GLOBAL RISK TRANSFORMATION SERIES

When the world shifts overnight, can you operate at the speed of trust?

In a nonlinear, accelerated, volatile and interconnected environment, trust is earned through real-time decisions, not periodic reviews.


In brief

  • Risk operating models must shift from oversight and reporting to decision support embedded in the business and activated by defined triggers.
  • Strategy-first, trigger-based and governance-forward approaches allow firms to respond safely at speed.
  • Transactions, growth and crises are the practical moments that create permission to modernize.

This article is Chapter 2 in the Risk Transformation Series. For Chapter 1, see How can reimagining risk prepare you for an unpredictable world?

In November 2025, as a record-breaking US government shutdown stretched into its sixth week, the Federal Aviation Administration (FAA) ordered a temporary reduction in flights — first by 4%, and a week later by 10% — across 40 high-traffic US airports. While the scale of the action was remarkable, the stated justification was not. The FAA’s press release explained that its response had been prompted by “staffing triggers” that were creating “increased reports of strain on the system.”1

The use of data-driven triggers to manage systemic risk is common in the aviation industry. This is both a sector in which incidents can set off chain reactions across intricate networks and one in which precise protocols govern everything from airplane maintenance to cockpit checklists. So, many airlines have identified a series of risk-based triggers, ranging from IT failures and inclement weather to aviation accidents — along with predefined response protocols, such as preplanned rerouting, backup IT systems and standardized communications procedures.

A couple of months before the FAA action, a different trigger — a technology issue with a US-based airline’s flight tracking and resource management system — had prompted the carrier to ground flights at many major hubs. If you’re having trouble recalling the incident, it’s for good reason. The protocols did their job, and the issue was resolved within hours. It barely made a blip in the day’s news coverage. That’s what effective triggers produce: controlled, fast containment that prevents escalation and preserves trust.

Contrast that with more memorable and infamous incidents in which events expanded into full-blown crises that dragged on for days, costing stricken airlines dearly — not just in financial performance and fines, but also in damaged reputations and diminished stakeholder trust. 

Trust is the outcome stakeholders experience when risk is managed well. Today’s nonlinear, accelerated, volatile and interconnected (NAVI) operating environment has implications for both. The familiar saying — that trust is built slowly but can be destroyed in an instant — is more relevant than ever in a world in which crises strike more frequently, escalate rapidly and cascade in unforeseen ways. Add to that a backdrop in which trust has been steadily diminishing, and the stakes are higher than ever. 

Traditional risk operating models — slow and periodic — are fundamentally misaligned with an external environment that is accelerated and nonlinear. To operate at the speed of trust, risk operating models need to become:

  • Strategy‑first, grounding risk priorities, appetite, and metrics in strategic assumptions about future value — not past performance
  • Trigger‑based, establishing signals, thresholds and pre‑authorized decision rights, so owners can automatically spring into action when conditions change
  • Governance-forward, clarifying governance related to triggers ahead of time, to establish accountability and escalation without slowing execution

Together, these shifts move risk from reactive response to proactive design, enabling decisive action under uncertainty without losing control.


The benefits of such an approach are clear. “Risk Strategist” companies — which, by definition, frame their risk function as an enabler of strategic growth — are better prepared for the shocks of the NAVI operating environment than their “Risk Traditionalist” counterparts. These firms report that their approach has improved performance across several benchmarks, from incident identification and response time (77% of Strategists relative to 57% of Traditionalists) to proportion of risks that are unexpected (74% of Strategists; 50% of Traditionalists) and appropriate risk escalation and decision-making (74% of Strategists; 55% of Traditionalists).


Chapter 1

Strategy-first: relevance starts upstream

Anchor risk management decisions in your organization’s envisioned future state.

Much of risk management is based on backward-looking — or, at best, contemporaneous — data, but strategy is about building the future. In an environment of accelerated disruption, as companies pivot to new markets, business models and sources of value, risks that appeared immaterial based on historical financial impact can undermine strategic objectives. More than ever, it’s critical for the risk function to be not just strategy-aligned, but strategy-first.

Strategy‑first framing makes the company’s strategic vision — its future commercial offerings, business model and market position — the starting point for everything from risk appetite to risk prioritization and action. Rather than relying on past performance or historical loss experience, it articulates embedded assumptions about customers, channels, regulation, technology, supply chains and partners — and asks how those assumptions could break as conditions change.


