The findings of this study, based on 576 interviews with companies around the world and a review of more than 2,750 analyst and company reports, highlight that companies that succeed in turning risk into results will create competitive advantage. Furthermore, E&Y’s research suggests that companies with more mature risk management practices generated the highest growth in revenue, EBITDA and EBITDA/EV. The report is organized in three sections: where companies want to drive results, what differentiates top performers and how leading companies are turning risks into results.

Achieving Results from Risk in Three Interrelated Ways

According to the report, organizations achieve results from risk in three interrelated ways—risk mitigation, cost reduction, and value creation. In focusing on mitigating overall enterprise risk, companies must have the ability to identify and address key risk areas, as well as the readiness to close the gaps. Regarding cost reduction, which continues to be critical for survival, the report lists opportunities to achieve this. These opportunities include: reducing cost of control spend through improved use of automated controls and eliminating duplicative risk activities. Value creation involves ways where risk and control management can help improve business performance.

The RISK Agenda

According to the report, the top financial performers do more than the basic elements of risk management. Specifically, the top-performing companies (from a risk maturity perspective) implemented on average twice as many of the key risk capabilities as those in the lowest-performing group. These risk practices were organized into five challenge areas that make up The RISK Agenda. It is also noted that the research findings support E&Y’s experience with its clients that turning risk into results requires a multifaceted approach. The five components of The RISK Agenda are summarized below.

1. Enhance risk strategy

  • This component refers to strengthening risk governance and oversight.
  • It is essential that the proper oversight and accountability exist at the board and executive levels.
  • In addition, there is the need for ownership of risk throughout the organization. At the management level, executives need to play a crucial role in assessing and managing risk.
  • Leading practices that reflect this component include:
    • a common risk framework adopted and implemented across the organization, and
  • open communications about risks with external stakeholders.

2. Embed Risk Management

  • This component involves integrating risk and performance management.
  • According to the report, organizations that embed risk management practices into business planning and performance management are more likely to achieve strategic and operational objectives. Conducting an enterprise risk assessment can help to prioritize and identify opportunities for improvement.
  • Leading practices include:
    • a formal method for defining acceptable levels of risk within the organization,
    • stress tests to validate risk tolerances, and
  • an effective risk management program.

3. Optimize Risk Management Functions

  • This component is achieved through coordinating multiple risk functions.
  • By aligning and coordinating risk activities across all risk and compliance functions, organizations can reduce their risk burden (overlap and redundancy), lower their total costs, expand coverage and drive efficiency.
  • Leading practices include:
    • risk-related training incorporated into individual performance,
    • the use of standardized risk reporting and monitoring tools, and
  • integrated technology to help manage risk.

4. Improve Controls and Processes

  • Improving controls and processes aids in enhancing business-level performance.
  • By optimizing controls around key business processes, harnessing automated versus manual controls and continuously monitoring critical controls and KPIs, organizations can improve performance and reduce the cost of controls spend.
  • Leading practices include:
    • established key risk indicators to predict and model risk assessment,
    • controls are optimized to improve effectiveness and reduce costs, and
  • key risk and control metrics are established and updated to address impacts on the business.

5. Enable Risk Management, Communicate Risk Coverage

  • This component refers to helping shift the perspective within an organization from being risk-averse to risk-ready.
  • According to the report, moving an organization from being risk-averse to risk-ready will require an executive champion to lead it, as well as tone-from-the-top support and executives who lead by example. It is important to communicate openly and often with all stakeholders, provide third-party assurance and leverage technology for maximum benefit.
  • Leading practices include:
    • risk identification and assessment are regularly performed using GRC software, and
  • organizations provide assurance to stakeholders using independent reports (e.g., SOCR).