change risk oversight manager

For the best Oliver Wyman website experience, please upgrade your browser to IE9 or later

• Global (English)
• India (English)
• Middle East (English)
• South Africa (English)
• Brazil (Português)
• China (中文版)
• Japan (日本語)
• Southeast Asia (English)
• Belgium (English)
• France (Français)
• Germany (Deutsch)
• Italy (Italiano)
• Netherlands (English)
• Nordics (English)
• Portugal (Português)
• Spain (Español)
• Switzerland (Deutsch)
• UK And Ireland (English)

This article was first published on May 17, 2021.

While change is the only constant in life, there are certainly periods where change is more amplified. We currently find ourselves in one of those periods. The world and our key industries are not immune to the ripple effects of the global pandemic. As an example, for the financial services industry, there are many drivers of change: in the short term, retail banks are facing downward pressures on net income due to record-low interest rates and increasing delinquency rates, and the need to trim costs quickly; in the medium term, new remote working routines are further accelerating digitization, automation, and disintermediation. As a result, business and operating models are trying to adapt to the “new normal.”

The firms able to effectively deliver change will thrive and are more likely to emerge stronger from these changes. However, as recent social science research has shown, delivering change is no easy task: humans have a natural bias against change. Failing to drive change is a challenge to the competitiveness and sustainability of any firm, creating monetary costs, eroding trust with customers and investors, and weighing on culture and employee engagement. On the flip side, firms that successfully deliver change set off a self-reinforcing feedback loop that increases profitability and productivity, builds trust with stakeholders, and attracts top talent.

An often forgotten institutional ‘muscle’ for firms is the ability to effectively manage change risk —the risk that a change program fails to deliver the desired goals. We believe that most firms do not proactively manage change risk in a way that commensurate with the benefits of success and the costs of failure. Effectively managing change risk is a necessary ‘muscle’ to reduce, preempt, mitigate, and manage the challenges that come with (intents of) transformation, without bringing decision paralysis or stifling innovation in the organization. We refer to change risk as a ‘silent risk’ because this ‘muscle’ is often neglected and, too often, that neglect is one of the root causes behind the inability to drive to the desired outcomes.

In our paper, we present an approach to proactively manage change risk, including:

• How to manage change across the end-to-end change lifecycle, to ensure firms develop fit for purpose mechanisms
• How change risk management is a key component of the journey, and the best ways to understand drivers of successful change
• Recommendation for four key change management capabilities, a change risk management framework, change delivery igniters, workforce change capacity management, and a process for initiative prioritization; and actions to help leaders make change management a priority

Below is an excerpt from the report, for the full PDF version, please click here .

Our views on successful change

Effective change boils down to directing energy and aligning efforts toward three key elements:

• The strategy and thinking
• The people and behaviors
• The underlying infrastructure

We call these elements the Head, the Heart, and the Guts of an organization. Successful change should have risk management embedded into these key elements.

Successful change occurs when the Head, the Heart, and the Guts are fully aligned, resulting in an organization that has: (1) the willingness to change—through leadership, personal drive, and the identification of strategic value; and (2) the ability to execute—through an adequate workforce, the right infrastructure, and a clear roadmap.

Too often, firms facing change tend to focus on the Head at the expense of the Guts and, especially, the Heart. Such firms often struggle to achieve successful change because lasting change requires individuals to collectively change behaviors. For example, a firm does not become more customer-centric when rolling out a new top-down campaign or training module. Rather, the firm becomes customer-centric when the workforce begins adopting customer-centric behaviors—the way customer interactions play out; the way products are configured; and the way senior leadership communicates and makes decisions.

Change is the only constant in life Heraclitus, c. 535 BCE – 475 BCE.

Experience and research indicate that, for change to occur, each level of the organization needs to understand the objectives and purpose of the change, as well as the new behaviors to adopt. Change experts across the globe call these “vital behaviors”—the smallest actions that, if consistently repeated, will lead to the intended outcomes.

In driving change , the ability to manage change risk needs to be developed in the Guts (through risk management capabilities); the Heart (through an understanding of the workforce stoppers and capacity in the firm); and the Head (through the incorporation of change risk into the firm strategy). Our research shows that, historically, neither risk managers nor front-line risk owners have paid enough attention to managing change risk. If firms believe—as we do—that a better managed change risk is a key success factor, firms must pay more attention to driving alignment between Heart, Head, and Guts in order to achieve successful change, and also appropriately embed risk management capabilities across these elements.

We have identified four capabilities for firms that can increase opportunities to drive effective change management:

1. Change risk management framework: Adapt the firm’s overall risk management framework to cover change risk across the lifecycle

2. Change igniters: Clear obstacles to build a change-oriented organization by diagnosing and addressing organizational weaknesses

3. Workforce change capacity management: Monitor change load and change fatigue, as well as improve organizational agility

4. Initiative prioritization: Develop a process for assessing change initiatives to maximize impact within change capacity

We believe firms that achieve these four capabilities will see an increased efficacy and decreased risk associated with the change programs. Returning to the change lifecycle in the exhibit below, we show how these capabilities can reinforce each stage and broaden the role risk management teams play well beyond the implementation and go-live steps.

Actions for effective change risk management

Given both, the necessity of achieving successful change in the current tumultuous world and the high cost of failure, organizations cannot afford to take a reactive or narrow approach to change risk management.

We recommend front-line and risk management leaders:

Overall, firms that succeed in incorporating change risk management into processes and culture will become more agile and more resilient, while firms that lag will run the risk of being caught flat-footed when the next disruption arrives. Firms that proactively manage change risk will be able to overcome the silent risk that hinders growth and emerge as winners.

The authors would like to acknowledge and thank Jonathan Lee and Rutger von Post for their contributions to this paper.

• Financial Services
• Risk Management for Financial Services
• Ramy Farha,
• Chris DeBrusk, and
• Antonio Tugores

Striving For Operational Resilience: The Questions Boards And Senior Management Should Ask

Operational resilience has become a key agenda item for boards and senior management. Increasing complexity in processes and IT, dependence on third parties, interconnectedness and data sharing, and sophistication of malicious actors have made disruptions more likely and their impact more severe. High-profile examples of business and operational disruptions abound, covering all segments of the financial services industry.

Non-Financial Risk Convergence And Integration

Non-Financial Risk Management has become more complex due to rapid shifts in technology, automation and greater dependence by banks on systems instead of people.

How to Conduct Change Management Risk Assessment

Are you preparing to transition your organization or team through a period of significant change?

With any change comes some inherent risk, which can be both exciting and anxiety provoking.

To ensure the success of such an endeavor it’s important to plan for, mitigate and manage risks as they arise throughout the process.

In this blogpost we’ll discuss why business leaders and managers needs to pay attention to potential risks and learn how to conduct change management risk assessment in order to execute a successful transition.

What is Change Management Risk?

The factors which can negatively affect achieving desired change outcome, primarily due to insufficient planning or lack of change-readiness among stakeholders.

Change management risk can lead to delays in implementation and results, increased costs and compromised quality standards, ultimately impacting an organization’s bottom line.

It is essential for organizations to mitigate change management risks by creating a clear change strategy with well-defined objectives, monitoring change goals and gathering feedback from stakeholders along the way.

Why it is important to identify change management risk?

Change is inherent in any business, and change management can be challenging. Adequately assessing change management risks helps to minimize unexpected outcomes, increases efficiency and effectiveness, and bolsters the flexibility of organizational processes.

It is essential that organizations acknowledge the need to identify change management risks, as failure to do so may lead to project delays, budget overruns and costly repair work.

By critically diagnosing change management risk associated with specific projects or events, an organization is better equipped to develop tailored strategies for successful change implementation. Ultimately, change management risk identification is a critical step for ensuring key change objectives are met on time and within budget.

Change Management Risk Assessment

Change management risk assessment is a crucial process for organizations to mitigate the risks associated with change. It involves looking at potential change initiatives, and examining how they may affect an organization’s resources and operations.

The results of change management risk assessment allow us to make well-informed decisions on the implementation and potential success of change initiatives.

To successfully complete change management risk assessment, it is important to determine objectives, analyze relevant data sources, identify risks and their root causes, and create viable response plans.

This is ultimately done through establishing processes that help organizations develop stability during a time of transition, enabling them to achieve successful outcomes more efficiently.

04 Steps to Conduct Change Management Risk Assessment

In order to conduct change management risk assessment, there are several key steps that need to be taken.

Step 1: Define change management risk assessment framework

It is important to have a clear understanding of what the change initiative is aiming to accomplish, as this will inform the risk assessment process. During this step, it is also important to establish a change management risk assessment framework. This framework should provide the foundation for identifying change management risks and understanding their potential impact on the organization.

The change management risk assessment framework should be tailored to the specific change initiative and take into account any existing organizational change processes. This will ensure that all stakeholders are fully aware of the change objectives, can recognize change management risks, and have an understanding of the steps needed to effectively address risk.

Step 2: Analyze data

The second step to conducting change management risk assessment is to analyze data sources. This involves gathering information from a variety of sources such as internal documents, reports, and interviews with stakeholders. It is important to identify the key change components and assess their potential impacts in order to recognize change management risks.

Through data analysis, organizations can gain greater insight into change management risks and their impacts on their operations. Data analysis allows organizations to identify change management risks and the underlying causes, evaluate the solutions available to them, and make informed decisions when managing change initiatives.

Step 3: Identify and analyze risks

The third step to conducting change management risk assessment is to analyze the change management risks identified. This involves understanding their root causes and evaluating their potential impacts on the organization. It is important to identify any assumptions, dependencies, or interdependencies that could affect change management risk assessment outcomes.

Organizations should also assess whether existing change processes are adequate enough toeffectively manage change risk. This includes considering the impact that change initiatives will have on existing structures, processes and systems, as well as understanding the resources available to address change risks.

Step 4: Develop response plans

The next step to conducting change management risk assessment is to develop response plans. This involves formulating strategies and tactics to mitigate change risks, as well as determining possible contingencies in the event that change initiatives do not succeed. During this stage, organizations should identify resources necessary for successful change implementation, such as personnel and technology.

It is important to prioritize change management risks in order to ensure that the most critical risks are addressed first. This involves understanding the potential impact of each change risk on the organization, and identifying which risks should be addressed to mitigate their effects.

What are common risks of change management

Following are some common risks of change management:

lack of understanding or buy-in from stakeholders

The lack of understanding or buy-in from stakeholders is one of the most common change management risks. This risk can arise when stakeholders are not fully aware of change objectives, or do not agree with the change initiatives being undertaken. In such cases, stakeholders may resist change initiatives or take actions that undermine their success.

Inadequate change management practices and processes

Inadequate change management practices and processes can also be a major risk to change initiatives. Organizations must ensure that change strategies are understood, agreed upon, and implemented effectively in order to maximize the chances of change success. Without an effective change management process in place, organizations may find themselves unable to adjust quickly enough to address risks.

Ineffective communication

Organzations often make mistake by having one-way communication with employees and other stakeholders. This is one of the biggest risk of change management. Change is not successful if its message is only coming from top and voices of employees or other stakeholders are unheard. If organizational culture fails to exchange ideas and share experience then it’s hard to implement transformative change.

An excessive change implementation timeline

An excessive change implementation timeline can pose a serious risk to change management, as it often leads to delays, slowdowns, and potential abandonment of change initiatives. When change initiatives take too long to implement, they can become costly and complex affairs that may not yield the desired results.

Inadequate change control measures

Inadequate change control measures are one of the most common change management risks. These typically arise when change initiatives are not reviewed and approved on a timely basis. Without proper change control mechanisms in place, change initiatives can go unchecked and progress without proper risk assessment and validation.

Misaligned change initiatives with organizational objectives

Misaligned change initiatives with organizational objectives can be a major change management risk. When change initiatives are not in alignment with the organization’s overall goals and objectives, they can lead to wasted resources, reduced efficiency, and even failure of the change initiative.

Final Words

Assessing risks is a key component of successful change management. By understanding what could go wrong and taking steps to mitigate those risks, you can increase the chances of your change initiative being successful. There are many different ways to assess risks and some common risks associated with change management initiatives include resistance to change, lack of resources etc. By taking the time to understand these risks and develop a plan to address them, you can set your change initiative up for success. Do you have a plan in place to assess risks to your change management initiative? What are some of the most common risks you’ve encountered during past initiatives?

About The Author

Tahir Abbas

Related posts.

Why Change Management is Important in an Organization

Emotional Reactions to Change in the Workplace

From Crisis to Comeback: Maggi Crisis Management Case Study

What Could Go Wrong? How to Manage Risk for Successful Change Initiatives

David Shore, instructor of Strategies for Leading Successful Change Initiatives, shares six steps to effective risk management.

David Shore

Every change initiative comes with inherent risk. But too often we shy away from exploring the potential pitfalls at the outset. If we are to succeed, however, we should embrace risk. After all, change initiatives are born from a risk analysis — a conclusion that the risk of doing nothing is higher than the risk of embarking on an experimental initiative.

