×
Blogs

Top 5 Risk and Compliance Resolutions for Banking and Financial Institutions in 2024

blog-homepage-banner-2340267463
7 min read

Introduction

New year. New beginnings. New resolutions. 

It’s that time of the year again! For many of us, a new year means a time to start fresh, improve and better ourselves, and make big plans with renewed optimism and energy. The same goes for risk and compliance practitioners too, who are looking to drive risk effectiveness, improve efficiency, and thrive with a fresh approach and advanced technologies. 

In the world of governance, risk, and compliance (GRC), change is the only constant. As we step into 2024, banking and financial institutions are bracing themselves for the unknown unknowns stemming from escalating geo-political conflicts in various parts of the world, a grim economic outlook, intensifying cyber risks, severe supply chain disruptions, an array of new regulations, and more. 

In its 2024 Banking and Capital Markets Outlook, Deloitte said that the strategic choices made by banks will be tested this year as they will be confronted with “multiple fundamental challenges” to their business models. 

“A slowing global economy, coupled with a divergent economic landscape, will challenge the banking industry in 2024. Banks’ ability to generate income and manage costs will be tested in new ways,” the consulting giant noted. 

So, while the leadership and top management review the past year and chalk out business goals and strategies for the year ahead, GRC leaders should take this opportunity to rethink their approach and implement changes in processes, tools, and technologies that will boost their organization’s resilience. 

Against this backdrop, here are 5 key risk and compliance resolutions for banking and financial services organizations to help successfully navigate 2024. What are yours? Let us know in the comments!

1. See Risk as an Opportunity – A Must for Thriving in 2024!

Risk is an inherent part of business. Instead of viewing risk as detrimental to the organization’s growth and financial posture, banks should look to turn risks into opportunities. The willingness to take risks can help organizations gain a competitive edge and drive greater profitability and business value. However, there’s a catch – not all risks will translate into strategic advantage. So, how can financial institutions make the decision of whether to accept, reject, avoid, or mitigate a risk? 

This is where the risk management program comes into play. An effective risk management program can enable decision-makers to make well-informed business decisions by providing a streamlined process for evaluating opportunities. It equips the top management and leadership with actionable insights, improved risk visibility and foresight, and greater transparency that helps them better manage projects based on risk impact and probability in relation to potential return.

2. Step Up Cyber Risk Management – Automation is Key!

Banking and financial services organizations are a primary target of cyber criminals – which is unsurprising given the sheer volume of sensitive information and assets worth billions of dollars at stake. According to Sophos, the rate of ransomware attacks in financial services jumped from 55% in 2022 to 64% in 2023. 

To protect their IT and cyber infrastructure from frequent and increasingly sophisticated cyber attacks, banks need to level up their cyber risk management approach. Relying on periodic reviews and assessments of cyber risks and controls is no longer enough. To stay on top of rapidly evolving and fast-moving cyber risks, organizations need an automated, autonomous, and continuous approach that enables them to proactively identify and address any risks, threats, vulnerabilities, control weaknesses/gaps, and issues before they snowball into something significant. 

Banks today can also harness the power of artificial intelligence and other advanced technologies to improve risk management processes and enhance efficiency. AI can significantly accelerate the decision-making process by quickly providing insights into risk trends and patterns as well as identifying areas of improvement – such as the number of duplicate or redundant controls, patterns of over and under-testing of controls, optimum control testing frequency, similar issues, and more.

3. Level Up the Compliance Game – Time to Stop Playing Catch-Up!

Regulatory compliance is becoming an increasingly challenging and demanding business function for financial firms. Already counted among the highly regulated industries, the banking and financial services industry is looking at a torrent of new regulations, standards, and regulatory updates focused on various business functions and processes. Some of the prominent ones include revisions to the NIST Cybersecurity Framework, NYDFS Cybersecurity Regulations, a revised version of PCI DSS, and others in the US, the Digital Operational Resilience Act (DORA) and the Corporate Sustainability Reporting Directive (CSRD) in the EU, and so on. 

Given the ever-increasing regulatory requirements, compliance teams inevitably fall behind as they end up spending most of their time tracking relevant regulations, understanding their impact on organizational processes, functions, risks, policies, and controls, implementing the required changes, and so on. Technology can make a huge difference in how these various compliance management tasks are performed. 

Automated compliance is the future! Today, there are tools that leverage AI to scan the regulatory horizon for identifying relevant regulations and regulatory updates, quickly show the impacted processes, functions, risks, policies, and controls using a centralized platform, run autonomous control tests to ensure adherence to relevant regulations, generate reports that demonstrate compliance posture, and more. The technology-driven, automated approach can streamline compliance management activities and help strengthen compliance resilience. 

For a deeper dive into the top 10 key regulations we are watching this year, read our blog “What’s Next in GRC and Risk Regulations? 10 Key Focus Areas for 2024.” Let us know what other regulations and regulatory developments you are keeping an eye on in the comments below.

4. Implement AI for GRC and GRC for AI – Act Now or Lag Behind!

With its ability to provide actionable insights, save time and costs, and create bandwidth for risk, compliance, audit, security, and sustainability teams, AI is already being regarded as a game-changer for GRC. While AI will not replace the need for human involvement completely, it can eliminate the possibility of human error, thereby improving the accuracy of GRC processes and decision-making and ensuring there are no blind spots. 

At the same time, it is essential to ensure responsible AI innovation. As financial institutions explore more and more use cases and integrate AI capabilities into their processes, they also have the duty to follow the highest standards to ensure its ethical and responsible use as well as implement measures to identify, manage, and manage AI risks. Think GRC for AI, if you will. 

Regulators and standard-setting bodies have already taken steps toward this goal. In the US, the National Institute of Standards and Technology (NIST) last year released the NIST AI Risk Management Framework (AI RMF 1.0) aimed at improving the “ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems” while the White House published an Executive Order on the safe, secure, and trustworthy development and use of AI. In the EU, members of the European Parliament reached a provisional agreement on the Artificial Intelligence Act. 

AI-focused innovation has been central to MetricStream’s product and platform releases over the years. Our AI capabilities span diverse GRC use cases – from issue identification and classification, action plan recommendations, and scanning of SOC2 and SOC3 reports submitted to organizations by third parties, to most recently, AiSPIRE, an AI-based knowledge-centric tool that provides intelligent insights to improve an organization’s control environment.

