Future proofing your organisation with risk management

An interview with Alexandra Burns and Richard Thomas

Richard Thomas and Alexandra Burns discuss key current and emerging risks as well as how to successfully address them – from the strategic board level and throughout the organisation. They provide recommendations and approaches for ensuring that a risk culture is embedded by design for maximum positive impact, as well as for developing your risk management career and professional networks.

What are the key challenges facing risk leaders? How has this changed over the last two to three years?

Alexandra Burns and Richard Thomas: Risk leaders are now working in a permanent state of disruption, dealing with multiple crises and issues that were previously neither on their radar nor high on their agendas. To some extent, Covid was a major standalone crisis. Now we have Covid, plus the energy crisis, inflation and the war in Ukraine.

Traditionally, you had a relatively stable base from which to work. Risk leaders now need to deal and be comfortable with this new, disruptive situation, while supporting the board and the organisation to constructively address key challenges. The old approach of having a Business Continuity Management (BCM) plan, more or less conducted as a tick-the-box activity, is over. A multiple crisis state of affairs requires a different mindset, enhanced skills and an agile risk management approach to increase organisational resilience.

What is the top tool that risk leaders are using to address this multi-crisis situation?

Top risk leaders are increasingly using scenario planning. This provides a boost to organisations in identifying and addressing events that could come into play. For example, ten months ago, most people would not have thought that there would be a war in Europe, so close to us. Now we have one. For such reasons, the more forward-thinking organisations develop scenarios and solutions for dealing with them. As it’s now clear that the unthinkable can happen, this is often done with outside support to challenge their consideration set of potential scenarios and solutions.

How have board agendas changed, in relation to risk, as a result of this multiple crisis situation?

About five years ago, risk was a standalone item and not the leading topic for most boards. Now it’s “top of house” for most boards and increasingly viewed as a strategic item. This is a positive development. On the other hand, many board members are not comfortable in dealing with emerging risks, such as cybersecurity. For example, they might not understand everything that a CISO presents and, therefore, prefer to leave the topic to someone else on the board. For this reason, it is extremely important to ensure that board members are kept up to date about the latest developments and potential risks, with relevant training.

Why is it essential for board members to understand emerging risks and ensure they are addressed?

The major reasons for someone having to leave a board are typically risk-related. This might include, for example, a risk culture issue or a major risk event that was mismanaged. At the same time, there are issues of personal accountability, liability and reputation at stake. Boards need to ensure that they’re getting what they need from the organisation to feel comfortable about their decisions.

Current and emerging risks are strategic issues. Board members don’t need to deal with technical minutiae of them. It’s more important to understand what it means for the business. What are the major things that can go wrong? Is the organisation spending money and attention where it should be? In our discussions with board members, we’re seeing a positive strategic shift on cyber issues. The next boundaries to overcome are around the convergence of post-crisis resilience, third party, technology and people risk.

About Alexandra Burns

Alexandra is a Partner at PwC Switzerland and leads the Financial Services Risk Consulting & Internal Audit practice.

Alexandra specialises in advising clients on the design and implementation of integrated Risk Management and Compliance Frameworks. An engineer by training, she has over 15 years’ experience in delivering major programmes in the Financial Services and Technology sectors. Her leadership and management responsibilities within the practice also ensure a practical, leading-edge approach, to helping her clients protect and grow their organisations.

Why is people risk important?

People risk, such as attrition, retention or wellbeing, is a leading organisational risk and a management issue. We have amazing companies in Switzerland who develop, for example, great pharmaceutical, engineering and banking products. These companies wouldn’t be where they are if it wasn’t for the people. Following the pandemic-driven move into home offices, some companies are still struggling with successfully implementing a sustainable hybrid working model, which has risk implications. The way in which you embed your risk culture into the workforce is paramount. This involves listening to employees, understanding what’s important to them and acting in an appropriate manner so that they are engaged and doing the right things for the right reasons, when it comes to minimising risks.

What role does culture play in successful risk management?

Culture is a key driver of success. If you get the organisational culture right, it can pull you through a crisis even if specific items are still a work in progress. That’s a key reason why it’s important to have a risk culture embedded throughout your organisation.

It’s also fundamentally important for boards to understand the company culture. The culture will impact the level and type of information that they receive. A “good news” culture, where any bad news is filtered out before it reaches the board, limits the information received and the opportunities for pro-actively addressing emerging risks. As a board member you need to be aware of and counter that, for example, by asking questions until you’re satisfied with the answers received and rewarding people who highlight issues.

How important is communication in risk management?

Communication is important at so many levels. A lot of problems occur because of miscommunications. It’s a major challenge for many organisations to ensure that they have consistent messaging about their key risks and their risk mitigation approaches, so that employees know what’s expected of them.

On a standalone basis, risk policies might appear daunting. Successful risk managers have the skills to communicate with stakeholders about the policy points that really matter and their benefits to the business. They drive solution-based discussions about risk mitigation steps and responsibilities.

What are your key recommendations for harnessing the full potential of risk?

Firstly, lots of basics can be improved. For example, on the technology front, do you have all your data in one place to cross reference? Is your story lining up across the various data points? Companies can, and do, benefit from getting these basics in place.

At a strategic level, it comes down to having the conversation with your key stakeholders about the role and value of risk. That includes your board, your first line functions and audit. It sounds basic but we find that once you ask the question about the role of risk you receive very different answers. You should also ask the question of how your risk function is currently perceived. Together, these views will give you an understanding of where you stand today and where you need to go in order to future proof the organisation.

How is risk changing and what are the implications?

In five years’ time, risk will look very different and it won’t be enough to simply streamline your current processes. This will not future proof your organisation. Therefore, it’s essential to understand the key capabilities you need to meet the risk management mandate, including where you need to invest and where you need to upskill or hire. Ultimately, it’s about transformation and embedding the risk function throughout the organisation. Risk management has to go beyond the core risk roles in the first and second lines of defense because you cannot prepare for multi-crisis situations using a silo-based approach.

About Richard Thomas

Richard is a Partner at PwC Switzerland. Richard is the Risk Consulting Leader (Trade, Industry, Services) and the Territory Leader Internal Audit in Switzerland.

He is a Certified Internal Auditor and has more than 24 years of experience in conducting internal audits and improving internal control reliability for international companies in Europe, the Americas & Asia. In addition, Richard has extensive experience in designing, implementing and optimising governance, risk management and internal control frameworks as well as supporting clients with transforming their control and audit activities.

What advice would you give people thinking about a career in risk management?

It’s a great place to spend even a part of your career. There’s always something new happening and lots of learning opportunities. It really teaches you to think about risk and reward which is an important agenda setting and communication skill.

Risk management is both an art and a science, involving numbers, statistical models and people. Most importantly, it comes down to people and the unpredictability of their behaviour, which keeps you on your toes. Not only does it give you a terrific place to combine and hone both skill sets, but if risk is implemented correctly, then it’s a very strategic part of the organisation.

What do you see as the most important characteristics of successful risk managers?

They are genuinely curious about issues that could have an impact – positive or negative – on an organisation. They look at other industries for precedents. For example, if they work in the pharmaceutical industry, then they might look to other heavily regulated sectors such as financial services. They are good listeners and recognise the profound value of networks, which typically extend beyond their own organisation or industry.

Contact us

Alexandra Burns

Partner, Leader Financial Services Risk Consulting & Internal Audit, PwC Switzerland

Tel: +41 58 792 46 28

Richard Thomas

Partner, Risk Consulting, PwC Switzerland

Tel: +41 79 816 27 00