Building Resilience Through Strategic Risk Management



Strategic risk management is a way to strengthen organizational resilience and ensure long-term growth.

July 2023


Enterprise risk management is a strategic function that requires the attention of C-suite executives and Boards. The extensive global research on this topic reveals no shortage of grim scenarios to consider. For example, the World Economic Forum Global Risks Report 2023 identified risks spanning from the impact of the rising cost of living and inflation to failure to mitigate climate change.

The steep rise of the adoption of artificial intelligence (AI), fueled by the November 2022 release of ChatGPT, brings another set of global risks dominated by the risk of business disruption. This new technology is expected to impact a significant number of jobs, lead to increased cybersecurity threats and endanger the reputations of organizations that do not use proper frameworks for the use of generative AI, according to a recent Forbes article.

Given the overall increase in the speed of change enabled by multiple factors, such as global hyper-connectivity and the increased adoption of technology, we can’t expect the risk landscape to simplify. Quite the contrary: the complexity of risk management is steadily increasing.

But while technology, such as AI, big data, cloud and advanced analytics, offers new possibilities in risk monitoring, prediction and mitigation, people are the critical element in enterprise risk decision-making. Risks are fluid in nature; they pose both threats and opportunities. Examining risks from both angles requires a risk-embracing culture instead of the more traditional view of risks – a list of situations we aim to avoid.

Covid, global supply chain disruption caused by the Ukraine Crisis, ChatGPT – all of these are wake-up calls that are forcing organizations to rethink their risk strategies and act. Agility in enterprise project execution plays a critical role in an organization’s ability to course-correct in a fast and informed way. To foster this ability, organizations must connect strategic risk management and risk management functions, enabled by a strong risk culture that is characterized by diversity at the discussion table, a mindset of embracing risk fluidity, and an obsession with data.

Building Resilience Through Strategic Risk Management

  • Download
Headshot of Lenka Pincot

Lenka Pincot's signature

Lenka Pincot
Chief of Staff
to the CEO


Risk management is a critical part of any organization’s strategy to help identify and prepare for disruptions. Today, however, companies face more complex and volatile forces than ever. PMI identified several megatrends — including technological change, economic and demographic shifts and climate and diversity initiatives — that are driving the need for a broader approach to risk management. For example, four out of five executives in PwC’s 2022 Global Risk Survey report facing significant challenges in keeping up with the speed of digital and other transformations.

How can organizations respond to these forces, while continuing to pursue the growth and innovation that will keep them competitive?

Organizations with strong risk management practices are twice as likely to anticipate significant revenue growth and five times more confident in their ability to deliver on outcomes, according to PwC’s research. These organizations also perform better, as confirmed by a 2020 academic review in the IAA Journal of Applied Science.

These companies have a strong risk culture. Individuals, teams and departments across the organization — not just in isolated risk functions — have the skills to recognize and evaluate risks to see not only threats and restrictions, but opportunities and accelerators for growth. They have a common understanding of both the organization’s strategy and its risk appetite and use technology and data to support effective decision-making.

Developing a Strong Risk Culture

Establishing clear risk management processes is a good start, but executives are digging deeper to build and sustain a culture that embraces risk.


are prioritizing diversity in risk teams.


are investing in risk culture and considering behavioral risk within their organizations.


are very confident in their risk structure’s ability to build a more risk-aware culture that can identify both the positive and negative sides of risk.


are making better decisions and achieving sustained outcomes by consulting with risk management experts early in the process.


are realizing benefits from defining or resetting risk appetite and risk thresholds.

Source: 2022 Global Risk Survey, PwC

The good news is that nearly half of executives have high confidence that their organizations can build this kind of risk culture, according to PwC’s 2022 Global Risk Survey. To achieve that, companies can focus on:

  • Developing risk management capabilities across the organization that welcome diverse perspectives;
  • Using artificial intelligence (AI) to take the organizational risk management plan to the next level; and
  • Bringing the broader organizational view of risk management into individual projects.

The goal: Truly strategic risk management that will strengthen organizational resilience and ensure long-term growth. Resilient organizations are able to withstand and adapt in the face of challenges through their capacities to anticipate, absorb, recover from and transform in response to various internal and external pressures.

Arrow Quote

"Organizations should have a dynamic and flexible mindset toward risk management...This would help them be more agile and responsive amid an unpredictable future."

