Chapter 1
Why organizations need a new risk mindset
To drive growth, we should move from risk avoidance to risk mitigation – and ultimately risk optimization.
Traditionally, risk has been seen as a negative. But today, it makes more sense to think of risk as having three distinct aspects:
- Upside risks – representing positive opportunities such as through new disruptive technologies, including EY’s strategic workforce planning and change insight tools, or operating models
- Downside risks – representing threats such as the possibility of employee fraud or a cyber breach
- Outside risks – representing factors outside of an organization’s direct control, such as wider political, economic or regulatory trends
Understanding the distinctions between different types of risk has strategic implications– often the upside risks you don’t take are as important as the downside risks you avoid. But actually deciding on which risks to take can be complicated. This is particularly the case for organizations that need to maintain a balance between sustaining core business lines and investing in innovation (a challenge known as the innovator’s duality ).
It’s here that a repurposed, proactive and strategic risk function can add new value and give strategic decision-makers the confidence to take the risks that will allow their businesses to grow.
However, if risk functions are to become accelerators, rather than inhibitors of digital transformation, they will need to review how they are managed and what their role should be. This will involve:
- Developing new skill sets and mindsets that involve social thinking, innovation and creative capabilities, alongside technical capabilities. This will give organizations the capacity to innovate at pace, embrace upside risks and keep up with transformative disruption.
- Building new-look risk workforces, which feature a combination of full-time employees, third-party and contingent workers, and automation. This will give organizations the agility to quickly access and leverage the talent and resources they need to thrive, even as workforce demographics change.
- Forming effective risk communities and promoting the sharing of intelligence about potential threats, allowing sectors to stay a step ahead of cyber criminals, mitigating some of the most common downside risks.
Chapter 2
Re-skilling the risk professional
If risk professionals are going to be at the center of your growth strategy, they’ll need a new toolkit.
The risk function of the future will be a key strategic division working hand in hand with your wider business strategy, and one that is able to communicate significant value around risk analysis and decision-making. But for that to happen, the risk professionals of the future will themselves need to change. This means cultivating new skills, competencies and mindsets:
- Hard skills: These include the ability to use sophisticated data modeling and data mining tools, as well as other IT solutions. It means staying on top of new, emerging technologies, and assessing both the upside and downside risks these technologies could mean for their parent organization.
- Soft skills: The new risk professional will also require the soft skills needed to sell their insights across the organization, and the ability to coordinate risk responses across multiple functions and stakeholders.
- Thinking in fiction: In a world of dynamic risk, we need to think about what’s around the corner – to conceptualize not just what is, but what could be. To think around the wider ripple effects of what’s happening here, now and tomorrow.
The risk function will itself need to transform structurally if it is to provide holistic, strategic guidance to key stakeholders across the organization. This could include the creation of new kinds of dedicated risk units that focus narrowly on a small aspect of risk – such as security operations centers dedicated to cyber risk – and then coordinate responses throughout the organization. It could also mean ensuring the risk function is embedded within innovation or transformation projects to help identify and mitigate risks as the organization transforms.
Chapter 3
Why effective risk management goes beyond risk professionals
Align your organization’s risk culture so that day-to-day decisions support your strategic objectives – throughout your operations.
The sheer scale, velocity and pervasiveness of risk in the transformative age means it isn’t just the dedicated risk functions that need to take responsibility for risk. It’s a shared responsibility that falls on every part of the organization. The risk-ready organization of the future cannot afford for risk to be siloed.
Here are four key considerations for a successful risk function:
1. Build effective reporting lines
Creating an organization that has risk readiness in its DNA will mean the creation of efficient reporting lines between risk-facing business units and the centralized risk function. This enables a more nuanced understanding of the risks that different business units face on the ground.
