Blogs
Our European GRC Summit Roadshows and the Instagram of Risk
- Artificial Intelligence
- 02 November 21
4 min read
Introduction
Talk about roundtrips…. In-the same week of a very successful 2021 GRC virtual summit on the 19 and 20 of October, where MetricStream had over 2500 customers, prospects, and partners registered to learn, participate, and share their experiences around GRC, IRM, and everything in-between, we decided to host three physical summits based in London, Copenhagen, and Zurich to continue the conversations with our community.
All three locations had a boardroom style setting dedicated to a round table discussion. The aim was simple, we would listen to what our community had on their mind. It was an opportunity to find common synergies, lead round table discussions, and network with senior risk professionals that are paving the way in this industry.
With representation from risk, compliance, audit and IT Cyber, the discussions were captivating, and the commentary was electric.
London Calling
The first of the events started off in London, and we had a great mix of customers, partners, and prospects around the table.
Our CEO, Bruce Dahlgren introduced the session, and it was an engaging group that shared their thoughts and concerns around the current themes and trends.
Alongside the presentations, our partners gave a short speech on the success of collaborating with MetricStream to provide business benefits for our risk community. What followed was an insightful roundtable discussion that covered risk quantification, cyber security, and the need for organizations to lead with purpose.
It did not take long for ESG to make an appearance and quite rightly so, with COP26 on the agenda and the link to compliance, organizations that have a purpose and are aligning to social governance, diversity, and climate change are setting a precedent. MetricStream recently launched the ESGRC product, which enables organizations to define and manage ESG standards, frameworks, and disclosure requirements. There was a lot of excitement on this in the room.
Emerging risks and third-party risks were explored in detail. With recent supply chain disruptions, it became even more apparent how peripheral risks had to be managed.
Dinner followed, and the conversations (like the wine) continued flowing. It was delightful to see customers connecting with customers. It was evident that they all thrive in this environment and that it was clearly something they had sorely missed over the last 20 months.
Cycling through Denmark
We settled in for another topical roundtable discussion, where the thoughts and real-life examples of how technology is an enabler in the GRC space were deliberated. In some instances, the dialogue went back and forth. One example of this was that the concern organizations face with risk was not always a technology one, but more of a transformational project that the organization needed to resolve. Accompanying this, was the remark that there are inconsistencies in risk terminologies across the industries, which fuels part of the problem. It was also surprising (to me) to learn that there were still so many organizations using spreadsheets to manage their risk. This was their default way to identify, monitor, and track risks, even though they knew it was not sustainable, efficient, or scalable.
The need for AI and ML to automate risk attributes was the next topical point. The comment was made that AI techniques recognize pattens and trends to help alleviate the pain, time, and missing information that humans cannot always detect, but how do you know that AI is doing the right thing. This conversation continued into the evening, accompanied by food and drinks.
High-End Shopping in Zurich
And finally, concluding the week in Zurich, we had another full house with an engaging group that deliberated on how they can start a community of risk or as was suggested, the “Instagram of risk”. There were discussions around risk culture, accountability, accurate data, and mindset. Some customers admitted that it was quite possible to get lost in the data and what they require is speed, agility, and most of all simplicity. A comment was made that you could spend all your time managing documents and not the risk. Another referenced that as change management sits in all departments including HR and legal it can be a challenge to bring it all together for larger organizations. Crypto also made it in the discussion, with a notable mention that new risks have no historical data to base it on.
Visibility and accountability were front of mind in the discussions, and a common theme that was mentioned was on reporting risks up to the board of directors and the role of the board in risk governance.
MetricStream presented 5 current trends that we are observing in the industry and 5 innovation themes that we are leading the way with (API, AI, Adoption, Agility & Analytics).
By bridging the gap and driving value for the community, MetricStream has a purpose to continue to add value and innovate alongside our community. We want the community to thrive on risk and reap the rewards of being on a GRC journey that like a good bottle of wine gets better with age.
Until the next summit.
Jump to Topic
Related Resources
Blogs
Staying Remote, Yet Relevant: Essentials of a Value-Based Audit During Pandemic
- Audit Management
- 13 July 21
4 min read
Introduction
The COVID-19 pandemic is a major crisis affecting every organization across every sector. To adapt to the new operational environment brought about by the outbreak, organizations worldwide increasingly switched to a digital-first business model and adjusted their business functions, including internal audit, to remote setup in 2020. With various pockets around the world still in the clutches of the coronavirus and its deadlier variants, remote auditing seems to be the norm this year as well for a number of organizations.
