IT Change Advisory Board: How to Run a CAB That Works

July 15, 2026
5 min read

A change advisory board only adds value if it's run well. Learn who should attend, how to structure meetings, and which metrics keep your CAB improving.

The change advisory board (CAB) is one of the most misunderstood practices in ITSM — too many organisations treat it as a rubber-stamp meeting that slows everything down rather than a structured risk filter that protects service quality. This guide explains what a CAB is, how to structure it, who should attend, and how to run meetings that actually reduce failed changes without creating a bureaucratic bottleneck.

What Is a Change Advisory Board and Why Does It Matter

A change advisory board is a group convened to evaluate, prioritise and authorise significant changes to IT services and infrastructure. The concept comes directly from ITIL v4, where it sits inside the change enablement practice alongside standard and emergency change types.

The CAB exists for one reason: changes are the leading cause of unplanned outages. Without a formal review process, engineers and project teams push changes that conflict with each other, lack rollback plans, or have not been tested in a representative environment. The CAB forces those gaps to the surface before production is touched.

That said, a poorly run CAB creates its own problems. If every change — no matter how minor — goes through a slow weekly meeting, teams learn to work around it. Shadow changes, undocumented deployments and weekend "emergency" work become the norm, which is worse than having no CAB at all.

The goal is a CAB that is fast enough to stay relevant and rigorous enough to catch real risk.

CAB Roles and Who Should Attend

Blog image

Getting the right people in the room (or on the call) is the single biggest factor in CAB effectiveness. ITIL v4 does not prescribe a fixed membership list, but most well-run CABs include a consistent core with rotating technical representation.

Core CAB members

  • Change manager — chairs the meeting, owns the agenda and maintains the change schedule
  • Service desk manager — brings visibility of open incidents and known errors that a change might affect
  • Infrastructure or platform lead — evaluates technical risk and dependency conflicts
  • Security representative — assesses whether the change introduces compliance or vulnerability exposure
  • Application owner or business analyst — represents the business service impacted by the change

When to bring in additional reviewers

For changes touching a specific system, add the relevant subject-matter expert on a per-change basis rather than making them a permanent attendee. Permanent over-attendance is one of the fastest ways to kill CAB engagement — people stop preparing because the meeting rarely concerns them directly.

For large organisations, consider a virtual CAB model where reviewers submit written assessments before the meeting. The live session then focuses only on high-risk or contested changes.

The Three Change Types and What Goes to CAB

Blog image

Not every change needs a CAB review. ITIL v4 defines three change types, and understanding the distinction is essential for keeping the CAB focused.

Standard changes

Standard changes are pre-approved, low-risk, and follow a documented procedure. Examples include adding a new user account, installing an approved software package from a vetted catalogue, or rotating a service account password using a tested runbook. These never go to CAB — they are authorised by the change model itself.

Normal changes

Normal changes carry meaningful risk, affect production services, or have not been done before in this environment. These are the changes CAB exists to review. They arrive with a request for change (RFC) that documents scope, risk assessment, rollback plan, testing evidence, and implementation window.

Emergency changes

Emergency changes are raised to resolve a critical incident or close a severe security vulnerability when waiting for the next CAB cycle would cause unacceptable harm. Most organisations handle these through an emergency CAB (ECAB) — a smaller, faster group (often just the change manager, a technical lead, and a senior stakeholder) that can convene within hours. Emergency changes are reviewed in full at the next standard CAB meeting to close the loop.

Keeping these three lanes clearly separated prevents the most common CAB failure: normal changes being mislabelled as emergencies to skip the queue.

How to Run an Effective CAB Meeting

Blog image

The mechanics of the meeting matter as much as who attends. A CAB that runs well feels like a focused risk conversation, not a status update or an approval theatre.

