Global Risk Transformation series

How can reimagining risk prepare you for an unpredictable world?

Authors

Scott McCowan

EY Global Consulting Risk Markets Leader
Famke Krumbmüller

EY-Parthenon EMEIA Geostrategic Business Group Leader
Gautam Jaggi

Director, Business and CXO Insights, Ernst & Young LLP

25 minute read 10 Sep 2025

Related topics

Strategy by EY-Parthenon

Forward-thinking Risk Strategists are positioning their organizations to thrive in a more complex operating environment.

In brief

We are in a risk environment that’s increasingly nonlinear, accelerated, volatile and interconnected.
While six in 10 firms agree risk management must transform to adapt to the new risk climate, only 14% have completely changed their approach.
A group of “Risk Strategists” are achieving better outcomes — and their best practices provide valuable insights for others.

What if we told you a group of companies has seemingly cracked the code for navigating through these turbulent times? They’re half as likely to be surprised by external shocks, and a third better at swiftly identifying incidents and mounting a rapid response.

These firms aren’t luckier. They’re not operating in safer markets. They’re simply approaching risk differently.

These companies are led by “Risk Strategists,” who integrate risk with strategy, and approach risk with an entirely different mindset.

The need to align risk and strategy has grown in recent years, as a series of global shocks has fundamentally reshaped risk. Many materialize seemingly overnight — from leaps in AI to successive geopolitical shocks. They can set off cascades of downstream impacts, culminating in often-unexpected outcomes. Increased volatility is visible in trends ranging from tariff uncertainty and “fast fashion” to extreme weather.

“The risk environment has completely changed since the pandemic,” says Michael Berberich, Vice President, Group Risk Management & ICS at Fresenius Group. “Before this shift, we were focused mostly on reporting financial risks. Now, we are responding to a spate of crises. These aren’t simple one-off incidents; they are instead deeply interconnected with other risks, creating implications for everything from supply chains and energy prices to sanctions compliance. And, compared to a few years ago, we are now in a world where multiple crises strike at the same time — stretching risk functions thin, and challenging us to do more with less.”

We call this the NAVI world, after its four defining characteristics. This is an environment in which risks are increasingly:

Nonlinear, triggering sudden tipping points that can catch companies by surprise
Accelerated, demanding increased speed of response
Volatile, with frequent changes in direction that test companies’ agility
Interconnected, setting off multiple Nth-order downstream impacts and risks

Since 2020, mentions of NAVI-related keywords in companies’ public documents have jumped by 50%, and have remained elevated.

This environment requires profoundly rethinking foundational elements of business, since many existing practices will no longer be fit for purpose. Two of the biggest are strategy and risk management.

“In a world of accelerated change and increased volatility, effective transformation requires a dual approach,” says Errol Gardner, EY Global Vice Chair – Consulting. “This involves not only the foresight to develop comprehensive multi-year plans but also the agility to implement shorter, adaptive sprints. Organizations should embrace this balance to navigate risks and seize opportunities, ensuring that their transformation efforts are both visionary and responsive to the evolving landscape.”

Meanwhile, traditional risk management is fundamentally misaligned with the NAVI world, requiring a significant overhaul. In a time of accelerating change and increased volatility, it relies on slow and intermittent processes. In a world of increased interconnectivity, it is both siloed across the enterprise and inclined to manage risks as independent, not interconnected, forces. In an environment of nonlinear change, it has been slow to adopt methodologies suited to identify low-probability risks, or model and manage nonlinearity.

But thriving in the new risk environment doesn’t just entail new approaches to strategy and risk management — it also requires aligning the two like never before. Companies will thrive amid this increased volatility and uncertainty with strategy that is risk-informed, and risk management that is aligned with strategic objectives and metrics. This symbiosis is at the heart of the Risk Strategist.

This article, the first in a new EY Global Risk Transformation series we are launching this year, explores the symbiosis of risk and strategy by identifying and learning from the behaviors and mindsets of Risk Strategists. In the current environment, all stages of the risk management lifecycle — identification, assessment, response and governance — are critical. The focus of this first article is on the sensing, foresight and adaptation capabilities that become the decisive edge, enabling organizations to anticipate risks earlier, adapt faster and respond with greater precision.

This is relevant not just for professionals within the risk management function, but also for executives from across the C-suite, senior leaders in business units, and members of the board and relevant committees. For some years, approaches such as enterprise risk management (ERM) and the “three lines” model have emphasized that risk management is a team sport. This is even truer in the NAVI world, where the alignment of risk and strategy across the enterprise is a key growth driver.

The 2025 EY Global Risk Transformation Study is based on a combination of quantitative and qualitative research.

Quantitative research included a survey of 1,200 risk professionals conducted by the global EY organization in April and May 2025. Respondents span 21 sectors and 12 countries and represent organizations with over $1 billion in annual revenue. To participate in the survey, risk professionals were required to have responsibility for risk management at their organization with a role in their organization’s C-suite, head of business unit, board member, or part of audit, risk, compliance, or nominating and governance committees.

Qualitative research included more than 40 interviews with risk professionals, including 28 with senior risk management executives, as well as over 15 with leaders from the EY Risk Consulting practice. Some of these interviews form the basis for guest perspectives by Risk Strategists that are featured in this article.

