GRC Roundup – June 2022 | What’s New in Governance, Risk, and Compliance?
GRC | 6 Min Read | 01 July 22 | by Shampa Mani
As we enter the second half of 2022, businesses around the world are bracing themselves for a potential economic downturn. The US Federal Reserve announced its biggest interest rate hike in nearly 30 years in a bid to control inflation, and in Europe, many central banks are following suit. Companies and startups are resorting to substantial measures, including workforce reductions. Furthermore, the ongoing geopolitical crisis and supply chain woes are adding to the challenges faced by businesses worldwide. At the same time, regulators continue to increase their focus on areas such as data, privacy, compliance, operational resilience, and business continuity.
Against this backdrop, here’s a quick recap of the latest happenings in the governance, risk, and compliance (GRC) universe in June.
In the World of Risk, Regulation, and Resilience
The chairman of the U.S. Senate Banking Committee called upon a leading financial services company to address the weaknesses in its "governance, risk management, and hiring practices."
Regulatory Focus: Operational resilience continues to be a top priority for financial regulatory authorities around the world.
- UK-based financial firms have been given three years to strengthen their operational resilience. In a speech, Duncan Mackinnon, Executive Director for Supervisory Risk Specialists at the Bank of England (BoE), provided guidance to firms on meeting operational resilience requirements, including implementing an operational resilience policy, scenario testing, building resilience, and embedding operational resilience in the way firms do business.
- HM Treasury announced its plans to mitigate the risks from ‘critical third parties’ to the UK finance sector.
- The Monetary Authority of Singapore (MAS) revised business continuity management guidelines for financial institutions.
- The Hong Kong Monetary Authority published a supervisory policy manual on operational resilience. The Hong Kong Institute for Monetary and Financial Research (HKIMR) released a new Applied Research report, titled “COVID-19 and the Operational Resilience of Hong Kong’s Financial Services Industry: Preliminary considerations from the 2020-2021 experience”.
The State of Risk Management: Industry visionaries and thought leaders published survey reports, providing insights into the current risk landscape and the state of risk management at organizations:
- In its Semiannual Risk Perspective for Spring 2022, the US Office of the Comptroller of the Currency (OCC) highlighted operational, compliance, interest rate, and credit risks among the key risks faced by the federal banking system.
- The Federation of European Risk Management Associations (FERMA) published its European risk manager survey 2022. It said that the top business threats this year, including cyber threats, supply chain disruption and failure, geopolitical uncertainties, and uncertain economic growth, are linked to or amplified by the COVID-19 pandemic and the ongoing geopolitical crisis.
- In PwC’s 2022 Global Risk Survey, 79% of respondents said that keeping up with the pace of digital and other transformations is a major risk management challenge and 65% of respondents admitted to increasing their overall spending on risk management technology.
- Gartner found that the rate of compliance reporting has dropped by 30% compared to pre-pandemic levels. It said that employees are now less likely to observe misconduct and also less likely to report it even when they do observe it.
In the Cyberverse
Cybersecurity firm Proofpoint thwarted a phishing attack trying to exploit the “Follina” vulnerability. In a blog post, Qualys explains the vulnerability in detail.
“The Follina vulnerability’s footprint is significant as it affects ALL Microsoft Office versions – 2013 and above – on ALL currently supported Microsoft Windows operating systems – even the latest: Windows Server 2022!” Qualys noted.
With the escalating number of cyber attacks on organizations, including state-sponsored attacks, the US Cybersecurity & Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory with the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI). The advisory details how People’s Republic of China (PRC) state-sponsored cyber actors are exploiting publicly known vulnerabilities to establish a broad network of compromised infrastructure. CISA also added 36 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
Gartner listed 8 cybersecurity predictions for 2022-23. The IT research firm believes that 60% of organizations will use cybersecurity risk as a primary determinant when engaging with third parties by 2025.
A new survey from Cloud Security Alliance (CSA) and Google found that cloud adoption improves enterprise risk management and mitigation processes. The CSA said that evaluating cloud and business risk together improves the understanding of IT's impact on an organization’s overall risk maturity, including adopting a shared fate partnership between cloud service providers and customers.
Regulatory Focus: June saw heightened cyber and data-related regulatory activity around the globe:
- The National Institute of Standards and Technology (NIST) is consulting on a new guidance document ‘Using Business Impact Analysis to Inform Risk Prioritization and Response’.
- The California Privacy Protection Agency (CPPA) published the first draft of the California Privacy Rights Act draft regulations.
- The UK announced its Data Reform Bill, which will “remove the UK GDPR’s prescriptive requirements giving organizations little flexibility about how they manage data risks.” The proposal is expected to deliver around £1 billion in business savings.
- Australian Securities & Investments Commission (ASIC) executive director for markets Greg Yanco called upon listed entities to boost cyber resilience measures.
- The Central Bank of Malaysia published its proposed guidance on assessing key risks and considerations of control measures when financial institutions adopt cloud services.
- In Thailand, the Personal Data Protection Act (PDPA) came into force on June 1, 2022.
In the Era of ESG
FM Global released the online 2022 FM Global Resilience Index, which now includes 15 economic, risk quality, and supply chain measures that offer executives insights into the vulnerabilities of a country’s business environment and, conversely, its resilience.
There’s a growing call for tying leadership compensation to ESG metrics. Sustainalytics said, “Now that companies are integrating material ESG issues into their strategies, it is the logical next step to incentivize executives to improve performance on these issues in a measurable way.”
In a new study, Moody’s Analytics found that organizations that develop more responsible ESG practices and focus on mitigating ESG risks generate better shareholder returns.
In its tenth SONAR report, Swiss Re explored a new generation of emerging risks resulting from climate change, particularly the thawing of permafrost.
Regulatory Focus: Environmental, social, and governance (ESG) aspects continue to make waves in the regulatory landscape.
- The Basel Committee on Banking Supervision issued principles for the effective management and supervision of climate-related financial risks.
- The US Commodity Futures Trading Commission (CFTC) is seeking public comment on climate-related financial risk to better understand its relevance to the derivatives markets and underlying commodities markets.
- The European Council and Parliament reached a provisional political agreement on the corporate sustainability reporting directive (CSRD).
- In Canada, the Office of the Superintendent of Financial Institutions (OSFI) released guidance on climate risk management.
- The Monetary Authority of Singapore (MAS) published information papers on environmental risk management for banks, insurers, and asset managers.
From the MetricStream Corner
Speaking at a recently held MetricStream webinar, “Utility Data Management and ESG Reporting – The ‘Elephant in the Room’,” Anand Hanchinamani, Senior Director, Audit Product Management, MetricStream, said, “Climate risk is a global problem with a local impact. It can lead to probably hotter working conditions in India or increased tidal flooding in Florida or coastal regions. But, [climate risk] is systemic – one particular problem can lead to a series of supply chain issues or [result in] add-on impacts around the world on different kinds of operations. So, that is why board of directors, investors, customers, and regulators demand accuracy with reporting and responses on ESG-specific issues.”
MetricStream attended the recent Gartner Security and Risk Management Conference and the Marcus Evans 13th Edition Third Party Risk Management for Financial Institutions Conference. Key themes at both events included the importance of automation, interconnected risk management, and risk quantification.
MetricStream at Gartner Security and Risk Management Conference (L); MetricStream at Marcus Evans' 13th Edition Third Party Risk Management for Financial Institutions Conference (R)