Embed Size (px)
Citation preview
Balancing risk agility and risk resiliency for enduring success
5th Annual StudyApril 2016
Risk in reviewGoing the distance
Table of contents
The heart of the matter 2
Risk resiliency + risk agility = enduring success-Keydefinitions:Riskresiliencyandriskagility-Performersandmovers:Buildingtheriskresiliency/riskagilitymatrix-Howdoindustriesdifferintheirriskpractices?
An in-depth discussion 8
Risk agility is critical for near-term growth-Casestudy,FannieMae:Makingan80-year-oldgovernment-sponsored enterprisemoreriskagile
Agility without resiliency raises business 12 sustainability risk-Significantregionaldifferencesinriskagilityandresiliency-Whatarecompaniesfocusingonforgrowth?
The path forward 20
How Chief Risk Officers and Chief Compliance Officers can lead-Casestudy,UnityPointHealth:Usingriskresiliencytoraiseagility andimprovepatientcare
Conclusion 24
10 ways to build enduring growth
2 Risk in review 2016
The heart of the matter:
Riskresiliency+riskagility=enduringsuccess
3
Risk agility: The ability to alter and adapt risk management infrastructure to respond quickly to changing markets, customer preferences or market dynamics.
Risk resiliency: The ability to withstand business disruption by relying on solid processes, controls and risk management tools and techniques, including a well-defined corporate culture and a powerful brand.
+ =Riskresiliency
Riskagility
Strategic risk management
and sustainable growth
Figure 1
Theheartofthematter
Weliveinturbulenttimes.Inrecentyears,widespreadbusinessdisruptionhasspurredcompaniestofocusonacquiringtheagilitytoquicklyidentifyandseizenewopportunities.Butwiththecurrenteconomicuncertaintybroughtonbyvolatileoilprices,anunevenstockmarket,aslowingChineseeconomy,andachaoticUSpresidentialcampaign,it’snowonder66%ofCEOsinPwC’s19thAnnualGlobalCEOSurveynowseemorethreatsthanopportunitiestotheirbusiness.
Toremaincompetitiveintoday’sbusinessclimate,companiesmustpursuetwoparallelstrategies:(1)buildingagileandflexibleriskmanagementframeworksthatcananticipateandpreparefortheshiftsthatbringlong-termsuccessand(2)buildingtheresiliencythatwillenablethoseframeworkstomitigateriskeventsandkeepthebusinessmovingtowarditsgoals.
The importance of risk resiliency and agility
1,679 23 15 84total
participantsindustry segments
job functions
headquarters locations
4 Risk in review 2016
Performers and movers: Building the risk resiliency/risk agility matrix
Inoursurvey,weaskedcompaniesquestionsabouttheirrisk-resiliencyandrisk-agilitycapabilities,processes,andcorporatecharacteristics.Wethenscoredtheiranswersona0–100scaletocreateariskresiliency/agilitymatrix.Respondentsfellintofourquadrants.
More resilient
Lessagile
Moreagile
Less resilient
HighPerformers
FasterMovers
SteadyPerformers
SlowerMovers
Steady Performers Companiesscoringintheupper-leftquadrantarehighonresiliencybutlowerinagility
High Performers Companiesscoringintheupper-rightquadrant,whichareinthesweetspot ofbeingbothhighlyriskagileand
highlyriskresilient
Slower Movers Companiesscoringinthebottom-leftquadrant,havinglowagilityandlowresiliency
Faster Movers Companiesscoringinthelower-right
quadrant,whicharehighlyagile butnothighlyresilient
Thatconnectionbetweenriskagilityandriskresiliencyisattheheartofthisyear’sRiskinreviewstudy.Ouranalysisshowsthatrisk-agilecompaniesarefarmorelikelytosaytheyexpectsignificantrevenueandprofit-margingrowththanthosethatarenotriskagile.Butagilityalonetakesyouonlysofar:companieswe’ve
termedFasterMoversmaybepursuingriskagilityattheexpenseofriskresiliency;relyingtooheavilyonthestrengthoftheirbrandstoweatherriskevents;andtheymaylackstrategiesforbusinesscontinuity,successionplanning,strategicalignment,anddataanalytics—allofwhicharecriticalfactorsforpromotingenduringsuccess.
5 Theheartofthematter
Figure 2
Risk agility/resiliency matrix, by industry
505 8
Steady Performers High Performers
Slower Movers Faster MoversLess resilient
Assest ManagementInsurance
BankingUtilities
Aerospace & Defense AutomotiveTechnology
EMC
Chemicals
Transport & LogisticsEnergy
Industrial manufacturing
Retail & Consumer
Engineering & Construction
Business services
Pharma
Payers
Providers
Less agile40
More resilient68
48
60More agile
Source: PwC Risk in Review 2016.
TICEHC
FS
GOVED
CIPS
Financial services (FS)- Asset management- Banking- Insurance
Consumer and industrialproducts and services(CIPS)- Aerospace & Defense- Automotive- Business services- Chemicals- Energy- Engineering- Industrial manufacturing- Retail & Consumer- Transport & Logistics- Utilities
Technology, information,communications &entertainment (TICE)- Entertainment, media &
communications (EMC)- Technology
Healthcare (HC)- Payers- Providers- Pharma
Government (GOV)
Education (ED)
6 Risk in review 2016
Thekeytakeaway:eventhoughriskagilityboostsgrowth,balancingitwithriskresiliencyappearstogivecompaniesanenhancedcompetitiveedgeoverthelongterm.AsPwCPartnerandRiskAssuranceLeaderDeanSimonesays:“Riskmanagementshouldbeleveragedasadefensivetacticaswellasanoffensivecatalyst.Itcomesdowntohowacompanymanagestheupsidecombinedwiththedownsideofeachbusinessrisk.”
