2022 Global Risk Survey
Embracing risk in the face of disruption
Seize the opportunity through strategic risk management capabilities
The world is different than it was two years ago and so is the risk environment in which organisations operate. Change is fast and disruptive. The pandemic caused disturbance in the labour market and the supply chain. The current volatile geopolitical environment is further exacerbating supply constraints, heightening cyber risks, introducing rapidly evolving sanctions and putting safety and humanity at the forefront of all decisions. Ransomware attacks are more frequent and more sophisticated, no doubt a driver of cyber’s rise to the top threat to business among CEOs in our 25th Global CEO Survey. The changing work environment brought on by the pandemic continues to disrupt talent and labour markets. Supply shortages, sanctions and rising raw material costs are heightening risks within supply chains as organisations deal with upstream supply chain risks related to subcontractors and other fourth parties that further complicate risks. Customers, investors and other stakeholders are laser-focused on ESG, particularly in light of recent proposed SEC climate disclosures. Each of these risks can cause significant impacts, but because they are also highly interconnected, any one risk can initiate far-reaching implications across the enterprise and put brand and reputation at stake.
In this turbulent business environment, many executives find the need to revise and adapt their strategies and operating models at a rapid pace. They know that capturing opportunity and avoiding disruption requires speed. While managing disruptions, organisations are simultaneously dealing with internal digital transformation challenges, and how to bring along internal stakeholders as they automate business processes and drive digital into everything they do.
Organisations’ risk management and broader resilience capabilities need to quickly adapt to support business agility and to contribute proactive, robust and timely risk insights for decision-making. In an environment where change is constant, strong risk and resilience capabilities can provide an edge. Business leaders can make confident decisions in pursuit of their strategy that are informed by a panoramic view of risk.
Our 2022 Global Risk Survey highlights five key actions that organisations should consider to drive their risk management capabilities forward.
Risk management capabilities provide the greatest value to Board members and business leaders when they are embedded within the organisation’s strategic planning and decision-making processes. The environment in which organisations operate is far from static. It changes constantly. As such, strategic decisions are revisited frequently. How risks are managed needs to adapt so that real-time risk insights and analysis can support risk-informed decision-making by stakeholders across the organisation. This means that risk management capabilities must be agile and operate in an iterative manner to reflect the organisation’s changing risk profile. PwC’s survey shows that organisations recognise the importance of this imperative: Nearly eight in ten say keeping up with the speed of digital and other transformations is a significant risk management challenge.
The organisations that have stood out from the pack in the past two years have not just managed risks. They’ve taken on risks, with confidence. These organisations have an agility advantage. They have the right resources engaged in making risk-informed decisions at the right time. Good analysis and modelling is a key component of proactive risk management, as is including risk management capabilities at the start of new projects and other strategic initiatives. Today, less than 40% of business executives are reaping the benefits of consulting with risk professionals early in their programmes.
Key considerations for engaging early and getting risk insights at the point of decisions include:
- Embed risk management into the strategic planning, business decision-making processes, and large-scale transformation initiatives
- Bring diverse risk insights together by forming a risk community of solvers to keep abreast of key risks and related analysis
- Conduct strong scenario planning and modelling capabilities to address key business risks
Organisations commonly use key performance indicators (KPIs) to measure performance against strategic objectives and to support decision-making. The same approach should be used for measuring and monitoring risks. When connected to key business risks, key risk indicators (KRIs) provide leading indicators of the risk environment in which the organisation operates. Movement in KRIs provides early-warning signals to leaders to reevaluate strategies, risk management capabilities and risk mitigation activities. Changes in KRIs can signal opportunity as well as risk. Examples of KRIs to monitor ransomware risk, for example, may include phishing occurrences, number of open critical points, email security issues, or leaked credentials. Supply chain risk KRIs might include supplier quality ratings, violations or financial health measures, and more.
The ability to utilise and interrogate data is a key tool in the arsenal to detect changes in the risk landscape. The survey shows that companies are investing: Three-quarters of executives are planning on increasing spending across data analytics, process automation and technology to support the detection and monitoring of risks. Sharing investment and further integrating technology and risk data across the three lines could help to efficiently drive a panoramic view of risk across the enterprise.
Key considerations for taking a panoramic view of risk include:
- Mine KRIs from internal and external data for real-time risk intelligence
- Take advantage of data availability and risk tools for a more panoramic view of the rapidly evolving risk landscape across all three lines
- Establish risk-monitoring capabilities and escalation procedures to respond to rapidly increasing risks
Business leaders saw opportunities to thrive in the face of disruption during the pandemic. They began to question their business model and ways of working, and they engineered changes for the long term which were accompanied by risk. Risk and return are inextricably linked. An organisation’s risk management capabilities can create tremendous value if they help the organisation take advantage of the upside of risks that have higher payoff.
Risk appetite is a critical tool to help business leaders understand where they are able to take more risk in pursuit of new opportunities and growth. It denotes the guardrails within which the Board asks executives to stay as they make decisions and execute on their strategies. If an opportunity requires more risk than the organisation’s appetite allows, it may be fruitful to revisit risk appetite and consider if the organisation is willing to take on more risk for greater reward. Among survey respondents, 22% report they are now realising benefits from either defining or resetting their organisation’s risk appetite.
