A recent study from PwC identified that companies within Asia Pacific are increasingly shifting the risk management programme back to their senior management and business units, whilst increasing alignment across all three lines of defence.
A survey was carried out in 2016 with 1600 executives spanning 30 industries to identify how companies were managing risks and what the prevailing trends were. The survey reported that the second and third lines of defence consist of risk and compliance functions along with internal audit, both critical players when executing risk management effectively.
A clear trend identified was corporate executives and business units taking the lead role by aligning ownership of key business risks with ownership of business and decision making. This is resulting in a collaborative approach to risk management with risk accountability in the first line of defence supporting greater organisational resiliency and growth.
Some of the key findings were:
- 70 percent of executives in Asia Pacific, compared to 63 percent of their global counterparts, agreed that moving risk management responsibilities to the first line of defence makes their company better at anticipating and mitigating negative risk events.
- In China and Hong Kong, the 2nd line of defence is not well-developed and many organisations lack a formal enterprise risk management framework. Risk management is still mainly driven by the 3rd line of defence, especially in the SME segment.
- Cybersecurity is a growing risk of particular concern. Encouragingly, 58 percent of Asian Chief Risk Officers (CROs) say that partnering with CIO/CTO and business leaders to minimise these risks is top priority for their risk function in the next 18 months.
- 67 percent of APAC CROs report having senior management's support for the value of a strong risk management strategy, trailing 72 percent globally. As a consequence, the region also lags (53 percent vs 61 percent globally) in the risk management team increasingly providing proactive advice and guidance to other business functions. These are the areas where the CRO can take a leadership role to improve their organisation's overall approach to risk management, said the report.
Mr Jim Woods, Global and China/Hong Kong Risk Assurance leader at PwC, suggested that companies in APAC, especially in Hong Kong and China, should follow the guidelines below in order to move towards first-line-of-defence risk management:
- Set a strong organisational tone focused on risk culture. Begin with the CEO, CRO and the Board and permeate within the organisation, with continuous monitoring and measurement of its effectiveness.
- Align risk management with strategy at the point of decision-making. This is so that first line decision makers anticipate business risks when setting tactical priorities.
- Recalibrate risk management programmes across all three lines of defence. The first line owns business risk decision-making, the second line monitors the first, and the third line provides objective oversight.
- Implement a clearly defined risk appetite framework. This means creating a commonly understood risk taxonomy for aggregating, tracking and predicting risk, and leveraging technology and data analytics when available.
- Develop risk reporting, as this will allow executive management and the board to discharge their risk oversight responsibilities. The key is to consider risk management across various stages from strategy to execution.