March 19, 2014 - Internal business changes intended to address dynamic market shifts have created a more complex risk landscape for businesses around the globe. Compounding this problem, according to the PwC US Risk in Review report, "Re-evaluating how your company addresses risk," is that traditional risk management systems have not evolved fast enough to monitor, track and manage today's intensified risk climate.
According to a survey of 1,940 business executives and risk managers worldwide, business risks are rising across the board, with 75 percent of executives reporting increased risks to their business. A majority of executives foresee continued significant market changes that will dramatically impact their companies, particularly in three key areas over the next 18 months:
- Technological change and related IT risks (58 percent of respondents)
- Increasing regulatory complexity (56 percent of respondents)
- Rapidly changing customer needs (50 percent of respondents)
In contrast, only 42 percent of respondents ranked global economic shifts and uncertainty as a major driver of change, compared to last year when increased recessionary pressures were the leading risk coming in at 72 percent.
"In response to these dynamic shifts in the market, organizations across all sectors are undertaking dramatic business transformations, altering their strategies and driving radical internal change," said Dean Simone, leader of PwC's US Risk Assurance practice. "Our survey shows that 75 percent of respondents reported that they are in some stage of transformation, and 71 percent ranked business transformation as the biggest internal driver of change over the next 18 months. The impact of transformation is especially important because of its capacity to create cascading risk effects across many business activities and open capability gaps in risk management, particularly around data management, business strategy and technology."
The combination of external shifts and business transformation has heightened risk exposure, opening up capability gaps. PwC's survey identified the top three gaps as fragmented risk data and analysis, gaps arising directly from business transformation initiatives, and cyber-security gaps. In one increasingly crucial area - interconnected risks - relatively few (16 percent) reported significant capability gaps. Yet, this is a vulnerability that will require closer attention as it's about understanding how one risk can trigger another, according to PwC.
In addition, the biggest capability gap centers on increasingly technology-dependent business models. When asked what technological change puts organizations at risk, failure of new IT systems to deliver expected benefits ranked as the highest concern, cited by 53 percent of respondents. Other concerns include cyber attacks becoming more frequent and sophisticated (47 percent) followed by lack of technology skills to support new digital technologies (34 percent).
Despite the growing challenges associated with capability gaps and technology changes, companies are making progress at maintaining and building their risk management competencies. PwC's survey respondents reported being the most satisfied with their auditing of non-financial performance (61 percent) and their risk identification, tracking and monitoring processes (60 percent). "While our survey shows that satisfaction is on the rise, many areas still need improvement. Respondents reported being the least satisfied with their abilities around risk forecasting and scenario analysis as well as building up the risk function and resources," said Simone.
While improving competencies is an important step in closing capability gaps, PwC's survey found that respondents have made or are planning to make broader changes in the next 18 months, including:
- 84 percent plan to create a risk-aware culture, making risk management a priority for people at all levels of the organization
- 82 percent plan to develop processes to identify and monitor risks, including non-traditional risks
- 79 percent plan to conduct more non-financial audits to ensure that emerging threats like cyber-security are being addressed
- 79 percent plan to integrate risk and business strategies, ensuring that risk is factored into all strategic decisions
"Executives are working to close the capability gaps they've identified, and agree that close collaboration between risk-related functions is vital to ensure a shared view of business risks across the enterprise," said Brian Schwartz, PwC's US Risk Assurance Governance Risk and Compliance leader. "However, they may be missing a key issue - a sharp disconnect between top management and the risk and compliance functions. Not only are they disagreeing on the type and degree of key risks facing a company, but also about the organization's capabilities."
Concerns remain that collaboration among the three lines of defense (business units, risk and compliance and internal audit) in identifying, monitoring, and effectively managing critical risks is still not deep enough, with 60 percent of survey respondents concerned that a lack of collaboration could be exposing their company to capability gaps. "On the bright side, respondents did report a great deal of progress in fostering broader alignment between risk management and functions traditionally considered its partners, including internal audit, finance and compliance. Establishing and leveraging a cross-functional, collective view of risk in the organization is one of the pillars of true risk maturity," said Jason Pett, PwC US Risk Assurance Internal Audit Services leader.
Becoming a "risk leader," or a risk-mature firm, involves creating a risk-aware culture and improving risk processes and skills by upgrading and leveraging risk tools and systems. According to PwC's survey, risk leaders are 59 percent more likely than others to be improving analytic tools, building an integrated risk data warehouse (52 percent) and upgrading regulatory and tracking systems (44 percent). Risk leaders have also made significant progress in developing the capability to identify and track risks across the organization, conducting more non-financial audits and devoting more attention to monitoring emerging risks.
"Continuing business transformation and the capability gaps created by heightened external and internal change make it urgent that organizations improve their risk management maturity. Risk management is about sustainability; making sure the odds favor the company's survival. This means continuing to look forward and becoming ever more sensitive to emerging and complex risks," concluded Simone.