Reflect for a moment on this analogy: Effective risk management is to a company what brakes are to a race car. Each provides the ability to operate faster and with more agility and confidence—and that’s exactly how some of the world’s leading companies are driving their risk management operations today.
Political unrest, economic turmoil, global corporate tax reform, the pace of technological change, and cyber-threats are just a few of the risks causing major disruptions to business models and business plans today. Faced with these challenges, most companies recognize that a collaborative approach to risk management—in which risk accountability sits squarely within the business units, or its “front lines,” so to speak—can result in greater organizational resiliency and growth.
That key finding comes from PwC’s sixth annual “Risk in Review” survey, which netted responses from 1,581 corporate officers across 30 industries and spanning over 80 countries. In that survey, 63 percent of respondents agreed that “moving risk decision making to the front line makes it easier to anticipate and mitigate risk events,” and 46 percent said they plan to make this shift within the next three years.
But one small group of respondents (13 percent) leads the pack, and it is these so-called “Front Liners” that raise the bar for all other companies. Based on their collective responses, Front Liners, with their leading risk management structures, tend to share the following strengths:
1. Front Liners have a strong, enterprise-wide risk culture led by the C-suite, board, and business-unit leadership. “We operate on the idea that the first line represents our risk takers; they own the risk and understand our risk appetite,” Steve Gruppo, senior executive vice president and chief risk officer at TIAA, said in the report. “The second line then helps our business leaders implement our risk programs, managing both enterprise risks and business-unit-specific risks to that appetite.”
Business unit leaders also play a leading role at multinational software company SAP. “We’re very first-line heavy,” Melissa Lea, chief global compliance officer at SAP, explained in the report. “The more we can get risk responsibility out into the field—first into management’s hands and then to employees to make sure they’re armed with the right expectations to make the right decisions—the more successful we’ll be. We try to get people—either on the ground, in-country, or with the best lines of sight into how a particular risk might materialize—to really own that mitigation approach.”
“The second line is responsible for developing the overall risk management framework,” says Jason Pett, U.S. internal audit, compliance, and risk management solutions leader at PwC. In this way, the risk and compliance functions oversee the first line, providing checks and balances, while the third line—internal audit—is there to objectively test controls and provide independent assurance, assessing first- and second-line risk activities.
“It’s all about facilitation and partnering,” said Jeffrey Rigg, general auditor and chief risk officer at Cigna. “I am not a decision maker as it relates to enterprise risk management and risk acceptance; I’m a coordinator and a communicator, and my folks are dialed into the business. We identify concerns and validate those concerns, but at the end of the day when I sit down to report to our CEO and senior risk committee, they’re the ones making the decisions about risk acceptance.”
“An effective risk management program starts with culture.”
Jason Pett, U.S. Internal Audit, Compliance and Risk Management Solutions Leader, PwC
Compared to all other respondents in the PwC survey, Front Liners fostered a strong, enterprise-wide risk culture in a variety of other ways:
Communicating proactively with external stakeholders following a negative risk event (49% vs. 37%);
Making ethics and compliance training mandatory for all employees (80% vs. 71%);
Having one or more board-level risk committees that ensure top-down and bottom-up approaches to risk management (64% vs. 54%); and
Encouraging a culture in which the second line of defense can effectively challenge and enable the first line (55% vs. 45%).
2. Front Liners are more likely than all other respondents to say they manage risks effectively. The 12 areas of risk that PwC surveyed include financial; regulatory and compliance; earnings and volatility; operational; brand/reputational; strategic; and more.
“Front Liners’ responses on the topic of past risk events suggest their confidence is based on records of success: A significantly larger percentage of Front Liners reported having addressed negative risk events,” PwC stated. This held true across all 12 causes of business disruption that PwC surveyed.
The correlation between advanced cyber-risk management maturity and advanced risk-management maturity in all 12 areas of risk was particularly fascinating, Pett says. On every measure of risk culture, high-scoring companies dramatically outpaced respondents overall.
