Companies Not Prepared For Cyber Attacks - PwC Data

Robbie Lawther

21 April 2017

Despite identifying cyber security as a "universal growing risk", only nine per cent of respondents scored highly for being well prepared to cope with the threat, which suggests many companies have not adopted leading practices to prepare for online threats, according to a survey carried out by PricewaterhouseCoopers.

PwC questioned more than 1,500 executives across 30 industries in more than 80 countries, but only 13 per cent of the companies questioned qualified as "front liners": firms giving the risk a high priority among their most senior executives and business processes. The term applies to firms that "make risk management a mandate for the board, the C-suite and perhaps most importantly, among crucial business unit decision makers".

The report found that front liners are more likely than other respondents to manage risk effectively across all 12 surveyed risk areas: financial, regulatory and compliance, earnings and volatility, operational, reputational, strategic, environmental, cybersecurity, technology, human capital, third-party, and culture and incentives.

The new study from PwC, titled Risk in review: Managing risk from the front line, also found that 59 per cent of companies that manage risk from the front line expected increased profit margin growth, compared with 51 per cent of firms that do not. Over three-quarters of companies that manage risk from the front line expect increased revenue growth over the next two years, six per cent more than firms that do not.

One example of the difference in risk management was found among companies that have suffered a disruption due to operational risk: 63 per cent of front liners reported recovering effectively, compared with 46 per cent of other respondents.

The report also covered five key ‘front line’ steps that companies should adopt:

1. Set a strong organizational tone focused on risk culture modeled and measured by leadership and the board;

2. Align risk management with strategy at the point of decision-making so risk management is embedded into planning and tactical execution;

3. Recalibrate the risk management program across all three lines of defense so that the first line owns business risk decision making, the second line monitors the first, and the third line provides objective oversight;

4. Implement a clearly defined risk appetite and framework across the organization; and

5. Develop risk reporting. Tracking risk is critical to keeping business decisions within the agreed risk appetite.

“This year’s survey tells us that leaders must make risk management a more collaborative, measurable and strategic function,” said Dean Simone, leader of PwC’s US risk assurance practice. “We also see great alignment on the biggest growing risk factors, such as cyber security, but a lack of maturity in terms of preparing for and planning around the biggest risks facing executives today.”