When leading a change initiative, you should focus on acknowledging, anticipating, and managing risk — instead of avoiding it at all costs.

The good news is that risk management is not rocket science. Through my extensive work with change initiatives, I’ve identified six key steps to effective risk management. By following these steps on your initiative, I hope you’ll discover how embracing risk can lead to success.

Six Steps to Effective Risk Management

1. at the start, identify the risks you face..

Make a list. Formalize this process by holding a  premortem . Just as a  postmortem  enables the team to assess what went right or wrong after the fact, a  premortem  provides a space for thinking in advance about what could go wrong during the project. As you and your team brainstorm, you should cast a wide net. Consider factors intrinsic to the project and also those outside the team’s control. For example, consider the risk of potential resistance from stakeholders, which nearly always arises in change initiatives.

2. Quantify the Risks.

Not all risks are created equal. The risk of a slight delay in funding might be very different from the risk of a major partner pulling out of a joint venture. By quantifying the risk, you decrease the influence emotions can play and allow different risks to be compared. One method is to assess the risk along two dimensions: the probability of the risk occurring, and the impact the risk would have if it actually occurred. Using a scale from one to five, you can evaluate each of these dimensions for the risks you’ve identified. Then, you can multiply the two numbers to produce a risk factor from 1 to 25.

3. Establish a Risk Threshold.

Consider your initiative’s tolerance for risk and then establish a threshold. If you are not sure where to start, set your threshold at the center of your risk scale. For example, on a scale of 1 to 25, start with 12 as your threshold. Compare your quantified risks to the threshold and then spend some time thinking about the ones that exceed the threshold and then adjust as needed.

Search all Business Strategy programs.

4. Create Contingency Plans.

For each risk, engage in a thought experiment. First, think about what steps you can take, if any, to eliminate or mitigate the risk. It may be that a small adjustment to your plan will reduce the probability to zero. Second, think about what you plan to do if that possibility becomes reality — in other words, if the risk becomes an issue. Will the team be able to work around it easily? Or will the magnitude of that risk require rethinking your entire initiative? The more you plan for risks ahead of time, the better prepared you will be — and the more successful you will be in keeping your initiative on track

5. Monitor Risks over Time.

Along with the Gantt charts, status reports, dashboards, and other tools that help you assess your progress, you can also create a Risk Register (also called a Risk Log) that sets out all the risks, their risk factors, and current status. As you reach a particular milestone, perhaps one risk can be eliminated from consideration because it is no longer possible. Perhaps another risk has created an issue that needs to be dealt with. Or perhaps a new risk has been identified and should be evaluated. Your goal is to keep a close eye on risk throughout the project.

6. Consider Assigning a Risk Watcher.

You may want to identify a particular team member who has the responsibility to monitor risks and raise flags. Teams working on change initiatives are by definition optimistic. While everyone else on the team might be saying, “This will go fine,” someone needs to be able to say, “Clouds are rolling in” or “We’ve said that for the last six meetings and it hasn’t happened.”

To manage risk successfully, you need to be proactive in anticipating it. And to lead a change initiative successfully, you need to be an honest communicator. Talk with your team and with upper management about risks to the project and issues that crop up along the way. As a manager, you can improve your ability to manage risk by fostering a culture that values positive thinking while encouraging open discussions about problems.

Embracing change means embracing risk. With the right pragmatic approach, you can become a more effective change agent by understanding risk as a natural part of change — and by anticipating and managing it.

Find related Business Strategy programs.

Browse all Professional & Executive Development programs.

About the Author

Shore is an authority on change management recognized as distinguished professor at Tianjin University of Finance and Economics and 2015 Top Thought Leader in Trust.

Why Marketers Should Start Thinking Like Designers

Follow this 5-step process for applying design thinking to your marketing strategy.

Harvard Division of Continuing Education

The Division of Continuing Education (DCE) at Harvard University is dedicated to bringing rigorous academics and innovative teaching capabilities to those seeking to improve their lives through education. We make Harvard education accessible to lifelong learners from high school to retirement.

Jira Software

Project and issue tracking

Content collaboration

Jira Service Management

High-velocity ITSM

Visual project management

• View all products

Marketplace

Connect thousands of apps and integrations for all your Atlassian products

Developer Experience Platform

Jira Product Discovery

Prioritization and roadmapping

You might find helpful

Cloud Product Roadmap

Atlassian Migration Program

Work Management

Manage projects and align goals across all teams to achieve deliverables

IT Service Management

Enable dev, IT ops, and business teams to deliver great service at high velocity

Agile & DevOps

Run a world-class agile software organization from discovery to delivery and operations

BY TEAM SIZE

Small Business

BY TEAM FUNCTION

Software Development

BY INDUSTRY

Telecommunications

Professional Services

What's new

Atlassian together.

Get Atlassian work management products in one convenient package for enterprise teams.

Atlassian Trust & Security

Customer Case Studies

Atlassian University

Atlassian Playbook

Product Documentation

Developer Resources

Atlassian Community

Atlassian Support

Enterprise Services

Partner Support

Purchasing & Licensing

Work Life Blog

Support for Server products ends February 15, 2024

With end of support for our Server products fast approaching, create a winning plan for your Cloud migration with the Atlassian Migration Program.

Assess my options

Atlassian Presents: Unleash

Product updates, hands-on training, and technical demos – catch all that and more at our biggest agile & DevOps event.

• Atlassian.com

ITSM for high-velocity teams

How teams share change management roles and responsibilities.

The primary objective of any change management practice is reducing incidents as updates are shipped so customers stay happy and you stay ahead of the competition. Today, customers have heightened expectations for always-on, high-performing services.

It is critical to properly manage service interruptions and ship frequent improvements with care. Today’s teams have embraced risk mitigation tactics while delivering customer value in the most streamlined, agile manner possible, often leveraging tools like Jira Service Management .

To achieve these goals, companies have designated various roles and responsibilities associated with change management. For enterprise companies, these roles are typically shared by multiple employees or teams. 

For smaller companies, a single employee may take on change management responsibilities alongside other duties. Someone with change management responsibilities may also be a developer or team lead, for example. Alternatively, change management responsibilities might be integrated into the role of an IT administrator. In other cases, automated processes may be slowly built and shared among existing teams. 

While there is no one-size-fits-all model for assigning change management responsibilities, companies should adopt a framework that best suits their needs. Teams of every size can benefit from reevaluating the practice of giving change responsibilities to individuals with specific titles, especially when they are far removed from the projects they are reviewing.

By embracing new opportunities to automate change processes and integrate best practices into existing workflows, team members assuming change management responsibilities can step into more strategic roles and recoup precious time better spent on pursuing core business objectives.

Common change management roles

The roles involved in change management depend on a number of factors, including the type and size of an organization. Below are several common change management roles.

Change manager/coordinator

Change managers—sometimes called change coordinators—are typically responsible for managing all aspects of IT changes. They prioritize change requests, assess their impact, and accept or reject changes. Jira Service Management can significantly enhance these tasks by providing advanced ticketing systems and streamlined communication channels. Change managers also document change management processes and change plans. Most importantly, they organize change management strategies and act as chairs of change advisory board (CAB) meetings. A change manager’s success is typically assessed by whether they meet timing and budget objectives.

Change manager job description

Change managers within an organization take charge of change management initiatives, guiding their implementation. They design and execute strategies to facilitate employee adoption of workplace changes, such as overseeing the smooth transition to a new project management software or implementing a flexible remote work policy.

These senior leaders collaborate closely with other key stakeholders to ensure changes align with corporate strategic objectives. They also work with project managers to ensure smooth operations, continuously monitor progress and make necessary adjustments. Change managers may also analyze employee experiences and offer solutions for a smooth transition.

What is the difference between a change manager and a project manager?

The change manager's primary focus is on minimizing the adverse effects of organizational changes and optimizing positive results. This role places a strong emphasis on addressing the human aspect of change, including understanding its impact on individuals and facilitating their adaptation to new circumstances. In contrast, the project manager concentrates on delivering the actual product, ensuring it is completed within established timelines, budget constraints, and in line with stakeholder expectations.

Change authorities/approvers

A change authority is a person who decides whether or not to authorize a change. Sometimes, this is a single person—usually a senior manager or executive. Sometimes, it’s a group on a change advisory board. Sometimes, it’s a peer reviewer.

According to ITIL 4 , “In high-velocity organizations, it is common practice to decentralize change approval, making the peer review a top predictor of high performance.”  Jira Service Management supports this approach, providing a platform for effective peer reviews and decentralized decision-making.

Change managers typically work closely with the change authority to approve and implement strategies to move changes forward. In some cases, particularly in small companies, the change manager is the change authority and, as such, has the power to make decisions without looping in additional teams.

Business stakeholders

Business stakeholders are often involved in change management and may be looped into the authorization process. This is increasingly common, given the critical importance of software services to most enterprises. For example, suppose a change impacts the connection between the finance team’s payment tracking software and the sales team’s CRM. In that case, senior leaders from the finance and sales teams may need to be involved in CAB meetings and the decision-making process.

Engineers/developers

Development teams typically submit changes for approval and document the case for its necessity. Once a change is approved, change managers or CABs adopting the you-built-it-you-run-it approach may direct dev teams to deploy changes, monitor them, and respond to any incidents arising from them. In other cases, an incident management team may be responsible for responding to any problems. This team may be separate from the development team.

Service desk agents

Service desk agents play a vital role in change management, offering a unique front-line perspective on incidents and common service issues that may arise due to changes. Their close interaction with end-users equips them to identify potential challenges and gather valuable feedback, making them essential in ensuring smooth transitions during change implementation. Their insights help craft effective communication strategies and swift problem resolution, ultimately contributing to the overall success of change initiatives. Jira Service Management, a comprehensive service desk solution , further enhances the capabilities of service desk agents in change management. By leveraging its robust features, such as advanced ticketing systems and streamlined communication channels, service desk agents can efficiently track and manage change requests, ensuring a smooth integration of changes while maintaining a high level of customer satisfaction.

Operations managers

Operations managers, responsible for the continuous functioning of systems on a daily basis, play a pivotal role in assessing and managing risk and dependencies. Their expertise in maintaining system stability and performance allows them to provide project managers with critical insights into the potential impact of changes, ensuring a balanced approach to change management that prioritizes innovation and operational reliability.

Customer relationship managers

With exceptional communication skills, customer relationship managers act as a bridge between the organization and its customers, enabling them to represent the voice of the customer effectively to key stakeholders. They offer valuable insights into customer mindsets, concerns, and evolving requirements, helping companies stay attuned to the ever-changing needs of their clientele. By providing this essential feedback, they contribute to shaping customer-centric change initiatives and enhancing overall customer satisfaction.

Information security officers and network engineers

Information security officers and network engineers, possessing specialized expertise in network security and cloud infrastructure, play a critical role in identifying and addressing threats and vulnerabilities. Their insights and recommendations help strengthen an organization’s security posture, ensuring that changes are implemented with a keen awareness of potential risks. 

By collaborating with these professionals, companies can fortify their defenses and maintain the integrity of their digital infrastructure and business processes in the face of evolving security challenges.

Transforming the role of change advisory boards (CABs)

Change advisory boards have historically played a crucial role in assessing the risks associated with change requests and approving or rejecting them. Traditional CABs often acted as gatekeepers controlling the release of proposed changes.

However, they have been criticized for poor time management skills, lengthy change request backlogs, and their detachment from the actual work. Fortunately, CABs are evolving to become more strategic advisors, transforming their role in the change management process.

Challenges of traditional CABs

Traditional CABs have often been criticized for their inefficiency, resulting in unproductive meetings that waste time and involve too many stakeholders. This is likely due to the fact that they have been burdened with broad responsibilities.

Consider a control tower at an airport. Its sole purpose is to clear planes for landing, not assess aircraft safety or pilot credentials. Many CABs, on the other hand, are tasked with making extensive safety decisions about various changes, often during the week when participants are eager to leave for the weekend. This setup hinders their effectiveness.

Furthermore, CABs often prioritize the risk of changes causing incidents but may overlook the risk of delaying valuable changes, which can harm customers and have a negative impact on an organization’s ability to compete within the market.

Repositioning CABs as strategic advisors

To transform CABs into strategic advisors, companies should reconsider the traditional, heavyweight change management processes that often hinder software delivery performance. Data from the State of DevOps Report 2019 indicates that procedures requiring CAB approval can negatively affect performance, with no evidence suggesting lower change fail rates due to formal approval processes.

Today’s teams are taking the following steps to improve their CABs:

• Customized approach : Stop treating change requests uniformly. Each change request presents an opportunity to gather valuable data, allowing for pre-approval and automation of less consequential changes.
• Integration of change and release management : Bring change and release management closer together and avoid bundling large packages of changes for review and approval, which can lead to significant incidents and delays.
• Progressive releases : Implement progressive deploys to test and iterate changes on a small subset of users, reducing the scope of potential incidents and ensuring deployment success.
• Automation : Rethink approval models and embrace automation to streamline change management processes, making them more efficient and reducing manual tasks.
• Shift left : Implement peer review as a common strategy to replace or reduce CAB approvals, putting the responsibility for identifying issues in the code on those who understand it best. Ensure meticulous documentation to comply with regulations.
• Convene experts : Rather than approving individual requests, CABs can focus on process improvement, offering recommendations, providing resources, and using change management tools to enhance performance and speed up value delivery to the market.