Before the meeting

  • Publish the RFC template and submission deadline at least 48 to 72 hours before the meeting
  • Require change owners to complete all RFC fields before submission — incomplete RFCs should be returned, not reviewed
  • Circulate the agenda and RFC pack to all attendees in advance so they arrive prepared
  • Score each RFC against a consistent risk matrix before the meeting so discussion time is allocated to genuinely complex changes

During the meeting

  • Start with a review of the forward schedule of change to identify conflicts and freeze periods
  • Work through RFCs in risk order — highest risk first while attention is sharpest
  • For each change, ask three questions: what is the blast radius if this fails, is the rollback plan credible, and has this been tested in a non-production environment
  • Timebox each RFC to keep the meeting under 60 minutes wherever possible
  • Record decisions and conditions clearly — "approved subject to completing load testing by Friday" is a real decision; "approved in principle" is not

After the meeting

  • Update the change schedule and notify change owners of outcomes within hours, not days
  • Track changes through to completion and record whether they succeeded, failed, or required rollback
  • Review failed or rolled-back changes at the next CAB as part of a brief post-implementation review

Building a CAB Metrics and Continuous Improvement Loop

Blog image

A CAB without metrics is a meeting without accountability. Measuring CAB performance helps you identify whether the process is working and where it needs to be tuned.

Metrics worth tracking

  • Change success rate — the percentage of changes implemented without incident or unplanned rollback
  • Emergency change ratio — a rising proportion of emergency changes signals that teams are bypassing normal process
  • CAB cycle time — how long from RFC submission to authorisation decision; long cycle times drive shadow changes
  • Change-related incident rate — incidents caused by changes as a percentage of total incidents, often tracked as change-induced outage time
  • RFC rejection rate — high rejection rates may indicate poor RFC quality or a template that needs clarification

Using metrics to improve the CAB

Review these metrics quarterly with the change manager and service desk leadership. If the emergency change ratio is climbing, investigate root causes — it usually points to inadequate capacity in the normal change pipeline or a culture where teams feel the CAB adds no value. If cycle time is high, look at whether the RFC template is too burdensome or whether the meeting cadence needs to increase.

Most experts recommend moving toward a risk-tiered model over time, where low-risk normal changes are approved by the change manager alone without a full CAB session, reserving the group review for high-risk and complex changes. This keeps the CAB fast and credible.

Common CAB Pitfalls and How to Avoid Them

Blog image

Even well-intentioned CABs fall into predictable traps. Recognising them early saves significant pain.

  • Approving changes without a rollback plan — the CAB should not authorise any change that cannot be reversed within an acceptable timeframe
  • Treating the CAB as a formality — if the change manager pre-approves everything before the meeting, attendees disengage and the process loses its value
  • No connection to the CMDB — reviewing a change without knowing which configuration items it touches is guesswork; the RFC should always reference affected CIs
  • Ignoring the forward schedule — approving a database change during a peak trading window because no one checked the calendar is an avoidable failure
  • Never updating standard change models — if a change that used to be risky has been done successfully dozens of times, promote it to standard and remove it from the CAB queue

The TIKTING service management platform includes a built-in change management workflow with RFC templates, approval routing, and a forward schedule of change view, so CAB chairs can see the full change landscape without manually assembling spreadsheets. Odysseus asset discovery keeps the underlying CMDB current, which means change impact assessments are based on real configuration data rather than outdated records.

Key Takeaways

  • A change advisory board is a risk filter, not an approval bottleneck — its value depends entirely on how it is run
  • Separate standard, normal and emergency changes clearly so the CAB focuses only on changes that genuinely need group review
  • Core CAB membership should be small and consistent; bring in subject-matter experts per change rather than packing every meeting
  • Require complete RFCs before the meeting, timebox discussions, and publish decisions the same day
  • Track change success rate, emergency change ratio and CAB cycle time to identify where the process needs tuning
  • A live, accurate CMDB is a prerequisite for meaningful change impact assessment — without it, CAB decisions are made on incomplete information

Related Articles

IT Escalation Management: How to Build a Process That Works

IT Escalation Management: How to Build a Process That Works

A weak escalation process is behind most missed SLAs and burned-out teams. Learn how to design clear tiers, triggers, and workflows that actually hold up.

IT Asset Audit: How to Run One That Actually Finds the Gaps

IT Asset Audit: How to Run One That Actually Finds the Gaps

Learn how to plan and run an IT asset audit that finds real gaps — with a step-by-step process, common failure points, and tips for turning findings into lasting improvements.

ITSM for HR Teams: How to Run HR Service Delivery Like IT

ITSM for HR Teams: How to Run HR Service Delivery Like IT

HR teams drown in email requests with no SLAs, no tracking, and no self-service. Learn how ITSM principles transform HR service delivery step by step.

