For more and more companies, their front-line business units (such as sales teams) have a role to play in risk management activities amid rising cases of personal data leakage and food safety scandals, according to PwC’s 6th annual Risk in Review report.
“Data analytics and other tools mean that front-line people and processes, as well as corporate culture, can be more effectively used to manage risk, rather than primarily relying on specialist back-office functions,” says Jim Woods, Global Risk Assurance leader for PwC.
“Companies that can also make use of this first line of defense tend to have a much stronger risk culture and are more confident about their future financial performance. The aim is not to avoid risk, but to manage it.”
Risk management professionals talk about four lines of defense:
1st: Culture, people, processes, systems and controls;
2nd: Board level oversight, along with dedicated risk management and compliance functions;
3rd: The internal audit function;
4th: External assurance through third-party providers and regulatory oversight.
Increase risk management activities in first line of defense
PwC’s report reveals that 56% of Asia-Pacific companies plan to increase risk management activities in the first line of defense over the next three years, compared to 46% globally.
“In a fast-changing business environment with heightened regulatory requirements, there will be an increasing burden on the second line of defense – such as risk management and compliance teams. This makes it more difficult for them to stay on top of the changing risk and governance landscape,” says Cimi Leung, Risk Assurance Markets leader for PwC China and Hong Kong.
“New technology and approaches, such as data analytics tools, have had a strong enabling effect on first line business units – particularly for larger firms. A sales team, for example, can be better equipped with robust business insights to make risk-informed decisions.”
But, while leveraging technology can be critical to managing risk, only 39% of Chief Risk Officers (CROs) in Asia-Pacific feel their company encourages a data-driven culture for decision making. This compares to 51% globally. So there is still an opportunity for business units in the region to more fully embrace the power of digital.
Asia-Pacific firms also score less well when it comes to educating their people and fostering a strong risk culture.
No mandatory training
A significant 37% report that their employees receive no mandatory training in compliance and ethics, versus only 28% globally. Instead, they depend on their audit committees, which may not have the full range of risk management skills and tend to prioritize financial accounting and internal and external audit issues.
As elsewhere, Asian firms struggle with the challenges of cyber-security and data privacy. To address this, 58% of Asia-Pacific CROs have made working with CIOs, CTOs and business heads to tackle cyber-security a top priority. This compares with 48% globally.
“Recent updates to the Corporate Governance code of the Hong Kong Listing Rules will encourage Hong Kong companies to improve their 2nd line of defense,” says Woods.
“Apart from lacking a dedicated risk committee, many do not have a formal Enterprise Risk Management framework. Above all, too many see risk management as being a series of negative challenges rather than as a source of potential competitive advantage. The better equipped you are, the more risk you can handle relative to your competitors.”