5. Strengthen Operational Resilience – Connect the Dots!

The financial sector is the backbone of the global economy. As such, the growing focus of financial firms on operational resilience – the ability to foresee, prevent, withstand, respond to, and recover from risk events – isn’t surprising. 

Most recently, the COVID-19 pandemic served as a real-world test of the resilience of banking and financial institutions. The agility demonstrated by the organizations to quickly move their operations completely online and support remote working environments while ensuring security and compliance has been remarkable. 

That said, to thrive in today’s rapidly evolving risk landscape – marked with high-frequency, high-impact risk events, growing interconnectedness of risks, and amplified digital dependencies, organizations need to double down on their efforts to strengthen operational resilience. It is critical for banks to not only have robust business continuity and disaster recovery programs in place but also integrate them into the overarching enterprise risk management program. This is important to get a holistic, 360-degree view of the organization’s GRC posture, understand the critical business functions and their interrelationships with other business functions, and improve risk visibility, foresight, and preparedness required for being resilient.

Looking Ahead

“Don’t wait for perfection before you start. Start somewhere so you can have something tangible you can work to perfect.” 

This quote from Simon Sinek is relevant not only on a personal front but also in the corporate world. As the risk and regulatory landscape continues to evolve and become increasingly challenging, the need of the hour for banking and financial services institutions to embark on the GRC journey – start where they are, with what they have, and build on it. 

MetricStream has been a trusted partner of several global banking and financial institutions in their GRC journey. Learn how we helped a prominent EU-based financial institution strengthen risk awareness, agility, and resilience

If you’re looking to embark on your GRC journey and want to understand how we can help, request a personalized demo today!

Pat McParland

Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.

 
Blogs

Modernizing ERM: How Energy and Utilities Companies Can Stay Current in Risk Management

1236384691-blog-banner-v2
4 min read

Introduction

The risks faced by energy and utilities organizations have evolved tremendously over the past decade. From intensifying cyber threats to growing awareness of environmental concerns, changing geopolitical dynamics, supply chain disruptions, fluctuating prices, regulatory changes, and more, the sector today has to navigate an extremely complex and highly interconnected risk landscape. 

In PwC’s 2022 Global Risk Survey, 83% of power and utility leaders identified keeping up with the speed of digital and other transformations as a significant or very significant risk management challenge. While the traditional approach to enterprise risk management (ERM) might have worked well in the past, energy and utilities companies need to rethink their ERM program and the approach to implement and reinforce it across the enterprise.

Needless to say, technology has a critical role to play in effectively managing these fast-changing and interdependent risks, but there’s also a greater need to change the very mindset of organizations. In today’s volatile business environment, organizations cannot view and approach risk as an afterthought – they need to be proactive and farsighted to not just address today’s risks but also prepare for tomorrow.

Modernizing ERM – Key Considerations

The U.S. Office of Management and Budget (OMB) outlined ERM requirements for federal agencies in the circular “Management’s Responsibility for Enterprise Risk Management and Internal Control.” Based on this circular, the Department of Energy explains various aspects and processes of a comprehensive ERM program in its Enterprise Risk Management Fiscal Year 2023 Guidance, including:

  • Developing an organizational risk profile by understanding the internal and external environments of the organization 
  • Evaluating the identified risks to include the probability and impact
  • Analyzing the risks with respect to the achievement of objectives – strategic, operational, compliance, and reporting 
  • Determining a risk response – accept, avoid, reduce, transfer, share – for the identified risks by considering risk tolerance, placement of controls, and other mitigating actions 
  • Monitoring the performance to determine whether the response strategy achieved the intended objectives 
  • Conducting continuous risk identification to stay on top of new and emerging risks

It is important to underscore the need for a continuous approach to ERM. Given today’s rapidly evolving internal and external risks and their cascading impacts, energy and utilities companies can no longer consider ERM as a one-time activity – it is essential to adopt a continuous and agile approach to risk identification, assessment, analysis, and mitigation so that there are no blind spots. 

Using technology as an enabler, organizations can implement the continuous approach to ERM as well as gain operational efficiencies by automating repeatable tasks. Equally important is to adopt an integrated approach to ERM that cuts across operational and functional silos, which leads to ineffective risk visibility and foresight, duplication of efforts, and misuse of resources.

Against this backdrop, here are a few key considerations for enabling an integrated and continuous ERM approach for energy and utilities organizations:

  • Centralized Risk Repository

Organizations must record all their financial and non-financial risks from internal and external environments in a centralized risk repository and map them to assets, controls, regulatory requirements, policies, business units, etc. This serves as the single source of truth across the organization, which streamlines risk aggregation and analysis and improves risk visibility.

  • Risks from the Extended Enterprise

Energy and utilities organizations have an extensive third-party ecosystem, comprising of suppliers, technology providers, transportation and logistics providers, consultants, contractors, and others. It is important to continuously identify, manage, and mitigate the risks from this extended enterprise for an effective and comprehensive approach to ERM.

  • Actionable Risk Intelligence with AI

Exploring AI use cases has become a top priority for organizations across industries. For energy and utilities organizations, AI holds the promise to transform ERM by providing timely and actionable intelligence into risk trends, control environment, action plan recommendations, and more. But it’s equally important to understand the risks of AI models and monitor them proactively to ensure the negative effects of AI on people, organizations, and data are curbed or minimized to a great extent.

  • Resilient Mindset

Being critical infrastructure organizations, the importance of business resilience of energy and utilities organizations cannot be overstated. Fostering a resilient mindset requires deliberate and active participation from the top management and board. The objective is to not only manage risks but also be able to foresee, prepare for, and adapt to changing internal and external environments and withstand, respond to, and recover from disruptions. Implementation of robust business continuity plans and testing them regularly for their effectiveness is key to ensuring resilience in energy and utilities organizations. 

The World Energy Council explains it in terms of the Dynamic Resilience Framework

“The Dynamic Resilience Framework is an integrated approach to emerging risk management that contributes to building capacity and capabilities for managing the resilience of energy systems. Resilience to specific events and systemic shifts can be enhanced by situational awareness of the different types of risks preparedness for future developments.”

What’s Next?

With the growing pressure to scout for cleaner energy sources, intensifying regulatory scrutiny, an increasing number of catastrophic events, rising cyber attacks, volatile tariff and trade policies, and more, energy and utilities companies are looking at a highly uncertain business environment with multi-dimensional risks. Embracing a technology-driven and integrated ERM program is a business necessity today for continued financial and operational success.

