Risk has always outpaced risk management by a few steps, but the scale, complexity, and interconnectedness of risk today mean that businesses need a new approach.
  • This new risk management approach is built on three pillars: growing, steering, and protecting the company.
  • It embeds risk awareness front and center throughout the organization and positions risk management as an immune system that is built into all operations and decision processes.
  • The goal is risk management operating as a control function that prevents individual risks from reaching threatening levels while supporting the right risk-reward decisions.
You may also be interested in:
" "

Consider three events in the last three years: the COVID-19 pandemic, Russia’s invasion of Ukraine, and the sudden availability of plain-speaking generative artificial intelligence (GenAI). Then look forward to the growing impact of climate change and the possibility of more severe droughts, floods, and fires. Now think about your company’s risk management capability. Is it organized, and does it possess the capabilities it needs for today’s world—and tomorrow’s?

The answer for very few companies will be yes. Risk has always outpaced risk management, but the scale, complexity, and interconnectedness of risk today presents companies with new challenges. (See “Risky Business.”)

Risky Business

Companies worldwide need a new model to approach risk and integrate risk assessment into decision making at all levels. Here’s how to go about building it.

A New Vision for Risk Management

This new and comprehensive approach to risk management starts with a risk function that is anchored in the C-suite and involved directly in strategic decision making. It also requires mature business functions that blend risk management into day-to-day decision making. The risk function must be tightly connected with both the business and the finance functions and include the assessment of financial and non-financial risks (such as supply chain and other process-related risks). The technical and analytical capabilities of the risk function should be used for decision making at all levels, making operations and processes more resilient.

The goal is for risk management to operate as a control function that prevents individual risks from reaching threatening levels while actively supporting the right risk-reward decisions. This risk management approach is built on three pillars. (See the exhibit.)

Growing the Company. To support a company’s growth agenda, risk and business functions need to work together for timely and accurate decision support. The risk function can provide the necessary data and decision-relevant information for analytics to have impact, such as scenario analyses. Doing so requires new models of collaboration between risk and business that integrate the two more closely while maintaining the risk function’s required independence. Analytics at customer or transaction level enable best risk-return business decisions. Agile approaches, with their cross-functional team make-up and regular people rotation, are two ways to facilitate better understanding and collaboration between risk and business.

Several banks are deploying advanced-analytics models to provide forward-looking information on the loan portfolio and risk-return analyses for commercial opportunities. These banks use customer-level transaction data to update old or unavailable financials, project future customer cash flows in real time, and assess the interconnections of clients with their customers and suppliers to identify supply chain risks. This real-time analysis helps make the right revenue-risk tradeoffs at the transaction level, generating significantly higher value from the portfolio. The banks use the same customer data and related analysis (such as customer cash flow projections) for commercial needs (such as lending) and risk assessment (affordability for the client), for example.

To support a company’s growth agenda, risk and business functions need to work together for timely and accurate decision support.

Energy companies can benefit from strategic decision making that is informed by continuous monitoring of external metrics as they undertake large-scale transitions to renewable sources and new technologies. For one global energy player, this involved developing a detailed and well-defined risk appetite and clear governance with common understanding of the roles and responsibilities of relevant actors, enabling timely escalation in case of changing signals or alerts on the external environment. The new risk function provides an analytic infrastructure of metrics to monitor the evolution of various scenarios and support a dynamic approach to portfolio management. Using risk-based analyses the company can deal more effectively with uncertainties in context and allocate resources optimally. Management can also manage the risk of stranded assets and assess options based on the economic viability of the business models in the portfolio.

Steering the Company. To further interconnect risk management and enterprise planning and help build a more resilient organization, the risk function can support the finance function in understanding the tradeoffs between risk and return in balance sheet planning. Companies need to be prepared for multiple stress scenarios.

In banking, the risk function traditionally has built and maintained a set of models for regulatory purposes. Finance and risk management can join forces and use these models, which often include alternatives to the baseline financial planning exercise, to optimize the deployment of financial resources, including capital, liquidity, and funding. The planned P&L follows. To be effective, however, this collaboration requires integrated data platforms, structured processes, and strong teaming between the two functions.

In other industries, the use of multiple scenarios to inform the planning process is equally applicable and will become more important over time. Companies can put in place a concrete framework that enables them to screen, assess, and monitor potential internal and external adverse events that can impede the achievement of defined strategic objectives, such as entering a new market or boosting revenues. This type of risk steering initiative is particularly valuable when the organization has deployed an ambitious strategic plan, embarked on a wide transformation program, or made a game changing investment decision. It involves a scenario-based assessment of the probability and likely financial impact of potential adverse events, based on historical observation, current market trends, and expert judgement.

In a world of risk-based multi-scenario planning, GenAI can dramatically transform planning activities.

A leading international fashion and luxury goods company, for example, has recently used this approach to identify more than 20 forward-looking scenarios across multiple risk categories (such as supply chain, image and reputation, service channel, and business interruption). It prioritized scenarios more likely to endanger the new plan’s chances for success, according to the potential impacts at varying revenues level. For each of these “top scenarios,” the relevant risk management units and the business agreed on a set of KPIs and related mitigation actions in the event that identified thresholds are breached.

