Risk management

Mitigating risk in terms of change management is a crucial and important part of preparing the organization for change. Without the proper steps and procedures for mitigating risk, an organization is likely to face a much more difficult set of circumstances to overcome during the implementation process.

Remember, all change management comes down to is proper planning and consideration for variables. Risk, in this case, is the common but unnecessary adversity that often makes change-implementation much more difficult than it otherwise needs to be.

There is a standard framework for planning and mitigating risk that many change-managers use. It is comprised of multiple parts and considerations for risk that is meant to instigate thoughtful conversations that will ultimately lead to solutions for risk.

The basic layout that we will discuss today (piece by piece) is as follows. (Note: many people use this layout in more than just change-management situations. We are ultimately discussing what is called a “Risk-Register”)

Risk Register Layout:
1. Description of risk.
2. Risk-Assessment.
3. Mitigating Actions.
4. Owner. (Delegation)
5. Target Date. (Onset)
6. Status of Completion.

These components make up the fundamental layout for a risk register. Within this post, we will break down each component to determine how you can best plan and mitigate risky issues before they occur as you implement organizational change!

Section 1: Description of Risk

Keep a thought catalog to jot down potential risks as you come across issues in the change process.
Keep a thought catalog to jot down potential risks as you come across issues in the change process.

Obviously, no mitigating actions can be taken over the course of proper risk management without first describing what the risk consists of! You must describe the potential risk you are facing before you can build a detailed and comprehensive process to manage it.

Do your absolute best to describe the issue that risk poses for your organization, as well as the sole cause of the issue. For example, if I run an organization that is implementing multiple new projects at once, my “Description of risk” area of the risk-register could look like this.

Description of risk: Change fatigue occurs across multiple departments due to the attrition caused by a number of changes occurring simultaneously, as well as competing projects.

This way, I have a grasp on the nature of the risk as well as its main causes. This will become valuable in the future when we consider the points on risk-assessment and mitigating actions.

The single most important thing to consider when creating your risk description is the consequences you’d like to avoid. Despite all else, knowing the consequences you wish to avoid will help you make the proper plans for the future.

Section 2: Risk Assessment

Risk-assessments are likely the most useful and inspiring parts of the process. Why? Because they will give you an idea as to the scope of the risk in your organization.

Just like the scope of change management initiatives, the scope of risk is comprised of two parts: Likelihood, and Consequence.

Overall, the likelihood section is based on the inevitability of risk. Ask yourself, “Just how likely is it that this risk will occur WITHOUT mitigating actions?” This will help determine if the risk is truly worthy f your time and effort to mitigate, or if it is only speculation.

The consequence section is where you can begin to assess the risk-impact severity. Impact severity is, essentially, just how harsh the consequences of the risk will be to your organization or your change management initiatives. Ask yourself, “If everything goes wrong and we take the full force of this risk, what will the effect be on my organization?”

Often times, these scales are given numeric values on a basis of 1-5 or 1-10, and multiplied for an overall score.

For example, if I estimated that a risk-assessment likelihood was a 7 on the 1-10 scale, and that the consequences were a 4 on the same 1-10 scale, overall the risk assessment would give me a value of 28 out of a possible 100. If I divide 100 by 3 (for low, moderate, and high risk) then that value of 28 is considered a low-risk assessment.

Evaluating your risks in this fashion can benefit your prioritization of resources and resource delegation to the most important and crucial areas of your organization’s risk assessments.

If time is of the essence, you can also add a “proximity” section to your risk register which estimates how quickly a risk could occur, or even a “Residual risk” area for the possibility of secondary risk or risk that occurs despite its own resolution.

Section 3: Mitigating Actions

Using a planner will help you determine the mitigating actions you need to resolve potential issues.
Using a planner will help you determine the mitigating actions you need to resolve potential issues.

Mitigating actions are exactly what they sound like. After you have determined the possible risks, and prioritized them based on severity and likelihood, you can begin to form mitigating actions around the most vital risks that have the largest impact on your organization.

Preparing mitigating actions is similar to preparing a roadmap. You want to determine which actions are crucial and make the largest difference in resolving the risk and prioritize resources to fulfill those actions.

For example, if the risk description had to do with a lack of knowledge (how to apply new systems, etc.) and my risk assessment was high-priority, then I would delegate resources to mitigate this issue by providing materials, coaching, experts and others who could better prepare the organization for those systems.

Mitigating actions need to directly apply to resolve the description of the risk, if they don’t then they won’t be relevant to the issues that risk might pose.

