Business and organizational leaders have a significant responsibility to proactively address a rapidly evolving, complex and unpredictable risk landscape, and to provide stakeholders with a greater level of assurance, according to Heather Acker, Baker Tilly’s national risk advisory practice leader. At the same time, regulation continues to increase and remains highly relevant in this space. In such a dynamic environment, organizations need to plan for, and commit resources to, risks they cannot yet foresee.
During a recent webinar, Acker led a roundtable discussion alongside three other Baker Tilly senior risk advisory partners on the current risk environment. The panel delved deeper into three specific risks that industry and organizational leaders are facing in 2023: (1) talent, (2) cybersecurity and (3) environmental, social and governance (ESG) issues. Following is an edited version of their comments.
Ben Quigley, principal in the risk advisory practice. The pandemic changed the way that organizations think about resourcing themselves to manage risk. This includes having a proper governance model in place that is risk-proportionate to the organization, combined with having the right talent to identify emerging risks more successfully and to shift resources, as needed, to help the organization respond to incidents they weren't prepared for prior to the pandemic.
Risk stewards of organizations are getting smarter with how they organize and prioritize risks. Aside from high-impact risks to an organization, and compliance risks related to specific laws and regulations, risk stewards may need to consider some form of proactive assurance or advisory-based assessment to prepare for emerging risks. Assessing changes an organization may need to make to address emerging risks can be an effective use of resource time.
If an organization implements a new system, process, department or program to support an emerging risk, internal audit may lean in and provide subject matter expertise about how a strategic change is being implemented. This focus allows the risks of change to be identified and managed before they have a chance to become issues that impact operational performance, and before regulation mandates that the risk be managed.
Cassandra Walsh, national business risk services practice leader. The pandemic served as a catalyst for organizations across all industries to have an increased focus on their enterprise risk management (ERM) program and to define or redefine the responsibilities of the board, senior leadership and mid-management over operational, legal and compliance areas. The interconnectivity between ERM and internal audit compliance is central to supporting an organization's risk management activities. Organizations understand that the pandemic emphasized that the only constant in the business environment today is to be prepared for continuous change. And organizations need to set up their risk management infrastructures accordingly.
The pandemic disrupted organizations’ ability to operate in a particular business model and with a workforce that was built to operate in that business model. Organizations were forced to pivot creatively and with a velocity that did not allow time for trial and error. Rapidly changing your business model or numerous attributes of your work environment also affects an organization's ability to identify, address and manage past, current and future risks. This includes being able to stay on top of regulatory and compliance requirements, not just internally but also externally to appropriately understand and define something like ESG before it becomes a fire drill.
Organizations also are recognizing the need to look both internally and externally for expertise in areas like internal audit and advisory support, as well as compliance and legal assistance to stay on top of current and emerging risks.
Jeff Krull, national cybersecurity practice leader. Due to the increase in cybersecurity incidents in recent years, in particular data breaches, organizations are looking for comfort from their suppliers and other business partners to show that their systems are secure. However, there is no magic bullet or single playbook today that organizations can depend on to know that their suppliers’ and business partners’ systems are secure. Risks are constantly changing, and organizations must consider not just risk from the customer or regulator perspective, but how the organization balances investing in more cyber-risk protections versus purchasing cyber insurance.
Acker. The news about the talent problem is confusing – we see headlines about the “Great Resignation” and also about large job cuts, especially in the technology sector. At the same time, employers are facing skill gaps for significant roles. Because of demographic shifts, especially as more baby boomers retire, the U.S. Bureau of Labor Statistics estimates that by 2025 there will be fewer available workers ages 18 to 64 than open positions.
Quigley. Because employees are demanding a better work-life balance, organization leaders need to use data and listen to employees to develop an informed approach to structuring the workforce. In the end, however, employees at all levels should be focused on the quality of the hour spent at work, a “work smarter, not longer” mentality, which we're certainly seeing prevail across most industries.
Walsh. Before addressing the talent pool from a people perspective, it's important for organizations to address the structural questions around defining the workplace, the workday and the workforce. Defining the workplace includes determining whether the workplace is fully remote, fully on-site or a hybrid of both. Discussions about the workday were occurring even before the pandemic, but more organizations now realize that expectations about how many days and hours define the workweek have risen in importance among the talent pool they're trying to hire. Finally, defining the workforce is not just about the organizational infrastructure, but also needs to consider diversity, equity, the technical skills across all areas of a business, the necessary outputs needed from these individuals, how to compensate and reward the workforce, and how to show a path of professional growth.
