Reporting and Governance

The requirements surrounding robust ESG alignment and disclosure are tightening, and firms must be prepared. Financial services firms have always had to measure and evaluate risk, but their key areas of focus may need to evolve significantly during 2023. By Mark Turner, managing director, financial services compliance and regulation at Kroll.

Regulated financial services firms will be under even greater scrutiny to ensure that the companies that provide critical services to them constantly test their resilience.

Not only that, they will need to test their own ESG-related claims to make sure that any pledges they have made have been – or are being – met, and that their entire supply chain also meets the high standards that the global finance industry now requires. For ESG-related matters, huge reputational and financial risks may crystallise when things unravel.

These different but related challenges are extremely broad, but in the context of risk management, many firms have seen good progress in taking stock, considering the cultural imperative for them to act in a sustainable and ethical manner.

Evolving legislation

The UK’s regulators have become increasingly interested in the so-called ‘critical third parties’ that many financial services firms rely on. Firms are working with external providers for various services, including cloud-based computing, and although these bring a plethora of benefits, they can also create regulatory risks.

The UK’s Prudential Regulation Authority, alongside the Financial Conduct Authority, might not have direct regulatory oversight over organisations that provide key operational cloud services to major financial firms, but they are likely to be granted oversight powers nonetheless.

The Financial Services and Markets Bill, due a second reading in parliament on January 10, sets out a proposed statutory framework for the management of systemic risks posed by the firms that provide critical services to the financial services industry such as IT solutions, disaster recovery, and so on.

It outlines how it would assess and strengthen the resilience of services provided by such third parties “thereby reducing the risk of systemic disruption”, in the Bank of England’s words.

As financial services firms become more digitised, and more reliant on data, the need to prove operational resilience grows and, in many cases, becomes more complicated.

This includes financial services firms knowing what strategies their suppliers have in place in case of outages. This will require increased due diligence as suppliers are onboarded, and more intrusive oversight on an ongoing basis.

During the summer of 2022, a major data centre in London suffered a significant outage due to the unprecedented high temperatures. Firms that use such services must ensure that there are arrangements and protocols in place for such scenarios and cannot simply assume that their suppliers are responsible for meeting the terms through service level agreements.

High scrutiny

This depth of awareness about the companies that financial services firms use in their supply chains is an area of interest to regulators around the globe.

In Germany, for example, the new Lieferkettensorgfaltspflichtengesetz (Supply Chain Due Diligence Act) kicked in on January 1, 2023, and will cover all firms with either a head office, main branch or statutory seat in Germany.

Initially, the law will only apply to firms with more than 3000 employees, but this will be extended to those firms with more than 1000 employees in 2024.

That means that business leaders need to be fully aware of the companies that are in their supply chains and be confident that any claims they make about practices to keep modern slavery out of supply chains, cutting emissions or using sustainable materials are verifiable.

Risk oversight arrangements need to be tailored to the needs of each individual business, but the sheer scale of the task can at first appear a major barrier to progress.

Understanding the supply chain involves careful gathering, organisation and management of an often massive amount of data.

This issue is clearly already on the minds of the C-suite in most organisations. Kroll’s 2022 Anti-Bribery and Corruption Report revealed that nearly half of respondents had boosted their anti-bribery and corruption programmes with greater consideration for all the key aspects of each letter of the ESG acronym. The risks of fraudulent or incomplete information in the supply chain have grown significantly and will continue to do so in 2023.

In grasping this huge task, some firms are starting to harness the power of artificial intelligence to assist them. Beyond this, formal confirmation of compliance from accredited boards, data validated by third parties and performing due diligence should be standard practice for everyone, as the cost to a firm’s reputation of using a rogue or negligent supplier could be high.

Self-assessment vital

Executives must ensure that any ESG-related claims they have made in the past have either been achieved or are proactively being pursued. There will be cases of bold statements coming back to haunt firms that have not thoroughly substantiated them. This is why annual disclosures and regulations are set up to help firms remain committed to their goals and support them where needed.

The evolution of sustainable and ethical expectations from multiple stakeholders now requires firms to consider whether they, and their suppliers, have self-assessment mechanisms in place to facilitate the identification, mitigation and management of risk.

It is also imperative that any progress – and especially a lack of it – is monitored so that management is aware of any areas of their ESG strategy which are flourishing and those that may require greater input. This will continue to move up board agendas in 2023.

The UK’s Companies Regulations 2022 (Climate-related financial disclosures for companies and limited liability partnerships) and the matching rules for Limited Liability Partnerships that came into force in April this year are further examples of ESG-related legislation intensifying.

The global evolution of ESG expectations means that firms have to be vigilant about how external parties are supporting their operations but also how their wider business strategies align with their overall ESG commitments. Risk managers have a vital role to play, and are arguably the best-placed to support, check and challenge as firms navigate this changing landscape.
