Managing operational risks effectively is a top priority for most organizations today, and controls play an important role in ensuring risks are mitigated. Controls range from preventive to corrective and are essential for managing risks, ensuring compliance, and safeguarding the organization’s assets, customers, and reputation. Frameworks such as COSO’s (Committee of Sponsoring Organizations of the Treadway Commission) internal control framework expect organizations to embed internal controls into business processes to ensure ethical and transparent operations aligned with industry standards. These controls must be monitored, tested, and improved continuously to keep up with the constantly changing risk environment and business priorities. The challenge before today’s organizations is to execute reliable strategies for managing operational risks through control rationalization and to facilitate better decision making.
The 2023 GRC Summit in Miami saw Kevin Finlay, Vice President, Sales, MetricStream, lead an in-depth discussion on this topic with experts:
Watch Now: Effectively Managing Operational Risks Through Control Rationalization for Improved Decision-Making
The panel of experienced practitioners had a lot to say on these topics, given that they live them every day. Read on for the key highlights of their engaging discussion.
The risk landscape is evolving at unprecedented speed and scale. As a result, an organization’s definition of what constitutes operational risk must also change, along with the steps taken to mitigate it. What do organizations consider their new operational risk priorities, and how are they going about addressing them?
A comprehensive Risk and Control Self-Assessment (RCSA) is a widely used exercise today, but it must be guided by the enterprise’s risk appetite, the big risk picture, and the expected outcome to be effective.
When it comes to technology, most organizations conduct continuous control monitoring. However, the challenge lies in evaluating and rationalizing controls on non-IT systems. A bottom-up, process-driven risk and control inventory anchored in a common taxonomy is a good way to build a framework that encompasses all areas of risk. An overall understanding of the control environment must be followed by a systematic approach to prioritizing risks and controls for better impact.
Here are a few points to consider when it comes to assessments:
Optimizing and rationalizing controls for enterprise risk management will increase in complexity as the risk environment continues to evolve. Connected GRC approaches and technology can help organizations improve the process by leveraging data for better insights and quicker action. AI models will be immensely helpful for organizations in the years to come. At the same time, best practices from fields such as anti-money laundering must be explored and extended to unrelated businesses for a comprehensive assessment and rationalization effort.
MetricStream’s Operational Risk Management software is designed with a comprehensive set of capabilities that powers your ORM program to drive risk-intelligent, real-time business decisions that accelerate business performance and reduce losses.
With MetricStream’s Operational Risk Management software, your organization is empowered with:
Interested to learn more? Request a customized demo now.
Stay tuned for more details on the upcoming 2024 US GRC Summit! Keep an eye on this space for updates.
New year. New beginnings. New resolutions.
It’s that time of the year again! For many of us, a new year means a time to start fresh, improve and better ourselves, and make big plans with renewed optimism and energy. The same goes for risk and compliance practitioners too, who are looking to drive risk effectiveness, improve efficiency, and thrive with a fresh approach and advanced technologies.
In the world of governance, risk, and compliance (GRC), change is the only constant. As we step into 2024, banking and financial institutions are bracing themselves for the unknown unknowns stemming from escalating geo-political conflicts in various parts of the world, a grim economic outlook, intensifying cyber risks, severe supply chain disruptions, an array of new regulations, and more.
In its 2024 Banking and Capital Markets Outlook, Deloitte said that the strategic choices made by banks will be tested this year as they will be confronted with “multiple fundamental challenges” to their business models.
“A slowing global economy, coupled with a divergent economic landscape, will challenge the banking industry in 2024. Banks’ ability to generate income and manage costs will be tested in new ways,” the consulting giant noted.
So, while the leadership and top management review the past year and chalk out business goals and strategies for the year ahead, GRC leaders should take this opportunity to rethink their approach and implement changes in processes, tools, and technologies that will boost their organization’s resilience.
Against this backdrop, here are 5 key risk and compliance resolutions for banking and financial services organizations to help successfully navigate 2024. What are yours? Let us know in the comments!
Risk is an inherent part of business. Instead of viewing risk as detrimental to the organization’s growth and financial posture, banks should look to turn risks into opportunities. The willingness to take risks can help organizations gain a competitive edge and drive greater profitability and business value. However, there’s a catch – not all risks will translate into strategic advantage. So, how can financial institutions make the decision of whether to accept, reject, avoid, or mitigate a risk?
This is where the risk management program comes into play. An effective risk management program can enable decision-makers to make well-informed business decisions by providing a streamlined process for evaluating opportunities. It equips the top management and leadership with actionable insights, improved risk visibility and foresight, and greater transparency that helps them better manage projects based on risk impact and probability in relation to potential return.
Banking and financial services organizations are a primary target of cyber criminals – which is unsurprising given the sheer volume of sensitive information and assets worth billions of dollars at stake. According to Sophos, the rate of ransomware attacks in financial services jumped from 55% in 2022 to 64% in 2023.
To protect their IT and cyber infrastructure from frequent and increasingly sophisticated cyber attacks, banks need to level up their cyber risk management approach. Relying on periodic reviews and assessments of cyber risks and controls is no longer enough. To stay on top of rapidly evolving and fast-moving cyber risks, organizations need an automated, autonomous, and continuous approach that enables them to proactively identify and address any risks, threats, vulnerabilities, control weaknesses/gaps, and issues before they snowball into something significant.
Banks today can also harness the power of artificial intelligence and other advanced technologies to improve risk management processes and enhance efficiency. AI can significantly accelerate the decision-making process by quickly providing insights into risk trends and patterns as well as identifying areas of improvement – such as the number of duplicate or redundant controls, patterns of over and under-testing of controls, optimum control testing frequency, similar issues, and more.
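Two of the control-rationalization signals mentioned above, duplicate or redundant controls and under-tested controls, can be surfaced from a plain control inventory without any AI tooling. The following is an added example written for this page, not MetricStream’s product code: it runs a lexical (Jaccard) similarity check over control descriptions to flag likely duplicates and compares each control’s last test date with its required test frequency to flag overdue tests. The `Control` record, the stop-word list, the 0.6 similarity threshold, and the four-control inventory are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed record type: a minimal control inventory entry (assumption).
@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    test_frequency_days: int  # how often the control must be tested
    last_tested: date         # date of the most recent completed test

# Small stop-word list so that filler words do not inflate similarity (assumption).
_STOP_WORDS = {"the", "a", "an", "of", "to", "and", "is", "are",
               "for", "in", "on", "by", "all", "be", "must"}

def _tokens(text: str) -> set[str]:
    """Lower-case word set of a description, minus stop words."""
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in _STOP_WORDS}

def jaccard(a: set[str], b: set[str]) -> float:
    """Jaccard similarity |A ∩ B| / |A ∪ B|; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def find_duplicate_candidates(controls: list[Control], threshold: float = 0.6):
    """Return (id1, id2, score) for every control pair whose descriptions
    overlap at or above the threshold, highest score first. These are
    candidates for a human reviewer, not automatic merges."""
    pairs = []
    for i, c1 in enumerate(controls):
        t1 = _tokens(c1.description)
        for c2 in controls[i + 1:]:
            score = jaccard(t1, _tokens(c2.description))
            if score >= threshold:
                pairs.append((c1.control_id, c2.control_id, round(score, 2)))
    return sorted(pairs, key=lambda p: -p[2])

def find_overdue_tests(controls: list[Control], today: date):
    """Return (id, days_overdue) for every control whose last test is older
    than its required test frequency."""
    overdue = []
    for c in controls:
        age = (today - c.last_tested).days
        if age > c.test_frequency_days:
            overdue.append((c.control_id, age - c.test_frequency_days))
    return overdue

# Constructed sample inventory (assumption, not real bank data).
SAMPLE_CONTROLS = [
    Control("C-001", "Privileged access to production databases is reviewed "
                     "quarterly by the application owner", 90, date(2024, 1, 15)),
    Control("C-002", "Quarterly review of privileged access to production "
                     "databases by application owner", 90, date(2023, 9, 1)),
    Control("C-003", "Backups of customer data are restored and verified monthly",
            30, date(2024, 2, 20)),
    Control("C-004", "Firewall rule changes require approval from the network "
                     "security team", 365, date(2023, 6, 1)),
]

if __name__ == "__main__":
    as_of = date(2024, 3, 1)
    print("Duplicate candidates:", find_duplicate_candidates(SAMPLE_CONTROLS))
    print("Overdue tests:", find_overdue_tests(SAMPLE_CONTROLS, as_of))
```

On the sample inventory, C-001 and C-002 are flagged as a duplicate pair (the same review written two ways), and C-002 is flagged as overdue, which is typical of how redundant controls drift: one copy keeps being tested while the other silently lapses. The lexical check is deliberately simple; it will miss semantically equivalent controls that share few words, which is exactly the gap the AI-based approaches described above aim to close.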
Regulatory compliance is becoming an increasingly challenging and demanding business function for financial firms. Already counted among the most highly regulated industries, the banking and financial services industry is looking at a torrent of new regulations, standards, and regulatory updates focused on various business functions and processes. Some of the prominent ones include revisions to the NIST Cybersecurity Framework, the NYDFS Cybersecurity Regulation, a revised version of PCI DSS, and others in the US, and the Digital Operational Resilience Act (DORA) and the Corporate Sustainability Reporting Directive (CSRD) in the EU.
Given the ever-increasing regulatory requirements, compliance teams inevitably fall behind as they end up spending most of their time tracking relevant regulations, understanding their impact on organizational processes, functions, risks, policies, and controls, implementing the required changes, and so on. Technology can make a huge difference in how these various compliance management tasks are performed.
Automated compliance is the future! Today, there are tools that leverage AI to scan the regulatory horizon for identifying relevant regulations and regulatory updates, quickly show the impacted processes, functions, risks, policies, and controls using a centralized platform, run autonomous control tests to ensure adherence to relevant regulations, generate reports that demonstrate compliance posture, and more. The technology-driven, automated approach can streamline compliance management activities and help strengthen compliance resilience.
For a deeper dive into the top 10 key regulations we are watching this year, read our blog “What’s Next in GRC and Risk Regulations? 10 Key Focus Areas for 2024.” Let us know what other regulations and regulatory developments you are keeping an eye on in the comments below.
With its ability to provide actionable insights, save time and costs, and create bandwidth for risk, compliance, audit, security, and sustainability teams, AI is already being regarded as a game-changer for GRC. While AI will not replace the need for human involvement, it can reduce manual effort and human error, thereby improving the accuracy and consistency of GRC processes and decision-making and helping to close blind spots.
At the same time, it is essential to ensure responsible AI innovation. As financial institutions explore more and more use cases and integrate AI capabilities into their processes, they also have the duty to follow the highest standards to ensure its ethical and responsible use, as well as to implement measures to identify, assess, and manage AI risks. Think GRC for AI, if you will.
Regulators and standard-setting bodies have already taken steps toward this goal. In the US, the National Institute of Standards and Technology (NIST) last year released the NIST AI Risk Management Framework (AI RMF 1.0) aimed at improving the “ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems” while the White House published an Executive Order on the safe, secure, and trustworthy development and use of AI. In the EU, members of the European Parliament reached a provisional agreement on the Artificial Intelligence Act.
AI-focused innovation has been central to MetricStream’s product and platform releases over the years. Our AI capabilities span diverse GRC use cases – from issue identification and classification, action plan recommendations, and scanning of SOC2 and SOC3 reports submitted to organizations by third parties, to most recently, AiSPIRE, an AI-based knowledge-centric tool that provides intelligent insights to improve an organization’s control environment.
The financial sector is the backbone of the global economy. As such, the growing focus of financial firms on operational resilience – the ability to foresee, prevent, withstand, respond to, and recover from risk events – isn’t surprising.
Most recently, the COVID-19 pandemic served as a real-world test of the resilience of banking and financial institutions. The agility demonstrated by the organizations to quickly move their operations completely online and support remote working environments while ensuring security and compliance has been remarkable.
That said, to thrive in today’s rapidly evolving risk landscape, marked by high-frequency, high-impact risk events, growing interconnectedness of risks, and amplified digital dependencies, organizations need to double down on their efforts to strengthen operational resilience. It is critical for banks to not only have robust business continuity and disaster recovery programs in place but also integrate them into the overarching enterprise risk management program. This is important to get a holistic, 360-degree view of the organization’s GRC posture, understand the critical business functions and their interrelationships with other business functions, and improve the risk visibility, foresight, and preparedness required for being resilient.
“Don’t wait for perfection before you start. Start somewhere so you can have something tangible you can work to perfect.”
This quote from Simon Sinek is relevant not only on a personal front but also in the corporate world. As the risk and regulatory landscape continues to evolve and become increasingly challenging, the need of the hour for banking and financial services institutions is to embark on the GRC journey: start where they are, with what they have, and build on it.
MetricStream has been a trusted partner of several global banking and financial institutions in their GRC journey. Learn how we helped a prominent EU-based financial institution strengthen risk awareness, agility, and resilience.
If you’re looking to embark on your GRC journey and want to understand how we can help, request a personalized demo today!
The risks faced by energy and utilities organizations have evolved tremendously over the past decade. From intensifying cyber threats to growing awareness of environmental concerns, changing geopolitical dynamics, supply chain disruptions, fluctuating prices, regulatory changes, and more, the sector today has to navigate an extremely complex and highly interconnected risk landscape.
In PwC’s 2022 Global Risk Survey, 83% of power and utility leaders identified keeping up with the speed of digital and other transformations as a significant or very significant risk management challenge. While the traditional approach to enterprise risk management (ERM) might have worked well in the past, energy and utilities companies need to rethink their ERM program and the approach to implement and reinforce it across the enterprise.
Needless to say, technology has a critical role to play in effectively managing these fast-changing and interdependent risks, but there’s also a greater need to change the very mindset of organizations. In today’s volatile business environment, organizations cannot view and approach risk as an afterthought – they need to be proactive and farsighted to not just address today’s risks but also prepare for tomorrow.
The U.S. Office of Management and Budget (OMB) outlined ERM requirements for federal agencies in the circular “Management’s Responsibility for Enterprise Risk Management and Internal Control.” Based on this circular, the Department of Energy explains various aspects and processes of a comprehensive ERM program in its Enterprise Risk Management Fiscal Year 2023 Guidance, including:
It is important to underscore the need for a continuous approach to ERM. Given today’s rapidly evolving internal and external risks and their cascading impacts, energy and utilities companies can no longer consider ERM as a one-time activity – it is essential to adopt a continuous and agile approach to risk identification, assessment, analysis, and mitigation so that there are no blind spots.
Using technology as an enabler, organizations can implement the continuous approach to ERM as well as gain operational efficiencies by automating repeatable tasks. Equally important is to adopt an integrated approach to ERM that cuts across operational and functional silos; such silos lead to poor risk visibility and foresight, duplication of effort, and misuse of resources.
Against this backdrop, here are a few key considerations for enabling an integrated and continuous ERM approach for energy and utilities organizations:
Organizations must record all their financial and non-financial risks from internal and external environments in a centralized risk repository and map them to assets, controls, regulatory requirements, policies, business units, etc. This serves as the single source of truth across the organization, which streamlines risk aggregation and analysis and improves risk visibility.
Energy and utilities organizations have an extensive third-party ecosystem, comprising suppliers, technology providers, transportation and logistics providers, consultants, contractors, and others. It is important to continuously identify, manage, and mitigate the risks from this extended enterprise for an effective and comprehensive approach to ERM.
Exploring AI use cases has become a top priority for organizations across industries. For energy and utilities organizations, AI holds the promise to transform ERM by providing timely and actionable intelligence into risk trends, control environment, action plan recommendations, and more. But it’s equally important to understand the risks of AI models and monitor them proactively to ensure the negative effects of AI on people, organizations, and data are curbed or minimized to a great extent.
Because energy and utilities organizations are critical infrastructure operators, the importance of their business resilience cannot be overstated. Fostering a resilient mindset requires deliberate and active participation from the top management and board. The objective is to not only manage risks but also be able to foresee, prepare for, and adapt to changing internal and external environments and withstand, respond to, and recover from disruptions. Implementing robust business continuity plans and testing them regularly for effectiveness is key to ensuring resilience in energy and utilities organizations.
The World Energy Council explains it in terms of the Dynamic Resilience Framework:
“The Dynamic Resilience Framework is an integrated approach to emerging risk management that contributes to building capacity and capabilities for managing the resilience of energy systems. Resilience to specific events and systemic shifts can be enhanced by situational awareness of the different types of risks and preparedness for future developments.”
With the growing pressure to scout for cleaner energy sources, intensifying regulatory scrutiny, an increasing number of catastrophic events, rising cyber attacks, volatile tariff and trade policies, and more, energy and utilities companies are looking at a highly uncertain business environment with multi-dimensional risks. Embracing a technology-driven and integrated ERM program is a business necessity today for continued financial and operational success.
For a closer look at the ERM process, risk methodology, and the critical role played by technology in modernizing risk management at energy and utilities organizations, download our latest eBook, which discusses the key elements of a well-defined risk methodology and how to build an ideal risk management governance structure.
In today's dynamic business environment, organizations face numerous risks and regulatory challenges that can impact their operations, reputation, and profits. To navigate these complexities successfully, businesses need to establish a robust control framework that provides a solid foundation for effective risk management and compliance practices.
We recently discussed these challenges with key experts Ivan Martinez, Chief Auditor, Banco Santander, London, and Charles Nicholls, Enterprise Risk Solutions Specialist, MetricStream, in a webinar titled, “Embedding a Strong Control Framework in Your Enterprise Risk and Compliance Strategies.”
Our panelists discussed the importance of incorporating a strong control framework into GRC strategies, the role of risk culture in taking risk management to the frontline, the UK SOX requirements, and more. It was a lively and useful discussion with an engaged audience who asked multiple questions.
Here are some of the key takeaways – as well as some of the audience questions.
Want to hear the original in its entirety?
Watch Now: Embedding a Strong Control Framework in Your Enterprise Risk and Compliance Strategies
The risk environment isn’t the same as even 5 years ago. We’re dealing with different kinds of risks. The volume and velocity of risks have increased, and the way we manage risks and the type of risks are not the same. Today organizations have to deal with a diverse set of risks, including Environmental, Social, and Governance (ESG) risks, advanced cyberattacks, lurking third-party risks, and geopolitical risks.
The financial services landscape has also changed. The modern banking revolution is being driven by advanced technologies such as AI, ML, robotic process automation (RPA), chatbots, and cloud computing, along with the emergence of new business models such as FinTechs and InsurTechs.
We are witnessing collaboration between banks, financial service providers, and FinTechs, resulting in better customer service and higher profits. However, these innovations have also introduced newer and more complex risks.
Risks are inherent to every business. This increases the importance of staying vigilant and resilient in our approach. It is how we manage and thrive on risks that sets us apart from our peers and competitors. Being agile requires organizations to respond to and learn quickly from adverse situations and land back on their feet as quickly and effectively as possible.
Controls, compliance, and robust risk management processes are critical to building this resilience and agility. Let’s take a look at some of the key recommendations and takeaways that Ivan and Charles discussed – and their impact on anticipating risks.
Highlights and takeaways from the discussion included:
Below are some of the questions that were asked during the webinar and our responses:
How are emerging risks identified? Who should own and manage these risks?
Several analyst, market research, and consulting firms have conducted thorough research based on macroeconomic conditions and drivers to understand the top emerging risks. An emerging risk need not be new; it can be an existing risk with an elevated impact on the business compared to the past. Some of the emerging risks listed by these companies are:
Everything from the above may not be applicable to all organizations. Individual organizations need to review their business objectives, respective industry trends, and risk appetite to identify and map risks to these categories.
When it comes to emerging risks, involving the frontline is very important, as they are the most exposed to the lurking risks. Training and awareness of these risks are key to enabling the frontline to stay ahead of them. The ownership of identification and self-assessment of risks should remain with the frontline, and further analysis and mitigation strategies should be managed by the second line. From a technology standpoint, companies must streamline the capture of observations from across the organization, while also enabling anomalies to be recorded anonymously and triaged based on business criticality.
Implementing strong internal controls, compliance, and a robust GRC framework are the keys to building agility, resilience – and staying ahead of ever-evolving risks.
To learn more about how MetricStream can help, please request a demo today. To get a copy of the slides, please get in touch with sumith.sagar@metricstream.com.
Watch Now: Embedding a Strong Control Framework in Your Enterprise Risk and Compliance Strategies
Environmental, social and governance (ESG) concerns are rapidly emerging as critical factors that can impact and disrupt business, livelihoods, and life itself. Organizations are now aware of the significance of ESG compliance, though it is still considered primarily from a financial reporting lens. And despite there being several overlaps in terms of best practices, requirements, and reporting, many companies have still not integrated ESG reporting and compliance with their enterprise risk management (ERM) practices. As the risks continue to escalate, ESG will only increase in organizational importance, and become a permanent part of GRC. More specifically, it will become a risk category positioned under the overall risk umbrella of enterprise risk management.
The question, of course, is why many organizations are still hesitant to adopt ESG as a business-critical requirement. Unfortunately, too many businesses still perceive environmental or social activism as irrational, with little or no connection to business productivity and success. But today, extreme weather events, droughts and shrinking snowpacks, and global temperature increases are a reality, and instances of discrimination, incivility, and harassment are widely reported across the world, resulting in widespread public condemnation, reputational damage, and demands for accountability.
We are at an inflection point, with consumers recognizing their influence and demanding that businesses and industries do better for the environment and for social governance. Their influence extends beyond condemning bad actors to buying behavior, where their demands for accountability have the power to force businesses, sectors, and even governments to ensure public reporting of ESG compliance and its impact on the environment, people, and communities. The public in key markets is already making ESG value statements with their pocketbooks. It should not surprise any business today that, when given the choice, consumers are often more likely to do business with a company that demonstrates its commitment to sustainability. It has been shown that they are willing to pay a premium for products where the brand showcases its approach to ethical, social, and environmental causes. In short, it is time businesses realized that climate-consciousness and pursuing ESG best practices and standards can help increase profits and ensure long-term business success.
At the same time, organizations are beginning to understand the direct impact of climate change on business continuity, resilience, and profitability. It is important to remember that an increasing number of businesses and governments are declaring that climate change and environmental sustainability are real and legitimate risks to operations. This means that committing to an ESG program is no longer a nice-to-have measure that can elevate the reputation and profitability of a business. It is a must-have critical element within a larger risk management and operational resiliency strategy.
Enterprise Risk Management is an umbrella approach for managing multiple risk categories across the business. These include external risks such as economic or geopolitical risks, cybersecurity, or environmental risks, and internal risks like reputational risks, financial risks, product risks, partner risks, data privacy risks, leadership, employee churn risks, and compliance risks. Most ERM strategies include specific categories such as operational risk management, regulatory & compliance programs, third-party risk management, IT and cybersecurity risk management, and audit programs. Many expect ESG to migrate from a standalone practice to become one more of these risk categories housed under a larger ERM framework. But we believe that time has not yet come, as the distinct practices, values, and measures within ESG need to mature further and be more widely adopted before it can be appropriately positioned under an ERM umbrella.
Management of existing risk categories today applies certain common structures, workflows, and assessment practices within ERM frameworks. This includes standard practices for the identification, assessment, and prioritization of individual risks, and the evaluation of risk velocity, severity, and the connections between different risks. ERM frameworks also tend to include a centralized risk register for easy reference. A centralized system provides the controls, procedures, and policies that can be applied when responding to any category of risk, based on the organization’s predefined risk profile and appetite. Modern ERM frameworks leverage data analytics for real-time insights that facilitate better decision making across the risk universe.
Most ERM practices have been around for decades, and the best practices have been designed, tested, and reviewed over time. ERM is a living process, flexible enough to adapt to changes in risk scale, diversity, and organizational risk profile, so validation of the program and adjustment of its scope, scale, and performance are ongoing. In a well-run risk management program, many processes are automated, which allows risk leaders to focus on strategy rather than day-to-day operations. Reapplying or extending existing standard procedures, automation, assessments, scoring methodologies, data collection, and reporting, with some evolution and adaptation, to newer risk management categories like ESG makes good business sense. Pursuing ESG as a risk category and integrating it into existing ERM frameworks should help expedite program accountability and ensure reporting consistency.
Over the last few years, several ESG reporting standards and mandates, such as the TCFD recommendations and the CSRD, have emerged and reached a definitive and defensible market position. They define how ESG-related data is to be collected, the reporting formats and requirements, and other criteria pertaining to what, when, where, and by whom ESG data is collected. These reporting outcomes can be readily incorporated into existing ERM frameworks and may enhance data and reporting across additional risk categories. In fact, ESG and Third-Party Risk Management (TPRM) are central to, and can be further integrated into, resiliency strategies within ERM. Their inclusion will be invaluable for accelerating recovery from environmental and social risk events. Integrating ESG into ERM frameworks can also build on commonly accepted structures and expand the scale, scope, and depth of risk understanding. It would be a mutually beneficial move, with each discipline benefiting from the data and values of the other to deliver holistic legitimacy.
There is a growing expectation that within the next five to ten years, ESG will be housed within and enhance ERM programs. For now, ESG deserves focused attention from the market to refine its reporting and frameworks as it matures. While there will clearly be distinct risks, reporting structures, frameworks, and stakeholders for ESG information, it will increasingly be viewed as one of several important risk categories under the ERM umbrella. In a sense, it must ‘cross the chasm’ to a degree of standardization, consistency, commonality, to capture the market buy-in it doesn’t yet have. Once this is achieved, organizations will more easily integrate ESG risk assessments, reporting, and definition into enterprise risks.
Want to learn how to integrate ESG risks into Enterprise Risk Management (ERM) processes?
Register for the upcoming webinar: The Interconnectedness of ESG, ERM, and Third-Party Risk Management
Read the eBook: ESG and ERM: Bridging the Gap
The Office of the Comptroller of the Currency (OCC) has published its Spring 2022 risk report, which highlights risks faced by banks and financial services organizations. The National Risk Committee (NRC) of the OCC plays a key role in monitoring the U.S. federal banking system, identifying key risks facing banks, and highlighting those risks in its semiannual publications. The latest edition of the report observes that the financial condition of banks remains strong and well-positioned to “deal with the economic headwinds arising from geopolitical events, higher interest rates, and increased inflation,” and warns banks and financial organizations to prepare for elevated operational risk and heightened compliance risk.
The report attributes these risks to current geopolitical tensions, a heightened compliance risk environment driven by regulatory changes, policy initiatives, and challenges in hiring qualified compliance professionals, and an observed increase in cyberattacks on the financial services industry.
Here is a closer look at the key risk themes highlighted in the report.
The OCC report attributes the elevated operational risk to cyber threats which “continue to evolve, with an observed increase in attacks on the financial services industry.” This has been further accelerated by the ongoing geopolitical situation. Additionally, “banks’ increasing reliance on third-party relationships, along with the development and adoption of innovative products, services, and technologies, and ongoing changes to banks’ staffing and the operating environment” have all led to an increase in operational risk.
Also, the OCC has observed that banks are finding it challenging “to maintain comprehensive operational resilience frameworks commensurate with the complexity of products, services, and operations being supported in this environment.” It has further advised that some of the risk exposure may manifest in the coming quarter, making it vital for “the industry to remain vigilant and fully assess its risk exposure.”
Given the increased operational risks, the OCC’s recommendations include:
The OCC has highlighted that compliance risk remains heightened. This is primarily because banks are now required to navigate the complexity of sanctions imposed in response to the Russian invasion of Ukraine. At the same time, banks have also been required to “continue to manage the impact of forbearance programs and the elevated volume of customers on deferred payment and loss mitigation programs.”
The OCC has further observed challenges across the industry in retaining and replacing staff in compliance functions. The lack of access to subject matter expertise, or the use of third-party relationships to support or fill such critical roles, may increase compliance and operational risks.
The OCC offers the following recommendations for banks and financial institutions.
As banks and financial institutions work to address key risk areas, it is important that they view and recognize the interconnectedness of risk. As highlighted in the OCC report, the scale and scope of the interconnectedness of risk are rapidly expanding. This requires a connected approach to manage and mitigate risk.
MetricStream’s ConnectedGRC empowers banks and financial institutions with a connected and streamlined governance, risk management, and compliance approach that enables firms to better identify, assess, manage, and mitigate risk across the enterprise—including strategic, operational, IT and cyber, third and fourth-party, compliance, and ESG risks.
Interested in learning how MetricStream can help you take a connected approach to risk management? Write to me at sumith.sagar@metricstream.com to learn more. You can also request a personalized demo to learn more about our products.
Cryptocurrency is almost synonymous with “what’s next.” From the probably best-known Bitcoin to Ether, Dogecoin, or any other of the many tokens, crypto has a futuristic air of “tomorrow’s economy today.” With the global cryptocurrency market projected by IMARC Group to reach $32,420 billion by 2027, digital currency is becoming a fully-fledged, if not yet completely understood, member of the global financial markets.
Yet tomorrow has also brought with it extensive risk, the full extent of which is not yet visible.
The massive amount of currency in play, the instability of platforms, and the general lack of regulation around crypto make it a favorite for bad actors. According to Cybersecurity Ventures, crypto crime is predicted to cost the world $30 billion by 2025.
The anonymous aspects of cryptocurrency make it the most-preferred currency by cyber adversaries for carrying out ransomware attacks across industries and for money laundering, terrorist financing, and other crimes. In its analysis of cryptocurrency received by ransomware addresses, Chainalysis identified more than $602 million worth of ransomware payments in 2021, adding that “the true total for 2021 is likely to be much higher.”
The sheer size of the cryptocurrency market makes it impossible to ignore, especially for the traditional banking system as this emerging financial asset class could threaten financial stability.
Decentralized finance (DeFi) platforms, which eliminate the middle layer of banks and other third parties in financial transactions, are one aspect that poses risks. With their promise of facilitating faster and cheaper cross-border payments, they are giving legacy banks a run for their money. To stay current as the world rapidly digitizes, banks must examine the role of these and other blockchain-related technologies – but until regulations, risk monitoring, and governance catch up, the risks are significant.
Primarily seen as a vehicle for speculative investments at present, crypto also lends itself to scams. These include “pump and dump” or “rug pull,” both of which involve raising the price of currency and then dumping it, leaving investors in the cold; phishing scams to gain access to crypto wallets; and much more. The number of cyberattacks on cryptocurrency exchanges is also on the rise.
The explosive growth of the “Metaverse” in recent months has caught the attention of crypto investors. While this new frontier of the internet holds the potential to transform e-commerce, entertainment, and other industries, and could merge the physical and virtual worlds, concerns around data security and privacy, cybersecurity, and mental health issues, among others, are also growing rapidly. What makes the situation more precarious is the current lack of regulation.
The cyber impact of crypto is so high-profile that in the U.S., the Securities and Exchange Commission (SEC) recently announced that it has renamed its Cyber Unit to the Crypto Assets and Cyber Unit and will nearly double its staff with 50 dedicated positions. Among the risks being monitored will be crypto assets, exchanges, and DeFi platforms.
In the UK, the government announced a series of measures to make Britain “a global hub for cryptoasset technology and investment.” This includes establishing a Cryptoasset Engagement Group, setting up a ‘financial market infrastructure sandbox’ for firms to experiment and innovate, and others.
Regulators in Europe are also working on a comprehensive set of rules that will not only boost the potential of crypto-assets but also help to curb the threats. To address the risks posed by the anonymity feature of cryptos, the European Parliament agreed to start negotiations with EU countries on rules to allow the tracing and identification of crypto-asset transfers. Earlier this year, it adopted new rules to support the testing of the distributed ledger technology (DLT) in market infrastructures.
What the future of crypto holds remains to be seen – but like any risk, the fundamentals remain the same. Implement strong, active cyber risk management, monitoring, and governance; collaborate with quantitative and qualitative insight across your cyber and business teams; and stay agile to stay ahead of tomorrow’s risks today.
Organizations today need to keep a close eye on the constantly changing Governance, Risk Management and Compliance (GRC) landscape. Newer and diverse risks, including increasing cyber risk, pandemic-related regulatory and policy changes, and risks associated with climate change now present a very real challenge that organizations need to prepare for.
Stay prepared for what’s next in GRC with our monthly round-up of the trending news and insights that you can use.
As the risk landscape expands, strengthening business resilience with enterprise and operational risk management remains a top priority for organizations. At the same time, regulatory requirements from governments and regulatory bodies have left organizations dealing with multiple layers of complex change, often happening simultaneously. This makes the compliance function an important priority for organizations of all sizes.
Here’s what has been spotted on the risk and compliance radar this month.
Other trending risk and compliance topics include the publication of the 2022 Interos Annual Global Supply Chain Report, which highlighted that only one-tenth of survey respondents monitor supplier risks on a continual basis, and the PwC Global Risk Survey, in which 65% of survey respondents reported increasing their overall spending on risk management technology.
With cyber actors continually improving the level of sophistication of cyber attacks, cyber-risk mitigation is now the top priority for organizations, governments, and regulatory authorities. In the month of May 2022:
In other IT risk and cyber risk news, Rob Joyce, the head of cybersecurity at the U.S. National Security Agency, is “still very worried” about the escalated cyber risk arising from the Russia-Ukraine war. For CISOs, this translates to continuing to track the conflict and putting measures in place to mitigate any direct attacks and cyberattack spillovers. The judgement by the Federal Court of Australia in Australian Securities and Investments Commission v RI Advice Group Pty Ltd has now made it clear that failure to manage cyber risk is a breach of financial services obligations. This has led the Australian Securities and Investments Commission (ASIC) to publish a guidance note on the critical cyber risk measures that AFSL holders are now expected to have in place.
The importance of assessing risks from climate change, environment, and social equity continues to create a lot of conversation. The top highlights include:
To be noted is the new survey report by Deloitte, which reports findings on how climate, sustainability, and social equity are now important considerations when it comes to shaping infrastructure plans. Also, various global regulators are aiming to bring new reforms to tackle greenwashing and promote greater transparency in environmental, social, and governance investments.
MetricStream empowers organizations to drive a connected GRC program. Leverage ConnectedGRC, and our BusinessGRC, CyberGRC, and ESGRC product lines, to better identify, assess, manage, and mitigate strategic risks, operational and enterprise risks, IT and cyber risks, third-party risks, compliance risks, and ESG risks.
Interested in learning more? Request a demo now.
“I’ve looked at risk from both sides now…”
Ok – I guess I owe an apology to Judy Collins, and to all of you for damaging a great sixties music classic! But I often think about this song when thinking about cyber risk. Examining risk takes more than a one-sided view: It requires perspective, and both quantitative and qualitative analysis.
That’s especially important in today’s unsettled world, where the need to adopt a risk-based approach to business decision-making has been gaining prominence in recent years. Particularly in the wake of a series of disruptions in the past two years, including the COVID-19 pandemic, the Suez Canal blockage, geopolitical unrest, rapid digitization, and more, organizations are increasingly making efforts to improve their enterprise risk management programs. A broader view is a must.
Performing risk assessments is one of the most important steps in the enterprise risk and cyber risk management processes. Once risks have been identified, assessment and analysis are critical to unlock deeper insights into your organization’s overall risk posture, understand the factors that can have a negative impact, and take proactive steps to mitigate and minimize them.
Risk managers are often faced with a difficult decision – which risk assessment method should I go with? Qualitative or quantitative?
As I’ve already hinted in my introduction, I’m biased toward a combination view – using both sides of the risk brain, if you will.
But from a practical standpoint, whether to perform a qualitative or quantitative risk assessment depends on what you’re trying to assess and what you expect to learn. Consider the risk of fire hazard faced by an organization. An initial risk assessment would entail survey questions such as:
In another example, if we consider the risks posed by IT vendors, you would want to segregate the third parties into critical and non-critical categories based on their level of access to critical organizational assets.
This requires asking questions like:
Organizations can easily identify which third parties require close monitoring and define risk management and control measures.
In these examples, most of the questions usually require a yes/no response and rely on the knowledge and expertise of the assessor. Though qualitative assessments are subjective in nature and can be influenced by the assessor’s bias and perception, they are important to understand the likelihood and severity of any risk event.
Based on the initial assessment, the next step is to assess the associated controls. In the example of fire hazard, this requires asking questions such as – How many fire extinguishers are available on every floor? Is there a fire exit? Are fire sprinklers installed? Are fire safety drills conducted?
In control assessments too, a qualitative assessment is often preferred.
For example, if you need to check the effectiveness of a control such as the fire sprinkler system, you can use a qualitative assessment on a scale of 1 to 5 (or a red, yellow, green rating), where 1 means the system has not been installed, 2 means it is installed but not working, 3 means some sprinklers are not working, 4 means all are working but the coverage is not optimum, and 5 means they are working effectively with full coverage.
However, if we go a step further to analyze the risk exposure: that’s where quantitative risk assessment works best.
Driven by data, quantitative analysis eliminates the ambiguity and subjectivity inherent in qualitative assessments. Associating a monetary value to risk equips chief risk officers to effectively communicate the risk exposure to the executive management in a language that is easy to interpret and act upon, and helps easily prioritize risks.
In the example of fire hazard, expressing the loss exposure in monetary terms, followed by questions such as – Do you have fire insurance? How much is the fire insurance? – will help accurately understand the risk exposure and mitigation measures.
The deepest insights come from the widest perspectives. For true risk assessment, perform both qualitative and quantitative risk assessments to gain real visibility into the overall organizational and cyber risk posture. You may have heard it called a 360-degree view of risk. With apologies to Judy, I like to see it as looking at risk from both – or all – sides now.
MetricStream’s latest release, Danube, brings risk quantification capabilities to the Enterprise and Operational Risk Management products – already available in our CyberGRC product line. Risk practitioners can now leverage advanced models to better quantify and prioritize risk strategies. They can easily capture values for variables (e.g. loss event frequency, loss magnitude) that can be represented in a simple format. The support for Monte Carlo simulations enables users to generate a range-based estimate and predict the probability of different outcomes for the annual loss expectancy. To request a personalized demo, click here.
To read more about the new innovations in our Danube Software Release, click here.
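The quantitative step described above, as an added example that is not MetricStream's code or the Danube feature: a Monte Carlo estimate of annual loss expectancy from a loss-event-frequency range and a loss-magnitude range, with the fire insurance question applied as a cover amount to get the residual exposure. The fire-hazard figures, the triangular sampling of ranges and the insurance cover are constructed assumptions.

```python
# Monte Carlo estimate of annual loss expectancy (ALE) for one risk scenario.
# Added example, not MetricStream's code: the frequency/magnitude ranges,
# triangular sampling and insurance cover are constructed assumptions.
import math
import random
from dataclasses import dataclass

@dataclass
class LossScenario:
    name: str
    freq_low: float    # loss events per year, optimistic bound (assumed)
    freq_high: float   # loss events per year, pessimistic bound (assumed)
    mag_low: float     # loss per event in currency units, low bound (assumed)
    mag_high: float    # loss per event, high bound (assumed)

def _sample_range(rng, low, high):
    """Triangular draw between low and high; the fixed value if the range is degenerate."""
    if low == high:
        return low
    return rng.triangular(low, high)

def _poisson(rng, lam):
    """Number of events in one year for rate lam (Knuth's method, fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(scenario, years=10000, seed=42):
    """One simulated year: draw a frequency, draw that many event losses, sum them."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    losses = []
    for _ in range(years):
        rate = _sample_range(rng, scenario.freq_low, scenario.freq_high)
        n_events = _poisson(rng, rate)
        losses.append(sum(_sample_range(rng, scenario.mag_low, scenario.mag_high)
                          for _ in range(n_events)))
    return losses

def percentile(values, pct):
    """Nearest-rank percentile of a list (pct in 0..100)."""
    ordered = sorted(values)
    return ordered[round(pct / 100 * (len(ordered) - 1))]

def summarize(losses):
    """Range-based estimate: ALE (the mean) plus the spread of simulated annual outcomes."""
    return {"ale": sum(losses) / len(losses), "p10": percentile(losses, 10),
            "p50": percentile(losses, 50), "p90": percentile(losses, 90),
            "worst": max(losses)}

def residual_exposure(losses, insurance_cover):
    """Mean annual loss left after an insurance cover (constructed figure) absorbs the first part."""
    return sum(max(0.0, loss - insurance_cover) for loss in losses) / len(losses)

if __name__ == "__main__":
    # Constructed fire-hazard scenario: 0.1 to 0.5 fires a year, 50k to 2M loss per fire.
    fire = LossScenario("fire hazard", 0.1, 0.5, 50_000, 2_000_000)
    annual = simulate_annual_losses(fire)
    stats = summarize(annual)
    print(f"{fire.name}: ALE {stats['ale']:,.0f}, p90 {stats['p90']:,.0f}, worst {stats['worst']:,.0f}")
    print(f"residual exposure after 1M cover: {residual_exposure(annual, 1_000_000):,.0f}")
```

The p10/p50/p90 spread is what turns a single expected-loss number into the range-based estimate the post refers to; the residual figure is what remains to prioritize after the insurance question is answered.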
As we enter 2022, the coronavirus pandemic continues to have a strong foothold in pockets around the globe with newer variants, keeping optimistic sentiment in check.
Will 2022 be the year when the pandemic ends, and we return to normalcy? Maybe. Maybe not. Based on our conversations with our customers and partners, we have learned that organisations are no longer pondering this question. Having weathered pandemic-led challenges in the past two years, organisations are now seeking “what’s next” and how they can prepare for it. The approach towards enterprise strategy and managing the unknown unknowns has undergone a major shift in the past two years.
The crisis has brought much-needed changes to the very DNA of today’s businesses. Organisations have realized that digitization, agility, and resilience are not just buzzwords but critical to thriving in today’s unsettled business environment with its several new and evolving risks.
Enterprise risk management (ERM) practices, too, are evolving from being an afterthought to becoming more future-ready and proactive. While the traditional approach to risk management involving risk identification, assessment, and mitigation will continue to be the foundation, a future-ready ERM strategy also focuses on preparedness for risk events, resilience to quickly bounce back and continue business operations in the aftermath of the event, and the ability to turn risk into a strategic advantage.
Around the world, organisations are looking at a highly uncertain risk landscape in 2022 with uneven economic recovery, elevated level of cyber threats, growing awareness and regulatory activity on environmental, social, and governance (ESG) aspects, geopolitical tensions, and more. The amplified digital interconnectedness of organisations in the post-pandemic world further exacerbates the situation as a disruption anywhere in the market can quickly impact several connected businesses.
In its Global Risk Report 2022, the World Economic Forum observes, “Converging technological platforms, tools and interfaces connected via an internet that is rapidly shifting to a more decentralized version 3.0 are at once creating a more complex cyberthreat landscape and a growing number of critical failure points.”
So, what’s next for GRC? Explore 8 Key Trends Powering 2022 and Beyond
With the growing digital dependencies and interconnectedness between organisations, the points of intersection among risks are also multiplying. As such, looking at risks in isolation is no longer effective to manage them and their domino effect.
The pandemic has been a wake-up call for organisations, and it is encouraging to see them moving away from antiquated and siloed practices and focusing on a more integrated, holistic, and tech-driven approach to ERM – ensuring seamless collaboration between risk, compliance, audit, third-party, cybersecurity, and other business functions. Organisations are also increasingly adopting advanced technologies, such as artificial intelligence and machine learning, to get actionable risk insights in a timely manner for effective decision-making.
A forward-looking and resilience-centric ERM strategy, complemented with automated workflows, is critical for organisations today to ensure preparedness for the risks of tomorrow.
So, what areas should organisations focus on while devising their risk strategy for this year? Join me as I discuss this and more in the webinar “Road to Resilience: Powering your Risk Strategy to Thrive in 2022 and Beyond” with Dan Wood, Senior Risk Professional & RMIA Queensland Chapter Committee, and Kieran Heinze, Global Supply Resilience Practice Lead, Infosys. To register for the webinar, click here.