BUILDING RESILIENCE
Managing risk in a fast-changing environment
CLOUD ADOPTION
The future’s bright
CRYPTO
From underground to mainstream
FINTECH
Influencing the industry
RISKTECH
Integrating new technology into risk processes
CYBER
The next big threats
SOCIAL
Developing the S in ESG
TECHNOLOGY | RESILIENCE | ESG | TPRM
ISSUE 4 – JUN-AUG 2022
www.cefpro.com/magazine
CONNECTING THE RISK COMMUNITY
Sean Titley, Director of Enterprise and Operational Risk, Metro Bank
It’s been fantastic to get back to face to face meetings and conferences after what feels like forever. I thoroughly enjoyed being part of the panel for CeFPro’s New Generation Operational Risk Europe event in March, as well as attending this summer’s Risk EMEA Conference. Not only did they provide the opportunity to keep up with developments in the risk world, but they also allowed me to network with like-minded practitioners, vendors, and consultants at the cutting edge of delivering against ever more exacting requirements and practices. You can read the full review of Risk Americas (Risk EMEA’s sister event) on p16-17 and pick up the key findings from CeFPro’s Vendor & Third Party Risk USA on p18-19.
As well as event reviews, this issue of iNFRont features a variety of articles on the latest industry hot topics, including the movement of internal and third-party systems to the cloud. This is a particular focus for UK regulators, especially in relation to concentration risk to critical third parties. Other areas of regulatory focus include reliance on fourth parties or ‘sub-outsourcing’ and resilience, both of which were debated heavily at the panel sessions in which I took part. We concluded then that, although banks had worked at pace to meet regulatory deadlines for improvements to operational resilience and managing third-party risk and outsourcing, that was just the beginning.
All UK financial institutions are working to make continuous improvements to their ability to provide a robust service to customers. We agreed that it is important to recognize that at times, issues happen which may disrupt services; therefore, as well as working to prevent them from occurring in the first place, we must also be nimble in adapting and responding to them, as well as recovering and learning from disruptions as they occur.
We hope you find this fourth edition of CeFPro’s iNFRont magazine stimulating and useful. We welcome contributions from industry professionals to future issues. This is a magazine written by practitioners for practitioners, so please do get in touch if you have something to share.
We welcome contributions. If you or your organization are interested in featuring in our next issue, please contact editor@cefpro.com
ADVERTISING & BUSINESS DEVELOPMENT
If you are interested in sponsorship and advertising opportunities, please contact: sales@cefpro.com
HEAD OF CONTENT & EVENT PRODUCTION
To participate in our research and forthcoming conferences, please contact Alice Kelly: alice.kelly@cefpro.com
MARKETING INQUIRIES
To discuss media and marketing collaborations or to join us at our conferences, please contact Ellie Dowsett: ellie.dowsett@cefpro.com
PUBLISHER: Andreas Simou, andreas.simou@cefpro.com
MANAGING EDITOR: Kate O’Reilly, kate.oreilly@cefpro.com
HEAD OF DESIGN: Natasha Marino
www.cefpro.com
MAGAZINE ADVISORY BOARD
Dominique Benz, Head of Business Controls, Mizuho
Angela Johnson de Wet, Cloud Enabled Business Transformation – Head of Function, Lloyds Banking Group
Mike Guglielmo, Managing Director, Darling Consulting Group
Ty Lambert, CRO, Cadence Bank
Sean Titley, Director of Enterprise and Operational Risk, Metro Bank
Alpa Inamdar, Transformation Leader, AIG
Sabeena Liconte, Chief of Compliance, ICBC
Philip White, Head of Transformation Strategy & Reporting, Group Non-Financial Risk (GNIF), Danske Bank
Michael Jacobs, Lead Quantitative Analytics and Modeling Expert, PNC
Oskar Rogg, MD, Head of Treasury, Americas, Credit Agricole CIB
Ken Wolckenhauer, VP, Vendor Management, Nordea Bank, New York Branch
CLOUD ADOPTION: THE SKY’S THE LIMIT
WITH CLOUD ADOPTION INCREASING AT A RAPID PACE ACROSS THE FINANCIAL SERVICES INDUSTRY, WHERE DO YOU SEE ITS FUTURE OVER THE NEXT THREE TO FIVE YEARS?
Sandeep: The use of cloud-based services will likely continue to accelerate the technology transformation among financial services firms. Organizations are adopting cloud-based services in efforts to enhance business agility and operational efficiency, as well as to monitor and manage risk.
The cloud provides greater scalability, resiliency, and flexibility than more monolithic on-premise data centers. Just as the web provides services and applications with on-demand and always-on capabilities that were not possible with traditional local desktop computers, the cloud is facilitating a similar paradigm shift. It allows compute resources to be spun up and down to enable computing tasks to be performed much more quickly when needed, while simultaneously releasing them during periods of lower demand.
In addition, the level of resiliency provided by the cloud through multi-zone and multi-region capabilities materially reduces single points of failure compared to on-premise data centers. This is because if there is a failure in one zone or region, there are many more levels of redundancy than in a typical on-premise data center, where there are often just one or two levels of backup.
Sandeep Maira, Managing Director, Strategic Systems, Options Clearing Corporation
Santosh Shetty, Director, MCCR, Market & Counterparty Credit Risk, RBC
Santosh: Opportunities are driven by an organization’s goals. In my experience, immediate benefits can be realized by migrating applications which are self-contained and have lower integration requirements. Applications of moderate complexity should be moved next, followed by complex applications.
Cloud use will mature and find increased acceptance across financial services. The benefits it provides in terms of flexibility and cost optimization are driving migration across various financial domains. Cloud vendors are making it easier to address regulatory and government concerns on data locality and privacy. Of course, they are doing so out of self-interest to enable greater adoption. This creates a virtuous cycle whereby adoption drives increased features, which in turn drives further adoption.
As these governance and compliance hurdles are overcome, most financial services firms will move their applications to the cloud. This will gain traction and momentum over the next three- to five-year timeframe. Migration processes will also be fine-tuned, and lessons learnt from ongoing migrations will be applied to future migrations. Initial migrations are painful owing to lack of expertise and domain knowledge. As a result, most organizations are moving with smaller apps to begin with and learning from their experience.
Google, Microsoft, and Amazon are now signing strategic partnerships with most FIs. There are other vendors; however, the ‘Big Three’ provide better integration and services owing to their active developer communities. Does it lead to concentration risk? Yes, but organizations are adopting mitigation in the form of hybrid implementations with solutions like OpenShift from IBM. The future of cloud is bright!
WHAT ARE SOME OF THE MAIN CHALLENGES WHEN MANAGING CLOUD PROVIDERS AS A THIRD PARTY?
Sandeep: Protecting data in the cloud is one of the most important challenges to manage. Key considerations include privacy and cyber risks, so understanding and guarding against these risks is crucial.
Firms like OCC are operating increasingly complex infrastructures, including legacy systems, cloud architecture, and on-premise data centers. This requires a robust network security configuration and identity access management strategy to ensure that all users – including employees, market participants, and service accounts for systems – are granted least-privileged access to the network, applications, and data.
