IT change risk arises from an organization's inability to manage IT system changes in a timely and controlled manner, especially for large and complex change programs. Inadequate controls lead to incidents that go undetected. Systems become vulnerable due to a lack of testing or improper change management practices. For example, the release of insufficiently tested software or configuration changes can have an adverse effect on data (e.g., corruption, deletion) and IT system performance (e.g., breakdown, performance degradation). Weak IT architecture management when designing, building, and maintaining IT systems leads to complexity, added costs, and rigid systems. Assets that are no longer aligned with business needs also fall short of risk management requirements.
An organization's IT change risk framework should cover the risks associated with the development, testing, and approval of IT system changes, including changes to software, before they are migrated to the production environment, and should ensure adequate IT lifecycle management.