risk in review rethinking risk management for new market ... · rethinking risk management for new...

Risk in reviewRethinking risk management for new market realities

Setting the right risk culture and aligning strategy to risk imperatives are essential to success in today’s new risk era.

March 2012

The heart of the matter 2

Rethinking risk management for new market realities

An in-depth discussion 4

A time of reckoning for risk management 2011: A year in review 52012: The risks ahead 11Key risks by region 19

What this means for your business 26

Coping with the new realities Risks management imperatives for 2012 32

Table of contents

March 2012

The heart of the matter

Rethinking risk management for new market realities

3 The heart of the matter

In 2011, economic turmoil, political upheavals, and ripple effects from natural disasters converged with advancing globalization and rapid technological advances to create a riskier marketplace of complexity, unpredictable events, and sudden change.

To respond to this new era of risk, forward-looking companies in 2011 continued to shift their risk management focus in several fundamental ways: from internal to external, from operational to strategic, and from bottom-up to top-down. As corporate leaders began to recognize the far-reaching impact of these risks on their businesses, they installed new risk management organizational structures and processes that leveraged corporate resources and vital information, and integrated risk management across corporate functions. Some put in place a new breed of more strategic, collaborative, and business-savvy risk management leaders. Discouraged by the failure of traditional risk and forecasting approaches, a bevy of companies also adopted innovative techniques such as scenario analysis, predictive indicators, and reverse stress-testing to challenge conventional thinking and better prepare themselves to deal with unexpected events.

In 2012 and the years that follow, creating an effective approach to managing the ever-widening risk landscape remains a work in progress. Many organizations are still struggling to improve their overall management of risk, whether that means identifying the risks that matter most or finding effective ways to link their strategy with the day-to-day handling of business risks. Companies are scrambling to fix weak links in their system, often stemming from non-traditional risks that have risen

to the fore in today’s new marketplace—for example, risks from new social media and digital technology, competition from emerging markets, and the supply and demand of global talent. In this new risk era, corporate boards and senior management have a crucial role to play.

This report examines the state of global risk in 2011 and looks at how it might evolve through 2012 and beyond. The first section of the report provides an overview of how 2011 marked a year of reckoning for many risk management leaders, as they began to acknowledge how the financial crisis and subsequent recession had irreversibly altered the global marketplace and the ways to think about risk. The second section examines the top strategic and regional risks that

lie ahead for companies, drawing on the findings from our survey of global executives and in-depth interviews with corporate leaders and risk experts across a range of industries. The final section of our report examines the risk management approaches and tools that will help companies better cope with the forces of exogenous change over the next year and beyond.

To respond to this new era of risk, forward-looking companies

in 2011 continued to shift their risk management focus in

several fundamental ways: from internal to external, from

operational to strategic, and from bottom-up to top-down.

Study methodology This study is based on results from a survey of more than 1,000 executives and risk management leaders with businesses worldwide, carried out in November 2011. The sample covered a broad range of companies, including listed entities (71% of the group) and privately owned organizations. Almost 60% of the sample was based in the United States, but there was a broad geographic spread reflecting the global economy, including 450 respondents from overseas markets. Just under one quarter of the participants represented companies with annual revenues of less than US$1 billion and just over one third of participants had revenues between US$1 billion and US$5 billion. More than 9% of respondents worked for companies with annual revenues of more than US$50 billion. To understand the statistical trends and gain a qualitative perspective, we also conducted in-depth personal interviews with CFOs and risk management leaders from a range of organizations.

An in-depth discussion

A time of reckoning for risk management

5 An in-depth discussion

2011: A year in review In 2011, it became increasingly clear that forces unleashed during the global financial and economic crisis of 2008–2009 had irreversibly altered the terrain of the global marketplace. Even for those executives who had held out hope, it became undeniable that the global economy was not going to bounce back as it had done during other recessions. This time was different: The world economy was going through structural change, with the center of gravity shifting from West to East. Globalization and technology had created more intricate linkages that could cause risks to arise more suddenly and reverberate around the world. Over the course of 2011, corporate leaders grew to accept these new market realities, and realized that this new era of global uncertainty and complexity called for a fresh approach to risk management.

Coping with global complexity

Complexity is itself a dynamic concept, embracing the interconnectedness of organizations and networks and fraught with the difficulties of understanding interactions and their secondary effects. It includes factors such as global supply networks, technology, and mutating geopolitical borders. “The complexity of the risks that businesses encounter today poses unique challenges,” says Ken Coy, who leads PwC’s US Risk Assurance–Governance, Risk, and Compliance practice. “Key components of the risks—and interrelationships with other external risks—are not always apparent. As a result, companies grapple with how to best understand, evaluate, and respond to those risks.”

For companies with a linear view of risk, this can create significant hurdles. In March 2011, the devastating Tohoku

earthquake and tsunami in Japan illustrated today’s new operating reality: When global trade, financial markets, and supply chains are inextricably linked, risks can manifest themselves swiftly and unexpectedly, with far-reaching ramifications. Taking into account its full toll, the disaster in Japan was one of the world’s costliest, with the economic losses estimated at well above $1 trillion. The disaster not only hurt profits at the big automakers and manufacturers in Japan, but also impacted far-flung multinational retailers, some of which reported large losses from disruptions in production and sales. It also sent tremors through world currency and equity markets, causing massive unexpected losses for banks, insurers, and financial investors.

As a result, PwC’s 15th annual Global CEO Survey revealed that US CEOs are slightly less optimistic than they were in 2011, and 80% of CEOs globally are

When global trade, financial markets, and supply chains are

inextricably linked, risks can come swiftly and unexpectedly,

with far-reaching ramifications.

The ongoing sovereign debt crisis in Europe

The March 2011 earthquake and nuclear crisis in Japan

Other significant external disruption over the past year

Political upheaval in Arab economies in 2011

Volcanic ash cloud over Europe in 2010

Lack of a global climate change agreement inCopenhagen and Cancún, December 2009 and 2010

Don’t know/refused

Figure 1. Which of the following events directly affected your company financially?Which of the following events, if any, have triggered specific changes to your strategy, risk management, or operational planning?

56%45%

29%

21%

24%

16%

21%15%

10%5%

7%7%

21%29%

Financially affected

Changed strategy/risk management/operational planning

Base: All respondents (1,258)Source: PwC, 15th Annual Global CEO Survey, 2012

anchor 1

6 Risk in review

Rising risk awarenessAgainst this backdrop, it is not surprising that the majority of surveyed executives believe that risks are increasing. As Kanwardeep Ahluwalia, managing director of financial risk with Swiss Re, observes, ever-faster communications and instant transmission may create an additional potential dimension of complexity via the very perception that risks have increased. Some of this perceived increase in risk may stem from the fact that events and changes that were once ever-present but unknowable are transitioning into known risks. “We have a heightened awareness of global risks today, thanks to better education and faster, broader communications,” Mr. Ahluwalia says, “but perhaps we feel risk is growing simply because we know more.”

In 2011, executives saw that macroeconomic and financial volatility—and even the potential for severe financial and economic disruption from the Eurozone debt crisis—would continue to dominate the corporate risk agenda. Faced with such uncertainty, companies held on to cash as they pondered an overriding worry that the industrial market downturn might be far from over, and that the recession of 2008–2009 might be just a prelude to a bigger economic shock to follow. There would be no simple fixes for the ballooning debt and economic weakness in the industrialized world. The woes it was facing were systemic and deep-rooted, and would stir greater

political uncertainty, social unrest, and regulatory tinkering.

In fact, the year saw another long-held belief turned on its head, as risks in emerging markets were no longer necessarily higher than those in the developing world (see Figure 2). In the most recent country risk survey conducted by Euromoney, in December 2011, a few emerging market economies (Singapore, Taiwan, Chile, and Qatar) were favorably ranked as relatively low risk, alongside or even above the United States, United Kingdom, Japan, and France. Meanwhile, major developed economies such as the Eurozone’s debt-burdened Italy, Greece, and Spain were rated as riskier than emerging market economies such as South Korea and Saudi Arabia. (Greece’s ranking has dropped particularly steeply since the onset of the Eurozone crisis in early 2010, falling from 33rd in March of that year to 115th in December 2011, and continuing to land in the bottom tier of Euromoney’s rankings as this paper went to press.) This trend provides a further sign of the improving performance and declining riskiness of emerging market economies relative to major developed economies.

