In the last 22 months, the world has changed both drastically and unexpectedly. In all areas of life, processes have been altered and redefined to fit the needs of the new landscape. Based on recent events, I believe that 2022 will represent a distinct focus on cyber risk and resilience driven by three key factors: governance, risk, and compliance (GRC); environmental, social, and governance (ESG); and operational resilience.
Cyber Risk Quantification
With the numerous and widely promoted cyber breaches this year, it’s hard to believe that cyber risk is still one of the last survivors of manual or antiquated processes when it comes to assessing risks. When you consider a full scope of GRC, most tools for measuring an impact are done in numerical terms and, in some cases, can be assigned a monetary value. But for too long Chief Risk Officers (CROs) and Chief Information Security Officers (CISOs) have been dependent on tools like heatmaps or high-/medium-/low-risk scores. I predict that 2022 is the year the enterprise kicks imprecise metrics to the curb and adopts advanced cyber risk quantification tools.
Advanced tools around cyber risk quantification will quickly become a best practice for the enterprise, providing a much more accurate measure to an organization by assigning a numerical dollar value that allows businesses to set strategic goals for addressing the potential cost of cyber hacks or external threats. Equipped with precise cyber risk quantification, the c-suite and board members can understand, analyze, and act on cyber risk. Using modeling tools like Monte Carlo simulation, risk scenarios can also be run to prioritize action plans and investments. These tools provide the enterprise with the ability to measure, manage, and see risk holistically, gaining valuable insights to make more strategic decisions.
Environmental, Social, and Governance (ESG)
There is no doubt that the past 22 months have marked a turning point with a renewed focus on assuring businesses are growing responsibly and reducing their overall carbon footprint. Looking ahead, I predict that we will not only see the development of international ESG standards but also new regulations emerging that require disclosures of ESG metrics, as well as strategic plans to improve ESG performance.
Since 2019, investments in ESG have risen by 96%, according to BlackRock. This significant increase is no fluke – ESG is making its way into boardrooms and is here to stay. While ESG is much broader than just focusing on the environmental impact, we see the “E” aspect of ESG as leading the charge.
Companies are reporting more and more sustainability metrics, such as their carbon emissions. In fact, some airlines have made it a point to make each flight’s carbon emissions publicly available information. It won’t be long before customers will choose to book a specific flight because it yields the lowest amount of carbon emissions.
While a key driving factor around ESG is a focus on the environmental impacts of organizations, I also predict that 2022 will be the year of establishing a thoughtful approach to fostering a work environment that is based on solid diversity, equity, and inclusion goals.
ESG is the next big frontier in GRC. Organizations that have implemented an ESG-enabled GRC platform have already taken a major step forward in being able to measure and report their ESG scores. Organizations that are still debating the importance of establishing an ESG strategy should be feeling pressure to move quickly so that they can respond to this new market dynamic.
Operational Resilience
It may be overstated by this point, but there’s no denying that the pandemic, increased cyber threats and data breaches, intense regulatory requirements, and environmental and social pressures have created one of the most disruptive business climates in our history. If you reflect 10 years ago, GRC was handled reactively and mostly considered isolated issues to be dealt with as they arise. Technology has emerged to make this process easier and more strategic over time.
Looking into 2022, Enterprise GRC will be a new business imperative emerging from the back office to the board room as a catalyst for achieving operational resilience. Operational resilience is defined by Gartner as “initiatives that expand business continuity management programs to focus on the impacts, connected risk appetite and tolerance levels for disruption of product or service delivery to internal and external stakeholders.”
Achieving operational resilience will be critical to the basic operations of an organization where chaos will continue to prevail, forcing businesses to set their strategy before the next new crisis hits. In fact, at the European Union level, operational resilience requirements within the financial sector are currently embedded in a variety of legislation and guidelines. Specifically, the Digital Operations Resilience Act (DORA) is the European Union’s attempt to streamline the third-party risk management process across financial organizations. We are also seeing similar moves in the U.S. from the Federal Financial Institutions Examination Council and Federal Reserve, as well as the Monetary Authority in Singapore. This means that a solid GRC strategy that enables operational resilience will move quickly from a nice-to-have to a regulatory requirement.
Here’s the good news: GRC has a long-standing history of delivering value to the enterprise. It’s inherently built to aggregate data from multiple sources across an extended enterprise and even across third-and fourth-party partners. It’s designed to map multiple autonomous database systems into a single federated database. Add intelligence, advanced AI capabilities, and intuitive dashboards, and you are well on your way to managing risks, embracing risks, and ultimately thriving in 2022.