Inlightofthemanychangesweexpectduringthenextyear,thefollowingadvicefromJimCollins,authorofGood to Great and Built to Last,hasperhapsneverbeentruer:“Ifthereisanyone‘secret’toanenduringgreatcompany,itistheabilitytomanagecontinuityandchange—adisciplinethatmustbeconsciouslypracticed,evenbythemostvisionaryofcompanies.”
Insharpcontrast,HighPerformers—the36%ofsurveyrespondentswhoarebothhighlyriskagileandhighlyriskresilient—appeartoestablishstrongriskmanagementculturesandstructuresthatsupporttheirabilitytoweatherdestabilizingriskevents,whichinturngivesthemthesoliditytoquicklyandconfidentlyrespondtochangesintheirriskprofiles.Remarkably,suchcompaniesareevenmoreriskagileinalmosteverymeasurethanFasterMovers.Andtherealkicker:evenwhilebeingsetupforgreaterresiliency,HighPerformersareonlyslightlylesslikelytoexpectsignificantgrowth.Inotherwords,they’veseemtohavetakenadvantageoftheirriskmanagementorganizationandstrategiestofindthesweetspotattheintersectionofstronggrowthandsustainablesuccess.
Companies that are risk-agile are far more likely to expect significant revenue and profit-margin growth, but agility alone only takes you so far: without risk resiliency they are putting their long-term success at risk
7 Theheartofthematter
How do industries differ in their risk practices?
Pharma companiesratethemselveshighlyontheirabilitytorapidlypursuegrowthopportunities:52%saytheyaregoodatthisvs.41%oftotalrespondents.However,only23%useformalriskmanagementtechniques,21%understandthevelocityofrisk,andlessthanhalfsaytheycandealcapablywithchallenges.
Healthcare payer and provider companiesaresignificantlymorelikelythanrespondentsoveralltosaytheyaregoodatidentifyingopportunitiesaheadofcompetitors,butareamongtheleastlikelytoemployformalriskmanagementtoolsandtechniques, atjust45%.
Financial services firmsscorehighestinriskresiliency,andsignificantlyoutpaceothersintheiruseofdataanalytics.Forexample,73%useKeyRiskIndicators(KRIs)vs.53%ofallrespondents.Theyarealsomorelikelytohavealignedriskmanagementwithstrategicplanning.
Industrial manufacturing companiesaresignificantlylesslikelytosaytheycontinuouslyadapttheirriskapproachesbasedonemergingrisks.Just35%offirmssaytheydothis,comparedwith49%oftotalrespondents.
Technology firms excelatidentifyingopportunitiesaheadofthecompetition:56%oftechnologyfirmssaytheyaregoodatthis,comparedwithonly45%oftotalrespondents.Indeed,TICE(technology,informationcommunicationsandentertainment)companiesasagroupleadonvirtuallyeverymeasurewhenitcomestoagility,thoughtheyfallbehindonmanyresiliencymetrics.Forexample,only23%saytheiremployeesunderstandtheircompany’sbusinesscontinuitystrategies.
Retail and consumer products companies inourstudyaresignificantlymorelikelytohaveincreasedproductofferingsandaremorelikelytohaveexpandedintonewgeographies.And45%ofretailerssaytheyhavetransformedtechnologyplatformstomeetopportunities,comparedwithonly33%ofCIPS(consumerandindustrialproductsandservices)respondentsoverall.
8 Risk in review 2016
An in-depth discussion
Riskagilityiscriticalfornear-termgrowth
9 Anin-depthdiscussion
Despitethevariousuncertaintiesintheglobaleconomy,oursurveyrespondentsexpressrealoveralloptimismaboutgrowth,with75%expectinganincreaseinrevenueinthenexttwoyears.However,lessthanhalf(40%)saytheyexpectrevenuestoincreasesignificantly(definedasmorethan5%),andonlyone-quartersayprofitmarginswillincreasesignificantly.Companiesscoringhighonriskagility(HighPerformersandFasterMovers)aremorelikelythanallotherrespondentstosaytheyexpectsignificantgrowth.
Figure 3
Risk-agile companies are more likely to expect significant growth Companies expecting significant growth (greater than 5%) over the next two years:
More resilient
Lessagile
Moreagile
Less resilient
HighPerformers
FasterMovers
SteadyPerformers
SlowerMovers
32%18%
46%27%
36%23%
52%33%
40%25%
Total
Revenue growthProfit margin growth
Superiorrisk-agilitycapabilitiescouldexplainwhyHighPerformersandFasterMoversaresobullishongrowth.Focusedmoreontheupsideofrisk,theserespondentshavetheabilitytoidentifyopportunitiesaheadofcompetitors,rapidlypursuethoseopportunities,andaccommodatechangestothebusinessmorequicklythancancompaniesthatlackagility.
“Historically,riskmanagementhasbeenaboutpreventinglosses,protectingthedownside,”saysKimberlyJohnson,SeniorVice
“Risk management should be leveraged as a defensive tactic as well as an offensive catalyst.” — Dean Simone, PwC Partner and Risk Assurance Leader
10 Risk in review 2016
22%
24%
70%
71%
15%
8%
51%
38%
15%
16%
67%
75%
16%
17%
70%
69%
14%
10%
67%
62%
Identify opportunities ahead of competitors
Use data and analytics to identify new business opportunities
Rapidly accommodate changes to the business
Rapidly pursue growth opportunities
Flexibly change leadership and organizational structure to pursue opportunities
More resilient
Lessagile
Moreagile
Less resilient
HighPerformers
FasterMovers
SteadyPerformers
SlowerMovers
Figure 4
Stark contrasts on agility capabilitiesRespondents say their companies’ risk agility capabilities enable them to:
PresidentandChiefRiskOfficeratFannieMae.“Butthat’sallplayingdefense.Wethinkaboutriskalsointermsofhowtocreateopportunitiesbecauseyoufindwaysthatyoucanmaketherightrisktrade-off:wheretherearereturns.”
