What this means for you and your business

The shift occurs now. Are you ready?

Building an optimized risk management ecosystem

First-line risk management leadership is all about engagement: placing responsibility for the various building blocks of an effective risk management program—strategic alignment, expertise, processes, assurance—with the line of defense best prepared to execute them.

When leaders drive risk management, they move beyond support to ownership.

Shifting risk management activities to the first line of defense is only one part of moving towards a more proactive, strategically aligned risk management program. Building a risk management ecosystem optimized for today’s challenges requires buy-in across the enterprise. Here are five steps that can set your organization on the right path.

Five steps for your organization path

Putting the C-suite to work

When leaders drive risk management, they move beyond support to ownership.

The Chief Executive Officer (CEO) must set the tone for a constructive risk culture, promote a coherent, organization-wide risk appetite framework, and align risk management with strategic planning.

The Chief Financial Officer (CFO) should support calibration of risk management decision making by allocating resources to the lines of defense and to decision making points.

The Chief Risk Officer (CRO) enables effective risk management by promoting active monitoring, leading risk tolerance training, and coordinating with the CIO/CISO to manage cyber risk organization wide.

The Chief Compliance Officer (CCO) takes a leadership role in helping the organization aggregate risk. CCOs are more likely than other titles to say they have a formal process for aggregating risk across the company and that they review results against a defined risk appetite (58% vs. 51% for CROs).

The Chief Information Officer (CIO), who owns all the technology risk, equips the lines of defense with the necessary technology for predicting and monitoring risk. The Chief Information Risk Officer (CIRO) coordinates with the CRO to monitor cyber and data privacy risk.

The Chief Audit Executive (CAE), as the last and objective line of defense against risk, must continually evaluate the risk management program overall—including the CRO’s effectiveness—”and independently assess first and second line risk activities.

The Board of Directors supports the CEO in setting a top-down risk culture and overseeing aggregated risk in the context of the organisation’s risk appetite and risk tolerance framework.

“Shifting risk responsibility back to first line and moving the second line into the oversight role takes a great deal of collaboration, but it can be difficult to collaborate and provide effective challenge at the same time.”

Kimberly H. JohnsonExecutive Vice President and Chief Risk Officer Fannie Mae

Contact us

Jason Pett
Risk Assurance Leader, PwC US
Tel: +1 (410) 659 3380

Brian Schwartz
Financial Services Internal Audit, Compliance and Risk Management Solutions Leader and GRC Enablement Leader, PwC US
Tel: +1 (202) 729 1627

Scott Greenfield
Advanced Risk and Compliance Analytics Solutions Leader, PwC US
Tel: +1 (646) 471 5383

Jim Woods
Global and China/Hong Kong Risk Assurance Leader
Tel: +[852] 2289 2316

Follow us