Santosh: Cloud providers have their own terms of usage – SLAs – which may not be perfect for a particular organization. Firms must therefore determine applicability to their specific use case. With cloud providers making it simple to add capacity, having a form of control on usage is essential to avoid runaway costs. Cloud adoption also requires a mindset shift regarding application architecture and operational readiness. In addition, managing culture shift across teams is a primary challenge.
Finally, technical resource shortage is an ongoing issue, which has been exacerbated by the pandemic. Massive upskilling in terms of subject matter experts who also have domain knowledge of various financial services will be a key differentiator on the path to successful adoption.
WHAT ARE SOME OF THE POTENTIAL COST BENEFITS OF MOVING TO THE CLOUD?
Sandeep: The cloud enables dynamic horizontal scalability. Unlike traditional data centers, infrastructure can be provisioned on demand so that costs are only charged for services and processing when they are in use. If executed well, this can enable both faster processing during peak times and lower total costs.
OCC is undergoing a multi-year initiative to redevelop and modernize our technology infrastructure. Our new core clearing, risk management, and data management platform is designed to:
• Enable secure, efficient, and reliable operations with a modern and modular platform.
• Provide services and tools to our clearing members that promote transparency and market integrity.
• Streamline new product development processes to support participant exchanges.
Santosh: There are multiple ways to reap cost benefits from moving to the cloud, not least as a result of decommissioning legacy hardware (like mainframes). Cloud vendors charge by the hour, so moving applications which are run intermittently is another option that can lead to financial benefits.
For high-performance computing solutions, cloud vendors provide burst options and elastic compute capacity options; significant savings are also possible here. In addition, the cloud reduces the requirement for expensive, round-the-clock maintenance support. Given the current shortage of technical staff, this is another major avenue to improve costs.
Assuming applications are well-architected and containerized, cloud applications can also deliver substantial savings by eliminating or reducing technology currency costs. These are just some of the ways to ensure a fair return on any investment in cloud adoption.
CAN YOU SHARE ANY BEST PRACTICE IN ENSURING TRANSPARENCY AND DEVELOPING CONTROLS FOR CLOUD VENDORS?
Sandeep: At OCC, we plan to use third-party tools to automate appropriate role-based access and to implement key components of a zero-trust control environment. In essence, this means ubiquitous authentication and encryption via use of an automated public key infrastructure. This will be coupled with responsive, highly available authentication/authorization tools and management strategies to ensure appropriate industry standard security controls are in place for sensitive data, both in transit and at rest.
Santosh: Close monitoring of technology spend regarding cloud resources is required to ensure firms reap the maximum benefits of cloud migration. Data-related privacy and locality regulations are being pushed through around the world. This necessitates establishing controls and monitoring systems to ensure governance and compliance. If done right, these controls can provide additional benefits in terms of data security.
IN SUMMARY
From an industry standpoint, heavily regulated institutions will likely move more of their processing to the cloud in the future. This is because their applications include risk management models that require high compute needs and data analytics that span wide and deep data sets. Other use cases include distributed computing-based solutions such as blockchain where nodes can run in multiple centers.
Problems that require distributed computing and flexible infrastructural capacity are natural fits for cloud compute environments. For example, blockchain-based solutions typically require consensus across distributed compute nodes where the nodes can run in multiple centers, which can be easily achieved in the cloud. Other trends include cloud-based software as a service (SaaS) solutions.
The future of cloud adoption within financial services will be one of the key topics under discussion at CeFPro’s Customer Experience and Digital Banking USA event, Nov 1-2, 2022, NYC. For more information or to book your place, go to www.cefpro.com/cx-digital-usa or see p20.
RISKTECH: INTEGRATING NEW TECHNOLOGY INTO RISK PROCESSES
At CeFPro's recent Risk EMEA event, which took place in London this June, the topic of emerging technology within risk management was a key agenda item. Here, we summarize the main points shared by our panelists on this critical area...
A key driver behind the implementation of new technology for risk management is the Basel Committee on Banking Supervision (BCBS), which is committed to increasing the standardized measurement approach (SMA). Previously, an institution could carry out internal modeling, but the BCBS now requires an SMA towards operational risk management based on loss data for certain risks. As a result, banks may have to allocate additional capital to risk processes, impacting remuneration and driving efficiency requirements.
DATA: QUALITY NOT JUST QUANTITY
In a world of increasingly complex transactions, risk managers’ time is being consumed by changes to the transaction landscape across all areas. This is yet another example of the need for efficiency within an organization, to limit labor-intensive tasks when reviewing transactions.
Data management remains vitally important. Leveraging data to make more informed decisions is increasing exponentially but firms must consider not just the volume of data they are assessing, but also the clarity. Does it make sense? Can it be used to make an informed decision or is further data required? Quality of data is increasingly difficult for risk managers to review, prompting many to seek an overview through tools such as advanced analytics and intelligence applications, etc.
A way to enhance efficiency regarding data is to implement new technology into risk management processes. However, many organizations remain constrained when it comes to resources; very few have the ideal set-up and additional assistance is almost always required, further driving the need for additional risk management technology. As well as assistance, to successfully integrate technology into risk management processes, investment and a change-leader mindset are also required.
EXPLORING THE BENEFITS
Risktech is a term relating to the new technologies that firms are looking to introduce. For example, analytics technology is replacing visualization tools such as Excel, PowerBI, and Tableau. Bringing together siloed data from various departments, spreadsheets, and models into one place is a key use of such new technologies. Building in data integration is essential to ensure that organizations are not looking at static data and spreadsheets but are instead reviewing live feeds coming from changing data sources – a real-time dashboard that enables firms to make intelligent risk decisions. This is where extraction, transformation, and loading technologies can come into play; extracting data from a changing data source and transforming it so that risk managers can visualize it in a beneficial way.
As data is stored across so many areas, very little enterprise data warehousing (EDW) takes place. For example, within an organization, employees will use a common level of workstation, each containing some level of logging. All these logs need to be stored and visualized in a way that enables actionable alerts; this is where EDW technology comes in.
TECHNOLOGY PIONEERS
Credit risk has been using technology for decades: the decision to finance a loan to a customer or corporate entity is taken from data points scattered across various sources, either external to the firm or across the organization. Companies use external sources such as rating agencies to score customers and gain credit insight; many also now look to social media as a factor to assess whether an individual or company is creditworthy.
Similarly, compliance and regulatory teams have been leveraging technology to investigate money laundering, as well as when monitoring and processing transactions, using automated pre-transaction checklists to ensure that they comply with sanctions and money laundering frameworks, etc.
THE EVOLUTION OF RISKTECH
Within the area of operational risk management, technology has advanced rapidly. The framework has been specifically defined and several use cases are emerging where new technology is consistently being used. One such example is fraud management.
For instance, many organizations previously held a narrow view of fraud controls: they looked at their indicators and if they were above the set threshold, they would qualify that as fraud. As the world continues to evolve, firms now need to consider areas such as anti-money laundering, sanctions, a customer’s IT set-up, etc., to determine whether a fraud is being committed.
