Search Results

  • Demystifying Double Materiality: Everything You Need to Know

    What is Material? It is simply another way to say, 'what matters most.' But what matters most differs from person to person. Just as beauty is subjective and depends on an individual's perspective, materiality (what matters most) differs from stakeholder to stakeholder. There are dozens of different types of stakeholders, and they broadly fall into two categories: investors and non-investors. Non-investors include everyone from employees to customers, suppliers, governments, and the general public, all of whom may benefit or suffer from the actions of a company. Most of a company's value today comes from intangible assets. This means that the value of companies is typically derived from something other than cash, physical assets, or recurring revenues that are reasonably certain to occur. In many industries, over 80% of the value consists of factors like the valuation of personnel, intellectual property, manufacturing, and more. This has led to the realization that there's more to business success than money alone. In fact, financial success often depends on the way all the non-financial operational activities are orchestrated and run. By effectively managing these, a business can generate value over the longer term. All of this is well known to investors and non-investors who, over the last 20 years, have been familiar, or engaged with, the identification and measurement of the environmental and societal impacts which companies have been making as a result of their focus on delivering dividends to shareholders and repaying debt. Over recent decades investors have become increasingly conscious that their investment methodologies were less reliable than before as they observed the effects of globalization in a multi-polar, hyperconnected world that is growing in uncertainty. Investors do not like uncertainty. To minimize risk, they employ a variety of techniques, models, and tools to accurately assess the potential returns of an investment. 
This helps them identify which factors are most influential in their decision-making process and enables investors to gain insight into what matters most when evaluating the pros and cons of investing in something. Materiality: A Subjective Perspective? If you're focused on financial returns only, then so-called single materiality is what matters most to you. If you're focused on saving the planet, addressing social inequalities, or investing in companies exploiting opportunities in these areas, then impact materiality is what matters most to you. However, as with most things in life, it's more complex than that. Managing uncertainty requires that investors understand two things: What is Material to cashflow and a company's prospects, i.e., financial performance, and What is Material to the operational activities which underpin financial performance. Today, many of the world's largest investment funds are using ESG data as a proxy, a leading indicator of the likelihood of performance over the longer term. According to a recent Bloomberg survey of global business leaders, “the vast majority of respondents see ESG as an important consideration when making investment decisions in their own organizations, even among non-ESG fund managers.” This is where double materiality comes into play. With double materiality comes the hope of financial and sustainability-related, non-financial (aka impacts) information being presented in a way that is: Comparable (to financial data) Verifiable (limited assurance rising to reasonable assurance over the next few years) Timely (in sync with financial reporting), and Understandable Why We All Should Care? The lines between single and double materiality, as illustrated and defined by the IFRS's ISSB and the CSRD, are fuzzy. 
The objective of IFRS S1 General Requirements for Disclosure of Sustainability-related Financial Information '… is to require an entity to disclose information about its sustainability-related risks and opportunities that is useful to primary users of general-purpose financial reports in making decisions relating to providing resources to the entity'. However, it further states in the Application Guidance, which has the same authority as other parts of the standard, that '… information about sustainability-related risks and opportunities is useful to primary users because an entity's ability to generate cash flows over the short, medium and long term is inextricably linked to the interactions between the entity and its stakeholders, society, the economy and the natural environment throughout the entity's value chain. Together, the entity and the resources and relationships throughout its value chain form an interdependent system in which the entity operates. The entity's dependencies on those resources and relationships and its impacts on those resources and relationships give rise to sustainability-related risks and opportunities for the entity'. CSRD, on the other hand, defines double materiality as having two dimensions: impact materiality and financial materiality. A sustainability matter meets the criterion of double materiality if it is material from the impact perspective or the financial perspective, or both. In essence, the IFRS, with its mandate to produce international accounting standards, asserts alignment with the CSRD. The CSRD's approach begins with a GRI-informed materiality assessment. However, it also mandates a financial materiality assessment. In this process, the final step includes a 'more likely than not' evaluation of the impacts on financial and other forms of capital. 
How Archer ESG Solutions Can Help Companies Calculate Double Materiality The Archer Double Materiality Calculator helps you quickly and easily assess, calculate, and report on double materiality impacts. Pre-configured assessments based on the E.U.'s ESRS framework allow for evaluating individual impact and performing financial assessments. The Archer Double Materiality Calculator provides a simple and intuitive environment that enables users to quickly and efficiently input the required data by simply responding to questions and prompts in alignment with the ESRS framework. Integrated with the Archer ESG Management & IRM platform, financial and impact assessments can be incorporated into the organization's overall ESG risk analysis and provide financial teams with the critical information required to determine what ESG information needs to be disclosed. As with all Archer solutions, real-time, integrated graphical dashboards, reports, heatmaps, and quantifiable risk data help inform executives and senior leadership with decision-useful information to help achieve corporate strategic ESG goals and milestones. If you want to learn more about how Archer can help your organization assess double materiality, download our short whitepaper, ESG Reporting: From Data to Action, for additional information on best practices and steps you can take today to address your ESG reporting challenges. Contact us to speak with an Archer expert.

