The latest research from PwC outlines five steps C-Suite leaders can take to build more risk-agile organizations
Written by Sally Bernstein and Mike Besly
Risk management is high on the C-suite agenda, consistently ranked as a top priority by participants in PwC’s annual Global CEO Survey in recent years. In response to increasing regulatory scrutiny, business complexity, and a growing list of high-profile security breaches, many companies are striving to strengthen their risk management capabilities and create a supportive internal culture—one based on a foundation of ethics and the right risk mindset.
These efforts can play an important role in helping companies become more agile in dealing with risk and, ultimately, gain a risk advantage—the competitive edge that results when proactive, dynamic risk management is embedded deep within the organization, when risk becomes central to the organizational strategy and the way business is conducted.
Where to Begin
We have identified five steps companies can take to become more risk-agile and move down the path toward achieving a risk advantage.
Step 1: Create a legitimate seat at the table for the risk management function.
In many companies, the risk management function has inadequate authority or influence. Leading companies are taking these steps to elevate the credibility and authority of the function:
· Changing the dynamic between risk management and the business. Risk managers are viewed as partners and advisors to the business. Risk teams have knowledge of business operations, enabling them to understand and support the risk-taking and innovation companies need to stay competitive.
· Embedding risk considerations into business decisions. Business units are playing a more active role as the first line of defense against risk. This involves clarifying risk roles and responsibilities, identifying risk triggers, and seeking risk counsel as part of key business decisions, not as an afterthought.
· Clarifying risk reporting relationships. According to PwC’s 2014 State of Compliance survey, leading companies are appointing Chief Risk Officers and giving them direct lines of communication to the CEO and board.
Step 2: Establish a “walk the talk” culture—from top to bottom.
Many companies claim that leadership promotes core values over growing the bottom line, but in some cases, this claim is not supported by management actions and decisions. To ensure that employees understand and act on the organization’s stated ethics and risk management values, leading companies are doing the following:
- Developing clear guidance on the risk culture to support organizational understanding of it. Examples include ensuring that all employees understand and follow the Code of Conduct; using standardized, consistent and easy-to-interpret risk language (i.e., avoiding “legalese”); and building risk considerations into strategic planning, budgeting, and marketing plans.
- Building risk-aware teams by embedding risk considerations into training policies and development program For instance, some companies emphasize risk-related rotations and/or risk oversight experience for key executives.
- Frequently communicating expectations surrounding effective risk management and ethical behavior, including reiteration of a zero-tolerance policy for retaliation, and discussing risk topics in routine management review meetings.
Step 3: Make change stick by means of better incentives—and clear consequences.
Leaders are taking the following steps to promote the right risk management behaviors and deter or censure the wrong ones:
· Dealing with compliance violations quickly, consistently, and fairly. Executives in leading companies hold themselves and their employees accountable for behaving in accordance with the stated values and ethics of the company. By doing so (e.g., firing a top sales producer after a fair and transparent investigation of an ethics violation), they send a clear message about the importance of risk management and compliance.
· Aligning incentives with desired risk behaviors. By integrating risk metrics into employee compensation, evaluations, and development, leading companies demonstrate their commitment to promoting sound risk behaviors over short-term profits at any price.
Step 4: Create better integrated and real-time reporting.
Many companies struggle to identify emerging risks because they lack readily available reports and dashboards, which are essential to improving decision making and helping teams consider risk more effectively. Forward-thinking companies are investing in sophisticated data mining tools, predictive analytics techniques, and consolidated and real-time risk reporting. Their goals:
· Develop an enterprise-wide view of data that overcomes fragmented technology, inadequate risk reporting, and longstanding organizational silos.
· Leverage advanced data analytics to improve management’s ability to proactively identify, escalate, and track potential risks.
· Improve communication channels to ensure that the right risk information is delivered to the right people—those overseeing specific strategic priorities—when and where it’s needed most.
Step 5: Develop a consistent approach to risk management across regions.
Risk policies should be adapted to local markets, but local teams need consistent guidance on key risk topics to ensure they’re aligned with the corporate strategy. Following these four guidelines will help ensure that local teams consistently take the appropriate risks for your business:
- Communicate clearly and regularly. Be explicit about your organizational risk appetite and risk tolerance, especially for your core strategies. Tell your employees exactly what sort of risks you’re willing to take (or not). Some organizations have had success in building risk communications directly into their corporate communications planning process.
- Clearly define the risk-related roles and responsibilities of everyone in the organization. Make sure that employees know exactly what they can and can’t do, including the level of risk they’re authorized to assume at each organizational and regional level.
- Empower your people and stand behind them. When you authorize them to take risks, don’t blame them for taking those risks if something subsequently goes wrong.
Accelerating Toward Success with Confidence
Becoming a risk-agile organization is not just about avoiding negative consequences; it’s about capitalizing on business opportunities. Just as brakes enable a car to accelerate with confidence, the combination of effective risk management and strong ethics allows a company to innovate faster and grow more rapidly, knowing that the “brakes” are in place to prevent it from losing control and veering off course. In an era of rising risks, the ability to accelerate confidently in the direction of your goals can help your company gain a risk advantage.