Greater focus on external events During times of tumultuous change, in an environment of complexity, exogenous risks can become more pronounced and difficult to predict. So in 2011, risk management leaders began shifting their focus from managing internal risks to devising internal responses to external events (e.g., economic shocks and regulatory change). They explored how they could put to work new, sophisticated tools for assessing and managing risks, from new hedging instruments offered

by banks to internal scenario models and early-warning systems.

“Part of what we’ve been dealing with for the past few years in a more intensified way is responding and adjusting our systems to the passage of federal healthcare reform,” says Mark Chaney, chief financial officer at regional health insurance group CareFirst BlueCross BlueShield. “We have been putting in place a range of systems and tools, from new financial modeling and scenario development to more and more education at our board level, which then filters down to our audit committee.”

According to one chief risk officer of a leading global industrial products company, the biggest risk in 2011 was the impact of global market developments on operations. “We really saw a lot of disruption in the marketplace, particularly from the EU.” The EU disruption not only affected consumption in Europe, but had a secondary effect on inventory and trade flows.

concerned about uncertain or volatile economic growth. As Figure 1 shows, the debt crisis in Europe as well as the earthquake in Japan had a direct impact on a significant number of organizations.


Figure 2. The convergence of emerging and developed market riskThroughout the year, Euromoney provides country risk survey rankings based on a weighted range of political, economic, and structural criteria, as evaluated by more than 250 participating economists worldwide. The ratings evaluate investment risk and are useful for anyone interested in gauging a country’s “riskiness” relative to that of other countries. In Euromoney’s December 2011 country risk survey, an increasing number of emerging market economies ranked alongside or even above major industrial economies. The following is a partial list. The higher the Euromoney country risk (ECR) score, the lower the perceived riskiness.

Greece

Russia

India

Ireland

Mexico

China

Spain

Brazil

Malaysia

Italy

Saudi Arabia

UAE

Poland

Kuwait

South Korea

Japan

Slovak Rep

Czech Rep

Slovenia

Belgium

Qatar

UK

Chile

France

Taiwan

United States

Germany

Hong Kong

Canada

Singapore 88.51%

84.70%

83.68%

82.12%

76.28%

76.19%

76.10%

75.24%

75.20%

73.20%

72.27%

71.66%

71.07%

70.37%

69.83%

69.27%

68.44%

67.19%

66.13%

63.58%

63.28%

63.18%

62.93%

62.27%

61.77%

58.69%

58.18%

54.47%

53.07%

33.91%

Emerging markets

Source: Euromoney Country Risk (www.euromoneycountryrisk.com)

Developed markets

anchor 2

8 Risk in review

About two thirds of executives surveyed see the unpredictability of external events as a source of growing risk. Many examples in 2011 underscored how recognizing and even embracing unpredictability can help companies be more imaginative in their risk planning and therefore more resilient the next time the unexpected occurs. But this type of risk-related thinking is not easy. “Adaptability of the organization is critical,” says Dean Simone, leader of PwC’s US Risk Assurance practice. “It’s no longer a question of just reacting when something has happened, but rather preparing for fundamental changes in the business that may be needed in response to external developments.”

From bottom-up to top-downBecause of the speed and intensity of external events—and their potential to undermine corporate performance and even long-term survival—C-suites and boards have begun pressing for more effective ways to manage looming strategic risks and black swans. “The speed of change has been greatly facilitated through technological advances,” says PwC’s Ken Coy. “Reacting isn’t necessarily enough to successfully manage risk; companies need to react faster than their competition.” Consequently, in 2011 a growing number of organizations shifted their risk management orientation from bottom-up to top-down, calling for more senior management and board involvement.

Pushed partly by regulators, boards of directors have become more engaged

with risk issues and have been seeking to improve their ability to define and communicate a clear, organization-wide risk appetite. “It is good that, overall, the profile of risk management has been raised in recent years,” says Jason Pett, a partner in PwC’s US Risk Assurance practice and the firm’s US Internal Audit Services leader. But, he argues, the challenge is to move from an essentially reactive risk management philosophy to a proactive mindset that anticipates coming risks and helps position an organization for new threats and opportunities. “Instead of simply asking yourself what might go wrong, imagine figuring out what needs to go right so as to ensure that systems, processes, and management focus are aligned to achieve successful outcomes for the company’s strategy in the face of a variety of possible situations and external scenarios.”

Barry Ward, CFO of insurer Fidelity & Guaranty Life, says his company, now in private equity ownership after it was spun out of Old Mutual in 2011, has enhanced the role of the board: “We reassigned the risk owners and moved the governance of risk from the audit committee to the board. At least once a year, we’ll spend an entire board meeting talking about risk, and it is a continuing item at each regular meeting.”

But clearly, not all companies have embraced such an approach. “In general, the risk dialogue between boards and the most senior management is still constrained,” says Ron Kinghorn, a principal with PwC’s Governance, Risk, and Compliance practice, describing this as a particular challenge for risk

Pushed partly by regulators, boards of directors have become

more engaged with risk issues and have been seeking to improve

their ability to define and communicate a clear, organization-

wide risk appetite.


management going forward. “But,” he adds, “a key way board members are becoming better informed about risks and their management is through the cross-pollination of ideas that occurs when a board member sits on two or more other companies’ boards across different industry sectors.”

An organizational responseTwo other significant trends in 2011 were the shift from an operational to a strategic risk perspective and the elevation of the chief risk officer role, which in previous years had largely been found at financial services firms. This new C-suite role requires a new kind of risk manager, who is strategic, collaborative, and business-focused. “In the consumer products and services sectors, we’ve seen a lot of clients formalize the CRO role,” notes Ron Kinghorn. “While typically a different

model outside the financial sector, the new CROs are being given the ability to have a real impact on both business decisions and operations, if they see something they don’t like.”

At one US industrial products company, the CRO was appointed to the position last year and is now responsible for expanding her company’s comprehensive risk management practices to establish a more integrated, enterprise-wide approach (see “Case study: The rise of the chief risk officer,” page 10). “I report to the CEO to empower the function to knock down silos and allow for an opportunity to challenge assumptions, question actions, and make sure that one organization is talking to another,” she says.

To manage risks, a growing number of organizations took steps in 2011 to integrate risk management systems across corporate departments and

functions. In fact, PwC’s 2012 State of the Internal Audit Profession Study shows that companies that have the best handle on risk have internal audit functions that go beyond simply providing assurance over financial controls, by providing stakeholders with a point of view and recommendations on how to mitigate risk.

Enterprise integration is critical to eliminating silos and giving executives a more holistic view of the potential threats to their organizations. It also enables CROs to include non-traditional functions like human resources in the risk dialogue. As Ken Coy notes, “Being able to look across your organization can give you perspectives that you might not otherwise have—and that can broaden your visibility.”

“I report to the CEO to empower the function to knock down

silos and allow for an opportunity to challenge assumptions,

question actions, and make sure that one organization is

talking to another.”

— CRO of an industrial products company

Case study: The rise of the chief risk officerOutside financial services, relatively few companies have embraced risk management as a way of doing business or making strategic decisions. One exception is a large industrial products manufacturer in North America, which recently appointed a chief risk officer and thereby became a pioneer of risk management techniques in its industry.

How has the appointment changed the way the company manages risk? According to a company spokesman, the company’s matrix organization structure has contributed to the CRO position being well received by all the operating units, re-invigorating the company’s risk management approach. Because the CRO reports to the CEO, this sends a signal to the rest of the organization that it is legitimate for the risk function to knock down silos and challenge thinking in different parts of the organization. The company is moving from a bottom-up risk system to a top-down approach that begins with strong support from the board and radiates downward into the operating units.

The company faces multiple risk challenges, some of which are generic (e.g., cyber-security and market modelling to determine customer needs and attitudes) and others that are specific to the industrial manufacturing industry. Last year was a tough one, dominated by the economic wobbles in the Eurozone and also by competitive forces from emerging markets. Demand for raw materials and the need to manage exposures via hedging has been a big preoccupation for the company in recent years, but dialogue is intensifying about making more systematic use of futures markets to undertake a more dynamic and opportunistic approach to hedging price volatility. A lot of effort is going into simply communicating better among the company’s operating units so that decisions are more considered and better understood by a broader management group.

anchor risk officer

10 Risk in review

2012: The risks ahead

The realignment of the global marketplace will continue unabated in 2012, and bring with it attendant dangers. A strong message from the survey is that this uncertainty is creating new challenges for companies. “You can’t predict everything and you can’t afford to mitigate every risk,” says Jason Pett, “so what do you do? What contingency plans do you make?”

