2022 Global Risk Survey

Embracing risk in the face of disruption

Seize the opportunity through strategic risk management capabilities

The world has changed in the past two years, as has the risk environment in which organizations operate. Today, change is fast and disruptive: caused disturbance in the labour market and the supply chain. The current volatile geopolitical environment is further exacerbating supply constraints, heightening cyber risks, introducing rapidly evolving sanctions and putting safety and humanity at the forefront of all decisions. Ransomware attacks are more frequent and more sophisticated, no doubt a driver of cyber’s rise to the top threat to business among CEOs in our 25th Global CEO Survey. The changing work environment brought on by the pandemic continues to disrupt talent and labour markets. Supply shortages, sanctions and rising raw material costs are heightening risks within supply chains as organizations deal with upstream risks related to subcontractors and other fourth parties that add further complication. Customers, investors and other stakeholders are laser-focused on ESG, particularly in light of recent proposed SEC climate disclosures. Each of these risks can cause significant impacts, but because they are also highly interconnected, any one risk can initiate far-reaching implications across the enterprise and put brand and reputation at stake.

In this turbulent business environment, many executives find the need to revise and adapt their strategies and operating models at a rapid pace. They know that capturing opportunity and avoiding disruption require speed. While managing disruptions, organizations are simultaneously dealing with internal digital transformation challenges, and how to bring along internal stakeholders as they automate business processes and drive digital into everything they do. 

Organizations’ risk management and broader resilience capabilities need to quickly adapt to support business agility and to contribute proactive, robust and timely risk insights for decision-making. In an environment where change is constant, strong risk and resilience capabilities can provide an edge. Business leaders can make confident decisions in pursuit of their strategy that are informed by a panoramic view of risk.

Our 2022 Global Risk Survey highlights five key actions that organizations should consider to drive their risk management capabilities forward.

Risk management capabilities provide the greatest value to Board members and business leaders when they are embedded within the organization’s strategic planning and decision-making processes. The environment in which organizations operate is far from static. It changes constantly. As such, strategic decisions are revisited frequently. How risks are managed needs to adapt so that real-time risk insights and analysis can support risk-informed decision-making by stakeholders across the organization. This means that risk management capabilities must be agile and operate in an iterative manner to reflect the organization’s changing risk profile. PwC’s survey shows that organizations recognise the importance of this imperative: Nearly eight in ten say keeping up with the speed of digital and other transformations is a significant risk management challenge.

The organizations that have stood out from the pack in the past two years have not just managed existing risks — they’ve taken on new ones, and done so with confidence. These organizations have an agility advantage. They have the right resources engaged in making risk-informed decisions at the right time. Good analysis and modelling are key components of proactive risk management, as is including risk management capabilities at the start of new projects and other strategic initiatives. Today, less than 40% of business executives are reaping the benefits of consulting with risk professionals early in their programmes.

Consider these key strategies for engaging early and getting risk insights at the point of decisions:

  • Embed risk management into the strategic planning, business decision-making processes, and large-scale transformation initiatives
  • Bring diverse risk insights together by forming a risk community of solvers to keep abreast of key risks and related analysis 
  • Conduct strong scenario planning and modelling capabilities to address key business risks

Organizations commonly use key performance indicators (KPIs) to measure performance against strategic objectives and to support decision-making. The same approach should be used for measuring and monitoring risks. When connected to key business risks, key risk indicators (KRIs) provide leading indicators of the risk environment in which the organization operates. Movement in KRIs provides early-warning signals to leaders to reevaluate strategies, risk management capabilities and risk mitigation activities. Changes in KRIs can signal opportunity as well as risk. Examples of KRIs to monitor ransomware risk, for example, may include phishing occurrences, the number of open critical points, email security issues or leaked credentials. Supply chain risk KRIs might include supplier quality ratings, violations, financial health measures and more. 

The ability to utilise and interrogate data is a key tool in the arsenal for detecting changes in the risk landscape. The survey shows that companies are investing: Three-quarters of executives are planning on increasing spending across data analytics, process automation and technology to support the detection and monitoring of risks. Sharing investment and further integrating technology and risk data across the three lines could help to efficiently drive a panoramic view of risk across the enterprise. 

Consider these key strategies for taking a panoramic view of risk: 

  • Mine KRIs from internal and external data for real-time risk intelligence
  • Take advantage of data availability and risk tools for a more panoramic view of the rapidly evolving risk landscape across all three lines
  • Establish risk-monitoring capabilities and escalation procedures to respond to rapidly increasing risks

Business leaders saw opportunities to thrive in the face of disruption during the pandemic. They began to question their business models and ways of working, and they engineered changes for the long term which were accompanied by risk. Risk and return are inextricably linked. An organization’s risk management capabilities can create tremendous value if they help the organization take advantage of the upside of risks that have higher payoff.

Risk appetite is a critical tool to help business leaders understand where they are able to take more risk in pursuit of new opportunities and growth. It denotes the guardrails within which the Board asks executives to stay as they make decisions and execute on their strategies. If an opportunity requires more risk than the organization’s appetite allows, it may be fruitful to revisit risk appetite and consider if the organization is willing to take on more risk for greater reward. Among survey respondents, 22% report they are now realising benefits from either defining or resetting their organization’s risk appetite. 

Risk culture also plays a role in taking advantage of upside risk. An overly strong compliance culture can stifle innovation, for example, while too weak of a compliance focus can impact brand and reputation. An effective risk culture enables business leaders and risk managers to have a clear understanding of the organization's risk appetite and gives the Board and senior executives confidence that risks will be identified and managed as desired across the organization. When strategy, risk appetite and risk culture are aligned, business leaders can take decisive action. 