In addition, this research was informed by the annual EY Risk Transformation Awards, conducted by EY member firms across several markets, which helped identify innovative risk management practices and Risk Strategist organizations. Other EY research also contributed to the study, in particular the EY-Parthenon Geostrategy in Practice Survey 2025.¹

Total Lunar Eclipse

1

Chapter 1

Risk Strategists and Risk Traditionalists

A cohort of the study’s respondents take a fundamentally different approach to risk, better preparing them for an unpredictable future.

To better understand the changing risk environment and how organizations are transforming their risk management practices to adapt to the new operating environment, the global EY organization conducted a survey of 1,200 risk professionals (see “Research methodology” for details).

We found that, while the future of risk management may already be here, it isn’t evenly distributed. Many organizations are still approaching risk management with a compliance rather than strategic mindset.

However, we identified a subset of respondents, “Risk Strategists,” whose relationship between risk and business strategy and growth is reciprocal. They not only align the risk function with their organization’s strategy but also inform strategic decisions with risk insights to drive business growth. Unlike their “Risk Traditionalist” counterparts, Risk Strategists have aligned risk with the business and are making the investments needed for success in the new risk environment. The Risk Strategist mindset begins with the individual but, can define risk functions — and ultimately entire organizations — through vision, cultural change and incentives.

To help us identify companies that closely link risk with strategy and the business, we captured the extent to which organizations:

Align the risk management function with overall business strategy.
Make business decisions based on a risk-informed strategy.
Incentivize risk management professionals using business metrics.
View risk management as an enabler of business growth.

After running latent class segmentation to understand how the responses to these questions were grouped, we created an index to reflect these relationships. Each question was asked on a five-point scale and we scored each response based on level of agreement or the extent the statement describes their organization. Aggregating these scores and normalizing the scale from 0 to 100 formed the basis of the index. Through statistical testing, we identified Risk Strategists as the top 32% of index scores and Risk Traditionalists as the bottom 25%.

Risk Strategists are ahead at recognizing and responding to NAVI

Risk Strategists are consistently more aware of changes in the post-pandemic environment. Not only do they recognize the risk climate has become more nonlinear, accelerated, volatile and interconnected, they are also more likely to have controls in place to address these changes.

This reflects a broader shift in their organization’s approach to risk management in response to these shifts, with 58% of Risk Strategists having moderately or completely transformed their approach in the post-pandemic risk environment (versus 36% of Traditionalists). This includes 20% that have completely transformed their approach (versus only 7% of Traditionalists).

Risk Strategists are achieving better outcomes

The new risk environment is having material impacts on business outcomes. The EY-Parthenon Geostrategy in Practice Survey 2025 finds political risk has negatively impacted sales and revenue for 54% of organizations, while 52% say geopolitical risk has caused them to delay or cancel a planned investment or divestment. According to APQC, average financial losses resulting from risk events were 1.9% of revenue in 2024.² For an average Global Fortune 500 company, this amounts to $1.6 billion in losses.

Against this backdrop, Risk Strategists are showing resilience and achieving superior outcomes as a result. Strategists outperform Traditionalists by the widest margins on metrics that are most critical for resilience in the new risk environment, such as reduced proportion of risks that are unexpected, risk accountability and culture, and better incident identification and response time. The smallest gaps are in cost of risk management activities, operational efficiency, and compliance with regulatory requirements, indicating that Traditionalists view risk management mostly as a cost center and a compliance exercise.

Financial services institutions, particularly banks and insurers, are recognized as leaders in risk management, and for good reason. Their core business revolves around managing or pricing risk. The sector is highly regulated. Regulations such as the Basel Capital Accords, the US’ Dodd-Frank Act, and the EU’s Digital Operational Resilience Act, combined with active supervision by regulators, mandate stringent risk management standards, practices and controls. Quantitative analysis is a core competency for financial services firms, allowing them to more readily adopt sophisticated risk management models and tools.

Indeed, the survey results show that financial services companies are ahead of other sectors when it comes to key metrics, such as adopting innovative approaches and frameworks, as well as having appointed a CRO and, more critically, giving the CRO a strategic and equal voice in the C-suite. Data from the 2024³ and 2025⁴ editions of the annual EY/Institute of International Finance global bank risk management survey of CROs highlight just how strategic CROs at financial services firms are, managing a wide spectrum of risks and playing a range of roles.

However, in our survey, financial services respondents assessed themselves as no better than companies in other sectors in their ability to respond to emerging risks of the new risk environment. Even companies that are clear leaders in many aspects of risk management recognize the risks associated with complacency and the need to remain vigilant to maintain their leadership in the NAVI world.

Read more

“Viewing strategic decision-making through the lens of geopolitical and other risks puts companies in a stronger position to drive organic and inorganic growth,” says Oliver Jones, EY-Parthenon Global Strategy and Transactions Markets, Sustainability and Geostrategy Leader. “A better understanding of risks enables companies to have a stronger M&A appetite and carry through on their planned transactions at a higher rate. Aligning risk and strategy makes it more likely that strategic plans will stay on course and deliver their intended return on investment.”

Obstacles faced by Risk Traditionalists

Many organizations — and especially Risk Traditionalists — face significant obstacles to risk transformation.

