Latest findings from PwC’s Pulse Survey
Resilience became the value proposition to customers during the pandemic. Health safety supplies and groceries at their doorsteps. Video calls enabled for school and for staying in touch. Telehealth consultations for ongoing and non-critical emergent medical attention. Work-from-home set up in two weeks. Each of these was a pivot from business as usual and required speed and scale of adjustment.
The resilience advantage is apparent to customers and investors. More than half of risk leaders say enhancing customers’ and stakeholders’ confidence in their companies’ resilience capabilities is the primary goal of their resilience strategy in the next 12 months. Customers stood by resilient companies, including those that initially faltered but course-corrected quickly. Boards and investors delved into business continuity, crisis management and recovery plans, as resilience became a trending topic on earnings calls. A recent study of company responses to the pandemic found that more positive sentiment around a company’s response was associated with less negative returns, and the effect was stronger for companies’ responses that represented a credible commitment to their stakeholders.
“You can count on us to give you what you need as events unfold” is a valuable promise. That external-facing focus is accompanied by an internal resilience focus: that of winning the confidence of the CEO and the board in the organization’s ability to deliver that promise to customers and stakeholders.
In our September pulse survey, 87% of risk leaders said they’re investing in improving their organizations’ resiliency programs. In October, we asked them where they’re investing, to draw a picture of the resilience agenda for the next 12 months.
Ninety-three risk management leaders (chief risk officers, chief information security officers and chief audit executives) from Fortune 1000 and private companies, along with other C-suite executives, weighed in on policy-related issues in our latest PwC US Pulse Survey, fielded September 30, 2020 to October 6, 2020. Find these insights in our Road to Election 2020 report. In the ongoing survey, risk management leaders also shared their perspectives on other top-of-mind issues, including how they’re investing to build resilience.
No matter who wins the 2020 US presidential elections, risk leaders say that changes in three policy areas introduce new risks: corporate tax policy, COVID-19 pandemic responses, and technology and data regulations. Business tax rates will rise in order to pay for COVID-19 relief, regardless of which party controls Congress, according to 78% of risk leaders. After all, we’re still in Act 2 of the pandemic. CFOs, economists and market analysts are still baselining sales, revenues and output to pre-COVID levels. Macro thinkers and social movement leaders are deeply concerned about a K-shaped recovery.
Risk leaders stand out among the C-level execs we surveyed in their attention to risks arising from changes in tech and data regulations during the next administration. Just after we closed this survey, the House Judiciary Committee released the Democrats’ vision of updated antitrust rules. But both parties are concerned about issues beyond Big Tech’s market power, such as privacy and social media content moderation. As companies become more digital, policy changes in these areas will have implications for compliance and resilience programs across industries.
Risk leaders also recognize the need for adaptability as well as vigilance to stave off digital risks like cyber and fraud threats. These considerations — combined with the success in accelerated digitization in Act 1 of the pandemic — likely explain business executives’ ambitious digital initiatives in the next 12 months: optimizing data analytics, migrating applications and data to the cloud and automating across the business.
Increasing risks and uncertainty
Until today, efforts have been focused on resilience as the ability to withstand and isolate disruptions and recover. By this measure, business executives, including risk leaders, reported significant progress in the past three years: faster response times to cyber incidents and disruptions (44%), increased prevention of successful cyber attacks (43%) and lower downtime and associated costs (37%), according to our Digital Trust Insights survey of 3,249 respondents. This work is never done and remains among the most important goals of resilience strategy in 2021 (see chart above).
But the top areas of resilience spending over the next 12 months signal an important shift: risk leaders are reimagining the resilience program, not just tinkering at the margins. The pandemic highlighted the importance of improving resilience in the customer-facing parts of the business. As companies move from survival mode during Act 1 of the pandemic to innovation mode now, they are allocating more attention and budget to these three areas:
Resilience is most challenged at points of dependencies throughout the organization. Risks thrive at the seams and at the point of hand-offs. A necessary strategic and operational change organizations can make is to designate a single executive or executive team that’s accountable for resilience strategy and implementation. Our survey found that 54% of the organizations we surveyed haven’t done that.
The resilience officer orchestrates the activities of teams — in risk management and the three lines of defense, business continuity, incident response, crisis centers — toward resiliency goals. She may be the executive or leader from those functions or from the business (operations or finance). She is responsible for leading the design and running of the target operating model for resilience.
The “fusion resilience center” is one such operating model. It integrates new and existing risk capabilities throughout the organization — creating synergies to increase efficiencies in threat intelligence, incident readiness, incident response, crisis management and BCP/DR. It shares critical knowledge among key response and recovery functions for continuous improvement.
The resilience officer gets out of the war rooms and into the executive suites, boardrooms and frontlines of business — communicating and coordinating. How else would the resilience functions win the confidence of the CEO and board, customers and partners? In our survey of 693 corporate directors, only 37% said they understood the company’s crisis management plan very well, while 32% understood the company’s cyber vulnerabilities very well. Compare that with 87% who have high familiarity with the company’s strategy and 68% with the competitive landscape.
The balance has tipped toward technology-enabled resilience. On the shopping list of risk leaders are long-term upgrades to technology (14.5% of resilience spend in the next 12 months) and short-term tech investments to meet needs uncovered during the current crises (13.2% of spend).
Threats come and spread at the speed of machines and must be stopped with a resilience tech stack that amplifies the strength of seasoned risk professionals’ expert judgment and intuition.
At critical points in the anticipate-prepare-detect-respond-recover loop of resilience, technologies can help with coverage (100%, not samples), comprehensiveness throughout systems and devices (not stovepipes), identification of new strains of attacks (not just the tried and true) and speed (seconds, not days).
Harnessing data analytics, visualization, graphical interfaces and machine learning, these resilience activities can now be automated: threat detection, investigation, monitoring and control testing, identification of high-value third parties, regulatory compliance checks. In some cases, autonomous — not just automated — detection and response is already possible. For example, AI-driven investigations can reduce time to triage by up to 92%.
The resilience tech stack should also include ways to integrate solutions together with the organization’s other systems: GRC, workflow management, business intelligence and data centers underlying the fusion centers. The point is integration by design: suites such as PwC’s Risk Command, not standalone solutions.
Complexity is an ally of attackers. As you decide on the wide array of available technologies, a good question to ask is this: how much complexity can we tolerate without introducing more risks?
cents of every resilience dollar in 2021 will go to technology upgrades.
Business leaders must anticipate policy and regulatory shifts and understand the potential impact on their businesses regardless of who wins the presidency in November. Join us October 14 for the results of the next PwC Pulse survey.