There’s no reward without risk — EY’s global governance, risk and compliance survey 2015

Advance | Optimize | Embed

An organization needs to assess each identified risk to determine its likelihood, potential impact or time to realization. For example, the likelihood of a natural disaster (an external risk) occurring that could negatively impact critical IT infrastructure may be low, but the potential impact to an organization launching new customer-facing IT platforms could be catastrophic. In another example, the likelihood and impact of disruptions to business and customer support processes arising as part of a major transformation program (a strategic risk) may be relatively high, but the benefits associated with such a program are also significant.

To make the right assessments, organizations need to directly address risk management in strategic and business planning discussions. They also need to routinely evaluate their risk profile and its impact on their business strategy, enabling the organization to readily identify new and emerging risks and adapt its strategy accordingly.

Getting organizations to think differently about the risks to their business by strategically applying the three risk categories (as depicted in the table and graphic) enables them to identify risks they may not have otherwise thought of. Organizations are able to clearly identify the key risks to “own”: not only those that result in negative consequences, but also those that generate value, enabling a direct linkage between risk and business performance. It is encouraging that 85% of survey respondents indicated opportunity exists to further improve the linkage between risk and business performance.

2. Designing risk response plans

Once an organization has identified and assessed its key risks, it can manage them by designing cost-effective and efficient risk response plans based on the organization’s risk appetite and each risk category — strategic, preventable and external. For instance, the amount of risk an organization is willing to accept as part of a transformation program may be low, but disruptions to business and customer support processes could negatively impact the organization’s reputation/brand and ROI. As a result, the organization must employ cost-effective risk management to balance the mitigation of risk with the expected benefits of the program. Likewise, an organization may be willing to accept a greater amount of risk in complying with new legal or regulatory requirements if the cost of noncompliance is relatively low or can be avoided altogether.

An organization developing digital platforms to better interact with its customers can take advantage of the upward potential of risk by not only designing responses to monitor for negative publicity that could harm its reputation, but also designing responses that monitor for positive publicity that it can capture and highlight in the marketplace.

Advanced strategic thinking enables organizations to manage the risks that directly impact their business strategy and performance. This strategic approach makes it easier to then coordinate functions, align talent and design processes to support the organization’s overall risk strategy.

90% of respondents indicated their company’s risk profile slightly or significantly influences their capital allocations.

85% of respondents indicated opportunity exists to further improve the linkage between risk and business performance.
“Companies that think about risk in the context of their business decisions are better positioned to manage the risks that drive performance.”
Matt Polak, EY Global Risk Transformation Leader

[Figure: Advance strategic thinking. Elements shown: purpose, business strategy and risk appetite; disruptive forces creating risk and driving change (social, political, environmental, technological, legal, economic); the three risk categories (preventable risks, strategic risks, external risks); and three questions: What risks impact our business? (Identify risks); Are they relevant? (Assess risks); What do I do about it? (Respond).]