Ken Coy likens the problem facing executives to that of a fighter pilot, who must continually identify potential threats, understand his or her options, decide on a course of action, and act quickly. “Executives need to have processes in place to identify these challenges early so the organization can respond quickly, have a first-mover

With high unemployment,

rising financial insecurity,

and escalating social

problems across many of the

world’s markets, nearly 60%

of executives see regulatory

risk as a major threat to their

business in the year ahead.

advantage, and survive to fight another day,” he says.

In fact, some companies have adopted the concept of “reverse stress-testing,” in which executives prepare for scenarios that could significantly disrupt their business. As noted in a recently released PwC paper, Black Swans Turn Grey: The Transformation of Risk (January 2012), this approach “effectively accepts that it is no longer possible to forecast events themselves, and instead focuses on managing their knock-on effects or consequences.”

Executives identified a number of key risks for 2012, most of them a continuation of trends already seen in 2011: economic uncertainty, greater regulation, intensifying competition, and financial volatility (see Figure 3).


Public infrastructure

Crime & terrorism

International trade & payments

Geopolitical risks

Energy & commodity costs/prices

Government spending & taxation

Business continuity

Fraud & ethics

Merger, acquisitions & JVs

Disruptive technologies

New product introductions

Large program risks

Reputation and brand

Commercial market shifts

Data privacy & security

Talent & labor

Financial market

Regulations & government policies

Competition

Economic uncertainty

Figure 3. Please rate how critical all of the risks are likely to be over the next 18 months.Percentage of respondents who selected “high” or “very high” risk

76%

63%

62%

60%

57%

56%

54%

52%

47%

46%

41%

41%

40%

39%

39%

39%

31%

21%

16%

15%

Regulations and government policies

Talent and labor

Data privacy and security

Mergers, acquisitions, and JVs

Fraud and ethics

Government spending and taxation

Energy and commodity costs/prices

International trade and payments

Crime and terrorism

Intensifying economic uncertainty Reflecting concerns about further economic deterioration, economic uncertainty tops the list as the biggest perceived threat to companies in 2012, as ranked by 73% of those surveyed.

The increasing risk of more defaults in Europe and a possible breakup of the Eurozone currency union could put local economies in freefall, cause severe financial disruption with global ramifications, and trigger another nasty worldwide recession. The US economy is also a worry, particularly given the uncertainties inherent in an election year.

While all organizations expressed significant concerns about economic conditions, some industries are more exposed than others. Given the inextricable links between the economy and financial markets, it is not surprising that financial institutions see economic uncertainty as a critical risk (77%). Companies in the industrial products sector are almost equally concerned (at 74%), though their worries likely skew more toward reduced customer demand, higher costs, and other effects of economic volatility.

The top risk focus, irrespective of one’s industry, should be where the economy is going, stresses CareFirst’s Mark Chaney: “For certain types of companies, it’s hard to separate what’s going on around the world versus what’s going on in this country. For those who have portfolios that need to be invested, I think the capital markets concern a lot of us.”

“We are quite aware of the risk that there could be a global depression,” says Swiss Re’s Mr. Ahluwalia. “As we look forward, while there is ongoing uncertainty around the Eurozone and a justifiable feeling that risk is increasing, for Swiss Re that is an opportunity as well as something requiring constant vigilance.”

The global economic shift to emerging markets also brings with it inherent risks. As noted in PwC’s recent paper Resilient Growth: Making the Most of Opportunities Away from Home, “The success of companies that have set up operations and done well in a country whose GDP growth is approaching double digits can prove enticing to latecomers. But any given market, no matter the attractions, may be a poor fit for companies from a particular sector, from a certain home country or with a particular strategy.” New, fast-growing markets have been wielding increasing influence on

12 Risk in review

economic, commercial, and financial developments and policy outcomes. Many of these influences and outcomes cannot be easily foreseen.

Increasing regulationsUnfair competitive advantages in some regions—such as trade barriers and other protectionist measures—can also pose a threat to organizations seeking to compete in the global market arena. For example, China’s industrial manufacturing companies command a dominant niche in the global market, but, says one executive, that’s because China “has erected artificial barriers in its own market to help them gain an edge against competitors.”

With high unemployment, rising financial insecurity, and escalating social problems across many of the world’s markets, nearly 60% of executives see regulatory risk as a major threat to their business in the year ahead. “A lot of regulatory movements that can happen very quickly can change the

Figure 4. What are the top drivers of increasing risk?Percentage citing response by sector

Political leadership/change

Adverse publicity/open source web

New corporate competition

Changing market needs

Structural economic change

Proliferating technology

Increasing regulations

Industrial products*

* Industrial products includes the automotive and energy sectors, as well as utilities ** Technology, information, communications, and entertainment

Financial services TICE** Health services Retail and consumer

78% 58% 45% 70% 54%

34% 20% 55% 35% 33%

50% 57% 48% 38% 49%

43% 42% 49% 31% 56%

13% 15% 26% 14% 21%

13% 12% 11% 30% 12%

20% 30% 16% 38% 19%

whole business model, or your potential opportunities—or at least your upside in some countries,” explains Ron Kinghorn.

Several executives noted that the United States (home base to more than half of all organizations surveyed) could face considerable political change following presidential and congressional elections this coming November. Although the political outcome could result in a lessening of regulatory pressure in the United States, the period leading up to the elections will likely lead to further disruption and uncertainty.

For now, US executives anticipate increasing local regulations, and many believe that regulatory changes will be the single biggest risk over the next year and beyond. In particular, massive changes in healthcare policies and financial regulations could present major obstacles for US companies. “Early implementation of federal healthcare reform in the United States has not had too many unexpected consequences or effects,” says CareFirst’s Chaney. “But what’s going to happen in 2014 is much

less certain, and we have developed a range of scenarios for our business that range from a somewhat positive to a very negative outlook.”

With such challenges at home and abroad, it is not surprising that three quarters of surveyed organizations operating in the financial and healthcare sectors consider regulatory change among their most critical risks. And as more and more companies build up their presence in emerging markets, they are more exposed to regulatory actions that may not always be stable, predictable, and transparent. In the energy sector, for example, 62% of surveyed organizations cited changes in regulations and government policy as a top risk. Shifts in government policies and regulatory changes can make companies operating in oil, gas, and other extraction industries vulnerable to expropriation and other geopolitical risks.


14 Risk in review

Tightening

Figure 5. Credit conditions for loans to businesses

-20

0

20

40

60

80

100

120

2003 2004 2005 2006 2007 2008 2009 2010 2011 2012

SpainPortugalEurozoneItaly

Source: Oxford Economics

% balance

Renewed financial volatilityBecause of the havoc economic events can play on capital and currency markets, nearly 60% of executives in our survey cited financial volatility as a paramount risk. Above all, executives worldwide worry that failure of European policy-makers to solve the Eurozone debt crisis could reach a stage that leads to disorderly defaults, the abandonment of the Euro by one or more EU members, or, at its worst, the demise of the currency union entirely. Under these scenarios, interbank markets could freeze up the way they did during the global financial crisis in September 2008, following the collapse of Lehman Brothers. This could usher in a wrenching global credit crunch and a period of extreme financial volatility.

Banking and other financial services firms, at the center of the storm in the Eurozone, are particularly vulnerable to threats from financial volatility. More than three quarters of the firms surveyed in this sector consider financial volatility as a serious risk. Not surprisingly, capital-intensive sectors, such as industrial manufacturing, view financial volatility as a major risk in the year ahead.

According to company CFO Barry Ward, Fidelity & Guaranty Life “remains keenly focused on the credit risk that we have in our investment portfolio. We have continued to de-risk our portfolio to reduce the investment risk and increase asset liquidity.”

Even if a full-blown crisis is avoided in the Eurozone, risk managers remain

wary of the impact of currency volatility due to the heightened uncertainty. “Many of our products are sold and priced in Euros,” says one executive, “and many of our inputs are priced in US dollars, so the impact of the Eurozone turmoil has a big impact on us as a firm.”

Growing competitionThe majority of executives we surveyed (63%) told us that as trade barriers fall and globalization grows, competition will continue to heat up. Across all industries, organizations are facing increased global competition at home and abroad. As one executive told us, “In a global world, everyone wants to play in someone else’s backyard.”

