While DevOps speeds up software release cycles, change management often slows them down. So, how do you do change management in a fast-paced DevOps environment? Change control enables organizations to meet compliance and governance while managing changes at the speed of business.
In this interview for TechStrong TV, Greg Sanker, former CIO, IT Operations specialist, author, speaker and contributor to the “ITL4 Change Enablement Guide,” joins us to share his views on the tremendous impact of Agile, DevOps and CI/CD on traditional change control teams. Greg talks about the new role of change control and his contributions to the “ITL4 Change Enablement Guide.”
The video is immediately below, followed by the transcript of the conversation. Enjoy!
Transcript: Change Management in DevOps
Mitch Ashley:ย Well, I have the pleasure of being joined today by Greg Sanker who is former CIO, operations specialist, heโs a speaker/author, a bit of a futurist in leadership and digital transformation. Heโs also a contributor to the “ITIL4 Change Enablement Guide” and a reviewer of a lot of other contentโso, long introduction, there. Welcome, Greg, to [Cross talk].
Greg Sanker: Yeah, wowโthank you. Thatโs kind of awesome. Thanks for having me. I appreciate being on the show. I think we’re gonna haveโ
Ashley: Itโs alwaysโalways good to have a fellow musician. Anybody with a Telecaster in their background can be on this any time you want.
Sanker: Yeah.
Ashley: So, tell us, [Laughter] in addition to your wonderful guitar sitting behind you, tell us a little bit about yourself.
Sanker: Well, you mentioned, I amโI specialize in IT Operations. Thatโs what I’ve done for more decades than Iโd maybe like to admit. But service management has been a core part of that, and itโs become really clear to me that my view of service management is a lot more streamlined and agile than a lot of people perceive it as. And so, I’ve begun speaking at conferences and whatnot. I have a book of my own thatโs publishedโI’ll let you guys go find it if you’re interestedโabout change management.
But most recently, I was asked to work on the ITIL project on a number of ways, but most notably, the change, what we now call “Enablement Guide.” And one of my prerequisites to get engaged with the project was, if you’re gonna ask me to write it, Iโm gonna write it the way I see it, which is very different than what we’ve been doing in the past, and we’re gonna be pushing it forward, so. So, thatโs a bit about me.
Ashley: Thatโs wonderful. Thatโs definitely a consistent theme with ITIL4 and other folks, Mark Smalley and others that we’ve talked with is really recognizingโI think ITILโs had its sort of process moniker, right?
Sanker: Yeah, pretty much.
Ashley: But thereโs a huge emphasis on, you know, how do you fit ITIL and all of the aspects of operations into something that is more of a dynamic DevOps-y agile kind of world, if thatโs a way to describe it. And not to say that it didn’t fit in before, but I think itโs making it more prescriptive in that kind of setting is what a lot of the good work that you and others have done.
Sanker: You know, I was an early embracer of DevOps, and part of the reason for it is the mindset that explores possibility that ignores the boundaries in an organization to achieve outcomes. Thatโs, like, music to my earsโIโm all in. So, itโs a match made in heaven, but I can mention, itโs like, thereโs a lot of organizations that have adopted service management, they have used ITIL in ways that are very prescriptive, very heavy weighted, very bureaucratic and slowed down. And it was never intended to be that way.
Ashley: Mm-hmm.
Sanker: It just is, it got adopted that way, right?
Ashley: Well, and I think a lot of the work thatโs gone into ITIL4 will help make some of that shift.
Sanker: Yeah.
Ashley: Certainly, itโs positioned that way, and I know from other authors, that was the mindset of how the contributions were made. Now, you specialize around change management and we were chatting when we first got introduced about, you know, how do you do change management in a rapid development, agile, DevOps kinda world? If you were gonna be ask that at a conference by somebody, how would youโwhat guidance would you give them?
Sanker: Wow. So, I’ve got an hour and a half platform, right, for that?
