Risk Management

Green Quadrant: Enterprise Risk Management

Consulting Services (2025)

By Renee Murphy
With Katelyn Johnson March 2025

This version of the report contains Verdantix’s summary

of EY's offerings to help prospective customers evaluate
whether the vendor is a good fit for their requirements.
It does not contain other vendor profiles.

verdantix.com
Risk Management

Green Quadrant: Enterprise Risk Management

Consulting Services (2025)
By Renee Murphy
With Katelyn Johnson March 2025

This report provides a detailed, fact-based benchmark of 15 of the most prominent enterprise risk management
(ERM) services providers in the market. Based on the proprietary Verdantix Green Quadrant methodology, our analysis
entailed two-hour vendor briefings and responses to a detailed 50-point questionnaire covering both capabilities
and momentum criteria. Verdantix analysis finds that the established ERM market is growing to meet customer
needs around new technologies and emerging risks. While risk consulting stalwarts EY and PwC stand out in the
Leaders' Quadrant, our analysis highlights the unique features of each vendor and identifies their best-fit end-users.
Customers of all maturities, seeking clarity in uncertain times, can use this report to find an ERM services provider
capable of addressing their particular needs and challenges.

Table of contents
Summary for decision-makers 4
The state of the enterprise risk management (ERM) consulting services market 5
Technological innovation and new regulatory requirements are fuelling demand for ERM services
ERM firms come in many shapes and sizes, to address the varying needs of businesses across geographies
and industries
Despite recent advisory lay-offs, the ERM consulting services market is expected to grow in the long term
Green Quadrant for ERM consulting services 2025 9
Green Quadrant methodology
Evaluated firms: selection criteria
Evaluation criteria for ERM consulting services providers
EY overview 17
EY provides advanced, scalable risk solutions for complex business challenges

Table of figures
Figure 1. Overview of ERM service lines evaluated in this report 5
Figure 2. Capabilities criteria for ERM consulting services 12
Figure 3. Momentum criteria for ERM consulting services 13
Figure 4. Consulting services provider scores: capabilities 14
Figure 5. Consulting services provider scores: momentum 15
Figure 6. Green Quadrant for ERM consulting services 2025 16

Green Quadrant: Enterprise Risk Management Consulting Services (2025)

Copyright © Verdantix Ltd 2007-2025. Licensed content, reproduction prohibited
2
Organizations mentioned
Actis, Aflac, Archer, AuditBoard, Bank of England, Baringa, BDO, Boston Consulting Group (BCG), Bristol Myers Squibb,
Deloitte, dss+, Duff & Phelps, DuPont, EMX Royalty, European Bank for Reconstruction and Development (EBRD), EY,
FTI Consulting, General Mills, Grant Thornton, J.S. Held, KPMG, Kroll, McKinsey & Company, Microsoft, Pirelli, Protiviti,
PwC, Renault, RSM, SAP, ServiceNow, Tata Steel, UK Financial Conduct Authority (FCA).

Disclaimer
As an independent analyst firm, Verdantix does not endorse any vendor, product or service covered in our research
publications, webinars and other materials. Verdantix does not advise technology users to select only those vendors
with the highest ratings. Verdantix research publications consist of the opinions of the Verdantix research team based
on its analysis of the market, survey data and review of vendor solutions. Verdantix disclaims all warranties, expressed
or implied, with respect to this research, including any warranties of fitness for a particular purpose.

Green Quadrant: Enterprise Risk Management Consulting Services (2025)

Copyright © Verdantix Ltd 2007-2025. Licensed content, reproduction prohibited
3
Summary for decision-makers
• Large multinational and mid-market firms at any level of maturity, seeking clarity in uncertain times, can use
this report to find an enterprise risk management (ERM) consulting services provider capable of addressing
their needs and challenges.

• Firms looking for specialized support in ERM categories such as financial or ESG risk can leverage this study
to identify specialists to assist them in their risk management journeys.

• Based on the proprietary Verdantix Green Quadrant methodology, our analysis comprised two-hour vendor
briefings and responses to a detailed 50-point questionnaire covering both capabilities and momentum
criteria, along with a detailed assessment of publicly available data.

• The ERM consulting services market is made up of large, global firms such as the ‘Big Four’, and mid-market
specialists. Large firms are pioneering cutting-edge solutions for emerging threats across diverse industries.
Mid-market specialists are closely guiding clients seeking steady evolution – rather than disruptive revolution
– through phased ERM strategies.

• AI issues are dominating the market, with all players leveraging generative AI (GenAI), natural language
processing (NLP) and machine learning (ML), in the name of governance, risk and compliance (GRC).
Such capabilities have become table stakes, with firms needing to find another way to stand out.

Figure 6
Green Quadrant for ERM consulting services 2025

INNOVATORS LEADERS

PwC
EY
Deloitte

KPMG
Grant
Thornton

RSM J.S. Held

dss+
BDO FTI Consulting
Kroll
McKinsey
& Company
BCG
Protiviti
Baringa
CAPABILITIES

CHALLENGERS SPECIALISTS

MOMENTUM

Note: A white plot indicates a non-participating vendor.