Arun Prakash Sharma, PMI-RMP, PMP
Senior operations manager at Ayu Health
Bengaluru, India

Mitigating Risk in 2023: Trends to Watch

Knowing which threats are most likely to emerge can help companies adapt their project portfolios and help project professionals manage and mitigate risks on initiatives. Here are the issues generating the most concerns for CEOs — now and in the future:

Mitigating Risk in 2023 Trends to Watch

Source: Allianz Risk Barometer, 2023

Strategic risk management is a way to strengthen organizational resilience and ensure long-term growth.

As organizations prioritize environmental, social and governance (ESG) initiatives, these issues are raising the most concerns:


Cybersecurity resilience


Company working conditions


Increasing regulatory and disclosure requirements


Lack of ESG expertise and resources

Source: Allianz Risk Barometer, 2023

The Opportunity Side of Strategic Risk Management

Line chart; man walking along the line

Risk management isn’t just about being on the lookout for potential problems. With a strong risk culture, it is easier to identify risks, establish triggers and develop mitigation plans that enable organizations to see not only the threats but also the opportunities in a situation. For example, during the COVID-19 pandemic, project teams helped their organizations take advantage of new or expanded markets: grocers rolling out delivery services for immunocompromised shoppers or apparel marketers developing new athleisure lines for remote workers.

At Adidas, efforts for strategic risk management start at the top. The company created a supervisory board to continually assess risks and opportunities and share insights biannually with an executive board. The benefits? C-suite members can balance probability against potential financial impact — then signal to risk owners how they can mitigate appropriately.

Carlos Carnelós, Americas delivery IT transformation executive at IBM Technology Lifecycle Services, Campinas, São Paulo, Brazil, says project leaders should redefine risk as “scenarios with uncertain outcomes that could also bring desirable results.” Thinking about risk this way can help “promote a growth mindset and foster a rich discussion to uncover both sides of this coin,” he says. “Engaging a diverse group of stakeholders on this exercise can also help explore the ‘what if’ of scenarios.”

That includes a concerted effort to elevate a variety of voices and bring in fresh perspectives on problems — and solutions. According to the 2022 PwC survey, 70% of executives prioritize diversity in risk teams. When Carnelós schedules periodic risk brainstorming and collaboration meetings, he establishes clear guidelines for each session to ensure feedback is inclusive.

Case Study: The ROI of Mitigating Risk

When the Triglav Group launched a project to assess the customer experience across all its sales channels, the initiative also became a catalyst for the insurance company to redefine risk.

With a goal of creating an omnichannel sales architecture so all customers could purchase products via digital, email, a call center or door-to-door salesperson, project leaders took a deep dive into the data. They discovered a potential problem: Customers were less likely to purchase complex insurance products digitally. That meant that the extra time and resources it would take to integrate those more complex products would provide limited ROI, taking away from the overall value of the project.

“When we identified the risk, we decided to turn it into an opportunity,” says Jaka Borstnar, director of the project portfolio and change management department at the Triglav Group in Ljubljana, Slovenia.

The team’s solution? Shift sales of complex products only to agents and brokers who work directly with customers. The move proved to be “more cost-efficient, more personalized and more appropriate for those particular insurance products,” Borstnar says.

The decision not only reduced costs, but it increased both customer satisfaction and sales of the company’s complex insurance products. It also opened eyes across the enterprise, Borstnar says.

“It just shows how proper monitoring and managing of risks can benefit the entire organization if we do it in the right way.”

Peach speech bubble

“Taking different people’s perspectives with respect and appreciation fosters the willingness to participate and share,” says Carnelós. “It must have a specific place on everyone’s agenda to gather inputs, process and come out with actions and decisions.”

Carlos Carnelós
Americas delivery IT transformation executive at IBM Technology Lifecycle Services
Campinas, São Paulo, Brazil

Having myriad viewpoints on a particular risk can bring to light mitigation and action plans that might not otherwise have been identified.

“You may start discussing a threat and uncover a hidden gem that you’d like to invest in,” Carnelós says. “This type of mindset is fostered by leaders using different strategies such as ‘what-if’ analysis and brainstorming or even the simplest whiteboard or sticky notes. Taking a positive approach will identify possible outcomes, and the team will be able to continue investigating those that have merit.”