JasminLussier,ChiefComplianceOfficeratPPGIndustries,agrees:“Arisk-agileorganizationisonewithacohesiveandthoughtfulprocessintermsofunderstandingcurrentandfuturerisks.”
Bydefinition,SteadyPerformersandSlowerMoversarelessagilethanFasterMoversandHighPerformers,butwhatisstrikingisthesizeofthegapbetweenthem,asFigure4illustrates.
Overall,oursurveyresultstellusthatfornear-termrevenueandprofit-margingrowth,riskagilitytrumpsriskresiliency.
11 Anin-depthdiscussion
Case study: Fannie Mae
Making an 80-year-old government-sponsored enterprise more risk-agile
Since the collapse of the housing market in 2008–09, Fannie Mae—the government-sponsored enterprise that provides liquidity to the mortgage market and plays an essential role in setting loan eligibility, underwriting, and risk management standards—has been forced to rethink its strategic plan and redetermine how it can best help generate positive impacts on the US housing market. From the very start, risk management has been deeply embedded in the conversation.
“Everybody is trying to crack the wheel around faster and more-agile business delivery,” says Fannie Mae’s Senior Vice President and Chief Risk Officer, Kimberly Johnson. “We’re an old company,” she explains, adding that the company uses many legacy systems, “but we’re working all the time on becoming more agile.” For example, she says, “We had key performance indicators and key risk indicators built together, in tandem, into the launch of our new strategic plan. The partnership with the business was tremendous—and a unique way to begin a transformation.”
Fannie Mae is investing in new tools and techniques to change its approach to risk management. “We are working on new, better, faster, more reliable data and models, and streamlined business processes,” says Johnson, “and we are striving to reduce risks and costs to us, to our customers and to the housing finance system as a whole. But we also think about risk in terms of playing offense. We’re now thinking about innovation from a strategic risk perspective.”
Just as critical as developing new tools, she asserts, is changing the culture within the organization regarding regular conversations about risk and when it should be escalated. Johnson now convenes meetings three times a week with her senior staff to evaluate new risks on the horizon. “It’s not only about the tools; it’s also about the people,” she says. “It really is cultural. Whether or not people are identifying and escalating risk issues—be they small or large—really depends on the environment you create.”
“We think about risk in terms of playing offense…thinking about innovation from a strategic risk perspective.”—KimberlyJohnson,SeniorVicePresidentandChiefRiskOfficer,FannieMae
12 Risk in review 2016
An in-depth discussion
Agilitywithoutresiliencyraisesbusinesssustainabilityrisk
13 Anin-depthdiscussion
Agilitymaybecriticalfornear-termgrowth.Butcanhighlyrisk-agilecompaniesalsosucceedoverthelongerterm,sustainingtheirgrowthmomentum?
WecomparedHighPerformers’riskagilityresponseswiththoseofFasterMoversandfoundstrikingresults.FasterMoversoutscoreHighPerformersinonlytwoareas:Theyareslightlybetteratrapidlypursuingandmobilizingfornewgrowthopportunities.Butineveryothermetricweexamined,HighPerformersactuallyscorebetteronriskagilitythanFasterMoversdo.Asagroup,HighPerformersscorehigheronagilitythanFasterMoversbymorethansevenpoints(66forHighPerformers,59forFasterMovers).
ThissuggeststhatHighPerformersgainan“agilityboost”bybeinghighlyresilient.Inotherwords,theirrisk-resilienttechniqueshelpthemdevelopgreaterriskagility.MorenikeMiles,DeputyGeneralCounselforEnterpriseRiskManagementofVirginiapowerutilitycompanyDominionResources,
seesthisimportantconnectionbetweenriskagilityandresiliency:“Keepingoursightstrainedontherisklandscapereallydoeshelpincreaseouragility,”shesays.“We’reabletobebetterpositionedtorespondtochangesinthebusinessenvironmentandregulatoryclimateandtochangingmarketdynamics.Andthatagilityhelpsusbecomemoreresilient:wecanidentifyandrespondtoriskearlier,andthatincreasesourabilitytowithstandandcraftcontrolstomitigatethoserisks.”
HighPerformersmovebeyondriskagilitytoenabletheircompaniestoweathereventsthatmaypushtheirgrowthstrategiesoffcourse.They’resignificantlybetterabletolaunchbusinesscontinuityplansfollowingadisruption,mobilizetherightinternalresourcestorespondeffectively,andsuccessfullycommunicateresponse
Companies ignore the connection between risk agility and risk resiliency at their peril
effortstostakeholders.They’realsofarbetteratbringinginthird-partyresourcesasneeded.SaysAndrewRabinowitz,ChiefOperatingOfficerofMarathonAssetManagement:“Asthesayinggoes,‘IamwisebecauseIknowwhatIdonotknow.’Whatthatmeansisthatnoneofusknowseverythingaboutallaspectsofeverytopic,especiallyrisk.Youhavetoknowwhenit’stimetohavesomehumilityandawarenessandraiseyourhandandaskforguidancefromindustryexperts.”
ToddBialick,PwCPartnerandTrustandTransparencySolutionsLeader,agrees:“Everycompanyhasitscorecompetencies.Butifyouhaveastrategicrelationshipandaleveloftrustbetweenyouandyourthird-partypartner,youcanbuildprocessesthatnotonlymakeyoustrongerbuthelpyoumovefasteraswell.”
