Risk in review 2017 · Risk in review 2017 Asia Pacific analysis ... Coca-Cola Bottlers Japan Inc.,...
Transcript of Risk in review 2017 · Risk in review 2017 Asia Pacific analysis ... Coca-Cola Bottlers Japan Inc.,...
PwC
Overview/Background
• The risk landscape has evolved with a volatile business and geopolitical environment and increasingly sophisticated technology and cyber related threats. This adds to the complexity of managing risk in a diverse region such as Asia Pacific.
• PwC recently conducted a global survey, with responses from 1,581 executives across 30 industries to see how companies are responding to managing risks and what are the prevailing trends.
• The survey showed a clear theme of business units and corporate executives taking the lead role by aligning ownership of key business risks with ownership of business and risk decision making.
• This is resulting in a collaborative approach to risk management with risk accountability in the first line of defence supporting greater organisational resiliency and growth.
2July 2017
PwC
Asia Pacific Risk Landscape
• While companies in Asia are generally well progressed in managing their risks in the first line, many organisations do not have the 2nd line of defence clearly defined or in place. As a result, Internal audit or compliance teams may have to take on a greater role in managing risk beyond their traditional remit.
• It was also observed that a strong risk culture is lacking in many organisations in Asia, although steps are being taken to overcome this through a more proactive effort by their risk management teams.
• Overall, talent is key to addressing the changing risk landscape by getting a breadth of different insights and perspectives to deal with new and emerging types of risk, particularly those brought on by developments in digital technology and new business models.
-
3July 2017
PwC
Risk Culture
• Bridging language and cultural barriers is critical for ensuring a consistent approach to managing risk in organisations, particularly within the diverse Asia Pacific region. Ensuring a common understanding of risk terminology and methodology is important when building a strong risk culture and there is still more effective awareness and education programmes needed. Whilst it was seen that many organisations in Asia lack a strong risk culture, steps are increasingly being taken to cultivate risk consciousness.
4July 2017
PwC
Risk Management – balancing opportunity vs risk
• Organisations have taken a more rigorous approach to risk management through defining their risk appetite and tolerance levels in line with the market risks as well as using data analytical tools.
• Risk tolerance and residual risks have been taken into consideration which are being balanced against business priorities and new growth opportunities. With the fast changing and accelerated growth in Asia, this provides an opportunity to build risk management processes in earlier to evaluate and strengthen responses before issues occur – once again pushing risk management to the first line of defence.
5July 2017
PwC
Overall Findings: The heart of the matter
PwC’s global Risk in review analysis shows that responsibility for certain risk management activities is shifting back to the first line of defense.
Companies at the forefront of this shift:
• Manage most risks in the 1st line of defense (i.e. the front line)
• Outperform peers in areas such as promoting a strong risk culture and using risk management tools and techniques
• Are confident about their company’s future revenue and profit margin performance
6July 2017
Senior management and business units
Risk and compliance functions
Internal audit
PwC
Asia Pacific respondent overview
7July 2017
3%
5%
8%
16%
25%
41%
Other
Health Services
Technology, Infocomm,Entertainment and Media,
Hospitality and Leisure
Government and Education
Financial Services
Consumer and IndustrialProducts
0% 10% 20% 30% 40% 50%
Asia Pacific respondents by industry
33%
15%26%
8%
7%
8%4%
Asia Pacific respondents by company size
$499 million or less $500 million to $999 million$1 billion to $4.9 billion $5 billion to $9.9 billion$10 billion to $19.9 billion $20 billion to $49.9 billion$50 billion or more
• Overall demographics are similar to the global Risk in review base.
• But Asian respondents differ from the total in their risk management practices—they are more likely to manage risks from the first line.
• Asian respondents could nevertheless improve their risk cultures.
PwC
Asian companies typically have a strong first line of defense
8July 2017
• Most Asian respondents have defined their risk appetite across a number of risk categories, and they take this defined risk appetite into account when making business decisions.
• They are significantly more likely than respondents overall to say they plan to move more risk management responsibility to the first line of defense. (56% vs 46%)
• In addition, respondents in Asia are more likely than respondents overall to have one or more board-level risk committees (65% vs. 55%).
46%
63%
56%
70%
During the next three years, we plan to move more riskmanagement responsibility to the first line of defense
Moving risk management responsibilities to the first lineof defense makes our company better at anticipating and
mitigating negative risk events
Q8. To what extent do you agree with the following statements?