Defining change management principles and responsibilities

When defining roles and responsibilities in change management teams, there is no one-size-fits-all approach. Consider your company’s culture, team structures, skills, and regulatory requirements. Engage teams in discussion to understand their essential contributions and needs, considering various frameworks like DevOps, CI/CD, and ITIL. Evaluate your current change process, identify areas for improvement, and work on shifting regular changes to standard or pre-approved status.

Change management is an essential practice, and there is always room for improvement. Whether you are just starting in business management or seeking to enhance your change management practices, there are ways to track changes, implement risk assessment and automation systems, and empower your operations teams to manage change with tools like Jira Service Management .

Atlassian's guide to agile ways of working with ITIL 4

ITIL 4 is here—and it’s more agile than ever. Learn tips to bring agility and collaboration into ITSM with Atlassian.

Knowledge Management Explained | Atlassian

Knowledge management processes create, curate, share, use, and manage knowledge across an organization and even across industries. Learn more here.

Don’t stop deploying: Practicing change management in uncertain times

Some companies are reverting to heavy-weight change management processes. Here’s guidance on how you can avoid adding controls and even improve your practice.

Value and resilience through better risk management

Today’s corporate leaders navigate a complex environment that is changing at an ever-accelerating pace. Digital technology underlies much of the change. Business models are being transformed by new waves of automation, based on robotics and artificial intelligence. Producers and consumers are making faster decisions, with preferences shifting under the influence of social media and trending news. New types of digital companies are exploiting the changes, disrupting traditional market leaders and business models. And as companies digitize more parts of their organization, the danger of cyberattacks and breaches of all kinds grows.

Stay current on your favorite topics

Beyond cyberspace, the risk environment is equally challenging. Regulation enjoys broad popular support in many sectors and regions; where it is tightening, it is putting stresses on profitability. Climate change is affecting operations and consumers and regulators are also making demands for better business conduct in relation to the natural environment. Geopolitical uncertainties alter business conditions and challenge the footprints of multinationals. Corporate reputations are vulnerable to single events, as risks once thought to have a limited probability of occurrence are actually materializing.

The role of the board and senior executives

Risk management at nonfinancial companies has not kept pace with this evolution. For many nonfinancial corporates, risk management remains an underdeveloped and siloed capability in the organization, receiving limited attention from the most senior leaders. From over 1,100 respondents to McKinsey’s Global Board Survey for 2017 , we discovered that risk management remains a relatively low-priority topic at board meetings (exhibit).

A long way to go

Boards spend only 9 percent of their time on risk—slightly less than they did in 2015. Other questions in the survey revealed that only 6 percent of respondents believe that they are effective in managing risk (again, less than in 2015). Some individual risk areas are relatively neglected, and even cybersecurity, a core risk area with increasing importance, is addressed by only 36 percent of boards. While many senior executives stay focused on strategy and performance management, they often fail to challenge capabilities or strategic decisions from a risk perspective (see sidebar, “A long way to go”). A reactive approach to risks remains too common, with action taken only after things go wrong. The result is that boards and senior executives needlessly put their companies at risk, while personally taking on higher legal and reputational liabilities.

Boards have a critical role to play in developing risk-management capabilities at the companies they oversee. First, boards need to ensure that a robust risk-management operating model is in place. Such a model allows companies to understand and prioritize risks, set their risk appetite, and measure their performance against these risks. The model should enable the board and senior executives to work with businesses to eliminate exposures outside the company’s appetite statement, reducing the risk profile where warranted, through such means as quality controls and other operational processes. On strategic opportunities and risk trade-offs, boards should foster explicit discussions and decision making among top management and the businesses. This will enable the efficient deployment of scarce risk resources and the active, coordinated management of risks across the organization. Companies will then be prepared to address and manage emerging crises when risks do materialize.

A sectoral view of risks

Most companies operate in a complex, industry-specific risk environment. They must navigate macroeconomic and geopolitical uncertainties and face risks arising in the areas of strategy, finance, products, operations, and compliance and conduct. In some sectors, companies have developed advanced approaches to managing risks that are specific to their business models. These approaches can sustain significant value. At the same time companies are challenged by emerging types of risks for which they need to develop effective mitigation plans; in their absence, the losses from serious risk events can be crippling.

• Automotive companies are controlling supply-chain risks with sophisticated monitoring models that allow OEMs to identify potential risks upfront across the supply chain. At the same time, auto companies must address the strategic challenge of shifting toward electric-powered and autonomous vehicles.
• Pharma companies seek to manage the downside risk of large investments in their product portfolio and pipeline, while addressing product quality and patient safety to comply with relevant regulatory requirements.
• Oil and gas, steel, and energy companies apply advanced approaches to manage the negative effects of financial markets and commodity-price volatility. As social and political demands for cleaner energy are increasing, these companies are actively pursuing growth opportunities to shift their portfolios in anticipation of an energy transition and a low-carbon future.
• Consumer-goods companies protect their reputation and brand value through sound practices to manage product quality as well as labor conditions in their production facilities. Yet they are constantly challenged to meet consumers’ ever-changing tastes and needs, as well as consumer-protection regulations.

Toward proactive risk management

An approach based on adherence to minimum regulatory standards and avoidance of financial loss creates risk in itself. In a passive stance, companies cannot shape an optimal risk profile according to their business models nor adequately manage a fast-moving crisis. Eschewing a risk approach comprised of short-term performance initiatives focused on revenue and costs, top performers deem risk management as a strategic asset, which can sustain significant value over the long term. Inherent in the proactive approach are several essential components.

Strategic decision making

More rigorous, debiased strategic decision making can enhance the longer-term resilience of a company’s business model, particularly in volatile markets or externally challenged industries. Research shows that the active, regular reevaluation of resource allocation, based on sound assessments of risk and return trade-offs (such as entering markets where the business model is superior to the competition), creates more value and better shareholder returns. 1 See, for example, Yuval Atsmon, “ How nimble resource allocation can double your company’s value ,” August 2016; William N. Thorndike, Jr., The Outsiders: Eight Unconventional CEOs and Their Radically Rational Blueprint for Success , Boston, MA: Harvard Business Review Press, 2012; Rebecca Darr and Tim Koller, “ How to build an alliance against corporate short-termism ,” January 2017. Flexibility is empowering in a dynamic marketplace. Many companies use hedging strategies to insure against market uncertainties. Airlines, for example, have been known to hedge future exposures to fuel-price fluctuations, a move that can help maintain profitability when prices climb. Likewise, strategic investing, based on a longer-term perspective and a deep understanding of a company’s core proposition, generates more value than opportunistic moves aiming at a short-term bump in the share price.

Debiasing and stress-testing

Approaches that include debiasing and stress-testing help senior executives consider previously overlooked sources of uncertainty to judge whether the company’s risk-bearing capacity can absorb their potential impact. A utility in Germany, for example, improved decision making by taking action to mitigate behavioral biases. As a result, it separated its renewables business from its conventional power-generation operations. In the aftermath of the Fukushima disaster, which sharply raised interest in environmentally friendly power generation, the utility’s move led to a significant positive effect on its share price (15 percent above the industry index).

Higher-quality products and safety standards

Investments in product quality and safety standards can bring significant returns. One form this takes in the energy sector is reduced damage and maintenance costs. At one international energy company, improved safety standards led to a 30 percent reduction in the frequency of hazardous incidents. Auto companies with reputations built on safety can command higher prices for their vehicles, while the better reputation created by higher quality standards in pharma creates obvious advantages. As well as the boost in demand that comes from a reputation for quality, companies can significantly reduce their remediation costs—McKinsey research suggests that pharma companies suffering from quality issues lose annual revenue equal to 4 to 5 percent of cost of goods sold.

Comprehensive operative controls

These can lead to more efficient and effective processes that are less prone to disruption when risks materialize. In the auto sector, companies can ensure stable production and sales by mitigating the risk of supply-chain disruption. Following the 2011 earthquake and tsunami, a leading automaker probed potential supply bottlenecks and took appropriate action. After an earthquake in 2016, the company quickly redirected production of affected parts to other locations, avoiding costly disruptions. In high-tech, companies applying superior supply-chain risk management can achieve lasting cost savings and higher margins. One global computer company addressed these risks with a dedicated program that saved $500 million during its first six years. The program used risk-informed contracts, enabling suppliers to lower the costs and risks of doing business with the company. The measures achieved supply assurance for key components, particularly during market shortages, improved cost predictability for components that have volatile costs, and optimized inventory levels internally and at suppliers.

Stronger ethical and societal standards

To achieve standing among customers, employees, business partners, and the public, companies can apply ethical controls on corporate practices end to end. If appropriately publicized and linked to corporate social responsibility, a program of better ethical standards can achieve significant returns in the form of heightened reputation and brand recognition. Customers, for example, are increasingly willing to pay a premium for products of companies that adhere to tighter standards. Employees too appreciate being associated with more ethical companies, offering a better working environment and contributing to society.

The three dimensions of effective risk management

Ideally, risk management and compliance are addressed as strategic priorities by corporate leadership and day-to-day management. More often the reality is that these areas are delegated to a few people at the corporate center working in isolation from the rest of the business. By contrast, revenue growth or cost savings are deeply embedded in corporate culture, linked explicitly to profit-and-loss (P&L) performance at the company level. Somewhere in the middle are specific control capabilities regarding, for example, product safety, secure IT development and deployment, or financial auditing.

Would you like to learn more about our Risk Practice ?

To change this picture, leadership must commit to building robust, effective risk management. The project is three-dimensional: 1) the risk operating model, consisting of the main risk management processes; 2) a governance and accountability structure around these processes, leading from the business up to the board level; and 3) best-practice crisis preparedness, including a well-articulated response playbook if the worst case materializes.

1. Developing an effective risk operating model

The operating model consists of two layers, an enterprise risk management (ERM) framework and individual frameworks for each type of risk. The ERM framework is used to identify risks across the organization, define the overall risk appetite, and implement the appropriate controls to ensure that the risk appetite is respected. Finally, the overarching framework puts in place a system of timely reporting and corresponding actions on risk to the board and senior management. The risk-specific frameworks address all risks that are being managed. These can be grouped in categories, such as financial, nonfinancial, and strategic. Financial risks, such as liquidity, market, and credit risks, are managed by adhering to appropriate limit structures; nonfinancial risks, by implementing adequate process controls; strategic risks, by challenging key decisions with formalized approaches such as debiasing, scenario analyses, and stress testing. While financial and strategic risks are typically managed according to the risk-return trade-off, for nonfinancial risks, the potential downside is often the key consideration.

Finding the right level of risk appetite

Companies need to find the right level of risk appetite, which helps ensure long-term resilience and performance. Risk appetite that is too relaxed or too restrictive can have severe consequences on company financials, as the following two examples indicate:

Too relaxed. One nuclear energy company set its standards for steel equipment in the 1980s and did not review them even when the regulations changed. When the new higher standards were applied to the manufacture of equipment for nuclear power plants, the company fell short of compliance. An earlier adaptation of its risk appetite and tolerance levels would have been significantly less costly.

Too restrictive. A pharma company set quality tolerances to produce a drug to a significantly stricter level than what was required by regulation. At the beginning of production, tolerance intervals could be fulfilled, but over time, quality could no longer be assured at the initial level. The company was unable to lower standards, as these had been communicated to the regulators. Ultimately, production processes had to be upgraded at a significant cost to maintain the original tolerances.

As well as assessing risk based on likelihood and impact, companies must also assess their ability to respond to emerging risks. Capabilities and capacities needed to manage these risks should be evaluated and gaps filled accordingly. Of particular importance in crisis management is the timeliness of an effective response when things go awry. The highly likely, high-impact risk events on which risk management focuses most of its attention often emerge with disarming velocity, taking many companies unawares. To be effective, the enterprise risk management framework must ensure that the two layers are seamlessly integrated. It does this by providing clarity on risk definitions and appetite as well as controls and reporting.

