Embracing risk in the face of disruption
The world has changed in the past two years, as has the risk environment in which organizations operate. Today, change is fast and disruptive: caused disturbance in the labour market and the supply chain. The current volatile geopolitical environment is further exacerbating supply constraints, heightening cyber risks, introducing rapidly evolving sanctions and putting safety and humanity at the forefront of all decisions. Ransomware attacks are more frequent and more sophisticated, no doubt a driver of cyber’s rise to the top threat to business among CEOs in our 25th Global CEO Survey. The changing work environment brought on by the pandemic continues to disrupt talent and labour markets. Supply shortages, sanctions and rising raw material costs are heightening risks within supply chains as organizations deal with upstream risks related to subcontractors and other fourth parties that add further complication. Customers, investors and other stakeholders are laser-focused on ESG, particularly in light of recent proposed SEC climate disclosures. Each of these risks can cause significant impacts, but because they are also highly interconnected, any one risk can initiate far-reaching implications across the enterprise and put brand and reputation at stake.
In this turbulent business environment, many executives find the need to revise and adapt their strategies and operating models at a rapid pace. They know that capturing opportunity and avoiding disruption require speed. While managing disruptions, organizations are simultaneously dealing with internal digital transformation challenges, and how to bring along internal stakeholders as they automate business processes and drive digital into everything they do.
Organizations’ risk management and broader resilience capabilities need to quickly adapt to support business agility and to contribute proactive, robust and timely risk insights for decision-making. In an environment where change is constant, strong risk and resilience capabilities can provide an edge. Business leaders can make confident decisions in pursuit of their strategy that are informed by a panoramic view of risk.
Our 2022 Global Risk Survey highlights five key actions that organizations should consider to drive their risk management capabilities forward.
Risk management capabilities provide the greatest value to Board members and business leaders when they are embedded within the organization’s strategic planning and decision-making processes. The environment in which organizations operate is far from static. It changes constantly. As such, strategic decisions are revisited frequently. How risks are managed needs to adapt so that real-time risk insights and analysis can support risk-informed decision-making by stakeholders across the organization. This means that risk management capabilities must be agile and operate in an iterative manner to reflect the organization’s changing risk profile. PwC’s survey shows that organizations recognise the importance of this imperative: Nearly eight in ten say keeping up with the speed of digital and other transformations is a significant risk management challenge.
The organizations that have stood out from the pack in the past two years have not just managed existing risks — they’ve taken on new ones, and done so with confidence. These organizations have an agility advantage. They have the right resources engaged in making risk-informed decisions at the right time. Good analysis and modelling are key components of proactive risk management, as is including risk management capabilities at the start of new projects and other strategic initiatives. Today, less than 40% of business executives are reaping the benefits of consulting with risk professionals early in their programmes.
Consider these key strategies for engaging early and getting risk insights at the point of decisions:
Organizations commonly use key performance indicators (KPIs) to measure performance against strategic objectives and to support decision-making. The same approach should be used for measuring and monitoring risks. When connected to key business risks, key risk indicators (KRIs) provide leading indicators of the risk environment in which the organization operates. Movement in KRIs provides early-warning signals to leaders to reevaluate strategies, risk management capabilities and risk mitigation activities. Changes in KRIs can signal opportunity as well as risk. Examples of KRIs to monitor ransomware risk, for example, may include phishing occurrences, the number of open critical points, email security issues or leaked credentials. Supply chain risk KRIs might include supplier quality ratings, violations, financial health measures and more.
The ability to utilise and interrogate data is a key tool in the arsenal for detecting changes in the risk landscape. The survey shows that companies are investing: Three-quarters of executives are planning on increasing spending across data analytics, process automation and technology to support the detection and monitoring of risks. Sharing investment and further integrating technology and risk data across the three lines could help to efficiently drive a panoramic view of risk across the enterprise.
Consider these key strategies for taking a panoramic view of risk:
Business leaders saw opportunities to thrive in the face of disruption during the pandemic. They began to question their business models and ways of working, and they engineered changes for the long term which were accompanied by risk. Risk and return are inextricably linked. An organization’s risk management capabilities can create tremendous value if they help the organization take advantage of the upside of risks that have higher payoff.
