Can resilience help you grow opportunities before they become risks?

Tonny Dekker

EY Global Consulting Enterprise Risk Leader

Excited to serve as a Global Client Service Partner with over 25 years working to transform the businesses of our big Global Clients. Straight-talker with a big heart.

Frank Leenders

EY Global Digital and Innovation Leader

Passionate about serving clients across the globe. Trusted advisor through transformation. Proud father, husband and beach fanatic.

10 minute read 21 Jan 2021

CROs that focus on resilience can turn risks into opportunities to reimagine and repurpose the organization for agility and long-term value.

In brief
  • Organizational resilience has reemerged atop the board agenda following a high-impact, high-likelihood event for which few had prepared.
  • Given the waves of disruption ahead, resilience needs to be an organizational priority every day, not just in times of crisis.
  • CROs that look beyond managing risk to building stakeholder trust can reposition their organizations for long-term value creation.

What happened? Why didn’t you see this coming? How could you have missed this? Why didn’t you warn us? These are some of the pointed questions boards have been asking their Chief Risk Officers (CROs) in the wake of COVID-19. They’re valid questions, but they need to be directed beyond the CRO to themselves, the C-suite and every level below — because risk is everyone’s responsibility.

Scientists have been warning of the risk of a global pandemic for some time. Yet, a substantial majority of organizations were unprepared when the risk became reality early in 2020. This is likely for one of two reasons: 1) They saw it coming, but assessed the risk as low likelihood, high impact, meaning that if it happened it could devastate the organization, but because of its unlikelihood, the priority was determined to be low and therefore not acted upon; or 2) It wasn’t on their radar at all. Companies believed that since they had navigated their way through previous epidemics, such as SARS and Ebola they could navigate their way through another.

As it turned out, COVID-19 was less a Black Swan (catastrophic but highly improbable) than a Gray Rhino — a big grey beast lumbering along the horizon and then suddenly charging ahead as a high-likelihood, high-impact event.

Interestingly, there is evidence that prior to the pandemic, boards were concerned that their organizations were insufficiently prepared for such an event regardless of its likelihood. In EY’s Global Board Risk Survey, which was published shortly before the COVID-19 crisis, only 40% of board respondents said that enterprise risk management (ERM) was effective in managing atypical and emerging risks. Only 21% of boards said their organization was very prepared to respond to an adverse risk event from a planning, communications, recovery and resilience standpoint.

ERM effectiveness


of board respondents said that ERM was effective in managing atypical and emerging risks.

The reemergence of resilience on the board agenda

Now that the pandemic is here, organizational resilience has reemerged atop the board agenda. It was a top priority during the global financial crisis in 2008 too, but disappointingly forgotten once the crisis had passed. They did not take advantage of the lessons the financial crisis taught them.

Organizations that place importance on resilience now, only to let become an afterthought later, will do so at their peril. COVID-19, with all its indirect impacts, is the most immediate critical event organizations face today, but it is hardly the only one. Globalization (geopolitical power shifts and populism), environmental shifts (climate change and COVID-19), demographic shifts (the rise of Generation Z) and technological shifts (5G, quantum computing and precision sensors) are the primary forces (pdf) creating new and constant waves of disruption — creating both opportunities and risks.

Meanwhile, the days of going it alone as an organization are long gone. Today’s organizations are part of a much larger ecosystem of clients, vendors, suppliers, alliances, partners and other stakeholders. The end-to-end value chain nature of a networked ecosystem offers transparency and visibility. However, the dependencies each member of the ecosystem has on one another means that that ERM has to reach well beyond the confines of the organization. In today’s environment, each ecosystem member’s risk becomes everyone’s risk and everyone’s responsibility.

In this way, a corporate ecosystem can be likened to nature’s ecosystem. Natural ecosystems are ecological communities that include all the organisms living in a particular area and all the physical characteristics of that environment, such as sun, temperature and oxygen. The living and physical elements are inextricably linked. As EY’s Global Markets Digital and Business Disruption Leader Gil Forer argues in What can businesses learn from nature about ecosystems, “knowing the species and environmental elements of an ecosystem is just the beginning; understanding their effects on each other, and how these propel evolution of the ecosystem, is the essence of ecological thinking.”