In a world of risk-based multi-scenario planning, GenAI can dramatically transform planning activities in multiple ways, enabling a new operating model and at the same time streamlining activities and costs. These include:

  • Generating first drafts of documentation, scenario descriptions, and potential regulatory impact analyses.
  • Streamlining decision making by using real-time comparisons and analysis of data against benchmarks and detecting anomalies at granular level in the business.
  • Reducing manual errors by automating data clean-up for processes such as budgeting or advanced scenario simulations, with the potential for efficiency gains of up to 50%.
  • Enabling a new reporting model that moves from individual what-if requests to a complete analysis leveraging the full set of company data.
  • Shifting work from low value to high value activities.

GenAI applications are already a reality, and many companies are piloting new use cases with the ultimate goal of transforming the planning operating model. But technology adds its own series of risk and concerns. Pressure to control the risks while still reaping the considerable rewards is fueling the integration of responsible AI, an approach to designing, developing, and deploying AI systems that is aligned with the company’s purpose and values while still delivering transformative business impact. Risk management in the firm needs to be front and center in this effort.

Protecting the Company. Risk’s traditional role is more important than ever. But the level of protection needed requires a significant upgrade of the entire company’s capabilities. In this updated version of protection, distributed and automated controls become the immune system that senses threats and issues responses. This requires a rethought control environment—the set of standards and processes that provide the foundation for internal controls within the organization and clear early warning indicators.

Risk’s traditional role is more important than ever. But the level of protection needed requires a significant upgrade of capabilities.

For many companies, new data that can identify fraud in very early stages may be necessary. Banking again provides a useful example since its business model and the large number of financial transactions taking place every day make banks particularly vulnerable to criminal attacks and other nefarious activity. Banks are increasingly taking a data-driven approach to address this challenge. They have automated their know-your-customer processes to source relevant customer data, perform news searches, and assess financial crime risks. They are leveraging AI to identify and block suspicious transactions out of the millions of legitimate transactions banks are processing.

Better use of data, analytics, and technology achieves more effective protection through a more efficient use of resources. For example, at one leading bank, boosting prediction and prevention by enabling cross-risk data intelligence led to a 20% decrease in alerts escalated to the second level. Such moves also help the business to embed streamlined controls in business processes to achieve compliance by design.

The range, complexity, and interconnectedness of threats today opens new mandates (and opportunities) for risk management to prove its value. A wide range of actors (governments, cybercriminals, and employees, for example) with a variety of motivations (such as data disclosure and asset destruction) have access to similar attack methods (such as hacking and phishing followed by theft and extortion). Growing numbers of connections among a company’s own IT function, its operational technology and the Internet of Things, as well as overlapping tools, data, and processes lead to threats that start in one environment more easily spreading to others.

Fusing risk management capabilities across the various types of risks and technologies can generate both effectiveness and efficiency benefits. The risk function needs to focus its enhanced capabilities upstream on prediction and prevention capabilities across risk types, such as threat monitoring and risk profiling, and downstream by focusing on detection and response capabilities, such as scenarios and rules and investigation and remediation. Advanced technology and data capabilities, including data management platforms and advanced analytics, are key to both efforts.

Companies in multiple industries have realized 20% to 30% staff synergies by joining forces in multidisciplinary teams. Integrating case management and documenting end-to-end decision making has helped reduce IT costs by removing redundancies and realizing synergies while cutting processing time by more than 30%.

Finally, companies today need to embed resiliency at the core of their operations, technology, and business. This requires a different logic from that of traditional operational risk management. Companies must consider how to maintain service continuity in the event of a major disruption, the potential for harm to customers and the broader market ecosystem from potential events, and how to redesign end-to-end critical business services embedding modularity, redundancy, contingency, and ability to react quickly to changes.

De-Risking the Future

CEOs can launch a practical set of actions today to de-risk their companies’ future:

  • Business functions can leverage customer- or product-level analytics to anticipate commercial opportunities and balance risks, making optimal tradeoffs. This will require structured collaboration models with the risk function and enhanced analytical capabilities.
  • Finance functions can build risk-based planning capabilities that use strategic scenario tools and can generate early warnings of evolving external changes or threats and signal the need to launch contingency or alternative actions. This will require structured collaboration models with the risk function, using shared data platforms and methodologies.
  • Operations will need to build end-to-end resilient processes, ensuring continuity and stability in the most critical client services and leveraging distributed controls mixing automation and human processes. This will require structured collaboration models with the risk function to define scenarios, sensible tolerances, and a proper control framework.
  • The risk function will need to leverage technology to shift away from reporting and monitoring tasks to a high ratio (~80%) of value-added activities. This will require significantly upgrading skills to align with new risks (such as climate, IT, digital, and cyber) and technology requirements and building an organization fit for supporting the entire firm. The risk function will need to maintain its independence, but also transcend its traditional role to become a valued partner for the future.


Preparing for the future of risk requires a company-wide transformation in the operating model, the organizational structure, and in the minds of the company employees. When everyone views the management of risk as a part of their job, a company is on its way to being well-prepared and resilient for future risk events.

The authors are grateful to their BCG colleagues in the Risk & Compliance practice whose insights and experience contributed to this report. In particular, they thank Abhinav Bansal, Ingmar Broemstrup, Stephanie Bussan, Davide Corradi, Lorenzo Fantini, Bernhard Gehra, Gerold Grasshoff, Paul O’Rourke, Sebastién Rexhausen, Pierre Roussel, Hanjo Seibert, and Carsten Wiegand.

Subscribe to our Risk Management and Compliance E-Alert.

protected by reCaptcha

The New World of Risk—and What to Do About It