There’s No Reward Without Risk – EY’s global governance, risk and compliance survey 2015 by EY
Looking at risk differently
Historically, risks have been categorized in many different ways. We believe that regardless of how they are organized, it is beneficial to consider risks in the context of your business and how best to respond to those risks.
By categorizing risks according to their impact on the business, organizations can change how they identify and respond to the risks they face, whether internal or external and whether their potential impact is positive or negative, and respond to each risk appropriately.
Until now, organizations have primarily focused on risks that can be managed through the implementation of controls, but offer little to no upside or benefit. However, with increasing stakeholder demands and an ever-evolving business landscape, leading organizations are now focusing more of their time and efforts on managing the risks that impact value creation.
Building a risk-aware organization
Identifying, managing and responding to risk should be an integral part of an organization’s everyday activities.
This can be achieved by applying the three risk categories: strategic, preventable and external. Our global governance, risk and compliance (GRC) survey tells us that organizations are looking for a more comprehensive, coordinated and innovative approach to enable them to successfully manage the opportunities and the hardships presented by risk. This requires transforming the way the organization views and capitalizes on risk — we call this “building a risk-aware organization.”
With the knowledge that risks are a never-ending challenge and new risks will be encountered every day, a stepped approach to risk management is required:
- Step 1. Advance strategic thinking
The first step challenges the way organizations categorize, manage and respond to risk: thinking about risk in the context of their business decisions and designing risk response plans to appropriately manage identified risks.
- Step 2. Optimize functions and processes
The second step focuses on what organizations are doing to optimally align functions by allocating talent and designing risk management processes that efficiently and effectively execute risk response plans across each of the lines of defense (see page 12).
- Step 3. Embed solutions
The third step highlights the importance of integrating sustainable solutions throughout the organization to prevent, balance or limit risk.
Advance strategic thinking to improve value creation
Organizations are not created to manage risk; they are created to generate value as part of a broader aspirational purpose. As a result, they need to focus on the risks that directly impact their purpose and business strategy.
Organizations that methodically identify, assess and respond to the risks that impact their business strategy are better equipped to define risk responses that reduce the negative impact of risk while maximizing its upward potential. They think strategically about risk.
Organizations that exhibit advanced strategic thinking:
1. Identify and assess the risks that impact their business
2. Design risk response plans
1. Identifying and assessing the risks that impact your business
Organizations need to continuously evaluate their business strategies and determine the level of risk exposure they are willing to accept in order to generate value, otherwise known as their risk appetite. This approach better enables organizations to effectively and methodically identify and assess their risk landscape in the context of their business, as depicted in the graphic on page 2. In this year’s GRC survey, 77% of respondents evaluate their organization’s risk profile only on an annual basis, limiting their ability to adjust their business strategy in response to changes in their risk landscape.
In the table below, some of the potential risks associated with each business strategy are identified, applying the three risk categories — strategic, preventable and external. Each business strategy requires taking a strategic risk in search of higher reward (e.g., high ROI). They each also introduce preventable risks that must be dealt with as a result. Lastly, external risks may exist that could negatively impact each strategy.
An organization needs to assess each identified risk to determine its likelihood, potential impact or time to realization. For example, the likelihood of a natural disaster (an external risk) occurring that could negatively impact critical IT infrastructure may be low, but the potential impact to an organization launching new customer-facing IT platforms could be catastrophic.
In another example, the likelihood and impact of disruptions to business and customer support processes arising as part of a major transformation program (a strategic risk) may be relatively high; but the benefits associated with such a program are also significant.
To make the right assessments, organizations need to directly address risk management in strategic and business planning discussions. They also need to routinely evaluate their risk profile and its impact on their business strategy, enabling the organization to readily identify new and emerging risks and adapt their strategy accordingly.
Getting organizations to think differently about the risks to their business by strategically applying the three risk categories (as depicted in the table and graphic) enables them to identify risks they may not have otherwise thought of. Organizations are able to clearly identify the key risks to “own” that not only result in negative consequences, but also those that generate value, enabling a direct linkage between risk and business performance. It is encouraging that 85% of survey respondents indicated opportunity exists to further improve the linkage between risk and business performance.
2. Designing risk response plans
Once an organization has identified and assessed its key risks, it can manage them by designing cost-effective and efficient risk response plans based on the organization’s risk appetite and each risk category — strategic, preventable and external.
For instance, the amount of risk an organization is willing to accept as part of a transformation program may be low, but disruptions to business and customer support processes could negatively impact the organization’s reputation/brand and ROI: as a result, the organization must employ cost-effective risk management to balance the mitigation of risk with the expected benefits of the program.
Likewise, an organization may be willing to accept a greater amount of risk in complying with new legal or regulatory requirements if the cost of noncompliance is relatively low or can be avoided altogether. An organization developing digital platforms to better interact with its customers can take advantage of the upward potential of risk not only by designing responses that monitor for negative publicity that could harm its reputation, but also by designing responses that monitor for positive publicity that it can capture and highlight in the marketplace.
Optimize functions and processes to effectively execute your risk strategy
Once an organization has determined its risk response plans or strategy, it needs to optimally align its functions, allocate resources and design risk management processes to efficiently and effectively execute its strategy.
Organizations have historically dispersed responsibility for risk activities to specific functions within the organization. This has resulted in silos, negatively impacting the effectiveness of risk management activities by preventing critical information from reaching key decision-makers. If a clear operating model and processes are not defined, then communication does not flow effectively through the organization.
Leading organizations optimize functions and processes by:
1. Establishing a well-defined and coordinated operating model
2. Aligning the right talent and