For a closer look at the ERM process, risk methodology, and the critical role played by technology in modernizing risk management at energy and utilities organizations, download our latest eBook which discussed key elements of a well-defined risk methodology and how to build an ideal risk management governance structure.

 

MicrosoftTeams-image (9)

 

Sumith-Sagar

Sumith Sagar Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC), Commodity Trading & Risk Management (CTRM) and cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.

 
Blogs

5 Essential Steps to Modernize the Three Lines of Defense Model in Your GRC Program

blog-banner-2274730083
6 min read

Introduction

Organizations today are operating in a heightened risk environment. The risk landscape is constantly evolving and increasing in complexity, with risks being more interconnected now than before, all of which necessitate robust and comprehensive risk management and mitigation strategies. 

One of the mainstays of operational and enterprise risk management strategies is the three lines of defense (3LOD) model, where three distinct functions within an organization play unique but interlinked roles in managing risk. It is not a new concept: The three lines model has been a standard for years and has been adopted across industries in varying degrees. The question now is how organizations can modernize and optimize their 3LOD strategies and improve collaboration across the lines to navigate risks more effectively and make informed decisions to safeguard their interests. 

This topic was discussed in depth at the 2023 GRC Summit in Miami. Expert panelists Martin Froelick, Senior Vice President - Risk Manager, First Citizens Bank, Michael Cover, Director, Blue Cross Blue Shield of Michigan, and Michelle Melendez, Vice President - Head of Integrated Security Risk, Management, Aon, explored the latest trends and strategies to drive efficiency and growth and shared insights on the practical implementation, benefits, and challenges associated with the three lines model. 

We unpack the key highlights from their engaging discussion.

Watch the video: Three Lines Model - Trends & Strategies to Drive Efficiency & Growth

The First Line of Defense: The Cornerstone of the 3LOD Model

Over the years, enterprises across sectors have implemented the three lines of defense strategy in varying degrees. With concentrated attempts to improve collaboration, implement a common risk and control taxonomy, and establish better communication, risk and audit functions now work comprehensively together. The focus has now shifted to the first line of defense – the frontline. 

This is crucial as the first line is “the eyes and ears of the business,” at the forefront of the enterprise’s risk posture, and must be equipped to identify and address risks as they emerge. They also have a unique insight into the myriad risks faced by the organization and their prioritization. The 3LOD strategy works best when the first line truly becomes a key partner in risk management. The second and third lines are far removed from the core of the business and must rely on the first line for risk intelligence gathering and processing. For the 3LOD strategy to work seamlessly and efficiently, organizations must focus on strengthening their first line and improving cooperation and collaboration across all three functions. The risk ownership should be transferred to the frontline. 

5 Key Priorities for a Resilient 3LOD Strategy

Currently, organizations and industries globally are at different maturity levels of the 3LOD strategy implementation phase and will have varying perspectives and priorities. But when it comes to building a robust three-lines-of-defense model, there are a few factors that all organizations must keep in mind:

  • Building Trust - Empowering the front line to build a robust first line of defense begins with trust. Trust fosters open and transparent communication between the first and second lines of defense. When the first line trusts that their concerns will be taken seriously and addressed appropriately, they are more likely to report risks and issues in a timely manner. Trust is essential for resolving conflicts around differences in risk perception in a constructive manner, finding common ground, and ensuring that the organization's best interests are served.
  • Articulating the Value – The first line is the closest to the business and has a unique perspective on the risks that might impact the enterprise, but they may be grappling with a different set of priorities. (Often, being a ‘risk champion’ as part of the first line is in addition to their regular day job!) 

    To encourage maximum participation, demonstrate the value of the chosen risk management strategy, tools, and policies. Articulating the value of the program, setting achievable goals, regular engagement, and establishing a clear monitoring and review mechanism will help in better alignment with the first line. Some companies who have successfully implemented the modern 3LOD reveal that rewarding the frontline for owning and reporting risks in time is their secret sauce for success.

  • Empowering with Tools and Technology – The first line of defense is not just about the people at the frontline but also the tools and technology available to them. Technology platforms and tools can help break down silos and ensure a seamless flow of data and intelligence across the lines. In addition to streamlining the process of risk reporting, automated systems allow front-line employees to quickly and accurately document risks, incidents, or issues they encounter in their daily activities. 

    The right tools also empower organizations to answer critical questions like:

    • Where is data being entered?
    • How is data being managed and monitored? 
    • How does the third line get back to the second line with audit-related information?
  • Defining a Common Risk Taxonomy – A risk taxonomy is a comprehensive categorization of risks that is usually hierarchical. This is where the risk relationships are defined. It serves as the foundation for consistent, accurate, and effective risk management practices across the organization. A shared understanding of risk-related terminology helps align the objectives and efforts of the first, second, and third lines of defense. Everyone is on the same page regarding what risks are being managed, what controls are in place, and how to measure effectiveness.
  • Ensuring Seamless Collaboration – The second and third lines of defense must work closely with the first line to ensure robust risk management across the enterprise. The 3 functions complement and supplement each other and require close collaboration among themselves. While the second line is required to work with the first line to set priorities and monitor them, the first line can ensure they comply with the policies established by the second line. Together, they can identify gaps in their risk management posture and work to plug them, so the third line or the internal audit function can work effectively.   

    Interested to watch the entire session? Watch the video: Three Lines Model - Trends & Strategies to Drive Efficiency & Growth 

 

Also, do watch the replay of our recent webinar on The Modern Three Lines of Defense: Managing Today’s Emerging Risk and Compliance Challenges. Michael Cover, Director, Blue Cross Blue Shield of Michigan, provides insights on how his company streamlined and modernized the 3LOD with better communication, a clear definition of roles and responsibilities, and the right technology.