Asia Pacific Total
Asia vs Global
+10%
+7%
+10%
+10%
PwC 9July 2017
9July 2017
“Risk management needs to play a more active role in strategy-setting; it has to be forward-looking and consider emerging risks associated with new trends. In that regard, the articulation of risk appetite will differ from organisation to organisation. I feel that for risk appetites to be useful, the organisation must know what they want to do with them, how these statements translate into action.”
GM, Risk Management of a large GLC conglomerate
Quote from a company in Asia
PwC
But Asian companies aren’t necessarily managing risks more effectively
10July 2017
• Even though Asia Pacific respondents are more likely than the total global population to manage risks from the 1st line in 10 out of 12 areas, they do not report greater risk management effectiveness.
• In fact, companies in Asia are less likely than respondents overall to rate their efforts as effective, notably in the areas of regulatory and compliance risk (66% vs. 70% overall) and environmental/sustainability risk (47% vs. 49%).
PwC 11July 2017
11July 2017
“I think for the most part, the tone at the top in mature organisations is very much in place. Most boards and senior management understand the need to cultivate and embed “risk consciousness” in our day-to-day. The challenge lies in having the tone at the middle and beyond echo this, and maintaining a consistent culture throughout.”
GM, Risk Management of a large GLC conglomerate
Quote from a company in Asia
PwC
Cybersecurity a growing threat for Asian companies
12July 2017
• Only 41% of Asian respondents say their cybersecurity risks are managed effectively today (vs. 46% total).
• But this risk area is growing—62% of Asian respondents expect disruption from cybersecurity in the next three years.
• Encouragingly, 58% of Asian Chief Risk Officers (CROs) say that partnering with the Chief Information Officers (CIOs) /Chief Technology Officers (CTOs) and business leaders to minimise cybersecurity risks is a top priority for their risk function in the next 18 months, vs. 48% of overall respondents.
• Leadership from the C-level is key in ensuring an effective approach to cybersecurity and risk management in general.
27%
62%
41%37%
62%
46%
Have experienced a disruption due tocybersecurity threats in the past two
years
Expect to experience cybersecuritydisruption over the next three years
Manage cybersecurity risk effectively
Q9. Which of the following have caused disruption for your company in the past two years?
Q10. Which do you expect to cause disruption over the next three years? Q27. How effectively does your company manage cybersecurity risk?
Asia Pacific Total
Asia vs Global
-5%
+10%
PwC
49%
51%
72%
44%
47%
63%
We undertake periodic education to update staff onnew or potential risks the company faces
Our leadership prioritizes a risk culture that focuseson doing the right thing, beyond merely what's
required
Training in ethics and compliance is mandatory for allemployees
Q25. Which of the following statements about risk culture are true of your organisation?
Asia Pacific Total
Asian companies should work to improve risk culture
13July 2017
• Fewer than half of Asian companies say that their leadership prioritises a risk culture that focuses on doing the right thing. (47% vs 51%)
• Fewer Asian companies (44%) than firms overall (49%) say they undertake periodic education to update staff on new or potential risks.
• Only 63% of Asian companies (compared with 72% overall) say that training in ethics and compliance is mandatory for all employees.
• Without a strong risk culture to back up the first line, these companies will not build more effective risk management programmes.
Asia vs Global
-5%
-9%
-9%
-4%
-5%
-4%
PwC 14July 2017
“StarHub is on a journey to reshape its enterprise risk management (ERM) framework, moving beyond its traditional compliance role to a focus on helping the company extract value from managing its strategic risks.
The second line of defence needs to better understand the business and its operating environment to equip them to constructively challenge risk owners and to improve the overall alignment of risk with corporate goals, major initiatives and emerging market trends.
Even as we strengthen risk oversight at the board and executive management levels, we need to drive greater transparency and accountability at all levels to embed a strong risk culture throughout the organisation.”
Starhub, CFO
Quote from a company in Asia
PwC
CROs in Asia have an opportunity to lead
15July 2017
43%
51%
61%
72%
39%
39%
53%
67%
Our second-line Risk Management function is seenlargely as a catalyst for rather than an impediment to
growth
Our Risk Management program encourages a data-drivenculture for decision-making
Our Risk Management team increasingly providesproactive advice and guidance for other business
functions
My company's senior management fully supports andunderstands the value of having a strong risk
management strategy
Q30. To what extent do you agree with the following statements?
Asia Pacific CROs (n=36) All CROs (n=119)
• 67% of Asian respondents agree that their company’s senior management supports and understands the value of having a strong risk management strategy. While its a strong figure, it’s smaller than the percentage of respondents overall (72%). CROs in Asia should focus on narrowing that gap.