The whole area of fraud has expanded to encompass a wider scope. With that wider scope comes greater data requirements and the need to process, feed, and visualize the data to identify indications of fraud. In this situation, a data lake can be useful (a centralized repository designed to store, process, and secure large amounts of structured, semi-structured, and unstructured data), combining any number of logs coming in from various systems and areas. It can then be fed with correlations to detect weak signals for fraud management. This is a prime example of where new technologies can make a significant difference.
POTENTIAL WITHIN CYBERSECURITY
Cybersecurity is another area that warrants the use of new technologies, primarily because of the amount of data that cyber produces. One example is security information and event management (SIEM) tools, which capture every log from user workstations and from the servers where applications are hosted. Data is correlated to provide an overview of whether unauthorized access has occurred. This again is a use case for technology to be enhanced and leveraged in a risk management environment.
CONCLUSION
There has been an increase in new technologies for credit risk and operational risk, and IT will continue to evolve and deliver more in terms of efficacy and efficiency. With time and investment, risk technologies can help firms develop a wider view of enterprise risk management, although challenges remain regarding existing infrastructure and data siloes.
For further insight into advances in risk management, register for CeFPro's Operational Risk Management USA Congress (Oct 12-13, 2022, NYC), or see p14 for full details.
Ameet Barve
Former Managing Director and Management Board Member
Lloyds Banking Group in Frankfurt, Germany
ESG: SPOTLIGHT ON SOCIAL
RECENTLY, THE INDUSTRY HAS SEEN A BIG SHIFT IN FOCUS TOWARDS ESG, WITH CLIMATE CHANGE OFTEN DOMINATING HEADLINES. WHY IS IT SO IMPORTANT TO ENSURE THAT ATTENTION IS ALSO TURNED TOWARDS THE ‘S’ IN ESG?
The core principle behind ESG is one of social contract. If you look at the genesis of ESG, its predecessor was CSR (Corporate Social Responsibility), which comes from the concept of ‘social contract’. The economist Howard Bowen wrote a book in the 1970s that talked about the social responsibility of businessmen: providing jobs; being fair and honest in dealings with employees and customers; and becoming more broadly involved in the conditions of the communities in which they operate. This was when we started seeing the pivot from individual business owners like Andrew Carnegie and J.D. Rockefeller contributing to society, to corporations as a whole taking on a more socially constructive thought process.
Over the years, following perspectives from thought leaders like Sandra Holmes and Prof. Archie Carroll, this evolved into CSR. While as a concept, social contract and CSR have been around for a while, ESG (with all its accompanying regulation and guidance) has made it possible for organizations to quantify and articulate the steps they take in this space.
As this evolves, there are a couple of nuances to ponder:
• The possibility of using ESG as a lens to articulate value creation as opposed to just risk mitigation.
• With ESG regulation becoming more prolific, and pending development of metrics to articulate social initiatives, the inevitable drift in corporate mentality from doing what organizations deeply care about, to only those initiatives they can quantify and advertise.
WHAT ARE SOME OF TODAY’S KEY SOCIAL CHALLENGES, AS WELL AS THOSE ON THE HORIZON TO WHICH WE SHOULD BE PAYING MORE ATTENTION?
The majority of the challenges we see are prolific in terms of ESG – they either stem from, or cascade into, each of the elements of E, S, and G. What can be termed as ‘key’ is a rather personal view. I tend to apply two lenses – the tactical ‘urgent and immediate’, such as climate change; and the strategic ‘urgent but with sustained, longer-term impact’, such as gender equity, racial equality, and overpopulation and its cascade effects (refugee crises, food, water and healthcare access, education, etc.).
Because of how society has evolved, many of the environmentally focused elements have become immediate and urgent. On the other hand, the socially focused elements are also urgent and will have a strategic impact.
"All elements of E, S, and G overlap in their scope and impact, but there are no obvious metrics that all organizations can use to homogenously articulate their unique, socially focused initiatives. There is a lot of work to be done in defining these but, once actioned, more organizations will be motivated to undertake higher impact, socially focused initiatives."
If we look at the journey of social contract in its evolution to ESG, there was a stage when it was known as ‘corporate social performance’. This resulted in companies focusing almost entirely on what would give them good PR. Thankfully, this has evolved further, with many corporates and FIs thinking in terms of their values and how to articulate and implement them. Since the 1980s we have had industry leaders like Johnson and Johnson (who established values around social responsibility and placed them at the core of their functionality), Milton Hershey (who took responsibility for an entire town, employees’ health, education, civil utility, etc), and the Tata Group in India. This trend of company values becoming the core principles of organizational operating philosophy has become more prolific in recent years.
HOW CAN ORGANIZATIONS BETTER DEFINE AND IMPLEMENT SOCIAL CHANGE ACROSS BUSINESS LINES?
As mentioned earlier, the genesis of this entire conversation is the social contract. Its evolution towards ESG and the focus on quantifiability is driving the environmental and governance elements but addressing these also has meaningful social impacts. That said, if organizations truly want to focus on social elements, they need to return to the core principle of social contract, i.e., how can the organization improve the community (ecosystem) in which it operates and not be guided solely by the quantifiable and homogenously advertisable elements.
As a result, we now have entire swathes of industry becoming facilitators to enable other organizations to implement their ESG or social initiatives. Examples include Stripe, which has developed a climate solution to enable people to articulate their carbon emissions; and Lululemon, which has revamped its entire supply chain process to be more sustainable. Organizations are realizing they can make a lot of difference and are taking charge of outcomes!
TO WHAT EXTENT ARE REGULATORS FOCUSING ON THE SOCIAL ASPECT OF ESG?
There is now extensive regulation around ESG in general, and it has also been a catalyst in driving positive social change. More recently, the EU issued the Sustainable Finance Disclosure Regulations, with the UK following quickly with the Task Force on Climate-related Financial Disclosures (TCFD). The European Securities and Markets Authority (ESMA) has its own guidelines in the form of a new Sustainable Finance Roadmap; Israel has proposals for disclosures on CSR and ESG; China has introduced environmental disclosure rules; and India is exploring ESG ratings providers’ regulations. In the US, California now requires companies to disclose their carbon emissions; and the Securities and Exchange Commission (SEC) came out with new rules requiring publicly traded companies to disclose how climate change risks affect their business.
There is also regulation targeted at preventing greenwashing, with ESMA releasing guidelines and SEC changing some rules to prevent the misuse of ‘green’ nomenclature in the asset management industry.
What is apparent is that, by its very nature, regulation tends to center on aspects that are measurable and quantifiable. As a result, it is focused on demanding quantifiable elements of ESG. However, we can see that it is also driving socially focused initiatives and a desire across the industry to set homogenous terminology to articulate these.
That said, the environmental and governance elements of ESG are rather more quantifiable than the social, with metrics like carbon emissions and tangible governance actions around processes, values, and controls being broadly homogenous across industries. The social element, however, is somewhat more complicated. While there are topical issues that gain universal attention, quantification in homogenous terms of social initiatives that are targeted for each organization’s unique ecosystem is harder. All elements of E, S, and G overlap in their scope and impact, but there are no obvious metrics that all organizations can use to homogenously articulate their unique, socially focused initiatives. There is a lot of work to be done in defining these but, once actioned, more organizations will be motivated to undertake higher impact, socially focused initiatives.