  • Mitigate Third-Party ESG Risk with Archer ESG Score Connect

    Today, organizations are facing a growing need to evaluate their third parties' environmental, social, and governance (ESG) performance. The drive behind this shift is the need to comply with evolving reporting requirements and guidelines for ESG. However, the lack of visibility into vendor and portfolio companies' ESG scores poses significant compliance and regulatory risks, threatening organizational sustainability efforts. ESG regulations organizations need to comply with include: Germany's Supply Chain Due Diligence Act Canada's Forced Labour and Supply Chain Reporting Law United States Uyghur Forced Labor Prevention Act European Commission's Mandatory Corporate Human Rights and Environmental Due Diligence draft Organizations must understand their vendors' commitment to ESG to overcome critical challenges. Environmental impact is a consideration as it directly affects an organization's overall environmental performance. Ensuring supply chain responsibility is essential to uphold social commitments and human rights, avoiding any adverse effects on the organization due to unethical sourcing or labor conditions by suppliers. Managing reputation risk is critical to prevent association with unethical practices that could hurt an organization's reputation. Data security and privacy concerns need to be considered, given the potential risks posed by third parties. Fostering innovation and collaboration with third parties can positively impact an organization's ESG performance. To overcome these challenges, organizations must clearly understand their vendors' commitment to ESG. Gaining insights into the ESG performance of vendors allows organizations to reinforce the resilience of their supply chains and proactively identify and prevent potential risks that could disrupt operations. Informed decisions about vendor selection, risk mitigation, and meeting regulatory requirements have become essential for organizations seeking to achieve their sustainability goals. 
Assessing the ESG practices of third parties enables organizations to mitigate ESG-related risks and ensures alignment with their ESG values. This proactive approach safeguards against potential liabilities and nurtures a culture of responsible business practices within the organization. In response to the growing need for comprehensive ESG insight, Archer has introduced Archer ESG Score Connect. Archer ESG Score Connect provides visibility into an organization's third-party ESG scores, facilitating a better understanding of their ESG performance to mitigate risks associated with ESG-related concerns. Contact us to speak to an Archer expert about how you can mitigate ESG risks by gaining insight into your organization's third-party ESG scores.

