Is your company properly aligned to manage risk? A recent analysis by PwC provides insight on the key characteristics used by high-performing companies to demonstrate strategic risk alignment.
The study points out that in organizations where risk management efforts are aligned, the risk management and internal audit functions serve as second and third lines of defense that work alongside the business units as they analyze, mitigate, and make decisions pertaining to risk, and that enable risk to be addressed in real or near-real time.
Risk alignment and risk resiliency
The PwC study points out that for successful risk management, companies must do two things: (1) build agile and flexible risk management frameworks that can anticipate and prepare for shifts that bring long-term success and (2) build the resiliency that will enable those frameworks to mitigate risk events and keep business moving toward its goal. The firm defines these two key characteristics. Risk agility is the ability to alter and adapt risk management infrastructure to respond quickly to changing markets, customer preferences, or market dynamics. Risk resiliency is the ability to withstand business disruption by relying on solid processes, controls, and risk management tools and techniques, including a well-defined corporate culture and strong brand.
In developing a matrix between risk agility and risk resiliency, the PwC study characterized how companies performed. “High performers” were both highly risk agile and highly risk resilient. “Steady performers” were companies that were high in resiliency and lower in agility. “Faster movers” were companies that were highly risk agile but not highly risk resilient, and “slower movers” were companies that had both low risk agility and low risk resiliency. In the study, pharmaceutical companies ranked as “faster movers,” along with industrial manufacturing companies, and chemical companies were ranked as “high performers.” In the study, pharma companies rated themselves highly on their ability to rapidly pursue growth opportunities; 52% of pharmaceutical companies said that they were good at this compared to 41% of total respondents. However, only 23% use formal risk management techniques, according to the PwC study. Twenty-one percent of pharmaceutical company respondents said that they understood the velocity of risk, and less than half said that they can deal capably with these challenges. To compare with other areas, industrial manufacturing companies are less likely to say they continually adapt their risk approaches based on emerging risks, with only 35% of industrial manufacturers saying that they do this compared with 49% of total respondents.
Pharma companies in risk agility and risk resiliency matrix
“Faster movers,” which include pharmaceutical companies, and “high performers” are more likely than other company types in the risk matrix to expect significant growth. The PwC study concluded that these companies are more focused on the upside of risk. These companies have the ability to identify opportunities ahead of competitors, more rapidly pursue those opportunities, and accommodate changes to the business more quickly than can companies that lack risk agility. For near-term revenue and profit-margin growth, risk agility was found to be a more important characteristic than risk resiliency, according to the PwC study.
The study also found that “Faster movers,” which include pharmaceutical companies and are characterized by high risk agility but not high risk resiliency, were actually able to outperform “High performers,” or companies with both high risk agility and high risk resiliency. “Faster movers” are slightly better at rapidly pursuing and mobilizing for new growth opportunities, but “high performers” gain an “agility boost” by also being highly resilient. “High performers” are better able to move beyond risk agility to enable their companies to withstand disruptions or events that might counter growth strategies. This would include being better able to launch business continuity plans, better mobilize internal resources following a disruption, communicate more effectively to stakeholders, and better use third-party resources, according to the study. The study showed that “High performers” are more likely to budget effectively for disruption risk (64% versus 23% of “Faster movers”).
The study further found that “Faster movers” appear to rely more heavily on the strength of their brand rather than investing more in key risk management tools and techniques. For example, the study found that although 69% of “Faster movers” have strong and respected brands, only 43% continuously adapt their risk approaches based on emerging risks, and only 35% have succession plans for senior leadership. Also significant, only 42% of “Faster movers” report having well-defined and automated information technology security processes. In short, “Faster movers” were found to have inadequate risk resiliency even though their revenue and profit margin gains are only slightly higher than companies that are both highly risk agile and highly risk resilient.
10 Best practices for risk management
To achieve the proper balance between risk agility and risk resiliency, the PwC study offered 10 leading practices to consider as outlined below.
1. Align risk management with strategic planning.
2. Hold the business units accountable for managing and monitoring risks.
3. Define your company’s risk appetite.
4. Invest in data analytics to gain a forward-looking view.
5. Establish a set of key risk indicators that are relevant for your business and then align them with your key performance indicators.
6. Appoint a chief risk officer or similar role.
7. Develop flexible governance, risk management, and compliance technology platforms and automated security processes across information technology infrastructure.
8. Learn how to effectively partner and take advantage of capabilities of third parties.
9. Ensure strong integration among strategy, risk management, and business continuity management.
10. Understand that risk management involves both playing offense and defense.