The role of assurance in managing change risks

Change is a major source of operational risk within organisations.

On the face of it, research shows many change initiatives - acquisitions, restructuring, reengineering, new products, new markets - fail to deliver. Anyone involved in managing change will bear witness to the uncertain outcome of these endeavours. This is so, despite increased control and formality introduced over decades of experience. Why should this be and what can we do about it?

Why is change risky

Change risk can come from a number of factors, including:

Great strides have been made in managing delivery risk through greater formality in project and programme management. This enables costs and resources to be managed to meet specified requirements. With this greater understanding, organisations at least know what they need to strive for, even if many still haven't attained the highest levels of maturity.

However in other areas, arguably, progress has been more hit and miss. Areas that can present problems include:

We return to these issues in more detail in separate articles.

How can we manage the risk of change

With our clients we are developing an approach to managing investment in strategic change initiatives that borrows ideas from corporate finance and financial risk management and uses them alongside more traditional practices for managing change.

Firstly we see the investment allocation process as one of investing in a change portfolio of real options.

An important concept here is recognising that each project can be structured as an option. There are well defined points in execution and operation where we evaluate whether a project will meet its objectives. Depending on the outcome of this analysis, we have well defined options to continue as is, to make changes, to postpone or to abandon the initiative. There are strict tolerances applied from the outset that will guide the outcome of the review.

A second concept we use is that of value at risk. Each project is evaluated in terms of a range of possible outcomes depending on the risks we identify, uncertainties in our knowledge and assumptions we make. This not only helps us to respond quickly to events but also allows us to value alternative courses of action that remain. The use of statistical techniques and monte-carlo simulation also allows us to identify the principle sensitivities which helps focus risk management activities.

A third concept that we exploit is the diversification of risk within the portfolio. The portfolio is constructed in such a way that is is possible to achieve the overall returns on investment and strategic objectives even if some of the projects are abandoned. Indeed some of the optional projects within the portfolio are constructed to hedge against the risk of failure in other initiatives.

It can be demonstrated that these approaches can significantly improve the returns on investment as well as making organisations more agile in responding to the environment in which they operate.

Change governance is the set of controls put in place to manage change risk. Our approach to change governance is build on COSO principles. Change governance encompasses business case; portfolio, project and programme management; compliance reviews; quality assurance (testing); communications management; configuration management; release management; and operational controls. This helps to ensure correct function according to service level requirements; to track benefits realisation; and to ensure objectives are achieved.

Change assurance is the process by which responsible management can gain assurance that the risk from change is being properly managed. It holds those responsible for managing these risks to account. It also provides a mechanism for ensuring outcomes stay within tolerances agreed at the outset. Change assurance starts with defining processes for each of the controls. It then puts in place independent mechanisms for monitoring performance in relation to the control processes. Monitoring isn't purely mechanistic. Eyeball to eyeball contact should be maintained throughout, to review performance and decide what corrective action is required.

Change assurance should be directed firstly towards identifying risks and ensuring success through coaching, knowledge transfer and peer review. Performance is assessed, reported and escalated if need be with sufficient frequency that potential problems (and opportunities) can be identified in time to manage them effectively. Mechanisms are required also for ensuring that the response to the problems/opportunities is executed effectively.

©Aoxomoxoa Limited 2007