Changes, regardless of their scale, carry inherent risks and may pose significant risks of loss of confidentiality, integrity, and availability of data, and could thus lead to severe business disruptions. To safeguard financial entitiesas defined in Article 2, points (a) to (t) from potential ICT vulnerabilitiesmeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; and weaknesses that could expose them to significant risks, a rigorous verification process is necessary to confirm that all changes meet the necessary ICT security requirements. Financial entitiesas defined in Article 2, points (a) to (t) referred to in Title II of this Regulation should therefore, as an essential element of their ICT security policies and procedures, have in place sound ICT change management policies and procedures. To uphold the objectivity and effectiveness of the ICT change management process, to prevent conflicts of interest, and to ensure that ICT changes are evaluated objectively, it is necessary to separate the functions responsible for approving those changes from the functions that request and implement those changes. To achieve effective transitions, controlled ICT change implementation, and minimal disruptions to the operation of the ICT systems, financial entitiesas defined in Article 2, points (a) to (t) should assign clear roles and responsibilities that ensure that ICT changes are planned, adequately tested, and that quality is ensured. To ensure that ICT systems continue to operate effectively, and to provide a safety net for financial entitiesas defined in Article 2, points (a) to (t), financial entitiesas defined in Article 2, points (a) to (t) should also develop and implement fall-back procedures. Financial entitiesas defined in Article 2, points (a) to (t) should clearly identify those fall-back procedures and assign responsibilities to ensure a swift and effective response in the event of unsuccessful ICT changes.