The world has dramatically changed in the last two years as has the risk environment. Change is fast and disruptive. Our latest research outlines the challenges facing Irish businesses and how they can adapt to support risk-informed decision-making.
of Irish respondents expect revenue growth over the next 12 months
struggle with the speed of digital transformations
will increase their spend on risk management technology
will increase their spend on data analytics
With the pandemic, geopolitical instability and sanctions leading to economic, labour market and supply chain disturbances, the risk environment for organisations is significantly different than it was just two years ago. PwC surveyed 3,584 business, risk and compliance executives to obtain their perspectives on evolving risk management practices and related challenges.
Market, operating model and cyber risks were the top risks for respondents at a global level. In Europe, geopolitical and external change (including climate) risks were top, followed by cyber (including information-management). This is consistent with PwC’s 2022 CEO Survey (undertaken before Russia’s invasion of Ukraine), which identified cyber as the leading risk for CEOs.
These high-priority risks are tightly interconnected, meaning one can amplify others and impacts can be far-reaching. What may start as a technology breach can quickly pose huge operational, financial and reputational risk. Equally, geopolitical events can significantly impact supply-chain and cybersecurity risks.
Globally, the survey found that the top 10% of respondents—those realising benefits from strategic risk management practices across all industries—expect faster revenue growth and better outcomes. They are five times more confident in their ability to deliver outcomes and twice as likely to anticipate revenue growth greater than 10%.
The survey also revealed that Irish businesses are significantly increasing their spend on risk management technology. The focus is on data analytics and process automation to keep up with the speed of digital change, and transformation to facilitate effective performance management and support more positive growth forecasts than global and European benchmarks.
With growing complexity and interdependence of risks, risk governance structures and their supporting systems and processes must be streamlined and integrated to facilitate risk-informed decision-making at all levels of an organisation.
Many do not have a common risk language, for example, which—if implemented and used consistently—can enable an organisation to productively view and make decisions about risk. Driving consistency in risk management capabilities across the organisation can be difficult, however.
Oftentimes, disparate risk processes and systems are deployed. This contributes to challenges in achieving a common and consolidated view of risk. Investment in risk processes, frameworks and enabling systems is therefore required to help organisations deploy a standardised and consistent approach to risk management.
66% of the Irish respondents (and 75% of global respondents) face significant management challenges due to technology systems that don’t work together, while 60% (and 69% globally) face challenges due to the lack of a coordinated approach to enterprise risk.
In addition, manual and/or time-consuming risk processes make them costly and difficult to engage with for 54% of Irish respondents and 73% of global respondents. Meanwhile, a lack of access to digital tools and enablers for risk management activities were areas where Irish businesses (57%) fared better than the global benchmark (72%).
In response, the survey found that roughly two-thirds of Irish businesses and three-quarters of global businesses are increasing their spend on risk management workforce practices. This includes the addition of technology and digital capabilities to the risk function, reorganising the structure of risk functions and redefining the balance of resources across the three lines.
Further, only 21% of Irish respondents and 23% of global respondents are currently realising benefit from a governance, risk and compliance (GRC) system that is panoramic and integrated, with 15% of Irish respondents and 22% of global peers increasing collaboration among the three lines.
Based on the data, it appears that there is further scope for Irish businesses to implement risk governance structures, coordinate enterprise risk management practices and, where these are in place, deploy technology over the medium-term to facilitate risk-informed decision-making.
The environment in which organisations operate is in a constant state of change. As such, strategic decisions are revisited frequently. Combined with an increasing focus on non-financial risks, the ability to utilise and interrogate data is key to understand and detect changes in the risk landscape.
How risks are managed must adapt so that real-time risk insights and analysis can support risk-informed decision-making throughout the organisation. Risk management capabilities, both technological and human, must therefore be agile and operate in an iterative manner to reflect the organisation’s evolving risk profile. This is currently a challenge for 75% of Irish respondents who stated that their risk functions and risk owners lacked the required skill sets (compared to a global rate of 70%).
Our survey found that Irish businesses are rising to the challenge with 78% of respondents increasing their spend on risk management technology (compared to a global rate of 65%) and 36% increasing their spend by more than 11% (compared to a global rate of 22%).
This increased expenditure appears to be focused on data analytics (84% for Irish respondents and 75% for global) and process automation (69% for Irish respondents and 73% for global). Notably, 42% of Irish respondents anticipate a significant increase in expenditure on process automation, which compares favourably to the global benchmark of 31%.
The significant increase in risk management technology spend comes despite only 36% of Irish respondents and 50% of global respondents seeing tangible returns from previous spending in this area. That said, 42% and 38% respectively are beginning to see tangible returns. These insights potentially reflect the longer time -horizon over which digital capabilities can be developed and integrated into risk management practices.
On that basis, there is more to be done to ensure that Irish businesses derive value from their significant medium-to-long-term investments in risk management technology.
Risk management capabilities provide the greatest value to board members and business leaders when they are embedded within the organisation’s strategic planning and decision-making processes. This enables risk management to be proactive and forward-looking, helping businesses to remain agile and efficiently drive a panoramic view of risk across the enterprise while keeping up with the pace of change.
Globally, 39% of respondents stated that they made better decisions and achieved sustained outcomes by consulting risk professionals early while 85% of Irish respondents and 91% of global respondents are confident that their risk function can increase organisational resilience.
The survey also shows that Irish business leaders find it tough to keep up with the pace of change, with 75% and 79% of Irish and global respondents stating that the speed of digital and other transformations is a significant risk management challenge. However, only 61% and 50% of Irish and global respondents state that their technology investments allow them to keep pace with the speed and scale of transformation programmes.