Remote auditing is not new—organizations, particularly those with global operations, have been using this audit method for years now. However, the pandemic has made the pivot towards remote auditing an absolute necessity for almost all organizations, regardless of their size and global footprint.
According to the International Organization for Standardization (ISO), the value of remote auditing “resides in its potential to provide flexibility to achieving the audit objectives. In order to realize the benefits of this audit method, all interested parties should be aware of their role in the process, inputs, expected outputs, and risks and opportunities that will provide the basis to achieve the audit and audit program objectives.”
How to Scope a Value-Driven Remote Audit
Broadly speaking, the audit lifecycle remains the same whether conducted on-premises or remotely. And, organizations have to ensure that their IA function is agile, relevant, and effective. MetricStream’s State of Internal Audit Survey Report 2021 highlighted the dire need to revamp the IA function at most organizations – 60% of the respondents said that their organization doesn’t yet follow an agile approach to internal auditing, while 80% of auditors still use office productivity software or point solutions despite the limitations of these tools.
That said, there are certain key considerations to ensure the effectiveness of the remote auditing approach in today’s digitized and fast-paced world:
- Devising a Comprehensive Remote Audit Plan
A well-planned strategy is the first step in developing a successful remote auditing program. It is important that the plan is aligned with the strategic goals and the current business environment and circumstances. In this post-COVID era, for instance, remote working, macroeconomic shifts, and structural changes have heightened existing risks and created new ones in areas such as supply chain, remote supervision and training, cybersecurity, and many more. Internal auditors, therefore, must refocus on areas they may not have considered as high risk before or risks they may not have considered at all.
In addition, implementing a rapid assurance model should be included in the plan. By breaking down the audit cycle into shorter segments or cycles with compressed timelines for reviews, insights, and action, this approach can help provide real-time assurance and instill more agility into an organizations’ working models. This will also help facilitate a more risk-based approach to auditing.
- Communicating the Plan
Effective communication is critical for ensuring that the remote auditing approach yields the desired results. The best practice is to organize a kick-off meeting with all relevant stakeholders to explain the scope and the strategy – the timelines of the process, how the information will be collected, tools used, etc. This is critical to ensure that the auditees are aligned with the overall plan.
In addition to the kick-off meeting, remote auditors must also schedule additional engagements for discussing issues and status updates, reviewing the audit report, etc. For remote interviews, the meetings must be scheduled well in advance to ensure the availability of the auditees.
- Leveraging Advanced Tools and Analytics
For conducting the audit process remotely, the reliance on video conferencing tools and document sharing platforms increases manifold. Remote auditors today can also leverage advanced technologies, such as cloud computing, artificial intelligence, machine learning, etc., and data analytics, which facilitate digitized risk assessments, provide real-time access to audit data, dashboard, and reports, enable real-time reporting, and more.
By automating various processes, these tools enable a systematic, workflow-driven, risk-based audit process, thereby reducing the burden on the IA team. Technology, in fact, is a key element for effectively driving remote auditing and enhancing the efficiency of the process. Implementing the right audit management tool or software can help streamline and standardize audit processes and better equip the executive management to make timely, data-driven business decisions.
MetricStream Internal Audit Management enables organizations to infuse more agility into their internal audit program and ensure that it is aligned with business goals and prepared for multi-dimensional risks. It also strengthens collaboration across the three lines, optimizes productivity, and boosts the board’s confidence with improved visibility into risks and potential opportunities. In addition, with the latest Arno release, MetricStream has delivered some exciting new features to the product in order to ease the pressure on Internal Auditors and complement their skills and knowledge.
To request a demo, click here.
Also Read:
1. Navigating New Terrain: Internal Auditing in a Covid-19 Era (To download the eBook, click here)
2. Importance of Robotic Process Automation (RPA) and Data Analytics (DA) in Internal Audit (To download the eBook, click here)
3. Can Artificial Intelligence Help Internal Audit Step Up Its Game? (To download the insight, click here)
Jump to Topic
Related Resources
Blogs
Reinventing Internal Audit to Ensure Agility, Relevance, and Effectiveness
- Audit Management
- 09 June 21
4 min read
Introduction
It has become too trite to say that the COVID-19 pandemic has upended organizations around the globe. The impact, in fact, is of unimaginable magnitude—affecting business units, functions, and the very core of any organization, its employees. In these turbulent times, internal auditors have a pivotal role to play in providing trusted risk perspectives and guiding their organizations to higher ground.
