Risk management leader insights

Latest findings from PwC’s Pulse Survey

The 2021 resilience agenda

Resilience became the value proposition to customers during the pandemic. Health safety supplies and groceries at their doorsteps. Video calls enabled for school and for staying in touch. Telehealth consultations for ongoing and non-critical emergent medical attention. Work-from-home set up in two weeks. Each of these was a pivot from business as usual and required speed and scale of adjustment.

The resilience advantage is apparent to customers and investors. More than half of risk leaders say enhancing customers’ and stakeholders’ confidence in their companies’ resilience capabilities is the primary goal of their resilience strategy in the next 12 months. Customers stood by resilient companies, including those that initially faltered but course-corrected quickly. Boards and investors delved into business continuity, crisis management and recovery plans, as resilience became a trending topic on earnings calls. A recent study of company responses to the pandemic found that more positive sentiment around a company’s response was associated with less negative returns, and the effect was stronger for companies’ responses that represented a credible commitment to their stakeholders.

“You can count on us to give you what you need as events unfold” is a valuable promise. That external-facing focus is accompanied by an internal resilience focus: that of winning the confidence of the CEO and the board in the organization’s ability to deliver that promise to customers and stakeholders. 

In our September pulse survey, 87% of risk leaders said they’re investing in improving their organizations’ resiliency programs. In October, we asked them where they’re investing, to draw a picture of the resilience agenda for the next 12 months.



2021 mission: Win confidence in your resilience capabilities


Ranked: most important, 2nd most important, 3rd most important

  • Enhance our customers' and stakeholders' confidence in our resilience capabilities
  • Give our CEO and board the confidence in our ability to withstand stresses and disruptions
  • Reduce costs related to downtime and recovery
  • Increase the speed of our responses to disruptions

Q: What are the primary goals of your resilience strategy in the next 12 months? (rank up to three, in order of importance)
*Highest-ranked choices for Risk management leaders from a list of 8 options.
Source: PwC US Pulse Survey
October 6, 2020: Risk management leaders base of 93

Top findings

Ninety-three risk management leaders (chief risk officers, chief information security officers and chief audit executives) from Fortune 1000 and private companies, along with other C-suite executives, weighed in on policy-related issues in our latest PwC US Pulse Survey, fielded September 30, 2020 to October 6, 2020. Find these insights in our Road to Election 2020 report. In the ongoing survey, risk management leaders also shared their perspectives on other top-of-mind issues, including how they’re investing to build resilience.


Ready for the next tests of resilience

No matter who wins the 2020 US presidential elections, risk leaders say that changes in three policy areas introduce new risks: corporate tax policy, COVID-19 pandemic responses, and technology and data regulations. Business tax rates will rise in order to pay for COVID-19 relief, regardless of which party controls Congress, according to 78% of risk leaders. After all, we’re still in Act 2 of the pandemic. CFOs, economists and market analysts are still baselining sales, revenues and output to pre-COVID levels. Macro thinkers and social movement leaders are deeply concerned about a K-shaped recovery.

Risk leaders stand out, among the C-level execs we surveyed, in the attention to risks arising from changes in tech and data regulations during the next administration. Just after we closed this survey, the House Judiciary committee released the Democrats’ vision of updated antitrust rules. But both parties are concerned about issues beyond Big Tech’s market power, such as privacy and social media content moderation. As companies become more digital, policy changes in these areas will have implications for compliance and resilience programs across industries.

Risk leaders also recognize the need for adaptability as well as vigilance to stave off digital risks like cyber and fraud threats. These considerations — combined with the success in accelerated digitization in Act 1 of the pandemic — likely explain business executives’ ambitious digital initiatives in the next 12 months: optimizing data analytics, migrating applications and data to the cloud and automating across the business.



Resilience needed to offset risk

Increasing risks and uncertainty

Compared under: Biden, Trump

  • US corporate tax policy
  • COVID-19 pandemic responses
  • Technology and data regulations

Q: Under a Biden/Trump administration, changes to which of the following policy areas would potentially introduce new risks for your company? (Select up to three.)
*Highest-ranked choices for Risk management leaders from a list of 10 options.
Source: PwC US Pulse Survey
October 6, 2020: Risk management leaders base of 93


Investing in digital to build resilience


  • Optimizing our approach to data analytics across the business
  • Moving our applications and/or data to the cloud
  • Leveraging automation technologies across the business

Q: Which of the following digital transformation initiatives is your firm investing in to accelerate revenue growth over the next 12 months? (Select up to three.)
*Highest-ranked choices for Risk management leaders from a list of 9 options.
Source: PwC US Pulse Survey
October 6, 2020: Risk management leaders base of 93

Risk leaders go from survival mode to innovation mode 

Until today, efforts have been focused on resilience as the ability to withstand and isolate disruptions and recover. By this measure, business executives, including risk leaders, reported significant progress in the past three years: faster response times to cyber incidents and disruptions (44%), increased prevention of successful cyber attacks (43%) and lower downtime and associated costs (37%), according to our Digital Trust Insights survey of 3,249 respondents. This work is never done and remains among the most important goals of resilience strategy in 2021 (see chart above).