Risk appetite is a critical tool to help business leaders understand where they are able to take more risk in pursuit of new opportunities and growth. It denotes the guardrails within which the Board asks executives to stay as they make decisions and execute on their strategies. If an opportunity requires more risk than the organization’s appetite allows, it may be fruitful to revisit risk appetite and consider if the organization is willing to take on more risk for greater reward. Among survey respondents, 22% report they are now realising benefits from either defining or resetting their organization’s risk appetite.
Risk culture also plays a role in taking advantage of upside risk. An overly strong compliance culture can stifle innovation, for example, while too weak of a compliance focus can impact brand and reputation. An effective risk culture enables business leaders and risk managers to have a clear understanding of the organization's risk appetite and gives the Board and senior executives confidence that risks will be identified and managed as desired across the organization. When strategy, risk appetite and risk culture are aligned, business leaders can take decisive action.
Consider these key strategies for employing risk appetite to take advantage of upside risk:
With the growing complexity and interdependencies of risks, more timely and relevant information is needed to be able to make risk-informed decisions. Many organizations do not have a common risk language which enables an organization to productively view and make risk-related decisions. Driving consistency in risk management capabilities across the organization can be difficult. Oftentimes, disparate risk processes and systems are deployed, contributing to challenges in achieving a common and a consolidated view of risk. Investment in risk processes, frameworks and enabling systems is needed to help an organization deploy a standardised and consistent approach to risk management. While 75% of organizations report that having technology systems that don’t work together is a significant risk management challenge, just 35% of those are addressing that challenge in a formal, enterprise-wide manner.
Consider the following key strategies for enabling risk-based decision-making through systems and processes:
Talent management. Supply chain. Regulatory compliance. Cyber threats. ESG. Regardless of industry sector, these risks are likely impacting organizations’ strategies and operations.
These high-priority risks are tightly interconnected, which means one can amplify others and impacts can be far reaching. For example, what may start as a technology breach can quickly pose huge operational, financial and reputational risk.
Risk management capabilities should go beyond the traditional risk analysis and perform deep dives on these fast-moving, high-priority risks. A deep-dive effort should identify the risk triggers and signals. It should help risk owners understand the interdependencies between the risks driving the organization’s risk profile. And an evaluation of risk management plans should identify actions the organization can take to help drive increased resiliency.
Not all risk exposures can be completely mitigated or avoided. A critical capability to strengthen resilience is to develop robust business continuity and crisis response plans to enable the organization to respond to and isolate risks in a swift and agile manner.
Consider the following key strategies for doubling down efforts on top risks:
In a business environment defined by volatility and laden with interconnected risks, risk management must be a team sport. Ownership of different risks is understandably spread more and more across distributed parts of the organization, yet all parts need to work together, with well-informed risk insights and a common understanding and usage of risk appetite.
Our survey found that when organizations embrace risk management capabilities as a strategic organizational capability — where a community of solvers participates and teams have a panoramic view of risks enabled by internal and external data, together with smart technology — Board and executive confidence in achieving sustainable outcomes is high. They are five times more likely to be very confident in delivering stakeholder confidence, a growth-minded risk culture, increased resilience and business outcomes. And, they’re almost twice as likely to project revenue growth of 11% or more over the next twelve months. Strong risk management capabilities help protect an organization from downside risks and they enable it to look forward and take risks in pursuit of growth. It’s a win-win.
The top 10% of respondents — the ones that are realising benefits from strategic risk management practices — expect faster revenue growth and better outcomes.
Business outcomes
Stakeholder confidence
Growth-minded risk culture
The 2022 Global Risk Survey is a survey of 3,584 business and risk, audit and compliance executives conducted from February 4 to March 31, 2022. Business executives make up 49% of the sample, with the remaining 51% is split among executives in audit (16%), risk management (24%) and compliance (11%).
Fifty-eight percent of respondents are executives in large companies ($1 billion and above in revenues) and 19% are in companies with $10 billion or more in revenues.
Respondents operate in a range of industries: financial services (23%), industrial manufacturing (22%), retail and consumer markets (16%), energy, utilities and resources (15%), tech, media, telecom (13%), health (9%), and government and public services (2%).
Respondents are based in various regions: Western Europe (30%), North America (29%), Asia Pacific (21%), Latin America (12%), Central and Eastern Europe (3%), Middle East (3%) and Africa (3%).
This survey was conducted by PwC Research, PwC’s global Centre of Excellence for market research and insight.
Global Cybersecurity & Privacy Leader, PwC US; Cyber, Risk & Regulatory Leader, PwC US