Risk Management Trends For 2022

2022 has been an interesting year for risk management, with emerging political issues creating new risk areas that organizations must now grapple with.

The Institute of Internal Auditors, an international professional association serving more than 70,000 members in North America and the Caribbean, has identified the top trends for 2022 in its annual OnRisk report. The OnRisk report is similar to the Occupational Safety and Health Administration’s Top 10 Most Frequently Cited Standards.

Here are the top five risk management trends that you should be paying attention to:

  • Cybersecurity and data privacy
  • Talent management and culture
  • Economic, political and social volatility
  • Regulatory changes
  • Organizational governance

Cybersecurity and data privacy

Cyberattacks are on the rise. Though today’s technology is better at securing sites and data, hackers have also gotten better at penetrating systems to steal that data. Such attacks can permanently damage an organization’s reputation, safety, security, employees, contractors and vendors. And the financial impacts can be disastrous.

But cybersecurity and data privacy risks don’t just come from hackers. They can also come from changes to regulatory requirements at the federal, state and local levels. Some of these requirements go beyond the state or area where you work to include any location where you do business.

Here are some ways you can take control of your cybersecurity risk.

Back up your data

One of the most basic measures you can take is to back up your data regularly. How often depends on your organization, the amount of critical data you typically collect over a business day or week, and what it would mean to you if that data were to be breached, lost or stolen.

Change passwords often

Another simple measure is to require employees to change passwords periodically. Again, you will need to determine how frequently based on your unique needs and resources. You should also have a written policy stating that employees cannot share passwords.

Train your employees

Lastly, train your employees on cybersecurity. Educate them on the types of cyber threats they may encounter and on your password-protected systems. This training should be mandatory for all new hires, with annual refresher training thereafter. All employees should be required to sign a statement that certifies they received the cybersecurity training and understand the policy.

Talent management and culture

The COVID-19 pandemic has drastically altered the way organizations manage employee schedules, people, and work arrangements. Working from home is still new for many companies.

Not reporting to a physical location creates a whole new set of risks. Risk considerations for remote workforces include:

  • Setting up remote offices
  • Using company versus employee-owned equipment (such as phones and computers)
  • Protecting assets, intellectual property and data
  • Tracking hours worked, including overtime (This may invoke travel requirements for employees that are out of the norm. Review the International Organization for Standardization (ISO) standard on travel risk, ISO 31030, for more information.)
  • Reporting and investigating workplace injuries
  • Investigating workers’ compensation claims
  • Preparing and responding to emergencies
  • Conducting and documenting employee training to meet compliance requirements
  • Recruiting and onboarding new employees
  • Keeping existing employees engaged

An organization’s culture is greatly impacted by whether employees report to a physical location or work from home. Organizations need to understand, monitor and manage the tone, incentives, and actions that drive desired behavior, including perceived acceptance and loyalty. If leadership doesn’t know how to effectively manage these risks, they often end up being ignored.

Economic, political, and social volatility

Economic volatility

The pandemic has also caused active gains and losses in the market. Any publicly-traded organization has risks related to stock value, profit-sharing and long-term valuation of assets. But the economic impacts of the pandemic have added to that volatility.

Political volatility

In a global economy, political volatility is also a significant risk. From trade embargoes to sanctions and military advances on other countries, your ability to do business is at risk.

The pandemic itself was expensive for organizations. For smaller businesses with limited cash flow, it put the entire business at risk. The added expenses of personal protective equipment, cleaning supplies and restricted hours caused many small businesses to go out of business. They were simply unable to keep up with the health requirements and political decisions resulting from them.

The potential for a resurgence or a whole new pandemic is a risk that you can’t afford to ignore. Among other factors, you’ll need to consider how to:

  • Cover shifts
  • Maintain production and customer service levels
  • Manage variable hours
  • Market to a wary customer

Social volatility

Another major consideration is social unrest. There is a cycle in which economic shock leads to political unrest, which leads to social unrest. Many organizations have experienced rioting, protests and other business disruptions resulting from economic and political reactions. Social unrest is expected to remain a primary risk as the public loses trust in political and business leaders. This trend will likely continue for as long as the global economy and political climate remain unstable.

As you conduct your risk assessment, consider how your business will be impacted if there is a war that disrupts various economies, especially if you are a global business. Even though this risk is out of your control, asking the question now will help you be more prepared if disaster strikes.

Regulatory changes

Regulatory changes are a major risk area that requires attention, planning, and action. These changes can happen quickly and, as previously mentioned, can come from the federal, state or local levels. Most of these changes will have a financial impact, requiring businesses to conform to new standards or laws.

These changes can also have adverse effects on employees. For example, the COVID-19 lockdown altered work schedules, changed employee statuses (e.g., “essential” workers) and imposed new training requirements. Many federal and state environmental regulations have a ripple effect on local communities, especially if the mandates are unfunded. These changes can introduce business risk based on the perception of a company’s position or readiness for the change and public opinion about the new standard.

Controversy can also arise over how the changes are to be made or enforced. Some organizations interpret regulations in a stricter way than the language implies, which can create confusion between leadership and those responsible for complying with the regulation. This can lead to employee and community dissatisfaction, increasing the organization’s risk for lawsuits.

While there isn’t much you can do to control regulatory changes, you can prepare for them. Continue to monitor trade associations in your industry as well as public perception. You can get a leg up on statutes while they are still in the draft phase and prepare for the coming change rather than being surprised. Participating in association committees is also a good way to stay ahead of changes.

Organizational governance and leadership


Organizational governance refers to how an organization is directed and managed. It is the system of rules, procedures, practices, processes and controls by which it operates. Your risk assessment should examine whether your governance helps you achieve your objectives and aligns with your mission and values.

Governance is not a new risk. Most organizations are already addressing it. But once an organization conducts its initial risk assessment and takes corrective actions, governance is often forgotten. Over time and through various changes such as those mentioned above, the organization can fall out of sync with its original governance because it has since had to adapt and react to many other changes.


Another change that often gets overlooked is a change in leadership, which often results in new management styles or course changes. An active change management process will catch this, as will an internal or external audit.

Leadership changes have other implications, too. Failing to update emergency contacts or permits with the name, title and role of a new leader can result in a citation for failure to maintain documentation. These issues are often not caught until there is an inspection or regulatory action, but you can avoid them by periodically updating critical documents.

Key takeaways

For 2022 and 2023, you should prioritize these risks. Review them with your risk management team to ensure compliance and create action plans to reduce as much risk as possible. Remember that risk management is about balancing the costs of mitigating or eliminating risks with the level of risk that your organization is willing to accept.

Though the future will certainly introduce other risks, addressing those that you know will better prepare you for what is to come.