“Companies that are able to truly align their risk management activities with their strategic planning process and/or strategic priorities are moving the needle from enterprise risk management to strategic risk management.” — Brian Schwartz, PwCPrincipalandRiskManagementandComplianceSolutionsLeader
14 Risk in review 2016
HighPerformersarealsomorelikelytobudgeteffectivelyfordisruptionrisk(64%vs.just23%ofFasterMovers).Figure5illustratesthesignificantgapbetweenFasterMoversandHighPerformersacrossarangeofriskresiliencymeasures.
IncontrasttoHighPerformers,FasterMoversappeartorelymoreheavilyonthestrengthoftheirbrandnamestoseethemthroughadversityinsteadofinvestingmoreinkeyriskmanagementtoolsandtechniquesthatwouldpreparethemtosuccessfullymanageriskevents.Forexample,although69%ofFasterMoverssaytheyhavestrongandrespectedbrands,only43%continuouslyadapttheirrisk
approachesbasedonemergingrisks,andonly35%havesuccessionplansforseniorleadership.
Significantly,just42%ofFasterMovers reporthavingwell-definedandautomatedinformationtechnology(IT)securityprocesses.ButaccordingtoGrantWaterfall,PwCPartnerandGlobalCybersecurityandPrivacyAssuranceLeader,“Virtuallyallcompaniesneedtoimprovetheirapproachestosecuritytobecomemoreriskresilientandriskagile.Forresilience,itmeansinvestinginabroad-basedcybersecurityriskmanagementprogram.Foragility,it’saboutbothpivotingsecurityattentiontosupporttherapiddevelopmentof
More resilient
Lessagile
Moreagile
Less resilient
HighPerformers
FasterMovers
SteadyPerformers
SlowerMovers
Figure 5
Faster Movers lack business continuity strategiesRespondents say their companies’ risk resiliency capabilities enable them to:
93%
53%
83%
30%
88%
51%
71%
42%
64%
23%
Mobilize the right internal resources to respond quicklyand effectively
Immediately launch business continuity plans following a disruption
Effectively communicate responseefforts to stakeholders
Quickly add third-party resources to assist in resolution
Budget effectively for disruption risk
15 Anin-depthdiscussion
Significant regional differences in risk agility and resiliency
Asagroup,respondents whose companies are headquartered in North Americareporthavingthegreatestriskagilityandriskresiliency.Theyaremorelikelytosaytheyhaveprovenrecordsofprotectingtheircorebusinesseswhileremaininginnovativeandagile:55%comparedwith45%ofEuropeanrespondentsand39%ofAsianrespondents.NorthAmericanrespondentsalsoratetheirabilitytomobilizeinternalresourcesasmuchhigherthantheabilityofothers:70%saytheyaregoodorexcellentinthisarea.Only16%ofNorthAmericanrespondents,however,saytheyhavehadorplantohaveanindependentassessmentoftheircompanies’riskagilityversus23%inMiddleEast/Africa,whosaythesame.Andjust45%ofNorthAmericanrespondentssaytheyidentifyopportunitiesaheadoftheircompetitors—asagainst61%inSouthAmericawhomakethatclaim.
Respondentsheadquartered in Asiaranksecondhighestinriskresiliency(thoughwellbelowtheirNorthAmericancounterparts)andthirdinriskagility.Theyareleastlikelytosaytheycanidentifyopportunitiesaheadoftheircompetitorsorthattheyunderstandthevelocityofrisk.Whenitcomestobeingabletoimmediatelylaunchbusinesscontinuityplansfollowingadisruption,however,respondentsinAsia(57%)outpacetheirpeersinEurope(51%),theMiddleEast/Africa(46%),andLatinAmerica(43%).
Respondentsheadquartered in Europescorenearthetopwhenitcomestotheuseofriskmanagementtoolsandtechniques,with57%claimingthisischaracteristicoftheirorganizations—justbehindAsia(58%).Europeanrespondentsalsoseetheirbrandleadershipasastrength,at71%(behindonlyNorthAmerica,at77%).Overall,theyrankthirdhighestforriskresiliencybutoutpaceonlytheMiddleEast/Africaonagility.
Respondentsheadquartered in the Middle East/Africaaremorelikelythanrespondentsheadquarteredinotherregionstohaveestablishedbusinessmodelswithdocumentedriskmanagementprocesses(61%vs.just42%inLatinAmericaand58%inEurope).Theserespondentsarealsomostlikelytoagreeorstronglyagreethattheircompaniesunderstandthevelocityofrisk(43%vs.only29%inAsia).Still,onaverage,companiesinthisregionscorelowestonagilityandsecondlowestonresiliency.
RiskagilitysignificantlyoutpacesriskresiliencyamongrespondentsheadquarteredinLatin America,with61%sayingtheyaregoodorexcellentatidentifyingopportunitiesbeforetheircompetitors,comparedwithonly40%ofrespondentsinAsiaandtheMiddleEast/Africaand48%inEurope.Morethanhalf(52%)ofLatinAmericanrespondentsagreeorstronglyagreethattheircompaniesencourageprocessflexibilitytoimproveefficiency,versusjust39%inEurope,Asia,andtheMiddleEast/Africa.
16 Risk in review 2016
“I’veseencompanieswithaggressivetop-linegrowthtargetsdecidenottoinvestattheappropriatelevelintheirriskmanagementprograms,”saysBrianSchwartz,PwCPrincipalandRiskManagementandComplianceSolutionsLeader.“Therearetoomanyexamplesofcompaniesacrosssectorsthatallowtheirgrowthtooutpacetheirinfrastructure.Theunfortunateresultisthattheirvulnerabilitypeaks,andriskeventsbecomemorecripplingtotheirbrands.”
