Talk about roundtrips…. In the same week of a very successful 2021 GRC virtual summit on the 19 and 20 of October, where MetricStream had over 2500 customers, prospects, and partners registered to learn, participate, and share their experiences around GRC, IRM, and everything in-between, we decided to host three physical summits based in London, Copenhagen, and Zurich to continue the conversations with our community.
All three locations had a boardroom style setting dedicated to a round table discussion. The aim was simple: we would listen to what our community had on their mind. It was an opportunity to find common synergies, lead round table discussions, and network with senior risk professionals that are paving the way in this industry.
With representation from risk, compliance, audit and IT Cyber, the discussions were captivating, and the commentary was electric.
The first of the events started off in London, and we had a great mix of customers, partners, and prospects around the table.
Our CEO, Bruce Dahlgren, introduced the session, and it was an engaging group that shared their thoughts and concerns around the current themes and trends.
Alongside the presentations, our partners gave a short speech on the success of collaborating with MetricStream to provide business benefits for our risk community. What followed was an insightful roundtable discussion that covered risk quantification, cyber security, and the need for organizations to lead with purpose.
It did not take long for ESG to make an appearance and quite rightly so, with COP26 on the agenda and the link to compliance, organizations that have a purpose and are aligning to social governance, diversity, and climate change are setting a precedent. MetricStream recently launched the ESGRC product, which enables organizations to define and manage ESG standards, frameworks, and disclosure requirements. There was a lot of excitement on this in the room.
Emerging risks and third-party risks were explored in detail. With recent supply chain disruptions, it became even more apparent how peripheral risks had to be managed.
Dinner followed, and the conversations (like the wine) continued flowing. It was delightful to see customers connecting with customers. It was evident that they all thrive in this environment and that it was clearly something they had sorely missed over the last 20 months.
We settled in for another topical roundtable discussion, where the thoughts and real-life examples of how technology is an enabler in the GRC space were deliberated. In some instances, the dialogue went back and forth. One example of this was that the concern organizations face with risk was not always a technology one, but more of a transformational project that the organization needed to resolve. Accompanying this was the remark that there are inconsistencies in risk terminologies across the industries, which fuels part of the problem. It was also surprising (to me) to learn that there were still so many organizations using spreadsheets to manage their risk. This was their default way to identify, monitor, and track risks, even though they knew it was not sustainable, efficient, or scalable.
The need for AI and ML to automate risk attributes was the next topical point. The comment was made that AI techniques recognize patterns and trends to help alleviate the pain, time, and missing information that humans cannot always detect, but how do you know that AI is doing the right thing? This conversation continued into the evening, accompanied by food and drinks.
And finally, concluding the week in Zurich, we had another full house with an engaging group that deliberated on how they can start a community of risk or, as was suggested, the “Instagram of risk”. There were discussions around risk culture, accountability, accurate data, and mindset. Some customers admitted that it was quite possible to get lost in the data and what they require is speed, agility, and most of all simplicity. A comment was made that you could spend all your time managing documents and not the risk. Another referenced that, as change management sits in all departments including HR and legal, it can be a challenge to bring it all together for larger organizations. Crypto also made it into the discussion, with a notable mention that new risks have no historical data to base it on.
Visibility and accountability were front of mind in the discussions, and a common theme was reporting risks up to the board of directors and the role of the board in risk governance.
MetricStream presented 5 current trends that we are observing in the industry and 5 innovation themes that we are leading the way with (API, AI, Adoption, Agility & Analytics).
By bridging the gap and driving value for the community, MetricStream has a purpose to continue to add value and innovate alongside our community. We want the community to thrive on risk and reap the rewards of being on a GRC journey that like a good bottle of wine gets better with age.
Until the next summit.
The COVID-19 pandemic is a major crisis affecting every organization across every sector. To adapt to the new operational environment brought about by the outbreak, organizations worldwide increasingly switched to a digital-first business model and adjusted their business functions, including internal audit, to remote setup in 2020. With various pockets around the world still in the clutches of the coronavirus and its deadlier variants, remote auditing seems to be the norm this year as well for a number of organizations.