Effectively Manage Non-Financial Risks and Ensure Compliance with MetricStream BusinessGRC

MetricStream’s BusinessGRC suite of products is designed to meet the GRC needs of today’s dynamic, global enterprises. Empower your risk management programs by leveraging BusinessGRC to:

  • Establish a standardized approach to enterprise-wide risk management with uniform risk assessment methodologies
  • Optimize workflows for risk identification, assessment, monitoring, and mitigation
  • Easily cut across organizational silos and facilitate collaboration and harmonization across teams, business units, and functions 
  • Gain deeper visibility and insights into the top risks faced by the organization through advanced analytics, heat maps, reports, dashboards, and charts
  • Build confidence with regulators and executive management by establishing a strong risk data governance and issue reporting framework with clear lines of accountability 
  • Manage a wide range of compliance requirements and easily map internal policies to industry-wide standards and regulations
  • Proactively identify regulatory changes and assess their impact on business processes, policies, risks, and controls

Register for the Upcoming GRC Summit in London on October 16-17, 2023

Enjoyed this recap? This is just one of many topics we featured at MetricStream’s flagship event, the GRC Summit. The GRC Summit has, for the past 11 years, consistently provided opportunities for the GRC community to connect, share insights, exchange best practices, and, most importantly, set the stage for what's next in GRC. Whether it’s an emerging technology, a new process, or a regulation that’s going to impact the way you do business, you’ll learn about it here. 

The next Summit is happening in London on October 16 and 17. Join us as we take the GRC conversation forward! Register now! 

Missed the 2023 GRC Summit in Miami? Watch the session videos.

Sumith-Sagar

Sumith Sagar Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC), Commodity Trading & Risk Management (CTRM) and cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.

 
Blogs

How to Embed a Strong Control Framework in Risk and Compliance Strategies

Risk and Compliance Strategies
8 min read

Introduction

In today's dynamic business environment, organizations face numerous risks and regulatory challenges that can impact their operations, reputation, and profits. To navigate these complexities successfully, businesses need to establish a robust control framework that provides a solid foundation for effective risk management and compliance practices. 

We recently discussed these challenges with key experts Ivan Martinez, Chief Auditor, Banco Santander, London, and Charles Nicholls, Enterprise Risk Solutions Specialist, MetricStream, in a webinar titled, “Embedding a Strong Control Framework in Your Enterprise Risk and Compliance Strategies.” 

Our panelists discussed the importance of incorporating a strong control framework into GRC strategies, the role of risk culture in taking risk management to the frontline, the UK SOX requirements, and more. It was a lively and useful discussion with an engaged audience who asked multiple questions. 

Here are some of the key takeaways – as well as some of the audience questions.

Want to hear the original in its entirety? 

Watch Now: Embedding a Strong Control Framework in Your Enterprise Risk and Compliance Strategies 

Why Strong Controls Matter More than Ever

The risk environment isn’t the same as even 5 years ago. We’re dealing with different kinds of risks. The volume and velocity of risks have increased, and the way we manage risks and the type of risks are not the same. Today organizations have to deal with a diverse set of risks, including Environmental, Social, and Governance (ESG) risks, advanced cyberattacks, lurking third-party risks, and geopolitical risks. 

The financial services landscape has also changed. The modern banking revolution is being driven by advanced technologies like AI, ML, and RPA with chatbots, and cloud computing, along with the emergence of business models such as FinTechs and InsureTechs. 

We are witnessing collaboration between banks and financial service providers and Fintechs resulting in better customer service and enhancement of profits. However, these innovations, have also introduced newer and more complex risks. 

Risks are inherent to every business. This increases the importance of staying vigilant and resilient in our approach. It is how we manage and thrive on risks that set us apart from our peers and competitors. Being agile requires organizations to respond and learn quickly from adverse situations and land back on their feet as quickly and effectively as possible.

 Controls, compliance, and robust risk management processes are critical to building this resilience and agility. Let’s take a look at some of the key recommendations and takeaways that Ivan and Charles discussed – and their impact on anticipating risks. 

Key Takeaways and Recommendations

Highlights and takeaways from the discussion included:

  • An effective risk management program reflects the effectiveness of the organization’s control framework. No GRC or integrated risk management effort can be effective without cohesive and connected controls. 
  • There is a direct correlation between control, compliance, and positive risk culture. Controls foster transparency, accountability, and responsibility. Employees from the front line to senior management all have the same standards to align with, resulting in a common understanding and pro-risk behavior.
  • Controls (and compliance) are more than a regulatory checkbox exercise. Controls and compliance have the potential to not only mitigate risks but also avoid business disruption if managed properly. 
  • UK SOX puts controls front and center. It requires companies to assess and report on the effectiveness of internal controls as it focuses on promoting financial transparency and prevention of corporate fraud. Key steps to comply with UK SOX are to identify and assess financial-related risks and related controls, periodic testing of the entire program for its effectiveness, and compliance with the regulation. 
  • Centralizing risk, control, and UK SOX certification details is a must for an effective SOX compliance program. This includes technology as well as the alignment of roles, responsibilities, and accountability. 
  • On the technology front, it is very important to bring risk, control, policy, and compliance details on a single platform. This ensures the integrity of data, rationalization of controls, and a reduction in the cost of compliance. It also provides enterprise visibility, enabling collaboration and contributing to a positive, risk-aware culture of compliance. 
  • The future is efficiency and effectiveness, driven by AI and ML. Adopting advanced technologies like AI and ML to automate some of these processes and rationalize data elements across risk and compliance programs is essential to lower risk, improve compliance and do more with less.

Addressing Customer Questions

Below are some of the questions that were asked during the webinar and our responses:

  • Which companies will be regulated under UK SOX?           
    The businesses that will be impacted by UK SOX are:
    • Large organizations (private & public) operating in the UK due to the impact they have on the wider corporate climate 
    • Publicly-listed companies in the UK 
    • The scope of the regulation is expected to be expanded to mid-market organizations
  • What is SMF?           
    SMF stands for Senior Management Functions. As laid out in SUP 10C by FCA, SMF needs to be allocated to the most senior individual within an organization. Senior Management Functions are:
    • Governing Functions
         SMF1 (Chief Executive)                  
         SMF3 (Executive Director)                  
         SMF27 (Partner)
    • Governing Function: Non-executive
         SMF9 (Chair) 
    • Required Functions 
         SMF16 (Compliance Oversight)                  
         SMF17 (Money laundering reporting officer)                  
         SMF29 (Limited scope function) – Limited scope firms only
  • What is the biggest challenge and solution in achieving a successful culture and getting that accountability embedded from the top down? 
    One of the biggest challenges is to implement an adequate control culture. The solution is to break silos across areas and agree and delimit responsibilities among those different areas. It is very important to design spaces of common objectives and search for accountability by documenting the control framework, at a high level, and then asking the senior managers to land and cascade down these responsibilities into their teams and areas.           
     