A key constraint is the mindsets of those in the risk function. Risk management has historically attracted professionals who tend to be cautious and risk-averse. Much of risk management is driven by consensus, both in identification of risks and in the approaches used to manage risk. In the words of the CRO of a leading financial services company, “the challenge is how to change the mindset from ‘we are just checking the box on regulation’ to being an added value.”

This mindset problem is particularly acute among Risk Traditionalists. While 62% of Risk Strategists say that “risk management attracts individuals with conservative mindsets rather than innovative ones,” only 40% of Traditionalists agree. When it comes to mindsets, Risk Traditionalists aren’t just further behind in addressing the issue; many don’t even recognize there is an issue to fix.

As a result, many Risk Traditionalists are guided by tradition and inertia, and are more likely to stick with legacy ways of operating. As one risk leader at a manufacturing company expressed candidly in their interview with us: “I know I need compliance. I need risk management because it’s the law, but that’s all I care about.”

Traditionalists are less likely to adopt risk management approaches and methods suited for the new risk environment. They are half as likely as Strategists to agree that in the coming months and years, it will be important for employees in the risk function to use nontraditional modalities and frameworks (37% of Traditionalists, versus 75% of Strategists). By similar margins, Risk Traditionalists are also less likely to say that it will be important for employees in the risk function to be innovation-oriented (42% of Traditionalists, versus 73% of Strategists).

Several structural problems undermine the ability of companies to transform risk management. Many Traditionalist firms have a siloed or fragmented organizational structure. They frequently lack a cohesive view of risk and clear ownership of risks. Risk Traditionalists are less than half as likely to say that there is a clear owner responsible for each type of risk their organization faces (27% of Traditionalists, versus 66% of Strategists) or that their CRO has equal standing with other C-Suite officers (25% versus 76%).

Finally, a perennial challenge for risk functions is measuring and demonstrating value. Risk has traditionally been viewed as a cost center in organizations, and a big reason is that it is hard to quantify much of the value risk management delivers to the business. How do you measure the value of preparing for something that never happened? How do you evaluate up-front investments in mitigating risks that will likely play out over many years or decades?

“The trouble with functions that support essentially a governance-related role is you're doing fine when nothing happens,” says a CRO at a company in the healthcare and pharmaceuticals sector. “And it’s very hard to celebrate that nothing is happening. It won’t really be seen as a success. You still cost the same to the organization. And then when something happens, usually it’s something negative — you’ve either lost money, you’ve been scammed, you’ve been hit with a big fine, and you have to pay contractual penalties.”

To the extent they are used, risk value metrics tend to be easily available numbers (such as reductions in insurance premiums or regulatory fines) or confined to domains where it is easier to measure the number of incidents and the quality of response (such as cybersecurity). These measures significantly understate the value the risk function delivers to the enterprise.

Overcoming this challenge is more important than ever. Measuring the value delivered by the risk function can change how it is perceived in the rest of the organization, and increase willingness to invest in risk transformation as a driver of strategic growth.

“A lot of people see compliance or risk as just an insurance policy in case something goes wrong,” says the CRO of a technology and telecommunications firm. “But when I can show them some return on investment … and how it actually works and gains ground, I get more credibility; I can get resources.”

These obstacles can be a pernicious challenge. For Risk Strategists, the convergence of strategic mindsets, innovative cultures, coordinated incentives, and aligned organizational structures creates a positive feedback loop and makes it easier to demonstrate value delivered to the business. For Traditionalists, the opposite is true: the lack of all these positive factors creates a negative cycle that is hard to break.

The good news is that we are in a moment when it may be easier to break out of this traditionalist trap. As organizations grapple with the challenges of operating in the new business climate, closer alignment between risk and strategy can help address many of these challenges. This creates an opportunity to directly demonstrate the value delivered by risk and create the business case for the investments needed to transform into a Risk Strategist organization.

Risk transformation is an extended journey, but there are concrete actions you can take now to get started. (For more, see Chapter 3.)

Arch of the milky way in a lavender field

2

Chapter 2

Building a Risk Strategist organization

Risk Strategists employ certain approaches and best practices that help their organizations outperform their peers across risk metrics.

risk

risk
Read more

Value and vision

“At the center of any successful transformation is value,” says John van Rossen, EY-Parthenon Global Strategy and Execution Leader. “It begins with value identification: articulating a precise and purposeful vision of the value opportunity you plan to pursue. Achieving this opportunity requires value orchestration — aligning people and capabilities from within and beyond your organization, and iterating between strategic goals and execution when turning points in the process require intervention. And ultimately, of course, the goal of transformation is value realization — achieving tangible and enduring results by, among other things, focusing on details such as the human aspects of change experience.”

This value-based approach can be challenging for many risk functions and, by extension, for risk transformation. As already discussed, the value of the risk function has historically not been well quantified or articulated — making value identification challenging. In addition, organizational alignment has often been lacking — such as across business functions or between risk and strategy — which can hamper value orchestration.

To the extent this is a challenge for risk functions, it’s a useful one, because becoming a Risk Strategist is, at its core, about driving value for the rest of the enterprise. Leaders can enable the shift by framing key questions about their transformation in value-first ways.

