How digital fitness can strengthen risk management

Risk management functions that operate in lockstep with a company’s digital transformation efforts tend to perform better. But how do they get there? Brian Schwartz, a PwC partner who oversees the firm’s US governance, risk, and compliance enablement solutions, shares the traits of digitally fit risk functions and the characteristics that separate dynamic risk functions from peers.

What you’ll learn from this episode:

  • The key habits of digitally fit risk functions.
  • Four important facets of employee “upskilling”.
  • The main challenge facing companies as it relates to training their workforces.
  • The role of contingent talent in improving risk management.

Play the episode below:

To comment on this podcast or to suggest an idea for another podcast, contact Neil Amato, an FM magazine senior editor, at


Neil Amato: Joining me on the podcast is Brian Schwartz from PwC. Brian, thank you so much for being on the podcast today.

Brian Schwartz: Happy to be on, Neil. Thank you.

Amato: Hiring and upskilling for digital prowess, it doesn’t seem like it’s an easy thing to accomplish. It doesn’t seem like it’s a one-time thing. What are the issues that even the companies that are good at it are doing and the ones that are struggling with, what are they facing out there today?

Schwartz: You know, with all the digital transformations that all these companies are sort of moving through these days, and the risk function, their biggest question is, “How do I stay relevant as my company moves through the digital transformation process?”

One of the ways we help our clients, sort of, stay relevant is we talk about upskilling that you just brought up as a topic, Neil. So, upskilling is multifaceted for sure and it has to happen over and over again as the technologies change and alter a bit. But basically, there’s four things that companies need to do to really drive an upskilling culture if you will.

One is adapt or educate current resources so they can become smarter in terms of new technologies. That’s No. 1.

No. 2 would be going out to the market and hiring a different profile type person with different skills and competencies. That would be the second option.

The third option would be leveraging third parties to bring in skills that they currently don’t have in-house. That’s certainly an option, like always.

Then fourth it’s just combining all three of the ones I just mentioned to really come up with an upskilling strategy. So really, all four of those are ways companies are moving it forward at this point.

Amato: So, this upskilling strategy, it’s not “Let’s hire someone and send them to eight hours of training.” It’s about creating a learning environment that is continuous, right?

Schwartz: It is, Neil. It’s really about almost changing the way a company helps employees learn and develop because new technologies are going to become part of the day-to-day business environment. So it will be a really new way for them to learn and to actually go to school on those new technologies really on a day-to-day basis. So it’s very different than prior.

Amato: So, this talent management and engagement of the risk talent, I guess, it’s one of the six habits of risk functions that fuel smarter thinking. Do you want to talk about some of the other habits? We’ll get back to the talent angle. But, maybe to talk about the other things that companies with digitally fit risk functions are doing?

Schwartz: Absolutely, yeah. This is one, as you mentioned, of the six habits. So, the six habits are really as follows. The first one, we just talked about is upskilling. No. 2 is really about going all in on partnering with your stakeholders on your digital journey. So being part of digital transformation as a risk function being really in the day — in the moment — in terms of how that company moves through that process. That would be certainly one of those habits.

Another habit would be find the right fit for using themselves emerging technologies. How can the risk function itself become more automated and become more reliant upon leveraging these emerging technologies? So, that would certainly be one of the six habits.

Then, the last three would be enabling the organisation to act on risk in a real-time manner. So how does the risk function build capabilities to deliver risk insights on a real-time basis for the stakeholders to leverage? That would certainly be a habit.

Actively engaging decision-makers throughout the company on key digital initiatives. So is the risk function becoming part of that decision process to decide to put in — let’s say — a new technology or a new system to be used?

Then, the sixth and final habit would be: how does the risk function collaborate throughout the day with the business? So, with their stakeholders, how engaged are they in helping them understand how to initiate and deliver on digital assets within the business?

So those sort of combined, Neil, as you mentioned, really become the six habits of these dynamic risk functions.

Amato: In our internal survey — we have a US survey of finance decision-makers — quarterly survey. The top challenge for eight consecutive quarters at least — maybe even two and a half years, but at least two years — has been availability of skilled personnel.

[Companies] are looking to [fill] these high-level jobs. You know, these digitally fit jobs, but are they finding they’re having to immediately train people as it regards to risk or other parts of the business?