Source: Verdantix analysis

Green Quadrant: Enterprise Risk Management Consulting Services (2025)

Copyright © Verdantix Ltd 2007-2025. Licensed content, reproduction prohibited
4
The state of the enterprise risk management (ERM) consulting
services market
The enterprise risk management (ERM) consulting services market is on a robust growth trajectory, propelled
by the increasing necessity for comprehensive risk management solutions in a complex and evolving business
environment. Organizations are progressively recognizing the value of integrating ERM into their strategic planning
to enhance resilience and achieve long-term success. North America currently holds the largest share of the ERM
market, driven by advanced technological adoption and stringent regulatory frameworks, while the Asia-Pacific
(APAC) market is expected to enjoy the fastest levels of growth, fuelled by the increasing adoption of risk-based
decision-making practices among organizations.

Verdantix monitors prominent ERM consulting services providers active in the market. These vendors range from
comprehensive services providers with a global customer base to specialized firms that offer deep expertise in
specific functional areas or cater to particular industry verticals. Addressing the complexity, breadth and rapid
evolution of the ERM landscape, this report delivers an evaluation of 15 leading ERM consulting services firms and
their offerings. Our analysis is aimed at those responsible for selecting, implementing and maximizing the value
of ERM advisory services.

Figure 1
Overview of ERM service lines evaluated in this report

Service line Definitions

Risk advisory Consulting engagements that assist firms in identifying, assessing and mitigating risks across their
operations, strategies and processes. This involves developing frameworks, controls and governance
structures that ensure compliance with regulations, support informed decision-making, and enhance
business resilience through process creation and technology implementation.

Risk strategy Consulting engagements regarding strategic decisions and initiatives related to overall risk strategy,
and governance risk transformation programmes and risk operating models.

Regulatory compliance Consulting engagements regarding strategic decisions and initiatives related to regulatory change
and ESG and financial crime (including anti-money laundering, bribery and corruption, and fraud). Also
encompasses services related to conduct and reputational risk, sustainability, ESG and climate risk.

Internal control Consulting engagements regarding strategic decisions and initiatives related to risk and control
and assurance assessments, performed by 2LOD and 3LOD (second and third lines of defence) (where different
from financial exporting and external auditing), as well as forensic and other due diligence services
(for example, mergers and acquisitions (M&As)).

Financial risk Consulting engagements regarding strategic decisions and initiatives related to credit, liquidity,
market, capital and actuarial risk.

Operational risk and Consulting engagements regarding strategic decisions and initiatives related to third-party risk
resilience and supply chain management, ICT risk and security, and resilience.

Risk data and analytics Consulting engagements regarding strategic decisions and initiatives related to risk metrics
definitions (for example, risk appetite and key risk indicators (KRIs)), risk modelling, risk analytics
and data integration.

Source: Verdantix analysis

Green Quadrant: Enterprise Risk Management Consulting Services (2025)

Copyright © Verdantix Ltd 2007-2025. Licensed content, reproduction prohibited
5
Key questions addressed by this report include:

• What is the current state of the ERM consulting services market?

• Which ERM consulting services providers are market leaders?

• Which ERM consulting services firms best align with my organization’s requirements?

• How can I benchmark the capabilities of different ERM consulting services providers?

• What factors indicate that an ERM consulting services provider is a dependable partner for the future?

To provide answers, we evaluated 15 software vendors through a comprehensive review of seven core ERM service
lines (see Figure 1). Our analysis is based on the proprietary Verdantix Green Quadrant methodology, designed to
deliver an evidence-based, objective assessment of vendors offering comparable consulting services.

Technological innovation and new regulatory requirements are fuelling

demand for ERM services
The organization-wide view of risk that is inherent in ERM plays a crucial role in helping firms keep pace with today's
dynamic business environment, assisting them in aligning risk management with strategic goals. By providing a
structured framework for identifying, assessing and managing risks, ERM helps organizations proactively adapt to
new regulations, thus avoiding operational disruptions and penalties. Verdantix found that businesses are currently
seeking ERM consulting services because:

• Emerging risks highlight gaps in existing risk management processes.

As firms globalize, they face increasing complexity in managing cross-border operations, navigating diverse
regulatory environments and mitigating risks associated with cultural, economic and geopolitical challenges.
The dynamic nature of these emerging risks, technologies and regulations has challenged firms’ existing siloed
and reactive approaches to risk management (see Verdantix Strategic Focus: The New Wave Of Enterprise
Risk Consulting). Organizations are seeking expert guidance to effectively integrate advanced technologies,
address ESG concerns and manage third-party risks across their businesses, to ensure sustainable growth
and compliance.

• External parties have greater influence on organizations' risk profiles.

