I have my ITIL v3 cert, but still haven't
been employed in a shop that implements ITIL. What I learned looks like a good framework for organizing IT processes. What also seemed obvious to me is that implementing ITIL will magnify management: Good management will get better, bad management will get worse.
The one place where management still seems to get hung up is on Change Management. I've come to believe there are three types of Changes: Standard Changes, Semi-Standard Changes, Full Changes. Standard Changes are things like activating an internal network port. You do them routinely, the risks are well defined, the recovery process is well defined, and as long as you stay within your provisioning margins not a problem on that front either. Semi-Standard Changes are things like applying monthly MS patches - mostly routine but a little bit different each time, requires a bit more thought on risks, usually requires some testing both pre- and post- install. Full Changes are things like standing up a new SAN. Full risk analysis is required, as well as a extensive testing. Standard Changes should be implementable without the requirement for prior approval although they still need to go in the CMDB, Semi-standard require a light to medium review, and Full Changes require the full blown CMB review and at least a 14 day lead and an expectation that the process will require a month or more depending on the actual extent of the change.