Global professional services firm EY recently published a report highlighting the ongoing revolution in corporate risk management. Titled There’s no reward without risk, the new EY report discusses how organizations today are managing a rapidly changing risk landscape, with an in-depth look at the growing trend of companies not just mitigating risk, but also “taking advantage of the upside potential of risk.”
Risk management in a Brave New World
The 2015 EY risk survey found that that most businesses today are improving the way they manage risk in response to a rapidly changing risk landscape. That said, the survey also suggested there is still further room for improvement and a number of opportunities that could be taken advantage of. To do so, however, means enterprises will have to change the way they work and how they understand and categorize risk, so they become more efficient, risk-aware organizations.
Until the last few years, most businesses have focused on risks that can be managed by implementing controls, but this kind of risk mitigation rarely offers any “upside”. That is changing relatively quickly, given greater stakeholder demands and a constantly shifting business landscape, organizations have begun putting more of their time and effort into understanding and managing risks that lead to value creation.
Strategic risks are risks that offer benefits. These kind of risks are significant to the execution of business operations and objectives, and strategic risks typically focus on the opportunity relating to the risk. As the EY report notes: “Eliminating these risks, or transferring them, is therefore not an option: it is a balancing act which requires the organization to evaluate risk vs. reward.”
Preventable risks that have only a negative impact need to be eliminated, avoided, mitigated or transferred as possible as they offer no strategic benefit. These risks per se lead to a negative impact when an event occurs and can in most cases be effectively managed using controls.
Risks that offer negative and/or positive benefits are more difficult to quantify and manage. These risks are often external and out of the control of the business. They are typically very difficult to predict as they come from outside of the organization. The good news is that this type of risk is relatively rare. That said, in most cases, businesses should take cost-effective steps to reduce the likelihood of these risks occurring as well as limit any negative impacts of the risks.
Building a modern risk-aware organization
The EY report outlines three steps to building a more risk-aware enterprise:
- Step 1 is to constantly move forward with strategic thinking. This involves challenging how organizations categorize, manage and respond to risk, both in terms of considering risk in the context of their business decisions and creating risk response plans to manage known risks.
- Step 2 is to optimize organizational functions and processes This step focuses on how enterprises can optimally align functions by allocating talent and designing risk management processes to efficiently undertake risk response plans across the various lines of defense.
- Step 3 involves systematic embedding of solutions to risks. This means integrating sustainable solutions throughout the organization to prevent or limit risk.