To gain deeper insights into their evolving role in the new normal, we surveyed internal auditors from across industries and countries. The objective was to understand how prepared internal auditors are to help their organizations recover from the ongoing crisis and model a holistic audit program that drives insight and action.
Here are the key takeaways from the survey:
- A majority (67%) of internal auditors have had to change their plans, and reprioritize audit activities during the pandemic
- 39% of the respondents said that they are in the process of implementing, or have already implemented continuous monitoring and continuous auditing and are actively using them
- 60% of internal auditors don’t yet follow an agile approach to internal auditing
- 80% of organizations still use office productivity software or point solutions while only 10% of respondents said they use one integrated solution for policy, audit, risk, and compliance management
- Although changing business priorities, risk and compliance landscape, and lack of right tools and technologies were cited as the top challenges faced by internal auditors, only 27% of those surveyed said that they will dedicate future investments towards adopting an integrated solution for policy, audit, risk, and compliance
“The future may look uncertain right now, but internal audit’s unique knowledge and perspectives can be invaluable in guiding organizations through the new normal. By embracing change, and thinking ahead, auditors can help their organizations emerge from the crisis stronger than ever,” an excerpt from the report reads.
Internal Audit: Key Considerations
The survey highlighted that the current approach to IA by most organizations largely lacks key attributes such as agility, continuous monitoring and auditing, and others. These features are crucial for organizations to move at the speed of risk and make well-informed business decisions.
Ensuring Risk-Based Approach to Auditing:
Embedding a common definition and language of risks and controls are prerequisites of an effective audit plan. Particularly in today’s volatile and uncertain business and risk landscape, the focus has shifted from mitigation to pre-empting risks. Risk-based internal auditing is important to enhance an organization’s risk appetite and ensuring that the executive management and board have access to actionable risk insights for making better-informed business and investment decisions.
Aligning with Business Objectives and ERM Framework:
Business risks, priorities, and strategies evolve over time due to ever-changing internal and external factors. Regularly updating audit plans to ensure alignment with overall strategic objectives and the overarching enterprise risk management (ERM) framework will enable the internal audit team to be aware of the high-risk areas and facilitate the optimum utilization of time and resources towards more pressing issues.
Implementing Rapid Assurance Model:
This has become imperative particularly in the post-pandemic era. The model calls for a novel and pragmatic approach to assurance—breaking down the audit cycle into shorter segments or cycles with compressed timelines for reviews, insights, and action. This approach will enable providing real-time assurance and help organizations instill more agility into their working models.
Adopting Quantitative Approach:
Adopting a quantitative approach to risk assessments—calculating risk scores and translating risks into monetary value—is critical for determining the probability and impact of every identified risk. This approach will help organizations prioritize risks and realign audit plans and business strategies in an agile manner.
Testing Internal Controls:
Conducting audit tests of internal controls is important to determine their efficacy and effectiveness. If a control fails the test, it means that it is ineffective in detecting and thwarting risks, making the organization more vulnerable. The onus then falls on internal auditors to promptly inform the senior management to investigate and remediate.
Leveraging Smart Tools and Technologies:
Intelligent tools and technologies, such as Robotic Process Automation (RPA) and artificial intelligence (AI), are the key ingredients for ensuring agility, relevancy, and effectiveness of audit plans. Implementing the right audit management tool or software could be a game-changer. It can not only streamline, standardize, and automate internal audit activities but also equip the executive management to make timely, data-driven business decisions.
MetricStream Internal Audit Management can help internal auditors overcome their challenges and streamline various processes. The solution helps drive an agile IA program that is aligned with organizational goals and prepared for multi-dimensional risks, while preserving the trust of every stakeholder. In addition, the latest Arno release brings some exciting new features to the solution including, collaborative authoring of audit test samples and enhanced cross-functional collaboration across teams.
To request a demo, click here. To download the full survey report, click here.
