September 2022 GRC Recap – What’s New in the GRC Universe?

2022 GRC Recap
6 min read


Increased regulatory activity on operational risk management and cybersecurity. A growing focus on the ‘S’ or social in Environmental, Social, and Governance (ESG). An urgency to tackle third-party cyber risk.

The top GRC news in September 2022 boiled down to a handful of significant and common themes. And with good reason: As we enter the second half of the fiscal year, shrinking global GDP accompanied by inflation and tight labor markets, as well as evolving energy uncertainties stemming from the ongoing geopolitical crisis in Europe, has made resilience a top priority for businesses, politicians, and regulators. Other top priorities for businesses include staying focused on developing effective mitigation strategies to manage the interconnectedness of risks, especially emerging cyber, ESG, and third-party risks, and striving to build robust compliance resiliency initiatives to cope with the unprecedented levels of regulatory change.

We also want to take a moment to thank you for your continuous support. MetricStream won two industry awards—the Bronze Stevie® Award for its Environmental, Social, Governance, Risk, and Compliance (ESGRC) product and the Operational Risk Management Solution of the Year award, at the Risk.Net Asia Risk Awards 2022 for the second year in a row! You can read more about this at the end of the blog.

Several other risk and compliance stories made it to the headlines last month. Scroll down to read a curated account of the latest news in the GRC Universe from around the globe.

What’s New in Risk, Regulation, and Resilience?

  • Michael Hsu, Acting Comptroller of the Currency, a major U.S. bank regulator, has warned of crisis risk from fintech proliferation. “I worry increasingly about the 'unknowns' and am concerned that the less familiar risks of this digital transition are unlabeled and thus unseen. As we learned from the 2008 financial crisis, risks that are unseen have a tendency to grow and later to be the source of nasty surprises," said Hsu.
  • The Federal Reserve Board has invited comment on updates to operational risk-management requirements. This will apply to certain systemically important financial market utilities (FMUs) supervised by the Board. According to Vice Chair Lael Brainard, this initiative has been started "In light of the rapidly evolving risk landscape, (where) the proposed changes will help ensure that key financial market utilities operate with a high level of resilience and remain a source of strength for the financial system."
  • The Office of the Superintendent of Financial Institutions (OSFI) an independent agency of the Government of Canada, anticipates that it will issue a final version of the Draft Guideline B-10 on Third-Party Risk Management by the end of 2022. The Draft Guideline will be more comprehensive than its predecessor, establishing enhanced expectations for Federally Regulated Financial Institutions (FRFIs) who outsource services to third parties.
  • ISACA has released a new white paper, The Great Resignation: Business Challenges and Sustainable Solutions. The paper discusses key reasons for the present labor crunch and offers recommendations for establishing a sustainable, multipurpose workforce-management solution.
  • The Australian Prudential Regulation Authority (APRA) has released a draft new Prudential Standard CPS 230 (Operational Risk Management). Set to replace certain existing prudential standards, the draft version with significant uplifts to governance, compliance, contractual and incident response arrangements will apply to financial institutions, superannuation funds and insurers.

What’s New in IT and Cyber Risk?

