Introduction

Strengthening operational resilience, enhancing self-reporting and disclosure mechanisms, seeking greater fourth-party verification, and a renewed focus on the G in ESG made it to the top GRC news stories in the month of November 2022. In the background, the magnitude, velocity, and complexity of risks continued to evolve. Ransomware still remains the top cyber risk confronting companies today, with third-party risks and automated threats also becoming an important cause for concern. In addition, the Ukraine crisis has heightened concerns about full-scale cyber warfare, with the Gartner 2023 Annual Audit Plan Hot Spots Report warning against "new geopolitical conflicts and the heightened prospect of state-sponsored attacks."

At the recently held MetricStream GRC Summit 2022 in London—our 10th anniversary event— we saw GRC thought leaders, visionaries, and industry experts highlight the most significant trends and best practices in GRC, compliance, cyber risk, and environmental, social, and governance (ESG). Here are three top insights identified by our leaders.

“It’s time to reimagine what’s possible in GRC and pivot from uncertainty to clarity and focus.” Gaurav Kapoor, Co-CEO and Co-Founder, MetricStream

“Enterprises need to look at GRC holistically and not in isolation.” Prasad Sabbineni, Co-CEO and Chief Technology Officer, MetricStream

“Talent risk is a top threat to the enterprises—ahead of many other risks.” Gunjan Sinha, Co-Founder and Executive Chairman.

What other challenges must GRC practitioners be aware of, and what are some emerging best practices in the industry? Scroll down to read our monthly roundup.

In the World of Enterprise and Operational Risk, Regulation, and Resilience

Operational resilience has emerged as a global and industry-wide priority. The Operational Resilience Framework (ORF), along with NIST and ISO, has been developed by the Business Resilience Council after nearly a year of consultation. It ensures critical services run during a crisis. In KPMG's first UK Regulatory Barometer, operational resilience ranked in joint third place, alongside ‘Regulating digital finance’ and behind ‘Maintaining financial resilience’ and the top regulatory theme was ‘Delivering ESG and sustainable finance.’ The Federal Reserve also emphasized the need for a supervisory approach to operational resilience at the US Senate Committee on Banking, Housing, and Urban Affairs.

• The McKinsey Global Institute released its discussion paper ‘Global flows: The ties that bind in an interconnected world,’ which offers a view of the flows driving global integration, an assessment of interdependency and concentration risks, and the vital role of multinational corporations. The study is the result of studying over 30 global value chains and about 6,000 globally traded products.
• Disclosure has emerged as a key theme, with the Financial Reporting Council (FRC) finding that more than half of FTSE 350 companies provided limited insight into their corporate governance and reporting in line with the UK Corporate Governance Code. For example, a treated wood and chemicals distributor in the US was asked to pay $1.3 million to the Securities and Exchange Commission (SEC) for its disclosure failures. Businesses take varying approaches when self-reporting to regulatory agencies, which can lead to differing results regarding cooperation credit.
• A panel discussion on compliance readiness for 2023 and beyond was held at Compliance Week Europe in Edinburgh, Scotland. The discussion centered around dealing with risks relating to artificial intelligence (AI); diversity, equity, and inclusion (DEI); and shortfalls in staff, training, and expertise.
• The International Data Corporation (IDC) has published its Future of Connectedness predictions for 2023 and beyond. It highlights how hybrid work and distributed workforces have necessitated seamless anytime, anywhere digital interactions, prioritized connectivity programs, and increased investments in connectedness.
• Despite geopolitical threats, high inflation, and poor economic growth, global security partnerships, financial integration, supply chain resilience, and migration will remain top priorities according to the '2023 Economics & Country Risk Outlook' Report.
• Risk management is a recurring concern globally, with experts agreeing that it cannot be a static, one-time task. According to Healix's Risk Outlook 2023 Report, the energy crisis, political polarization, cyber risks, and global extremism could be the top risks for 2023. Further, the Federal Reserve Bank of New York has clarified the common misunderstandings that often derail risk management efforts.
• Financial service providers have always been at the forefront of adopting cybersecurity measures. A recent paper, Corporate Governance Principles for Banks, notes how the increased regulatory scrutiny on compliance requires compliance officers to step up within their companies. Three key pieces of legislation will heavily impact the financial sector in the EU. The APRA’s risk culture survey calls for a continued focus on improving risk management practices and behaviors.

In the World of Cyber GRC

As the world races toward greater digitalization, organizations are likely to be more vulnerable to cyberattacks. Since 2019, three of four large firms have been impacted by some form of cyberattack. Ransomware remains the top cyber risk, but automated threats are becoming increasingly common, especially among e-commerce players.

Organizations are seeking ways to fight back. In the EU, financial firms have been pushing for standardized cybersecurity laws. The rules empowering EU countries to meet stricter supervisory and enforcement measures and harmonize their sanctions were approved by MEPs. Introducing cyber insurance, building a national cybersecurity strategy, and boosting cyber resilience can help combat the dangers of the dynamic threat landscape.

