Control 1.11: Organizational Change Management and Adoption Planning
Control ID: 1.11 Pillar: Readiness & Assessment Regulatory Reference: FFIEC IT Handbook (Management), Interagency AI Guidance (2023), OCC Heightened Standards Last Verified: 2026-02-17 Governance Levels: Baseline / Recommended / Regulated
Objective
Develop and execute an organizational change management framework for Microsoft 365 Copilot deployment that addresses stakeholder engagement, communication planning, user readiness assessment, adoption metrics, resistance management, and executive sponsorship. Effective change management supports compliance by building organizational understanding of Copilot's capabilities, limitations, and regulatory implications -- reducing the risk of misuse, non-compliant AI-generated content, and governance control circumvention.
Why This Matters for FSI
- FFIEC IT Handbook (Management): Expects financial institutions to manage technology changes through structured change management processes. Copilot deployment represents a significant technology change that affects how employees interact with institutional data and generate content.
- Interagency AI Guidance (2023): Calls for institutions to maintain appropriate governance frameworks for AI adoption, including organizational awareness and accountability structures. Change management builds the organizational infrastructure for responsible AI use.
- OCC Heightened Standards (12 CFR Part 30, Appendix D): Large institutions must maintain comprehensive risk management including talent management and organizational change capabilities. Copilot adoption is a strategic change requiring structured management.
- FINRA Rule 3110: Supervisory obligations extend to ensuring supervised persons understand how Copilot-generated content fits within compliance requirements. Change management programs help build this understanding.
- Operational Risk Management: Poorly managed technology adoption creates operational risk through user errors, workarounds, and inconsistent practices. Structured change management reduces this risk.
Control Description
Change Management Framework for Copilot
A structured change management approach for Copilot deployment should address five key dimensions:
| Dimension | Purpose | Key Activities |
|---|---|---|
| Awareness | Build understanding of what Copilot is, what it does, and what it does not do | Executive communications, town halls, FAQ documents, demo sessions |
| Desire | Create motivation to adopt Copilot appropriately | Use case showcases, productivity benefit examples, early adopter testimonials |
| Knowledge | Provide information on how to use Copilot responsibly | Training programs, quick reference guides, regulatory guidelines |
| Ability | Enable effective and compliant Copilot usage | Hands-on workshops, practice environments, support resources |
| Reinforcement | Sustain adoption and compliance behaviors | Adoption metrics, feedback loops, recognition programs, ongoing communication |
Stakeholder Communication Plan
| Stakeholder Group | Key Messages | Communication Channel | Frequency |
|---|---|---|---|
| Board / Executive Leadership | Strategic value, risk management approach, regulatory posture, investment justification | Board presentations, executive briefings | Quarterly |
| Compliance / Legal | Regulatory implications, control framework, supervisory considerations, liability management | Working sessions, control documentation | Monthly during rollout |
| IT / Security | Technical architecture, governance controls, monitoring capabilities, incident response | Technical briefings, architecture reviews | Bi-weekly during rollout |
| Business Line Leaders | Department-specific use cases, productivity benefits, deployment timeline, governance expectations | Department presentations, one-on-one sessions | Monthly |
| End Users | How to use Copilot, what to do and not do, how to get help, responsible AI principles | Training sessions, email communications, intranet updates | Weekly during rollout |
| Internal Audit | Control framework, audit approach, testing methodology | Working sessions, control documentation | As needed |
| Risk Management | Risk assessment, residual risk, mitigation measures, ongoing monitoring | Risk committee presentations | Quarterly |
User Readiness Assessment
Before assigning Copilot licenses, assess user readiness across multiple dimensions:
| Readiness Dimension | Assessment Method | Minimum Threshold |
|---|---|---|
| Data hygiene | User's primary sites pass readiness assessment (Control 1.1) | Top sites remediated |
| Sensitivity label awareness | User understands sensitivity labels in their workflow | Demonstrated understanding |
| Training completion | User has completed required Copilot training (Control 1.12) | Training module completed |
| Manager attestation | User's manager attests to readiness for AI-assisted workflow | Manager sign-off |
| Role-specific requirements | Additional requirements for regulated roles (compliance, trading, client-facing) | Role requirements met |
Adoption Metrics Framework
| Metric Category | Specific Metrics | Target | Source |
