Risk-managing change checklist
- 4 June 2020
As part of our study on how operational risk can facilitate and enable organisations to change and keep pace with a constantly-evolving operating environment, we worked with Chief Risk Officers (CRO) to identify the key questions that operational teams should ask themselves to help them address change-risk management.
While this isn't a comprehensive list of things you must do, it's a very useful list of topics that you can think about and is a great starting point.
8 questions to ask yourself to see if you and your team are ready to support your organisation's change
1. Change scope
Is it clear to your teams what change risk is and when to flag concerns?
Everyone needs a clear understanding of change-risk priorities, so they know what risks to look for and flag. The key delivered risks of concern may be, for example, reputation or information security.
2. Focus on risk
Are there gaps in your existing processes through which risk can fall?
If the scope of change risk is defined by aggregating the output of existing change processes, it’s useful to think about what might be falling through the gaps between processes.
3. Get in there early
Is risk proactive or reactive in risk-managing change?
Consider whether risk currently gets involved early enough, before the decision to change has been made, and whether it has a mandate to make a difference.
4. Use risk champions
Is the risk champion model worth considering?
This is a model for how risk partners with the business, providing a single point of contact that can triage risks and make decisions at speed.
5. Build on what you have
How can you best use what you've got?
There is likely no need to create a new risk silo. Existing tools and approaches are probably perfectly acceptable, but they might need tailoring to this new change-led environment.
6. Consider the delivery environment
Is the business ready to receive the change?
Using existing assessments, consider whether a change is going to be delivered into a high- or low-resilience environment.
7. Aggregate capacity
Are you able to aggregate risk to understand your capacity for change?
Understanding the organisation's capacity for change means aggregating the change-risk portfolio (how much change is too much?). It is more important to be effective than to be precise.
8. Learn from outcomes
Are outcomes in line with your risk assessments and, if not, why?
Examining what happened in previous change-risk situations focusing on delivered risks. Introducing a change-risk angle to incident reviews and post-mortem analyses.