Prior to joining PwC, Schwartz worked for Ernst & Young where he had been a partner since 2005 and most recently served as the Global & Americas Internal Audit leader since 2011. In addition to his internal audit leadership role, Schwartz served as a member of the Americas Advisory leadership team and Americas Risk leadership team.
Schwartz responded to a series of written questions about risk and the growing role of risk management in both the public and private sectors.
Risks are continuing to grow in the 21st century. Where do you see those growing risks coming from? First for the corporate world and then for society in general?
At PwC, we see risks arising from the ever-changing environment that organizations must continue to operate in. This dynamic environment brings with it the many business risks that organizations have to deal with through formal risk management activities and broader governance frameworks. Specifically, these risks result from shifts in technology, increase in strategic transactions, movement into emerging markets, continued regulatory scrutiny, major business transformation, increase in strategic vendors, etc. It is more critical than ever before to have formality, structure and measurement around your risk management framework, and how this framework is fully integrated with your broader governance and compliance efforts. In the end, a fully integrated GRC strategy will fuel your performance.
Risk perception is a big issue. What have you found to be the best ways to educate senior leaders on risk in order to have them pay appropriate attention to managing risk?
Senior leaders and board members want to do the right things as they are passionate about the organizations they serve and the stakeholders they represent. There are several methods to raise the risk awareness of these key stakeholders. For example, some organizations build risk management into the scorecard used for annual performance reviews and compensation decisions. This way, the expectation is set on just how critical risk management is as part of the role of an executive. As another example, some organizations set the tone that every key business meeting will have a portion dedicated to relevant risk discussions so it truly becomes pervasive in the day-to-day operations. As a final example, some organizations set the tone at the very top for risk management. The board expects leadership to present key business risks at each meeting and how the organization assesses and prioritizes such risks and the existing mitigating activities around the risks. An organization that embeds risk management into operations will have a competitive advantage over those that make risk management a strictly compliance-oriented topic.
In terms of innovation risk, is it the risk of falling behind in the race to innovate, or is it that an organization can cross the line from cutting-edge innovation to bleeding edge — wasting resources and taking the wrong path?
I think the biggest risk related to innovation is a hybrid of both falling behind in the market and pushing it too far, too soon. An organization that decides to get out ahead in the market and innovate a product or service brings the type of focus that has helped build such a great business economy in the United States. With that said, sometimes this same innovation can flip on an organization and bring it to its knees. We have all seen this in different industries over the years. However, we have also seen organizations that have been left in the dust by their competition because they were too risk averse to push innovation. The key is to have in place formal risk management and risk monitoring activities to protect the downside and help propel the upside of business risk. This balance allows an organization to move at the pace it needs to move. In other words, an embedded risk management and governance framework can help an organization move at a higher speed when it comes to making strategic decisions. Innovation is one of these strategic decisions.
With more company specialization there is a higher degree of outsourcing and use of third-party vendors that provide specialized products or services. What risks come from engaging with external companies?
Leveraging third parties for outsourcing or co-sourcing activities is something many organizations continue to pursue. This often allows organizations to focus their internal resources on core activities, while non-core activities can be focused on by vendors that specialize in the respective area or function. The reliance on third parties does present risks the organization must manage and monitor and one such risk is an over-reliance on the vendor. Management must maintain ultimate control of the activity that is outsourced. While the organization has outsourced the physical activity, it has not outsourced the ultimate responsibility. Another risk to keep control of is the health of the vendor performing the work. Organizations should contractually have the ability to "audit" the vendor to monitor the stability of the vendor given the importance it has to the organization. Leveraging third parties for important, but non-core activities can be the right strategic decision when it comes to cost control and quality control; however, monitoring the vendor must be a key part of the process.
How often should organizations evaluate their risk profile? What should an organization be doing concerning low-frequency to high-impact risks?
An organization should institute a continuous risk assessment mentality. There are not many static organizations left, as change is almost a daily occurrence in most companies. Therefore, the risk profile is dynamic as well. The annual risk assessment process should be a thing of the past. Many organizations engage in a quarterly assessment to challenge their risk profile, and there are others who have a real-time risk assessment update that is driven by data analytics and other continuous monitoring techniques, such as continuous controls monitoring. In addition to the continuous assessment process, PwC encourages organizations to understand the triggering events that drive their need to reassess their key business risks and the overall risk profile. Examples of triggering events could include: strategic transactions, newly implemented systems, change in strategic priorities, new leadership, new products or services, etc.
The risks that are prioritized as high impact but low likelihood should be monitored in a formal way. One example of these types of risks would be a black swan event, which PwC has seen hit several times over the past decade. Therefore, monitoring these types of risks should be formal and accountable. One strategy for these types of risks is to build them into scenario analysis where an organization can use "what if" planning to determine the potential inherent impact and measure the velocity of the risk coming to fruition.
In the emergency management world, there is a desire for closer public-private partnerships. What would you recommend to the public sector as the best approach to having a meaningful engagement with the private sector? What do companies want that government can provide?
In an environment where regulatory scrutiny is only increasing across many sectors, public-private connections are more important than ever. In our business, we sponsor and drive many networking and round table events. The ones where there is a mix of public and private representatives are the ones that tend to have the healthiest discussions and debates. I do believe that each stakeholder group can learn from the other.
Looking in your crystal ball, where do you think future risks will be coming from that perhaps are not on people’s radar today?
This is a difficult question to address. Just when I think I understand the risks coming over the horizon, I get surprised just like everyone else. I do see an uptick in strategic transactions and a continued movement to developing countries. These types of trends will continue to bring emerging risks to the forefront of executives and boards. The specific types of risks will differ by sector. Regardless of the types of emerging risks that are poised to present organizations with challenges, the key is to be prepared. PwC recently surveyed 800 executives and risk managers and found that as organizations continue to transform their businesses, they will face growing external market risks. As a result, organizations are rethinking their risk strategies and how they approach risk management as a whole. Some helpful strategies that are documented in our survey include: building risk resiliency into the organization, adjusting performance incentives, building digital risk into the risk agenda, minimizing business transformation risks and taking full advantage of next-generation risk analysis.
In the end, it is crucial for organizations of all shapes and sizes to spend adequate time and resources on their governance structure, risk management activities and compliance efforts. Those organizations that do this in a formal and meaningful way will not only protect their downside but help propel their opportunities. Integrated governance, risk and compliance should be a strategic priority for all organizations. Done appropriately, this integrated framework will fuel performance.