  • Double Materiality: Why U.S. Companies Need to Pay Attention

    U.S. companies are increasingly looking to environmental, social, and governance (ESG) initiatives to shape their strategies. ESG considerations can range from supporting diversity and inclusion practices in the workplace to reducing carbon emissions or investing in sustainability efforts. Corporate reporting on ESG initiatives and metrics has remained primarily a voluntary effort to date, resulting in many claims of companies' greenwashing (intentional or by mistake) their environmental impact and sustainability practices. The lack of confidence by consumers and investors in corporate ESG disclosures has led to global organizational bodies like the Securities and Exchange Commission (SEC) in the United States and European Sustainability Reporting Standards (ESRS) developing guidelines and reporting criteria that organizations must attest to in their non-financial disclosures. As U.S. companies become more aware of the impact of upcoming ESG regulations, they must begin considering double materiality. Double materiality requires disclosing how a company impacts the world (outside-in materiality) and how the world affects the company (inside-out materiality). The Importance of Materiality Materiality plays a crucial role in the disclosure of information by companies. In the U.S., an omitted fact is considered "material" if a reasonable shareholder would deem it important in deciding how to vote or if its disclosure would significantly alter the total mix of information made available. The E.U.'s CSRD, on the other hand, requires double materiality. It entails disclosing how a company impacts the world (outside-in materiality) and how the world affects the company (inside-out materiality). However, gathering such a broad spectrum of data poses a significant challenge. Materiality reporting is estimated to impact nearly 30% of U.S. companies and over 50,000 EU companies. 
Both groups must programmatically identify any negative or positive impact the company has or might have on people and the environment, assess severity, identify stakeholders affected, and assess the financial triggers and effects. What is Double Materiality Double materiality refers to the idea that both a company's actions and the actions of external factors can have a material impact on the environment and society. Double materiality may sound like a complicated concept, but it's actually quite simple. At its core, double materiality means that companies can have a material impact on the environment and society, and vice versa, environmental and social issues can have a material impact on the business operations of a company. So, when companies report on their environmental and social impact, they must consider not only their direct impact but also their indirect impact on society and the environment. Why U.S. Companies Need to Understand Double Materiality: While the concept of double materiality may be new to most U.S. companies, it is becoming increasingly important for companies to understand, especially as global ESG reporting standards evolve. The Securities and Exchange Commission (SEC) is considering incorporating ESG disclosure requirements into its reporting regulations. This means that companies' ESG reports will become increasingly important to stakeholders, including investors, employees, and customers. Companies that do not understand the importance of double materiality may not accurately or effectively report their indirect impact, which can lead to adverse consequences, loss of credibility, and potential legal issues. Materiality and Sustainability are Top Concerns for CEOs More and more CEOs cite sustainability and materiality as part of their top initiatives and critical to corporate strategy. 
In several recent Gartner* reports and surveys, they found: 9% of CEOs put environmental sustainability among their top 3 business priorities; 70% of CEOs surveyed plan to invest in new sustainable products; 74% of supply chain leaders expect sustainability to impact profitability between now and 2025. Materiality concerns are not solely driven by regulation. On the contrary, many executives consider sustainability and materiality essential to attaining corporate strategy and revenue goals. * Sources: 2022 Gartner CEO and Senior Business Executive Survey, 2022 Gartner Emerging Priorities in Supply Chain Survey, 2022 Gartner Circular Economy Survey ESG Reporting Timelines for U.S. Companies There are a few important dates that companies should be aware of when it comes to ESG reporting: The SEC's proposed roadmap was released in August 2020 and requires publicly traded companies to begin disclosing information on ESG metrics. The final rule is expected to be announced in fall of 2023. The ESRS brought in by the CSRD will go into effect in 2024, and will impose mandatory double-materiality sustainability reporting for nearly 50,000 entities operating in the E.U. The ESRS requirement will also impact U.S. companies doing business in the E.U. The Challenges of Calculating Double Materiality in Sustainability Reporting Now that we have defined Double Materiality, the next challenge for organizations is calculating, assessing, and reporting on their double materiality metrics and status. Gathering Data One of the most significant challenges companies face in calculating double materiality is gathering the necessary data. Double materiality requires organizations to consider both the impacts of their operations on the environment and society and how global economic, social, and environmental trends will impact their operations. The challenge here is that data on global trends can be hard to find or unreliable. 
Additionally, organizations need to add context to this data to understand how it will impact their operations. Without sufficient data, organizations can misunderstand their double materiality risks, resulting in incomplete reporting. Analyzing Data Gathering data is just the first step toward double materiality reporting. After collecting the data, organizations must analyze it to make informed decisions about their materiality. However, analyzing data can be a complex exercise requiring high data literacy and specialized knowledge. Moreover, data sources and quality can vary widely and may require cleaning and processing. Organizations may face reputational or regulatory risks related to incomplete reporting or poorly informed decision-making without accurate analysis. Reporting Results Finally, communicating double materiality data is crucial but challenging. Stakeholders expect organizations to present meaningful and transparent information. Still, with double materiality, it can be challenging to balance internal and external impacts to demonstrate how trends may impact an organization. Additionally, communicating double materiality information requires specialized reporting done in a manner that satisfies the expectations of regulators, investors, and other stakeholders. Reporting results is vital not only to meet stakeholders' expectations but also to help drive meaningful improvements in corporate sustainability practices. The Benefits of Reporting on Double Materiality Improved Corporate Governance: Double materiality can significantly improve corporate governance by requiring companies to consider non-financial factors affecting their stakeholders. This approach enables companies to identify potential risks and opportunities early, mitigating negative impacts and taking advantage of opportunities. 
Additionally, it encourages companies to consider the impact of their decisions on the environment, society, and governance, which can lead to improved stakeholder relations and long-term sustainability. Enhanced Financial Reporting and Auditing Standards: Double materiality also enhances financial reporting and auditing standards by requiring companies to disclose their non-financial impacts. This information is essential for investors and other stakeholders to assess a company's performance and potential risks. Additionally, with increased transparency, regulators and auditors can better monitor and detect non-financial risks that could affect a company's financial performance. Greater Accountability in the Financial System: Double materiality encourages greater accountability in the financial system by requiring companies to consider the impact of their decisions on the environment, society, and governance. This approach promotes more sustainable business practices and protects stakeholders from negative impacts. Furthermore, with increased transparency and disclosure, companies are more accountable to their stakeholders, leading to improved stakeholder relations and long-term sustainability. Improved Investor Confidence: Finally, double materiality improves investor confidence by providing more complete and accurate information about a company's overall performance and potential risks. This information helps investors make informed decisions about investing in a company, increasing market stability. Moreover, with increased transparency, companies can attract socially responsible investors who prioritize sustainability. How Archer ESG Solutions Can Help Companies Calculate Double Materiality The Archer ESG Double Materiality Calculator helps you quickly and easily assess, calculate, and report on double materiality impacts. Pre-configured assessments based on the E.U.'s ESRS framework allow for evaluating individual impact and performing financial assessments. 
The Archer Double Materiality Calculator provides a simple and intuitive environment that enables users to quickly and efficiently input the required data by simply responding to questions and prompts in alignment with the ESRS framework. Integrated with the Archer ESG Management & IRM platform, financial and impact assessments can be incorporated into the organization's overall ESG risk analysis and provide financial teams with the critical information required to determine what ESG information needs to be disclosed. As with all Archer solutions, real-time, integrated graphical dashboards, reports, heatmaps, and quantifiable risk data help inform executives and senior leadership with decision-useful information to help achieve corporate strategic ESG goals and milestones. Features Perform double materiality assessments and calculations to identify critical ESG risks. Pre-configured impact and financial materiality assessments aligned to the ESRS framework. User-selected option to report on impact materiality to Affected Stakeholders and/or Users of Sustainability Statements. Pre-configured reports and dashboards providing decision-useful information to decision-makers. Benefits Quickly collect, assess, and report on double materiality impacts. Simple, intuitive, and easy-to-use interface. Materiality assessment can be completed quickly and efficiently. Equip financial leadership with knowledge of what ESG factors need to be disclosed in financial reports. Integrated with Archer ESG Management and IRM platform. If you want to learn more about how Archer can help your organization assess double materiality, download our short whitepaper, ESG Reporting: From Data to Action, for additional information on best practices and steps you can take to address your ESG reporting challenges. Better yet, join us for Archer Summit 2023 in San Diego and learn more about Archer ESG Solutions. Contact us to speak with an Archer expert.

