2022 Through the GRC Lens – A Year in Review
GRC | 6 Min Read | 05 January 23 | by Shampa Mani
2022 was a year of transformation and continued disruption. The COVID-19 pandemic showed signs of abating thanks to global vaccination drives. But the escalating geopolitical crisis in Europe had an impact that is still being felt across the world. 2022 saw continued loss of human life, geopolitical upheaval, supply chain disruptions, rising inflation, an enduring energy crisis, reduced business confidence, and even state-sponsored cyber attacks. Organizations across sectors are now operating in a highly uncertain business environment and a heightened risk landscape. From a GRC perspective, 2022 saw a sharper focus on a few key trends – operational resilience, cyber risk, and ESG.
In 2020, when the pandemic forced the world into lockdown, enterprises had to step up their operational resilience measures. Two years on, it is evident that merely protecting against and preventing risk incidents is not enough: the enterprise must be resilient enough to recover from disruptive events and carry on with business as usual. According to the BCI’s Operational Resilience Report, 77.9 percent of organizations already have, or are developing, an operational resilience strategy.
Strengthening operational resilience has also been a top regulatory priority in 2022. Both the U.S. Federal Reserve and the Hong Kong Monetary Authority reiterated that operational resilience would remain a supervisory priority for the foreseeable future given the disruptive risk landscape and its possible impact on businesses and national financial stability. The Australian Prudential Regulation Authority (APRA) announced a new prudential standard to fortify the management of operational risk in the banking, insurance, and superannuation industries. Singapore issued its Business Continuity Guidelines for financial institutions with a focus on operational resilience.
Regulators are focusing on measures to ensure operational resilience across the extended enterprise as well. In Europe, the EBA highlighted the importance of operational resilience for all banks, with particular emphasis on cyber risk and third-party risk.
The UK Prudential Regulation Authority’s supervisory statements SS1/21 and SS2/21 apply not just to banks, but also to some investment firms, insurance companies, building societies, UK-recognized investment exchanges, electronic money institutions, and registered account information service providers. They also cover the third-party vendors these firms may be working with. The rules require organizations to identify critical services and prepare for disruptive events to ensure continuity and resilience. The British Standards Institution updated its British Standard on organizational resilience, BS 65000:2022 Organizational Resilience – Code of Practice, which provides guidance on developing operational resilience against future threats.
The Global Resilience Federation’s (GRF) Business Resilience Council (BRC) issued the Operational Resilience Framework (ORF). It aligns with existing standards such as NIST and ISO and aims to reduce operational risk and service disruptions while limiting the impact of threats and attacks.
54 percent of organizations have faced a cyberattack over the last year, and the global average cost of a data breach stands at an all-time high of USD 4.35 million. The situation is made worse by state-sponsored cyberattacks that have escalated in the wake of the war in Ukraine. In fact, according to the European Union Agency for Cybersecurity, the world is now witnessing a broader set of cyberattacks, ranging from zero-day attacks and hacktivist attacks to AI-powered disinformation campaigns and deepfakes.
2022 saw the cybersecurity industry and technology leaders of the world banding together to better address the heightened cyber risk landscape. A group of cybersecurity providers joined hands to launch the Operational Technology Cybersecurity Coalition which campaigns for company-agnostic, interoperable, and standards-based solutions and aims to work in partnership with key stakeholders to devise the best cybersecurity strategies. Another group of cybersecurity leaders launched an open-source project, called the Open Cybersecurity Schema Framework (OCSF), to facilitate faster detection and more effective prevention of cyberattacks.
Regulators are also working to protect organizations from rising cyber risks. In the US, the Securities and Exchange Commission sought to protect public companies with a set of amended rules on improving and standardizing disclosures on cyber risk management, governance, and incident reporting. Key security agencies, including CISA, the NSA, and other international cyber authorities, issued an advisory to protect managed service providers and their customers from cyberattacks. The Office of the Superintendent of Financial Institutions (OSFI) issued Guideline B-13, which outlines the measures federally regulated financial institutions should take to better manage technology and cyber risks. Banks must now report cybersecurity incidents to their primary federal regulator within 36 hours. This tight new deadline was announced amid the government’s warning about the increased risk of state-sponsored cyberattacks. And the Senate passed a new bill to strengthen critical cybersecurity infrastructure.
In Europe, the focus is on collaborative and unified action to protect organizations and improve cyber resilience. The European Parliament and Council adopted a new law to strengthen security and resilience across organizations. It aims to standardize security measures across the region, which are currently highly fragmented, with regional variations that increase vulnerabilities. The European Systemic Risk Board (ESRB) issued recommendations on systemic cyber risks and a comprehensive European systemic cyber incident coordination framework. The recommendations were welcomed by the three key European Supervisory Authorities – the EBA, EIOPA, and ESMA. The European Council and European Parliament signed a provisional agreement to strengthen cybersecurity and resilience, and the EU Digital Services Act also came into force this year to keep the internet safe. In the UK, the Bank of England is working on new IT resilience rules for financial institutions.
Escalating climate change and a turbulent socio-cultural environment put the spotlight firmly on ESG. With the war in Ukraine and other geopolitical tensions, it is now evident that organizations will continue to work in a highly fraught ESG risk environment over the next year. Consequently, today more than half of FTSE 100 companies have ESG committees, and 87 percent of business leaders intend to increase investment in sustainability over the next couple of years. The UK is demanding stringent climate stress tests for banks and insurers, and global regulators are advocating external checks on bank climate data. Leading Canadian and American banks, along with the Risk Management Association, formed a consortium in 2022 to tackle climate risks, while European investors pushed for greater diversity on the boards of banks.
A number of new standards were announced across the world, including the Basel Climate Principles and the Climate Related Risk Management Principles by the US OCC. The Financial Stability Board issued supervisory and regulatory approaches to climate-related risks while the ISSB released a proposal to create a global standard of sustainability disclosures. The KBRA issued a framework for embedding ESG Risk Management in credit ratings.
In the US, the Biden administration reversed a Trump-era ruling to restore key elements of the National Environmental Policy Act that calls for federal scrutiny of the climate impacts of large infrastructure projects. The Federal Reserve proposed a plan for banks to manage financial risks related to climate change and the SEC proposed rules for standardized and improved climate disclosures for investors. And in a significant first step, the SEC charged a company for ESG fraud this year.
There was also increased focus on the issue of greenwashing. The European Financial Reporting Advisory Group (EFRAG) published a broad range of sustainability targets to combat greenwashing, and the three European supervisory authorities announced a Call for Evidence on possible greenwashing practices within the EU financial sector. Meanwhile, the European Central Bank stepped up its pressure on banks to accelerate climate change-related activities. European banks are now required to make full climate-related disclosures, as mandated by the EC. In the UK, the Bank of England conducted the second edition of the Biennial Exploratory Scenario on climate change-related financial risks, and the FCA announced that it was working on a Code of Conduct for providers of ESG data and ratings. Singapore, too, issued a standardized format for corporate assessment of environmental risk.
As we step into 2023, parts of the world are witnessing a resurgence of COVID-19 while war rages on in Europe and the threat of an economic downturn looms large. Organizations will continue to operate in a heightened risk landscape in 2023. Regulations and standards will continue to evolve as the risk landscape changes, and there will be greater emphasis on mitigating the impact of a recession in addition to cybersecurity, ESG, and operational resilience.