
This article was first published on May 17, 2021.
Editor's note: Oliver Wyman is monitoring the COVID-19 events in real time, and we have compiled resources to help our clients and the industries they serve. More of our latest Financial Services thought leadership and industry expertise can be found here.
While change is the only constant in life, there are certainly periods where change is more amplified. We currently find ourselves in one of those periods. The world and our key industries are not immune to the ripple effects of the global pandemic. As an example, for the financial services industry, there are many drivers of change: in the short term, retail banks are facing downward pressures on net income due to record-low interest rates and increasing delinquency rates, and the need to trim costs quickly; in the medium term, new remote working routines are further accelerating digitization, automation, and disintermediation. As a result, business and operating models are trying to adapt to the “new normal.”
The firms able to effectively deliver change will thrive and are more likely to emerge stronger from these changes. However, as recent social science research has shown, delivering change is no easy task: humans have a natural bias against change. Failing to drive change is a challenge to the competitiveness and sustainability of any firm, creating monetary costs, eroding trust with customers and investors, and weighing on culture and employee engagement. On the flip side, firms that successfully deliver change set off a self-reinforcing feedback loop that increases profitability and productivity, builds trust with stakeholders, and attracts top talent.
An often forgotten institutional ‘muscle’ for firms is the ability to effectively manage change risk: the risk that a change program fails to deliver the desired goals. We believe that most firms do not proactively manage change risk in a way that is commensurate with the benefits of success and the costs of failure. Effectively managing change risk is a necessary ‘muscle’ to reduce, preempt, mitigate, and manage the challenges that come with (intents of) transformation, without bringing decision paralysis or stifling innovation in the organization. We refer to change risk as a ‘silent risk’ because this ‘muscle’ is often neglected and, too often, that neglect is one of the root causes behind the inability to drive to the desired outcomes.
In our paper, we present an approach to proactively manage change risk, including:
- How to manage change across the end-to-end change lifecycle, to ensure firms develop fit for purpose mechanisms
- How change risk management is a key component of the journey, and the best ways to understand drivers of successful change
- Recommendations for four key change management capabilities: a change risk management framework, change delivery igniters, workforce change capacity management, and a process for initiative prioritization; and actions to help leaders make change management a priority
Below is an excerpt from the report. For the full PDF version, please click here.

Our views on successful change
Effective change boils down to directing energy and aligning efforts toward three key elements:
- The strategy and thinking
- The people and behaviors
- The underlying infrastructure
We call these elements the Head, the Heart, and the Guts of an organization. Successful change should have risk management embedded into these key elements.

Successful change occurs when the Head, the Heart, and the Guts are fully aligned, resulting in an organization that has: (1) the willingness to change—through leadership, personal drive, and the identification of strategic value; and (2) the ability to execute—through an adequate workforce, the right infrastructure, and a clear roadmap.
“Change is the only constant in life.” Heraclitus, c. 535 BCE – 475 BCE
Too often, firms facing change tend to focus on the Head at the expense of the Guts and, especially, the Heart. Such firms often struggle to achieve successful change because lasting change requires individuals to collectively change behaviors. For example, a firm does not become more customer-centric when rolling out a new top-down campaign or training module. Rather, the firm becomes customer-centric when the workforce begins adopting customer-centric behaviors—the way customer interactions play out; the way products are configured; and the way senior leadership communicates and makes decisions.
Experience and research indicate that, for change to occur, each level of the organization needs to understand the objectives and purpose of the change, as well as the new behaviors to adopt. Change experts across the globe call these “vital behaviors”—the smallest actions that, if consistently repeated, will lead to the intended outcomes.
In driving change, the ability to manage change risk needs to be developed in the Guts (through risk management capabilities); the Heart (through an understanding of the workforce stoppers and capacity in the firm); and the Head (through the incorporation of change risk into the firm strategy). Our research shows that, historically, neither risk managers nor front-line risk owners have paid enough attention to managing change risk. If firms believe—as we do—that a better managed change risk is a key success factor, firms must pay more attention to driving alignment between Heart, Head, and Guts in order to achieve successful change, and also appropriately embed risk management capabilities across these elements.
