
Modernizing ERM: How Energy and Utilities Companies Can Stay Current in Risk Management


Introduction

The risks faced by energy and utilities organizations have evolved tremendously over the past decade. From intensifying cyber threats to growing awareness of environmental concerns, changing geopolitical dynamics, supply chain disruptions, fluctuating prices, regulatory changes, and more, the sector today has to navigate an extremely complex and highly interconnected risk landscape. 

In PwC’s 2022 Global Risk Survey, 83% of power and utility leaders identified keeping up with the speed of digital and other transformations as a significant or very significant risk management challenge. While the traditional approach to enterprise risk management (ERM) might have worked well in the past, energy and utilities companies need to rethink their ERM program and the approach to implement and reinforce it across the enterprise.

Needless to say, technology has a critical role to play in effectively managing these fast-changing and interdependent risks, but there’s also a greater need to change the very mindset of organizations. In today’s volatile business environment, organizations cannot view and approach risk as an afterthought – they need to be proactive and farsighted to not just address today’s risks but also prepare for tomorrow.

Modernizing ERM – Key Considerations

The U.S. Office of Management and Budget (OMB) outlined ERM requirements for federal agencies in the circular “Management’s Responsibility for Enterprise Risk Management and Internal Control.” Based on this circular, the Department of Energy explains various aspects and processes of a comprehensive ERM program in its Enterprise Risk Management Fiscal Year 2023 Guidance, including:

  • Developing an organizational risk profile by understanding the internal and external environments of the organization 
  • Evaluating the identified risks to include the probability and impact
  • Analyzing the risks with respect to the achievement of objectives – strategic, operational, compliance, and reporting 
  • Determining a risk response – accept, avoid, reduce, transfer, share – for the identified risks by considering risk tolerance, placement of controls, and other mitigating actions 
  • Monitoring the performance to determine whether the response strategy achieved the intended objectives 
  • Conducting continuous risk identification to stay on top of new and emerging risks

It is important to underscore the need for a continuous approach to ERM. Given today’s rapidly evolving internal and external risks and their cascading impacts, energy and utilities companies can no longer consider ERM as a one-time activity – it is essential to adopt a continuous and agile approach to risk identification, assessment, analysis, and mitigation so that there are no blind spots. 

Using technology as an enabler, organizations can implement the continuous approach to ERM and gain operational efficiencies by automating repeatable tasks. Equally important is an integrated approach to ERM that cuts across operational and functional silos; such silos lead to ineffective risk visibility and foresight, duplication of effort, and misuse of resources.

Against this backdrop, here are a few key considerations for enabling an integrated and continuous ERM approach for energy and utilities organizations:

  • Centralized Risk Repository

Organizations must record all their financial and non-financial risks from internal and external environments in a centralized risk repository and map them to assets, controls, regulatory requirements, policies, business units, etc. This serves as the single source of truth across the organization, which streamlines risk aggregation and analysis and improves risk visibility.

  • Risks from the Extended Enterprise

Energy and utilities organizations have an extensive third-party ecosystem comprising suppliers, technology providers, transportation and logistics providers, consultants, contractors, and others. It is important to continuously identify, manage, and mitigate the risks from this extended enterprise for an effective and comprehensive approach to ERM.

  • Actionable Risk Intelligence with AI

Exploring AI use cases has become a top priority for organizations across industries. For energy and utilities organizations, AI holds the promise to transform ERM by providing timely and actionable intelligence into risk trends, control environment, action plan recommendations, and more. But it’s equally important to understand the risks of AI models and monitor them proactively to ensure the negative effects of AI on people, organizations, and data are curbed or minimized to a great extent.

  • Resilient Mindset

As critical infrastructure organizations, energy and utilities companies cannot overstate the importance of business resilience. Fostering a resilient mindset requires deliberate and active participation from top management and the board. The objective is not only to manage risks but also to foresee, prepare for, and adapt to changing internal and external environments and to withstand, respond to, and recover from disruptions. Implementing robust business continuity plans and testing them regularly for effectiveness is key to ensuring resilience in energy and utilities organizations.

The World Energy Council explains it in terms of the Dynamic Resilience Framework:

“The Dynamic Resilience Framework is an integrated approach to emerging risk management that contributes to building capacity and capabilities for managing the resilience of energy systems. Resilience to specific events and systemic shifts can be enhanced by situational awareness of the different types of risks preparedness for future developments.”

What’s Next?

With the growing pressure to scout for cleaner energy sources, intensifying regulatory scrutiny, an increasing number of catastrophic events, rising cyber attacks, volatile tariff and trade policies, and more, energy and utilities companies are looking at a highly uncertain business environment with multi-dimensional risks. Embracing a technology-driven and integrated ERM program is a business necessity today for continued financial and operational success.

For a closer look at the ERM process, risk methodology, and the critical role played by technology in modernizing risk management at energy and utilities organizations, download our latest eBook, which discusses the key elements of a well-defined risk methodology and how to build an ideal risk management governance structure.


Sumith Sagar, Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC) and Commodity Trading & Risk Management (CTRM) to cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.


How to Embed a Strong Control Framework in Risk and Compliance Strategies


Introduction

In today's dynamic business environment, organizations face numerous risks and regulatory challenges that can impact their operations, reputation, and profits. To navigate these complexities successfully, businesses need to establish a robust control framework that provides a solid foundation for effective risk management and compliance practices. 

We recently discussed these challenges with key experts Ivan Martinez, Chief Auditor, Banco Santander, London, and Charles Nicholls, Enterprise Risk Solutions Specialist, MetricStream, in a webinar titled, “Embedding a Strong Control Framework in Your Enterprise Risk and Compliance Strategies.” 

Our panelists discussed the importance of incorporating a strong control framework into GRC strategies, the role of risk culture in taking risk management to the frontline, the UK SOX requirements, and more. It was a lively and useful discussion with an engaged audience who asked multiple questions. 

Here are some of the key takeaways – as well as some of the audience questions.

Want to hear the original in its entirety? 

Watch Now: Embedding a Strong Control Framework in Your Enterprise Risk and Compliance Strategies 

Why Strong Controls Matter More than Ever

The risk environment isn’t the same as even 5 years ago. We’re dealing with different kinds of risks. The volume and velocity of risks have increased, and the way we manage risks and the type of risks are not the same. Today organizations have to deal with a diverse set of risks, including Environmental, Social, and Governance (ESG) risks, advanced cyberattacks, lurking third-party risks, and geopolitical risks. 

The financial services landscape has also changed. The modern banking revolution is being driven by advanced technologies like AI, ML, and RPA with chatbots, and cloud computing, along with the emergence of business models such as FinTechs and InsureTechs. 

We are witnessing collaboration between banks, financial service providers, and FinTechs, resulting in better customer service and enhanced profits. However, these innovations have also introduced newer and more complex risks.

Risks are inherent to every business. This increases the importance of staying vigilant and resilient in our approach. It is how we manage and thrive on risks that sets us apart from our peers and competitors. Being agile requires organizations to respond to and learn quickly from adverse situations and land back on their feet as quickly and effectively as possible.

Controls, compliance, and robust risk management processes are critical to building this resilience and agility. Let’s take a look at some of the key recommendations and takeaways that Ivan and Charles discussed – and their impact on anticipating risks.

Key Takeaways and Recommendations

Highlights and takeaways from the discussion included:

  • An effective risk management program reflects the effectiveness of the organization’s control framework. No GRC or integrated risk management effort can be effective without cohesive and connected controls. 
  • There is a direct correlation between control, compliance, and positive risk culture. Controls foster transparency, accountability, and responsibility. Employees from the front line to senior management all have the same standards to align with, resulting in a common understanding and pro-risk behavior.
  • Controls (and compliance) are more than a regulatory checkbox exercise. Controls and compliance have the potential to not only mitigate risks but also avoid business disruption if managed properly. 
  • UK SOX puts controls front and center. It requires companies to assess and report on the effectiveness of internal controls as it focuses on promoting financial transparency and prevention of corporate fraud. Key steps to comply with UK SOX are to identify and assess financial-related risks and related controls, periodic testing of the entire program for its effectiveness, and compliance with the regulation. 
  • Centralizing risk, control, and UK SOX certification details is a must for an effective SOX compliance program. This includes technology as well as the alignment of roles, responsibilities, and accountability. 
  • On the technology front, it is very important to bring risk, control, policy, and compliance details on a single platform. This ensures the integrity of data, rationalization of controls, and a reduction in the cost of compliance. It also provides enterprise visibility, enabling collaboration and contributing to a positive, risk-aware culture of compliance. 
  • The future is efficiency and effectiveness, driven by AI and ML. Adopting advanced technologies like AI and ML to automate some of these processes and rationalize data elements across risk and compliance programs is essential to lower risk, improve compliance and do more with less.

Addressing Customer Questions

Below are some of the questions that were asked during the webinar and our responses:

  • Which companies will be regulated under UK SOX?
    The businesses that will be impacted by UK SOX are:
    • Large organizations (private & public) operating in the UK, due to the impact they have on the wider corporate climate
    • Publicly listed companies in the UK
    • The scope of the regulation is expected to be expanded to mid-market organizations
  • What is SMF?
    SMF stands for Senior Management Functions. As laid out in SUP 10C by the FCA, SMF needs to be allocated to the most senior individual within an organization. Senior Management Functions are:
    • Governing Functions: SMF1 (Chief Executive), SMF3 (Executive Director), SMF27 (Partner)
    • Governing Function, Non-executive: SMF9 (Chair)
    • Required Functions: SMF16 (Compliance Oversight), SMF17 (Money Laundering Reporting Officer), SMF29 (Limited Scope Function) – limited scope firms only
  • What is the biggest challenge and solution in achieving a successful culture and getting that accountability embedded from the top down?
    One of the biggest challenges is to implement an adequate control culture. The solution is to break silos across areas and agree on and delimit responsibilities among those different areas. It is very important to design spaces of common objectives and search for accountability by documenting the control framework at a high level, and then asking the senior managers to land and cascade these responsibilities down into their teams and areas.
  • How are emerging risks identified? Who should own and manage these risks?
    Several analyst, market research, and consulting firms have conducted thorough research based on macroeconomic conditions and drivers to understand the top emerging risks. An emerging risk need not be new; it can be an existing risk with an elevated impact on the business compared to the past. Some of the emerging risks listed by these firms are:
    • Emerging structural challenges, including digitalization, climate change, and ESG
    • Advanced cyber threats
    • Geopolitical risks
    • Financial sanctions
    • Regulatory risks
    • Digital asset market turbulence
    • Theft, fraud, and other conduct risks
    • Systemic risks
    Not everything listed above will apply to every organization. Individual organizations need to review their business objectives, respective industry trends, and risk appetite to identify and map risks to these categories.
    When it comes to emerging risks, involving the frontline is very important, as they are the most exposed to lurking risks. Training and awareness of these risks are key to enabling the frontline to stay ahead of them. Ownership of risk identification and self-assessment should remain with the frontline, while further analysis and mitigation strategies should be managed by the second line. From a technology standpoint, companies must streamline the capture of observations from across the organization, while also enabling anomalies to be recorded anonymously and triaged based on business criticality.

  • Are antagonistic threats included in the definition of emerging risks?
    They are not included in the emerging threats, as their impact has not changed over the years. However, they must still be managed by the organization. For example, for a bank, any employee unrest or strike will not only impact the business but also create reputational damage.
  • Does the Enterprise Risk Management (ERM) model also include third-party risks and outsourcing? Most financial institutions have a lot of outsourcing arrangements since data is in the cloud.
    As a best practice, ERM should include third-party risk exposure as a component, which will help risk leaders understand the organization’s overall risk exposure. However, effective management of third-party or vendor risk will require a separate program in which all processes, from vendor onboarding, risk assessment (for compliance, ESG, security, and operational risks), certifications, and issue management to offboarding, are managed for better visibility into the extended ecosystem and related risks.
  • Is risk management or compliance management responsible for the risk and control framework?
    The second line of defense, made up of the risk and compliance functions, is responsible for control frameworks.
  • Is risk management or compliance management responsible for reporting incidents to regulators and auditors?
    Organizations must empower each function to report issues, observations, anomalies, incidents, and risks. An informed frontline can become a strong line of resistance against any risk or incident. Once issues are reported, the second line should investigate and report based on the severity of the issues or incidents.

Stay Ahead with MetricStream

Implementing strong internal controls, compliance, and a robust GRC framework are the keys to building agility, resilience – and staying ahead of ever-evolving risks. 

To learn more about how MetricStream can help, please request a demo today. To get a copy of the slides, please get in touch with sumith.sagar@metricstream.com. 

Watch Now: Embedding a Strong Control Framework in Your Enterprise Risk and Compliance Strategies


Sumith Sagar, Associate Director, Product Marketing



ESG and ERM: Optimizing Risk Resilience


Introduction

Environmental, social and governance (ESG) concerns are rapidly emerging as critical factors that can impact and disrupt business, livelihoods, and life itself. Organizations are now aware of the significance of ESG compliance, though it is still considered primarily from a financial reporting lens. And despite there being several overlaps in terms of best practices, requirements, and reporting, many companies have still not integrated ESG reporting and compliance with their enterprise risk management (ERM) practices. As the risks continue to escalate, ESG will only increase in organizational importance, and become a permanent part of GRC. More specifically, it will become a risk category positioned under the overall risk umbrella of enterprise risk management.

The question, of course, is why many organizations are still hesitant to adopt ESG as a business-critical requirement. Unfortunately, too many businesses still perceive environmental or social activism as irrational, with little or no connection to business productivity and success. But today, extreme weather events, droughts and shrinking snowpacks, and global temperature increases are a reality, and instances of discrimination, incivility, and harassment are widely reported across the world, resulting in widespread public condemnation, reputational damage, and demands for accountability.

We are at an inflection point, with consumers recognizing their influence and demanding that businesses and industries do better – for the environment and for social governance. Their influence extends beyond condemning poor actors to buying behavior, where their demands for accountability have the power to force businesses, sectors, and even governments to ensure public reporting of ESG compliance and its impact on the environment, people, and communities. The public in key markets is already making ESG value statements with their pocketbooks. It should not surprise any business today that, when given the choice, consumers are often more likely to do business with a company that demonstrates its commitment to sustainability. It has been shown that they are willing to pay a premium for products where the brand showcases its approach to ethical, social, and environmental causes. In short, it is time businesses realized that climate-consciousness and pursuing ESG best practices and standards can help increase profits and ensure long-term business success.

At the same time, organizations are beginning to understand the direct impact of climate change on business continuity, resilience, and profitability. It is important to remember that an increasing number of businesses and governments are declaring that climate change and environmental sustainability are real and legitimate risks to operations. This means that committing to an ESG program is no longer a nice-to-have measure that can elevate the reputation and profitability of a business. It is a must-have critical element within a larger risk management and operational resiliency strategy.

Why Integrating ESG into ERM Frameworks Is Critical

Enterprise Risk Management is an umbrella approach for managing multiple risk categories across the business. These include external risks such as economic or geopolitical risks, cybersecurity, or environmental risks, and internal risks like reputational risks, financial risks, product risks, partner risks, data privacy risks, leadership, employee churn risks, and compliance risks. Most ERM strategies include specific categories such as operational risk management, regulatory & compliance programs, third-party risk management, IT and cybersecurity risk management, and audit programs. Many expect ESG to migrate from a standalone practice to become one more of these risk categories housed under a larger ERM framework. But we believe that time has not yet come, as the distinct practices, values, and measures within ESG need to mature further and be more widely adopted before it can be appropriately positioned under an ERM umbrella.

Management of existing risk categories today applies certain common structures, workflows, and assessment practices within ERM frameworks. This includes standard practices for the identification, assessment, and prioritization of individual risks, and the evaluation of risk velocity, severity, and the connections between different risks. ERM frameworks also tend to include a centralized risk register for easy reference. A centralized system provides the controls, procedures, and policies that can be applied when responding to any category of risk, based on the organization’s predefined risk profile and appetite. Modern ERM frameworks leverage data analytics for real-time insights that facilitate better decision-making across the risk universe.

Most ERM practices have been around for decades, and the best practices have been designed, tested, and reviewed over time. While ERM is a living process that is flexible enough to adapt to risk scale, diversity, and changes in the organizational risk profile, program validation, scope, scale, and performance adaptation are constant. In a well-run risk management program, many processes are automated, which allows risk leaders to focus on strategy rather than day-to-day operations. Reapplying or extending existing standard procedures, automation, assessments, scoring methodologies, data collection, and reporting – with some evolution and adaptation – to newer risk management categories like ESG makes good business sense. Pursuing ESG as a risk category and integrating it into existing ERM frameworks should help expedite program accountability and ensure reporting consistency.

Over the last few years, several ESG reporting standards, such as TCFD and CSRD, have emerged, reaching a definitive and defensible market position. These standards define how ESG-related data is to be collected, reporting formats and requirements, and other criteria pertaining to what, when, where, and by whom ESG data is collected. These reporting outcomes can be easily incorporated into existing ERM frameworks and may enhance data and reporting across additional risk categories. In fact, ESG and Third-Party Risk Management (TPRM) are central to, and can be further integrated into, resiliency strategies within ERM. Their inclusion will be invaluable for accelerating recovery from environmental and social risk events. Integrating ESG into ERM frameworks can also add to commonly accepted structures and expand the scale, scope, and depth of understanding of risks. It would be a mutually beneficial move, where each discipline benefits from the data and values of the other to deliver holistic legitimacy.

ESG and ERM: The Road Ahead

There is a growing expectation that within the next five to ten years, ESG will be housed within and enhance ERM programs. For now, ESG deserves focused attention from the market to refine its reporting and frameworks as it matures. While there will clearly be distinct risks, reporting structures, frameworks, and stakeholders for ESG information, it will increasingly be viewed as one of several important risk categories under the ERM umbrella. In a sense, it must ‘cross the chasm’ to a degree of standardization, consistency, commonality, to capture the market buy-in it doesn’t yet have. Once this is achieved, organizations will more easily integrate ESG risk assessments, reporting, and definition into enterprise risks.

Want to learn how to integrate ESG risks into Enterprise Risk Management (ERM) processes?

Register for the upcoming webinar: The Interconnectedness of ESG, ERM, and Third-Party Risk Management

Read the eBook: ESG and ERM: Bridging the Gap

Request a personalized demo


Simrin Jhangiani, Associate Director, Marketing at MetricStream

Simrin Jhangiani is the Product Marketing Lead for MetricStream’s ESGRC product. As a former NYU student with a minor in Corporate Social Responsibility, Simrin is passionate about helping businesses make risk-aware business decisions around ESG. Simrin has an extensive business and marketing background, having worked as a strategy consultant at KPMG and as the owner of a sustainable fashion brand. She has lived on 3 different continents and has travelled to over 50 countries around the world, resulting in a comprehensive understanding of why ESG is important on a global scale. She believes that ESG is fundamental to the growth of businesses in the present day and is ardent about bringing awareness of the ever-changing regulations around Environmental, Social, and Governance.


OCC Spring 2022 Risk Report Highlights Risks Facing BFS Companies


Introduction

The Office of the Comptroller of the Currency (OCC) has published the OCC Spring 2022 Risk Report that highlights risks faced by banks and financial services organizations. The National Risk Committee (NRC) of the OCC plays a key role in monitoring the U.S. federal banking system, identifying key risks facing banks, and highlighting those risks in its semiannual publications. The latest edition of its guidance has observed that the financial condition of banks remains strong and well-positioned to “deal with the economic headwinds arising from geopolitical events, higher interest rates, and increased inflation” and has warned banks and financial organizations to prepare for elevated operational risks and heightened compliance risk.

In the report, the risks are attributed to the current geopolitical tensions; a heightened compliance risk environment driven by regulatory changes, policy initiatives, and challenges in hiring qualified compliance professionals; and an observed increase in cyberattacks on the financial services industry.

Here is a closer look at the key risk themes highlighted in the report.

Elevated Operational Risk Due to an Increasingly Complex Operating Environment

The OCC report attributes the elevated operational risk to cyber threats which “continue to evolve, with an observed increase in attacks on the financial services industry.” This has been further accelerated by the ongoing geopolitical situation. Additionally, “banks’ increasing reliance on third-party relationships, along with the development and adoption of innovative products, services, and technologies, and ongoing changes to banks’ staffing and the operating environment” have all led to an increase in operational risk.

Also, the OCC has observed that banks are finding it challenging “to maintain comprehensive operational resilience frameworks commensurate with the complexity of products, services, and operations being supported in this environment.” It has further advised that some of the risk exposure may manifest in the coming quarter, making it vital for “the industry to remain vigilant and fully assess its risk exposure.”

Given the increased operational risks, the OCC’s recommendations include:

  • Lowering reporting thresholds on information sharing activities, testing organizational response plans, and continuing the focus on business continuity and resilience (as recommended by the Cybersecurity and Infrastructure Security Agency (CISA))
  • Maintaining robust threat and vulnerability monitoring processes and implementing more stringent cybersecurity measures
  • Applying sound fraud risk management practices to help prevent losses when implementing new technology and innovative products and services
  • Following appropriate due diligence, change management, and risk management processes in accordance with the bank’s size, complexity, and risk profile, while accounting for and keeping pace with any new, modified, or expanded activity and the complexity that comes with it
  • Developing robust planning and risk management processes to manage, partner, or compete with new fintech entrants as needed

Heightened Compliance Risk, Driven by Regulatory Changes and Policy Initiatives

The OCC has highlighted that compliance risk remains heightened. This is primarily because banks are now required to navigate the complexity of sanctions imposed in response to the Russian invasion of Ukraine. At the same time, banks have also been required to “continue to manage the impact of forbearance programs and the elevated volume of customers on deferred payment and loss mitigation programs.”

The OCC has further observed challenges in the industry in retaining and replacing staff in compliance functions. The lack of access to subject matter expertise, or the use of third-party relationships to support or fill such critical roles, may increase compliance and operational risks.

The OCC offers the following recommendations for banks and financial institutions:

  • Navigate the “complex and evolving” sanctions by accurately assessing “the applicability and impact of sanctions on their institutions and customers, including the impact of sanctions imposed by both the U.S. and other countries on foreign branches, overseas offices, and subsidiaries.”
  • Institute effective change management and compliance risk management processes “to identify, measure, monitor, and control the evolving and emerging risks related to consumer products and services.”

Thrive on Risk with a Connected GRC Approach

As banks and financial institutions work to address key risk areas, it is important that they view and recognize the interconnectedness of risk. As highlighted in the OCC report, the scale and scope of the interconnectedness of risk are rapidly expanding. This requires a connected approach to manage and mitigate risk.

MetricStream’s ConnectedGRC empowers banks and financial institutions with a connected and streamlined governance, risk management, and compliance approach that enables firms to better identify, assess, manage, and mitigate risk across the enterprise—including strategic, operational, IT and cyber, third and fourth-party, compliance, and ESG risks.

  • Gain a holistic approach to risk, compliance, audit, and third-party management with MetricStream’s BusinessGRC. Leverage the comprehensive set of capabilities of Operational Risk Management to strengthen operational resilience and gain forward-looking risk visibility with predictive risk metrics and indicators. Reduce losses and avoid adverse risk events through proactive control structures and analytics. Navigate the complex web of regulatory obligations with Regulatory Compliance Management and sustain compliance by easily implementing measures, processes, and policies.
  • Actively manage IT and cyber risk and build cyber resilience with MetricStream’s CyberGRC that enables a streamlined, proactive, and business-driven approach to IT and cyber risk management and mitigation. Utilize best practices, insightful reporting, and cyber risk quantification to build cyber resilience.
  • Streamline management of various ESG requirements with MetricStream’s ESGRC. Define and manage ESG standards, frameworks, and disclosure requirements including GRI, SASB, TCFD, and others, automate the collection and aggregation of data, and report through real-time analytics and dashboards.


Interested to know how MetricStream can help you take a connected approach to risk management? Write to me at sumith.sagar@metricstream.com to learn more. You can also request a personalized demo to learn more about our products.


Sumith Sagar Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC) and Commodity Trading & Risk Management (CTRM) to cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.


Crypto, Metaverse, DeFi: Are You Prepared for the Risks of Tomorrow?

3 min read

Introduction

Cryptocurrency is almost synonymous with “what’s next.” From the best-known, Bitcoin, to Ether, Dogecoin, or any of the many other tokens, crypto has a futuristic air of “tomorrow’s economy today.” With the global cryptocurrency market projected by IMARC Group to reach $32,420 billion by 2027, digital currency is becoming a fully-fledged, if not yet completely understood, member of the global financial markets.

Yet tomorrow has also brought with it extensive risk, the full range of which isn’t yet even visible.

The massive amount of currency in play, the instability of platforms, and the general lack of regulation around crypto make it a favorite for bad actors. According to Cybersecurity Ventures, crypto crime is predicted to cost the world $30 billion by 2025.

The Good, The Bad, and The Ugly

The anonymous aspects of cryptocurrency make it the currency preferred by cyber adversaries for collecting ransomware payments across industries and for money laundering, terrorist financing, and other crimes. In its analysis of cryptocurrency received by ransomware addresses, Chainalysis identified more than $602 million worth of ransomware payments in 2021, adding that “the true total for 2021 is likely to be much higher.”

The sheer size of the cryptocurrency market makes it impossible to ignore, especially for the traditional banking system, as this emerging financial asset class could threaten financial stability.

Decentralized finance (DeFi) platforms, which eliminate the middle layer of banks and other third parties in financial transactions, are one aspect that poses risks. With their promise of facilitating faster and cheaper cross-border payments, they are giving legacy banks a run for their money. To stay current as the world rapidly digitizes, banks must examine the role of these and other blockchain-related technologies – but until regulations, risk monitoring, and governance catch up, the risks are significant.

Primarily seen as a vehicle for speculative investments at present, crypto also lends itself to scams. These include “pump and dump” or “rug pull,” both of which involve raising the price of currency and then dumping it, leaving investors in the cold; phishing scams to gain access to crypto wallets; and much more. The number of cyberattacks on cryptocurrency exchanges is also on the rise.

The explosive growth of the “Metaverse” in recent months has caught the attention of crypto investors. While this new frontier of the internet holds the potential to transform e-commerce, entertainment, and other industries, and could merge the physical and virtual worlds, concerns around data security and privacy, cybersecurity, and mental health, among others, are also growing rapidly. What makes the situation more precarious is the current lack of regulation.

Regulators Take Notice

The cyber impact of crypto is so high-profile that in the U.S., the Securities and Exchange Commission (SEC) recently announced that it has renamed its Cyber Unit to the Crypto Assets and Cyber Unit and will nearly double its staff with 50 dedicated positions. Among the risks being monitored will be crypto assets, exchanges, and DeFi platforms.

In the UK, the government announced a series of measures to make Britain “a global hub for cryptoasset technology and investment.” This includes establishing a Cryptoasset Engagement Group, setting up a ‘financial market infrastructure sandbox’ for firms to experiment and innovate, and others.

Regulators in Europe are also working on a comprehensive set of rules that will not only boost the potential of crypto-assets but also help to curb the threats. To address the risks posed by the anonymity of cryptos, the European Parliament agreed to start negotiations with EU countries on rules to allow the tracing and identification of crypto-asset transfers. Earlier this year, it adopted new rules to support the testing of distributed ledger technology (DLT) in market infrastructures.

What the future of crypto holds remains to be seen – but like any risk, the fundamentals remain the same. Implement strong, active cyber risk management, monitoring, and governance; collaborate with quantitative and qualitative insight across your cyber and business teams; and stay agile to stay ahead of tomorrow’s risks today.


Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.


May 2022 in GRC: The Latest from the GRC Universe

6 min read

Introduction

Organizations today need to keep a close eye on the constantly changing Governance, Risk Management and Compliance (GRC) landscape. Newer and diverse risks, including increasing cyber risk, pandemic-related regulatory and policy changes, and risks associated with climate change now present a very real challenge that organizations need to prepare for.

Stay prepared for what’s next in GRC with our monthly round-up of the trending news and insights that you can use.

Building Resilience Remains Top Priority while Compliance Function Takes Center Stage

As the risk landscape expands, strengthening business resilience with enterprise and operational risk management remains a top priority for organizations. At the same time, regulatory requirements from governments and regulatory bodies have left organizations dealing with multiple layers of complex change, often happening simultaneously. This makes the compliance function an important priority for organizations of all sizes.

Here’s what has been spotted on the risk and compliance radar this month.

  • As per a background document issued by the UK government alongside the Queen’s Speech, there are plans for new direct legislation for tech providers.
  • Three consultation papers titled "Outsourcing and third-party risk management" pertinent to Financial Market Infrastructures (FMIs) were published by the Bank of England.
  • The American Institute of Certified Public Accountants (AICPA) Auditing Standards Board has voted to approve three new quality management standards. The standards will help improve the risk assessment procedure and audit quality.
  • Canada’s federal financial institutions regulator, the Office of the Superintendent of Financial Institutions (OSFI), has released Draft Guideline B-10: Third-Party Risk Management. This establishes OSFI’s third-party risk management expectations for federally regulated financial institutions in Canada (FRFIs) and also sets down industry best practices.
  • The Prudential Regulation Authority, UK, has formulated next steps for firms establishing their operational resilience roadmap in preparation for the March 2025 deadline.
  • The fifth edition of the Regulatory Initiatives Grid, which sets out the planned regulatory initiatives for the upcoming months, has been published. This helps firms in the financial services industry and other stakeholders plan for operational impact due to the initiatives and the timing of the initiatives.


Other trending risk and compliance topics include the publication of the 2022 Interos Annual Global Supply Chain Report, which highlighted that only one-tenth of survey respondents monitor supplier risks on a continual basis, and the PwC Global Risk Survey, in which 65% of respondents reported increasing their overall spending on risk management technology.

Mitigating Cyber Risk Increases in Importance

With cyber actors continually improving the level of sophistication of cyber attacks, cyber-risk mitigation is now the top priority for organizations, governments, and regulatory authorities. In the month of May 2022:

  • Cybersecurity authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom coauthored a joint Cybersecurity Advisory titled “Weak Security Controls and Practices Routinely Exploited for Initial Access.” The advisory will help organizations identify commonly exploited controls and practices. It includes cyber risk best practices to mitigate the issues.
  • The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), in partnership with cyber agencies from the UK, Australia, Canada, and New Zealand, released an advisory titled “Protecting Against Cyber Threats to Managed Service Providers and their Customers” in response to the increase in malicious cyber activity targeting MSPs.
  • In response to the Presidential executive order in the US, the National Institute of Standards and Technology (NIST) has revised its publication titled “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.” The revised publication provides greater guidance on identifying, assessing, and responding to cyber risks throughout the supply chain.
  • In what has been lauded as one of the world’s first, the European Council and European Parliament signed a provisional agreement for the establishment of the EU Digital Services Act (DSA), which is designed to build cyber resilience by following the principle that what is illegal offline must also be illegal online.
  • The European Council and the European Parliament will replace the current NIS (Network and Information Security) directive with NIS2. NIS2 is set to enable both the private and public sectors to build cyber resilience and incident response capabilities.
  • The European Council and the European Parliament have reached a provisional agreement on the Digital Operational Resilience Act (DORA). The act will help enterprises build cyber resilience and prevent and mitigate cyber threats.


In other IT risk and cyber risk news, Rob Joyce, the head of cybersecurity at the U.S. National Security Agency, is “still very worried” about the escalated cyber risk arising from the Russia-Ukraine war. For CISOs, this translates to continuing to track the conflict and putting measures in place to mitigate any direct attacks and cyberattack spillovers. The judgement by the Federal Court of Australia in Australian Securities and Investments Commission v RI Advice Group Pty Ltd has now made it clear that the failure to manage cyber risk is a breach of financial services obligations. This has led to the Australian Securities and Investments Commission (ASIC) publishing a guidance note on the critical cyber risk measures that AFSL holders are now expected to have in place.

Climate-Related Risks, Sustainability, and Greenwashing Make ESG Headlines

The importance of assessing risks from climate change, environment, and social equity continues to create a lot of conversation. The top highlights include:

  • The European Financial Reporting Advisory Group (EFRAG) has published the first draft of its sustainability standards for public consultation. The final standards are scheduled to be sent to the European Union's executive, the European Commission, by November 2022 for adoption. This will be significant, as businesses will be required to disclose information on how ESG risks impact their business and their externalities.
  • The climate-related risks of 12,000 supplier sites have been studied in a joint project by supply-chain-mapping company Resilinc and the University of Maryland’s Supply Chain Management Center and Earth Systems Science Interdisciplinary Center. The study reported that 93% of the supplier sites in China and Taiwan were experiencing increases in climate variability.
  • The Taskforce on Nature-related Financial Disclosures (TNFD), which consists of corporates, financial institutions and service providers backed by the UN, released a prototype framework, which closely mirrors TCFD. This aims to help public and private companies with assessing and communicating the financial risks of nature loss.
  • A new report by the Financial Stability Board (FSB) has been published. This aims to assist supervisory and regulatory authorities as they devise approaches to monitor, manage and mitigate risks arising from climate change.


Also of note is a new survey report by Deloitte, which reports findings on how climate, sustainability, and social equity are now important considerations when it comes to shaping infrastructure plans. In addition, various global regulators are aiming to bring in new reforms to tackle greenwashing and promote greater transparency in environmental, social, and governance investments.

Thrive on Risk with MetricStream

MetricStream empowers organizations to drive a connected GRC program. Leverage ConnectedGRC, and our BusinessGRC, CyberGRC, and ESGRC product lines, to better identify, assess, manage, and mitigate strategic risks, operational and enterprise risks, IT and cyber risks, third-party risks, compliance risks, and ESG risks.

Interested to learn more? Request a demo now.


Mabel M Jesudian Manager – Content Marketing

Mabel M Jesudian, Manager – Content Marketing at MetricStream, works closely with the product and digital marketing teams to create compelling content and actionable marketing assets that help drive conversations. Mabel has over 13 years of experience with leading marketing communication and PR agencies where she crafted engaging narratives for diverse B2B and B2C clients. She holds an M.A. and M.Phil. in English and Communication from the University of Madras. In her spare time, she loves to read fiction and try her hand at new dishes.


Looking at Risk from Both Sides – Why Quantitative and Qualitative Risk Assessments Work Together

4 min read

Introduction

“I’ve looked at risk from both sides now…”

Ok – I guess I owe an apology to Judy Collins, and to all of you for damaging a great sixties music classic! But I often think about this song when thinking about cyber risk. Examining risk takes more than a one-sided view: It requires perspective, and both quantitative and qualitative analysis.

That’s especially important in today’s unsettled world, where the need to adopt a risk-based approach to business decision-making has been gaining prominence in recent years. Particularly in the wake of a series of disruptions in the past two years, including the COVID-19 pandemic, the Suez Canal blockage, geopolitical unrest, rapid digitization, and more, organizations are increasingly making efforts to improve their enterprise risk management programs. A broader view is a must.

Performing risk assessments is one of the most important steps in the enterprise risk and cyber risk management processes. Once risks have been identified, assessment and analysis are critical to unlock deeper insights into your organization’s overall risk posture, understand the factors that can have a negative impact, and take proactive steps to mitigate and minimize them.

Left Brain/Right Brain: The Qualitative vs. Quantitative Debate

Risk managers are often faced with a difficult decision – which risk assessment method should I go with? Qualitative or quantitative?

As I’ve already hinted in my introduction, I’m biased toward a combination view – using both sides of the risk brain, if you will.

But from a practical standpoint, whether to perform a qualitative or quantitative risk assessment depends on what you’re trying to assess and what you expect to learn. Consider the risk of fire hazard faced by an organization. An initial risk assessment would entail survey questions such as:

[Image: “Looking at Risk from Both Sides Blog 2”, the survey questions for the fire hazard example]

In another example, if you consider the risks posed by IT vendors, you would want to segregate the third parties into critical and non-critical categories based on their level of access to critical organizational assets.

This requires asking questions like:

[Image: “Looking at Risk from Both Sides Blog 3”, the survey questions for the IT vendor example]

Organizations can easily identify which third parties require close monitoring and define risk management and control measures.

In these examples, most of the questions usually require a yes/no response and rely on the knowledge and expertise of the assessor. Though qualitative assessments are subjective in nature and can be influenced by the assessor’s bias and perception, they are important to understand the likelihood and severity of any risk event.

Based on the initial assessment, the next step is to assess the associated controls. In the example of fire hazard, this requires asking questions such as – How many fire extinguishers are available on every floor? Is there a fire exit? Are fire sprinklers installed? Are fire safety drills conducted?

In control assessments too, a qualitative assessment is often preferred.

For example, if you need to check the effectiveness of a control, such as the fire sprinkler system, you can use a qualitative assessment on a scale of 1 to 5 (or a red, yellow, or green rating), where 1 could mean that the system has not been installed, 2 that it is installed but not working, 3 that some sprinklers are not working, 4 that all are working but the coverage is not optimal, and 5 that they are working effectively with full coverage.

However, if we go a step further to analyze the risk exposure, that’s where quantitative risk assessment works best.

Driven by data, quantitative analysis reduces the ambiguity and subjectivity inherent in qualitative assessments. Associating a monetary value with risk equips chief risk officers to communicate the risk exposure to executive management in a language that is easy to interpret and act upon, and helps prioritize risks.

In the example of fire hazard, expressing the loss exposure in monetary terms, followed by questions such as – Do you have fire insurance? How much is the fire insurance? – will help accurately understand the risk exposure and mitigation measures.

It’s Not Either Or, It’s And

The deepest insights come from the widest perspectives. For true risk assessment, perform both qualitative and quantitative risk assessments to gain real visibility into the overall organizational and cyber risk posture. You may have heard it called a 360-degree view of risk. With apologies to Judy, I like to see it as looking at risk from both – or all – sides now.

MetricStream’s latest release, Danube, brings risk quantification capabilities to the Enterprise and Operational Risk Management products – already available in our CyberGRC product line. Risk practitioners can now leverage advanced models to better quantify and prioritize risk strategies. They can easily capture values for variables (e.g. loss event frequency, loss magnitude) that can be represented in a simple format. The support for Monte Carlo simulations enables users to generate a range-based estimate and predict the probability of different outcomes for the annual loss expectancy. To request a personalized demo, click here.
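The Monte Carlo approach described above, as an added illustrative example that is not MetricStream’s or the Danube release’s own code: loss event frequency is modelled as a Poisson rate, loss magnitude as a lognormal distribution calibrated from an assessor’s 90% confidence range, and many simulated years yield a range-based annual loss expectancy (mean plus percentiles) that is then mapped back onto a red/yellow/green band, joining the quantitative and qualitative views. The scenario figures, the risk-appetite threshold, and all function names are assumptions.

```python
"""Monte Carlo estimate of annual loss expectancy (ALE) for one risk scenario.

Added illustrative example (not MetricStream's code). All figures are constructed.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    name: str
    events_per_year: float  # loss event frequency: expected loss events per year
    magnitude_low: float    # 5th percentile of a single-event loss (monetary)
    magnitude_high: float   # 95th percentile of a single-event loss (monetary)


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Turn a 90% confidence range [low, high] into lognormal (mu, sigma).

    The 5th and 95th percentiles of a normal lie 1.645 standard deviations
    from its mean, so sigma is the log-space gap divided by 2 * 1.645.
    """
    if not 0 < low <= high:
        raise ValueError("need 0 < low <= high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)
    return mu, sigma


def sample_poisson(rng: random.Random, rate: float) -> int:
    """Number of loss events in one simulated year (Knuth's method, fine for small rates)."""
    if rate <= 0:
        return 0
    limit = math.exp(-rate)
    events, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return events
        events += 1


def simulate_annual_losses(scenario: LossScenario, trials: int, seed: int = 0) -> list[float]:
    """One simulated year per trial: sum the magnitude of every event in that year."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    mu, sigma = lognormal_params(scenario.magnitude_low, scenario.magnitude_high)
    losses = []
    for _ in range(trials):
        events = sample_poisson(rng, scenario.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def percentile(sorted_values: list[float], p: float) -> float:
    """Nearest-rank percentile of an ascending list, p in [0, 1]."""
    idx = min(len(sorted_values) - 1, max(0, math.ceil(p * len(sorted_values)) - 1))
    return sorted_values[idx]


def summarize(losses: list[float], threshold: float) -> dict:
    """Range-based ALE: mean, 10th/50th/90th percentiles, and P(annual loss > threshold)."""
    ordered = sorted(losses)
    return {
        "ale": sum(ordered) / len(ordered),
        "p10": percentile(ordered, 0.10),
        "p50": percentile(ordered, 0.50),
        "p90": percentile(ordered, 0.90),
        "prob_exceeds": sum(1 for x in ordered if x > threshold) / len(ordered),
    }


def analytic_ale(scenario: LossScenario) -> float:
    """Closed-form cross-check: rate times the lognormal mean exp(mu + sigma^2 / 2)."""
    mu, sigma = lognormal_params(scenario.magnitude_low, scenario.magnitude_high)
    return scenario.events_per_year * math.exp(mu + sigma ** 2 / 2)


def rating(ale: float, appetite: float) -> str:
    """Map the monetary result onto a red/yellow/green scale (thresholds are assumed)."""
    if ale < 0.5 * appetite:
        return "green"
    return "yellow" if ale < appetite else "red"


if __name__ == "__main__":
    # Constructed scenario: ~2 fire incidents a year, each costing $20k to $500k (90% range).
    fire = LossScenario("Fire damage to data hall", 2.0, 20_000.0, 500_000.0)
    s = summarize(simulate_annual_losses(fire, trials=20_000), threshold=1_000_000.0)
    print(f"{fire.name}: ALE ${s['ale']:,.0f} (analytic ${analytic_ale(fire):,.0f})")
    print(f"  10th/50th/90th pct: ${s['p10']:,.0f} / ${s['p50']:,.0f} / ${s['p90']:,.0f}")
    print(f"  P(loss > $1M) = {s['prob_exceeds']:.1%}; rating vs $2M appetite: {rating(s['ale'], 2_000_000.0)}")
```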

To read more about the new innovations in our Danube Software Release, click here.


Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.


Thriving in 2022: Become Future-Ready and Resilience-Centric with Integrated Risk Management

2 min read

Introduction

As we enter 2022, the coronavirus pandemic continues to have a strong foothold in pockets around the globe with newer variants, keeping optimistic sentiment in check.

Will 2022 be the year when the pandemic ends, and we return to normalcy? Maybe. Maybe not. Based on our conversations with our customers and partners, we have learned that organisations are no longer pondering this question. Having weathered pandemic-led challenges in the past two years, organisations are now asking “what’s next” and how they can prepare for it. The approach to enterprise strategy and to managing the unknown unknowns has undergone a major shift in the past two years.

The crisis has brought much-needed changes to the very DNA of today’s businesses. Organisations have realized that digitization, agility, and resilience are not just buzzwords but critical to thriving in today’s unsettled business environment with its many new and evolving risks.

Enterprise risk management (ERM) practices, too, are evolving from being an afterthought to becoming more future-ready and proactive. While the traditional approach to risk management involving risk identification, assessment, and mitigation will continue to be the foundation, a future-ready ERM strategy also focuses on preparedness for risk events, resilience to quickly bounce back and continue business operations in the aftermath of the event, and the ability to turn risk into a strategic advantage.

Risk Strategy for 2022 and Beyond

Around the world, organisations are looking at a highly uncertain risk landscape in 2022 with uneven economic recovery, elevated level of cyber threats, growing awareness and regulatory activity on environmental, social, and governance (ESG) aspects, geopolitical tensions, and more. The amplified digital interconnectedness of organisations in the post-pandemic world further exacerbates the situation as a disruption anywhere in the market can quickly impact several connected businesses.

In its Global Risk Report 2022, the World Economic Forum observes, “Converging technological platforms, tools and interfaces connected via an internet that is rapidly shifting to a more decentralized version 3.0 are at once creating a more complex cyberthreat landscape and a growing number of critical failure points.”

So, what’s next for GRC? Explore 8 Key Trends Powering 2022 and Beyond

With the growing digital dependencies and interconnectedness between organisations, the points of intersection among risks are also multiplying. As such, looking at risks in isolation is no longer effective to manage them and their domino effect.

The pandemic has been a wake-up call for organisations, and it is encouraging to see them moving away from antiquated and siloed practices and focusing on a more integrated, holistic, and tech-driven approach to ERM – ensuring seamless collaboration between risk, compliance, audit, third-party, cybersecurity, and other business functions. Organisations are also increasingly adopting advanced technologies, such as artificial intelligence and machine learning, to get actionable risk insights in a timely manner for effective decision-making.

A forward-looking and resilience-centric ERM strategy, complemented with automated workflows, is critical for organisations today to ensure preparedness for the risks of tomorrow.

So, what areas should organisations focus on while devising their risk strategy for this year? Join me as I discuss this and more in the webinar "Road to Resilience: Powering your Risk Strategy to Thrive in 2022 and Beyond" with Dan Wood, Senior Risk Professional & RMIA Queensland Chapter Committee, and Kieran Heinze, Global Supply Resilience Practice Lead, Infosys. To register for the webinar, click here.


Vicki Wright Director – Sales, MetricStream

Read the blogs authored by Vicki Wright, Director – Sales, MetricStream, for the latest insights on governance, risk management, cyber resilience, and more.