Organizations are turning towards bringing in partners, whether outsourced or co-sourced, to help fill the needs when full-time equivalents do not exist to do certain jobs. Organizations are looking outward to maintain growth and meet regulatory requirements, but also to avoid legal compliance issues, revenue declines or poor product quality outputs.
Krull. From a cybersecurity talent perspective, if you're an organization that went remote during the pandemic, but now wants people back on premises, it may be difficult to retain your cybersecurity employees who might have other remote work options. We're seeing a real churn in some of these cyber positions at a time when many organizations have a laundry list of cybersecurity projects that need to get accomplished. One spot of good news is that many higher education institutions have started creating cybersecurity majors and various types of cyber programs. The challenge is that very few organizations want to hire entry-level cybersecurity professionals; they are looking for people with three, five or 10 years of experience, depending on what skillset they're looking for.
Krull. Verizon’s annual data breach report shows that 82% of breaches involve the human element – stolen credentials, phishing, misuse or simple errors. In most cases, this relates to a breakdown in basic cybersecurity controls, like ensuring that everybody has strong passwords and that multifactor authentication is enforced. Organizations not only have to make sure that their most important systems are secured, but also their non-mission-critical systems, because the latter are often the entry point for a bad actor who can then access all your systems.
Almost all data breaches are related to financial gain, so there are some well-funded criminals who will continue these attacks because they are taking these funds and “reinvesting” them into their businesses.
We are not at a point where cybersecurity gets easier; it will remain one of these risks that continues to evolve, and every organization will need to keep investing the necessary resources to protect the organization from both new and old risks.
Acker. ESG and related risks soon will be affecting organizations across most industries, either through requirements and regulations (such as the SEC’s climate impact regulations) or through stakeholder requests for information beyond an organization’s financial results.
Quigley. Pressure related to ESG is coming from large corporations, compliance requirements, internal and external stakeholders, and the institutional investors who own public shares in a company. Most Fortune 500 companies have established sustainability teams. They've published ESG and sustainability reports and have action plans and initiatives to improve ESG metrics. In some cases, this means they're asking more of their suppliers and service providers through supplier codes of conduct and requests for net zero carbon pledges. More companies will need to comply with ESG-related requests from their buyers if they want to continue working with them.
In November 2022, the federal government issued a proposed rule that anyone selling more than $4.5 million of goods and services to the federal government will need to disclose their greenhouse gas emissions and have them validated. If a company does business with the federal government, it's a future risk to consider. The European Union announced a new proposed rule that would require a much wider set of ESG disclosures, including social and governance topics, that would apply to public and private companies with over 40 million euros in revenue. Also, banks are starting to request ESG information as part of their underwriting process. Right now, it's more voluntary and focused on data gathering as opposed to affecting interest rates, but this could change.
Walsh. Many boards and organization leaders are talking about ESG even if they don’t think they are being asked to do any reporting yet. These conversations focus on where to start and how to address ESG when it hasn't been asked of you yet. If they take a closer look at their existing enterprise risk management plan, they may find that they have already incorporated elements and philosophies of the ESG standards into their plans.
Krull. An organization cannot view cybersecurity as something that is accomplished and checked off a list. It’s more like peeling an onion – organizations will address the risk right in front of them, and then they're going to move to the next set of risks. Expect cybersecurity to be an area where organizations will continually take an objective look at it, and always be working through old risks that maybe weren’t addressed well in the past, as well as any new risks that arise.
Walsh. Governance is key to managing existing and emerging risks. Everybody in an organization should understand their role as it relates to risk. Proper communications and conversations about risk need to happen between the board, the C-suite, risk managers and risk owners. While many organizations have the structure and the resources in place, many are still trying to mature their risk management activities.
Quigley. While the concept of ESG can seem overwhelming, many parts of ESG relate to things an organization is already evaluating, tracking and collecting data on – worker safety, data privacy, cybersecurity, fair hiring practices, board governance and energy procurement. These are just part of everyday business operations to keep the organization sustainable. The key now is to start to build awareness within the organization, starting with educating the board and senior leadership on ESG so they understand why it needs to be addressed. Organizations can establish a governance structure to support ESG awareness and compliance and integrate it within existing risk management practice, while looking at which ESG topics are most material to the organization and its stakeholders.
ESG frameworks exist that can help an organization understand what ESG metrics are important. The risk of not starting the process now is that you could lose revenue because you're not prepared. At the very least, not being proactive and establishing an ESG approach now could lead to scrambling to address ESG-related issues in the future, taking time away from day-to-day operations and possibly resulting in improper disclosures to government agencies or stakeholders.