Embracing risk in the face of disruption
PwC's 2022 Global Risk Survey addresses the critical questions confronting business and risk, audit and compliance executives amidst an increasingly complex risk landscape. The survey, with 3,584 respondents globally, was conducted from 4 February to 31 March 2022.
The risk environment is characterised by disruptions in the labour market and the supply chain, as a fallout from the pandemic. The current volatile geopolitical environment is further exacerbating supply constraints, heightening cyber risks, introducing rapidly evolving sanctions and putting safety and humanity at the forefront of all decisions. Ransomware attacks are more frequent and more sophisticated, prompting cyber’s rise to the list of top threats to growth for global CEOs, and the third highest risk for Malaysian CEOs in PwC's 25th Global CEO Survey.
Customers, investors and other stakeholders are laser-focused on ESG, amidst the regulatory push for better reporting. Multilateral climate commitments emerging from initiatives like the 2021 United Nations Climate Change Conference (COP 26) are beginning to translate into regulatory imperatives in various countries, including Malaysia.
Each of these risks can cause significant impacts, but because they are also highly interconnected, they can have far-reaching implications across the enterprise and put brand and reputation at stake.
In this turbulent business environment, organisations that fail to recognise the shifting external context may suffer significant losses or worse, rendered irrelevant. Meanwhile, those that recognise these disruptions will only ride on its waves if they are able to revise and adapt their strategies and operating models. Organisations’ risk management and broader resilience capabilities need to quickly adapt to support business agility and to contribute proactive, robust and timely risk insights for decision-making.
In an environment where change is constant, strong risk and resilience capabilities can provide an edge. Business leaders can make confident decisions in pursuit of their strategy if they have a panoramic view of risk.
How do organisations adapt to these evolving changes to the business environment? Our 2022 Global Risk Survey highlights four key actions that organisations can consider to drive their risk management capabilities forward.
Risk management capabilities provide the greatest value to board members and business leaders when they are embedded within the organisation’s strategic planning and decision-making processes. The environment in which organisations operate is far from static. This means that risk management capabilities must be agile and operate in an iterative manner to reflect the organisation’s changing risk profile.
Risk management capabilities need to go beyond the conventional risk management model (static reporting, activity-based and inward-looking) to real-time risk analysis. This involves considering risks at the onset of key decision-making events.
The organisations that have stood out from the pack in the past two years have not just managed risks. They’ve taken on risks, with confidence. These organisations have an agility advantage.
They considered how external circumstances may potentially affect the value chain of their organisation.
73% of the risk functions of Malaysian respondents proactively and regularly seek to include external insights in their risk assessment and monitoring.
Key considerations for taking a strategic and panoramic view of risk include:
Continuing to embed risk management into strategic planning and decision-making, and large-scale transformation initiatives. This may involve the following:
Defining a risk management plan for every major initiative
Conducting scenario planning and modelling supported by diverse subject matter experts to deep dive into key business risks and responses
Leveraging external insights to assess risk posture through avenues like:
Subscription to research and business information databases for regulatory compliance, cyber threat vulnerability and third party assessments
Integrating existing Governance, Risk and Compliance (GRC) platform (if any) with external database(s) for real-time trigger of emerging risk events
Employing data visualisation tools to map out both internal and external risk insights in an integrated manner
For 81% of Malaysian respondents, the structure and organisation of risk management at their organisation enables risk professionals to be at the table when key decisions that affect their organisation's risk profile are made.
Business leaders saw opportunities to thrive in the face of disruption during the pandemic. They began to question their business model and ways of working, and they engineered changes for the long term in consideration of risk. Risk and return are inextricably linked. An organisation’s risk management capabilities can create significant value if they help the organisation take advantage of the upside of risks that have higher payoff.
Risk appetite is a critical tool to help business leaders understand where they are able to take more risk in pursuit of new opportunities and growth. It denotes the guardrails within which the board asks executives to stay as they make decisions and execute on their strategies. If an opportunity requires more risk than the organisation’s appetite allows, it may be fruitful to revisit risk appetite and consider if the organisation is willing to take on more risk for greater reward.
