Turning risk into results

How leading companies turn risk into results

EY - The RISK Agenda

Companies that succeed in turning risk into results will create competitive advantage.

Risk needs to enable business performance, not simply protect the business.

They will do a better job of deploying scarce resources, make stronger decisions and reduce exposure to negative events.

Enhance risk strategy

Effective risk management starts with clarity around risk strategy and governance. It is critical for companies to have proper oversight and accountability at the board and executive levels.

An enhanced governance structure, board-level reporting and communications result in improved visibility, accountability, transparency and strategic decision-making.

Enhancing risk strategy enables organizations to more effectively anticipate risk. However, it is equally important to develop reactive strategies that enable the organization to respond quickly if a risk does materialize.

What top performers are doing right

  • Two-way open communications about risk with external stakeholders.
  • Transparent and timely communication, providing relevant information that conveys the decisions and values of the organization.
  • The board or management committee plays a leading role in defining risk management objectives.
  • A common risk framework has been adopted and implemented across the organization.

Embed risk management

Risk is inherent in every business. Organizations that embed risk management practices into business planning and performance management are more likely to achieve strategic and operational objectives.

Several years ago, many organizations were focused on mitigating risks, controlling costs, keeping the business out of trouble and protecting the brand. Today, more and more organizations are focused on developing risk management strategies that enable the business.

For the first time, we are clearly seeing organizations identify the links among business, technology and risk strategies and how they all fit together.

What top performers are doing right

  • There is a formal method for defining acceptable risk thresholds within the organization.
  • Stress tests are used to validate risk tolerances.
  • Leadership has put in place an effective risk management program.
  • Planning and risk reporting cycles are coordinated so that current risk information is incorporated into business planning.

Optimize risk management functions

As an organization changes and grows, its risk, control and compliance activities often become fragmented, siloed, independent and misaligned.

This has an impact on both the governance oversight and the business itself.

By taking the following steps, an organization can reduce its risk burden (overlap and redundancy), lower its total costs, expand coverage and drive efficiency.

What top performers are doing right

  • Completion of risk-related training is incorporated into individual performance.
  • Risk monitoring and reporting tools are standardized across the organization.
  • Integrated technology enables the organization to manage risk and eliminates or prevents redundancy and lack of coverage.
  • Overlap and duplication of risk activities have been identified and are being addressed.

Improve controls and processes

Although organizations understand the value of building controls and processes that focus on risk, many organizations still struggle to create optimal control environments that balance cost with risk.

By optimizing controls around key business processes, harnessing automated versus manual controls, and continuously monitoring critical controls and KPIs, organizations can improve performance and reduce the cost of controls spend.

What top performers are doing right

  • Lines of business have established key risk indicators (KRIs) that predict and model risk assessment.
  • Self-assessment and other reporting tools are standardized across the business.
  • Controls have been optimized to improve effectiveness, reduce costs and support increased business performance.
  • Key risk metrics have been established at the business level.

Enable risk management, communicate risk coverage

Making a move from being risk-averse to risk-ready may require a significant shift.

Organizations will want an executive champion to lead it, as well as tone-from-the-top support and executives who lead by example.

Risk management is about changing the culture of the business. Organizations will want to communicate openly and often with all stakeholders. For greater assurance, organizations should provide stakeholders with independent, third-party verification.

Organizations also need to leverage their technology for maximum benefit. This does not mean risk initiatives should be technology-led. Rather, technology should be an enabler of change. Current GRC tools have the ability to enable an entire risk agenda.

However, organizations need to ensure that any risk-focused IT strategy aligns with broader risk and business strategies.

What top performers are doing right

  • Issue tracking, monitoring and reporting are regularly performed using GRC software.
  • Risk dashboards are automated and include governance, risk and compliance indicators.
  • Risk identification and assessment are regularly performed using GRC software.