Shaping Risk Management In 2022

The past 18 months have marked a turning point, with enterprises renewing their focus on reassessing their governance, risk management and compliance (GRC) capabilities in constantly evolving market conditions. A Deloitte survey found that 84% of financial services firms in Asia Pacific plan to enhance existing resilience plans, with 88% reporting they were conducting or planning to conduct frequent simulation exercises.

“Based on recent events, 2022 will usher in a distinct focus on risk management and resilience driven by three key factors: cyber risk quantification with GRC, Environmental, Social, and Governance (ESG), as well as operational resilience,” said Aravind Varadharajan, Senior Vice President & Managing Director, APAC for MetricStream.

Cyber Risk Quantification  

According to IDC, investments in security-related products and services are expected to grow at a five-year CAGR of 13.3%, reaching a whopping US$35 billion by 2024 in Asia Pacific. This is in response to the rise in cybercrime sophistication, which has grown exponentially. The figures indicate that many enterprises still use traditional or antiquated processes when it comes to assessing cyber risk.

For too long, Chief Risk Officers (CROs) and Chief Information Security Officers (CISOs) have been dependent on heatmaps or high/medium/low risk scores to measure risk. Moving forward, enterprises should incorporate a full scope of GRC digital tools to measure impact in quantifiable terms.

In 2022, many enterprises will likely do away with traditional risk assessment measurement tools and adopt advanced cyber risk quantification tools instead, which assign a dollar value to give precise measurements of an enterprise’s risk appetite. These tools give the enterprise the ability to measure, manage, and see risk holistically, and provide valuable insights for making more strategic decisions to address the potential costs of cyber risk or other threats. Armed with this knowledge, risk and security professionals can justify investments to the C-suite and board members in quantifiable terms.

Environmental, Social, and Governance (ESG)  

ESG is growing in importance for many businesses across industries in the region. According to the 11th annual EY/IIF global bank risk management survey, a staggering 100% of Asia Pacific CROs recognise climate change as a top risk requiring their utmost attention, compared to 49% globally. In comparison, European organisations, widely heralded as leaders in environmental, social and governance (ESG) action, have resorted to dropping clients to dodge costs tied to ESG risk.

To overcome the cost of ESG risk, enterprises must incorporate ESG risk management, an emerging area of governance, risk, and compliance (GRC). In 2022, the implementation of an ESG-enabled GRC strategy will take precedence among enterprises to accurately measure and report ESG scores.

Operational Resilience  

According to Gartner, operational resilience is defined as “initiatives that expand business continuity management programs to focus on the impacts, connected risk appetite and tolerance levels for disruption of product or service delivery to internal and external stakeholders.” In an environment with constant change, enterprises that weather the storm do so by having plans in place even before the next crisis. Spearheading this movement, authoritative bodies in the region have begun embracing operational resilience requirements within the financial sector with a plethora of regulations and guidelines.

Most notably, the Monetary Authority in Singapore has published a paper that highlights possible risks to financial services and suggests risk management actions, as well as guidelines to benchmark themselves against. The Hong Kong Monetary Board (HKMA) has recognised the urgent need for operational resilience among businesses and developed the principles for operational resilience within the banking sector. Similarly, the Securities and Futures Commission (SFC) released operational resilience standards and framework measures to supplement existing guidance for issuance of licences for corporations and introduction of new regulations.

In summary, adopting an effective GRC strategy to rationalise data from varied sources across the enterprise ensures that leaders will be well on their way to managing, embracing, and ultimately thriving on risk in 2022.
