Few US companies are risk-management leaders, even though most executives and directors agree that business uncertainties and threats are increasing, a PwC survey suggested.
Nearly three-fourths (73%) of the more than 1,200 survey respondents said risks to their business are increasing as leaders must supply more data to regulators and potential deal partners, protect intellectual property and customer data from increasingly sophisticated cyber-attacks, and better understand risks embedded in their supply chains.
Proactive and well-integrated risk-management programmes help businesses deal with these uncertainties and threats, but only 12% of the companies participating in the survey had established them.
“Integrating risk management into the life cycle of your business gives you the opportunity to do two things,” Dean Simone, PwC partner and risk assurance leader, said in the survey report. “First, it helps you understand the implication of risk at the point of decision rather than afterward. And second, it allows you to move very quickly and confidently, knowing that you’ve anticipated the risk and are less likely to have made a mistake that could slow you down.”
Forty-one per cent of the risk-management leaders identified in the survey reported profit margins of 10% or more in the past three years, compared to 31% of the other companies. And 55% of the risk-management leaders increased their profit margins in the past three years, compared to 43% of the other companies.
The survey identified four key strengths that distinguished risk-management leaders:
Understand how risks interconnect and cascade. Risk-management leaders create risk-appetite statements for the company and each significant business unit that are tailored to match each unit’s unique risk profile. The approach allows 73% of the risk-management leaders in the survey to take an aggregated view of risk, compared with 27% of the other companies. This aggregated view helps 70% of the risk-management leaders see how risks interconnect and cascade, which only 23% of the other companies can do.
Fully align risk-management programmes across business units. Ninety per cent of the risk-management leaders have risk-management programmes that are highly aligned with the company’s strategic planning process. It was 36% among the other companies.
Cross-functional alignment at risk-management leaders was particularly strong between the risk function and the finance function (97%), internal audit (95%), and corporate compliance (93%). They were also far more likely to say they involve risk analysis in their decision-making process (67% among leaders compared with 43% among non-leaders), which allows them to spot more business opportunities.
Apply sophisticated techniques to anticipate and address risks. Forty-six per cent of risk-management leaders spend more time calculating and preparing for risk than reacting to it (21% of the other companies).
Techniques used include identification and forecasting of emerging risks (96% of leaders vs. 59% of non-leaders), building organisational resilience to risk (88% of leaders vs. 42% of non-leaders), scanning the horizon for early-warning indicators (81% of leaders vs. 33% of non-leaders), scenario planning (77% of leaders vs. 33% of non-leaders), and stress testing (75% of leaders vs. 30% of non-leaders).
Financial services companies lead businesses in other sectors in using sophisticated risk-management techniques, followed by health-care companies. Sixty-eight per cent of companies in developed economies identify and forecast risks, compared with 56% of companies in emerging economies.
Are willing to take risks because they have a strategic understanding of their risk appetite. Risk-management leaders are more confident about being able to manage risks. Ninety per cent said they were highly effective in managing regulatory and compliance risk (64% of non-leaders). Ninety-three per cent felt that way about financial risk (72% of non-leaders), 86% about brand and reputational risk (51% of non-leaders), and 83% about earnings and volatility risk (52% of non-leaders).
Based on their confidence, risk-management leaders are more likely than other companies to have a high or very high risk appetite in several areas. The differences are most pronounced for accepting financial risk (31% of leaders vs. 21% of non-leaders), diversification and concentration risk (35% of leaders vs. 26% of non-leaders), regulatory and compliance risk (20% of leaders vs. 13% of non-leaders), and earnings and volatility risk (27% of leaders vs. 20% of non-leaders).
Also, 68% of the risk-management leaders have a risk-appetite statement that is well-communicated and understood (versus 20% of non-leaders), and they are more likely to examine risks and opportunities to help them determine where to focus growth efforts (88% of leaders vs. 32% of non-leaders).
How to become a risk-management leader
The PwC report recommended five strategies to better anticipate and prepare for risk events, identify acceptable risks, and generate higher returns:
- Create a risk-appetite framework and take an aggregated view of risk.
- Monitor key business risks through dashboards and a common governance, risk, and compliance technology platform.
- Build a programme around expanding and emerging business risk, such as third-party risk and the digital frontier.
- Continuously strengthen your second and third lines of defence.
- Partner with a risk-management provider to close the gap on internal competencies.
Related CGMA Magazine content:
“Some ERM Practices Going Stagnant, Survey Indicates”: Senior finance executives say their companies are often not in alignment about the need for enterprise risk management oversight, a survey on behalf of the American Institute of CPAs shows.
“Five Barriers Restricting Risk-Management Progress”: Only about 15% of companies see a strong link between their enterprise risk management (ERM) processes and their business strategy, according to a new survey.
“Five Key Defences Against Risk”: Maintaining a healthy tension between entrepreneurial risk and protection of enterprise value is a challenging task for risk management and internal control. Organisations can use five lines of defence to achieve the appropriate tension.
—Sabine Vollmer (firstname.lastname@example.org) is a CGMA Magazine senior editor.