We have identified four capabilities for firms that can increase opportunities to drive effective change management:
1. Change risk management framework: Adapt the firm’s overall risk management framework to cover change risk across the lifecycle
2. Change igniters: Clear obstacles to build a change-oriented organization by diagnosing and addressing organizational weaknesses
3. Workforce change capacity management: Monitor change load and change fatigue, as well as improve organizational agility
4. Initiative prioritization: Develop a process for assessing change initiatives to maximize impact within change capacity
We believe firms that achieve these four capabilities will see an increased efficacy and decreased risk associated with the change programs. Returning to the change lifecycle in the exhibit below, we show how these capabilities can reinforce each stage and broaden the role risk management teams play well beyond the implementation and go-live steps.

Actions for effective change risk management
Given both the necessity of achieving successful change in the current tumultuous world and the high cost of failure, organizations cannot afford to take a reactive or narrow approach to change risk management.
We recommend front-line and risk management leaders:
Overall, firms that succeed in incorporating change risk management into processes and culture will become more agile and more resilient, while firms that lag will run the risk of being caught flat-footed when the next disruption arrives. Firms that proactively manage change risk will be able to overcome the silent risk that hinders growth and emerge as winners.

The authors would like to acknowledge and thank Jonathan Lee and Rutger von Post for their contributions to this paper.

Guide to change management risk assessment
Identify what is needed for a change to be successful
Change management risk describes factors that may cause a project to not achieve the desired results. Understanding the risks can also illustrate what is necessary for a change to succeed.
The initial risk assessment identifies gaps or barriers that may inhibit a successful outcome, and it sets the foundation for developing the change management strategy and plan. The process includes identifying the factors that are necessary for success and interviewing business and project leaders to understand what might be weak or missing. Input from additional people will be gathered in subsequent assessments and refinements of the plan.
To get started, below are the critical success factors that are necessary to improve the success of a change and a guide to evaluating a project’s risk.
What is change management risk?
Every project has desired results, and there are two elements that contribute to successfully achieving those outcomes:
- The quality of the solution
- The quality of the acceptance or adoption of the solution
It is common to focus on the quality of the solution. Organizations thrive on innovation and many are veterans at developing superb solutions and managing any associated project risks.
Change management risks are factors that may inhibit or prevent the acceptance or adoption of that solution. These risks may involve any individuals involved in or connected to the solution – both leaders and employees.
Just as project risks may impede the quality of the solution, change management risks may obstruct the acceptance and adoption of the solution and can also jeopardize or hinder the desired results.
Consider success factors instead of risks
A risk is any factor that may contribute to failure. Instead of pointing out what may trigger failure, an alternative is identifying what is necessary for the outcomes to be successful.
Success factors are what is needed for a solution to be accepted or adopted – so what is needed to achieve the desired outcomes.
This positive outlook achieves the same purpose as identifying the risks, and it has notable benefits for leaders and change practitioners. Use success factors in your risk assessment to:
- Add credibility to change management: Instead of pointing out the negatives, success factors illustrate the big picture and what is crucial for success.
- Reduce barriers with positive language: It is understandable that people may become defensive when negative feedback is attributed to them or their work. Success factors express how leaders and employees contribute to success – instead of failure.
- Compare outcomes and evaluate success: Identifying the success factors creates a clear definition of success so outcomes can be evaluated.
This is the approach we use in our Managed Change methodology. It starts by understanding what is necessary for a change project to be successful, and then initiates an iterative process to identify and manage weak or missing success factors at every stage.
Critical success factors
When a project is strong in every critical success factor, it is more likely to succeed. And of course, gaps or weaknesses show what can be improved to contribute to better results.
- Strong case for change: The reason or purpose of the change makes sense at the time to all audiences.
- Impact of history is acknowledged: The causes of poorly managed changes in the past are identified, analyzed and mitigated as needed.
- Impact of culture is acknowledged: The culture of an organization is taken into consideration when planning the change, and this may require change as well.
- Definition of desired state is clear: All elements of the desired state (structure, process, people and culture) are defined and understood by all impacted people.
- Transition dip is acknowledged: The potential unwanted impacts of the transition are identified and mitigated if possible.