• The Cybersecurity and Infrastructure Security Agency (CISA) outlined three areas of focus for improvement. First, its guide for categorizing vulnerabilities by stakeholders seeks to automate mitigation by making the data about vulnerabilities machine-readable. It has also released cybersecurity performance goals to reduce the risk and impact of adversarial threats.
• Cyberthreats and IT governance are top risk areas for internal auditors to address in their audit plans for 2023, according to Gartner’s 2023 Audit Plan Hot Spots Report. The ten worst cybersecurity threats until 2030 were identified and ranked by ENISA (the European Union Agency for Cybersecurity) after an eight-month foresight study.
• To mitigate the cybersecurity concerns of various stakeholders, The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) released a set of guidelines.
• Financial institutions are frequently the target of numerous attacks. As a result, the New York Department of Financial Services (NYDFS) has proposed several changes to its cybersecurity regulations and requested the public to provide recommendations. The new regulations will strengthen the threat landscape as cyber regulatory pressures continue to mount for banks.
• The Dobbs decision, the risk from third parties, and the increasing interconnectedness of healthcare are some of the biggest HIPAA compliance challenges today. Poor cybersecurity initiatives could result in complete blacklisting. As of September, third-party vendors were responsible for seven of the ten most significant healthcare data breaches disclosed to OCR this year.
• The role of cybersecurity staff and their contribution to the overall culture of the cybersecurity industry was the highlight of Forrester’s APAC predictions for 2023.
• As the digital landscape becomes increasingly complex, so are vendor relationships. While many organizations are still dealing with third-party risk, the discussion is shifting to address fourth-party risk

In the World of ESG Regulations and Risks

Reporting and disclosure are vital to keeping abreast of evolving ESG trends and building climate resilience. Across the world, companies face pressure to incorporate Environmental, Social, and Governance (ESG) measures into their core business strategies, take accountability for public statements, and follow concerted ESG initiatives.

The EBRD put out its third annual report based on the framework for voluntary reporting set up by the Task Force on Climate-Related Financial Disclosures (TCFD). TCFD reporting can deliver significant business benefits beyond compliance. As disclosure standards become more comprehensive and consistent, companies will have a solid base from which to measure their ESG impacts and outcomes and compare themselves to their peers.

However, while transparency in the ESG journey has been steadily increasing, the EY Global Corporate Reporting and Institutional Investor Survey found a significant reporting disconnect with investors on ESG disclosures. Stakeholders pointed out that their expectations for transparency still needed to be met.

• A Gartner survey found that customers’ pressure encourages organizations to increase their sustainability investments, and over 87% will increase their investment over the next two years.
• According to Forrester, environmental sustainability presents both an opportunity and risk and will become a strategic imperative that ushers in a green market revolution. The US has issued a draft of the Fifth National Climate Assessment, a tool that shows climate and sustainability progress and provides risk management decision-makers with the latest information.
• According to Deloitte’s 2022 Global Third-Party Risk Management Survey, the extended enterprise lacks a formal mechanism to manage and prioritize ESG issues properly. Organizations must also work on reducing emissions by prioritizing supply chain sustainability. In the infrastructure sector, suppliers need to provide different levels of disclosure for reporting compliance based on whether they are beginners, intermediates, or leaders.
• ESG encompasses the environmental, social, and governance aspects; all three elements need equal attention, but according to the Harvard Business Review, governance, in particular, is getting shortchanged. There is also a question of whether cybersecurity does not deserve its identity in the ESG framework.
• The financial sector has been making special efforts with its ESG initiatives. According to a new World Bank Group report, investing 1.4% of the annual GDP would reduce emissions by 70% by 2050 and boost resilience in developing countries. The European Central Bank is pushing banks to speed up climate change work. The Dubai Financial Services Authority’s (DFSA) Task Force on Sustainable Finance (TFSF) issued a Climate and Environmental Risk Management publication to kickstart an open dialogue on sustainability within the UAE. Insurers, too, are committing to integrating ESG into their operational and investment choices to reduce their carbon footprint and achieve net zero.
• To avoid a "ruin scenario," firms must plan for low-likelihood, high-severity risks and adjust faster, according to an Institute and Faculty of Actuaries (IFoA) report with the Climate Crisis Advisory Group (CCAG).
• Nearly 70% of more than 500 global corporations report higher-than-expected financial returns on climate initiatives, proving that pro-climate actions do not impact profitability.

What’s Next @MetricStream

Don’t forget to register for the following webinars:

• MetricStream Partner Forum Glimpse of Euphrates: Day in the Life of a Partner Developer, Part II Dec 01, 2022 7.30 pm PST | 03:30 pm GMT
• A UK and European Roadmap to Compliance and Regulation Dec 15, 2022 3.00 pm UK Time | 4:00 am CET

Missing out on top GRC stories? Subscribe to our blog and newsletter.