How can you turn digital risk into a source of competitive advantage?

By Amy Brachio

EY Global Vice Chair - Sustainability

A voice for working women. Passionate about diversity and inclusiveness. Mother. Wife.

15 minute read 7 Jan 2021


In this transformative age, how risk is managed will become the key to unlocking the strategic upside of disruption.

This article is part of a collection of insights about digital trust.

Life in today’s transformative age is characterized by unprecedented speed and radical change, and keeping pace is difficult. Disruption is constant — but while it often begins gradually and can be hard to spot, it can rapidly speed up as new technologies and business models mature. The goalposts keep moving even as the players — and even the rules of the game — change.

Organizations that fail to embrace this disruption face an uncertain future — and may even find themselves obsolete. Many of the biggest changes of the digital age can have both upsides and downsides: opportunities that need to be embraced and dangers that need to be avoided.

Navigating between these two poles of disruptive change is something companies have always needed to do. But now, in an era where the world is more volatile — politically, economically, technologically, environmentally and demographically — we need to rethink the organizational culture, the mindset with which risk is considered and how the risk function itself operates.

Today, the biggest challenge is evolving the risk culture by integrating risk functions, the C-suite and the board to embed risk into strategic decision-making that will deliver real value. Risk professionals and their organizations need to be able to develop and trust their data, tools and skills to enable them to embrace disruption with confidence and create business value and market differentiation. While most organizations are already well-positioned to look back and learn from what went wrong, their mindset and culture are often focused on avoiding risk, without much consideration of the opportunity cost of that decision. To survive and thrive in the Transformative Age, risk functions need to be bifocal — learning from the past while looking to the future. 

But how can we make informed decisions when the landscape is constantly changing? And in a world where the biggest risk can be the risk of moving too slow or doing nothing, how can organizations know how far they can push the boundaries?


Chapter 1

Understanding the three kinds of risk

Downside, upside and outside risks.

In my previous piece, I looked at how value and risk are entwined along all parts of an organization’s value chain.

The simple truth is, you can’t generate value if you don’t take risks. Similarly, organizations that can’t properly manage risks will stumble into catastrophe. However, it’s not just about finding a Goldilocks zone of the right amount of risk to take, but about understanding the difference between the kinds of risk you should and should not be taking.

The stakes couldn’t be higher. Business today moves at a breathtaking pace: according to one recent study, in 1964 the average life of a company in the S&P 500 was 33 years. That is predicted to drop to 12 years by 2027.

In such a fast-moving environment, understanding the nature and scale of different kinds of risk becomes a vital first step for any company serious about capitalizing on the volatility of the era of mass digital transformation.

Organizations that will succeed in this new transformative age will be the ones that can discern the differences between these three varieties of risk and chart a course between them that leads to real value. But to do this will require a more holistic and more nuanced understanding of how different types of risk are affecting not just your organization and its component parts, but your entire value chain. The risks come in these three distinct forms:

  1. Downside risks: which only represent a negative outcome for a company. There is no value in taking these risks, only the potential to preserve value (or reduce harm) by eliminating, controlling, mitigating or transferring them. They have little or no potential to be seized as an opportunity (without some clever PR to showcase how well the organization has responded to them). These risks include things like information security and cybercrime, employee fraud and regulatory compliance. These risks must be well understood and mitigated.
  2. Upside risks: directly relate to an organization’s ability to execute its business strategy and objectives, and provide organizations with a positive opportunity for value creation and growth — using risk to identify the best ways to allocate capital to grow the business. These include the potential for innovations to grow consumer bases, increasing market share, or acquiring, managing and deriving value from new assets and talent. These upside risks should be considered hand-in-hand with an organization’s strategy — the organization should ask itself, “with which risk do we create the most value?”
  3. Outside risks: can have positive and negative impacts but are unpredictable, as they are beyond the organization’s control. These could include the actions of existing and emerging competitors, and geopolitical, economic, demographic and environmental megatrends that can impact your organization either directly or indirectly. Organizations must be well aware of the upside or downside implications of these risks and be ready to respond more quickly and effectively than their peers to add value to the bottom line.

To effectively deal with these risks will require a change in both risk management tactics and cultural mindset.

In the past, risks have been evaluated on two dimensions, potential impact and likelihood. But in today’s transformative age, a third dimension — velocity — is critical. Velocity is the speed and rate at which downside risks you fail to prevent can cause damage/loss, or upside risks that you seize can drive rapid growth.

From a mindset perspective, this means risk professionals must evolve their culture from a focus on complete risk avoidance to one of identifying upside strategic risks — combining looking for ways to learn from the past while enabling progress toward the future. And they will need to do this in real time to ensure their agility can help their organizations move fast enough to intercept opportunities no matter their velocity. This is where we see the greatest level of disruption coming to risk functions, with technology helping risk functions themselves transform for the transformative age.

