# Change Management Runbook

**VantagePoint Networks**

---

| Field              | Value                                      |
|--------------------|--------------------------------------------|
| Document ID        | VPN-CM-RB-001                              |
| Version            | 1.0                                        |
| Classification     | <CLASSIFICATION_LEVEL>                     |
| Author             | <AUTHOR_NAME>                              |
| Approved By        | <APPROVER_NAME>                            |
| Effective Date     | <EFFECTIVE_DATE>                           |
| Review Date        | <REVIEW_DATE>                              |
| Organisation       | <ORGANISATION_NAME>                        |

---

## Table of Contents

1. [Purpose and Scope](#1-purpose-and-scope)
2. [References and Standards](#2-references-and-standards)
3. [Change Types and Definitions](#3-change-types-and-definitions)
4. [Roles and Responsibilities](#4-roles-and-responsibilities)
5. [Change Lifecycle](#5-change-lifecycle)
6. [Change Request Form](#6-change-request-form)
7. [Risk Assessment Matrix](#7-risk-assessment-matrix)
8. [Approval Flows](#8-approval-flows)
9. [Change Advisory Board (CAB)](#9-change-advisory-board-cab)
10. [Pre-Change Checklist](#10-pre-change-checklist)
11. [Post-Change Checklist](#11-post-change-checklist)
12. [Rollback Checklist](#12-rollback-checklist)
13. [Maintenance Window Communications](#13-maintenance-window-communications)
14. [Emergency Change Procedure](#14-emergency-change-procedure)
15. [Key Performance Indicators](#15-key-performance-indicators)

---

## 1. Purpose and Scope

### 1.1 Purpose

This Change Management Runbook provides <ORGANISATION_NAME> with a structured process for managing changes to IT infrastructure, applications, and services. It is aligned with ITIL v4 Change Enablement practices and designed to maximise the value of changes while minimising risk, disruption, and unplanned downtime.

### 1.2 Scope

This runbook applies to all changes affecting:

- Network infrastructure (routers, switches, firewalls, wireless controllers, load balancers)
- Server infrastructure (physical and virtual, on-premises and cloud)
- Applications and databases (production and staging environments)
- Security configurations (firewall rules, access policies, certificates)
- Cloud infrastructure (<CLOUD_PROVIDER> accounts and services)
- DNS, DHCP, and directory services
- Monitoring and alerting configurations
- Backup and disaster recovery systems

### 1.3 Out of Scope

- Desktop software updates managed by endpoint management (refer to <ENDPOINT_POLICY_REF>)
- Content changes to websites or CMS (refer to <CONTENT_CHANGE_PROCESS_REF>)
- Pre-approved standard changes listed in the Standard Change Catalogue (Section 3.2)

---

## 2. References and Standards

| Reference                    | Description                                    |
|------------------------------|------------------------------------------------|
| ITIL v4 Foundation           | Change Enablement Practice                     |
| ITIL v4 Create, Deliver, Support | Change Management Processes                |
| ISO/IEC 20000-1:2018        | IT Service Management                          |
| ISO/IEC 27001:2022           | Information Security Change Management (A.12.1.2) |
| <INTERNAL_CHANGE_POLICY_REF> | Organisation change management policy          |
| <CMDB_REFERENCE>             | Configuration Management Database              |

---

## 3. Change Types and Definitions

### 3.1 Change Type Summary

| Change Type  | Definition                                                      | Approval Required        | Lead Time         |
|--------------|-----------------------------------------------------------------|--------------------------|--------------------|
| Standard     | Pre-authorised, low-risk, well-documented, repeatable change    | Pre-approved (catalogue) | As scheduled       |
| Normal       | Scheduled change requiring assessment, approval, and planning   | CAB or delegated         | Minimum <NORMAL_LEAD_TIME> business days |
| Emergency    | Urgent change to resolve a P1/P2 incident or critical vulnerability | ECAB (expedited)     | Immediate          |

### 3.2 Standard Change Catalogue

Standard changes are pre-approved and do not require individual CAB review. They must follow the documented procedure exactly. Any deviation makes the change a Normal change.