In Ireland, 39% of leaders believe that digital transformations require a significant change in risk management, as opposed to moderate adjustment—significantly lower than the global rate of 62%. This indicates that Irish risk functions are more reactive in their response to risk.
Embedding risk management in the strategic planning and decision-making processes of Irish businesses must therefore be improved if they are to remain agile in the face of change.
Figure 3. To what extent is your organisation realising the benefits of implementing the following risk management strategies and programmes in 2022?
|Creating a governance, risk, and controls system that is panoramic and integrated||21%||23%|
|Increasing collaboration amongst the three lines||15%||22%|
|Defining or resetting risk appetite and risk thresholds||21%||22%|
|Investing in first-line risk management processes and tools||12%||22%|
|Quantifying new risks to assess risk exposure and to adjust risk appetite||15%||21%|
|Investing in risk culture and considering behavioural risk||27%||21%|
|Creating ethical frameworks for new areas that the business is pursuing (e.g. AI, IoT)||30%||21%|
|Achieving compliance by design with code directly in business and digital applications||18%||20%|
|Defining a new balance between first-line and second-line resources (tech, people, ownership)||21%||20%|
Many business leaders saw opportunities to thrive in the face of disruption during the pandemic. They questioned their business model and ways of working and engineered changes for the long-term, which were accompanied by risk.
Risk and return are inextricably linked. An organisation’s risk management capabilities can create tremendous value if they help the organisation take advantage of the upside of risks with a higher payoff.
Risk appetite is a critical tool in helping business leaders understand where they can take more risk in pursuit of new opportunities and growth. It denotes the guardrails within which the board asks executives to stay as they make decisions and execute on their strategies. If an opportunity requires more risk than the organisation’s appetite allows, it may be useful to revisit the risk appetite and consider whether the organisation is willing to take on more risk for greater reward. Among Irish survey respondents, 21% report that they are now realising the benefits of either defining or resetting their organisation’s risk appetite. This is in line with the global benchmark of 22%.
Risk culture also plays a role in taking advantage of the upside of risk. A strong compliance culture can stifle innovation, for example, while weak compliance can diminish the organisation’s brand and reputation. An effective risk culture enables business leaders and risk managers to have a clear understanding of the organisation’s risk appetite. It also gives the board and senior executives confidence that risks and opportunities will be identified and managed across the organisation.
54% of Irish respondents and 56% of global respondents are investing in risk culture and considering behavioural risk in 2022, while 30% and 21% respectively are realising the benefits of creating ethical frameworks for new areas of pursuit for their businesses. When strategy, risk appetite and risk culture are aligned, business leaders can take decisive action. 81% of Irish respondents are confident in their risk functions’ ability to build a more risk-aware culture, slightly lower than the global rate of 90%.
It therefore appears that there are further opportunities for Irish businesses to leverage risk management practices and risk appetite to understand where they can take more risk in pursuit of new opportunities and growth.
Figure 4. The views reflecting a proactive approach to risk management (Ireland vs Global)
|Our risk management approaches allow us to overcome complexities in our business initiatives||70%||65% (-5%)|
|Risk management technologies are integral to the way we manage risks||67%||62% (-5%)|
|Our business partners regularly consider risk management in making key decisions and frequently involve risk professionals||64%||69% (+5%)|
|The organisation of risk management enables risk professionals to be at the table when key decisions that affect the organisation's risk profile are made||61%||66% (+5%)|
|Our organisation engages in proactive and continuous dialogue with policymakers and regulators on emerging risks and how they can be managed||58%||42% (-16%)|
|Our risk function proactively and regularly seeks to include external insights in our assessment and monitoring of risk||48%||62% (+14%)|
|Digital transformations require a significant change in risk management||39%||62% (+23%)|
Review your risk management governance, framework, processes and responsibilities to ensure integration and balance of effort across the three lines of defence.
Formalise and standardise risk management practices across the enterprise to move towards an integrated approach with a common language so that you prioritise the right actions.
Consider a technology solution to facilitate integrated and coordinated risk management activities, but one where adequate culture and practices are present. Technology is an enabler, not a solution.
Mine key risk indicators (KRIs) from internal and external data for real-time risk intelligence.
Develop a common methodology supported by data analytics to provide actionable risk insights, early sight of potential problems and real-time intelligence to inform decision-making.
Where possible, leverage data to quantify risks. Where you can put a value on risk, you can better prioritise risk response and calculate the return on investment (ROI) on the investments being made.
Promote the value of performance and risk management to C-suite and board members to enable early and constructive engagement, leading to proactive and agile risk management that delivers value to the business.
Establish a strategic risk management programme to facilitate the prioritisation of strategic initiatives and active management of related risks.
Embed risk management in strategic planning, business decision-making processes and large-scale initiatives to gain insight and action and derive value from your risk investments.
Engage with a broad group of stakeholders to take a panoramic view of risk. This will allow you to respond to disruption seamlessly, focus investment in the right areas, deploy capital properly and do it all at speed.
Take advantage of available data and risk tools to give you a wider view of the rapidly evolving risk landscape across all three lines of defence.
Understand the interdependencies of risks, systems and data to better assess and establish risk-monitoring capabilities and escalation procedures that ultimately enhance risk identification and response.
Establish a clean and simple risk appetite statement to clearly articulate how much risk the company is willing to take in pursuit of strategy.
Educate risk owners on how to leverage risk appetite as they make business decisions.
Invest in risk training and awareness for all employees to develop a risk-aware culture so that you can not just withstand, but take advantage of, changing dynamics.
Disruption is inevitable, no matter how good we are at anticipating it. As a result, organisations must be agile and organisationally resilient by design. We are ready to help you on your risk transformation journey. Contact us today.