Weather the Disruption: Business Resilience Amidst Volatility

By Jonathan Shiery

Welcome to the Q4 2022 edition of Weather the Disruption, a quarterly newsletter intended to highlight the importance of Business Resiliency in today’s world. Our goal is to provide global regulatory updates, industry trends, best practices, and threats with the potential to impact our clients and sector. In this edition, we identify risks related to labor volatility and data management. Additionally, we observe efforts toward a new international standardization and continued action toward codification of business resiliency rules and regulations.

 

Opportunities to Build Resilience

Labor volatility, data protection, and increased global business risks are major issues faced by companies as they enter the new year. Opportunities exist to get ahead of each of these challenges to maintain a strong, resilient business.

Labor Volatility and a Shifting Workforce Strategy

High employee turnover in 2022 was evidenced by patterns of burnout, voluntary resignations, and increased compensation demands, resulting in costly talent acquisition efforts to drive growth. Recent cost-cutting amidst tight margins and an uncertain economic outlook is shifting such patterns, with high-profile layoffs in the tech and financial services sectors.

It is predicted that by 2025, labor volatility will cause 40% of organizations to report a material business loss. A responsive shift in workforce strategy from talent acquisition to talent retention can strengthen workforce and operating resilience.

Data Retention and Protection

As data production and consumption accelerate exponentially, businesses are challenged to retain and protect data in compliance with regulations and industry standards. Such challenges present opportunity, as data-savvy organizations are 11% quicker to remediate security incidents than those lacking a solid data foundation.

Anticipating Global Business Risks Facing Organizations

Business stability will continue to be tested in 2023, with rising operational costs, poor economic conditions, and the continued effects of conflict in Ukraine. Functional agility is key to navigating uncertainty, and thus guidelines, policies, and procedures should function as living documents to maintain responsive adaptability.

 

Regulatory Insight

There have been major regulatory changes surrounding Business Resiliency of late, with more expected. Notable changes include:

Amendments to Cybersecurity Rules at NYDFS

In November 2022, the NYDFS (New York State Department of Financial Services) released its second draft of proposed amendments to its Part 500 Cybersecurity Rules. These amendments require training on incident response plans, security vulnerability monitoring, annual internal and external systems penetration testing, and business continuity and disaster recovery plans, to proactively incorporate Operational Resilience into ongoing business functions.

European Council Adopts DORA Act

The Digital Operational Resilience Act (DORA) sets uniform EU requirements for the security of network and information systems of organizations in the financial sector and critical third parties. In the months following DORA’s formal adoption in November 2022, EU member states will codify aspects of this Act into law. Further, relevant European Supervisory Authorities will develop technical standards for financial services institutions, and member states’ respective regulatory bodies will begin compliance oversight and enforcement action.

 

Major Breaches and Disruptive Events

Here are recent notable events that have disrupted the industry this quarter:

Recent Data Breaches

Hackers have exposed cybersecurity system weaknesses by breaching companies, including Uber, Twitter, and Microsoft. In December 2022, an attack on a third-party vendor caused data to be stolen from Uber that included personally identifiable information of 77,000 Uber employees.

Ransomware Attacks in 2022

In 2022, 21% of global organizations were victims of a ransomware attack, of which 43% experienced a significant impact on their business operations. The proliferation of sophisticated cybercriminals calls for proactive and preventive cyber resilience implementation combined with existing detective tools and processes.

 

Business Resiliency Best Practices

Here are considerations for developing and enhancing a Business Resiliency program in 2023:

Best Practices in Operational Resilience

Business leaders are recognizing the benefits of integrating operational resilience into business strategy. The Global Resilience Federation’s Business Resilience Council published the Operational Resilience Framework in alignment with National Institute of Standards and Technology and International Standards Organization standards to facilitate critical service continuity for customers and stakeholders.

Operational Resilience adoption and integration is multifaceted—according to the Business Continuity Institute, decision-makers should focus on framework implementation, risk management, business continuity planning, and outsourcing.

 

Resiliency in a Net-Zero World

Firms not only have to navigate a changing risk environment, but also an evolving social environment. As firms respond to environmental and social change, they must also align their resiliency programs accordingly.

Emissions—Countries Set Goals, Companies Take Action

A majority of the world’s carbon emissions come from just a few countries. To date, 70 countries, including China, the United States and the European Union, have set a net-zero target, with pledges covering about 76% of global domestic emissions. The international corporate community’s embrace of net-zero commitments has strong potential to reduce carbon emissions, combat climate change, and ease the risk of natural disasters. Investing in reducing carbon emissions can have the long-term effect of reducing potential weather-related disruption events.

Jan-Willem Bode, Partner and Sustainability Lead at Guidehouse, opines: “Companies that have set science-based targets must move beyond pledging to action, and that requires developing a meaningful plan…reaching net-zero requires sustained supplier engagement in order to contribute to GHG reductions, leading to more resilient supply chains as well.”

 

Cybersecurity

To protect valuable company assets, firms must vigilantly manage cyber risk, security, and resiliency, especially amid the labor volatility in the market:

Labor Volatility and Resulting Cybersecurity Risk

Layoffs and workforce turnover introduce unique threats to organizations’ cybersecurity. Companies often have robust external system barriers. Combatting potential internal threats by current and former employees is equally important to risk reduction. According to research from Ponemon Institute, insider threat incidents have risen 44% over the past two years.

Cybersecurity Resiliency

The Cisco Security Outcomes Report, Volume 3: Achieving Security Resilience revealed that 96% of executives consider security resilience crucial, yet less than 40% are confident their organization would fare well during a cybersecurity event.

Jonathan Shiery, Partner

Chris Chen, Associate Director

Farinango Melany, Senior Consultant

Kevin Michels, Senior Consultant

