Who owns the risk of an IT change?

Stuart Rance posted an interesting blog post titled "What Is Change Management For?". Then we had an excellent discussion about it on Google+, where some great stuff came up that I want to capture here in my IP repository (or "blog" for short). Tell me what you think:

    Rob England

    I'm working in the heart of [change management] right now. I agree with every single word, except for one thought:
    This article talks of my favourite dilemma - To Protect and Serve. They are often contradictory.
    If some part of the business - or some development team - wants to go faster than is safe for the organisational IT assets, then Change's primary role is protection. There are lots of cogs in the machine that move change along, there is only one devoted to mitigating the risk. Where a conflict emerges between Protect and Serve for the Change function, Protect wins.

    Stuart Rance

    Thanks for the comment +Rob England. I have some sympathy for your position. As you say the issue is trying to get the balance right, but I have very rarely seen IT change management that is too focussed on agility and too little on protection.

    What I see all too often is IT that thinks it understands business risk better than the people who should be owning that risk.

    This is why I have more time for some of the Agile and DevOps stuff than you; I think that for some types of service they can deliver greater agility AND more protection.

    Rob England

    I'm interested in your views on "people who should be owning the risk". I agree Change Management don't own it, they are merely custodians. But nor do Dev; in fact in my experience they have little or no true perception of risk. True quote: "just because we have had a few problems why does Change pick on our team?"
    In theory "the business" do, but they have no expertise to assess IT risk.
    So who?
    I think the IT service owner/manager.

    Stuart Rance

    Great question Rob. This is clearly a governance issue and can only be solved in the context of governance of IT. Maybe recent focus on cybersecurity can help us make organisations aware of their governance responsibilities.

    Rob England

    Ultimately, calibrating the risk profile sits with governance.
    I think day-to-day ownership of risk of IT changes sits with the IT service owner/manager/whateveryoucallthem responsible for the specific IT service being impacted.
    Or perhaps the CAB have shared ownership? Personally I hate group accountability, but my friend +Pat Ryan has taught me a very effective mechanism combining committees and escalations.

    Stuart Rance

    There are ways to help the business input to this. For example, define three classes of change profile (high stability / balanced / high agility) and let them choose between them when agreeing the SLA.

    Rob England

    Yeah but who owns the risk of an individual change?

    Stuart Rance

    I think who owns the risk assessment of an individual change should be defined in each organization. I know one org where the change submitter owns this for low-risk changes, but they are measured on change success and held accountable.

    ITIL describes selection of a change authority for each change based on an initial risk assessment by the submitter and the Change Admin.

What are your thoughts?