IT Change Management Process: A Step-by-Step Guide for 2026

IT Change Management Process: A Step-by-Step Guide for 2026

A poor IT change management process causes outages and compliance gaps. Learn the ITIL v4 workflow, change types, CAB best practices, and key metrics in this step-by-step guide.

ITSM for Facilities Management: Run a Smarter Helpdesk in 2026

ITSM for Facilities Management: Run a Smarter Helpdesk in 2026

Learn how ITSM practices — service catalogs, SLAs, and incident management — can transform a reactive facilities team into a structured, measurable operation.

ITSM for Sales Teams: Manage Requests and Approvals in 2026

ITSM for Sales Teams: Manage Requests and Approvals in 2026

Sales teams lose hours chasing approvals and IT requests. Learn how to apply ESM to sales service delivery, build a service catalogue, and automate deal desk approvals.

ITSM for Manufacturing Teams: Manage Requests and Downtime in 2026

ITSM for Manufacturing Teams: Manage Requests and Downtime in 2026

Discover how ITSM principles reduce unplanned downtime and bring order to manufacturing request management — from equipment faults to planned maintenance.

IT Incident Management Best Practices: A Complete Guide

IT Incident Management Best Practices: A Complete Guide

Cut downtime and missed SLAs with these proven IT incident management best practices — from triage and escalation to SLA tracking and post-incident review.

Showcases TIKTING at ITCN Asia 2026 in Lahore

Showcases TIKTING at ITCN Asia 2026 in Lahore

ITDEVTECH showcased its flagship solution TIKTING at ITCN Asia 2026 in Lahore, demonstrating how it streamlines IT operations and empowers organizations.

Why Email-Based IT Support Fails in Large Organizations

Why Email-Based IT Support Fails in Large Organizations

Email-based IT support fails in large organizations due to lost requests, no accountability, poor visibility, and compliance risks. Learn why.

CMDB Best Practices: How to Build and Maintain a Clean CMDB

CMDB Best Practices: How to Build and Maintain a Clean CMDB

A stale CMDB costs your team time and trust. Learn how to scope, build, and maintain a clean CMDB with practical steps and a maintenance checklist.

SLA Management in ITSM: How to Set, Track, and Meet Targets

SLA Management in ITSM: How to Set, Track, and Meet Targets

Missing SLA targets? Learn how to set realistic service level agreements, track compliance in real time, and fix the root causes of breaches in your ITSM environment.

IT Knowledge Management: Build a Self-Service KB That Reduces Tickets

IT Knowledge Management: Build a Self-Service KB That Reduces Tickets

A dusty wiki nobody reads won't reduce your ticket queue. Learn how to build and maintain a self-service knowledge base that actually deflects tickets.

IT License Compliance: How to Audit and Stay Audit-Ready

IT License Compliance: How to Audit and Stay Audit-Ready

A failed software audit can mean penalties and emergency spend. Learn how to build an IT license compliance programme that keeps you audit-ready year-round.

IT Onboarding and Offboarding: A Service Desk Process Guide

IT Onboarding and Offboarding: A Service Desk Process Guide

Ad hoc onboarding and offboarding leaves accounts open and assets untracked. Learn how to build a repeatable, ITIL-aligned process that closes both gaps.

IT Service Catalog: How to Build One That Actually Gets Used

IT Service Catalog: How to Build One That Actually Gets Used

Learn how to build an IT service catalog users actually adopt — with the right structure, intake forms, fulfillment workflows, SLA targets, and a quarterly review process.

IT Release Management: A Practical Guide for Service Desk Teams

IT Release Management: A Practical Guide for Service Desk Teams

A poorly managed release floods your service desk with incidents. This practical guide covers the full release management process, common mistakes, and a step-by-step checklist.

IT Configuration Management: Build a CMDB That Drives Real Value

IT Configuration Management: Build a CMDB That Drives Real Value

Most CMDBs fail within months of launch. Learn how to design, populate, and maintain a configuration management practice that teams actually trust and use.

IT Ticket Prioritization: How to Triage Service Desk Requests Right

IT Ticket Prioritization: How to Triage Service Desk Requests Right

Ad hoc ticket triage causes SLA breaches and burned-out teams. Learn how to build an ITIL-aligned priority framework that scales with your service desk.