The rise of the digital economy is adding to the competitive pressures. With the Internet entering a second phase dominated by mobile devices and cloud computing, the barriers to market entry have fallen in many industries, and business models and customer loyalties are changing swiftly. Validating this trend, our study showed that some 73% of technology, information, communications, and entertainment (TICE) companies consider increased competition among the most critical risks they expect to face over the next year. This figure is even higher (75%) in the retail and consumer goods sector.

And as the use of new technology leapfrogs in the developing world, Western executives worry that the new, well-positioned contenders will be coming from emerging


markets—especially from the East. “Lower operating costs, evolving business models, advances in technology, and the ease of global trade have enabled emerging markets to grow and take market share from industries once thought to be insulated from such disruptive competition,” says Ken Coy. “In this new climate, risk functions need to be agile with regard to how they identify and respond to risks.” Emerging market companies may be better placed to win over new customers in other emerging and developing countries, where much of the future market opportunity will come. These organizations may have a competitive edge in accessing these fast-growth markets, thanks to their familiarity with digital technology, business practices, and marketing strategies tailored to these lower-income environments. For examples, look to telecom and information and communications technology providers such as ZTE and Huawei, both of which have won significant market share in India, Russia, and other emerging markets thanks not only to their lower operating costs but also to a focused effort to provide specialized customer service.

“Business has become so globally diverse,” says Microsoft CFO Peter Klein, “that it is an ongoing challenge to scale this with different cultures and operating models—and develop the tools and technologies to adjust to the continued global diversification.”

Data privacy and security threatsThe pervasive use of the Internet and social media will catapult data privacy and security risks to a higher perch on the risk agenda, according to 56% of executives we surveyed. Relegated to information technology (IT) in the past, data privacy and security risk is gaining further prominence as a strategic threat, and vastly increased attention from executives and risk managers. “As the globe becomes more interconnected, our customers are demanding an increased focus on data security, the cloud, regulatory data, and the financial costs of risk management,” says Microsoft’s Peter Klein.

As companies embrace the cloud and install new IT infrastructure, protection of sensitive customer and financial data will need to become an art form. “We know there will be a cost impact, and there are obvious security issues for many companies,” says PwC’s Dean Simone, “but the unknown impact of cloud computing is one of the biggest challenges facing business in the coming years.”

Meanwhile, the growing use of social media and mobile devices introduces a higher threat of reputational damage, misuse of customer data, and IT security breaches. Companies need to find the right balance between openness and control. “We are exploring the use of social media as a way to communicate with interested communities,” says Barry Ward of Fidelity & Guaranty Life, “but we acknowledge the need for risk controls over any social media strategy.”

Indeed, senior executives are increasingly concerned this year about data privacy and security (the 56% response represents a huge jump from the 28% who cited this as a critical risk in 2011) and reputation and brand (52% in 2012, up from just 25%). This is particularly true of financial institutions, with nearly two thirds of surveyed financial institutions naming data privacy and security among the highest risks they face going forward. Obvious areas of concern faced by banks, insurers, and other financial services firms include risks related to protecting client data and potential vulnerabilities to cyber threats, and the threat of reputational damage should a breach occur. “Security and reputation are linked phenomena,” says Jason Pett. “In a data-driven world, it’s vital that you can defend yourself, whether that means dealing with direct attacks that can impact your operational performance and perhaps eventually damage your brand, or attacks aimed at obtaining confidential corporate data or private consumer data, both of which can also damage your reputation and brand.”

In the health services sector, data privacy and security are among the top concerns (at 63%), possibly representing concerns over the cost of compliance. This risk is becoming amplified as healthcare organizations increasingly exchange sensitive personal data and information using mobile technology and other Internet-based technologies. In the United States, the Department of Health and Human Services responded last year to a number of serious cases of breaches in patient data privacy by tightening its oversight and imposing fines on healthcare providers that did not adequately protect patient data privacy.

16 Risk in review

Figure 6. How well does your organization currently manage each of these risks?Percentage of respondents who rate their organization “well” or “very well”


Geopolitical risks


Large program risks

Talent and labor






Crime and terrorism



Business continuity



Competition

Fraud and ethics


Financial market 71%

65%

65%

64%

62%

57%

57%

55%

53%

51%

51%

50%

49%

48%

47%

45%

44%

43%

40%

34%


Case study: Swiss Re There are few organizations better placed to assess the changing nature of global risks than Swiss Re, the Zurich-based reinsurer. Not only does the company have its own global operations, but its client base gives it unique insight into changing perceptions of risk: where risk is coming from and, crucially for risk assurance, how it can be priced and managed.

According to Kanwardeep Ahluwalia, the company’s managing director of financial risk, Swiss Re focused on three major risks in 2011. The first, in common with almost every major global institution, was the potential for market meltdown against the background of the Eurozone crisis. “Clearly there were large financial risks to be assessed, but there was also a need for a lot of political risks to be in the mix,” he says. Concerned about the potential for trouble, Swiss Re undertook detailed research in 2009 and then in early 2010 further reduced its already small exposure to the European periphery. In particular, it cut its sovereign holdings from peripheral Eurozone member countries to negligible levels. “We took the view that if political risk was overtaking economic risk as a major driver of outcomes, then our strategic asset allocation needed to reflect that,” says Mr. Ahluwalia. To date, he says, the measurement of this risk factor has been generally good, but he acknowledges that it is an ongoing challenge to think through the second- and third-order impacts of potential future scenarios.

The second big risk in 2011 revolved around the issue of credit risk exposures to global financial institutions. Over the course of the year, Swiss Re made considerable effort to enhance its measurement and understanding of this risk, looking for ways to further improve and enhance monitoring of its exposures and its ability to control those exposures under stressed scenarios. “It’s an area that has been ripe for further evolution,” notes Mr. Ahluwalia. “Especially in insurance and reinsurance, we deal a lot in unsecured transactions where the regulatory framework is a key element of overall confidence.” He says there has been a major effort to work systematically through contracts and retrocessions (the technical term for deals between reinsurers) to assess what credit risks might be embedded in them. “It’s a big challenge encompassing data capture through to understanding the implications for our pricing and limit setting,” he notes.

Liquidity and capital issues emerged as the third big risk category of 2011 for Swiss Re. Once unpacked, this theme lines up neatly with broader identification of regulatory change as a huge risk that became even larger as the year went on. Swiss Re is one of the many companies facing the new requirements brought in with the EU’s Solvency II regime, but it is well placed thanks to its experience with the fundamentally similar Swiss Solvency Test. Nevertheless, the potential for divergent capital regimes represents an ongoing strategic risk that touches all of the company’s operations.

The combined nature of these three big risks has had specific impacts on how Swiss Re runs its risk management function. Mr. Ahluwalia says that in particular the organization has changed its approach to credit risk, now putting greater emphasis on country credit risk frameworks and changing its mechanism for aggregating risks into an overall picture for decision-making. But he describes an ongoing evolution of the company’s already sophisticated risk management process, rather than any startling revolution. “In recent years we have made quite big investments in risk reporting at the board and executive levels,” he notes, “and the risk management function in collaboration with the business lines has made its reporting more diverse and more directly relevant to the overall strategy.” But he judges the organization to possess a relatively developed ability to manage risk holistically, noting that the emphasis is on constant internal challenge to make improvements and refinements.

Competing for talent and laborIn 2012, the ability to access the right talent and labor will represent a major risk for more than half of organizations surveyed—up significantly from just over one quarter of companies that identified this as a top risk in 2011. A particularly thorny, long-term threat will be acquiring and retaining staff in a technology-driven world where engineering and IT skills will be in high demand and short supply.

While most surveyed organizations consider talent and labor a critical risk, more than half are dissatisfied with how well they are currently managing this risk. In a global market characterized by immense competition for human capital, many companies feel they need to up their game in attracting and retaining talent, particularly in emerging economies where employee loyalty is relatively low. Equally, from the perspective of risk professionals, finding the right people to oversee a more complicated and strategic risk function often can be vexing.

But some of today’s labor issues simply stem from economic volatility and its repercussions—such as labor unrest, union disputes, and unfunded pension plans. “There are some serious negotiations with unions that could materially impact us going forward,” one risk management leader who operates with a heavily unionized workforce told us. “With our collective bargaining agreement in Europe coming up this year, we have to be very prudent about how we approach those negotiations—especially key aspects of legacy union positions related to healthcare.”