Companiesignoretheconnectionbetweenriskagilityandriskresiliencyattheirperil.SiliconValley,forinstance,isknownforfast-growthfirmsanddisruptivebusinessmodels,buteven
customer-facingdigitaltechnologythatdrivesrevenueandusingadvancedtechniquestobetterpredict,detect,andrespondtoarapidlychangingdigitalandthreatlandscape.”DennisChesley,PwCPrincipalandGlobalRiskConsultingLeader,agrees:“Manyexecutivesaredeclaringcyberastheriskthatwilldefineourgeneration.”
OuranalysissuggeststhatwhileHighPerformersarebuildingstrongerfoundationsforlong-termgrowth,FasterMoversarepursuingagilitywithoutadequateriskresiliency—eventhoughtherevenueandprofitmargingainstheyseewiththatapproachareonlynegligiblyhigher.
Figure 6
Faster Movers rely too much on brandRespondents say these risk resiliency characteristics describe their companies:
More resilient
Lessagile
Moreagile
Less resilient
HighPerformers
FasterMovers
SteadyPerformers
SlowerMovers
72%
69%
61%
52%
55%
43%
53%
42%
48%
35%
Is a strong and respected brand
Uses risk management tools and techniques
Continuously evolves its risk approach based on emerging risks
Has well-defined and automated IT security protocols
Has a succession plan for senior leadership
17 Anin-depthdiscussion
What are companies focusing on for growth?
Companieshavefocusedonvariousgrowthstrategiesinthepast18months.Amongrespondentsoverall,72%haveincreasedproductofferings,69%havetransformedtheirtechnologyplatforms,and60%havediversifiedtheirportfolios.
HighPerformersaresignificantlymorelikelytoreporttheuseoftransformedtechnologyplatformsthanFasterMovers.Fastermovers,meanwhile,appearfarmorelikelytohavereorganizedaroundnewbusinessmodels.
Bysector,respondentsinTICEcompanies(technology,information,communicationsandentertainment)aresignificantlymorelikelytohaveincreasedtheirproductofferingsthanarerespondentsasawhole(84%vs.72%).Financialservicesandhealthindustriesrespondentsarealsostronglyfocusedonproducts(78%and79%,respectively).Pharmacompaniesaremorelikelytobepursuingstrategicacquisitions.Fromaregionalperspective,LatinAmericanrespondentsaremostlikelytosaytheychangedtheirgo-to-marketstrategiesinthepast18months:at64%vs.42%overall.
Strikingabalancebetweentheabilitytoflextheirriskappetitetocapturenewopportunitiesandtheresiliencytoprotectagainstunexpectedrisksappearstohelpcompaniesachievetheirgrowthobjectives.Oneimportantwayofdevelopingthatbalanceistoalignkeyperformanceindicatorswithkeyriskindicators.Anotheristoapplydataanalyticsforanunderstandingofearly-warningsigns.
More resilient
Lessagile
Moreagile
Less resilient
HighPerformers
FasterMovers
SteadyPerformers
SlowerMovers
Figure 7
Changes to meet opportunities—and mitigate riskRespondents report making the following changes to their businesses in the past 18 months:
69%9%
39%28%
47%19%
71%9%
42%34%
44%23%
59%10%
35%33%
56%11%
33%31%
31%23%
33%25%
meet opportunity
Changes made to…
mitigate a risk
Increased product offerings Transformed technology platforms Diversified portfolio
18 Risk in review 2016
inthatenvironment,complianceissuescancausecompaniestostumble.Recently,concernsaboutimproperlicensingoftheinsurancesalesforceatahumanresourcessoftwareplatformunicornledtotheresignationofthecompany’sfounderandCEO.
Ontheothersideofthecoin,innovativecompaniesoftendemonstratetheycaneffectivelymanagegrowthwithoutmajorresiliencerisks.
Fiveyearsago,forexample,Microsoftmadeastrategicshift:Realizingthefutureofsoftwaredeliverywas“inthecloud,”ittookitspremierproduct,Office—whichincludesWord,PowerPoint,andExcel—andmadeitavailableonlineinanewsuitecalledOffice365.“Thereweresomenaysayerswhopredictedwewouldnotbesuccessfulinthecloud,”saysMelvinFlowers,CorporateVicePresidentatMicrosoft.Historyhasproventhosedoubterswrong.
Tomanagesuchlargetransformationssuccessfully,riskexecutives“havetoactuallyunderstandthestrategyandbusinessplanforthecompany.Wemusthelpmanagementidentifykeyrisksanddeveloptheappropriatemitigationplan,”Flowerssays.
Riskmanagersshouldbeengagedasearlyaspossiblewhenstrategicbusinessconversationsbegin,hestresses,buttheymustalwaysbefocusedonaddingvaluetothebusiness.Thatmeansdetermininghowcontrolscanbeenhancedorprocessescanbeimprovedbeforeanyshiftisimplemented.“Whetherornottheyturnouttobeissues,youcanstilladdalotofvalue,”Flowerssays.
“Anytimeyouareinaconversation,youhaveanobligationtoeitheraddsomevalueormakesurewhatyouaretakingawayisleadingtoaprocessthatwilladdvalue.Youareonlyasgoodasyourlastcontribution,”headded.“Youearnyourstripeseveryday.”
“There were some naysayers who predicted we would not be successful in the cloud.” —MelvinFlowers,CorporateVicePresident,Microsoft
19 Anin-depthdiscussion
“The most sophisticated companies are using visual data tools to spot trends and be more predictive. That makes them simultaneously more resilient and more agile—and increases the likelihood of success.” — John Sabatini, PwC Principal and Advanced Risk and Compliance Analytics Solutions Leader
MarathonAssetManagement’sAndrewRabinowitzsaystheincreasinglyglobalnatureofinvestmentsandthehigherexpectationsinvolvedinregulatoryandcompliancegovernancemakeitimperativeforhiscompanytoexamineitsriskprofileeveryday.“Everyoneatthefirm—whetheryou’reananalyst,inoperations,ontheriskteam,theCEO,ortheCIO[chiefinformationofficer]—everyoneisaskedtothinkaboutriskaspartoftheirbusiness… sothere’sconstantback-and-forthinaconstructivemanner.It’snotlikewemeetonlyonceaweekat7A.M.and‘Don’tbothermeuntilthen.’It’sveryinteractive.”