For example, through the adoption of robotic process automation, internal audit and compliance functions will be able to become more efficient and examine more data in a much shorter period of time. Better data management will allow for better and more real-time reporting that will support better leadership decision-making. Artificial intelligence will be used to predict where things go wrong before they go wrong.

Through this disruption, organizations will be able to have greater confidence in their ability to at worst identify issues quickly, and ideally prevent them from happening in the first place. With this, the risk professionals of the future will have more time to focus on outside and upside risks, enabling their organizations to make better decisions to help achieve long-term strategic objectives. 


Chapter 2

Creating a value-adding risk function for the transformative age

New data, technologies, structures, ecosystems and skill sets.

Embracing risk and uncertainty is how organizations pursue radical growth and value creation. But this can’t be achieved by blindly running toward the unknown. The risk function needs to be there to provide strategic decision-makers with the confidence they need to seize the upside of risk when it appears.

To do that, the risk function itself needs to ensure its analysis is seen as robust, respected and trustworthy, even in the face of the many uncertainties of this era of rapid change. This transformation of the risk function will involve several interconnected elements:

  • New data: data has shifted from being a product or process outcome to being an asset that creates a competitive advantage to derive risk intelligence for strategic decision-making. Data is an organization’s most critical asset, yet it is hard to value and hard to keep secure because of the complex technology environment and because cybercrime always stays one step ahead. Increasingly, data aggregators, analytics and machine learning technologies are providing a new structural base that empowers all other data-related activities. Boards and C-suites are looking for risk functions to simplify massive amounts of data into predictive insights they can trust to influence strategic decisions.
  • New technologies: the disruption-ready risk professional of the future will be enabled by new digital technologies and products, allowing them to generate whole new fields of insight to inform business results: robotic process automation (RPA) will free up analysts for more strategic work; drones will empower the physical audit of inventory and operations; and chatbots will provide new, efficient channels for customer engagement. The continuing emergence of more sophisticated forms of artificial intelligence and connected technology will further widen the toolkit available to the risk professional of the future. These technologies will enable predictive analytics and insights by modeling future scenarios for planning and hypothesis testing, and by intercepting issues based on advanced intelligence rather than reacting and defending.
  • New structures: risk functions also face change around how they operate within organizations. Today, most organizations have either implemented or are working toward the classic “three lines of defense” model of risk management, which can feel restrictive in this age of rapidly evolving risks. While the guiding principles of this model will not go away, there is an increasing need to bake in more agility to meet the challenges of the highest-velocity risks. The advent of real-time risk reporting models and continuous monitoring may also necessitate modifications to reporting structures, so information can be delivered to the relevant parties in a time-effective manner, while there is also potential for convergence of functions and shifting of risk activities. As parts of the risk function are automated and risk professionals focus more on delivering strategic insight, organization-wide culture must also change to ensure risk awareness is part of everyone’s job.
  • New ecosystems: the complex and connected nature of digital risk — coming from every angle along the value chain — means future risk functions will need to take a more ecosystem-based approach to risk management. Different organizations, units within those organizations and specialist third parties will have to share risk intelligence with each other and coordinate responses as an interdependent network to keep pace with change. We are already seeing this come to life through utilities designed to collect the data needed for third-party risk management and sharing of cyber threat data. 
  • New skill sets: to leverage these new tools, structures and ecosystems, a new class of risk analyst is needed. They need to be aware of broader political, financial and environmental macro trends. They need to be able to operate in a diverse range of roles within their business — engaging with the C-suite and the board on strategic risk decisions while also working with vertical managers from across the supply chain. They should also have the soft skills to influence risk culture by promoting risk awareness and influencing strategic insights throughout the organization. Given the velocity of risk, this will also require a healthy level of intellectual curiosity. The risk professional of the future needs to be digitally savvy and data-smart, with just the right amount of skepticism of their automated tools’ findings. In order to be agile and relevant to the executives focused on digital, strategy and innovation, risk practitioners will need to have the thirst and stamina to keep up with the rapid pace of change.

The “art” of risk management will increasingly become successfully managing the balancing act needed to channel the intelligence that comes through enriched data analytics and automated processes into strategic insights that can unlock new opportunities to drive value. Great things await the agile risk professionals of the future, who can both seize opportunity and contain risk, building ecosystems, business models and corporate standards that inspire trust and confidence. Because with the right approach to risk, the risk function has a vital role to play in delivering future business growth.


Chapter 3

The new role of the risk function

Learning from the past while enabling the future.

