By Paula Fontana, Fusion Risk Management
2021 heralded a year of record cyber breaches, with the Identity Theft Resource Centre (ITRC) reporting that the number of data breaches publicly reported so far this year has already surpassed the total for 2020. With high-profile attacks hitting the headlines, from the SolarWinds breach and Colonial Pipeline Company shutdown to the CNA Financial attack, where one of the largest insurance companies in the United States paid a $40 million ransom so that it could continue to operate, risk and compliance have never been more important.
Ransomware and supply chain attacks are becoming increasingly systematic and organisations must have in place robustly developed, planned and tested risk and resilience frameworks. The stakes have been raised and there are no more excuses. There are no second chances. Organisations must adopt a holistic approach to resilience, and be proactive in making all business decisions with resilience in mind.
As we reflect on this past year, it raises the question: what is in store for businesses and their risk and compliance strategies in 2022?
Greater focus on ESG and cybersecurity programmes in risk modelling
The increase in cyber security attacks has driven a more stringent underwriting process, which has led to a maturing of the cyber insurance market and seen insurance companies demanding much more from organisations when it comes to risk mitigation. 2021 witnessed a high number of large-scale, devastating cyberattacks that rendered services inoperable for some time, caused the victims severe financial loss and have since left some customers deemed “uninsurable” because of poor cyber-hygiene. In 2022, businesses can expect greater accountability for minimising risk, as underwriters have grown a lot more aware of what kind of risk controls make effective cyber programmes.
They will need to evidence to their cyber insurance provider that they have in place robust and structured processes and policies to prevent a breach as much as they can. For example, cyber insurance underwriters now expect businesses to adopt multifactor authentication within their IT environment as well as an updated patch management programme, air-gapped and encrypted backups and employee awareness and phishing simulations among other strategies.
Customers, employees and investors are increasingly holding companies to account for their ESG practices around, for example, equality and diversity and climate change. Companies are expected to act morally and responsibly to support the broader objectives of not just their local community but the wider world. As with cyber insurance, insurance companies have linked the strength of ESG programmes to predictors for risk and placed increased scrutiny on these programmes. At the same time, there is increased momentum around the role of ESG in financial disclosures. For instance, the House of Representatives in the United States recently passed legislation that, if signed into law, would require companies to report ESG metrics. In Europe, SFDR regulations continue to evolve.
As we enter 2022, businesses will need to fully understand the ESG issues that affect their company and ensure these are embedded into their risk management and business operation framework. They will need to ensure ESG policies and procedures are integrated into their culture, systems and processes and be wholly transparent in their ESG approach through structured ESG reporting.
Risk and compliance are taking a primary role as change enablers
There’s no doubt about it: the game has changed when it comes to expectations that companies act responsibly and ethically to support a progressive and positive society. It’s more than just a bottom line; stakeholders expect that companies understand their relationship with the world around them. Without a robust risk management framework that includes ESG, resiliency and strong cyber and compliance programmes, there’s a serious risk to a company’s reputation, its ability to attract and retain the best talent and customers, and its market position too.
While risk and compliance were once seen as the organisation’s police, reacting to violations, misconduct, or other wrongdoing, that is no longer the case. As we move into 2022, organisations will be focused on ensuring risk management and compliance are as central to their ethos as, for instance, superior customer service or employee wellbeing. Ethical behaviour and decision-making programmes will become increasingly common as leaders overhaul the traditional perception of compliance within the workplace and instil proper risk-related governance where risk and compliance are seen as real change enablers.
Risk and compliance teams within organisations are uniquely suited to work cross-functionally with others in the organisation to be effective change agents. Their teams have access to all stakeholders and business processes, and they are accustomed to building programmes from grey or emerging topics and being effective with limited resources. Risk and compliance will continue in a business enablement role where they can identify and create strategic opportunities to achieve business goals and continue to achieve the organisation’s objectives.
Regulators will also shift to examining the culture of compliance within the organisation as part of sentencing guidelines or when determining fines, penalties etc. if wrongdoing occurred. Organisations must evidence that risk, resilience and compliance are woven into their values and that leadership is setting the appropriate tone from the top. They must demonstrate that they’re championing a culture of compliance, risk management, and ethics and continuing to improve this as the company evolves and regulations change around them.
Organisational resilience takes centre stage
Resilience is not just about overcoming a disruption or managing to operate in the face of multiple unexpected events outside of an organisation’s control – it means so much more than that. Organisational resilience is about proactive organisational decision-making, and this involves incorporating the separate functions of governance, risk, and compliance alongside other business functions into a business’s objectives.
Next year, we’ll see business leaders focus their attention on creating smarter, more resilient ecosystems. Third-party partnerships will be important to this too, with leaders placing third-party management at the centre of strategic risk and operational planning and modelling.
Whilst reputational risk has always been a concern, it has been hugely amplified in the last 12 months. Leaders realise that if an incident does occur, they need to demonstrate that it did not result from their organisation’s culture or values. They need to do this to minimise any reputational damage that a data leak or cyberattack can cause.
Organisational resilience is not just something you do once and it’s done, box ticked. It’s a lifelong living, breathing, ever-evolving process that does not occur overnight. We’re all learning together about the right and appropriate approach to risk and resilience, and the journey is never really finished. It’s about creating a strong sense of organisational priorities and purpose, and mobilising stakeholders – employees, investors, customers – to personify this and truly deliver a robust and relevant business model with risk and resilience at the centre of the methodology.