Being a smarter risk taker through digital transformation

2019 Risk in Review Study

Six habits fueling smarter risk taking in digital transformations

Our 2019 Risk in Review Study reveals six behaviors that divide risk functions into those helping their organizations take smarter risks on their digital journeys—a group we call Dynamics—and those a step or more behind: the Actives and the Beginners. The groups tell us that risk management, internal audit and compliance professionals (collectively, risk functions), far from stalling digital initiatives, can help their organizations meet or beat their transformation goals. Certain risk functions are there now. For others, it’s time to take action.

What is common among Dynamics, who represent a quarter of the 1,000 risk functions among the 2,000 executives we surveyed? They’re digitally fit. They engage early in digital initiatives. And they’re digitally overhauling their own functions by staffing and equipping them with data-driven capabilities (including skills, tools and techniques), by serving up more real-time insights and by acting in concert with their functional peers to deliver a common view of risks.

Those efforts bring leaders a more precise line of sight into risks from digital opportunities so they can make more informed decisions. Being more exact and predictive is important in a data-rich but insights-poor world. Just 22% of chief executives in our 22nd Annual Global CEO Survey believe the risk exposure data they receive to be comprehensive enough to inform their decisions. That figure is—alarmingly—unchanged in 10 years.

As such, the efforts of the Dynamics are both valuable and vital for the success of an organization’s technology-driven transformation. In 2019, businesses seeking better customer experiences, more-informed decisions and increased revenue growth from their digital investments will want to lean on digitally fit risk functions. These are the Dynamics’ most-cited payoffs.

John Merino, FedEx chief accounting officer, sums up what a Dynamic risk function brings in capabilities and spirit: “Being more digital enables the risk management functions to be more responsive, predictive and engaged. It allows for the comparison and correlation of things that traditionally didn’t connect in a way that is very provocative and powerful. You can see through the haze with much more clarity to identify things of relevance.”

Digital fitness of risk functions

The payoffs of being a Dynamic

Dynamics cite significant payoffs, which range from faster progression through their digital journey to higher-than-expected value from their digital investments in areas like better decision making and customer experiences. Dynamics are also more bullish about their revenue growth.

Organizations with Dynamic risk functions experience distinct advantages

To what extent have your digital investments paid off at your organization in the following areas to date?
Decision-making base: 95 Dynamics; 90 Actives; 171 Beginners. Customer experience base: 137 Dynamics; 148 Actives; 282 Beginners. Revenue growth base: 82 Dynamics; 72 Actives; 164 Beginners
How effectively is your organization managing risks on its digital journey?
Base: 244 Dynamics; 240 Actives; 484 Beginners
Which statement best describes your organization’s progress on its digital journey?
Base: 231 Dynamics; 206 Actives; 357 Beginners
What impact has your organization’s digital roadmap had on its risk appetite?
Base: 231 Dynamics; 206 Actives; 357 Beginners

The six habits of Dynamics you need to adopt

Go all-in on the organization’s digital plan

Without precise goals, it’s hard to charge ahead. Dynamics set and target clear outcomes and specific performance metrics for their digital strategies, aligned with those of their organizations. The strategic advice, testing and controls they provide from the design phase onward help digital rollouts stay on or get ahead of plan and budget. Dynamics most engage in digital initiatives by helping set digital governance standards across an organization. That includes assigning roles and responsibilities. “What concerns me is governance. Who has to approve what? I worry that a unit is executing digital initiatives that should be approved or that somebody should be looking over their shoulder,” notes Vanessa C. L. Chang, a member of Edison International’s audit committee.

When risk functions are digitally fit, they shape risk plans before digital projects get off the ground. That’s not current practice. For example, only 53% of respondents say cyber and privacy risk management is baked in fully from the start of transformational projects, according to PwC’s Digital Trust Insights. When risk functions are involved early, they help their organizations scale innovations while tackling critical risks.

Dynamics action their digital roadmap

Is your function conducting or planning to conduct the following activities related to building and managing a digital roadmap?
Response: Doing now
Risk functions base: 252 Dynamics; 246 Actives; 441 Beginners
Risk management base: 98 Dynamics; 65 Actives; 127 Beginners
Compliance base: 56 Dynamics; 43 Actives; 70 Beginners
Internal audit base: 98 Dynamics; 138 Actives; 244 Beginners

Upskill and inject new talent to move at the speed of the organization

Risk talent needs are changing. You need CPA and AI skills—a rare but potent combination. To fill the demand for technical skills like analytical model development and robotic process automation (RPA) programming, Dynamics are tapping shared-service centers.