Start by developing a vision that articulates the future state of risk management for your enterprise. Organizing around four key principles — business-focused, aligned, nimble/curious and technology-enabled — will both make the risk function more strategic and help identify, orchestrate and realize value. These principles are discussed in greater detail below.

Once you have a workable version of your future vision, the next step is to chart a course to get from here to there. Future-back planning is a critical tool for this, and particularly valuable in overcoming failures of imagination and incremental thinking. This flips the script on the traditional business planning process — which typically starts with your current state, then develops plans to drive organic and inorganic growth and build out to a future state. Future-back planning instead starts with your future state, then identifies what additional assets and competencies you will need to succeed in that future state, and creates a plan to fill gaps and make investments to build these new competencies.

Future-back planning therefore inevitably involves answering several questions related to investments in capabilities and assets. Frame each in value-centric ways. What elements of risk transformation do you see as most strategic and value-adding for your business? When, and to what extent, should your risk function invest in AI and other technologies to realize the most value? Which risk management methodologies are most strategic and value-adding? How could you partner with external parties to orchestrate value?

Key principles for building a strategic risk organization

Risk Strategists will identify, orchestrate and realize value by building organizations that are defined by some core principles. While the specifics of risk transformation will vary from one company to the next, these four principles provide some general guidance for what good looks like. They are recurring themes across Risk Strategist approaches, as identified from survey responses and multiple interviews.

Business-focused
Aligned
Nimble and curious
Technology-enabled

We are confident we can be nimble and ready for whatever comes our way.

Chief Risk Officer, European utilities company

The below perspective was written by the Chief Risk Officer of a European utilities company.

While the risk environment has changed dramatically in the post-pandemic world, our company already had practices in place that allowed us to respond to external shocks more nimbly than most firms.

We are in the utilities sector, so we make large investments, often with a lifespan of 60-80 years. These assets are fixed in place — you cannot relocate a hydropower plant like you can an automotive factory. This gives us a longer-term and more strategic perspective on risk.

We initiated an ERM program in 2000. Over time, we expanded the use of multiple methodologies to focus on strategic and emerging risks, including risk appetite frameworks, risk-bearing capacity, stress testing, and early warning indicators.

Using these methodologies has allowed us to be more resilient to multiple external shocks, from the pandemic to tariff uncertainty. This starts with having a culture and mindset where we take risks seriously early on. Often, there are signals that predate the risk’s emergence, and paying attention to them is critical. We first added pandemic risk to our risk register after the Asian bird flu outbreak of 2003. President Trump communicated his intent on tariffs during the campaign, long before they were first implemented. The European energy crisis started about six months before it really hit.

With this early identification in place, we can respond quickly when we see the first signs of a risk’s emergence. When the energy crisis started to become real, we initiated weekly calls and set up extra lines of credit. We began discussing the COVID-19 pandemic in earnest in January 2020 and, by the time it went global in March, we were ready to move quickly. We developed several growth scenarios, which we tied back to potential impact on demand, interest rates, electricity prices, supplier bankruptcies, and so on. We continued to monitor the situation and evaluate the impact on our strategy. The pandemic did not limit our business — to the contrary, because of our approach aligning risk and strategy, we could afford to be more aggressive with strategic moves during the crisis.

In recent years, our risk management and strategy have become even more connected. We prioritize demonstrating how our risk approach adds strategic value, which builds support from the top of the organization. As our company undertook more mergers and acquisitions, the risk function increasingly became part of due diligence for any big investments. We now produce risk management reports for all our M&A targets. The same holds true for other future challenges like climate change — our focus is not only on regulatory compliance; we aim to create value and be resilient for the future, which is reflected in an aligned and forward-thinking approach in our risk management and company strategy, to tackle this major task.

Our approach continues to evolve in the new risk environment. We are looking more closely at analyzing interconnections between different risks to understand their direct and indirect consequences. Our short-term risk management, which traditionally relied on quarterly reports, has become more real-time. You can no longer wait until the end of the quarter to write a report. You have to make quick calculations and move swiftly. Speed is more important than being perfectly precise.

We don’t expect to identify every black swan out there. But, with an approach that takes emerging risks seriously early on, uses multiple analytical methodologies, and closely aligns risk management with strategy, we are confident we can be nimble and ready for whatever comes our way.

1. Business-focused

“At its core, a strategic risk enterprise is one that’s focused on supporting the company’s strategy and growth,” says Rohit Mathur, EY EMEIA Risk Consulting Leader. “Risk Strategists drive value for the business — for instance, by enabling informed risk-taking and innovation, or boosting business resilience and competitive advantage. They see risk management as a business catalyst, not a compliance exercise.”

This focus on driving value for the business is visible across our survey results and Risk Strategist interviews. These companies recognize that an approach focused primarily on regulatory compliance is no longer sufficient. Regulations are generally slow to evolve, making them lagging indicators that reflect past crises, not future risks. In a world where those future risks are evolving faster than ever, waiting for regulatory guidance means you’re already behind — while focusing exclusively on compliance can create a false sense of security.

2. Aligned

Another recurring theme with Risk Strategists is their focus on achieving an aligned risk perspective across the enterprise and various business functions — critical for orchestrating and realizing value. The LEGO Group, for instance, uses cross-functional forums with representation from a wide variety of business units to better identify risks and explore their implications from multiple perspectives.