Risk culture also plays a role in taking advantage of upside risk. A too strong compliance culture can stifle innovation, for example, while too weak of a compliance focus can impact brand and reputation. An effective risk culture enables business leaders and risk managers to have a clear understanding of the organisation's risk appetite and it gives the Board and senior executives confidence that risks will be identified and managed as desired across the organisation. When strategy, risk appetite and risk culture are aligned, business leaders can take decisive action.
Key considerations for employing risk appetite to take advantage of upside risk include:
- Establish a clean and simple risk appetite statement to clearly articulate how much risk the company is willing to take in pursuit of strategy
- Educate risk owners on how to leverage risk appetite as they make business decisions
- Invest in risk culture training and awareness for all employees
With the growing complexity and interdependencies of risks, more timely and relevant information is needed to be able to make risk-informed decisions. Many organisations do not have a common risk language which enables an organisation to productively view and make decisions about risk. Driving consistency in risk management capabilities across the organisation can be difficult. Oftentimes, disparate risk processes and systems are deployed contributing to challenges in achieving a common and a consolidated view of risk. Investment in risk processes, frameworks and enabling systems is needed to help an organisation deploy a standardised and consistent approach to risk management. While 75% of organisations report that having technology systems that don’t work together is a significant risk management challenge, just 35% of those are addressing that challenge in a formal, enterprise-wide manner.
Key considerations for enabling risk-based decision-making through systems and processes include:
- Employ a Government, Risk and Compliance (GRC) technology platform to enable a consistent approach to risk management across the three lines and be the single source of truth
- Leverage a singular risk assessment approach to drive consistency in the identification and prioritisation of key business risks
- Establish strong relationships across the three lines to clearly define roles and responsibilities related to risk activities
- Put in place reporting and data requirements defined by both business and risk leaders
Talent management. Supply chain. Regulatory compliance. Cyber threats. ESG. Regardless of industry sector, these risks are likely impacting organisations’ strategies and operations.
These high-priority risks are tightly interconnected, which means one can amplify others and impacts can be far reaching. For example, what may start as a technology breach can quickly pose huge operational, financial and reputational risk.
Risk management capabilities should go beyond the traditional risk analysis, and perform deep dives on these fast-moving, high-priority risks. A deep-dive effort should identify the risk triggers and signals. It should help risk owners understand the interdependencies between the risks driving the organisation’s risk profile. And an evaluation of risk management plans should identify actions the organisation can take to help drive increased resiliency.
Not all risk exposures can be completely mitigated or avoided. A critical capability to strengthen resilience is to develop robust business continuity and crisis response plans to enable the organisation to respond to and isolate risks in a swift and agile manner.
Key considerations for doubling down efforts on top risks include:
- Perform an interconnectivity assessment over key business risks
- Facilitate deep dives into mitigating activities over key risks
- Develop and exercise robust business continuity and crisis response plans
Strategic risk management: The payoff
In a business environment defined by volatility and laden with interconnected risks, risk management must be a team sport. Ownership of different risks is understandably spread more and more across distributed parts of the organisation, yet all parts need to work together, with well-informed risk insights and a common understanding and usage of risk appetite.
Our survey found that when organisations embrace risk management capabilities as a strategic organisational capability — where a community of solvers participates and teams have a panoramic view of risks enabled by internal and external data, together with smart technology — Board and executive confidence in achieving sustainable outcomes is high. They are five times more likely to be very confident in delivering stakeholder confidence, a growth-minded risk culture, increased resilience, and business outcomes. And, they’re almost twice as likely to project revenue growth of 11% or more over the next twelve months. Strong risk management capabilities help protect the organisation from downside risks and they enable the organisation to look forward and take risks in pursuit of growth. It’s a win-win.
The top 10% of respondents — the ones that are realising benefits from strategic risk management practices — expect faster revenue growth and better outcomes.
Business outcomes
- Increased share prices
- Improve returns on strategic investments
Stakeholder confidence
- Increased board confidence
- Gain customer trust
- Increase confidence among external investors
Growth-minded risk culture
- Improve organisational resilience
About the survey
The 2022 Global Risk Survey is a survey of 3,584 business and risk, audit and compliance executives conducted from February 4 to March 31, 2022. Business executives make up 49% of the sample, and the rest is split among executives in Audit (16%), Risk management (24%), and Compliance (11%).
Fifty-eight percent of respondents are executives in large companies ($1 billion and above in revenues); 19% are in companies with $10 billion or more in revenues.
Respondents operate in a range of industries: Financial services (23%), Industrial manufacturing (22%), Retail and consumer markets (16%), Energy, utilities, and resources (15%), Tech, media, telecom (13%), Health (9%), and Government and public services (2%).
Respondents are based in various regions: Western Europe (30%), North America (29%), Asia Pacific (21%), Latin America (12%), Central and Eastern Europe (3%), Middle East (3%), and Africa (3%).
PwC Research, PwC’s global Centre of Excellence for market research and insight, conducted this survey.
