This document summarizes the results of a May 2019 study on risk-managing change. It identifies three archetypes (content, concerned, active) in how institutions approach this issue. While most see change as an increasing risk, there is no consensus on how to address it. The study found concerns about the volume of change, lack of visibility, need to prioritize, and desire for an aggregate view of risk. Risk's role is seen as helping the business grow safely. The document provides a checklist for institutions to reference when managing change risks.
2. Risk-Managing Change
• Risk-managing change is a priority for most institutions and change is
seen as an increasing risk
• It is also seen as a fact of life, with several CROs going out of their
way to mention “the risk of not changing”
• There is no clear consensus on how to move forward;
we identified three architypes (content, concerned, active), and a
bias toward doing more
• We expected the principal challenge to be around velocity
• We heard much more about the volume of change, lack of good
visibility (potential for gaps), the need to prioritise and the search
for an aggregate view
• A common opinion is that risk’s role is to “help the business
grow safely”
• Our view (ORX/McKinsey) is that risk-managing change is an
emerging trend and presents a value opportunity for risk management
3. Archetypes
Commercial in Confidence
Content
Focus on delivery risks
Rely on traditional
change management
Content with
project view
Concerned
Focus on delivery and
delivered risks
Want to leverage
traditional change
management and
existing OR tools
Want an aggregate view
Active
Focus on
delivered risks
Developing new
OR tools
Want an aggregate view
25% 50% 25%
4. Checklist for Change
Scope of change:
Change risk is often defined by the scope of existing process and
those process often focus on the big stuff. This might be
comprehensive but maybe “Mind the gaps”.
Focus on risk:
Change risk often means time, budget and scope. If this isn’t the
focus you want then you need to state a positive focus.
We would propose delivered risk is a good place to start.
Build on what you have:
Most organisations have a good established change process. It
seems sensible to leverage the information produced on delivery
risk and potential information of delivered risk.
Get in early:
The current dialogue often seems to be, “We’ve decided to change,
what are the risks?” Should it be, “What are the risks if we change?”
1
2
3
4
5. Checklist for change
Use Risk Champions:
There is a strong positive case for Risk Champions,
especially where the project is moving fast. This is an unusual
case of good feedback from the business and from risk.
Delivery environment:
The information exists to identify high risk delivery being
delivered into a high-risk environments. Are you leveraging
this information?
Aggregate capacity:
Are you laying the foundations (standards) for an aggregate
assessment and allocation of the capacity for change?
Is change capacity a resource to be managed?
Learning from outcomes:
Review the delivered impact relative to your assessment.
Are you learning from the difference?
5
6
7
8
6. Concluding thoughts
• Overall, we are confident that this is an emerging
trend and an area where we expect firms to
build better practice
• To us (ORX/McKinsey) it presents an unusual
opportunity for operational risk to:
be proactive
make a difference
manage the future risk profile
• Risk-managing change would seem to be a strategic
priority and the capacity for change to be a
scarce resource to be managed well