ALM Intelligence: Q&A with PwC's Brian Schwartz

Schwartz: There's pressure on companies to grow through innovation, and it is driving many to undertake major multiyear digital transformation initiatives. Since companies initially set up their risk management programs as protection against downside risk, many view risk management as a gatekeeper and a wet blanket to the innovation process. We are helping change the perception of risk management by building their capabilities as both a protector of the company and an enabler of innovation and strategy. The best way for second line risk management functions to contribute as an enabler is to closely align and integrate with their organization's strategic planning processes. We help risk management functions earn a seat at that table by proving they add value by raising awareness of risks that may derail success against strategic initiatives. Our goal is to get risk management involved in innovation and transformation design and planning from day one, so they can help shape and influence the process at the front end all the way through implementation. In this way, risk management functions can inform participants in a timely fashion whether new initiatives remain within board-approved risk appetite/tolerance frameworks or work with the board and senior management to adjust it if necessary, particularly around newer areas like cybersecurity and data privacy. 

ALM Intelligence: How is digital affecting the risk function itself?

Schwartz: Well, company boards are increasingly demanding a comprehensive and prioritized view of all the risks across their organization. The challenge, however, is that in most companies, the information—if it exists at all—is spread widely across the organization's business units and lines of defense. We've come into situations where the CRO is spending hundreds of hours prior to each board meeting trying to collect and compile this data, even before the analysis begins. Thus, we see a massive need for risk management to undertake their own digital transformation. Luckily there are excellent GRC technology solutions available that enable a common digitized platform with standardized measurement and monitoring processes. The common error we see in companies implementing GRC solutions, however, is that they do not accompany implementation with change management and thus many times these potentially powerful platforms sit there largely unused. Proper implementation involves a dedicated change management program with active communication, facilitation and education across the three lines of defense to support the need for change and new ways of working.

ALM Intelligence: So what does the future hold? 

Schwartz: PwC's focus is to help clients create a truly integrated risk management program where all three lines of defense are on the same page about key business risks, internal controls, and metrics so that leadership can make decisions based on a confident and comprehensive view of how well their organization can manage and monitor risk. PWC is committed to helping our clients innovate, think about innovation risk and driving innovation into the risk management functions so they are better positioned to enable stakeholders and strategy. Said differently, transforming lines of defense into integrated lines of defense and offense to support the firm's digital transformation journey.