Reducing IT security risk is much more difficult when managing systems that do not work well with each other, an issue faced by a majority of large organizations, according to PricewaterhouseCoopers' recently released "2022 Global Risk Survey."
Perhaps the most relevant and startling finding of the wide-reaching research is that three-quarters (75%) of organization respondents surveyed said that having various systems and networks that are not compatible “is a significant risk management challenge,” according to Elizabeth McNichol, enterprise tech leader of PwC’s cyber, risk and regulatory team.
Even more surprising: Just over one-third of those companies that face this challenge (35%) are actually addressing it in a “formal, enterprise-wide manner,” McNichol added. “Does this reflect a lack of awareness within these organizations regarding the importance of a coordinated approach and how important is this to the overall strategic approach to risk?”
“Organizations in the financial services sector were most likely to be addressing the challenge of pace of transformations at the enterprise-wide level,” McNichol said, adding that private equity was the exception, as they typically addressed this challenge at the business-unit level. Nearly one-quarter (23%) of the enterprises surveyed by PwC were financial firms, the largest category represented in the survey.
Across all sectors, the survey found roughly two-thirds of enterprises (64%) are increasing overall spending on risk-management technology, with 75% increasing spending on data analytics, 74% on process automation, and 72% on risk detection and monitoring. And, commensurate with greater investment, 64% of respondents also said they were “making better decisions with better outcomes by consulting with risk professionals early.”
While the ongoing pandemic and its fallout have clearly had a far-reaching and pervasive impact on IT security risk, organizations also cited overall “macro market risks, business and operational models and changes in those models, cybersecurity and information management, external change, and then geopolitical risks” as top concerns related to revenue growth, according to McNichol.
The survey found financial services was one of three sectors that were more likely to increase spending on risk management workforce practices across all focus areas, including technology and digital capabilities, implementing diversity, equity, and inclusion programs, and reorganizing the structure of the risk functions, McNichol underscored.
Also, financial firms were more likely to indicate they were "realizing benefits" across the six main areas of risk management strategy and development, McNichol said. According to PwC research, those six key areas are: creating a governance, risk and controls system that is panoramic and integrated; increasing collaboration amongst the three lines; defining or resetting risk appetite and risk thresholds; investing in first-line risk management processes and tools; quantifying new risks to assess risk exposure and to adjust risk appetite; investing in risk culture; and considering behavioral risk.
One key factor that could determine success or failure: Including risk-management capabilities at the start of new projects or strategic initiatives, and embedding them into these projects every step of the way is “something that many of our respondents felt was absolutely critical,” McNichol said. “Embedding risk management from the outset has helped executives to make better decisions and has led to more sustained outcomes.”
While a sharper focus on risk management, especially in financial services, is promising, McNichol pointed out: “There is still work to be done.”
“While the majority of organizations demonstrate a maturing approach to risk management,” she added, “almost one in four organizations remain reactive in their approach to risk management.”