Schwartz: You know, here’s what’s interesting, hiring is really changing. So, first of all, to your point, Neil, it’s really hard to find these people. Everybody — including firms like PwC and obviously companies out there that are not in the same service as we are — we’re all looking for the same types of people to hire from the market into our organisations, into our firms.

People who look differently, think differently, have different skills and competencies. Because you need that diversity in skillsets and competencies to really take what you have in your existing department or function and actually accentuate it or enhance it with these different types of skillsets. So the hiring is a really big challenge mainly because we’re all going after the same small pool of candidates. So that’s sort of one aspect of that.

The other aspect is once you get them into a company, how do you quickly get them grounded on what the company does and what the culture is like and have them use their skills to take your culture to maybe the next level from a digital or technology standpoint?

But I tell you, I think the biggest challenge of all is taking existing employees that sit in the company today — and specifically in these risk functions that span the lines of defence — how do you actually upskill those people? Bringing in somebody is a challenge. Another challenge, a bigger challenge in my opinion, is taking the people you have, the good people, and making them better from a digital standpoint.

Amato: Yeah, that’s a good point. So, what part of that — is there some part of it that maybe needs to be on the employee to seek out the training to stay relevant themselves?

Schwartz: Absolutely, yes. A lot of initiative has to come from employees. Let me give you an example. So at PwC, we have the same challenge. We are trying to take a couple hundred thousand resources and upskill ourselves to be more digitally fit so we can go out and obviously stay relevant to our clients. So, one of the programmes we have is called Digital Lab.

What Digital Lab does, it’s really an online technology-sharing community that PwC has built within our firm. So, we go out and say all employees from partner down to the very first-year associate, come up with digital ideas on how to either get better at understanding digital technologies, or come up with an idea how we can actually benefit our clients. Put it on the online community, get comments on it, share it, go back and forth, and come out with something that actually creates value for yourself, for the firm, and therefore for our clients.

So, using the community-led ideas like Digital Lab, that’s one way to get folks to really take ownership, show initiative, and actually have fun upskilling themselves.

Amato: That’s a good example of how it can work. But, yeah, you’re right, especially in an organisation your size, it can’t be easy to say “OK, let’s get our entire workforce more digitally fit in a short amount of time.”

Schwartz: Absolutely. It’s a real big challenge to get everybody to move at the same time at the same pace. Clearly, some folks will gravitate towards it easier and faster because they might have more of an interest or background. But even those who have not really been exposed to the digital assets, they’ve got to get up to speed quickly and in the right way to actually stay relevant to their jobs, to their clients, to their companies, and the like.

Amato: Are there some categories in your recent survey that you put companies in that were the dynamics for the most digitally fit, and then what were their characteristics and what were the categories of the other companies?

Schwartz: So, a couple things on that, what we measured risk factors against, we called these five dimensions to determine whether they’re a dynamic or not a dynamic.

So, you said that quickly first, the five dimensions we measured these risk functions against were as follows: The first one was vision and road map. You know, do they have a plan to become digitally fit as a risk function?

No. 2: Do they have new ways of working? Do they have, used, or leveraged new skills and competencies to work differently, faster, smarter, and the like?

No. 3: We looked at the operations of these risk functions. Are they leveraging data so they can in turn effectively challenge their stakeholders? How are they operating the actual group or department differently today?

No. 4 is do they have a different service model in mind? Are they going out with different services to their stakeholders? Let’s say, for instance, are they offering more advice on digital governance as the stakeholders are putting in more digital tools? So that’s the fourth dimension we use.

Then, the final, fifth dimension we used was: How engaged were the risk functions with their stakeholders? Do they actually get involved when the stakeholder says, “I’m thinking about putting in a new technology”? Let’s say like robotics process automation. So, is the risk function at the table at that point? If true, the implementation.

So those are the five dimensions we measured risk functions against to find out what category they’re in. So, you mentioned dynamics. So those are the risk functions that are most digitally fit.

The next category were called “actives”. They’re the ones who have started to take steps towards becoming more digitally fit, but they’re not certainly the level of what we call the dynamics.

Then, the third and final category that we bucketed these survey participants in we called “beginners”. They’re kind of ad hoc, just really starting to think about their digital fitness as a risk function. So, dynamics, actives, and beginners are what we actually categorised based on those five dimensions.

Amato: So, on the topic of dynamics and their talent management, I’m going to read from a part of the report and just get you to expand on it. It says, “Our discussions with executives showed that risk functions are considered contingent talent in order to onboard specialised skills.” Tell me more about “contingent talent” and what exactly that means.