Remote auditing is not new—organizations, particularly those with global operations, have been using this audit method for years now. However, the pandemic has made the pivot towards remote auditing an absolute necessity for almost all organizations, regardless of their size and global footprint.
According to the International Organization for Standardization (ISO), the value of remote auditing “resides in its potential to provide flexibility to achieving the audit objectives. In order to realize the benefits of this audit method, all interested parties should be aware of their role in the process, inputs, expected outputs, and risks and opportunities that will provide the basis to achieve the audit and audit program objectives.”
Broadly speaking, the audit lifecycle remains the same whether conducted on-premises or remotely. And organizations have to ensure that their IA function is agile, relevant, and effective. MetricStream’s State of Internal Audit Survey Report 2021 highlighted the dire need to revamp the IA function at most organizations – 60% of the respondents said that their organization doesn’t yet follow an agile approach to internal auditing, while 80% of auditors still use office productivity software or point solutions despite the limitations of these tools.
That said, there are certain key considerations to ensure the effectiveness of the remote auditing approach in today’s digitized and fast-paced world:
A well-planned strategy is the first step in developing a successful remote auditing program. It is important that the plan is aligned with the strategic goals and the current business environment and circumstances. In this post-COVID era, for instance, remote working, macroeconomic shifts, and structural changes have heightened existing risks and created new ones in areas such as supply chain, remote supervision and training, cybersecurity, and many more. Internal auditors, therefore, must refocus on areas they may not have considered as high risk before or risks they may not have considered at all.
In addition, implementing a rapid assurance model should be included in the plan. By breaking down the audit cycle into shorter segments or cycles with compressed timelines for reviews, insights, and action, this approach can help provide real-time assurance and instill more agility into an organization’s working models. This will also help facilitate a more risk-based approach to auditing.
Effective communication is critical for ensuring that the remote auditing approach yields the desired results. The best practice is to organize a kick-off meeting with all relevant stakeholders to explain the scope and the strategy – the timelines of the process, how the information will be collected, tools used, etc. This is critical to ensure that the auditees are aligned with the overall plan.
In addition to the kick-off meeting, remote auditors must also schedule additional engagements for discussing issues and status updates, reviewing the audit report, etc. For remote interviews, the meetings must be scheduled well in advance to ensure the availability of the auditees.
For conducting the audit process remotely, the reliance on video conferencing tools and document sharing platforms increases manifold. Remote auditors today can also leverage advanced technologies, such as cloud computing, artificial intelligence, and machine learning, as well as data analytics, which facilitate digitized risk assessments, provide real-time access to audit data, dashboards, and reports, enable real-time reporting, and more.
By automating various processes, these tools enable a systematic, workflow-driven, risk-based audit process, thereby reducing the burden on the IA team. Technology, in fact, is a key element for effectively driving remote auditing and enhancing the efficiency of the process. Implementing the right audit management tool or software can help streamline and standardize audit processes and better equip the executive management to make timely, data-driven business decisions.
MetricStream Internal Audit Management enables organizations to infuse more agility into their internal audit program and ensure that it is aligned with business goals and prepared for multi-dimensional risks. It also strengthens collaboration across the three lines, optimizes productivity, and boosts the board’s confidence with improved visibility into risks and potential opportunities. In addition, with the latest Arno release, MetricStream has delivered some exciting new features to the product in order to ease the pressure on Internal Auditors and complement their skills and knowledge.
It has become too trite to say that the COVID-19 pandemic has upended organizations around the globe. The impact, in fact, is of unimaginable magnitude—affecting business units, functions, and the very core of any organization, its employees. In these turbulent times, internal auditors have a pivotal role to play in providing trusted risk perspectives and guiding their organizations to higher ground.
To gain deeper insights into their evolving role in the new normal, we surveyed internal auditors from across industries and countries. The objective was to understand how prepared internal auditors are to help their organizations recover from the ongoing crisis and model a holistic audit program that drives insight and action.
Here are the key takeaways from the survey:
“The future may look uncertain right now, but internal audit’s unique knowledge and perspectives can be invaluable in guiding organizations through the new normal. By embracing change, and thinking ahead, auditors can help their organizations emerge from the crisis stronger than ever,” an excerpt from the report reads.
