Navigating the Coming Regulatory Risk Tsunami With IRM

One of the primary characteristics of a major economic downturn is a subsequent wave of regulation. Why is this? Typically, as the tide of capital gains and outsized profits recedes, a host of problems are exposed. As Warren Buffett famously exclaimed, “only when the tide goes out do you discover who has been swimming naked!” We are experiencing that now with the added impact of the Great Pandemic. As a result, what we face is no ordinary regulatory wave — it is a tsunami on the way. 

Keep in mind how a tsunami differs from a wave — it’s a wall of water generated by a seismic event on the seafloor. It generally goes unrecognized at sea, and a network of buoys on the ocean is needed to truly understand the speed and size of the surge heading for the shore. As it nears shore, the tide recedes abnormally. In the world of regulatory risk today, there are many different buoys and signals working together to alert us to an impending sea change. We are also experiencing the receding tide, leading me to conclude that a regulatory tsunami is near. By exploring some of the early signs, we can determine how best to prepare.

Regulatory Sea Changes on the Horizon

When we look at the regulatory environment, our buoys indicate a change. For example, in the world of ESG reporting, enforcement agencies are raiding the offices of Deutsche Bank or launching investigations into Goldman Sachs for “greenwashing” — false operational metrics related to environmental sustainability performance. That’s why we’re seeing regulations emerge in the EU, UK, and US concerning greater climate risk disclosure. The need for assurances around ESG then creates a host of financial undercurrents. A projected $53 trillion in assets will be tracked under ESG management in 2025. Another buoy is related to digital transformation. Companies will spend $1.8 trillion investing in digital transformations this year alone. The “internet of things” buoy projects up to $12.6 trillion in value for IoT products and services. As a result, the European Union just reached an agreement on the Digital Operational Resilience Act (DORA). While the initial focus is on digital services and products in the financial sector, it has the potential to expand its reach into third-party tech and communications providers.

Gartner surveyed global boards of directors and learned the top three business priorities in 2022 and 2023 are digital technology initiatives, workforce, and ESG. Businesses are facing hiring pressure compounded by workforce issues stemming from the need to find highly skilled staff in a time of reduced headcount. This folds in with digital and ESG concerns, as companies look for digital solutions to make their workplace appealing, and potential employees want to work for companies with responsible climate initiatives, strong workplace health and safety, and more. It’s all connected. Risk management is also a priority for boards that recognize the discipline needs greater attention, investment, and maturity for organizations to be successful in the future. 

Applying Lessons Learned From Recent History

As the economy weakens further, and the waters start dramatically pulling back from the shore, previously hidden issues are suddenly and shockingly exposed. They can simply no longer stay hidden. This is strikingly similar to the dot-com crash in the early 2000s. The crash led to the exposure of accounting fraud, and we had Enron, WorldCom, and other companies failing due to misstated or inaccurate financial reporting. Ironically, the resulting regulatory wave hit 20 years ago almost to the day — July 30, 2002. This is when the US Sarbanes-Oxley Act of 2002 became law. The ripple effects from that wave led to a host of regulatory requirements and improvements in internal controls over financial reporting. 

With the combined economic and operational challenges from the Great Pandemic of 2020, organizations face a third problem today also experienced in a more recent downturn — the Great Recession of 2008. The core element leading to the Great Recession was the systemic risk opacity of credit markets specifically related to mortgage-backed derivatives. There was no visibility and understanding of the counterparty relationships between the buyers and sellers of these securities. Thus, when the underlying mortgages began defaulting en masse, there was no clear direction of how to plug the credit funding gap. So, again a regulatory wave ensued with the passing of the US Dodd-Frank Act in 2010. 

The similarity to today’s crisis is the systemic risk opacity. However, rather than systemic credit risk, it is found in systemic operational risk. Once isolated to individual companies, operational risks have rapidly expanded to systemic proportions due to the nature of global business today. Multinational supply chains, outsourcing/offshoring agreements, and connected data networks have created an environment of operational risk opacity due to their complex nature. When a risk event occurs, the impact is shared — as we are seeing in the current supply chain disruptions. However, the remedy is not easy to identify because there is limited visibility and understanding of the complex relationships and related operational risks.

Organizations need speed, agility, and effectiveness to respond to and recover from a major operational risk event, but many risk professionals today are simply not equipped to see where the impacts are derived. It’s more important than ever for audit, risk, and compliance professionals to come together to provide leadership with guidance and a real-time view of the organization’s top risks to enable risk-informed decision-making.

Prepare for the Regulatory Tsunami With IRM 

The soon-arriving regulatory tsunami will focus on reducing the systemic operational risk opacity. Given the interconnected nature of business, the only solution is an integrated risk management (IRM) approach. IRM is designed to synthesize existing risk management programs to provide a more comprehensive view of operational risk — both within and outside an organization. To see more clearly, every organization, no matter the size, industry, or location, must view risk through four integrated risk lenses: performance, resilience, assurance, and compliance.

Leaders need a full understanding of the related nature of these risk lenses in order to focus on the areas of greatest risk to the organization. IRM takes a highly integrated view of risk across all areas — with visibility bottom-up and across the business units — and ties all of the information together in a tightly orchestrated fashion.

Early Warning Is In Effect

Today, we need tight communication between the buoys across local, national, and global markets to fully understand the coming regulatory risks and mitigate them quickly and effectively. Just as individuals who live in tsunami-prone areas must practice preparedness, those working in our sector need to brace themselves and take steps now in order to successfully withstand the coming regulatory risk tsunami.

John A. Wheeler is the Senior Advisor, Risk and Technology for AuditBoard, and the founder and CEO of Wheelhouse Advisors. He is a former Gartner analyst and senior risk management executive with companies including Truist Financial (formerly SunTrust), Turner Broadcasting, Emory Healthcare, EY, and Accenture.