There are also certain guidelines on purely social initiatives, like the European Commission’s proposal to focus on potential labor abuses, and Scope 3, which centers around firms taking ownership of their supply chain and making sure their entire source spectrum is sustainable (or working towards ensuring it is sustainable). In many ways, the ability to articulate and glean positive PR from actions is driving sustainability initiatives.
In summary, ESG regulation is ensuring these topics remain the focus of mainstream dialogue.
Social aspects, including sessions on diversity, equity, and inclusion (DEI), will be a key feature at CeFPro’s forthcoming ESG USA event (Oct 18-19, 2022, NYC).
THE TOP 3 ESG CHALLENGES FACING FINANCIAL INSTITUTIONS
Alice Kelly, Head of Content and Event Production, CeFPro
After the success of our inaugural ESG Congress in March 2022, we are now preparing for the second edition of ESG USA, taking place in New York City on October 18-19, 2022. As part of our continued drive to provide industry-led insight across our portfolio of products, the CeFPro research team has conducted an extensive study to identify the evolution of challenges and opportunities for financial institutions when considering ESG requirements. Here, we share an overview of some of the results of this research, much of which will be addressed at this autumn’s ESG USA event...
ESG CHALLENGE #1: REGULATION
Regulation remains a key area of focus. Our research specifically centered on US financial institutions, and many highlighted regulatory changes as an area driving uncertainty and potentially hindering their ESG strategy decisioning.
Some jurisdictions are relatively more advanced in issuing guidance and expectations and are moving towards more defined standards. As is frequently the case when reviewing global regulatory agendas, financial institutions face challenges in grappling with requirements across jurisdictions and divergent expectations. When developing standards, it is therefore important to leverage lessons learnt from reporting metrics in jurisdictions such as the UK and the EU to mitigate transitional risks. This is particularly pertinent for organizations operating across jurisdictions, many of which are subject to scrutiny from multiple regulators. An alignment in expectations would reduce pressure, allowing for a global taxonomy and reporting/disclosure requirements.
Aligning operations and considering interaction and exposure to European SFDR, IFRS, FASB, and the Paris Agreement remain topical discussion points, raising questions around minimum standards and how to drive business amidst such uncertainty. One area seemingly making progress, however, is the disclosure requirements expected from the SEC. Though only in the consultation phase at present, final expectations are expected to be announced later this year and organizations are preparing for what these may look like.
The changes are expected to provide requirements for disclosures relating to climate, both internally and across suppliers and vendors. Organizations are looking to develop an implementation roadmap focusing on both short- and long-term targets and goals and setting signposts towards a staged roll-out. As with many regulatory agendas, a level of interpretation is expected. However, with final rules remaining uncertain, it is unclear exactly what the future of ESG regulation looks like and how the US will align with other jurisdictions to provide a more unified approach to global change.
ESG CHALLENGE #2: DATA
The second key area of challenge regarding ESG concerns data and the implications from a potential greenwashing perspective. Given the relative immaturity of the discipline, many organizations place a heightened reliance on external data sources and suppliers. As a result, the level of reliability is not equivalent to internally sourced data, as validating it and providing assurance to mitigate against accusations of greenwashing are more challenging.
Again, aligned to the relative immaturity within the industry, the lack of standardized frameworks, methodologies, taxonomies, and ratings further drives uncertainty. However, this also provides an opportunity to enhance transparency. With data a fundamental requirement, underpinning business and decision-making processes, unreliable data or limited assurance on data impact the effectiveness of decision making. Many institutions and industries are therefore driving change by developing best practice to enhance data reliability and transferability across organizations.
Within financial services institutions, setting the tone from the top down and identifying the true value in any initiative remain a central focus. While some organizations are looking to further enhance the accuracy of external data, others are looking at building out their own internal capabilities. However, with a lack of historical data, collecting useable inputs from internal or external sources raises challenges for modeling.
As the industry matures, developing standardized metrics across the board and enhancing the reliability of data sources are key obstacles. Data remains the key challenge when it comes to effectively measuring and reporting the climate exposure and emissions of individual organizations.
ESG CHALLENGE #3: SOCIAL
Outside implementation and process challenges, another important consideration centers around the ‘S’ in ESG. Focus is often placed on environmental aspects, with social considerations being less prominent in some areas of risk. However, a heightened focus is now being placed on diversity, equity, and inclusion (DEI), which falls firmly within the ‘S’ category.
Organizations are reviewing their staffing strategies and policies both internally and externally across their vendor make-up to ensure they are incorporating diversity in all operations. With ESG becoming such a central focus, it is providing an opportunity to build a more diverse population of suppliers and introduce new processes to track diversity. Many organizations have updated their onboarding processes both to assess diversity across their current supply chain and to ensure accessibility of inclusive companies during the proposal process.
Another area that has attracted increased attention is that of modern slave labor, with the focus on ESG highlighting the criticality of better managing supply chains to eradicate this risk. Modern slave labor practices and effective due diligence remain particularly important when reviewing vendors and supply chains to ensure oversight across all external sources. Monitoring for slave labor is an ongoing process. It is no longer enough to review it during onboarding; organizations have a social responsibility to ensure that they are not contributing to it, as failure to comply with any social outlines could result in significant reputational repercussions.
As stated above, with challenges around data beginning to improve, monitoring and tracking for DEI and modern slave labor across supply chains and all interactions should become more efficient and meaningful. Developing the ability to benchmark best practice and conduct effective due diligence to identify this risk is vital to fulfilling the moral obligations of a large financial institution, meeting compliance obligations, and protecting reputation at a time when ESG requirements are becoming more mainstream and customer demands are evolving.
RESEARCH CONCLUSIONS
The findings of our research in advance of CeFPro’s second edition of ESG USA signal an evolution in the industry as organizations move towards exploring more practical ESG implementation methods. Firms are increasingly recognizing their societal and ethical obligations to be instigators of change and are moving towards developing long-term sustainability goals. As media attention increases and customer expectations evolve, maintaining ESG goals and best practice has become an area for competitive advantage. Reputation remains on the line with all aspects having potentially substantial repercussions.
Until now, much focus appears to have been more broadly on environmental and climate challenges; however, social considerations and DEI practices are becoming embedded into organizations’ decision making. There is an expectation for increased regulation as US regulators look to follow in the steps of the EU and UK, so leveraging lessons learnt across jurisdictions remains essential. In addition, disclosure requirements look to advance throughout 2022 as the SEC closes comments and releases its final standards towards the end of the year.
