Managing risk in the age of innovation

Jun 01, 2018
How, in this age of innovation, can leaders manage risk while enabling growth?

As technological innovation continues to revolutionise the business landscape, organisations and their leaders are also grappling with new-found risks and uncharted challenges. PwC’s 2018 Risk in Review Study: Managing Risks and Growth in the Age of Innovation shows how a distinct set of risk management practices can arm organisations to capture value from their innovation efforts and better manage related risks for further growth.

Organisations, and their leaders in particular, must understand that risk management and innovation go hand-in-hand. Innovation brings great opportunity. A keen awareness of the necessary actions to address both known and unanticipated risks that accompany innovation can equip risk executives to succeed in this fast-changing environment. Risk executives should be engaged throughout the innovation life-cycle to effectively identify, assess and manage innovation risk.

Key drivers

In an era of digital business and rapid technology change, virtually no company can ignore the imperative to innovate. Failing to do so is an invitation to lose business. The study identified a number of key drivers:
  • New technology, including big data and the cloud;
  • Human capability skillsets to support new technology;
  • Market growth requirements;
  • Cybersecurity and privacy threats;
  • Industry peers; and
  • Increased regulation.

Strategy and risk management

As organisations across all sectors increasingly face pressure to innovate, risk executives need to help their organisations strike the right risk/reward balance. After all, organisations that effectively manage innovation risk are more effective innovators. With innovation now forming part of organisations’ strategic direction, it becomes clear that innovation must be managed just as effectively as the strategy itself, as errors could have lasting strategic impacts.

“Strategy” refers to an organisation’s plan to achieve its mission, vision and to apply its core values. A well-designed strategy drives the efficient allocation of resources and effective decision-making. It also provides a roadmap for establishing business objectives throughout the organisation.

Risk management does not create the entity’s strategy, but it does influence its development. An organisation that integrates risk management practices into setting strategy provides management with the risk information it needs to consider alternative strategies and, ultimately, to adopt a chosen strategy. Therefore, the same principles should be applied to innovation and the risks surrounding it given its inherent correlation to strategy.

Enterprise risk management

COSO’s Enterprise Risk Management Framework – Integrating Strategy and Performance 2017 defines enterprise risk management as “the culture, capabilities and practices, integrated with strategy-setting and performance, that organisations rely on to manage risk in creating, preserving and realising value”. It emphasises its focus on managing risk through:

  • Recognising culture;
  • Developing capabilities;
  • Applying practices;
  • Integrating with strategy-setting and performance;
  • Managing risk to strategy and business objectives; and
  • Linking to value.
To keep pace with innovation and risks changing at breakneck speed, organisations need to harness a range of methods that will continue to grow and evolve along with these forces. Enterprise risk management is not static, nor is it an adjunct to a business. Rather, it is continually applied to the entire scope of activities as well as special projects and initiatives (such as innovation activities). It is a part of management decisions at all levels of the entity.

Key attributes of effective risk management programmes

When organisations respond well to the range of innovation risks, it naturally follows that their innovations are more successful. There are some key attributes of effective risk management programmes which achieve this:
  1. Confidence in the risk management programme’s ability to effectively manage risks from innovative practices such as artificial intelligence, augmented reality, big data, the internet of things and robotic process automation;
  2. The risk management programme influences decision-making and the shaping of innovation strategy. Exerting influence over decisions about innovation positions risk executives to help their organisations understand – and therefore better manage – innovation-related risk;
  3. The risk management programme engages early and often across the innovation cycle. Risk plays a more active role across the innovation cycle. Risk advises on innovative activities before the planning stage, and they’re much more likely to halt initiatives based on risk assessments and suggest risk-based alternatives;
  4. Drive risk tone and culture from the top, and broadcast appetite and tolerance messages about innovation and risk across the organisation. Tie effective management of innovation risk to strategic planning and performance management to align behaviours which can be measured and monitored;
  5. The risk appetite and tolerances are adjusted with frequency. The overall risk appetite may need to shift over time due to market direction or competitive dynamics. As the organisation periodically adjusts its risk appetite and tolerances, all lines of defence are informed of such changes so that business decisions, controls testing, risk monitoring and risk reporting work in a synchronised and risk-aligned manner;
  6. Harnessing of new risk skills, competencies and tools to support innovation. Adapt risk capabilities to influence and enable the organisation’s innovation strategies, expand continuous risk assessment, and use new technology for more real-time information. Successful firms add knowledgeable, curious, action-oriented and tech-savvy recruits to keep pace with risks from technology-driven innovation. Their current workforces also continuously up-skill in new methods, metrics, tools, and technologies to make critical, in-the-moment risk/reward decisions; and
  7. The risk management programme uses a wider variety of metrics to monitor and assess effectiveness of risk management in multiple ways and by multiple parties, including external parties. Examining effectiveness through multiple metrics helps risk executives shore up areas where they fall short or are vulnerable, so that the C-suite and the board can rapidly make decisions about strategic initiatives while the business steps in to address any risk profile misalignments against risk appetite.


To spot risk and react at the right time in the right manner, ensuring that important messages cascade across and into the crevasses of an organisation, is critical. With innovation risks occurring at break-neck speed, there are undoubtedly various obstacles to overcome before effective risk management can be embedded. Some key obstacles include:
  • Organisational culture that inhibits change and fails to foster idea creation in a controlled and welcomed manner;
  • Lack of knowledge of innovation-related opportunities and risks;
  • Lack of leadership buy-in; and
  • Weak collaboration between the risk programme and the business.

Fuelling innovative growth 

Organisations must view innovation and risk as a double-edged sword, clearing the way for greater opportunity and increased revenue growth, with eyes wide open about all-but-certain and unimaginable risk. To allow for more innovation and to deflect or limit risks from new initiatives as they arise, risk executives must be engaged and influential over the entire innovation life-cycle – from high-level strategising to brainstorming, quantifying, executing, continuously taking decisions and actions about risk appetite and performance tracking. To play this important role, risk management programmes must be equipped to effectively identify, assess, and manage innovation risk. Applying rigour, using multiple approaches, pushing the organisation to periodically adjust risk appetite, adding sophisticated skills and tools, and comprehensively monitoring how successfully the programme is tackling innovation-related risk helps risk executives meet their organisation’s strategic objectives.

As digital technology accelerates the pace of change, effectively managing innovation-related risk becomes crucial. When organisations effectively manage innovation-related risk, the likelihood that they will be successful innovators rises. That simple premise alone is a call to action for risk management programmes. Failure to do so all but guarantees under-performance.

Jason McGee is a Senior Manager in Risk and Assurance at PwC.