| ID    | Standard Change                              | Procedure Document        | Authorised Roles           |
|-------|----------------------------------------------|---------------------------|----------------------------|
| SC-01 | Add/modify firewall rule (non-critical zone) | <FIREWALL_SOP_REF>        | <AUTHORISED_ROLE>          |
| SC-02 | Create/modify user account                   | <USER_MGMT_SOP_REF>       | <AUTHORISED_ROLE>          |
| SC-03 | Apply vendor security patch (tested)         | <PATCH_MGMT_SOP_REF>      | <AUTHORISED_ROLE>          |
| SC-04 | Add VLAN to existing switch                  | <VLAN_SOP_REF>            | <AUTHORISED_ROLE>          |
| SC-05 | Update DNS record                            | <DNS_SOP_REF>             | <AUTHORISED_ROLE>          |
| SC-06 | Modify monitoring threshold                  | <MONITORING_SOP_REF>      | <AUTHORISED_ROLE>          |
| SC-07 | Deploy to staging environment                | <DEPLOY_SOP_REF>          | <AUTHORISED_ROLE>          |
| SC-08 | Certificate renewal (automated)              | <CERT_MGMT_SOP_REF>       | <AUTHORISED_ROLE>          |
| SC-09 | VM resource scaling (within limits)          | <VM_SCALING_SOP_REF>      | <AUTHORISED_ROLE>          |
| SC-10 | Backup configuration change                  | <BACKUP_SOP_REF>          | <AUTHORISED_ROLE>          |

### 3.3 Change Categories

| Category          | Description                                          | Examples                                |
|-------------------|------------------------------------------------------|-----------------------------------------|
| Network           | Changes to network devices, topology, or addressing  | Router config, VLAN changes, BGP peers  |
| Security          | Changes to security controls or policies             | Firewall rules, IDS signatures, ACLs    |
| Server / Compute  | Changes to server OS, virtualisation, or compute     | OS patching, VM migration, resource change |
| Application       | Changes to business applications or databases        | Code deployment, DB schema change       |
| Cloud             | Changes to cloud infrastructure or services          | IAM policy, resource provisioning       |
| Monitoring        | Changes to monitoring, alerting, or logging          | Dashboard changes, alert thresholds     |

---

## 4. Roles and Responsibilities

| Role                      | Responsibilities                                                        |
|---------------------------|-------------------------------------------------------------------------|
| Change Requester          | Submits the change request with complete information                    |
| Change Owner              | Responsible for planning, executing, and verifying the change          |
| Change Manager            | Oversees the change process, facilitates CAB, ensures compliance       |
| CAB Chair                 | <CAB_CHAIR_NAME> -- leads CAB meetings, makes approval decisions       |
| CAB Members               | Review and assess changes, provide technical and business input        |
| Technical Approver        | Validates technical feasibility and risk assessment                     |
| Business Approver         | Validates business justification and accepts business risk             |
| Change Implementer        | Executes the change according to the approved plan                     |
| Test / Validation Lead    | Verifies the change has been implemented correctly                     |

---

## 5. Change Lifecycle

### 5.1 Lifecycle Stages

```
Request --> Assess --> Approve --> Plan --> Implement --> Review --> Close
    |          |         |                    |
    |          |         +--> Reject          +--> Rollback
    |          |
    |          +--> Return for more info
    |
    +--> Withdrawn
```

### 5.2 Stage Descriptions

**Stage 1: Request**
- Change Requester completes the Change Request Form (Section 6)
- Submit via <CHANGE_MGMT_TOOL>
- Incomplete requests are returned to the requester

**Stage 2: Assess**
- Change Manager reviews the request for completeness
- Risk assessment is performed using the Risk Matrix (Section 7)
- Impact analysis identifies affected CIs, services, and stakeholders
- Change is categorised and prioritised

**Stage 3: Approve**
- Route to appropriate approval path based on change type and risk (Section 8)
- Standard changes: pre-approved, proceed to Plan
- Normal changes: CAB review and approval
- Emergency changes: ECAB expedited approval

**Stage 4: Plan**
- Detailed implementation plan documented
- Rollback plan documented and validated
- Pre-change checklist completed (Section 10)
- Communication plan executed (Section 13)
- Change window confirmed