Thatalignmentiscriticalforsuccess,saysJasonPett,PwCPartner,InternalAuditSolutionsLeaderandFinancialServicesRiskAssuranceLeader.“Inacompanywhereriskmanagementeffortsaretrulyaligned,thesecondandthirdlinesofdefense—riskmanagementandinternalaudit—workalongsidethebusinessunitsasthe
lattermakedecisionsandtakeonrisk,therebyhelpingthemreadthatriskandrespondtoitinrealornearrealtime.”
JohnSabatini,PwCPrincipalandAdvancedRiskandComplianceAnalyticsSolutionsLeader,says:“Themostsophisticatedcompaniesareusingvisualdatatoolstospottrendsandbemorepredictive.Thatmakesthemsimultaneouslymoreresilientandmoreagile—andincreasesthelikelihoodofsuccess.”
Findingtherightbalancepointbetweenriskresiliencyandriskagilitycanbeverydifferentfromcompanytocompanyandindustrytoindustry,saysPwC’sBrianSchwartz:“Thekeyistostriketherightbalancethatallowsforgrowthatacomfortablepacerelevanttotheriskappetiteandrisktolerancelevelssetbymanagementandacceptedbytheboard.”
Likewise,puttingcleardecision-makingprocessesinplaceanddefiningresponsibilitiescanactuallymakeiteasierforanorganizationtoaccelerateitsriskassessments,accordingtoJosephHo,SeniorVicePresidentofEnterpriseRiskManagementatEnergyFutureHoldings:“Itdoessoundalittlecounterintuitivetosay,‘Hey,tobecomemoreagile,I’mgoingtoputinanewprocess.’Butitdoeshelp.”Withincreasedtransparency,headds,“majorhedgingdecisionscanbemadeveryquickly.”
20 Risk in review 2016
The path forward
HowChiefRiskOfficersandChiefComplianceOfficerscanlead
21 Thepathforward
ChiefRiskOfficers(CROs)andChiefComplianceOfficers(CCOs)havearesponsibilitytohelptheircompaniesbecomebothriskresilientandriskagile.Theirrolesuniquelypositionthematthecrossroadsofriskresiliencyandriskagility,whichgivesthemanimportantplatformfordrivingneededorganizationalchange.
CROsareconfidenttheC-suiterecognizesthevaluetheybring:aclearmajority(68%)saytheirfunctionisrespectedandvaluedbyseniormanagement,and59%sayotherbusinessfunctionsproactively
seektheiradvice.ForCROsatHighPerformercompanies,thosefiguresaresignificantlyhigher,at91%and88%,respectively.Butonlyaboutone-thirdofallCROsinourstudysaytheirriskmanagementstrategiesareseenbyothersbeyondtheC-suiteascatalysts
More resilient
Lessagile
Moreagile
Less resilient
HighPerformers
FasterMovers
SteadyPerformers
SlowerMovers
Figure 8
Changing the perception of risk management as an enabler for growthChief Risk Officers report that their companies’ risk management program:
91% 91% 88% 84%
84% 75% 69% 63%
68%Total
65%Total
59%Total
58%Total
45%Total
45%Total
47%Total
36%Total
Is respected and valued by senior management
Is proactively sought out for advice by other business functions
Provides proactive advice and guidance for other business functions
Has a strong strategy and execution plan
Is sufficiently agilePromotes a culture of data-driven decision makingIs sufficiently resilient
Is seen by other executives as a catalyst to growth, not an impediment
forgrowth,whichsignifiesamajoropportunitytochangeperceptions.AtHighPerformercompanies,theresultsaremuchhigher:63%ofHighPerformerCROssaytheyareseenascatalystsforgrowth.
Within high performing companies, 63% of Chief Risk Officers (CROs) say they are seen as catalysts for growth compared with 36% of CROs overall
22 Risk in review 2016
Case study: UnityPoint Health
Using risk resiliency to raise agility—and improve patient care
The healthcare ecosystem in the US is changing rapidly, especially since the Affordable Care Act took effect. At Trinity Muscatine Hospital in Muscatine, Iowa, part of the UnityPoint health care network, the staff is “getting really good at being able to respond quickly to change, and make improvements quickly and efficiently,” says Jamie Bosten, Chief Compliance, Privacy and Risk Officer. The hospital has built systemic processes that can turn reliability metrics into process improvements that boost organizational agility.
“We had to find a better way to look at problems and solve them,” Bosten explains. So scattered across the facility are “opportunity boards” where any employee can “scribble a couple of key details onto a 3 x 5 card” and post it on the board. Each day, the forms are examined and reviewed, and stratified in terms of their risk severity, potential to recur, and other factors. Simple issues are fixed at once. For more complicated issues, “we find people who are doing the work, we find subject-matter experts in the area we think might cross into this particular area, we put them all in a room together and follow a standard process for evaluating the situation. We come out with an action plan and timeline to implement it.”
In practice, that means that “we can take something as complex as an adverse-outcome event and within about an hour of having the meeting, we have a plan for preventing that from ever happening again,” Bosten says. In this way, the hospital creates a virtuous circle of resiliency and agility.
