BMC Remedy Change Management has several features to help assess risk. This post will describe those features, how they work, and how to use them effectively.
Before we look at risk assessment features, let’s consider the case of a change management process which does not include any risk assessment features. A basic feature of Change Management is the ability to define categories of changes, and to designate which changes require approval. Approval may be required for different reasons – to approve budget, to notify affected groups, or to approve the change to the infrastructure. In the latter case, the manager may receive the approval request and have very little information required to make the decision whether to approve or not. The change request has two attributes – Risk Level and Impact – which indicate the risk. How can the change process collect more granular information, and establish a consistent way of assigning the risk of a change?
This is the motivation for the Risk Assessment questions as they provide a way of collecting answers to standard questions in the change evaluation process, and assigning a risk level and impact based on the value provided. There are no out of box or standard risk assessment questions because the answers depend on the company size and prioritization. For example, a common risk assessment question is:
- How many users will be impacted by this change?
- Does this change need to be done during business hours?
- Can this change be rolled back easily?
Next, let’s work through an example of risk assessment questions, and how they work.
Risk assessment questions can provide a lot of consistency in assigning risk to proposed changes, but there are some limitations. First, questions which may be relevant for some changes are not relevant for others. Second, the assignment of risk or impact is subjective – it is forward looking assessment with incomplete information of future events. It is common to underestimate risk by failing to account for execution failures, conflicts or unforeseen factors. So the next feature we want to discuss in this post is Derived Risk.
- Implement risk assessment questions first. This provides a first step of assessing risk across all changes.
- Ensure all changes update the Performance Rating as they are closed. This is the right time to evaluate how smoothly the change was performed. It also is a good step to reinforce the process of focusing on lesson-learned.
- Periodically query for changes with poor performance values to understand how risk was under estimated, and how to account for it in future change requests.
- Add new risk assessment questions if appropriate, based on common causes of poor performance.
- Encourage a culture of continuous improvement, where new questions and unforeseen failures are addressed both in procedures, and in assessing risk.
The Change form includes the following fields for risk management:
- Risk Level: Enter the anticipated risk that this proposed change has —from 5 (highest risk) to 1 (lowest risk).
- Impact: Determine the impact of this change based on the number of affected users.
- Performance Rating: When using the Classic view, in the Classification tab, rate the work done by support staff or the manager in completing the change request. Usually, the manager of the support staff assigned to the change request enters this rating after the change request is closed. This field is not displayed in the Best Practice view.
Risk assessment involves computing the total risk of making a change based on risk related questions and the derived risk.
The change coordinator's responses are recorded and associated with the change entry in the "CHG:ChangeRiskFactors" form. This back-end form is for reference only, and it not intended to be viewed by the users or administrator.
Steps to configure Risk Questions:
- Go to Application Administration Console -> Change Management -> Risk Factors -> Change Risk Selection
- Select the Company and then go to the Questions Tab.
- Numeric Values for each Risk Level.
- Go to Application Administration Console --> Foundation --> Advanced Option --> Approval Process Configuration
- If you have configured the approval process for your Company then the same needs to be verified if they are enabled, for example you have OOB default Global.
- Go to Application Administration Console --> Change Management --> Approval --> Approval Mappings
- You can configure the approvals that will be generated based on the Approve if Risk <= (Risk Level 1,2,3,4,5)
process does not use the Approver Lookup record, nor does the Change Management Chain process.
becomes more meaningful as more changes are accomplished. The performance rating becomes an average of the performance of the assigned manager or the chosen operational categorization. This in turn helps a more accurate risk
assessment to be performed on new changes.
One of the derived risk aspects that can be configured allows for tracking of the performance of the change manager. When a change is completed a performance rating will be entered. This rating is stored on the change and when the change closes, the status becomes ‘closed’, the performance rating is then averaged into the existing performance rating for the CAB Manager. The lower the performance, the higher the risk.
- In the Derived Risk Factors Template for the Risk Factor Type option Derived Rating there are 5 choices available in the Field Name list (Change Coordinator, Change Implementer, Change Manager, Operational CTI, Support Group Name) and for Risk Factor Type option Derived there is 1 choice available (CI Priority).
- On the Infrastructure Change form, the View Risk Report navigation item will be hidden on New and Search windows
- Risk Level 1 is the low value and Risk Level 5 the high value, to use the computed value of risk set the Risk Level field to
NULL and save the change record.
- Risk Weight contains % values of (20/40/60/80/100).
- The formula for computing risk is as follows: if RF1, RF2 and RF3 are the risk levels of three risk factors associated with the change, and if w1, w2 and w3 are the respective weightings for the risk levels, total risk (Risk Level) is computed using the following formula:
RF1*w1 + RF2*w2 + RF3*w3
w1 + w2 + w3
- This version of the formula is used rather than just taking the % weightings alone since the sum of the weights is not required to be 100. This formula ensures that each risk factor contributes the specified fraction (weight) to the overall Risk Level.
Note that if only a single risk factor is associated with the change, its effective weighting is 100% regardless of its actual specified weight.
- High performance rating corresponds to a low risk value and vice versa. In other words, if a Change Manager had a performance rating of 5 (highest) and weighted at 100%, the Risk Level corresponding to this rating is Risk Level 1 (lowest risk).
- The performance rating given to a change request is used for computations starting only when the next change request is submitted. The performance rating given to a change request does not affect its own Risk Level.
- Certain updates to child records will be rolled back if closing without saving. In Risk Determine, if child template entries are created (via Add) or deleted (via Delete), closing the Risk Determine entry without saving will restore the entry to its prior state. Any modifications made to child entries opened via the View button will not be rolled back. This includes setting the status of a child entry to "Delete", which will cause it to be immediately deleted.
- A similar mechanism has been implemented for Risk Factors Template and Answer Choices (risk menu items). Additions and Deletions can be rolled back.
- Create a CI, example: Impact: 1-Extensive/Widespread, Priority: 5, Service Type: Business Service
- The CI as mentioned above associates with the CRQ in the Service+ field.
- Select a Risk Level from the questions from the Risk Level icon
- Submit the Change Request.
- So based on the Questions and Derived Factor the Risk Value gets created.
Add a 'Risk Factor Test Tool' to Application Administration for Change
You can find more content like this about BMC Remedy products on the BMC Remedy Pulse Blogs page.