Ashley: [Laughter] At least an hour and a half compressed into 20 minutes, yes.
Sanker: Twenty minutes, right? Yeah, absolutely. Well, seeโwell, let me put it this way. I think it really comes down to one fundamental paradigm that we need to change is, traditional change management, which is what I call your CAB-based, you know, Razor request for change, blah blah blah, is based on the idea that we inspect every single change. And as you probably know, Edwards Demingโs said many, many decades ago, โWe’ve got to cease reliance on mass inspection to get quality products.โ Well, thatโs exactly what we’re doing when we say, โHey, I need to make a change. Well, letโs just take a look at it,โ you know, so on Thursday, we’re gonna get together and look at that. But you know full well that, in a DevOps environment or a continuous integration, I mean, we are moving all the time. We donโt slow down and stop.
And so, that mindset, just the mindset of stop and letโs inspect is completely incompatible with a flow-based, whether itโs agile or DevOps or CI/CD or any of the others that are out there that are more flow basedโyou know, rapid feedback loops, short cycles, et ceteraโitโs just incompatible.
And so, what we have to do is elevate out of the inspect mindset into the expectation mindset. And that isโwhat is it that this organization needs from change management? And some of itโs governance and compliance, some of itโs operational stability and recoverability and some of those kinds of things. But letโs state what that is, we’ll state what those things are for the organization so that those that are working in the pipelines, the value streams can actually optimize how well we achieve those expectations and donโt dictate how they do it, letโs just dictate what the outcomes that are required by the organization. Thatโs the fundamental shift, and itโs big. I mean, itโs more than a 180-degree shift. Itโs very significant.
Ashley: Definitely a different mindset for sure, you know, the inspection versus not. Itโs not unfamiliar, thoughโthatโs what security is doing about shifting left and moving ______.
Sanker: Yeah.
Ashley: Iterating the process, DataOps is alsoโyou know, everyone wants to move early in the process, but itโs more than that, because you’re talking about a pretty different mind shift change. So, talk about compliance. Talk about governance from a change management standpoint in this new paradigm.
Sanker: Yeah. So, you jumped right to the jugular. That is the million dollar question.
Ashley: [Laughter] No, but it needs to be done and, you know, we all sort of pooh-pooh it.
Sanker: Right.
Ashley: But you know what? If you donโt do it, itโs really not fun doing it at the end, right?
Sanker: So, maybe you remember, because it certainly rattled my worldโDr. Forsgren said on stage at DevOps Enterprise Summit 2018, โCAB is useless.โ And everybody in the audience laughed and cheered and duh duh duh duh duh.
Ashley: You’re not talking about Cabernet, you mean change advisory board.
Sanker: No. [Laughter] I bet you probably would enjoy a good Cabernet, and Iโdโ
Ashley: CABs, yeah. Those others are still good, but anyway.
Sanker: Merlot, et cetera, they’re all good. But the thing is, sheโs not wrong. But she was looking at it from a very specific lens, and that lens was about failed changesโin other words, the success of changes and the recoverability of changes, two things that are really important to the stability of the business. And what she found in the data, sheโs a data expert, she has a Ph.D. in this, so thereโs no mistake, here.
Sheโs absolutely rightโhowever, CABs frequently are part of the compliance equation. In other words, itโs useless for those things, but it has a use elsewhere in the organization, and for many organizations, thatโs a very scary thought. Because thatโs where we’re able to document and demonstrate for internal and external auditors and validatorsโare we doing the things that we’re required to do? PCI DSS, HIPAA, GDPRโyou know, all of those other compliance framework, NIST 800-53, which hopefully we’ll get to in a minute, but they all have requirements around managing changes within your organization. So, if we donโt do it in the CAB, how do we do it? And thatโs precisely the point.
So, what I’ve sought to do is help organizations build those compliance points into the pipeline itself. In other words, we can point directly to where thatโs being done in the pipeline and donโt require a โletโs slow down and actually check the box, here.โ
You know, the governance isโwell, can I just say this? Thereโs a difference between governance and compliance. They’re two very different topics, right?