• Taxonomy. A company-wide risk taxonomy should clearly and comprehensively define risks; the taxonomy should be strictly respected in the definition of risk appetite, in the development of risk policy and strategy, and in risk reporting. Taxonomies are usually industry-specific, covering strategic, regulatory, and product risks relevant to the industry. They are also determined by company characteristics, including the business model and geographical footprint (to incorporate specific country and legal risks). Proven risk-assessment tools need to be adopted and enhanced continuously with new techniques, so that newer risks (such as cyberrisk) are addressed as well as more familiar risks.
• Risk appetite. A clear definition of risk appetite will translate risk-return trade-offs into explicit thresholds and limits for financial and strategic risks, such as economic capital, cash-flow at risk, or stressed metrics. In the case of nonfinancial risks like operational and compliance risks, the risk appetite will be based on overall loss limits, categorized into inherent and residual risks (see sidebar, “Finding the right level of risk appetite”).
• Risk control processes. Effective risk control processes ensure that risk thresholds for the specified risk appetite are upheld at all levels of the organization. Leading companies are increasingly building their control processes around big data and advanced analytics. These powerful new capabilities can greatly increase the effectiveness and efficiency of risk monitoring processes. Machine-learning tools, for example, can be very effective in monitoring fraud and prioritizing investigations; automated natural language processing within complaints management can be used to monitor conduct risk.
• Risk reporting. Decision making should be informed with risk reporting. Companies can regularly provide boards and senior executives with insights on risk, identifying the most relevant strategic risks. The objective is to ensure that an independent risk view, encompassing all levels of the organization, is embedded into the planning process. In this way, the risk profile can be upheld in the management of business initiatives and decisions affecting the quality of processes and products. Techniques like debiasing and the use of scenarios can help overcome biases toward fulfilment of short-term goals. A North American oil producer developed a strategic hypothesis given uncertainties in global and regional oil markets. The company used risk modelling to test assumptions about cash flow under different scenarios and embedded these analyses into the reports reviewed by senior management and the board. Weak points in the strategy were thereby identified and mitigating actions taken.

2. Toward robust risk governance, organization, and culture

The risk operating model must be managed through an effective governance structure and organization with clear accountabilities. The governance model maintains a risk culture that strongly reinforces better risk and compliance management across the three lines of defense—business and operations, the compliance and risk functions, and audit. The approach recognizes the inherent contradiction in the first line between performance (revenue and costs) and risk (losses). The role of the second line is to review and challenge the first line on the effectiveness of its risk processes and controls, while the third line, audit, ensures that the lines one and two are functioning as intended.

• Three lines of defense. Effective implementation of the three lines involves the sharp definition of lines one and two at all levels, from the group level through the lines of business, to the regional and legal entity levels. Accountabilities regarding risk and control management must be clear. Risk governance may differ by risk type: financial risks are usually managed centrally, while operational risks are deeply embedded into company processes. The operational risk of any line of business is managed by the business owning the product-development, production, and sales processes. This usually translates into forms of quality control, but the business must also balance the broader impact of risk and P&L. In the development of new diesel engines, automakers lost sight of the balance between compliance risk and the additional cost to meet emission standards, with disastrous results. Risk or compliance functions can only complement these activities by independently reviewing the adequacy of operational risk management, such as through technical standards and controls.
• Reviewing the risk appetite and risk profile. Of central importance within the governance structure are the committees that define the risk appetite, including the parameters for doing business. These committees also make specific decisions on top risks and review the control environment for enhancements as the company’s risk profile changes. Good governance in this case means that risk decisions are considered within the existing divisional, regional, and senior-management governance structure of a company, supported by risk, compliance, and audit committees.
• Integrated risk and compliance governance setup. A robust and adequately staffed risk and compliance organization supports all risk processes. The integrated risk and compliance organization provides for single ownership of the group-wide ERM framework and standards, appropriate clustering of second-line functions, a clear matrix between divisions and control functions, and centralized or local control as needed. A clear trend is observable whereby the ERM layer responsible for group-wide standards, risk processes, and reporting becomes consolidated, whereas the expert teams setting and monitoring specific control standards for the business (including standards for commercial, technical compliance, IT or cyberrisks) become specialized teams covering both regulatory compliance as well as risk aspects.
• Resources. Appropriate resources are a critical factor in successful risk governance. The size of the compliance, risk, audit, and legal functions of nonfinancial companies (0.5 for every 100 employees, on average), are usually much smaller than those of banks (6.9 for every 100 employees). The disparity is partly a natural outcome of financial regulation, but some part of it reflects a capability gap in nonfinancial corporates. These companies usually devote most of their risk and control resources in sector-specific areas, such as health and safety for airlines and nuclear power companies or quality assurance for pharmaceutical companies. The same companies can, however, neglect to provide sufficient resources to monitor highly significant risks, such as cyberrisk or large investments.
• Risk culture. An enhanced risk culture covers mind-sets and behaviors across the organization. A shared understanding is fostered of key risks and risk management, with leaders acting as role models. Especially important are capability-building programs on risk as well as formal mechanisms to assess and reinforce sound risk management practices.

An enhanced risk culture covers mind-sets and behaviors across the organization. A shared understanding is fostered of key risks and risk management, with leaders acting as role models.

3. Crisis preparedness and response

A high-performing, effective risk operating model and governance structure, with a well-developed risk culture minimize the probability of corporate crises , without, of course, completely eliminating them. When unexpected crises strike at high velocity, multinational companies can lose billions in value in the first days and soon find themselves struggling to keep their market position. A best-in-class risk management environment provides the ideal conditions for preparation and response.

• Ensure board leadership. The most important action companies can take to prepare for crises is to ensure that the effort is led by the board and senior management. Top leadership must define the main expected threats, the worst-case scenarios, and the actions and communications that will be accordingly rolled out. For each threat, hypothetical scenarios should be developed for how a crisis will unfold, based on previous crises within and beyond the company’s industry and region.
• Strengthen resilience. By mapping patterns that arose in previous crises, companies can test their own resilience, challenging key areas across the organization for potential weaknesses. Targeted countermeasures can then be developed in advance to strengthen resilience. This crucial aspect of crisis preparedness can involve reviewing and revising the terms and conditions for key suppliers, shoring up financials to ensure short-term availability of cash, or investing in advanced cybersecurity measures to protect essential data and software in the event of failures and breaches.
• Develop action plans and communications. Once these assessments are complete and resilience-building countermeasures are in place, the company can then develop action plans for each threat. The plans must be well articulated, founded on past crises, and address operational and technical planning, financial planning, third-party management, and legal planning. Care should be taken to develop an optimally responsive communications strategy as well. The correct strategy will enable frontline responders to keep pace with or stay ahead of unfolding crises. Communications failures can turn manageable crises into irredeemable catastrophes. Companies need to have appropriate scripts and process logic in place detailing the response to crisis situations, communicated to all levels of the organization and well anchored there. Airlines provide an example of the well-articulated response, in their preparedness for an accident or crash. Not only are detailed scripts in place, but regular simulations are held to train employees at all levels of the company.
• Train managers at all levels. The company should train key managers at multiple levels on what to expect and enable them to feel the pressures and emotions in a simulated environment. Doing this repeatedly and in a richer way each time will significantly improve the company’s response capabilities in a real crisis situation, even though the crisis may not be precisely the one for which managers have been trained. They will also be valuable learning exercises in their own right.
• Put in place a detailed crisis-response playbook. While each crisis can unfold in unique and unpredictable ways, companies can follow a few fundamental principles of crisis response in all situations. First, establish control immediately after the crisis hits, by closely determining the level of exposure to the threat and identifying a crisis-response leader, not necessarily the CEO, who will direct appropriate actions accordingly. Second, involved parties—such as customers, employees, shareholders, suppliers, government agencies, the media, and the wider public—must be effectively engaged with a dynamic communications strategy. Third, an operational and technical “war room” should be set up, to stabilize primary threats and determine which activities to sustain and which to suspend (identifying and reaching out to critical suppliers). Finally, a deliberate effort must be made to address and neutralize the root cause of the crisis and so bring it to an end as soon as possible.

In a digitized, networked world, with globalized supply chains and complex financial interdependencies, the risk environment has grown more perilous and costly. A holistic approach to risk management, based on the lessons, good and bad, of leading companies and financial institutions, can derive value from that environment. The path to risk resilience that is emerging is an effort, led by the board and senior management, to establish the right risk profile and appetite. Success depends on the support of a thriving risk culture and state-of-the-art crisis preparedness and response. Far from minimal regulatory adherence and loss avoidance, the optimal approach to risk management consists of fundamentally strategic capabilities, deeply embedded across the organization.

Daniela Gius is a senior expert in McKinsey’s Hamburg office, Jean-Christophe Mieszala is a senior partner in the Paris office, Ernestos Panayiotou is a partner in the Athens office, and Thomas Poppensieker is a senior partner in the Munich office.

Explore a career with us

Related articles.

The business logic in debiasing

Are you prepared for a corporate crisis?

Nonfinancial risk today: Getting risk and the business aligned

How To Mitigate Change Management Risk

Change Strategists

Affiliate Disclaimer

As an affiliate, we may earn a commission from qualifying purchases. We get commissions for purchases made through links on this website from Amazon and other third parties.

So, you’ve decided to make some changes in your organization. That’s great! After all, change is necessary for growth and progress. However, before you jump headfirst into the deep end of change management, it’s important to recognize the potential risks involved.

To mitigate change management risk, it is important to have a clear plan in place before implementing any changes. This includes identifying potential risks and developing strategies to address them. Communication and training are also key components, as they can help employees understand the changes and how to adapt to them.

It is also important to have a process for monitoring and evaluating the effectiveness of the changes, and making adjustments as needed.

Change management can be a tricky business. It’s not just about implementing new processes or technologies, but also about managing people’s emotions, expectations, and resistance to change. Without proper planning and execution, change can result in chaos, confusion, and even failure.

But fear not, dear reader! In this article, we will guide you through the process of mitigating change management risk, step-by-step.

From identifying potential risks to celebrating success, we’ll cover everything you need to know to ensure a smooth and successful transition.

So, let’s get started!

Identify Potential Risks

You need to start by looking for possible challenges that could come up in the process of change management. This is called risk assessment, and it involves identifying potential risks that may cause delays or failure of the project.

Some of the risks that should be considered during the assessment include employee resistance, lack of communication, inadequate training, and budget constraints.

Once you have identified the potential risks, you can then develop mitigation strategies to reduce the impact of these risks. For instance, to mitigate employee resistance, you can involve them in the change process by communicating the benefits of the change and providing them with adequate training.

To mitigate the lack of communication, you can establish clear communication channels and set up regular meetings to update stakeholders on the progress of the project.

In conclusion, identifying potential risks and developing mitigation strategies is crucial in mitigating change management risk. By doing so, you can ensure that the change process is smooth and successful, and that the project is completed within the set timeline and budget. Remember that risk assessment is an ongoing process, and it’s important to regularly review and update your mitigation strategies as the project progresses.

Develop a Change Management Plan

Crafting a solid plan is key to successfully navigating and adapting to any shifts in your organization. Change readiness is essential to ensure that your plan is effective and sustainable.

Assessing your team’s readiness for change will help you develop a plan that is tailored to their needs. To do this, consider conducting surveys, focus groups, or interviews to gain insights into how your team perceives the change, what they need to feel comfortable with it, and what challenges they anticipate. By taking these steps, you can ensure that your plan is well-informed and addresses any potential obstacles.

Stakeholder engagement is another crucial component of change management planning. Engaging stakeholders early on and throughout the change process can help you build buy-in and support for your plan. It can also help you identify potential resistance or challenges early on and address them before they become major roadblocks.

Consider involving stakeholders in planning, communicating, and implementing the change. This can include senior leaders, front-line employees, customers, and any other groups that may be impacted by the change. By engaging stakeholders in a meaningful way, you can ensure that your plan is well-informed, collaborative, and successful.

In summary, developing a change management plan requires careful consideration of change readiness and stakeholder engagement. Crafting a solid plan that is tailored to your team’s needs and involves stakeholders early on can help you mitigate risk and ensure long-term success. By investing time and effort in planning and engaging stakeholders, you can navigate change more effectively and build a stronger, more resilient organization.

Communicate Effectively

In this section, effectively communicating your change management plan is like a conductor leading an orchestra. Just as a conductor brings all the different instruments together in harmony towards a common goal, you must bring your team together towards a successful change implementation.

The importance of empathy and clarity cannot be overstated when it comes to effective communication. Empathy allows you to understand your team’s perspective and concerns, while clarity ensures that everyone is on the same page.

Building trust is crucial in any change management initiative, and effective communication is key to achieving it. Transparency and consistency are the building blocks of trust. Ensure that you communicate every step of the change process with transparency, keeping your team informed about what’s coming and what’s expected of them. Consistency in communication helps to establish trust, so maintain a regular cadence of communication with your team.

In summary, effective communication is vital to mitigate change management risk. Empathy and clarity are crucial components of effective communication, as is building trust through transparency and consistency. As you communicate your change management plan, remember that you’re the conductor leading your team towards a successful change initiative.

Build a Strong Team

Together, you’ll be assembling a team of skilled individuals who will work in harmony towards a common goal, much like a group of musicians in an orchestra. The success of your change management plan will depend on how effectively you build and lead your team.

To start, you should identify the key competencies required for your team and select individuals who have those skills. Once you have your team in place, it’s important to foster a culture of collaboration and communication.