|---|---|---|---|
| Activation | License assigned, first Copilot use within 14 days | >80% activation within 30 days | M365 Usage Reports |
| Engagement | Weekly active Copilot users, sessions per user per week | >60% weekly active usage | Viva Insights Copilot Dashboard |
| Feature breadth | Number of Copilot surfaces used per user | >3 surfaces per active user | M365 Usage Reports |
| Quality | User satisfaction score, perceived productivity improvement | >3.5/5 satisfaction | User surveys |
| Governance | Training completion rate, incident count, policy violations | >95% training completion, <5% violation rate | LMS, Compliance dashboards |
| Impact | Time savings, content quality improvement, meeting efficiency | Measurable improvement in pilot metrics | Viva Insights, user surveys |
Resistance Management
| Resistance Type | Common Manifestation | Management Approach |
|---|---|---|
| Fear of job displacement | Reluctance to engage with Copilot | Communicate Copilot as assistant, not replacement; focus on augmentation narrative |
| Data privacy concerns | Worry about what Copilot can access | Transparent communication about permission model and data handling |
| Quality skepticism | Distrust of AI-generated content | Emphasize human-in-the-loop design; show quality examples and limitations |
| Compliance anxiety | Fear of regulatory consequences | Provide clear guidance on compliant use; connect to compliance team for questions |
| Workflow disruption | Resistance to changing established processes | Show Copilot integration within existing workflows; provide transition support |
| Technology fatigue | "Another tool to learn" sentiment | Demonstrate concrete time savings; make learning easy with micro-training |
Executive Sponsorship Model
| Role | Responsibility | Time Commitment |
|---|---|---|
| Executive Sponsor (C-suite) | Strategic direction, resource allocation, organizational messaging | 2-4 hours/month |
| Steering Committee | Cross-functional governance decisions, issue resolution, progress review | 2 hours/month (meeting) |
| Program Manager | Day-to-day execution of change management plan | Dedicated role |
| Champion Network | Department-level advocacy, peer support, feedback collection | 2-4 hours/month per champion |
| Compliance Liaison | Regulatory guidance, policy alignment, compliance monitoring | 4-8 hours/month |
Copilot Surface Coverage
Change management applies across all Copilot surfaces, with communication tailored to surface-specific use cases:
| Copilot Surface | Change Management Focus | Key Communication |
|---|---|---|
| Microsoft 365 Copilot Chat | Primary entry point for most users | How to query effectively, what data Copilot Chat accesses, prompt best practices |
| Word Copilot | Document creation and editing | Content review requirements, label application for generated content |
| Excel Copilot | Data analysis and formula assistance | Data validation expectations, limitations of AI analysis |
| PowerPoint Copilot | Presentation creation | Quality review before sharing, branded content considerations |
| Outlook Copilot | Email drafting and summarization | Supervisory review requirements for client communications (FINRA) |
| Teams Copilot | Meeting summaries and chat assistance | Meeting transcript privacy, information barrier awareness |
| SharePoint / OneDrive | Content discovery and management | Permission awareness, what Copilot can access |
| Copilot Pages | Collaborative AI content | Sharing governance, content ownership |
| Viva Copilot | Organizational insights | Data privacy, manager vs. individual insights |
Governance Levels
| Level | Requirement | Rationale |
|---|---|---|
| Baseline | Develop basic stakeholder communication plan. Identify executive sponsor. Create user FAQ document addressing key questions (what Copilot can access, responsible use guidelines). Establish basic adoption metrics tracking (activation, usage). | Minimum change management to support informed Copilot adoption with basic executive sponsorship and user communication. |
| Recommended | All Baseline requirements plus: implement full change management framework (awareness through reinforcement). Establish champion network across departments. Conduct user readiness assessment before license assignment. Track comprehensive adoption metrics. Implement resistance management strategies. Conduct quarterly adoption reviews with steering committee. | Structured change management that supports sustained adoption with governance integration and organizational learning. |
| Regulated | All Recommended requirements plus: obtain board-level awareness of Copilot deployment and governance approach. Integrate change management with regulatory compliance program. Establish formal user readiness certification process for regulated roles. Maintain change management documentation in regulatory examination file. Conduct annual change management effectiveness review. Include adoption and governance metrics in board risk reporting. | Comprehensive change management that meets regulatory expectations for governance of AI deployment with board oversight and examination readiness. |