But the top areas of resilience spending over the next 12 months signal an important shift: risk leaders are reimagining the resilience program, not just tinkering at the margins. The pandemic highlighted the importance of improving resilience in the customer-facing parts of the business. As companies go from survival mode during Act 1 of the pandemic to innovation mode now, they are allocating more attention and budget to these three areas:

  • Improving workforce resilience. Return-to-workplace plans are an all-hands task at the moment, as individuals adapt to on-site and related transformations happening at many levels.
  • Implementing changes to products and services based on changing customer expectations. This may mean adjusting designs and supply chains, a shared concern with COOs.
  • Developing a roadmap for improved organizational resilience — whether it’s a reset or reinvigoration.


Risk leaders are ready to reimagine the program, not just tinker at the margins


  • Improving workforce resilience through strategic and operating model changes
  • Implementing changes to products and services based on changing customer expectations
  • Developing a roadmap to enhance the overall resilience of the organization
  • Making long-term upgrades to technology infrastructure for greater resilience
  • Addressing any gaps or shortcomings, other than technology needs, in our resilience identified through the COVID-19 experience
  • Investing in short-term technology infrastructure needs uncovered by COVID-19 and related crises
  • Developing a plan for financial resilience

*Note: the spending priorities of individual respondents may differ widely from this aggregate spend pattern.
Q: How are you allocating your total spending on resilience among the following activities in the next 12 months?
Source: PwC US Pulse Survey
October 6, 2020: Risk management leaders base of 93

Wanted: a resilience officer to be chief orchestrator and communicator

Resilience is most challenged at points of dependencies throughout the organization. Risks thrive at the seams and at the point of hand-offs. A necessary strategic and operational change organizations can make is to designate a single executive or executive team that’s accountable for resilience strategy and implementation. Our survey found that 54% of the organizations we surveyed haven’t done that.

The resilience officer orchestrates the activities of teams — in risk management and the three lines of defense, business continuity, incident response, crisis centers — toward resiliency goals. She may be the executive or leader from those functions or from the business (operations or finance). She is responsible for leading the design and running of the target operating model for resilience. 

The “fusion resilience center” is one such operating model. It integrates new and existing risk capabilities throughout the organization — creating synergies to increase efficiencies in threat intelligence, incident readiness, incident response, crisis management and BCP/DR. It shares critical knowledge among key response and recovery functions for continuous improvement.

The resilience officer gets out of the war rooms and into the executive suites, boardrooms and frontlines of business — communicating and coordinating. How else would the resilience functions win the confidence of the CEO and board, customers and partners? In our survey of 693 corporate directors, only 37% said they understood the company’s crisis management plan very well, while 32% understood the company’s cyber vulnerabilities very well. Compare that with 87% who have high familiarity with the company’s strategy and 68% with the competitive landscape.



Stepping up organizational resilience requires designating a chief resilience officer

Q: Which statement better describes the operating model for enterprise resilience in your organization?
Source: PwC US Pulse Survey
October 6, 2020: Risk management leaders base of 93

Armed with technology: the defense against speed and scale of today’s threats

The balance has tipped toward technology-enabled resilience. On the shopping list of risk leaders are long-term upgrades to technology (14.5% of resilience spend in the next 12 months) and short-term tech investments to meet needs uncovered during the current crises (13.2% of spend). 

Threats come and spread at the speed of machines and must be stopped with a resilience tech stack that amplifies the strength of seasoned risk professionals’ expert judgment and intuition.

At critical points in the anticipate-prepare-detect-respond-recover loop of resilience, technologies can help with coverage (100%, not samples), comprehensiveness throughout systems and devices (not stovepipes), identification of new strains of attacks (not just the tried and true) and speed (seconds, not days). 

Harnessing data analytics, visualization, graphical interfaces and machine learning, these resilience activities can now be automated: threat detection, investigation, monitoring and control testing, identification of high-value third parties, regulatory compliance checks. In some cases, autonomous — not just automated — detection and response is already possible. For example, AI-driven investigations can reduce time to triage by up to 92%.

The resilience tech stack should also include ways to integrate solutions together with the organization’s other systems: GRC, workflow management, business intelligence and data centers underlying the fusion centers. The point is integration by design: suites such as PwC’s Risk Command, not standalone solutions.

Complexity is an ally of attackers. As you decide on the wide array of available technologies, a good question to ask is this: how much complexity can we tolerate without introducing more risks?



Balance has tipped toward tech-enabled resilience


  • We rely heavily on technology to implement various resilience tasks efficiently. Staff are primarily focused on analysis, problem solving and strategy
  • Most of our resilience activities (detection, response, recovery) are done manually

Q: Which statement better describes the operating model for enterprise resilience in your organization?
Source: PwC US Pulse Survey
October 6, 2020: Risk management leaders base of 93




Modernizing the resilience tech stack


cents of every resilience dollar in 2021 will go to technology upgrades.


Watch our webcast

Business leaders must anticipate policy and regulatory shifts and understand the potential impact on their businesses regardless of who wins the presidency in November. Join us October 14 for the results of the next PwC Pulse survey.

Join this webcast on October 14 at 12:00 PM EDT.


Contact us

Dhiraj Malhotra

Internal Audit, Compliance & Risk Management Solutions Principal, PwC US

Brian Schwartz

Partner and Primary Author of the Global Risk Study, Risk Assurance, PwC US

Lillian Borsa

Principal, Integrated Digital GRC Solutions, PwC US

David Stainback

Partner, US Crisis Consulting Leader, PwC US

Shawn Lonergan

Director, Cybersecurity & privacy, PwC US

Tom Snyder

Risk Assurance Clients & Sectors Leader, PwC US
