Introduction
Since the COVID-19 pandemic, there has been continued interest in operational resilience from organizations and regulators alike. The crisis, which impacted every organization (some worse than others), highlighted that achieving operational resilience is critical not just for navigating the current new terrain but also for ensuring preparedness for the next crisis.
The pandemic put to the test the risk management measures that organizations had implemented, as it exposed them to a plethora of new risks and intensified existing ones. To adapt to the new business environment, organizations rushed to adopt digital tools and technologies and redesign their business. This accelerated the pace of digital transformation, which, along with geopolitical power shifts, natural calamities, concerns over global depression, the growing digital interconnectedness of systems, people, processes, and organizations, and other factors, is continuously shaping the risk profile of organizations around the world.
According to Risk.net, the top operational risks include IT disruption, data compromise, resilience risk, theft and fraud, third-party risk, conduct risk, regulatory risk, organizational change, geopolitical risk, and employee wellbeing.
With the escalating number of operational loss events, cyber-attacks, vendor risk-related incidents, and compliance violations around the world, achieving operational resilience is of paramount importance – going beyond business continuity and operational risk management and building the ability to safeguard and sustain core business competencies, thereby protecting stakeholder interests when faced with unknown unknowns.
- World output is expected to have contracted by 4.4% in 2020 (IMF)
- Attacks targeting the financial sector have grown by 238% from the beginning of February to the end of April 2020. (VMware Carbon Black)
- Globally, suspected fraudulent digital transaction attempts against businesses jumped 46% when comparing the periods of March 11, 2019–March 10, 2020 and March 11, 2020 to March 10, 2021. (TransUnion)
- Fraud now costs companies $3.36 for every dollar lost to fraud compared to $2.40 in 2016. (LexisNexis)
Top Operational Risks
In our recent peer-to-peer roundtable, GRC practitioners, including CROs, Supplier Risk Management Heads, and CISOs, discussed the key operational risks faced by their organizations in the past year and how taking an integrated and tech-driven approach to risk management processes helped them overcome those challenges. Here is a look at five top operational risks faced by organizations in their pursuit of attaining resilience post-COVID.
Supply Chain Disruption
The world essentially came to a standstill to “break the chain” and contain the spread of the coronavirus in 2020. As manufacturing units and transport services temporarily closed their doors, particularly in the manufacturing hubs of the world, such as China and India, concerns started mounting over waning stocks and impending contractual obligations.
It’s important to note here that organizations often lack end-to-end visibility of their entire value chain and supplier network. This impedes their ability to accurately foresee existing and emerging risks and understand the full scale of impact of any potential disruption at any point along the value chain.
Another incident that made a major dent in the global supply chain was the Suez Canal blockage in March—a huge container ship got wedged in the canal, blocking hundreds of ships on either side. The blockage is estimated to have roughly cost 12 percent of global trade with total losses running in billions of dollars. Though the blockage was cleared in six days, industry experts believe that the impact of this incident will reverberate through the global economy and the effects will be felt for months.
IT and Cyber Risks
Cyber adversaries are becoming increasingly sophisticated and organized, and the pandemic has unfortunately provided them with a massive playground. Pandemic-driven digital connectedness and remote working conditions have expanded the attack surface, with the entire workforce becoming more vulnerable to cyberattacks as employees are no longer protected by office firewalls and enterprise security mechanisms.
In its 2020 Annual Cybersecurity Report, Trend Micro said that it detected over 16 million COVID-19 related threats. Of these, 88% of the threats came in the form of spam emails, 11% were in the form of URLs, while malware accounted for 0.2% of the threats.
Organizations are often ill-equipped to prevent, detect, and respond to cyberattacks. According to Ponemon Institute's Cost of a Data Breach Report 2020, it takes 280 days on average to identify and contain a breach. Many businesses also do not have a disaster recovery plan to quickly recover from such incidents should they take place. Cybersecurity Ventures estimates the cost of global cybercrime to grow by 15 percent per year over the next five years, reaching $10.5 trillion annually by 2025, up from $3 trillion in 2015.
Complex Extended Organization
Businesses are increasingly relying on third parties for business-critical goods and services. It wouldn’t be incorrect to say that almost every business function today is somehow dependent on third parties. Furthermore, with third parties also relying on fourth and subsequent parties, effective management of this extended organization has become a major pain point for organizations.
