Growth thrives on change, and in the dynamic financial services industry, change is not only inevitable but essential.
Institutions of all sizes regularly deal with changes. While some changes are minor, others significantly impact a financial institution’s (FI) critical activities, which can lead to increased risk in multiple areas across many departments. So, how can FIs effectively manage these changes and mitigate risk?
Enter enterprise change management. In this post, we’ll explore what qualifies as a significant change, how enterprise change management (ECM) works, what regulatory agencies say about ECM, and how FIs can use those insights to create an ECM plan to meet their needs.
Let’s get started.
Enterprise change management is a structured approach to identifying, managing, tracking, and responding to changes that have a significant impact on operations. The goal of ECM is to ensure changes are implemented efficiently and effectively, with minimal disruption to the business.
ECM is a process for dealing with all kinds of change – whether from external sources, such as updated regulations, or internal sources within the FI’s control, such as evolving business strategies or new products and services. Often, these types of changes produce a domino effect across multiple departments and risk areas. They also often happen at the same time, which makes having an effective ECM program essential for managing the complexity.
Traditional change management focuses on a specific department, topic, or minor regulatory change. For example, regulatory change management is the process financial institutions use to identify, evaluate, and implement new or amended rules and regulations. Traditional change management focuses on a particular initiative, ensuring that the change is adopted successfully with minimal disruption within and outside of the project or department.
ECM, on the other hand, oversees change on a larger scope and scale by establishing a framework that permeates the entire organization. Rather than a one-and-done approach to addressing change, enterprise change management provides a standardized process for managing change by integrating tools, processes, and expectations so change is implemented uniformly across the FI.
Some other differences between traditional and enterprise change management include:
ECM addresses significant changes to an FI’s leadership, operations, risk management, and business activities, including using critical third-party vendors. Examples of changes that might fall under this category include:
When considering whether a situation requires enterprise change management, assess the potential impact of the proposed changes on your institution. For instance, minor regulatory adjustments that entail straightforward tasks, such as training or minor procedural updates, may not necessitate an ECM approach due to their low material impact. In contrast, regulatory changes that could result in significant negative consequences—such as regulatory scrutiny, enforcement actions, or costly fines—typically warrant an enterprise change management strategy.
ECM is necessary whether a change means adding something new or taking something away. For instance, if a regulation is rolled back, it ultimately means less compliance work for a financial institution – but only if the rollback is implemented effectively. If the full impact of the rollback isn’t evaluated and implemented across the institution, the FI could be wasting resources complying with elements of a regulation that isn’t in force anymore – whether it’s sending unneeded disclosures or staff following procedures that no longer serve a purpose. The same holds true if a product is discontinued due to minimal consumer demand or if the FI transitions to a new critical vendor. Using an ECM approach ensures resources aren’t wasted on programs, policies, and products that are no longer needed.
Change management has become a topic of interest (and concern) for regulators over the past several years. In 2019, the Federal Reserve System (FRS) released an issue of its Consumer Compliance Outlook focusing on how FIs can promote effective change management within their organizations.
As financial services continue to evolve to meet the demands of consumers and technology, regulators' views on change management have grown, leading to increased attention on ECM. In its 2025 Bank Supervision Operating Plan, the OCC named ECM a key area of operational risk alongside cybersecurity, third-party risk, payments, and operations. This is the first time the agency has named ECM as a focus of its risk-based supervision principles.
Given the scope of ECM, the OCC identifies a few critical areas for a successful ECM program. Effective ECM ensures that changes are implemented smoothly, efficiently, and with minimal disruption, helping to meet strategic objectives and maintain operational continuity.
As your FI undergoes significant changes, your board and management teams ensure the strategy continually aligns with the institution’s mission, vision, values, and risk tolerance level. For example, if an FI acquires a third-party payment service provider, the acquisition will have far-reaching impacts from the top down, including operations, human resources, information technology, marketing, and frontline employees, among others.
As your FI changes internal and external procedures and processes, ECM requires that you communicate the vision and reasons for the updates to your team, so everyone is informed.
The OCC often mentions weak internal controls, along with poor risk oversight and repeat findings, in its enforcement actions. Internal controls are people, processes, and systems put in place to mitigate risk. This includes documents, procedures, and policies put in place to monitor the overall condition of the institution, its risk profile, and compliance, such as audit reports, investment activities, operating policies and procedures, and Bank Secrecy Act/Anti-Money Laundering (BSA/AML) reports.
Controls are an important part of ECM, and failing to thoroughly address them can lead to problems down the road. Enterprise changes may call for designing, redesigning, and implementing effective controls. Reevaluate your FI’s current internal controls and make updates as needed. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has an internal controls framework that can be used for reference.
Remember: an ounce of prevention is worth a pound of cure. If your ECM program isn’t built to ensure internal controls (and other elements) are done right the first time, the fix is likely to end up costing more than doing it right in the first place.
Team members come and go, so it's crucial to ensure the onboarding, training, controls access, communication, and content management processes are streamlined.
When making changes in a specific area, such as a system conversion, staff must be trained in how to use the new systems, the potential for new or emerging risks, and how to address challenges. It’s also crucial to have procedures and policies when key employees are absent or leave the organization. An understaffed or ill-equipped department is a liability during an unexpected incident, such as a data breach or a software outage.
Organizational maintenance refers to the maintenance of “structures” the board and senior management create to ensure internal controls are followed. Oversight and responsibility, performance measures, and accountability make up the control environment.
It’s important to note that words like “oversight” and “accountability” are not vanity metrics. Board directors and members have legal and fiduciary responsibilities. When examiners knock at the doors of financial institutions, they’re looking for strategic direction and robust enterprise risk management plans, which fall under the board and leadership team’s responsibilities.
If managing enterprise change sounds like a big job, it’s because it is. Regardless of the type of change and the environment surrounding it, the change will significantly impact the entire organization. As such, FIs must be prepared to tackle the changes and mitigate any potential risk as seamlessly as possible.
A customizable enterprise risk management (ERM) solution enables your organization to continuously evaluate, measure, and report on risk in real time. Whether your institution is implementing changes, such as introducing a new product line or simply updating your compliance policies to meet upcoming regulations, an ERM system can help you navigate the changes with risk ratings and reporting and complete visibility into controls so you have confidence that all aspects of a change have been addressed and implemented properly.
Want more insights on how your FI can navigate changes, including new technologies, increased regulatory scrutiny, and workforce challenges? Read the Enterprise Risk Management Buyers Guide.