  • How are emerging risks identified? Who should own and manage these risks? 
    Several analysts, market research, and consulting firms have conducted thorough research based on macroeconomic conditions and drivers to understand the top emerging risks. Emerging risks need not be new but an existing risk with an elevated impact on business compared to the past. Some of the emerging risks listed by these companies are:

    • Emerging structural challenges, including digitalization, climate change, and ESG 
    • Advanced cyber threats 
    • Geopolitical risks 
    • Financial sanctions 
    • Regulatory risks 
    • Digital asset market turbulence 
    • Theft, fraud, and other conduct risks 
    • Systemic risks


    Everything from the above may not be applicable to all organizations. Individual organizations need to review their business objectives, respective industry trends, and risk appetite to identify and map risks to these categories.

      
    When it comes to emerging risks, involving the frontline is very important as they are the most exposed to the lurking risks. Training and awareness of these risks are key to enabling the frontline to be ahead of these emerging risks. The ownership of identification and self-assessment of risks should remain with the frontline, and further analysis and mitigation strategies should be managed by the second line. From the technology standpoint, companies must streamline the identification of observations from across the organization, while also enabling anomalies to be recorded anonymously and triaged based on business criticality. 

  • Are antagonistic threats included in the definition of emerging risks?           
    They are not included in the emerging threats as their impact has not changed over the years. However, they must be managed by the organization. For example, for a bank, any employee unrest or strike will not only impact the business but also create reputational damage.      
     
  • Does the Enterprise Risk Management (ERM) model also include third-party risks and outsourcing? Most financial institutions have a lot of outsourcing arrangements since data is in the cloud.           
    As a best practice, ERM should have third-party risk exposure as a component, which will help risk leaders understand the overall risk exposure by the organization. However, the effective management of third-party or vendor risk management will require a separate program where all processes from vendor onboarding, risk assessment (for compliance, ESG, security, and operational risks), certifications, issue management to offboarding are managed for better visibility into the extended ecosystem and related risks.      
     
  • Is risk management or compliance management responsible for the risk and control framework?           
    The second line of defense from risk and compliance functions is responsible for control frameworks.      
     
  • Is risk management or compliance management responsible to report incidents to regulators and auditors?           
    Organizations must empower each function to report issues, observations, anomalies, incidents, and risks. An informed frontline can become a great resistance against any risk or incident. Once they are reported, the second line should investigate, and report based on the severity of issues or incidents.

Stay Ahead with MetricStream

Implementing strong internal controls, compliance, and a robust GRC framework are the keys to building agility, resilience – and staying ahead of ever-evolving risks. 

To learn more about how MetricStream can help, please request a demo today. To get a copy of the slides, please get in touch with sumith.sagar@metricstream.com. 

Watch Now: Embedding a Strong Control Framework in Your Enterprise Risk and Compliance Strategies

Sumith-Sagar

Sumith Sagar Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC), Commodity Trading & Risk Management (CTRM) and cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.

 
Blogs

ESG and ERM: Optimizing Risk Resilience

Blog MSI ESG
5 min read

Introduction

Environmental, social and governance (ESG) concerns are rapidly emerging as critical factors that can impact and disrupt business, livelihoods, and life itself. Organizations are now aware of the significance of ESG compliance, though it is still considered primarily from a financial reporting lens. And despite there being several overlaps in terms of best practices, requirements, and reporting, many companies have still not integrated ESG reporting and compliance with their enterprise risk management (ERM) practices. As the risks continue to escalate, ESG will only increase in organizational importance, and become a permanent part of GRC. More specifically, it will become a risk category positioned under the overall risk umbrella of enterprise risk management.

The question, of course, is why many organizations are still hesitant to adopt ESG as a business-critical requirement. Unfortunately, too many businesses still perceive environmental or social activism as irrational with little or no connection to business productivity and success. But today, extreme weather events, droughts and lessening snow packs, and global temperature increases are a reality, and instances of discrimination, incivility, and harassment are widely reported across the world, resulting widespread public condemnation, reputational damage, and demands for accountability.

We are at an inflection point with consumers recognizing their influence and demanding that businesses and industries to do better – for the environment and social governance. Their influence extends beyond condemning poor actors to buying behavior, where their demands for accountability have the power to force business, sectors, and even governments to ensure public reporting of ESG compliance, and its impact on the environment, people, and communities. The public in key markets is already making ESG value statements with their pocketbooks. It should not surprise any business today that when given the choice consumers are often more likely to do business with a company that demonstrates its commitment to sustainability. It has been shown that they are willing to pay a premium for products where the brand showcases its approach to ethical, social, and environmental causes. In short, it is time businesses realized that climate-consciousness and pursuing ESG best practices and standards can help increase profits and ensure long-term business success.

At the same time, organizations are beginning to understand the direct impact of climate change on business continuity, resilience, and profitability. It is important to remember that the increasing number of businesses and governments are declaring that climate change and environmental sustainability are real and legitimate risks to operations. This means that committing to an ESG program is no longer a nice-to-have measure that can elevate the reputation of and profitability of a business. It is a must-have critical element within a larger risk management and operational resiliency strategy.

Why Integrating ESG into ERM frameworks is Critical?

Enterprise Risk Management is an umbrella approach for managing multiple risk categories across the business. These include external risks such as economic or geopolitical risks, cybersecurity, or environmental risks, and internal risks like reputational risks, financial risks, product risks, partner risks, data privacy risks, leadership, employee churn risks, and compliance risks. Most ERM strategies include specific categories such as operational risk management, regulatory & compliance programs, third-party risk management, IT and cybersecurity risk management, and audit programs. Many expect ESG to migrate from a standalone practice to become one more of these risk categories housed under a larger ERM framework. But we believe that time has not yet come, as the distinct practices, values, and measures within ESG need to mature further and be more widely adopted before it can be appropriately positioned under an ERM umbrella.

Management of existing risk categories today apply certain common structures, workflows, assessment practices within ERM frameworks. This includes standard practices for the identification, assessment, and prioritization of individual risks, and the evaluation of risk velocity, severity, and the connections between different risks. ERM frameworks also tend to include a centralized risk registry for easy reference. A centralized system provides the controls, procedures, and policies that can be applied when responding to any category of risks, based on the organization’s predefined risk profile and appetites. Modern ERM frameworks leverage data analytics for real time insights that facilitate better decision making across the risk universe.