Jump to Topic
Related Resources
Blogs
Internal Auditors Tap Industry 4.0 Technologies to Move from Traditional to Agile
- Audit Management
- 26 March 21
4 min read
Introduction
The sudden onset of the pandemic and the subsequent lockdowns and travel restrictions have upended business around the globe. To navigate the resulting complex and dynamic risk landscape, organizations have no option but to go digital. For the internal audit function too, it has become imperative that it reinvents itself with innovative tools and technologies to stay relevant and meet today’s business challenges.
In Deloitte’s 2020 survey of audit committee chairs and members, 92% of respondents said that IA should provide insights on and help prepare for emerging risks, while 63% said IA should be faster reporting results of their work. The current volatile business environment warrants an agile, flexible, and future-ready internal audit function that can add value to an organization.
Internal Audit: The Digital Transformation Journey
The internal audit function provides valuable insights into the effectiveness of an organization’s risk management, governance, and internal control processes. Before considering what Industry 4.0 technologies to adopt to modernize IA, it is important to have a comprehensive view on the level of maturity of this function, the maturity of the technology being considered, and the associated risks.
- Internal Audit Maturity Level
Identifying the current level of maturity of IA marks the first step of the digital transformation journey. Depending on the level of automation and structure, the Institute of Internal Auditors (IIA) has identified five levels of maturity of the IA function:
- Initial: Scattered policies and processes, high reliance on manual systems and spreadsheet, no data validation, ad hoc audit activities
- Repeatable: Better policies and processes but may not be documented, low reliance on data and information generated from systems, reporting processes are defined but may not be documented
- Defined: Defined and documented policies and processes, greater reliance on information generated from systems, effective use of reporting templates
- Managed: Policies and processes are communicated to personnel, high data integrity, reliable automated reports, continuous monitoring of key data, highly effective reporting, quality and timeliness metrics defined and monitored
- Optimized: Continuous monitoring and updating policies and processes for necessary changes and emerging leading practices, extensive use of data mining and analytics, highly effective reporting, robust succession planning in place
Assessing the level of maturity of internal audit is important as it will help an organization recognize the shortcomings of its existing approach, determine the desired future state, and the technologies that must be adopted towards achieving this goal.
- Bringing Industry 4.0 Technologies to IA
To wade through the pandemic-driven new normal and successfully manage the resulting distributed workforce, internal auditors need to embrace advanced transformational technologies to provide valuable insights and rapid assurance. When talking about Industry 4.0 technologies, the key technologies that have gained considerable traction in the past couple of years include cloud computing, robotic process automation (RPA), AI/ML (analytics), and blockchain, among others.
Implementing these technologies will empower IA teams to continuously monitor and quickly detect risks even in the remote setup, collaborate seamlessly across the three lines, automate the aggregation of risk data, be cognizant of emerging risks, and more. These capabilities, in turn, will help make the IA function more agile and future-ready.
That said, organizations should decide on the technology to be adopted and its level of maturity depending on the business needs and goals. They must determine if the application is relevant to the nature of their business or if they are implementing it just out of the fear of missing out. Ultimately, the primary reason to embark on the digital transformation journey of IA is to add value to top management’s view of business risk and facilitate effective decision making.
- Associated Risks with Technology
When considering implementing Industry 4.0 technologies, it becomes critical for organizations to assess where these technologies are going to create risk and where the risk is going to fall. KPMG has defined four dimensions of risks when it comes to IA:
- Recurring: This is the dominant risk that should be considered on a recurring basis.
- Exceptional: This includes risks that don’t have previous audit history within the organization. IA should aim to provide initial assurance to the key stakeholders as to how these risks are addressed.
- Emerging: Most of the new and emerging technologies fall under this risk. This includes risks and opportunities that may not have clear attention of the organization but may soon become material risks.
- Established: These are the risks that are clearly considered to be the key to the organization and should dominate the IA plan and assurance agenda.
In addition to keeping abreast of the latest technologies and developments, IA practitioners must focus on understanding the impact of digitalization on business and audit processes, and identify, assess and mitigate the associated risks such as cyber risk, third-party risk, and others.
Organizations can simplify the digital transformation of their IA by leveraging MetricStream Internal Audit Management. The product enables companies to drive an agile internal audit program that is not only aligned with organizational goals but also allows to factor in new risks that arise with shifting priorities. In addition, automated processes, real-time reporting, and access to audit data, and analytical tools help auditors to accelerate internal auditing and optimize resource allocation and enable senior management to make faster and well-informed business decisions.
