13 minute read 15 Oct 2021
A woman admiring Jellyfish

How risk managers can pivot from stabilization to transformation

By Tonny Dekker

EY Global Consulting Enterprise Risk Leader

Excited to serve as a Global Client Service Partner with over 25 years working to transform the businesses of our big Global Clients. Straight-talker with a big heart.

13 minute read 15 Oct 2021
Related topics Risk Technology Consulting

In times of unprecedented change, risk managers need to enhance core capabilities and align with the board’s priorities to drive growth.

In brief
  • Fifty-seven percent of risk leaders say their teams are, at best, just moderately effective at aligning risk and business strategy.
  • A deeper understanding of risk interdependencies is needed to foresee when an unlikely event might cascade into a full-blown crisis.  
  • Despite obvious capability gaps and board-level support, budget for technology investment is not being unlocked for the risk function.

After a protracted period of operating in survival and stabilization mode, CEOs are turning their attention to growth and transformation: 68% plan a major investment in data and technology in the next 12 months, and 61% plan to undertake a major transformation initiative. 

Risk leaders know that effective risk management is vital to support this strategic shift – the majority (59%) believe that improved risk management will be critical for their business to protect and build value in the next five years.

However, our survey of 120 risk leaders from around the world reveals that risk teams are not yet equipped to support this transition. It finds that they struggle to support the business in converting risk into opportunity, and that they have difficulty managing the newer threats that may undermine their business’s strategic plans. By comparing the perspectives of risk leaders with those of board directors and CEOs in the EY Global Board Risk Survey 2021, we have also unearthed different perspectives between the two groups on key risk issues. More specifically:

  • Risk managers are not aligned with board directors and CEOs on their business’s greatest strategic opportunities.
  • Almost half (46%) of risk leaders are, at best, only moderately effective at understanding how risks are interconnected.
  • More than half (53%) are, at best, only moderately effective at managing atypical and emerging risks.

The positive news is that risk managers can support their business’s new growth and transformation agendas by doing the following:

  1. Refocus on the upside
  2. Unearth risk interdependencies
  3. Utilize new technology and data
  4. Augment and diversify skillsets
Camping hut in the high mountains
(Chapter breaker)

Chapter 1

Refocus on the upside

By identifying the risks that double as opportunities, risk teams can play an important part in helping their businesses to grow.

Risk teams can help their business’s growth and transformation plans by thinking more strategically about risk. Practically speaking, this means spotting emerging risks early and communicating the potential upside to senior management.

“The role of the risk team is to constructively challenge ideas and push people to see both sides of the coin, that of opportunity and of the potential downside,” says Christian Okholm, Manager of Group Reporting & Insights at Novo Nordisk.

Take the example of changing customer expectations and preferences, which risk leaders rank as the greatest strategic opportunity for their business. As part of their risk mitigation efforts, risk teams should already be trying to predict how customer preferences might evolve to determine the potential negative impact on their existing set of products or services. But if detected and communicated to senior management early enough, the business may be able to innovate its offerings to better meet customers’ new preferences and therefore capture market share.

Chart breaking down overall survey responses by percentage to “Which of the following represent the greatest strategic opportunities for your organization?”

This is exactly what the ERM team at US convenience store chain Wawa is working to achieve.  Wawa’s risk around customer experience, trends and preferences centers “around effectively understanding, connecting and providing consumers with the products, services and experiences they need and expect in an ever-changing competitive landscape,” explains Michael Eckhardt, SVP, Chief Legal and Risk Officer at Wawa. “We are focused on ensuring the ERM process helps the business to understand how changing consumer preferences create opportunities by enabling us to bring products to market, advertise more effectively and build better customer focused experience.”

The role of the risk team is to constructively challenge ideas and push people to see both sides of the coin, that of opportunity and of the potential downside.
Christian Okholm
Manager of Group Reporting & Insights, Novo Nordisk

As another example, risk teams across various industries will likely already monitor potential new market entrants to gauge competition risk. If an emerging competitor is identified early enough –perhaps one that is venture-backed and has particularly disruptive technology – it could also represent an acquisition target and potential strategic opportunity for the business. 

Aside from alerting the business to looming threats that can be converted into opportunities, the risk team can contribute to growth and transformation by refocusing on more growth-orientated tasks. This may mean deploying the risk team’s analytical and modeling capabilities to evaluate new business models or growth markets, or conducting risk assessments to identify and measure potential issues when implementing new technology or launching a new product.

Business alignment and connection is crucial

Risk managers can only support their business’s growth and transformation plans if senior risk professionals and senior management outside the risk team are aligned on strategy. But our survey data shows that when it comes to aligning risk and business strategy, 57% of CROs are, at best, moderately effective at it.