**Stage 5: Implement**
- Execute change according to approved plan
- Document actual steps taken and any deviations
- Perform validation testing
- Complete post-change checklist (Section 11)
- If failure: execute rollback plan (Section 12)

**Stage 6: Review**
- Verify change objectives have been met
- Confirm no adverse impact on services
- Update CMDB with configuration changes
- Failed or partially successful changes trigger review

**Stage 7: Close**
- Change Manager closes the change record
- Document final status, lessons learned, and any follow-up actions
- Update Standard Change Catalogue if applicable

---

## 6. Change Request Form

```
CHANGE REQUEST FORM
VantagePoint Networks

SECTION 1: REQUEST DETAILS
Change ID:              [Auto-generated by <CHANGE_MGMT_TOOL>]
Date Submitted:         ____________________________
Requester Name:         ____________________________
Requester Department:   ____________________________
Requester Contact:      ____________________________
Change Owner:           ____________________________

SECTION 2: CHANGE DESCRIPTION
Change Title:           ____________________________
Change Type:            [ ] Standard  [ ] Normal  [ ] Emergency
Change Category:        [ ] Network  [ ] Security  [ ] Server/Compute
                        [ ] Application  [ ] Cloud  [ ] Monitoring
Priority:               [ ] Critical  [ ] High  [ ] Medium  [ ] Low

Description of Change:
_________________________________________________________
_________________________________________________________
_________________________________________________________

Business Justification:
_________________________________________________________
_________________________________________________________

SECTION 3: IMPACT ANALYSIS
Affected Systems/CIs:
_________________________________________________________

Affected Services:
_________________________________________________________

Affected Users/Customers:
_________________________________________________________

Estimated Downtime:     ____________________________
Service Impact:         [ ] Full Outage  [ ] Partial Degradation  [ ] No Impact

SECTION 4: SCHEDULING
Proposed Date/Time:     ____________________________
Proposed Window:        [ ] Standard MW  [ ] Off-hours  [ ] Business hours
Estimated Duration:     ____________________________

SECTION 5: RISK ASSESSMENT
(Complete using Risk Matrix in Section 7)
Likelihood:             [ ] 1-Rare  [ ] 2-Unlikely  [ ] 3-Possible  [ ] 4-Likely  [ ] 5-Almost Certain
Impact:                 [ ] 1-Negligible  [ ] 2-Minor  [ ] 3-Moderate  [ ] 4-Major  [ ] 5-Critical
Risk Score:             ______ (Likelihood x Impact)
Risk Level:             [ ] Low  [ ] Medium  [ ] High  [ ] Critical

SECTION 6: IMPLEMENTATION PLAN
Step-by-step procedure:
1. ____________________________
2. ____________________________
3. ____________________________
4. ____________________________
5. ____________________________

SECTION 7: ROLLBACK PLAN
Rollback trigger criteria:
_________________________________________________________

Rollback steps:
1. ____________________________
2. ____________________________
3. ____________________________
4. ____________________________

Estimated rollback time: ____________________________

SECTION 8: TESTING AND VALIDATION
Pre-change tests:
_________________________________________________________

Post-change validation:
_________________________________________________________

SECTION 9: APPROVALS
Technical Approver:     _____________ Date: _____________
Business Approver:      _____________ Date: _____________
CAB Decision:           [ ] Approved  [ ] Rejected  [ ] Deferred
CAB Date:               _____________
Change Manager:         _____________ Date: _____________
```

---

## 7. Risk Assessment Matrix

### 7.1 Likelihood Scale

| Score | Likelihood       | Description                                        |
|-------|------------------|----------------------------------------------------|
| 1     | Rare             | Change procedure is well-tested, performed regularly |
| 2     | Unlikely         | Minor variations from standard procedure            |
| 3     | Possible         | New procedure or significant configuration change   |
| 4     | Likely           | Complex change with multiple dependencies           |
| 5     | Almost Certain   | Untested procedure, first-time change, high complexity |