Risk Strategists also seek to align risk with strategy. “Our approach to ERM is increasingly focused on the intersection of risk, strategy, and performance,” says Shannon Clark, Director of Enterprise Risk at Corning Incorporated. “While we maintain a dynamic risk inventory, our emphasis is on fostering real-time conversations that prioritize the most relevant risks and their strategic implications, ensuring alignment with corporate performance and long-term value creation.”

Risk Strategists are more than one-third more likely to leverage risk appetite frameworks (55% versus 40% of Risk Traditionalists). They use these frameworks to define, in strategic terms, the level of risk their organization is willing to accept in pursuit of its objectives. When aligned with strategy, risk appetite becomes a growth enabler — not a compliance exercise — equipping the C-suite to make bolder, more informed decisions.

Achieving alignment across the organization requires building a pervasive risk culture — a critical focus and a theme that emerged repeatedly in our interviews with Risk Strategists.

In a world that’s more accelerated and volatile, we need to think of risk and strategy in new ways.

Chief Audit Executive

US manufacturing company

The below perspective was written by the Chief Audit Executive of a US manufacturing company.

The risk environment has changed extensively. It’s more volatile than ever before. The number of major risk events — everything from wars to climate events — is higher than at any point I can remember.

Technology is moving at an accelerated pace — this demands we be more agile, but with this agility comes increased risk. How do we ensure we meet the same standards and adopt technology with appropriate rigor? The talent landscape has shifted — we now routinely hire people we may never meet in person. How do we validate that they are who they represent themselves to be, and how do we ensure they aren’t working for several employers simultaneously?

In a world that’s more accelerated and volatile, we need to think of risk and strategy in new ways. Leaders no longer have the luxury of a three-year or five-year strategic plan. You can develop a data strategy and see it become obsolete within months — well before you’ve even had a chance to implement it.

In a world of nonlinear change, leaders need to constantly ask what’s around the corner. EY is helping us build a dynamic risk assessment to bring together multiple inputs — external and internal factors, key business metrics, stakeholder interviews, etc. — with a risk scoring methodology. This will help us identify the right risks for today; but building the ability to truly peek around the corner will take more. This ultimately needs to become a continuous process, so that if something changes, we can respond quickly and proactively.

Organizational alignment on risk is more important than ever. For the first time, we have defined a common taxonomy for risk. In the year ahead, we aim to streamline risk assessments so there’s just one point of view on each risk in the organization. I work closely with every function to understand their view on risk, including with the ERM organization. The ultimate opportunity, and need, is to align risk and strategy at the highest levels of the organization. We need to empower our executive leadership team to see how our strategy connects to our risk assessments, and how our view on risk can drive our strategy.

3. Nimble and curious

In the new operating climate, building a strategic risk organization requires developing processes and abilities to respond more quickly to fast-changing circumstances, as well as fostering the organizational curiosity to envision and prepare for multiple outcomes and downstream impacts.

Some firms are moving beyond quarterly reviews to more real-time and responsive approaches. The vast majority (84%) of Risk Strategists are using scenario planning to explore and prepare for multiple risk trajectories and outcomes. Three-fourths (74%) of Strategists say it will be important for their organization to prepare for unpredictable disruptions with an agile approach, compared to 41% of Traditionalists.

Building organizational curiosity also requires developing a comprehensive view across different types of risk. While many are understandably emphasizing geopolitical risk at the current time, companies should not lose sight of the fact that risks in the NAVI operating environment can also emerge from other drivers, such as technological, environmental or demographic shifts.

“Don’t focus on geopolitics at the expense of other drivers of risk,” says the Chief Audit Executive of a US manufacturing company in the energy industry. “If you have an overly narrow focus, you can put your strategy at risk. For instance, in our business, we track not just geopolitical risks but also risks related to the impact of GenAI on electricity demand, regulatory uncertainty and the speed of the energy transition, and the impact of interest rate volatility on project funding.”

Finally, organizational curiosity involves openness to experimenting and innovating to increase adoption of the risk management methodologies discussed earlier. As a CRO at a technology and telecommunications company put it, “from a risk standpoint, the fact that it worked yesterday does not mean that’s the right answer tomorrow. So, be really vigilant about not getting lulled by your success.”

4. Technology-enabled

“AI is both a catalyst for risk transformation and a critical tool for making the enterprise resilient and adaptive in a more complex risk environment,” says Amy Gennarini, EY Global Risk Consulting Technology Leader. “This includes everything from enhanced risk identification and predictive modeling, to unlocking insights from unstructured data, or enabling more sophisticated scenario planning.”

The use of technology varies across the Risk Strategists we interviewed. Some are achieving gains through technology adoption — such as the LEGO Group, which increased organizational alignment by incorporating risks and scenarios into Power BI dashboards already in use across business units, or Fresenius, which reinvented its scenario generation process from a weeks-long manual exercise to one that can be done in a couple of hours using a large language model (LLM).

Others have taken a wait-and-see approach to adopting AI — for instance, because of concerns about investing in platforms that could quickly be overtaken by newer models with more advanced capabilities, or difficulties in making the business case for investments. But, regardless of their current adoption levels, Risk Strategists recognize the potential of AI to revolutionize risk management and see it as a competitive differentiator in the near future.

