{{item.title}}
{{item.text}}
{{item.title}}
{{item.text}}
Risk professionals should assert themselves to inform their organization’s strategy and response to new opportunities and risks. In short, they need to be more influential. But how? What can risk professionals do to hold more sway and deliver bigger, bolder outcomes for their organizations?
Our 2023 US Risk Perspectives Survey finds that risk professionals are wielding increasing influence, though not consistently. Notably, risk team involvement in major initiatives is sporadic or late in coming. Across a range of company initiatives — enterprise tech investments, entering new markets, deals, new product development, cloud migration, new business models — only about half of the risk professionals we surveyed report becoming involved during the initial strategy or design stages for any given project (with only 9% included from the start across all major initiatives). As for the rest, they may get a seat at the table, but they arrive too late to influence strategy and design.
Their effectiveness across risk management activities is similarly uneven. A clear majority report “already demonstrating” that they bring risk insights to the CEO, the board and senior leadership to shape key decisions. But on the flip side, about 40% aren’t. And even more don’t appear to be effective at coordinating across the three lines. Half of risk professionals (51%) report they’re not yet operating in a flexible way that facilitates collaboration across the three lines. In other words, they have greater influence up the chain of command than they do with their peers.
Collaboration is critical to managing the complex risks of the future. Getting there requires establishing a single, shared view of risk across the three lines. That means establishing common risk standards and a single, integrated data model that can support those standards. Otherwise, you end up with reactive risk management silos often working at cross purposes, muddling the collective message.
To be even more influential, risk leaders should work together to harmonize their messaging to the board, CEO and senior leaders. They should also engage in major initiatives at the strategy and design stages, when risk insights can mean the difference between success and failure. By coordinating and aligning on risks and deploying technology and data insights effectively to shape key strategic and design decisions, risk professionals can help their organization make bold moves with confidence.
Risk teams are starting to see some returns on their companies’ tech investments. They’re delivering better outcomes and they’re gaining experience with emerging technologies. Still, there remains a large gap between their current tech capabilities and what’s possible.
Tech applications have somewhat improved how teams manage risks. Roughly half are seeing “significant improvement” in how they manage risks from their use of tech applications such as advanced analytics, automated workflow solutions, AI/machine learning and GRC platforms. While these gains are meaningful, around half report seeing only moderate improvement in risk management — or none at all — from these various applications.
Tech investments are showing promise in terms of risk management outcomes. When asked to identify the most significant outcomes their company has already achieved from the use of tech applications, about half of risk professionals say they’re seeing better decisions based on risk insights, prioritization of risk mitigation efforts, identification of new risks and detection of threats in real time. Fewer, though, say they’re seeing significant “efficiency” outcomes such as lower compliance costs (30%) and personnel costs (25%). This points to an opportunity to explore using technology to drive greater efficiencies, not just “quality” outcomes such as better insights, detection and prioritization.
Knowledge of emerging technologies within risk functions is growing, but not sufficiently. A slim majority of risk professionals identify themselves as either “expert in the field” or having “good theoretical knowledge and practical experience” in virtual reality, cryptocurrency, virtual environment tools and generative AI. Conversely, around half report having only “good theoretical knowledge,” “some knowledge” or “little or no knowledge” across the nine emerging technology areas listed. In short, they have no practical experience in these areas. This gap points to an important area for development as technology advances continue to accelerate.
Risk teams are starting to see improvement in how they use data to manage risks. They’re also seeing better outcomes from their data investments. Despite these gains, though, barriers remain when it comes to overseeing data risks in projects managed by other teams.
Data uses have improved how teams manage risks. Over half are seeing “significant improvement” in how they manage risks as a result of their use of data in the areas of data security and privacy, cybersecurity, real-time fraud detection and prevention, and third-party risk management (TPRM). Yet there’s still room for improvement. Only 12% report significant gains across all of the nine areas listed in the survey. Nearly half are seeing only moderate improvement or none at all, especially in areas like risk modeling, planning for regulatory change and supply chain risk.
Investments in data are starting to yield positive results. When asked to identify the most significant outcomes they’ve achieved from their data investments, risk professionals cite as their top choices improved “quality” outcomes such as better prioritization of risk mitigation efforts, better decisions based on risk insights, increased coverage for risk monitoring/audit activities and detection/prevention of more threats in real time. Smaller numbers, though, report seeing significant “efficiency” outcomes, such as lower compliance costs and personnel costs.
Oversight of data risks poses more challenges. While risk professionals increasingly rely on data to help them better manage risk, they also understand that the proliferation of data across the organization can increase risk. They see a growing need to manage data risks by improving collaboration with other functions that interact with data and resulting risks.
Risk professionals are more likely to oversee data risks with their privacy teams, data office and software developers, but they’re less involved in data risk management initiatives led by other teams. For example, a clear majority of risk professionals are involved “somewhat,” “very little” or “not at all” in overseeing data risks with TPRM, procurement, marketing and AI developers. This points to a need for managing risks collectively versus in silos.
Risk professionals have made gains influencing upward to the CEO and the board. Where they should focus is on developing stronger relationships across the three lines. They should also upskill on digital competencies. It’s not about their reporting line, it’s about reaching across the business with tech- and data-enabled insights to shape important company initiatives.
With the goal of improving relevance and exerting greater influence on strategic decisions, risk professionals indicate that the key to achieving this is developing stronger relationships with senior executives who can consult with them on risks related to major initiatives. They follow this critical first step by acknowledging a need to upskill their risk workforce on emerging tech and improve collaboration across the three lines. While still noted, factors such as better engagement with the board, more explicit CEO empowerment and changing the risk function’s reporting line to the CEO are less important aspects of improving relevance and influence across the organization.
Building influence also requires new skills. To exert greater influence on strategic decisions in the company, risk professionals need their teams upskilled on systems and networks as well as specific technologies and cloud specialties. Digital skills as a whole outrank social and communication skills and business enablers, based on respondents’ top-ranked choices.
Expanding one's influence does not, however, require a change in the reporting line. Nearly half of risk leaders already report to the board or CEO. Of those who do not “strongly agree” they have sufficient influence to manage the most important risks in their current reporting line, when asked to describe their ideal reporting line only 8% selected reporting to the CEO and even fewer selected reporting to the board (5%). Most chose “no change in reporting line” when asked to describe their ideal reporting line.
Improving your effectiveness in managing risks isn’t about changing reporting lines. It’s about the value you bring, the relationships you forge, the tools and data you deploy and the skills you develop.
Between March 9 and April 3, 2023, PwC surveyed 308 risk professionals in risk, audit and compliance from US companies with revenues exceeding $1 billion. The survey gathered views across industries and job functions to understand the risk professional’s level of influence within their company and what attributes they exhibit.
PwC Research, PwC’s global centre of excellence for market research and insight, conducted this survey.
Partner, Risk and Regulatory, PwC US
Tiffany Gallagher
Principal, Health Industries, Cyber, Risk & Regulatory Leader, PwC US
Clients and Markets Leader, Cyber, Risk & Regulatory, PwC US
Vikas Agarwal
Financial Services Risk & Regulatory Leader, PwC US