### 7.2 Impact Scale

| Score | Impact     | Description                                                   |
|-------|------------|---------------------------------------------------------------|
| 1     | Negligible | No service impact, cosmetic or administrative change          |
| 2     | Minor      | Minor service degradation, single non-critical system         |
| 3     | Moderate   | Noticeable service impact, single critical or multiple systems |
| 4     | Major      | Significant outage, multiple critical systems affected        |
| 5     | Critical   | Complete service loss, customer-facing impact, data risk      |

### 7.3 Risk Matrix

|                    | Negligible (1) | Minor (2) | Moderate (3) | Major (4) | Critical (5) |
|--------------------|----------------|-----------|--------------|-----------|---------------|
| Almost Certain (5) | Medium (5)     | Medium (10) | High (15)  | Critical (20) | Critical (25) |
| Likely (4)         | Low (4)        | Medium (8) | High (12)   | High (16)     | Critical (20) |
| Possible (3)       | Low (3)        | Medium (6) | Medium (9)  | High (12)     | High (15)     |
| Unlikely (2)       | Low (2)        | Low (4)    | Medium (6)  | Medium (8)    | High (10)     |
| Rare (1)           | Low (1)        | Low (2)    | Low (3)     | Low (4)       | Medium (5)    |

### 7.4 Risk Level Actions

| Risk Level | Score Range | Approval Required         | Additional Requirements                              |
|------------|-------------|---------------------------|------------------------------------------------------|
| Low        | 1-4         | Change Manager            | Standard implementation plan                         |
| Medium     | 5-10        | CAB                       | Detailed rollback plan, enhanced monitoring          |
| High       | 11-16       | CAB + Senior Management   | Dedicated rollback resource, extended monitoring     |
| Critical   | 17-25       | CAB + CTO/CISO            | Full rehearsal required, dedicated rollback team     |

---

## 8. Approval Flows

### 8.1 Standard Change Approval

```
Requester --> Change Manager (validates against catalogue) --> Pre-Approved --> Implement
```

Requirements:
- Change matches a Standard Change Catalogue entry exactly
- No deviations from the documented procedure
- Change Manager validates within <STANDARD_APPROVAL_SLA> hours

### 8.2 Normal Change Approval

```
Requester --> Change Manager (assessment) --> CAB Review --> Approve/Reject --> Implement
```

**Low Risk (1-4):**
- Change Manager approval sufficient
- CAB notification only (no meeting required)

**Medium Risk (5-10):**
- CAB review at next scheduled meeting
- Technical and business approver sign-off required

**High Risk (11-16):**
- Full CAB review with detailed presentation
- Senior management approval required
- Rehearsal recommended

**Critical Risk (17-25):**
- Full CAB review with all stakeholders
- CTO and/or CISO approval required
- Mandatory rehearsal in non-production environment
- Dedicated rollback team assigned

### 8.3 Emergency Change Approval

```
Requester --> Incident Commander/Change Manager --> ECAB (phone/chat) --> Approve --> Implement --> Retrospective CAB Review
```

See Section 14 for full emergency change procedure.

---

## 9. Change Advisory Board (CAB)

### 9.1 CAB Membership

| Role                        | Member                    | Mandatory/Optional |
|-----------------------------|---------------------------|--------------------|
| CAB Chair                   | <CAB_CHAIR_NAME>          | Mandatory          |
| Change Manager              | <CHANGE_MANAGER_NAME>     | Mandatory          |
| Network Engineering Lead    | <NETWORK_LEAD>            | Mandatory          |
| Security Lead               | <SECURITY_LEAD>           | Mandatory          |
| Systems Engineering Lead    | <SYSTEMS_LEAD>            | Mandatory          |
| Application Development Lead | <APP_DEV_LEAD>           | Mandatory          |
| Service Desk Manager        | <SERVICE_DESK_MANAGER>    | Mandatory          |
| Business Representative     | <BUSINESS_REP>            | As needed          |
| Cloud Engineering Lead      | <CLOUD_LEAD>              | As needed          |
| DBA Lead                    | <DBA_LEAD>                | As needed          |

