I think the following is a really good article. It was sent via email to my work email account as part of the monthly Tripwire newsletter.
"Common Mistakes in Process Improvement Efforts" from Gene Kim, CTO, Tripwire:
Best-in-class IT organizations know it takes people, processes, and technology to achieve high levels of service availability, security, and sustained compliance. The question is, when an organization starts its process improvement efforts, what most often goes wrong? What are IT management's most frequent mistakes that cause their efforts to fail?
The Visible Ops methodology codifies a prescriptive approach to build IT processes and controls, simultaneously achieving compliance and increasing operational effectiveness and efficiency.
The Problem and Why it Happens
We've studied high performing IT operations and security organizations and looked at failed change management transformations to find out why the initiatives do not live up to their promise.
Visible Ops prescribes that IT management 1) lock down changes, and 2) implement detective controls to ensure that the change management process is followed. However, many IT managers don't implement these changes. Bud Campbell, a Principal IT Service Management consultant for Pepperweed Consulting, says "The biggest failure in any process engineering effort is accountability and true management commitment to the process."
When we ask IT managers why they don't lock down change, we hear two main reasons: "We can't - we won't get anything done," and "The business pays us to make changes." However, unmanaged changes cause low success rates and high mean time to repair (MTTR). The perceived nimbleness and speed is an illusion.
We've also asked IT managers why they do not want to "electrify the fence" around their change processes. They will answer, "We don't need to; we trust our people," or "Our people are professionals and don't need constant micromanagement," or "We already have a change management policy; there are no unauthorized changes. (But, don't make us bet our bonuses on that!)"
When IT managers will not bet their bonuses that there are no unauthorized changes, they indicate management by belief and good intentions, not facts.
A discussion about the business risks, such as security incidents and financial reporting integrity problems, resulting from uncontrolled and unmonitored change should lead to appropriate controls for mitigating those risks. These controls are what Visible Ops is all about.
The Solution: Visible Ops
Visible Ops can jumpstart implementation of IT change management controls and process improvement in IT organizations needing to increase service levels, security, and auditability while managing costs. The methodology is comprised of four prescriptive and self-fueling steps that take an organization from any starting point to a continually improving process. It helps IT managers answer the question, "where do I start?"
Visible Ops: 4 Steps to Implementing Change Control
Phase 1 - Stabilize the patient: Almost 80% of outages are self-inflicted. Addressing change management and problem resolution will help control risky changes and reduce MTTR.
Phase 2 - Catch & Release: Inventory assets, configurations, and services, and identify those with the lowest change success rates, highest MTTR, and highest business downtime costs.
Phase 3 - Create a Repeatable Build Library: Create repeatable builds for the most critical assets and services, making it "cheaper to build than repair."
Phase 4 - Continual Improvement: The first three steps progressively build a closed loop between the Release, Control, and Resolution processes. The final step implements metrics to allow continuous improvement of all these process areas to ensure that business objectives are met.