As businesses become more connected, so do their risks. This means that risk functions (internal audit, compliance, risk management, etc.) need to collaborate with each other to fully understand risk interdependencies and to produce the most powerful risk insights possible. In fact, the need for better collaboration among risk functions was the key finding of PwC’s 2020 Global Risk Study.
But how can risk functions collaborate to create comprehensive views on risk and gain consensus on risk priorities when each function is categorizing risks in its own way, leveraging stand-alone technology, drawing on different data, building its own analytics and defining its own metrics? It’s hard, if not impossible—and, in the majority of organizations, that is the norm.
Risk functions face huge hurdles in building a common foundation, from data quality and data access challenges to disparate and disconnected risk management and workflow technologies. Just half (51%) of the organizations we surveyed believe they have the right data today to manage risk and only a third feel they have the right technology and tools to do so. However, a common foundation is critical to collaborating for more powerful risk insight.
So what practical steps can risk functions take to lay a common foundation that will make more powerful risk insight possible? Our study and PwC experience say to press forward in three areas:
Come to consensus on a common risk language and measurements. Without a common risk taxonomy it’s challenging for risk functions to collectively prioritize and communicate risks, unify risk assessments or assess the materiality of risks against the organization’s risk appetite. Getting to a common risk language can be a significant hurdle, particularly for global decentralized organizations, but our Global Risk Study shows that some companies are well on the way: They’ve built a common risk definition and common calculation of key risk indicators and are using that as an underpinning for analytics, continuous monitoring and dashboard reporting.
Bring disparate technologies together through a common platform. The pace of change and complexity of risk are so significant that risk functions can’t get a timely and comprehensive view of risk without technology as an aid. A consumer goods manufacturer we interviewed typically spent the bulk of each quarter consolidating risk insight. It can now prepare consolidated board reports in days thanks to a common technology platform that aggregates risk insight globally. Because of that technology-enabled consolidation, the company is able to recognize and respond to risks faster and do so with a coordinated response. For example, they can more easily monitor water scarcity which was previously monitored as a risk to only certain geographies but now, with the visibility into new risk factors and patterns, is monitored as a strategic risk. One way risk functions are pushing forward on their technology agenda is by working together to create a consolidated business case for investment which makes the value proposition much stronger.
Embed within the organization’s data strategy. Top organizations are defining a single enterprise-wide data initiative and instructing all business units to collaborate. In organizations where an enterprise data architecture strategy and data lakes are underway, risk functions should embed themselves in those efforts to make their collective data and functional requirements known. In organizations where enterprise-wide data initiatives are not yet underway, the addition of a risk data lake can multiply risk functions’ effectiveness and impact.
Our study found that some risk functions are moving aggressively down a path toward common technology and a shared data source, particularly in financial services and healthcare sectors. They are investing in risk data lakes, bringing multiple sources of data and analytics together for risk insight previously not possible, and sharing analytical models across the lines of defense for ongoing risk monitoring. With a common foundation in place, these groups will be well positioned to tell one story about their organization’s risks, issues and control environment.
Look for additional blogs in this series to learn more about how risk functions are collaborating for stronger risk insights.