Oliver Wyman

This article was first published on May 17, 2021.

Editor's note: Oliver Wyman is monitoring the COVID-19 events in real time, and we have compiled resources to help our clients and the industries they serve. More of our latest Financial Services thought leadership and industry expertise can be found here.

While change is the only constant in life, there are certainly periods where change is more amplified. We currently find ourselves in one of those periods. The world and our key industries are not immune to the ripple effects of the global pandemic. As an example, for the financial services industry, there are many drivers of change: in the short term, retail banks are facing downward pressures on net income due to record-low interest rates and increasing delinquency rates, and the need to trim costs quickly; in the medium term, new remote working routines are further accelerating digitization, automation, and disintermediation. As a result, business and operating models are trying to adapt to the “new normal.”

The firms able to effectively deliver change will thrive and are more likely to emerge stronger from these changes. However, as recent social science research has shown, delivering change is no easy task: humans have a natural bias against change. Failing to drive change is a challenge to the competitiveness and sustainability of any firm, creating monetary costs, eroding trust with customers and investors, and weighing on culture and employee engagement. On the flip side, firms that successfully deliver change set off a self-reinforcing feedback loop that increases profitability and productivity, builds trust with stakeholders, and attracts top talent.

An often forgotten institutional ‘muscle’ for firms is the ability to effectively manage change risk—the risk that a change program fails to deliver the desired goals. We believe that most firms do not proactively manage change risk in a way that is commensurate with the benefits of success and the costs of failure. Effectively managing change risk is a necessary ‘muscle’ to reduce, preempt, mitigate, and manage the challenges that come with (attempts at) transformation, without bringing decision paralysis or stifling innovation in the organization. We refer to change risk as a ‘silent risk’ because this ‘muscle’ is often neglected and, too often, that neglect is one of the root causes behind the inability to drive to the desired outcomes.

In our paper, we present an approach to proactively manage change risk, including:

  • How to manage change across the end-to-end change lifecycle, to ensure firms develop fit-for-purpose mechanisms
  • How change risk management is a key component of the journey, and the best ways to understand drivers of successful change
  • Recommendations for four key change management capabilities: a change risk management framework, change delivery igniters, workforce change capacity management, and a process for initiative prioritization; and actions to help leaders make change management a priority

Below is an excerpt from the report. For the full PDF version, please click here.

Our views on successful change

Effective change boils down to directing energy and aligning efforts toward three key elements:

We call these elements the Head, the Heart, and the Guts of an organization. Successful change should have risk management embedded into these key elements.

Successful change occurs when the Head, the Heart, and the Guts are fully aligned, resulting in an organization that has: (1) the willingness to change—through leadership, personal drive, and the identification of strategic value; and (2) the ability to execute—through an adequate workforce, the right infrastructure, and a clear roadmap.

“Change is the only constant in life.” Heraclitus, c. 535 BCE – 475 BCE

Too often, firms facing change tend to focus on the Head at the expense of the Guts and, especially, the Heart. Such firms often struggle to achieve successful change because lasting change requires individuals to collectively change behaviors. For example, a firm does not become more customer-centric when rolling out a new top-down campaign or training module. Rather, the firm becomes customer-centric when the workforce begins adopting customer-centric behaviors—the way customer interactions play out; the way products are configured; and the way senior leadership communicates and makes decisions.

Experience and research indicate that, for change to occur, each level of the organization needs to understand the objectives and purpose of the change, as well as the new behaviors to adopt. Change experts across the globe call these “vital behaviors”—the smallest actions that, if consistently repeated, will lead to the intended outcomes.

In driving change, the ability to manage change risk needs to be developed in the Guts (through risk management capabilities); the Heart (through an understanding of the workforce stoppers and capacity in the firm); and the Head (through the incorporation of change risk into the firm strategy). Our research shows that, historically, neither risk managers nor front-line risk owners have paid enough attention to managing change risk. If firms believe—as we do—that a better managed change risk is a key success factor, firms must pay more attention to driving alignment between Heart, Head, and Guts in order to achieve successful change, and also appropriately embed risk management capabilities across these elements.