• Similarly, 53% say their risk management team increasingly provides proactive advice and guidance for business functions. But again, the response level trails the global total (61%).
• These figures suggest that the opportunity is ripe for CROs in Asia to take a leadership role in improving their company’s overall approach to risk.
Asia vs Global
-5%
-8%
-12%
-4%
PwC 16July 201716July 2017
“A successful risk practitioner is first and foremost one who understands the business. You need to have an appreciation of the challenges the business faces and be able to speak the language.
Having an inquisitive mind and an ability to think out of the box is also important, but you need to be able to discern what is practical and what isn’t. Understand what can or cannot work… and part of this is contingent on one’s knowledge on how to navigate the organisational environment.”
GM, Risk Management of a large GLC conglomerate
Quote from a company in Asia
PwC 17July 2017
17July 2017
“We are investing in talent and technology to keep pace with the changing nature of the risk and governance environment. This includes those who can use new technology and approaches, such as data analytics and audit management tools, to increase business insights and capture process improvement opportunities.”
Hiroyuki Ikarugi, Coca-Cola Bottlers Japan Inc., Leader of Internal Audit Office
Quote from a company in Asia
PwC
Recommended: A holistic strategy where all three lines take an active role in addressing risk
18July 2017
Senior managementand business units
Risk and compliance functions
Internal audit
Responsibilities:
• Identify key risks
• Assess key risks
• Manage and monitor controls
1st
• Develop risk management framework
• Test and monitor first-line activities
• Effectively challenge first line
2nd
• Objectively test controls
• Assess first-line risk activities
• Assess second-line risk activities
3rd
PwC
How can your company shift to manage risk from the first line? 5 key steps
19July 2017
Set a strong organizational tone focused on risk culture
Align risk management with strategy at the point of decision-making
Recalibrate risk management program across three lines of defense
Implement a clearly defined risk appetite framework
Develop risk reporting
PwC 21July 2017
The bottom line
The shift to the first line representsopportunities for all lines of defense
to work closely together and create value for their enterprise.
PwC
PwC
Asian companies have more modest growth projections
23July 2017
• Companies in Asia Pacific are somewhat more likely to expect fast (more than 10%) revenue growth, but overall their growth closely tracks total respondents’.
• For expected profit margin growth, Asian companies are slightly less likely to expect increases in two years (45% vs. 52% total).
21%
18%
30%
9%3% 3%
1%
16%
23%
33%
9%4% 3%
2%
Increasemore than
10%
Increase5.01% to
10%
Increaseup to 5%
Neitherincrease
nordecrease
Decreaseup to 5%
Decrease5.01% to
10%
Decreasemore than
10%
Q5A Please estimate your company's average annual revenue growth for the next two years.
Asia Pacific Total
8%
12%
26%23%
6%1% 1%
9%
13%
30%
22%
6% 2% 2%
Increasemore
than 10%
Increase5.01% to
10%
Increaseup to 5%
Neitherincrease
nordecrease
Decreaseup to 5%
Decrease5.01% to
10%
Decreasemore
than 10%
Q6 On average, how do you expect your company's profit margin to change over the
next two years?
Asia Pacific
PwC
Companies in Asia Pacific keep pace when it comes to risk appetite
24July 2017
• Asian companies are more likely to say they have defined risk appetite across a number of risk categories, and that they have a well-defined risk appetite statement.
• But they do not lead the total respondent group when it comes to aggregating risk against the risk appetite or monitoring using KRIs.
47%
49%
54%
51%
55%
46%
47%
53%
57%
59%
We effectively monitor our risk appetite by using key riskindicators
We have a formal process to aggregate risk across thecompany and review results against our defined risk
appetite
We take our defined risk appetite into account whenmaking business decisions
Our company has a well-defined risk appetite statementand framework that is clearly communicated
Risk appetite or tolerance has been defined across anumber of key risk categories
Q7 To what extent do you agree with the following statements about your company's risk appetite? "Agree" and "Strongly agree" responses
Asia Pacific Total
Asia vs Global
+4%
+6%
-1%
-2%
-1%
PwC
Asian companies understand the value of a strong first line
25July 2017
• But these companies are no more likely to say that their company budgets adequately for risk management, or that understanding risk culture is part of employee training.
• Strengthening capabilities in those two areas could make for a more effective risk management organization.
