For our second edition of Risk Hotseat, we sat down with Adelani Adesida, Aravo’s Senior Sales Director (EMEA). We put him on the spot to discuss recent EU ESG legislation, trends in cybersecurity, and best practices for approaching risk assessments.
The date for the initial filing of mandatory reports is fast approaching. The European Union Corporate Sustainability Reporting Directive, or the CSRD, took effect on the 5th of January this year. The CSRD brings non-financial sustainability reporting to the same level as financial reporting for the first time in history. Thus, providing the initial step in fulfilling the promise contained in the EU’s green deal: to be the first climate neutral economy by 2050. Initially, the new rules will apply to approximately 12,000 companies, growing to over 49,000 by January 2026 as the CSRD expands in scope.
Organizations will have to report on a range of different topics, including climate change, environmental protection, social responsibility, and governance. On the impact of future regulations, the CSRD is also introduced in the concept of double materiality. Whereby companies will be required to report both on their ESG risks and opportunities that affect their business, as well as on those ESG impacts of their business on the people and the environment. This will be representative of the significant amount of work required in fulfilling the reporting requirements and its multilayer demand shows just how adequate preparation is.
While the European Banking Authority is revising the ESG capital requirement framework so that lenders reflect environmental and social risks in mandatory, industry-wide buffers. Per the EBA, this is a significant shift in changing the risk profile for the banking sector. The development is expected to become more pronounced over time and has implications for the traditional categories of financial risks such as credit, market, and operational risks. The EBA report contains more than five pages of instructions for banks and national supervisors for both short- and longer-term changes. That includes plans for future regulatory action, which the EBA does suggest will require new legislation.
A notable trend is that banks are highly likely to face bigger losses as the economy moves towards net zero emissions. Though how big will depend ultimately on the policies adopted to address climate change. According to a September report by the European Central Bank, the changes the EBA is making as part of a larger reconfiguration of the bank’s capital framework, which includes more extensive disclosure requirements around ESG, is the latest demonstration of the EU’s willingness to take a global lead in responding to the risks posed by climate change.
As dependencies on third parties continues to increase, it’s critical to ensure organizations can effectively protect your data and your reputation. According to the Ponemon Institute, over 50% of data breaches are caused by the actions of a third party, meaning that every organization needs to conduct appropriate due diligence on vendors that process their customer or employee data, or have access to networks where that data resides.
Often in the financial services industry, we see organizations focus on mature risk materiality calculations, as opposed to just spend. The same goes with any organization, by scoping vendors and instituting the appropriate levels of due diligence, organizations can catch risks operating across multiple threat vectors.
Good vendor onboarding focuses on the ability to critically view every single vendor relationship and adopt a unified, decision-making framework. The goal is to uncover the risk posture of suppliers and measure those against our risk appetite. This is valuable as organizations can remain efficient when using a proportion approach to continue to drive operational effectiveness. How quickly can we onboard a supplier is important, but not at the cost of effectiveness. Ensuring that a proven methodology is in place and adopting an evidence-based profile significantly bolsters an organization’s cybersecurity measures.
The risk assessment stands as a cornerstone in strategic business decision making, the modern, structured, and meticulous approach to ensuring how effective they are. Now, having spent the first seven years of my career specializing in the enterprise risk management space, it’s important to recognize the value in both risk identification and really having a “so what” treatment approach. Risk assessments can be conducted on a qualitative or quantitative basis and are brought to life by well-defined rating scales as your program matures.
Tools like risk heat maps are helpful, but organizations do need to go a step further. We need to be able to act as we recognize these emerging risks at both a third-party and individual contractor engagement level. There may be a low-risk business partner we’re working with and that’s fine, but how do we identify if they’ve got a particular concern solely on their ESG risks?
If we break this down, there are about six pillars that fall into what we would refer to as best practice risk assessment methodologies.
Number one is the identification. Identifying risks involves recognizing and describing the potential pitfalls that will prevent us from meeting our business objectives.
Quantification being number two. Businesses need to quantify the risks, gauging their actual impact and likelihood to determine whether they are risks that can simply be accepted or transferred elsewhere.
Prioritization is the third pillar and that really ensures that we have (whether it’s a risk library or otherwise) a process of determining which risks are most critical and why. And this will allow us to rank and evaluate the risks to determine which should be addressed first, based on its significance to us.
Fourth is our evaluation stage. Now, once we’ve prioritized the risks to a business, a comprehensive evaluation piece is essential. It really allows us to weigh the magnitude of each risk against the appetite.
Fifth is management. This is the “so what” as we refer to it. Mitigating and managing risks forms the next stage, and strategic decisions are often made around whether we accept. It may be a low enough risk that actually the cost of implementing controls outweighs the cost of the risk that’s taking place. There are other mechanisms such as the ability to transform, having insurance in place if a risk does occur, and so on and so forth. But the key thing here is that having safeguards to diminish its effect, or even cancel a risk, are only helpful to an organization’s resilience.
Monitoring is the final point. Risks are inherently dynamic, so approving or identifying that a third party sits within our risk appetite is just one part of the journey. Ensuring that they stay there and having a mechanism to track if that organization still remains within our risk appetite is critical. And so that monitoring program needs to be taken with an element of proportionality. What are the most critical relationships that we have? Which of those do we need to monitor on an ongoing or an ad-hoc basis? And how do we want to allocate our resources, which are finite from the organization, to help ensure that we are able to be proactive as opposed to reactive? These are all questions we need to ask to ensure our continuous monitoring programs are effective.
Share with Your Friends:
