As we enter the second half of 2022, businesses around the world are bracing themselves for a potential economic downturn. The US Federal Reserve announced its biggest interest rate hike in nearly 30 years in a bid to control inflation, and in Europe, many central banks are following suit. Companies and startups are resorting to substantial measures, including workforce reductions. Furthermore, the ongoing geopolitical crisis and supply chain woes are adding to the challenges faced by businesses worldwide. At the same time, regulators continue to increase their focus on areas such as data, privacy, compliance, operational resilience, and business continuity.
Against this backdrop, here’s a quick recap of the latest happenings in the governance, risk, and compliance (GRC) universe in June.
The chairman of the U.S. Senate Banking Committee called upon a leading financial services company to address the weaknesses in its "governance, risk management, and hiring practices."
Regulatory Focus: Operational resilience continues to be a top priority for financial regulatory authorities around the world.
The State of Risk Management: Industry visionaries and thought leaders published survey reports, providing insights into the current risk landscape and the state of risk management at organizations:
“The Follina vulnerability’s footprint is significant as it affects ALL Microsoft Office versions – 2013 and above – on ALL currently supported Microsoft Windows operating systems – even the latest: Windows Server 2022!” Qualys noted.
With the escalating number of cyber attacks on organizations, including state-sponsored attacks, the US Cybersecurity & Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory with the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI). The advisory details how People’s Republic of China (PRC) state-sponsored cyber actors are exploiting publicly known vulnerabilities to establish a broad network of compromised infrastructure. CISA also added 36 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
Gartner listed 8 cybersecurity predictions for 2022-23. The IT research firm believes that 60% of organizations will use cybersecurity risk as a primary determinant when engaging with third parties by 2025.
A new survey from Cloud Security Alliance (CSA) and Google found that cloud adoption improves enterprise risk management and mitigation processes. The CSA said that evaluating cloud and business risk together improves the understanding of IT's impact on an organization’s overall risk maturity, including adopting a shared fate partnership between cloud service providers and customers.
Regulatory Focus: June saw heightened cyber and data-related regulatory activity around the globe:
FM Global released the online 2022 FM Global Resilience Index, which now includes 15 economic, risk quality, and supply chain measures that offer executives insights into the vulnerabilities of a country’s business environment and, conversely, its resilience.
There’s a growing call for tying leadership compensation to ESG metrics. Sustainalytics said, “Now that companies are integrating material ESG issues into their strategies, it is the logical next step to incentivize executives to improve performance on these issues in a measurable way.”
In a new study, Moody’s Analytics found that organizations that develop more responsible ESG practices and focus on mitigating ESG risks experience generate better shareholder returns.
In its tenth SONAR report, Swiss Re explored a new generation of emerging risks resulting from climate change, particularly the thawing of permafrost.
Regulatory Focus: Environmental, social, and governance (ESG) aspects continue to make waves in the regulatory landscape.
Speaking at a recently held MetricStream webinar, “Utility Data Management and ESG Reporting – The ‘Elephant in the Room’,” Anand Hanchinamani, Senior Director, Audit Product Management, MetricStream, said, “Climate risk is a global problem with a local impact. It can lead to probably hotter working conditions in India or increased tidal flooding in Florida or coastal regions. But, [climate risk] is systemic – one particular problem can lead to a series of supply chain issues or [result in] add-on impacts around the world on different kinds of operations. So, that is why board of directors, investors, customers, and regulators demand accuracy with reporting and responses on ESG-specific issues.”
MetricStream attended the recent Gartner Security and Risk Management Conference and the Marcus Evans' 13th Edition Third Party Risk Management for Financial Institutions Conference. Key themes at both the events included the importance of automation, interconnected risk management, and risk quantification.
MetricStream at Gartner Security and Risk Management Conference (L); MetricStream at Marcus Evans' 13th Edition Third Party Risk Management for Financial Institutions Conference (R)