The survey highlighted that the current approach to IA by most organizations largely lacks key attributes such as agility, continuous monitoring and auditing, and others. These features are crucial for organizations to move at the speed of risk and make well-informed business decisions.
Embedding a common definition and language of risks and controls is a prerequisite of an effective audit plan. Particularly in today’s volatile and uncertain business and risk landscape, the focus has shifted from mitigation to pre-empting risks. Risk-based internal auditing is important to enhance an organization’s risk appetite and ensure that the executive management and board have access to actionable risk insights for making better-informed business and investment decisions.
Business risks, priorities, and strategies evolve over time due to ever-changing internal and external factors. Regularly updating audit plans to ensure alignment with overall strategic objectives and the overarching enterprise risk management (ERM) framework will enable the internal audit team to be aware of the high-risk areas and facilitate the optimum utilization of time and resources towards more pressing issues.
This has become imperative particularly in the post-pandemic era. The model calls for a novel and pragmatic approach to assurance—breaking down the audit cycle into shorter segments or cycles with compressed timelines for reviews, insights, and action. This approach will enable providing real-time assurance and help organizations instill more agility into their working models.
Adopting a quantitative approach to risk assessments—calculating risk scores and translating risks into monetary value—is critical for determining the probability and impact of every identified risk. This approach will help organizations prioritize risks and realign audit plans and business strategies in an agile manner.
Conducting audit tests of internal controls is important to determine their efficacy and effectiveness. If a control fails the test, it means that it is ineffective in detecting and thwarting risks, making the organization more vulnerable. The onus then falls on internal auditors to promptly inform the senior management to investigate and remediate.
Intelligent tools and technologies, such as Robotic Process Automation (RPA) and artificial intelligence (AI), are the key ingredients for ensuring agility, relevancy, and effectiveness of audit plans. Implementing the right audit management tool or software could be a game-changer. It can not only streamline, standardize, and automate internal audit activities but also equip the executive management to make timely, data-driven business decisions.
MetricStream Internal Audit Management can help internal auditors overcome their challenges and streamline various processes. The solution helps drive an agile IA program that is aligned with organizational goals and prepared for multi-dimensional risks, while preserving the trust of every stakeholder. In addition, the latest Arno release brings some exciting new features to the solution, including collaborative authoring of audit test samples and enhanced cross-functional collaboration across teams.
The sudden onset of the pandemic and the subsequent lockdowns and travel restrictions have upended business around the globe. To navigate the resulting complex and dynamic risk landscape, organizations have no option but to go digital. For the internal audit function too, it has become imperative that it reinvents itself with innovative tools and technologies to stay relevant and meet today’s business challenges.
In Deloitte’s 2020 survey of audit committee chairs and members, 92% of respondents said that IA should provide insights on and help prepare for emerging risks, while 63% said IA should be faster at reporting results of their work. The current volatile business environment warrants an agile, flexible, and future-ready internal audit function that can add value to an organization.
The internal audit function provides valuable insights into the effectiveness of an organization’s risk management, governance, and internal control processes. Before considering what Industry 4.0 technologies to adopt to modernize IA, it is important to have a comprehensive view on the level of maturity of this function, the maturity of the technology being considered, and the associated risks.
Identifying the current level of maturity of IA marks the first step of the digital transformation journey. Depending on the level of automation and structure, the Institute of Internal Auditors (IIA) has identified five levels of maturity of the IA function:
Assessing the level of maturity of internal audit is important as it will help an organization recognize the shortcomings of its existing approach, determine the desired future state, and the technologies that must be adopted towards achieving this goal.
To wade through the pandemic-driven new normal and successfully manage the resulting distributed workforce, internal auditors need to embrace advanced transformational technologies to provide valuable insights and rapid assurance. When talking about Industry 4.0 technologies, the key technologies that have gained considerable traction in the past couple of years include cloud computing, robotic process automation (RPA), AI/ML (analytics), and blockchain, among others.
Implementing these technologies will empower IA teams to continuously monitor and quickly detect risks even in the remote setup, collaborate seamlessly across the three lines, automate the aggregation of risk data, be cognizant of emerging risks, and more. These capabilities, in turn, will help make the IA function more agile and future-ready.
