Gorgeous spring weather finally arrived in Boston this weekend, so like any sensible compliance enthusiast I spent that time indoors reading the 2021 PwC Global CEO Survey. We have some findings about digital transformation of business processes and risk management to discuss.
For those unfamiliar with the PwC Global CEO survey, it’s an annual report that arrives in the first quarter of every year; and is always worth reading so you know what’s on the mind of the boss. This year’s survey polled more than 5,000 CEOs around the world, asking their thoughts on economic growth, advances in technology, government regulation, business risks, and so forth.
Two trends in the data seem particularly relevant for compliance and risk professionals.
First, the survey asked CEOs to rate the top threats they see to business growth in the coming year. To no surprise, the pandemic took the top spot for 2021, when public health wasn’t even among the top 20 last year.
All the other threats that CEOs identified for 2021 were the same issues they cited in 2020 and years prior. The risks were in somewhat different order from 2020, but in one form or another, all the usual suspects were still present.
So what’s the news? That more CEOs were citing each risk. That is, the risks to business growth aren’t changing all that much, other than the pandemic — but the business landscape itself is becoming more risky.
Look at Figure 1, below, to see what I mean. Over-regulation was the top threat in 2020, cited by 36 percent of CEOs. For 2021 over-regulation dropped to third place — but it’s cited by 42 perent of CEOs. Policy uncertainty was cited by 33 percent last year, and 38 percent this year. Cyber threats rose from 33 percent to 47 percent.
Climate change is a good example of the dynamic here. The number of CEOs citing climate change as a risk rose from 24 percent to 30 percent. That’s a big increase in the number of chief executives suddenly realizing, “Yikes, climate change might affect our business operations.”
The question for compliance, internal audit, and risk officers, therefore, is how you can build a robust risk assurance program — one that can keep pace with the business landscape, where so many issues are becoming more pressing, to the point the CEO and the board are starting to say, “Yep, this issue could affect our business strategy. Can we get a report on how severe this threat is to us, and what we’re doing to prevent it?”
We can get into how you’d build that versatile program, and what capabilities said versatility would entail, another day. For now, the big point is that CEOs see their organizations surrounded by risk, and those risks are getting more turbulent.
CEOs on Digital Transformation
The PwC survey also asked CEOs how they plan to change their corporate investments over the next three to five years, as a result of the pandemic.
Topping the list (by far and away) were investments to accelerate digital transformation. Close behind were investments to manage costs and investments to improve cybersecurity. See Figure 2, below.
It’s no surprise that businesses are rushing headlong into digital transformation. My question is how that rush will affect your compliance obligations, or just the effectiveness of your compliance program generally.
As one CEO quoted in the PwC said, prior to the pandemic, most firms wanted to plan their digital transformation thoughtfully before proceeding. That approach went out the window by March 2020, when firms needed to transform their processes immediately — like, within weeks, if not days.
Now, that same CEO says, “It’s a matter of getting it out there and refining it as we go.”
That statement does have a certain logic from the CEO’s perspective. It still should still give compliance, audit, and risk professionals heartburn, because consider what’s really afoot here: technology potential in the First Line of Defense is racing ahead of the Second Line of Defense’s ability to govern the implications thereof.
Take the example of customer onboarding. In financial services, many firms still had lots of paper-based onboarding processes in 2020. Then the pandemic struck, and everyone was suddenly transforming those processes on the fly.
Now come the implications. Once you digitally transform customer onboarding, your sales teams can reach new customer bases: anyone with a web browser and money to invest. As the customer base expands, however, that can expose the company to new data privacy obligations.
So how do you, the compliance or privacy team, build a more versatile program — one that can keep pace with that digitally transformed process? How do you manage any adjustments to policies, procedures, and controls that might be necessary, when digital transformation of onboarding has also accelerated the pace of new privacy obligations pummeling your business?
Customer onboarding and privacy compliance are only one example of this dynamic. We could just as easily spin up similar examples for accounting processes, or procurement, or HR supervision, or lord knows what else. The rush to digitally transform operating processes is leaving our compliance processes wheezing to catch up.
In theory, compliance and risk functions could embrace their own digital transformations, and I know that’s happening in fits and starts. Let’s just hope that the second priority in Figure 2, above — cost containment — doesn’t leave your compliance function stuck on the side of the road.