ERM Forum: Cyber, climate, supply chains on the agenda

Emerging risks of cyber-attacks, the existential threat posed by climate change, and weak links in supply chain logistics, were the focus of speakers addressing this year’s Enterprise Risk Management (ERM) Forum.

“Supply chain risk is our number one risk; it’s risen in profile in recent years,” said Richard James, project manager, Nuclear Transport Solutions, speaking in a panel discussion.

Sitting on the same panel, Adriano Lanzilotto, vice president, client learning and development, FM Global, highlighted the importance of collaboration to mitigate threats such as climate change and supply chain risks.

“We should stop talking about supply chain and start talking about a supply matrix,” he said.

“Risk managers need to talk more because there are risks that can be prevented or fixed just by cooperating more effectively,” he added.

Examples include construction risks, energy storage, green-proofing construction works or collaborating on energy storage, he suggested. “All these things can mitigate but also introduce risks,” Lanzilotto said.

In firms’ focus on Environment, Social and Governance (ESG) risks, climate and the environment gets most attention, noted Greig Anderson, partner, Herbert Smith Freehills.

He emphasised the growing importance of the ‘S’ and ‘G’ elements, highlighting regulatory changes such as the implementation of the UK’s Modern Slavery Act, for example.

Authorities have expanded their focus to include supply chains, under the Act, he explained, with outsourcing strategies exposed to risks such as human trafficking.

“The legislation is getting teeth now, after initially being more aspirational. We’re now seeing supply chain transparency requirements,” Anderson said.

Supply chain risks are also inextricably mixed with cyber risks, he explained, highlighting the potential for hostile nation-state supply chain exposure as a result of cyber risk.

“It’s a minefield if the people within the risk function don’t fully appreciate where that sits in the supply chain,” he warned.

James noted that on questions of outsourcing and cyber risks, the nuclear sector’s strict security focus means testing supplier systems “to see if we can get into their systems”.

The vulnerability of remote desktop access to hacking was the focus of a ransomware attack simulation provided by Tiago Henriques, head of research, Coalition.

“Ransomware groups are like start-ups, not like a hacker in the basement,” he said.

“The moment Conti [a ransomware group] knows you have cyber insurance, you don’t get away from paying, and they know how much they can take from you,” he warned.

He urged organisations to focus on addressing vulnerabilities such as remote access for employees and which critical internal assets are exposed to attackers on the web. Small and mid-sized companies are particularly vulnerable, he warned.

Don’t waste too much time thinking about the transactions [of a ransomware attack], but focus on what are you exposing to the internet, and how you’re accessing machines and making remote backups,” he said.

“Backups, separation and segmentation. There’s a lot that you can do with the basics,” he added.

In the panel discussion, Lanzilotto focused on the interplay between cyber-attacks and consequential physical risks, such as a hack affecting temperature controls leading to spoilage of medical supplies, foods or other perishable cargoes.

James emphasised the focus on supply chain risk management, with a generation of globalisation and outsourcing trends being undercut by new geopolitical risk as well as heightened regulatory demands to “own the risk”.

Who is responsible within the business itself is an increased focus, between procurement, business teams and the risk function. “The way we approach it in my business is collaborative, the days are gone when managing supply chain risk could be done in a siloed way,” he said.

Anderson suggested that flexibility in how to manage supply chain risks is key. “There’s no right or wrong way to be looking at it. The important thing is to have a plan,” he said.

Plans then need revisiting often, to ensure they stay in date, he warned, meaning risk management is likely needed to play an integral part.

“Documents will say what should happen, but the issue is if they become out of date and inaccurate. If those plans sit in a silo, within a business unit or in procurement, that’s not going to be their focus, which means it is more likely to happen,” he warned.