Ashley: Yeah.
Sanker: So, governance is about how organizations make decisions, and making sure that those decisions that are made throughout the organization align with or help fulfill the purpose of that organization, whereas compliance really has to do with the conformance. Are we conforming to applicable standards or expectations, either that the organization has or we have externally?
So, but when we talk about governance and compliance, we think about performance and conformance. Iโm sure you’ve heard thatโCOBIT and lots of other frameworks have talked about that for years. But performance is about, you know, your strategy and are you utilizing your resources in pursuit, or are you producing value or value creation? And I think thatโs fascinating.
I’ll bet you’ve read or heard of Mark Schwartzโ new book, “The Art of Business Value.” Itโs a fascinating read.
Ashley: I actually havenโt read that one. I’ll have to check it out.
Sanker: I would put it on your reading list, and I know that sometimes he rubs people the wrong way. I found out that he rubs me exactly the right way, because he asks some really challenging questions, like, โWhat is business value?โ Youโd think thatโs an easy question to answer, right? Itโs like, you know, for a for-profit corporation, itโs like, you know, making your market windows, making your profitability, adding features that attract and retain customers, those kinds of things.
But what if you’re inโas I was as a CIOโwhat if you’re in a government agency? Thatโs not a for-profit organization, so what is business value? Delivery of services to citizens, upholding environmental standards? Thereโs a lot of things that governments do, but they’re not profit motive. In fact, in some cases, itโs not even financial, so what is business value?
And so, when we’re running our backlog, you know, we’re scoring our user stories, like, how do we score that in that kinda context? And then, just when he, when I thought that he had confused me enough, he asked, โWell, what if your business strategyโโand I donโt wanna give away his book. Go buy his book. Butโ
Ashley: No, just tell me the last chapter, thatโs all I need.
Sanker: Exactly. [Laughter] I actually sent him an e-mail. Heโs a great guy and he thinks very, very big. But one of the things that he said was, โWell, what if your strategy is, we want to move customers off of this platform and onto one thatโs more profitable to us, or one thatโs in alignment with our roadmap and our strategy?โ
So, if we’re down in the value streams or in the pipelines, scoring our user stories against customer satisfaction, customer value, things that customers really, really demand and want, we’re actually creating negative valueโthese are my words, not his. We’re creating negative value because we’re making our customers like the platform that we want to get them off of.
Ashley: Mm-hmm.
Sanker: So, business value would actually beโno, do things that make them less likely to like this product. Make them want to migrate. Make it easy for them to say, โYou know, this is really getting old. Iโm gonna try your news service.โ And soโ
Ashley: Right, that behavior change.
Sanker: Yeah, exactly. And so, when we really start thinking about, we’re getting, you know, your governance, especially your governance and your compliance, we have to have adaptive, rapidly adaptive systems that allow us to, at any point in time, understand what the current strategy is and how it affects the decision making that we’re doing at any point in timeโall without, of course, getting your board of directors involved with every single decision throughout the organization.
Ashley: Well, let me ask you this. Iโm really interested, Iโm really curious about how you take this kinda shift in mindset and how you’ve woven that into the “Change Enablement Guide“ that you were the author of. So, you know, it isnโt a process discussion.
Sanker: No.
Ashley: You’re talking about viewing things a different way, valuing some things maybe we didn’t value before, maybe some other things less, and maybe delivering a different set of things. Let me just share, briefly. I remember a day, probably not too long ago, where CABs saw their role as saving us from developers and all the bad decisions and lousy code they were gonna create, so thatโs whatโ
Sanker: [Laughter] Oh, yeah! Absolutely.
Ashley: – thatโs what they say in those CAB meetings.
Sanker: Yes. Oh, absolutely.
Ashley: But, you know, thatโs not what we’re talking about. Tell me howโso, how do you build that into, in a way thatโs gonna help people make that shift through ITIL4?