Jump to Topic
Related Resources
Blogs
4 Top Priorities for Internal Audit in 2021
- Audit Management
- 08 February 21
4 min read
Introduction
Over the years, internal auditing has continued to pivot and evolve in response to changing stakeholder needs. From certifying the reliability of financial statements, to advising on a broad range of business risks, regulatory changes, culture, and cybersecurity, internal auditors have adapted time and again to meet business expectations in a dynamic world.
Then came the COVID-19 crisis which forced internal auditors to once again shift gears, and find new ways of helping their organizations contain and respond to the crisis. Now, with the start of a new year and the roll-out of vaccines, the end of the pandemic looks to be in sight. As organizations prepare for a post-COVID-19 world, how can internal auditors continue to deliver value?
Our latest eBook provides some insights as it explores ways in which internal auditors can strengthen their strategic advisory role to accelerate business performance. Based on these insights, here are four priorities that are likely to be top of mind for internal auditors in 2021.
1. Enhance the business impact of internal auditing
Businesses are grappling with digital disruptions, cost pressures, compliance burdens, and more. In the face of these challenges, internal auditors must move beyond their traditional role as corporate policemen, and become the valued strategic advisors that the business needs. Boards and executive teams are relying on auditors not just to identify weaknesses in control environments, but to provide insights on how the business can improve its efficiency and operating effectiveness.
Traditional audit responsibilities such as risk detection and fraud identification are now table stakes in the line of duty. More important questions are being asked about business resilience, climate change, supply chain disruption, data privacy in a remote work environment, and digital transformation risks. Within these conversations, internal auditors have the opportunity to deliver real business impact. The work they do can help organizations shape better risk and compliance programs, while also bolstering their readiness for future challenges.
So, how can internal auditors rise to the occasion and deliver what their businesses need? Here are four key steps:
2. Strengthen organizational preparedness for future crises
The COVID-19 pandemic may have been unprecedented, but it’s unlikely to be the last major crisis. And if there’s anything that organizations have learned, it’s that they need be more resilient and better prepared. Internal auditors will play a key role in this effort, helping businesses anticipate the severity of a potential crisis, and build agility.
The role of internal audit doesn’t necessarily have to begin only after the other lines of defense have completed their observations, defined key risks, and implemented controls. Instead, auditors can be involved in the entire spectrum of activities since they have a unique, birds-eye view of the business. It is this that makes their contribution during a crisis, crucial.
Internal auditors carry the ability to dive into the business, check for silos or gaps, and ensure that crisis management plans are aligned to risks, communication strategies, and most importantly, strategic goals and objectives. Auditors can also help ensure that crisis plans are tested, approved, and exercised in a timely manner. The more they are involved, the greater the value they can deliver.
3. Build agility in audit
Risks are evolving so quickly that lengthy audits with rigid, pre-defined plans are no longer sustainable. Instead, internal auditors must be able to swiftly pivot and respond to new risks, be it health and safety, data privacy, or third-party risks. That’s where agile auditing can help.
Agile focuses on faster audit cycles, quicker reporting, fewer documentation requirements, and less waste. It pushes auditors and stakeholders to determine upfront the value that needs to be delivered through a particular audit project. It also helps prioritize audits based on their importance and urgency—which is critical in today’s fast-evolving environment.
Here are five best practices to enable more agility in internal auditing:
4. Expand the use of robotic process automation (RPA) and data analytics
RPA can save significant auditing time and resources by minimizing the need for human intervention—especially in tasks such as data aggregation, continuous control monitoring, and real-time identification of financial fraud. RPA also enables auditors to increase coverage by moving from simple statistical sampling to full population testing. With that, they can dig deeper into data, proactively identify hidden issues, and ensure that no risks are overlooked.
Meanwhile, advanced analytics can shed light on new risk patterns, anomalies, internal control gaps, or opportunities. They help internal auditors improve the scope and quality of their work, while also delivering better insights to stakeholders.
That said, the use of data analytics often requires sufficient funding, high quality data, and auditors with certain skill sets. But these challenges aren’t insurmountable. Now is the time for internal audit teams to pave the way for a successful analytics program that can help them deliver better assurance to the business.
For more insights, take a look at our eBook on “Strengthening Internal Audit’s Strategic Advisory Role to Accelerate Business Performance.”
