Your business is undergoing changes and that should be of no surprise. Heraclitus, a Greek philosopher, is quoted as saying ” The Only Constant in Life Is Change.”   I think it’s fair to say that this holds true for businesses as well.  Whether the amount of change is unprecedented or normal we should have a process in place for managing the risks generated from these changes.

Change Risk is Constant

Change Risk

The changes we experience in our business can be initiated by our internal strategic decisions and/or borne from external factors beyond our control. If we are not evolving our business to adapt to new norms, we run the risk of losing our competitive advantage or becoming obsolete, at worst. Therefore, not only should we expect and try to anticipate change inducing developments for our business, we should embrace the fact that they will most likely result in constant changes.

The decisions we make to adapt to new business norms can result in changes (to name a few) to our:

  • Products and services
  • Processes
  • Business model
  • Organization
  • IT systems
  • Supplier and third-party relationships

These changes have the potential to introduce new or affect our existing risks. We should be aware of these risks and their potential impact before the changes are implemented.  Therefore, you should maintain a register of your change initiatives. As well as, identify the potential risks associated with the change and conduct a risk assessment for each initiative.


In an ideal world, you would conduct thorough risk assessments for all changes.  But we all know that we do not live in an ideal world, and time and resources should be prudently managed.

Certainly, a risk assessment should be conducted for larger scale initiatives, but perhaps you can consider a scaled down approach for smaller initiatives. For this reason, you should design a methodology to determine the extent to which change initiatives should undergo a risk assessment. 

Change Risk Initiative Matrix

A change risk matrix or scorecard is a helpful tool to determine the riskiness of a change initiative. Similarly to your likelihood and impact risk matrix, I recommend two dimensions to assess or score the significance of a change initiative: complexity of the change initiative and impact should the implementation of the initiative fail.

Change Risk

Complexity of the Change Initiative

Consider the different factors that could influence the implementation success of the change initiative, such as its organizational reach, duration, and resource demand, for example. Determine the scales, both individually and collectively, that would represent a high, medium, low, etc. change complexity.

Impact Should the Change Initiative Fail

In terms of business impact, use the impact categories and thresholds determined when you developed your risk matrix. There is no need to reinvent the wheel or over complicate your risk management processes. Further, keeping your risk impact measurement standards consistent will make it easier for your employees to recognize and use.


Your complexity and impact dimensions can be plotted on a color-coded matrix to visually depict the combinations that you determine would necessitate a risk and control assessment.

Risk-Based Assessments and Governance

Risk Register

Change initiatives assessed to pose a large risk to your business should they fail should undergo a risk and control assessment.  They may even warrant the need for strong project and risk management governance structures that oversee the status of the change initiative and risk management efforts on an ongoing basis. 

The risks assessed to potentially be outside of your risk appetite should be monitored and mitigated accordingly. Preferably, before the change goes live. So be sure to add this to your go-live checklist.

While all change initiatives should be risk assessed to some extent, you may determine that changes that pose lower risks to your organization can undergo a less formalized risk assessment process. This could entail having a less rigorous risk management governance process, for example.

Visit our YouTube Channel