For greater insight on all these challenges and more, including expert opinions on the future of ESG within financial services and meeting obligations and targets, book your place at ESG USA (Oct 18-19, 2022, NYC), www.cefpro.com/esg-usa
CRUNCHING THE CRYPTO DATA
WHY FINANCIAL SERVICES CAN NO LONGER AFFORD TO IGNORE CRYPTOCURRENCY
Since cryptocurrency first came onto the scene around 13 years ago, the popularity of this peer-to-peer digital payment system has exploded, with the likes of Bitcoin, Ethereum, and Tether being joined by almost 600 alternative virtual currencies. Available to buy through exchanges such as Coinbase or Kraken, crypto is designed to be free from the oversight of authorities (such as governments) or middlemen (such as banks); the downside of this is that crypto asset investing is currently unregulated in most EU countries and the UK, giving consumers in those territories no protection. Despite this – and the sector’s notorious volatility – it continues to progress at a rapid pace, with developments such as non-fungible tokens (NFTs) and decentralized finance (DeFi) now gaining traction. With 46 million Americans (around 22% of the adult population) owning a share of Bitcoin, it’s clear that this once underground asset class is moving into the mainstream. Here’s the lowdown on one of the biggest financial trends of today…
Managing the intensifying crypto scams landscape will be one of the key topics up for discussion at CeFPro’s 5th Annual Fraud & Financial Crime Europe event, 20-21 September 2022, London. To book your place, go to: www.cefpro.com/fraud-europe
The power of Bitcoin
• 68%: Bitcoin’s share of the cryptocurrency market, as of Jan 2021 (Source: Coin Market Cap, YCHARTS)
• $1bn: Estimated profit made by Tesla as a result of its Bitcoin investment (Source: CBC)
• 900: Number of Bitcoins that are mined every day (Source: Forbes)
• 7,600%: Between May 2016-Feb 2022, a single Bitcoin’s price grew from £370 to over £28,000, a growth of around 7,600% (Source: Forbes)
• 21m: The maximum number of Bitcoins that can be issued – its maximum supply was designed to mimic the finite quantity of physical gold (Source: Bitcoin.org)
Top 10 cryptocurrencies*
1. Bitcoin
2. Ethereum
3. Tether
4. Binance Coin
5. U.S. Dollar Coin
6. Cardano
7. Solana
8. XRP
9. Terra
10. Polkadot
*Based on their market capitalization, or the total value of all coins currently in circulation, as of Feb 2022, Forbes
Crypto by country (Source: Crystal, 2021)
G20 countries contributed 38% of all cryptocurrency exchanges in 2020. Of those, the G20 countries with the most recorded cryptocurrency exchanges were:
• United Kingdom: 57 exchanges
• Singapore: 37 exchanges
• United States: 31 exchanges
• Hong Kong: 27 exchanges
• 580: Number of independent cryptocurrency exchanges worldwide (Source: CoinGecko.com)
• $2.6TR: In 2021, the total value of the crypto market more than doubled from $965 billion to an estimated $2.6 trillion (Source: Morningstar)
• 1.7BN: Number of visits made to dedicated crypto exchange websites in Q4 of 2021 (Source: SimilarWeb/Forbes)
• $800BN: Amount crypto assets lost in market value in just one month during spring 2022 (Source: Reuters)
• 119: Bitcoin uses 119 terawatt hours (TWh) of energy per year – just less than Norway (Source: The Cambridge Bitcoin Electricity Consumption Index)
• 1/3: More than a third of investors had little or no understanding of the cryptocurrency sector when they first got involved (Source: Oxford Risk)
• 2M: Number of UK adults that hold cryptocurrency (Source: Financial Conduct Authority)
OPERATIONAL RISK MANAGEMENT USA
7TH ANNUAL | OCTOBER 12-13, 2022 | NEW YORK CITY
Managing the increasingly complex operational risk environment and evolving best practices
INDEPENDENCE DAY SPECIAL FROM $599
KEY HIGHLIGHTS
RESILIENCE
Reviewing requirements for operational resilience and developing agile programs in a changing environment
QUANTIFICATION
Leveraging scenario analysis and quantification methods to better identify impact of disruption
THIRD-PARTY RISK
Enhancing control environments across supply chains and managing exposure to vendor and third-party risks
RISK APPETITE
Setting risk appetites within an organization and establishing firm-wide expectations and monitoring metrics
DATA MANAGEMENT
Leveraging data as a tool to enhance operational risk controls and tailor customer experience
BUSINESS CONTINUITY
Enhancing business continuity planning in a volatile global environment
CLIMATE RISK
Reviewing treatment of climate risks from operational risk teams and impact to business practices
TECHNOLOGY
Increasing technology capabilities to improve efficiency and develop agility in a competitive market
FINTECH RISK MANAGEMENT: KEEPING PACE WITH CHANGE
Q&A
Vivek Tyagi, Chief Risk Officer for Transaction Banking (TxB), Goldman Sachs
Omar Beer, Global Co-Head of Investment Banking Compliance, Goldman Sachs
YOU BOTH PRESENTED AT RISK AMERICAS 2022 ON A KEYNOTE ADDRESS ABOUT FINTECH RISK MANAGEMENT. WHAT ARE SOME KEY CONSIDERATIONS IN THIS AREA FOR WHICH INSTITUTIONS SHOULD PREPARE?
Vivek: From a risk perspective, the one key takeaway or piece of advice for institutions is to ensure that there is a strong culture of partnership amongst all parties across the first line of defense, the second line of defense, and the third line where possible. I say this because fintechs, by definition, move at a very quick pace. It is important to be mindful of controls while generating the right type of client solutions. The only way that works is to have a strong partnership dynamic across the teams.
Omar: One of the first considerations for fintech risk management within the context of a larger firm is to make sure that, from a risk control perspective, all bases are covered. This includes things like policies, procedures, and training. It’s also critical to remain adaptable because the fintech environment is very dynamic; therefore, as the business develops, we need to make sure that our controls are also developing.
Vivek: So, to summarize: pace, but not at the cost of controls.
WHICH KEY FINTECH AREAS DO YOU THINK WILL CHANGE FINANCIAL SERVICES OVER THE NEXT TWO TO THREE YEARS?
Vivek: At Goldman Sachs, we are using technologies that enable TxB to take a modern approach to surveillance and monitoring. We also use APIs in a way that allows for a user-friendly client onboarding experience. An example of this is our Virtual Integrated Accounts product, wherein our clients – often fintechs – can open accounts on behalf of their customers, accept deposits, and make payments in a matter of seconds after conducting appropriate KYC.
HAVING PRESENTED AT VARIOUS LIVE AND VIRTUAL CEFPRO EVENTS OVER THE LAST FEW YEARS, HOW HAVE YOU SEEN THE TOPICS AND AGENDAS EVOLVE?
Omar: As the industry has developed and changed, both on the commercial and risk control side, agenda topics have changed as well.
Vivek: In a way, the incredible amount of liquidity that central banks have put into various economies has created a lot of innovation over the last few years. Now we’re starting to see some of that change as the US Federal Reserve Bank increases its rates. Over the last few years, agenda themes around cryptocurrencies, technological enablement, and inclusivity have come to the fore – all positive developments as the world was navigating some very difficult and challenging times. It will be interesting to see where we’ll go from here as the Federal Reserve starts to raise rates. Hopefully, the focus on innovation will remain, given the inflection point in the economic cycle.
For the full review of Risk Americas 2022, turn to p16.
