Aligning growth and risk

How enterprise resilience can help drive growth in financial services | September 2016

www.pwc.com.au/resilience


“The experience since the global financial crisis and recent global events have challenged the fundamentals about risks and their impacts – risk management has to change for the good of the business and for the good of the economy”


Aligning growth and risk | 3

Enterprise resilience – an important business capability today

Risk management as a business discipline has been through the wringer since the global financial crisis. Eight years on, the business environment has still not returned to its former state and many are wondering if it ever will. Given the ongoing uncertainties in global economics and geopolitics, it’s not surprising the confidence of business leaders has taken a hit.

Our recent Global CEO Survey found Australia’s CEOs are less confident about their companies’ growth prospects than a year ago, and less optimistic about growth in the world economy. And as confidence falls, concerns are rising: over three quarters see more threats today than they saw three years ago.

The reaction of CEOs, including many in financial services, has been to ‘de-risk’ their businesses by implementing cost-cutting measures and reducing headcount. But in an environment of increasing complexity, change and opportunity, is this really the path to sustained growth?

PwC considers that enterprise resilience is one of the most important capabilities a business needs today. Enterprise resilience is not traditional risk management; it’s an organisation’s capacity to anticipate and react to change – not only to survive, but also to grow.

To explore what resilience could offer Australia’s financial services sector, we brought together a roundtable of executives and thought leaders, including PwC’s Global Leader of Risk Consulting, Dennis Chesley, and Rick Crethar, PwC’s Australian Risk Leader. Here’s a snapshot of the ideas that emerged from our discussion.

About the authors

Dennis Chesley is PwC’s Global Risk Leader with over 24 years of experience across a broad range of public and private entities with global operations. Dennis helps clients evaluate and choose among risk strategies and treatment options – to help them realise opportunities from the risks the chosen strategies and options can bring. Dennis’ clients include global financial institutions, NGOs, federal agencies and industry utilities, and he has been responsible for leading several of the firm’s larger and/or more complex projects. Most recently, Dennis leads PwC’s work on the Committee of Sponsoring Organizations of the Treadway Commission (COSO) update to the Enterprise Risk Management (ERM) framework, slated for release in 2017.

Rick is a Partner in PwC Australia who leads the Risk Consulting Business nationally. He helps clients manage risk successfully so that they can continue to drive change, achieve growth and improve the resilience of their organisations. Rick engages with C-suite management and board members to help them see that risk is far more than value protection; when managed effectively and strategically, it can have a positive impact by capitalising on the opportunity that often accompanies it.

At PwC, we call this your risk advantage. Whether clients are embarking on large scale projects, responding to a specific risk, weighing up investment decisions, investigating anomalies, or striving for greater confidence in governance, Rick works with them to evaluate risk with a focus on improving business performance and minimising the impact of any adverse events.


COSO update: The emerging alliance of growth and risk

First up, participants were keen to hear about the upcoming changes to the Enterprise Risk Management – Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which has been released for public comment. The framework is widely accepted and used by organisations around the world to manage uncertainty and grow value.

As one of the main contributors to both the original and revised versions of the framework, Dennis offered key insights into how it’s evolving.

The big difference this time around is the heightened focus on the relationship between risk and strategy, which is becoming much more pronounced globally.

“As operating environments become more complex, subject to constant change and disruption, there is an increasing need for companies to actively consider risk in the context of strategy, mission and values.

“In the act of strategy setting, understanding the risk profile in each strategic option and carrying that through from an execution standpoint, is going to be extremely important.”

“Risk to the strategy” has traditionally been assigned to strategy functions, in an effort to prevent the potential erosion of value. However, the “implications from the strategy” and the “risk of a strategy not aligning” have potentially bigger impacts on performance.

Indeed, a strategy’s risk profile, the assumptions and implications underpinning its selection, drives the creation of value. And that’s what the draft Framework update helps to make clear: ERM can do its part in the selection of strategy, rather than solely managing risk after the strategy is selected.

A new COSO framework: what’s different

- emphasises the relationship between strategy, risk and value
- enhances the alignment between performance and ERM
- conduct, behaviour and risk-based decision making
- leveraging data and analytics
- reputation, brand and trust is at the core
- role of the CRO and the key lines of defence

Steps in the revision process:

- draft released for comment on June 15
- public comment period until September 30
- final release early 2017

Find out more at erm.coso.org


Risk taking risks

The need for risk and strategy to talk to each other more led to a discussion about how the risk management function can reposition itself within an organisation in order to be part of these conversations.

PwC’s Risk Consulting Leader, Rick Crethar, asked whether the risk function should re-brand itself from being a gatekeeper to being more influential in helping businesses realise upside.

According to Dennis, effective risk management is about recognising that risk evolves throughout the business lifecycle. Risk should have the conversations that are about identifying the opportunities which build the business while also keeping the ship steady.

“When you talk to business executives – you need to have a certain mindset. You can’t simply come in and be the wet blanket saying ‘you can’t do this and you can’t do that’; you need to say ‘here’s what we need to do to make this happen’.”

This means influencing the strategy which drives the business. Whether it’s giving positive guidance on transactions, or helping with the view of what customers mean to the business – taking risk and reward together.

For example, if a company’s strategy is dependent on third parties, risk can collate insights and run analytics so that the third party relationships can really deliver. In essence, it’s about turning risk into a commercial advantage.

Some participants raised the point that the calibre of risk people is critical; they need to have the skills, capabilities and a different attitude to have these kinds of conversations.

Risk capabilities will shift more to mathematical, analytics and business collaboration/translation, whereby data can be analysed and translated into business insight.

Another said that the risk culture in the organisation is important too: “if you’ve got a business which understands risk, then the organisation will engage with risk not as the ‘police’, but as advisors.”

Enterprise resilience fosters a change of mind-set and culture, moving organisations from a defensive position to proactively seeking opportunities.

It serves as the baseline for entrepreneurial thinking and leverages values for decision taking to promote greater initiative and business partnering which seeks to understand what the business values.

Everyone agreed that this change in attitude presents a tremendous opportunity, but that risk must take a risk and re-think the way it engages with, and positions itself within, the organisation.

enterprise resilience [en-ter-prahyz ri-zil-yuh ns]

Resilience is an organisation’s capacity to anticipate and react to change, not only to survive, but also to evolve


Cybersecurity: better integration of risk and strategy

Because it’s among the top concerns of CEOs and boards, cybersecurity presents an opportunity for risk to drive a conversation about business strategy.

Dennis said that the traditional risk management approach has not been effective for cyber risk. The instinct has been to build greater defences, through stronger walls – but this is a recipe for continuous spending in areas which may not pose the greatest risks.

What’s missing in the conversation, from a risk and strategy perspective, is to ask: ‘What should we change in our business to chop cyber threats off at the knees?’

Companies that have taken a different approach started by challenging what their most critical areas were – for example: ‘We don’t necessarily need to collect credit card information on our customers; however, we must properly manage our authorisation codes, in order to reduce our exposure to stolen data’.

In other words, they reviewed their business operations to zero in on the real threat and reduce it. Thinking differently about risk management fundamentally changed the nature of the conversation between risk, IT, business executives and ultimately the Board.
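As an added illustration of the data-minimisation idea in the example above (this is not code from the PwC paper or from any roundtable participant), the following Python contrasts a payment record that retains the full card number with one that keeps only the gateway token, authorisation code and last four digits, then scans each stored form for anything that looks like a card number. The gateway response, the token value, the field names and the `record_payment` functions are all constructed for this example; the only standard piece is the Luhn check-digit test used to recognise card numbers.

```python
"""
Data minimisation for card payments: keep only what the business needs.

Added example, not from the PwC paper. It illustrates the roundtable point
that a business can reduce its exposure to stolen data by not collecting
card numbers at all and instead retaining only the gateway's token and
authorisation code. Field names such as "pan", "auth_code" and "token",
and the gateway response below, are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, the standard check-digit test for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit runs found in text (likely card numbers)."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


@dataclass(frozen=True)
class PaymentRecord:
    """What the merchant keeps: enough to reconcile and refund, nothing to resell."""
    order_id: str
    token: str        # gateway reference for this card, useless outside the gateway
    auth_code: str    # authorisation code proving the charge was approved
    last4: str        # for customer-facing display only
    amount_cents: int


def record_payment_unsafe(order_id: str, pan: str, cvv: str, gateway: dict) -> dict:
    """The 'before' case: stores the full PAN and CVV alongside the auth code."""
    return {"order_id": order_id, "pan": pan, "cvv": cvv,
            "auth_code": gateway["auth_code"], "amount_cents": gateway["amount_cents"]}


def record_payment(order_id: str, gateway: dict) -> PaymentRecord:
    """The minimised case: the PAN never reaches the merchant's own storage."""
    return PaymentRecord(
        order_id=order_id,
        token=gateway["token"],
        auth_code=gateway["auth_code"],
        last4=gateway["last4"],
        amount_cents=gateway["amount_cents"],
    )


def stored_pan_count(record: object) -> int:
    """Scan a stored record's serialised form for anything that looks like a PAN."""
    return len(find_pans(str(record)))


# Constructed sample: a well-known Luhn-valid test card number (not a real card).
SAMPLE_PAN = "4111 1111 1111 1111"
SAMPLE_GATEWAY_RESPONSE = {
    "token": "tok_7f3a9c2e",      # constructed value
    "auth_code": "A1B2C3",        # constructed value
    "last4": "1111",
    "amount_cents": 12_500,
}


if __name__ == "__main__":
    unsafe = record_payment_unsafe("ord-1", SAMPLE_PAN, "123", SAMPLE_GATEWAY_RESPONSE)
    safe = record_payment("ord-1", SAMPLE_GATEWAY_RESPONSE)
    print("PANs in unsafe record:", stored_pan_count(unsafe))
    print("PANs in minimised record:", stored_pan_count(safe))
```

The scan is the check a practitioner would run over logs, backups and database dumps: if the minimised design is working, no Luhn-valid 13 to 19 digit run should appear anywhere the merchant stores data, and the authorisation code and token on their own are of no use to someone who steals the record.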

One participant recognised how taking such an approach could help build trust in the business: “Greater alignment between risk and strategy can be used as a competitive advantage, to build trust with customers, completely turning around the traditional understanding of the role of risk in the business.”

Turning risk into advantage

Dennis gave the example of a Chief Risk Officer in a software company who was struggling to understand how risk could be turned into an advantage.

“She had done a great job at methodically analysing their products to understand how they could be compliant with rules in the many countries that they shipped to. She was proud of the system they had developed and how effectively it worked.

“I asked whether she had thought about taking that system to the firm’s customers which shipped internationally as well, to see if it could help them with their own risk and compliance.

“At that point she grabbed her cell phone and called the head of marketing and set up a meeting for the next day.

“Whenever we’ve been proud of what we’ve been able to do to deal with a risk, there’s often an opportunity to turn that into a commercial advantage; we just need to think about it a bit differently.”


The need for speed leads to a new manifest

Another aspect of cybersecurity which has changed the way companies think about risk is the speed required to respond to threats. Cyber threats change so quickly – nation states, hacktivists and organised crime are now all involved – that the normal risk management cycle simply can’t keep up.

Companies are realising that cyber risks ‘live, breathe and morph’ over time. So the way they think about the risk can’t be just in one-off treatment options, such as coming up with controls and testing them. They might be totally ineffective the next day.

“Trying to deal with cyber has led risk professionals to say ‘we need a new manifest’. And it was out of those conversations that the concept of enterprise resilience evolved,” explained Dennis.

Cyber security is one of the top risks facing financial institutions

Financial services executives are already depressingly familiar with the impact that cyber-threats have had on their industry. In PwC’s 19th Annual Global CEO Survey, 69% of financial services’ CEOs reported that they are either somewhat or extremely concerned about cyber-threats,

Cyber-security is the leading challenge to the adoption of the Internet of Things because insecure interfaces increase the risk of unauthorised access. Here are some concerns:

- Attack surface: hackers can gain entry to a corporate network through an IoT device.
- Perimeter security: IoT technology relies on cloud-based services, so it will be challenging to implement effective perimeter defences.
- Privacy concerns: the pervasiveness of IoT data collection coupled with advanced analytic capabilities could result in consumer privacy breaches.
- Device management: many IoT devices currently do not support implementation of strong security controls. Maintaining a robust security baseline will get harder as IoT devices proliferate.


From compliance to enterprise resilience

Both regulators and companies have traditionally looked into the past to identify and manage risk. But this backwards-leaning view has led to compliance, not resilience. It has also been somewhat ‘clunky’, with different risks being managed in isolation throughout the business.

Dennis explained that resilience is not traditional risk management: “It’s about an organisation having the capacity to anticipate and react to change, not only to survive, but also to evolve.”

The critical word is change. To be resilient, you need to manage through a major crisis, like a critical supplier’s factory being destroyed by an earthquake, as well as the disruptive megatrends which are reshaping the global business landscape – demographic change, shifts in economic power, rapid urbanisation, climate change and technological breakthroughs.

“But change doesn’t have to be large scale; you also need to manage the shifts in your own market, or among your own stakeholders,” said Dennis.

The key is being ‘fit’ to capitalise on opportunities. Enterprise resilience is sometimes referred to as the corporate immune system. If it’s in good shape and something strikes, the company can bounce back. It also means the business is fitter to jump further, be more flexible to evolve, and see and seize opportunities ahead of its competitors.

What a resilient enterprise looks like

Resilient organisations exhibit the following six traits:

- Coherence – the ability to make mutually beneficial decisions
- Adaptive capacity – the ability to reorganise for change
- Agility – the ability to make and implement decisions at the required speed
- Relevance – consistently delivering on stakeholder needs
- Reliability – consistently delivering to expected quality, on time
- Trust – knowing how to create investment-worthy relationships


Looking ahead: The role of Risk?

If an organisation builds resilience into its very DNA, the question arises as to the role of the Chief Risk Officer. Are they an administrator of risk, an overseer of the compliance function, or someone who provides specialist advice?

According to one participant: “The executive teams in our bank really look to risk to provide specialist advice. Ideally, they’d be permeated across the business and giving strategic analysis and insights.”

Rick Crethar asked: what do people need to be thinking about now, so that in five years’ time risk professionals are in high demand right across the business?

It is nearly impossible to prepare a plan for how a risk function will look in five years’ time. This would require a crystal ball on how the megatrends will play out. “We can’t predict how technology will advance, nor what the next macro-economic event or scandal will be.”

CROs who will be ready are those who start transforming their risk functions now: leveraging technology to streamline current processes, piloting advanced analytics, enhancing risk management reporting to provide greater insight for making better risk decisions, changing the gene pool as a result, and building a stronger risk culture.

This led to discussion about the role of boards in risk, strategy and resilience. Dennis believes that the gap between boards and executives will continue to close.

“Boards we talk to don’t want to see risk treated as just a compliance function. What they want is a good sense that risk is connected to executive management, helping them to ‘look around corners’ to identify the things most likely to impact on the company achieving its strategic objectives.

“Boards are also demanding more transparency around risk management’s capabilities, to understand how it is evolving in response to the megatrends and the environment, and how it connects back to strategy.

“Resilience is becoming increasingly important to boards. In fact, we are seeing more and more senior risk professionals being sought to take board positions,” said Dennis.


Developing your organisation’s resilience

With greater resilience, financial services organisations will be better positioned to capitalise on change and manage through a crisis so that they come out stronger. They will have the confidence to take the risks necessary to achieve desired returns within their risk appetites.

There are logical triggers in business activities or the external environment which should prompt actions on resilience. For example:

- In setting or reviewing strategic objectives, how aligned is the strategy to purpose, vision and values?
- Do you have evidence your corporate immune system is weak? Perhaps a breach has occurred which was not detected quickly.
- If a competitor fails, could it happen to your organisation?
- At times of major change, such as a transformation project or changes in your external environment, do you have the right capabilities to drive change and realise the benefits it may bring at the right speed?

But there’s no need to wait until something happens to test your resilience. Here are four steps to building your resilience:

1. Get everyone heading in the same direction. Understand what really matters, align how the functions work, and create a shared understanding of what resilience means and how you can create advantage.

2. Assess how you invest. Many organisations spend more on insurance than on building resilience. But insurance cannot salvage a damaged reputation or rebuild customer trust.

3. Check in on your resilience. Stress test your resilience in a safe environment. There are effective ways now to give your corporate immune system regular and thorough health checks.

4. Measure resilience. The factors that define what makes your organisation resilient can and should be identified and measured. Embed resilience into your operating model and monitor it continuously by building robust metrics into your KPIs.

90% of organisations believe that resilience is greater when functions such as strategy, risk management, business continuity, IT and security are joined up, but only 37% of organisations believe that these areas are properly joined up.*

* Source: London First PwC Resilience Survey


PwC contacts

Rick Crethar

Partner

+61 (2) 8266 [email protected]

Julie Coates

Financial Services Leader

+61 (2) 8266 [email protected]

Peter Burns

Financial Services ConsultingLeader

+61 (2) 8266 [email protected]

Nicole Salimbeni

Partner – Risk & Regulation

+61 (2) 8266 [email protected]

Access the latest thinking on EnterpriseResilience at PwC’s Resilience Journal:

www.pwc.com.au/resilience


www.pwc.com.au/resilience

© 2016 PricewaterhouseCoopers. All rights reserved. PwC refers to the Australian member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

At PwC Australia our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 208,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.au

Liability limited by a scheme approved under Professional Standards Legislation.

WL 127042745