Risk Assessment in Change Control

Generally, risk assessment evaluates the potential hazards or risks involved in an activity or organization. As long as human and non-human components are involved in an activity or organization, there are bound to be risks. Therefore, risk assessment is used in a wide range of professions. The risk manager in a hospital would assess potential hazards within the hospital that could affect staff and patients, while an environmental risk assessor would determine, among other things, the likelihood of a business to cause harm to the environment.

For change control, risk assessment identifies, analyzes, understands, controls, and reports on the risks of a particular change.

The importance of risk assessment

The term “risk assessment” already defines how important the process is. “Risk” is a word that gets anyone uncomfortable. It often connotes a hazardous venture—one where something valuable can be lost. Thus, by intuition and logic, we perform risk assessment even in the tiniest details of our lives. We check the weather and other news reports (e.g., the state of the Covid-19 pandemic in other countries) before traveling. We check the expiry date of groceries before purchasing them. These are some of the common ways we perform risk assessment at the individual level. We want to ensure that we do not come in harm’s way, even if the action is one we have carried out many times in the past.

This is one of the reasons why we conduct risk assessments at a corporate level. Other important reasons include:

  • To create awareness on potential hazards: At a corporate level, your employees, clients, and stakeholders need to be aware of the potential risks that could occur. For instance, the World Health Organization (WHO) carried out a series of risk assessments to outline Covid-19 preventive measures to be followed in mass gatherings. WHO did not only carry out these assessments but provided a template for institutions to conduct their individual assessments.[1]
  • It is important to inform employees and stakeholders about the risks associated with a particular change program in change control processes. Some of these risks include high levels of resistance, lack of awareness or desire to support change, uncertainty, lack of stakeholder support, ambiguity about project milestones, budgeting risk, etc.[2] By creating awareness, concerned parties can determine if the change is necessary or not. If necessary, steps would be taken to mitigate the risks.
  • Preparation against risk is not a one-time process; it is continuous. Thus, even if the measures to protect those prone to these risks are already in place, regular assessments are still required to determine if the measures are current or if they should be changed.[3]

In change control, there are key areas you would need to focus on when preparing against risks.

Not all risks deserve attention. Some are inconsequential, while others can threaten the core of a business or a change program. This highlights another importance of risk assessment. Attending to risks requires using every resource available. Therefore, Channeling resources to a trivial risk is a waste, an unnecessary cost. A proper risk assessment will inform and guide you to channel resources effectively.

The goal of risk assessment

The goal of risk assessment is to identify and evaluate risks, then eliminate or mitigate these risks. In a change control process, risk assessment aims to identify and evaluate likely risks associated with a change program and check whether the organization should proceed with the change or not. Risk assessment is an activity of questioning because a change may look good to go on a surface evaluation, while in reality, it is a risky venture. Some of the questions asked during risk assessment include:

●      What are the likely outcomes?

●      Under what circumstances will these outcomes happen?

●      What are the likely consequences of the change process?

●      How likely will these consequences occur?

●      Can the risk be controlled effectively?

●      If no, what else can be done?

Providing honest answers to these questions is fundamental for successful risk assessment. Remember, there are no right or wrong answers; there are only realistic answers. To answer these questions realistically, you may need to apply lateral thinking, as we would see later.

How to conduct a risk assessment

Risk assessment is a stepwise process. Each step must be followed accordingly for the assessment to be successful. The steps include:

  1. Identify the risks: I have stated some of the common risks that can affect a change program. You cannot prevent or mitigate a risk you do not know. Some risks are obvious, while others are not. This is why the identification step is crucial. Overlooking a risk can lead to a breakdown of the entire change process. In my article titled, “Risk and Impact Assessment of Change,” I shared a story of Coca-Cola. The popular brand wanted to outperform its biggest competitor, Pepsi and decided to change its secret formula. The new formula received a hostile reception when it got into the market. The entire change was a flop. And this happened because the company ignored key risk factors like high resistance levels and the absence of desire to support the change.
  2. Determine the scope of the assessment: Here, you evaluate who can be affected and how they could be affected. Scope also deals with the component that needs to be changed. Here, it falls into three groups: (1) components that remain the same after the change, (2) components that are bound to change, and (3) components that could go either way. The first group are integral to the business process and do not pose any risk to the change control process. They do not change. Examples in this group include patents, machinery, and capital assets. They do not pose any risk during the change control process. The components of the second group add no value to the business process, thus are bound to change. Replacing or eliminating these components reduces expenses or increases revenue or both. Examples in this group include outdated products and redundant processes or services. The last group forms the major scope of risk assessment. They form the gray area. Risk assessment becomes more necessary in this group to determine if a change poses any risk.
  3. Perform the assessment: The first step to risk assessment is gathering information from every possible source and analyzing the information using all possible resources. At this point, you would have to consider certain factors mentioned earlier like readiness and availability of technology, data quality and integrity, budget requirements, extent of human resources readiness, human resource competencies and attitudes, impact on business operations, extent of customer acceptance, etc. There are different ways to perform a risk assessment. Common methods include statistical probability analysis, benchmarking, interviews with stakeholders, and conceptualization through lateral thinking.[4]

Branches of statistical probability analysis include (1) decision trees (2) statistical variations (3) correlations between past projects and present projects, and (4) program evaluation and review technique (PERT) and PERT Simulation for activity review and project risk.[5]

I believe there is an interplay, a cyclical relationship between change control and benchmarking as a risk assessment tool. The goal of benchmarking is to cause an improvement in deficient areas. Making an improvement is a change process on its own. And every change process must undergo change control—which leads to risk assessment and probably another benchmarking. For instance, let us assume that in 1985, Coca-Cola carried out a benchmarking exercise to compare their market share with Pepsi. The exercise made Coca-Cola seek improvement, which they thought would come by altering their secret formula. Seeking improvement to increase market share was a good thing, but the particular change that would lead to that improvement was risky.

Interview with stakeholders or stakeholders’ risk perception is at the same time, an easy and complex approach to risk assessment. It is easy because it requires no statistical or mathematical tool and can be done by anyone. It only involves getting the stakeholders and seeking their opinion on the likely risks of the change process. But the difficult part lies in its subjectivity. Stakeholders may perceive a change process as risky when, in truth, the risk is trivial. On the other hand, they may perceive a risk as inconsequential when it is threatening. One way of solving this conflict is through lateral thinking.

Through lateral thinking, you can assess the risk without bias. It makes you see diverse perspectives, makes you understand that a risk that seems inconsequential may be serious, and that which appears serious may be inconsequential. Lateral thinking enables you to evaluate your desire for change and also its necessity. One veritable approach to achieving this is to follow Edward DeBono’s concepts of Lateral Thinking. According to Edward:[6]

●      the nature of thought should be provocative, non-sequential, and nonlogical,

●      the process should seek additional options, exploring unlikely paths, and should not have to be “correct,”

●      the process should attempt to escape from established patterns, labels, and classifications,

●      results are unpredictable and/or probabilistic.

I think, in addition to statistical methods, lateral thinking is the surest path to successful risk assessment.


In carrying out risk assessment for change programs, you need to understand that all change programs are not the same. So the risks for one change program may be different from the risks for another change program. Risk assessments are a fundamental aspect of a change control process. Ask yourself[7] the necessary questions about the change program and its likely risks. Ensure you provide realistic answers to these questions.

[1] “WHO Mass Gathering COVID-19 Risk Assessment Tool – Generic Events.” World Health Organization, July 10 2020.

[2] Ut supra, 1

[3] ibid

[4] Ut supra, 6

[5] ibid

[6] ibid