SPEAKERS INCLUDE
• Sabeena Liconte, Chief of Compliance, ICBC
• Preety Tulsain, Head of Third-Party Risk US/Enterprise Risk, Legal & General
• Aielleen Fajardo, Managing Director, Head of Internal Investigations, TIAA
• Sri Inta, Head of Vendor Risk Management, Commerzbank
• Michael Reidy, Head of Risk Appetite and Reporting, Société Générale
• Nick Diieso, Director, Global Head of Operational Risk – ICG Ops, Markets and Securities Services, Citi
• Chris Smigielski, Director of Model Risk Management, Arvest Bank
• Paul Clarke, Segment Director, US Operational Risk Management, TD Bank
Raise your company’s profile in front of a risk-specific audience. For details of our various sponsorship packages, contact chris.simou@cefpro.com
RISK AMERICAS
FULLY LIVE AND BACK IN BUSINESS
This May, CeFPro’s flagship convention, Risk Americas, returned for its 11th year in New York City. As the industry continues to evolve following the pandemic, the event bounced back with a completely live format, with organizers, speakers, and attendees alike delighted to reconnect with so many familiar faces, as well as meet a host of new ones.
This year, the convention was divided into four workstreams to allow the audience to custom-build their own agenda. Delegates chose between:
• Technology and innovation risk
• Operational risk and emerging trends
• Market trends and financial risk
• Interactive workstream, NEW for 2022.
The event was launched by the Former CRO of ICBC, who addressed global geopolitical trends and managing the transition as we emerge from the global pandemic. With the risk landscape evolving over the last two years and continued volatility heightening uncertainty, the audience discussed how organizations should leverage lessons learnt and quantify risks to better manage future impacts.
“Like the previous Risk Americas, the 2022 event was well organized and provided very useful information. I especially liked the CECL interactive session; the smaller setting allowed for a more open discussion.”
AVP, Balance Sheet Risk Management, Bank of China
“An informative and wonderfully managed event. It was a pleasure meeting in person – I look forward to future events and discussions.”
Chief Control Officer, HSBC
PANEL DISCUSSIONS
SPEAKERS
ADDRESSING ESG
The keynote sessions continued with a panel discussion featuring C-suite experts from Cadence Bank, Manulife, and American Express GBT addressing the buzzword of the day, ESG, and its disclosure requirements. When the audience was asked which area of ESG strategy, policy, and practice they would dedicate an extra five hours to this week, given the opportunity, 46% of attendees voted for ‘E’ (environmental aspects) – see the full result below.
If you could have an extra five hours this week dedicated to one area of ESG strategy, policy, and practice, what area would you select?
IN-PERSON NETWORKING
Before dividing into four streams for a jam-packed agenda, delegates made the most of the event’s first networking break. After such a long hiatus from interacting in person with colleagues and peers, these opportunities for face-to-face communication proved invaluable, a fact that the CeFPro event team had anticipated. In total, Risk Americas included over seven hours of networking to allow for much-missed enhanced interaction and the chance to reconnect with industry professionals.
“It was a pleasure to exhibit and attend in 2022.”
Enterprise Sales Manager, Onspring
4 STREAMS
“A great event filled with cutting edge topics.”
Unit Chief, Environmental and Social Risk Management, Inter-American Development Bank
ALL-NEW INTERACTIVE SESSIONS
A new feature for 2022 was the interactive stream, which addressed topics including advanced technology, cryptocurrency, and CECL. Lasting up to two hours, each closed-door session comprised a maximum of 25 people to ensure optimal interaction between speakers and attendees, with the Chatham House Rule enabling a frank and enlightening deep dive into each topic.
Day one concluded with a highly popular networking drinks reception, before moving onto a second day which mirrored the same format. With discussions advancing further to provide attendees with a well-rounded update on their specific areas of expertise, as well as new and emerging trends, Risk Americas 2022 delivered a fully formed offering of industry insight, expert opinion, lively debate, and in-person interaction.
EVENT REVIEW
11TH ANNUAL | MAY 10-11, 2022 | NEW YORK CITY
• Environment: 46%
• Social: 12%
• Governance: 4%
• All, give me a holistic approach: 38%
100+
20
300+
60 PRESENTATIONS
ATTENDEES
“A spectacular event!” CEO, Kamakura Corp.
VP, Financial Crime Compliance Monitoring & Testing Manager, SMBC
“The conference management and organization were amazing. Thank you for bringing industry professionals together again!”
“Class organization, running a class event. Always proud to work with CeFPro.”
VP, Vendor Management, Nordea Bank, NY Branch
EVENT REVIEW
VENDOR & THIRD PARTY RISK USA
7TH ANNUAL | JUNE 1-2, 2022 | NEW YORK CITY
NAVIGATING A CHANGING RISK LANDSCAPE
As part of CeFPro’s official return to live events, this June saw us welcome delegates to Vendor & Third-Party Risk USA, with its European sister event taking place in London later the same month. The two-day conference brought together diverse groups of experts to discuss the current trends and challenges in a volatile and fast-changing environment. As an industry, financial services – like many others – has had to respond quickly throughout the global pandemic and subsequent geopolitical hurdles, with supply chain disruptions once again bringing vendor and third-party risk to the forefront of many risk professionals’ minds. This event presented the perfect opportunity to discuss how the industry has navigated these challenging scenarios and identified new best practices with which to move forward successfully. Here, we provide an overview of the key takeaways from across the two days...
GLOBAL REGULATIONS
Day one began with an overview of the current regulatory environment and where the industry anticipates global regulation heading next. With the Federal Reserve and the OCC finalizing their latest requirements and the Bank of England introducing changes to treatment of critical third parties, alignment of global agendas was top of mind, though viewed as an unlikely outcome, given disparities in views globally.
There can be no doubt that the pandemic has greatly impacted everyday working practices, both within financial institutions and across vendor and supplier companies. The panel, formed of experts from State Street, Moody’s Analytics, USAA, and State of Flux, concluded that the future of regulation remains uncertain, with expectations of enhanced scrutiny and tightened requirements in the face of continued changes to working practices.
RECOGNIZING RESILIENCE
Another area receiving attention throughout the day was that of resilience. Unsurprisingly, the pandemic has shone a spotlight on firms’ ability to remain resilient, with many organizations now considering various scenarios, re-evaluating response plans, and integrating processes for a holistic view. Event partner Aravo provided an insightful presentation on developing a business case for an integrated approach to third-party risk management, highlighting the importance of communicating value to senior management.
COPING WITH COVID CHANGES
The agenda would not have been complete without a discussion directly addressing Covid-19, lessons learnt, and changes to working environments. Pre-pandemic, many organizations operated within a secure office environment with tight controls to manage exposure to risks. When staff were suddenly forced to work from home, many controls had to rapidly evolve. Now, as the pandemic appears to be subsiding, organizations are looking ahead at longer term practices, with many adopting a hybrid approach comprising workforces in an office environment on a part-time basis only.
The Covid-19 panel discussion then assessed the changes experienced by different types of organizations and where these have had a positive impact. Although challenges have arisen internally from a controls perspective with a work from home or hybrid model, it has also proved challenging to manage controls across suppliers with remote workforces. Contracts have had to be reviewed to ensure that SLAs are being met, and that security and privacy requirements are being adhered to. In the longer term, organizations are reviewing best practice for change management and due diligence requirements with a homeworking model.
