日本語

Rollback Planning for CRM Migrations: Hope You Don't Need It

Hour 4 of a Saturday migration cutover. The data import had completed. Row counts looked right. Then the first integrity check failed: 23% of Opportunities had no associated Contacts. The field mapping for the junction object had been wrong, and it had been wrong for all 4,800 Opportunities imported over the previous three hours.

There was no rollback plan. The source system was still accessible, barely. IT started reversing access changes. But nobody had documented which access changes had been made, in what order. The communication to the sales team had already gone out at hour two ("migration complete, new CRM is live"). Now the team had to send a retraction.

It took 18 hours to get back to a working state. The sales team lost a Sunday. A data reconciliation project ran for two weeks afterward. The root cause (the field mapping error) would have been caught in a proper shadow import. The 18 hours of recovery were a consequence of not having a rollback plan.

This guide is the plan you build before you need it. The field mapping error that caused this rollback would have been caught by a shadow import test — that's the step that validates junction objects and relationship fields before production migration day.

The Rollback Decision: When to Pull the Trigger

The hardest part of rollback isn't the execution. It's the decision. Teams delay calling a rollback because it feels like admitting failure. Every hour of delay makes the rollback harder.

Define rollback trigger conditions before migration day.

Don't decide what warrants a rollback while you're in the middle of one. Decide in advance, in writing, and get sign-off from IT and sales leadership. When a trigger condition is met, the decision is already made. You execute, not debate. The Wikipedia article on rollback in database systems provides the technical foundation for understanding what rollback actually means at the data layer — and why pre-defined trigger thresholds are standard practice in professional database migration projects.

Sample rollback trigger conditions:

Trigger Threshold Rationale
Contact import failure rate More than 5% of records failed to import Core data loss
Missing required relationships More than 2% of Opportunities have no linked Contact Business functionality broken
Data integrity failure Critical field (email, stage, deal value) blank on more than 3% of records Systemic import error
System instability Destination CRM unavailable or throwing errors for more than 30 minutes Platform issue, not data issue
Unable to validate in time Hour 6 of planned 4-hour window, validation not complete Missed window; better to roll back than rush go-live

Who has authority to call a rollback:

Name two people. One primary, one backup. Both need to be reachable during the cutover window. Define the decision-making process: if the trigger condition is met, does one person have authority to call it unilaterally, or do both need to agree?

For most teams: the IT lead calls rollback on technical triggers (system unavailability, systemic import failure). The RevOps or Sales Ops lead calls rollback on data integrity triggers. Both should be looped in immediately when any trigger condition is approaching.

The 4-hour decision window:

Most migration problems become apparent within the first 4 hours of import, during the validation phase. Set a rule: if any rollback trigger condition is met before Hour 4, call the rollback immediately. After Hour 4, evaluate whether a fix is faster than a rollback (it often is, past a certain point of import completion). After Hour 8 with reps already in the system, rollback is almost always off the table.

Pre-Migration: Setting Up the Rollback Conditions

Rollback is only possible if you've preserved the source system correctly. Most teams that fail at rollback fail here, not during the rollback execution.

Keep the source system in read-only, not decommissioned.

The source CRM should remain accessible throughout the cutover window and for a defined period after go-live. The exact state of the source system at the moment you froze it for migration: that's your rollback target.

"Read-only" means:

  • All users can view records
  • No new records can be created
  • Existing records cannot be modified
  • The data hasn't changed since the migration snapshot

This is why the access control during the cutover window matters. If reps were still logging deals in the source system during migration, the rollback target is a moving one. A clean read-only freeze gives you a static, recoverable state. User access during migration: the least-privilege approach details how to implement that freeze cleanly — the Phase 2 access controls there are what make this read-only condition achievable.

Snapshot timing:

Take a snapshot of the source system immediately before the migration begins:

  1. Export a row count per object (Contacts, Accounts, Deals, Activities)
  2. Export the current pipeline view (all open deals with stage, value, close date)
  3. Export a sample of 100 records across objects for comparison
  4. Screenshot or export any reports that represent the "current state" benchmark

Store these snapshot files separately from the migration files. They're your evidence of what the source system contained at the moment migration began.

