Without change, growth is impossible.

Whether it’s expanding the leadership team, launching in new markets, or developing a new product, at some point every successful organization experiences transformation.

And yet change often introduces risks. New processes increase the possibility for human error. Adopting new technologies introduces additional vendor risk. How do you build an agile, innovative organization that can seize new opportunities without taking on unnecessary or undue risk?

Being thoughtful and strategic about change management is essential, as is bearing in mind how changes in your business will impact your risk landscape and security posture. Below, we cover the essentials of organizational change management and share advice for navigating change while keeping your business secure. 

What is organizational change management?

Change management is the process of preparing for and implementing change within an organization. This might happen on a smaller scale, such as when bringing in a new team manager. Or it might happen on a much larger scale, such as when pivoting to a new market or business model. 

These examples illustrate two distinct types of organizational change: adaptive change and transformational change.

1. Adaptive change refers to incremental changes organizations adopt to improve over time. Examples include:

  • Iterative improvements on an existing product or service
  • Updating or upgrading current software
  • Hiring to backfill an existing open position
  • Launching a new product within an existing product line
  • Updating an existing workflow or business process

2. Transformational change refers to large-scale shifts in business strategies, structures, or processes. Examples include: 

  • Pivoting the business model
  • Rebranding 
  • Adopting new tools or software
  • Hiring new company or department leadership
  • Restructuring teams or departments
  • Company merger or acquisition

Even positive change can create uncertainty within an organization. Being proactive about change allows everyone involved to understand and prepare for what’s to come.

Without an effective change management process in place, employees may experience unnecessary disruption, confusion, and decreased productivity, all of which can negatively impact customers and partners and introduce security vulnerabilities. Poor change management can also result in increased risk, as well as wasted time and resources as teams struggle to understand and adopt the change.

While there are numerous approaches to organizational change management (more on those below), every change management process boils down to three phases: preparation, implementation, and review.

Preparation

Preparation is arguably the most important phase of successful change management. During this time, company leaders review and discuss reasons for the upcoming change with other key stakeholders as well as develop a plan for the actual implementation process. This creates an opportunity for teams and departments affected by the change to voice any concerns or suggestions they may have about the upcoming transition.

It’s also a chance for everyone to collaborate and brainstorm ways to roll out change initiatives successfully. Will employees need to be trained on new processes or tools? How might roles or responsibilities evolve as a result of the change? A change risk assessment should always be conducted to identify and mitigate potential threats or vulnerabilities that may result from the proposed change.

This stage also allows leadership to get buy-in across the organization by creating a vision for change. Focus on the benefits of proposed changes, such as the opportunity to streamline processes, eliminate frustrating roadblocks, meet Key Performance Indicators (KPIs) faster, and/or enhance company culture. When people understand the various ways a proposed change will benefit them, they’re more likely to embrace it.

Implementation

Once everyone is aligned on a plan and timeline, you’re ready to put it into action. Communication is essential in this step so everyone involved knows what they’re responsible for. Teams should know what’s happening, when, and why throughout the transition. 

After implementing changes, you’ll need to continue monitoring adoption and the success of KPIs. Old habits die hard, and some team members may find themselves falling back into old ways or circumventing new processes. This doesn’t mean the change initiative failed; it may just take some time to solidify changes and embed them into day-to-day work.

Review

As with any major project, a retrospective is important to make sure your overall change management strategy is sound and glean any lessons learned for the future. 

Solicit feedback from key stakeholders and affected employees to find out how to improve your approach to planning and implementing change within your organization. If any unforeseen risks or issues were introduced, reexamine your change risk assessment process to fill any gaps.

Types of change management models

If you’re wondering where to start, there are several popular change management frameworks and established methodologies you can follow. Here is a brief overview of some of the most prominent models to use as inspiration when building your own change management strategy:

  • ADKAR stands for Awareness, Desire, Knowledge, Ability, and Reinforcement. It emphasizes the need for everyone in your organization to understand and desire the change you’re implementing, and ensures they have the tools and training to be successful with the change over the long term.
  • Nudge theory takes a bottom-up approach to change. Rather than executives and senior leadership enforcing change from the top down, nudge theory is all about persuading employees to initiate changes they see as impactful. This theory involves a lot of soliciting and acting on employee feedback throughout the change management process. 
  • McKinsey 7-S model focuses on the seven “S”s involved with any change initiative:
  • John Kotter breaks the change management process into eight steps:
  • William Bridges’ model focuses on the emotions people feel throughout the change process. His model is broken down into three emotional phases. First, loss and letting go as employees react to the discomfort of change. Next, a neutral zone where people move from the old standard to the new. Lastly, a stage of acceptance and comfort with the new processes. 