Sanker: So, thank you for saying that, because there is some unspoken or lightly spoken or spoken only in factions kind of frustration, there. Itโs likeโlet’s be honest. I used to be a network engineer, I did network security, I did all things network. So, I used to be a change manager at one point in time, and who the heck are you, Greg, to cast judgment on this piece of code and decide whether thatโs gonna work appropriately? Everybody knows that I canโt add value to that, and everybody knows that this external body whoโs not familiar with it, certainly not at the paceโyou canโt add value, and yet you act like you do. And that justโthat doesnโt sit well with anybody.
So, we really need to, if we shift our focus to, โWhat is it that we’re trying to achieve?โโso, I talk about putting the right measures on the pipeline. How well is this pipeline producing outcomes, those outcome expectations? Is it producing consistently high quality changes? Is it consistently not delivering failed changesโor, for the failed changes that do go through, how quickly and easily can we recover from that with minimizing impact to the customers?
Those are the things that your CAB or whatever your body is should care about, not the individual changes. You’ve got to get away from the individual changes. You canโt add value to that.
And so, I get asked a lot of the times, itโs like, โWell, what do we do with our CAB?โ since, you know, they’re very unpopular. And in some cases, the best answer isโnow Iโm gonna say it publicly, so Iโm gonna be quoted on this, butโโBlow it up. Just get rid of it. And donโt ever use the C-A-B word again, because it has such a bad name.โ
But it isnโt without value. So, if you have a CAB and the CAB starts saying, โLook, developers, we canโt add value to what you’re doing, but what we really care about is some of these things. So, letโs talk about those things.โ And if you’re talking to, particularly DevOps, agile, automated pipeline folksโthey were gonna welcome that conversation because they’ve already got it covered. They just do. You know, like you know, Iโm the change managerโโWell, have you tested that code before you released it?โ Well, dude, thatโs the only way it gets in production, if it passed tests. Thereโs no way for it to make it into production. So, not only is it insulting, but itโs a dumb question, and undermines your credibility.
Ashley: Well, let me ask you this, then. I think where you’re goingโand tell me if this is rightโis, โWe have so much automation in this pipeline process, right? Thatโs the whole idea of being able to produce software more reliably, more rapidly.โ
Sanker: Oh, yeah.
Ashley: There is so much data thatโs generated and captured, but not leveraged.
Sanker: Yep.
Ashley: We treat it as data exhaust, right? Thatโs sort of this fancy term for it.
Sanker: Yep.
Ashley: In that is a lot of compliance, is a lot of governance informationโ
Sanker: Yeah.
Ashley: – that you can then elevate and connect, and basically save developers time and not having to produce reports at the end. โI’ve already got three-fourths of what I need or what you need, and let me help you put the finishing touches on it so you’ll sail through the next whatever NIST whatever it is.โ
Sanker: Yeah.ย So, there, you get to write a chapter in my next book, because thatโs exactly, exactly what we want to focus on is, we want to beโyou know, alright, this is potentially controversial, but change management is a feedback loop. It helps us understand the quality of changes that are coming through our pipeline. Sitting there and passing judgment and saying, โNothing passes until I say soโโthatโs not adding value. Thatโs absolutely antitheticalโyou know thisโto the DevOps continuous flow kinda mindset.
Ashley: So, they’ll go every way around you you can think possible, you know?
Sanker: Yeah, and the other thing, as we well know, is like, develop is most frequently used in the flagship products. โThis is the core business. Get out of our way. We have to deliver these changes to maintain our profitability, maintain our market windowsโall of those things that are core to the business, and you think Iโm gonna stop for three days when I went from, you know, a user story to a value in under 24 hours in some cases? There is no way Iโm gonna stop. Iโm just not going to. I will take the risk of it failing and you saying, โYou shouldnโt have done that.โโ And thatโsโ
Ashley: You can talk to the chief product officer aboutโ
Sanker: Exactly.