How AI Tools Can Sharpen Risk Management

Triangle connections

There’s no denying the power that comes with a team of professionals who understand the strategic importance of identifying risks as both threats and opportunities. But that’s not to say that every team can’t benefit from a tech upgrade. Investing in artificial intelligence (AI) and other emerging tech tools can help companies and project leaders better understand, identify and manage risk. These tools can turn data into valuable insights that can limit probability of the occurrence of unexpected events and their negative impact if they do happen.

A 2022 survey by PwC shows that 65% of executives are planning to increase spending for risk management technology, with a significant emphasis on data analytics, process automation and detecting and monitoring threats. Turning to automation can also help reduce cognitive biases that introduce risks — particularly at the planning stage.

Another big advantage of tech-assisted risk management? Quickly analyzing all that data can reveal patterns and flag noteworthy changes in real time. That’s true whether organizations turn to automation software for tracking timelines and budgets or build virtual project simulations that help forecast project risks and outcomes.

The payoff for implementing digital-driven risk management tools can be substantial:

  • Oil giant Shell began using AI and machine learning (ML) software to increase supply chain visibility and get ahead of any potential risks. The system can reduce data-reporting errors by as much as 80%, compared to legacy reporting systems.
  • Using digital twin models for its manufacturing projects, Boeing has realized up to a 40% improvement in first-time quality of parts and systems for its commercial and military airplanes.

At their core, AI and ML can help organizations identify high-level vulnerabilities and prevent those risks from cascading through dependent projects, says Pamela Young, PMI-RMP, PMP, senior global customer solutions manager at Amazon Web Services, New York, New York, USA.

What is a digital twin?

A digital twin is a virtual representation of a real-world object, system or process. The technology uses data to monitor conditions and simulate possible actions to enable optimal decision-making.

Learn more about digital twins through these resources:

Young believes that analyzing previous lessons learned is much more difficult and time-consuming without automated risk management tools in place. By tapping into AI and ML to collect data from multiple sources and projects, leaders can more efficiently compare, analyze and optimize information — then turn it into strategic insights for the entire project ecosystem.

Project estimates performed by a human can be very biased because they rely on historical business data that might be in different formats. AI and ML can be great equalizers: They can analyze large amounts of data to find patterns that deliver more accurate estimates.

“If the impact can be quantified and trended with predictive analytics, the probabilities for positive outcomes will be greatly improved,” she says. “With the capabilities to review several types of projects and results, we are better able to execute successful projects and reduce risk by more easily identifying mitigating factors based on the past.” 

Of course, teams can’t hand off all risk management to AI, but strategically tapping into technology can speed up the risk management process, freeing up time and headspace for project leaders.

“Project leaders have an enormous number of areas on which to focus,” Young says. Using AI and ML can help companies more accurately predict risk, giving project leaders “more time to analyze the results to improve predictive success.” 

Risk Reboot: Mitigating Risk with Technology

Technology is not only fueling new ways of working but also helping identify and mitigate risk.

Image on tangerine background with text "65% of CEOs say their organizations are increasing their spending on risk management technology."

Where are they planning to expand most?


Source: 2022 Global Risk Survey, PwC

The Benefits of Strategic Risk Management for Projects

Bar chart with people standing on top of each bar

Strategic risk management starts with an enterprise-wide risk strategy, but it must reach down into individual departments and teams as well. Armed with a clear understanding of how the company’s risk appetite aligns with its strategic vision, project managers can weave the right risk mindset into the fabric of their team’s ways of working. Rather than looking at risks within the narrow view of the project alone, they can bring a broader view by looking at the project within the context of the entire organization’s needs and objectives.

In this way, project professionals can serve as a critical link between the C-suite’s risk approach and day-to-day risk management practices. That responsibility starts with emphasizing risk review and assessment in each status meeting, says Marzikmal Omar, PMI-RMP, PMP, head of IT, e-services and telco portfolio, group PMO at Dagang NeXchange Berhad in Kuala Lumpur, Malaysia.

“Risk management is the first agenda item to be discussed and updated, as this will determine the status of the project and the next action to be taken,” he says. “By doing this, the team members will start to think how important it is to have a risk-awareness mentality in a project.”

Each project then goes through a risk management process that involves securing feedback from all relevant stakeholders. “We have dedicated risk management personnel in the project team that ensures each risk is closely monitored and updated accordingly,” he says.