An automotive company might identify oil prices or dealer carryover (unsold) inventory as key risks based on its current business model. A strategy-first risk function would instead look at the company’s projected future state in a sector disrupted by electric vehicles and mobility-as-a-service (MaaS) business models. In this context, MaaS utilization rates, access to rare earth and other critical minerals, and dependency on charging infrastructure ecosystems may be far more material to the company’s forward-looking financial performance and strategic viability — despite having limited historical data to draw on.

 

Electrolux, a Swedish home appliance manufacturer, has proactively built resilience into risk management and strategic investment planning based on how future climate scenarios may develop. “We have always assessed how near-term weather-related risks impact our production sites, warehouses and suppliers, but now we are considering multiple climate risks 20-30 years in the future and how we should shape our strategy plans around them,” says Ulrich Adamheit, Head of Group Risk Management at Electrolux.

Chapter 2

Trigger-based: matching today’s velocity

Shift from calendar-driven reviews to trigger-based action.

If a strategy‑first approach defines what matters, a trigger‑based operating model defines the risk architecture that makes fast, trusted action possible. This does two things. First, it defines when decisions must happen and who can act, using signals, thresholds and pre-authorized decision rights. Second, it defines no-regret resilience moves that strengthen readiness (e.g., clarifying decision authority, identifying mitigation levers, rehearsing protocols through simulations including tabletop exercises, and closing gaps) before a trigger fires.

 

This is not a question of predicting every outcome or scripting every response. No model can anticipate every shock; unexpected risks and losses will still occur. The point is to give the organization a default pathway for most conditions and the discipline and capacity to improvise when it must.

 

This is the shift from describing risks to designing the conditions under which decisions are made. Organizations that adopt triggers create a faster, more coherent operating rhythm anchored in explicit thresholds rather than managerial discretion.

 

It begins with translating strategic assumptions into signals that indicate when conditions are shifting in ways that matter for value creation. Those signals are continuously monitored and paired with objective thresholds that define when attention is required and what level of response is appropriate. The level determines four things: decision authority, response actions, escalation path and communications cadence.

 

Most Risk Strategist organizations benefit from three trigger levels: monitor, mitigate and mobilize. Each level includes defined owners, required actions, escalation paths and communication protocols. Every signal needs a data owner, measurement logic, refresh frequency and a single accountable decision owner once thresholds are crossed.

 

To see this approach in practice, consider a large organization preparing for the possibility of cross-border conflict in a region marked by growing geopolitical tensions. The company may begin by establishing a monitoring framework tied to a range of escalation scenarios, from low‑intensity political and economic pressure to hybrid warfare and full-scale armed conflict. Based on these scenarios, the company might define both no‑regrets actions to take immediately (such as diversifying critical dependencies) and pre‑authorized countermeasures that activate at each escalation level (for example, bifurcating technology stacks to isolate local operations as conditions deteriorate).

 

This is where speed becomes structural. The organization is not deciding “who owns this” during disruptions. Ownership, authority and escalation are pre‑wired. The only task during activation is execution.

 

When a crisis hits, the organization does not debate process; it activates the pre-defined playbook. Risk does not run the play; it designs the playbook, convenes the right owners, and keeps the design current through rehearsal, post‑event learning and periodic refresh.

 

Crucially, governance follows the trigger. Oversight and assurance activate in proportion to severity, preserving accountability without re‑introducing latency. Outcomes, near‑misses, and true surprises feed a learning loop that refines signals, resets thresholds, updates protocols and strengthens the no‑regret posture over time. In this way, the organization becomes faster and more coherent with each activation.

Chapter 3

Governance-forward: clarifying and coordinating

Define accountability, oversight, escalation and assurance to move safely at speed.

While triggers define when decisions must occur, governance determines who acts and who escalates. Traditional frameworks such as enterprise risk management (ERM), integrated risk management (IRM) and the three lines remain essential, but they must operate at the speed set by triggers, not the calendar. Governance becomes the accountability layer that keeps decision‑making fast, coherent and auditable without slowing execution.

In many organizations, governance still reflects periodic risk cycles. Trigger‑based operating models require something different. They require clarity of authority, clear escalation paths tied to severity, and assurance that activates in real time rather than quarterly. The challenge is not to replace existing governance structures, but to realign them so that roles, oversight and assurance flow from the trigger architecture.

This reframes the evolution of the three lines. The original design focused on separation of duties to avoid conflicts. In a NAVI operating climate, the goal is synchronized accountability across the first and second lines, with independent assurance from the third line preserved where required. The emphasis shifts from static boundaries to coordinated decision flow once thresholds are crossed.

The way leading organizations are already adapting illustrates this shift.

