5 minute read 3 Oct 2018

How risk management can evolve to become the coveted business ally


EY Global

Multidisciplinary professional services organization


Post financial crisis, regulators have forced the increased relevance of risk organizations and demanded a seat at the table.

Insurance and banking business models have continued to grow in complexity over the past 50 years – from simple and local risk exposures to the current environment of complex and global exposures. Risk management has evolved along with the business model changes, from individual, transaction‑based decisions based on a combination of judgment and underwriting criteria to looking at aggregated portfolios of risk enabled by more robust analytical tools. While the tools and techniques available to risk professionals have continued to evolve, the interaction model between risk and the business has largely remained the same – an “us versus them” dynamic. In the past, risk was present to say “yes or no” to business leaders based on what was seen to be risk’s perspective and desired profile, often leading to escalation with business leaders and revenue generators having a distinct advantage.

For today’s risk organization

The challenge is clear:

How to have an impactful seat at the table without turning into a “check the box” regulatory exercise.

The next step in the evolution of risk management:

To reframe the debate and the role of Risk within an organization from being a control and compliance function to being a valued business ally.

The goal: to move from “us versus them” to “just us”

The entire organization driving toward common enterprise objectives. If structured right, the risk management organization can be involved in the pursuit of business objectives and the optimization of outcomes across all relevant constraints and lenses.

Buy-in, talent, transparency

  1. First, there must be buy-in from the most senior levels of the organization and the board on the importance and necessity of an independent view of the risk profile. This includes both a broad enterprise view and, more narrowly, the risks within each product. Senior leaders must recognize the value provided by an effective risk function and understand that if executed properly, the value will exceed the cost of the added infrastructure.
  2. Second, a risk organization must be staffed with talent commensurate with the highest standards for technical competence across the company. This is important to building credibility with the business and will help to establish that opinions and views are respected and seen as adding value.
  3. Third, but likely most important, transparency must be the central tenet of a risk management organization — one that cuts across all aspects of decision-making. Transparency starts with the engagement of the entire organization at the beginning of the development process for models and metrics used in forming and managing the technical risk profiles. Regardless of who owns the models, their development must be open and transparent to all key constituents.

Once those three steps are completed, the role of Risk, and the professional knowledge embedded within, make it a valuable participant in the collaborative process and a critical ally in moving between constraints and stakeholders.

Key to achieving this is an effective Risk Appetite Framework that considers the balance of risks and resources across the firm and the perspectives of all relevant internal and external stakeholders. While Risk will serve as the scorekeeper, the entire organization must own the Risk Appetite Framework as a corporate asset so that the company remains within the desired risk profile while it pursues optimized financial outcomes.

Articulating the appetite

First, consider establishing broad expressions of risk appetite that account for the desired balance between risks and resources across all relevant economic, regulatory and accounting frameworks. The expressions should take into account that the balance might change when subjected to a variety of stresses over various time frames. Factors at play are the evolution of assets and liabilities through time, with varying severities.

Examples of such expressions include the following:

  • The organization wishes to preserve its ability to participate in markets in a moderate stress environment.
  • The organization seeks to remain solvent in a severe economic downturn.
  • Under normal market deviations, the organization seeks to limit earnings volatility.

The final pieces of the puzzle

  1. Agree on what level of stress is articulated in the expression. Again, collaboration, transparency and inclusion of all stakeholder views must be part of the development of these scenarios, as they will define and constrain risk profiles and business activities. They must be designed so that they probe sensitivities of assets and liabilities across all relevant risks, yet do so in a way that aligns with external and internal views of a reasonable definition.
  2. Once the metrics and definitions of stress have been determined, the measurement can begin. The manifestation of risks can be complicated by the financial reporting rules, and it is important to have reliable processes with transparency into potential limitations and simplifications. For an organization to embrace the Risk Appetite Framework and use it to inform difficult business decisions, there must be credibility of, and confidence in, the models, scenarios, assumptions and output.
  3. Translation of the desired risk profile of the organization into meaningful limits on key risk-taking activities. This is where the broad macro and strategic expressions become operational. The objective is to align limits such that there is a comfortable likelihood that the actual outcomes in stress scenarios will be in line with expected outcomes. This doesn’t mean that all limits need to academically tie to the expressions. However, they should be set such that the business-as-usual risk-taking activities won’t materially change the shape or dimension of the risk profile.
  4. Once the Risk Appetite Framework is in place, it can be incorporated into business and capital planning – however with a twist on the traditional risk and business dynamic. No longer will there be an “us versus them” discussion, with Risk having the ability to say yes or no at their discretion. Rather, Risk will now provide transparency into the impact of business decisions on the commonly agreed-upon limits and constraints, facilitating an open dialogue. It is no longer Risk’s role to make the “yes or no” decision, but rather the organization’s, with Risk providing full transparency into the impact on the commonly agreed-upon expressions. The framework provides a basis for evaluating the levers available to any organization — changing the risk profile, changing risk capacity, or changing the risk appetite statement. The common evaluation of when and where to pull these levers will be grounded in the Risk Appetite Framework and transparent to all parties.


To move beyond the “yes vs. no,” “us vs. them” divide present in Risk’s relationship with the business, an organization must establish buy-in from the most senior levels, acquire top talent and enable transparency. The challenge of clearly articulating common goals and objectives for the enterprise through a functional Risk Appetite Framework continues to confront us all to varying degrees.