  • The Cybersecurity and Infrastructure Agency (CISA) and the National Security Agency (NSA) have published a joint cybersecurity advisory about control system defense for operational technology (OT) and industrial control systems (ICSs). The advisory which provides a comprehensive understanding of the tactics, techniques, and procedures (TTPs) used by cyber criminals will help critical infrastructure owners and operators build cyber resilience.
  • Part one of Securing Software Supply Chain Series - Recommended Practices for Developers, a three-part joint publication series, has been published by CISA, the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI).
  • The Government of Canada introduced Bill C-26, An Act Respecting Cyber Security in an effort to “protect Canada’s critical infrastructure” and to provide a new framework for the protection of critical cyber systems for services and systems vital to national security or public safety.
  • The National Institute of Standards and Technology (NIST) has released the second draft of its Artificial Intelligence (AI) Risk Management Framework (RMF) for comment. The framework will help individuals and businesses of all sizes better understand, manage and reduce their respective “risk footprint.”
  • A new EU cybersecurity rule proposed by the EU Commission will ensure more secure hardware and software products. As the first-ever EU-wide legislation of its kind, it will introduce mandatory cybersecurity requirements for products with digital elements, throughout their whole lifecycle.
  • A report by SecureLink and the Ponemon Institute titled, The State of Cybersecurity and Third-Party Remote Access Risk found more than 50 percent of organizations reporting a third-party data breach in 2022 with more than 70 percent reporting that such breaches or cyberattacks in 2022 resulted from giving too much privileged access to third parties.
  • Australia’s second-largest wireless carrier, Optus, suffered a major cyberattack, resulting in the personal data of up to 10 million people being compromised. While operations were not affected, the breach puts all of Optus’ mobile customers at risk, with the company expressing concern about potential phishing attacks against its customers.
  • Key takeaways from the Gartner Security & Risk Management Summit 2022 London, include:
    • 30% of nation-states will by 2025 pass legislation that regulates ransomware payments, fines and negotiations, up from less than 1% in 2021
    • 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements by 2025
    • 75% of organizations are pursuing security vendor consolidation in 2022

What’s New in ESG?

  • Gaurav Kapoor, co-CEO and co-founder of MetricStream, shared key steps for leaders seeking to engage their boards for ESG initiatives.
  • A commentary published by DBRS Morningstar focusing on women’s representation at the board and executive levels of European Banks found that while gender diversity was improving at board level, it was lagging behind in executive leadership roles. In a sample of 43 European Banks (2021) women represented 37% of board member seats, but only 26% on executive management teams.
  • An EY survey of 300 European and UK-based fund managers found that German finance boards are the least gender-diverse in Europe. Only 29% of financial services board members in Germany are women in comparison to the European average of 37%.
  • The Office of the Superintendent of Financial Institutions (OSFI), Canada, issued draft Guideline B-15: Climate Risk Management in response to the risks posed by the ever-growing threat of climate change to the Canadian financial system. The guidance will aid efforts by Federally regulated financial institutions (FRFIs) to develop resilience against such risks.
  • According to Bloomberg, more than half of FTSE 100 companies now have ESG committees, with oil, gas and mining companies leading the way.
  • A report by strategic communications firm Luminous, found the introduction of mandatory TCFD reporting is helping to boost awareness of climate-related risk and driving ESG integration in annual reports.

What’s New at MetricStream?

MetricStream Wins Awards for ORM and ESGRC Products

  • MetricStream was crowned the winner at the Asia Risk Awards 2022 for its Operational Risk Management product for the second year in a row. The panel of judges highlighted MetricStream’s commitment to fine-tuning its product and the product’s ability to help businesses generate a deeper understanding of business risks in an increasingly interconnected risk environment.
  • MetricStream was awarded the Bronze Stevie® Award for its Environmental, Social, Governance, Risk and Compliance (ESGRC) SaaS in the New Product Awards category as part of the 19th Annual International Business Awards®. The award is an industry recognition of the business value that MetricStream’s ESGRC can bring to organizations seeking to embed advanced environmental and social initiatives.

Just 42 days until the GRC Summit in London!

Now in the 10th year, the GRC Summit 2022 will feature keynotes from industry leaders, product innovation sessions, MetricStream customer success stories and practitioner-led case studies, deep-dive workshops, GRC journey awards, and more!

Check out the complete agenda and register now!


Mabel M Jesudian Manager – Content Marketing

Mabel M Jesudian, Manager – Content Marketing at MetricStream, works closely with the product and digital marketing teams to create compelling content and actionable marketing assets that help drive conversations. Mabel has over 13 years of experience with leading marketing communication and PR agencies where she crafted engaging narratives for diverse B2B and B2C clients. She holds an M.A. and M.Phil. in English and Communication from the University of Madras. In her spare time, she loves to read fiction and try her hand at new dishes.