The survey data also reveals a disconnect between senior business leadership and risk managers when it comes to their view of their business’s top strategic opportunities. For example, board directors and CEOs rank technology disruption as the number one strategic opportunity for their business. In contrast, risk managers rank this as their business’s least important strategic opportunity. Risk leaders are also much more likely than boards to consider changing consumer expectations as a major strategic opportunity. This may be because boards focus on opportunities that they can proactively seize by, for example, investing in new technology. In contrast, risk leaders may be more focused on opportunities associated with trends outside of their control that they have to react to, such as changing customer expectations. Whatever the reason, risk teams stand little chance of assisting the business with its strategic priorities with this disconnect.

Chart showing difference in responses between chief risk officers and senior leadership to “Which of the following represent the greatest strategic opportunities for your organization?”

Senior risk personnel also need to have a strong connection with the wider business to convey their views on potential opportunities. Eckhardt believes that regular meetings between the CRO or equivalent and other senior management can help achieve this. “We have an ERM internal steering committee that includes our CFO, our chief strategy officer, the chief risk officer and our director of internal audit,” he says. “We meet quarterly, and that ensures that we’ve tied strategy to risk and risk to strategy.”

Their relationship with the wider business aside, risk teams also need to have access to the internal and external data – and the technology that helps them to process and analyze it – in order to spot distant risks (see Chapter 3).  

A woman on bridge
(Chapter breaker)

Chapter 2

Unearth risk interdependencies

Gain insight into the true consequences of risk.

Major risk events can completely disrupt a business’s growth and transformation plans. The added challenge today is that risks are increasingly connected and can cascade quickly. A seemingly unlikely and low-probability risk event has the potential to rapidly snowball into an existential crisis. As Gautam Jaggi, an Insights Director at EYQ, argues, “We are at risk of underestimating ticking time bombs not just because they are correlated with time, but also because they are correlated with each other.” Understanding these correlations is critical because risks that appear unrelated to one’s business (and are therefore often dismissed) could set off other seemingly unlikely risks that do directly threaten the business. 

46% of risk leaders are, at best, moderately effective at understanding how different risks are interconnected.

The global pandemic is the most obvious example, with COVID-19 exacerbating multiple financial and operational risk categories. In addition, climate change risk has the potential to impact not only operations should an adverse weather event cause a power outage or flood, but also disrupt supply chains and displace customer bases. It also creates reputational risk if businesses are not perceived to address this issue.

It’s therefore vital for businesses to understand how risks are connected: a full appreciation of risk interdependencies provides businesses with a more accurate picture of the true potential impact of threats. However, the survey data reveals that risk leaders currently struggle in this area: almost half (46%) are, at best, only moderately effective at understanding how different risks are interconnected. Despite this shortcoming, the survey data shows that improving this capability is not a top priority.

This may not be high on risk managers’ agenda because they are unaware of the tools that are available to help them. Illustrating this, despite the majority (65%) of risk leaders being satisfied with their use of data and technology to identify and understand risk interdependencies, we know from our work with clients that many do not use the latest new technologies that provide completely new insights into risk interdependencies. Board directors certainly identify this as an area of improvement: compared with risk leaders, far fewer (45%) are satisfied with their organization’s use of data and technology to understand how risks are connected.

How can technology help? Advanced technology, such as artificial intelligence (AI), can be deployed to assist businesses in modeling and understanding connections between risks. For example, AI can be used to discover risk interdependencies through internet research. It can automate basic risk research, identify important risk statements in unstructured external documentation, compare this with internal data, and then undertake causal analysis to identify risk interdependencies.

Boy looking through viewpoint binoculars at the seaside
(Chapter breaker)

Chapter 3

Technology and data can help see around corners

Despite new technology’s vast potential, budget is unavailable.

The power of technology

New technology and data have immense potential to assist risk teams. As a starting point, automation technology can be used to process low-value manual tasks, including simple data processing or risk model verification. This frees up risk professionals’ time to focus on some of the growth-orientated initiatives described earlier.

Risk management platforms, which risk, non-risk professionals and even third parties can use to input and view key risk metrics across the business, can also be highly valuable in enabling risk teams to spot emerging risks. By creating standards about how key risk information needs to be entered by different teams across the business, analyzing risk trends becomes much easier.    

Besides the risk team, I see much more importance on how the business as a whole uses technology to mitigate risks.
Jeanne Cheng
Chief Risk Officer, SP Group

Software aside, cloud infrastructure can also be leveraged to give risk teams the data storage capacity and analytics firepower needed to conduct horizon scanning, scenario planning and stress testing based on multiple variables. This type of analysis enables risk teams to more effectively detect weak signals of an atypical and distant threat before it materializes into a major risk.

Technology can also be used to identify threats. Jeanne Cheng, Chief Risk Officer at energy company SP Group, provides an example. “Besides the risk team, I see much more importance on how the business as a whole uses technology to mitigate risks,” she says. “For example, we use technology to monitor and analyze the condition of gas pipes in our network for timely detection of anomalies, as this can be a precursor to an outage. This enables us to take a pre-emptive response. We also use new equipment like in-pipe CCTV cameras to locate weakness in the pipes, which enables us to do corrective maintenance more efficiently and effectively.”

