In our more than 120 interviews with board members and senior executives as part of PwC’s 2020 Global Risk Study, the theme we heard repeatedly was that risk functions (internal audit, compliance, risk management, etc.) have to collaborate, and do so in ways far more advanced than just communicating with each other and sharing information.
Why? Because in our connected world, risks are more complex and interconnected. Studying business risks only in silos, such as by risk function or business unit, can lead to less than full visibility into enterprise business risk and a lack of understanding of risk interrelationships. Risk functions that want to provide their organizations with the strongest and most timely risk insights need to pool their collective risk intelligence to form the most comprehensive and sophisticated views.
There’s work to do here. PwC research shows that just 27% of risk functions set an integrated tone for risk management. We all know it is not uncommon for senior executives to receive different insight on the same risks from different risk functions. How can those executives reconcile this piecemeal information to make the smartest risk-informed decisions? Splintered insights also have broader consequences: the board and senior executives may agree on the list of top risks to the organization, but their perspectives on a risk’s priority, its connectivity with other risks, and overall view on how well a risk is being managed and monitored may not align.
Boards and senior executives play a significant role in rectifying the above situation. When these groups set a collaborative tone, and expect risk functions to collaborate, it naturally drives more interaction. If that leadership expectation is missing or unclear, risk functions should be proactive with management about the need for a collaborative tone at the top.
Following the checklist below will help to ensure a collaborative tone and appropriate governance of risk management are in place. When the tone is set, risk functions can work cohesively to provide the best risk insights to help protect business value, keep programs on track and enable strategies.
The goal of many organizations with more mature enterprise risk management programs is to make decisions which consider risk appetite across all risk categories and business units. One asset management company we interviewed noted they make company-wide portfolio investment decisions based on balancing risk and risk appetite. These discussions and decisions are facilitated through committee meetings, and possible only because the company has spent significant time defining risk appetite, and developing comprehensive aggregated reporting driven by the CRO with input from the various business units.
When there is consolidation of risk insight and reconciliation of issues across the lines of defense, a deeper and more comprehensive view is presented to senior executives and the board, which allows them to make smarter, risk-informed decisions. Tone at the top, and leadership direction on where priorities lie, push risk functions forward in collaborating on insights and gaining consensus on how operational governance over risk is, and should be, executed.
Look for additional blogs in this series to learn more about how risk functions are collaborating for stronger risk insights.