Risk & Resilience

The Hong Kong Monetary Authority (HKMA) has released its Annual and Sustainability Reports, showcasing how the city’s financial sector is not only navigating the complexities of a changing global economy but also positioning itself at the forefront of green finance and innovation. Through a year of strategic initiatives, the HKMA has embraced resilience in the face of economic volatility and shown a steadfast commitment to sustainable growth, ensuring that Hong Kong’s financial ecosystem remains robust and adaptable.

Cybersecurity is no longer just an IT problem, it’s a business problem. And yet, despite all the headlines and constant warnings, a concerning gap remains between the leaders of organizations and the people tasked with defending them from cyber threats. New research from Ernst & Young LLP (EY) has uncovered this alarming disconnect, revealing how the divide between C-suite executives and Chief Information Security Officers (CISOs) is putting organizations at risk.

Over the years, the term Integrated Risk Management (IRM) has increasingly become a focal point in discussions around governance, risk management, and compliance (GRC). While IRM gained limited traction in some circles, it’s important to remember that the concept of GRC is deeply rooted in a decades-long evolution, beginning with early work in risk management, compliance, and IT security. To understand where IRM fits, it's crucial to first understand how GRC came to be and why it continues to play a central role in managing risk and uncertainty to organizational objectives while ensuring integrity in organizations today.

Europe has been quietly re-engineering the rules of resilience. A few years ago, the Critical Entities Resilience Directive (CER) officially entered into force, marking a watershed moment for how the EU approaches the safeguarding of essential services across borders and sectors.

The UK government’s plan to modernize its cyber defenses isn’t just another legislative checkbox. It’s a pointed response to a threat that’s evolving faster than policy typically can. With ransomware attacks delaying over 11,000 NHS appointments last year and state-sponsored actors regularly probing UK infrastructure, the forthcoming Cyber Security and Resilience Bill is just trying to catch up.

The European Supervisory Authorities (ESAs) have released their 2024 annual report, offering a detailed overview of their work across key areas of financial regulation, from joint risk assessments to sustainable finance and digital resilience. Throughout 2024, the ESAs’ Joint Committee (JC) focused on assessing cross-sectoral risks to financial stability, producing two significant reports, one in Spring and another in Autumn.

In this article, Norman Marks inspects the concept of "risk appetite," challenging its validity and questioning its role in decision-making. Drawing from personal experiences and real-world examples, Marks argues that the traditional approach to defining and managing risk is overly simplistic and fails to capture the complexity of real-world risk. He critiques the common practice of quantifying risk as a single number and suggests that a more dynamic, objective-driven approach is needed. Rather than focusing on a static "risk appetite," Marks proposes that organizations should consider the likelihood of achieving their objectives, using risk as a factor in the decision-making process.