That said, organizations should decide on the technology to be adopted and its level of maturity depending on the business needs and goals. They must determine if the application is relevant to the nature of their business or if they are implementing it just out of the fear of missing out. Ultimately, the primary reason to embark on the digital transformation journey of IA is to add value to top management’s view of business risk and facilitate effective decision making.
When considering implementing Industry 4.0 technologies, it becomes critical for organizations to assess where these technologies are going to create risk and where the risk is going to fall. KPMG has defined four dimensions of risks when it comes to IA:
In addition to keeping abreast of the latest technologies and developments, IA practitioners must focus on understanding the impact of digitalization on business and audit processes, and identify, assess and mitigate the associated risks such as cyber risk, third-party risk, and others.
Organizations can simplify the digital transformation of their IA by leveraging MetricStream Internal Audit Management. The product enables companies to drive an agile internal audit program that is not only aligned with organizational goals but also allows them to factor in new risks that arise with shifting priorities. In addition, automated processes, real-time reporting and access to audit data, and analytical tools help auditors accelerate internal auditing and optimize resource allocation, and enable senior management to make faster and well-informed business decisions.
Over the years, internal auditing has continued to pivot and evolve in response to changing stakeholder needs. From certifying the reliability of financial statements, to advising on a broad range of business risks, regulatory changes, culture, and cybersecurity, internal auditors have adapted time and again to meet business expectations in a dynamic world.
Then came the COVID-19 crisis which forced internal auditors to once again shift gears, and find new ways of helping their organizations contain and respond to the crisis. Now, with the start of a new year and the roll-out of vaccines, the end of the pandemic looks to be in sight. As organizations prepare for a post-COVID-19 world, how can internal auditors continue to deliver value?
Our latest eBook provides some insights as it explores ways in which internal auditors can strengthen their strategic advisory role to accelerate business performance. Based on these insights, here are four priorities that are likely to be top of mind for internal auditors in 2021.
Businesses are grappling with digital disruptions, cost pressures, compliance burdens, and more. In the face of these challenges, internal auditors must move beyond their traditional role as corporate policemen, and become the valued strategic advisors that the business needs. Boards and executive teams are relying on auditors not just to identify weaknesses in control environments, but to provide insights on how the business can improve its efficiency and operating effectiveness.
Traditional audit responsibilities such as risk detection and fraud identification are now table stakes in the line of duty. More important questions are being asked about business resilience, climate change, supply chain disruption, data privacy in a remote work environment, and digital transformation risks. Within these conversations, internal auditors have the opportunity to deliver real business impact. The work they do can help organizations shape better risk and compliance programs, while also bolstering their readiness for future challenges.
So, how can internal auditors rise to the occasion and deliver what their businesses need? Here are four key steps:
The COVID-19 pandemic may have been unprecedented, but it’s unlikely to be the last major crisis. And if there’s anything that organizations have learned, it’s that they need to be more resilient and better prepared. Internal auditors will play a key role in this effort, helping businesses anticipate the severity of a potential crisis, and build agility.
The role of internal audit doesn’t necessarily have to begin only after the other lines of defense have completed their observations, defined key risks, and implemented controls. Instead, auditors can be involved in the entire spectrum of activities since they have a unique, bird’s-eye view of the business. It is this that makes their contribution during a crisis crucial.
Internal auditors carry the ability to dive into the business, check for silos or gaps, and ensure that crisis management plans are aligned to risks, communication strategies, and most importantly, strategic goals and objectives. Auditors can also help ensure that crisis plans are tested, approved, and exercised in a timely manner. The more they are involved, the greater the value they can deliver.
Risks are evolving so quickly that lengthy audits with rigid, pre-defined plans are no longer sustainable. Instead, internal auditors must be able to swiftly pivot and respond to new risks, be it health and safety, data privacy, or third-party risks. That’s where agile auditing can help.
Agile focuses on faster audit cycles, quicker reporting, fewer documentation requirements, and less waste. It pushes auditors and stakeholders to determine upfront the value that needs to be delivered through a particular audit project. It also helps prioritize audits based on their importance and urgency—which is critical in today’s fast-evolving environment.
