There’s no reward without risk — EY’s global governance, risk and compliance survey 2015

Where are organizations now?

Over the last five years, organizations have improved the way they identify, manage and respond to risk. They have created executive-level roles to provide risk oversight, established functions to deal with complex legal and regulatory requirements, and implemented supporting technologies. Reacting to increased market volatility and regulatory changes, organizations renewed efforts to enhance their internal controls. While organizations have demonstrated progress, further opportunity exists to better manage risk and drive performance — there is no reward without risk.

Seizing the opportunity

In summary, organizations exist to deliver on a purpose. That purpose is achieved through a series of business decisions that require taking risks — these risks impact business performance. Identifying, managing and responding to risk should be an integral part of an organization’s everyday activities.

To drive performance, organizations must advance their strategic thinking. They need to identify and assess the risks that impact their business strategy. They also need to respond to those risks applying three categories — strategic, preventable and external. This enables organizations to shift their focus from the risks they can control to the ones they cannot or need to balance to drive performance.

To efficiently and effectively respond to risk, organizations must optimize their functions and processes. They need to define an operating model with clear ownership and accountability, align the right talent and skillsets to that operating model and design processes to govern the execution of risk activities. This establishes the structure and mechanisms to facilitate coordination, communication and reporting throughout the organization.
Once the functions and processes are properly in place, organizations can more easily embed and execute solutions that help them respond to and manage risk as a core aspect of their business. These solutions, designed based on the three categories above, enable the organization to prevent, balance or limit the impact of risks. Leveraging enablers such as technology, organizations can support and sustain these solutions.

EY can help organizations think differently about risk so that they can manage the risks that drive performance and success.

Risk is a key part of strategic business planning and top of mind for many boards today; however, the board’s ability to provide oversight could be enhanced by more frequent evaluations of the organization’s risk profile.

77% of respondents evaluate their organization’s risk profile on an annual basis, limiting their ability to adjust their business strategy based on changes to their risk landscape.

83% of respondents identify, assess and develop plans to address risks to all key initiatives (43%) or identify and discuss the risks (40%).

88% of respondents indicate that the board or a board committee provides oversight of the organization’s risk management activities.

“When we help clients approach their risk management in this way, they are able to set themselves more challenging goals that can deliver better outcomes.” Paul van Kessel, Global Risk Leader

[Figure: A robust risk-aware organization. Panels: Advance strategic thinking (purpose, business strategy, risk appetite; identify, assess and respond to risks; disruptive forces creating risk and driving change: social, political, environmental, technological, legal, economic; strategic risks, external risks). Optimize functions and processes (lines of defense: 1 operations and business units, 2 management assurance, 3 independent assurance; board and executive management; operating model, people, processes). Embed solutions (prevent, balance, limit; enabler: technology; preventable risks).]
