The COVID-19 pandemic revealed some systemic weaknesses in the global supply chain, changes in customer and investor preferences, an increase in remote working models, and the need to reconfigure third-party risk service models. In short, the pandemic has transformed the meaning of risk for executives in the global economy.
Simultaneously, regulators and investors began asking for more granular reporting and disclosures. In the face of a dynamic business environment and evolving risks, the role of the CFO has grown more demanding and complex. CFOs should prepare to adjust their risk management frameworks to incorporate new realities and answer the calls for more transparency in public disclosures.
Three key areas CFOs need to focus on are third-party risk management, reputational risks, and cybersecurity risks associated with enhanced disclosure requirements.
COVID-19 disrupted standard procedures to vet and monitor vendors. According to a 2021 report by KPMG, many organizations accepted short-term violations of their third-party risk management policies to maintain business continuity. Likewise, vendors moved swiftly to remote work models and reconfigured service delivery models. The question remains: which modified processes will become permanent, and what lessons learned need to be carried forward?
Post-pandemic, finance and risk management professionals will need to evaluate new criteria, including:
Streamlining third-party risk assessment processes, including reconsidering the value of on-site reviews
Evaluating geographic concentrations of business process outsourcing vendors and whether backup systems are sufficiently diversified
Leveraging internal and external data to gain visibility into vendor control environments
Changing vendor risk profiles based on their geographic location and whether their backup systems are sufficiently geographically diversified
Employing artificial intelligence, machine learning, and predictive analytics to enhance the identification, monitoring, and management of third-party risks
Increasing capabilities to monitor offsite contingent workers
CFOs need to continue to evaluate their financial statement disclosures and navigate through regulatory changes. Investors and regulators are seeking greater transparency on the impact of external developments on businesses. Businesses that fail to meet these requirements risk SEC orders and penalties as well as reputational risk.
In 2020, the SEC filed charges against The Cheesecake Factory for minimizing disclosures about the impact of the COVID-19 pandemic on its business operations and financial condition. While the penalty was deemed minimal, the act was widely considered to be a warning shot to all public companies about the significance of disclosing material events to investors and the reputational risk of failing to do so.
SEC Chairman Gary Gensler recently doubled down on the agency’s legal authority to mandate enhanced disclosures to all publicly traded U.S. companies, which he asserted “follows a long tradition of disclosures.” CFOs should prepare for the possible implementation of two key proposed rules deemed critical to the SEC: environmental, social, and governance (ESG) reporting and cybersecurity disclosures.
The SEC issued a proposed rule on climate disclosure requirements that would increase ESG reporting requirements for U.S. public companies. The requirements cover enhanced greenhouse gas (GHG) emission disclosures and qualitative disclosures about the likelihood and materiality of the impact of climate-related risks. The proposed rule would also require enhanced governance disclosures on the ESG skills embedded within the board of directors and in executive management teams.
The proposed rule on cybersecurity disclosures would require companies to disclose cyber incidents on Form 8-K within four business days. Cyber disclosures from the 8-Ks would have to appear in the Form 10-K (annual report), and the 10-K would have to include an overview of the organization’s cybersecurity program. The proposed rule would also require more granular disclosures about the role of the board of directors in mitigating cybersecurity risks.
CFOs should continuously evaluate their organizations’ preparedness for and responses to regulatory changes. According to a recent E&Y report, CFOs should consider investing in modeling tools to map out future disclosure requirements and tax scenarios to prepare for the added complexity.
Most organizations demonstrated rapid adaptation to new ways of working to deliver critical business services to customers. The rise of remote working has increased organizations’ attack surface by creating more access points where unauthorized users can access a system or extract data.
As organizations seek to minimize the risk associated with their expanded attack surfaces, sophisticated attackers are plumbing systems and networks seeking vulnerabilities. CFOs must invest in systems, processes, and people to minimize the risk of cyberattacks and to protect the firm and its assets.
Finance and risk professionals will need to:
Regularly identify high-risk areas that need to be tested for vulnerabilities
Engage white hat hackers to identify security vulnerabilities in the IT ecosystem, using an outside-in approach
Quickly identify new attack vectors that have been created by process changes
Enhance training for the increasingly remote workforce to ensure that security is a part of the organization’s culture
Strengthen security networks governing VPN connections
Plan for the worst-case scenario, including having alternate currencies available in the event of a ransom situation
Simone Grimes is CFO at Acadia Insurance.