“ We had to find a better way to look at problems and solve them.”—JamieBosten,ChiefCompliance,PrivacyandRiskOfficer,UnityPointHealth
23 Thepathforward
PPG’sJasminLussiernotesthatgoodriskmanagersmusthelptheircompaniesknowwhenitbecomesadvisabletotakeongreaterrisks.“Whenyouembedriskmanagementintoyourday-to-dayprocessesanddiscussions,youcanbetterassessyouroptionsandperhapstakeondifferentrisks.”
AtDominion,ChiefRiskOfficerMarkWebbsaysit’simportanttobattlecomplacencywithintheriskpractice.“Ifpeoplegetusedtodoingacertaintypeofassessmentorcertaintypeofanalysis,itcanbecomeformulaic.”Tocombatthis,notonlyaremanagersfrequentlyrotatedfromdivisiontodivisionwithintheutility,buteveryyear“weincludenewrequests,ornewmetrics,thatwillkeeppeople’sthinkingfreshwhentheyapproachtheirassessments.”
Asregulatorymandatesincrease,aclearmajorityofCCOs(78%)agreetheircompanies’seniormanagementwantsthemtoadoptamoreforward-lookingviewwhenitcomestocompliance;yetjust35%saytheyhaveadoptedsuchanapproachtothemetricstheyprovideseniormanagement,andlessthanhalfsaytheyhavethecapabilitiesneededtomakethechangesintheircomplianceriskprofile.Moretroublesomeisthatonly27%ofCCOssaytheyhaveamplebudgetsandresourcestoprotecttheircompaniesfromcompliancerisk.
“We’renotasfaralongaswe’dlikeintakingapredictiveapproachtoanalyticsinourriskmanagement,”
78% Most say their company’s senior management wants a more forward-looking view when it comes to compliance, however:
49%Just 49% feel they have the capabilities needed to address the changes in their compliance risk profile
35%Only 35% have adopted a forward-looking approach in the metrics they report to senior management
27%Only 27% feel they have ample budget and resources to protect their company from compliance risk
Figure 9
Chief Compliance Officers are constrained by budget and resourcesReporting on their companies’ compliance efforts…
saysMicrosoft’sMelvinFlowers.“Idothinktherearesomeuniquewayswecanusedataanalyticstoenhanceourcontributionstothebusiness.”
Thatabilitytobeforward-lookingisreallywhereriskmanagementbecomesastrategicasset,saysPwC’sJohnSabatini.“Ifyoureallyunderstandthebusinessandyouhavethisinformationatyourfingertips—thethingsyoumostneedtotakeaction—thenyouhavethepulseofthebusiness,andyoucanmakeimportantdecisionsfortodayandalsobegintothinkabouttherisksandopportunitiesthefuturewillbring.”
AtComcast,CindiHook,SeniorVicePresident,GeneralAuditorandGlobalRiskOfficer,saysthatacoupleofareasthecompanyhasbeeninvestinginare“dataanalyticsanddoingmoreproactivemonitoring—whatweliketocallenhanced-coverageanalytics.”Comcastisnowseeing“howwellwecanpushthesetechniquesintothesecondline”todevelop“amoreformalcontrolself-assessment-typeprogram”toenhanceriskresiliencyinarapidlychangingindustry.
24 Risk in review 2016
Conclusion
10waystobuildenduringgrowth
25
Figure 10
High Performers align risk management with strategic planningRespondents who say their strategic planning function is aligned with their risk management program today
Conclusion
Inaworldfullofunforeseeablehazards,companiesmustbuildbothrisk-agileandrisk-resilientinfrastructurestoachievesustainedsuccess.TheHighPerformersinourstudydothatbest,yettherearemeasuresallcompaniescantaketobetterbalanceriskagilityandriskresiliency.Followingare10leadingpracticestoconsider.
1. Align risk management with strategic planning. Understandingcompanystrategyfromitsearliestdevelopmentphaseiscritical.AsPwC’sBrianSchwartzsays,“Companiesthatareabletotrulyaligntheirriskmanagementactivitieswiththeirstrategicplanningprocessand/orstrategicprioritiesaremovingtheneedlefromenterpriseriskmanagementtostrategicriskmanagement.”
2. Hold the business units accountable for managing and monitoring their risks.Businessunitsshouldbeyourcompany’sfirstlineofdefenseagainstrisk.Puttingthisresponsibilitysolelyonthesecondline(riskmanagement)canfocustoomuchondefense.
More resilient
Lessagile
Moreagile
Less resilient
HighPerformers
FasterMovers
SteadyPerformers
SlowerMovers
58%
32%
75%
43%
“Chief Risk Officers have an opportunity to take a much more active leadership role in connecting the business around managing cybersecurity risk... to help the business think and move boldly as well, turning your company’s security platform into a predictive tool that can keep you one step ahead of threats — and the competition.” — Grant Waterfall, PwC Partner and Global Cybersecurity
and Privacy Assurance Leader
26 Risk in review 2016
More resilient
Lessagile
Moreagile
Less resilient
HighPerformers
FasterMovers
SteadyPerformers
SlowerMovers
Figure 11
High Performers use data and analytics tools more effectively
34%
6%
56%
14%
62%
38%
70%
40%
64%
36%
67%
37%
We use data analytics to identify new business opportunities
15%
8%
51%
38%
We use key risk indicators (KRIs)
We apply analytics effectively to improve resiliency processes
We use corporate risk dashboards/visualizations
27 Conclusion
3. Define your risk appetite. Understandingtheextenttowhichacompanycanwithstandriskandaggregatingriskacrosstheenterprisehelpsexecutivesmakedecisionsonhowresilientandagilethecompanycanbe.Whiledefiningyourorganizationalriskappetiteisimportant,communicatingitthroughouttheorganizationsopeoplecanleverageitisevenmoreimportant,”saysPwC’sBrianSchwartz.