18 Risk in review

anchor swiss

Key risks by region

As 2012 began, the global economy found itself at a dangerous crossroads. Sharply deteriorating financial conditions in the Eurozone and a slowing of growth in some of the largest emerging market economies painted a bleak global economic picture, with significant implications for risk management leaders worldwide. Forecasting a more pessimistic outlook overall for the global economy, Oxford Economics has further revised downward its GDP growth figures, projecting global growth at 2.4% for 2012. The still very serious possibility of more defaults by the Eurozone’s peripheral economies—which could lead at its worst to a breakup of the currency union itself—is widely considered the most serious economic risk facing the world. Such an outcome could

Japan/Australasia

North America (US, Canada)

Western Europe

Latin America/Carribean

Central/Eastern Europe

Developing Asia

Sub-Saharan Africa

Middle East/North Africa

Figure 7. Please rate the risk of doing business in the�following regions over the next 18 months.Percentage of respondents who rate this risk “high” or “very high”

77%

75%

65%

57%

52%

34%

25%

14%

cause severe financial and commercial disruption with global ramifications, and trigger another painful world recession.

But survey findings reveal that many organizations may not have fully grasped the seriousness of the fallout from an extended Eurozone crisis, and that in today’s “new normal” global market, the industrial world may actually be riskier than emerging markets. For example, despite reports from Euromoney and others, surveyed organizations overall continue to believe that emerging market regions pose the highest potential risk: Nearly two thirds of survey respondents believe the risks of doing business in emerging Asia are high, while only 34% rated Western Europe risks as high. This shows that risk managers themselves risk being caught unaware as the debt crisis in the Eurozone continues. If the crisis were to reach a critical point, the risk of

doing business in these countries would also increase—particularly if Eurozone policymakers respond by resorting to measures that protect local companies over foreign ones. The inability—or at least severe difficulty—in accessing credit from Eurozone banks during the associated credit crunch would also greatly raise the risk of doing business.

Changes in long-accepted paradigms and perceptions about regions and risk, together with an increasingly globalized world where technology and capital move across borders at rapid rates, mean companies that do business overseas must give ever greater priority to monitoring regional risks. Every country must be monitored as its own unique operating environment with different resources, labor market qualities, regulations, political stability, and security considerations.


anchor 7

Emerging AsiaWeaker growth forecast for emerging Asia in 2012 may take a further toll on the stagnant Eurozone economy through the resultant slower demand for Europe’s exports. Manufacturing and service sector activity in China slowed last year to the lowest levels seen since early 2009, with financial imbalances and an over-inflated property sector stoking concerns of a hard landing.

While growth rates in most of emerging Asia continue to decelerate from last year, the region’s recent economic performance and future growth prospects still look considerably brighter than those of Europe—and also of the United States. However, it is important to note that while this region is expected to see the greatest average GDP growth through 2016 (see Figure 8), it ranks third among respondents in terms of risk over the next 18 months (see Figure 7).

Indeed, a collapse in China’s property sector would severely hit consumer and business confidence in that country and beyond, likely further depressing domestic demand. The effects of a hard landing scenario for China’s economy would be felt

globally through trade linkages and financial contagion. Although Oxford Economics has raised the probability of a China hard landing scenario to 15% in 2012, there are encouraging signs that Chinese authorities have begun to implement policy measures to avoid this outcome—for example, cutting reserve requirements to ease credit conditions.

Indeed, the rapid growth of China, now the world’s second largest economy, has caught even some of the largest organizations that dominate their sectors off-guard. As an industry, industrial manufacturers did not foresee the rapid development of China’s steel industry, nor did they predict the country’s greatly increased consumption patterns.

EurozoneIn the Eurozone, tighter lending conditions have begun to have a further dampening effect on the already sluggish economy. According to Oxford Economics’ estimates, the Eurozone slid back into recession in the fourth quarter of 2011 and is facing a no-growth scenario in 2012. Despite numerous attempts, EU leaders have so far been unable to agree upon a resolution that

Figure 8. Economic growth prospects: 2011–2016Annual GDP growth, US$ basis

Eurozone

United States

Latin America

Middle East & North Africa

Sub-Saharan Africa

Emerging Asia


7.2%

5.1%

4.6%

4.1%

2.8%

1.3%

Middle East/North Africa

will halt the intensification of the Eurozone debt crisis. The largest single risk to global financial stability is the prospect of the Eurozone’s breakup or—less potentially catastrophic but still destabilizing—the exit of one or more of its members.

According to Oxford Economics’ central forecast, there is a 45% probability of the Eurozone avoiding a disorderly default in 2012, with advanced economies staging a mild recovery constrained by high debt levels, anemic job growth, and fiscal retrenchment, and the growing middle class in emerging economies bolstering consumer spending and trade (see Figure 9). Risks associated with this central forecast appear to be strongly skewed to the downside, and radical policy changes are required by the Eurozone countries to avoid a disorderly default of the currency bloc.

20 Risk in review

anchor 8

Industrial manufacturers did not foresee the rapid development

of China’s steel industry—nor did they predict the country’s

greatly increased consumption patterns.

Figure 9. Risks to Oxford Economics’ forecast

Oxford forecast (45%)

• Eurozone avoids disorderly default and steps taken to shore up banks

• Risk premia fall, and consumer and business confidence gradually recover

• But recovery in advanced economies limited by high debt, weak job growth, and fiscal retrenchment

• Emerging markets robust as policy eases and growing middle class supports consumer spending and trade

Disorderly Eurozone default (30%)

• Eurozone authorities fail to agree on a credible solution to tackle the crisis

• Pushes one or more countries into a disorderly default

• Run on banks, share prices plunge, credit conditions tighten

• Business and consumer confidence dives, deep recession ensues

• 10% probability of a full Eurozone breakup

Corporate reawakening (10%)

• Strong corporate liquidity feeds into investment

• This raises business and consumer confidence

• Banks’ balance sheets improve and credit conditions loosen

• Strong growth helps fiscal consolidation and lowers bond yields

China hard landing (15%)

• Commercial property crash and external weakness leads to banking sector stress

• Flight from risk leads to falling share and property prices

• Investment slumps in China as government recapitalizes banks

• Asian supply chain affected as domestic engine of growth stalls

Corporate stress

Gov

ernm

ent

stre

ss


anchor 9


The risk of a disorderly Eurozone default According to the most recent global scenarios prepared by Oxford Economics, uncertainty about the future of the Eurozone as a currency union remains one of the most concerning global risks. A disorderly default of the Eurozone—a scenario assigned a 30% probability in 2012—could take the form of a range of sub-scenarios, with a 10% probability of the complete demise of the Eurozone as a currency union.

Under this full Eurozone breakup scenario, failure by member countries to agree on a credible solution to the debt crisis would trigger a series of disorderly defaults and an ensuing collapse in business and financial confidence throughout the Eurozone and beyond. Interbank markets would freeze up in a way similar to what happened at the onset of the global financial crisis’s acute phase in September 2008, after the collapse of Lehman Brothers. This would usher in a severe global credit crunch.

Five so-called peripheral countries—Greece, Portugal, Ireland, Italy, and Spain—would withdraw from the Eurozone in early 2012 and reintroduce their national currencies, which would cause significant and costly economic disruption.

Under this scenario, exiting peripheral countries would see their national currencies depreciate sharply, while the residual euro appreciates. The exiting countries’ central banks—having regained sovereignty over national monetary policy and facing fragile domestic economies—would not raise interest rates to levels needed to counter high inflation and strengthen their currencies. GDP would decline precipitously in 2012–2013 in the five exiting countries, by 12% to 19% relative to the baseline. The core Eurozone countries also would see GDP decline sharply, by an average 10% by the end of 2013. Growth in China would slow to about 6.5% annually in 2012 and 2013. Bolstered by a weaker dollar and still healthy (albeit slower) export demand in emerging markets, US GDP growth would decelerate to just 0.7% in 2013. The UK economy would be more negatively affected, however, by its closer trade and financial links with the Eurozone: UK GDP would fall about 5% below baseline by year-end 2013.

22 Risk in review

Central and Eastern EuropeBecause of its commercial and financial ties with the Eurozone, Central and Eastern Europe is expected to feel the spillover effects of the euro crisis most strongly. Here, too, companies may be interpreting developments using an outdated prism: Surveyed organizations have a relatively benign view of the risks to their businesses posed by events in Central and Eastern Europe, with a relatively low 35% of participating executives deeming these countries high-risk. They are apparently not well enough attuned to the very real possibility of cascading effects from the euro crisis (including potential contagion should the Eurozone’s financial and economic troubles spill over) and the implications of an extensive retrenchment by Eurozone banks needing to shore up their capital, which is already underway. Central and Eastern Europe’s banking sector is particularly vulnerable to the risk of a severe credit crunch.

