Managing Change and Transformation Risk

An estimated 17% of business incidents are connected to poorly executed technology change, reported the FCA in 2019.

Managing change and transformation risk is critical for any firm and there is material room for improvement. The UK regulator, and many others, have taken notice and have also decided to take action – the outage at TSB in April 2018 being a key trigger to accelerate on building operational resilience regulation in the UK and beyond (see my article on Building Operational Resilience)

This article is an introduction to change risk management. It will be followed by a series of articles covering different approaches to sustainable and resilient change risk strategy and delivery.

Some Common Pitfalls in Managing Change and Transformation Risk

In its 2019 paper, the FCA identified a number of practices that contributed to failed delivery of technology change, including (extract from the paper)

1. Most firms do not have complete visibility of third-party changes

2. Firms’ change management processes are heavily reliant on manual review and actions

3. Legacy technology impacts firms’ ability to implement new technologies and innovative approaches

4. Major changes were twice as likely to result in an incident when compared with standard changes

More broadly, change is inherently about people. And as a result, it is highly dependent on the culture of the firm and the way it enables its people to be change agent. Research shows that 70% of complex, large-scale change programs don’t reach their stated goals. This figure goes up to 85% for digital transformation.

Common pitfalls – beyond the above findings – include a lack of employee engagement, inadequate management support, poor or non-existent cross-functional collaboration, and a lack of accountability. Furthermore, sustaining a transformation’s impact typically requires a major reset in mind-sets and behaviours—something that few leaders know how to achieve.

This results in a decrease in trust and morale from the workforce, a frustrated top management team, and back and forth to the drawing board to start the change process again.

Finally, and not the least in my experience, change in leadership can create an existential problem to management of change and exacerbate the above.

It Starts with a Clear Change Strategy

I believe it is necessary to overlay very clear structure and objectives to a firm portfolio of change. This is the fundamental starting point of any effective change risk management. Depending on the nature of change, the requirements regarding the set up and execution will vary. With that, figure 1 below provides an example of portfolio structure.

Figure 1. Change portfolio structure

A clear strategy is the starting point to align the firm’s resources and activities to common goals and vision. With strategy also comes the need to adapt the organisation by building or acquiring new capabilities and / or addressing existing pain points. It can also be about preserving the firm’s license to operate. Lack of strategy can lead to a very large array of change initiatives which deliver on tactical needs, with sometimes, diverging if not opposing objectives.

From an oversight and strategic standpoint, it is almost impossible to assess the merits of any change initiative without such clarity of direction. I have seen firms allocating less than 10% of their resources to their strategic roadmap; assuming they achieved what they wanted, none of the solutions delivered to get there were sustainable. This equated to significant resource waste and additional risks.

Ambitious and bold business strategy must usually be met with a paradigm shift in capabilities and structure. Transformational change is a process designed to create such significant change in culture and work processes, to produce significant improvement in performance. Long-term structural transformation has four characteristics:

• scale (the change affects all or most of the organization);

• magnitude (it involves significant alterations of the status quo);

• duration (it lasts for months, if not years); and

• strategic importance.

Yet companies will reap the rewards only when change occurs at the level of the individual employee. And with that come the common pitfalls I mentioned earlier.

Growth can be about the development of new products, reaching out to new markets and/or clients. In that context, it might also be necessary to build some track record on new products, like in asset management (ie. the change initiative might go much beyond “go-live”). In my experience, a lot of firms dedicate a lot of resources to this bucket, which depending on where the firm is on its journey, might be completely right or might be a material problem. For example, having a lot of long dated revenue generation bets can be a drain on the firm’s bottom line – immediate costs and potential revenues a few years down the line – and can divert management’s attention from sorting out more pressing issues.

Scalability and simplification - for example, risk event simplification case study - taken together are one of the biggest issues in the finance industry and are intrinsically linked to operational resilience weaknesses. These types of initiatives are usually complex and difficult to run, and “unsexy”, but can prove vital for a firm to build scalability and contain its cost base.

Any company working in a regulated industry must adhere and respond to regulatory expectations and requirements. This can be also very complex especially for multinational firms.

Then, technology change can happen at various degrees of complexity and impact. This area is covered at length in the above mentioned FCA paper. The FCA also identified a number of practices that contribute to successful delivery of technology change, including (extract from the paper)

1. Firms with well-established governance arrangements have a higher change success rate

2. Relying on high levels of legacy technology is linked to more failed and emergency changes

3. Firms that allocated a higher proportion of their technology budget to change experienced fewer change related incidents

4. Frequent releases and agile delivery can help firms to reduce the likelihood and impact of change related incidents

5. Effective risk management is an important component of effective change

Finally, Business-As-Usual change, which is more or less people making small incremental changes to their environment, is never accounted for, but represents the biggest (and usually unmanaged) chunk of change activities.

Each of these components require different risk and control frameworks to be effective.

What’s Next?

Over the years, I have used this portfolio structure as a basis to challenge participants in training courses and industry events I have attended – I asked them a simple question:

And invariably, less than 50% of the participants responded positively.

I learnt that top-down alignment was critical for resilient and sustainable change design and execution. Without common goals, each initiative might be ok in its own right, but the sum of the parts does not yield what the firm needs. In some situations, one initiative could undo what another one was trying to address.

So, effective change risk management requires vision and clear decision-making process to align the firm resources and activities to common goals. This enables effective strategic challenge of the firm’s change portfolio and resource allocation, as well as ensures strategic alignment of the risk a firm takes. This is the best chance a firm has to meet its vision!