Firms are increasingly reliant on third parties for critical operations – outsourcing IT infrastructure to cloud
service providers, relying on logistic partners in their supply chains and forming new partnerships to
source raw materials, among others. These relationships can create operational disruptions and introduce
compliance violations or reputational risks. Growing third-party networks also pose additional threats, due
to digitized interconnected systems in the network. Every new third party expands a firm's risk exposure –
and businesses are therefore relying on ERM consultants to help map and manage these risks.

• ESG risks are on the minds of boards and executives.

With an increasing emphasis on sustainability and ethical governance, organizations are prioritizing
ESG factors within their strategic frameworks. According to the 2024 Verdantix risk management global
corporate survey, only 1% of respondents view ESG risks as unimportant to their firm over the next three years
(see Verdantix Global Corporate Survey 2024: Risk Management Budgets, Priorities And Tech Preferences).
Assessing and mitigating ESG-related risks requires specialized knowledge and expertise: consulting services
are essential to help organizations develop robust ESG strategies, conduct comprehensive risk assessments
and ensure adherence to evolving regulatory requirements. Providers are now expanding their services to
address emerging legal risks associated with ESG considerations, delivering comprehensive legal advice
to firms seeking to navigate complex regulatory compliance issues.

Green Quadrant: Enterprise Risk Management Consulting Services (2025)

Copyright © Verdantix Ltd 2007-2025. Licensed content, reproduction prohibited
6
 • Modern risk management requires technology.
As business complexity grows, firms are looking to technology to manage their risks. In our 2024 global
corporate survey, nearly a quarter of respondents indicated that creating and implementing a risk
management digital strategy was their highest priority (out of seven risk management technology goals) over
the next two years. Digital transformation and change management can be extremely complex, and many
businesses rely on risk management consultants to help roll out new technologies effectively and securely.

ERM firms come in many shapes and sizes, to address the varying needs
of businesses across geographies and industries
Within the ERM consulting services space, there are two main categories of providers: the ‘Big Four’ and the smaller,
specialized consulting firms. The Big Four – Deloitte, EY, KPMG and PwC – are global businesses known for their broad
service offerings, with significant brand recognition and extensive resources. They typically work with very large
corporate clients and deliver end-to-end solutions, leveraging their worldwide networks and sizeable talent pools.
By contrast, smaller ERM firms focus on specialized, niche offerings and often target mid-sized organizations or
specific segments of larger enterprises. Although they may not match the scale or brand visibility of the Big Four,
these smaller providers often offer more tailored, flexible and personalized services, drawing on deep subject-matter
expertise in their focus areas. In choosing a provider, buyers should remember that:

• Scales differ significantly between the Big Four and smaller ERM firms.
The Big Four benefit from extensive global footprints and very large talent pools, enabling them to handle
cross-border engagements and manage extensive, complex risk initiatives. Industry standard-setting is
a hallmark of their market-maker role, with their broad client bases and considerable thought-leadership
capabilities enabling them to pioneer frameworks and best practices that others replicate and refine.
Smaller firms, on the other hand, have the opportunity to operate in specialized regions or industries, enabling
them to develop niche approaches and build close relationships in local markets driven by client need.

• Client experience is dictated by the resources of the provider.

The Big Four usually cater to top-tier organizations, offering a comprehensive array of risk management
and compliance solutions that leverage their global expertise. Smaller firms tend to focus on mid-sized
organizations or on specific subsidiaries or divisions within larger enterprises. The latter may lack the extensive
footprint of the Big Four, but their leaner teams allow for closer collaboration and more direct interaction
between senior advisors and client executives, fostering deeper relationships and a more tailored approach.
Because their engagements are typically more niche or regionally contained, smaller firms can zero in
on industry-specific risks or unique business processes, delivering highly customized strategies that align
particularly closely with a client’s culture and goals.

• ERM consulting services market has solutions for all needs.

ERM consulting services projects can be divided into two distinct groups that meet the needs of different
parts of the corporate ecosystem: large transformational projects sought out by the Big Four firms; and
niche or specific ERM disciplines addressed by the smaller advisory businesses. For those wishing to integrate
ESG into their current ERM programmes, ‘going down market’ to select a specialist in ESG and ERM is a
good option. If an organization wishes to overhaul its risk programme and take advantage of emerging
technologies, it should seek out the larger advisory firms. The market has providers to serve firms of all sizes,
complexity and maturity.

Green Quadrant: Enterprise Risk Management Consulting Services (2025)

Copyright © Verdantix Ltd 2007-2025. Licensed content, reproduction prohibited
7
Despite recent advisory lay-offs, the ERM consulting services market is
expected to grow in the long term
Workforce reductions reflect broader challenges within the professional services sector – such as economic
headwinds, rising interest rates, and a decline in demand for consulting services. Providers in the market have
seen only single-digit gains over the last two years, but they remain in positive territory. The Big Four firms
have been realigning their service offerings, with an increased focus on technology consulting, ESG advisory
services and cyber security, to adapt to evolving market demands. They expect the coming few years to provide
growth opportunities, thanks to the rapid adoption of AI and the constantly changing regulatory compliance
landscape. Recent movement in the market has seen:

• A slight downturn in 2023.