Although the risk team won’t use these technologies directly, it can still play a role in overseeing how frequently they are being deployed and that the insights provided are acted upon.

Overcoming investment hurdles

Despite its vast potential, risk leaders currently do not fully utilize technology and data: almost half (48%) say they are, at best, only moderately effective at leveraging data and technology to be predictive, detect risks and opportunities early, and improve decision-making.

Although there appears to be a capability gap in this key area, risk leaders appear reluctant or unable to make the investment that is required. The survey reveals that less than half (47%) of risk managers intend to increase their level of investment in data and technology for risk management in the next 12 months, compared with 69% of board directors and CEOs. Risk leaders are hesitant to invest despite the willingness of board directors and CEOs to do so.  

Chart breaking down survey responses by percentage to “To what extent do you plan to change the level of investment in data and technology for risk management in the next 12 months?”

This may be because risk leaders are not aware of the value that technology can add, or because they have been unsuccessful in securing budget for technology investment in the past.

Either way, bringing new skills into the risk team can help (see Chapter 4). Data scientists will improve the risk team’s data and technology expertise, and open their eyes to the benefits that technology can deliver. Individuals with previous business experience outside of audit and risk functions can also help to make the case for technology investment because they will likely be better at articulating the business benefits.

It’s also vital to start small. Risk teams stand the best chance of securing budget for technology if they can demonstrate the benefits of a pilot technology implementation. 

Man sand boarding in desert
(Chapter breaker)

Chapter 4

Augment and diversify skillsets

Risk teams will have to upskill rapidly and strategically if they want to help their businesses transform and build value.

Even if they possess the most “bleeding-edge” technology, risk teams will fall short in their efforts to support the business’s growth and transformation plans if they don’t have the necessary diverse range of skills. Although risk leaders do not consider a lack of the necessary skills to effectively utilize data, technology and analytics to be important, board directors and CEOs identify this as the top obstacle.

According to the survey data, many risk teams struggle to raise the skills profile of their teams. Almost half (48%) are, at best, only moderately effective at upskilling the risk function. Despite this obvious capability gap, risk leaders rank upskilling the risk function as one of their lowest priorities in the next two years. Perhaps they are not sure which skills they will need in the future or lack the budget to obtain them. They may also simply be focused on other priorities. Whatever the reason, the apparent lack of focus on skills needs urgent reassessment.

Chart highlighting leading survey responses to “Which of the following will your business prioritize in the next two years to improve enterprise resilience?”

Plugging the skills gap

How can risk leaders augment and diversify skillsets? The first step is to carefully consider which capabilities will be needed in the future. This depends on the characteristics of the individual company and existing strengths and weaknesses, but technologists, data scientists and individuals with business analytics expertise will almost certainly be required.

In addition, risk leaders need to ensure that their teams possess a diverse array of hard and soft skillsets. This includes communication and collaboration capabilities and the ability to adapt and be agile so that the team can pivot to focus on new priorities as needed.

Being able to speak the language of business is also a must. Individuals who can understand business problems and translate often-complex risk metrics into business insights that are understandable by people outside of the risk function will be in high demand. “Rather than having employees skilled in a particular risk category, it is valuable to have a combined range of experience in different areas of the business and from other industries as well,” confirms Jeanne Cheng of SP Group. “Diversity of risk experience is helpful.”

Risk leaders also need to think through how to recruit these individuals, since many data scientists may not consider the risk function an obvious career destination. One practical way to achieve this is to establish secondments or placements so that data scientists recruited to the wider business are placed within the risk team on a short-term basis. This not only ensures that risk teams get access to the capabilities they need but also helps to establish connections between risk and the wider business.

Sometimes, the risk team may not need all of these capabilities within the function itself. For example, there is no need for risk teams to run supply chain scenario planning if the supply chain team already does so. In this case, the risk team has the opportunity to become a center of excellence, monitoring and overseeing that risk analysis is conducted effectively within the business. In addition, the risk team will need to evaluate potential correlations between risks being monitored by individual functions to ensure that weak signals of emerging threats are not missed. 


New business models and technological disruption. Risk cascades created by COVID-19. Inescapably urgent climate change crises. This is a time of rapid change and escalating risks. To succeed, businesses need a fundamentally different approach to risk: moving from risk management to risk strategy that is an integral part of business strategy. Risk leaders will thrive by exploring risk interdependencies. They will invest in AI and data capabilities to develop early warning systems and free their time for higher-order activities. Get this right, and you can transform your risk function from managing downside to becoming an engine of growth and innovation.  


To succeed, CROs must shift from risk management to creating a risk strategy by focusing on upside opportunities and risk interdependencies. The way forward will be through new technology and data and a more diverse set of skills within their teams.

About this article

By Tonny Dekker

EY Global Consulting Enterprise Risk Leader

Excited to serve as a Global Client Service Partner with over 25 years working to transform the businesses of our big Global Clients. Straight-talker with a big heart.

Related topics Risk Technology Consulting