
Change Management Risk Assessment Framework: A Step-by-Step Guide for Strategic Execution

  • Writer: Julien Haye
  • Feb 13, 2023
  • 19 min read

Updated: Jul 13


Change is necessary for growth, but poorly executed change introduces risk and, often, real harm. According to the UK Financial Conduct Authority (FCA), an estimated 17% of business incidents are linked to technology change failures. The FCA’s 2019 findings are clear: organisations are not only underprepared, but also underestimate the complexity and risk embedded in their change portfolios.


The 2018 TSB outage was a watershed moment. It triggered significant scrutiny from regulators and catalysed the development of the UK’s Operational Resilience regime, which now requires firms to consider the broader impact of change on important business services. But the problem isn’t confined to technology. From process reengineering and operating model shifts to regulatory compliance and business transformation, change risk touches every part of the enterprise.


Yet in many firms, change risk management remains fragmented. It is treated as a delivery checklist, and often perceived as red tape, rather than a strategic enabler or resilience safeguard. Risk assessments are often retrospective, disconnected from strategy, or overly focused on tactical project issues. As a result, early warning signals are missed, resources are misaligned, and leadership is left without a clear line of sight into the true cost and consequences of change.


This article offers a comprehensive introduction to change management risk, why it matters, and how it links to broader governance and operational resilience frameworks. It also outlines a step-by-step framework for assessing and managing change risk across strategic, regulatory, and operational dimensions.

What Is Change?


Change, in the context of organisational management, refers to any adjustment that alters how a firm operates, whether through systems, structure, people, processes, or products. It can range from incremental workflow improvements to full-scale strategic transformations or regulatory-driven overhauls.


At its core, change is about transitioning from one state to another. As defined by the SHRM Foundation:

“Change management” is a structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state. It can be applied to situations such as downsizing, introducing a new internal process, or adding new technology.— SHRM Foundation, Leading Effective Change: A Primer for the HR Professional (2015)

This definition aligns closely with the view of Harvard Business School professor John P. Kotter, a leading authority on change leadership, who describes change as:

“The process by which organisations move from their present state to some desired future state to increase their effectiveness.”— John P. Kotter, Leading Change (1996)

Both perspectives highlight the same essential point: change is not just about delivery; it is about effectiveness. Whether the goal is cost optimisation, growth, compliance, or resilience, change must move the organisation meaningfully forward.


Each initiative carries risk, including the risk of failure, misalignment, inefficiency, or unintended consequences. In an environment where change is constant, the ability to manage that risk becomes a critical organisational capability.


How Can Aevitium LTD Help You? At Aevitium, we support leaders in embedding effective risk assessment into change execution. Whether you need to strengthen your framework, build alignment across teams, or apply this model to a complex change portfolio — we can help.


👉 Contact us to explore how we can support your strategy and discover more about our risk management solutions and advisory services.


What Is the Impact Of Change On An Organisation?


Change affects far more than systems or processes. It influences how people work, how decisions are made, and how the organisation delivers on its goals. When managed effectively, change can strengthen resilience, support innovation, and create alignment with strategic priorities. When poorly delivered, it often results in confusion, misaligned effort, weakened governance, and a loss of trust across teams.


The cumulative effect of change is often underestimated. Most organisations face a constant flow of initiatives—strategic, regulatory, operational—that compete for attention and resources. Without clear prioritisation and oversight, these efforts can create friction, slow execution, and dilute impact. Managing change well requires understanding where it affects people, culture, and capacity, and whether it is moving the organisation in the right direction.


What Are the Core Requirements to Manage Change Effectively?


Infographic: "7 Essentials for Effective Change" (align teams, reduce risk, and deliver impact):

  1. Clear Strategy & Alignment: link initiatives to strategic goals; avoid over-investing in tactical noise; review the full portfolio to focus on what matters.

  2. Strong Leadership & Sponsorship: sponsors must guide, model, and enable; anchor delivery through long, complex programmes.

  3. Structured Governance & Oversight: define roles, escalation paths, and decision rights; adapt governance to the type of change (e.g. regulatory, tech, BAU).

  4. Cultural Readiness & Engagement: change sticks when people are ready; build trust and support behavioural shifts; use agile only where culture supports it.

  5. Integrated Risk & Impact Assessment: start risk analysis at the strategy stage; monitor third parties, technology, compliance, and controls.

  6. Operational & Resource Capacity: review how much change the firm can absorb; avoid piling long-dated growth bets over urgent needs.

  7. Clear Communication & Feedback Loops: explain the "why," "what," and "how" of each change; embed feedback channels and adjust as needed.

If change is to deliver meaningful and lasting impact, it must be supported by a set of core capabilities. Too often, organisations focus on individual projects without building the strategic and cultural foundations required to manage change at scale. In practice, effective change management requires seven interdependent elements:


1. Clear Strategy and Alignment


Change must support a defined purpose. Each initiative should align with business goals, resolve a known issue, or support a specific strategic objective. Without this clarity, change portfolios become dense and fragmented, with teams pulling in different directions or responding to tactical needs without long-term value. I have seen organisations allocate less than 10% of their change resources to strategic priorities. While activity levels appeared high, the results were neither sustainable nor strategically aligned. A clear strategy, combined with structured portfolio oversight, allows firms to evaluate which changes matter most and whether they reinforce or contradict one another.


Beware of strategic underfunding: if only a fraction of change resources support your strategic roadmap, you may be investing heavily in tactical noise rather than long-term value - Julien Haye

2. Strong Leadership and Sponsorship


Ambitious business strategy usually requires a shift in capability, structure, or both. Leadership must do more than sign off on budgets. Sponsors should set expectations, model behaviours, and support the cultural shift needed to embed change. Without visible and consistent leadership, momentum fades and teams revert to old patterns. In transformational programmes, strong leadership becomes the anchor that keeps effort focused through long delivery cycles. In my experience, inadequate or weak sponsorship is a major source of project or programme failure.


3. Structured Governance and Oversight


Governance should enable oversight, challenge, and coordination across the entire change portfolio. This includes clarity on roles, escalation paths, and decision-making rights. Governance structures must also be able to differentiate between types of change (e.g. regulatory, technology, growth, or business-as-usual) and apply the right level of scrutiny. The FCA’s analysis found that firms with well-established governance arrangements had higher success rates in delivering change. Conversely, unmanaged or overlapping BAU activity often introduces risk below the radar, despite representing a significant portion of the actual change taking place. Below is a view of an effective change portfolio structure.


Diagram showing a best practice change portfolio structure with four overlapping circles labeled Transformation, Growth, Scalability & Simplification, and Regulatory. These categories sit beneath the overarching heading ‘Strategy.’ Below the circles, two additional layers are labeled ‘Technology Production Change’ and ‘Business As Usual Change,’ illustrating different types of change within an organisation.

4. Cultural Readiness and Engagement


Change only creates value when it reaches people. The most well-designed programmes still depend on individual employees adopting new ways of working. Long-term change requires a shift in behaviours, norms, and mindset, especially for initiatives that unfold over an extended period. Agile ways of working can support this shift by promoting collaboration, transparency, and continuous learning, but only if the culture is ready to adapt. Engaging people early, supporting their transition, and building trust are essential to embedding change and sustaining it across teams.


5. Integrated Risk and Impact Assessment


Effective change risk management starts early. Risk should be assessed during strategic planning, not just implementation. This allows firms to identify misalignments, control gaps, and regulatory implications before they escalate. Without structured oversight, even minor changes can undermine controls or introduce hidden risks. Ongoing monitoring is essential, especially for third parties, technology dependencies, and compliance.


Evidence from the FCA shows that firms that invest in change, modernise systems, and adopt agile practices experience fewer incidents. A dedicated risk assessment framework is key to embedding this discipline. The next section introduces a step-by-step approach to help you put this into action.


For a detailed exploration of inherent risk and how to address it, see the article Managing Inherent Risk: A Comprehensive Guide.


6. Operational and Resource Capacity


Effective delivery requires capacity, not just intent. Stretching teams too thin, layering complex initiatives without coordination, or relying on overstretched capabilities creates execution risk. In some cases, I have seen organisations invest heavily in long-dated growth programmes, diverting attention and resources from more immediate operational weaknesses. Change portfolios must be reviewed holistically to assess whether the business can absorb what is planned, both in terms of financial cost and internal bandwidth.


7. Clear Communication and Feedback Loops


Successful change is underpinned by consistent and targeted communication. People need to understand the rationale behind change, what is expected of them, and how success will be measured. Communication strategies should not be one-off announcements. They should be iterative, transparent, and backed by clear feedback loops that allow for adaptation, escalation, and course correction as needed. This is especially important in multi-year transformations where fatigue, shifting priorities, or resistance can emerge over time.


Why Does Change Management Fail?


Despite significant investment and effort, many change initiatives fail to deliver their intended outcomes. Research from McKinsey & Company found that 70 percent of complex, large-scale change programmes fall short of their goals (McKinsey, 2015). The failure rate rises even higher for digital transformation efforts, reaching up to 85 percent. Similarly, Harvard Business Review has highlighted that approximately 70 percent of change efforts break down, often due to weak engagement and lack of behavioural alignment (Beer & Nohria, 2000).


In practice, failure rarely stems from poor intent. It is more often the result of gaps in alignment, execution, and oversight.


One of the most consistent issues is a lack of strategic clarity. When change initiatives are not linked to clear business priorities, portfolios become fragmented. Resources are directed toward tactical needs without long-term value, and competing programmes risk working at cross purposes. As mentioned earlier, some organisations allocate less than 10 percent of their change budget to strategic initiatives, only to realise that while activity is high, the overall strategic and operational enablement is low.


Leadership sponsorship is another common weakness. Change needs visible, ongoing support from senior leaders, not just at the point of approval but throughout design, execution, and embedding. When that sponsorship fades or becomes inconsistent, teams are left with uncertainty, conflicting priorities, and reduced accountability.


Cultural factors are often underestimated. Change management is ultimately about people, yet many organisations struggle to engage their workforce or create the conditions for behavioural change. Low levels of trust, psychological safety, or engagement can slow down delivery and prevent change from being sustained. Change becomes something that happens to people, rather than something they help shape.


For a deeper exploration of how psychological safety shapes risk governance, challenge, and decision-making, see The Risk Within. The book provides a roadmap for embedding psychological safety into risk management. It identifies critical touch points across the risk lifecycle and offers clear actions to align leadership, culture, and governance, and is designed to help risk functions integrate more deeply into the business and strengthen decision-making at every level.

In its 2019 paper, the FCA identified a number of findings associated with failed delivery of technology change, including (extract from the paper):

  1. Most firms do not have complete visibility of third-party changes

  2. Firms’ change management processes are heavily reliant on manual review and actions

  3. Legacy technology impacts firms’ ability to implement new technologies and innovative approaches

  4. Major changes were twice as likely to result in an incident when compared with standard changes


These findings are not limited to technology. They reflect broader issues in change governance and risk identification that apply across transformation programmes.


Other common failure points include:

  • Poor cross-functional collaboration, leading to siloed delivery,

  • Inadequate risk assessment early in the process, particularly around regulatory or control impacts,

  • A lack of accountability for outcomes, especially where responsibilities are split across teams, and

  • The compounding effect of unmanaged business-as-usual change that quietly adds pressure to already stretched teams.


Leadership transitions can also derail change. A shift in strategic direction or sponsorship partway through a programme can undermine momentum, reduce buy-in, and send mixed signals about what matters.


Understanding why change fails is not about blame. It is about identifying where organisations fall short in connecting strategy, risk, people, and delivery. In the next section, I will introduce a practical, step-by-step framework to help teams assess change risk consistently, challenge assumptions early, and strengthen alignment across the portfolio.


What Is Change Management Risk Assessment?


Change management risk assessment is the structured process of identifying, analysing, and challenging the potential risks, impacts, and interdependencies of change initiatives. It is not a compliance exercise or a one-off checklist. It is a critical tool for aligning change with strategy, anticipating unintended consequences, and ensuring that the organisation is prepared to absorb and sustain the impact of transformation.


Effective change risk assessment begins upstream, during the strategic planning process. It helps decision-makers understand the full implications of a proposed initiative, including the inherent risks it introduces, the control adjustments it requires, and the capacity constraints it may expose. This is particularly important when firms are running multiple initiatives in parallel, each with different levels of risk appetite, urgency, and regulatory expectation.


Many organisations still treat risk assessment as a formality at project approval or during implementation. This approach misses the opportunity to challenge assumptions, surface conflicts across the change portfolio, and design more resilient delivery plans. A reactive posture leads to firefighting and late-stage escalation. A strategic approach enables better decisions, clearer accountability, and more effective prioritisation.


Change risk assessment also plays a key role in regulatory compliance and board oversight. Increasingly, regulators expect firms to demonstrate that they understand not just what they are changing, but how that change affects operational resilience, conduct, third-party dependencies, and customer outcomes. Without a structured framework, this level of visibility is difficult to achieve.


In the next section, I introduce a practical, step-by-step framework for assessing change risk. It is designed to help organisations move beyond ad hoc reviews and toward a more consistent, forward-looking approach to identifying and managing the risks that matter most.


How Change Risk Assessment Supports Operational Resilience


In the UK, operational resilience is a regulatory expectation. The FCA, PRA, and Bank of England require firms to ensure they can continue to deliver important business services during severe but plausible disruptions. Change is a key part of that equation. A single transformation, technology upgrade, or outsourcing decision can push a firm outside its impact tolerances if not carefully assessed and managed.


This is where change management risk assessment becomes essential.


Integrating Resilience into Change


Regulators have been explicit: firms must be able to identify and assess how proposed changes could affect their ability to remain within impact tolerances. As outlined in PRA SS1/21 and FCA PS21/3, this includes understanding how change might alter service delivery chains, introduce new third-party dependencies, or degrade the effectiveness of existing controls.


A forward-looking risk assessment helps firms do this by:

  • Challenging whether the change introduces new resilience vulnerabilities

  • Highlighting changes that affect identified important business services

  • Testing whether the change has been designed with adequate fallback plans and mitigations


Without this integration, resilience becomes reactive. The organisation only discovers issues when they emerge under pressure.


Strengthening Scenario Testing and Mapping


Scenario testing is a core pillar of the UK’s operational resilience framework. Change-related risks—such as cloud migration, systems integration, or restructuring—should be reflected in test scenarios. A structured change risk assessment helps identify which changes are most likely to impact resilience, and informs scenario selection, impact modelling, and response design.


It also supports better mapping by uncovering where service delivery is affected by upcoming or ongoing initiatives. This is especially important when multiple programmes intersect with the same service or dependency.


Enhancing Board Oversight


Regulators expect boards and senior leaders to have clear sight of how change affects resilience. This includes evidence that risks have been considered early, mitigated appropriately, and monitored throughout delivery. Change risk assessments provide the visibility and structure needed to support this oversight and enable more informed challenge and decision-making.


Avoiding Fragmentation


In many organisations, change and resilience are treated as separate workstreams. Risk teams review project risks, while resilience teams focus on service delivery and impact tolerances. But resilience cannot be retrofitted once change is underway. Change risk assessment acts as a connecting discipline. It ensures that resilience is embedded into change planning, not added as an afterthought.


Step-by-Step Change Risk Assessment Framework


Infographic: "Step-by-Step Change Risk Assessment Framework" (align strategy, manage exposure, and enable delivery). It presents eight sequential steps for assessing change risk:

  1. Set the Strategic Context: map the change across the portfolio, clarify purpose, and align with strategy.

  2. Scope and Tier the Risk: assess impact, classify risk level, and match review depth.

  3. Assess Inherent Risk: identify delivery, outcome, control, and compliance risks; evaluate trade-offs.

  4. Link to Risk Strategy: align with risk appetite, set escalation thresholds, and involve leadership.

  5. Map Dependencies & Readiness: identify people, tech, and third-party dependencies; check control readiness.

  6. Evaluate Capacity & Culture: assess delivery bandwidth and consider pace, trust, and culture.

  7. Apply Challenge & Set Conditions: include second-line review and define approval conditions.

  8. Monitor, Learn & Adapt: track shifts, learn from delivery, and embed improvement.

A consistent and forward-looking change risk assessment framework helps organisations align strategy, execution, and resilience. It enables leaders to challenge assumptions, prioritise resources, and manage risks that may otherwise go unnoticed until delivery is underway or worse, until something breaks.


Below is a step-by-step approach I’ve used across large-scale transformation programmes and governance reviews. It is designed to be flexible enough to apply across different types of change, while ensuring rigour where it matters most.


1. Set the Strategic Context


Review the Change Portfolio and Strategic Fit


  • What initiatives are underway or planned?

  • Where does this change fit in the broader strategic and operational roadmap?

  • Are there overlaps, conflicts, or saturation risks?

  • Does it align with strategic and resilience priorities?


Not all change is, or should be, growth-oriented. Initiatives focused on simplification, automation, or incident reduction often have the highest ROI on resilience. - Julien Haye

Clarify the Purpose and Risk Drivers


  • What is driving this change—regulation, customer outcomes, growth, efficiency?

  • What specific risks is it introducing, addressing, or shifting?


📌 Why it matters: Without strategic context and clarity of intent, risk assessments lack purpose and perspective. Oversight must begin with visibility and intent. For instance, many firms dedicate a large share of their change resources to the growth bucket. Depending on where the firm is on its journey, that may be entirely right or it may be a material problem: a portfolio of long-dated revenue bets carries immediate costs against potential revenues several years out, and can divert management’s attention from sorting out more pressing issues.


2. Scope and Tier the Risk


Initial Impact Assessment and Tiering


  • How might this change affect key strategic and operational levers?

  • Does it involve or affect important business services under operational resilience requirements?

  • What functions, systems, locations, customers, or third parties could be impacted?

  • Could it introduce reputational, regulatory, or cross-jurisdictional exposure?


This early assessment is used to determine the appropriate depth of review. For low-risk changes, a light-touch process may be sufficient. For high-impact initiatives, a more comprehensive risk assessment is triggered. This approach ensures that resources are focused where they are most needed, in line with the risk profile of the project.


It is not possible to speak about impact without drawing on the distinction between change and transformation. Ambitious and bold business strategy must usually be met with a paradigm shift in capabilities and structure.


Transformational change is a process designed to alter culture and work processes significantly enough to produce a step change in performance. Long-term structural transformation has four characteristics:

  • scale (the change affects all or most of the organisation);

  • magnitude (it involves significant alterations of the status quo);

  • duration (it lasts for months, if not years); and

  • strategic importance.


Tiering the Change


  • Low-Risk Changes – minor updates with minimal business impact. A checklist and team-level sign-off may suffice.

  • Medium-Risk Changes – those affecting customers, systems, or controls. These require documented reviews, stakeholder input, and limited assurance.

  • High-Risk or Strategic Changes – large-scale transformations or regulatory programmes. These trigger full assessments, governance scrutiny, and assurance testing.


📌 Why it matters: Early scoping ensures proportionality and prevents wasted effort on low-risk initiatives or underestimating complex ones.


3. Assess Inherent Risk


  • What is the baseline risk before any controls or mitigations?

  • How significant would the impact be if the change failed outright?

  • What is the level of novelty, complexity, urgency, or external scrutiny?

  • Are there trade-offs between long-term growth bets and short-term operational needs? For example, does the change tie up resources in future revenue opportunities while more urgent or foundational issues remain unaddressed?


A robust change risk assessment must distinguish between different dimensions of risk. Before diving into analysis, clarify the categories to be reviewed:


  • Delivery and Execution Risks – project delays, budget overruns, resource gaps, technical feasibility, and implementation quality.

  • Outcome and Strategic Risks – the impact of the change on the business model, operations, customer outcomes, and long-term strategy.

  • Control Environment Risks – unintended weakening or duplication of controls, creation of new gaps, or misalignment with existing policies.

  • Regulatory and Compliance Impact – changes to obligations, licensing, consumer duty, data protection, financial crime risk, etc.

  • Risk Profile Implications – how the change alters existing risk appetite metrics, capital allocation, or key risk indicators (KRIs).


📌 Why it matters: Defining what you’re assessing ensures structure and relevance across stakeholders.


Linking Back to Risk Strategy


Each change initiative should also be assessed in the context of the organisation’s overall risk appetite and strategic risk profile. High-impact programmes, particularly those affecting critical business services or customer outcomes, may require formal alignment with enterprise risk limits, clear escalation triggers, and defined risk ownership across the three lines.

Where initiatives push the boundaries of risk appetite or tolerance, executive-level engagement and governance forums should be activated early to support proactive decisions. This ensures that change remains an enabler, not a blind spot, in the firm's long-term strategy.


👉 Read our Risk Strategy Tutorial to dive deeper into building effective risk frameworks, aligning change with organisational goals, and strengthening strategic oversight.


4. Map Dependencies and Readiness


Interdependencies and Change Saturation


  • What systems, processes, and people are affected?

  • Are other changes happening in parallel that could compound delivery risk?

  • Does the change introduce or modify any third-party arrangements?


Delivery and Control Readiness


  • Are mitigation controls well designed, tested, and monitored?

  • Will they hold both under stress and in business-as-usual operation?

  • Does the organisation have the capacity, leadership, and cultural readiness to support delivery?


📌 Why it matters: Many initiatives fail not from flawed design, but from overstretched resources or unacknowledged fatigue.
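The tiering criteria in Step 2 and the saturation questions in Step 4 can be made mechanical enough to run over a change register, which is how a practitioner would gate pipeline or CAB approvals on them. The following is an added illustration, not Aevitium's tooling or a regulatory standard: the change attributes, the tier rules and the "more than two in-flight changes on the same system" saturation threshold are assumptions chosen to mirror the article's criteria, and the portfolio is constructed sample data.

```python
"""Tier a change proportionately, then raise the tier where parallel
changes compound exposure on the same system or service.

Added example. Field names, tier rules, REVIEW requirements and the
saturation threshold are assumptions mirroring the article's criteria,
not a standard or the author's own tooling.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Change:
    ref: str
    title: str
    affects_ibs: bool          # touches an important business service (op-res regime)
    customer_facing: bool
    modifies_controls: bool    # weakens, duplicates or replaces an existing control
    new_third_party: bool      # introduces or modifies a third-party arrangement
    jurisdictions: int         # number of jurisdictions whose rules apply
    regulatory_driver: bool    # regulatory programme or obligation change
    systems: set[str] = field(default_factory=set)  # systems/services touched
    major: bool = False        # major vs standard change (FCA classification)


# Review depth per tier, following the article's tiering section.
REVIEW = {
    "low": ["checklist", "team-level sign-off"],
    "medium": ["documented review", "stakeholder input", "limited assurance"],
    "high": ["full risk assessment", "governance scrutiny",
             "assurance testing", "second-line challenge"],
}
ORDER = ["low", "medium", "high"]


def tier(c: Change) -> str:
    """Step 2: map the scoping questions to a tier (assumed rules).
    High  - important business service, regulatory programme,
            cross-jurisdictional exposure, or a major change touching controls.
    Medium - customer, system or control impact, or a new third party.
    Low   - everything else."""
    if (c.affects_ibs or c.regulatory_driver or c.jurisdictions > 1
            or (c.major and c.modifies_controls)):
        return "high"
    if c.customer_facing or c.modifies_controls or c.new_third_party or c.systems:
        return "medium"
    return "low"


def saturation(portfolio: list[Change], max_parallel: int = 2) -> dict[str, list[str]]:
    """Step 4: systems touched by more than `max_parallel` in-flight changes.
    Returns {system: [change refs]} for saturated systems only."""
    touched: dict[str, list[str]] = defaultdict(list)
    for c in portfolio:
        for s in c.systems:
            touched[s].append(c.ref)
    return {s: refs for s, refs in touched.items() if len(refs) > max_parallel}


def assess(c: Change, portfolio: list[Change]) -> dict:
    """Combine the two: a change on a saturated system is reviewed one tier
    deeper than its own attributes warrant, because the compounding risk is
    portfolio-level, not visible from the single change record."""
    base = tier(c)
    hot = saturation(portfolio)
    conflicts = sorted(s for s in c.systems if s in hot)
    final = base
    if conflicts and base != "high":
        final = ORDER[ORDER.index(base) + 1]
    return {"ref": c.ref, "base_tier": base, "tier": final,
            "saturated_on": conflicts, "review": REVIEW[final]}


# Constructed sample portfolio (not real changes).
PORTFOLIO = [
    Change("CH-1", "Core banking migration", True, True, True, True, 1, False,
           {"payments", "ledger"}, major=True),
    Change("CH-2", "Payments API vendor swap", False, False, False, True, 1, False,
           {"payments"}),
    Change("CH-3", "Fraud rule threshold tuning", False, False, True, False, 1, False,
           {"payments"}),
    Change("CH-4", "Internal wiki template update", False, False, False, False, 1, False),
]

if __name__ == "__main__":
    for change in PORTFOLIO:
        print(assess(change, PORTFOLIO))
```

Run on its own, the script shows CH-2 and CH-3 each looking medium in isolation but being raised to high because three in-flight changes all land on the payments service, which is exactly the "below the radar" compounding the article warns about.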


5. Evaluate Organisational Capacity and Cultural Readiness


  • Does the organisation have the capacity to absorb this change now?

  • Are the right people, sponsors, and skills in place?

  • How does organisational culture, pace, or trust influence change readiness?


Even well-designed programmes can fail if cultural resistance or delivery fatigue is underestimated.


6. Apply Challenge and Define Conditions


Independent Challenge and Escalation


  • Has the change been reviewed by second line or assurance functions?

  • Has the risk been independently reviewed or stress-tested?

  • Are boards or sponsors aware of the full risk profile and assumptions?

  • Are escalation routes clear and effective?


Set Risk-Based Conditions for Approval

  • Proceed, pause, or re-scope?

  • What conditions, controls, or oversight must be in place?

  • Who owns delivery and monitoring?

📌 Why it matters: Challenge ensures decisions are informed, defensible, and owned.


7. Monitor, Review, and Adapt


  • Are risks being re-evaluated as delivery progresses?

  • Have new risks emerged or assumptions changed?

  • Are lessons learned being captured and applied to future change?


This final step supports learning loops, regulatory defensibility, and long-term change capability.


Integrating Change Risk into Operational Risk and Resilience Frameworks


Too often, change is managed in isolation. It is treated as a linear project with a beginning, middle, and end. But from a risk and resilience perspective, change is a source of uncertainty, pressure, and cumulative exposure. And unless it is tracked, tested, and governed as such, organisations risk being blindsided by their own ambitions.


Embedding change risk into your broader operational risk and resilience frameworks ensures that it is not assessed once and forgotten. Instead, it becomes part of how you monitor risk appetite, adjust tolerances, and support informed governance decisions.


Linking Change to Risk Appetite and Governance Thresholds


Each material change initiative should be reviewed against your firm’s risk appetite and related metrics. This includes thresholds for:

  • Key Risk Indicators (KRIs) related to resilience, capacity, or delivery risk

  • Control effectiveness scores and assurance outcomes

  • Tolerances set under operational resilience frameworks (e.g. impact tolerances for important business services)


As a programme evolves, it may push against these thresholds, whether through increased delivery delays, resource strain, or unintended control degradation. These are signals, not just statistics, and they should trigger action through escalation and oversight.


Escalating Change Risk through the Three Lines Model


Material change risks should be embedded into existing risk management structures, not routed through separate project-only committees.


A few principles help make this real:

  • First Line: Programme and change leads must be trained to identify and escalate risk issues early, using standard risk language and aligned criteria.

  • Second Line: Risk and compliance teams should be embedded in the change lifecycle, providing independent review, challenge, and oversight at key stages.

  • Third Line: Internal audit should consider major change risks in their forward plans, particularly when previous transformation programmes have triggered operational issues or cultural fatigue.


Aligning Risk Reviews with Delivery Milestones


Change does not happen all at once. Neither should risk oversight. Align formal risk reviews with delivery gates such as:

  • Business case sign-off

  • Design and architecture reviews

  • Pre-launch readiness checks

  • Post-implementation reviews


This ensures that emerging issues are caught before they compound and that risk conditions for approval remain valid as delivery unfolds.


Integrating with Operational Resilience Obligations


Under the UK’s operational resilience framework, regulated firms must identify their important business services, set impact tolerances, and ensure they can remain within those tolerances during disruptions.


Any material change — whether regulatory, strategic, or technological — must be assessed for how it affects:

  • Service mapping and dependencies

  • Resource capacity and third-party arrangements

  • Scenario testing assumptions

  • Impact tolerance settings and monitoring


Change is a resilience risk. But with the right oversight, it can also be a resilience enabler, strengthening services, modernising controls, and reducing fragility.


Approached through a different lens, scalability and simplification (for example, a risk event simplification case study), taken together, are among the biggest issues in the finance industry and are intrinsically linked to operational resilience weaknesses. These types of initiatives are usually complex and difficult to run, and “unsexy”, but they can prove vital for a firm to build scalability and contain its cost base.


Spotting the Warning Signs: Common Risk Patterns in Change


By now, we’ve covered how to assess change risk methodically, from strategy to delivery. But even the best frameworks can fall short if recurring patterns of failure go unaddressed. Here is a short list of key warning signs that suggest change risk is being poorly managed in practice.

⚠️ Warning Sign / 📝 What to Watch For

1. Recurring Delivery Failures: Repetition of the same issues across multiple programmes. No system for capturing or acting on lessons learned.

2. Risk Assessment as Tick-Box: Risk logs filled out late or with vague entries. Risks not linked to delivery or outcomes.

3. Inadequate Pre-Approval Challenge: Sign-offs happening without cross-functional review. No scrutiny of interdependencies, controls, or capacity.

4. Go-Live = Done: Lack of follow-through after implementation. No adoption plan or metrics to assess whether the change is effective.

5. Ignored Assurance Findings: Audit or assurance teams flag previously known issues. No evidence of escalation or response.

6. Repeat Findings in Reviews: “Lessons learned” reports show no real evolution. Risk signals are acknowledged but not embedded into the change process.


Conclusion: Turning Change into a Strategic Asset


Change is a constant force. Yet too often, the risks associated with change remain invisible until delivery is well underway or something goes wrong. By treating change as a core part of your risk and governance agenda, you can move beyond reactive assessments and start embedding resilience into how your organisation evolves.


I learnt that top-down alignment was critical for resilient and sustainable change design and execution. Without common goals, each initiative might be ok in its own right, but the sum of the parts does not yield what the firm needs. In some situations, one initiative could undo what another one was trying to address.


So a clear change strategy, grounded in visibility, strategic intent, and cultural readiness, protects your licence to operate, strengthens decision-making, and ensures resources are aligned to what truly matters.


The framework shared here is about focusing attention where it matters most, challenging assumptions early, clarifying ownership, and supporting informed decisions about when and how to act.


Whether you are scaling growth, simplifying operations, responding to regulatory pressure, or investing in technology, a robust change risk assessment helps ensure that transformation is sustainable. Ambition should not come at the cost of resilience.


About the Author: Julien Haye


Managing Director of Aevitium LTD and former Chief Risk Officer with over 26 years of experience in global financial services and non-profit organisations. Known for his pragmatic, people-first approach, Julien specialises in transforming risk and compliance into strategic enablers. He is the author of The Risk Within: Cultivating Psychological Safety for Strategic Decision-Making and hosts the RiskMasters podcast, where he shares insights from risk leaders and change makers.