  • New Data Center in United Arab Emirates Extends Archer SaaS to Middle East Customers

    To support the growing SaaS needs of Archer customers across the Middle East, we’re pleased to announce Archer’s newest data center in the United Arab Emirates (UAE). In collaboration with Amazon Web Services (AWS), this latest data center enables us to support the explosive growth of Archer SaaS in the region with the increased performance, lower latency, and the data residency our customers require. Our UAE data center offers improved security and compliance, as data will be stored locally and subject to UAE regulations. Additionally, this data center supports our customers who want to leverage the power and scalability of the cloud to help address business risk and global compliance challenges. With the deployment of our industry-leading Archer cloud infrastructure in the UAE, we now have data centers in the U.S., Canada, Europe, Australia, and Asia Pacific, as part of our strategy to provide a regional presence in our highest-demand areas. Archer SaaS enables organizations to leverage the flexibility, availability and scalability of the cloud, coupled with the depth and breadth of the Archer Suite, to comprehensively and proactively manage risk. Offered on the Amazon Web Services (AWS) platform, Archer SaaS offers: · Support for the full set of Archer use cases · A flexible pricing model · SaaS-specific contract terms · Data residency · And much more To learn more about Archer SaaS, contact us or join us for Archer Summit 2023 in San Diego September 11-13.

