There’s no reward without risk — EY’s global governance, risk and compliance survey 2015

Looking at risk differently

Historically, risks have been categorized in many different ways. We believe that regardless of how they are organized, it is beneficial to consider risks in the context of your business and how best to respond to those risks. By categorizing risks according to their impact to the business, organizations are able to shift their focus with regard to how they identify and respond to the risks they face — both internal and external, as well as those with positive and negative impacts — and best respond to each risk appropriately.

Until now, organizations have primarily focused on risks that can be managed through the implementation of controls, but offer little to no upside or benefit. However, with increasing stakeholder demands and an ever-evolving business landscape, leading organizations are now focusing more of their time and efforts on managing the risks that impact value creation.

Broadly, risks can be managed by applying the following three categories [2]:
• Strategic risks that must be accepted as they offer positive benefits
• Preventable risks that should be avoided or mitigated as they offer negative impacts
• External risks that cannot be controlled, offering negative impacts and/or positive benefits

Strategic risks: risks that offer benefits
Risks significant to the organization’s ability to execute its business strategy and achieve its objectives: strategic risks often focus on the risk opportunity. Eliminating these risks, or transferring them, is therefore not an option: it is a balancing act which requires the organization to evaluate “risk vs. reward.”

Preventable risks: risks that offer negative impacts
Risks an organization is focused on eliminating, avoiding, mitigating or transferring in a cost-effective manner as they offer no strategic benefits. These types of risks typically result in a negative impact when an event occurs and can be most effectively managed via a controls-based approach.

External risks: risks that offer negative and/or positive benefits
Risks beyond the organization’s control: these risks can be unpredictable as they originate outside of the organization and typically have a low rate of occurrence. Organizations should take actions to cost-effectively reduce the likelihood of occurrence and limit negative effects should the risk event occur.

Example risks shown in the figure:
• User adoption: Adoption rate of new social media and mobile platforms by consumers
• Regulatory compliance: Adherence to new laws and regulations
• Return on assets: Performance of assets relative to the cost of acquisition
• Market penetration: Return on investment (ROI) relative to cost to achieve market penetration
• Competitive shifts: Actions by competitors to block market penetration
• Talent management: Achieving expected benefits while managing the impact to people, processes and technology
• Geopolitical: Changes to politics, geography, demography and economics that influence a nation or region
• Employee fraud: Deliberate efforts to inappropriately use one’s occupation for personal gain
• Natural disasters: Acts of nature whose impacts are typically significant and result in immediate impact to the organization
• Information security: Unauthorized activity occurring on an organization’s information systems and infrastructure
• Tax law: Adherence to new tax codes and regulations
• Financial integration: Integration of two previously disparate systems

Key:
• Expansion into new emerging market
• Acquisition or divestiture
• Development of social and mobile platforms
• Transformation of finance function

[2] Robert Kaplan and Annette Mikes, “Managing Risks: A New Framework,” Harvard Business Review
