Latest findings from PwC’s Pulse Survey
Vaccine makers are reporting preliminary efficacy rates above 90% just as the US has surpassed 10 million COVID-19 cases. The current reality perfectly illustrates the dual lens risk leaders take: one on possibilities and the other on risks.
With the election uncertainty behind them, risk leaders have turned more optimistic about the 2021 growth prospects. Over the next four years, risk leaders will play a pivotal role in enabling growth through multiple avenues: new products and services (61% more optimistic), organic domestic growth (55%), international acquisition (54%), domestic (52%) or organic international growth (49%).
In lockstep with the C-suite, risk leaders are committed to digital transformation and to securing it with spending on cybersecurity. In fact, more than 3,200 executives in our Global Digital Trust Insights Survey are upping the ante with their digital initiatives: They’re redefining their core business models (21%) and exploring new industries (18%), not just modernizing (31%) or seeking efficiencies (35%). And 55% of 1,500 security and IT chiefs in that survey expect their organizations’ spending on cyber to increase in 2021.
Factoring resilience into digital transformation is an immense task for risk leaders. Many continuity plans and controls frameworks have been designed around manual and human-led processes. Risks and failure points would be different in such a system compared to a digital process. Risk leaders need to review how well their resilience plans can support the growth possibilities that business leaders envision.
One hundred and twelve risk management leaders from Fortune 1000 and private companies, along with other C-suite executives, weighed in on policy-related issues in our latest PwC Pulse Survey, fielded November 9 to November 13, 2020. In the ongoing survey, risk management leaders also shared their perspectives on other top-of-mind issues, including risks with a new administration, regulatory outlook and stress-testing.
In the short term, risk leaders remain concerned about the current operating environment. That light at the end of the pandemic tunnel is still quarters away. Almost half of risk leaders (47%) worry about the effect of a new wave of COVID-19 infections leading to further shutdowns. Already many companies are spending substantial amounts on workplace safety. Forty-seven percent are concerned about finances, including effects on results of operations, future periods and liquidity and capital resources. And 38% are concerned about another round of impact from a global economic downturn.
Longer term (over the next four years), more than half of risk leaders expect shifts in the policy and regulatory regime and related compliance risks to become more pressing. A Biden administration has signaled major pivots from the last administration in its 2021 policy agenda.
Cybersecurity shows up among both near- and long-term risks. In a Biden administration, cybersecurity is expected to receive a higher priority. More entities will likely be designated as critical infrastructures, with expectations that they meet higher resilience standards.
Nearly three-quarters of 168 US executives named cyber risk as one of the top three risks their companies face, according to an HBR survey conducted in September 2020. They put cyber risk well ahead of the next risk category, the risk of business disruption and systems failures, which only 42% cited.
The bar is rising on documenting and proving that resilience plans work. That means being ready for more scrutiny from stakeholders and more stress-testing.
In a digital world, networks of people, organizations and even nations rise and fall together. That’s the nature of connectedness. In financial services (FS), an outage at one firm or third-party service provider could have ripple effects across the entire sector.
That’s why operational resilience has become a focus area for the FS sector. A synthesis of existing regulations and guidance on sound practices for operational resilience was recently published by three overseers of financial services in the US. Large and complex FS organizations ought to review the practices against their existing operational resilience strategy and make enhancements before the agencies take the next step to formalize new requirements.
Across many industries, resilience planning will be shaped significantly by a number of emerging regulatory or enforcement trends.
Stress-testing resilience plans is one of the lasting lessons from the pandemic. Risk leaders say that stress-testing will become more frequent and commonplace within the ecosystem of third and nth parties (64%), within their own organizations (63%) and in their supply chain (59%).
A stress test assumes that the worst scenario will happen. It’s conducted to discover how quickly a business would respond and what it can cost a business to recover. Do the critical systems, people and locations continue to operate and serve customers? It’s a way to find out if the organization has to adjust risk profiles and impact tolerances, as well as the resilience plans themselves.
But faced with a wide range of potential sources of disruptions, how do businesses prioritize which areas to stress-test? The organization’s view of the most important risks should inform the resilience program overall and the stress-testing activities. Zero in on those most critical areas where response-and-recovery capabilities are weakest.
Repeating stress tests often is a good way to check that the dynamic interconnections within your organization are working properly under constantly changing forces and conditions. Invest in people specifically tasked with stress-testing. Build a data recovery environment for testing, instead of relying on ad hoc, borrowed capacity.
Stress-testing yields measures of the organization’s resilience and of the functional maturity of your resilience program. It also helps the organization get valuable time-series data on recovery times and costs.
Resilience is as much about being prepared to enable and secure new possibilities for your organization as it is about being prepared against disruptions.
From three waves of risk leader surveys, we summarize the insights for your resilience journey.
Get your organizational resilience capabilities up.
Turn your resilience into an advantage.
Get ahead of it by stress-testing.