EVALUATING ESG
Another key discussion point during day one was ESG, the ubiquitous buzzword of the moment. Representatives from Nordea Bank, EY, Riskonnect, and Wells Fargo debated how to incorporate ESG into third-party risk practices and develop metrics and scoring criteria to ensure compliance. The panel also discussed the overlap between ESG and reputational risk and reviewed organizational structures regarding where ESG sits within an organization. It is clear that organizations must look to better monitor and manage ESG risks across vendors, third parties, and suppliers; with heightened headline risk, it has become the number one talking point within financial services today.
Certa followed the panel discussion and narrowed the focus to the ‘S’ within ESG. Their Chief Customer Success Officer outlined the demand for incorporating diversity, equity, and inclusion (DEI) into risk processes and the importance of reviewing DEI at onboarding level and beyond. The panel then discussed approaches to measuring diversity and obtaining suppliers’ diversity plans and spends.
The first day concluded with a shift in focus towards strategic sourcing from Archer, who provided an overview on managing strategic sourcing within a TPRM framework and the benefits of developing a holistic view. Closely aligned with ESG discussions, the sessions investigated strategies to identify vendors that fit a firm’s ESG agenda; concentration risk and techniques to identify concentration early in the process; and gaining senior management buy-in. A lively drinks reception rounded off the day with attendees, event partners, and speakers alike making the most of the opportunity for in-person networking. The valuable interaction outside of the auditorium reconnected an industry that has largely only seen each other through screens for the best part of two years.
CYBER FOCUS
Day two opened with a panel discussion on cyber risk and a heightened focus on technology, setting the tone for the rest of the day.
The panel explored the current cyber threat landscape and mitigation tactics to limit vulnerabilities, reviewing ongoing monitoring programs and approaches to maximize effectiveness. They also shared best practice for identifying direct and indirect contact across suppliers and outsourced companies, to better facilitate oversight and effective management.
The agenda then moved towards fourth to nth party risk, led by a representative from Scotiabank who ran an interactive session featuring polls and an extensive Q&A. Attracting over 20 audience questions, the key discussion points emerged as:
• Vendor disclosure vs. technology to identify fourth parties.
• Regulatory expectations for management of fourth parties.
• Managing data stored at vendor data centers.
• Tools and controls to limit vendor outsourcing without notification.
• Supply chain oversight.
• Critical third and fourth parties.
• Risk ranking fourth parties.
FINTECH MANAGEMENT
This was followed by NContracts, on the topic of strategic partnerships and the opportunity to leverage fintech as a tool to drive strategic goals whilst maximizing flexibility as an organization. The difference in corporate culture between financial institutions and fintech companies can be substantial, with differing mindsets and expectations. Managing corporate language barriers also remains a challenge.
Discussions then took a deep dive into fintech and the management of fintech organizations as a third party. Representatives from Bradley Arant Boult shared their perspective on the treatment of fintechs as a third party, addressing the regulatory gap between financial services and fintech companies before reviewing contractual considerations and changes in treatment from a third party to acquisition scenario.
Finally, Snap Finance and the Former ICBC CRO led an interactive session reviewing best practice for a long-term partnership with a fintech organization. Poll results revealed that over half of the audience believe fintechs have less regulatory and compliance oversight, with 60% of attendees planning a digital banking partnership over the next 12 months.
WHAT LEVEL OF REGULATORY AND COMPLIANCE OVERSIGHT DO YOU FEEL FINTECHS HAVE COMPARED TO YOUR ORGANIZATION?
• More oversight: 4%
• About the same: 21%
• Less oversight: 54%
• Wait, fintechs have oversight programs?: 21%
WHAT TYPE OF FINTECH PARTNERSHIP IS YOUR ORGANIZATION LOOKING TO ADD WITHIN THE NEXT 12 MONTHS?
• Digital banking: 59%
• Lending: 6%
• Payments: 12%
• Financial planning: 0%
• Other: 24%
The next events in our series of specialist third-party conferences are Third Party Risk Management USA: Cross Industry, taking place in Atlanta on November 8-9, 2022; and Vendor and Third Party Risk Europe, 15-16 November, 2022, London. For the full agendas or to book your place, go to www.cefpro.com/tprm-usa or www.cefpro.com/vendor-risk.
NEW FOR 2022: CUSTOMER EXPERIENCE & DIGITAL BANKING
JOIN US FOR THE INAUGURAL CUSTOMER EXPERIENCE & DIGITAL BANKING SUMMIT ON NOVEMBER 1-2, 2022, IN NEW YORK CITY
As customer expectations and working environments keep evolving, so the move towards digitalization continues apace. Hear from industry experts on their varying approaches to digital banking and how they see expectations changing, alongside best practices to enhance the customer experience across a range of platforms.
COMING SOON! THIRD PARTY RISK MANAGEMENT USA: CROSS INDUSTRY
Taking place as a live event for the first time in Atlanta on November 8-9, 2022, Third Party Risk Management USA will bring together hundreds of professionals to share practical insight from a cross section of industries.
Expect a multitude of engaging presentations, panel discussions, and Q&As covering key topics addressing cross-sectoral trends and challenges concerning third-party risk, supply chains, and technology, including:
• Global trends
• Vendor management
• Cybersecurity
• Ethical supply chain
Delegates can not only enhance their knowledge during the event itself but will also receive access to our exclusive post-event website featuring approved presentations and videos to assist with ongoing professional development. And with over seven hours of opportunities across the two days to meet with like-minded professionals – including our popular drinks reception – this event is also a perfect chance to network.
REGISTER TODAY AND SAVE $$$ WITH OUR SPECIAL PRE-AGENDA REGISTRATION RATE OF $599!
PRE-ORDER YOUR COPY OF NFR LEADERS 2022
Following an extensive research project conducted by CeFPro’s research team involving over 700 of the most knowledgeable experts across a variety of sectors, the results are in for the top non-financial risk of the year…
In 2021, the industry voted operational resilience as its NFR Leader, with technology/IT risk and cyber risk coming in at #2 and #3. How have the votes changed in 2022? Be among the first to know by pre-ordering your copy of the report today, set to launch later this summer.
Gain unparalleled insight into:
• Top 10 non-financial and operational risks
• Key investment priorities
• Specific non-financial and operational challenges and opportunities
• And much more
WEBINAR: PREVENT SOCIAL ENGINEERING FRAUD FOR MOBILE BANKING APPS
There has been a significant increase in malicious activity targeting mobile banking vulnerabilities since the onset of Covid-19, with months of lockdowns triggering a surge of activity. In CeFPro’s upcoming webinar, held in partnership with Nethone, two leading industry experts will share their insights on mobile banking app fraud, the effects of social engineering, and how to protect your financial institution, including:
• Tools to prevent fraud in mobile apps
• Similarities and differences between mobile apps and desktop
• Fraudsters’ techniques
• The effects of social engineering
SPEAKERS
• Phil Bonhard, Head of Customer Experience – Fraud & Security, Lloyds Banking Group
• Maciej Jamiołkowski, Business Development Lead, Nethone
ESG STATE OF PLAY
BANKS’ COMPLIANCE AND AUTOMATED REPORTING TRENDS
Following an extensive research project to better understand the state of play of ESG across financial services, the Center for Financial Professionals, in partnership with Workiva, has released a new report. Aiming to provide a benchmark for financial institutions regarding the progress and development of automation, reporting, data, and investment decision making, here we provide a snapshot of the report's key findings, taken from our research with more than 130 industry professionals.
