Almost ten years after the emergence of the financial crisis in 2008, risk management is evolving, shifting away from a purely protective mindset. In the old paradigm, risk was managed traditionally by the “second line” of defense in an organization.
However, a new study from PwC, “Risk in review: Managing risk from the front line,” finds leading companies are increasingly moving risk management decisions squarely in the purview of “first line” business units. Companies doing this most effectively (“front liners”) are more likely to project higher revenues and profit growth. Yet this innovative group is in the minority: out of more than 1,500 executives across 30 industries and over 80 countries surveyed, only 13 percent qualify as ’front liners’.
Additionally, the report underscores an alarming paradox: although cybersecurity is identified as a universal growing risk, only nine percent of respondents score highly on cyber risk maturity, suggesting many have not adopted leading practices to prepare them for online threats.
According to PwC’s new survey, Front Liners are more likely than other respondents to effectively manage across all 12 surveyed risk areas: financial, regulatory and compliance, earnings and volatility, operational, reputational, strategic, environmental, cybersecurity, technology, human capital, third-party, and culture and incentives. For example, among companies that have suffered a disruption due to operational risk, 63 percent of Front Linters reported recovering effectively versus 46 percent of other respondents.
The survey outlines five “Front Line” steps companies should consider taking to build a collaborative, effective risk management approach:
Set a strong organizational tone focused on risk culture modeled and measured by leadership and the board.
Align risk management with strategy at the point of decision-making so risk management is embedded into planning and tactical execution.
Recalibrate the risk management program across all three lines of defense so that the first line owns business risk decision making, the second line monitors the first, and the third line provides objective oversight.
Implement a clearly defined risk appetite and framework across the organization.
Develop risk reporting. Tracking risk is critical to keeping business decisions within the agreed risk appetite.