Ashley: – the stockโs direction. [Laughter]
Sanker: And I helped an organization who was, you know, they had agile coaches and they were doing all that. Itโs a large company, but Iโd rather not name them. And I was asked to come in and look at their change management.
Well, what they had done was, rather than having one CAB a week, we were having daily CABs. And we were having daily pre-CABs and then the CABs. And one of the things that I tried to get them to understand is, these two are entirely incompatible. If you’re going towards agile DevOps as a development methodology, then you must move away from CAB. CAB has got to go.
And what was interesting is, their flagship products, the ones that really made money for the organization, they could get away with murder. Why? Because it was so critical to massive revenue in the case of this organization.
Ashley: Mm-hmm.
Sanker: And so, we have a big outage, we recover, we move on, thatโs okay, itโs an acceptable risk. And change management will still know, we canโt have any defects or whatever in production.
And so, we’ve got to get ourselves wrapped around the idea of managing business risk. You know, you mentioned something about the compliance, and just this last weekโlike I said, Iโm working on a new book, but I was looking at the NIST 800-53. Everybodyโs familiar with it, but they finally released version 5. And so, Iโm reading through and the authorโs made a very fascinating statement, and I encourage everybody to go look at this. Version 5 is phenomenal, because what they said was, โWe have eliminated or reduced the specification of who actually does the activity, and we’ve instead focused on the outcomes that need to be achieved.โ In other words, some of the compliance requirements or the controls said, โIT will reviewโ or, โThe change manager will review.โ And so, if you’re gonna comply with NIST 800-53 previous versions, thereโs not a lot of wiggle room around that.
But I’ve been saying for over 10 years and others have been saying, itโs like, if we focus on the outcomes, then whoโs doing it, how they’re doing it is open for us to do it in the most effective way. And that gets us into the pipeline space. And itโs a major step forward, because we struggle with that. Like you said, we have to meet our compliance, you know? If you’re dealing with sensitive information, you know, pharmacy has HIPAA and credit cards and all that sort of stuff, you have to. Itโs just not optional. But you donโt have to do it the way we’ve always done it, and thatโs the piece that I like to bring to organizations. Itโs likeโhow are you doing it, and can we demonstrate that we’re doing it? Those are basic audit business controls minimums.
Ashley: Iโm curious about, we’re sort of talking also about the whole issue of agility and speed, and on the other end of it of the belief of the best way for something to be stable is donโt change it.
Sanker: Oh, yeah, absolutely.
Ashley: Which is antithetical to the environment we’re in, for sure. And so, itโs kinda like you have to embrace, you just have to say, โWe love change, and how do we be super effective at it?โ instead of, โHow do we not change so we donโt mess it up?โ
Sanker: So, thereโs two places, two things that Iโm gonna mention briefly, but we wonโt have time to explore them. Thereโs the field of study around complex, you know, and Cynefin is one of the most notable frameworks. And the idea that thereโs simplex, complexโor complicated, complex, and chaotic, and we treat changes frequently like they’re either simple or complex. Meaning, we need to get some eyeballs on this thing.
But the fact of the matter is, most systems, especially systems that we’re DevOps-ing, are more like a complex adaptive system. Thereโs a level of complexity that we’ve not seen in days of old, like back in the โ80s and โ90s and early 2000s where these systems were, we could actually try to understand them. Modern systemโ
Ashley: They’re not linear. They’re more, you know, dynamic and self-creating, if you will, in run time.
Sanker: Yeah, exactly. So, that hit me a number of years back. Itโs like, this whole mindset, itโs around the idea of, it either is simple or it should be simple, and we can understand it, and we can predict the outcomes, and you canโt. You cannot do that.
And so, we need to build adaptive systems that say, โHey, look, this is complex.โ And you’re not gonna send it to a board of examiners, you know, a CAB who are gonna say, โLetโs take a look at all the risk,โ because it would take you years to do that in a complex system. Thatโs justโthatโs not gonna happen.
