Back to How We Help Clients

Enterprise Risk Management and Risk Culture

We help clients design and implement integrated risk-management solutions and bring a risk-reward perspective to strategic decision making and day-to-day operations.

Many risk-management activities at the enterprise level are influenced by various types of pressure. Some are external, such as compliance or regulatory changes, for example. Sometimes, unfortunate events in one’s own company or in the industry prompt internal soul searching regarding whether existing risk-management approaches are adequate. In more and more cases, however, CEOs and business leaders take a more proactive stance, as their goal is to further develop risk-management capabilities (proactively based on their strategic and economic priorities and growing aspiration levels) into a true competitive advantage—ultimately improving business decisions and increasing the value of the company in a risk-conscious way.

We have worked with clients in many different industries, including finance, energy and basic materials, automotive, pharmaceuticals, infrastructure, logistics, and travel. We have also assisted public entities, as many of them are increasingly aiming to improve their enterprise-risk-management (ERM) capabilities.

Our recent work includes supporting clients in targeted initiatives for upgrading ERM capabilities. Economic crises motivated our clients to work on stress testing and rapid-recovery programs. Natural or operational disasters resulted in the creation of effective crisis-response projects. Far-reaching regulatory and supervisory actions triggered work to articulate strategic risk appetite and strengthen internal-control frameworks.

We have also supported our clients in large and broad multiyear ERM transformation programs in order to build the ERM capabilities that are necessary for an institution to thrive in a new economic, competitive, and regulatory environment. We focus on strengthening the structural elements of ERM, including the link between risk and strategy, for example, in identifying and managing M&A or capex risks; the impact of risk-return on portfolio management, and sometimes, portfolio “de-risking”; and the strong link between risk and financial management, such as in balance-sheet management. Many boards and CEOs have asked us to discuss risk governance as it relates to their companies, including the roles and involvement of the board and the CEO in risk management. Also, many of our projects now focus on ensuring that ERM is implemented in and across an organization, including within a company's culture.

Our systematic approach to ERM focuses on five dimensions, each of which is substantiated with industry-specific diagnostics, benchmarks, and best-practice recommendations:

Risk-return transparency and insight

We help our clients identify, quantify, and prioritize their most important risks as well as related returns. We do this using a combination of advanced quantification methods (such as analytic modeling and stress testing, also using nontraditional data sources) and the systematic integration of qualitative factors, including business-management judgment. To complement statistically validated approaches, we integrate forward thinking, especially in risk measurement and management reporting. In close cooperation with our Business Technology Office, we advise our clients on appropriate data and IT solutions. As a result, our clients gain a clearer perspective of their most important risks and the related returns, as well as on the structure of their portfolio of risks and how they can use insights in order to improve strategic, financial, and operational decision making (for example, on risk mitigation, portfolio adjustments, contracting or risk based pricing).

Risk ownership and strategy

Companies should choose consciously what types and levels of risk to take and what to avoid and mitigate (“risk ownership”). We help clients gauge their unique strategic, financial, and operational circumstances (“risk bearing capacity”) in order to ensure that their risk choices are aligned with their strategy and with their financial and operational risk-taking capabilities (“risk strategy and risk appetite”), so that they can optimize the risk-return trade-off.

Risk-enabled decisions and processes

When making important strategic, financial, and operational decisions, decision makers must consider risks related to information and associated trade-offs. We support our clients in integrating risk-return-related considerations into important decisions in M&A; routine processes, such as planning and capital allocation; and daily frontline transactions, such as contract structuring and pricing. We pay particular attention to ensuring sound risk reporting, monitoring, and control processes.

Risk governance and organization

Everyone in an organization has some responsibility in managing risk across the organization, not just the chief risk officer. Shareholders, rating agencies, and regulators and policy makers request that companies involve their top management and even their boards. However, the right structural and organizational choices, the description of roles and responsibilities, as well as the appropriate definitions of organizational units and reporting lines, are critical to ensuring robust and effective enterprise-risk management. We help clients define overall governance as well as the organization of the relevant risk, finance, and other control functions, and determine how they should interact with one another and other parts of the organization. Furthermore, we provide granular benchmarks on the appropriate size of and cost for different risk and control units.