We have identified four capabilities for firms that can increase opportunities to drive effective change management:

1. Change risk management framework: Adapt the firm’s overall risk management framework to cover change risk across the lifecycle

2. Change igniters: Clear obstacles to build a change-oriented organization by diagnosing and addressing organizational weaknesses

3. Workforce change capacity management: Monitor change load and change fatigue, as well as improve organizational agility

4. Initiative prioritization: Develop a process for assessing change initiatives to maximize impact within change capacity

We believe firms that achieve these four capabilities will see an increased efficacy and decreased risk associated with the change programs. Returning to the change lifecycle in the exhibit below, we show how these capabilities can reinforce each stage and broaden the role risk management teams play well beyond the implementation and go-live steps.

Actions for effective change risk management

Given both the necessity of achieving successful change in the current tumultuous world and the high cost of failure, organizations cannot afford to take a reactive or narrow approach to change risk management.

We recommend front-line and risk management leaders:

Overall, firms that succeed in incorporating change risk management into processes and culture will become more agile and more resilient, while firms that lag will run the risk of being caught flat-footed when the next disruption arrives. Firms that proactively manage change risk will be able to overcome the silent risk that hinders growth and emerge as winners.

The authors would like to acknowledge and thank Jonathan Lee and Rutger von Post for their contributions to this paper.

Guide to change management risk assessment

Identify what is needed for a change to be successful  

Change management risk describes factors that may cause a project to not achieve the desired results. Understanding the risks can also illustrate what is necessary for a change to succeed.  

The initial risk assessment identifies gaps or barriers that may inhibit a successful outcome, and it sets the foundation for developing the change management strategy and plan. The process includes identifying the factors that are necessary for success and interviewing business and project leaders to understand what might be weak or missing. Input from additional people will be gathered in subsequent assessments and refinements of the plan.

To get started, below are the critical success factors that are necessary to improve the success of a change and a guide to evaluating a project’s risk.  

What is change management risk?

Every project has desired results, and there are two elements that contribute to successfully achieving those outcomes:

It is common to focus on the quality of the solution. Organizations thrive on innovation and many are veterans at developing superb solutions and managing any associated project risks.

Change management risks are factors that may inhibit or prevent the acceptance or adoption of that solution. These risks may involve any individuals involved in or connected to the solution – both leaders and employees.

Just as project risks may impede the quality of the solution, change management risks may obstruct the acceptance and adoption of the solution and can also jeopardize or hinder the desired results.

Consider success factors instead of risks

A risk is any factor that may contribute to failure. Instead of pointing out what may trigger failure, an alternative is identifying what is necessary for the outcomes to be successful.

Success factors are what is needed for a solution to be accepted or adopted – so what is needed to achieve the desired outcomes.  

This positive outlook achieves the same purpose as identifying the risks, and it has notable benefits for leaders and change practitioners. Use success factors in your risk assessment to:

Add credibility to change management: Instead of pointing out the negatives, success factors illustrate the big picture and what is crucial for success.

Reduce barriers with positive language: It is understandable that people may become defensive when negative feedback is attributed to them or their work. Success factors express how leaders and employees contribute to success – instead of failure.

Compare outcomes and evaluate success: Identifying the success factors creates a clear definition of success so outcomes can be evaluated.

This is the approach we use in our Managed Change methodology. It starts by understanding what is necessary for a change project to be successful, and then initiates an iterative process to identify and manage weak or missing success factors at every stage.

Critical success factors

When a project is strong in every critical success factor, it is more likely to succeed. And of course, gaps or weaknesses show what can be improved to contribute to better results.

Strong case for change: The reason or purpose of the change makes sense at the time to all audiences.

Impact of history is acknowledged: The causes of poorly managed changes in the past are identified, analyzed and mitigated as needed.

Impact of culture is acknowledged: The culture of an organization is taken into consideration when planning the change, and this may require change as well.

Definition of desired state is clear: All elements of the desired state (structure, process, people and culture) are defined and understood by all impacted people.

Transition dip is acknowledged: The potential unwanted impacts of the transition are identified and mitigated if possible.

Impact of multiple changes is understood: Other concurrent or overlapping changes are identified, and the impacts are analyzed and mitigated as necessary.

Leaders are effective at all levels: Every leader involved understands the change and commits to fulfilling their role and responsibilities.

Change practitioners are capable and willing: Change practitioners are ready, competent and have the resources necessary to support the change.

Risk is identified and analyzed: Potential risks during and after the change are understood.

Risk is mitigated effectively: The change management plan includes strategies and resources to mitigate the identified risks.

