CRO and risk management leaders

Latest findings from PwC’s Pulse Survey

Risk leaders, clear-eyed about perils and priorities, face obstacles

Risk executives understand the imperative to adapt. Most (61%) say the average competitor won’t survive more than six years if they don’t change their current business model, according to our June 2024 Pulse Survey. To better manage evolving risks, they’re prioritizing advanced capabilities, coordination across the lines of defense and greater C-suite influence. 

But obstacles stand in their way. Financial pressures are limiting funding for emerging risk identification (73%), advanced risk monitoring (75%) and third-party services (71%). What’s more, only about one-third of risk leaders are included in key resilience decisions around operations, technology and IT management. 

How can they overcome these hurdles? For starters, they can work with their C-suite peers to show the strategic value and ROI of resilience-by-design practices and investments. Attuned to the risks that others may not fully grasp, risk executives should demonstrate how investing in resilience can pay for itself — and extend the company’s longevity.

Cautious to confident Cautious to confident Cautious to confident

Risk executives seek innovation, influence and collaboration


prioritize expanding their function’s influence across the entire C-suite

Resilience against an evolving risk landscape requires new tools and skills. That’s why most risk leaders are looking to strengthen their capabilities and reinvent their function. The vast majority (over 80%) are prioritizing various initiatives, including advanced capabilities to address emerging risks and regulatory requirements, collaboration across the lines of defense and greater C-suite influence. 

Risk executives take a sober and measured view of the disruptive trends and risks that lie ahead. Top concerns include technological disruption, which 71% say is a moderate or serious risk to their company, followed by more frequent and/or broader cyber attacks (67%), the global regulatory environment (65%) and a shortage of relevant skills in the workforce (65%). 

Notably, other C-suite executives are more likely to cite these risks as either a moderate or serious risk. The good news is that risk leaders understand the challenge and they’re prioritizing the necessary resilience actions. But moving the organization from awareness to action will require executing on strategic risk management priorities. It will also require better alignment with the CEO’s vision. Among CEO respondents, only half (52%) say their company’s risk leaders are very aligned with their vision for the future.

 What you can do 

  • Foster risk-informed decisions. Get ahead in addressing external threats by using risk insights and scenario planning to shape management’s approach to resilience.

  • Align risk management with business strategy. Highlight to other executives the link between resilience investments and innovation.

  • Collaborate across the organization. Tapping into other executives’ purviews can help you think beyond the present, known risks.

PwC Pulse Survey: Finding opportunity in reinvention PwC Pulse Survey: Finding opportunity in reinvention

Get more on this topic

Cautious to confident Cautious to confident Cautious to confident

Financial pressures hinder resilience investments


say financial pressures limit their ability to invest in advanced technologies to assess and monitor risks

Unfunded priorities aren’t priorities, they’re a wish list. That’s a reality most risk leaders are confronting as they struggle to get organizational backing for key investments. While their C-suite peers may see the same risks, resilience often takes a back seat to other business priorities when it comes time to write the checks.

Case in point: Most risk executives (75%) say financial pressures are limiting their ability to invest in advanced technologies to assess and monitor risks. Nearly as many say the same about funding for emerging risk identification and assessment, engaging third-party providers to supplement skills, control testing and rationalization, and process reengineering.

This is, of course, short-sighted and penny-wise. Delaying investments in resilience may save money now but can cost the organization dearly in the long run, not just in terms of disruption and remediation but also a lost opportunity to innovate and capitalize on risk perspectives. To get the support they need, risk leaders need to change their message — from one that stresses incremental gains to one of enterprise-wide transformation. By taking a horizontal approach to risk and compliance, organizations can ultimately achieve significant cost takeout while also improving performance and resilience.

 What you can do

  • Reengineer and automate existing risk processes. This will help eliminate manual, disparate workstreams and terminology that often differs across the three lines. Actively explore and implement technology solutions that can streamline these processes and provide real-time insights for informed decision-making.

  • Bring your resources together. Look at your mix of onshore and offshore models to limit the cost and downtime of keeping talent on the bench. You might, for example, scale up skilled control testers in low-cost locations with proper tools and oversight. A centralized control testing team can then be leveraged across all three lines of defense.

  • Demonstrate the strategic value of enterprise resilience, which can safeguard the organization from disruption while enabling agility to adapt, create value and maintain a competitive edge.

PwC Pulse Survey: Finding opportunity in reinvention PwC Pulse Survey: Finding opportunity in reinvention

Cautious to confident Cautious to confident Cautious to confident

On resilience strategy, risk leaders have limited sway

Only 31%

are involved in defining resilience strategy around technology and IT management

Risk executives need a greater voice in shaping their company’s resilience strategy. They may implement it or provide input, but most don’t have a seat at the table when it comes to defining the strategy and assessing the “what if” scenarios. Only a third are involved in defining resilience strategy around operations, technology and IT management. Slightly more say the same about their strategic involvement in workforce management (35%), data quality (42%) and financial resilience (45%).

Paradoxically, the stakeholders most knowledgeable about risk and charged with mitigating risk are largely excluded from strategic decisions in their purview. This omission can leave organizations unnecessarily exposed and force risk teams to do clean-up on the back end, a costly and inefficient workaround. It can also foster a reactive approach to risk versus capitalizing on looking around corners.

 What you can do 

  • Build stronger relationships across the C-suite. Seek opportunities to collaborate on strategic initiatives by demonstrating the value of risk management in achieving business objectives. This can help you move from focusing primarily on value protection to responsible value creation.

  • Enhance collaboration across the three lines of defense. Actively engage in regular communication and information sharing. This includes organizing cross-functional meetings and workshops to discuss risk management strategies, sharing relevant risk information and insights, and seeking feedback from all three lines of defense.

PwC Pulse Survey: Finding opportunity in reinvention PwC Pulse Survey: Finding opportunity in reinvention

Get access to the complete survey response data and future insights

View the main Pulse Survey

About the survey

Our latest PwC Pulse Survey, fielded May 15 to May 22, 2024, surveyed 673 executives and board members from Fortune 1000 and private companies about the current business environment, the risks executives are facing and their company’s strategic plans and priorities. Of the respondent pool, 83 were risk leaders, including chief risk officers, chief information security officers and chief audit executives. 

Contact us

John Sabatini

John Sabatini

Clients and Markets Leader, Cyber, Risk & Regulatory, PwC US

Michelle Horton

Michelle Horton

Principal, Cyber, Risk & Regulatory, PwC US

Matt Gorham

Matt Gorham

Cyber & Privacy Innovation Institute Leader, PwC US

Follow us