While regulated industries such as financial services tend to use bright lines to separate the third line, many companies in other sectors have been actively moving toward closer alignment across the three lines. One company benefitting from closer alignment is Marathon Petroleum Company, as highlighted by Kelly Niese, Vice President, Treasury, and Kelly Wright, Vice President, Audit, during a joint interview. “Our formal alignment between ERM and internal audit started several years ago, motivated by the need to have a similar view of risk and a common risk language,” says Niese. “This alignment has helped create a dynamic risk assessment environment where we can adjust our audit plans based on enterprise-level risks,” added Wright.

The direction of travel is clear. “I see the three lines becoming more synchronized and integrated over time,” says Satish Kumaraswami, Vice President of Global Model Risk Management at Scotiabank. “As we invest heavily in the first line to ensure business managers truly understand and own risks, we are building a solid risk foundation in the first line. The second line can then become more of a challenge function — taking on some of the third line’s traditional role — to ensure appropriate focus on emerging risks, self-identified gaps and testing. Meanwhile, the third line would focus on driving continuous monitoring instead of conducting traditional, periodic audits.”

David Hildebrand, Chief Audit Executive at ServiceNow, also sees walls between the lines blurring. “Five years from now, I don’t think we will need a distinct second line as it has existed in the past,” says Hildebrand. “We could see the first and third lines working together more closely, while the second line takes on more of an advisory role into the third line, or even disappears altogether. Ultimately, we need risk management that can drive business outcomes.”

These perspectives reinforce a common pattern. Governance is most effective when it flows with the operating model, not against it. It clarifies ownership. It accelerates escalation. It allows auditability at speed.

Organizational structures will still vary. Some companies centralize ERM to create consistency. Others push responsibility into the business to increase agility. Most Risk Strategists adopt a hybrid approach that combines enterprise standards with local ownership. What differentiates them is not structure but coherence: a shared language, aligned methodologies, and risk roles designed to operate at variable speed.

A global semiconductor integrated device manufacturer uses a hybrid approach. “Risk management responsibilities are embedded in executive roles, with the support of a network of ERM and resilience champions who drive the process in their respective scopes,” the company’s Group Vice President responsible for corporate risk explained. “This networked approach balances a central drive with local deployment and allows us to address the interconnectedness between risks.”

As governance accelerates, capabilities must evolve. Boards and risk leaders need deeper technology and AI literacy. First‑line leaders need stronger risk fluency. Curiosity, challenge orientation and contrarian thinking matter more as the environment becomes more dynamic. Mindsets become as critical as skill sets.

“When building a risk team, I don’t necessarily want people with deep expertise in risk,” says Mark Dingle, an independent advisor and former EY member firm Partner. “I’m more interested in smart, curious, driven individuals. It’s easier to teach someone about risk than it is to train them to have the right mindset.”

While employees at Risk Strategist and Risk Traditionalist firms have similar attributes today, Risk Strategists are more likely to recognize that innovative mindsets will be important in the future. They are roughly twice as likely as Traditionalists to say that in the future employees will need collaborative approaches and bold dispositions, and be innovation-oriented, encourage contrarian thinking, and use nontraditional modalities.


Technology ultimately unlocks the next stage of speed. AI and GRC platforms are shifting governance from periodic oversight to continuous visibility. The third line gains real‑time insight. The second line becomes more predictive. The first line gains self‑service risk intelligence. Strategists are already planning to grow their tech and data expertise by more than 20%.

“ERM largely falls into work that can be transformed by AI,” says Katie Timm, Chief Compliance and Risk Officer at Cigna. “We are deploying agents to customize risk information for employees, tailoring dashboards and scorecards to real time, role specific insights. The goal is self service where compliance and risk become enablers, with data and technology increasing efficiency and effectiveness across the operating model.”

“Risk management should embrace AI, automation and continuous assessment,” says Vinod Madhavan, Chief Information Security Officer at Solstice Advanced Materials. “Manual qualitative reviews are being replaced by technology-driven quantification and continuous control monitoring. AI reveals new risks and trends and helps unify requirements and common controls across regulations, recommending actions and summarizing information to support decision making without replacing human judgment.”

The destination is not a new hierarchy. It is a governance system that activates at the speed of triggers, enables decisive action and builds accountability at every step. This is governance built for a NAVI world: faster, clearer, more coherent and tightly connected to strategy execution.

 

Chapter 4

Find your entry point

Growth, transactions and breaches provide opportunities to rethink the operating model.

Changing the risk operating model requires transformation, and no two organizations begin risk transformation from the same place. Strategy‑first and trigger‑based design offers a clear destination. The entry point depends on a company’s specific circumstances, including characteristics such as its sector, maturity, scale, legacy processes and culture.