Here are five best practices to enable more agility in internal auditing:
RPA can save significant auditing time and resources by minimizing the need for human intervention—especially in tasks such as data aggregation, continuous control monitoring, and real-time identification of financial fraud. RPA also enables auditors to increase coverage by moving from simple statistical sampling to full population testing. With that, they can dig deeper into data, proactively identify hidden issues, and ensure that no risks are overlooked.
Meanwhile, advanced analytics can shed light on new risk patterns, anomalies, internal control gaps, or opportunities. They help internal auditors improve the scope and quality of their work, while also delivering better insights to stakeholders.
That said, the use of data analytics often requires sufficient funding, high quality data, and auditors with certain skill sets. But these challenges aren’t insurmountable. Now is the time for internal audit teams to pave the way for a successful analytics program that can help them deliver better assurance to the business.
For more insights, take a look at our eBook on “Strengthening Internal Audit’s Strategic Advisory Role to Accelerate Business Performance.”
As you step into 2021, MetricStream Internal Audit Management can help you enhance audit agility and efficiency, while also improving visibility into risks.
We live in a world of disruptions which teach us new lessons every time we face one. Due to the challenges caused by disruptions, organizations strive hard to maintain continuous business operations and protect their brand image. The organizations which can anticipate these challenges and creatively respond to them often come out as winners.
The current outbreak of COVID-19 has really tested organizations on their business resiliency plans. It has forced many organizations to shift their business strategies. Some of the organizations are staring at reduced top and bottom-line growth due to lower productivity of teams. A lot of other organizations, however, are functioning during the pandemic using work from home models. Even for this kind of scenario, there has to be a change in business strategy which focuses on ensuring that employees remain healthy and productive, and committed business delivery timelines are met while continuing to work from home.
One thing which the pandemic has ensured is that uncertainty is going to continue for some time, and that no one is able to predict for how much longer. Some of the factors which this uncertainty has created are:
In today’s environment, enterprises need more automation than ever before. Robotic Process Automation (RPA) plays a key role in helping enterprises tap opportunities of automating the business processes. In case you are new to RPA, you can refer to an article about RPA and its journey here. The bots created using an RPA system can function 24×7, which increases their productivity, accuracy, and effectiveness. A point to note here is that RPA is suitable for the processes which are driven by rules and which an enterprise needs to perform repeatedly.
A recent survey by an RPA enterprise called Automation Anywhere revealed the following findings:
From a GRC standpoint, there are many use cases of RPA which an enterprise can adopt:
In addition to the GRC use cases above, there are many others which RPA can handle. Those include Insurance Claim Processing, Performing KYC Checks, Loan Origination, Purchase Order Management, Invoice Processing, and many more.
By allowing the automation of business processes, RPA not only improves productivity but also helps in containing costs for an organization. With or without the current pandemic, it makes sense for organizations to embrace RPA as it gives them an advantage in improving their business process efficiencies. It also helps the organization become more resilient by focusing on improving efficiencies via automation. RPA is also useful in executing business continuity planning during these times of uncertainty.
Organizations should look deeply within and identify the repetitive manual processes, business challenges and risks faced by them. They can then analyze how RPA can help mitigate those. Adopting RPA will not only improve the agility of an organization but also provide an opportunity to improve business resiliency.
The need for automating manual repetitive business processes was always there. The pandemic just accelerated it and brought automation to the center stage.
As compliance teams strive to manage new regulations and technological advancements, here are some of the trends and headlines that made compliance news in November and December.
In the face of changing business models, as well as new risks and dynamic global ecosystems, compliance as a discipline is rapidly evolving. Stakeholders rely on compliance teams to not only protect their organizations against regulatory penalties and legal liabilities, but to also strengthen reputation and credibility with customers. As compliance officers seek to demonstrate and enhance the value delivered to their organizations, the following are some key considerations.
While 2020 began with a focus on data privacy, here are some updates on other areas of compliance that made the headlines:
Compliance is now a key topic of discussion at the executive level, and is also a strong part of core business strategy. Newer technologies like AI and advanced analytics are helping compliance teams deliver value to the business in the digital age.