  • Building Resilient Supply Chains

    Given the ongoing supply chain disruptions that continue to impact an organization’s operations, supply chain management has never been more critical. According to Gartner*, by 2025 supply chain risk management will be a critical success factor for over 50% of organizations. It is paramount to reduce supply chain risks and enhance resilience. In fact, IDC’s** research reveals that 63% of organizations view a lack of resiliency to be a key supply chain gap. * Gartner: How Supply Chain Leaders Can Prepare for the Next Big Disruption (June 8, 2022) ** IDC, Progressing Supply Chain Resiliency, Simon Ellis. Gaining visibility into your supply chain is not only advantageous but imperative. Understanding your complex vendor relationships is essential for identifying vulnerabilities, assessing potential disruptions, and implementing proactive measures to ensure supply chain resilience. When organizations leverage advanced visualization, they can gain valuable insights into the dynamics of their supply chain ecosystem, enabling them to make better decisions, become more resilient, and mitigate risk effectively. To learn more, join us for our webinar “Building Resilient Supply Chains: Strategies for Success” featuring GRC 20/20’s Michael Rasmussen and Archer’s Sarah Kassoff to learn: How to enhance your organization's supply chain resilience amid increasing uncertainties; Strategies to reduce supply chain risk and ensure uninterrupted business operations; The impact and benefits of visualization in tackling complex supply chain challenges. Webinar: October 10, 2023 11:00 am Eastern Time. Register Now! Visit Archer Third Party Governance for more information. Contact us to speak to an Archer Expert.

  • How Archer Document Governance Supports Business-Critical Content Changes for Policy Management

    There are several key questions to ask in evaluating how well the content and associated documentation is managed for your use cases (like policy management). Is your change management program well designed? How would you demonstrate that to a stakeholder or outside party? Is the program applied earnestly / in good faith? How do you report on the results of the work done? The Archer Document Governance solution provides tools to manage your policy management’s critical documentation and help strengthen your program around these questions. 1: Key elements to a well-designed program: control and collaboration Policy programs are dynamic, with ongoing updates needed to keep policies and procedures current. A well-designed program will have both the agility and the control needed for ongoing change management. Archer Document Governance can help provide the agility and control you need through: Enabling simultaneous collaboration on documentation changes – no need to lose time emailing versions back and forth or risking lock-out of a collaborator from a shared network file Making teams aware of changes in the approval chain for the documentation they manage Providing a real-time view to where a document may be delayed in the change management process Documenting redlined changes for every published version Enabling quick response to audit inquiries 2. Enabling a strong culture of discipline: reinforcing the positive, removing the barriers In tandem with your leadership communications and targeted performance indicators, the right tool can help simplify and demonstrate diligent application of your policy management program. Archer Document Governance can support your culture of execution through how you manage the creation, governance, and publication of your program’s mission-critical documentation. 
Document Governance helps by: Simplifying through standardizing the creation, management, and distribution of policies and procedures Configuring your governance workflows and providing transparency into the process Accelerating the review and sign-off of documentation changes Serving as a single system of record for your documentation 3. Demonstrating program results Monitoring and reporting on the results of your policy management program takes both quantitative and qualitative measurements. Archer Document Governance can help you track and demonstrate program results through: Facilitating internal and external audits, providing detailed change logs, and redline comparisons for evidence across published versions Detailed management reporting, showing everything from change management cycle times to analysis where approvals get delayed by document type and team Contact us to speak to an Archer expert about how Archer Document Governance can support your program goals.