So, we need to adopt practices that are more adaptive. And one of the things in that complex area within the Cynefin framework says that we need to run some experiments to better understand the mechanism. And how that applies to change managementโsee, this hit me between the eyes because it was like, โNo failures in production. No failures will be allowedโโthatโs antithetical to learning how the system works. If you donโt make some changes to see how the thing works in operation, you’re denying yourself learning and you’re probably deluding yourself that you’re actually actively controlling it, right?
The other piece of study that I’ve brought to the table isโand you’ve probably heard of itโthis study of anti-fragile. Thereโs a number of authors whose understanding is astronomically higher than my IQ, you know, Ph.D.s who actively debate such things. But I take complex things and make โem simple. Hereโs the thingโsome things, like a tree, when the wind is blowing, the tree is waving, but thereโs more than that going on. Itโs the actually fibers, the plant itself becomes more resilient to wind if itโs been exposed to wind.
Here in Oregon, often thereโs logging operations that have a lot of controls for the environmentโtrust me on that. Itโs changed a lot since the good, olโ days. But one of the things that we do hear is, we leave a segment of trees at the edge of a piece of property thatโs being logged, and we do that for the animals, for the environment, we protect the riparian areas. But one thing that you’ll notice is, within one year of leaving that stand of trees that used to be next to a large strand of treesโthey break. A storm comes, and they get hit. Why? Because they’ve relied on the strength of their neighbors up to this point, and they’re not suited to stand the wind alone, and so those trees break.
Hereโs the thingโif we donโt inject some failure into the system, for a system that is truly anti-fragile, we’re actually making our systems more fragile. And so, a mindset of change management that says, โNo errors, no problems, no failures ever, ever, everโโyou are making your system more fragile, and you’re treating a complex system like itโs simple. And so, we’ve got to change our mindset.
Now, you know full wellโand let me just blast into thisโyou know full well that, as we take these mammoth changes that we used to make in the old days, you know, it took 6, 8, 12 months to produce, and we’ve turned it into these microscopic things that can go through your pipeline and ours and produce values is your blast radius. What bad thing could happen in production has materially changed. The risk has become very, very small. If thatโ
Ashley: And your ability to fix itโ
Sanker: And your ability to fix it skyrockets.
Ashley: – your responsiveness, it isnโt six months to fix it or three, itโs three minutes.
Sanker: Yeah. So, one of the change outcome expectations that I encourage people to establish is, what are your expectations for recovery from any given change, and can we realistically do that?
So, for instance, if I put something in my flagship product that doesnโt work as desired, if I can recover within two minutes, no harm, no foul, is that okay? In a lot of cases, it is. If itโs a defibrillator keeping somebody aliveโprobably not, thatโs probably not okay. But in a financial transaction or a video streaming service or whatever, you know, modern digital services, itโs probably okay, especially if you’ve engineered the release in such a way that you do it like that. You know, blue/red switches, on/offโall of that kind of stuff that we’re engineering in become, you start seeing why we’re able to do that and what that actually does in production. Itโs wonderful.
Sorry, you got me excited about that.
Ashley: Yeah, boy, I could take you a lot of places with that. [Laughter]
Sanker: Yeah.
Ashley: So, letโs take it back to someone whoโs gonna pick up a digital version or a printed version of the “Change Enablement Guide” author.
Sanker: Yeah.
Ashley: How is that approachable for folks? Let me be honest. Iโm probably not gonna go download that to get my heart pumping to go work out, get a better workoutโor maybe I will.
Sanker: [Laughter]
Ashley: Maybe after listening to this, I willโbut how do you make that engaging for people?
Sanker: Yeah. Well, so, one of the thingsโwell, I’ll put it this way. Itโs like, we’re not selling a product, we’re selling an opportunity to solve some problems. Thatโs why we call it best practice, right? And thereโs a lot of best practices, and I donโt feel like they’re nearly at odds as maybe some of the industry might feel like.