Recent incidents have highlighted the growing vulnerability of organizations to third-party cyber risks and how a security incident at one organization can have a domino effect and impact several connected businesses in today’s digital and hyper-connected business environment. The most recent hack of the Microsoft Exchange Server underscored how third-party cyber risk is inherent in almost all business operations through something as rudimentary as email. As per initial estimates, the hack could have affected at least 30,000 organizations across the U.S., including small businesses, towns, cities, and local governments, and 60,000 computer systems in Germany.
There is also a significant increase in cloud adoption across industries in this new normal. According to Gartner, the proportion of IT spending that is shifting to the cloud will accelerate in the post-COVID world, with cloud estimated to make up 14.2% of the total global enterprise IT spending market in 2024, up from 9.1% in 2020. With this growing cloud adoption, concerns around cloud concentration risk, that is, an organization’s over-reliance on one service provider to support key services, are also rising.
Employee Wellbeing
The roundtable participants were unanimous in stating that employee wellbeing sits at the top of their minds today: not just physical wellbeing but mental wellbeing as well.
With lockdowns and travel restrictions in place and the workforce moving home, interactions and conversations between employees became confined to virtual mode. The prolonged duration of the pandemic and the resulting negative sentiment have taken a toll on the mental health of people. Post-pandemic, the return to hybrid work environments has caused its own set of challenges. This directly impacts employee productivity, and hence, has become a direct risk to overall business performance.
What makes it more challenging is the fact that it is really difficult to quantify this risk and measure the effectiveness of the wellbeing initiatives conducted by organizations.
Environment, Social, and Governance (ESG) Issues
In the past couple of years, addressing ESG issues has become one of the top priorities for corporate boards. The pandemic, in particular, has exposed the fragility of organizations and how ill-prepared they are to tackle such systemic risks.
According to S&P Global Ratings, six key trends are expected to dominate the corporate governance narrative in 2021:
- Diversity and increasing female participation in leadership roles
- Preparing for climate change
- Heightened focus on board effectiveness
- Closer integration of ESG metrics with executive pay
- Shareholder activism on environmental and social issues
- Tax transparency and fairness
Gunjan Sinha, Executive Chairman at MetricStream, explains that there have been three waves of governance, risk, and compliance (GRC) that we’ve witnessed so far: the first was the financial meltdown of 2008 which led to an increased focus on various financial GRC measures, followed by the second wave which saw technological revolution and widespread use of smart technologies in the past decade, and the third is the ongoing pandemic which has brought employee health, safety, and wellbeing into focus. Climate change and planet health are expected to drive the next, the fourth wave, which might strike sooner than later, he said.
“Corporate governance leaders must drive the definition of corporate objectives beyond profits, to purpose, ethics, integrity, diversity, and global sustainability. With trends of ESG and the needs of the future, companies must not exist for maximization of profits, companies must be real architects for building and sustaining the true communities in which they survive and thrive,” said Gunjan.
Ensuring Operational Resilience in 2021 and Beyond with MetricStream
The pandemic has undoubtedly been a real-world test of the resiliency and resolve of risk professionals. An agile, integrated, and technology-driven approach to enterprise risk management is key to achieving operational resilience in this new normal. Organizations need to accept that some operational risk events, such as IT downtime due to unplanned outages, natural calamities, third-party service failures, and even pandemic flu are beyond their control. What this requires is a “recovery-centric mindset” and measures to minimize the impact of such events and ensure business continuity—ensuring optimum utilization of preventative, responsive, and recovery capabilities and learning from the experiences.
Today, with MetricStream, organizations can leverage advanced technologies and analytics to continuously monitor threats and vulnerabilities and enable a more data-driven risk assessment with external risk data feed, thereby improving their risk visibility and foresight. Furthermore, setting up cadence to review and upgrade the risk management framework based on the evolving risk profile, tolerance, and appetite can help strengthen risk preparedness.
The MetricStream Integrated Risk Management Solution, built on the MetricStream Platform, empowers organizations to manage existing as well as emerging risks across geopolitical, digital, strategic, third-party, cybersecurity, and compliance areas. With this solution, organizations can harmonize risk taxonomies and risk management activities across all business functions, align their assurance programs, and gain comprehensive visibility into both risk exposure and relationships. The solution enables organizations to:
Companies already using an integrated risk solution did not make any changes to their risk management program, approaches, and activities during the pandemic. - MetricStream State of Risk Management Survey Report 2021