Organization is competent in managing change: The organization has the resources and capability – from internal or external sources – to manage the entire change.

Project management is effective: The solution implementation team is engaged, capable and incorporates the change management plan into the overall project plan.

Decision making structure is operational: The role and responsibilities of all leaders are defined, and the change governance and decision-making structure are clear and operational.

Together, the critical success factors describe the characteristics of a well-managed change.  

Assessing critical success factors

If you’re implementing change management in a new or in-progress project, the first step is to assess the critical success factors to determine what is weak or missing.

Complete a 10-minute assessment

Use this free tool from LaMarsh Global to quickly review your project for the critical success factors: 10-Minute Change Risk Assessment.

The speedy assessment is far from comprehensive, but it is a useful tool for practitioners and leaders to “take the temperature” of the state of a project.  

Interview leaders

Following a high-level evaluation, the next step is to talk to the leaders involved in the project to clearly identify the success factors that they see are strong or weak.

Leaders that are involved in a project can be the executive leaders, project sponsors, project management leads, team leads, department managers, or anyone responsible for the project or the employees that might be impacted. It is too early to talk with the impacted individuals, as many of them may have little to no information about the change at this point. For now, the goal is to understand what leaders perceive as risks and evaluate the alignment among leaders.

Chat one-on-one with the leaders. Here are some questions that can rouse a conversation to help you find out the necessary info.

Document the missing success factors

The purpose of the interviews is to learn from the perception and understanding of leaders that are experts in the solution and leaders that know the people that might be impacted.  

Take special note of any critical success factors that are weak or completely missing. No matter how many success factors your project is lacking, it is essential to know this information and share it with the project sponsor and leaders.

Every project is different, but there are trends that we’ve noticed that can help you predict potential gaps:

Common weak success factors

Share with project teams and sponsors

The information you collected speaks to the heart of a project: what is required for this change to be successful. Any following decisions – from project implementation to resourcing – depend on this assessment.

At this stage in the change management process, the assessment only identifies what is needed for a project to succeed. Be careful not to make promises that the risks will not be an issue, and instead rely on the data to appropriately resource and develop the change plan.

Review and update the success factors

As a project progresses, the high priority success factors will likely shift. Effective mitigation intends to strengthen what is missing, and there is the potential that new or unexpected risks may arise.  

Risks are relative to the time or stage of a project, and the prioritization of anticipated risks will shift as the project progresses. The goal is to anticipate the potential risks, and always use any new information to inform our understanding of the success factors.  

Start your assessment

This process of identifying and evaluating the critical success factors sets the foundation for effective change management. It’s a high-level assessment, but it provides a starting point for analysis and further exploration.  

Risk assessments are ongoing and iterative, but this process needs a starting point.  

Use our 10-minute change risk assessment tool to start an assessment of your own project.

2020 © Copyright LaMarsh Global - All Rights Reserved

Change Management System

ServiceNow Change Requests use a calculator to determine an overall Risk/Impact level based on 5 questions on the Risk Assessment tab. The answers are weighted and allow the Risk/Impact level to be standard across all changes. All fields on the Risk Assessment tab must be completed before the Risk/Impact level is computed, allowing the Change Request to be sent for approval. The Risk/Impact level allows the CAB to concentrate on the highest two levels, 1 - Very High and 2 - High.

The Risk Assessment questions should be answered based on Risk/Impact during implementation of the Change as well as after the change is completed, and should take into consideration what would happen if there were issues during the change.

The Risk Analysis field is another important part of the Change Request. This field describes what the specific impacts of doing the change are if it goes smoothly, has issues, or ends in the worst-case scenario. This includes

Stanford University

© Copyright Stanford University. Stanford, California 94305.

Risk Oversight and the Role of the Board

Risk oversight is a primary board responsibility, and in the evolving business and risk landscape directors need to develop and continuously improve practices to establish a well-defined and effective oversight function, according to Deloitte’s 2018 Audit Committee Resource Guide.

Boards play a critical role in influencing management’s processes for monitoring risks, and as such they should clearly define which risks the full board should discuss regularly, versus risks that can generally be delegated to a board committee. While many boards have a defined risk governance structure, it is important to continually assess the structure as companies face new risks.

