  • kunjannpatel

Resistance to change in Risk Transformation Programs

Updated: Jan 16

At XCF, the idea of a large Operational Risk transformation programme is the kind of challenge we thrive on.

Working with organisations to change people, process, technology, data from one (or more) way of doing things to another to ‘improve’, extract value, and reduce cost across the Three Lines, is essential for survival let alone for the growth and development of a firm.

A well-run programme requires a solid structure and framework that is reviewed and improved as we go along; a well defined plan and approach is essential but only scratches the surface in terms of structure required for success – otherwise resistance to change will set in quickly and set hard for the duration of the programme.

Owing to the evolving nature of Operational Risk and GRC, and the perception that it is something we ‘have to’ do, Risk and GRC transformation can be a particularly resistant path. Here, we look at some of the reasons and observations and some of the techniques we can use to help colleagues through the journey. There have been many papers and manuals written on this subject, presenting different observations in various ways, but here are some of the main observations we have made in GRC programmes.

Our Observations


Of perceived inaction - People and groups can feel guilty, or have the misperception that they have been judged for not making the situation better themselves previously. What can transpire is groups defending what they currently have as best in class and ‘throwing stones’ at the programme - and also at the views and current practices of those people and groups in favour of the new way. This can lead to resistance and delays - and ties in with the vested interests / politics area of resistance found below.

Of loss of security – often, objectives of change will include cost savings and/or restructuring that can have the unfortunate effect of redundancy or moving to new management. Understandably the full outcome is not always disclosed at the beginning meaning that even when this is not an objective of the programme, some of those affected by the change will conclude that their security is threatened in some form and resist taking part.

Of the unknown – lots of people are not happy about uncertainty or when a full future outcome is not known. We have seen what can happen in the extreme, during the coronavirus pandemic when something is impacting us, and we have no idea what the end state will be. In the midst of a programme, rumours can circulate, and people draw conclusions without having the facts and this can impact people’s desire to take part and facilitate change. This can be exacerbated in GRC change programmes as the subject matter is often not fully understood by many colleagues who have to take part - but do not spend all their time on it and so do not have the opportunity to become experts.

Short term time and effort constraints

Some people and groups that embrace change and think the programme is a great idea, may simply struggle to make time to take part and change what they do in the short term, despite the long-term benefits. This is a particular challenge with Risk and GRC where the perception can be that it is an addition to the day job already.

Group Culture

Sometimes the culture of a particular group will cause challenges and resistance. For example, if the group has a culture of inertia, a lack of inspiration and incentivisation to take part in projects then this will create resistance to the programme. Some groups simply enjoy the status quo and simply do not want, or like, change.

Lack of trust / Success of previous projects

The organisation may have a perceived bad track record of delivery: either unsupported or miscommunicated handover to BAU leaving the business exposed; partial delivery leaving the business unable to perform all their day-to-day processes; delivering something that now requires more effort – a regression in efficiency. As a result, people and groups may want the programme to fail because the final outcome may make their working life less successful. We have seen and heard about many eGRC application implementations and rollouts going badly and then having a resistant effect on the next attempt to get it right.

Vested interests / politics

It’s part of human nature to look after one’s own interests, although this will take more extreme forms for some than others. In the workplace, this is represented by our career and future prospects. This can lead to resistance for two related reasons: i) risk and GRC are areas that rely heavily on knowledge, expertise, experience. Perceived knowledge is the currency of GRC because these departments are pure cost centres. I have rarely sat in a meeting with GRC people and heard someone say, “I don’t know”. Therefore, aligning with particular like-minded management can be viewed as critical for survival and progress - and if that management is not in favour of the change programme, you have a group of individuals that are now resistant. ii) The current risk processes and reporting presented to management will be defended as best in class so anything new being proposed by the programme (e.g., eGRC, reporting, data, fora) will be resisted.

How to overcome resistance?

Take everyone on the journey - Tone from the top and participation from everywhere else

The support of management is non-negotiable for success. The Chief Risk Officer is the most obvious exec whose buy-in is key. The CRO will need to play an important role in guiding the vision for the Operational Risk framework overhaul and any eGRC implementation. In many organisations, the CRO also runs the policy framework and, if successful, will have a close relationship with the Chief Compliance Officer and Chief Operating Officer. Maybe less obvious is the key support of the Chief Financial Officer. Not merely because the Finance department are a critical control function – but because the CFO will ultimately have to give final advice and approval on whether the programme is value for money. The Chief Operating Officer is another key manager to gain buy-in from for success – many first line teams will be important to gain support from, not only as control performers and possible senior risk owners, but also because there will be a reliance on good data standards and clear data owners under the COO. The first line operations department are often some of the hardest to convince to come on the journey because of the perception that GRC is in addition to the day job - some senior contacts of ours actually feel that eGRC implementation should be owned by the first line, rather than the second, in order to overcome this. The Human Resources Exec is another important manager in order to support an incentives programme around risk culture and establish a trusted speak-up process. The Chief Technology Officer will be key to providing the necessary internal technical expertise if an eGRC application is part of the solution. The Compliance Exec’s buy-in may differ according to how Compliance elements play into the programme.

These senior managers need to be part of the initiation and state exactly what needs to be achieved in, and provide final approval to, the Business Case - almost as a friendly but binding contract of their commitment.

Once senior management buy-in is established, middle management can then be engaged to help select appropriate groups and individuals to take part in working groups, workshops, steering committees, road testing and other interactive fora where members of all Three Lines contribute to decision making and solutions.

In addition, the involvement of groups like Audit Committees, Non-Executive Directors, Ethics Committees will all contribute to a less resistant implementation.

Communication - Explain the benefits

The Business Case needs to state what will get better for those who participate in risk management across all Three Lines. Automated and standardised reporting; integrated static corporate and risk data with/and ‘transactional’ (Assessments, Incidents/Events, Issues and Actions, Key Risk Indicators); transition to real time risk management if implementing eGRC - as opposed to periodic effort ‘crunches’ that totally absorb people’s time.

Keep allies close and give kudos for the bold participants – but don’t be afraid to report problems

Some textbooks will cynically call this ‘manipulation’. We prefer the more realistic carrot and stick analogy. However, some people will just recognise a good idea and want to do the right thing. If these colleagues receive the necessary kudos and ‘go first’ in pilots, other like-minded leaders will take notice and do the same. We have seen many programmes ramp up in this fashion by finding the right people and leaders. Others will respond to being graded as ‘RED’ on a dashboard and simply do not like that and feel it a little unfair and will offer to get more involved as a result. Others will dig their heels in, ignore and fight the red rating by attacking the integrity of the programme and this will need to be reported to management and relevant fora. Hence Exec Management buy-in is critical for giving kudos and the escalating of inertia.

Training and Education

Start to educate on the new approach, framework, system as soon as possible. Prepare easy-to-follow materials and involve as many people as possible from all Three Lines in workshops, steering groups and so forth. Don’t make the assumption that more senior folks understand GRC, eGRC and related subject matter; they will need guidance and demos too. In our experience, more senior folks are more honest and often they are a better place to start and will give you extremely valuable feedback. Design a structured training and education plan for implementation and rollout, be it system or standards. Identify who needs it by talking to all levels of the organisation and plan accordingly. In our experience, most firms historically underspend on this critical element of overcoming resistance.

Ultimately, how many of these observations apply to an organisation and the techniques that can be used to overcome them will depend on culture and you have to be flexible. However, in our observation, most of these work the majority of the time and senior management are usually keen to develop the culture and happy to help overcome resistance where they can.