IT Availability Management: How to Keep Services Up and SLAs Met

IT Availability Management: How to Keep Services Up and SLAs Met

Learn how to define availability targets, measure uptime accurately, and build a repeatable process that keeps services running and SLAs met.

IT Capacity Management: How to Plan Before Problems Hit

IT Capacity Management: How to Plan Before Problems Hit

Reactive capacity management causes incidents, SLA breaches, and budget surprises. Learn how to build a proactive process that keeps services ahead of demand.

IT Vendor Management: How to Govern Suppliers and Cut Risk

IT Vendor Management: How to Govern Suppliers and Cut Risk

Ungoverned suppliers cause outages and missed SLAs. Learn how to build a vendor management process that tracks contracts, measures performance, and integrates with ITSM.

IT Continual Improvement: How to Build a Process That Sticks

IT Continual Improvement: How to Build a Process That Sticks

Continual improvement is central to ITIL v4 but rarely done well. Learn how to build a register, prioritise work, and embed improvement into everyday ITSM.

IT First Contact Resolution: How to Improve FCR on Your Service Desk

IT First Contact Resolution: How to Improve FCR on Your Service Desk

Low first contact resolution drains your service desk. Learn what causes FCR to drop and the step-by-step process to improve it across your team.

IT Event Management: How to Cut Noise and Catch What Matters

IT Event Management: How to Cut Noise and Catch What Matters

IT event management turns monitoring noise into actionable signals. Learn how to categorise events, beat alert fatigue, and build a process that catches issues before users do.

IT Asset Depreciation: How to Track and Plan for End-of-Life Assets

IT Asset Depreciation: How to Track and Plan for End-of-Life Assets

Learn how to track IT asset depreciation, plan hardware end-of-life cycles, and connect retirement workflows to your ITSM process before budget surprises hit.

IT Service Desk Shift-Left Strategy: Reduce Escalations and Costs

IT Service Desk Shift-Left Strategy: Reduce Escalations and Costs

Learn how to build a practical shift-left strategy that reduces escalations, improves first-contact resolution, and cuts service desk costs — step by step.

IT Service Desk Reporting: Build Reports That Drive Real Improvement

IT Service Desk Reporting: Build Reports That Drive Real Improvement

Most service desk reports produce numbers, not decisions. Learn how to build IT service desk reports that drive real improvement across every audience level.

IT Demand Management: How to Plan for IT Work Before It Overwhelms Your Team

IT Demand Management: How to Plan for IT Work Before It Overwhelms Your Team

IT demand management makes all incoming work visible before it overwhelms your team. Learn how to build a practical intake, prioritisation, and planning process.

IT Service Desk Ticket Backlog: How to Clear It and Keep It Clear

IT Service Desk Ticket Backlog: How to Clear It and Keep It Clear

A growing ticket backlog signals a broken support process. Learn how to audit, clear, and prevent your IT service desk backlog with practical steps.

IT Mean Time to Resolve: How to Measure and Improve MTTR

IT Mean Time to Resolve: How to Measure and Improve MTTR

MTTR is a critical service desk metric — but most teams measure it wrong. Learn how to calculate, segment, and systematically reduce mean time to resolve.

IT Asset Tracking: How to Know Where Every Asset Is at All Times

IT Asset Tracking: How to Know Where Every Asset Is at All Times

Most IT teams think their asset tracking is reliable — until an audit proves otherwise. Learn how to build a process that stays accurate without manual effort.

ITSM for Finance Teams: Streamline Requests and Stay Compliant

ITSM for Finance Teams: Streamline Requests and Stay Compliant

Finance teams are internal service providers. Learn how applying ITSM for finance streamlines requests, enforces approvals, and builds the audit trail compliance demands.

ITSM for Legal Teams: Manage Requests, Contracts and Compliance

ITSM for Legal Teams: Manage Requests, Contracts and Compliance

Legal teams drown in emailed requests with no tracking or accountability. Learn how ITSM brings structure, SLAs and audit-ready workflows to in-house legal operations.

IT Service Desk Metrics That Actually Matter in 2026

IT Service Desk Metrics That Actually Matter in 2026

Tracking the wrong service desk metrics wastes time and hides real problems. Learn which KPIs actually improve outcomes and how to build a reporting cadence that drives action.

