3 rising risks CFOs must navigate in second half of 2022

The COVID-19 pandemic revealed some systemic weaknesses in the global supply chain, changes in customer and investor preferences, an increase in remote working models, and the need to reconfigure third-party risk service models. In short, the pandemic has transformed the meaning of risk for executives in the global economy.

Simultaneously, regulators and investors began asking for more granular reporting and disclosures. In the face of a dynamic business environment and evolving risks, the role of the CFO has grown more demanding and complex. CFOs should prepare to adjust their risk management frameworks to incorporate new realities and answer the calls for more transparency in public disclosures.

Three key areas CFOs need to focus on are third-party risk management, reputational risks, and cybersecurity risks associated with enhanced disclosure requirements.

Is your third-party risk management framework current?

COVID-19 disrupted standard procedures to vet and monitor vendors. According to a 2021 report by KPMG, many organizations accepted short-term violations of their third-party risk management policies to maintain business continuity. Likewise, vendors moved swiftly to remote work models and reconfigured service delivery models.

Post pandemic, finance and risk management professionals will need to evaluate new criteria, including:

• Streamlining third party risk assessment processes including reconsidering the value of on-site reviews;
• Evaluating geographic concentrations of business process outsourcing vendors and whether backup systems are sufficiently diversified;
• Leveraging internal and external data to gain visibility into vendor control environments;
• Changing vendor risk profiles based on their geographic location and backup systems to be sufficiently geographically diversified;
• Employing artificial intelligence, machine learning, and predictive analytics to enhance the identification, monitoring, and management of third-party risks;
• Increasing capabilities to monitor offsite contingent workers.

Is your organization prepared to mitigate the reputational risks associated with enhanced reporting disclosures?

CFOs need to continue to evaluate their financial statement disclosures and navigate through regulatory changes. Investors and regulators are seeking greater transparency on the impact of external development on businesses. Businesses that fail to meet these requirements risk SEC orders and penalties as well as reputational risk.

In 2020, the SEC filed charges against The Cheesecake Factory for minimizing disclosures about the impact of the COVID-19 pandemic on its business operations and financial condition. While the penalty was deemed minimal, the act was widely considered to be a warning shot to all public companies about the significance of disclosing material events to investors and the reputational risk of failing to do so.

CFOs should continuously evaluate their organizations’ preparedness for and responses to regulatory changes. According to a recent E&Y report, CFOs should consider investing in modeling tools to map out future disclosure requirements and tax scenarios to prepare for the added complexity.

Is your organization equipped for increased cybersecurity risks?

Most organizations demonstrated rapid adaptation to new ways of working to deliver critical business services to customers. The rise of remote working has increased organizations’ attack surface by creating more access points where unauthorized users can access a system or extract data.

As organizations seek to minimize the risk associated with their expanded attack surfaces, sophisticated attackers are plumbing systems and networks seeking vulnerabilities. CFOs must invest in systems, processes, and people to minimize the risk of cyberattacks and to protect the firm and its assets.

Finance and risk professionals will need to:

• Regularly identify high-risk areas that need to be tested for vulnerabilities;
• Engage white hat hackers to identify security vulnerabilities in the IT ecosystem, using an outside-in approach;
• Quickly identify new attack vectors that have been created by process changes;
• Enhance training for the increasingly remote workforce to ensure that security is a part of the organization’s culture;
• Strengthen security networks governing VPN connections;
• Plan for the worst-case scenario, including having alternate currencies available in the event of a ransom situation.

Adapted from: “3 Rising Risks CFOs Must Navigate in Second Half of 2022”, by Simone Grimes, CFO at Acadia Insurance, published on CFO News on 09 June 2022.