Meet the need for on-demand expertise. American Electric Power, for example, created Charge, a digital hub where processes to be digitized or automated can be proposed, initiated and rolled out. “As part of that process we have agile governance which avoids a slower committee,” explains Stephan T. Haynes, senior vice president of Strategy & Innovation at the utility. “We don’t wait until the next committee meeting. Project and group issues are escalated through a predetermined management chain within 36 hours if they cannot be resolved by the team.”

Add skills in a bucketed way. For AI upskilling, PwC has identified a training strategy with three levels of AI-savvy employees: citizen users, citizen developers and specialists. Overlay that onto risk functions, and all team members may need some analytical skills; fewer will be data and modeling experts.

Seed talent for the future. Melvin Flowers, corporate vice president of internal audit at Microsoft Corp., sums up tomorrow’s skill set as “much more around analysis of output and prioritizing decisions based on indicators and importance. That’s why auditors will need to know more about the implications of technologies. Not how to code but what IS coded, how decisions are coded in automated processes and how to verify and confirm coding.” 

Dynamics creatively source talent

Please rate your level of agreement with the following statements about your function.
Response: Agree or strongly agree
Risk functions base: 252 Dynamics; 249 Actives; 500 Beginners
Risk management base: 98 Dynamics, 66 Actives, 146 Beginners (top three rows), 98 Dynamics, 65 Actives, 127 Beginners (bottom row)
Compliance base: 56 Dynamics, 43 Actives, 83 Beginners (top three rows), 56 Dynamics, 43 Actives, 70 Beginners (bottom row)
Internal audit base: 98 Dynamics, 140 Actives, 271 Beginners (top three rows), 98 Dynamics, 138 Actives, 244 Beginners (bottom row)

Find the right fit for emerging technologies

At least a third of Dynamics are using internet of things (IoT) sensors to assess and respond to risks in critical processes, are applying AI for tasks like population testing or controls monitoring and are using RPA programming for routine tasks such as data retrieval. Automation helps boost productivity, expand coverage and free up staff for advanced work like analysis.

Rethink risk tasks creatively. Robert King, chief vice president and chief audit executive at FedEx Corp., introduced new bot-employee Harry Botter to his team for metrics and quality assessment reporting. Harry came to life with a backstory that included high school athletics. King challenged his team to consider what tasks Harry could pick up. Now, after handling basic tasks, Harry is transitioning to more complex work. This creative and fun approach helped staff embrace automation.

Automate monitoring and auditing of critical risks, like data privacy. Baylor Scott & White Health, for example, is using AI to assess data access. “We audit who’s looking at the medical records using artificial intelligence. We don’t have to do extra work because our vendor updates their software,” explains Monica Frazer, vice president of Internal Audit at the company.

Evangelize digital first to move faster. As Ameren digitally overhauls everything from the power grid to field tools, automating certain risk tasks helps the US electric and natural gas provider move faster through its digital transformation, says Bhavani Amirthalingam, its chief digital information officer. “We can only do so much with the volume and velocity of large transformational initiatives, and we want to get to everything. Automating some audit pieces through RPA simplifies things for more advanced internal audit work.”

Dynamics find the right fit for emerging tech

Which of the following best describes your function’s use of each of these technologies?
Response: Using now
Risk functions base: 252 Dynamics; 249 Actives; 500 Beginners
Risk management base: 98 Dynamics; 66 Actives; 146 Beginners
Compliance base: 56 Dynamics; 43 Actives; 83 Beginners
Internal audit base: 98 Dynamics; 140 Actives; 271 Beginners

Enable the organization to act on risks in real time

Leaders invested in digital initiatives seek more real-time insights to inform decisions. Dynamics are showing the way by developing risk services like real-time dashboards. Such services may shine a light on critical priorities based on assessments that consider risk likelihood, impact and velocity, or time to impact.

Dynamics are also prioritizing risks through AI. And they’re mining data lakes for real-time identification, monitoring and testing of risks like fraud. When risk functions pair data lakes with AI, powerful risk and operational insights can emerge. Data lakes also help with data governance because security can be embedded in each piece of data.

