Standard: High-risk changes are identified and routed appropriately
Purpose and Strategic Importance
This standard ensures high-risk changes are proactively identified, evaluated, and routed through appropriate controls. It helps protect system stability while preserving delivery speed and team confidence. The goal is to avoid both reckless change and excessive bureaucracy.
Aligned to our "Architect for Change" and "Psychological Safety First" policies, this standard reduces the likelihood of failure while enabling fast, informed decision-making. Without it, high-impact issues may go undetected, or delivery may be hindered by unnecessary gatekeeping.
Strategic Impact
- Fewer incidents related to unassessed or unmanaged change risk
- Improved speed-to-safety ratio through contextual controls
- Higher confidence in release quality and operational readiness
- Stronger psychological safety through consistent, trusted processes
- More reliable system health and stakeholder trust
Risks of Not Having This Standard
- Risky changes causing outages or customer impact
- Overuse of manual approval gates that delay flow
- Poor signal-to-noise in change management processes
- Developer frustration and loss of ownership
- Limited insight into the effectiveness of risk-based routing
CMMI Maturity Model
Level 1 – Initial
| Category | Description |
| --- | --- |
| People & Culture | Risk is managed informally. Developers rely on experience or intuition. |
| Process & Governance | Change approval varies by team and is inconsistently applied. |
| Technology & Tools | No tooling exists to identify or assess risk in the pipeline. |
| Measurement & Metrics | No visibility into impact, frequency, or outcomes of high-risk changes. |
Level 2 – Managed
| Category | Description |
| --- | --- |
| People & Culture | Teams are aware of risky change patterns but handle them reactively. |
| Process & Governance | Some rules exist for flagging changes, typically based on prior incidents. |
| Technology & Tools | Basic checks or manual signoffs are used on high-risk changes. |
| Measurement & Metrics | Limited tracking of high-risk change outcomes. |
Level 3 – Defined
| Category | Description |
| --- | --- |
| People & Culture | Teams understand and follow risk classification practices. |
| Process & Governance | Standardised risk-routing workflows are defined and implemented. |
| Technology & Tools | Automated checks flag risky changes based on clear criteria. |
| Measurement & Metrics | Change risk and approval cycle time are monitored and reviewed. |
Level 4 – Quantitatively Managed
| Category | Description |
| --- | --- |
| People & Culture | Risk decisions are data-informed and reinforced through learning loops. |
| Process & Governance | Governance adapts based on impact analysis and performance trends. |
| Technology & Tools | Tooling supports dynamic routing based on change complexity or scope. |
| Measurement & Metrics | Trends in approval delay, incident rate, and rollback frequency are tracked. |
Level 5 – Optimising
| Category | Description |
| --- | --- |
| People & Culture | Teams proactively assess risk and engage in shared responsibility. |
| Process & Governance | Change models evolve continuously based on system behaviour and feedback. |
| Technology & Tools | Intelligent risk assessment and adaptive gating are integrated into pipelines. |
| Measurement & Metrics | High-risk changes are traceable from detection through resolution, driving continuous improvement. |
Key Measures
- % of changes flagged and routed based on risk
- Approval lead time for high-risk vs low-risk changes
- Incident rate linked to high-risk change types
- Team confidence in change safety and routing logic
- Frequency of bypassed or overridden risk controls