To build a strong team, you can engage in team building activities that promote trust and open communication. This can be as simple as having regular team meetings or as elaborate as organizing a retreat or team-building workshop. The goal is to help your team members get to know each other better, understand their strengths and weaknesses, and develop a sense of camaraderie.

Additionally, it’s important to provide leadership development opportunities for your team members. This can include training, mentoring, and coaching to help them grow and develop their leadership skills.

In summary, building a strong team is essential to mitigating change management risk. By assembling a group of skilled individuals who work well together and providing leadership development opportunities, you can ensure that your team is equipped to handle any challenges that may arise during the change management process. Remember that team building is an ongoing process, so continue to foster a culture of collaboration and communication to maintain a high-performing team.

Monitor Progress

Monitoring progress is crucial to the success of your change management plan, so keep an eye on how things are going and adjust as needed. Set up regular feedback sessions with your team and stakeholders to ensure that everyone is on the same page. Use performance metrics to track progress and identify any areas that need improvement.

Stakeholder engagement is a critical component of change management, and regular feedback loops can help you keep your stakeholders informed and engaged. Make sure that you’re communicating with your stakeholders regularly and that you’re providing them with the information they need to understand the changes that are happening. Encourage feedback and be open to suggestions for improvement.

Using performance metrics to monitor progress is an effective way to ensure the success of your change management plan. By tracking key performance indicators, you can identify any areas that need improvement and make adjustments as needed. Regular feedback sessions with your team and stakeholders can also help you identify any issues early on and address them before they become major problems.

Remember that change management is an ongoing process, and monitoring progress is essential to ensuring that your plan is successful.

Anticipate and Address Resistance

Don’t let resistance hold you back – anticipate and address it head-on to ensure the success of your plan. Resistance is a natural part of change management, but it can also be a major obstacle.

To mitigate this risk, it’s important to have a clear understanding of the potential sources of resistance. This could include a fear of the unknown, a lack of understanding about the benefits of the change, or concerns about job security. Once you have identified these potential sources of resistance, you can develop targeted training strategies and communication plans to address them.

One effective strategy for mitigating resistance is to focus on leadership buy-in. If key leaders within the organization are on board with the change, they can help to create a culture that is supportive of the transition. This can include providing training and resources to help employees adapt to the change, as well as modeling the desired behaviors and attitudes.

By engaging these leaders early on in the process and making them part of the planning and implementation, you can help to build a coalition of support that can help to overcome resistance.

Another important aspect of addressing resistance is to be transparent and open to feedback. Employees are more likely to support a change if they feel that their concerns and opinions are being heard and valued. This means providing regular updates on the progress of the change, soliciting feedback from employees, and being willing to make adjustments as needed.

By creating a culture of openness and transparency, you can help to build trust and engagement, which can ultimately lead to a more successful change management process.

Manage Operational Disruptions

As you dive deeper into managing operational disruptions, it’s important to develop contingency plans to prepare for unexpected events. In doing so, you’ll be able to minimize disruptions and keep your business running smoothly.

Effective communication with customers and suppliers is also crucial. This will help maintain strong relationships and ensure that everyone is on the same page.

By taking a proactive approach and being prepared for potential disruptions, you can minimize their impact and keep your business moving forward.

Develop Contingency Plans

The key to successfully navigating unexpected obstacles is to have backup plans in place that are as solid as a rock. Developing contingency plans is a crucial step in mitigating change management risk. Here are three things to keep in mind when creating these plans:

Identify the potential risks: Start by conducting a thorough risk assessment to identify all possible risks that could disrupt your operations. This will help you develop contingency plans that address the most critical risks first.

Prioritize your response: Not all risks require the same level of response. Identify which risks are most likely to occur and which ones would have the greatest impact on your business. This will help you prioritize your response and allocate resources accordingly.

Test and refine your plans: Once you’ve developed your contingency plans, it’s important to test them regularly to ensure they’re effective and up-to-date. This will help you identify any weaknesses in your plans and refine them accordingly.

By following these steps, you can develop contingency plans that’ll help you navigate unexpected obstacles and minimize the impact of change management risk on your business continuity.

Minimize Disruptions

You can minimize disruptions by focusing on strategies to keep your operations running smoothly even when unexpected obstacles arise. One way to do this is by implementing change management best practices such as stakeholder engagement and training strategies. By involving stakeholders in the change process, you can ensure that their concerns and needs are addressed, which can help reduce resistance to change. Additionally, providing training and support to employees can help them understand the changes and adapt more quickly, which can minimize disruptions to daily operations.

To further minimize disruptions, you can also develop a contingency plan that outlines how your organization will respond to unexpected events. This plan should include specific actions to take in the event of a disruption, such as identifying backup systems or resources that can be used to maintain operations. By preparing for potential disruptions in advance, you can minimize the impact of these events and ensure that your organization can continue to function effectively.

Communicate Effectively with Customers and Suppliers

To continue minimizing disruptions during change management, it’s important to effectively communicate with customers and suppliers. This means coming up with strategies and tools to engage with them during the process. Effective communication is key to mitigating risks and ensuring a smooth transition.

One of the most important strategies is to engage with customers and suppliers early on in the process. This allows you to understand their needs and concerns, and address them proactively. You can also use various communication channels such as email, phone calls, or face-to-face meetings to keep them informed about the changes and how they may be affected.

Additionally, it’s important to provide them with adequate training and resources to help them adapt to the changes. By doing so, you can build trust and ensure their continued support throughout the transition.

Evaluate the Results

As you evaluate the outcomes of your change management strategies, you’ll gain valuable insights into their effectiveness and identify any potential roadblocks that may arise during implementation. This process involves analyzing data to measure success and determine whether your efforts are delivering the desired results. By doing so, you can identify areas for improvement and make any necessary adjustments to your approach.

To effectively evaluate the results of your change management initiatives, you’ll need to establish clear metrics and benchmarks to measure success. This may involve tracking key performance indicators such as employee satisfaction, productivity, and revenue growth. By regularly monitoring these metrics, you can identify any trends or patterns that may be impacting your outcomes and adjust your strategies accordingly.

In addition to analyzing data, it’s important to gather feedback from stakeholders and team members throughout the change management process. This can help you identify any potential issues or concerns before they become major roadblocks. By incorporating this feedback into your evaluation process, you can gain a more comprehensive understanding of the effectiveness of your strategies and make any necessary changes to ensure a successful implementation.

Celebrate Success

Let’s take a moment to celebrate the success of our change initiatives and acknowledge the positive impact they’ve had on our team’s morale and productivity. Did you know that employee satisfaction increased by 20% after implementing these changes?

It’s important to recognize achievements and to celebrate the progress we’ve made. By acknowledging the successes, we can motivate and inspire our team to continue to embrace change and push forward.

One way to celebrate success is to involve employees in the process. Employees who feel valued and appreciated are more likely to be engaged and committed to their work. By involving them in the celebration, we can build a sense of community and foster a collaborative culture. This can be achieved through team-building activities, recognition programs, and other initiatives that promote a positive and supportive work environment.

Incorporating a culture of celebration and recognition can also help mitigate change management risks. When employees feel supported and valued, they’re more likely to embrace change and adapt to new processes. This can lead to a smoother transition and a faster return on investment.

Celebrating success and recognizing achievements can also help build momentum and create a positive feedback loop that encourages continued improvement and growth. So, let’s take a moment to celebrate our successes, involve our employees, and continue to push forward towards our goals.

Continuously Improve

You can always find ways to improve and grow, whether it’s through seeking feedback from your team or staying up-to-date on industry trends and best practices.

Continuous improvement is an essential aspect of mitigating change management risks. By implementing strategies that foster a culture of continuous improvement, you can stay ahead of the curve and ensure that your team is always working towards optimal performance.

Below are the best practices for implementing a continuous improvement plan:

Gather Feedback: One of the best ways to improve is by gathering feedback from your team. Encourage an open-door policy where team members can share their ideas and concerns without fear of retribution. Regular check-ins and surveys will also help you gauge team morale and identify areas for improvement.

Set Goals: Goals help to provide direction and focus. Set clear, measurable, and achievable goals for your team and track progress towards these goals. Celebrate milestones and achievements along the way to keep motivation high.

Stay Informed: Staying up-to-date on industry trends and best practices is essential for continuous improvement. Attend conferences, read relevant publications, and network with peers to stay informed and bring new ideas back to your team. Continuous improvement is an ongoing process, and it requires a commitment to learning and growth.

Incorporating these best practices into your change management plan will help you mitigate risks and maximize success. Remember, continuous improvement isn’t a destination but a journey. By fostering a culture of continuous improvement, you can ensure that your team is always striving for excellence.

What Are the Potential Risks of Change Management and How Can They Be Managed?

When implementing change within an organization, there are potential risks that may arise, such as resistance from employees, communication breakdowns, and productivity disruptions. To manage these risks, employing effective mitigating change management strategies , including clear communication, involving employees in the process, providing necessary support and training, and continuously monitoring and adjusting the change plan, can help ensure a successful transition.

Now that you’ve gone through the steps of mitigating change management risk, it’s important to remember that this is an ongoing process. Change is inevitable, and the risks associated with it will always be present. Therefore, it’s crucial to continuously improve and refine your change management strategies.

One way to do this is by evaluating the results of your current change management plan. Analyze what worked, what didn’t, and why. This will help you identify areas that need improvement and make necessary adjustments.

Remember to also celebrate success. Acknowledge the hard work and dedication of your team and recognize the positive outcomes of your change management efforts. This will not only boost morale but also reinforce the importance of effective change management in your organization.

By following these steps and continuously improving your change management strategies, you can mitigate risk and ensure the successful implementation of organizational changes.

About the author

If you want to grow your business visit Growth Jetpack program . And if you want the best technology to grow your online brand visit Clixoni .

Latest Posts

Maximizing Efficiency Through Department Consolidation Strategies

Wondering how merging departments can revolutionize your organization's efficiency? Explore strategies to streamline processes and drive success through consolidation.

Unlocking Emotional Intelligence for Workplace Success

Leverage emotional intelligence for workplace success by enhancing communication and teamwork – discover how it drives positive outcomes.

Downsides of Poor Communication in Workplace Culture

Not addressing poor communication in the workplace culture?

NRMC | Find the answer here

Managing risk in a world of change: turn and face the strange.

By Melanie Lockwood Herman

Three of the questions we often ask during NRMC Risk Assessments or ERM Engagements are:

• What is the most significant, recent change in your organization?
• What disruptive changes are going on now?
• If we were to return a year from now, what would be decidedly different?

As you might have guessed, there’s a purpose to these questions: to identify areas where an organization might be vulnerable and not know it. In our experience, major changes in an organization often cause subtle or substantial changes in the nonprofit’s risk landscape. Consider these risk tips if your organization is going through a major change.

• Unearth unintended consequences: When we talk about major changes at a nonprofit, leaders are often frustrated (and surprised!) that they didn’t fully see what was coming. For example, a colleague recently described how a new payroll system for a national organization went haywire after launch: a recently terminated employee received two paychecks instead of one, and it now takes hours instead of minutes to process the payroll for his small chapter. As you anticipate changes that will happen in the next few months, as well as those that will take a year or longer to implement, remember to ask: “what are some of the possible unintended consequences or effects of this positive change?” Ask “what could go wrong?” as well as “how could that happen?” “What steps should we take to leverage positive potential consequences? What steps should we take to lessen the sting of negative consequences?”
• Fine tune by tuning in: We sometimes hear front-line and field staff members bemoan the fact that deafening silence often follows the announcement of a major change. For example, chapter team members might say of their national organization: “We’re expected to sit tight and wait for the painful consequences of the change announced by headquarters.” Whether it’s the implementation of an ERP, new structure for a Federation, streamlining of top priorities, or launch of a new program, build internal stakeholder support by listening and asking for real feedback from those who will help implement the change. Also remember that silence is not necessarily assent! Tuning in to how your team feels about and is experiencing change has another benefit: it builds the trust you need to be resilient when things don’t go as expected. (Did I mention that things never go as expected?!)
• Resolve to evolve: I’ve been a bit sensitive during my career to comments about my tendency to change my mind: I’m an admitted flip-flopper. I’ve witnessed too many smart leaders sticking to prior decisions despite loud warning signals that their chosen path was more dangerous than first imagined. Or that the unintended consequences of the decision eclipsed the value sought. Whatever the change taking place at your nonprofit, remember to be humble about whether it was the right call. Invite internal stakeholders to poke holes, question strategy, and offer up alternatives, even when the change is underway.
• Respect change fatigue: The topic of change fatigue often surfaces during NRMC consulting engagements . In her HBR article, Change Efforts Can Fail Unless They’re Coordinated , Rebecca Newton cautions that leaders should “investigate what other changes are going on” before launching any major change. Telling the team to “get with the program” doesn’t work; an unhappy, determined team member can easily undermine changes that others have embraced.
• Make room for change: A close friend who I can always count on for sage management advice recently told me that she uses a simple framework for staff goal setting and planning: her direct reports are asked to organize their annual plans into three buckets: 1. keep doing, 2. start doing, and 3. stop doing. At NRMC we’ve observed that one of the biggest impediments to successful change is the unwillingness to stop doing anything. Many nonprofit leaders resist the notion or fail to lead by example when it comes to making room for all that’s new. Organizational change can’t be simply additive: doing much more with less exposes a nonprofit to costly consequences, from plummeting morale to avoidable mistakes.