GOVERNANCE TAKES THE LEAD
Given the heightened focus and increased headline risk associated with many environmental aspects, it was initially surprising to learn that the ‘E’ in ESG did not dominate the responses in terms of priority and focus across all practices. Instead, industry experts explained that good governance is a fundamental aspect that underpins all others. Without good governance to provide the foundation for environmental and social initiatives, much of a company’s work around ESG could be in vain.
ACCORDING TO WORKIVA…
We live in a material world. Financial institutions can no longer simply brand themselves as supporting ESG standards; they need to rethink how their operations align with them to stay valid in a discerning market. Compelling results reveal an overarching theme: identifying, procuring, and synthesizing data remain key hurdles in integrating ESG standards into firms’ operations. The apparent lack of data and supporting regulatory standardization is stalling most financial institutions’ use of ESG-related information to drive broader strategic decisions.
As the ESG agenda matures, technology modernization to support finance transformation and the preparation of trusted data for a broadened stakeholder group should continue to be a priority for financial organizations that want to keep pace with the flux of change.
ASSESSING AUTOMATION
When assessing the primary technology used to support ESG reporting, 36% of respondents opted for desktop tools. This was a source of confusion when reviewed in the context of the previous question, where IT systems and processes were highly rated. Desktop tools were not typically seen as automated or advanced; this therefore seems to have created a level of uncertainty regarding how automated a system can truly be when it relies so heavily upon desktop tools.
A WORD FROM THE INDUSTRY...
GREATEST CYBER AND TECHNOLOGY THREATS
With technology continuing to evolve at a rapid pace, financial services firms must regularly review their plans to mitigate the risk and potential fallout of a cyberattack. But with the landscape constantly shifting, it can be difficult to anticipate from where the next threat may come. At CeFPro’s recent Vendor & Third Party Risk Europe event, which took place this June in London, we quizzed some of the industry’s leading figures on what they believe represent the greatest cyber and technology threats on the horizon…
Ian Burgess Director, Cyber and Third Party Risk
UK Finance
Ransomware continues to be a significant threat. Aligned to that, issues around the cyber insurance market, and whether cyber insurance products are fit for purpose, are also a concern. From a technology perspective, the biggest risk is potential fragmentation coming from increased legislation and regulation, prompting technology providers to provide localized services, which could reduce the resilience they offer to firms.
Jon O’Brien
Managing Director, Consulting
Crossword CyberSecurity
The biggest cyber threat on the horizon is the increasing malicious misuse of legitimate credentials. There is no longer such a dependency on malicious actors getting malware onto your device; what they want to do is get hold of your credentials and misuse them to compromise your accounts.
Desmond Campbell
Programme Lead – TPRM/BRM Consultant
With an increase in vendors in the market holding data on various organizations, we sometimes lose track of our goal, which is to capture data properly and know where it is being stored. This means ensuring that not only is it being stored correctly but knowing who is in that supply chain handling our data. Is a third party going to store the information, or is it their fourth or nth level parties? What is the impact further down the chain? And is there appropriate resilience in the chain to ensure that data doesn’t go missing or is leaked elsewhere?
Alex Dorlandt
Head of Risk & Policy
Lloyds Banking Group
Firms operate in a world where cyber and technology threats are a growing reality, and should be considered in everything we do, both internally and through the supply chain.
The challenge lies in responding proportionately to the threats. Firms need to protect against these threats with appropriate security and business continuity measures, but in a way that doesn’t hamper business development. This means that all organizations must balance their controls to meet their internal risk appetite, providing scope for businesses to deliver on their strategy.
Will Gray
Field Sales Director
SecurityScorecard
Ransomware threats are continuing to increase, as it appears that malicious actors are very keen to share successful tactics and ransomware has certainly been a successful threat vector over the last few years. Large ransoms are being paid, so I can only see that continuing to grow.
Ayesha James
Group Third Party Risk Steward & Europe Head of Operational & Resilience Risk
HSBC
What we have learnt over the last three years is that there are always new, emerging threats. We therefore need to ensure that we build our data and systems architecture in such a way that will allow us to pose, interrogate, and answer questions that we haven’t seen previously.
Thibault Lapédagne
Cybersecurity Research Director
CyberVadis
The biggest failures and greatest attacks are happening through the supply chain. This means we must be aware of how extended our information system is. If one vulnerability gets published, you are potentially exposed by all your vendors. Therefore, we must understand how to remediate internally, and consider how vendors are tackling the issue.
Managing the increasingly complex operational risk landscape will be a key theme at CeFPro's upcoming Operational Risk Management USA Congress (Oct 12-13, 2022, NYC).
See p14 for full details or register your attendance here
ESG STATE OF PLAY: BANKS’ COMPLIANCE AND AUTOMATED REPORTING TRENDS
ESTABLISHING WHERE THE INDUSTRY STANDS WITH ESG REPORTING AND BENCHMARKING TECHNOLOGY CAPABILITIES WITH THE INFLUX OF ESG CHANGES
MAY 2022
TALKING HEADS REPORT SUMMARY
EVENTS CALENDAR 2022
US EVENTS
Now in its 7th edition, Operational Risk Management USA will consider how to manage the increasingly complex operational risk environment and assess evolving best practices. Topics on the agenda include quantification, resilience, RCSA, data privacy, model risk, and more. See p14 for full details.
Addressing the industry’s hottest topic of the moment, ESG USA aims to advance best practice to effectively manage evolving ESG agendas across financial services. Issues under scrutiny will be climate stress testing, regulation, DEI, greenwashing, and many more.
The inaugural Customer Experience & Digital Banking Summit will bring together industry leaders to review the evolution of customer expectations and digitalization opportunities. See p20 for more details.
Taking place as a live event for the first time, Third Party Risk Management USA will cover key cross-sectoral trends and challenges including vendor management, cybersecurity, and ethical supply chains. See p20 for full details.
EUROPEAN EVENTS
Managing the evolution of fraud and financial crimes and effective mitigation techniques, this 5th annual event will cover key topics including scams, greenwashing, sanctions, crypto, money laundering, and more.
Now in its 8th edition, this two-day event will deep dive into areas such as regulation, cyber risk, exit planning, onboarding, ESG, and fourth parties.
For more information, including agenda, speakers, location, and registration, visit www.cefpro.com/forthcoming-events/
SEPT 20-21: FRAUD & FINANCIAL CRIME EUROPE, LONDON
OCT 12-13: OPERATIONAL RISK MANAGEMENT USA, NEW YORK CITY
OCT 18-19: ESG USA, NEW YORK CITY
NOV 1-2: CUSTOMER EXPERIENCE & DIGITAL BANKING USA, NEW YORK CITY
NOV 8-9: THIRD PARTY RISK MANAGEMENT USA, ATLANTA
NOV 15-16: VENDOR & THIRD PARTY RISK EUROPE, LONDON