AI and predictive analytics let us define and develop scenarios in hours, not weeks.

Michael Berberich

Vice President Group Risk Management & ICS, Fresenius Group

The below perspective was written by Michael Berberich, Vice President Group Risk Management & ICS at Fresenius Group.

At Fresenius, we use a scenario-based approach to identify low-likelihood risks that could quickly develop into substantial threats.

We identify risks through continuous monitoring of global developments. For each risk, we develop three to four scenarios with differing assessed likelihood. We add company-specific data to these scenarios to analyze the likely exposure for Fresenius — and then prioritize them based on this assessment. The highest priority ones are presented to senior decision makers, while the others remain in our stockpile, and can quickly be deployed as needed if circumstances change.

In a rapidly changing and volatile environment, we use ongoing monitoring and defined scenario-specific triggers to track developments. The frequency and time frame for this monitoring can change as needed. Amid the US tariff volatility, we were assessing the situation and conducting updates on a daily, sometimes even hourly, basis.

Initially, scenario development was a laborious and manual process. It could take up to two weeks to develop a scenario, and an additional week or two to enhance and customize it with our data. Now, AI and predictive analytics let us define and develop scenarios in hours, not weeks, and the technology can prepare large numbers of scenarios simultaneously. If we decide to develop our own LLM in the future, we could also streamline the process of customizing scenarios with our company data, but we are not there yet. Agentic and newer AI models will take these capabilities to the next level. For instance, more advanced AI capabilities could help identify blind spots and gaps in our risk register.

In today’s risk environment, it’s more important than ever to stay close to the business. Risks happen in the business and the regions, not in the ivory tower of corporate headquarters. We launched a risk culture campaign three years ago to drive a cultural shift across the enterprise. The message to employees is that risk is good, and we encourage our people to actively identify and report risks. In an increasingly complex risk environment, making risk awareness pervasive across the enterprise is more important than ever.

Read more

NAVI-aligned risk management methodologies

Becoming a Risk Strategist will inevitably involve adopting and scaling up risk management methodologies most aligned with NAVI. We asked survey respondents about their adoption of several methodologies, which can be grouped into four categories:

Foundational building blocks

These are the core hard-wiring of Risk Strategists — they increase alignment across the enterprise and take stock of risks, controls and risk appetite. While familiar, they have newfound importance amid an increased imperative to align risk and strategy across the organization.
Relevant methodologies: ERM, IRM, risk appetite frameworks, risk registers and assurance mapping

Scanning and early warning

These help organizations increase readiness by scanning more widely or continuously for risks and building early detection capabilities.
Relevant methodologies: horizon scanning, sentiment analysis, data-based metrics and continuous risk monitoring

Scenario planning and resilience testing

These methodologies boost resilience by simulating and planning for multiple scenarios in a world of increased interconnectivity.
Relevant methodologies: risk scenario planning, Monte-Carlo simulations, stress testing, tabletop exercises, war gaming, risk velocity assessments and black swan analysis

Knowledge transfer

These incorporate learning and best practices from academic disciplines that are increasingly relevant for understanding and responding to the complex challenges of the new risk environment.
Relevant methodologies: graph analytics, behavioral economics, and complexity science

A US-based Industrials company with significant footprint in China and the US aimed to understand its exposure to a US-China escalatory scenario, as well as build future preparedness to manage potential impacts on business functions.

Given the client’s footprint in China, its ERM function sought to understand political risk exposure to US-China tensions and related business impacts. The company wanted to:

Increase awareness of any ongoing efforts within the firm to manage risks related to US-China geopolitical dynamics.
Assess the risk exposure of the company’s operations to a US-China escalatory scenario.
Trigger conversations between key business functions to understand the impacts of geopolitical scenarios, and build preparedness for future disruptions.

Working with the client, EY teams used a tabletop workshop to address these needs. EY professionals set up interviews and collected inputs from the firm across functions and geographies to increase awareness of ongoing efforts to manage exposure to US-China tensions. They then designed a geopolitical scenario around US-China tensions with two severity levels: a tariff escalation and a Taiwan military escalation.

They piloted a Geopolitical Risk Tabletop workshop for the client’s risk committee and other functions to catalog risks and potential impacts. To increase future preparedness, the workshop findings were leveraged to enable a response playbook.

As shown in the accompanying visualization, these methodologies fall along a spectrum. Risk leaders should explore opportunities to invest in methodologies that are less widely adopted but increasingly valuable in the new risk environment. There is a qualitative difference between cataloging writeups of scenarios, versus immersing your executives in tabletop or war gaming exercises that test and improve their real-time response to unfolding crises.

Ultimately, how you implement these methodologies makes a big difference. Are you using a risk register process to maintain dynamic, business-integrated registers that inform decision-making, or are you treating them as compliance documents that get updated quarterly and filed away? Building a Risk Strategist organization is about your overall approach more than anything else.

It’s important to us that risk management be aligned with the business and used to drive strategy and growth.

Director of Geopolitical Risk at a Global Consumer Goods Manufacturer

The below perspective was written by the Director of Geopolitical Risk at a Global Consumer Goods Manufacturer

Part of my role is to develop and lead a new competency in public affairs, to boost our foresight and resilience in a more complex geopolitical risk environment. Instead of creating huge processes, my small team looks to integrate awareness of emerging political risk and opportunity into the business by increasing alignment and working to ensure that relevant colleagues across business functions have a foresight mindset.

