Diligent CEO shares advice on how US companies can prepare for new requirements in areas such as cyber-security and climate risk
Some of the risks companies face in the coming year will arise from pending regulatory changes and keeping pace with new reporting requirements. Recent research from Diligent finds that regulatory compliance is perceived as a top risk for companies in 2023, with 73 percent of risk professionals concerned about meeting compliance demands.
For example, the SEC last March proposed changes to its rules regarding disclosures companies make about cyber-security risk management, strategy, governance and incident reporting.
Some industry professionals are concerned about the complexities of complying, such as determining whether a cyber-incident is material – and therefore must be reported. Among other things, the changes would require disclosures about the board’s cyber-security expertise, if any.
Diligent CEO Brian Stafford says data is a key component of compliance. ‘The biggest challenge most compliance professionals face is that they’re unsure about the data they have to report to the CEO and board,’ he says in an interview with IR Magazine. ‘Historically, there has not been a direct feedback loop between the chief information security officer or vice president of IT security and compliance teams.
‘In many cases, the first two make their own decisions on what is material or not. In a world where you are hit by a thousand different attacks every week, especially large companies, how [do] you filter what is material or not? It’s not something many organizations have had to factor into the way they operate, until now.’
Start collecting climate data
The SEC has also proposed a new rule that, if approved, would require companies to disclose information about their governance of climate-related risks and how any climate-related risks have had, or are likely to have, a material impact on their business.
Despite uncertainty around the rule's final scope and when it will be approved, governance professionals at a recent Corporate Secretary event encouraged companies to prepare to comply. The new requirements are expected to entail companies reporting large amounts of data, particularly if they include Scope 3 emissions.
It will be essential to monitor the quality of data a company produces, and professionals suggest that companies look carefully at the processes and systems they have for collecting climate data.
Stafford advises companies to implement a data-collection process now. ‘No matter what is going to be required, the first step is collecting your data,’ he says. ‘When you do that, you can understand what you need to comply with and how you can make improvements. Regardless of the strategy you choose, or how your board is involved with that, collecting the baseline data and understanding it is a no-regrets move for organizations and they need to start doing it immediately.’
Stafford says it’s clear that companies can expect to have to comply with a growing number of rules and disclosure requirements. ‘The spectrum of compliance and reporting on non-financial measurements is going to grow. We are just in the very early stages and companies can expect to see that multiply over time,’ he points out.
Omnipresent risks in the coming year – including regulatory compliance – mean governance, risk and compliance professionals may need to reassess their roles, according to a Diligent report giving an outlook on 2023.
The report notes, for example, that ESG and compliance teams will need to expand their roles to include risk management. Audit teams will need to ‘escalate new priorities, like macroeconomic risk and geopolitical uncertainty, in their day-to-day work,’ the report states. In addition, having effective governance will necessitate ‘comprehensive visibility of risk, in all its facets, by the board and by management.’