Risk management leader insights

Latest findings from PwC’s Pulse Survey

Risk leaders are ready for possibilities

Vaccine makers are reporting preliminary efficacy rates above 90% just as the US has surpassed 10 million COVID-19 cases. The current reality perfectly illustrates the dual lens risk leaders take: one on possibilities and the other on risks.

With the election uncertainty behind them, risk leaders have turned more optimistic about the 2021 growth prospects. Over the next four years, risk leaders will play a pivotal role in enabling growth through multiple avenues: new products and services (61% more optimistic), organic domestic growth (55%), international acquisition (54%), domestic (52%) or organic international growth (49%).

In lockstep with the C-suite, risk leaders are committed to digital transformation and to securing it with spending on cybersecurity. In fact, more than 3,200 executives in our Global Digital Trust Insights Survey are upping the ante with their digital initiatives: They’re redefining their core business models (21%) and exploring new industries (18%), not just modernizing (31%) or seeking efficiencies (35%). And 55% of 1,500 security and IT chiefs in that survey expect their organizations’ spending on cyber to increase in 2021.

Factoring resilience into digital transformation is an immense task for risk leaders. Many continuity plans and controls frameworks have been designed around manual and human-led processes. Risks and failure points would be different in such a system compared to a digital process. Risk leaders need to review how well their resilience plans can support the growth possibilities that business leaders envision.

Resource re-allocations: ready for possibilities, armed for risks

Q: To what extent is your business changing resource allocations in the following areas in 2021? (Responses to 'small increase,' ‘large increase’)
*Highest-ranked choices from a list of 10 options.
Source: PwC US Pulse Survey
November 13, 2020: base of 656; Risk management leader base of 112, CFO base of 227, COO base of 91, CHRO base of 108

Top findings

One hundred and twelve risk management leaders from Fortune 1000 and private companies, along with other C-suite executives, weighed in on policy-related issues in our latest PwC Pulse Survey, fielded November 9 to November 13, 2020. In the ongoing survey, risk management leaders also shared their perspectives on other top-of-mind issues, including risks with a new administration, regulatory outlook and stress-testing.


Armed for short- and long-term risks

In the short term, risk leaders remain concerned about the current operating environment. That light at the end of the pandemic tunnel is still quarters away. Almost half of risk leaders (47%) worry about the effect of a new wave of COVID-19 infections leading to further shutdowns. Already many companies are spending substantial amounts on workplace safety. Forty-seven percent are concerned about finances, including effects on results of operations, future periods and liquidity and capital resources. And 38% are concerned about another round of impact from a global economic downturn.

Longer term (over the next four years), more than half of risk leaders expect shifts in the policy and regulatory regime and related compliance risks to become more pressing. A Biden administration has signaled major pivots from the last administration in its 2021 policy agenda.

Cybersecurity shows up on both near- and long-term risks. In a Biden administration, cybersecurity is expected to receive a higher priority. More entities will likely be designated as critical infrastructures, with expectations that they meet higher resilience standards.

Nearly three-quarters of 168 US executives named cyber risk as one of the top three risks their companies face, according to an HBR survey conducted in September 2020. They put cyber risk well ahead of the next risk category, the risk of business disruption and systems failures, which only 42% cited.

The bar is rising on documenting and proving that resilience plans work. That means being ready for more scrutiny from stakeholders and more stress-testing.

Macro and business risks that will be more pressing with a Biden administration

[Chart: net change by risk category. Categories shown: Policy/regulatory shifts; Workplace safety; Compliance risk; Cybersecurity; Macroeconomic risk; Third-party disruptions; Environmental risk; Skills shortage; Brand/reputational damage; Liquidity and solvency; Fraud]

Q: In the next four years, with a Biden administration, which of the following macro and business risks will be more or less pressing, compared to the last four years? (net change = ‘more pressing’ responses minus ‘less pressing’ responses)
Source: PwC US Pulse Survey
November 13, 2020: Risk management leader base of 112

Your customers, business partners and regulators are watching

In a digital world, networks of people, organizations and even nations rise and fall together. That’s the nature of connectedness. In financial services (FS), an outage at one firm or third-party service provider could have ripple effects across the entire sector.

That’s why operational resilience has become a focus area for the FS sector. A synthesis of existing regulations and guidance on sound practices for operational resilience was recently published by three overseers of financial services in the US. Large and complex FS organizations ought to review the practices against their existing operational resilience strategy and make enhancements before the agencies take the next step to formalize new requirements.

Across many industries, resilience planning will be shaped significantly by a number of emerging regulatory or enforcement trends.

