Does PwC understand risk management?
I would like to say that the answer is “yes”, because I used to work for PwC and know many of their people – very good people.
I would also like to say “yes” because COSO has hired PwC to lead the update of their Enterprise Risk Management – Integrated Framework.
But, I cannot say that they do – at least not what is required for the fully effective management of uncertainty.
I think they understand much of the common, traditional wisdom about risk management, that managing risk is about avoiding threats as you strive to achieve your objectives.
But, I think they fail to understand that uncertainty between where you are and where you want to go contains both threats and opportunities – and managing risk is about making intelligent decisions at all levels of the organization, both to limit the effect and likelihood of bad things happening and to increase the effect and likelihood of good things.
Risk management is more than a risk appetite framework set by executives and approved by the board.
It is more than “embedding” the consideration of risk into the strategy-setting and execution processes.
It is more than enabling the board and executive management to make informed decisions, or even enabling division leaders to make informed decisions. Every decision, whether by executives or junior employees, creates and/or modifies risk.
No. Effective risk management is something that is (or should be) an integral part of making decisions and running the business every minute of every day, at all levels across not just the enterprise but the extended enterprise.
It’s about enabling decision-makers to take the right amount of the right risk.
What’s the point of a risk appetite statement if it is not effective in driving decisions, which occur not only in the board and executive committee rooms, but in every corner and crevice of the organization?
I am using PwC’s latest publication as the basis for this opinion. While Risk in review: Decoding uncertainty, delivering value (subtitled How leading companies use risk management to drive strategic, operational, and financial performance) makes some good points, it also misses the key point about enabling decision-makers to take the right amount of the right risk. It focuses instead on a view of risk management that is centered on a periodic review of a limited, point-in-time list of negative risks – such as those found in a heat map.
(The good point made by PwC is that risk and strategy need to be entwined, both in the setting of strategy and its execution. It is also useful to see that few organizations, just 12% in their view, have achieved PwC’s limited view of risk management leadership.)
I will let you read PwC’s ideas and limit my comments to their Five steps to risk management program leadership.
1. Create a risk appetite framework, and take an aggregated view of risk
I have no problem with the principle that the board and top management should understand and provide guidance to decision-makers so that they take the right amount of the right risk. I also agree that there are multiple sources of risk to any business objective, and that it is necessary to see the full picture of how uncertainty might affect the achievement of each objective.
But, as I said, a risk appetite framework has little value if it is not sufficiently granular so that every decision-maker knows what he or she must do if they are to take the right amount of the right risk. Few organizations have been able to translate a risk appetite statement to actionable guidance for decision-makers, even when they try to use risk tolerance statements. Risk criteria at the decision-maker level must be established that are consistent with the aggregated enterprise view, and this is exceptionally difficult in practice.
In addition, decision-makers should not be excessively inhibited from seizing opportunities or from taking/retaining “negative risk” when it is justified. The focus is far too often on limiting risk, even when it is at a level that should be taken.
2. Monitor key business risks through dashboards and a common GRC technology platform
I agree that every decision-maker should know the current level of risk. But the key point is that the decision-makers themselves have this information. While it is nice to have the risk function aware of current levels of risk, it is the decision-makers who have to act on that knowledge.
Further, why this nonsense about a “GRC technology platform”? Let’s talk about a risk management solution. I know that PwC makes a lot of money helping organizations select and then implement GRC solutions, but we are talking about risk management. Let’s focus on the technology needed for the effective management of risk by decision-makers at all levels across the organization. Integrating internal audit and policy management is far less important (IMHO).
Finally, people forget (and that includes PwC) that you need to monitor risk to each objective, not risk in isolation. Executives and managers need to receive integrated performance and risk information for each of their objectives.
3. Build a program around expanding and emerging business risk, such as third-party risk and the digital frontier
Everybody talks about risk expanding, saying that there is more risk today than in the past. I am not sure that is correct. Maybe we are just more attuned (which is a good thing) to thinking about risk, and certainly risk sources are becoming more complex. But is there actually more risk?
PwC talks about third-party risk, but that is not new at all. I wish they would talk about risk across the extended enterprise, which would broaden the picture some.
Technology-related business risk clearly merits everybody’s attention. It is unfortunate that insufficient resources are being applied by the majority of organizations to understanding and addressing both the potential harms and benefits of new technology.
4. Continuously strengthen your second and third lines of defense
Is there a reason we shouldn’t strengthen management’s ability to address uncertainty? (They are the so-called first line of defense.) Instead of the risk function feeding fish to management, why not train them to catch their own fish? Every decision-maker should be trained in disciplined decision-making, including the disciplined consideration of uncertainty.
Yes, the second line (risk management, compliance, information security, and so on) should be strengthened.
But, internal audit should not be limited to being seen as a “line of defense”. For a start, risk is not always something you need to defend against – often it should be actively sought as a source of value. Then, internal audit should help the organization actively take the right amount of the right risk, which it does by providing assurance that the processes for doing so are effective and by making suggestions for improvement.
I much prefer to talk about lines of offense. When you attack, you still need to be aware of IEDs, sniper positions, and mines. But the focus is on achieving success rather than avoiding failure.
5. Partner with a risk management provider to close the gap on internal competencies
Such a self-serving platitude! Yes, fill resource gaps with competent, knowledgeable professionals. But don’t hire a consultant to run periodic workshops – fill that need in-house.
Am I unfair to PwC?
Do they understand risk management and what it needs to be if an organization is to make the most of uncertainty?
We need to be tough on them if they are going to help COSO bring their ERM Framework up to the standard required for today and tomorrow – enabling better decisions so everyone takes the right level of the right risk.
I welcome your thoughts.