Profile photo of it specialist guy lady two business people late night coworking, watch direct monitor bugs testing java script code geek crazy professionals office indoors

From risk to resilience: Reimagine enterprise risk management

Authors

4 minute read 12 May 2025

A new era of continual disruption demands a strategic rethink — not only mitigating risk but also strengthening businesses for innovation.

In brief
  • To assess and address risk in a digital world and build resilience, chief risk executives can follow a new approach called Enterprise Resilience Management.
  • It’s founded on existing principles of risk management and strategic resilience, but the framework asks better questions and reduces organizational silos.

How EY can help

Chief risk officers (CROs) have rapidly needed to adapt to a generation’s worth of change packed into just the past few years, including a pandemic that was the most globally disruptive emergency of our lifetimes, as well as an artificial intelligence (AI) revolution that upends traditional business models and the very nature of work. The roles of these executives have now evolved to not only address downside risks but also make their enterprises more resilient and positioned for innovation.

 

A new, transformative approach that we call Enterprise Resilience Management (EReM) is emerging, focusing on converting identified risks into opportunities for resilience. It’s rooted in two mindsets that are very familiar to risk leaders, and by uniting them, organizations can experience a force multiplier effect:

 

  • Enterprise risk management, a core set of practices to identify, assess, manage and monitor risks, factored into an organization's overall strategy and decision-making processes. Historically, organizations have struggled to align risk management outcomes with actionable strategies that not only mitigate risks but also enhance resilience capabilities.
  • Strategic resilience, a holistic framework through which functional areas — including supply chain, operations, finance, IT and cyber — have specific resilience strategies that align with one another for the greater good of the full organization. Yet all this requires coordination across compliance, finance and internal audit, for example, to drive a unified approach to risk assessment and management.

 

It’s easy to see that these concepts are two sides of the same coin — and also how they may be just as separate because of organizational silos. But the EReM approach encompasses a multidimensional view of strategic risks unique to each enterprise, rooted in dialogue. Under EReM, the quality of questions that organizations pose regarding risk management leads to better answers — and therefore better operations and resilience. Here’s how it works.

Core components of EReM

Drawing upon tasks that are rooted in enterprise risk management and strategic resilience, EReM integrates several essential processes:

1. Risk identification: Establishing a clear vision and roadmap involves prioritizing enterprise risks, identifying current mitigation actions, and performing quantitative risk exposure analyses.

2. Risk assessment: Multidimensional risks and their interdependencies — how they overlap and connect with each other to take on greater complexity — must be fully assessed to mitigate their combined effects. That understanding is then aligned with resiliency capabilities. Organizations should craft a transformation roadmap for resilience and enhance governance in EReM to include resilience competencies.

3. Risk response and monitoring: Developing key risk and resilience indicators, building executive and board-level reporting dashboards, and conducting extensive risk and resilience reporting are essential for informed decision-making.

4. Cross-functional teaming: Organizations should prioritize forming cross-functional teams that combine expertise from departments such as legal, cyber, operational resilience, technology and the business units to drive resilience initiatives.

5. Risk and resilience alignment: Establishing resilience indicators within their key risk indicator (KRI) and key performance indicator (KPI) frameworks allows organizations to develop prioritized strategies and effectively monitor and report on their resilience strategies at the board level.

6. Cultural evolution and support: To support ongoing resilience efforts, organizations must regularly conduct third-party vulnerability assessments. Additionally, investing in continuous training, employee awareness programs, and cultivating an agile organizational culture are essential for long-term resilience.

Several types of resilience can arise from these efforts including:

  • Cyber and technology resilience: investing in resources such as a cyber recovery vault and network segmentation, alongside adopting cloud resilience practices
  • Operational resilience: addressing dependencies on third- and fourth-party entities, modernizing business continuity strategies, and enhancing operational frameworks to sustain resilience against evolving cyber threats
  • Financial and legal preparedness: establishing robust cyber insurance policies, maintaining financial reserves, and clarifying decision-making processes, particularly regarding ransom payments and contractual stipulations

Explore our Offerings

  •  Enterprise Resilience

    Discover how EY can help transform your business to navigate disruption with agility, stay competitive in the market and help generate long-term value.

    Read more

Five action items on EReM for risk leaders

As risk leaders navigate the complexities of enterprise resilience, several key factors should be considered.

 

1. Enhanced risk governance: Establishing clearly defined risk governance structures and standardized risk identification processes will enhance overall risk management infrastructure.
2. Cross-functional collaboration: Encouraging collaboration across departments will enable a more comprehensive understanding of risks and resilience capabilities.
3. Regular training and awareness: Continuous training and employee awareness programs will foster a culture of resilience, ensuring that all employees are equipped to handle potential risks.
4. Alignment with leading standards: Adhering to leading standards and principles across the enterprise risk spectrum will help organizations transform risks into strategic advantages, ensuring sustainable resilience.
5. Proactive cyber resilience strategies: Investing in cyber resilience, including robust incident response plans and continuous monitoring, is essential to mitigate the growing threat of ransomware.

 

By focusing on these factors, risk leaders can effectively guide their organizations toward a more resilient future, turning challenges into opportunities for growth and stability. 

Summary

Chief risk officers are adapting to rapid changes, including the pandemic and AI advancements, evolving their roles to enhance enterprise resilience and innovation. The emerging Enterprise Resilience Management (EReM) approach transforms risks into opportunities by integrating enterprise risk management and strategic resilience. This holistic approach enables organizations to turn challenges into growth opportunities, fostering long-term stability.

About this article

Authors

Related topics
Risk leaders' agenda
Consulting
Risk

Related articles

5 ways ERM and resiliency can create a robust enterprise together

Integrate ERM and resiliency to thrive in a volatile business environment. Discover 5 key strategies to build a robust enterprise. Learn more now!

Prakash Vanguri + 1

How boards can reframe strategic resiliency in a time of uncertainty

Discover how boards can enhance strategic resiliency amid uncertainty, focusing on adaptability, agility and robust governance for long-term success.

Shawn Mattar + 1

How internal audit can govern AI risks and promote compliance

Managing AI risks requires a proactive approach to governance by internal audit. Learn more.

Jessica Rodgers + 1

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.