Most ERM practices have been around for decades, and the best practices have been designed, tested and reviewed over time. While it is a living process that is flexible enough to adapt to risk scale, diversity and changes in organizational risk profile, program validation, scope, scale, and performance adaptation is constant. In a well-run risk management program, many processes are automated, which allows risk leaders to focus on strategy rather than day to day operations. Reapplying or extending existing standard procedures, automation, assessments, scoring methodologies, data collection and reporting – with some evolution and adaptation – to newer risk management categories like ESG makes good business sense. Pursuing ESG as a risk category and integrating it into existing ERM frameworks should help expedite program accountability and ensure reporting consistency.

Over the last few years several ESG reporting standards such as TCFD, CSRD have emerged, reaching a definitive and defensible market position. These standards define how ESG-related data is to be collected, reporting formats and requirements, as well as other criteria pertaining to what, when, where and who collects ESG data. These reporting outcomes can be easily incorporated into existing ERM frameworks and may enhance data and reporting across additional risk categories. In fact, ESG and Third-Party Risk Management (TPRM) are central to and can be further integrated into resiliency strategies within ERM. Their inclusion will be invaluable for accelerating recovery from environmental and social risk events. Integrating ESG into ERM frameworks can also add to commonly accepted structures and expand the scale, scope and depth of understanding risks. It would be a mutually beneficial move where each discipline would benefit from the data and values of the other to deliver holistic legitimacy.

ESG and ERM: The Road Ahead

There is a growing expectation that within the next five to ten years, ESG will be housed within and enhance ERM programs. For now, ESG deserves focused attention from the market to refine its reporting and frameworks as it matures. While there will clearly be distinct risks, reporting structures, frameworks, and stakeholders for ESG information, it will increasingly be viewed as one of several important risk categories under the ERM umbrella. In a sense, it must ‘cross the chasm’ to a degree of standardization, consistency, commonality, to capture the market buy-in it doesn’t yet have. Once this is achieved, organizations will more easily integrate ESG risk assessments, reporting, and definition into enterprise risks.

Want to learn how to integrate ESG risks into Enterprise Risk Management (ERM) processes.

Register for the upcoming webinar: The Interconnectedness of ESG, ERM, and Third-Party Risk Management

Read the eBook: ESG and ERM: Bridging the Gap

Request for a personalized demo

simrin

Simrin Jhangiani Associate Director, Marketing at MetricStream

Simrin Jhangiani is the Product Marketing Lead for MetricStream’s ESGRC product. As a former NYU student with a minor in Corporate Social Responsibility, Simrin is passionate about helping businesses make risk-aware business decisions around ESG. Simrin has an extensive business and marketing background having worked as a strategy consultant at KPMG and being a business owner of a sustainable fashion brand. She has lived on 3 different continents, and has travelled to over 50+ countries around the world, resulting in a comprehensive understanding of why ESG is important on a global scale. She believes that ESG is fundamental to the growth of businesses in the present day and is ardent about bringing awareness of the ever-changing regulations around Environmental, Social, and Governance.

 
Blogs

OCC Spring 2022 Risk Report Highlights Risks Facing BFS Companies

OCC Spring 2022 Risk Blog
4 min read

Introduction

The Office of the Comptroller of the Currency (OCC) has published the OCC Spring 2022 Risk Report that highlights risks faced by banks and financial services organizations. The National Risk Committee (NRC) of the OCC plays a key role in monitoring the U.S. federal banking system, identifying key risks facing banks, and highlighting those risks in its semiannual publications. The latest edition of its guidance has observed that the financial condition of banks remains strong and well-positioned to “deal with the economic headwinds arising from geopolitical events, higher interest rates, and increased inflation” and has warned banks and financial organizations to prepare for elevated operational risks and heightened compliance risk.

In the report, the risks have been due to the current geopolitical tensions, a heightened compliance risk environment attributed to regulatory changes, policy initiatives, and challenges in hiring qualified compliance professionals, and an observed increase of cyberattacks on the financial services industry.

Here is more into the key risk themes highlighted in the report.
 

Elevated Operational Risk Due to an Increasingly Complex Operating Environment

The OCC report attributes the elevated operational risk to cyber threats which “continue to evolve, with an observed increase in attacks on the financial services industry.” This has been further accelerated by the ongoing geopolitical situation. Additionally, “banks’ increasing reliance on third-party relationships, along with the development and adoption of innovative products, services, and technologies, and ongoing changes to banks’ staffing and the operating environment” have all led to an increase in operational risk.

Also, the OCC has observed that banks are finding it challenging “to maintain comprehensive operational resilience frameworks commensurate with the complexity of products, services, and operations being supported in this environment.” It has further advised that some of the risk exposure may manifest in the coming quarter, making it vital for “the industry to remain vigilant and fully assess its risk exposure.”

Given the increased operational risks, the OCC’s recommendations include:

  • Lowering reporting thresholds on information sharing activities, testing of organizational response plans, and continuing the focus on business continuity and resilience (as recommended by Cybersecurity and Infrastructure Security Agency (CISA))
  • Maintaining robust threat and vulnerability monitoring processes and implementing more stringent cybersecurity measures
  • Applying sound fraud risk management practices to help prevent losses when implementing new technology and innovative products and services
  • Following appropriate due diligence, change management, and risk management processes in accordance with the bank’s size, complexity, and risk profile, while accounting for and keeping pace with any new, modified, or expanded activity and the complexity that comes with it
  • Developing robust planning and risk management processes to manage, partner, or compete with new fintech entrants as needed

Heightened Compliance Risk, Driven by Regulatory Changes and Policy Initiatives

The OCC has highlighted that compliance risk remains heightened. This is primarily because banks are now required to navigate the complexity of sanctions imposed in response to the Russian invasion of Ukraine. At the same time, banks have also been required to “continue to manage the impact of forbearance programs and the elevated volume of customers on deferred payment and loss mitigation programs.”

The OCC has further observed challenges in the industry in retaining and replacing staff in compliance functions. The lack of access to subject matter expertise or the using of third-party relationships to support or fill such critical roles may increase compliance and operational risks.

The OCC offers the following recommendations for banks and financial institutions.