KPMG initiated lay-offs in 2023 affecting nearly 2% of its US workforce – primarily within its advisory practice,
due to declining demand for consulting services. In late 2023 it announced an additional reduction of
approximately a further 5% of its US workforce, as it continued efforts to align staffing levels with market
demand. Deloitte, similarly, announced the removal of some 1,200 positions within its US workforce,
representing about 1.5% of its total US employees. These cuts were largely attributed to decreased demand
for consulting services amid economic uncertainties. EY declared its intention to eliminate approximately
3,000 jobs in the US, equating to about 5% of its US workforce, citing “overcapacity” and shifting economic
conditions as primary reasons for the lay-offs.

• Continued workforce reductions in 2024.

In 2024 PwC disclosed plans to reduce its US workforce by about 2.5%, impacting approximately
1,800 employees. This marked the firm's first significant lay-offs since 2009, driven by a slowdown in
demand for certain advisory services. Deloitte's UK division also indicated potential lay-offs, with around
100 employees at risk, due to a slowdown in consulting demand.

• A realignment of services to accommodate changing customer needs.

Even with these reductions in force for audit and compliance advisory, the ERM market is likely to grow over
the next four years, due to evolving geopolitical risks, increased regulation, pressures from customers and
boards, and the adoption of emerging technology. Many consulting firms now list AI, advanced analytics
and software implementations as part of their ERM offerings, reflecting the changing needs of customers
(see Verdantix Strategic Focus: The New Wave Of Enterprise Risk Consulting).

• Growth in risk management services in emerging markets.

Despite broader lay-offs, some regions have seen an increase in hiring of risk advisory staff. The COVID-19
pandemic forced businesses worldwide to re-evaluate their risk management strategies and reinforced
how interconnected and globalized firms have become. In response to this shock, as well as to other global
stressors such as climate change, geopolitical events and changing regulatory environments, emerging
markets such as India have seen a burgeoning demand for risk advisory services, leading to increased hiring
in that region amongst the Big Four.

• Ongoing ESG concerns driving services demand, as firms struggle to integrate these risks.
Forty-one per cent of respondents to the 2024 Verdantix global corporate survey indicated that ESG and
compliance risks were ‘very material’ to their firm over the previous 12 months. Nearly 70% noted that these
risks were either ‘very significant’ or the ‘most significant’ factor in increasing spend on risk management
over the same time period. However, only 36% of respondents stated that ESG and sustainability risks had
been fully integrated into core risk management processes (see Verdantix Global Corporate Survey 2024:
Risk Management Budgets, Priorities And Tech Preferences). Firms are clearly concerned about ESG risks,
but are struggling to manage them. Given the growing regulatory demands around ESG, and customer
interest (and budgets), many risk advisory firms are expanding their ESG offerings.

Green Quadrant: Enterprise Risk Management Consulting Services (2025)

Copyright © Verdantix Ltd 2007-2025. Licensed content, reproduction prohibited
8
 • Advanced technology offering new risks and opportunities for risk management.
The incorporation of AI and machine learning (ML) into business operations has transformed traditional
processes, enhancing predictive analytics and risk modelling capabilities. The convergence of AI and
human expertise is creating more robust risk management frameworks, allowing for real-time monitoring
and response to emerging threats. However, this technological evolution presents complexities that many
organizations find challenging to navigate independently. Consequently, there is a growing need for
advisory services to guide the seamless integration of these technologies, to ensure alignment with business
objectives and compliance with regulatory standards.

Green Quadrant for ERM consulting services 2025

As businesses look for efficiency and innovations, they frequently turn to more unproven capabilities in technology
sectors where they have little or no expertise. To manage the impact of their innovation strategies on overall business
and compliance requirements, they need to understand the risk and impact to their organizations these entail.
The ERM consulting services market looks to achieve this, helping firms to mature and meet their governance, risk
and compliance (GRC) requirements. For the purposes of this report, Verdantix defines ERM consulting services as:

“Services that help organizations design and implement a structured framework to identify,
assess and manage risks across strategic, operational, financial, compliance and audit domains.
These services align risk management with business objectives by establishing clear governance,
risk appetite and mitigation strategies. ERM consulting services foster a risk-aware culture, driving
value creation and long-term sustainability.”

This Green Quadrant study benchmarks ERM consulting services providers on their ability to deliver complex projects
across seven distinct service lines: risk advisory; risk strategy and governance; regulatory compliance and ESG;
internal control and assurance; financial risk; operational risk and resilience; and risk data and analytics. This report
considers both large enterprise advisory firms, as well as specialist and mid-market consultants.

Green Quadrant methodology

The Verdantix Green Quadrant methodology provides buyers of specific products or services with a structured
assessment of comparable offerings at a certain point in time. The methodology supports investment decisions by
identifying potential services providers, structuring relevant purchase criteria through discussions with buyers and
providing an evidence-based assessment of the products or services in the market. To ensure the study results are
objective, the research process is defined by:

• Transparent inclusion criteria.

