Balancing risk and reward

Hayley-Beth Peters Director - Enterprise Risk Management Lead, Non-Financial Services, PwC United Kingdom

The Covid-19 pandemic has prompted many organisations to reassess their appetite for risk, but this is work that needs to be carried out in the context of the business’s strategic objectives.

Almost nine in 10 organisations are reassessing their tolerance for risk because of the COVID-19 pandemic, new research reveals. PwC’s Annual UK CEO Survey suggests business leaders are focusing on new methods for measuring enterprise risk and making decisions in the wake of the crisis, with 89 per cent thinking again about their risk appetite^[1].

“The pandemic has made people stop and think,” says Hayley-Beth Peters, UK Lead of Enterprise Risk Management at PwC, pointing out that not a single executive in PwC’s 2019 Global Crisis Survey expected to face a global health pandemic. “We may have felt that we instinctively knew what risks we faced, but many organisations now recognise the need to think more broadly about what may face them in the future; then they can begin to think about how to deal with those risks[2]”.

There are plenty of them. The World Economic Forum’s Global Risk Report 2021 highlights the ‘highest likelihood risks of the next 10 years’ as extreme weather, climate action failure and human-led environmental damage, digital power concentration, digital inequality and cyber security failure[3].

Add to those threats the disruptive forces of technological advance and new competition. And then there is the more general sense of unease about what lies ahead: PwC’s CEO Survey shows 86 per cent of UK CEOs are worried about uncertain economic growth^[4].

Inevitably, there are difficult judgments to make. Managing enterprise risk does not mean eliminating it all together. Nor should it: after all, risk goes hand in hand with opportunity. A business focused on the potential benefits of digital transformation, for example, will be conscious of the increased cyber security risks from an increased digital footprint, but will still want to proceed while managing that risk. A business determined to get rid of all health and safety risks would have to cease operating completely.

The key is to think about enterprise risk in the context of the organisation’s objectives, argues Iain Wright, Chair of the Institute of Risk Management. “Risk has got to link to strategy,” he says. “What are the risks that the organisation faces as it pursues its strategic objectives and builds its business? What are the red lines it is not prepared to cross?”

Since the responsibility for setting the organisation’s strategic direction sits at board level, so too does the ultimate responsibility for deciding your risk appetite, argues PwC’s Hayley-Beth Peters. “The conversation the board needs to have is about where and how much risk the organisation is prepared to take given the rewards available,” she says. “This is how you set your parameters; then you move on to the controls that you need, as well as how to track risk.”

This is exactly the approach taken by Yorkshire Water, explains the utility company’s Head of Risk and Audit Rachel Lindley. “Our conversation begins with the organisation’s objectives and what could go wrong as we pursue those objectives,” she says. “We think about both bottom-up factors, issues to do with our people, our assets and our technology, and external risks, such as political, regulatory or societal risk.”

Each of those risks is assessed both for its likelihood and its potential impact, with speed of onset also an important factor. Some risks will be non-negotiable – Lindley gives the example of any threat to public safety – while in other cases, risk tolerance may be higher. “The board is very clear about its appetite for risk in the context of its objectives,” she says. “We have a mechanism that ensures the board understands the nature of the risk and its extent – and that it is able to respond in a way that is proportionate.”

Still, many organisations feel their boards are better equipped to deal with some types of risk than others. In one recent report from the management school INSEAD, 91 percent and 88 percent of boards, respectively, believed they had good knowledge of risks related to finance and regulation, but only 28 per cent and 34 per cent said the same of cyber security and climate change^[5].

“The conversation the board needs to have is about where and how much risk the organisation is prepared to take given the rewards available.”

Hayley-Beth PetersUK Lead of Enterprise Risk Management, PwC

Once an organisation's board has set out its risk appetite, the role of the CEO and the broader management is to set a course that reflects this judgement. This means building structures that enable reporting - and thus risk monitoring. Every function of the organisation is generating data constantly, so the task is to harness the relevant insights from this data to track areas identified as of concern.

New technologies have an important role to play here, with many risk functions now investing in data analytics and tools such as dashboards that provide a real-time view of a broad range of risk metrics. It is also possible to use such tools to assess potential exposures, through exercises such as stress-testing and war-gaming that give the organisation a view of its exposure to scenarios.

The aim, argues the Institute of Risk Management's Iain Wright, is to build an organisation where enterprise risk management is embedded in decision making. "Beware box ticking, where you seek risk only as a compliance exercise," he says. "The goal is a culture where you have flexibility, trust and a willingness to question yourself."

Organisations that get that right will improve the quality of decision making and enhance speed to market, rather than risk acting as a brake. For example, embedding security into digital projects at the design stage, rather than retrofitting protections, will ensure transformation proceeds more quickly and exposes the organisation to fewer vulnerabilities.

The imperative is for risk professionals to become business partners, argues PwC's Hayley-Beth Peters. "How is the risk function perceived in the wider organisation?" she asks. "Is it an afterthought that people turn to at the last minute, or do colleagues recognise its potential to help them understand and manage risk as they pursue opportunity?"

_{This content was paid for by PwC and produced in partnership with the Financial Times Commercial department.}

^{_{[1] https://www.pwc.co.uk/ceo-survey.html

[2] https://www.pwc.com/ee/et/publications/pub/pwc-global-crisis-survey-2019.pdf

[3] https://www.weforum.org/reports/the-global-risks-report-2021

[4] https://www.pwc.co.uk/ceo-survey.html

[5] https://www.insead.edu/sites/default/files/assets/dept/centres/icgc/docs/leadership-in-risk-management-european-report-2020.pdf}}