2022 was a year of ongoing and compound crises, as organizations were faced with a myriad of disruptions. From global and regional conflicts, to cyberattacks, supply chain disruptions, climate incidents, inflation, and economic downturn, never has it been clearer that operational resilience has become a boardroom priority. On top of these disruptions, companies have also faced evolving global compliance requirements, as regulators moved to fast-track operational resilience mandates.
As risk and compliance landscapes continue to evolve in 2023, organizations must prioritize resilient outcomes with a data-driven approach and foster a culture of program integration across the entire organization. When disruption inevitably occurs, resilient risk programs provide the tools to enact an informed response.
Global Regulations and Compliance
Regulators are taking operational resilience seriously by enacting and enforcing regulations around resilience, third-party risk, and cybersecurity, as well as by heightening compliance requirements for businesses. The European Union (EU) passed the Digital Operational Resilience Act (DORA) in 2022 with an expected date of final implementation and compliance by Q4 2024. In the U.S., the SEC (Securities and Exchange Commission) 2022 examination priorities established an enhanced focus on operational resilience. Operational resilience legislation for critical infrastructure sectors, such as financial services, demonstrates that regulators understand why resilience is imperative and are taking steps to ensure adequate protections are in place. For businesses, these new regulations signify that simply being resilient is not enough – they must actively demonstrate resilience to relevant shareholders and regulators.
Furthermore, regulators are beginning to hold executives personally liable for regulatory violations. Uber’s former Chief Information Security Officer was recently found guilty in federal court for concealing a cyber incident from regulators. Additionally, the FTC (Federal Trade Commission) is taking action against Drizly and its CEO James Cory Rellas over allegations the company’s security failures led to a data breach which exposed the personal information of about 2.5 million consumers. This recent shift to holding executives personally liable for corporate compliance demonstrates regulators are taking this seriously – and expect the same from all businesses as well as their leadership.
Regulatory deadlines this year showed that achieving compliance can often take longer than expected. March 31, 2022, marked the deadline for firms to identify and map their important business services, set impact tolerances, and initiate a scenario testing program in accordance with the new Bank of England, PRA (Prudential Regulation Authority), and FCA (Financial Conduct Authority) regulatory requirements. The months leading up to this deadline were hectic, as regulated entities scrambled to achieve compliance while, at the same time, uncovering inconsistencies and discrepancies across their organizations. Despite meeting the compliance requirements of 2022, it is clear many organizations have a long journey ahead to meet the 2025 deadline to fully achieve true resilience.
In 2023, we will likely see regulators continue to take an active role in mandating operational resilience for critical infrastructure. As technology advancements continue, so do the associated risks, such as privacy and data security. Regulators will continue to play catch-up to pass legislation that protects against these risks.
Geopolitical Risks on the Horizon
Although it feels like the COVID-19 pandemic is finally coming to an end, businesses will continue to face other significant risks in 2023. This year, the geopolitical crisis in Ukraine highlighted the multilateral impact of geopolitical events, including on personnel, vendors, the economy, and supply chains. Geopolitical events will remain a pain point for many businesses with global operations.
With geopolitical tensions growing in East Asia between China and Taiwan, businesses would do well to prepare for any possible disruption if war were to break out in this region. Given many goods originate from East Asia, a major disruption could result in significant supply chain challenges. To prepare, businesses should evaluate their supply chains and map any touch points to the region. From there, companies should explore alternative options and determine how they would respond should a disruption occur.
Disruptions often happen at a moment’s notice, but with the proper proactive measures, businesses can quickly trigger an informed response. Considering the severe business disruptions following the Ukraine-Russia war, businesses need to be on the front foot and stay ahead of any potential disruptions in 2023 and beyond.
Data is Key
Operational resilience is data-driven. True resilience means having the necessary data to assess and respond to a situation promptly, while limiting disruption to customers. With businesses expected to face continued disruptions in 2023 and with regulations becoming more complex, businesses must take a data-driven approach to managing their operational resilience.
Data is a crucial component of operational intelligence to help businesses make informed decisions and communicate information with key stakeholders and regulators. Operational intelligence includes business processes, people, and technology overlaid on enterprise data elements. It provides a holistic picture of an organization, how it works, and its risks to guide intelligent decision-making. Connecting data in this manner offers executives and regulators thorough insights into business resilience through a central lens.
Beyond organizational data, scenario testing will be a key priority for businesses in 2023 to further understand the impact of specific hypothetical disruptions. Certain disruptions are more likely to occur than others, such as a hurricane hitting Florida that results in flooding and loss of power, or a supply chain impact that causes a primary supplier to deliver goods a week or more late. Testing scenarios that have a genuine probability of occurring can help a business understand how it will be impacted and how to respond. This ensures organizations know exactly how to react when the event does occur. As compound crises increase, businesses should also test scenarios that are deemed “highly unlikely.” Running these stress tests can help inform responses to more complex risks and disruptions.
As resilience teams collect more data, privacy and data security issues will continue in 2023, and organizations will need processes to effectively manage those issues within the context of their operational resilience program.
Resilience in the Spotlight
Operational resilience brings together the separate functions of governance, risk, and compliance alongside other business functions to drive informed decision-making. In 2023, we will see businesses continue to adopt a data-driven approach to resilience to stay ahead of emerging risks and compliance obligations.
Resilience is not a one-time box-tick exercise. It is an ongoing journey to create a culture shift within an organization and, as such, does not happen overnight. But do not let the long journey stop your organization from taking the first step – every organization must start somewhere. For businesses that have not yet begun their resilience journey, 2023 is the perfect time to start.