July 2022 GRC Recap - What’s Trending in the Governance, Risk, and Compliance Universe?

Introduction

Two things were on the top of our minds the past month: The sweltering heat and rising concerns about a macroeconomic downturn.

Almost all of the Northern Hemisphere experienced record-breaking heat waves this past month. This has not only created a sense of urgency to address climate change, but has also brought the spotlight on environmental, social, and governance (ESG) risk, reporting, and regulations.

US President Biden announced new executive steps to combat climate change but stopped short of issuing the much-called climate emergency declaration. Meanwhile, on the other side of the Atlantic, the UK is exploring a new task force to help investors measure the ‘S’ in ESG.

The interconnectedness and dynamic nature of risk continued to make headlines in July 2022. Gartner flagged the unusually high degree of interrelated risks as it identified concerns of a macroeconomic downturn as the top quarterly emerging risk in Q2 2022.

State-sponsored cyber attacks and key material shortages also made it into the top five. Chris Matlock, vice president with the Gartner Legal, Risk & Compliance practice, writing in the Gartner’s Quarterly Emerging Risks Report, had this to say: “The top five risks reported by respondents were notable both for their interconnectedness and origination outside of the organization.”

A lot more happened in the month of July. Scroll down for a quick glance at the top stories that made it to the headlines in the world of risk, operational resilience, compliance, IT and cyber risk, and ESG.

Trending in Operational Resilience, Business Risk, and Compliance

• The war in Ukraine has triggered a re-evaluation of systemic risks. Robert Muggah, co-founder, SecDev Group and co-founder Igarape Institute, in an article for the World Economic Forum, said. “…systemic risks are proliferating faster than the systems in place to address them” requiring both the private and public sector to adopt measures to reduce risk exposure and cultivate the “mindset, capabilities and partnerships to strengthen risk resilience.”
• The Governmental Accounting Standards Board (GASB), an independent organization that establishes accounting and financial reporting standards for U.S. state and local governments released a proposal that will require governments to disclose information on key risks that could impact the level of services they offer.
• The Allianz Risk Barometer 2022 highlights the most important global business risks for 2022. The top three risks were cyber incidents, business interruptions, and natural catastrophes.
• A new article titled, “Why Front-Line Whistleblowers Are Crucial To Your Organization’s Risk Posture” by Gaurav Kapoor, co-CEO and co-Founder of MetricStream explores the benefits of building a culture of compliance for front-line workers.
• The 2022 State of Risk Oversight by the American Institute of Certified Public Accountants (AICPA) found that more than two-thirds of organizations surveyed “still cannot claim they have complete ERM in place.”
• Deloitte’s 2022 Banking Regulatory Outlook advises banks to maintain focus on the basics including good governance, risk management, internal controls, and financial strength while also getting ready for emerging laws and regulations in the areas of climate, financial inclusion, and digital assets.
• The 13th "Cost of Compliance Report" published annually by Thomson Reuters is now out. The speed and volume of regulatory change and shortages of skilled professionals have been highlighted as the most urgent challenges but on the positive side, most compliance professionals felt that outsourcing, and new technology, especially regulatory technology, will help plug some of the gaps.
• Potential measures that will oversee and strengthen the resilience of services provided by critical third parties (CTPs) to the UK financial sector have been set out by the Bank of England, the Prudential Regulation Authority and Financial Conduct Authority.
• The Hong Kong Monetary Authority has released the seventh Guide of the series that focuses on Third-Party Monitoring and Risk Management (TPRM) and associated Regtech solutions.
• Compliance measures to address sanctions enforcement has become a core priority for the US Department of Justice (DOJ).

Trending in Cyber Risk and Compliance

• A new report titled “Treading Water: The State of Cybersecurity and Third-Party Remote Access Risk” by the Ponemon Institute is out. Top stats to note:
  • 54% of organizations have experienced a cyberattack in the past 12 months
  • 64% of organizations still rely on manual monitoring procedures, costing an average of seven hours per week to monitor third-party access
  • 49% of organizations have experienced third-party attacks in the past 12 months despite being among the 60% who have made changes to their cybersecurity structure 
• The National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for the health care industry.
• A new article by the World Economic Forum (WEF) offers insight into how the cloud has brought a shift in cybersecurity.
• New research by Trend Micro finds that 54% of global organizations feel their cyber risk assessments are not sophisticated enough.
• The Office of the Superintendent of Financial Institutions (OSFI), Canada, released its final Guideline B-13. The guideline for technology and cyber risk aims to provide specific guidance to enable organizations to balance innovation and risk management.
• New findings from Skybox Security found that the top cybersecurity challenge was the insufficient identification of cyber risks with 40% of CISOs saying that they are not prepared to handle the rapidly evolving cyber threat landscape.
• A new cybersecurity law has come into effect in the state of Virginia. The law requires agencies and local governments to report cybersecurity incidents within 24 hours of detection.
• A recent article in the HIPAA journal outlines the compliance requirements of the draft American Data Privacy and Protection Act (ADPPA). The first draft of the bill was released in early June.
• A joint cybersecurity advisory on North Korean state-sponsored cyber actors use of Maui ransomware has been released by the CISA, FBI and Treasury Department

Trending in ESG

• 27% of Chief Supply Chain Officers have conducted a climate change risk assessment according the 2022 Emerging Priorities in Supply Chain Survey by Gartner. However, only 19% of surveyed companies were found to be using tools and technology to assess climate change risks.
• In a recent Bloomberg article, Morgan Lewis attorneys discuss the importance of the ‘S’ in ESG and what employers need to know about human capital disclosures.
• Only the E matters in ESG and the E should represent ‘emissions’ not ‘environmental’ says a new article published in the Economist.
• The Environmental Risk Outlook 2022 has highlighted the cascading flow of climate risks, especially the importance of assessing the second-order threat of climate risks.
• A new article explores the transatlantic implications for multinational companies that will result from emerging EU ESG requirements
• A new report by Avanade and the European Financial Management Association finds that only 53% of banks will be ready for ESG regulatory reporting.
• Accessing relevant ESG data remains a key challenge facing banks. Read the measures outlined by flow’s Desirée Buchholz.
• The European Central Bank outlines key steps to incorporate climate change into its monetary policy operations. The measures aim to reduce financial risk related to climate change, promote transparency, and facilitate a green transition of the economy.

July 2022 Webinars at @MetricStream

The webinar Managing the Deluge of New Cryptocurrency and Digital Asset Regulatory Change saw thought leaders Jennifer Clarke, Senior Editorial Manager, Regulatory SME, CUBE, Alex Royle Head of Compliance and Regulatory Affairs, EMEA, Galaxy Digital, and MetricStream Product Marketing leaders Loren Johnson and Suneel Sahi discuss the risk and compliance landscape surrounding cryptocurrency and digital assets.

Watch the recording.

In the webinar Connected, Continuous and Constantly Changing: Tackling the Intersection of Cyber and Third-Party Risks, third-party and cyber risk expert Linda Tuck Chapman and MetricStream Product Marketing leaders Loren Johnson and Patricia McParland participated in an interactive discussion on what’s new, what’s next, and how to thrive in an increasingly complex, connected web of risk.

Download the recording.

Get Ready for the GRC Summit

MetricStream’s GRC Summit 2022—much looked forward to by the GRC community as a platform to share insights, exchange best practices, and more importantly to discover what's next in GRC—is back, with an in-person event as we celebrate the 10th year.

Meet us on November 8th and 9th in person at the Royal Garden Hotel in London, UK. Register Now.