It’s up to project management leaders to train and empower teams to explore different scenarios and evaluate options, adds Carnelós. By framing risk in new ways, he says, teams will be better prepared to respond with agility.

At IBM, project leaders are expected to plan and lead risk management activities with team members and stakeholders to build a shared understanding and create a culture of risk awareness. Empowering team members and stakeholders to actively participate in the risk management process promotes a cohesive team dynamic that will ultimately help yield better results at a project level.

“The higher the impact of the risk, the more detail you’ll need to gather and be able to prioritize the finite resources in support of the desired response or result,” Carnelós says.

It’s Time to Forge a Strong Risk Culture

Man standing, looking down on six people standing with their shadows

Uncertain events can emerge from a dizzying array of sources — whether they’re global health events, geopolitical conflicts, industry pivots or socioeconomic shifts. Here are four ways to stay ahead of unknown risks, according to Vlad Siniavin, PMP, VP global delivery at Ciklum in London, England:

  1. Watch out for ripples in the ecosystem. Staying on top of current events — through social media, trend reports or news sites — will help project leaders identify possible risks and trends in real time. Spotting those first ripples will ensure teams can better position themselves to ride the waves, rather than get wiped out by them.
  2. Turn data into strategy. There’s a wealth of analytics tools that track information — everything from economic indicators to customer sentiment. But it’s up to project leaders to use that data to align decisions to the company’s risk appetite.
  3. Ask the experts. Engage with a variety of stakeholders and specialists to determine which activities and trends merit attention. Project leaders can capture such insights and analyses by talking to analysts and researchers or participating in industry-specific groups and forums.
  4. Map it out. Conduct scenario planning to understand how trends and developments might impact an organization and its initiatives. A clear vision of the potential risks and rewards will help organizations reprioritize projects and empower teams to anticipate the need to pivot.

A strong risk culture enables organizations to address risks most effectively and manage their impact, seeing both the positive and negative sides of risk and making effective decisions that align with the organization’s risk strategy. This contributes to resilient organizations that not only withstand the rapidly changing and complex challenges of today’s business environment but anticipate and capitalize on them to help drive growth and positive outcomes. 

Continue the Risk and Resilience Journey

Learn more about risk management and resilient organizational culture through the following resources from PMI:


PMI would like to thank the following contributors who provided their insights and actionable recommendations on strengthening organizational resilience and ensuring long-term growth presented in this report:

  • N. Christine Aykac, PMP, PMI-RMP, PMI-ACP, Project Coach & Learning Strategist, Wareness, Canada
  • Ciro Casimiro, Program Manager, KPMG, USA
  • Seun Olaniyonu, Senior Business Analyst, Government of Saskatchewan, Canada
  • Syed Ahsan Mustaqeem PE, PMP, Senior Engineer, Pakistan Petroleum Limited, Pakistan
  • Jaka Borstnar, Director of the Project Portfolio and Change Management, Triglav Group, Slovenia
  • Carlos Carnelós, Americas Delivery IT Transformation Executive, IBM Technology Lifecycle Services, Brazil
  • Marzikmal Omar, PMI-RMP, PMP, Head of IT, E-Services and Telco Portfolio, Group PMO, Dagang NeXchange Berhad, Malaysia
  • Arun Prakash Sharma, PMI-RMP, PMP, Senior Operations Manager, Ayu Health, India
  • Vlad Siniavin, PMP, VP Global Delivery, Ciklum, England
  • Pamela Young, PMI-RMP, PMP, Senior Global Customer Solutions Manager, Amazon Web Services, USA

Pro Tips for Building a Strong Risk Culture

Here are four pro tips for building a strong risk culture within project teams, according to Arun Prakash Sharma, PMI-RMP, PMP, senior operations manager, Ayu Health in Bengaluru, India:

  1. Use data. Align internal and external data usage with strategic objectives and establish processes that proactively prioritize and address risks based on data.
  2. Measure the impact. Risk management should be a key performance indicator for middle and senior-level managers — and it helps establish a culture of accountability.
  3. Talk it out. Discussing risks openly will ensure risk management is front of mind for project professionals and the entire enterprise.
  4. Plan for the worst. Creating contingency plans (and budgets) for major disruptions will ease the impact and provide a competitive advantage.