Reed College
Reed College

Information Technology

Change Advisory Board (CAB) Standard

Associated Documents

The Change Advisory Board (CAB) ensures that changes to IT services are implemented efficiently, safely, and with minimal disruption to the organization. This standard outlines the roles, classifications, and responsibilities required for all significant IT changes.

Change Classifications

All changes must be categorized into one of the following three types to determine the required approval path.

Change Type

Description

Approval Requirements

Routine (Standard)

Low-risk, repetitive, and well-documented tasks (e.g., monthly security patching).

Pre-approved by the CAB; no individual ticket approval needed.

Normal

Non-routine changes that vary in risk and impact (e.g., system upgrades, new features).

Requires full CAB review and scheduled implementation.

Emergency

Critical changes required to restore a failed service or patch a high-severity security hole.

Approved by the Emergency CAB (ECAB) or implemented immediately with a retroactive review.

The Change Advisory Board (CAB)

The CAB is a cross-functional group that meets regularly to assess, prioritize, and schedule changes.

Key Responsibilities:

  • Verifying that change requests contain complete technical and communication plans.
  • Identifying potential risks or cross-system conflicts.
  • Voting on the approval or rejection of Normal changes.
  • Reviewing Post-Implementation Reports (PIRs) for failed or emergency changes.

Roles and Responsibilities

To ensure accountability and separation of duties, the following roles are defined:

  • Change Requester: Identifies the need for change and prepares the submission. They are responsible for the accuracy of the technical plan and stakeholder communication.
  • Change Implementer: Executes the technical steps of the change. (Often the same person as the Requester).
  • Change Approver / Technical Peer: A subject matter expert or supervisor who validates that the change is technically sound and has a viable rollback plan before it reaches the CAB.
  • Change Manager: Facilitates the CAB meetings, manages the Change Calendar, and ensures the process remains efficient.
  • Process Owner: Accountable for the overall strategy and high-level compliance of the Change Management process.

Risk and Impact Analysis

Every change request must include a risk assessment based on:

  1. Impact: How many users or business processes will be affected?
  2. Risk: What is the likelihood of failure, and what is the "blast radius" if the rollback plan fails?

Changes with "High" impact or "High" risk require more rigorous documentation and potentially longer lead times for approval.

Post-Implementation Review (PIR)

All failed changes or Emergency changes must undergo a PIR at the following CAB meeting. The goal is not to assign blame, but to identify technical or procedural gaps to prevent future service disruptions.