Have a say in data governance. Trust is the oxygen of the Fourth Industrial Revolution, with data quality and privacy separating those safely monetizing data from those who will be left behind. Risk functions—historically less involved in data governance—now need to engage. Analyses from emerging-technology-based processes are only as good as the data used—and flawed data can lead to flawed decisions.

At Nationwide Mutual Insurance Co., governance is at the center of risk and control considerations for the emerging technologies the company uses, says Greg Jordan, its senior vice president and chief audit executive. “Who controls the data? Who oversees the governance structure? Who’s making sure we’ve got licensed associates or vendors using drones? Who is managing compliance and privacy with the use of chatbots and voice analytics?” he asks. “We operate a federated model with governance and guidelines to be implemented by the business. We want consistency in the design, the application and the documentation.”

Dynamics embrace new ways to tackle risks from digital innovation

Is your function conducting or planning to conduct the following service-related activities based on the availability of digital technologies?
Response: Doing now
Risk functions base: 252 Dynamics; 249 Actives; 500 Beginners
Risk management base: 98 Dynamics; 66 Actives; 146 Beginners
Compliance base: 56 Dynamics; 43 Actives; 83 Beginners
Internal audit base: 98 Dynamics; 140 Actives; 271 Beginners

Actively engage decision makers of key digital initiatives

Dynamics continually connect with stakeholders. They work closely with core digital teams to help shape risk strategies, lean into C-level discussions about risks from digital initiatives and routinely deliver boards a risk picture through data visualizations. Those connections and activities give Dynamics a vision and a voice.

Share insights visually. Boards are demanding better risk information. Digitally advanced functions are delivering. S&P Global’s internal audit team, for example, has its audit universe information in Tableau. Notes Nancy J. Luquette, senior vice president and chief risk & audit executive at S&P Global Inc., “If the Audit Committee wants to see all of the high-risk entities, for example, we can quickly click and drill down to show them that information.” Boards are also asking about prominent themes being observed. “We’re now focused on categorizing audit issues so we can see themes across the company. We can use our digital tools to get the thematic information based on how we capture and categorize issues. We highlight this so the board can be more informed about key issues and make decisions accordingly,” she adds.

Consider KRIs. Key risk indicators (KRIs) help everyone speak the same risk language. Not having the same language means not having consistent metrics. For example, only 27% of respondents cited comfort with the adequacy of metrics for cyber and privacy risk management in board reports, according to PwC’s Digital Trust Insights.

Dynamics keep the board and management current on risks

Please rate your level of agreement with the following statements about your function.
Response: Agree or strongly agree
Risk functions base: 252 Dynamics; 249 Actives; 500 Beginners
Risk management base: 98 Dynamics; 66 Actives; 146 Beginners
Compliance base: 56 Dynamics; 43 Actives; 83 Beginners
Internal audit base: 98 Dynamics; 140 Actives; 271 Beginners

Collaborate and align to provide a consolidated view of risks

Different risk metrics can present a flawed risk picture. Dynamics work in concert, using common risk frameworks and metrics for a common view of risk.

Use a common infrastructure to become more predictive. The integration of infrastructure through a data lake can bring benefits well beyond controls—such as becoming more proactive, says John Newstead, head of global shared services and chief risk officer at DXC Technology: “Broader insights inside and outside the organization inform the risk assessment and audit plan and improve leadership and board confidence. Benefits radiate in multiple directions.”

Now is the time for risk functions to work together. By working from one source of data on a common platform with a common tech stack, risk functions can bring their leaders a consolidated view of risk. Boards, CEOs and other stakeholders crave this for more informed and more agile decision making.

Dynamics are moving to a shared view of risks

Is your function currently integrated or planning to integrate with other lines of defense in the following areas?
Response: Fully integrated
Risk functions base: 252 Dynamics; 249 Actives; 500 Beginners
Risk management base: 98 Dynamics; 66 Actives; 146 Beginners
Compliance base: 56 Dynamics; 43 Actives; 83 Beginners
Internal audit base: 98 Dynamics; 140 Actives; 271 Beginners


Brian Schwartz

Partner and Primary Author of the Global Risk Study, Risk Assurance, PwC US