But change enablement isโand I’ve been saying for years that this day has come and itโs now here is, change management is in the crosshairs of modern digital organizations. Itโs a pesky remnant of days past. And what the “Change Enablement Guide” isโand there are was more. I mean, for production reasons, I had to kind of limit it. But what I wanted to do was point in this direction of what Iโm talking about. Itโs likeโletโs get people moving towards that. Because like you said, we’re not gonna change overnight. Iโm not gonna read the “Change Enablement Guide” and go back to work the next day and say, โAlright, I can save all the worldโs problems.โ
And so, what I’ve subsequently started doing is writing guidance around, โBut what do I do today? You know, I went to a DevOps conference, Iโm excited, but what do I do when I go back to work? How do I start moving in that direction?โ And blowing up the CAB, while we might all celebrate that, thatโs not a good first step. Instead, what we need to do is start moving ourselves in a better direction. Itโs not more of same, itโsโwhat do we actually need to be doing here, and whatโs the best way to accomplish that?
And itโs difficult, culturally, because it becomes more of a culture. Like you said, there are CABs galore who despise developers probably as much as developers despise CAB. Itโs a match made inโ
Ashley: Cats and dogs, living together.
Sanker: – yeah, exactly. [Laughter] Good reference. And so, that group of people who are widely known for having that kind of mindset are not gonna be welcome when they show up to your spring and say, โHey, weโd really like to be involved earlier in your change management so that we can help you.โ Itโs likeโyeah, sorry, bud. Letโs start somewhere else.
So, if change management starts with, โWe’ve gotta get out of your way. We’re gonna start delegating more and more of your changes into your value stream, and instead, we’re gonna be focusing on, we’re gonna partner with you on, letโs look at the results of what you’re doing. Because we believe that you are optimizing your delivery and we believe that you have the right tools and controls in place.โ So, we are moving more towards, โAre we achieving all the outcomes that the organization has? Is the organization even clear on what those outcomes really, really are?โ
You know, the one that alwaysโI love this oneโโAll changes must be tested before going into production.โ Itโs likeโwell, how many shops have you been in where thatโs not true, at least in modern times?
Ashley: Mm-hmm, yeah. I call that the โmehโ policy. โWe’re gonna test it? Meh.โ No, of course we’re gonna test it.
Sanker: Yeah, we call it blow testing, right? You know, itโs like, โEh, okay, I think we’re alright.โ That is true. In modern terms, though? For flagship products, for things that are really, really core to the business, most organizations have some form of automated testing, or thatโs just part of the process. So, rather than make everybody say, โDid ya test it?โ at a CAB, just, like, โHeyโโ
Ashley: โOf course you did.โ
Sanker: Yeah, exactly. Is that happening in the value stream? If it is, Iโm notโdonโt worry about it. We’ll just move on. Is somebody with the appropriate authority approving that? And thatโsโI am gonna take a minute to talk about this one, Mitch, is that everybody talks about change approval in terms of whoโs gonna approve this idea going into production, this change going into production? Because if something goes bad, we wanna know who to blame, right? In fact, we used to say, โWho has enoughโwho is sufficiently authority that they’ll get fired if something goes bad?โ Which is, of course, the wrong question.
Ashley: Yeah, [Cross talk].
Sanker: Because the right question is, โWho has enough authority that, if it goes bad, they donโt get fired, because they have the authority to put on that level of business risk?โ Right?
But if we moveโand we could talk for hours, but the idea of product ownership or taking a product view of services or modern systems is, โIsnโt it true that the product owner is accountable to the organization to decide what things we’re going to move into production?โ So, to me, thatโs the change approval. We’re approving that we want this change to happen.
So, nobodyโs adding value by making approval at the end of the chain. We’ve already decided that. We already know that we’re gonna make this change.