We analyse all providers that would qualify for inclusion in the research. For those providers that fail to
submit the information requested, we include them based on publicly available information and previous
Verdantix research that provides an impression of their market positioning, where such information is
deemed sufficiently complete and accurate to form a basis for benchmarking.

• Scores based on available evidence and reliance on professional integrity.

As it would be unfeasible to check all data and claims that providers make, we emphasize the need for
professional integrity. Correspondingly, assertions made by services providers are put in the public domain
via the Verdantix report and can be checked by competitors and existing customers.

Green Quadrant: Enterprise Risk Management Consulting Services (2025)

Copyright © Verdantix Ltd 2007-2025. Licensed content, reproduction prohibited
9
 • Comparison based on relative capabilities.
We construct measurement scales ranging from ‘lack of evidence, or evidence of sub-par or a lack of
functionality or positioning’ to ‘evidence of market-leading functionality or positioning’ at a certain point in
time. A provider’s position in the market can change over time, depending on how its offering and success
evolves relative to its competitors. Hence, a vendor’s Quadrant positioning may not necessarily improve –
even if it adds new capabilities, makes a strategic acquisition or receives investment – as the assessment
is relative to what other vendors are offering. The Green Quadrant analysis is typically repeated every
one-and-a-half to two years.

Evaluated firms: selection criteria

Verdantix defines vendor inclusion criteria to ensure that the Green Quadrant analysis only compares firms providing
similar services. We believe that all the vendors assessed in this report offer significant value in ERM consulting
services. The 15 profiled ERM consulting services providers were chosen because they have:

• A minimum coverage of five out of seven of the Green Quadrant ERM service lines.
To ensure that participants can deliver a wide range of ERM advisory projects – and thereby ensure a
competitive analytical playing field – we included vendors in this Green Quadrant only if they demonstrated
commercial offerings across at least five of the seven service lines identified in this report (see Figure 1).

• Capabilities to deliver limited and reasonable ERM services.

To qualify for this benchmark study, participants were required to demonstrate capabilities for delivering
ERM services at both a limited and reasonable level. This is to ensure that the firms featured have the
capabilities to meet the future needs of clients as they mature – especially the needs of mid-market customers
looking for a long-term partner to aid them in their ongoing maturity journeys, in a process that will take years,
rather than weeks or months.

• At least 1,000 full-time employees.

Firms qualified for participation in this study if they had a minimum of 1,000 employees. Although businesses
with a smaller capacity may be able to offer similar capabilities to those of their larger counterparts, our
research finds that they cannot deliver a suitable breadth of project delivery across categories to meet the
needs of the customers in the market.

• A global presence.
To qualify for this benchmark study, participants were required to have ERM risk services clients in at least
15 countries.

Based on the inclusion criteria above, this report evaluates 15 ERM consulting services providers: Baringa, BDO,
Boston Consulting Group (BCG), Deloitte, dss+, EY, FTI Consulting, Grant Thornton, J.S. Held, KPMG, Kroll,
McKinsey & Company, Protiviti, PwC and RSM. Baringa, BCG, BDO, Deloitte, FTI Consulting, Grant Thornton,
KPMG, Kroll, McKinsey & Company, Protiviti and RSM did not actively participate in the Green Quadrant and
were scored based on publicly available information. All other participants responded to the Green Quadrant
questionnaire and took part in the briefings. Several firms featured in this study were limited in the customer
information they could share with us, due to their commitment to maintaining independence while providing
assurance services.

Green Quadrant: Enterprise Risk Management Consulting Services (2025)

Copyright © Verdantix Ltd 2007-2025. Licensed content, reproduction prohibited
10
Evaluation criteria for ERM consulting services providers
Verdantix defined the evaluation criteria for the ERM consulting services Green Quadrant through a combination
of interviews with senior executives, desk research and staff expertise. This Green Quadrant analysis compares
15 ERM consulting services providers using a 50-point questionnaire, covering seven capabilities and three market
momentum categories. Individual metrics were classified as:

• Capabilities metrics.
The capabilities dimension, plotted on the vertical axis of the Green Quadrant graphic, measures each
provider based on the breadth and depth of its services approach, its differentiators against other providers,
and its proven experience in each area. In specific categories, where applicable, additional questions
covering technical expertise, digital offerings and regulatory support were used to measure performance.
In total, we assessed the providers across seven distinct capability categories.

• Momentum metrics.
The momentum dimension of the analysis, plotted on the horizontal axis of the Green Quadrant graphic,
measures each firm based on its vision, strategy and organizational resources; its ERM consulting client
base; and its ERM consulting revenue. In total, we assessed the providers across three distinct momentum
categories.