A leading practice is for management to maintain a list of all enterprise-wide risks, which are then mapped to specific board committees for oversight. For example, human resource and compensation risks may be delegated to the compensation committee for oversight, and the audit committee should have a key role in overseeing financial risks. In many instances, the full board takes direct responsibility for and regularly discusses the company’s most strategic risks, which include risks that could disrupt and materially impact the company’s business strategy. Committee charters should be updated to align with the defined risk governance structure.

Since many companies outside the financial services industry do not have a separate board risk committee, risks not assigned to a specific committee are often delegated to the audit committee. While it may be appropriate for the audit committee to take responsibility for reviewing management’s policies to manage risk, boards should take care not to overburden the audit committee with risk oversight responsibilities.

In addition, the SEC considers risk oversight a primary responsibility of the board and requires disclosure of its role in this area. Disclosures include whether the entire board is involved in risk oversight; whether certain aspects are executed by individual board committees; and whether the employees responsible for risk management report directly to the board. Such disclosures inform shareholders’ understanding of the board’s process for overseeing risk.

Overseeing Cyber Risk

It is often challenging for even the most tech-savvy business leaders to keep up with the scope and pace of developments related to big data, social media, cloud computing, IT implementations, cyber risk, and other technology matters. These developments carry a complex set of risks, and the most serious among them can compromise sensitive information and significantly disrupt business processes. The pervasiveness of cyber risk significantly increases concerns about financial information; internal controls; and a wide variety of risks, including the reputational risks that can result from a cyber incident.

Oversight of a successful cyber risk management program requires proactive engagement and is often the responsibility of the full board. In some organizations, a level of oversight may be delegated to a risk committee or the audit committee.

In companies where the audit committee holds some responsibility for cyber risk management, the committee should first obtain a clear understanding of the areas it is expected to oversee. In those organizations, the audit committee — in its capacity of overseeing financial risks and monitoring management’s policies and procedures — may have expertise and be asked to play a significant strategic role in monitoring management’s response to cyber threats, coordinating cyber risk management initiatives, and confirming their efficacy. Those audit committees may take the lead in monitoring cyber threat trends, regulatory developments, and major threats to the company. Other responsibilities may include setting expectations for management and assessing the adequacy of resources, funding, and focus on cyber risk management activities.

For those audit committees charged with this oversight, engaging in regular dialogue with the CIO, CISO, and other technology-focused leaders can help the committee determine where attention should be focused. Although cyber risk is frequently on the full board’s agenda, audit committees are increasingly receiving regular updates from relevant technology leaders, with some technology-risk-related topic on almost every meeting agenda.

The audit committee chairman can be a particularly effective liaison with other groups in enforcing and communicating expectations regarding cyber and financial risk mitigation.

Risk Oversight Questions to Consider

When the board or audit committee is considering the effectiveness of the company’s enterprise risk management — the process of planning activities to minimize the effect of downside risk on the organization — it may consider the following questions:

Leading Risk Oversight Practices and Trends

Audit committees have full agendas and require careful planning to focus on critical priorities. Some audit committees implement practices to help them stay on track and execute their oversight responsibilities more effectively by, for example:

The list is not all-inclusive, and certain activities may be the responsibility of the full board or another committee.

Rising Expectations

In today’s environment, the expectations of audit committees are higher than ever. Shareholders rely on audit committees to maintain oversight while keeping up with increasingly complex financial reporting requirements and a changing regulatory landscape. Setting the appropriate tone at the top has never been more important for audit committees and boards as a whole. Moreover, it is important for the audit committee to build strong relationships with a variety of internal and external stakeholders who have an impact on the company’s risk profile and ability to create value.

— Produced by Maureen Bujno, managing director, Center for Board Effectiveness at Deloitte LLP; Consuelo Hitchcock, principal, Audit Regulatory Affairs at Deloitte & Touche LLP; Krista Parsons, managing director, Center for Board Effectiveness at Deloitte & Touche LLP; Bob Lamm, independent senior advisor, Center for Board Effectiveness at Deloitte LLP; Deborah DeHaas, vice chairman and national managing partner, Center for Board Effectiveness at Deloitte; and Henry Phillips, vice chairman and national managing partner, the Center for Board Effectiveness at Deloitte & Touche LLP.

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication. About Deloitte: Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the "Deloitte" name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see to learn more about our global network of member firms. Copyright © 2018 Deloitte Development LLC. All rights reserved.

