How Leaders Are Addressing Innovation Risk: A Q&A With PwC’s Brian Schwartz

Adapters — those with programs that tackle innovation-related risks somewhat or very effectively — practice five actions that set them apart. And their programs exert much more influence over decisions about innovation.


Last month, PwC released its annual Risk in Review report, which analyzes risk management perspectives from over 1,500 senior risk executives ranging from chief risk officers to audit/risk committee members, to CEOs. FEI Daily spoke with Brian Schwartz, Internal Audit, Compliance and Risk Management Solutions leader for Financial Services, PwC U.S. about how to be an Adapter and why cyber and talent risks are much more likely to arise over periods of high growth.

FEI Daily: How can risk executives be sure they're involved throughout the innovation lifecycle to manage risk?

Brian Schwartz: First, risk executives need to influence important innovation-related decisions, with risk a key consideration. This discussion with senior business leaders should precede product, process or service development conversations. 

Secondly, C-Suite and other top leaders need to broadcast the importance of integrating risk management into strategic initiatives across the organization, particularly to mid-level and overseas managers where risk oversight often collapses. Tying their performance metrics to addressing risk in local and new initiatives will motivate managers to proactively consider and tackle risks. 

Lastly, structures and processes like sandboxes and innovation committees with business, innovation, risk and top leaders will push these groups to proactively identify, anticipate, and tackle risk from the ideation to rollout. 

FEI Daily: What are the signs that you fall in the “non-adapter” category and what can you do to move towards becoming an adapter?

Schwartz: Organizations that rarely or never exhibit the attributes or actions of the Adapters are more likely to be non-adapters. 

When it comes to attributes, Adapters most often call their organizations innovative and report that their program influences decision-making about innovation. They say their programs contribute significant value to their organization and express confidence in their program’s ability to effectively manage risks associated with new high-impact technologies like AI, big data, blockchain and IoT 

In terms of actions, Adapters more often are involved across the innovation cycle. They use multiple strategies to manage their exposure to innovation-related risk and adjust risk appetite and tolerances with frequency. Often, they add new skills, technologies, and capabilities as they lean into innovation and also use a broader set of mechanisms and metrics to monitor and measure their risk management programs’ effectiveness, to adjust for vulnerabilities as needed.

FEI Daily: Any thought on the cyber and talent risks associated with innovation and periods of growth?

Schwartz: As some recent highly publicized data privacy and driverless car cases show, both cyber and talent risks are much more likely to arise over periods of high growth.  To meet aggressive growth targets many organizations are racing to keep pace with organizations that are on the cusp of monetizing or commercializing innovation. But in many instances neither regulations nor compliance provide guidance, and public sentiment to the unintended consequences of innovation bring unanticipated risk with potentially powerful impact.  

Without the conversations and structures mentioned earlier, organizations may be blindsided by these risks, and lack crisis management plans on how to respond.  A critical piece of that puzzle is a diverse skills, experience and knowledge base for informed decisions and actions at the right time. 

For example, when an organization implements new technologies such as robotics process automation, the second line (risk and compliance functions) and the third line (internal audit) need to have the skills and knowledge to assess these new technologies.  Bots, for instance, need to be assessed by a team or individual which understands bots.