So, those are two different approvals. One of them is about a product decision or a governance decision, the other is about a business risk decision of, โIs it actually going to achieve the results that we set out to do?โ I believe that most of the latter can be automated. If itโs passed its test, if the testing systems are appropriate, if we’ve doneโin some cases, I love peer reviews. Itโs like, you know, the code needs to be reviewed by a peer, stamp it, and we ship it out. It happens in a minute or two, you know, not hours or days or whatnot like that.
So, I think as we kind of retool or thinking around it, I think thatโs where we can start really solving actual problems that organizations have.
I am reminded, though, I saw thisโyou’ve seen these before, these overhead views of an Indy car or a Formula One car coming in for a pit stop and all this stuff happens and off they go. I saw one this week that was 1.8 seconds. It was awesome, right? And people like thus always share those on social media of, like, โThatโs an agile organization, doing the thingsโ and blah blah blah.
And so, you canโt really argue with 1.8 secondsโfour tires, top off the gas, and out you go.
Ashley: Impressive.
Sanker: But the question, to me, isโlike, Iโm a bit irreverent. Why isnโt it zero? Why canโt we make it zero? If faster is better, letโs make it zero. And the answer is, we wonโt make it to the end of the race unless we have fuel. We wonโt make it, because [Laughter] when you’re racing at 200 miles an hour around corners, your tires literally donโt last that long. Itโs not a matter of preference, itโs a matter of life and death, right? So, we have to change tires.
So, the question isnโt, โAre we balancing speed and agility against risk mitigation?โ Itโs what it is that we’re trying to accomplish here. And in the case of Formula One, we’re trying to win the race. And to do that, we have to take on certain activities that cause delayโthatโs a requirement.
So, the question isnโt, โDo we have to take a pit stop?โ We do. We need tires and we need fuel and sometimes minor adjustments. So, the question then becomes, โHow quickly can we achieve those outcomes?โ And putting four tires on in under two secondsโthat is phenomenal. Hats off to those folks that are doing that. And how do you get however many gallons of fuel we put in a Formula One car in two seconds, I don’t know, but thatโs amazing, right?
And I feel like thatโs the mindset that we need to adopt. We need to quit asking, โWhy do we have to do change management?โ We have to do change management because part of it is to be compliant. That keeps us in business. That keeps us out of trouble.
Ashley: But itโs a really good example, because itโs not an absolute, itโs not, โDo we need to fuel?โ but, โWhatโs just enough fuel for us to win?โ right?
Sanker: Exactly. Oh, and trust me, you’ve watched it. I know, I can see it in your eye, you watch Formula One or Indy and thereโs like a thousand computers over there and stopwatches and gauges and dials and they are calculating exactly how much fuel based on the game strategy or the race strategy, the conditions, who they’re up against, what they think their strategy isโthatโs how much fuel we need to take on, right? So, itโsโ
Ashley: Great model for us to think about of, you know, itโs not absolute quality or absolute whatever.
Sanker: Right.
Ashley: Itโs whatโs appropriate for the organization. We’re gonna have to leave it at there.
Sanker: Okay.
Ashley: And I want you to come back some time, because the next topic is Stevie Ray Vaughan or Eric Clapton. But Iโm gonnaโ
Sanker: Oh!
Ashley: You canโt answer it. You have to come back and answer that, so we’ll have you here another time. Itโs been a real pleasure talking to you, Greg Sanker, who is the author of the “Change Enablement Guide” of ITIL4. So, I think you really gave us some compelling reasons to go check it out. So, thanks a lotโit was great talking with you.
Sanker: Thanks for having me, Mitch.
Ashley: You bet.

Formed in 2009, the Archive Team (not to be confused with the archive.org Archive-It Team) is a rogue archivist collective dedicated to saving copies of rapidly dying or deleted websites for the sake of history and digital heritage. The group is 100% composed of volunteers and interested parties, and has expanded into a large amount of related projects for saving online and digital history.