### 9.2 CAB Meeting Schedule

| Meeting        | Frequency                    | Time                      | Duration     |
|----------------|------------------------------|---------------------------|--------------|
| Regular CAB    | <CAB_FREQUENCY>              | <CAB_TIME>                | 60 minutes   |
| ECAB           | As needed (emergency)        | Within 30 minutes of request | 15 minutes |

### 9.3 CAB Agenda Template

```
CHANGE ADVISORY BOARD MEETING AGENDA
VantagePoint Networks

Date:           <DATE>
Time:           <TIME>
Location:       <LOCATION_OR_MEETING_LINK>
Chair:          <CAB_CHAIR_NAME>

1. OPENING (5 minutes)
   - Roll call and quorum check
   - Approve previous meeting minutes

2. REVIEW OF OUTSTANDING ACTIONS (5 minutes)
   - Action items from previous CAB

3. POST-IMPLEMENTATION REVIEW (10 minutes)
   - Changes implemented since last CAB
   - Failed changes and lessons learned
   - Change success rate for the period

4. CHANGE REQUESTS FOR REVIEW (30 minutes)
   For each change:
   a. Change ID and title
   b. Change Owner presentation (5 min max)
   c. Risk assessment review
   d. Impact analysis
   e. Implementation and rollback plans
   f. Questions and discussion
   g. Decision: Approve / Reject / Defer / Return for info

   Changes for review:
   | # | Change ID | Title | Owner | Risk | Decision |
   |---|-----------|-------|-------|------|----------|
   | 1 |           |       |       |      |          |
   | 2 |           |       |       |      |          |
   | 3 |           |       |       |      |          |

5. UPCOMING CHANGE CALENDAR (5 minutes)
   - Changes scheduled for next <CAB_FREQUENCY>
   - Potential conflicts or blackout periods

6. ANY OTHER BUSINESS (5 minutes)

7. CLOSE
   - Next meeting: <NEXT_CAB_DATE>
```

---

## 10. Pre-Change Checklist

Complete all items before beginning change implementation.

- [ ] Change request approved and documented in <CHANGE_MGMT_TOOL>
- [ ] Implementation plan reviewed and understood by all implementers
- [ ] Rollback plan documented, reviewed, and validated
- [ ] Rollback trigger criteria clearly defined
- [ ] Backup of affected systems completed and verified
- [ ] Configuration backup of affected network devices taken
- [ ] Maintenance window confirmed and communicated
- [ ] All stakeholders notified (see Section 13)
- [ ] Monitoring dashboards open and baseline metrics recorded
- [ ] Out-of-band access to affected devices confirmed
- [ ] Contact details for all team members and escalation contacts confirmed
- [ ] Required tools and access permissions verified
- [ ] Test environment validation completed (if applicable)
- [ ] Change window has sufficient time for rollback if needed
- [ ] <CHANGE_MGMT_TOOL> ticket updated with "In Progress" status
- [ ] Communication channel established (<CHANGE_COMMS_CHANNEL>)
- [ ] Go/No-Go decision made by Change Owner

---

## 11. Post-Change Checklist

Complete all items after change implementation.

- [ ] All implementation steps completed as documented
- [ ] Any deviations from the plan documented
- [ ] Post-change validation tests executed and passed
- [ ] Service functionality confirmed by business owner or delegate
- [ ] Monitoring confirms no adverse impact on services
- [ ] Performance metrics within acceptable thresholds
- [ ] No new alerts generated as a result of the change
- [ ] CMDB updated with new configuration information
- [ ] Network diagrams updated (if topology changed)
- [ ] Documentation updated (SOPs, runbooks, knowledge base)
- [ ] Stakeholders notified of successful completion
- [ ] Change ticket updated with completion details
- [ ] Change ticket status set to "Completed" or "Completed with Issues"
- [ ] Lessons learned documented (if any)
- [ ] Follow-up actions identified and assigned

---

## 12. Rollback Checklist

Execute when rollback trigger criteria are met.