As you step into 2021, MetricStream Internal Audit Management can help you enhance audit agility and efficiency, while also improving visibility into risks. Find out more.
Jump to Topic
Related Resources
Blogs
Improving Organizational Resilience using RPA
- Audit Management
- 03 July 20
4 min read
Introduction
We live in a world of disruptions which teach us new lessons every time we face one. Due to the challenges caused by disruptions, organizations strive hard to maintain continuous business operations and protect their brand image. The organizations which can anticipate these challenges and creatively respond to them often come out as winners.
The current outbreak of COVID-19 has really tested organizations on their business resiliency plans. It has forced many organizations to shift their business strategies. Some of the organizations are staring at reduced top and bottom-line growth due to lower productivity of teams. A lot of other organizations, however, are functioning during the pandemic using work from home models. Even for this kind of scenario, there has to be a change in business strategy which focuses on ensuring that employees remain healthy and productive, and committed business delivery timelines are met while continuing to work from home.
One thing which the pandemic has ensured is that uncertainty is going to continue for some time, and that no one is able to predict for how much longer. Some of the factors which this uncertainty has created are:
- Increased online transactions – Consumers are ordering more than ever via the web leading to an increase in cashless transactions.
- Increased demand for high speed data – While working from home, employees are switching to better data plans which can allow them to work effectively.
- Increased automation – Enterprises are scouting for opportunities where manual work can be replaced via automation and thus allowing digital workforces to take shape.
In today’s environment enterprises need more automation than ever before. Robotic Process Automation (RPA) plays a key role in helping enterprises tap opportunities of automating the business processes. In case, you are new to RPA, you can refer to an article about RPA and its journey here. The bots created using an RPA system can function 24×7 which increases their productivity, accuracy, and effectiveness. A point to note here is that RPA is suitable for the processes which are driven by rules and which an enterprise needs to perform repeatedly.
A recent survey by an RPA enterprise called Automation Anywhere revealed the following findings:
- Nearly 50 percent of firms plan to invest in RPA to increase business resiliency in the post-COVID world. The pandemic and its aftermath have catapulted the urgency for embracing digital technologies.
- More than 70 percent of survey respondents said they anticipate that at least half of their workforce will be digital workers, while over one quarter expect more than 80 percent of their workforce to become digital.
From a GRC standpoint, there are many use cases of RPA which an enterprise can adopt:
- Full-Scale Automated Auditing – The traditional audits focused on auditing based on random sample sizes. It is difficult to manually audit all the samples available. The random sample auditing though helpful can at times lead to missing out on some key samples which can alter audit findings. RPA solves this problem as the bots can perform full-scale auditing rather than focus only on random samples. Bots can pull up evidence and indicate cases of non-conformance automatically.
- Risk Assessment – RPA can help organizations gather data from various disparate systems. Using this data, the internal systems can do risk classification and perform trend analysis, thereby, effectively predicting the various outcomes which can help a risk manager plan for mitigations.
- Control Testing Automation – Bots can be made capable of performing control testing. This is helpful in both audits and compliance management.
- Continuous Control Monitoring – RPA can automatically collect the data from multiple systems and access the controls. Alerts can be generated when exceptions are found.
- Automated Third-Party Due Diligence – RPA can also be used during third party due diligence as it can gather data about third parties from various sources. This data can then, in turn, be used to influence the decisions to onboard a third party into the system.
In addition to the GRC use cases above, there are many others which RPA can handle. Those include Insurance Claim Processing, Performing KYC Checks, Loan Origination, Purchase Order Management, Invoice Processing, and many more.
By allowing the automation of business processes, RPA not only improves productivity but also helps in containing costs for an organization. With or without the current pandemic, it makes sense for organizations to embrace RPA as it gives them an advantage in improving their business process efficiencies. It also helps the organization become more resilient by focusing on improving efficiencies via automation. RPA is also useful in executing business continuity planning during these times of uncertainty.
Organizations should look deeply within and identify the repetitive manual processes, business challenges and risks faced by them. They can then analyze how RPA can help mitigate those. Adopting RPA will not only improve the agility of an organization but also provide an opportunity to improve business resiliency.
The need for automating manual repetitive business processes was always there. The pandemic just accelerated it and brought automation to the center stage.