All sub-criteria were scored between the values of zero and three. The value of zero represents ‘no capability’ in that
category. A score of 1 means the vendor meets the basic capabilities for representation, putting them on a par with
the market and indicating that they are not deficient. A value of 2 indicates at least one differentiator in a specific
category, while 3 shows that a provider has more than two differentiators in a particular category.

Each sub-criterion has a percentage weighting that dictates its contribution to the capability or momentum
score. The combination of high-level criteria scores in the capabilities and momentum sections generates the
Green Quadrant graphic and rankings. Figure 2 and Figure 3 provide details of the study criteria. Figure 4 and
Figure 5 provide the scoring for all participants in each category. Figure 6 shows the Green Quadrant graphic
summarizing the positioning of all ERM consulting services providers in this benchmark study.

Green Quadrant: Enterprise Risk Management Consulting Services (2025)

Copyright © Verdantix Ltd 2007-2025. Licensed content, reproduction prohibited
11
Figure 2
Capabilities criteria for ERM consulting services

Capabilities Questions

Please detail the risk consulting services you offer clients. Please provide client examples to highlight the breadth
of your risk expertise and depth of capabilities. Please help us understand the scale and scope of work you do
for individual clients. Please discuss your main differentiation in the market. How often do engagements for risk
services typically operate as standalone risk engagements versus components of other projects? Please describe
the nature of the engagements. What industry-specific risk capabilities and/or expertise do you provide in your
Risk advisory (16%)
three most important industry segments? Please only mention up to a maximum of three industries and provide at
least two client examples from delivered engagements for each industry that you mention. How do you leverage
internal software and digital solutions to support the delivery of your risk engagements? Please detail your own
digital tools. How do you leverage external software and digital solutions to support the delivery of your risk
engagements? Please indicate key software partners.

Please provide client examples to highlight the breadth of your risk strategy expertise and depth of capabilities.
Risk strategy and Please help us understand the scale and scope of work you do for individual clients. How many projects in this
governance (14%) area has your firm worked on in the last two years? Please describe the main way you differentiate your approach
from others in the market. What partnerships are in place with technology vendors in this area?

Please provide client examples to highlight the breadth of your risk strategy expertise and depth of capabilities.
Regulatory
Please help us understand the scale and scope of work you do for individual clients. How many projects in this
compliance and
area has your firm worked on in the last two years? Please describe the main way you differentiate your approach
ESG (14%)
from others in the market. What partnerships are in place with technology vendors in this area?

Please provide client examples to highlight the breadth of your risk strategy expertise and depth of capabilities.
Internal control and Please help us understand the scale and scope of work you do for individual clients. How many projects in this
assurance (14%) area has your firm worked on in the last two years? Please describe the main way you differentiate your approach
from others in the market. What partnerships are in place with technology vendors in this area?

Please provide client examples to highlight the breadth of your risk strategy expertise and depth of capabilities.
Please help us understand the scale and scope of work you do for individual clients. How many projects in this
Financial risk (14%)
area has your firm worked on in the last two years? Please describe the main way you differentiate your approach
from others in the market. What partnerships are in place with technology vendors in this area?

Please provide client examples to highlight the breadth of your risk strategy expertise and depth of capabilities.
Operational risk and Please help us understand the scale and scope of work you do for individual clients. How many projects in this
resilience (14%) area has your firm worked on in the last two years? Please describe the main way you differentiate your approach
from others in the market. What partnerships are in place with technology vendors in this area?

Please provide client examples to highlight the breadth of your risk strategy expertise and depth of capabilities.
Risk data and Please help us understand the scale and scope of work you do for individual clients. How many projects in this
analytics (14%) area has your firm worked on in the last two years? Please describe the main way you differentiate your approach
from others in the market. What partnerships are in place with technology vendors in this area?

Source: Verdantix analysis

Green Quadrant: Enterprise Risk Management Consulting Services (2025)

Copyright © Verdantix Ltd 2007-2025. Licensed content, reproduction prohibited
12
Figure 3
Momentum criteria for ERM consulting services

Momentum Questions

When was your firm's dedicated risk consulting practice set up? What are the average years of experience
in the risk sector across your dedicated risk team? Please elaborate on the skillsets that you have within your
Operational expertise (40%) dedicated risk team. How are you ensuring you have the right skillsets within your team to serve your clients?
How are you acquiring relevant talent? Please detail any other information on market presence specific to
risk, such as industry conference sponsorships/speeches, risk thought-leadership/webinars, etc.

What is the total number of clients (standalone engagements, as well as those that used risk services
as a component of a broader project) who used your risk consulting services in 2022? What is the total
number of clients (standalone engagements, as well as those that used risk services as a component
of a broader project) using your risk consulting services in 2023? In the last two years, what was the
Client base (30%) geographical breakdown of your risk consulting project clients? In the last two years, what was the
industry breakdown of your risk consulting engagements? In the last two years, what percentage of
your risk consulting engagements was delivered to firms in the following categories: small organizations
(revenues <$250 million), medium organizations (revenues between $250 million and $1 billion) and large
organizations (revenues >$1 billion)?

