, a decision to replan or reset baselines may need to be sought through agreed governance. If inability to make the change threatens the viability of the work overall then, this should be escalated through governance such as to the portfolio director or senior responsible owner.   

The change register should be updated with the status and the change control manager, change owner, relevant team members and stakeholders notified. 

If a proposed change is approved, the change should be implemented in accordance with the plan, and the change control register updated. Relevant configuration items such as baselines, documentation, and deliverables should be updated (see Chapter 23: Traceability management).

Actions taken to implement the change should be monitored and reported to ensure that the change is being carried out effectively, and those who need to know about the change and its progress in implementation are informed, such as impacted team managers and stakeholders. Monitoring also enables changes to be made to the plan if any issues or additional risks are identified.

The change control register should be updated regularly to reflect the current understanding of the change as well as its impact and implementation.

A change request should be closed once the change has been confirmed as being implemented or rejected. The change control register should be updated.

Closed changes should be kept on the register, stating when and by whom as this information can be useful for identifying likely sources of risks when conducting lessons learned reviews (see Chapter 38: Learning from experience) and for maintaining traceability (see Chapter 23: Traceability management).

Once the work has been completed and change control is no longer needed, the change control manager should close the management framework, retaining information and data in accordance with the delivery and sponsoring body’s information retention policy (see Chapter 24: Information and data management).