Risk culture

Mind-sets and behaviors of individuals and groups inside the organization—and not only the risk organization—play a crucial role in the execution of a company’s enterprise-risk-management strategy. We have developed a proprietary approach to risk culture that, for the first time ever, allows for the creation of a specific and detailed description of the core elements of a company´s risk culture, an analytical approach toward measuring and profiling that culture, overarching industry-specific benchmarking, and the identification of specific levers for actively influencing and developing risk culture.

Featured capabilities

To assess, benchmark, and improve a client’s ERM capabilities, we use a combination of proprietary data and unique tools, including the following:

  • Enterprise Risk Management (ERM) Diagnostic. A holistic assessment of the effectiveness of enterprise-wide risk management, this diagnostic helps generate a view on the perceived strengths and weaknesses of a bank's current risk management capabilities. It is structured along a five-part framework covering all aspects of risk management, including risk transparency and insights; natural ownership, and risk appetite and strategy; risk-related decisions and processes; risk organization and governance; and risk culture. The diagnostic encompasses a self-assessment as well as a peer benchmarking and provides detailed insights into global best practices as a basis for developing initiatives.

    Management questions addressed:

    • What is the bank-internal view on the overall enterprise risk management capabilities?
    • How do my current capabilities compare to those of peers and industry best practices?
    • What does this imply for my aspiration level?
  • Risk Organization Diagnostic and Benchmarking Tool. McKinsey's risk organization diagnostic benchmarks the number or allocation of resources and operational costs against peers, using a detailed, activity-level risk taxonomy. The tool further helps analyze organizational structure in terms of archetype models—span of control, for example. The results of the diagnostic enable the identification of potential levers to increase effectiveness and cost efficiency. The tool can also be applied to the compliance areas.

    Management questions addressed:

    • How many resources perform specific activities (across risk types and lines of business) in my organization, and in which organizational setup (central versus business-aligned functions)?
    • Is my risk organization set up efficiently compared to that of my peers?
    • What organizational designs can we adopt to become more efficient and effective?
    • What are the major opportunity areas for my risk organization?
  • Risk Culture Diagnostic. Historical evidence suggests that many risk incidents involve a cultural root cause. McKinsey’s risk culture diagnostic helps measure risk culture and identify these causes, which can then be addressed with tangible initiatives. The diagnostic uses a framework of attitudes and behaviors based upon a rigorously tested methodology. Actively shaping the risk culture will mitigate future risks and improve overall performance.

    Management questions addressed:

    • How can risk culture be measured?
    • Do I understand where risk culture is in my organization?
    • Which interventions are necessary to improve risk culture?
    • How can risk culture be actively shaped?
  • Compliance Health Check. Helps clients test for compliance in their particular industry. A series of industry-specific tools for certain compliance areas (such as Business Partner Management or Gifts & Hospitality) are also available.
  • Cash Flow at Risk (CFAR) Models. Risk technology and operations is a priority topic for banks and regulators to achieve sound risk management practices. This diagnostic tool helps assess current capabilities in this area (such as data availability and consistency, and system functionalities) against current and future regulatory requirements as well as against target sound industry practices. The results provide a basis for an informed discussion on required developments and investments.

    Management questions addressed:

    • How well are risk IT processes designed with respect to supporting risk management?
    • How sophisticated is IT application coverage for critical risk functionality?
    • How advanced are data capabilities such as quality, consistency, integration, and especially an aggregated risk view?
    • How mature are operating systems, databases, servers, and backup facilities, and how well do they perform?
    • What are mechanisms for managing risk technology and operations and achieving IT security or compliance?

Featured experts

Cindy Levy

Senior Partner, London

Uwe Stegemann

Senior Partner, Cologne

Olivia White

McKinsey Global Institute Director and Senior Partner, Bay Area

Hans Helbekkmo

Partner, Bay Area

Impact story

Creating a leader in compliance

Redesigned governance structure helps leading investment bank instill compliance throughout organization.

Related insights


From scenario planning to stress testing: The next step for energy companies

– Utilities and oil and gas firms have long used scenario analysis, but extraordinary times call for new measures.

The future of bank risk management

– Banks have made dramatic changes to risk management in the past decade—and the pace of change shows no signs of slowing.... Here are six initiatives to help them stay ahead.