ITSM Tool Selection: How to Choose the Right Platform in 2026

ITSM Tool Selection: How to Choose the Right Platform in 2026

Choosing the wrong ITSM tool costs years of workarounds. This guide covers requirements, shortlisting, POC testing, and total cost of ownership to help you decide.

IT Self-Service Portal Best Practices: Reduce Ticket Volume in 2026

IT Self-Service Portal Best Practices: Reduce Ticket Volume in 2026

Most self-service portals go unused. Learn practical steps to design, populate and promote a portal that genuinely deflects tickets and improves service desk efficiency.

ITSM vs ITAM: Key Differences and Why You Need Both in 2026

ITSM vs ITAM: Key Differences and Why You Need Both in 2026

ITSM and ITAM solve different problems, but gaps between them cause incidents, audit risk, and failed changes. Learn the differences and how to connect them.

ITSM for Customer Support Teams: Deliver Better Service in 2026

ITSM for Customer Support Teams: Deliver Better Service in 2026

Customer support teams face the same problems ITSM solves. Learn how to apply ITIL practices, SLAs, and automation to deliver faster, more consistent support.

IT Service Level Management: A Practical ITIL v4 Guide for 2026

IT Service Level Management: A Practical ITIL v4 Guide for 2026

IT service level management is more than writing SLAs. Learn how to define targets, build OLAs, run reviews, and drive real improvement with this ITIL v4 guide.

IT Service Request Management: A Complete Process Guide for 2026

IT Service Request Management: A Complete Process Guide for 2026

Learn how to build a scalable service request management process — from service catalogue design and fulfilment workflows to SLAs, automation, and CMDB integration.

ITSM for Operations Teams: Streamline Requests and Work Orders in 2026

ITSM for Operations Teams: Streamline Requests and Work Orders in 2026

Operations teams still run on email and spreadsheets. Learn how ITSM principles — service catalogs, SLAs, and work order workflows — bring structure and visibility to operations.

IT Problem Management: How to Stop Recurring Incidents for Good

IT Problem Management: How to Stop Recurring Incidents for Good

Recurring incidents drain your team. Learn how IT problem management works, the five-step workflow to find root causes, and how to stop the cycle for good.

Shadow IT Discovery: How to Find and Manage Unauthorized Tools

Shadow IT Discovery: How to Find and Manage Unauthorized Tools

Shadow IT grows when users bypass IT to get things done. Learn how to discover unauthorized tools and devices, manage the risk, and fix the root cause.

Network Asset Discovery: How to Find Every Device on Your Network

Network Asset Discovery: How to Find Every Device on Your Network

Network asset discovery finds every device on your network and keeps your CMDB accurate. Learn how it works and how to build a process that lasts.

IT Service Desk Automation: What to Automate and Where to Start

IT Service Desk Automation: What to Automate and Where to Start

Learn which service desk tasks to automate first, how to prioritise them, and a practical checklist to reduce ticket volume and improve SLA compliance.

IT Service Continuity Management: A Practical ITSM Guide

IT Service Continuity Management: A Practical ITSM Guide

Learn how to build a practical IT service continuity management programme: BIA, recovery strategies, testing, and how ITSCM connects to your wider ITSM practices.

IT Major Incident Management: A Practical Process Guide for 2026

IT Major Incident Management: A Practical Process Guide for 2026

Major incidents need a process of their own. Learn how to declare, manage, communicate, and review major incidents with a practical step-by-step framework.

IT Asset Management Best Practices: A Complete 2026 Guide

IT Asset Management Best Practices: A Complete 2026 Guide

Discover the IT asset management best practices that keep your CMDB accurate, license costs controlled, and your IT estate fully visible in 2025.

IT Asset Lifecycle Management: A Complete Guide for 2026

IT Asset Lifecycle Management: A Complete Guide for 2026

Learn the six stages of IT asset lifecycle management, the most common failure points at each stage, and a practical checklist to improve visibility and control.

IT Asset Discovery Tools: How to Choose the Right One in 2026

IT Asset Discovery Tools: How to Choose the Right One in 2026

Choosing the wrong IT asset discovery tool leaves dangerous blind spots. Learn which discovery methods matter, what to evaluate, and how to avoid the most common mistakes.