What were your firm's total annual revenues in the last financial year? What were your firm’s total annual
Forecast/size (30%) revenues related to the risk consulting practice in the last financial year? How prepared is your firm for
addressing emerging risks?

Source: Verdantix analysis

Green Quadrant: Enterprise Risk Management Consulting Services (2025)

Copyright © Verdantix Ltd 2007-2025. Licensed content, reproduction prohibited
13
Figure 4
Consulting services provider scores: capabilities

Boston Consulting Group (BCG)

McKinsey & Company

Grant Thornton
FTI Consulting

J.S. Held
Baringa

Deloitte

Protiviti
KPMG

PwC
dss+

RSM
BDO

Kroll
EY
Risk advisory 1.5 1.7 1.5 2.4 1.8 2.7 1.6 2.0 1.8 2.4 1.8 1.9 1.5 2.5 1.3

Risk strategy and governance 1.6 1.5 1.5 2.3 2.0 2.0 1.5 2.0 1.8 2.0 1.9 1.5 1.5 2.2 1.6

Regulatory compliance and ESG 1.7 1.5 2.0 2.1 2.2 2.2 1.5 1.6 1.9 2.1 1.5 1.5 1.5 2.2 1.6

Internal control and assurance 0.0 2.0 0.0 2.4 0.0 2.8 2.0 2.0 1.0 2.4 0.0 0.0 0.0 2.4 2.0

Operational risk and resilience 1.5 1.5 1.6 2.3 2.1 2.5 1.7 1.6 1.7 2.2 1.6 1.5 1.2 2.5 1.8

Financial risk 1.0 1.6 1.7 2.4 1.0 2.6 2.0 1.6 2.1 2.4 1.9 1.5 1.0 2.6 2.0

Risk data and analytics 1.5 1.5 2.0 2.5 2.5 2.5 1.5 1.5 2.0 2.5 1.5 2.5 1.5 2.5 2.0

Scoring framework

Evidence of market-leading functionality or positioning 3

Evidence of strong, above-par functionality or positioning 2

Evidence of on-par functionality or positioning 1

Lack of evidence, or evidence of sub-par or a lack of functionality or positioning 0

Verdantix research teams determine all scores at either sub-criteria level (for capabilities)
or criteria level (for momentum), using the scoring framework above. These assessed scores
are then weighted and compiled into derived scores at criteria or capability/momentum level.

Source: Verdantix analysis

Green Quadrant: Enterprise Risk Management Consulting Services (2025)

Copyright © Verdantix Ltd 2007-2025. Licensed content, reproduction prohibited
14
Figure 5
Consulting services provider scores: momentum

Boston Consulting Group (BCG)

McKinsey & Company

Grant Thornton
FTI Consulting

J.S. Held
Baringa

Deloitte

Protiviti
KPMG

PwC
dss+

RSM
BDO

Kroll
EY
Operational expertise 1.4 1.6 1.6 2.3 1.9 2.5 1.4 1.4 1.9 2.0 1.4 1.6 1.0 2.5 1.4

Client base 1.6 1.5 1.5 2.3 1.6 2.3 1.7 1.7 1.6 2.3 1.6 1.6 1.4 2.3 1.6

Forecast/size 1.5 1.9 1.7 2.5 1.9 2.5 2.0 1.9 1.7 2.5 1.5 1.7 1.3 2.5 1.5

Scoring framework

Evidence of market-leading functionality or positioning 3

Evidence of strong, above-par functionality or positioning 2

Evidence of on-par functionality or positioning 1

Lack of evidence, or evidence of sub-par or a lack of functionality or positioning 0

Verdantix research teams determine all scores at either sub-criteria level (for capabilities)
or criteria level (for momentum), using the scoring framework above. These assessed scores
are then weighted and compiled into derived scores at criteria or capability/momentum level.

Source: Verdantix analysis

Green Quadrant: Enterprise Risk Management Consulting Services (2025)

Copyright © Verdantix Ltd 2007-2025. Licensed content, reproduction prohibited
15
Figure 6
Green Quadrant for ERM consulting services 2025

INNOVATORS LEADERS

PwC
EY
Deloitte

KPMG
Grant
Thornton

RSM J.S. Held

dss+
BDO FTI Consulting
Kroll
McKinsey
& Company
BCG
Protiviti
Baringa
CAPABILITIES

CHALLENGERS SPECIALISTS

MOMENTUM

Capabilities
This dimension measures each service provider on the breadth and depth of its ERM consulting services
across seven capability areas, as outlined in Figure 2.

Momentum
This dimension measures each service provider against three momentum factors, as outlined in Figure 3.

Note: A white plot indicates a non-participating vendor.

