The past decade has seen an unprecedented digitalization of businesses, the widening and interconnectivity of supply chains, and the creation of new business models and talent needs. This rate of change has, however, been accompanied by an increase in risk exposure for businesses – here is a look at three to keep an eye out for in 2023.
Third-party risk
Third-party risk is the likelihood of a company facing an adverse event due to outsourced third parties in its supply chain or broader ecosystem. Business models have shifted from the 20th-century integrated corporations which fully managed and controlled their resources, to lean, purpose-focused businesses, which see outsourcing non-core operations to third parties as a strategic and tactical move.
This shift has seen many businesses outsourcing services to third parties at an unprecedented rate, to streamline (or scale) operations, reduce costs, or access better services. Examples of third parties include software vendors, managed IT service providers, and staffing agencies, which typically have access to a company’s systems, data, and processes.
Intrinsically, the use of third parties extends a business’ risk exposure and co-mingles it with that of its third parties, and even that of those third parties’ own third parties. For instance, a cyberattack on a business’ cloud service provider may expose that business to operational disruptions, financial losses, reputational damage, and even regulatory action.
In the 2022 KPMG worldwide survey of 1263 third-party risk management (TPRM) senior professionals, 85% cited TPRM as a strategic business priority. A further 77% of them had experienced at least one major disruption in the past 3 years because of a third party. To properly manage this risk, businesses must apply vendor risk management processes that address third-party risks before, during and after a third-party business relationship. Successful TPRM programs must also be run enterprise-wide and include relevant business players like procurement and legal.
Cybersecurity
Cybersecurity as a field describes the use of technology, people, policies, and procedures to secure a business from cyber-attacks. Common cybercrime examples are phishing, ransomware and malware attacks.
Cybercrime has quickly emerged as a fast-growing and popular type of criminal activity. Though not new, its threat levels globally have increased, given the growth in connected devices, more data moving onto the cloud, a rise in e-commerce and online financial transactions, and the shift to remote working due to the pandemic. A common thread to these trends is the ongoing digitalization of businesses.
People are generally the weakest link in an organization’s cybersecurity posture, often falling victim to standard but effective techniques like phishing. To compound this, the global shortage in cyber expertise has led many businesses to outsource niche cyber talent in addition to efforts to hire and retain their own.
In a November 2022 Forbes article, Cyber Leadership Institute CEO Phillimon Zongo suggests that cybersecurity is often incorrectly positioned as a necessary evil rather than a critical business enabler. He’s not wrong: some of the services banks and fintechs offer, as an example, require them to comply with rigorous information security requirements imposed on them by industry standards like the Payment Card Industry Data Security Standard (PCI DSS), or by local regulators. For such businesses, cybersecurity is a strategic and enterprise risk matter with a direct impact on the continuity of their operations.
A business’ successful management of this risk will require the co-option of cyber-savvy boards, an intentional investment in cyber resilience resourcing and awareness, the efficient monitoring and reporting of relevant metrics, and the weaving of security into digitalization programs.
Talent
The trends and needs of societies and the businesses that serve them are continuously evolving, creating demand for subject-matter experts in ever-narrower niches within professions that are already critical and scarce.
For instance, when the trend in computing shifted to cloud technology, it created a need and demand for cloud engineers and solution architects. Eventually cybercriminals found a way to compromise cloud technology, sparking a further need for cloud security experts. Prior to 2006, those job titles did not even exist.
Global talent trends are moving towards greater emphasis on location flexibility and employee well-being, as well as calls for measurable diversity, equity, and inclusion reforms. When you factor in increasing wage costs and skills shortages, the result is a growing and expensive challenge for many businesses to attract and retain the key talent they need to carry out their strategies.
These trends must, of course, be viewed against a parallel trend to automate or reengineer business processes, creating pockets of employees who must either be reskilled, upskilled, or laid off. When not accompanied by careful change management, layoffs in particular can erode employee engagement and company culture.
To ride this wave safely, businesses must rethink and exercise flexibility in their recruitment requirements, ways of working, remuneration policies, and retention strategies. Those with the means and aligned strategic interest have already begun making provision for future skills needs by setting up talent pipelines via targeted talent acquisition and development programmes. Ultimately, the role of any HR function must be reimagined to meet the talent needs of today.
Any business navigating its way through a complex and evolving operating environment cannot escape having to proactively identify, assess, treat and monitor the risks which invariably follow change. Businesses that successfully steer through change are those whose board and executive management continuously use risk insights to inform their strategy, fortify operational continuity and protect stakeholder value.
*Thomas Hamata is an IT governance, risk and compliance professional based in The Netherlands.