Only 19% of Malaysian respondents (vs 22% globally) are now realising benefits from defining or resetting their organisation’s risk appetite and risk thresholds
Achieving this takes time. It's crucial for organisations to clearly define their business purpose and the risk culture they aspire to cultivate internally, as this shapes their agility in risk management and influences their ability to identify opportunities in risk.
Risk culture plays a big role in recognising opportunities in risk. There are human elements at the heart of risk activities. A too strong compliance culture can stifle innovation, for example, while too weak of a compliance focus can impact brand and reputation.
An effective risk culture enables business leaders and risk managers to have a clear understanding of the organisation's risk appetite and it gives stakeholders the comfort that risk is effectively managed. When strategy, risk appetite and risk culture are aligned, business leaders can take decisive action that brings value.
Key considerations in building a risk management mindset to maximise risk returns include:
Establishing a clean and simple risk appetite statement to clearly articulate how much risk the company is willing to take in pursuit of strategy
Educating risk owners on how to leverage risk appetite as they make business decisions and inculcate a sense of ownership
Investing in risk training and awareness for all employees at periodic intervals
With the growing complexity and interdependencies of risks, more timely and relevant information is needed to make risk-informed decisions. Almost 3/4 of Malaysian respondents report that keeping up with the speed of digital and other transformations is a significant risk management challenge.
The response to this challenge is that we see a demonstrable and sustained increase in risk technology investment across the industries surveyed. Investments in both talent and technology can be observed.
However, despite the increase in technological spend, most organisations do not have a common risk language to drive a standardised and consistent approach to risk management. Oftentimes, disparate risk processes and systems are deployed, contributing to challenges in achieving a common and consolidated view of risk.
While 72% of the respondents recognise that digital transformation requires a significant change in risk management (in the area of strategy, architecture, people and processes), only 44% are addressing this challenge in a formal, enterprise-wide manner.
Furthermore, more than half of the Malaysian respondents (54%) report that having technology systems that don’t work together is a significant risk management challenge, compared to 75% of their global counterparts.
Key considerations for maximising risk technology investments:
Develop a risk technology business plan that includes transformation in data governance, people, process and technology aspects
Establish information sharing forums across the three lines of defence in relation to risk activities
Streamline risk assurance processes and establish common risk data sets and terminologies to drive consistency and clarity in risk reporting
Employ a Governance, Risk and Compliance (GRC) technology platform as a single source of truth for risk management across the three lines of defence
Take advantage of data availability and risk tools for a more panoramic view of the rapidly evolving risk landscape across all three lines
Mine key risk indicators (KRIs) from internal and external data for real-time risk intelligence
data analytics and visualisation
integrated risk management platform
Talent management. Supply chain. Cyber threats. Regulatory compliance. ESG. These are among the top risks to revenue growth for Malaysian organisations as shared earlier. Regardless of industry, these risks are likely impacting organisations’ strategies and operations.
As shared, these high-priority risks are tightly interconnected, with far reaching impacts. For example, what may start as a technology breach can quickly pose huge operational, financial and reputational risks. To safeguard themselves against these risks, organisations can perform an assessment to identify the interconnectivity of key business risks and their vulnerabilities towards these threats.
Risk management capabilities should go beyond the traditional risk analysis, and perform deep dives on these fast-moving, high-priority risks. A deep-dive effort should identify the risk triggers and signals. It should help risk owners understand the interdependencies between the risks driving the organisation’s risk profile. And an evaluation of risk management plans should identify actions the organisation can take to help drive increased resiliency.
Not all risk exposures can be completely mitigated or avoided. A critical capability to strengthen resilience is to develop robust business continuity and crisis response plans to enable the organisation to respond to and isolate risks in a swift and agile manner.
In conclusion, risk management needs to be a team sport amidst continued volatility. Ownership of different risks is increasingly spread across distributed parts of the organisation, yet all parts need to work together, with well-informed risk insights and a common understanding and setting of risk appetite.
Our survey found that when organisations embrace risk management capabilities as a strategic organisational capability — where teams have a panoramic view of risks enabled by internal and external data, together with smart technology — board and executive confidence in achieving sustainable outcomes is high.
Strong risk management capabilities help protect the organisation from downside risks and they enable the organisation to look forward and take risks in pursuit of growth. It’s a win-win.