The COVID-19 pandemic has revealed some systemic weaknesses in the global supply chain, changes in customer and investor preferences, a proliferation of remote working models, and the need to reconfigure third-party risk service models. In short, the pandemic has changed the meaning of risk for leaders in the global economy.
At the same time, regulators and investors began demanding more detailed reports and disclosures. In a dynamic business environment with evolving risks, the CFO’s role has become more demanding and complex. CFOs should prepare to adapt their risk management frameworks to reflect new realities and respond to calls for more transparency in disclosures.
Three key areas CFOs need to focus on are third-party risk management, reputational risk, and cybersecurity risk related to enhanced disclosure requirements.
Is your third-party risk management framework up to date?
COVID-19 disrupted standard vendor screening and monitoring procedures. According to a 2021 report by KPMG, many companies have accepted short-term breaches of their risk management policies by third parties to maintain business continuity. Likewise, vendors have rapidly transitioned to remote working models and reconfigured service delivery models. The question now is which of these changed processes will become permanent and which lessons learned should be carried forward.
Post-pandemic, finance and risk management professionals need to assess new criteria, including:
Streamline third-party risk assessment processes, including verifying the value of on-site inspections
Assess the geographic concentration of business process outsourcing vendors and whether backup systems are sufficiently diversified
Leverage internal and external data to gain insight into vendor control environments
Adjust the risk profiles of providers based on their geographic location and backup systems, so that the vendor base is sufficiently geographically diversified
Use artificial intelligence, machine learning and predictive analytics to improve the identification, monitoring and management of third-party risks
Expand the options for monitoring external employees
Is your organization prepared to mitigate the reputational risks associated with disclosures in enhanced reports?
CFOs must continue to evaluate their financial statement disclosures and navigate regulatory changes. Investors and regulators are striving for more transparency about the impact of external developments on companies. Companies that fail to meet these requirements risk SEC orders and penalties, as well as reputational damage.
In 2020, the SEC filed charges against The Cheesecake Factory for minimizing disclosures about the impact of the COVID-19 pandemic on its operations and financial condition. Although the penalty was considered minimal, the act was widely viewed as a warning shot for all publicly traded companies about the importance of disclosing material events to investors and the reputational risk of not doing so.
SEC Chairman Gary Gensler recently doubled down on the agency’s legal authority to require all publicly traded US companies to make expanded disclosures, which he says “follows a long tradition of disclosure.” CFOs should prepare for the potential implementation of two key proposed rules deemed critical for the SEC: environmental, social and governance (ESG) reporting and cybersecurity disclosures.
The SEC has issued a proposed rule on climate disclosure requirements that would increase ESG reporting requirements for US public companies. The requirements include improved disclosures of greenhouse gas (GHG) emissions and qualitative disclosures about the likelihood and materiality of the impact of climate-related risks. The proposed rule would also require enhanced governance disclosures on the ESG capabilities of the board and executive teams.
The proposed new cybersecurity disclosure requirements would require cyber incidents to be disclosed on Form 8-K within four business days. Cyber disclosures from the 8-Ks would also need to appear in the Form 10-K (Annual Report), and the 10-K would need to include an overview of the organization’s cybersecurity program. The proposed rule would also require more detailed disclosures about the board’s role in mitigating cybersecurity risks.
CFOs should continuously assess their organizations’ readiness and response to regulatory changes. According to a recent E&Y report, CFOs should consider investing in modeling tools to map future disclosure requirements and tax scenarios and prepare for the added complexity.
Is your organization prepared for increased cybersecurity risks?
Most organizations have quickly adapted to new ways of working to provide customers with critical business services. The rise of remote working has increased the attack surface of organizations by creating more entry points where unauthorized users can access a system or extract data.
As organizations seek to mitigate the risk associated with their expanded attack surfaces, sophisticated attackers seek vulnerabilities in systems and networks. CFOs need to invest in systems, processes and people to mitigate the risk of cyberattacks and protect the business and its assets.
Finance and risk professionals must:
Regularly identify high-risk areas that need vulnerability testing
Use white hat hackers to identify security gaps in the IT ecosystem using an outside-in approach
Quickly identify new attack vectors created by process changes
Improve training for increasingly remote workers to ensure security is part of the company culture
Strengthen network security for VPN connections
Plan for the worst-case scenario, including the availability of alternative currencies in the event of a ransomware situation
Simone Grimes is CFO at Acadia Insurance.