To help achieve this, we have a cross-functional Foresight Working Group (FWG) composed of representatives from approximately 20 different business functions. The FWG works to improve our risk identification and risk assessment capabilities when it comes to political macro-risks, while creating a shared risk mindset. We meet every other month. Each colleague brings to the table any relevant developments from the perspective of their function. We have criteria for defining emerging risks and, if something meets the definition, it gets added to the Emerging Risks Tracker — our co-owned list of emerging macro-risks. At every meeting, we also assess whether there has been escalation or de-escalation of each risk in the tracker. Further exploration and risk mitigation happen elsewhere, to keep FWG meetings lean and focused.

Many of the risks in our tracker are low-likelihood/high-impact. These have to be a focus somewhere in a multinational company today due to the volatility and uncertainty of the geopolitical risk environment. We don’t expect to predict exactly what could happen. Instead, for each low-likelihood/high-impact risk we develop three basic scenarios (business-as-usual, decline, and worst-case) to enable risk owners to understand our critical dependencies and value at stake. This gives us line-of-sight to how we would be impacted if something happened and the chance to identify low regret moves and optimize our processes and set-up. We identify and track leading indicators and if we see movement towards our “decline” scenario, we can use that to identify steps we should take to prepare.

A commercial space traveler looking at the Earth through the window of a spaceship.

3

Chapter 3

Getting started: five actions leaders can take now

Vision, cultural change and incentives are critical elements for developing Risk Strategists and aligning risk with strategy.

Managed Services

EY Managed Services revolutionizes your noncore, but board-critical activities with easy-to-integrate solutions. Find out more.
Read more

If risk transformation is a journey, where do you start? What’s the low-hanging fruit you can go after in the immediate term, even as you embark on a longer-term transformation? Here is a series of actions leaders can start taking now, as well as thoughts about how to scale up from these first steps.

1. Define a vision and start creating a roadmap

Begin by bringing leaders together to develop your vision for the future state of risk management in your enterprise. Ensure this is co-developed and jointly owned by risk leadership and other senior leaders — being a Risk Strategist is equally about making your risk function strategy-aligned, and your strategy risk-informed.

Don’t get bogged down answering every transformation-related question on your list with pinpoint precision. In the uncertainty of the NAVI world, it’s perfectly fine to live with some ambiguity; it’s more important to move with necessary speed and agility. Even as you move ahead, some decisions can be deferred until you have more information; others can be made with the data you have available now and adjusted as you go.

One way of moving ahead despite uncertainty and volatility is by identifying no-regret moves: investments and approaches that will be relevant across multiple scenarios and versions of the future. Identify your organization’s no-regret moves and prioritize these.

Strategically deploy your ecosystem of external partners — this provides another path to move ahead despite uncertainty. “In an environment of rapid change and increased volatility, external partners can be an essential asset,” says Vivek Nijhon, EY Global Vice Chair, Managed Services. “Teaming with managed service providers and other external partners can empower you to close capability gaps, respond swiftly to fast-changing market circumstances, and scale up investments quickly. More than ever, thinking through what you ‘buy versus build’ — and how you strategically leverage the power of an external ecosystem — can be a source of competitive advantage.”

2. Initiate cultural change

Building a pervasive, enterprise-wide risk culture is a big undertaking that will not be achieved overnight. Still, here are some steps you can take now to get the process started.

Communicate to set the tone from the top. Use messaging to encourage cultural shifts such as moving from risk avoidance to intelligent risk-taking, and from a compliance mindset to one that views risk decisions as potential drivers of strategic value.

Share stories of risk insights leading to better business decisions and recognize and celebrate employees who behave strategically with respect to risk. Encourage teams to surface uncomfortable truths and reward early identification of emerging risks, even if they don't materialize. Seven in 10 Risk Strategists recognize the importance of encouraging dissent and contrarian thinking; make it safe to challenge conventional risk wisdom and propose new approaches.

Participate in scenario exercises and stress testing. Voting with your time and engagement will communicate more loudly than words how important such exercises are for driving growth.

3. Use incentives and metrics strategically

Metrics and incentives are valuable tools for driving behavioral change and building a risk culture. Critically, they are actionable in the near-term and can start delivering results as soon as the next performance cycle. Yet only 38% of Traditionalists have employee performance measures that include risk metrics across all business units (vs. 66% of Strategists).

Create innovation budgets for experimenting with new risk methodologies, and reward employee experimentation and learning.

Use incentives to make the risk function more innovative and strategy-aligned. Measure and compensate risk professionals based on business enablement, not just risk reduction.

Simultaneously, explore ways to integrate risk metrics and considerations into the larger organization. This will, of course, require coordination across risk and other business functions — for instance, to include risk considerations in the performance metrics used by other business units.

Make the case for such changes by making tangible the value risk adds to the rest of the enterprise, especially amid the challenges of the new risk environment. Integrate risk into existing business processes and dashboards, as well as strategic decisions — such as how and when to invest in new markets amid increased geopolitical volatility, or when to adopt new technologies at a time of accelerated technological innovation. Develop metrics to track the value risk delivers to the organization.