Change is hard. And it’s hard to change. Good intentions, lofty goals, and a detailed plan aren’t a vaccine for the stuff that can and will happen to disrupt or derail change. Be realistic about how much change you can handle, be honest about the stress of change and resistance to change, and keep a close eye for the new risks emerging in the changing landscape in which your mission lives.

Melanie Herman is Executive Director of the Nonprofit Risk Management Center. Melanie’s recent and upcoming speaking engagements cover a broad swath of topics, including: Risk Lessons from Cinema; Passing It On: How to Keep Organizational Knowledge from Walking Out the Door; Workplace Harassment: An Unacceptable Risk; Top 10 Risks Facing Nonprofits; and Another One Bites the Dust: Business Continuity Planning for Your Nonprofit. To book Melanie for a keynote, workshop or webinar, call 703.777.3504 or write to [email protected] .

Change Management Resources

• Read Douglas Ready’s article about 4 Things Successful Change Leaders Do Well in the January 2016 of HBR.
• To learn about the Theory of Change from an organization with the same name, visit www.theoryofchange.org . The Theory of Change is an approach to linking activities to long-term goals that encourages leaders to reflect on how change happens, as well as what changes are needed.
• To read more about linking outcomes to assumptions, strategies and results, see Theory of Change: A Practical Tool for Action Results and Learning from The Annie E. Casey Foundation.

Are you a ComplianceQuest Customer?

What is Change Management Risk?

Change Management Risk allows businesses to navigate transitions more effectively, capitalize on growth opportunities, and cultivate a resilient and adaptive organizational culture.

How does Change Management Risk Help Businesses?

The risk involved in Change Management helps to implement new organizational processes , technologies, or strategies to achieve specific goals or improve overall performance. Integrating Change Management Risk assessment into a business strategic planning makes it easier to 

• Navigate transitions more effectively,
• Capitalize on growth opportunities
• Cultivate a resilient and adaptive organizational culture better positioned for sustained success in a dynamic business environment.

However, this transformative process is not without its risks, and understanding and mitigating these risks is critical for successful change implementation.

What are the Four Steps to Conducting a Change Management Risk Assessment?

Conducting a Change Management Risk assessment is a systematic process. There are four major steps involved in identifying, analyzing, and mitigating potential risks associated with organizational change. 

• Define Change Management Risk Assessment Framework: Establishing a clear framework is the foundational step in the change management risk assessment process. This involves defining the scope, objectives, and methodology of the assessment. Determine the criteria for evaluating risks, such as impact and likelihood, and establish a timeline for the assessment. Additionally, identify key stakeholders and develop communication channels to inform all relevant parties.
• Analyze Data: Gather relevant data related to the proposed change. This may include historical data on previous change initiatives, organizational culture assessments, employee feedback, and market analysis. By collecting and analyzing this information, organizations can gain insights into potential challenges, resistance points, and areas where the change might impact the existing processes or workflows. This data-driven approach provides a solid foundation for understanding the context in which the change will occur.
• Identify and Analyze Risks: Systematically identify potential risks associated with the change initiative. This involves engaging key stakeholders to gather insights and perspectives, conducting risk workshops or interviews, and using risk matrices. Categorize risks based on their impact and likelihood, distinguishing between internal and external factors. Carefully analyze each identified risk to understand its root causes, potential consequences, and the likelihood of occurrence. This step helps prioritize risks and focus efforts on the most critical areas.
• Develop Response Plans: Once risks are identified and analyzed, develop response plans to mitigate or address them. These plans should outline specific actions to be taken if a risk materializes. Response plans may include communication strategies, contingency plans, and adjustments to the change implementation timeline. Assign responsibilities for executing response plans to individuals or teams, ensuring accountability. Regularly review and update response plans throughout the change process to adapt to new circumstances and new information.

What are the Common Risks of Change Management?

Few common risk of Change Management involves:

• Lack of Understanding or Buy-In from Stakeholders: Resistance occurs when stakeholders, such employees, executives, or external partners, do not understand the on-going change or its many benefits. Their lack of understanding could be due to
• Insufficient communication
• Failure to involve stakeholders in the decision-making process.
• Engaging stakeholders early, providing clear information, and addressing concerns can mitigate this risk.
• Inadequate Change Management Practices and Processes: Poorly defined or executed change management practices can lead to confusion, resistance, and inefficiencies. Successful change requires a structured approach, well-defined processes, clear roles and responsibilities, and practical training programs. Inadequate planning or execution in these areas can result in a lack of direction and hinder the organization's ability to adapt.
• Ineffective Communication: Communication breakdowns pose a significant risk in change management. Ineffective communication can lead to rumors, misinformation, and a lack of clarity, fostering resistance and uncertainty among employees. Organizations must establish transparent communication channels, convey the purpose and benefits of the change, and address concerns promptly to ensure a smooth transition.
• Excessive Change Implementation Timeline: Prolonged change implementation timelines can lead to fatigue, increased costs, and lost momentum. Employees may become disengaged, and the organization might miss opportunities or face increased competition. Striking a balance between a reasonable implementation timeline and swift adaptation is crucial for maintaining enthusiasm and achieving the desired outcomes.
• Inadequate Change Control Measures: Change initiatives carry inherent risks, and without proper control measures, organizations may struggle to manage and mitigate these risks effectively. Lack of oversight can result in unintended consequences, disruptions to business operations, and increased costs. Robust Change Control measures, including regular assessments and adjustments, are essential for minimizing negative impacts.
• Misaligned Change Initiatives with Organizational Objectives: If change initiatives are not aligned with the broader organizational goals and strategies, they may lack purpose or fail to contribute meaningfully to the organization's success. Ensuring that proposed changes are consistent with the overall vision, mission, and strategic objectives is crucial. Regular alignment assessments help organizations avoid pursuing changes that do not add value or align with their long-term goals.

Change Management Risk is crucial in facilitating business growth by providing a structured approach to identifying, analyzing, and mitigating potential challenges associated with organizational change. Through systematically evaluating risks, businesses can anticipate obstacles that may impede the success of change initiatives and proactively develop strategies to overcome them.

A thorough risk assessment enhances decision-making by providing leaders with a comprehensive understanding of potential hurdles. This informed decision-making allows for the implementation of effective change strategies that align with organizational goals, reducing the likelihood of costly errors and failures.

Businesses can foster a culture of collaboration and engagement by identifying and addressing stakeholder concerns and resistance during the risk assessment process. This ensures that employees, a vital asset in any organization, are actively involved and supportive during the change process, contributing positively to overall productivity and innovation.

A well-executed risk assessment helps manage financial implications, preventing unforeseen costs and budget overruns. This financial discipline allows businesses to allocate resources efficiently, maximizing the return on investment for change initiatives.

Request a Free Demo

Learn about all features of our Product, Quality and Safety suites. Please fill the form below to access our comprehensive Demo Video.

In Need of Smarter Ways Forward? Get in Touch.

Got questions we can help.

Chat with a CQ expert, we will answer all your questions.

Please confirm your details

By submitting this form you agree that we can store and process your personal data as per our Privacy Statement. We will never sell your personal information to any third party.

JavaScript seems to be disabled in your browser. For the best experience on our site, be sure to turn on Javascript in your browser.

Explore the Levels of Change Management

The Costs and Risks of Poorly Managed Change

Tim Creasey

Updated: March 2, 2024

Published: January 19, 2022

When the people side of change is ignored or poorly managed, the project and the organization take on additional costs and risks. When you consider it from this perspective, effective change management is a cost avoidance technique, risk mitigation tactic, and justifiable investment . Here's an overview of common costs and risks, and how to position change management to clearly communicate and share its benefits.

Consequences of Poor Change Management

It's likely that we have all experienced a poorly managed organizational change at some point, either as an offender or victim. We know from experience that when this happens, the individual changes that culminate in organizational change do not take place. We know that when the "people side of change" is mismanaged, projects don't realize the results and outcomes desired. We know that we have a lower likelihood of meeting objectives, finishing on time, and finishing on budget . And we know that speed of adoption will be slower, ultimate utilization will be lower, and proficiency will be lacking—all dragging down expected returns. 

Ignoring or mismanaging change manifests as costs and risks that play out on both the project level and organizational level. While some of these costs and risks may seem soft, many are quantifiable and can have a significant impact on financial performance for the project and the organization as a whole. 

Project-level costs and risks of mismanaged change

Project-level impacts relate directly to the specific project or initiative forgoing change management. These projects can impact tools, technologies, processes, reporting structures and job roles. They can result from strategic planning, internal stimuli such as performance issues, external stimuli such as regulation or competitive threats, or demands by customers and suppliers. The initiatives may be formalized as projects with project managers, budgets, schedules, etc., or they may be informal in nature but still impact how people do their jobs. 

While these projects can take on a number of different forms, the fact remains that ignoring or mismanaging the people side of change has real consequences for project performance:

• Project delays
• Missed milestones
• Budget overruns
• Rework required on design
• Loss of work by project team
• Resistance 
• Project put on hold
• Resources not made available
• Obstacles appear unexpectedly
• Project fails to deliver results
• Project is fully abandoned

When we apply change management effectively , we can prevent or avoid costs and mitigate risks tied to how individual employees adopt and utilize a change.

Organization-level costs and risks of mismanaged change

The organizational level is a step above the project-level impacts. These costs and risks are felt not only by the project team, but by the organization as a whole. Many of these impacts extend well beyond the lifecycle of a given project. When valuable employees leave the organization, the costs are extreme. A legacy of failed change presents a significant and ever-present backdrop that all future changes will encounter.

The organizational costs and risks of poorly managing change include:

• Productivity plunges (deep and sustained)
• Loss of valued employees
• Reduced quality of work
• Impact on customers
• Impact on suppliers
• Decline in morale
• Legacy of failed change
• Stress, confusion and fatigue
• Change saturation

Applying change management effectively on a particular project or initiative allows you to avoid organizational costs and risks that last well beyond the life of the project.

Costs and risks of failing to deliver results and outcomes

There is one final dimension of costs and risks to consider, beyond the project and organizational impacts. When we try to introduce a change without using effective change management, we are much less likely to implement the change and fully realize the expected results and outcomes. This final dimension provides answers to the question: What if the change is not fully implemented?

If the change does not deliver the results and outcomes—in large part because we ignored the people side of change —there are additional costs and risks.

Costs if the change is not fully implemented:

• Lost investment made in the project
• Lost opportunity to have invested in other projects

Risks if the change is not fully implemented:

• Expenses not reduced
• Efficiencies not gained
• Revenue not increased
• Market share not captured
• Waste not reduced
• Regulations not met

Change Risks and Change Management

Discussing the costs and risks of poorly managed change is yet another way to make the case for change management . Positioning change management as a cost avoidance technique or a risk mitigation tactic can be an effective approach for communicating change management's value or to get support for the resources you need for managing the people side of change.

Tim Creasey is Prosci’s Chief Innovation Officer and a globally recognized leader in Change Management. Their work forms the basis of the world's largest body of knowledge on managing the people side of change to deliver organizational results.

See all posts from Tim Creasey

You Might Also Like

Enterprise - 3 MINS

Cost-Benefit Analysis of Change Management

Are You Demotivating Your Front-Line Employees?

Subscribe here.

• SUGGESTED TOPICS
• The Magazine
• Newsletters
• Managing Yourself
• Managing Teams
• Work-life Balance
• The Big Idea
• Data & Visuals
• Reading Lists
• Case Selections
• HBR Learning
• Topic Feeds
• Account Settings
• Email Preferences

Why Playing It Safe Is the Riskiest Strategic Choice

• Steve Dennis

“Timid transformation” doomed certain retailers. There’s a better approach.

In the current era of digital disruption, the pace of change has dramatically accelerated, leaving traditional risk management wisdom lacking. Across a variety of industries, technology-enabled disruptors have changed the rules. Many brands that moved cautiously have dramatically increased their risk of irrelevance or set themselves on a path to extinction. The author thus argues that playing it safe is in fact the riskiest choice. He illustrates this with the example of traditional brick-and-mortar retail companies that chose a “timid transformation” — as well as those that effectively pivoted and avoided that fate. Moving faster doesn’t mean being reckless or endless moonshots, but cultivating a culture of experimentation and finding ways to “shrink the change” so that companies can better deliver value to customers.

­Traditionally, good corporate risk management has meant lots of study, careful analysis, and the flawless execution of well-honed implementation plans. A heavy focus on business optimization and continuous improvement was eminently sensible. Until it wasn’t.

