Conditioning the Organization for Risk – Agility vs Resiliency

Balancing risk agility and risk resiliency is the focus of PwC’s recently published fifth annual risk study. The report, Risk in Review: Going the D​istance, makes the case that organizations that do both well are more likely to have long-term success.

Of particular interest to me is how the study defines risk agility and risk resiliency. Risk agility is an organization’s ability to “. . . respond quickly to changing markets, customer preferences, or market dynamics,” according to the study. Risk resiliency is defined as an organization’s “. . . ability to withstand disruption by relying on solid processes, controls, and risk management tools and techniques, including a well-defined corporate culture and a powerful brand.”

These definitions capture well two approaches to risk. One is offensive or aggressive while the other is defensive or protective. Put in those terms, it is clear why organizations that excel at both are more likely to enjoy enduring success

The PwC report, based in part on a survey of 1,679 risk professionals from 23 different industry segments, packs an impressive amount of survey data, case studies, and region- and industry-specific figures in its 30 pages and ends with key recommendations, titled “10 ways to build enduring growth.”

The report segments industries into four categories:

• Steady Performers (High Resiliency/Low Agility) — e.g., utilities, banking, aerospace, and defense.
• Slower Movers (Low Resiliency/Low Agility) — e.g., education, government, retail, and consumer.
• Faster Movers (High Agility/Low Resiliency) — e.g., industrial manufacturing, pharma, and business services.
• High Performers (High Resiliency/High Agility) — e.g., technology, asset management, and insurance.

​The report determines that while risk agile companies — faster movers — are far more likely to expect revenue and profit growth than those that are not risk agile — slower movers, steady performers — they fall short in areas of business continuity, succession planning, and strategic alignment that contribute to sustainable success. The bottom line: Even though risk agility enhances growth, balancing it with risk resiliency provides a competitive edge over the long term, according to PwC’s analysis of the data.

From an internal audit perspective, the PwC report findings are similar to what I’ve said before about the value of aligning the audit plan with the organization’s risk appetite and business strategy. When properly aligned, internal audit provides assurance that management’s actions fall within the risk appetite while alerting management and the board about the relative strengths and weaknesses of controls, practices, and policies designed to protect the organization.

The PwC report’s list of 10 ways to build enduring growth includes basics such as aligning risk management with strategic planning and defining the organization’s risk appetite. I’ll comment here on just a few of the others.

• Invest in data analytics to take a forward-looking view of risk. This is sound advice. But as noted in the 2016 North American Pulse of Internal Audit, it is critical for internal audit to provide assurance on the accuracy of the data being analyzed and the conclusions being drawn from the data that may be used to design business strategies.
• Align key risk indicators and key performance indicators. As noted in the PwC report, performance indicators are backward looking while risk indicators are forward looking. Internal audit should play a role in providing assurance in both areas.
• Appoint a CRO or similar role if you don’t already have one. All organizations should have someone overseeing risk, typically someone in a second line of defense role. There is danger in assigning this role to the CAE. The CAE and the internal audit function must remain independent to provide appropriate assurance on the efficiency and effectiveness of risk mitigation efforts. Putting the CAE in charge of risk oversight creates a conflict of interest.

All organizations should embrace the goal of becoming High Performers as defined by the PwC report. Some industry segments may not be positioned to excel as much in the area of risk agility, but all can strive to succeed in risk resiliency, and internal audit should ​play an active role in achieving both.

I welcome your comments, as always.