Companies with the highest levels of cyber-risk maturity don’t treat it as an afterthought, Pett says. Rather, they embed their cyber-risk management within the business. Not surprisingly, these companies are the same companies that also are more likely to exhibit strong overall risk management:
Have a formal process for employees to report potential risk events or flag concerns as they arise;
Make training in ethics and compliance mandatory for all employees;
Have leadership that prioritizes a risk culture that focuses on doing the right thing—beyond merely what is required;
Undertake periodic education to update staff on new or potential risks the company faces;
Have one or more board-level risk committees that ensure top-down and bottom-up approaches to risk management; and
Give the second line of defense authority to effectively challenge the business.
CALLS TO ACTION
Below is an excerpt from PwC's “Risk in Review” 2017 study.
Shifting risk management activities to the first line of defense is only one part of moving toward a more proactive, strategically aligned, risk management program. Building a risk management ecosystem optimized for today’s challenges requires buy-in across the enterprise.
Here are five steps that can set your organization on the right path:
1. Set a strong organizational tone focused on risk culture. The CEO and the board should model this tone, which should permeate the organization and be continually monitored and measured for effectiveness. CEOs should ensure performance management and incentives are aligned with their risk culture goals. Leadership team communications should foster clear and consistent messaging. Risk should be incorporated into routine conversations and decision making.
2. Align risk management with strategy at the point of decision-making. Having a clear view into the organization’s strategy gives the first line a common vision on which to align its decisions and behaviors, positioning it to react faster to risks and disruptions. Decision makers should embed risk management into both strategic-planning and tactical execution.
3. Recalibrate the risk management program across the three lines of defense. For optimal performance, the first line owns business risk decision making, the second line monitors the first, and the third provides objective oversight. Defining boundaries and natural intersections clearly across the lines of defense enables the coordination of roles and responsibilities with maximum effectiveness. Leadership can then better define its risks, assign them to the different lines, and ensure that those risks are managed in the right places. Each line of defense must be enabled with the information and resources it needs to be effective.
4. Implement a clearly defined risk appetite and framework across the organization.
(a) Define risks the company is in business to take, (b) risks that cannot be tolerated, (c) which risks should be measured and monitored, (d) and which risks are associated with financial performance variances that could impede strategy achievement.
A commonly understood risk taxonomy should govern the process of aggregating, tracking, and anticipating risks. The process should leverage technology and data analytics when available.
The risk appetite and framework must be clearly communicated to decision-makers.
5. Develop risk reporting that enables executive management and the board to effectively execute their risk oversight responsibilities. Enhance data governance and data collection processes to support risk-reporting efforts. Risk aggregation, tracking, and reporting are critical to keeping business decisions within the agreed risk appetite/tolerance. Reporting and monitoring processes should routinely track risks and associated risk management activities. Owners should be assigned to top-tier enterprise risks and be required to provide detailed, time-bound risk action plans.
Source: PwC Risk in Review 2017
3. Front Liners also tend to take a more rigorous approach to risk management. In the PwC report, they lead all other respondents across the following five risk-management practices:
Risk appetite or tolerance has been defined across a number of key risk categories (69% vs. 53%);
We take our defined risk appetite into account when making business decisions (66% vs. 52%);
Our company has a well-defined risk appetite statement and framework that is clearly communicated (66% vs. 49%);
We have a formal process to aggregate risk across the company and review results against our defined risk appetite (61% vs. 46%); and
We effectively monitor our risk appetite by using key risk indicators (57% vs. 45%).
4. Front Liners are more likely to use risk management tools and techniques to aggregate risk across the enterprise. These include, for example, a risk rating system; building organizational resilience to risks; specifying a corporate risk appetite; conducting third-party audits; stress-testing; and more.
5. Front Liners tend to be more financially resilient. Specifically, they are more likely than other survey respondents to expect increased profit-margin growth (59% vs. 51%) and increased revenue growth (77% vs. 71%) in the next two years, the PwC survey states.
That brings us back to the race car analogy: A race car with quality brakes enables the driver to accelerate faster, having confidence that the brakes will slow the car down when it approaches dangerous corners. The same concept applies to a company with a collaborative risk management structure, providing the front line the freedom to make strategic business decisions quickly and with confidence. “Through its alignment of strategy, risk ownership, and decision making,” the PwC report stated, “a risk management program led by the first line automatically becomes more strategic and proactive rather than protective and reactive, thereby contributing to strong revenue and profit growth.”