How to mix innovation and risk management

Innovation must be part of a company’s DNA if it is to survive and thrive in a fast-moving business environment. Shooting for the moon, however, takes preparation and testing, and a solid dose of risk management along the way.

Some companies are integrating innovation efforts with risk management, understanding that setting strategic objectives without thinking through the business risks could curtail such objectives. Instead of performing risk management in a vacuum, leading companies embed risk management into the innovation process, said Brian Schwartz, a PwC partner who oversees the firm’s US governance, risk, and compliance enablement solutions.

Companies that have figured out this integration, according to a recent PwC survey, have higher confidence to manage new technologies such as drones, robotic process automation (RPA), or artificial intelligence. That group of higher-performing companies on combined innovation risk are referred to as adapters in the PwC 2018 Risk in Review Study, released Wednesday.

Such adapters have more confidence in their ability to project revenue growth than non-adapters, Schwartz said. More companies (58%, compared with 19% of non-adapters) say risk management contributes significant value to their organisation.

Additionally, adapters are far more likely than non-adapters to:

  • Create new products or services outside core offerings, or enter a new industry (57% to 21%);
  • Implement technologies to develop new products or target new customers (57% to 18%); and
  • Implement technologies to materially improve existing products or customer experience (56% to 20%).

Even for adapters, obstacles remain — innovation isn’t as simple as pressing a button. Consider Domino’s Pizza and its collaboration with Ford Motor Co. on a self-driving delivery vehicle. The companies recently announced a second round of testing a delivery vehicle. The car still has a driver at this point, according to the companies. Domino’s is focusing on how a customer would receive pizza from a car with no driver.

That sort of testing seems to be an integration of risk management and innovation: trying something new while mapping what could go wrong. Ford already has spent years researching and developing self-driving technology, according to Sherif Marakby, the company’s vice-president for autonomous vehicles and electrification.

Obstacles and best practices

The PwC survey, which measured the sentiment of risk officers in 76 countries, said several obstacles are more common among non-adapters. The most common obstacles are organisational culture (chosen by 63% of non-adapters), lack of leadership buy-in to address innovation risks (52%), and lack of organisational knowledge of innovation opportunities and risks (53%).

PwC’s data is backed up by another recent survey, which shows companies are worried about staying competitive in the face of rapid global business changes. Sixty-one per cent of respondents worried about culture resisting adjustments to business models in a survey conducted by consulting firm Protiviti and North Carolina State University.

Schwartz said companies should take five actions to achieve an appropriate risk-reward balance as it relates to innovation:

Set risk culture at the top. Leaders must clearly communicate risk management’s importance to the innovation process.

Involve risk management in an entire innovation cycle. Adapters have learned to integrate the second line of defence — the risk and compliance function — with strategy around innovation. In a three-lines-of-defence model, the first line is operational management, followed by risk and compliance, and internal audit, according to The Institute of Internal Auditors.

Adjust risk appetite. This doesn’t mean a company should take on more risk than it can bear, but it should consistently update how it views risks related to innovation. Non-adapters view the creation of a risk-appetite statement as a one-time activity. Keeping risk appetite “living and breathing” is critical, Schwartz said.

Develop new competencies. Learning new skills should be broad in scope, not limited to an innovation team. For instance, a company that begins to make use of RPA will need internal auditors to increase skills to effectively audit such innovation. “They’re putting themselves [in a position of weakness] if they don’t have people who understand how to audit RPA,” Schwartz said.

Monitor risk management effectiveness. The process should be continuous to ensure that the second line of defence remains relevant and focused on business goals.

The PwC survey used responses from 1,535 risk executives worldwide, including 35% from North America, 29% from Europe, and 21% from Asia Pacific and India.

— Neil Amato ( is an FM magazine senior editor.