Compliance Week’s second annual technology survey highlighted that “companies are moving along the technological maturity curve in qualitative and quantitative ways today”. According to the survey, companies are willing to spend more in 2019 than they were even a few years ago to build a more robust technology-enabled compliance function. Nearly a quarter (23%) of compliance practitioners said their technology budget is much larger today than it was three years ago.
As compliance teams strive to do more with less, the emergence of new technologies will not only improve efficiency and cost-effectiveness, but will also enable teams to derive quick, meaningful insights from data to make well-informed decisions.
Now in its seventh year, the GRC Summit hosted by MetricStream is one of the biggest and most anticipated events for GRC practitioners around the world. This year, the summit was held on June 2-5 in Baltimore, Maryland, bringing together over 450 GRC and business leaders to talk about the latest trends and opportunities in GRC. It was an incredible four days of learning, discovery, and collaboration—topped off by an exclusive cruise, as well as a glittering awards ceremony.
Here are some of the top highlights from the summit:
In keeping with the theme of the summit—“Perform with Integrity™”—many of the speakers pointed out that financial performance is no longer the sole indicator of success. Trust is what really drives business today, and integrity is what drives trust.
MetricStream CEO, Mikael Hagstroem, talked about building integrity by fostering a sense of compassion in the way we approach customers, the way we treat employees, and the way we shape the future of technology. “Successful performance—be it an individual level, an organizational level, or a global level—begins with a spark of passion that, when guided by integrity and compassion, helps us improve the human condition, and enable a higher quality of life,” he said.
MetricStream Chairman, Gunjan Sinha, emphasized the need to build purpose-driven organizations where doing good is as much of a priority as doing well. A strong sense of purpose, he predicted, is what will define the successful organizations of the future, along with a commitment to diversity, inclusion, empowerment of the front line, ethical data, and socially conscious AI.
The former Chief Information Officer of the United States government (2015-17) described how “relentless digitization” is rapidly upending traditional analog business models. And with it, the notion of security and privacy by design is becoming more important than ever. Technology is moving faster than we’re prepared for, he cautioned. Do we understand the risks of new tools like AI and machine learning? How do we build good governance, accountability, and transparency around these new technologies? How do we keep humanity at the center of innovation? All key questions to consider.
Drawing on his experience as a member of the board and risk committee at Wells Fargo, as well as CEO Emeritus of Deloitte, Jim Quigley talked about why the work of GRC practitioners is so critical in helping boards and management teams make better strategic decisions in the midst of escalating “known unknowns” and “unknown unknowns.” He also emphasized the importance of building sustainable risk cultures. “The biggest driver of culture in any organization is observable behavior,” he said, quoting a colleague. “We want people to raise their hands and identify problems as quickly as possible.”
MetricStream’s Chief Technology Officer, Andreas Diggelmann, along with Chief Innovation and Cloud Officer, Vidyadhar Phalke, delved into the new technology innovations that are emerging across the whole chain of GRC. Chatbots, for instance, are being used to capture issue data from the first line of defense in a manner that is simple and engaging. Predictive analytics are being used in the second and third lines to anticipate and respond to potential emerging risks proactively. Machine learning tools are enabling executive teams to detect risk patterns, and understand optimal mitigation practices based on historical evidence. Essentially, the possibilities with technology are endless.
Co-founder of the AI Sustainability Center, Anna Felländer, pointed out that in a data-driven world, AI is key to helping organizations build better operational efficiency and deeper client relationships. Yet, it also introduces many ethical risks around the misuse/overuse of the technology as well as multiple biases. If we want to avoid these pitfalls, we need to start investing as much in the humanistic side of AI as the engineering side, she said. We need to shape a future where humans lead AI, not the other way around. We need to find ways of ensuring that technology doesn’t get ahead of regulation.
Many of the speakers emphasized the need to strengthen risk awareness at every level of the organization, right from the front lines to the boardroom. “Risk needs to be something that companies walk, talk, eat, and breathe every day,” said Kenneth Bacon, Member of the Board, Comcast, and Co-founder and Managing Partner, RailField Realty Partners. We need to have more risks and issues self-identified by the business rather than by internal audit or regulators, pointed out Sarah Dahlgren, Head of Regulatory Relations – Corporate Risk, Wells Fargo & Company. The more proactive the first and second lines of defense are in reporting risk data, the better informed and more confident the board and management team can be in their strategic decision-making processes.