5 elements of an effective change management plan

1. Buy-in from key stakeholders

People typically resist change for two reasons: they either don’t believe there’s a problem with the current way of doing things, or they don’t believe the suggested change will actually solve the problem. 

For change initiatives to succeed, the problem has to be felt within your organization. And those feeling the pain must understand your solution and believe that it will work. 

A big part of achieving buy-in is convincing people of those two facts — and actively listening to their point of view. Maybe stakeholders agree that there’s a problem, but have a different solution for solving it. Having a Change Control Board (CCB) could help decision makers evaluate changes and their associated risks. 

Open discussions allow for true buy-in to happen, and additional perspectives enable a deeper understanding of the problem you’re trying to solve. All of this makes your change initiative both more likely to succeed, and less likely to introduce unforeseen risk. 

2. Change risk assessment 

The change management team should evaluate the proposed change for possible risks, its priority, and its potential impact on both internal and external stakeholders.

Risks of poorly managed or implemented change can range from minor, such as projects taking longer than necessary, to severe. These can include introducing undetected security vulnerabilities, employee churn, and lower productivity or quality of work — all of which negatively impact customers and partners and can do long-term damage to your business. 

Change management controls are often put in place to prevent these types of risks. Examples include requiring a formal review and written approval before each change, enforcing proper access control and documentation, and completing testing and roll-back plans before deploying changes.

A change risk assessment can help your team more fully identify, understand, and mitigate the risks associated with a certain change initiative. 

Like other risk assessments, change risk assessments involve a few key steps:

  1. Establishing an acceptable level of risk: How much risk are you willing to accept in the process of implementing the proposed change? 
  2. Identifying and analyzing risks: Consider any vulnerabilities or threats to data confidentiality, integrity, and availability that your change might introduce, as well as the likelihood that each could be exploited.
  3. Treating risk: Decide which of the identified risks you will mitigate. Typically, this is based on risks that have both a high likelihood of occurring and a significant potential impact on the business. 
  4. Controlling risk: Design and implement controls to reduce risks to an acceptable level. These can include new processes, policies, tools, and staff training. 

3. Consistent communication

Effective communication is important for building awareness and support throughout the organization, as well as gathering feedback and addressing questions. 

Stay in close communication with employees who will be directly affected by the change, and use multiple channels to make sure your message gets through. Keep them updated on current status and any upcoming milestones. Lastly, make it easy for them to share suggestions or ask questions throughout the process. Do they feel prepared to adopt the change? Is any additional training or education needed to support employees in taking on new responsibilities, processes, or tools?

4. Clearly defined success metrics

How will you know the change has been effective? What KPIs can be put in place to monitor success? Common change management KPIs include team productivity, change testing results, the number of IT tickets or support requests received, and employee satisfaction survey results.

Say your goal is to improve the new customer experience. You want to streamline the onboarding process by 30% and improve your average net promoter score by 2 points. Those benchmarks establish a clear goal for you to measure progress against. 

5. Long-term commitment to the change

Change doesn’t happen overnight. Periodically check in with stakeholders and affected employees after implementing a significant change to gauge adoption and mitigate any backsliding.

Use any feedback to improve the process for future changes.

Download: Change management policy template

Many security frameworks including SOC 2® and ISO 27001 require compliant organizations to have a formal change management policy in place. Writing and adopting a formal change management policy is crucial in helping every employee understand their role and responsibilities for protecting company and customer data during times of major change. But drafting one can be a challenge if you don’t know where to start. 

To help, we’ve worked with our team of information security experts to create a change management policy template you can customize to your needs. 

SOC 1®, SOC 2® and SOC 3® are registered trademarks of the American Institute of Certified Public Accountants in the United States. The AICPA® Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy is copyrighted by the Association of International Certified Professional Accountants. All rights reserved.