Latest findings from PwC’s Pulse Survey
say an increase in new regulations is a top scenario in their 2-year resilience plans
are investing in building better crisis management plans
consider their organizations ‘mature’ in how they monetize data
Cybersecurity now has the attention of the C-suite and the board. Cybersecurity threats top the list of serious business risks for corporate directors, chief operating officers and chief marketing officers, our latest PwC Pulse Survey shows. They rank second among tax leaders, finance leaders, human resource leaders and chief information officers. Cyber threats are also the No. 1 concern in many sectors, including financial services, health, tech, media and telecom, and energy and utilities.
That shared concern in the C-suite is spurring action. There’s broad support for increased investments and a focus on better cyber risk management. Whatever issues brought them to this point — costly breaches, impending disclosure requirements or more vocal customers — the executive focus and investments position businesses to better manage a risk that’s inherent to greater digitization.
Meanwhile, hiring and retaining talent comes in a close second on the list of serious risks for the C-suite, including CROs. Clearly, senior executives are taking a more panoramic view of risks together — those who run the business and own the risks alongside the risk executives. This is a good starting point for coordinated actions needed for agile responses to multiple crises at the same time.
Several possibilities conspire to take companies off their planned growth tracks in the next 12-24 months. Four scenarios have risk leaders gearing up their organizational resilience.
of risk leaders are preparing for a surge in new regulations.
Increase in new regulations. Most of today’s laws were written for a society that was less connected and less reliant on technology. Regulators and policymakers are keen to update them for a world of decentralized finance, personalized medicine, web3 and metaverse. Proposed regulations challenge ingrained thinking about competition and antitrust, transparency and corporate responsibility. Attempts to build new guardrails abound in areas like privacy and digital assets. Risk executives need to stay on top of what’s likely to pass, what would require entirely new compliance playbooks and what would pose potentially the highest risks to the business model.
Global recession. Nearly three-quarters of both CFOs and corporate directors believe a recession is likely in the next 12 months. This prediction will trigger responses — hiring or spending freezes, accelerated cost-cutting — that will require risk executives to reassess their risk profiles and mitigation plans. Risk management can bring the trust lens to the boldest moves of the business.
Significant employee turnover. Only 27% of all executives consider themselves “very agile” in responding to shifts in the workforce, with even fewer CFOs (12%) and tax leaders (15%) saying so. CHROs (33%) too were marginally confident about their agility. The unknowns can often halt responses, especially when novel moves are needed for the issue described variously as the “great rethink,” “great resignation” or “quiet quitting.” Risk executives need to help ascertain the knock-on effects and cascading operational risks. Whatever creative responses businesses take to retain and hire talent, risk executives also need to help manage reputational risks.
High inflation. Sixty-two percent of respondents believe inflation will remain elevated in the US, but only 25% consider themselves very agile in their ability to navigate in that environment. Risk executives need to bring informed risk insights as the CFO, COO and tax leaders review their cost structures, supply chains and global footprint.
What you can do: De-risk the downside to help your organization maneuver with agility through various scenarios. Remain in sync with senior executives to have a channel to unlock opportunities for the upside.
After two years of fast adaptation, businesses continue to work on three interrelated capabilities: crisis and risk management and resilience.
of risk leaders are investing in better crisis management.
Consider the starting point for many companies. Resilience planning is something of a spreadsheet exercise — “Crisis plan. Business continuity plan. Check, check.” Structured in silos, resilience competencies and response teams can be disjointed and unequipped to coordinate the tactics, tools and technologies needed for an effective strategic response. Nothing less than transformation in these three interrelated capabilities is needed. Indeed, more than 46% of risk leaders are investing significantly in these three areas. What’s the new standard that risk leaders should aspire to reach?
Crisis management. Faced with multiple crises, risk leaders are designing their plans to be crisis-agnostic — plans that can flex to address various contingencies and secondary crises.
Collective risk management throughout the enterprise. Risk and compliance teams ally with the risk owners by arming them with risk insights at decision points and in the day-to-day. Throughout the risk management life-cycle, a principles-based approach is gaining ground, emphasizing coordination among risk owners and managers that’s facilitated by common data models and assessment methods.
Resilience testing. It’s difficult to anticipate every possible disruption. That’s why resilience testing strategies, recovery testing plans and scenario libraries are critical. Testing against multiple events and scenarios is a powerful way for stakeholders to come to a shared, working knowledge of an organization’s true recovery capabilities. It accelerates discovery of potential points of failure and galvanizes concerted action, especially where complex interdependencies are in force.
What you can do: Make resilience an enterprise capability, not just a sum of effective parts.
Most risk leaders say their companies do not have enterprisewide practices in data discovery, governance, protection and minimization.
have processes in place to secure data
Data is the asset that attackers covet most, and yet a significant majority of risk leaders say their organizations don’t have enterprisewide practices in data discovery, governance, protection and minimization. At best, 46% of risk leaders tell us that their organization has mature data protection practices. Only 39% say they have mature processes for discovering the most sensitive and high-value data. Most overlooked are data retention and data elimination processes.
This puts companies at risk in more ways than one. Effective data governance is important not only for operational resilience but for compliance with increasingly stringent regulations in the US and around the world. The new norm is that when a customer asks for information about their data — what you’re keeping and what you’re doing with it — you should be able to answer quickly and accurately. If it’s a regulator doing the asking, the wrong answer could bring heavy fines.
But the bigger consequence of not building data trust is this: Only 26% of risk leaders say that they use data to support revenue growth throughout the enterprise.
Turning data into true assets that can increase your revenues is one benefit of good data security. According to our Trust in Data Survey, companies with more mature data trust practices tend to be ahead in many respects. They earn revenues from data monetization by personalizing services, operating more efficiently and better serving their customers. Respondents from these companies strongly agree that higher customer trust leads to demonstrably higher revenue. And they monitor their third parties more — an advantage given the rise in cyber attacks and fraud perpetrated through third or nth parties.
What you can do: Identify who is responsible for data trust in your organization. Today, only 21% of the largest 2,500 publicly listed companies around the world have a chief data officer.
Our latest PwC Pulse Survey, fielded August 1 to August 5, 2022, surveyed 722 executives and board members from Fortune 1000 and private companies about the current business environment, the risks executives are facing and the impact those risks have on company strategy and growth plans. Of the respondent pool, 87 are CROs and risk executives.
Cyber, Risk and Regulatory Marketing Lead Partner, PwC US
Principal, Health Industries, Cyber, Risk & Regulatory Leader, PwC US
Cyber & Privacy Innovation Institute Leader, PwC US