FEI Daily spoke with Jason Pett, Risk Assurance leader, PwC US, about how digitally fit risk functions can position their organizations to make smarter risk decisions as they move through digital transformation.
FEI Daily: What is a digitally fit risk professional?
Jason Pett: They have two overarching characteristics. One is they are thinking very proactively about ways to make the function itself more digitally fit. How do we use technology to do our work differently? How do we use data to identify risks on a proactive basis, or a predicted basis, rather than a reactive basis?
A digitally fit risk function is looking at ways, not just to use automation and technology and data to make changes on the fringes of how they’re doing their work, but they're really thinking ‘Why would I go do a set of interviews to identify risks when I can build a data lake and have 100% of the data available to the company to have my own opinion before I go validate that with humans?’ That's a totally different mindset: thinking about how they are operating their function more digitally, and that means both technology enabled, and data enabled.
And the second piece, and this is the piece I don't think a lot of functions are thinking proactively about: How do I, as a risk function, tap into the digital strategy of the company and help the company accelerate and be more effective in their digital journey.
If I'm coming at this with a really advanced digital mindset I can actually help the company figure out how to move faster. I can help them think about the risks might we face if we go down this avenue. If we want to automate our fleet of trucks to become cumulous, automated vehicles, that's a great strategy. Now why not, from a risk function, think about how you could execute that with thinking about the risks now, so we can mitigate them so that you don't run into the roadblocks and bumps in the road where you have to pivot. That piece is really important, especially as fast as companies are moving now down the digital front, and AI is going to make that go even faster. I think that second piece is super important.
FEI Daily: The 2019 Risk in Review Study describes three stages of digital maturity: Dynamics, Actives and Beginners. Can you walk me through each?
Pett: The Dynamics are asking, ‘How can we reinvent the way that we do our work?’ They're developing an actual roadmap and vision of where they want to go, and how they're going to get there. ‘I'm going to project manage it, just like I would project manage an ERP implementation. I want to train my people up over time, I want to start to use data, I want to build data lakes.’ And then they're able to take those new skills and mindset, and turn them loose on the organization itself.
The Actives are just in the next quartile down. It's important to them, they're engaged in it, they're strategizing, they just might not have a road map in place. Or they might have a plan to rework what they're doing, but they haven't bought any of the tools yet to enable it. Or they want to have integrated risks, but they don't have the GRC tools, so they really have no way to do it.
And then the Beginners, they know this is really important, and then they stop there. ‘Everybody says it's important but we haven't really begun to move yet, and we don't have a real plan of how we're going to do it.’
FEI Daily: How can organizations better understand and measure their digital fitness?
Pett: PwC recommends that risk functions outline a roadmap that answers the following questions: what do we want our function to look like, how do we get there, and how will we measure that we got there? Across the board, we found that Dynamics are building and executing against a digital roadmap. For instance, 73 percent of Dynamics are managing against an aspirational digital operating model and 75 percent have set desired outcomes for the function's digital investments.
It's imperative to be working towards a goal in order to determine your measures of success. The goal could be something along the lines of wanting half of all business decisions to be grounded in and driven by data. The key here is to very tactical and specific in your roadmap.
These same principles can apply to an organization at large, not just a risk function. For instance, here at PwC, we created various initiatives as part of our Digital Workforce Transformation approach to prepare people for the future, including our own employees. Just a few of these initiatives include a Digital Fitness app, which offers a rapid personal and organization level assessment resulting in a digital fitness score, a "Digital Accelerator" program where we offer an opportunity to do a career pivot through digital upskilling and applying those skills in our organization, and four interactive online training classes on certain emerging technologies. We have set a roadmap for ourselves and continue to measure our success against this roadmap with tangible, measurable goals.
FEI Daily: How can the CFO best support the risk function?
Pett: As you are defining your digital journey as an organization, insist that your risk function come along with you. If you insist that they come along with you, they have to get more digitally capable, otherwise they'll be irrelevant. They'll be sitting in the room, wide eyed wit no idea what you're talking about. So number one is insist.
Number two is support. You'll very often find that finance will say ‘Yes, we really want the risk function to become more digitally equipped, or technology-enabled, but we just cut your budget by 37%, so good luck with that.’ If you, as an organization say, for instance, ‘We want common definition of risk across the organization, while there's virtually no way to do that without a GRC tool, you have to support the fact that you're going to need to invest a little bit in the risk function and it's capabilities. And by risk, I mean broadly, not just the CRO function, but internal audit, compliance, and risk. If those functions are operating at a high level, they're going to make the organization move faster along this digital journey and you're going to get payback, maybe not directly attributable, by having a risk function that is enabling the organization, not holding it back.
Then the last piece is empower. The heads of risk, compliance, or internal audit have to be people that you trust to really add value to the organization, and then you empower them to use their capabilities to bring value back to the organization. If you stick them in a box, or throw them in a corner, they’re not going to be able add any value to your organization. Whereas, if you go out and you hire a really talented person, someone who might be a future CFO of the organization and empower that person to be successful, support them in terms of the capabilities and resources they need, and then insist they are in the room, you're going to have what you need.