What "source system preserved" actually means:

  • CRM platform is still licensed and accessible
  • User credentials still work
  • No records have been deleted or modified since the migration snapshot
  • All integrations still pointing to the source system are documented (you'll need to re-enable them if you roll back)

If you canceled the source CRM subscription the moment the migration started, rollback is impossible. Keep it active until the destination system is validated and the post-migration audit is complete. Yes, you pay for both systems for a period. That's the cost of a recoverable migration. Gartner's IT risk management guidance recommends maintaining a viable fallback state during all major system transitions — the dual-system cost during the validation window is a standard risk mitigation cost, not an overhead to be optimized away.

The Rollback Execution Steps

If you call a rollback, execute in this order.

Step 1: Stop the migration immediately.

Halt any ongoing import jobs. Don't let more data flow into the destination system while you're executing rollback. If the import tool is still running batches, cancel it.

Step 2: Revoke destination system access.

Follow the reverse of your access rollout:

  1. Revoke all rep access to the destination CRM immediately
  2. Notify reps via the primary communication channel: "[New CRM] is temporarily unavailable — we're addressing a data issue. [Old CRM] is available now."
  3. Restore full access to the source system if it was read-only

Do steps 2 and 3 simultaneously. Reps need somewhere to work.

Step 3: Communicate to the sales team within 30 minutes.

(See the communication section below.) Don't leave reps without information for more than 30 minutes.

Step 4: Document the destination system state.

Before you touch the destination system for cleanup, export a record of what was imported. What did make it into the new system? This matters for data reconciliation: specifically, identifying any records that reps may have modified in the destination before rollback was called.

Step 5: Begin data reconciliation (if needed).

If reps added any data to the destination system before rollback was called (deals updated, notes added, contacts created), that data needs to be extracted and merged back into the source system. (See the next section.)

Step 6: Schedule the root cause review.

Don't start assigning blame in the middle of the rollback. Get the team back to a stable state first. Then schedule a 48-hour post-mortem.

Reconciling Data Entered During the Migration Window

The harder the rollback, the more data was entered in the destination during the migration window before rollback was called. Here's the realistic limit of what's recoverable.

What can be reconciled:

  • New Contact records created in the destination: export them, check for duplicates against the source system, import the new ones
  • Deal stage updates made in the destination: compare to the source system state, apply the changes manually
  • Notes and call logs added in the destination: export them, import as activities into the source system

What probably can't be reconciled cleanly:

  • Complex workflow changes (rep reassignments, multi-step updates) that happened rapidly
  • Deleted records in the destination (if any)
  • Anything where the timestamp matters for sequencing and the timestamps are ambiguous

The realistic limit:

If more than 20 records were modified in the destination before rollback, the reconciliation becomes a project, not a task. Document what you can, manually review the highest-impact records (open deals, top accounts), and accept that some data from the migration window may need to be re-entered from source system records.

The goal isn't perfect reconciliation. It's getting the source system back to a working state that's accurate enough for the sales team to function.

Communication During a Rollback

What to tell the sales team (within 30 minutes):

Subject: CRM migration paused — [Old CRM] is available now

We identified a data issue during the migration validation. Out of caution, we've paused the migration and restored full access to [Old CRM].

[Old CRM] is live and up to date. Please log all work there until further notice.

No data has been lost. We're investigating the issue now. I'll update you [in X hours] with a timeline for next steps.

For urgent questions, contact [name] at [contact].

What not to say:

  • Don't call it a "failure." Call it a pause.
  • Don't speculate about cause in the initial message. Say you're investigating.
  • Don't give a timeline you're not confident about. "I'll update you in 4 hours" is better than "we'll have this fixed by 3pm" if you're not sure.

What to tell leadership (within 1 hour):

Leadership needs more detail than reps. Your message to the VP of Sales or CRO should include:

  • What trigger condition was met (be specific: "23% of Opportunity records were missing Contact associations")
  • The current state: source system is live, reps have access, no data lost
  • What the recovery path looks like: identify root cause, fix it, re-run migration (estimated timeline if known)
  • What this means for the migration schedule

Keep the leadership message factual and forward-looking. The post-mortem is where you analyze what went wrong.