Middle East and North AfricaPolitical unrest in a number of Middle East and North Africa countries in 2011 ushered in an era of unprecedented political, economic, and social change. For now, disruptive effects have resulted in sharp reductions in economic growth in many of the region’s countries, and threaten to negatively impact businesses operating in the region. Iran represents the biggest regional risk. The possibility of an Iranian shutdown of the Strait of Hormuz in retaliation for the West’s

trade sanctions, or other more extreme measures by the Iranian government, would obstruct the transport of Gulf oil and gas and could trigger a significant spike in prices.

Unsurprisingly, 77% of executives responding to our survey consider risks to their business in the Middle East and North Africa region to be very high. In the medium to long term, however, the Arab Spring and the more open, equitable societies that could result could lead to greatly improved conditions for investors and commercial enterprises. As 2012 opened, the region’s economies were also feeling the effects of the Eurozone crisis—particularly North African economies, which have close trade and investment ties with the Eurozone.

Sub-Saharan AfricaSub-Saharan Africa has undergone a major turnaround in the past decade, with growth rates in a number of economies having outpaced those of almost every other region of the world, and Oxford Economics expects the region to see substantial growth through 2016 (see Figure 8). Accompanying this long-elusive economic growth is a growing middle class, which brings significant opportunity for enterprising companies based within and outside the region. Strongly influencing respondents’ risk perceptions, however, are the still considerable threats and deficiencies in commercial operating environments, including conflicts and rising threats from terrorist activity that continue to afflict several countries. These threats

While many African countries have seen significant

improvements to business and investment climates, business

and other regulatory and policy frameworks can still be fluid

in a number of countries.


United StatesWhile downside risks continue to be concerning, new upside risks to the US economic outlook have emerged recently (see Figure 10). Consumer confidence in the United States has been on an upswing in recent months, in marked contrast to the Eurozone. Only one quarter of surveyed firms see the United States (and Canada) as posing high risks.

While the outlook for the US economy is more optimistic, with recent estimates of economic performance generally outperforming expectations, the moderate recovery remains constrained by still-high levels of household debt and a weak housing market. And any further deterioration in global financial conditions due to the Eurozone crisis continues to pose a considerable risk, as do rising tensions with Iran.

24 Risk in review

and deficiencies led more than 75% to deem the region a high risk (see Figure 7). While many nations have seen significant improvements to business and investment climates, business and other regulatory and policy frameworks can still be fluid and weak in a number of countries, and infrastructure remains poor.

Latin AmericaLatin America’s largest economy, Brazil, returned to growth in November 2011, and domestic spending has rebounded in response to lower interest rates and government stimulus measures. Latin America seems to be perceived as lower risk than other emerging market regions, based on our survey findings: Just over half of surveyed companies consider the region to be high risk, a lower proportion than for other regions. According to Oxford Economics, the biggest risks in store for the Latin America region overall in 2012, as for much of the rest of the world economy, are posed by further deterioration of the Eurozone debt crisis and the possibility of a China hard landing.

Figure 10. Reasons to be optimistic about the United States

• Financial sector debt position much improved

• Inflation likely to fall sharply

• Competitiveness improved dramatically

• Corporate cash positions still strengthening

• Dependency on imported fuel declining

• Innovation high, and a possible new information and communications technology (ICT) boom could be imminent

• Political environment could improve after the elections

• But:

– End of Bush tax cuts as well as payroll tax holiday would imply massive fiscal tightening in 2013 if not extended

– Still needs to be significant fiscal adjustment in the longer term


anchor 10

Shifting the focus on riskAre companies paying enough attention to the right risks?

Maybe not. Executives cite economic uncertainty, competition,

regulation and government policies, the financial market, and

talent and labor as the top 5 potential risks over the next 18

months. Yet when asked how well various risks are currently

managed, a new picture emerges. For example, while 76%

say that economic uncertainty is a top risk, only 53% say they

manage this risk well or very well—a gap of 23 points. At the


Figure 11. Please rate how critical these risks are likely to be over the next 18 months and tell us how well your organization currently manages each risk.Percentage of respondents who selected “high risk” and “well/very well managed”

Crime and terrorism


Fraud and ethics


Business continuity



Financial market

Geopolitical



New product introduction

Disruptive technology



Competition


Large program risks

Talent and labor


Well managedHigh risk

76% -2353%

57% 45%

47% 44%

62% 62%

63% 64%

56% 57%

54% 55%

41% 43%

46% 50%

41% 49%

39% 48%

31% 40%

60% 71%

39% 51%

52% 65%

39% 57%

15% 34% 19

40% 65%

21% 47%

16% 51%

-12

-3

0

1

1

1

2

Gap

4

8

9

9

11

12

13

18

25

26

35



Geopolitical risks

other end of the spectrum, only 16% cite crime and terrorism

as a key risk, yet 51% say this risk is managed well or very

well—a difference of 35 points. While it is difficult to determine

the reasons for these differences (for example, risks such as

fraud and ethics may be of lower priority precisely because

they are well-managed), the results imply that executives might

consider shifting their focus to ensure that key risks receive

adequate attention.

What this means for your business

Coping with the new realities

27 What this means for your business

In 2012, increasing pressure from boards and senior management will impel risk management leaders to take stronger measures to assess and prepare for external risks. How will organizations change their risk management approaches in 2012, and how well prepared are they for the challenging times ahead?

Increasing cross-communicationPutting greater emphasis on communications and data sharing will be a top priority for companies in 2012, with two thirds of those surveyed taking steps to improve cross-functional/departmental communication. Times of increasing turmoil require increasing vigilance on the part of managers. “We’re a business that needs to be very integrated,” says Fidelity & Guaranty Life’s Barry Ward. “Our investment team has to be in frequent communication with our pricing, sales, and actuarial groups. Finance, treasury, and tax are all voices in that as well. So we’re a business that needs to stay very integrated

Putting greater emphasis on communications and data sharing

will be a top priority for companies in 2012.

across the functional lines.” Larger, more global organizations tend to have developed more complex management and operational structures, leaving them vulnerable to breakdowns in internal communication and understanding. The risk function is only one element of this, but it is often the one that is perceived as inadequate, vulnerable, or blameworthy when things go wrong. Risk managers and other senior executives are wrestling with this issue in both its external and internal dimensions.

Improving data quality and reportingFifty-seven percent of surveyed organizations report that they are beefing up their global economic teams, improving data quality, and putting in place improved processes for reporting data. One industrial manufacturing CRO explains how her company arranged for different business units to meet periodically to review and exchange information and data, as a form of early alert to possible upcoming risks to the business: “We started a weekly operating

committee session that talks through the operating decisions to be made that week—while adding certain data benchmarks to those we track, which are important to our sector globally, such as indices, government reports, and other market intelligence.”

Better forecasting and scenario analysisManagers realize they can no longer rely on general economic forecasts and the conventional economic models of the past. Organizations are turning to more sophisticated tools such as early-warning systems and contingency plans as they reconfigure their approaches to managing risk. More than half of those surveyed say their companies are taking steps to improve analytics and risk modeling through scenario analysis and other risk management techniques that map out, monitor, readjust, and respond to alternative scenarios. Certain best practices have begun to emerge: setting up scenario models or Monte Carlo analysis geared to the nuances of the business, running models as events unfold, preparing contingency plans for risk scenarios, and setting up monitoring systems to provide alerts to developments indicating that a scenario may be materializing.

“We are always looking to improve upon our modeling capabilities,” says Barry Ward. “Our models are just models; you still have to interpret them. And they may not tell you everything, so you need to apply it in a practical way to your company. Stochastic modeling with thousands of scenarios is helpful to our business, as opposed to deterministic modeling, where there are only a few scenarios.”

Companies are turning to more sophisticated

tools such as early-warning systems and

contingency plans as they reconfigure their

approaches to managing risk.

28 Risk in review

Fewer than half of respondents feel that the role of internal

audit fits well with the broader risk management efforts

of the organization.