Disruption is the only constant in business today, pointed out MetricStream’s Chief Operating Officer, Gaurav Kapoor. If we want to be prepared for the new risks around the corner, GRC programs have to be agile, he said. Other speakers talked about what agility entails. Raven Catlin, Former CAE and Industry Expert in Internal Audit and Risk Management, described how internal audit must be ready to embrace new tools, new skills, and new approaches to auditing. Michael Rasmussen, Chief GRC Pundit, GRC 20/20, highlighted the importance of integration and collaboration in building more agile GRC functions.
The much-anticipated GRC Journey awards ceremony, held on day 1 of the summit, recognized and honored MetricStream’s business partners, individuals, and customer organizations that have made significant strides on their GRC journey towards strengthening business performance. This year, there were 17 award recipients across five categories.
There were plenty of opportunities for attendees to connect, share with, and learn from each other – be it the many interactive workshops and networking sessions, or the relaxed “happy hours.” Day 2 of the summit culminated in an exclusive cruise down the Patapsco River which saw attendees letting loose and singing their hearts out at a karaoke session.
A few weeks ago, MetricStream was awarded “GRC Product of the Year” at the 2019 Risk Technology Awards hosted by Risk.net. It was a strong validation of MetricStream’s mission to help organizations “Perform with Integrity™”. Through our GRC platform and solutions, customers are able to effectively understand and manage the interconnectedness of their risk environment, while deriving actionable risk insights for business decisions.
Over the past year, multiple financial services organizations have faced penalties and fines from regulators for facilitating money laundering, manipulating customer accounts, and mishandling security trading. Meanwhile, serious IT meltdowns and cybersecurity incidents have severely impacted brands and reputations. Added to that, operating markets and business models are continuously being disrupted.
To stay ahead of these risks—both “known” and “unknown”—in an increasingly hyperconnected, fast-changing world, organizations need timely risk insights that can help them make swifter and better business decisions. They need to be aware of how a potential incident can increase their risk exposure. These objectives are best achieved with a strong governance, risk, and compliance (GRC) foundation.
We believe that there are several factors that led to us winning GRC Product of the Year:
1. Support for Multiple Evolving GRC Roles
Chief Risk Officers (CROs), Chief Compliance Officers (CCOs), Chief Information Security Officers (CISOs), Chief Sourcing Officers (CSOs), and Chief Audit Executives (CAEs)—once limited in their roles—are increasingly being given a seat at the table with the power to influence strategy and decision-making. With this new power comes new obligations and challenges.
At MetricStream, we focus on addressing these challenges through our GRC platform, solutions, and apps. We thematically look at the core needs of each GRC persona—be it the CRO, CCO, CISO, CSO, or CAE—and provide tailored solutions to meet those needs. We also deliver specific content, workflows, and reports to help various personas make informed decisions that are aligned to their business objectives.
Our wide array of packaged apps, which can be enhanced with third-party applications, are designed to improve risk visibility and intelligence. Underlying these apps is our cloud-enabled, future-ready GRC platform that provides customers with long-term value throughout their GRC journey.
Our integrated GRC solution enables a high level of cohesiveness across core GRC components which, in turn, improves risk assessments, predictions, and mitigation. Organizations can effectively balance risks and rewards, make confident strategic decisions, and respond to the changes that occur within and outside their enterprise.
2. Balance Between Autonomy and Aggregation
At MetricStream, we understand that while the core requirements of GRC are more or less consistent across organizations, the processes, priorities, and needs of each organization are unique. Therefore, we offer flexible product alignment which allows customers to choose from multiple best-in-class, out-of-the-box GRC products that can be used along with third-party applications. Our apps and solutions provide agile risk reporting capabilities, while advanced analytics empower GRC practitioners to visualize large datasets within intuitive and interactive dashboards in real time.
3. Leadership in Addressing the Interconnectedness of Risk
The hyperconnectivity of markets has created both known and unknown dependencies and interconnections within and outside the enterprise. This, in turn, has increased the interconnectedness across different types of risks.
