Latest findings from PwC’s Pulse Survey
say capitalizing on digital transformation initiatives is very important to growth in 2022
say that policy shifts in technology and data are leading to the most change in their business
say that increasing agility is very important to their company’s ability to grow
Risk executives (72%) resoundingly say that capitalizing on digital transformation initiatives is very important to their companies’ growth in 2022. Only the board member group agrees as strongly.
This is a signal change. Risk executives, whether invited in or stepping up, are alongside other executives leading digital transformations. Often relegated to bit players in these massive efforts in the past, risk execs are now central to identifying what could go wrong and designing the playbooks to mitigate them. If companies are going to disrupt themselves, they want to do it smoothly.
And they want to do it fast. Customer-facing transformations are the most pressing: unicorns disrupting many industries reach scale in three to five years, too fast for a slow incumbent to hesitate, falter or stall in its transformative initiatives.
That’s why more than half of risk executives realize that greater agility is required for their organization—and their own function—to grow.
Growth-minded risk executives take a more panoramic vista on how they do their work. Not traditionally immersed in talent issues, they know that when employee turnover goes from 15% to 45% at a company, such as we are seeing in the “Great Resignation,” hiring and retaining talent becomes vital—and failure to do so can become a significant threat to the business.
It’s easy to describe the positive day-to-day changes in the way we work and live. It’s harder to see the risks that lurk underneath. Risk executives see a broad array of them, with more than 30% naming seven risk categories as the greatest threats to their company’s ability to grow.
It’s the nature of the tech-enabled and highly interconnected business environment today. One risk emanates from one area and moves quickly through others. Attackers, for instance, can exploit cyber weaknesses by designing custom malware to bypass network controls. They then spot gaps in fraud controls to gain unauthorized access to applications and user IDs. Next, they set up fraudulent bank accounts to receive and transfer the stolen funds. Finally, the attackers launder the stolen money. This kind of threat crosses at least four risk categories: cyber, data, clients and products and regulatory.
The growth-minded, tech-savvy risk executive understands the transmission of blended risks across the enterprise and makes major adjustments. To continue with the example, traditionally siloed cyber, fraud, physical security and anti-money laundering (AML) teams are now brought together into fusion centers to better defend against perpetrators trying to exploit weaknesses across these areas.
Where collaborative risk functions used to be the exception, they now need to be the norm. Even sophisticated companies, especially those in non-regulated industries, have yet to address a lack of integration across risk categories and functions. Integration clears away speed bumps along with unnecessary complexities and costs.
Sixty-two percent of the risk executives say that policy shifts in technology and data are leading to the most change in their business. That’s because technology and data-intensive innovation have advanced beyond traditional controls. Legislative and regulatory agendas are packed with proposals and bills to protect consumers and society from harms via cryptocurrency, digital payments, user-generated content, artificial intelligence and autonomous systems.
Governments are reacting in ways that will certainly alter many companies’ global strategies and regional structures, as well as the way they use data to find, track and serve customers. The balancing act of promoting innovation while protecting against risks is evident in some new approaches to better govern and regulate new markets and technologies.
In financial services and health, the most highly regulated industries, sector-specific developments like health regulations have become top priorities for consumer markets and industrial products companies.
The growth-minded risk executive does not wait for regulation to come into force, but works with the business to set policy on their own. For example, for social media platforms and other companies involved in content moderation, they can lay the foundation by defining their guiding principles, values and ethics to devise terms of service, and clearly communicate these terms to users.
Any CEO or corporate board member wants to affirm to stakeholders that they are ahead of the curve when it comes to risks arising from the most important initiatives of the company. In cybersecurity, for example, companies will want to be cyber-ready for tomorrow, not just for today.
At least a fifth of the risk executives report getting a jump on understanding risks from new trends before they become mainstream or dominant. Executives from financial services are already monitoring risks from cryptocurrency and autonomous decisions and response systems. Tech firms are implementing risk mitigation plans related to non-fungible tokens (NFTs). Industrial manufacturers are beginning to create risk mitigation plans for the use of autonomous decision and creation systems.
To get ahead of the curve, the growth-minded risk executive encourages ways for control teams and business teams to be allies. For example, compliance and security teams update their controls strategy so that fast software development and strong controls can go hand in hand. Further, “Compliance-as-code,” continuous compliance and intelligent controls are new practices that allow organizations to be agile.
Finally, the growth-minded risk executive takes a long and panoramic view. Digitization is important to capture immense opportunities today. But digital transformation is about building real, long-term competitive advantage to succeed. The growth-minded risk executive invests in capabilities for the long-term.
Our latest PwC Pulse Survey, fielded January 10 to January 14, 2022, surveyed 93 risk leaders from Fortune 1000 and private companies, along with other C-suite executives, about business priorities, investment plans and concerns as they think about the year ahead. Find all of these insights in our PwC Pulse Survey.
Cyber & Privacy Innovation Institute Leader, PwC US
Principal, Cyber, Risk & Regulatory, PwC US