There are various levels of “mitigation” that you can rely on. These are what I call, mitigation factors.

Mitigation Factors:
1. Acceptance: Don’t do anything; Reactionary; If the risk occurs, then we will take action.
2. Reduction: Actions that change the likelihood/severity of consequences.
3. Transfer: Risk is transferred to a separate entity. (Insurance, etc.)
4. Share: Risk is shared across multiple parties.
5. Contingency: Planning for responsive actions in the case of a change circumstance.

These factors make up the vast majority of mitigating actions you can take. Depending on the resources that your organization has, you can begin to delegate actions to the most important risks in order to lessen its impact or likelihood.

Section 4: Owner (Delegation)

Far and apart from delegating resources, you will often have to delegate responsibility also. No one person can take full responsibility for risk management alone, and the only effective way to make the most of your time is to delegate certain responsibilities to others.

This is why there is often a change management team comprised of multiple individuals. For more on forming a dedicated team, click here.

The Owner section simply answers the question, “Who will organize/perform the needed mitigating actions in order to resolve or handle this risk effectively?”

It needs to be someone with the resources to do so, and the know-how as well. Risk-mitigation is certainly not an easy task, but for somebody who knows the ins and outs of the organization, it can be wildly more simple than for an outside party to do so.

Consider who is tied to this risk. Are there department leads and project managers whom this risk directly influences? They likely have the most responsibility and direct knowledge of the resources and abilities they have to mitigate it.

The risk-owner can also be part of the change-team (if you formed one). Often, these people can be focused directly on the risk itself instead of trying to balance their casual workload with the risk at the same time.

Section 5: Target Date (Onset)

Determine when the best target onset time by planning key mitigating actions.
Determine when the best target onset time by planning key mitigating actions.

The target date, or onset time, is when the mitigation actions should begin to occur. A simple date is all that is needed, however, consider the nature of tactful risk-management in light of the projects you are attempting to implement during change.

Risk-mitigating actions are yet another thing that must be considered and added to the duties of the teams within your organization, try not to overload, and burnout, those people or teams.

It is quite easy to delegate all your immediate tasks to somebody who is competent and capable as an easy and trusted fix to certain issues, but this only magnifies the workload of that one person, especially if deadlines are put into place.

Consider delegating and setting onset times with tact. I mentioned earlier that you can add a “proximity” section to the risk-assessment area in section 2. This can give you a better idea as to how soon or quickly a risk might appear, and therefore, will reflect on the onset time of risk-mitigation actions.

Don’t attempt to take action now, when you don’t need to. Take a step back and assess the situation. We all want to be proactive, but the most important benefit of procrastination is having a larger influx of information with which to make decisions.

Setting an unrealistic onset time is like utilizing resources for something that is not at all guaranteed to occur in the near future. Often, certain risks are mitigated naturally in the change process due to unforeseen factors, put simply, mitigate risk by timing the mitigating actions to occur only when you know the risk is prominent.

Section 6: Status of Completion

The “status of completion” section is fairly straightforward. Considering the roadmap of actions you made, how far are you on your risk-mitigation journey?

Often, people use terms like “Not started, started, in progress, etc.” in order to determine where risk-management processes are in real-time. You can also use numbered segments to designate completion areas for more precise calculating. This can be beneficial if you are cutting it close in terms of resources and manpower for risk-management processes.

If 1 is not started, and 10 is completed (risk-mitigated), where is your process? It’s that simple.


All in all, properly managing risk is a necessity for any change management progress. Utilizing this simple 6-step framework for planning and assessing risk will benefit you and your ability to delegate, prioritize, and plan risk-mitigating actions.

Here is a recap of the 6 steps.

Risk Register Layout:
1. Description of risk.
2. Risk-Assessment.
3. Mitigating Actions.
4. Owner. (Delegation)
5. Target Date. (Onset)
6. Status of Completion.

With these steps, you will be well on your way with managing, and mitigating, risk within your organization during the change process!

Hopefully, I was able to help you manage change more effectively, to get in touch with me, please call (951) 833-2987 or send me a message on my website.

Thanks for reading!

-Austin Denison is a change management consultant from Southern California and founder/CEO of Denison Success Systems LLC. He is the author of The Essential Change Management Guidebook: Master The Art of Organizational Change as well as The Potential Dichotomy: The Philosophy of a Fulfilling Life.


Comments are closed

Work With Me! (951) 833-2987
Newsletter Subscription

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 3 other subscribers
Follow me on Twitter