As the COVID-19 pandemic has shown, robust resilience programs play a critical role in an organization’s adaptation and survival. Boards need to understand the organisms and environmental elements of their corporate ecosystem, how each impacts the other, and what steps they can take to adapt and evolve. They then need to demonstrate decisiveness in their decision-making. Yet, in a poll EY conducted of more than 2,000 corporate leaders as part of its Reshaping your organization for sustainable growth, 47% said they were either passive or reactive when it came to responding to disruptors.

As Chief Resilience Officer, CROs will play a more strategic role, looking beyond risk to trust and how the sea of challenges ahead can be reframed as opportunities to reimagine or transform the organization with renewed purpose and vision to generate long-term value.

Changing the ‘R’ in CRO from risk to resilience

As organizations shift their focus from risk to resilience, the role of the CRO will need to change with it. As Chief Resilience Officer, CROs will play a more strategic role, looking beyond risk to trust and how the sea of challenges ahead can be reframed as opportunities to reimagine or transform the organization with renewed purpose and vision to generate long-term value.

There are several examples of companies that have reimagined themselves over the years to respond to disruptive forces and prevail to sustain their competitive advantage. In the Netherlands, DSM began its organizational journey more than 100 years ago as Dutch State Mines, a coal mining company. When the Netherlands began phasing out coal as a major fuel source, DSM saw an opportunity to reinvent itself as a chemical company. More recently, based on new global environmental shifts, it has transformed its organization again as a life sciences company.

By its own admission, Nokia has been “adapting to the needs of an ever-changing world for over 155 years.” From its roots as a paper mill, Nokia has repurposed and reimagined itself several times over, remaining resilient through ever-changing times. In the 1990s, its name became synonymous with mobile phone devices. When the competition in that market became fierce, Nokia pivoted again, expanding its market focus to telecommunications networking. The company is now positioned to be an industry leader in the transition to 5G wireless technology.

A risk can be an opportunity an organization saw too late.
Tonny W. Dekker
EY Global Consulting Enterprise Risk Leader

In the wake of COVID-19, and with primary forces pushing a host of disruptive megatrends forward at a rapid clip, every global organization will need to reimagine their futures by identifying opportunities before they become risks, and managing risks before they become catastrophes in ways that build and sustain stakeholder trust. A Chief Resilience Officer can help to lead the way.

Three steps Chief Resilience Officers can take to reframe the future of their organizations

Here are three ways Chief Resilience Officers, with the support of the rest of the C-suite and the board, can reframe the future of their organizations.

1. Reimagine enterprise resilience

Trust is the primary currency in today’s uncertain world. Customers, employees, suppliers, partners, shareholders, regulators and governments need to feel as if they can trust the organization they’re buying from, working for or with, investing in or overseeing. All stakeholders want to have confidence that no matter the disruption, the organization has the agility and resilience to thrive in the long term. Trust will only be rewarded to organizations that have robust resilience built into their organizations.

Yet, organizations tend to think about resilience as a blueprint for getting through a crisis. Once the crisis is gone, they revert back to the old way of doing things. It’s time to reimagine resilience in the context of anticipating and identifying opportunities to grow before they become risks, and having the agility to respond to and mitigate the risks before they can have a shattering impact on the organization.

EY’s Trust by Design (TxD) framework offers a practical approach for building a resilience program that reaches for the opportunities while considering the upside, downside and outside risks. Considering risks across these categories is a first step. As its next step, organizations need to build a resilient infrastructure that uses data and technology to remove human bias and provides insights and transformative mechanisms that can signal when a Grey Rhino is starting its charge. Today’s cloud-based technology framework, combined with artificial intelligence (AI), machine learning and advanced analytics, opens up a new world of possibilities to unlock a powerful source of information at speed and forecast future scenarios.

At the same time, organizations will need to nurture a transformative and agile culture and develop a talent management framework that ensures they have the right people with the right skills in the right places.

With sensors in place to detect the weak signals, organizations can implement practices and controls that allow them to act early to either prevent or minimize the impact of emerging risks, even as their transformative culture enables them to pivots to seize the opportunities that can help the organization grow.

