The ITIL Change Management process is used to manage a Change through its entire lifecycle. A Change is defined as the addition, modification or removal of anything that could have an effect on IT Services. The scope should include items such as IT services, components that is used to support or deliver the services, processes and documentation.
Those new to ITIL will often think that the role of the CAB is to authorise the major or significant change. Well, yes and no.
The Change Advisory Board (CAB) is a concept defined in ITIL V2 and V3’s Change Management process and is a body that exists to support the authorization of change and to assist Change Management in the assessment and prioritization of change. The CAB is usually consulted for significant change that have a broad or major impact to the organisation. The CAB may be asked to consider and recommend the adoption or rejection of change appropriate for higher level authorization and then recommendations will be submitted to the appropriate Change Authority.
Similar in concept to the CAB is the Emergency Change Advisory Board (ECAB). This is done as part of the Emergency Change procedure which is used to process a change request related to fixing an error in the IT infrastructure that has major impact to the business if it is not fixed quickly, hence the Emergency Change. An ECAB is necessarily formed since there is often not enough time to convene a normal and larger scale CAB meeting.
So, who authorises change? ITIL defines the role of Change Authority that, as the name stated, authorises change. This is a role that may be given to a person (e.g. Change Manager, department manager) or a group of people (e.g. CAB or ECAB). The levels of authorization for a particular type of change should be determined by the type, size or risk. A major or significant change in a large enterprise that affects several distributed sites may need to be authorized by a higher-level authority such as the Board of Directors. A lesser one with limited scope and impact to the business or IT infrastructure may be authorised by a person. A simple, low risk change may even be pre-approved or pre-authorised.
Figure 4.5 in the ITIL V3 Service Transition book is misleading when taken out of context and often leads a reader to wrongly believe that the CAB or ECAB’s role is to authorise Change. That figure only shows an example where the CAB or ECAB is given the role as a Change Authority.
In summary, a CAB or ECAB’s main role is an advisory one, which is to support and assist the Change Authority in making to decision as to whether a request for change should be approved or rejected. The CAB or ECAB does not authorise a Change unless they are specifically given the role as a Change Authority as well.