Schwartz: So, the contingent talent takes a few different models or shapes. Contingent talent could be bringing out sort of a third party to enhance what you have while you’re upskilling what you currently have. Because upskilling takes time. You might have to have a contingent plan and bring in a third party to actually fill in the gap you might have until you’re fully upskilled. So that’s a good example of contingent talent. It’s also, again, bringing new people in from the outside while you try to upskill your current people that we talked about in terms of having a fresh perspective and really offsetting what you’re missing internally until they get upskilled. So those are a couple examples of really using a contingency around existing talent within a group.

Amato: When people hear “robotic process automation”, depending on their job duties, they can get a little scared. Are you finding that some of these digitally fit risk functions are able to work with the RPA to be able to add more analysis, or is it something that’s — are people being replaced?

Schwartz: You know, RPA, that’s one of those new technologies that — I even hesitate to use the word “new” in front of “technologies” because RPA was sort of the first one that these functions started taking advantage of. Believe me, there’s still a long way to go with RPA but at least it’s a more known technology. So, they’re really leveraging it.

Here’s an example: if you’re a third-line internal audit function, for example, we’re working with our clients at PwC to help them automate the controls testing that the third line does. So if you can take RPA and build a box to actually make controls testing more efficient and quicker at one-tenth of the speed it took from a manual standpoint, that’s a huge win for internal audit because you can get more done faster.

That’s an example of RPA sort of in the third line.

If you look at the first line, the business, the ones who are actually owning the controls, we’re working with them to help them actually automate the controls. You have RPA automating controls, and you have RPA actually automating the testing of controls. So, RPA is definitely making its progress through a lot of companies these days. Still a long way to go, but it’s certainly one of the first ones that’s being leveraged pretty effectively.

And I don’t think we’re seeing resources go away because RPA is put in. I think we’re seeing resources just become more efficient while the RPA and after the RPA is put in.

Amato: So, dynamics, I guess in your rankings, they’re incorporating new performance metrics?

Schwartz: Yeah, they are. They’re putting in new performance measures. They’re actually in some cases creating new performance scorecards holistically. So, when they measure themselves as a risk function against this scorecard or if they measure their professionals within the risk group against a scorecard, they can really look at specific things they’re doing to actually drive digital.

One scorecard might have a performance measure around, “Have you helped your stakeholders as a risk function put in more governance standards around using digital access?” So at the end of the year, they see a lot of recommendations being made for digital governance being put in, they can give themselves a better score.

So, at the end of the year they’re saying, “Did we do well or did we not do well?” That’s not only based on the old stuff, that’s based on the new technology stuff and being digital. Digitally fit actually benefiting and adding value to their stakeholders.

Amato: Brian, this has been excellent information today. Is there anything you’d like to add in closing?

Schwartz: You know, Neil, one thing. I want to share how companies can advance their risk functions’ digital fitness. We talked about dynamics being the most digitally fit. But if you’re a beginner out there, you’re trying to think about how “How do I advance to dynamic? What does that even mean tangibly?” Let me share in my words what that means.

I think about five ways that they can get started. No. 1 is, they need to start with identifying the gaps in their own digital fitness. So, be honest and be very candid with how good you are today from a resource standpoint, understanding digital assets, that sort of gap analysis if you will.

No. 2 would be, can they leverage other things that exist in the company already like centres of excellence? Things like that around new products and services. A lot of companies have these emerging technology groups so can the risk function attach themselves to that and leverage the centre of excellence concept that already exists within the company? So that would be a way.

No. 3, we talked a lot about this already, get the current employees upskilled and hire different profile people. You do those two things together, you’re going to be amazed how quickly you become more astute around digital assets and digital fitness in general.

No. 4 would be, to the point I made earlier about what PwC is doing, promote and required citizen-led innovation. So, get an ideation process going and incentivise employees to come to the table or put into a database ideas to become more digitally fit. It’s amazing how much they have in their heads. Share it with the company; leverage off that power.

And then No. 5 and the last one I’ll mention is really, it doesn’t hurt — at the beginning at least — to team with a third party who can quickly advance your digital acuity. It takes time to ramp up your own digital fitness and it’s OK to leverage third parties to help get you there on a quicker path.

So that’s what I would share as closing thoughts, Neil.

Amato: Thank you very much, Brian.

Schwartz: Hey, I appreciate it, Neil. Thanks for having me on the podcast.