### 12.1 Rollback Decision

- [ ] Rollback trigger criteria met (as defined in the change request)
- [ ] Change Owner confirms rollback decision
- [ ] Change Manager notified of rollback
- [ ] Rollback communicated to all team members on <CHANGE_COMMS_CHANNEL>

### 12.2 Rollback Execution

- [ ] Rollback steps executed as documented in the change request
- [ ] Each rollback step verified before proceeding to the next
- [ ] Time of each rollback step recorded

### 12.3 Rollback Validation

- [ ] Service restored to pre-change state
- [ ] Monitoring confirms service is operating normally
- [ ] Business owner confirms service is functional
- [ ] No data loss or corruption occurred during rollback
- [ ] All temporary changes or workarounds removed

### 12.4 Post-Rollback Actions

- [ ] Stakeholders notified of rollback
- [ ] Change ticket updated with rollback details and reason
- [ ] Change status set to "Rolled Back"
- [ ] Root cause analysis scheduled for rollback trigger
- [ ] Revised change request to be submitted for future CAB review
- [ ] Lessons learned documented

---

## 13. Maintenance Window Communications

### 13.1 Communication Timeline

| When                              | Action                              | Audience                   | Template |
|-----------------------------------|-------------------------------------|----------------------------|----------|
| <MW_ADVANCE_NOTICE> before        | Initial notification                | All affected stakeholders  | 13.2     |
| 24 hours before                   | Reminder notification               | All affected stakeholders  | 13.3     |
| Start of window                   | Work commencing notification        | Technical team + management | 13.4    |
| Completion                        | Completion notification             | All affected stakeholders  | 13.5     |
| If issues arise                   | Delay / issue notification          | All affected stakeholders  | 13.6     |

### 13.2 Initial Maintenance Notification

**Subject:** [Planned Maintenance] <CHANGE_TITLE> -- <DATE>

```
Dear <STAKEHOLDER_GROUP>,

PLANNED MAINTENANCE NOTIFICATION

We are writing to inform you of upcoming planned maintenance
that may affect the following services:

SERVICE(S) AFFECTED:    <AFFECTED_SERVICES>
DATE:                   <MAINTENANCE_DATE>
TIME:                   <START_TIME> to <END_TIME> (<TIMEZONE>)
EXPECTED IMPACT:        <IMPACT_DESCRIPTION>
CHANGE REFERENCE:       <CHANGE_ID>

WHAT IS CHANGING
<Description of the change in business-friendly language>

WHAT TO EXPECT
<Description of any service impact during the window>

WHAT YOU NEED TO DO
<Any actions required by users, e.g., save work, log out>

If you have questions or concerns, please contact
<CHANGE_OWNER_NAME> at <CHANGE_OWNER_CONTACT> or raise a
ticket via <HELPDESK_SYSTEM>.

Regards,
<CHANGE_MANAGER_NAME>
Change Management
<ORGANISATION_NAME>
```

### 13.3 Reminder Notification (24 Hours)

**Subject:** [REMINDER] Planned Maintenance Tonight -- <CHANGE_TITLE>

```
This is a reminder that planned maintenance will take place:

DATE:               <MAINTENANCE_DATE>
TIME:               <START_TIME> to <END_TIME> (<TIMEZONE>)
EXPECTED IMPACT:    <IMPACT_DESCRIPTION>

Please save your work and log out of <AFFECTED_SERVICES>
before <START_TIME>.

Change Reference: <CHANGE_ID>
```

### 13.4 Work Commencing Notification

**Subject:** [IN PROGRESS] Maintenance Started -- <CHANGE_ID>

```
Maintenance for <CHANGE_TITLE> has commenced.

Start Time:     <ACTUAL_START_TIME> (<TIMEZONE>)
Expected End:   <END_TIME> (<TIMEZONE>)

Updates will be provided on <CHANGE_COMMS_CHANNEL>.
```

### 13.5 Completion Notification

**Subject:** [COMPLETED] Maintenance Complete -- <CHANGE_ID>

```
Planned maintenance for <CHANGE_TITLE> has been completed
successfully.

Completion Time:    <ACTUAL_END_TIME> (<TIMEZONE>)
Services Restored:  <RESTORED_SERVICES>

All services are operating normally. If you experience any
issues, please contact <HELPDESK_SYSTEM>.

Change Reference: <CHANGE_ID>
```

