Updated: Jan 22, 2019
Cost reduction programs, while sometimes necessary, all too often end up removing value and exposing companies to unnecessary risk. Deferring maintenance, not doing critical improvements, pushing more work on employees, switching to cheaper suppliers, and even moving to the cloud may eliminate some costs in the short term, but may also impact future benefits and affect a company's ability to meet its compliance obligations.
As change can be a significant source of risk, it is important that companies put in place an effective change process that covers possible impacts to critical programs, systems, and processes. An effective change process acts as a layer of defense against exposure to risks caused by changes to compliance systems. Embedding a risk assessment into this process also ensures that risks are properly identified and evaluated, and that risk responses are implemented along with the change itself.
The following diagram depicts a simplified change process to manage changes to critical programs, systems, and processes:
define the proposed change
identify affected programs, systems and processes
estimate savings and costs
2. Impact / Risk Assessment
identify impacts on identified programs, systems, and processes
identify impacts affecting critical to compliance objectives (CTCs)
identify threats and opportunities, evaluate risks, and determine prevention/mitigation and enable/exploit controls
create implementation and risk response plans
obtain necessary approvals, based on accountability and level of risk, to proceed with implementation
implement change and risk response plans
verify that changes were made according to plan and standard procedures
Implementing a change process requires that critical systems are identified first, followed by critical to compliance (CTC) objectives so that impacts can be identified and monitored.
CTCs are key results, activities, documented evidence, reports, and so on, identified as critical to meeting agreed-to compliance obligations. Identifying these is part of proactively managing overall compliance (shown in the following compliance map) to maintain a continuous state of compliance. Effects impacting CTCs can be anticipated and addressed to ensure that there are never any gaps in meeting compliance obligations.
Cost reduction programs benefit from an effective change process to ensure that potential savings are not offset by costs associated with increased exposure to risk. In addition, an effective change process can also provide the following benefits:
a stage and gate approach to properly sequence the work
a cross-functional team derived from the identified scope and impacts
the tools and practices needed to implement changes safely
visibility of the level of risk associated with all changes being introduced
visibility into the level of work and bottlenecks across all changes
All of these benefits help to ensure that risks are addressed, compliance is maintained, and the promised savings are actually achieved.