  • Our Next-Generation Risk Quantification Capabilities

    We have all seen our favorite risk management output – the vaunted risk heat map. These colorful graphs stimulate conversation and are staples of risk reporting. However, we are also very aware of their shortcomings. Unfortunately, qualitative output, even when bounded by scales and ranges, is still subject to interpretation. More importantly, qualitative assessments lack a level of detail that is critical to making the right business decision. Today, we announced our next generation of risk quantification capabilities for Archer Insight and the new Archer Insight Workbench offering. Using Archer Insight, organizations can use quantitative assessments within their enterprise risk management (ERM) programs to calculate financial and non-financial risk exposures and provide critical business insights to better assess, aggregate and report on risk. The new Archer Insight Workbench risk modeling tool is purpose-built for risk analysts and enables them to create their own models to dig deep into risk scenarios. Unlike systems that utilize qualitative risk analysis techniques, Archer Insight is designed to simplify the calculation and aggregation of risk exposure. It enables risk functions to standardize the calculation of financial exposure, differentiate risks in terms of rate of occurrence and magnitude, measure the value of controls, and manage risk based on the relative impact to the business. In short, it replaces qualitative and semi-quantitative scales with two simple questions: what is the general rate of occurrence of a risk, and what is the range of potential impact? Of course, the first question that comes up is “Where do I get the data for these estimates?” The good news is that quantitative assessments take uncertainty into account. Instead of being vague about uncertain inputs (“I think the likelihood is Medium”), shifting to quantitative inputs (“I think the rate of occurrence is 5 times a year”) puts a more tangible estimate into the equation. 
Then, these estimates can be tracked against real occurrences and shifted to better reflect the risk. In other words, by being more specific about the uncertainty, you are more aware of what you should be monitoring and the adjustments you make in the future are meaningful. This release puts vital tools in the hands of risk teams. The two approaches - quantitative assessments within ERM and risk modeling – provide risk teams with broad capabilities to better analyze and communicate risk. A major benefit of this approach is the agnostic nature of Archer Insight. The quantitative assessment built into Archer Insight can be applied to all types of risks including enterprise, operational, and cyber risks. As risk management teams seek to put the best information in the hands of their decision makers, risk quantification has become a critical element of their strategy. Archer Insight brings exciting new capabilities to your GRC program and takes ERM to the next level. To read our announcement, visit: Archer Introduces Next-Generation Risk Quantification Capabilities for Archer Insight and New Archer Insight Workbench

  • Mastering Operational Resilience: Lessons Learned from FNZ’s Award-Winning Strategy

    In an era of constant disruption, becoming operationally resilient has become a critical need for organizations worldwide. Operational resilience is the ability to prepare, adapt to, withstand, and recover from disruptions and unexpected events that can include natural disasters, cyber-attacks, power outages, supply chain disruptions, pandemics, and others. Operational resilience is not only about preparing for disruptions, but also about designing and implementing systems and processes that can continue to function under unexpected circumstances and recover quickly if disrupted. Organizations that prioritize operational resilience are better equipped to protect their critical functions, continue to provide their products and services even in the face of disruption, and quickly return to normal operations after a disruption. As a result, the organization is better able to maintain its reputation and trust with customers and stakeholders and create sustainability and long-term business value. We all look to great examples in our lives to show us the way, and FNZ is cracking the code on operational resilience. FNZ is a global wealth management firm that empowers 20 million people to invest through partnerships with over 650 financial institutions and 8,000 firms. Their strategy, process, and implementation of Archer recently earned them the 'Best in Class GRC in Risk & Resilience Management' award from GRC 20/20. Archer invites you to register for our upcoming webinar at 11:00am Eastern Time on August 30, Mastering Operational Resilience: Lessons from FNZ’s Award-Winning Strategy to: Uncover FNZ's award-winning strategies for building resilience and the outcomes achieved. Identify challenges and potential roadblocks in implementing operational resilience for your organization, with expert advice on how to maneuver around them. 
Understand how technology can significantly boost your organization's operational resilience, with real-life examples from FNZ's successful collaboration with Archer. For more information about how Archer can help your organization become resilient, check out Archer Business Resiliency.