Setup & Configuration
Step 1: Establish Governance Structure
Create the following organizational elements: - Appoint executive sponsor (CIO, CTO, or CDO recommended) - Form steering committee with representatives from IT, compliance, legal, risk, and business lines - Designate program manager for change management execution - Recruit champion network (1 champion per 50-100 target users)
Step 2: Develop Communication Plan
Create a communication calendar aligned with deployment phases:
| Phase | Communications | Audience | Channel |
|---|---|---|---|
| Pre-deployment (8-12 weeks before) | Awareness campaign | All employees | Email, intranet, town hall |
| Pre-deployment (4-6 weeks before) | Department briefings | Business leaders | Presentations |
| Deployment (Phase 1) | Pilot launch communications | Pilot users | Email, Teams, training |
| Deployment (Phase 2-3) | Expansion communications | Next wave users | Email, Teams, champion outreach |
| Post-deployment (ongoing) | Adoption updates, tips, success stories | All Copilot users | Newsletter, intranet, Teams |
Step 3: Implement Readiness Assessment
Create readiness assessment criteria and tools: - Define readiness dimensions per user role - Build assessment checklist (digital form recommended) - Establish approval workflow for license assignment - Track readiness completion rates
Step 4: Configure Adoption Monitoring
Set up adoption metrics dashboards: - Microsoft 365 Admin Center > Reports > Usage for activation and usage data - Viva Insights Copilot Dashboard for detailed usage analytics - Custom Power BI dashboard for governance-integrated metrics - User survey tool for qualitative feedback collection
Step 5: Launch and Iterate
Execute change management in alignment with deployment phases: - Launch awareness campaigns before each deployment phase - Conduct training sessions (see Control 1.12) before license assignment - Monitor adoption metrics weekly during initial rollout - Adjust communication and support based on feedback and metrics - Conduct retrospectives after each deployment phase
Financial Sector Considerations
- Regulatory Communication: Include regulatory context in all stakeholder communications. Financial services employees need to understand that Copilot operates within a regulated environment with specific compliance expectations that differ from general enterprise AI adoption.
- Compliance Team as Partners: Position the compliance team as enablers rather than gatekeepers. Early and deep compliance involvement in change management builds trust and avoids adversarial dynamics during deployment.
- Client Communication Sensitivity: Client-facing employees (relationship managers, advisors, traders) require additional change management attention due to the regulatory implications of Copilot-generated client communications (FINRA 2210, SEC Reg BI).
- Union and Labor Considerations: Some financial institutions have unionized workforces. AI deployment change management may need to address collective bargaining considerations and labor agreement provisions.
- Merger Integration: If the institution has recently completed a merger, change management should account for differing technology maturity and cultural norms across legacy organizations.
- Examination Communication: Prepare a concise briefing document that summarizes the institution's Copilot change management approach for regulatory examiners. This should be ready before the first post-deployment examination.
Verification Criteria
- Executive sponsor has been identified and is actively engaged in Copilot deployment oversight
- Stakeholder communication plan has been developed and is being executed per deployment phase
- User FAQ document or guide has been created and distributed to target user populations
- Champion network has been established with representatives across deployment departments (Recommended and Regulated levels)
- User readiness assessment process is defined and being applied before license assignment (Recommended and Regulated levels)
- Adoption metrics are being tracked and reviewed at established cadence (weekly during rollout, monthly ongoing)
- Resistance management strategies have been identified and are being applied as needed
- Steering committee is meeting at established cadence and reviewing adoption progress (Recommended and Regulated levels)
- Board-level awareness of Copilot deployment has been established (Regulated level)
- Change management documentation is maintained and accessible for regulatory examination (Regulated level)
Additional Resources
- Microsoft Learn: Microsoft 365 Copilot Adoption
- Microsoft Adoption: Copilot Success Kit
- Microsoft Viva Insights: Copilot Dashboard
- Prosci ADKAR Model (referenced framework)
- FFIEC IT Handbook: Management
- Related Controls: 1.12 Training and Awareness, 1.9 License Planning, 4.12 Change Management for Rollouts
- Playbooks: Playbook 1.11.1 (Communication Plan Template), Playbook 1.11.2 (User Readiness Assessment Checklist), Playbook 1.11.3 (Champion Network Guide), Playbook 1.11.4 (Adoption Metrics Dashboard Setup)
FSI Copilot Governance Framework v1.2.1 - March 2026