  • Navigate the “complex and evolving” sanctions by accurately assessing “the applicability and impact of sanctions on their institutions and customers, including the impact of sanctions imposed by both the U.S. and other countries on foreign branches, overseas offices, and subsidiaries.”
  • Institute effective change management and compliance risk management processes “to identify, measure, monitor, and control the evolving and emerging risks related to consumer products and services.”

Thrive on Risk with a Connected GRC Approach

As banks and financial institutions work to address key risk areas, it is important that they view and recognize the interconnectedness of risk. As highlighted in the OCC report, the scale and scope of the interconnectedness of risk are rapidly expanding. This requires a connected approach to manage and mitigate risk.

MetricStream’s ConnectedGRC empowers banks and financial institutions with a connected and streamlined governance, risk management, and compliance approach that enables firms to better identify, assess, manage, and mitigate risk across the enterprise—including strategic, operational, IT and cyber, third and fourth-party, compliance, and ESG risks.

  • Gain a holistic approach to risk, compliance, audit, and third-party management with MetricStream’s BusinessGRC. Leverage the comprehensive set of capabilities of Operational Risk Management to strengthen operational resilience and gain forward-looking risk visibility with predictive risk metrics and indicators. Reduce losses and avoid adverse risk events through proactive control structures and analytics. Navigate the complex web of regulatory obligations with Regulatory Compliance Management and sustain compliance by easily implementing measures, processes, and policies.
  • Actively manage IT and cyber risk and build cyber resilience with MetricStream’s CyberGRC that enables a streamlined, proactive, and business-driven approach to IT and cyber risk management and mitigation. Utilize best practices, insightful reporting, and cyber risk quantification to build cyber resilience.
  • Streamline management of various ESG requirements with MetricStream’s ESGRC. Define and manage ESG standards, frameworks, and disclosure requirements including GRI, SASB, TCFD, and others, automate the collection and aggregation of data, and report through real-time analytics and dashboards.


Interested to know how MetricStream can help you take a connected approach to risk management? Write to me at sumith.sagar@metricstream.com to learn more. You can also request a personalized demo to learn more about our products.

Sumith-Sagar

Sumith Sagar Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC), Commodity Trading & Risk Management (CTRM) and cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.

 
Blogs

Crypto, Metaverse, DeFi: Are You Prepared for the Risks of Tomorrow?

Crypto, Metaverse MetricStream
3 min read

Introduction

Cryptocurrency is almost synonymous with “what’s next.” From the probably best-known Bitcoin to Ether, Dogecoin, or any other of the many tokens, crypto has a futuristic air of “tomorrow’s economy today.” With the global cryptocurrency market projected to reach $32,420 billion by 2027 by IMARC Group, digital currency is becoming a fully-fledged, if not yet completely understood, member of the global financial markets.

Yet tomorrow also has brought with it extensive risk, the full range of which isn’t yet even visible.

The massive amount of currency in play, the instability of platforms, and the general lack of regulation around crypto make it a favorite for bad actors. According to Cybersecurity Ventures, crypto crime is predicted to cost the world $30 billion by 2025.

The Good, The Bad, and The Ugly

The anonymous aspects of cryptocurrency make it the most-preferred currency by cyber adversaries for carrying out ransomware attacks across industries and for money laundering, terrorist financing, and other crimes. In its analysis of cryptocurrency received by ransomware addresses, Chainalysis identified more than $602 million worth of ransomware payments in 2021, adding that “the true total for 2021 is likely to be much higher.”

The sheer size of the cryptocurrency market makes it impossible to ignore, especially for the traditional banking system as this emerging financial asset class could threaten financial stability.

Decentralized finance (DeFi) platforms, which eliminate the middle layer of banks and other third parties in financial transactions, are one aspect that poses risks. With their promise of facilitating faster and cheaper cross-border payments, they are giving legacy banks a run for their money. To stay current as the world rapidly digitizes, banks must examine the role of these and other blockchain-related technologies – but until regulations, risk monitoring, and governance catch up, the risks are significant.

Primarily seen as a vehicle for speculative investments at present, crypto also lends itself to scams. These include “pump and dump” or “rug pull,” both of which involve raising the price of currency and then dumping it, leaving investors in the cold; phishing scams to gain access to crypto wallets; and much more. The number of cyberattacks on cryptocurrency exchanges is also on the rise.

The explosive growth of the “Metaverse” in recent months has caught the attention of crypto investors. While this new frontier of the internet holds the potential to transform the e-commerce, entertainment, and other industries and can potentially merge the physical and the virtual worlds, concerns around data security and privacy, cybersecurity, and mental health issues, among others, are also growing rapidly. What makes the situation more precarious is the current lack of regulation.

Regulators Take Notice

The cyber impact of crypto is so high-profile that in the U.S., the Securities and Exchange Commission (SEC) recently announced that it has renamed its Cyber Unit to the Crypto Assets and Cyber Unit and will nearly double its staff with 50 dedicated positions. Among the risks being monitored will be crypto assets, exchanges, and DeFi platforms.

In the UK, the government announced a series of measures to make Britain “a global hub for cryptoasset technology and investment.” This includes establishing a Cryptoasset Engagement Group, setting up a ‘financial market infrastructure sandbox’ for firms to experiment and innovate, and others.

Regulators in Europe are also working on a comprehensive set of rules that will not only boost the potential of crypto-assets but also help to curb the threats. To address the risks posed by the anonymity feature of cryptos, the European Parliament agreed to start negotiations with EU countries on rules to allow the tracing and identification of crypto-asset transfers. Earlier this year, it adopted new rules to support the testing of the distributed ledger technology (DLT) in market infrastructures.

What the future of crypto holds remains to be seen – but like any risk, the fundamentals remain the same. Implement strong, active cyber risk management, monitoring, and governance; collaborate with quantitative and qualitative insight across your cyber and business teams; and stay agile to stay ahead of tomorrow’s risks today.

Pat McParland

Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.

 

Related Resources

Blogs

May 2022 in GRC: The Latest from the GRC Universe

This Month in GRC
6 min read

Introduction

Organizations today need to keep a close eye on the constantly changing Governance, Risk Management and Compliance (GRC) landscape. Newer and diverse risks, including increasing cyber risk, pandemic-related regulatory and policy changes, and risks associated with climate change now present a very real challenge that organizations need to prepare for.

Stay prepared for what’s next in GRC with our monthly round-up of the trending news and insights that you can use.