  • Navigate Supply Chain Risks with Effective Third-Party Risk Management

    Supply chain risk continues to be a critical challenge that organizations need to address. Due to the ongoing reliance on third-party products and services, an important part of managing supply chain risk effectively is implementing a robust third-party risk management strategy. The lack of visibility into an organization’s third-party vendors is a significant challenge when it comes to managing supply chain risk. This lack of visibility is a critical risk because any issues with suppliers can substantially impact an organization’s overall supply chain. Developing a third-party risk management strategy that provides visibility into an organization’s nth-party vendors is a key part of effectively managing supply chain risks. Additionally, it is crucial to consider risks from your entire supply chain that could potentially impact your organization when implementing this strategy. Four key supply chain risks to consider are cyberattacks, natural disasters, material scarcity, and economic conditions. These supply chain risks can affect suppliers throughout your supply chain, which, in turn, may impact your organization. Having a comprehensive strategy to mitigate these risks will help achieve the best possible outcomes for your organization. To ensure they are managing supply chain risks from all vendors in their supply chain, organizations should evaluate supply chain dependencies and identify regional dependencies to understand supply chain risk. This information can be beneficial in assessing the risk level and determining how to mitigate those risks if an unforeseen event causes a supply chain disruption. Managing supply chain risk is an ongoing process that requires continuous effort. By implementing a robust third-party risk management strategy, you can better protect your supply chain from potential disruptions and build resilience in your operations. 
To learn more about how effective third-party risk management can mitigate supply chain risks, read our whitepaper "Mitigating Supply Chain Risks: The Power of Effective Third-Party Risk Management".

  • The Evolution of Risk Assessments

    Humankind has been performing risk assessments since the first time a caveman peeked out from his dwelling and determined if it was safe to run to the watering hole. Assessing risk is an inherent capability we are all aware of and is the foundation by which we attempt to understand uncertainty. In today’s world, uncertainty is an unwelcome but constant companion and organizations clearly understand the role risk management plays in ensuring success. Thus, the process of systematically assessing risk across the business has become an absolute pillar of the risk management program. However, this practice is not without its own evolution. Gone are the days when an organization can feel comfortable with a simple periodic review of potential issues. Risk assessments have changed significantly in response to changing times. More time and effort is being spent on risk assessments due to the highly visible nature of risk and the interest level of executive management, audit and risk committees, and boards of directors. Just like the caveman learned it was insufficient to take a quick peek and head out into the jungle, organizations are taking a more mindful approach and dedicating resources to ensure the most relevant and appropriate data is reviewed to inform risk reporting. This is no longer a ‘check the box’ exercise but a real input into decision making and strategy building at the highest levels of the organization. The frequency of risk assessments has increased to provide a more continuous view into potential issues within business operations. Along with spending more time and effort to gather information, data is being collected on risks on a much more frequent basis to keep pace with business and operational changes. The volatility of the market, the increased regulatory pressures and the amplified consequences of negative events have pressed risk management functions to quicken their pace into an ongoing cycle of assessment. 
The need for tangible, defensible outputs from risk assessments has led to an increased focus on quantification of risk to better support decision making. While qualitative assessments can provide general direction and prioritization, the broad categorization of risks using traditional heatmap methods makes it impossible to truly stack rank potential issues and balance investment with return. Translating uncertainty into potential exposures and financial impacts is enabling organizations to evaluate where the biggest bang for the buck comes from when making decisions to implement controls. The evolution of risk management needs has led to many organizations recalibrating their approach to risk assessment. Download our short white paper “Evolving Your Risk Assessments: Tips for building a future proof strategy” for recommendations on how to position your risk assessment approach to meet the immediate and future needs of your organization.

  • Six Cyber Risk Management Questions to Ask Your Strategic Vendors

    In today's interconnected business landscape, where companies heavily rely on third-party vendors, the need for robust cyber risk management practices has become crucial. The increasing frequency of cyberattacks originating from external vendors calls for proactive measures to safeguard sensitive data, protect business reputation, and mitigate potential financial losses. To ensure your strategic vendors prioritize cybersecurity, it's important to ask them the right questions. Here are six important questions you can ask your vendors to help assess their cyber risk management practices and foster a secure business environment:

    1. Has the third party developed a comprehensive cybersecurity risk management program that addresses and manages their own supplier ecosystem, including their partners and other providers? A strong cybersecurity risk management program should encompass not only the third-party vendor itself but also extend to its suppliers, partners, and other providers within its ecosystem. By understanding how your vendors manage security across their entire network, you can assess their commitment to minimizing cyber risks and maintaining a robust security posture.

    2. Are third-party employees well educated on security awareness and kept up to date on phishing schemes and other security-related concerns? Employee awareness and education play a pivotal role in combating cyber threats. Inquire about the training programs and initiatives implemented by your vendors to educate their staff on security best practices. A well-informed workforce that remains vigilant against phishing attempts and other security-related concerns can significantly reduce the likelihood of successful cyberattacks.