- Impact of multiple changes is understood: Other concurrent or overlapping changes are identified, and the impacts are analyzed and mitigated as necessary.
- Leaders are effective at all levels: Every leader involved understands the change and commits to fulfilling their role and responsibilities.
- Change practitioners are capable and willing: Change practitioners are ready, competent and have the resources necessary to support the change.
- Risk is identified and analyzed: Potential risks during and after the change are understood.
- Risk is mitigated effectively: The change management plan includes strategies and resources to mitigate the identified risks.
- Organization is competent in managing change: The organization has the resources and capability – from internal or external sources – to manage the entire change.
- Project management is effective: The solution implementation team is engaged, capable and incorporates the change management plan into the overall project plan.
- Decision making structure is operational: The role and responsibilities of all leaders are defined, and the change governance and decision-making structure are clear and operational.
Together, the critical success factors describe the characteristics of a well-managed change.
Assessing critical success factors
If you’re implementing change management in a new or in-progress project, the first step is to assess the critical success factors to determine what is weak or missing.
Complete a 10-minute assessment
Use this free tool from LaMarsh Global to quickly review your project for the critical success factors: 10-Minute Change Risk Assessment.
The speedy assessment is far from comprehensive, but it is a useful tool for practitioners and leaders to “take the temperature” of the state of a project.
Interview leaders
Following a high-level evaluation, the next step is to talk to the leaders involved in the project to clearly identify the success factors that they see are strong or weak.
Leaders that are involved in a project can be the executive leaders, project sponsors, project management leads, team leads, department managers, or anyone responsible for the project or the employees that might be impacted. It is too early to talk with the impacted individuals, as many of them may have little to no information about the change at this point. For now, the goal is to understand what leaders perceive as risks and evaluate the alignment among leaders.
Chat one-on-one with the leaders. Here are some questions that can rouse a conversation to help you find out the necessary info.
- What are the goals of this project?
- Who owns this project? Or who is responsible for the project?
- What are you hoping to achieve?
- What are your peers hoping to achieve?
- What do you think of this project?
- What do you think your peers think of this project?
- What could cause this project to not succeed?
- How did previous projects go?
Document the missing success factors
The purpose of the interviews is to learn from the perception and understanding of leaders that are experts in the solution and leaders that know the people that might be impacted.
Take special note of any critical success factors that are weak or completely missing. No matter how many success factors your project is lacking, it is essential to know this information and share it with the project sponsor and leaders.
Every project is different, but there are trends that we’ve noticed that can help you predict potential gaps:
Common weak success factors
- Desired state definition: The goal (or goals) of the change needs to be clear for the leaders, change practitioners and people that might be impacted.
- Leadership: Defined roles and responsibilities ensure leaders can make the necessary decisions and truly lead their people.
- Organization is competent in managing change: Many organizations are highly proficient at managing the implementation of a solution, but managing the adoption and acceptance of that solution is often overlooked.
- Culture: The social fabric and people’s beliefs and attitudes within an organization make the culture a potential challenge in many projects.
Share with project teams and sponsors
The information you collected speaks to the heart of a project: what is required for this change to be successful. Any following decisions – from project implementation to resourcing – depend on this assessment.
At this stage in the change management process, the assessment only identifies what is needed for a project to succeed. Be careful not to make promises that the risks will not be an issue, and instead rely on the data to appropriately resource and develop the change plan.
Review and update the success factors
As a project progresses, the high priority success factors will likely shift. Effective mitigation intends to strengthen what is missing, and there is the potential that new or unexpected risks may arise.
Risks are relative to the time or stage of a project, and the prioritization of anticipated risks will shift as the project progresses. The goal is to anticipate the potential risks, and always use any new information to inform our understanding of the success factors.
Start your assessment
This process of identifying and evaluating the critical success factors sets the foundation for effective change management. It’s a high-level assessment, but it provides a starting point for analysis and further exploration.
Risk assessments are ongoing and iterative, but this process needs a starting point.
Use our 10-minute change risk assessment tool to start an assessment of your own project.