Questions for the C-suite
  • How do we act upon weak signals, aligning the increase in the organization’s intensity to the velocity of the underlying risk?
  • How do we balance building resilience “storage” while remaining lean and agile enough to respond to emerging risks?
  • How do we create insight and foresight in the dynamic risk landscape we are dealing with to optimize our responses?
  • Do we have the right digital capabilities to embrace real-time and forward-looking risk insights?
2. Embark on a trusted transformation

While building resilience and getting the strategic opportunities in sight, organizations can redefine their purpose and vision with a focus on long-term value creation. For most organizations, this will require a significant and complex business transformation. Yet, this is exactly where boards and CROs are struggling. Our research suggests that seven of 10 major strategic transformation programs fail to realize their intended business benefits. And the cost of that failure is increasing.

As boards and C-suite executives feel increasing pressure to successfully deliver large and complex transformation programs, they would do well to pair their business transformation with comprehensive program risk management. EY refers to this as “trusted transformation.”

Trusted transformation for long-term value creation combines business transformation anchored by three drivers that put humans at the center, deploy technology at speed and innovation at scale, with program risk management that emphasizes transparency and control as part of a positive organizational risk culture. By embedding transparency and control from planning until closure in a project lifecycle, organizations can better understand the project risk profile and complexity, bring together program risk, quality, benefit and performance management to help management make well-informed decisions, and articulate the benefits and value delivered.

Questions for the C-suite
  • How do we redesign our purpose, long-term value proposition, business strategy and associated risk awareness with our business ecosystem in mind?
  • How do we instill trust in the new technologies our organization is implementing, and the processes and information we’re using to make key decisions?
  • How can we build and maintain trust with regulators, investors, clients and third parties while addressing the current pace of change?
  • How are we fostering continuous transformation?
3. Sustain resilience through actionable insight and assurance

To sustain enterprise resilience, organizations need to demonstrate to their stakeholders that the actions they have taken will stick. This means implementing the internal controls and ERM protocols necessary to manage the upside, downside and outside risks, not only within the organization but across the ecosystem.

It also means using trusted intelligence from within and outside the organization to monitor, capture and evaluate market trends that can be used for future-back scenario planning. When an opportunity or risk emerges, organizations can put it through the lens of reimagining enterprise resilience and the cycle begins again, thereby creating a virtuous circle of resilience and long-term value creation that stakeholders can trust.

Questions for the C-suite
  • Are we getting the factual insights on risks evolving in our business ecosystem?
  • Are we able to objectively analyze and project these insights into our resilience operating model
  • Do we have the right agile governance and risk culture in place to act decisively and sustain organizational resilience?
  • Do the data technologies we have in place provide trusted intelligence that can compensate for the human bias when our people are confronted with the emotional impacts of disruption?

The future of business depends on resilience and trust

With some exceptions, organizations were unprepared for the catastrophic event that emerged in early 2020. While it’s easy to blame the CRO, risk wasn’t their responsibility to shoulder alone. Further, in a future where significant outside risks move from outliers into the mainstream, managing risks isn’t going to be enough.

Organizations will need to reframe their futures, and the role of the CRO, in terms of reimagined resilience, trusted transformation and actionable insight and assurance. Stakeholder trust and the future of business depends on it.


In the wake of the COVID-19 pandemic, many CROs have been facing questions asking why they didn't see this coming. It's prompted many to observe that the role of the CRO should now be that of Chief Resilience Officer rather than Chief Risk Officer. With the support of the rest of the C-suite, Chief Resilience Officers can reframe the future for their organizations by: reimagining enterprise resilience; embarking on a trusted transformation; and sustaining resilience through actionable insight and assurance.

About this article

Tonny Dekker

EY Global Consulting Enterprise Risk Leader

Excited to serve as a Global Client Service Partner with over 25 years working to transform the businesses of our big Global Clients. Straight-talker with a big heart.

Frank Leenders

EY Global Digital and Innovation Leader

Passionate about serving clients across the globe. Trusted advisor through transformation. Proud father, husband and beach fanatic.