Welcome to the Q3 2022 edition of Guidehouse’s Weather the Disruption series, a quarterly newsletter intended to highlight the importance of business resiliency in today’s world. Our goal is to provide global regulatory updates, industry trends, best practices, and potential threats impacting our clients and sector. In this edition, we discuss how businesses can address business resiliency programs as they apply to employee turnover and climate change, potentially impacting daily operations.
With the recent market volatility and recession fears, not all businesses are able to maintain revenue necessary to retain employees. It costs organizations1.5-2 times the employee's salary, including dedicated time and resources to recruit, onboard, and train a new team member.
While turnover, both voluntary or involuntary, will always be a part of business, high turnover can have a massive effect on business resiliency. Resilient firms ensure employees are properly trained, to ensure that proper coverage is available and that there is a widespread understanding of recovery strategies.
Across the world, regulators are understanding the importance of business resiliency as it relates to the stability and advancement of the financial sector and the global economy as a whole. As a result, many have implemented regulations to outline standards and guidance to enhance resiliency programs:
- United Kingdom — After UK financial firms were tasked with identifying their key business services in March of this year, the next deadline is March 31, 2025, when firms must have performed all testing to ensure they are able to remain within their previously identified impact tolerances.
- European Union — The European Parliament reached an agreement on the Digital Operational Resiliency Act (DORA) in response to the increasing risk of cyberattacks within the financial industry. DORA outlines specific requirements around Information and Communications Technology risk management, incident reporting, and threat-led penetration testing.
- United States — The US and UK released a Joint Statement on the Financial Regulatory Working Group, which has been focused on a variety of topics, including the need to bolster business resiliency. The working group stressed the need to strengthen the resilience of the sector, including strengthening liquidity risk management practices and the need for future cooperation.
- Australia — The Australian Prudential Regulation Authority (APRA) has proposed a new standard for operational risk management in the banking, insurance, and superannuation industries. This standard will outline the minimum standards for managing operational risk, including updated requirements for business continuity and service provider management. APRA will review industry feedback before the standard comes into effect at the beginning of 2024.
Major Breaches and Disruptive Events
Here are some recent major events that have disrupted the industry this quarter:
- Employer-Driven Layoffs — As fear of a potential recession looms, many firms are reassessing their headcount and have already begun widespread layoffs. Major global banks have begun layoffs in an effort to cut costs, some even reimplementing their pre-COVID-19 programs of annual layoffs during performance reviews.
- Floods in Pakistan — Severe flooding has left one-third of Pakistan underwater, claiming more than 1,300 lives and has led to damages totaling more than $10 billion. Additionally, severe damage to crops and livestock has prompted the Pakistani government to warn of a potential food crisis.
- Drought in China — A recent drought has shut down Chinese factories and further stalled crippled international supply chains for automobiles, electronics, and other goods. Economists and trade experts warn that such events will become more frequent as we begin to feel the effects of climate change.
- Europe Heat Waves — Climate change has taken a toll on Europe this summer, resulting in destructive forest fires across southwest Europe. The global average temperature for June 2022 was about 0.3°C higher than the 1991-2020 average, making it the third-warmest June on record. Climate change poses a huge risk to the economy, causing billions of dollars in losses.
Business Resiliency Trends
Here are some best practices for firms looking to enhance their business resiliency:
- Preparing for Blackouts — Banks across Europe are setting up backup generators and dimming lights in preparation for potential power cuts. As Russia continues to cut gas supplies to the rest of Europe, these banks are testing how they can best operate under prolonged power shortages.
- Data Protection — While Data Breaches are of rising concerns across all industries, firms within the financial sector have been especially stringent in their data protection. The financial sector is second behind only the healthcare sector in average cost per data breach, costing firms an average of $5.97 million per breach in 2021 and 2022.
Business Resiliency Best Practices
Forward-looking financial institutions are having great success improving business resiliency programs by considering these best practices:
- Business Resiliency in Payments — Recently, banks have seen a rapid digitization in their payments systems to keep pace with consumer needs and may need to reassess their business resiliency programs to address unforeseen gaps. A resilient payment program includes well-documented requirements, governance, and risk management, as well as an established incident management system. The Federal Reserve has made resiliency a key component in their new FedNow instant payment platform as it begins its testing phase.
- Third-Party Due Diligence — As firms begin to enhance their internal business resilience, they have also begun to look externally to identify key relationships with third parties that may pose potential threats to their own operations. The UK’s Prudential Regulation Authority has even published Supervisory Statement 2/21 that outlines requirements for Third-Party (and subsequent agreements) Agreements to ensure greater resilience to the industry.
Resiliency in a Net-Zero World
Firms not only have to navigate a changing risk environment, but also an evolving social environment. As firms adapt to implement environmental and social change, they must also align their resiliency programs accordingly.
- Energy Crisis — The energy crisis and inflation have a direct correlation that effects businesses across the globe and in Europe, where the energy sub-index is up 26% this year. These high energy prices affect how a business functions and its ability to operate efficiently.
- Gas Supply — In July, Russia halted the gas supply through the Nord Stream 1 pipeline, which can send a maximum of 120 million cubic meters of gas per day from Russia to Germany. As a result, within one day the wholesale price of gas in Europe increased by 10%. In response, the EU has agreed that members will voluntarily reduce 15% of gas use between August and March, leaving companies to decide what cuts or reductions are needed.
Lloyd’s of London to Reduce Cyber Insurance Coverage — Lloyd’s of London is the most recent insurer to announce that it will be reducing the breadth of its ransomware cyber insurance coverage options starting in 2023. This change has significant impact to organizations planning to “buy down” risk exposure while implementing organizational or technical changes to better protect them from today’s cyberthreats. Ransomware attacks nearly doubled, rising by 92.7% in 2021, according to Security Magazine. The rate of ransomware payments also doubled last year. Fifty-two percent of Financial Services organizations paid ransoms to restore access to data, higher than the global average of 46%, according to IT security firm Sophos. Companies will need to continue to make investments to enhance their organic ransomware protections, in addition to their own cyber-resiliency programs to reduce the likelihood of impact to their business.
Thanks for contributions by: Chris Chen, Andrew Vegliante, Devinne Cook, and Kevin Michels.