Monday, June 30, 2025
By DEREK SMITH
Business transformation is no longer optional. Whether driven by digital disruption, market shifts or internal inefficiencies, change is constant. However, too many transformation efforts stall or cause harm because executives overlook a critical factor: Risk.
This article outlines reasons why transformation should be led from a risk-based perspective. It then explores the types of risks introduced during change, how early risk involvement strengthens planning, and the specific actions that executives can take to lead responsibly. Finally, it shares data showing why risk-aware leadership results in stronger outcomes.
Change brings exposure, not just opportunity
Transformation initiatives introduce risk. Whether it is an updated system, a vendor relationship, an expansion into another market or a shift in internal processes, exposure increases. Three key areas of exposure are cyber security, regulatory risk and operational risk.
* Cyber security becomes more vulnerable with digital platforms and third-party integrations. IBM’s 2024 ‘Cost of a data breach’ report puts the average cost at $4.45m, representing a 15 percent increase in three years.
* Regulatory exposure increases when entering new jurisdictions or launching expanded services. This may trigger licensing, data protection or anti-money laundering obligations. Poor oversight in these areas can lead to fines, investigations or business restrictions.
* Operational risk arises when automation or restructuring is done without redesigning internal controls. In these cases, small failures become systematic.
Despite the above, many companies delay involving risk professionals until after decisions are made. This leads to compliance issues, control gaps and rework that could have been avoided.
Risk should anchor the process, not chase it
Risk is not about stopping change. It is about making change more stable and better aligned with a company’s limits and obligations. A risk-based approach provides structure. When risk is integrated from the start, it becomes a strategic advantage. It improves the quality of decisions, reduces disruption likelihood and builds trust with Boards, regulators and customers.
Five practical steps to leading with risk in mind
1. Make risk part of transformational governance: Include risk leaders on steering committees. Use their input to map potential exposures and align success metrics with the company’s risk appetite.
2. De-risk before implementing technology: Review existing processes for control weaknesses before automating them. Fixing problems after roll-out costs more and causes delays.
3. Strengthen data governance and vendor oversight: Cloud-based systems and external vendors increase dependency and reduce direct control. Classify data, enforce encryption protocols and monitor vendors throughout the relationship, not just once a year.
4. Frame risk in terms of impact and outcome: Use clear, practical language when communicating with senior leadership. Explain how risks affect delivery, financials or reputation, and present mitigation options.
What the research shows
Deloitte’s 2023 Global Risk Management Survey showed that 67 percent of firms with strong risk integration had met their transformation targets. In comparison, only 42 percent of those with limited risk governance did so. Companies with mature risk programmes were also twice as likely to avoid major disruptions, with 76 percent reporting resilience compared to just 38 percent of their counterparts.
In 2024, the Financial Stability Board added further weight, stating that risk oversight during transformation is a Board responsibility. It cannot be delegated or ignored. In short, transformation must be deliberate and not rushed. When risk is part of the design, companies reduce the risk of failure and avoid costly fixes. They also send a clear message to regulators and stakeholders that change is managed strategically.
• NB: About Derek Smith Jr
Derek Smith Jr has been a governance, risk and compliance professional for more than 20 years with a leadership, innovation and mentorship record. He is the author of ‘The Compliance Blueprint’. Mr Smith is a certified anti-money laundering specialist (CAMS) and holds multiple governance credentials. He can be contacted at hello@pineapplebusinessconsultancy.com