Today, most organizations still think of their risk function as a largely reactive unit that mitigates downside risks — that is, it helps identify (as early as possible) bad things popping up, helps stop bad things from happening and helps sort out insurance claims.

But in a transformative age, the risk function needs to take on a more bifocal approach, learning from the past while enabling the future. It needs to engage with key stakeholders to help the organization understand its risk profile in a holistic sense that takes account of its place in a broader, constantly evolving ecosystem. It needs to help steer its organization down paths of radical, transformative growth even while maintaining existing revenue streams. It needs to rebalance its focus on downside risks and exploit efficiencies brought by effective use of new tools and ways of working to free up time and resources to enable greater focus on upside and outside risks.

Essentially, the risk function needs to disrupt itself. It needs to change from being a defensive tool into becoming a core component of strategic development, helping the organization find ways to both maintain existing product lines and invest appropriately in the new to find the holy grail of the transformative age that is the innovator’s duality.

This means the risk professional of the future needs to embrace duality as well.

She needs to be able to look at the past, understand it and learn from it. But she also needs to use a broader network of intelligence from across her organizational ecosystem to react to shifting risks as they emerge in real time.

She will need to be able to utilize new tools and a wider range of skills, to provide a trusted, comprehensive analysis of her organization’s full risk profile along every part of its value chain.

And — perhaps most importantly — she will need to be able to deliver her recommendations and findings in a way that will provide confidence to strategic leaders as they formulate the day-to-day and long-term decisions that will drive her organization’s long-term growth.


Chapter 4

The strategic role of risk

Seeing the wood and the trees.

By helping decision-makers understand the risk landscape, the risk professional of the future will be able to enable strategic decision-making by evaluating risk in the context of the organization’s risk appetite and assist with setting long-term strategic agendas. This means organizations also need to change how they think about both risk and strategy, with the two functions becoming more entwined than ever before.

What companies are seeing today is that small decisions made to avoid risk on a daily basis can get in the way of their ability to meet their longer-term strategic objectives. For example, onerous procurement processes may limit abilities to engage with start-ups to get an early jump on emerging technology. With agile governance, risk management and compliance, the organization can put into place the appropriate controls to mitigate the risk while gaining access to the newest technology, and so not miss out on the opportunity.

Seeing the wood and the trees

Digital risk transcends the business ecosystem across every part of the value chain. This means it also transcends traditional business units. And while a holistic view of risk is especially vital to understand how digital risk can impact an organization from every angle in this transformative age, the devil is in the detail.

A holistic view of digital risks and opportunities needs to be matched with a nuanced, expert one — because just as the risks posed by digital are different in every industry and every company, so too are they different in every department within an organization. A centralized risk function will inevitably lack that nuanced understanding — which means risk is not something that can just be left to risk professionals. Instead, just as executing strategy is a distributed responsibility throughout an organization, so must effective risk management be if an organization is to successfully navigate the transformative age.

Leading organizations that will succeed in today’s rapidly changing world are developing a multi-level strategy to understand their risk profiles — and their risk appetite — all aligned with where they want to go from a strategic perspective. They increasingly see risk analysis as a vital part of both strategy’s development and its execution. They are deploying agile risk management approaches to predict and respond to high-velocity risk to minimize downside and seize upside risks.

Every business should ask itself these questions:

  • Do we have a balanced risk strategy across risk categories — downside, upside and outside?
  • Is our risk appetite aligned to the organization’s culture and strategic priorities?
  • Are we harnessing emerging technology to better mitigate downside risks?
  • How is automation impacting the roles and responsibilities across our lines of defense?
  • Are we fully leveraging our data to drive better risk intelligence for strategic decision-making?
  • Is our talent pool equipped to meet the changing needs of the risk function?
  • Are we engaging with ecosystem partners to achieve better results?

A new risk mindset for the transformative age

The digital age presents opportunities for immense value creation. Taking advantage of this shift will mean a sea change in the way we think about doing business — both in terms of how value is created and how the attendant risk is managed, whether that means avoiding it or capitalizing on it.

At the spearhead of this paradigm shift will be a reimagined risk function: a unit that can enable the organizational agility needed to embrace risk, promote a more predictive risk approach, and harness new technologies and risk ecosystems to drive improved outcomes and lower costs without losing the independent perspective that is so important to managing risk.

But the biggest risk is moving too slow — or doing nothing at all at a time when the velocity of risk is higher than ever. This will not only make you more vulnerable to both current and future risks, but also cost you the trust of shareholders, staff and customers, and let competitors overtake you.


In the future, digital will continue to come at us from every angle. Seizing the upside will only be possible if we build the risk capabilities that allow us to act with confidence.