Consider these key strategies for employing risk appetite to take advantage of upside risk: 

  • Establish a clean and simple risk appetite statement to clearly articulate how much risk the company is willing to take in pursuit of strategy
  • Educate risk owners on how to leverage risk appetite as they make business decisions
  • Invest in risk culture training and awareness for all employees

With the growing complexity and interdependencies of risks, more timely and relevant information is needed to be able to make risk-informed decisions. Many organizations do not have a common risk language which enables an organization to productively view and make risk-related decisions. Driving consistency in risk management capabilities across the organization can be difficult. Oftentimes, disparate risk processes and systems are deployed, contributing to challenges in achieving a common and a consolidated view of risk. Investment in risk processes, frameworks and enabling systems is needed to help an organization deploy a standardised and consistent approach to risk management. While 75% of organizations report that having technology systems that don’t work together is a significant risk management challenge, just 35% of those are addressing that challenge in a formal, enterprise-wide manner. 

Consider the following key strategies for enabling risk-based decision-making through systems and processes: 

  • Employ a Government, Risk and Compliance (GRC) technology platform to enable a consistent approach to risk management across the three lines and be the single source of truth
  • Leverage a singular risk assessment approach to drive consistency in the identification and prioritization of key business risks
  • Establish strong relationships across the three lines to clearly define roles and responsibilities related to risk activities
  • Put in place reporting and data requirements defined by both business and risk leaders

Talent management. Supply chain. Regulatory compliance. Cyber threats. ESG. Regardless of industry sector, these risks are likely impacting organizations’ strategies and operations.

These high-priority risks are tightly interconnected, which means one can amplify others and impacts can be far reaching. For example, what may start as a technology breach can quickly pose huge operational, financial and reputational risk. 

Risk management capabilities should go beyond the traditional risk analysis and perform deep dives on these fast-moving, high-priority risks. A deep-dive effort should identify the risk triggers and signals. It should help risk owners understand the interdependencies between the risks driving the organization’s risk profile. And an evaluation of risk management plans should identify actions the organization can take to help drive increased resiliency. 

Not all risk exposures can be completely mitigated or avoided. A critical capability to strengthen resilience is to develop robust business continuity and crisis response plans to enable the organization to respond to and isolate risks in a swift and agile manner.

Consider the following key strategies for doubling down efforts on top risks: 

  • Perform an interconnectivity assessment over key business risks
  • Facilitate deep dives into mitigating activities over key risks
  • Develop and exercise robust business continuity and crisis response plans

Strategic risk management: The payoff 

In a business environment defined by volatility and laden with interconnected risks, risk management must be a team sport. Ownership of different risks is understandably spread more and more across distributed parts of the organization, yet all parts need to work together, with well-informed risk insights and a common understanding and usage of risk appetite.

Our survey found that when organizations embrace risk management capabilities as a strategic organizational capability — where a community of solvers participates and teams have a panoramic view of risks enabled by internal and external data, together with smart technology — Board and executive confidence in achieving sustainable outcomes is high. They are five times more likely to be very confident in delivering stakeholder confidence, a growth-minded risk culture, increased resilience and business outcomes. And, they’re almost twice as likely to project revenue growth of 11% or more over the next twelve months. Strong risk management capabilities help protect an organization from downside risks and they enable it to look forward and take risks in pursuit of growth. It’s a win-win.

The top 10% of respondents — the ones that are realising benefits from strategic risk management practices — expect faster revenue growth and better outcomes.

Business outcomes

  • Increased share prices
  • Improved returns on strategic investments

Stakeholder confidence

  • Increased board confidence
  • Increased customer trust
  • Increased confidence among external investors

Growth-minded risk culture

  • Improved organizational resilience

About the survey

The 2022 Global Risk Survey is a survey of 3,584 business and risk, audit and compliance executives conducted from February 4 to March 31, 2022. Business executives make up 49% of the sample, with the remaining 51% is split among executives in audit (16%), risk management (24%) and compliance (11%). 

Fifty-eight percent of respondents are executives in large companies ($1 billion and above in revenues) and 19% are in companies with $10 billion or more in revenues. 

Respondents operate in a range of industries: financial services (23%), industrial manufacturing (22%), retail and consumer markets (16%), energy, utilities and resources (15%), tech, media, telecom (13%), health (9%), and government and public services (2%).

Respondents are based in various regions: Western Europe (30%), North America (29%), Asia Pacific (21%), Latin America (12%), Central and Eastern Europe (3%), Middle East (3%) and Africa (3%).

This survey was conducted by PwC Research, PwC’s global Centre of Excellence for market research and insight.

Check out our on-demand webcast "Reimagine risk in the face of disruption"

Watch now

Industry snapshots coming soon: Technology, Media and Entertainment, Healthcare, Pharma and life sciences, Industrial products, Private equity.

Contact us

Sam Samaratunga

Sam Samaratunga

Head of Risk, PwC United Kingdom

Sean Joyce

Sean Joyce

Global Cybersecurity & Privacy Leader, PwC US; Cyber, Risk & Regulatory Leader, PwC US

Andrew McPherson

Andrew McPherson

Global Risk Markets Leader, PwC Australia

Tel: +61 418 431 296

Brian Schwartz

Brian Schwartz

Partner, Cyber, Risk and Regulatory, PwC US

Mike Maali

Mike Maali

Partner, Cyber, Risk and Regulatory, PwC US

Robert Ryan

Robert Ryan

Partner, Cyber, Risk and Regulatory, PwC US

Follow us