Elevating the CROAwareness is growing that the risk function’s effectiveness could be compromised if it is not well integrated into both overall strategy and the operations and decision-making processes needed to run the business from day to day. In recognition of this, the creation of the CRO function in more organizations across sectors is an important advance in risk management and is likely to pick up momentum into 2012 and beyond. “We are likely to see CROs getting more cross-functional access and ability to effect decision-making,” says PwC’s Ron Kinghorn. This puts the risk management role on the proactive offensive instead of reactive defense.

This point is reinforced in our survey findings. Fewer than half of respondents feel that the role of internal audit fits well with the broader risk management efforts of the organization. And executives tended to be lukewarm, at best, in their view of how well their internal audit function’s risk assessment processes are coordinated with the company’s enterprise risk management (ERM), ORM (operational risk management), and BCM (business continuity management) processes. Linkages between internal audit and functional risk management groups (those embedded in business units or other functions) are considered even weaker. Clearly, internal audit sees opportunities for improvement in the future.

Some organizations, however, are taking the lead in allocating internal audit a role that enhances overall risk management. “At Microsoft, internal audit has earned a seat at the table and demonstrates how it can create business value,” says CFO Peter Klein. “IA demonstrates the appropriate level of balance between partnering with stakeholders, as well as understanding the business issues and processes to provide consultation and recommendations on how to mitigate potential risks.”

During the strategic risk planning process, risk management and the execution of the strategic plan must be considered simultaneously. “Effective CEOs don’t let reward potential blind them to the risks and other consequences associated with the pursuit of strategic objectives,” says Christopher Michaelson of PwC’s Global Advisory Strategy and Risk Institute. “Good strategy incorporates a realistic appraisal of and plan for associated risk and stakeholder management, so that successful execution is not vulnerable purely to chance.”

Integrating risk managementAccording to one senior executive in the financial services industry, efforts to manage risk more holistically or in a more integrated fashion can be hampered by the difficulty of finding risk professionals from a sufficiently

diverse set of backgrounds, given the tendency for them to have had relatively narrow training in specialist areas such as credit risk or operational risk. Nevertheless, there are distinct functional areas where good progress has been made across sectors to manage risk more holistically. Companies continue to integrate risk management into decision-making processes relating to “traditional” functions such as strategic planning (as reported by 54% of those surveyed), investment/divestment (51%), budgeting/forecasting (50%), and performance measures (46%). In new areas such as talent management and outsourcing, however, organizations are not yet effectively integrating these areas into decision-making. These areas are prone to major potential risks, yet as many as 17% of those surveyed rate their company’s management of these risks as poor. Addressing these gaps and integrating these new areas into decision-making will give organizations improved ability to respond to, govern, and manage risks more effectively during periods of rapid change.


Best risk management practices by industryWhile corporations across all sectors are implementing decisive measures to cope with the new risk landscape, three industries stand out because of the proactive steps they are taking: financial services; technology, information, communications, and entertainment (TICE); and health services. Each of these industries is exposed to a high degree of risk from shifting market dynamics and disruptive technological change. But their strategies for dealing with this new era of risk can vary sharply due to the nuances of their business.

Financial services firms, which have long been leaders in risk management because of the inherent volatility of financial markets, are creating next-generation ERM approaches that may provide lessons for other industries. Many of these organizations have already implemented ERM systems, but as the survey shows, they are now getting their data to work harder by improving the quality and timeliness of their reports and building more sophisticated data analytics and risk models. The impetus: changing regulations, particularly Basel II and III and, in the United States, the Dodd-Frank Wall Street Reform and Consumer Protection Act, all of which are causing financial services institutions to tighten up reporting and turn to stress- testing and other sophisticated risk techniques to pinpoint vulnerabilities. Similarly, with the role of the CRO now firmly embedded in the majority of financial organizations, more than half

(56%) are pushing toward a more holistic risk management approach. By enhancing cross-departmental and cross-functional communication, and by integrating risk management with decision-making, financial institutions hope to sharpen their ability to respond to fast-moving market conditions and better cope with strategic and non-traditional risks. (See the Swiss Re case study, page 18.)

For the TICE industry organizations, it is technological change, not regulatory change, that’s driving market transformation. Last year was a tipping point for the industry, with the digital market decisively entering a second phase. In this phase, traditional business will be eclipsed by digital trends, which will dominate business models, customer relationships, and revenue growth. To prepare for these shifts, which have the power to supercharge corporate performance, TICE companies are making wholesale improvements to their risk management capabilities. To stay in touch with customer needs and identify sudden shifts in demand, two thirds of surveyed TICE companies are using the latest technology and techniques, like social media, to drive improvements in their data and reporting. Sixty-three percent are giving priority to better cross-functional/departmental communication, to improve internal capacities to stay on top of rapidly changing trends. And because of the pace of change and the major impact on corporate strategy, boards at more than half of our surveyed companies are taking a more active role in risk management. “The risk landscape for TICE companies is characterized by complex operating

environments and rapid product innovation, so it is not surprising to see them evolving their risk management capabilities to be fit for such a demanding environment,” says Brian Brown, PwC principal and leader of Risk Assurance Innovation in the United States.

Facing radical market transformation caused largely by regulatory change, companies in the health services sectors are also actively re-engineering their risk approaches. Aware of the drawbacks to silo thinking in an interconnected world, the vast majority of health services organizations are improving cross-departmental/functional communication to overcome this common problem, which is seen often, for example, in large decentralized pharmaceutical companies. In addition, to manage the far-reaching strategic risks caused by the new healthcare agenda in the United States and Europe, a majority of surveyed companies in this sector are also taking steps to integrate risk management with decision-making—and more than half are getting their boards more directly involved in risk management. The passage of healthcare reform in the United States, for example, has prompted health services companies there to create more flexible internal systems and techniques to help them cope with increasing policy uncertainty and change over the next few years. Timely data is essential to respond quickly, which is why the majority of organizations in this sector are enhancing their data reporting (62%) and IT infrastructure (62%). (See the CareFirst case study, page 31.)

Figure 12. What steps are firms taking to enhance their risk management approaches in uncertain times?Percentage citing response by sector

Increased integration of risk management with decision-making

IT infrastructure

Board level/senior management governance

Better analytics and risk modeling

Improved data quality and reporting

Better cross-functional/departmental communication

Industrial products*

* Industrial products includes the automotive and energy sectors, as well as utilities ** Techonology, information, communications, and entertainment

Financial services TICE** Health services Retail and consumer

68% 61% 63% 64% 68%

67% 49% 54% 66% 52%

62% 46% 48% 47% 43%

45% 44% 42% 45% 35%

51% 36% 51% 49% 36%

56% 50% 45% 46% 50%

30 Risk in review

Bolstering IT Although data privacy and security also rank as a critical risk, about 45% of the total organizations surveyed feel they currently manage this risk poorly. Data privacy and security was also singled out as an area that is likely to receive increased investment during 2012 and beyond.

As the number of security incidents increase, so, too, do the clean-up costs. According to a recent PwC paper, Fortifying Your Defenses: The Role of Internal Audit in Assuring Data Security and Privacy (2012), the 2011 hacking of Sony’s PlayStation Network cost the company more than $171 million—and analysts estimated the potential cost of investigations, compensation, lost business, and additional data security investments could go much higher. Even more worrisome, a June 2011 study conducted by the Ponemon Institute revealed that 90% of companies had computers that had been breached at least once in the prior 12 months.

All companies—large and small, across all sectors—need to take stock of where to build better processes, practices, procedures, and technical defenses. Companies with global expansion plans must be wary of increased risks that result when IT infrastructure spreads to support these plans, keeping in mind that an IT infrastructure network is only as good as its weakest link. At the same time, shifting technology and heightened competition for new customers in new markets mean more companies will feel increasingly compelled to rely on social media and new ways of working with IT to reach these new customers.

Because this also exposes organizations to more risk, it will be imperative that they do their homework first and study the setbacks and successes of peers who pioneered the use of these new technologies for commercial purposes.

Greater board involvementBecause more sudden, unexpected risks are emerging in today’s volatile, unpredictable operating environments, board involvement is increasing: 43% of surveyed companies are taking steps to strengthen board-level and senior management governance. This year will see further shifts to a top-down approach.

How involved should the board be? Effective boards understand the risks facing a company and then have in-depth discussions with management to make sure those risks are being handled properly. This discussion should also cover potential risks that are not yet on management’s radar, and what the implications of those emerging risks might be. Catherine Bromilow, partner and leader of PwC’s Corporate Governance Board, explains that directors can add value by using their combined experience and insight into other companies to help management be effective and, ideally, even “see around the corner” to better anticipate unknown risks.

