
Yahya Mohamed Mao, Head Business Development & Marketing at Swiss GRC AG, welcomes the audience, speakers and event partners to the 5th SWISS GRC DAY. He promises them an interesting journey through exciting topics in the field of governance, risk management and compliance and looks forward to interesting presentations and stimulating discussions during the break and over drinks.

“Are you Ransom ready?”, asks Tom Schmidt, Partner at Ernst & Young AG, EMEIA FSO Cybersecurity Competency Leader & Switzerland FSO Cybersecurity Leader. He describes current cyber threats and future challenges, and what companies need to prepare for and how.
Ransomware is the focus of his presentation. In this form of cyber attack, cyber criminals encrypt data and servers. As part of double extortion, they demand money not only for decryption, but also for not publishing the captured data in a way that attracts media attention. The “industry”, which has now formed actual cyber syndicates and operates in a large network, generated around 20 billion US dollars in 2020 alone (compared to around 11 billion in 2019). Ransomware is therefore a highly lucrative business, and this is one of the reasons for the rapid rise in these cyberattacks. Tom Schmidt walks through the different steps of a ransomware attack and shows how companies can arm themselves against it.

Dr. Susanna Lüthi-Walter, Chief Risk Officer ZRe, Zurich Insurance Company, and Eva Severa-Züger, Chief Compliance Officer ZRe, Zurich Insurance Company, present the building blocks, challenges and success factors in setting up a holistic ICS from a risk and compliance perspective.
While the scope of an internal control system (ICS) has traditionally focused on financial reporting, the increasing importance of monitoring systems in today’s environment is leading to a holistic view of the ICS. The speakers shed light on this trend and describe a holistic ICS as an integral part of company-wide risk management: one that maps all significant operational and financial company risks and also incorporates compliance risks. From the speakers’ point of view, this requires a pragmatic approach, an integrative ICS strategy (including implementation planning), coordinated instruments and tools and, very importantly, sufficient resources and strong involvement of the first line.

Dr. iur. Jean-Pierre Méan, lawyer and former board member of Transparency International Switzerland, shares his experience of compliance management and shows how an integral compliance culture can help remedy compliance and integrity risks.
A holistic approach is also the focus of this presentation, and it proves its worth when it comes to the complex topic of compliance. The very fact that compliance is part of the ISO Governance family of standards shows its close links to governance, anti-corruption, whistleblowing, etc. The anti-corruption standard serves as an example of how a compliance culture can be implemented, what needs to be taken into account and where the standard is most helpful. In any case, the commitment of top management is crucial to the success of a company’s compliance culture. It goes without saying that there is still room for improvement when it comes to compliance; Dr. Méan sees it, among other things, in the role and positioning of the compliance officer, in conflicts of interest and in compliance for SMEs.

Tolga Ece, Head of the Risk and Insurance Management Competence Center of the City of Zurich, presents the City of Zurich’s opportunity and risk management and its comprehensive approach to better decision-making, as a practical report on the success factors.
The City of Zurich has had risk and insurance regulations in place since 2011. As a result, risk management has become widespread, but a common system and a consolidated view were lacking. The CHARM project (short for opportunity and risk management), which aims to identify and manage opportunities as well as risks, is intended to change this. The goal is a comprehensive opportunity and risk policy that will, for example, ensure the performance and functionality of the city administration, which has almost 30,000 employees, and promote awareness of opportunities and risks among employees. Tolga Ece describes the specific procedure in the project (workshops, bottom-up), names success factors (simple approach, clear boundaries) and stumbling blocks (risk consolidation and quantification), and outlines steps for further development (early warning indicators, cross-cutting risks).

Angela Hunziker, Head of Corporate Risk Management, SBB CFF FFS, shows what integrated assurance looks like in practice and the challenges of cooperation between different assurance functions.
Assurance is understood as the entirety of the existing monitoring and control functions in a company, while combined assurance is the coordinated and integrated cooperation of all functions that are directly or indirectly related to risk and can contribute to improving the governance structure. Angela Hunziker shows approaches connected with integrated assurance (ISO 37000, the IIA’s three lines model) and names favourable framework conditions as well as current obstacles. In the second part of her presentation, she takes a practical look at integrated assurance (IA) at SBB by outlining the company’s corporate objectives, the organizational embedding of IA and the cooperation between functions. Finally, she shows where SBB stands in terms of the regular exchange of information, joint processing of topics, coordinated processes, a consistent tool landscape and a holistic management system, and where there is potential for improvement.

René Schüttel, Risk Manager, fedpol, explains current and new (intelligent) approaches to situation and risk assessment and poses the question “What is the future, and what is already reality?”.
New technologies open up new opportunities, but also bring new (digital) risks that need to be managed. The changes to risk management (RM) in the age of digitalization are explained using a graphic. In addition, the results of a survey conducted in 2018 provide indications of changes expected in the short term (e.g. an increasing degree of automation, improved data processing) and in the long term (e.g. increasing use of big data and AI, a growing threat of cyberattacks). These changes mean that strategic and business considerations must be made in connection with RM, as well as operational and procedural ones; management and leadership considerations are also an issue. There is no lack of concrete approaches for the further digital development of fedpol’s risk management. Risk quantification and an early warning system are just two of them.