38%
33%
48%
54%
46%
63%
37%
38%
48%
55%
56%
70%
Understanding our company's risk culture is a formalpart of our employee onboarding and training process
In the past three years, business units at my companyhave been allowed to take greater risks
My company budgets adequately for risk managementacross the organisation
Business units have adequate authority, resources, andexecutive-level support to effectively manage risks from
the first line of defense
During the next three years, we plan to move more riskmanagement responsibility to the first line of defense
Moving risk management responsibilities to the first lineof defense makes our company better at anticipating and
mitigating negative risk events
Q8 To what extent do you agree with the following statements about risk management?
"Agree" and "Strongly agree" responsesAsia Pacific Total
Asia vs Global
+3%
+10%
+1%
-%
+5%
-1%
PwC
Asian companies hardly break the mold on cybersecurity
26July 2017
• Asia Pacific, like respondents overall, have an opportunity to up their game in managing cybersecurity and privacy risk.
• Companies with higher cyber risk maturity also have better risk cultures, another area where Asian companies have room for improvement.
59%
28%
18% 18%
61%
28%
19%23%
Cybersecurity and privacy risk is managedby the CIO/Chief Technology Officer (CTO)
The CIO/CTO works with each individualbusiness unit and function to safeguard data
The Chief Risk Officer and the CTO arejointly responsible for overseeing
cybersecurity and privacy risk
Our company has a cross-functionalcybersecurity/information risk committee
Q24 Which of the following describes the way your organisation manages cybersecurity and privacy risk?
Asia Pacific Total
PwC
Where Asian companies fall behind on risk culture
27July 2017
• As we’ve seen, Asian companies have an opportunity to improve their risk cultures.
• In particular, companies in the region should improve their employee training, including periodic education.
15%
14%
24%
39%
49%
41%
46%
51%
72%
62%
55%
12%
16%
22%
38%
44%
44%
45%
47%
63%
63%
65%
We have a dedicated manager of third-party risk
We reward employees who actively take steps to minimizerisk by using existing resources
We use external providers of risk management, compliance,training or other services
When an adverse event occurs, external relations personnelcommunicate promptly with stakeholders
We undertake periodic education to update staff on new orpotential risks the company faces
Updates on risk management are part of regularperformance reports
At my company, the second line of defense can effectivelychallenge business
Our leadership prioritizes a risk culture that focuses ondoing the right thing, beyond merely what's required
Training in ethics and compliance is mandatory for allemployees
We have a formal process for employees to report potentialrisk events or flag concerns as they arise
My company has one or more board-level risk committeesthat ensure a top-down and bottom-up approach to risk…
Q25 Which of the following statements about risk culture are true of your organisation?
Asia Pacific Total
Asia vs Global
+10%+1%-9%-7%-1%
-5%+3%
-1%-2%c+2%
-3%
PwC
Asian companies are not necessarily managing most risks more effectively
28July 2017
73%
66%64% 63%
60%
55%
47%
42% 41% 40%37% 37%
74%
70%
58%
63%
56%53%
49%
42%
46%
36% 37% 38%
Financial risk Regulatory andcompliance
Brand/reputationalrisk
Earnings and volatilityrisk
Operational risk Strategic risk Environmental risk Technology risk Cybersecurity Third-party risk Human capital risk Culture and incentiverisk
Q27 How effectively are the following risks managed today?"Effective" responses
Asia Pacific Total
PwC
Asian companies are keeping pace with their use of risk management tools
29July 2017
22%
24%
24%
22%
31%
40%
38%
22%
25%
25%
27%
32%
33%
36%
Intellectual property audits
Integrated risk data warehouse
Developing risk-relatedperformance incentives
Brand value and brandmanagement audits
Organisational integration of riskmanagement function
Stress-testing or reverse stress-testing
Talent and human resourcesaudits
Asia Pacific Total
44%
45%
53%
53%
49%
53%
67%
58%
69%
44%
49%
50%
53%
54%
57%
66%
68%
73%
Scenario planning
Horizon scanning
Third-party/vendor audits
Corporate risk dashboard
Specifying a corporate riskappetite
Building organisationalresilience to risks
Identification and forecasting ofemerging risks
Environment, health, and safetyaudits
Risk rating system
Q28 Which of the following risk mangementtools and techniques does your company use
and plan to continue to use for managing risks?
Asia Pacific Total
Thank you
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, [insert legal name of the PwC firm], its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
© 2017 PricewaterhouseCoopers Limited. All rights reserved. PwC refers to the Hong Kong member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.