  • Privacy right of action clauses in state and federal legislation. Sixty-two percent of risk leaders anticipate that laws like the recently passed California Privacy Rights Act will provide consumers and privacy advocates with means to seek redress on privacy violations.
  • Information-sharing platforms between government and private sector to increase resilience of critical infrastructures, expected by 57% of risk leaders.
  • Expansion of oversight of cloud providers and other ICT third-party service providers as proposed in the Digital Resilience Act, and harmonization of resilience, such as the proposal for international collaboration, expected by 49% of risk leaders.
  • Enforcement action even before an incident, based on evidence of weaknesses in controls or practices — exemplified by the New York Department of Financial Services’ charges against a large insurance company — anticipated by 42% of risk leaders.

Risk leaders are gearing up for increased scrutiny of resilience programs

[Chart categories: More scrutiny from industry regulators; More scrutiny from business partners and customers in my ecosystem; More scrutiny from national regulators]

Q: Given the outcome of the presidential and congressional elections, do you expect more or less scrutiny of your resilience program?
Source: PwC US Pulse Survey
November 13, 2020: Risk management leader base of 112

Uncover weaknesses through stress-testing before others discover them for you

Stress-testing resilience plans is one of the lasting lessons from the pandemic. Risk leaders say that stress-testing will become more frequent and commonplace within the ecosystem of third and nth parties (64%), within their own organizations (63%) and in their supply chain (59%).

A stress test assumes that the worst scenario will happen. It’s conducted to discover how quickly a business would respond and what it can cost a business to recover. Do the critical systems, people and locations continue to operate and serve customers? It’s a way to find out if the organization has to adjust risk profiles and impact tolerances, as well as the resilience plans themselves.

But faced with a wide range of potential sources of disruptions, how do businesses prioritize which areas to stress-test? The organization’s view of the most important risks should inform the resilience program overall and the stress-testing activities. Zero in on those most critical areas where response-and-recovery capabilities are weakest.

Repeating stress tests often is a good way to check that the dynamic interconnections within your organization are working properly under constantly changing forces and conditions. Invest in people specifically tasked with stress-testing. Build a data recovery environment for testing, instead of relying on ad hoc, borrowed capacity.

Stress-testing yields measures of the organization’s resilience and of the functional maturity of your resilience program. It also helps the organization get valuable time-series data on recovery times and costs.

Stress-testing is going to be conducted more frequently in the next year

[Chart categories: Stress-testing our third-party, nth-party relationships; Stress-testing within our organization; Stress-testing our supply chain]

Q: What are your plans for conducting stress tests of your resilience plan in the next 12 months? (Responses to ‘conducting more frequently’)
Source: PwC US Pulse Survey
November 13, 2020: Risk management leader base of 112

Takeaways

Resilience is as much about being prepared to enable and secure new possibilities for your organization as it is being prepared against disruptions.

From three waves of risk leader surveys, we summarize the insights for your resilience journey.

  1. Master the basics of organizational resilience. Build visibility into your critical assets and dependencies. Name a resilience leader and team, and formalize their responsibilities within a target operating model. Tie your resilience strategy to the enterprise risk management program. Eighty-seven percent of risk leaders are investing to improve their resilience programs.
  2. Look for opportunities to turn your resilience to an advantage. Invest to re-imagine the program, not just tinker at the margins. Use technology to help strengthen your resilience for the speed and scale of the threats organizations face today. Risk leaders are investing 28 cents of every dollar for technology upgrades. Their yardstick for success? Increased confidence of customers and stakeholders in their ability to withstand, respond to, and recover from constant intrusions and threats.
  3. Prepare for greater scrutiny: resilience is now business as usual. Consider it a regular part of operations. It’s no longer the crisis-driven capability that gets activated occasionally. About two-thirds of risk leaders expect increased scrutiny from customers, business partners and regulators; they’re prepared to conduct stress tests more frequently in the coming year.

Being prepared for new possibilities and being prepared against disruptions


Master the basics.

Get your organizational resilience capabilities up.

Look for opportunities.

Turn your resilience to an advantage.

Prepare for greater scrutiny.

Get ahead of it by stress-testing.

Past surveys

To view data and insights from previous PwC Pulse Surveys, please see below.

November 23, 2020

October 13, 2020

September 15, 2020

Contact us

Dhiraj Malhotra

Principal, Risk and Regulatory, PwC US

Brian Schwartz

Partner and Primary Author of the Global Risk Study, Risk and Regulatory Practice, PwC US

Lillian Borsa

Principal, Risk and Regulatory, PwC US

David Stainback

Partner, US Crisis Consulting Leader, PwC US

Shawn Lonergan

Director, Cybersecurity & privacy, PwC US

Tom Snyder

Risk and Regulatory Operations Leader, PwC US