Wednesday, 23 May 2018

Authors: Dennis Chesley, Global Risk and Regulatory Consulting Leader and global lead for the COSO ERM Framework update, PwC US and Brian Schwartz, US Internal Audit, Compliance and Risk Management – Financial Services Leader, PwC US

What a difference a year makes. In 2017, respondents to PwC’s annual CEO survey identified over-regulation, uncertain economic growth, and exchange-rate volatility as the top threats to their businesses. Of considerably less concern were terrorism, cyber threats, and geopolitical uncertainty.

CEOs see a very different world in 2018, according to PwC’s 21st CEO Survey. As their confidence in both the health of the global economy and their own companies’ growth prospects has surged, they have downgraded uncertain economic growth to the 13th most frequently cited threat in 2018, from the most frequently cited in 2017. And with the world’s leading economies growing more or less in sync, exchange-rate volatility has dropped from fifth to tenth. Over-regulation remains one of the top threats, but terrorism has vaulted to the second-most cited threat in 2018 from the 12th most cited threat in 2017. And though concern about exchange-rate fluctuations has waned, geopolitical uncertainty has climbed to third position from fourth over the same period.

What we’re looking at here is what you might call a risk realignment. Macroeconomic and direct business risks have receded from the forefront of CEO concerns, while broad, complex political and social concerns have grown markedly more prominent. The emergence of cyber threats in particular as a leading concern underscores the new challenges that risk professionals face. It also goes a long way toward explaining why their roles have to change in the years ahead.

The rising concern over cyber threats is no surprise, given the proliferation of cyber intrusions, data theft, and malicious manipulation of social media platforms. But the issue isn’t just the number of cyber threats but also their nature. Cyber threats are not one-off events; they are continuous and constantly changing. That shape-shifting quality exposes the shortcomings of the traditional approach to risk management, which is to build higher walls, deeper trenches, and thicker doors. Cyberattacks usually affect a wide range of business activities and functions, from product development to production to marketing, and from compliance obligations and regulatory relationships to reputation management and customer trust. As business grows ever more digital, risks will become ever-present rather than episodic. Senior management will expect risk management professionals to develop a dynamic understanding of cyber threats’ effect on every aspect of the business and to advise leadership on their potential impact on the organisation’s strategy.

The notion of the risk professional as strategic advisor is not universally accepted in the business world, or indeed even among risk management professionals. This point was driven home to us recently when a client’s chief risk officer told us that she didn’t know the company’s strategy and didn’t need to know it to do her job. That viewpoint is not uncommon, in our experience. It’s also an express ticket to irrelevance. Risk management professionals once spent their days preparing quarterly risk assessments and incident reports and performing internal audits. That’s no longer enough, if it ever was. Today’s CEOs and boards expect risk management professionals to know how various risks affect business performance. If they can’t meet that expectation, leadership takes notice. It’s no coincidence that only 53% of directors responding to PwC’s most recent board member survey said that management effectively communicates the risks of implementing a proposed strategy.

Tomorrow’s boards will expect risk management professionals to understand the links between innovation and risk, particularly those risks associated with artificial intelligence, robotics, and other technologies, and address the strategic ramifications of a failure to innovate. They will be expected to support the entire innovation cycle and offer a perspective on the potential risks and opportunities at every stage. Their work will require them to deploy an array of new skills, competencies, and tools to support innovation and identify and assess exposures and opportunities for the organisation.

As the findings suggest, there is a growing demand for risk management professionals who can take a wide-angle view of the business and understand how different and increasingly complex risks affect various activities and functions. To take that view they need business acumen and the soft skills necessary to advise their peers and persuade them of the virtues and vulnerabilities of a particular course of action. That’s not to say that risk management professionals don’t need technical skills as well, but those skills alone won’t be sufficient to meet the needs of the board and the CEO. The evolution of the role presents a challenge to risk management professionals, but also an opportunity. Historically, risk management professionals have been regarded within the organisation as wet blankets, forever saying ‘no’ to promising ideas. Now they have a chance to revise that view and demonstrate their value as strategic problem-solvers and enablers, helping the organisation meet its strategic goals and improve business performance. That sounds to us like a chance worth taking.