Cyber and Compliance, ESG and Organizational Resilience: They’re All Connected
Incorporating the elements of governance, risk and compliance alongside other business functions and goal-setting
Friday, January 28, 2022
By Lauren Kornutick
2021 was a record year for cyber breaches, as reported by the Identity Theft Resource Center. With high-profile attacks hitting the headlines – from SolarWinds to Colonial Pipeline to CNA Financial, where one of the largest insurance companies in the United States reportedly paid a $40 million ransom so that it could continue to operate – risk and compliance have never been more paramount.
What is in store for businesses and their risk and compliance strategies in 2022?
Ransomware and supply chain attacks are becoming increasingly systematic, and organizations must have in place robustly developed, planned and tested risk and resilience frameworks. The stakes have been raised, and there are no more excuses. There are no second chances. Organizations must adopt a holistic approach to resilience, and be proactive in making all business decisions with resilience in mind.
ESG and Cybersecurity in Risk Modeling
The increase in cyberattacks has driven a more stringent underwriting process, which has matured the cyber insurance market and led insurance companies to demand much more from organizations when it comes to risk mitigation. A high number of large-scale, devastating cyberattacks in 2021 rendered services inoperable for some time, while the victims of the attacks suffered severe financial losses, and some were deemed “uninsurable” because of poor cyber hygiene.
In 2022, businesses can expect to experience a greater expectation of accountability in minimizing risk, as underwriters have grown a lot more aware of what kind of risk controls make effective cyber programs.
They will need to demonstrate to cyber insurance providers that they have in place robust and structured processes and policies to prevent a breach. For example, cyber insurance underwriters now expect businesses to adopt multifactor authentication within their IT environment, as well as an up-to-date patch management program, air-gapped and encrypted backups, and employee awareness and phishing simulations, among other strategies.
Customers, employees and investors are increasingly holding companies to account for ESG practices around equality and diversity, for example, as well as climate change. Companies are expected to act morally and responsibly to support the broader objectives of not just their local community, but the wider world. Similar to cyber insurance, insurance companies have linked the strength of ESG programs to predictors for risk and placed increased scrutiny on these programs.
At the same time, there is increased momentum around the role of ESG in financial disclosures. For instance, the U.S. House of Representatives passed legislation last year to require companies to report ESG metrics, and Europe’s Sustainable Finance Disclosure Regulation (SFDR) continues to evolve.
Businesses this year will need to fully understand ESG issues that affect them and embed them into their risk management and business operation framework. They will need to ensure ESG policies and procedures are integrated into their culture, systems and processes and be wholly transparent through structured ESG reporting.
Risk and Compliance as Change Enablers
There’s no doubt about it: the game has changed when it comes to expectations that companies act responsibly and ethically to support a progressive and positive society. More than just the bottom line, stakeholders expect that companies understand their relationship with the world around them. Without a robust risk management framework that includes ESG, resiliency and strong cyber and compliance programs, there’s a serious risk to a company’s reputation, its ability to attract and retain the best talent and customers, and its market position.
No longer are risk management and compliance merely an organization’s police, reacting to violations, misconduct or other wrongdoing. Looking to 2022, organizations will be focused on ensuring that risk and compliance are central to their ethos just as much as, for instance, superior customer service or employee well-being. Ethical behavior and decision-making programs will become increasingly common as leaders overhaul the traditional perception of compliance within the workplace and instill proper risk-related governance – where risk and compliance are seen as real change enablers.
Risk and compliance teams are uniquely suited to work cross-functionally with others in the organization to be effective change agents. Their teams have access to all stakeholders and business processes, and they are accustomed to building programs around gray or emerging topics and being effective with limited resources. Risk and compliance will continue in a business-enablement role, identifying and creating strategic opportunities to achieve business goals and organizational objectives.
Regulators will also shift to examining the culture of compliance within the organization, as part of sentencing guidelines or when determining fines, penalties and similar sanctions if wrongdoing occurred. Organizations must evidence that risk, resilience and compliance are woven into their values and that leadership is setting the appropriate tone from the top. They must demonstrate that they are championing a culture of compliance, risk management and ethics, and that they are continuing to improve in these areas as the company evolves and regulations change around them.
Resilience Takes Center Stage
Resilience is not just about overcoming a disruption or managing to operate in the face of multiple unexpected events outside of an organization’s control. Much more than that, resilience is about proactive organizational decision-making, and this involves incorporating the separate functions of governance, risk and compliance alongside other business functions into a business’s objectives.
This year, we’ll see business leaders focus their attention on creating smarter, more resilient ecosystems. Third-party partnerships will be important to this, too, with third-party management being placed at the center of strategic risk and operational planning and modeling.
While reputational risk has always been a concern, it has been hugely amplified over the past year. Leaders realize that if an incident does occur, they need to demonstrate that their organization’s culture or values were not the cause. This is necessary to minimize any reputational damage from a data leak or cyberattack.
Organizational resilience is not something you do once and then consider done, box ticked. It’s a life-long, living, breathing, ever-evolving process that does not take shape overnight.
We’re all learning together about the right and appropriate approach to risk and resilience, and the journey is never really finished. It’s about creating a strong sense of organizational priorities and purpose, and mobilizing stakeholders – employees, investors, customers – to personify and truly deliver a robust and relevant business model with risk and resilience at the center of the methodology.
Lauren Kornutick is solutions manager, compliance, at Fusion Risk Management. She has over 15 years of risk management and compliance experience and previously, at Grant Thornton, successfully led efforts to stand up the firm’s privacy program.