Source: Verdantix analysis

Green Quadrant: Enterprise Risk Management Consulting Services (2025)

Copyright © Verdantix Ltd 2007-2025. Licensed content, reproduction prohibited
16
EY overview
Information
Headquartered in London and founded in 1903, EY operates a global practice of approximately 25,000 risk professionals. The firm’s risk consulting
services encompass integrated risk management, cyber security, forensics, financial crime, compliance, sustainability and internal audit. EY also
addresses enterprise and operational resilience, third-party risk management, and various dimensions of financial risk (e.g. liquidity, credit, market,
capital and actuarial). EY has a sector-specific approach that aligns risk practices with both regulatory requirements and strategic goals, frequently
leveraging technology partnerships to embed cloud-based platforms, automate processes and unify risk frameworks.

Vendor info Customer regional presence

Firm name EY Asia 1

Headquarters London, UK Oceania 1

Employees ~395,400 Europe 2

Revenues $51.2bn Middle East and Africa 2

Latin America and the Caribbean 1

No. of offices 700
North America 3
Example customers Not disclosed

% Customer base
0 0% 1 <10% 2 10%-25% 3 25%-50% 4 above 50%

EY's top three industry penetration

1. 2. 3.
Finance Technology, media and Manufacturing
telecommunications

Highest capabilities scores Momentum scores

0 0

Risk data and analytics

0.50 0.50 Forecast/size
Operational risk and resilience

Financial risk

Internal control and assurance Client base

Regulatory compliance and ESG

Risk strategy and governance

Operational expertise
Risk advisory

1 3 1 3

1.50 2.50 1.50 2.50

Capability scores on a 0 to 3 scale.

A score of 0 means no capability and
2 3 means market-leading capability. 2

Green Quadrant: Enterprise Risk Management Consulting Services (2025)

Copyright © Verdantix Ltd 2007-2025. Licensed content, reproduction prohibited
17
EY provides advanced, scalable risk solutions for complex business challenges
The Green Quadrant analysis finds that EY has:

• Solutions to address unique challenges, with flexible standards.

EY is recognized in the enterprise risk management (ERM) market for its comprehensive risk management
offerings. Leveraging sector knowledge, advanced analytics and innovative technology platforms, the
firm provides integrated solutions to identify, assess, mitigate and monitor key risks – including financial,
operational, cyber and strategic concerns. Its advisory teams emphasize the importance of strong
governance frameworks, a robust risk culture and effective decision-making. As external and internal
environments shift, EY’s data-driven insights, scenario planning and compliance expertise empower clients
to remain resilient, preserve value and drive sustainable growth through well-defined ERM strategies.
This combination of capabilities makes EY a frontrunner in the risk advisory, financial risk, operational
resilience and risk, and risk data and analytics categories in this benchmark.

• A concentrated approach that may lead to missed opportunities in the mid-market.

EY’s strategy is geared towards comprehensive ERM solutions tailored to large multinational enterprises,
which may leave mid-market organizations or niche sectors underserved. However, the firm is developing
modular, scalable risk management frameworks that align with smaller budgets and simpler operational
needs – which will broaden its market appeal. In addition, EY's emphasis on advanced technologies, such
as AI and predictive analytics, is a key differentiator for its risk management strategy, but clients often face
challenges in adopting and integrating these solutions. By offering more robust implementation support,
such as change management strategies, training programmes and post-implementation reviews, EY can
ensure that they derive maximum value from these technologies.

• Specialized support for global organizations in highly regulated industries.

EY specializes in supporting multinational organizations in highly regulated industries, such as financial
services and energy, by aligning risk management with industry-specific requirements and broader corporate
strategies. Focused on large, transformational projects, the firm takes an integrated, multi-domain approach to
governance, technology and process improvement strategies. Its expertise in data analytics, AI and machine
learning (ML), combined with strategic ecosystem and alliance partnerships on cloud-based platforms –
such as with Archer, AuditBoard, Microsoft, SAP and ServiceNow, among others – enables organizations to
enhance decision-making, operational resilience and compliance within complex regulatory environments.

Green Quadrant: Enterprise Risk Management Consulting Services (2025)

Copyright © Verdantix Ltd 2007-2025. Licensed content, reproduction prohibited
18
Independent Our research is a trusted source for some of the largest
and most innovative businesses in the world. With over

insight and
a decade of reports, data and analysis, our subscribers
have access to depths of insight that cannot be found
elsewhere.

analysis Whether you are implementing a leading-edge

technology strategy, or developing the products and
value propositions of the future, our analysis will help you
futureproof your thinking.

Our expertise

AI Applied
EHS & Quality
ESG & Sustainability
Industrial Transformation
Net Zero & Climate Risk
Real Estate & Built Environment
Risk Management

Contact Opportunities at Verdantix

Verdantix Ltd, Since 2008, Verdantix has been delivering high-quality

Woolyard, 52-56 Bermondsey Street, research and advice to its clients. If you’re interested in
London SE1 3UD, United Kingdom joining a world-class team with an unwavering focus on
success, apply to join us today. We are delighted to be
[email protected]
hiring across all teams and have a variety of opportunities
@Verdantix
in both London and Boston

verdantix.com RMT2503Q1007-GQ