4. Invest in data analytics to take a forward-looking view of risk. Assoftwaretoolsbecomemorepowerfulandpredictive,andastheycanfacilitatemoreandmoretransparencyacrosstheenterprise,clearadvantagescanaccruetocompaniesthatintegratethenewtechniques.“Wecontinuouslylookatwaysofmanagingallofourdatamoreefficientlyandeffectivelyacrossourbusinesses,”saysPPG’sJasminLussier.“Thishelpsdriveoureffortstousethedataforpredictivepurposes.”
5. Establish a set of KRIs that are relevant for your business, and then align them with your company’s KPIs.“Manycompaniesaregoodattrackingkeyperformanceindicators(KPIs)becauseKPIsarehistorical;theylookbackward,”saysPwC’sJohnSabatini.Incontrast,“trackingkeyriskindicators(KRIs)isabouttryingtofigureoutwhatriskeventscouldariseinthefuture.Youhavetodobothtobesuccessful.”
6. Appoint a CRO or similar role if you don’t already have one. Insomecompanies,thatmaymeancombiningtheChiefRiskOfficerandChiefAuditExecutiveroles.Eitherway,thepersonoverseeingriskmusthaveaseatatthestrategytableandmustpromoteactivealignmentacrosstheorganization.“Inmanylargecompanies,it’sacriticalC-suiterole,”saysPwC’sJasonPett.
“The person overseeing risk must have a seat at the strategy table and must promote active alignment across the organization. In most large companies, it’s a critical C-suite role.” — Jason Pett, PwC Partner and Internal Audit Solutions and FinancialServicesRiskAssuranceLeader
28 Risk in review 2016
7. Develop flexible governance, risk management, and compliance technology platforms, and automated security processes across your IT infrastructure.Ascorporateneedsshiftandthefootprintofbothassetsandemployeesareunderconstantreview,flexibleplatformscanplayanessentialroletohelpmanagerapidgrowthwithoutjeopardizingsecurity.Agilecompaniesneedtheflexibilitytoshiftplatformsandprocessesasdemandschange.“Leadingbusinessesareautomatingsecurityprocesses,usingadvancedanalyticstopredictanddetectincidentsmorequickly,andautomatingaccessmanagementprocessesandriskandcompliancemanagementprocesses,”saysPwC’sGrantWaterfall.“They’realsoincreasinglyadoptingcloud-basedsecuritysolutions.”
“Having strong ‘just-in-time’ relationships helps companies find the right resources as the need arises, creating greater risk agility and resiliency.” — Todd Bialick, PwC Partner and Trust and Transparency Solutions Leader
Figure 12
Faster Movers underperform on IT and security
53%
42%
We have well-defined and automated IT security protocols
49%
46%
We have technology platforms/tools that help employees work effectively, on- or off-site
8. Learn how to effectively partner with and take advantage of the capabilities of third parties.Eventhemost-highly-integratedcompanieshavetolearnhowtoseparatecorefunctionsfromauxiliaryones.“Havingstrong,just-in-timerelationshipshelpscompaniesfindtherightresourcesasneedsarise,therebycreatinggreaterriskagilityandresiliency,”saysPwC’sToddBialick.
9. Ensure strong triangulation between strategy, risk management, and business continuity management.Allthreearenecessarytocreatelong-termresiliencethatthenservestohelpacompanybecomemoreriskagile.“Whencompaniesincreasetheiroverallresiliency,theycanaffordtobemoreagileinacontrolledmanner,”saysPwC’sBrianSchwartz.
More resilient
Lessagile
Moreagile
Less resilient
HighPerformers
FasterMovers
SteadyPerformers
SlowerMovers
29
10. Remember that risk management is about playing both defense and offense. Change theperceptionthatriskmanagementismerelyaboutkeepingthecompanyoutoftrouble.“Theriskfunctionhastokeepupwiththebusinesssothatitcanhelpidentifyandnavigatearoundtheroadblocksandcanhelpkeepthecompanymovingforward,”saysPwC’sDeanSimone.
Astheystudytoday’scorporatelandscape,fewexecutiveswouldsaythepaceofchangeisslowingorthatglobalcompetitionordigitizationwillsuddenlyabate.
Fortheforeseeablefuture,companieswillhavetomeetconstantmarket,demographic,andregulatorychangeswithconstantoperationalandstrategicevolution.Insuchanenvironment,it’simperativethatriskandcomplianceofficersmoveassertivelytoelevatetheirriskresiliencyandriskagility.Byapplyingsomeofthetechniquesdescribedinthispaperandbydrivingriskawarenesseverdeeperintotheircorporatecultures,CROsandCCOscanmovetheirriskprocessesforwardandhelptheircompaniesensureenduring—andexceptional—performance.
Conclusion
Figure 13
Strong relationships help High Performers be more resilient
71%
42%
We can quickly add third-party resources to assist in resolution
56%
42%
Our risk manage-ment program is aligned with external stakeholders
More resilient
Lessagile
Moreagile
Less resilient
HighPerformers
FasterMovers
SteadyPerformers
SlowerMovers
© 2016 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
PwC US helps organizations and individuals create the value they’re looking for. We’re a network of firms in 157 countries with more than 195,000 people who are committed to delivering quality in assurance, tax and advisory services. Find out more and tell us what matters to you by visiting us at www.pwc.com/us.
125073-2016. jm. jc.
To have a deeper conversation about how this subject may affect your business, please contact:
pwc.com/riskinreview
Brian ChristiansenPartner Tel.:+45 5140 8040 [email protected]
Johan Bogentoft Partner Tel.: +45 2927 6296 [email protected]
PwCextendsaspecialthankstoourclientsfortheirtimeandparticipationinthisstudy,andtoOxfordEconomics.
