GRC Roundup - August 2022 I What's New in the GRC Universe?

Introduction

This year has been extremely challenging for businesses around the world. The already inundated governance, risk, and compliance (GRC) teams at organizations are further stretched thin as they try to keep up with the rapidly evolving business, cyber and ESG risks, the ever-evolving regulatory landscape, and escalating geopolitical crises.

Our recent survey with OCEG confirmed how challenged organizations are with GRC today. A large number of organizations are still relying on distributed, segmented, and separate systems for managing GRC. A meager 7% of respondents said they have “excellent” GRC capabilities today.

[For a quick look at the key takeaways of the OCEG GRC Readiness for Rapid Change Survey 2022, click here. To download the complete survey report, click here.]

What are the top concerns of businesses and regulators today? Is GRC still an afterthought? What are the new cyber challenges for companies in this new normal? Are companies going to walk the talk on ESG? Let’s find out what made it to the headlines in August – through the GRC lens.

What’s New in Risk, Regulation, and Resilience

Operational risk and resilience continue to be priority areas for regulators.

The Australian Prudential Regulation Authority (APRA) has started consulting on a new prudential standard that aims to bolster the management of operational risk in the banking, insurance, and superannuation industries. The Monetary Authority of Singapore (MAS) published a paper that sets out its expectations, good practices, and improvement areas for operational risk management at financial institutions based on its inspections of selected banks over 2020 and 2021.

In another update, Germany’s financial market regulator BaFin levied a $5.28 million fine on a leading US-based financial institution for delays in reporting voting rights notifications.

Several survey and research reports published last month underscore the importance of risk and compliance management at banks and corporations alike:

• Fitch Ratings found regulatory fines to be the overriding theme in news reports centered on corporate-governance failings by banks worldwide. “We believe this reflects both the prevalence of regulatory fines and the media’s propensity to report on bank fines, often headlining the amounts,” Fitch Ratings observed.
• Based on its recent survey, Gartner said that the most important factor in reporting of misconduct by employees is whether they think it will work well for them. The IT research firm called upon compliance leaders to understand what drives employees to report misconduct.
• According to FERMA’s 2022 European Risk Manager Survey, resilience has never been higher on the top management’s agenda. For risk managers, risk mapping, which is described as the firm's way to identify and document their important business services, continues to be one of the most important activities. However, there is a growing focus on developing specific risk assessment exercises. “This highlights a trend to continue assessing organisations’ resilience in a context of transition towards more sustainability in a digital world,” the report said.

What’s New in Cyber

A cohort of leading cybersecurity and technology organizations, including AWS, Splunk, IBM Security, and others, have come together for an open-source effort, called the Open Cybersecurity Schema Framework (OCSF) project, to break down data silos that hamper security teams. The project aims to help organizations detect, investigate, and stop cyberattacks more quickly and effectively.

The Australian Council of Financial Regulators released a revised version of the Cyber Operational Resilience Intelligence-led Exercises framework (CORIE framework v2.0). The CORIE framework aims to support the preparation and execution of industry-wide financial sector cyber resilience exercises.

Here’s a look at the current state of cyber risk and compliance management based on recent reports:

• The global average cost of a data breach reached an all-time high of $4.35 million in 2022, marking a 2.6% increase from the year before, according to the IBM-Ponemon Institute’s Cost of a Data Breach Report 2022.
• According to ENISA Threat Landscape for Ransomware Attacks, around 10 terabytes of data were stolen each month by ransomware threat actors between May 2021 and June 2022. About 58% of the stolen data included the personal data of employees.
• In a mid-year update to its 2022 SonicWall Cyber Threat Report, SonicWall said that there has been an 11% rise in global malware, a 77% increase in IoT malware, and a whopping 132% spike in encrypted threats.
• VMware’s eighth annual Global Incident Response Threat Report identified application programming interface (API) as the new endpoint with 23% of the attacks now compromising API security. The report touted APIs as the next frontier for cyber attackers.
• In the PwC’s second Pulse Survey of 2022, cyber risk emerged as the top business risk – 40% of respondents categorized frequent and/or broader cyber attacks as a serious risk.
• In the Cloud Security Alliance and Proofpoint study, 58% of survey respondents said that third parties and suppliers were the target of a cloud-based breach in 2021.
• According to the 2022 Honeywell Industrial Cybersecurity USB Threat Report, the number of threats designed specifically to target industrial control systems increased slightly to 32% compared to 30% in the previous year.

What’s New in ESG

Regulatory focus on environmental, social, and governance (ESG) aspects continues to gather steam. A joint committee of European Supervisory Authorities, namely the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) published the first annual report on the extent of voluntary disclosure of principal adverse impact under the Sustainable Finance Disclosure Regulation (SFDR).

It lays out a preliminary, indicative, and non-exhaustive overview of best practices and voluntary disclosures. In another update, ESMA called for a “quality label” to prevent investors from being misled by greenwashing.

In Singapore, a new initiative has been launched to set a uniform baseline for banks to engage their corporate clients on environmental risk issues. The Association of Banks in Singapore (ABS) rolled out the ABS Environmental Risk Questionnaire (ERQ), which will enable banks’ customers to collect data points and identify opportunities for financing the transition to a low-carbon economy.

In Australia, the Financial Services Council (FSC) published its guidance on Climate Risk Disclosure in Investment Management. It details a set of common baseline expectations for net-zero commitments for the investment management industry, disclosure of climate-friendly investment features, and reporting of climate change risk.

Here’s a look at the current state of ESG risk management based on recent reports:

• To offset the impact of rising inflation, talent shortages, and supply constraints, the first areas where organizations will cut investments are mergers and acquisitions (M&A) and sustainability, according to a recent study from Gartner.
• In a recent survey conducted by Cognizant, 90% of respondents recognized attention to ESG issues as an essential aspect of being a modern business. However, only 35% of respondents said that they are currently incorporating ESG into company strategy.
   

What’s New @ MetricStream

We are gearing up to celebrate the 10th anniversary of our premier GRC event in London on November 8-9. The GRC Summit 2022 will feature keynotes from industry leaders, product innovation sessions, MetricStream customer success stories and practitioner-led case studies, deep-dive workshops, GRC journey awards, and more! To check out the complete agenda, click here.