The MetricStream GRC Platform has been built to comprehend these risk relationships and to deliver contextual insights through the aggregation and analysis of risk information. Our customers have adopted the platform along with built-in best practices and modifications to identify, understand, quantify, and predict the multiple points of impact for any risk event.
4. Focus on Long-term Partnerships Based on Value Delivery
MetricStream is focused on being a long-term strategic partner to customers as they grow and transform along their GRC journey. Our GRC advisory framework and methodologies help organizations build a multi-year GRC vision and roadmap that augments value realization based on a “true platform” strategy.
Through our value discovery workshops, we enable customers to identify key value propositions that can be measured as outcomes throughout the design and implementation of their GRC programs. Our GRC Journey initiative adds a further advantage by helping customers understand the current and future state of their GRC programs, so that they can then re-engineer existing GRC processes for optimal business benefits.
***
As we continue to find new ways of enabling and supporting our customers, we’re deeply grateful to Risk.net for the recognition and award received. We look forward to continuously raising the bar on innovation, and delivering products that truly empower our customers to Perform with Integrity™.
I was on a call the other week with the Enterprise Risk Manager of a relatively sizable multi-national corporation (over 20,000 employees across a few hundred locations on nearly every continent), and she said something that got me thinking.
She said, “For us, right now – Excel is good enough.” I responded by saying that “I understood.” We discussed a few other topics on the call and hung up.
It wasn’t until afterwards that I realized how much her view about Excel took me aback. As an enterprise software sales professional, I believe in companies moving to automation. But the reason the statement took me aback was because I realized that this might be a common mindset across many people and firms. How many other people think, “Excel is good enough”?
A Senior Manager on my team, Mark Winey, was also on the call. After the meeting we spoke, and he reminded me that one of my first roles was in Operational Risk Reporting and Monitoring (R&M), so I should be able to understand their perspective. I began to reflect on this.
Earlier in my career, my team had built out the firm’s first op risk and control R&M function completely manually in Excel. Part of my role was to spend the first few hours of the day updating spreadsheets with additional information for the metrics I was tasked with tracking. We had defined thresholds of red, amber, and green based on a formula we created using standard deviations, and when those thresholds were breached, we needed to escalate.
Once I was done compiling the additional information, the next few hours were spent chasing on threshold breaches and gathering commentary around root cause and resolution. When that was finally complete, I would spend the vast majority of the rest of my day consolidating the prior month’s end reporting. This then went on for about 3 weeks until the “Month End Report” was done. At this point, we would reach out to executives in order to have meetings scheduled on their calendars; this took another 3 to 4 weeks before we could meet and present the report.
This brief narrative reveals two important insights:
First, and perhaps the more obvious insight, is that by the time we finally met with executives, the data was at least 45 days stale! This was in 2009 and we all understood the importance of accurate, real-time data; however, every month, as things stood, we were always looking in the rear view, and pretty far behind, at that.
Second, and this is the implied insight, I spent the smallest portion of my time thinking critically about the data. As an analyst, by definition “a person who analyzes or who is skilled in analysis (thank you Google, analyst),” I spent very little time actually analyzing. This was counter-intuitive to me – I was getting paid to dig in and think critically, but most of the time was spent on redundant manual efforts.
I’d like to estimate some numbers to illustrate how concerning this should be as risk practitioners. Let’s start with the assumptions that on average there are:
After factoring out lunch, holidays, vacations, etc., these assumptions should be fairly accurate. I didn’t document the precise time I spent on every activity, but let’s say that for the first 3 weeks of the month my day consisted of:
My day looked exactly the same for the last week of the month, except for this key difference: I now had 2 free hours a day since the “Month End Report” was complete!
In an interview, a client of ours said, “We see the GRC Program really enabling the commoditization of the existing compliance activities and governance activities, so that managers have time to think about what’s the next risk, and really use intellectual capacity to manage risk going forward.” Given the manual approach described above, as an analyst I would have spent 6.25% of my time thinking about “the next risk” and “managing risk going forward.” After reading this, does 10 hours a month seem like an adequate effort for risk analysis? Do you still think Excel is good enough?