Post-Rollback: Root Cause and Re-Migration Planning

The 48-hour post-mortem. Run this with the full migration team.

Structure:

  1. What trigger condition was met? (Specific, measurable)
  2. At what stage in the process did the underlying problem originate? (Field mapping? Export? Import configuration? Shadow import skip?)
  3. Was this problem detectable before migration day? (Almost always: yes)
  4. What check, if it had been run, would have caught it?
  5. What do we add to the pre-migration checklist for the next attempt?

Common root causes that trigger rollbacks:

Root cause Prevention
Field mapping error Validate mapping against 100 test records before full import
Stage name mismatch Test stage values explicitly in shadow import
Junction object missed (e.g., OpportunityContactRole) Document all objects exported and verify all relationship objects are included
Character encoding issue Test import with records containing special characters, accents
API rate limit hit mid-import Schedule large imports during off-hours; check API limits in advance
Automation triggered on all imported records Disable automations before import; verify suppression is working with test batch

After the root cause is identified and fixed, re-run the shadow import against a fresh test environment before scheduling the second migration attempt. Don't skip the shadow import the second time. That's how teams roll back twice. The communicating the migration to the sales team guide covers how to set expectations for the re-migration window — reps who went through a rollback need a clearer picture of what's different before they trust the next attempt.

The Rollback Plan Document

Before your migration, create a rollback plan document and get sign-off from IT and sales leadership. Include:

Section 1: Trigger criteria

  • List every trigger condition with its specific threshold
  • Name the people with authority to call rollback

Section 2: Pre-migration preservation

  • Snapshot checklist (what to capture, when, where to store it)
  • Source system read-only configuration steps
  • Integrations list (what points to the source system that will need to be re-enabled on rollback)

Section 3: Execution steps

  • The numbered rollback sequence above
  • Assigned owners for each step
  • Time estimates per step

Section 4: Communication scripts

  • Rep-facing message (pre-written)
  • Leadership message (pre-written)
  • Channels to use for each audience

Section 5: Reconciliation approach

  • Threshold for manual vs. no-attempt reconciliation
  • Who owns the reconciliation work

Store this document somewhere the entire migration team can access, not just in the IT lead's email. On migration day, it needs to be findable within two minutes.

Common Pitfalls

Decommissioning the source system before the validation window closes. This is the mistake that makes rollback impossible. Keep the source system licensed and accessible until the 72-hour post-migration audit is complete. Budget for it.

No written trigger criteria. "We'll know a rollback if we see it" is not a plan. When you're four hours into a migration and the data integrity check is failing, a pre-defined threshold removes the debate. PwC's technology risk research found that organizations with documented decision criteria and escalation paths resolve IT incidents in less than half the time of organizations that rely on in-the-moment judgment calls.

Not having two admins available for the cutover window. One admin is a single point of failure. If the IT lead has an emergency during a migration window and the backup doesn't have credentials, you lose hours. Two separate credentials, both tested before migration day.

Skipping the rollback drill. Before the actual migration, run a tabletop exercise: "We've just hit [trigger condition X]. What are the next steps?" Walk through the first 30 minutes of rollback execution with the team. It takes an hour and surfaces gaps in the plan that would otherwise cost days.

What to Do Next

Complete the rollback plan document and get written sign-off from IT and sales leadership before scheduling the migration date. The migration date shouldn't be set without a rollback plan in place.

Connect the rollback plan to the access model in user access during migration: the least-privilege approach, specifically the Phase 2 cutover window access controls that determine whether rollback is clean or complicated.

Build the rollback trigger checks into the cutover day: the checklist that prevents disasters so the migration team knows exactly what to measure and at what threshold to call rollback.

And run a shadow import test that specifically validates the trigger conditions before migration day. Catching the field mapping error in the shadow import is worth infinitely more than catching it after a rollback.

Learn More