### 13.6 Delay / Issue Notification

**Subject:** [UPDATE] Maintenance Delayed -- <CHANGE_ID>

```
An issue has been encountered during the maintenance window
for <CHANGE_TITLE>.

CURRENT STATUS:     <STATUS_DESCRIPTION>
REVISED END TIME:   <REVISED_END_TIME> (<TIMEZONE>)
ACTION BEING TAKEN: <ACTION_DESCRIPTION>

We will provide a further update at <NEXT_UPDATE_TIME>.

Change Reference: <CHANGE_ID>
```

---

## 14. Emergency Change Procedure

### 14.1 When to Use

Emergency changes are reserved for:

- Resolving an active P1 or P2 incident
- Patching a critical vulnerability under active exploitation
- Restoring a failed critical business service
- Addressing an imminent security threat

### 14.2 Emergency Change Process

1. **Request:** Change Requester contacts Change Manager (or on-call delegate) by phone
2. **ECAB Approval:** Change Manager convenes ECAB within 30 minutes via phone or <OOB_COMMS_TOOL>
   - Minimum ECAB: Change Manager + 1 Technical Approver + 1 Senior Manager
   - Verbal approval is sufficient; document in <CHANGE_MGMT_TOOL> afterwards
3. **Implement:** Execute change with available team
   - Document all steps taken in real-time
   - Maintain communication on <CHANGE_COMMS_CHANNEL>
4. **Validate:** Confirm service restoration and no adverse effects
5. **Document:** Complete full change request form within <EMERGENCY_DOC_SLA> hours
6. **Retrospective:** Present at next scheduled CAB for retrospective review

### 14.3 Emergency Change Constraints

- Emergency changes bypass the normal CAB process but NOT the documentation requirement
- All emergency changes must have a retrospective review at the next CAB
- Repeated emergency changes for the same root cause trigger a problem management investigation
- Emergency changes that introduce new risk require follow-up Normal change for proper assessment

---

## 15. Key Performance Indicators

### 15.1 Change Management KPIs

| KPI                                    | Target              | Measurement Frequency | Data Source           |
|----------------------------------------|---------------------|-----------------------|-----------------------|
| Change success rate                    | ><CHANGE_SUCCESS_TARGET>% | Monthly           | <CHANGE_MGMT_TOOL>   |
| Emergency change percentage            | <<EMERGENCY_TARGET>% | Monthly              | <CHANGE_MGMT_TOOL>   |
| Changes causing incidents              | <<INCIDENT_TARGET>%  | Monthly              | <CHANGE_MGMT_TOOL>   |
| Average change lead time (Normal)      | <<LEAD_TIME_TARGET> days | Monthly           | <CHANGE_MGMT_TOOL>   |
| Change backlog (pending approval)      | <<BACKLOG_TARGET>    | Weekly               | <CHANGE_MGMT_TOOL>   |
| CAB meeting attendance rate            | >90%                | Per meeting           | Meeting minutes       |
| Rollback rate                          | <<ROLLBACK_TARGET>%  | Monthly              | <CHANGE_MGMT_TOOL>   |
| Unauthorised changes detected          | 0                   | Monthly               | SIEM / audit logs     |
| Post-implementation review completion  | 100%                | Monthly               | <CHANGE_MGMT_TOOL>   |
| Standard change catalogue utilisation  | ><CATALOGUE_TARGET>% | Quarterly            | <CHANGE_MGMT_TOOL>   |

### 15.2 KPI Reporting

- Monthly KPI dashboard published by Change Manager to <KPI_DISTRIBUTION_LIST>
- Quarterly trend analysis presented to IT leadership
- Annual review of KPI targets as part of continual improvement

### 15.3 Continual Improvement

The Change Management process is subject to continual improvement through:

- Monthly KPI review and trend analysis
- Post-implementation reviews for all failed changes
- Quarterly process review with CAB members
- Annual external audit against ITIL v4 practices
- Feedback from change requesters and implementers
- Correlation analysis between changes and incidents

---

**Document End**

*This document is the intellectual property of VantagePoint Networks. Unauthorised reproduction or distribution is prohibited.*

*VantagePoint Networks -- Professional Network Security Solutions*