Building Resilience Remains Top Priority while Compliance Function Takes Center Stage

As the risk landscape expands, strengthening business resilience with enterprise and operational risk management remains a top priority for organizations. At the same time, regulatory requirements by governments and regulatory bodies has left organizations to deal with multiple layers of complex change, often happening simultaneously. This makes the compliance function an important priority for organizations of all sizes.

Here’s what has been spotted on the risk and compliance radar this month.
 

  • As per a background document issued by the UK government alongside the Queen’s Speech there are plans for new direct legislation for tech providers.
  • Three consultation papers titled "Outsourcing and third-party risk management" pertinent to Financial Market Infrastructures (FMIs) were published by the Bank of England.
  • The American Institute of Certified Public Accountants (AICPA) Auditing Standards Board has voted to approve three new quality management standards. The standards will help improve the risk assessment procedure and audit quality.
  • Canada’s federal financial institutions regulator, the Office of the Superintendent of Financial Institutions (OSFI), has released Draft Guideline B-10: Third-Party Risk Management. This establishes OSFI’s third-party risk management expectations for federally regulated financial institutions in Canada (FRFIs) and also sets down industry best practices.
  • The Prudential Regulation Authority, UK, has formulated next steps for firms establishing their operational resilience roadmap in preparation for the March 2025 deadline.
  • The fifth edition of the Regulatory Initiatives Grid, which sets out the planned regulatory initiatives for the upcoming months, has been published. This helps firms in the financial services industry and other stakeholders plan for operational impact due to the initiatives and the timing of the initiatives.


Other trending risk and compliance topics include, the publishing of the 2022 Interos Annual Global Supply Chain Report, which highlighted that only one-tenth of the survey respondents monitor supplier risks on a continual basis and the PwC Global Risk Survey, where 65% of survey respondents are increasing their overall spending on risk management technology.

Mitigating Cyber Risk Increases in Importance

With cyber actors continually improving the level of sophistication of cyber attacks, cyber-risk mitigation is now the top priority for organizations, governments, and regulatory authorities. In the month of May 2022:
 

  • Cybersecurity authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom coauthored a joint Cybersecurity Advisory titled “Weak Security Controls and Practices Routinely Exploited for Initial Access.” The advisory will help organizations identify commonly exploited controls and practices. It includes cyber risk best practices to mitigate the issues.
  • The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), in partnership with cyber agencies from the UK, Australia, Canada, and New Zealand, released an advisory titled “Protecting Against Cyber Threats to Managed Service Providers and their Customers” in response to the increase in malicious cyber activity targeting MSPs.
  • In response to the Presidential executive order in the US, the National Institute of Standards and Technology’s (NIST) has revised its publication, titled “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.” The revised publication provides greater guidance on identifying, assessing, and responding to cyber risks throughout the supply chain.
  • In what has been lauded as one of the world’s first, the European Council and European Parliament signed a provisional agreement for the establishment of the EU Digital Services Act (DSA), which is designed to build cyber resilience by following the principle that what is illegal offline must also be illegal online.
  • The European Council and the European Parliament will replace the current NIS (Network and Information Security) directive with NIS2. NIS2 is set to enable both the private and public sector build cyber resilience and incident response capabilities.
  • The European Council and the European Parliament have reached a provisional agreement on the Digital Operational Resilience Act (DORA). The act will help enterprises build cyber resilience and prevent and mitigate cyber threats.


In other IT risk and cyber risk news, Rob Joyce, the head of cybersecurity at the U.S. National Security Agency, is “still very worried” about the escalated cyber risk arising from the Russian-Ukraine war. For CISOs, this translates to continuing to track the conflict and putting measures in place to mitigate any direct attacks and cyberattack spillovers. The judgement by the Federal Court of Australia in the Australian Securities and Investments Commission v RI Advice Group Pty Ltd, has now made it clear that the failure to manage cyber risk is a breach of financial services obligations. This has led to the Australian Securities and Investments Commission (ASIC) publishing a guidance note on the critical cyber risk measures that AFSL holders are now expected to have in place.

Climate-Related Risks, Sustainability, and Greenwashing Make ESG Headlines

The importance of assessing risks from climate change, environment, and social equity continues to create a lot of conversation. The top highlights include:
 

  • The European Financial Reporting Advisory Group (EFRAG) has published the first draft of its sustainability standards for public consultation. The final standards are scheduled to be sent to the European Union's executive European Commission by November 2022 for adoption. This will be a significant as business will be required to disclose information on how ESG risks impact their business and their externalities.
  • The climate-related risks of 12,000 supplier sites has been studied in a joint project by supply-chain-mapping company Resilinc and the University of Maryland’s Supply Chain Management Center and Earth Systems Science Interdisciplinary Center. The study reported that 93% of the supplier sites in China and Taiwan were experiencing increases in climate variability.
  • The Taskforce on Nature-related Financial Disclosures (TNFD), which consists of corporates, financial institutions and service providers backed by the UN, released a prototype framework, which closely mirrors TCFD. This aims to help public and private companies with assessing and communicating the financial risks of nature loss.
  • A new report by the Financial Stability Board (FSB) has been published. This aims to assist supervisory and regulatory authorities as they devise approaches to monitor, manage and mitigate risks arising from climate change.


To be noted is the new survey report by Deloitte, which reports findings on how climate, sustainability, and social equity are now important considerations when it comes to shaping infrastructure plans. Also, various global regulators are aiming to bring new reforms to tackle greenwashing and promote greater transparency in environmental, social, and governance investments. 

Thrive on Risk with MetricStream

MetricStream empowers organizations to drive a connected GRC program. Leverage ConnectedGRC, and our BusinessGRC, CyberGRC, and ESGRC product lines, to better identify, assess, manage, and mitigate strategic risks, operational and enterprise risks, IT and cyber risks, third-party risks, compliance risks, and ESG risks.

Interested to learn more? Request a demo now.

Mabel

Mabel M Jesudian Manager – Content Marketing

Mabel M Jesudian, Manager – Content Marketing at MetricStream, works closely with the product and digital marketing teams to create compelling content and actionable marketing assets that help drive conversations. Mabel has over 13 years of experience with leading marketing communication and PR agencies where she crafted engaging narratives for diverse B2B and B2C clients. She holds an M.A. and M.Phil. in English and Communication from the University of Madras. In her spare time, she loves to read fiction and try her hand at new dishes.

 

Related Resources