May 2022 in GRC: The Latest from the GRC Universe

This Month in GRC
6 min read


Organizations today need to keep a close eye on the constantly changing Governance, Risk Management and Compliance (GRC) landscape. Newer and diverse risks, including increasing cyber risk, pandemic-related regulatory and policy changes, and risks associated with climate change now present a very real challenge that organizations need to prepare for.

Stay prepared for what’s next in GRC with our monthly round-up of the trending news and insights that you can use.

Building Resilience Remains Top Priority while Compliance Function Takes Center Stage

As the risk landscape expands, strengthening business resilience with enterprise and operational risk management remains a top priority for organizations. At the same time, regulatory requirements by governments and regulatory bodies has left organizations to deal with multiple layers of complex change, often happening simultaneously. This makes the compliance function an important priority for organizations of all sizes.

Here’s what has been spotted on the risk and compliance radar this month.

  • As per a background document issued by the UK government alongside the Queen’s Speech there are plans for new direct legislation for tech providers.
  • Three consultation papers titled "Outsourcing and third-party risk management" pertinent to Financial Market Infrastructures (FMIs) were published by the Bank of England.
  • The American Institute of Certified Public Accountants (AICPA) Auditing Standards Board has voted to approve three new quality management standards. The standards will help improve the risk assessment procedure and audit quality.
  • Canada’s federal financial institutions regulator, the Office of the Superintendent of Financial Institutions (OSFI), has released Draft Guideline B-10: Third-Party Risk Management. This establishes OSFI’s third-party risk management expectations for federally regulated financial institutions in Canada (FRFIs) and also sets down industry best practices.
  • The Prudential Regulation Authority, UK, has formulated next steps for firms establishing their operational resilience roadmap in preparation for the March 2025 deadline.
  • The fifth edition of the Regulatory Initiatives Grid, which sets out the planned regulatory initiatives for the upcoming months, has been published. This helps firms in the financial services industry and other stakeholders plan for operational impact due to the initiatives and the timing of the initiatives.

Other trending risk and compliance topics include, the publishing of the 2022 Interos Annual Global Supply Chain Report, which highlighted that only one-tenth of the survey respondents monitor supplier risks on a continual basis and the PwC Global Risk Survey, where 65% of survey respondents are increasing their overall spending on risk management technology.

Mitigating Cyber Risk Increases in Importance

With cyber actors continually improving the level of sophistication of cyber attacks, cyber-risk mitigation is now the top priority for organizations, governments, and regulatory authorities. In the month of May 2022:

  • Cybersecurity authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom coauthored a joint Cybersecurity Advisory titled “Weak Security Controls and Practices Routinely Exploited for Initial Access.” The advisory will help organizations identify commonly exploited controls and practices. It includes cyber risk best practices to mitigate the issues.
  • The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), in partnership with cyber agencies from the UK, Australia, Canada, and New Zealand, released an advisory titled “Protecting Against Cyber Threats to Managed Service Providers and their Customers” in response to the increase in malicious cyber activity targeting MSPs.
  • In response to the Presidential executive order in the US, the National Institute of Standards and Technology’s (NIST) has revised its publication, titled “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.” The revised publication provides greater guidance on identifying, assessing, and responding to cyber risks throughout the supply chain.
  • In what has been lauded as one of the world’s first, the European Council and European Parliament signed a provisional agreement for the establishment of the EU Digital Services Act (DSA), which is designed to build cyber resilience by following the principle that what is illegal offline must also be illegal online.
  • The European Council and the European Parliament will replace the current NIS (Network and Information Security) directive with NIS2. NIS2 is set to enable both the private and public sector build cyber resilience and incident response capabilities.
  • The European Council and the European Parliament have reached a provisional agreement on the Digital Operational Resilience Act (DORA). The act will help enterprises build cyber resilience and prevent and mitigate cyber threats.

In other IT risk and cyber risk news, Rob Joyce, the head of cybersecurity at the U.S. National Security Agency, is “still very worried” about the escalated cyber risk arising from the Russian-Ukraine war. For CISOs, this translates to continuing to track the conflict and putting measures in place to mitigate any direct attacks and cyberattack spillovers. The judgement by the Federal Court of Australia in the Australian Securities and Investments Commission v RI Advice Group Pty Ltd, has now made it clear that the failure to manage cyber risk is a breach of financial services obligations. This has led to the Australian Securities and Investments Commission (ASIC) publishing a guidance note on the critical cyber risk measures that AFSL holders are now expected to have in place.

Climate-Related Risks, Sustainability, and Greenwashing Make ESG Headlines

The importance of assessing risks from climate change, environment, and social equity continues to create a lot of conversation. The top highlights include:

  • The European Financial Reporting Advisory Group (EFRAG) has published the first draft of its sustainability standards for public consultation. The final standards are scheduled to be sent to the European Union's executive European Commission by November 2022 for adoption. This will be a significant as business will be required to disclose information on how ESG risks impact their business and their externalities.
  • The climate-related risks of 12,000 supplier sites has been studied in a joint project by supply-chain-mapping company Resilinc and the University of Maryland’s Supply Chain Management Center and Earth Systems Science Interdisciplinary Center. The study reported that 93% of the supplier sites in China and Taiwan were experiencing increases in climate variability.
  • The Taskforce on Nature-related Financial Disclosures (TNFD), which consists of corporates, financial institutions and service providers backed by the UN, released a prototype framework, which closely mirrors TCFD. This aims to help public and private companies with assessing and communicating the financial risks of nature loss.
  • A new report by the Financial Stability Board (FSB) has been published. This aims to assist supervisory and regulatory authorities as they devise approaches to monitor, manage and mitigate risks arising from climate change.

To be noted is the new survey report by Deloitte, which reports findings on how climate, sustainability, and social equity are now important considerations when it comes to shaping infrastructure plans. Also, various global regulators are aiming to bring new reforms to tackle greenwashing and promote greater transparency in environmental, social, and governance investments. 

Thrive on Risk with MetricStream

MetricStream empowers organizations to drive a connected GRC program. Leverage ConnectedGRC, and our BusinessGRC, CyberGRC, and ESGRC product lines, to better identify, assess, manage, and mitigate strategic risks, operational and enterprise risks, IT and cyber risks, third-party risks, compliance risks, and ESG risks.

Interested to learn more? Request a demo now.


Mabel M Jesudian Manager – Content Marketing

Mabel M Jesudian, Manager – Content Marketing at MetricStream, works closely with the product and digital marketing teams to create compelling content and actionable marketing assets that help drive conversations. Mabel has over 13 years of experience with leading marketing communication and PR agencies where she crafted engaging narratives for diverse B2B and B2C clients. She holds an M.A. and M.Phil. in English and Communication from the University of Madras. In her spare time, she loves to read fiction and try her hand at new dishes.