"Companies today that leverage risk management as both an offensive and defensive tactic are leading the way in maintaining long-term success," said Dean Simone, leader of PwC's U.S. Risk Assurance practice. "Finding that right median will come differently to companies and industries across the board, but the key is to strike a balance that allows for growth at a comfortable pace, relevant to the risk appetite and tolerance levels set by management and accepted by the board."
To help companies achieve long-term growth, PwC outlines ten leading practices that companies can implement to build an infrastructure that is both risk-agile and risk-resilient:
1. Align risk management with strategic planning. It's critical for companies to understand their strategy from its earliest development phase, in order to move from enterprise risk management to strategic risk management.
2. Hold business units accountable for managing and monitoring their risks. Business units should be your company's first line of defense against risk. If this responsibility is solely put on risk management, the company may be focused too much on defense.
3. Define your risk appetite. Executives need to understand the extent to which their companies can withstand risk and then aggregate risk across the organization. And communicating that risk appetite across the organization is equally important.
4. Invest in data analytics to take a forward-looking view of risk. Software tools are becoming more powerful and predictive, allowing for more transparency across the enterprise. Companies that can integrate these new techniques will have a clear advantage.
5. Establish a set of key risk indicators (KRIs) that are relevant to your business, and then align them to your company's key performance indicators (KPIs). Companies that are good at both tracking KPIs and figuring out what risk events could arise in the future will succeed.
6. Appoint a CRO or similar role, if you don't already have one. The person overseeing risk must have a seat at the strategy table and promote active alignment across the organization. In many large companies, it is a critical C-suite role.
7. Develop flexible governance, risk management and compliance technology platforms, and automated security processes across your IT infrastructure. Leading businesses are automating security processes, using advanced analytics to detect incidents more quickly, and automating access management processes and risk and compliance management processes.
8. Learn how to effectively partner with and leverage third parties. Companies need to learn how to separate core functions from auxiliary ones, and having strong "just-in-time" relationships helps companies find the right resources as the need arises.
9. Ensure strong triangulation between strategy, risk management and business continuity management. All three are necessary to create long-term resilience that can then help a company become more risk-agile.
10. Remember that risk management is about playing both defense and offense. Companies must change the perception that risk management is merely about keeping the company out of trouble; it is also about helping to prevent roadblocks in order to keep the company moving forward.
"Chief Risk Officers (CROs) and Chief Compliance Officers (CCOs) will be the drivers in helping their companies become both risk-resilient and risk-agile. Their roles uniquely position them at the crossroads of risk resilience and agility, giving them an important platform to drive needed organizational change," continued Simone.

Risk agility has the ability to maximize growth in the near term, but aligning agility with risk resiliency will give companies the greatest competitive edge in the long term, according to a new study from PwC US entitled Risk in review: Going the distance. The findings are based on a survey of nearly 1,700 participants and are made up of responses from senior executives, board members, and risk professionals from across 23 industry segments, including one-on-one interviews.