For example, a manufacturing team on the factory floor will have a better idea of what can go wrong with industrial machinery than a risk team located hundreds of miles away in a central office. Similarly, that manufacturing team will have a better view of potential upside risks – like emerging operational technologies that can improve work processes – than corporate-level decision-makers. Communicating this information clearly is critical if risk functions are to effectively coordinate organization-wide strategic responses.
2. An organization of individuals
Building a risk-ready organization also means making sure every employee understands both the scale of the risks and what their individual responsibilities are in mitigating them. And this will involve lots of learning: how to spot phishing and social engineering techniques, what to do in the event of a cyber breach, how to engage with third-party providers and customers. For boards, it could also mean simulation exercises such as red-teaming – where outside teams perform real-time, multi-level attack simulations on an organization to gauge management’s preparedness and response times.
An organization that successfully incubates a culture of risk awareness needs to make sure every employee understands this and takes responsibility for risk triggers. It means promoting an environment of continuous learning. Once again, risks move fast, and companies will need to promote fast learning if they are to stay on top of that risk, whether it’s upside, downside or outside risk.
3. The future of work needs workers of the future
A risk-conscious talent strategy will also increasingly need to consider the transforming nature of the modern workforce. This is characterized by the rising number of contingent workers, an emerging millennial workforce and the increasing automation of workplace activities. All of these will have an impact on how risk is addressed.
It’s estimated that by 2020, as much as 40% of the US workforce will be contingent workers. Think about what this means for aligning people around a singular culture of risk. How will a coherent set of values be communicated and instilled if your workforce is continuing to rotate in and out of your company?
Of course, addressing risk itself may mean on-boarding new kinds of digital talent to help drive the right cultural change and knowledge acquisition in the organization as a whole. But then, what risks do these hires themselves bring?
Risk and talent are increasingly intimately linked. To understand how means asking the right questions again and again. In a time of change, this continual dialogue is essential to understanding the risks and building and maintaining the trust that will enable your business to flourish.
4. Your risk is no longer just your risk
Similarly, just as the organization itself will have to contend with a more fluid and dynamic workforce, so too will entire industries. The age of walled gardens is over, and traditional inter-organizational boundaries no longer hold. One organization’s risk is every organization’s risk.
And in the digital world, with the connectivity it brings, risks can travel at alarming speed. This can be within individual organizations, but also up and down value chains, between industries and across national boundaries. Valuable information can jump from capital equipment to IT systems to personal computers and back again. For example, the 2017 Wannacry hack ended up hitting sectors as diverse as railway lines, hospitals and government ministries, across more than 150 countries.
This means there will be a growing obligation on all stakeholders to work together to mitigate or control risks not just for themselves, but on behalf of all other stakeholders in the ecosystem.
This could involve the promotion of agreed-upon standards of risk best practices, or the creation of threat intelligence sharing networks. When risks come at the speed and scale as they do in the transformative age, teamwork within industries will be needed to mount a rapid defense at scale.
It could also mean disparate parties pulling together for industry-wide solutions. We’re already seeing this in action – EY recently worked with Maersk and blockchain company Guardtime to help implement blockchain insurance solutions for the shipping industry.
However, that same connectivity that can amplify (or control) downside risks can also help industry players leverage upside risks, through exploring collaborative partnerships and knowledge-sharing.
A new type of talent for the transformative age
For anyone looking to convert digital disruption into meaningful, long-term business value, building a bedrock of trust is key. And a better understanding of risk, and the risk professional’s role, is key to building that trust.
This requires trust by design, trust that is built into the functioning of multiple business units and underpinned by a dynamic and skilled risk function that intertwines with business culture and activities at every level of the organization.
Only by making risk-thinking integral to organizational culture and behavior will these transformative opportunities be fully realized.
Summary
As digital disruption continues to impact all sectors, the complexities of emerging risk are escalating. To manage, mitigate – and even take advantage of – this uncertain risk landscape requires new ways of thinking and working. Approached with the right mindset and culture, it’s possible to turn these risks into a driver of new forms of digital trust.
