Business transformation: creating value through risk management and controls
Thoughtful risk management can maximise ROI of a transformation, help maintain effective controls during the transformation and optimise the control environment in its steady state.
Once associated with the periodic undertaking of discrete projects, the concept of business transformation has evolved, expanded, and, well, “transformed”. Disruptions ranging from emerging technologies to remote work have converged with external forces, such as supply chain disruption and the prevalence of inorganic growth models, to pressure businesses to continually evolve and adapt.
Many business leaders have responded to internal and external disruptions and the demand for growth by launching transformation programs or a broader agenda that, for example, implemented a new enterprise resource planning system, digitised their finance function, modernised procurement or accounts payable processes, moved certain legal and HR data to the cloud, or worked through a merger or business outsourcing program. These business transformations, regardless of scope or complexity, have often helped enterprises meet strategic goals, improve ROI, and — at times — provide the resiliency to continue operations.
However, corporate leaders are not yet done. The continual nature of transformation is emphasised in the findings of the Deloitte 2023 MarginPlus Survey, where more than 90 per cent of surveyed executives indicate their organisations are investing in permanent transformation capabilities to support their strategic agendas. Further, 59 per cent are looking to accelerate spend on transformation, while 44 per cent are seeking to expand the scope of transformation within their organisations.
If there is a significant takeaway from the experiences companies have had with transformation efforts, it is likely related to risk management and the importance of a multitiered risk management program. Done effectively, such a program prompts leaders to consider risks at project inception. For example, they might think about embedding risk management strategies and tactics into the planning process to capture intended benefits, accurately reflect investment returns, and manage compliance and other risks throughout the project and when the implemented solution is up and running.
Risk Management Duo
Many companies can benefit from a risk management program that addresses two key sources of risk — one related to the substantial transition under way during a transformation initiative and the other related to management of the risks and controls during the transformation and enhancing the future steady state.
Consider how the two main risk management areas relate to transformation projects.
Transition risk management focuses on identifying and addressing potential impacts related to the planning, execution, and implementation of the transformation itself. These are risks that could prevent a project from meeting its intended goals and benefits. For example, they might include the level of uncertainty related to the project, the amount of behavioural change required, and time or resource constraints. These risks, if left unchecked, could result in missed objectives and unrealised benefits.
To effectively manage transition risks, leaders should think through the complexity of the transformation and tailor their project management and governance approach based on that assessment. For instance, is the project domestic or global? Who and how many individuals will be affected? How does the project align with broader business strategy?
Based on the complexity of the project, risk management leaders can determine what controls are required to manage the transition. With greater complexity comes a need for heightened project governance and associated controls.
This might include several decisions, such as the level of stakeholder management and the level at which project decisions should be made, identification of adequate and committed resources, an understanding of the impacts of change to the business, and a strong plan to communicate the effects of the change to internal and external partners.
Leaders may also want to consider the cadence and scope of stage-gate reviews or checkpoints to periodically determine the health of the project, whether it is meeting stated objectives, and whether the project is ready to move to the next phase or sprint.
Risk and controls management focuses on the processes and systems that are being transformed, the transformation’s potential impacts to the business, and both maintaining an effective controls environment during the transformation and enhancing controls in what leaders expect to be the steady state — that is, the transformed process.
Depending on the size, scope, and complexity of the transformation, there may be strains on the business to deliver the project and business-as-usual processes and controls. It’s important to understand which risk domains, including compliance requirements, will be affected by the project and how it could affect the organisation’s current risk profile.
For instance, new or emerging risks — such as hand-offs with a third party, advanced technologies, talent retention, or added operational complexity — may be an unintended by-product of the transformation. Similarly, new controls may be enabled or required, which if not planned upfront can be expensive to retrofit after the fact.
A transformation program may unveil opportunities for enhancing the control environment, such as standardising controls globally across business units so that risks can be addressed in an easier or more streamlined fashion. It may also provide an opportunity for elevating where and how certain controls are performed or for considering which controls would be good candidates for automation.
Business transformations can also enable risk management professionals to extend their expertise into additional risk domains — for example, into operational risk.
Governance policies and frameworks may also need to shift, and — if so — they may be ineffective or create friction if relevant stakeholders have not been involved in the decision-making. Establishing a foundation for monitoring roles and for evaluating whether internal controls are operating as intended during and after the transformation is also essential for achieving transformation goals.
If the goal of the business transformation is ultimately to generate ROI in the form of greater efficiency, security, and resiliency, then leaders will likely need to address two critical risks in concert: those associated with the transition to a new way of working, and those related to supporting the transformation with a strong risk and controls environment.
— By Geoffrey Kovesdy, principal, Kristen Heikkinen, managing director, Shelby Millican, senior manager, and Nichol Astillero, manager, all with Deloitte & Touche LLP; and Steve Peck, partner, and Jane Connor, director, both with Deloitte Canada.
As published by the Deloitte US Chief Financial Officer Program in the 26 October 2024 edition of The CFO Journal in WSJ.