For CROs, investments in talent and technology can only get them so far. Year over year they’ve upgraded their systems, increased staffing and implemented training, and most will continue doing so in the coming year to better protect their company’s assets. Their first line is well positioned to manage risk. Yet our latest PwC Pulse Survey shows that risk executives struggle to keep up. Three quarters (75%) agree that, despite their investments and improvements in risk management, they can't keep up with a rapidly changing regulatory environment. Almost as many (74%) agree they can’t keep up with a rapidly changing economic environment. This echoes the sentiment of more than 3,500 risk executives globally: 79% said their top challenge is keeping up with the pace of digital and related transformations.
Economic and regulatory uncertainty is a common theme voiced by CROs. Macroeconomic uncertainty tops the list of concerns, with 64% of risk leaders saying they’re very concerned about a potential recession, stock market volatility and other macroeconomic conditions (versus 56% overall). They’re also worried about a more active regulatory and legislative environment (47% are very concerned) and their company’s ability to mitigate compliance and regulatory risk (with 39% very concerned). These uncertainties, coupled with evolving cyber threats, are testing — and shaping — how risk leaders prepare for 2023.
CROs invest in technology to manage evolving threats while staying on budget.
65% are increasing investments in data analytics, 57% in automation
In a tight economic environment, CROs are banking on automation and data analytics to help reduce costs while strengthening risk management. Over the next 12 months, 65% of risk leaders will spend more to upgrade their data analytics capabilities, and 57% will spend more on automating their processes to better monitor risk. This aligns with CIO spending over the same period, with most CIOs planning increased investment in digitization of the supply chain, infrastructure and operations.
But operating budgets aren’t keeping pace with the need to ramp up investment. Only 33% of risk leaders will spend more overall in the next 12 months, while 57% will hold the line and another 8% plan to cut overall spending. Preparing for an uncertain future requires investing in ways that improve risk management capabilities while also reducing costs. Automation is key. The business itself is making complementary moves to improve compliance and cut costs. A PwC analysis of Sarbanes-Oxley controls at more than 70 companies, for example, suggests that a 15% increase in automation can yield a 10% decrease in compliance costs. Risk executives understand this correlation, and 81% tell us they have confidence in their company’s ability to drive down compliance costs while effectively mitigating risks (versus 70% overall).
Implement a tech-enabled compliance program that’s scalable, prioritizing repetitive, high-volume rules-based activities.
Use automation and data analytics to improve monitoring and risk management while streamlining compliance activities, freeing staff to focus on emerging risks.
The top risks are interrelated, but CROs can take steps to bolster their ability to mitigate all three.
are very concerned about supply chain risks to their company’s growth in 2023
CROs perhaps feel the challenge of keeping up most acutely against external actors who ceaselessly probe for new ways to steal or disrupt. The three top threat areas facing CROs are cyber, fraud and supply chain risks.
Cyber risks. Today, less than a quarter of executives globally believe they have fully mitigated the risks from cloud adoption, remote work, use of Internet of Things and other digitization efforts, according to PwC’s 2023 Global Digital Trust Insights. Fortunately, it was clear from the August 2022 Pulse Survey that there’s broad executive support in the US to focus on better cyber risk management and increase investments. CEOs and boards are making time to go up the learning curve on cyber risks. The C-suite is getting better at coordinating to understand and respond to threats together.
Fraud risks. Since the beginning of 2022, we’ve seen a jump in fraud incidents and a rise in new fraud schemes. Tough economic conditions create motives to commit fraud and rationalize it. Meanwhile, the opportunity to commit fraud has increased with digitally enabled access to financial systems by people within and outside companies. For example, cyber-enabled vendor fraud schemes are becoming easier to execute — with higher success rates. Businesses may be experiencing an overall increase beyond the rule-of-thumb estimate of fraud costs at 5% of revenue.
Current fraud risk management practices are no match for this trend. In some cases, organizations have no real-time fraud detection mechanisms. In others, automated fraud alerts are not used effectively. At best, they’re tackled on a best-efforts basis. At worst, they’re ignored because teams responsible are tired, burdened or unable to manage huge spikes in fraud alerts.
Supply chain risks. The supply chain is the focal point for cyber threats, macroeconomic and geopolitical pressures, and ESG concerns. When it comes to supply chain resilience, the lack of visibility into their supply chain is a hidden weakness for most companies.
Getting insights into the structure and profile of your tier 1 supplier network is difficult. It’s even harder to get insights into tier 2 and beyond, yet they are critical “to view” — what they do, the materials they use, the industries they’re from and the locations they work in are necessary to answer the “how exposed are we” question. This visibility should be the foundation for determining which responses to external changes are the most effective moves for a company. Is it diversification of sources, substitution of elements or investments in alternatives and/or new technologies?
CROs are closely monitoring, even influencing, the legislative and policy agenda.
Cybersecurity (44%) and privacy (42%) are the areas of top engagement
Policy engagement is a top concern among risk executives, and it deserves their keen attention given the regulatory landscape. Cybersecurity leads their list of policy priorities, with 92% of risk leaders monitoring cyber developments closely (47%) and actively engaging with lawmakers to influence policy (44%). Indeed, all executives except tax and HR leaders named cyber as the top policy area of engagement and monitoring (86% overall). Data privacy is another priority area, with 83% of risk leaders closely monitoring (42%) and influencing policy (also 42%). Climate and clean energy figure prominently as well, with 81% of risk executives closely monitoring (43%) and/or actively engaged (38%).
This heightened policy focus is paying off. Despite their concerns about the changing regulatory environment, most CROs (81%) are confident that their company can drive down compliance costs while effectively mitigating regulatory risks.
Ally with your CIO, a role that increasingly wants to shape their company’s ESG, cybersecurity and privacy strategy as conditions and risks evolve.
When faced with new disclosure requirements, make sure you have the data that regulators will expect, defining the required metrics, their scope and boundaries, what systems the information comes from and who the owners are.
Our latest PwC Pulse Survey, fielded October 12 to October 18, 2022, surveyed 657 executives and board members from public and private companies about the current business environment, the risks executives are facing and the impact those risks have on company strategy and growth plans. Of the respondent pool, 72 are executives in risk management functions such as CROs, CISOs and chief audit executives.