Risk agility can maximize growth in the near term, but aligning agility with risk resiliency will give companies the greatest competitive edge in the long term, according to a new study from PwC US entitled ‘Risk in review: Going the distance’. Based on a survey of nearly 1,700 participants, the findings are made up of responses from senior executives, board members, and risk professionals from across 23 industry segments, including one-on-one interviews.
"Companies today that leverage risk management as both an offensive and defensive tactic are leading the way in maintaining long-term success," said Dean Simone, leader of PwC's US Risk Assurance practice. "Finding that right median will come differently to companies and industries across the board, but the key is to strike a balance that allows for growth at a comfortable pace, relevant to the risk appetite and tolerance levels set by management and accepted by the board."
The study categorizes respondents into four quadrants, two of which are identified as ‘high performers’ and ‘faster movers.’ High performers are companies that have mastered both high risk agility and risk resilience. They are better qualified to launch business continuity plans following a disruption and mobilize the internal resources needed for effective communication response efforts to stakeholders. Faster movers are highly agile, but not as resilient, and rely heavily on the strength of their brand name to combat adversity rather than investing more in key risk management tools and techniques.
Seventy-eight percent of CCOs agree their company's senior management wants them to adopt a more forward-looking view on compliance risks, but only 35 percent say they have adopted such an approach and less than half feel they have the capabilities needed to address the changes in their compliance risk profile. More troubling is that only 27 percent of CCOs say they have ample budget and resources to protect their company from compliance risk.
To help companies achieve long-term growth, PwC has outlined ten leading practices that companies can implement to build an infrastructure that is both risk-agile and risk-resilient:
1. Align risk management with strategic planning. It's critical for companies to understand their strategy from its earliest development phase, to move from enterprise risk management to strategic risk management.
2. Hold business units accountable for managing and monitoring their risks. Business units should be your company's first line of defense against risk. If this responsibility is solely put on risk management, the company may be focused too much on defense.
3. Define your risk appetite. Executives need to understand the extent to which their companies can withstand risk and then aggregate risk across the organization. And communicating that risk appetite across the organization is equally important.
4. Invest in data analytics to take a forward-looking view of risk. Software tools are becoming more powerful and predictive, allowing for more transparency across the enterprise. Companies that can integrate these new techniques will have a clear advantage.
5. Establish a set of key risk indicators (KRIs) that are relevant to your business, and then align them to your company's key performance indicators (KPIs). Companies that are good at both tracking KPIs and figuring out what risk events could arise in the future will succeed.
6. Appoint a chief risk officer or similar role, if you don't already have one. The person overseeing risk must have a seat at the strategy table and promote active alignment across the organization. In many large companies, it is a critical C-suite role.
7. Develop flexible governance, risk management and compliance technology platforms, and automated security processes across your IT infrastructure. Leading businesses are automating security processes, using advanced analytics to detect incidents quicker, and automating access management processes and risk and compliance management processes.
8. Learn how to effectively partner with and leverage third parties. Companies need to learn how to separate core functions from auxiliary ones, and having strong ‘just-in-time’ relationships helps companies find the right resources as the need arises.
9. Ensure strong triangulation between strategy, risk management and business continuity management. All three are necessary to create long-term resilience that can then help a company become more risk-agile.
10. Remember that risk management is about playing both defense and offense. Companies must change the perception that risk management is merely about keeping the company out of trouble; it is also about helping to prevent roadblocks in order to keep the company moving forward.
"Companies that are able to truly align their risk management activities with their strategic planning process and priorities are moving the needle from enterprise risk management to strategic risk management, positioning them for long-term growth and success," said Brian Schwartz, PwC Partner and Risk Management and Compliance Solutions Leader.To download a full copy of the report go to www.pwc.com/riskinreview