Hong Kong, 8 Sep 2017 - Recent cases of personal data leakage, deals falling through and food safety scandals all illustrate the need for companies to systematically assess weak spots and other sources of risk and then determine the best way to keep those risks at manageable levels. In recent years that has meant greater reliance on dedicated risk and compliance units. But PwC’s 6th annual Risk in Review report [‘the report’] shows that, for more and more companies, their front-line business units (such as sales teams) also have a role to play.
“Data analytics and other tools mean that front-line people and processes, as well as corporate culture, can be more effectively used to manage risk, rather than primarily relying on specialist back-office functions,” says Jim Woods, Global Risk Assurance leader for PwC. “Companies that can also make use of this first line of defence tend to have a much stronger risk culture and are more confident about their future financial performance. The aim is not to avoid risk, but to manage it.”
Risk management professionals talk about four lines of defence:
1st: Culture, people, processes, systems and controls;
2nd: Board level oversight, along with dedicated risk management and compliance functions;
3rd: The internal audit function;
4th: External assurance through third-party providers and regulatory oversight.
PwC’s report reveals that 56% of Asia-Pacific companies plan to increase risk management activities in the first line of defence over the next three years, compared to 46% globally.
“In a fast-changing business environment with heightened regulatory requirements, there will be an increasing burden on the second line of defence – such as risk management and compliance teams. This makes it more difficult for them to stay on top of the changing risk and governance landscape,” says Cimi Leung, Risk Assurance Markets leader for PwC China and Hong Kong. “New technology and approaches, such as data analytics tools, have had a strong enabling effect on first line business units – particularly for larger firms. A sales team, for example, can be better equipped with robust business insights to make risk-informed decisions.”
But, while leveraging technology can be critical to managing risk, only 39% of Chief Risk Officers (CROs) in Asia-Pacific feel their company encourages a data-driven culture for decision making. This compares to 51% globally. So there is still an opportunity for business units in the region to more fully embrace the power of digital.
Asia-Pacific firms also score less well when it comes to educating their people and fostering a strong risk culture. A significant 37% report that their employees receive no mandatory training in compliance and ethics, versus only 28% globally. Instead, they depend on their audit committees, which may not have the full range of risk management skills and tend to prioritise financial accounting and internal and external audit issues.
As elsewhere, Asian firms struggle with the challenges of cyber-security and data privacy. To address this, 58% of Asia-Pacific CROs have made working with CIOs, CTOs and business heads to tackle cyber-security a top priority. This compares with 48% globally.
“Recent updates to the Corporate Governance code of the Hong Kong Listing Rules will encourage Hong Kong companies to improve their 2nd line of defence,” says Mr Woods. “Apart from lacking a dedicated risk committee, many do not have a formal Enterprise Risk Management framework. Above all, too many see risk management as being a series of negative challenges rather than as a source of potential competitive advantage. The better equipped you are, the more risk you can handle relative to your competitors.”