4. Prepare for technology adoption

Six in 10 survey respondents agree that emerging technologies have the potential to fundamentally change how their organization approaches risk management. Regardless of where you come out on timing-of-investment decision, your future vision should include AI as a major component of strategic risk management at your company.

Even if you aren’t investing in AI right away, take steps now to prepare your risk practice for AI adoption in the future.

Start exploring where and how you plan to use AI. Identify AI models and software solutions for risk management and familiarize yourself with their capabilities. If you find these currently lacking, identify the capabilities and price points you would need to see, and continue to monitor the space so you can move quickly when these thresholds are met. Make sure your vision for AI use is not limited to incremental efficiency gains but also includes an appreciation for how AI could fundamentally transform key aspects of risk management.

AI is a fast-changing space. Develop the ability to quickly adopt and scale up AI use by laying the groundwork now. Boost data readiness by cleaning and organizing your data. Identify and fill skills gaps and competencies.

5. Find and foster the people on whom success or failure will hinge

“Even with the huge potential of AI, risk management comes down to people,” says Smriti Jain, EY Global Risk Consulting Competency Leader. “Risk Strategists know it’s more critical than ever to find the right people, reward and promote them, continuously upskill them to maximize their catalytic power, and anticipate and meet the needs of your workforce as you shepherd them through significant transformation.”

Use ongoing recruitment and upskilling to expand your risk talent pool beyond the qualifications and skill sets you have traditionally used. Start building out the quantitative and technical skills you will need for adopting everything from AI to the NAVI-aligned analytical methodologies discussed earlier. Hire for strategic thinking, by seeking candidates who can connect risk insights to business strategy and demonstrate curiosity and adaptability. Build a culture in which people proactively upskill themselves on evolving technologies and relevant risk topics to stay relevant. Consider non-traditional backgrounds, including strategy consultants, data scientists, and scenario planners.

The right people in the right place can catalyze and supercharge your transformation. Develop risk business partners, not risk police. Train risk professionals to speak the language of business units. Create rotation programs between risk and business functions. Find evangelists who have a strategic mindset and are highly influential within the company and put them in key roles where they can influence and drive behavioral change across the organization.

Finally, the human element of transformation is about much more than hiring and promoting the right skill sets. Research conducted by the EY organization and the University of Oxford’s Saïd Business School finds that transformations can succeed or fail based on human factors.⁵

An environment of accelerated change and increased volatility creates more frequent turning points — when a transformation program can go off course. When leaders fail to take a human-centric approach to navigating such turning points, transformation programs are 1.6 times more likely to underperform and 3.4 times more likely to leave workers experiencing negative emotions, such as anxiety, fear, and apprehension toward future change.

Develop a sensing and listening function to identify early warning signs of brewing employee concerns. Communicate openly to allay fears and inspire your workforce with your transformation vision. Empower employees with ongoing upskilling opportunities, clear roles and responsibilities, as well as appropriate decision-making authority.

Becoming a Risk Strategist is — above all — a human endeavor that requires all hands on deck.

The authors would like to thank Kawther Haciane, EY MENA Digital Risk Leader; Kyle Lawless, Senior Manager – Risk Consulting, Ernst & Young LLP; AnnMarie Pino, Associate Director, Ernst & Young LLP; Joe Morecroft, Associate Director, EYGS LLP; and William Reid, Assistant Director, Ernst & Young LLP for their contributions to this article.

“The five habits of successful Geostrategists” https://www.ey.com/en_gl/insights/strategy-transactions/the-five-habits-of-successful-geostrategists
For organizations with $1B or more in revenue. Source: American Productivity & Quality Center (APQC) OSM Benchmarking Data
“Why today’s banking CRO must be master of many trades”, https://www.ey.com/en_us/industries/banking-capital-markets/ey-iif-global-bank-risk-management-survey
“Agility in volatility: Rebalancing CRO priorities in a shifting risk matrix” https://www.ey.com/content/dam/ey-unified-site/ey-com/en-gl/insights/banking-capital-markets/documents/ey-and-institute-of-international-finance-bank-risk-management-survey-02-2025.pdf
“How can the moments that threaten your transformation define its success?” https://www.ey.com/en_gl/insights/consulting/threats-to-a-business-transformation-can-define-its-success

Summary

A transforming world of risk requires transforming your approach to risk management. Risk Strategists are better positioned for resilience and growth in the NAVI risk environment. For companies lacking the positive feedback loop of supportive mindsets, cultures, incentives, and organizational structures, breaking out of the traditionalist trap can seem challenging. But moments of sweeping change also create opportunities for fresh starts. You can take tangible and immediate steps to reimagine risk, catalyze your transformation to a Risk Strategist organization, and shape your future with confidence.

Related articles

What if disruption isn't the challenge, but the chance?

Transform your business and thrive in the NAVI world of nonlinear, accelerated, volatile and interconnected change. Discover how.

Hanne Jesca Bax + 1

About this article

Authors

Scott McCowan

EY Global Consulting Risk Markets Leader
Famke Krumbmüller

EY-Parthenon EMEIA Geostrategic Business Group Leader
Gautam Jaggi

Director, Business and CXO Insights, Ernst & Young LLP

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.