Jump to Topic
Related Resources
Blogs
Through the GRC Lens – November-December 2019
- Audit Management
- 14 January 20
3 min read
The Changing Winds of Compliance
As compliance teams strive to manage new regulations and technological advancements, here are some of the trends and headlines that made compliance news in November and December.
In the face of changing business models, as well as new risks and dynamic global ecosystems, compliance as a discipline is rapidly evolving. Stakeholders rely on compliance teams to not only protect their organizations against regulatory penalties and legal liabilities, but to also strengthen reputation and credibility with customers. As compliance officers seek to demonstrate and enhance the value delivered to their organizations, the following are some key considerations.
New Regulations
While 2020 began with a focus on data privacy, here are some updates on other areas of compliance that made the headlines:
- Data Privacy: This month, the CCPA came into effect giving customers more control over their data. However, in a study by Ethyca, only 12% of 85 respondents believed they had achieved an adequate state of compliance readiness for the emerging regulated privacy landscape.An article in Forbes suggested that “Rather than looking at CCPA compliance as a chore, look at it as an opportunity to innovate your business practices and seek ways to regain a first-party relationship with your customers.”
- Payment Security: Payment security compliance declined for the second year in a row in 2019, according to Verizon’s 2019 Payment Security Report. The report also pointed out that a compliance program without proper controls to protect data has a more than 95% probability of not being sustainable and is more likely to be a potential target of a cyberattack.
- Banking and Finance – As the financial services industry continues to grapple with regulatory complexities, many are turning to regtech solutions to enable and support their compliance efforts. The goal isn’t just to avoid non-compliance penalties but to strengthen trust and credibility with customers. The report, ‘Hooked: RegTech Reliance in Capital Markets Compliance’ by Greenwich Associates states that 63% of firms recognize that reputation protection is the core purpose of compliance.
- Communication – Compliance teams are also struggling to keep pace with electronic communication channels, with 45% saying they are in constant catch-up mode rather than proactive mode, when it comes to electronic communication compliance, according to a report by Smarsh.
- Technology: The use of AI in regulatory compliance is helping both regulators and businesses. A recent Deloitte poll stated that nearly half (48.5%) of C-suite and other executives at organizations that use AI expect to increase AI use for risk management and compliance efforts in the year ahead. But only 21.1% of respondents report that their organizations have an ethical framework in place for AI use within risk management and compliance programs.
Compliance is now a key topic of discussion at the executive level, and is also a strong part of core business strategy. Newer technologies like AI and advanced analytics are helping compliance teams deliver value to the business in the digital age.
Compliance Week’s second annual technology survey highlighted that, ‘’companies are moving along the technological maturity curve in qualitative and quantitative ways today’’. According to the survey, companies are willing to spend more in 2019 than they were even a few years ago to build a more robust technology-enabled compliance function. Nearly, a quarter (23%) of compliance practitioners said their technology budget is much larger today than it was three years ago.
As compliance teams strive to do more with less, the emergence of new technologies will not only improve efficiency and cost-effectiveness, but will also enable teams to derive quick, meaningful insights from data to make well-informed decisions.
Jump to Topic
Related Resources
Blogs
A Look Back at the GRC Summit 2019
- Audit Management
- 30 July 19
5 min read
Introduction
Now in its seventh year, the GRC Summit hosted by MetricStream is one of the biggest and most anticipated events for GRC practitioners around the world. This year, the summit was held on June 2-5 in Baltimore, Maryland, bringing together over 450 GRC and business leaders to talk about the latest trends and opportunities in GRC. It was an incredible four days of learning, discovery, and collaboration—topped off by an exclusive cruise, as well as a glittering awards ceremony.
Here are some of the top highlights from the summit:
- Integrity Front and Center
In keeping with the theme of the summit—”Perform with Integrity™”—many of the speakers pointed out that financial performance is no longer the sole indicator of success. Trust is what really drives business today, and integrity is what drives trust.
MetricStream CEO, Mikael Hagstroem talked about building integrity by fostering a sense of compassion in the way we approach customers, the way we treat employees, and the way we shape the future of technology. “Successful performance—be it an individual level, an organizational level, or a global level—begins with a spark of passion that, when guided by integrity and compassion, helps us improve the human condition, and enable a higher quality of life,” he said.