Change Management System
- Change Impacts and Risks
ServiceNow Change Requests use a calculator to determine an overall Risk/Impact level based on 5 questions on the Risk Assessment tab. The answers are weighted and allow the Risk/Impact level to be standard across all changes. All fields on the Risk Assessment tab must be completed before the Risk/Impact level is computed, allowing the Change Request to be sent for approval. The Risk/Impact level allows the CAB to concentrate on the highest two levels: 1 - Very High and 2 - High.
The Risk Assessment questions should be answered based on Risk/Impact during implementation of the Change as well as after the change is completed, and should take into consideration what would happen if there were issues during the change.
The Risk Analysis field is another important part of the Change Request. This field describes what the specific impacts of doing the change are if it goes smoothly, has issues, or ends in the worst-case scenario. This includes:
- user impact after change (faster service, new form)
- user impact(s) during change (speed degradation, system down, no outage expected)
- impacts if the change fails (system will be down during restore)
- recycle required
- consider including prior issues as possible (missing certs may cause additional downtime, patch failing may require vendor support, additional firewall rules may be needed)
- Risk/Impact Excel Calculator: If you want to understand the Risk/Impact calculator, use this Excel workbook to see how adjusting your answers changes the final level.
- Answer Risk Assessment questions correctly: The Assessor (first approver on each Change) should review the risk questions to make sure they are answered correctly. In most cases, when answered correctly, the ratings are appropriate.
- Still need to talk about your change: In some cases Change Owners will still need to talk about a Change even though it's not a Risk/Impact of "1 - Very High" or "2 - High". In that case, please send an email to the UIT Change Management group.
https://deloitte.wsj.com/riskandcompliance/2018/10/02/risk-oversight-and-the-role-of-the-board/
Risk Oversight and the Role of the Board
Risk oversight is a primary board responsibility, and in the evolving business and risk landscape directors need to develop and continuously improve practices to establish a well-defined and effective oversight function, according to Deloitte’s 2018 Audit Committee Resource Guide.
Boards play a critical role in influencing management’s processes for monitoring risks, and as such they should clearly define which risks the full board should discuss regularly, versus risks that can generally be delegated to a board committee. While many boards have a defined risk governance structure, it is important to continually assess the structure as companies face new risks.
A leading practice is for management to maintain a list of all enterprise-wide risks, which are then mapped to specific board committees for oversight. For example, human resource and compensation risks may be delegated to the compensation committee for oversight, and the audit committee should have a key role in overseeing financial risks. In many instances, the full board takes direct responsibility for and regularly discusses the company’s most strategic risks, which include risks that could disrupt and materially impact the company’s business strategy. Committee charters should be updated to align with the defined risk governance structure.
Since many companies outside the financial services industry do not have a separate board risk committee, risks not assigned to a specific committee are often delegated to the audit committee. While it may be appropriate for the audit committee to take responsibility for reviewing management’s policies to manage risk, boards should take care not to overburden the audit committee with risk oversight responsibilities.
In addition, the SEC considers risk oversight a primary responsibility of the board and requires disclosure of its role in this area. Disclosures include whether the entire board is involved in risk oversight; whether certain aspects are executed by individual board committees; and whether the employees responsible for risk management report directly to the board. Such disclosures inform shareholders’ understanding of the board’s process for overseeing risk.
Overseeing Cyber Risk
It is often challenging for even the most tech-savvy business leaders to keep up with the scope and pace of developments related to big data, social media, cloud computing, IT implementations, cyber risk, and other technology matters. These developments carry a complex set of risks, and the most serious among them can compromise sensitive information and significantly disrupt business processes. The pervasiveness of cyber risk significantly increases concerns about financial information; internal controls; and a wide variety of risks, including the reputational risks that can result from a cyber incident.
Oversight of a successful cyber risk management program requires proactive engagement and is often the responsibility of the full board. In some organizations, a level of oversight may be delegated to a risk committee or the audit committee.
In companies where the audit committee holds some responsibility for cyber risk management, the committee should first obtain a clear understanding of the areas it is expected to oversee. In those organizations, the audit committee — in its capacity of overseeing financial risks and monitoring management’s policies and procedures — may have expertise and be asked to play a significant strategic role in monitoring management’s response to cyber threats, coordinating cyber risk management initiatives, and confirming their efficacy. Those audit committees may take the lead in monitoring cyber threat trends, regulatory developments, and major threats to the company. Other responsibilities may include setting expectations for management and assessing the adequacy of resources, funding, and focus on cyber risk management activities.
