Climate and ESG, cyber, and resilience are three major risk trends dominating the European corporate agenda

Climate and ESG, cyber, and resilience are three major risk trends dominating the corporate agenda. As these emerging threats continue to grow, Europe is adapting its regulatory framework and adopting an increasingly prescriptive approach.

Rami Feghali, PwC Europe, Middle East and Africa Risk Leader said: “Climate risk, ESG risk, and cyber and digital risk… are significant enough to change the shape of current economies. These are also the top concerns that CEOs and management teams raise with us and they consistently rank amongst the highest risks in our annual CEO survey.”

Risk managers have their work cut out to ensure organisations are managing these risks appropriately whilst also complying with ever-changing regulations and numerous pieces of legislation from across the globe.

Alex Dali, President of the G31000 Risk Institute said: “Going beyond compliance and reporting to fully embed risk management into decision-making will become increasingly important. Risk Managers will have the choice to adapt the management of risks or to become irrelevant.”

ESG and climate

Legislation to watch: Corporate Sustainability Reporting Directive (CSRD), Corporate Sustainability Due Diligence Directive (CSDDD), the Common Agricultural Policy (CAP).

The European Green Deal, adopted in December 2019, aims to achieve economic growth while reducing environmental harm. The target is to achieve climate neutrality by 2030 and net-zero greenhouse gas emissions by 2050.

However, economic decarbonisation requires not only billions in investment in new technology, but also a comprehensive redesign of corporate reporting. The CSRD regulations add further complexity by extending the scope beyond financial risks to include materiality.

Consequently, compliance around sustainability and other environmental, social, and governance (ESG) issues is high on the risk register for companies in 2023.

Dali says: “Risk managers have a key role to play to gain credibility, increase their influence and guide managers to take into account climate risks… By ignoring the Green transition and its associated benefits, companies will face regular problems of corporate project financing, an accumulation of stranded assets and increased ESG pressure by stakeholders.”

Cyber and technology

Legislation to watch: the Network & Information Security (NIS) Directive (NIS2), the Digital Operational Resilience Act (DORA), the Digital Services Act package, the UK’s Online Safety Bill and the EU Digital Services Act, as well as developing proposals to regulate the use of artificial intelligence (AI) in the UK and the EU.

Regulation designed to protect against cyber threats continues to expand, with governments particularly focused on data breaches and privacy regulations. Government regulations requiring organisations to provide consumer privacy rights will cover five billion people worldwide in 2023, representing more than 70% of global GDP, according to Gartner.

This explosion of digital regulation means that risk managers need to be on the front foot, and cyber security must be a top priority. The risks of getting this wrong include damaged reputation and the possibility of prohibitive fines where data privacy laws are breached.

Hoe-Yeong Loke, Head of Research at Airmic, said: “Regulatory developments in the technology space are evolving rapidly, and risk professionals should keep up to speed with them – not only in Europe but also in the US.

“Nevertheless, they should not let a purely compliance mindset override the imperative to invest more in technology for the future.”

Operational and supply chain resilience, D&O

Legislation to watch: the Digital Operational Resilience Act (DORA), the European Commission’s new directive to prevent the misuse of shell entities for tax purposes, the European Chips Act, ISO 22301, operational resilience under PS21/3 / PS6/21.

Globally, there is an increasing level of concern around supply chain risk and resilience. The UK financial sector has introduced operational resilience regulations, and that is likely to be just the beginning.

Managing these threats requires robust third-party and supply chain management and a joined-up approach from practitioners. Disciplines will have to become more closely aligned to ensure a robust feedback loop between risk teams and scenario testing.

Kate Needham-Bennett, EMEA Head of Financial Services Go-To-Market at Fusion Risk Management says: “Whenever a third party is onboarded, there should be a trigger sent out from your risk or resilience software to alert the business users as well as the project teams that they need to do risk assessments, plan exit strategies, and update details in continuity plans – and that only once the business is assured that the change will make the firm more resilient in the long run, is the change management team permitted to proceed.”

World trade growth has driven companies to scale investments, raise funds, and expand operations. As a result, directors, board members, and managers face greater risks.

Firms must protect their directors and their firms from the economic consequences of breaching fiduciary duties.

More than a tick-box exercise

Of course, more regulation means a heavier workload for risk managers, particularly when it comes to managing growing reporting requirements. However, experts suggest that embracing technology can help ease the burden.

Furthermore, there is an opportunity for risk professionals to engage at C-suite level whilst also boosting organisational resilience.

One common theme through all new regulatory developments is the importance of transparency. Firms are now expected to undertake granular assessments, evaluate risks and identify the controls needed.

Risk managers must therefore implement a framework to manage and monitor the control areas identified, including how those controls interact with third parties.

Such frameworks should reference the commercial environment and key drivers for a business, as well as risk analysis methodologies. This should result in a nuanced framework that identifies and minimises key risks whilst at the same time maximising business potential.

Needham-Bennett said: “Risk… will need to become more interconnected with the data that is being collected by first-line functions.

“Risk managers may need to become better versed in those resilience, cyber, ESG (environmental, social, and governance), and third-party disciplines; where regulations are being set; and the controls that they are then required to assess and govern. This also helps to streamline the process of aligning to various policies, acts, and standards.”

However, Loke cautions that if risk professionals get stuck in compliance, then the role can easily lapse into a tick-box function.

To avoid this, risk managers must take steps to ensure that firms are striking the right balance between compliance and strategic risk management. This means embedding risk practices so that they’re no longer an afterthought.