    3. How is the third-party vendor alerted in cases of potential unauthorized access to their own data? Unauthorized access to your vendors' data can have serious implications for your business as well. It's crucial to understand how your vendors detect and respond to potential breaches within their systems. Prompt identification and remediation of security incidents can help minimize the impact on your organization and enable effective collaboration with vendors during such events.

    4. What plan does your third-party vendor have in place to notify your company in cases of breaches or other security-related incidents? Timely communication is key in addressing security breaches or incidents. Ask your vendors about their notification processes and protocols in the event of a security breach. Having a clear understanding of how your vendor will inform your company enables you to respond swiftly, mitigate potential damages, and maintain transparency with your stakeholders.

    5. Does your third-party vendor continuously monitor cybersecurity performance? Cybersecurity is an ongoing process that requires constant monitoring and evaluation. Inquire about your vendors' practices for monitoring their cybersecurity performance. Regular assessments and audits, vulnerability management, and adherence to industry standards demonstrate a commitment to maintaining a strong security posture. Continuous monitoring ensures proactive identification and mitigation of potential vulnerabilities before they can be exploited by malicious actors.

    6. How well do your third-party vendors' Business Continuity Management (BCM) plans support your own operational resilience? Business Continuity Management (BCM) is crucial for maintaining operational resilience in the face of disruptions. Assess how your vendors' BCM plans align with your own business requirements. Understanding their strategies for mitigating risks, ensuring redundancy, and minimizing downtime during incidents enables you to gauge their ability to support your organization's operational continuity.

    As the cyber threat landscape continues to evolve, it's imperative to prioritize cyber risk management when engaging with strategic vendors. By asking these six essential questions, you can gain valuable insights into your vendors' cybersecurity practices and make informed decisions to protect your business. To learn more about effective cyber risk management, read our whitepaper: "Why Your Third-Party Risk Management Strategy Should Address Cyber Risk."

  • Mitigating Supply Chain Risks: The Power of Effective Third-Party Risk Management

    Supply chain risk management has become increasingly critical in today's interconnected and complex business environment. Organizations rely heavily on third-party products and services, which introduces a new layer of risk that must be proactively managed. Failure to address these risks can lead to supply chain disruptions, compromised data security, and reputational damage. To enhance resilience and minimize vulnerabilities, organizations need to integrate third-party risk management into their overall supply chain risk management practices.

    Understanding the Importance of Third-Party Risk Management

    Managing third-party risks requires a comprehensive and systematic approach. It involves conducting due diligence on potential partners, assessing their risk profiles, and ensuring they have robust strategies and controls in place to prevent and mitigate risks. Clear contractual agreements should be established, outlining expectations for risk management, and specifying mechanisms for monitoring and addressing emerging risks.

    The Four Key Supply Chain Risks:

    Cyberattacks: Cyber risk management is crucial, considering the increasing prevalence of cyber threats. Organizations must develop strong partnerships with suppliers that have robust strategies to prevent loss or restore services promptly. Rigorous due diligence, regular assessments, and clear contractual agreements are essential for mitigating cyber risks.

    Natural Disasters: Natural disasters can cause widespread disruptions, impacting multiple suppliers in a specific region. Organizations should adopt a supply chain-based approach and consider backup capabilities and alternative suppliers in different parts of the world to reduce vulnerability caused by disruptions.

    Rising Consumer Demand/Material Scarcity: Managing increased consumer demand and material scarcity requires data-driven approaches. Leveraging technology and predictive analytics allows organizations to make informed decisions regarding inventory management, anticipate potential scarcities, and optimize supply chain operations accordingly.

    Increasing Freight Prices/Inflation/Economic Conditions: Collaboration within the supply chain network and leveraging technology play vital roles in managing risks associated with economic conditions. By actively engaging with suppliers, monitoring risks, and utilizing advanced analytics tools, organizations can optimize operations, reduce costs, and adapt to the evolving economic landscape.

    To learn more about how to mitigate supply chain risks through effective third-party risk management, read our eBook "Mitigating Supply Chain Risks: The Power of Effective Third-Party Risk Management."
