CHANGE MANAGEMENT AND RISK MANAGEMENT – CONCEPT NOTE
Modernisation Committee on Organisational Frameworks and Evaluation
(Prepared by ISTAT)

“Change” and “Change Management”

“Change” is an inherent characteristic of any organization: all organizations, whether in the public or private sector, must constantly evolve and adapt to changes that can originate from external sources (for example, government legislation, general social or economic pressures, technological innovation, changes in consumer requirements/expectations/tastes, competitor/supply chain activities) or take place in response to internal events, such as changes related to costs, human resources or performance issues. Change can affect the entire organisation or a single area or scenario, for example structural change, cultural change or IT-based process change. In any case, all changes involve adopting new mindsets, processes, policies, practices and behavior.

“Change management” is a comprehensive, cyclic and structured approach to transitioning individuals, teams and organizations from a current state (how things are done today) to a desired future state (the new processes, systems, organization structures or job roles defined by 'the change'). Irrespective of the way the change originates, change management always includes the management of uncertainty, both as a threat and as an opportunity. Without adequate management, changes will occur randomly, resulting in uncoordinated modifications to the workplan that may have a negative impact on timing and costs. Change management offers a standardized method that efficiently evaluates the potential positive and negative impact of change and allows for the prompt handling of all change-related activities; if well managed, change can lead the organization towards a condition of improvement in terms of efficiency and productivity.

Change Management versus Project Management

Both project management and change management support moving an organization from a current state, through a transition state, to a desired future state. “Project management” focuses on the tasks needed to achieve the project requirements. “Change management” mainly focuses on tools and techniques to manage the people side of change in order to achieve the required business outcome. More specifically, change management in the context of project management is a formal process to ensure that any changes needed to the baselines (scope, schedule or cost) are controlled and approved by the proper authority, and communicated appropriately.

In order to enable transformation, change management aligns groups’ expectations, communicates, integrates teams and manages people's training. It makes use of performance metrics, such as financial results, operational efficiency, leadership commitment, communication effectiveness and the perceived need for change, to design appropriate strategies in order to avoid change failures or resolve troubled change projects.

Figure 1: Project Management and Change Management

The goal of change management is to apply a systematic approach to helping the individuals impacted by "the change" to be successful, by building support, addressing resistance and developing the knowledge and ability required to implement the change (managing the 'people' side of the change). The underlying basis of change management is that people’s capacity to change can be influenced by how change is presented to them: their capacity to adapt can shrink if they misunderstand or resist the change, causing barriers and ongoing issues. If people understand the benefits of change, they are more likely to participate in the whole process and see that it is successfully carried out, which in turn means minimal disruption to the organization.

In addition, change management not only helps ensure that the transition being implemented is successful, it also helps managers diagnose problems with the transition before they become a crisis; in doing that, risk management is a powerful key system.

Change Management versus Risk Management

“Risk” is an inherent element of change: innovation and changes require risk, therefore every change strategy comes with its own levels of risk. On the other hand, precisely because change is perceived as risky, individuals, teams and then the entire organization are often resistant to radical change, even as the external environment evolves rapidly. For this reason, certain risks should be allowed and encouraged, but at the same time adequately managed: to mitigate the risk of failure due to organizational issues, the adoption of a proper change and risk management process plays a crucial role.

Effective change management is interconnected with risk management, which minimizes the risk of failure and ensures the avoidance of unpleasant surprises during both the implementation and post-implementation phases. In fact, any change entails risk, and the actions aimed at reducing risks are themselves changes, so the relationship between risk management and change management is circular in nature from the beginning. This means that, to describe the relationship, we can break the circularity at any useful stage of the cycle in order to focus on a particular aspect. We can therefore consider risk management as a part of the wider cycle of change management, according to the following perspective (figure 2).

Figure 2: Risk Management in Change Management (cycle diagram; labels: change planning; evaluation of risk impact on the organization; risk assessment; response actions; response action monitoring; organizational change + impact risk reduction; next change planning)

Similarly, we consider change management as a component of the risk management cycle.
During any activity of an entity, risk management identifies the critical parts of the production and management processes in order to plan fitting response activities. In this perspective, change management acts as a subsystem of risk management; in fact, to reduce the likelihood of risky events occurring, some changes are expected to be made, especially in the treatment phase of the risk management process (figure 3).