MetricStream Chairman, Gunjan Sinha, emphasized the need to build purpose-driven organizations where doing good is as much of a priority as doing well. A strong sense of purpose, he predicted, is what will define the successful organizations of the future, along with a commitment to diversity, inclusion, empowerment of the front line, ethical data, and social conscious AI.
- Tony Scott on the Key Transformation Drivers of the Next Five Years
The former Chief Information Officer of the United States government (2015-17) described how “relentless digitization” is rapidly upending traditional analog business models. And with it, the notion of security and privacy by design is becoming more important than ever. Technology is moving faster than we’re prepared for, he cautioned. Do we understand the risks of new tools like AI and machine learning? How do we build good governance, accountability, and transparency around these new technologies? How do we keep humanity at the center of innovation? All key questions to consider.
- Jim Quigley: Coping with the “Knowns” and “Unknowns” of Business
Drawing on his experience as a member of the board and risk committee at Wells Fargo, as well as CEO Emeritus of Deloitte, Jim Quigley talked about why the work of GRC practitioners is so critical in helping boards and management teams make better strategic decisions in the midst of escalating “known unknowns” and “unknown unknowns.” He also emphasized the importance of building sustainable risk cultures. “The biggest driver of culture in any organization is observable behavior,” he said, quoting a colleague. “We want people to raise their hands and identify problems as quickly as possible.”
- The Power of Innovation
MetricStream’s Chief Technology Officer, Andreas Diggelmann, along with Chief Innovation and Cloud Officer, Vidyadhar Phalke, delved into the new technology innovations that are emerging across the whole chain of GRC. Chatbots, for instance, are being used to capture issue data from the first line of defense in a manner that is simple and engaging. Predictive analytics are being used in the second and third lines to anticipate and respond to potential emerging risks proactively. Machine learning tools are enabling executive teams to detect risk patterns, and understand optimal mitigation practices based on historical evidence. Essentially, the possibilities with technology are endless.
- Anna Felländer on Being Vigilant to the Ethical Risks of AI
Co-founder of the AI Sustainability Center, Anna Felländer pointed out that in a data-driven world, AI is key to helping organizations build better operational efficiency and deeper client relationships. Yet, it also introduces many ethical risks around the misuse/ overuse of the technology as well as multiple biases. If we want to avoid these pitfalls, we need to start investing as much in the humanistic side of AI as the engineering side, she said. We need to shape a future where humans lead AI, not the other way around. We need to find ways of ensuring that technology doesn’t get ahead of regulation.
- Risk Management Is Everyone’s Responsibility
Many of the speakers emphasized the need to strengthen risk awareness at every level of the organization, right from the front lines to the boardroom. “Risk needs to be something that companies walk, talk, eat, and breathe every day,” said Kenneth Bacon, Member of the Board, Comcast, and Co-founder and Managing Partner, RailField Realty Partners. We need to have more risks and issues self-identified by the business rather than by internal audit or regulators, pointed out Sarah Dahlgren, Head of Regulatory Relations – Corporate Risk, Wells Fargo & Company. The more proactive the first and second lines of defense are in reporting risk data, the better informed and more confident the board and management team can be in their strategic decision-making processes.
- In a Fast-Changing World, GRC Must be Agile
Disruption is the only constant in business today, pointed out MetricStream’s Chief Operating Officer, Gaurav Kapoor. If we want to be prepared for the new risks around the corner, GRC programs have to be agile, he said. Other speakers talked about what agility entails. Raven Catlin, Former CAE and Industry Expert in Internal Audit and Risk Management, described how internal audit must be ready to embrace new tools, new skills, and new approaches to auditing. Michael Rasmussen, Chief GRC Pundit, GRC 20/20, highlighted the importance of integration and collaboration in building more agile GRC functions.
- A Celebration of GRC Champions
The much-anticipated GRC Journey awards ceremony, held on day 1 of the summit, recognized and honored MetricStream’s business partners, individuals, and customer organizations that have made significant strides on their GRC journey towards strengthening business performance. This year, there were 17 award recipients across five categories.
- Connecting and Collaborating
There were plenty of opportunities for attendees to connect, share with, and learn from with each other – be it the many interactive workshops and networking sessions, or the relaxed “happy hours.” Day 2 of the summit culminated in an exclusive cruise down Patapsco River which saw attendees letting loose and singing their hearts out at a Karaoke session.
Jump to Topic
