November 2024

SGV thought leadership on pressing issues faced by chief executives in today’s economic landscape. Articles are published every Monday in the Economy section of the BusinessWorld newspaper.
25 November 2024 Aris C. Malantic and Benjamin N. Villacorte

Beyond Metrics: Creating lasting value in the "Age of And"

IN BRIEF:
CFOs are uniquely positioned to integrate sustainability into financial strategies and drive long-term value creation.
Advanced AI and data analytics offer CFOs powerful tools to enhance reporting accuracy and transparency.
By fostering deeper engagement with investors and stakeholders, CFOs can build trust and confidence in their company's sustainability commitments.

PULL QUOTE: "In the Age of And, CFOs must balance short-term pressures with long-term goals to drive sustained performance."

In today's rapidly evolving business landscape, the role of the Chief Financial Officer (CFO) has never been more critical in driving long-term value. Investors increasingly demand clear and credible narratives on how companies will create long-term value while managing immediate challenges. However, recent research highlights significant doubts among both CFOs and investors about the reliability of non-financial reporting and the achievement of sustainability targets.

The challenge of non-financial reporting

The 2024 EY Global Corporate Reporting Survey, which surveyed more than 2,000 finance leaders and 815 institutional investors globally, reveals a concerning level of skepticism about transparency and sustainability. Only about half of the finance leaders and investors surveyed believe that companies are likely to meet their stated sustainability targets. This doubt is compounded by perceptions of greenwashing, where companies are seen as overstating their environmental efforts without substantial action to back up their claims.

Non-financial reporting, particularly on sustainability, is still maturing. Unlike financial reporting, which is governed by well-established standards and metrics, sustainability reporting often relies on voluntary frameworks that vary widely. The lack of standardization can lead to inconsistencies and a lack of confidence in the reported data. CFOs therefore face the dual challenge of improving the quality of non-financial reporting while ensuring that it aligns with investor expectations and regulatory requirements.

Balancing multiple priorities in the Age of And

In what is termed the "Age of And," CFOs must balance short-term financial pressures with long-term strategic goals. This involves making informed capital allocation decisions that drive growth in areas such as artificial intelligence (AI) and sustainability while also meeting near-term performance expectations.

The "Age of And" reflects a business environment in which companies must simultaneously address multiple, often conflicting, priorities. For CFOs, this means developing strategies that ensure immediate financial stability and position the company for future growth. This balancing act requires a deep understanding of both financial and non-financial drivers of value, as well as the ability to communicate these effectively to investors and other stakeholders.

Building credibility in sustainability reporting

To address these challenges, CFOs must take proactive steps to enhance the credibility of their sustainability reporting. This involves understanding investor requirements, resetting non-financial reporting standards, and integrating sustainability into financial decision-making. By doing so, CFOs can provide the structured insights needed to distinguish their companies in the market.

One of the key steps in building credibility is ensuring that sustainability disclosures are backed by rigorous data and due diligence. This means going beyond mere compliance with reporting standards to provide a transparent and verifiable account of the company's sustainability efforts. CFOs should work closely with sustainability officers and other key stakeholders to develop robust reporting frameworks that can withstand scrutiny from investors, regulators, and the public.

The role of AI in enhancing sustainability

AI presents a significant opportunity to transform finance functions and enhance sustainability efforts. It can improve the efficiency of core processes, enhance data analytics, and generate insights that drive value creation. However, successful implementation of AI requires strong data and technology foundations as well as a responsible approach to building trust in AI systems.

AI can help CFOs address some of the key challenges in sustainability reporting by automating data collection and analysis, identifying trends and anomalies, and providing real-time insights into the company's performance. For example, AI tools can monitor sustainability metrics, track progress against targets, and identify areas where additional investment or action is needed. By leveraging AI, CFOs can improve the accuracy and reliability of their reporting while freeing up time and resources for more strategic activities.

Recommendations for CFOs

Enhance reporting credibility. CFOs should ensure that their sustainability reporting is backed by rigorous data and due diligence to avoid perceptions of greenwashing. This involves developing robust reporting frameworks, conducting regular audits, and engaging with stakeholders to ensure transparency and accountability. To give stakeholders additional comfort, CFOs and financial reporting teams should align sustainability reporting with financial and regulatory reporting implications and disclosures so that the two are consistent.

Leverage AI. Use AI to improve data analytics and decision-making, ensuring that the technology is built on solid data foundations and adheres to ethical principles. CFOs should invest in AI tools that enhance the efficiency and accuracy of their reporting while providing valuable insights into the company's performance. This includes developing a clear strategy for AI implementation, training staff in the use of AI tools, and establishing governance frameworks to ensure the responsible use of AI.

Engage with investors. Building deeper engagement with investors is crucial for gaining their trust and confidence. CFOs should communicate regularly with investors about the company's sustainability efforts, progress against targets, and plans for future growth. This includes providing detailed and transparent reports, hosting investor briefings, and seeking feedback from investors to understand their concerns and expectations.

Cultivate a sustainability-driven culture. CFOs should play a key role in fostering a culture of sustainability within the organization. This involves promoting sustainability as a core value, encouraging collaboration between departments, and providing training and resources to support sustainability initiatives. By embedding sustainability into the company's culture, CFOs can ensure that it becomes a key driver of long-term value creation.

Driving long-term value through sustainable practices

CFOs play a pivotal role in shaping the future of their organizations by providing credible, transparent, and forward-looking reporting. By addressing investor concerns and integrating sustainability into their financial strategies, CFOs can build trust and drive long-term value creation. In doing so, they position themselves as essential strategic partners to the CEO and the board, capable of navigating the complexities of the modern business environment.

The journey toward reliable non-financial reporting and sustainable value creation is challenging, but it is also an opportunity for CFOs to demonstrate their leadership and vision. By taking proactive steps to enhance reporting credibility, embed sustainable principles into their core operations, leverage AI, engage with investors, and foster a culture of sustainability, CFOs can ensure that their companies are well positioned for long-term success in the Age of And.

Aris C. Malantic is the Financial Accounting Advisory Services (FAAS) Leader, and Benjamin N. Villacorte is the Sustainability Services Leader, both of SGV & Co.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the authors and do not necessarily represent the views of SGV & Co.

18 November 2024 Joseph Ian M. Canlas and Christiane Joymiel C. Say-Mendoza

Harnessing the human element in cybersecurity

IN BRIEF:
Recognizing employees as the cornerstone of cybersecurity, organizations must shift from tech-centric defenses to fostering a vigilant, security-aware culture.
Comprehensive education and behavioral change strategies are essential to mitigate human-related security risks and reinforce a collective approach to cybersecurity.
A balanced strategy that combines technological tools with human oversight and continuous cultural development is key to maintaining a resilient cybersecurity posture.

PULL QUOTE: "Empowering employees with knowledge and vigilance is as crucial as technology in building a resilient cybersecurity defense."

In today's rapidly evolving digital landscape, cybersecurity threats are more sophisticated and pervasive than ever. While companies invest heavily in advanced technologies and security protocols, the most critical line of defense consists of their own employees. Despite robust security measures, organizations frequently find themselves vulnerable because of human error, negligence, or a lack of awareness. This reality underscores the urgent need for a shift in focus, from relying solely on technology to cultivating a culture in which every employee actively contributes to cybersecurity.

The critical role of human behavior in information security

The prevalence of cyber threats in our interconnected world is undeniable, and the assumption that technology alone can safeguard information security and privacy is a misconception. A security-conscious culture within an organization is essential to complement and enhance the technical safeguards already in place. IT risk management, therefore, must be a holistic practice that includes technological solutions and also addresses the human factors that significantly influence the security landscape.

The impact of human error on security breaches

Human error continues to be a significant contributor to security breaches: the 2024 Verizon Data Breach Investigations Report found that 68% of breaches involved a non-malicious human element. According to IBM, the financial repercussions are staggering, with the global average cost of a data breach in 2024 reaching USD 4.88M, the highest total ever recorded. This figure covers direct financial losses as well as the long-term reputational damage that organizations suffer following a breach. Case studies from various industries show that breaches often stem from a lack of awareness or negligence, underscoring the importance of addressing human error as a critical component of cybersecurity strategies.

Understanding human behavior in cybersecurity

Delving into the psychological and behavioral aspects of cybersecurity reveals that human actions are often the weakest link in the security chain. Common risky behaviors such as password reuse, oversharing on social media, and susceptibility to phishing and social engineering can significantly compromise an organization's security. To mitigate these risks effectively, it is imperative to understand the underlying motivations and cognitive biases that drive such behaviors and to develop targeted strategies that promote secure practices.

To combat the risks associated with human behavior, organizations must implement comprehensive and continuous education programs that raise awareness of the dangers of insecure practices and actively engage employees in adopting and maintaining secure habits. These programs should be dynamic, incorporating real-life scenarios and practical exercises that resonate with employees and foster a sense of personal responsibility for cybersecurity.

Building and sustaining a security-conscious culture

Creating a security-conscious culture begins with engaging and effective training programs. These programs should capture employees' attention and give them the knowledge and skills to recognize and respond to cybersecurity threats. Leadership commitment is crucial in reinforcing the importance of these programs, ensuring that security awareness is an ongoing priority rather than a one-time event.

A human-centered approach to designing security processes and IT risk management is essential. By considering the user experience and applying the principles of secure-by-design and human-centered design, organizations can create systems and processes that naturally encourage secure behaviors. Promoting security champions within teams can further embed security awareness into the fabric of business operations.

The responsibility for maintaining a secure environment extends beyond the cybersecurity function or the Chief Information Security Officer (CISO). It is a collective responsibility that requires the engagement and participation of every employee. By instilling a culture in which security is viewed as a shared obligation, organizations can create a more resilient and vigilant workforce capable of defending against cyber threats.

Technology and human oversight: a balanced approach

While technology plays a vital role in supporting good security habits through tools such as two-factor authentication and password managers, human oversight remains indispensable. Employees must be trained to understand the limitations of these tools (one-time codes, for instance, can still be phished in real time, and a password manager cannot stop a user from approving a fraudulent login prompt) and to remain vigilant in their daily activities, ensuring that security practices are consistently applied.

The balance between automating security processes and maintaining human oversight is particularly important in Zero Trust models. These models, which integrate privacy, security, and cyber resilience, grant no implicit trust on the basis of network location; they rely on a combination of technology and human insight to verify the identity, device, and context behind each request before granting access to sensitive resources.

Evaluating the effectiveness of security awareness programs is critical to ensuring that they meet their objectives. Organizations should employ strategies for continuous improvement, staying abreast of emerging threats and adapting their programs to the evolving cybersecurity landscape.

Securing the future

Fostering a culture of security and privacy awareness is a collective endeavor that requires the active participation of every individual within an organization. By integrating the human element into IT risk management strategies, organizations can build a resilient defense against cyber threats. Continuous education and cultural evolution are imperative in promoting this balanced approach to risk management, ensuring that organizations remain vigilant and prepared to face the rapidly evolving cybersecurity challenges of the digital age.

Joseph Ian M. Canlas is a Risk Consulting Partner and ASEAN Core Consulting Quality Leader, and Christiane Joymiel C. Say-Mendoza is a Risk Consulting Partner, both of SGV & Co.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the authors and do not necessarily represent the views of SGV & Co.

11 November 2024 Joseph Ian M. Canlas and Christiane Joymiel C. Say-Mendoza

Managing third-party risk

IN BRIEF:
Shifting from traditional Third-Party Risk Management (TPRM) to agile, real-time methodologies is crucial given the intricate interdependencies and evolving cyber threats in IT operations.
Proactive TPRM, powered by AI, enables organizations to predict and respond to third-party risks swiftly, ensuring continuous IT security.
Embracing transparency and strategic collaboration with vendors fortifies TPRM, equipping organizations to handle emerging challenges and maintain robust IT systems.

PULL QUOTE: "Proactive and AI-powered TPRM is vital for navigating the complexities of today's IT ecosystems and effectively managing third-party risks."

In an era where technology is deeply integrated into business operations, managing third-party risk has become a critical concern for organizations worldwide. Traditional TPRM methods are being challenged by the fast-paced and complex nature of modern IT environments, where external vendors play a pivotal role in day-to-day operations. As reliance on third parties grows, so does the potential for risk, making it imperative for TPRM strategies to keep pace with the dynamic landscape of IT risks. This article explores the transformative approaches necessary for managing third-party risks effectively, ensuring that organizations can maintain robust IT operations amid the ever-present threat of external vulnerabilities.

The evolving landscape of TPRM in IT operations

The complexity and interconnectivity of modern IT operations demand a more agile and continuous approach to managing third-party risks. This necessity is underscored by the escalating frequency and sophistication of cyber threats, which can significantly impact IT operations. As businesses become more reliant on third-party vendors for essential services, the potential for risk exposure grows, highlighting the need for TPRM strategies that can adapt to new threats as they emerge. This requires a strategic shift from static, periodic assessments to a dynamic, real-time risk management model capable of identifying and mitigating risks promptly.

From static to dynamic TPRM: adapting to real-time threats

The transition from a traditionally reactive TPRM approach, characterized by annual assessments, to a more proactive and dynamic model marks a significant shift in risk management practice. It requires continuous monitoring of third-party activities to identify and address potential risks swiftly.

As an example, a global organization implemented continuous real-time monitoring tools to proactively assess third-party risks. By leveraging advanced analytics and real-time data, it was able to detect and mitigate vulnerabilities introduced by external vendors swiftly, enhancing its overall security posture. Continuous threat intelligence and monitoring solutions allowed the organization to detect and respond to third-party risks in real time, minimizing the window of exposure.

Integrating cyber threat intelligence (CTI) into this proactive TPRM framework offers a strategic advantage, transforming reactive security measures into a forward-thinking, intelligence-driven approach. By enabling real-time monitoring of potential vulnerabilities and emerging threats, CTI enhances the ability to share tactical intelligence with industry peers and conduct comprehensive risk assessments, thus strengthening the security posture of the extended enterprise.

The importance of this approach was starkly highlighted by the July 2024 CrowdStrike incident, in which a faulty content update pushed to endpoint sensors crashed Windows hosts worldwide, exposing gaps in third-party risk management and disrupting critical IT infrastructure. Incidents such as these serve as wake-up calls, prompting organizations to reevaluate their TPRM practices. The evolution of TPRM practices post-incident, focusing on lessons learned and the implementation of strategies to prevent similar issues, is essential for safeguarding IT operations against the ubiquitous risk of third-party threats.

Interdependencies between TPRM and IT operations

The interdependencies between TPRM and IT operations are becoming increasingly apparent as third-party failures, such as cybersecurity breaches or service outages, directly impact IT operations. These incidents can have cascading effects across an organization, affecting everything from data security to business continuity. For example, an organization that experienced a service disruption because of issues with a third-party provider strengthened its incident response and disaster recovery plans by implementing redundancy measures and conducting regular recovery drills. This integration of TPRM and IT operations ensured that the organization could recover swiftly and maintain operational stability during future vendor-related disruptions.

The integration of TPRM with IT disaster recovery and incident response planning is crucial for building resilience. Organizations must employ redundancy, backup systems, and other measures to mitigate the impact of third-party risks on IT operations. Understanding these interdependencies is vital for developing robust TPRM strategies that can withstand the ripple effects of third-party issues and maintain operational stability.

Navigating unforeseen changes and unvetted updates from vendors

The challenge of navigating unforeseen changes and unvetted updates from vendors is increasingly relevant in today's IT landscape. Vendors' software or service updates are sometimes released without comprehensive testing, and these can introduce significant vulnerabilities or compatibility issues. Organizations must develop adaptive response mechanisms to adjust to these changes quickly.

For instance, one organization faced unexpected compatibility issues when a vendor released a critical software update without thorough testing. In response, it established an automated testing environment to assess vendor updates before deployment, allowing seamless integration with existing systems and minimizing operational disruptions.

Such mechanisms include maintaining robust patch management processes, utilizing automated testing environments, and employing rapid deployment frameworks, such as staged rollout rings with an automated halt and rollback, so that a defective update reaches a small canary population before it reaches the whole fleet. By adopting such strategies, organizations can better manage the risks associated with unpredictable vendor changes and maintain the integrity of their IT infrastructure.

Future-proofing TPRM

Future-proofing TPRM strategies with advanced technologies and collaboration is essential for staying ahead of third-party risks. Leveraging AI and machine learning can provide predictive insights into third-party risks based on patterns and trends, enabling organizations to anticipate IT disruptions before they occur. For example, a logistics company used AI-driven predictive analytics to identify potential disruptions from third-party providers, such as delays caused by external factors. This allowed it to adjust operations proactively, minimizing risk and maintaining service continuity.

Enhancing vendor collaboration and transparency ensures that all parties are aligned on updates, vulnerabilities, and risks.
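The gated rollout that the section on unvetted vendor updates calls for, and the update alignment with the vendor just mentioned, as an added example that is not SGV's code nor that of any vendor named above: a Python script that rejects a vendor artifact whose hash does not match the manifest the organization pinned when it reviewed the release, then pushes the update through canary, pilot and fleet rings, halting at the first ring whose smoke-test failure rate exceeds a threshold. The artifact names and versions, the host inventory, the `min_agent_version` compatibility field and the `probe_host` smoke test are all constructed for the example.

```python
"""Staged, integrity-checked rollout gate for vendor updates.

Added example, not SGV's code. Assumptions (all constructed here): the vendor
publishes a release hash that the organization records in a pinned manifest
after review; each update declares the minimum agent version it supports; a
smoke test can probe a host after installation and report healthy/unhealthy.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class VendorUpdate:
    name: str
    version: str
    payload: bytes
    min_agent_version: int  # hypothetical compatibility field from the release notes


@dataclass(frozen=True)
class Host:
    hostname: str
    ring: str
    agent_version: int


@dataclass(frozen=True)
class GateResult:
    promoted: bool
    last_ring: str  # ring the update reached; "none" if rejected before any install
    reason: str


# Rollout order: a small canary ring takes the update first, the whole fleet last.
RINGS: Sequence[str] = ("canary", "pilot", "fleet")
MAX_FAILURE_RATE = 0.05  # halt if more than 5% of a ring's hosts fail the smoke test


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_integrity(update: VendorUpdate, pinned: Dict[Tuple[str, str], str]) -> bool:
    """True only if the artifact hashes to what was pinned for this name/version."""
    expected = pinned.get((update.name, update.version))
    return expected is not None and hmac.compare_digest(expected, sha256_hex(update.payload))


def probe_host(host: Host, update: VendorUpdate) -> bool:
    """Constructed smoke test: the update only works on agents at or above its minimum."""
    return host.agent_version >= update.min_agent_version


def gate_rollout(update: VendorUpdate, fleet: List[Host], pinned: Dict[Tuple[str, str], str],
                 probe: Callable[[Host, VendorUpdate], bool] = probe_host,
                 max_failure_rate: float = MAX_FAILURE_RATE) -> GateResult:
    """Verify the artifact, then promote ring by ring, failing closed at the first unhealthy ring."""
    if not verify_integrity(update, pinned):
        return GateResult(False, "none", "rejected: hash does not match the pinned manifest")
    for ring in RINGS:
        hosts = [h for h in fleet if h.ring == ring]
        if not hosts:
            # An empty ring would silently skip a stage; refuse rather than skip.
            return GateResult(False, ring, f"halted: ring '{ring}' has no hosts to test on")
        failed = [h.hostname for h in hosts if not probe(h, update)]
        if len(failed) / len(hosts) > max_failure_rate:
            return GateResult(False, ring,
                              f"halted in '{ring}': {len(failed)}/{len(hosts)} hosts failed smoke test: {failed}")
    return GateResult(True, RINGS[-1], "promoted: every ring passed the smoke test")


# --- Constructed sample data: two reviewed releases and a small three-ring fleet ---
GOOD_V2 = b"sensor-content 2.0: detection rules ..."
GOOD_V3 = b"sensor-content 3.0: detection rules, new parser ..."
PINNED_MANIFEST: Dict[Tuple[str, str], str] = {  # hashes recorded at review time
    ("sensor-content", "2.0"): sha256_hex(GOOD_V2),
    ("sensor-content", "3.0"): sha256_hex(GOOD_V3),
}
FLEET: List[Host] = [
    Host("canary-01", "canary", 7), Host("canary-02", "canary", 7),
    Host("pilot-01", "pilot", 7), Host("pilot-02", "pilot", 7),
    Host("pilot-03", "pilot", 6), Host("pilot-04", "pilot", 7),
] + [Host(f"srv-{i:02d}", "fleet", 7) for i in range(1, 10)] + [Host("srv-10", "fleet", 6)]


def demo() -> Dict[str, GateResult]:
    """Three rollouts: a compatible update, one that breaks the pilot ring, and a tampered artifact."""
    v2 = VendorUpdate("sensor-content", "2.0", GOOD_V2, min_agent_version=6)
    v3 = VendorUpdate("sensor-content", "3.0", GOOD_V3, min_agent_version=7)
    tampered = VendorUpdate("sensor-content", "2.0", GOOD_V2 + b"\x00", min_agent_version=6)
    return {label: gate_rollout(u, FLEET, PINNED_MANIFEST)
            for label, u in (("v2", v2), ("v3", v3), ("tampered", tampered))}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:9s} promoted={result.promoted} ring={result.last_ring} {result.reason}")
```

Two design points are worth noting. The pinned hash only protects against an artifact that differs from the one reviewed; it does nothing against a vendor's own defective release, which is exactly why the rings exist, and why a release that passes the canary but breaks one pilot host out of four is stopped there rather than reaching the fleet. The 5% threshold is deliberately strict for a two-host canary ring (any single failure halts the rollout), and in production the probe would be a real post-install health check and the halt would trigger rollback of the ring already updated.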
Additionally, the continuous integration of feedback from IT incidents, risk assessments, and cyber threat intelligence into the TPRM framework drives ongoing improvement, keeping TPRM strategies effective and aligned with the evolving IT landscape while providing organizations with actionable intelligence, facilitating informed decision-making, and fostering a proactive security posture.

Evolving together – the future of TPRM in IT-driven environments

As IT operations continue to evolve at a rapid pace, the need for an evolving, dynamic approach to TPRM becomes increasingly apparent. Organizations must view TPRM as an integral component of their IT strategy and resilience planning rather than as a mere compliance requirement. Managing third-party risk in an IT-centric world requires a forward-thinking approach that embraces advanced technologies, collaboration, and continuous improvement. By adopting dynamic TPRM strategies and treating them as integral to IT strategy, organizations can confidently and effectively navigate the challenges of an IT-driven environment and secure their operations for the future.

Joseph Ian M. Canlas is a Risk Consulting Partner and ASEAN Core Consulting Quality Leader, and Christiane Joymiel C. Say-Mendoza is a Risk Consulting Partner, both of SGV & Co.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the authors and do not necessarily represent the views of SGV & Co.

04 November 2024 Christiane Joymiel C. Say-Mendoza and Joseph Ian M. Canlas

Key components for strategic risk management

IN BRIEF:
Board surveys reveal a pressing need for more effective risk management, with several boards recognizing room for improvement.
The strategic empowerment of CROs is essential to navigate the complex risk landscape and capitalize on emerging opportunities.
Implementing a connected risk approach and embracing technology are key steps to advancing risk management practices and driving organizational value.

PULL QUOTE: "As organizations strive for resilience amid escalating risks, empowering CROs is essential. They must break down silos, foster collaborative interactions, adopt a connected risk approach, and harness technology to modernize risk management strategies."

In an era where risk landscapes are rapidly evolving, the role of Chief Risk Officers (CROs) has never been more crucial. The 2023 EY Global Board Risk Survey revealed a stark reality: 60% of boards agree that emerging risks are insufficiently addressed in risk management. Looking ahead, the survey suggests that boards need to strengthen their governance structures, processes, and knowledge to improve oversight of both risks and opportunities.

The survey further underscores the urgency of robust risk management, identifying various risks poised to severely impact organizations in the coming year. From geopolitical events and supply chain disruptions to cyberattacks and changing customer demands, the array of threats is diverse and daunting. Notably, while certain risks such as changing customer demands have decreased in perceived importance since 2021, others such as misaligned culture and increased remote working have surged in significance.

Empowering the risk steward/Chief Risk Officer (CRO)

Successful risk management rests on the empowerment of the CRO. In many non-regulated sectors, this role is not formally recognized within the C-suite, despite the intense demands on risk leaders. As the complexity of the risk environment evolves, the need for CROs to collaborate closely with executive management and the board becomes paramount.

Boards now expect executive management to identify risks and uncover the opportunities they may present. For example, a competitor's new joint venture could be seen as a threat, but from a strategic standpoint it might also represent an acquisition target or potential partnership. Additionally, boards are calling for a deeper understanding of interconnected risks and their second-order impacts, such as the multifaceted challenges posed by climate change.

CROs must be fully integrated into the business strategy and kept abreast of emerging megatrends that could affect the organization. Their insights are invaluable for mitigating downside risks and seizing "upside" opportunities. To be effective, CROs need clear and open communication channels with other senior executives and should be involved in regular management reporting, including strategies, business plans, and investment proposals.

Successful risk stewards are characterized by their ability to break down organizational silos and work across all lines of defense. They understand the cultural risk appetite and can motivate leaders to adopt a common risk definition. Their experience in prioritizing risk outcomes is crucial for organizational performance.

Connected risk approach

A connected risk approach leverages improved data access built on a common risk taxonomy, implements dynamic risk assessment methods that adapt to the changing business environment, and coordinates risk response and reporting across all Three Lines (management; risk and compliance teams; and internal audit). This approach unifies data on a common platform, offering continuous refresh capabilities and creating value through analytics and dashboards for better risk management planning.

To execute a connected risk approach, an integrated risk taxonomy is essential. It provides a single view of risk by connecting data from traditionally siloed functions across the Three Lines. This enables rapid identification and assessment of the risks that matter. Building a dynamic risk assessment is a collaborative effort that must be comprehensive and flexible, incorporating new data and market changes for agility.

The dynamic risk assessment process includes orienting the mandate to manage risk, identifying risks through data-driven inputs, prioritizing current risks, and responding in a manner that fits the organization's risk posture. It incorporates qualitative assessments, quantitative metrics, risk performance measured against the common taxonomy, and external data to challenge internal risk assessments.

Technology-enabled risk management

The 2023 EY Global Board Risk Survey indicates that only 31% of boards say their oversight of risks related to digital transformation is very effective, while 19% say it is only slightly effective or less. Traditional risk management, which relied on professional judgment and manual processes, must evolve to take advantage of automation and data analysis capabilities.

Integrated Risk Management treats risk and compliance activities as an enterprise-wide responsibility, promoting transparency and better decision-making. Automation can take over low-value manual tasks and free up management time to focus on emerging risks, while data collection and monitoring can be automated to run in real time and flag issues earlier. Cloud and AI technologies can execute complex scenario analyses and reveal insights into risk interdependencies.

An integrated risk platform is foundational for connected risk capabilities, storing and modeling the relationships between the various data sources. This unified technology solution provides better insights, enabling a common risk ecosystem, consolidating risk management activities, and managing customer expectations through informed risk-taking.

Fostering resilient risk leadership

To be risk resilient, boards need to understand the full spectrum of current and emerging risks that could impact the organization. CROs can swiftly generate value by aggregating risk registers into a comprehensive risk landscape and conducting collaborative sessions to unify risk definitions across the organization. This establishes a centralized framework and common taxonomy, essential for integrating risk management with strategic and operational planning. By embedding risk considerations into decision-making and employing technology for automation, CROs enhance the organization's proactive risk posture, turning risk management into a strategic asset for resilience and success.

As organizations strive for resilience amid escalating risks, empowering CROs is essential. They must break down silos, foster collaborative interactions, adopt a connected risk approach, and harness technology to modernize risk management strategies. The strategic empowerment of CROs is not just beneficial; it is imperative for safeguarding and driving value.

Christiane Joymiel C. Say-Mendoza and Joseph Ian M. Canlas are Business Consulting Partners of SGV & Co.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the authors and do not necessarily represent the views of SGV & Co.