Furthermore, half of all survey participants believe that management does not define their organization’s

tolerance for the amount of risk acceptable in different areas of the business. This suggests there is an ongoing challenge to translate the desire for clarity and transparency about the top-down view of risk into meaningful information that the front line can act on. Some organizations have made progress at the board level in defining and articulating risk appetite statements—often via relatively recently formed board risk committees operating under specific charters. But top-level momentum can be difficult to mirror further down in an organization.

Clearly, this progress represents only the beginning of a longer-term challenge. And it also varies considerably by sector, with financial services perceived to be in the vanguard, followed by other risk-intensive sectors such as energy and pharmaceuticals. There is also a correlation between size and sophistication, says PwC’s Ken Coy: “Bigger companies tend to have access to a greater number of resources and to be more evolved, with good debate over the roles and opportunities to capitalize on risk management practices. Smaller companies, meanwhile, generally have a more focused perspective on risks directly facing the company.” He adds that where boards and the C-suite are engaged in an open dialogue on risk, there is likely to be a healthy influence on the culture of the internal audit function as a vital cog in overall risk management.

anchor carefirst

Case study: CareFirst The US healthcare industry has undergone fundamental change in recent years, with huge consequences for providers and insurers. The process is ongoing as President Barack Obama’s health reforms are implemented, and is also subject to enormous uncertainty: Depending on electoral results as well as decisions in the US courts, some or all of the legislation might be rolled back, but there is also the possibility of further reforms that will demand yet more changes to business models and practices. “Our favorite word around here is that we need to be nimble,” says Mark Chaney, CFO at CareFirst BlueCross BlueShield, one of the biggest regional health insurance groups in America. “We need to be able to react and move in different directions. Even to the point that the health insurance industry could become almost completely new to us and everyone else in our industry around the country.”

All of this makes risk management an important and growing priority, he says. In recent years, the company has been developing a compliance culture to help it cope with its industry’s steepening regulatory hurdles. But it has also been steadily increasing its compliance expertise in order to mitigate the downside risk and reputational harm that operational and compliance failures could bring. And it has spent millions of dollars over the past three years on a major IT overhaul, bringing its systems up to the standards required by regulator and marketplace demands. Awareness of data security and patient confidentiality risks is high on the company’s agenda.

CareFirst has also been investing in more sophisticated risk management approaches as part of a strategy to shore up its earnings in an extremely competitive and fast-changing landscape. “At the heart of our risk system is a risk-based capital model,” says Chaney. “For us it’s the key financial metric. It is the best indicator to us that some of our risks are playing out either favorably or unfavorably. The number links directly to our pricing strategies and to an important part of our mission—how much we give back to the community in the way of grants and programs to improve the healthcare of our community—and to our targeted underwriting margin and net income, on both an annual and three-year basis.”

Chaney says that CareFirst has also been shifting its risk management approach, moving to a more top-down model based on the goal of making sure that the 30-plus members of its board of directors are informed of the changing risk environment. “We’ve been trying to get them to understand the potential impacts of this federal healthcare reform,” he says. “We showed them something that we had never showed them before—that is, a five-year model post-2014, which is the biggest part of this reform, and the multiple scenarios that we might have to deal with, good and bad.”

What are the big risks driving those scenarios in 2012? The uncertain future of the US economy and federal healthcare reform top the list, dwarfing the other main risk factors identified by Mr. Chaney, but he acknowledges that the economy is closely tied to the evolution of the European financial and sovereign crisis. And he cites uncertainty in capital markets as a major ongoing risk, arguing that it has become extremely difficult to assess fixed-income investment portfolios in a world where yields are unprecedentedly low. Add in the US elections and it seems fair to conclude that “2012 is going to be a pivotal year.”


Risk management imperatives for 2012To prepare for the new global risk landscape in 2012 and beyond, companies should reconsider their attitudes and approaches to risk. Dean Simone, PwC’s US Risk Assurance leader, suggests that senior executives ask the following questions to find out whether their company is ready for the road ahead:

1. Is your board thinking beyond traditional risk frameworks and focusing on the right strategic risks? Many boards still concentrate on “known” risks, such as those identified and monitored in ERM systems. But research has shown that in the past, companies have been most badly damaged or destroyed by “unknown” risks. These can be black swan events that hit without warning, or emerging risks with far-reaching implications that grow more serious over time. According to Dean Simone, “One of the best ways to protect against unknown risks is to think about vulnerabilities rather than trying to predict risk events. Ask yourself, what are the assumptions behind our strategy and business model—and what happens if those assumptions are blown off course by a major disturbance?”

2. Have you encouraged a risk-aware culture? In today’s fluid environment, rigid risk cultures that focus on compliance—and simply identifying, assessing, and prioritizing risks—are becoming anachronistic. Risk-aware cultures understand that risk is not just to be avoided, but often needs to be accepted and made a pivotal part of an organization’s business strategy. Just as important,

a risk-aware culture does not see risk management as a single job for one department; rather, it is a shared responsibility across the organization. “The old paradigm was to control risks through rigid rules regardless of business circumstances,” says Mr. Simone, “but risk-aware cultures are more flexible. They put in guard rails and ensure people operate within these bounds.” He recommends that senior executives alter management rewards and incentives to reinforce this new way of thinking and create risk appetite statements that widely communicate the risks the company is willing to bear. With this new culture comes a new breed of risk manager: one who is strategic, collaborative, and able to think laterally.

3. Is risk management integrated across departments and functions? Having a risk framework set by the board will help to break down barriers not just between departments, but also between different forms of operational, financial, and strategic risks. A holistic approach to risk management will ensure that the full corporate team—including HR, IT, and other new guests at the table—has a hand in framing the risk agenda. It will also help align risk with business strategy, and support the successful execution of that strategy. Mr. Simone explains: “The problem with many ERM-based risk systems is that they tend to examine single risks. In today’s interconnected world, companies need broader systems that can look at all potential aspects of risks—not just in one silo but the connections in the second and third order. In short, the implications of the risk across the entire enterprise and the systems it operates in.”

4. Have you expanded your repertoire of risk and forecasting techniques to include innovative tools geared to today’s complexity, uncertainty, and velocity? One hard-learned lesson of recent times is that conventional forecasting approaches can no longer be fully trusted. Today’s more complex, interconnected world calls for more sophisticated approaches such as scenario modeling, which can show the impact of external shocks or new assumptions, calculate the accelerating change and magnitude of impact, and identify the catalytic effects. A particularly effective way to understand “unknown” risks is reverse stress-testing. Unlike scenario analysis, which starts with a risk event, reverse stress-testing begins with an unfavorable outcome (e.g., corporate bankruptcy) and identifies circumstances that may cause the outcome.

Facing the new risk landscapeIn a world that’s tied together ever more closely by trade, finance, and digital communications, risks are arising more quickly and unexpectedly than ever before, with significant potential impacts on companies’ operations, reputations, and even survival. To thrive, companies must adopt a new and more robust approach to defining, communicating, and managing their global risk profile. Going forward, the only predictable thing about risk will be that it’s always changing. The challenge for companies is to craft a risk management approach that’s defined by its readiness—for anything.

32 Risk in review

www.pwc.com

© 2012 PwC. All rights reserved.“PwC” and “PwC US” refer to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. This document is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. MW-12-0220

To have a deeper discussion about this subject, please contact:

Dean Simone, Partner US Risk Assurance Leader [email protected] T: (267) 330 2070

Ken Coy, Partner US Risk Assurance–Governance, Risk, and Compliance Leader [email protected] T: (213) 217 3000

Brian Brown, Principal Risk Assurance Innovation Leader [email protected] T: (949) 241 5052

Jason Pett, Partner US Internal Audit Leader [email protected] T: (410) 659 3380

Ron Kinghorn, Principal US Advisory–Governance, Risk, and Compliance Leader [email protected] T: (617) 530 5938

Christopher Michaelson, Director PwC’s Global Advisory Strategy and Risk Institute [email protected] T: (612) 596 4497

Neelam Sharma, Director US Risk Assurance Strategy, Sales, and Marketing Leader [email protected] T: (973) 236 4963

This publication is printed on Mohawk Options 100PC. It is a Forest Stewardship Council (FSC) certified stock using 100% post consumer waste (PCW) fiber and manufactured with renewable, non-polluting, wind-generated electricity.

risk in review rethinking risk management for new market ... · rethinking risk management for new...

Documents