For those audit committees charged with this oversight, engaging in regular dialogue with the CIO, CISO, and other technology-focused leaders can help the committee determine where attention should be focused. Although cyber risk is frequently on the full board’s agenda, audit committees are increasingly receiving regular updates from relevant technology leaders, with some technology risk related topic on almost every meeting agenda.
The audit committee chairman can be a particularly effective liaison with other groups in enforcing and communicating expectations regarding cyber and financial risk mitigation.
Risk Oversight Questions to Consider
When the board or audit committee is considering the effectiveness of the company’s enterprise risk management — the process of planning activities to minimize the effect of downside risk on the organization — it may consider the following questions:
- Which board committees are responsible for various aspects of risk governance? Has the risk governance structure been defined?
- How do the various board committees oversee risk? Is there appropriate coordination and communication between all relevant stakeholders?
- Does the board consider the relationship between strategy and risk? What are the potential internal and external risks to the success of the strategy?
- Does management provide the board with the information needed to oversee the risk management process effectively?
- What are the company’s policies and processes for monitoring the major financial risk exposures on an enterprise-wide basis?
- Has management assigned owners for each risk that has been identified?
- How might the company’s compensation programs encourage inappropriate focus on short-term financial performance? Are the audit committee and compensation committee aligned on such risks?
- What mechanisms does management use to monitor emerging financial risks? What are the early warning mechanisms, and how effective are they? How, and how often, are they calibrated?
- Which framework has management selected for the financial risk management program? What criteria were used to select it?
- What is the role of technology in the risk management program? How was it chosen, and when was it last evaluated?
- Is cyber risk receiving adequate time and focus on the audit committee agenda?
Leading Risk Oversight Practices and Trends
Audit committees have full agendas and require careful planning to focus on critical priorities. Some audit committees implement practices to help them stay on track and execute their oversight responsibilities more effectively by, for example:
- Focusing on financial risk oversight and assessment and understanding financial risk management policies and processes
- Periodically reassessing the list of top risks, including which member of management and which board committee (or the full board) is responsible for each
- Evaluating IT projects and related risks, particularly those with financial statement impact
- Considering post-acquisition reviews to evaluate the reliability of initial acquisition assumptions and make adjustments to future acquisitions, as a way to offset merger risks
- Having appropriate business leaders periodically provide overviews of their businesses, focusing on financial risks and other factors that may influence the financial statements
- Periodically visiting company locations and meeting with local management
- Communicating the company’s financial risk story to stakeholders
- Understanding the regulatory issues raised in SEC comment letters received by the company, as well as management’s response
- Understanding the company’s strategy for managing tax risk, tax controversy, and volatility in the effective tax rate
- Considering potential reputational risks associated with tax positions
The list is not all-inclusive, and certain activities may be the responsibility of the full board or another committee.
Rising Expectations
In today’s environment, the expectations of audit committees are higher than ever. Shareholders rely on audit committees to maintain oversight while keeping up with increasingly complex financial reporting requirements and a changing regulatory landscape. Setting the appropriate tone at the top has never been more important for audit committees and boards as a whole. Moreover, it is important for the audit committee to build strong relationships with a variety of internal and external stakeholders who have an impact on the company’s risk profile and ability to create value.
— Produced by Maureen Bujno, managing director, Center for Board Effectiveness at Deloitte LLP; Consuelo Hitchcock, principal, Audit Regulatory Affairs at Deloitte & Touche LLP; Krista Parsons, managing director, Center for Board Effectiveness at Deloitte & Touche LLP; Bob Lamm, independent senior advisor, Center for Board Effectiveness at Deloitte LLP; Deborah DeHaas, vice chairman and national managing partner, Center for Board Effectiveness at Deloitte; and Henry Phillips, vice chairman and national managing partner, the Center for Board Effectiveness at Deloitte & Touche LLP.
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication. About Deloitte: Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the "Deloitte" name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/us/about to learn more about our global network of member firms. Copyright © 2018 Deloitte Development LLC. All rights reserved.