• SD Steve Dennis is a strategic advisor, keynote speaker, podcast host, and author of Leaders Leap: Transforming Your Company at the Speed of Disruption and Remarkable Retail . He has been named a top global retail influencer by multiple organizations, and his thoughts on the future of shopping are regularly shared in his role as a Forbes Senior Contributor, as well as through other media, including CNN, The Wall Street Journal , and Bloomberg . Steve has delivered talks on six continents, sharing his unique perspective on what it takes to reignite customer growth in a world of unrelenting change and shifting consumer preferences. Steve is President of SageBerry Consulting, where he has advised dozens of brands on their growth strategies. Prior to founding SageBerry, he was chief strategy officer and SVP, multichannel marketing at the Neiman Marcus Group. He serves on multiple for profit and non-profit boards. Steve holds an MBA from the Harvard Business School and a BA in Economics from Tufts University. He lives in Dallas, Texas.

Partner Center

Compliance & Operational Risk Manager- Quality Assurance

Job Description:

At Bank of America, we are guided by a common purpose to help make financial lives better through the power of every connection. Responsible Growth is how we run our company and how we deliver for our clients, teammates, communities and shareholders every day.

One of the keys to driving Responsible Growth is being a great place to work for our teammates around the world. We’re devoted to being a diverse and inclusive workplace for everyone. We hire individuals with a broad range of backgrounds and experiences and invest heavily in our teammates and their families by offering competitive benefits to support their physical, emotional, and financial well-being.

Bank of America believes both in the importance of working together and offering flexibility to our employees. We use a multi-faceted approach for flexibility, depending on the various roles in our organization.

Working at Bank of America will give you a great career with opportunities to learn, grow and make an impact, along with the power to make a difference. Join us!

Job Description: This job is responsible for executing second line of defense compliance and operational risk oversight for a Front Line Unit, Control Function, and/or Third Parties. Key responsibilities include ensuring requirements of the Global Compliance Enterprise Policy, the Operational Risk Management Enterprise Policy (collectively “the Policies”), the Compliance and Operational Risk Management Program and Standard Operating Procedures are implemented and identifying, challenging, escalating, and mitigating risks in a timely manner.

Responsibilities:

Assesses risks and effectiveness of Front Line Unit (FLU) processes and controls to ensure compliance with applicable laws, rules, and regulations, while responding to regulatory inquiries, other audits, and examinations

Engages in activities to provide independent compliance and operational risk oversight of FLU or Control Function (CF) performance and any related third party/vendor relationships in alignment with the Global Compliance - Enterprise Policy, the Operational Risk Management - Enterprise Policy (collectively the Policies) and the Compliance and Operational Risk Management Program and Standard Operating Procedures

Identifies and escalates problems or issues that arise and drives actions to address the root causes that lead to compliance risk issues and/or operational risk losses

Manages inventory of processes, risks, controls, and associated metrics for risk appetite and limits, reporting violations of compliance or regulatory activities

Assists in the development of independent risk management reporting for respective area(s) of coverage as input into country/regional governance and management routines

Analyzes and interprets applicable laws, rules, and regulations to provide clear and practical advice to stakeholders, and identify and manage risks

Reviews and challenges FLU/CF process, risk, Single Process Inventory, and FLU/CF Risk and Control Self-Assessment related to themes or trends, while monitoring the regulatory environment to identify regulatory changes applicable to area(s) of coverage

Managerial Responsibilities: This position may also have responsibilities for managing associates. At Bank of America, all managers at this level demonstrate the following responsibilities, in addition to those specific to the role, listed above.

Diversity & Inclusion Champion: Models an inclusive environment for employees and clients, aligned to company D&I goals.

Manager of Process & Data: Demonstrates deep process knowledge, operational excellence and innovation through a focus on simplicity, data based decision making and continuous improvement.

Enterprise Advocate & Communicator: Communicates enterprise decisions, purpose, and results, and connects to team strategy, priorities and contributions.

Risk Manager: Ensures proper risk discipline, controls and culture are in place to identify, escalate and debate issues.

People Manager & Coach: Provides inspection, coaching and feedback to motivate, differentiate and improve performance.

Financial Steward: Actively manages expenses and budgets in alignment with objectives, making sound financial decisions.

Enterprise Talent Leader: Assesses talent and builds bench strength for roles across the organization.

Driver of Business Outcomes: Delivers results by effectively prioritizing, inspecting and appropriately delegating team work.

Monitoring, Surveillance, and Testing

Regulatory Compliance

Risk Management

Critical Thinking

Interpret Relevant Laws, Rules, and Regulations

Issue Management

Policies, Procedures, and Guidelines Management

Business Process Analysis

Decision Making

Negotiation

Process Management

Written Communications

Job Description Summary

The Compliance and Operational Risk (C&OR) Manager is responsible for engaging in activities to provide independent compliance and operational risk oversight of Front Line Unit or Control Function (FLU/CF) performance and any related third party/vendor relationships in alignment with the Global Compliance - Enterprise Policy, the Operational Risk Management - Enterprise Policy (collectively the Policies) and the Compliance and Operational Risk Management (CORM) Program and Standard Operating Procedures (SOPs). As a member of an FLU or CF C&OR officer team, the C&OR Manager is accountable for proactive identification, management and escalation of compliance and operational risks through the execution of some or all of the below identified activities. This role exercises judgment and influence, and may constructively challenge FLU and CF leaders to support the CORM Program objectives, balancing business strategy with appropriate controls.

The individual will be a Compliance and Operational Risk Manager in the Global Markets (GM) Compliance and Operational Risk (COR) Department on the Quality Assurance (QA) team. The primary responsibilities include developing and performing QA routines for adherence to various regulatory commitments and obligations, including new market conduct and surveillance-related standards related to coverage assessments, parameter settings, test scripts and escalated alerts referred to internal investigations.  

Role Responsibilities:

The individual will be expected to assist with:

Developing, maintaining and overseeing standard operating procedures for QA reviews, including:

Defining scope, statistical sampling and prioritization of QA reviews 

Establishing minimum requirements and standards for QA reviews

Documenting QA findings 

Facilitating remediation of deficiencies

Communicating the results of QA to key stakeholders and management (written reports/oral presentations).

Establishing and building working relationships with GM COR, GCOR Surveillance / Enterprise Independent Testing and internal audit teams

Participating in governance routines and meetings with key stakeholders to report on QA findings 

Contributing to metrics reporting related to QA

Maintaining key records for purposes of audit review

Organizing and preparing trainings on the QA processes, as needed

Driving deliverables on special projects and process enhancements for the team

Required and Desired Candidate Qualifications Including # of Years Prior Experience Needed:

Minimum Years of Business & Functional Experience: 7 Years Degree Required: Bachelor’s Degree; May require regulatory examination/registration or certification depending on jurisdiction and role

To perform the responsibilities associated with this position, the ideal candidate will have the following qualifications:

8+ years experience covering global markets compliance for U.S. institutional broker-dealer or bank

Bachelor's degree or equivalent work experience

An aptitude for learning and remaining current on industry rules, regulations and best practices impacting to help ensure that the firm’s compliance program meets regulatory standards and strives for a best-in-class industry standard

Understanding of market misconduct behaviors across Global Markets businesses, including Surveillance practices to detect for such behaviors

Strong oral/written communication skills and ability to effectively engage stakeholders and foster collaboration among GCOR, the business and other control functions

Ability to challenge and “ask the right questions” when performing QA and reporting on findings

Delivery-focused and disciplined approach, with an ability to be proactive

Strong analytical and organizational skills with a focus on attention to detail and accuracy

Ability to project confidence and professionalism in all dealings 

Experience in demonstrating and fostering critical and strategic thinking

Ability to work collaboratively across multiple stakeholders and deliver results in a timely manner

Self-starter with ability to multitask and manage competing priorities, managing effectively in a dynamic environment

Proficiency with Microsoft Word, Excel, SharePoint, PowerPoint, Tableau, SMARTS, Actimize

Experience with QA and statistical sampling a plus

Experience in an Audit or other testing function a plus

Hours Per Week:

Weekly Schedule:

Referral Bonus Amount:

Hours Per Week: 

Learn more about this role

JR-24010838

Manages People: No

Street Address

Primary location:, important notice: you are now leaving bank of america.

By clicking Continue, you will be taken to a website that is not affiliated with Bank of America and may offer a different privacy policy and level of security. Bank of America is not responsible for and does not endorse, guarantee or monitor content, availability, viewpoints, products or services that are offered or expressed on other websites.

You can click the Return to Bank of America button now to return to the previous page or you can use the Back button on your browser after you leave.

Risk Manager

A scalable healthcare business analytics solution and streamlined workflows that deliver actionable intelligence to support payment reform programs.

What’s Included in Risk Manager

Acg risk and prometheus engines.

• Stratifies and identifies populations
• Identifies risk drivers to help drive better patient care
• Supports commercial, Medicare, and Medicaid populations
• Helps determine likelihood of hospitalization

Cost and utilization analysis

• ED visits, including average cost, frequent visitors, and low acuity
• Inpatient stays, including average cost, readmits, and in vs. out of network
• Outpatient imaging
• Office visits

QRE NCQA-certified HEDIS engine

• Measures quality compliance and gaps in care
• Multiple measure sets (HEDIS, ACO, IHA)
• Multiple measure runs, including enrollment, time period, and user-entered data
• Patient-detail reporting and physician profiling
• Letter generation for outreach

Prometheus episode of care analytics

• Leverage clinically validated episode definitions
• Target providers with compelling data
• Optimize your network design
• Track referral patterns
• Compare physician performance

Transform data to support payment reform

Ingest data once to repurpose for multiple insights

Minimize your overhead by providing one data stream. Our healthcare business analytics solution executes a multitude of analytical engines against this data, including risk, cost, utilization, quality, and episode engines to support risk-based contracts.

Easily use analytics to find areas for opportunity

Utilize our healthcare business analytics platform to find the “needle in a haystack.” Discover actionable opportunities to bend the cost curve by utilizing high-level aggregation and at-a-glance guided analytics.

Use intelligence to accelerate behavior change

Help modify behaviors by combining scope and depth to provide actionable insights, from the big picture (across the network) to specific provider performance to individual patients who need outreach.

Powerful dashboards to drive informed decisions

Empower multiple types of users to accomplish their goal of finding actionable opportunities by offering a wide range of tools to help them accomplish their goals. Our healthcare business analytics can be used by medical directors, practice managers, providers, care coordinators, and analysts. Each group benefits from the dashboards, fixed reports, custom visualizations, three-dimensional report builders, and other advanced features.

PMPY average savings, with 97.2 average quality score 1

million in medical saving generated, $14.71 savings PMPM 2

fewer readmissions and 4% fewer ED visits 3

1 Achieved by three ACOs participating in MSSP

2,3 Regional health plan using Risk Manager to drive total cost of care

Our outcomes

Access Value-Based Care Analytics With Prometheus

Discover how Prometheus Analytics® helps organizations create, analyze, and deploy episodes of care that form the foundation of alternative payment models.

Infographic

Your To-Do List for No-Fuss HEDIS

Simplify HEDIS compliance with a helpful calendar infographic that outlines each monthly task.

On-demand Webinar

The Evolution of Value-Based Care

Learn how to use retrospective analysis to define equitable, empirically grounded Episodes of Care that you can successfully apply in a prospective context.

PRODUCT SUPPORT

Need support for this solution.

Join Community discussions

Find and share knowledge, exchange ideas, and collaborate with peers and Change Healthcare experts to drive your solutions to success.

Let’s start a conversation

We’re here to help you find out how this solution could benefit your organization. Complete the quick form to the right, and someone will reach out to you soon.

Our experts will:

• Discuss your individual use case and business needs
• Explain our features, benefits, and services
• Show how this solution can help achieve your goals

Want more information? Start here.

