Ask any operations team where their incidents actually come from and the honest answer is rarely "the universe broke." It is "we changed something." A deploy went out, a config got flipped, a certificate was rotated, a feature flag was toggled — and minutes later the queue lit up with tickets. The uncomfortable truth behind most support fire drills is that they are self-inflicted: someone made a deliberate change without enough eyes on it, and the blast radius landed on customers and then on you. Change management is the discipline of putting a controlled path in front of those changes so the predictable ones stop catching everyone by surprise.
This is the part of service-desk practice that customer-facing teams skip the longest, because it feels like internal IT ceremony. It isn't. If a change your company ships can generate a wall of tickets, then change management is a support concern — you are the people holding the pager when it goes wrong.
What a "change" actually is
A change is any deliberate modification to a live service: a code deploy, an infrastructure tweak, a third-party integration update, a price change, a copy edit to a high-traffic flow. The defining trait is intent. An incident is something that broke; a change is something you chose to do. The whole point of managing changes is to catch the ones that will cause incidents before they do, rather than reverse-engineering them afterward from a pile of confused customers.
The trap teams fall into is treating every change the same. Requiring a formal review for a typo fix is how you teach engineers to route around the process entirely. The fix is to size the rigor to the risk.
Three classes of change, three different paths
Almost every workable change process sorts changes into three buckets, and the art is in drawing the lines so the common case stays fast.
- Standard changes are pre-approved, low-risk, and routine — the kind you have done a hundred times with a known-good runbook. A routine dependency bump, a documented config toggle, adding a user to a group. These need no per-instance approval; they need a runbook and a log entry. Pre-approving the boring stuff is what buys you the political room to be strict about the dangerous stuff.
- Normal changes carry real risk and need a review before they go out: a schema migration, a change to the billing path, anything touching authentication or data. These get a change ticket, a named reviewer or small board, and an explicit go/no-go.
- Emergency changes are the ones you make during an incident to stop the bleeding. You cannot wait for a committee while the site is down. The rule here is not pre-approval but post-review: the change happens fast under a clear on-call owner, and it gets documented and reviewed after the fact so the shortcut does not become a habit.
Get these three lines right and 80% of your changes flow through the standard lane untouched, leaving the review process to spend its attention only where it pays off.
The change ticket: what every change should carry
For normal and emergency changes, the change ticket is where the thinking lives. A good change record answers the questions an outage would otherwise force you to answer at 2am:
- What is changing, and why. One plain sentence a non-expert can read. "Rotating the payments API key" — not a diff.
- Blast radius. What breaks if this goes wrong, and who feels it. This is where linking the change to the affected assets and services pays off — a change ticket tied to "the checkout service" instantly shows you what depends on it.
- The rollback plan. Not "we'll figure it out" — the specific, tested steps to undo it. A change with no rollback plan is not ready to ship.
- The window and the owner. When it goes out, and exactly one named person accountable for watching it land.
Tracking changes as their own ticket type — distinct from incidents and service requests — keeps them visible and gives you a record to learn from. When a cluster of incidents traces back to a change, that linkage is the raw material for problem management.
The change advisory board, without the bottleneck
The "change advisory board" (CAB) has a deservedly bad reputation, because the classic version is a weekly meeting where a room full of people rubber-stamp changes they don't understand and block the ones they do. That ceremony is where velocity goes to die. But the underlying idea — that risky changes deserve a second set of informed eyes — is sound. The trick is to keep the function and drop the theater.
- Approve asynchronously by default. A normal change should be reviewable by the right person from the change ticket itself, in minutes, not held for a Thursday meeting. Synchronous review is for the genuinely contentious or cross-team change, not the routine one.
- Match the approver to the change, not the org chart. The person who should sign off on a database migration is whoever understands that database — not a manager three levels up who will approve it unread. Approval authority should track expertise.
- Make "no decision" expensive, not free. The failure mode of any approval step is silence — a change that sits unreviewed for days because no one owns the queue. Put an SLA on the approval itself and route stalled approvals to a backup, so the process speeds changes up to a safe pace instead of just slowing them down.
A CAB earns its keep when it catches the one change a quarter that would have caused a real outage, while being invisible the other 99% of the time. If your board is a recurring meeting that everyone dreads, you have built the bureaucracy without the benefit.
Tell support before customers tell support
The most common change-management failure that lands directly on a support team is the silent deploy: engineering ships something, and the first the support team hears of it is the tickets. Even a perfect change process is incomplete if it does not loop in the people who answer the phone.
Wire your change process so that any normal change posts a heads-up to support before it goes live — what's changing, when, and what customers might notice. This is the same instinct behind proactive customer support: the team that knows a change is coming can pre-write a saved reply, watch for the specific symptom, and turn what would have been a panicked scramble into a calm, informed response. For customer-visible changes, the same information feeds your incident and status communication if the change does go sideways.
The honest test
Change management is working when your incident reviews stop starting with the words "wait, who changed that?" — because every risky change already has a ticket, an owner, a rollback plan, and a support team that knew it was coming. The goal is not to slow change down; the fastest-shipping teams in the world have the most disciplined change processes, because discipline is what lets them ship confidently instead of cautiously. If your process is making people hide their changes to avoid the paperwork, you have built ceremony. If it is catching the dangerous ones while waving the boring ones through, you have built the real thing — and your queue will be quieter for it.