Comprehensive risk data: The new gold

06 Apr 2022

By: Andrew McPherson and Craig Sydney, PwC Australia

It’s difficult for leaders to make well-informed decisions without an organisation-wide understanding of their risk and control environment. But gaining this view is extremely difficult when risk and regulatory information is distributed across the organisation. Use of speciality solutions is growing, creating more and more pockets of disparate data. Organisations now have systems focused on privacy; environmental, social and governance reporting; safety; cybersecurity; third-party risk; reputational risk; and more.

The predominance of niche systems is reflective of the business taking greater ownership of risk, which is both good and necessary: as risks grow in impact and interconnectedness, it takes the entire organisation to manage them. This can, however, lead to risk data being fragmented, misaligned and scattered in organisational silos, which prevents leaders from gaining a necessary panoramic view of the risk landscape they need to act boldly and purposefully. 

So, what’s the best way to get full visibility into the most critical risks? Consolidating risk management into one single, organisation-wide governance, risk and compliance (GRC) system or integrated risk management solution is not necessarily the only answer. In most cases, the value of a GRC system is derived from its degree of data integration and aggregation, more than the technology itself. That does not mean that all risk data needs to be consolidated, nor that data has to be interfaced on a constant basis.

Indeed, most organisations have multiple enterprise systems, such as SAP, Salesforce, Workday and ServiceNow. These technology providers are building access controls, compliance processes and risk indicators into their applications. Doing so rules out a single, centralised risk and controls management system. Further, many of today’s GRC systems are designed for risk specialists, whereas other specialised enterprise systems have a more contemporary user interface, intelligent and sophisticated functionality, and are better aligned to managing the specific problem they are trying to solve. To really engage the organisation in managing and owning risk, GRC systems would need to be much easier and more intuitive to use. Additionally, some GRC technology providers are aggressively moving to redefine the user experience as well as expand the scope of risks they cover. Whether they can catch up, and then stay ahead, is uncertain, given the evolving risk landscape. Finally, in the majority of situations, if an organisation wanted to go to a single-system approach, it might simply be too onerous, particularly given the bespoke development required to satisfy complex requirements.

A risk management renaissance powered by data 

Given the associated hurdles, the centralisation of end-to-end operational risk and controls management may not be feasible or appropriate for many organisations. Instead, the best solution may lie in how the enterprise gathers, aggregates, aligns and maximises the use of all risk data at its disposal. For example, cyber, fraud and anti–money laundering teams are traditionally siloed within an organisation, but attackers can exploit cyber weaknesses by designing custom malware to bypass network controls. These attackers then spot gaps in fraud controls to gain unauthorised access to applications and user IDs; set up fraudulent bank accounts to receive and transfer the stolen funds; and launder the stolen money. This kind of attack crosses silos. Though difficult to achieve, the collective intelligence residing in these silos could be brought together through a fusion centre. In such a case, would the organisation better defend against perpetrators trying to exploit weaknesses across these areas? 

Consider a large retailer that PwC works with. It has 20 enterprise systems to manage specific risk areas such as third-party risk, store audit, privacy and resilience. The company is implementing a GRC solution not to replace these specialised systems with one centralised risk and controls management system, but as a platform to consolidate risk data, perform better risk analytics and glean better organisation-wide risk intelligence. It has designed its interfaces so that when an incident reaches Tier 1, it is passed into the core GRC system. Integration for integration’s sake—or data for data’s sake—won’t provide value. It’s about having real-time, relevant information on material events. Underpinning all of this is a clear and common understanding of which risks are most important to the business, and what the organisation’s appetite is for those risks.
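As an added illustration (not PwC's or the retailer's implementation), the following Python sketch models the Tier 1 interface described above together with the fusion-centre idea from the previous paragraph: events from siloed systems are mapped onto one common tier scale, only Tier 1 events are interfaced to the core GRC system, and an entity that surfaces in several silos is escalated even when no single silo rated it Tier 1. The source names, severity scales and events are constructed for the example.

```python
from collections import defaultdict

# Constructed sample events from siloed systems, each using its own severity vocabulary.
# The first three describe the cross-silo chain from the article: malware, then
# unauthorised application access, then suspicious outbound transfers, all on one user.
SAMPLE_EVENTS = [
    {"source": "edr", "entity": "user:jdoe", "severity": "critical",
     "summary": "custom malware bypassed network controls"},
    {"source": "fraud", "entity": "user:jdoe", "severity": "P2",
     "summary": "unauthorised application access"},
    {"source": "aml", "entity": "user:jdoe", "severity": "medium",
     "summary": "new payee account followed by rapid outbound transfers"},
    {"source": "store_audit", "entity": "store:042", "severity": "low",
     "summary": "till variance within tolerance"},
]

# Hypothetical mapping from each system's native scale to the organisation's common
# tiers (1 = most material). In practice this table is derived from the risk appetite.
TIER_MAP = {
    "edr": {"critical": 1, "high": 2, "medium": 3, "low": 4},
    "fraud": {"P1": 1, "P2": 2, "P3": 3},
    "aml": {"high": 1, "medium": 2, "low": 3},
    "store_audit": {"high": 2, "low": 4},
}


def to_tier(event):
    """Normalise a source-specific severity onto the common tier scale."""
    return TIER_MAP[event["source"]][event["severity"]]


def fuse_by_entity(events, min_silos=2):
    """Fusion-centre view: entities reported by at least `min_silos` separate systems."""
    by_entity = defaultdict(list)
    for event in events:
        by_entity[event["entity"]].append(event)
    fused = {}
    for entity, evs in by_entity.items():
        silos = sorted({e["source"] for e in evs})
        if len(silos) >= min_silos:
            fused[entity] = {"silos": silos, "best_tier": min(to_tier(e) for e in evs)}
    return fused


def grc_feed(events, max_tier=1):
    """Events interfaced to the core GRC system: individually Tier 1, or part of a
    cross-silo chain on the same entity (escalated regardless of their own tier)."""
    escalated = set(fuse_by_entity(events))
    return [e for e in events if to_tier(e) <= max_tier or e["entity"] in escalated]
```

Running `grc_feed(SAMPLE_EVENTS)` forwards the three `user:jdoe` events and holds back the low-tier store audit item, so the GRC platform receives the material chain without every silo's noise.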

In a fast-moving, uncertain and unpredictable risk environment, the use of technology to detect, prevent and mitigate risk is essential—for intelligence gathering, analysis, continuous monitoring and efficiency. In many cases, the systems in which risk information is contained are not broken, but few risks can be managed and mitigated in isolated silos. A method to effectively consolidate organisation-wide risk data is necessary. In fact, the value of such data is like gold. Solving the consolidation challenge will support engaging the entire organisation in managing risk and providing an organisation-wide view of the risk landscape. It will also enable a level of intelligence and oversight on which leadership and regulators can depend.

Contact us

Andrew McPherson, Global Risk & Regulatory Leader, PwC Australia. Tel: +61 2 8266 3275

Marc Silverman, Clients and Markets Leader, Global Tax and Legal Services, PwC United States. Tel: +1 (646) 436 6657

Bob Pethick, US Advisory Clients & Industries Leader, PwC United States