First Name *

Last Name *

Business Email: *

Job Function * " class="field-size-top-medium" > -- Please Select -- Administrative/Human Resources Administrator Billing/Coding Board Member/Director/Trustee Cardiology Care Management/Population Health Claims & Denials Consulting Dentistry EDI EHR Implementation/Management Engineering/Technical Staff Enrollment Executive Finance/Accounting General Management Information Systems/Technology Laboratory Legal/Regulatory/Compliance Medical Auditing Medical Practice Management Member Engagement Nurse/Nursing Executive Office Manager Operations Patient Access Patient Financial Services Pharmacy Physician Physician Practice Management Procurement/Purchasing/Supply Project Management Radiology Revenue Cycle Management Sales/Business Development/Marketing Training/Education Vendor Relationships Other

Job Level * " class="field-size-top-medium" > -- Please Select -- Analyst/Administrator Chief Compliance Officer Chief Executive Officer Chief Financial Officer Chief Information Officer Chief Medical Information Officer Chief Medical Officer Chief Operating Officer Chief Quality Officer Chief Technology Officer C-Level Department Chair Director Doctor Individual Contributor Manager President Senior Vice President Vice President Other

Claims Volume

Company Type * " class="field-size-top-medium" > -- Please Select -- Billing Service Dental Emergency Medical Service Government Agency Healthcare Information Exchange Home Health Agency Hospital Employed Practice Hospital/Health System Imaging Center Independent Practice Affiliated with Hospital Independent Practice Not Affiliated with Hospital Laboratory Partner/Reseller Payer Software Vendor Trust Other

Practice Specialty -- Please Select -- Anesthesia Cardiology Emergency Medicine Pathology Radiology Other

Number of Covered Lives

Practice Management Software Vendor

Business Phone *

Country * Please select United States United Kingdom Canada India Netherlands Australia South Africa France Germany Singapore Sweden Brazil -------------- Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Bouvet Island Brazil Brit/Indian Ocean Terr. Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Congo, The Dem. Republic Of Cook Islands Costa Rica Côte d'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Terr. Gabon Gambia Georgia Germany Ghana Gibraltar United Kingdom Greece Greenland Grenada Guadeloupe Guam Guatemala Guinea Guinea-Bissau Guyana Haiti Heard/McDonald Isls. Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jordan Kazakhstan Kenya Kiribati Korea (North) Korea (South) Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar N. Mariana Isls. Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Norway Oman Pakistan Palau Palestinian Territory, Occupied Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion Romania Russian Federation Rwanda Saint Kitts and Nevis Saint Lucia Samoa San Marino Sao Tome/Principe Saudi Arabia Senegal Serbia and Montenegro Seychelles Sierra Leone Singapore Slovak Republic Slovenia Solomon Islands Somalia South Africa Spain Sri Lanka St. Helena St. Pierre and Miquelon St. Vincent and Grenadines Sudan Suriname Svalbard/Jan Mayen Isls. Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks/Caicos Isls. Tuvalu Uganda Ukraine United Arab Emirates United States US Minor Outlying Is. Uruguay Uzbekistan Vanuatu Vatican City Venezuela Viet Nam Virgin Islands (British) Virgin Islands (U.S.) Wallis/Futuna Isls. Western Sahara Yemen Zambia Zimbabwe

State/Location * Please Select... Alaska Alabama Arkansas American Samoa Arizona California Colorado Connecticut D.C. Delaware Florida Micronesia Georgia Guam Hawaii Iowa Idaho Illinois Indiana Kansas Kentucky Louisiana Massachusetts Maryland Maine Marshall Islands Michigan Minnesota Missouri Marianas Mississippi Montana North Carolina North Dakota Nebraska New Hampshire New Jersey New Mexico Nevada New York Ohio Oklahoma Oregon Pennsylvania Puerto Rico Palau Rhode Island South Carolina South Dakota Tennessee Texas Utah Virginia Virgin Islands Vermont Washington Wisconsin West Virginia Wyoming -- Other Locations -- Military Americas Military Europe/ME/Canada Military Pacific Alberta Manitoba British Columbia New Brunswick Newfoundland and Labrador Nova Scotia Northwest Territories Nunavut Ontario Prince Edward Island Quebec Saskatchewan Yukon Territory Other

Comments/How can we help?

Subscribe to Change Healthcare Communications

Web Analytics

We appreciate your interest in Change Healthcare. A member of our team will contact you to better understand your needs and discuss potential solutions.

Together, we are accelerating the journey toward improved lives and healthier communities.

We couldn’t find any results matching your search.

Please try using other words for your search or explore other sections of the website for relevant information.

We’re sorry, we are currently experiencing some issues, please try again later.

Our team is working diligently to resolve the issue. Thank you for your patience and understanding.

News & Insights

The April 2024 Dashboard: Our Three Layers of Risk Management

April 02, 2024 — 11:50 am EDT

Written by [email protected] (ETF Trends) for ETF Trends  ->

Our Cash Indicator methodology acts as a plan in case of an emergency. This is analogous to the multiple safety systems in a modern automobile, which includes an airbag. Importantly, each of these systems work together to potentially help smooth the ride.

We manage risk within our strategic, long-term allocations based on diversification across equity, fixed income, and alternative assets and a focus on more attractive relative values.

[wce_code id=192]

We manage risk tactically over the short-term by investing across a broad array of themes and asset classes including cash. We can either invest opportunistically or defensively depending on the environment.

Cash Indicator: Markets are functioning properly, but we expect continued volatility.

Our proprietary Cash Indicator (CI) provides insight into the health of the market by monitoring the level of fear using equity and fixed income indicators. This warning system is designed to signal us to either a 25% or 50% cash position to potentially protect principle and provide liquidity to reinvest at lower and more attractive valuations.

The CI level has elevated somewhat recently but remains near historic lows. This low level suggests financial market complacency and that markets may be susceptible to a shock. However, the positive fundamental backdrop makes equity market declines a buying opportunity.

Strategic View: Fixed income valuations remain attractive, as do value and dividend-oriented equities.

Equity Valuations: The recent market rally has pushed valuations broadly higher and extremely high for the narrow group of equities that led last year’s rally. On a risk-reward basis, other areas of the global equity market look quite attractive, especially the value style and dividends.

Equity Favorability: Recent broader U.S. equity market participation is a healthy sign. We expect this broadening to continue along with U.S. economic growth. We remain overweight U.S. equities relative to foreign, especially favoring the value style and dividend payers.

Fixed Income Valuations: At current interest rates, high quality fixed income looks very attractive while high yield is less attractive on a risk-reward basis.

Fixed Income Favorability: We have combined intermediate-term with short-term holdings to lock in higher interest rates. If short-term interest rates fall in the coming months as we expect, the income generated by intermediate holdings will remain stable even as these bond prices appreciate. In addition, the commercial mortgage back space offers compelling yields outside of office space and retail.

Tactical View: We favor defensive value, momentum equity, and investment grade fixed income.

Preliminary data suggests that U.S. economic growth has continued its solid run from the second half of 2023 into 2024. Persistent economic growth, falling inflation, and continued innovation have provided tailwinds to U.S. corporate earnings momentum. We expect these trends will lead to a broadening of corporate earnings growth to more sectors including industrials and health care, among others. To benefit from these trends, we recently increased our allocation to a U.S. momentum equity ETF as well as a core large cap U.S. equity ETF that seeks to enhance returns through an equity options overlay process depending on the Strategy. To balance the Strategies’ risk profiles, we also increased our positions in short-term Treasury ETFs in most of our Strategies.

* areas that we are tactically emphasizing

Global Broad Outlook: We remain cautious about the European market, but cautiously optimistic about most others.

For more news, information, and analysis, visit the ETF Strategist Channel .

DISCLOSURES

Any forecasts, figures, opinions or investment techniques and strategies explained are Stringer Asset Management, LLC’s as of the date of publication. They are considered to be accurate at the time of writing, but no warranty of accuracy is given and no liability in respect to error or omission is accepted. They are subject to change without reference or notification. The views contained herein are not be taken as an advice or a recommendation to buy or sell any investment and the material should not be relied upon as containing sufficient information to support an investment decision. It should be noted that the value of investments and the income from them may fluctuate in accordance with market conditions and taxation agreements and investors may not get back the full amount invested.

Past performance and yield may not be a reliable guide to future performance. Current performance may be higher or lower than the performance quoted.

Data is provided by various sources and prepared by Stringer Asset Management, LLC and has not been verified or audited by an independent accountant.

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.

More Related Articles

This data feed is not available at this time.

Sign up for the TradeTalks newsletter to receive your weekly dose of trading news, trends and education. Delivered Wednesdays.

To add symbols:

• Type a symbol or company name. When the symbol you want to add appears, add it to My Quotes by selecting it and pressing Enter/Return.
• Copy and paste multiple symbols separated by spaces.

These symbols will be available throughout the site during your session.

Your symbols have been updated

Edit watchlist.

• Type a symbol or company name. When the symbol you want to add appears, add it to Watchlist by selecting it and pressing Enter/Return.

Opt in to Smart Portfolio

Smart Portfolio is supported by our partner TipRanks. By connecting my portfolio to TipRanks Smart Portfolio I agree to their Terms of Use .

U.S. Department of the Treasury

U.s. department of the treasury releases report on managing artificial intelligence-specific cybersecurity risks in the financial sector.

WASHINGTON – Today, the U.S. Department of the Treasury released a report on  Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector. The report was written at the direction of Presidential Executive Order 14110 on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) led the development of the report. OCCIP executes the Treasury Department’s Sector Risk Management Agency responsibilities for the financial services sector.

“Artificial intelligence is redefining cybersecurity and fraud in the financial services sector, and the Biden Administration is committed to working with financial institutions to utilize emerging technologies while safeguarding against threats to operational resiliency and financial stability,” said Under Secretary for Domestic Finance Nellie Liang. “Treasury’s AI report builds on our successful public-private partnership for secure cloud adoption and lays out a clear vision for how financial institutions can safely map out their business lines and disrupt rapidly evolving AI-driven fraud.”

In the report, Treasury identifies significant opportunities and challenges that AI presents to the security and resiliency of the financial services sector. The report outlines a series of next steps to address immediate AI-related operational risk, cybersecurity, and fraud challenges: 

• Addressing the growing capability gap. There is a widening gap between large and small financial institutions when it comes to in-house AI systems. Large institutions are developing their own AI systems, while smaller institutions may be unable to do so because they lack the internal data resources required to train large models. Additionally, financial institutions that have already migrated to the cloud may have an advantage when it comes to leveraging AI systems in a safe and secure manner.
• Narrowing the fraud data divide.  As more firms deploy AI, a gap exists in the data available to financial institutions for training models. This gap is significant in the area of fraud prevention, where there is insufficient data sharing among firms. As financial institutions work with their internal data to develop these models, large institutions hold a significant advantage because they have far more historical data. Smaller institutions generally lack sufficient internal data and expertise to build their own anti-fraud AI models.
• Regulatory coordination.  Financial institutions and regulators are collaborating on how best to resolve oversight concerns together in a rapidly changing AI environment. However, there are concerns about regulatory fragmentation, as different financial-sector regulators at the state and federal levels, and internationally, consider regulations for AI.
• Expanding the NIST AI Risk Management Framework.  The National Institute of Standards and Technology (NIST) AI Risk Management Framework could be expanded and tailored to include more applicable content on AI governance and risk management related to the financial services sector.
• Best practices for data supply chain mapping and “nutrition labels.”  Rapid advancements in generative AI have exposed the importance of carefully monitoring data supply chains to ensure that models are using accurate and reliable data, and that privacy and safety are considered. In addition, financial institutions should know where their data is and how it is being used. The financial sector would benefit from the development of best practices for data supply chain mapping. Additionally, the sector would benefit from a standardized description, similar to the food “nutrition label,” for vendor-provided AI systems and data providers. These “nutrition labels” would clearly identify what data was used to train the model, where the data originated, and how any data submitted to the model is being used.
• Explainability for black box AI solutions.  Explainability of advanced machine learning models, particularly generative AI, continues to be a challenge for many financial institutions. The sector would benefit from additional research and development on explainability solutions for black-box systems like generative AI, considering the data used to train the models and the outputs and robust testing and auditing of these models. In the absence of these solutions, the financial sector should adopt best practices for using generative AI systems that lack explainability.
• Gaps in human capital.  The rapid pace of AI development has exposed a substantial AI workforce talent gap for those skilled in both creating and maintaining AI models and AI users. A set of best practices for less-skilled practitioners on how to use AI systems safely would help manage this talent gap. In addition, a technical competency gap exists in teams managing AI risks, such as in legal and compliance fields. Role-specific AI training for employees outside of information technology can help educate these critical teams.
• A need for a common AI lexicon.  There is a lack of consistency across the sector in defining what “artificial intelligence” is. Financial institutions, regulators, and consumers would all benefit greatly from a common AI-specific lexicon.
• Untangling digital identity solutions.  Robust digital identity solutions can help financial institutions combat fraud and strengthen cybersecurity. However, these solutions differ in their technology, governance, and security, and offer varying levels of assurance. An emerging set of international, industry, and national digital identity technical standards is underway.
• International coordination.  The path forward for regulation of AI in financial services remains an open question internationally. Treasury will continue to engage with foreign counterparts on the risks and benefits of AI in financial services.

As part of Treasury’s research for this report, Treasury conducted in-depth interviews with 42 financial services sector and technology related companies. Financial firms of all sizes, from global systemically important financial institutions to local banks and credit unions, provided input on how AI is used within their organizations. Additional stakeholders included major technology companies and data providers, financial sector trade associations, cybersecurity and anti-fraud service providers, and regulatory agencies. Treasury’s report provides an extensive overview of current AI use cases for cybersecurity and fraud prevention, as well as best practices and recommendations for AI use and adoption. The report does not impose any requirements and does not endorse or discourage the use of AI within the financial sector. 

In the coming months, Treasury will work with the private sector, other federal agencies, federal and state financial sector regulators, and international partners on key initiatives to address the challenges surrounding AI in the financial sector. While this report focuses on operational risk, cybersecurity, and fraud issues, Treasury will continue to examine a range of AI-related matters, including the impact of AI on consumers and marginalized communities.

Read Treasury’s AI Report here.