The governing principle is simple. The first move does not need to be large. It needs to be directional. Every step should build toward a trigger‑based, strategy‑first architecture rather than reinforcing the slow, calendar‑driven model it replaces.

Not every company can redesign its full operating model at once. Some begin with growth milestones, others with major transactions, and others only after shocks create the urgency and mandate. Examples include:

1. Growth and maturation

“Building risk management in a fast-moving technology company presents unique challenges,” says Walid Sleiman, Digital Technology GRC Leader at ServiceNow. “There are three things risk leaders must get right. First, think big, start small, and move fast — you do this by leveraging proven industry frameworks rather than reinventing the wheel, and by tailoring them to size, just to what your organization actually needs. Second, use technology as a force multiplier. Automation and AI are essential to scaling risk management, enabling continuous monitoring and decision-making at the speed of the business. Third, ensure strong stakeholder alignment. Effective risk management requires consistent alignment across teams — connecting individual and functional risks and translating them into a unified, enterprise-level view that leadership can act on. This alignment is essential to driving value out of your risk management program.”

Startups typically begin with a relatively narrow approach to risk management — for instance, focusing primarily on regulatory compliance, or on risk subtypes that are most critical for their sector or business. Over time, events such as increasing headcount, new rounds of venture funding, initial public offerings, or expansion into new sectors or regions can help make the case for a more robust approach.

To succeed, this needs to be done in ways that are adapted for and respect the nimble nature of the organization. The accompanying guest perspective by a risk management leader at a global life sciences company provides an example of an organization that used such an approach after undergoing a rapid growth spurt.

2. Transactions

For larger companies, a major transaction can be an entry point to transform the risk operating model. Since such transactions typically involve transformation and the restructuring of operating models across the larger enterprise, this can provide the opportunity to reexamine the risk operating model at the same time. Making the business case is easier if risk transformation is tied to business outcomes and the strategic goals of the organization.

The October 2025 spin-off of Solstice Advanced Materials from its parent company illustrates how a transaction creates opportunities to redesign the risk operating model. Solstice needed to stand up a new risk function, giving it the opportunity to decide on the optimal structure and approach for each component of its operating model. 

Whether in the context of a transaction, a rapidly growing startup, or a large company undertaking a significant transformation, partnering strategically with managed services providers — using them as a force multiplier and solution to bottlenecks, rather than a mere cost play — can help smooth over many of the rough patches in a transformation. Transform-then-transfer models can help a fast-growing company or newly spun-off entity build mature capabilities before transitioning them in house. Alternately, managed services can help companies undertaking a large risk transformation “run the engine while rebuilding it,” maintaining day-to-day execution while transformation is delivered in parallel — reducing exposure during the change journey and protecting momentum.

 

 

3. Shocks and breaches

The maxim about never letting a good crisis go to waste applies in spades to risk management. In some ways, this is not new. Companies routinely use cyber breaches to reexamine and bolster cybersecurity controls.

In a more volatile and unpredictable operating climate, companies are likely to face external shocks with increasing frequency — not just company-specific incidents, but also systemic exogenous shocks such as pandemics and geopolitical crises. Each is an entry point for learning and reinvention.

The opportunity is to optimize not just for elasticity (the ability to deform under stress and rebound to the original state) but also for plasticity (the ability to respond to stress by achieving an entirely new shape). How does your operating model need to be reshaped to make the organization more resilient to similar shocks in the future?

The stakes are higher than ever before. Resilience in the NAVI world means not just protecting what exists but enabling what’s next. The organizations that win will be those whose risk operating models move at the same speed as their strategy, decisions and stakeholders.

This places the Risk function at a pivotal moment. Few functions have the enterprise‑wide mandate, cross‑functional vantage point, and institutional license to translate uncertainty into shared assumptions, decision thresholds, and escalation paths. Properly positioned, Risk is not a brake on speed but the mechanism that makes speed repeatable, trusted and aligned to strategy.


The authors would like to thank Kyle Lawless, Senior Manager – Risk Consulting, Ernst & Young LLP; AnnMarie Pino, Associate Director, Ernst & Young LLP; Joe Morecroft, Associate Director, EYGS LLP; and William Reid, Assistant Director, Ernst & Young LLP, for their contributions to this article.


Summary

Traditional, slow and periodic risk operating models are no longer fit for a NAVI risk environment. To operate at the “speed of trust,” organizations must redesign risk to be strategy‑first, trigger‑based, and governance‑forward. This involves anchoring risk in future strategic assumptions, using predefined signals and thresholds to activate action, and aligning governance to move at speed. To succeed, transformation initiatives will tailor their approach to their company’s specific constraints and circumstances.