Figure 3: Change Management in Risk Management (diagram; labels: starting point; Risk Management; process risk/criticality detection; response action planning = CHANGE PLANNING; criticality reduction/elimination; Change Management; change impact assessment («understanding and controlling the exposure to hazards»); change risk reduction; organization improvement (next point))

Risk Management

Risks represent uncertain events that could affect the project objectives. This uncertainty is measured in terms of the probability of the risk and the possible impact the threat or opportunity might have on the project. The effect of the event on the project could be either beneficial or damaging. Therefore, risks need to be identified, assessed and controlled, taking into account the nature of the risk itself, the project context and complexity, and the objective at risk; furthermore, adequate responses need to be planned and, where the case requires it, implemented.

In order to manage change, an organization must not only plan and implement an effective and structured process of transition from the present state to a future condition, but must also be able to govern the uncertainty that is inherent in the process of change, together with its risks and opportunities. The ability to steer the change towards a favorable outcome basically depends on the administration's ability to neutralize the negative factors that result from a situation of uncertainty and impede the achievement of objectives, and to convert them into opportunities.

Organizations need to adopt an effective and structured system to manage the risks that are inherent in the process of change; therefore, Risk Management must be considered as a tool for implementing the overall Change Management strategy, since it supports the administration in addressing the transition towards innovation, in order to protect it from potential adverse events that could occur along that path. It is also suitable for supporting the modernization of business production processes, as it allows management inefficiencies to be prevented and counteracted by monitoring and re-engineering the procedures and internal control systems in force in the organization.

"Risk Management" refers to the coordinated activities that direct and control the administration with regard to risk. It is a continuous and iterative process carried out at different levels of the organization, in order to identify and manage potential risky events and to provide reasonable assurance on the achievement of the objectives. The risk management process is divided into the following phases:

1. Analysis of the internal and external context. Definition of the internal and external parameters to be taken into account when managing risk and setting the scope for the risk management policy (external context: cultural, social, political, legal, regulatory, economic, technological, financial and competitive nature, international and national, regional and local levels, relationships with external stakeholders; internal context: governance, organizational structure, roles and responsibilities, relationships with internal stakeholders, policies, objectives and strategies adopted, etc.).

2. Hazards identification. Detection, recognition and description of risk sources, events, causes and potential consequences; it may include historical data, theoretical analysis, expert opinions and stakeholders’ needs.

3. Analysis and evaluation. Analysis is needed to understand the nature of risk and to determine its level (risk value). The risk value is given by the product of the likelihood of the event occurring and its consequences (impact) from an economic, financial and reputational perspective. Evaluation, in turn, consists of comparing the results of risk analysis with the risk criteria defined beforehand by the Organization, in order to decide whether the risk and/or its size is acceptable or tolerable. Risk assessment is useful to prioritize risk treatment.

4. Treatment. The process of modifying risk; according to the strategy adopted by the Organization, it can involve: avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; taking or increasing the risk; removing the risk source; changing the likelihood; changing the consequences; sharing the risk with another party or parties (including contracts and risk financing); retaining the risk by informed decision.

5. Monitoring. Control, supervision and continual checking, with the aim of identifying differences between the level of performance required or expected and the actual one. Monitoring can be applied to specific risks, the risk management framework, processes, controls and treatment actions.

6. Communication and consultation. The continuous and iterative process that an organization carries out to provide, share or obtain information and to engage in dialogue with stakeholders and other parties regarding the management of risk.

While Change Management can be considered a comprehensive approach, suited to providing an overall strategy for managing change in the organizational set-up, Risk Management is a tool that complies with the best European and international practices oriented to the modernization and standardization of production processes (such as GSBPM – Generic Statistical Business Process Model), since it represents a good example of organizational and managerial innovation that engages the administration as a whole. It is grounded in international standards, the most qualified of which include ISO 31000:2009, UNI 11230:2007, ISO/TR 31004:2013, ISO/IEC 31010:2009 and the Enterprise Risk Management (ERM), published in 2004 by the Committee of Sponsoring Organizations of the Treadway Commission (CoSO) [1].

[1] ERM is based on the Internal Control-Integrated Framework, the best-known international standard for the system of internal controls, published in 1992. The latest updates of the standard are the COSO ERM – Internal Control – Integrated Framework (2011) and COSO ERM – Executive Summary (2013).