Reinventing Internal Audit to Ensure Agility, Relevance, and Effectiveness



It has become too trite to say that the COVID-19 pandemic has upended organizations around the globe. The impact, in fact, is of unimaginable magnitude—affecting business units, functions, and the very core of any organization, its employees. In these turbulent times, internal auditors have a pivotal role to play in providing trusted risk perspectives and guiding their organizations to higher ground.

To gain deeper insights into their evolving role in the new normal, we surveyed internal auditors from across industries and countries. The objective was to understand how prepared internal auditors are to help their organizations recover from the ongoing crisis and model a holistic audit program that drives insight and action.

Here are the key takeaways from the survey:

  • A majority (67%) of internal auditors have had to change their plans and reprioritize audit activities during the pandemic
  • 39% of the respondents said that they are in the process of implementing, or have already implemented, continuous monitoring and continuous auditing and are actively using them
  • 60% of internal auditors don’t yet follow an agile approach to internal auditing
  • 80% of organizations still use office productivity software or point solutions while only 10% of respondents said they use one integrated solution for policy, audit, risk, and compliance management
  • Although changing business priorities, risk and compliance landscape, and lack of right tools and technologies were cited as the top challenges faced by internal auditors, only 27% of those surveyed said that they will dedicate future investments towards adopting an integrated solution for policy, audit, risk, and compliance

“The future may look uncertain right now, but internal audit’s unique knowledge and perspectives can be invaluable in guiding organizations through the new normal. By embracing change, and thinking ahead, auditors can help their organizations emerge from the crisis stronger than ever,” an excerpt from the report reads.

Internal Audit: Key Considerations

The survey highlighted that the current approach to IA by most organizations largely lacks key attributes such as agility, continuous monitoring and auditing, and others. These features are crucial for organizations to move at the speed of risk and make well-informed business decisions.

Ensuring Risk-Based Approach to Auditing: 

Embedding a common definition and language of risks and controls is a prerequisite of an effective audit plan. Particularly in today’s volatile and uncertain business and risk landscape, the focus has shifted from mitigating risks to pre-empting them. Risk-based internal auditing is important for enhancing an organization’s risk appetite and ensuring that the executive management and board have access to actionable risk insights for making better-informed business and investment decisions.

Aligning with Business Objectives and ERM Framework: 

Business risks, priorities, and strategies evolve over time due to ever-changing internal and external factors. Regularly updating audit plans to ensure alignment with overall strategic objectives and the overarching enterprise risk management (ERM) framework will enable the internal audit team to be aware of the high-risk areas and facilitate the optimum utilization of time and resources towards more pressing issues.

Implementing Rapid Assurance Model: 

This has become imperative, particularly in the post-pandemic era. The model calls for a novel and pragmatic approach to assurance—breaking down the audit cycle into shorter segments or cycles with compressed timelines for reviews, insights, and action. This approach enables real-time assurance and helps organizations instill more agility into their working models.

Adopting Quantitative Approach: 

Adopting a quantitative approach to risk assessments—calculating risk scores and translating risks into monetary value—is critical for determining the probability and impact of every identified risk. This approach will help organizations prioritize risks and realign audit plans and business strategies in an agile manner.

Testing Internal Controls: 

Conducting audit tests of internal controls is important to determine their efficacy and effectiveness. If a control fails the test, it means that it is ineffective in detecting and thwarting risks, making the organization more vulnerable. The onus then falls on internal auditors to promptly inform the senior management to investigate and remediate.

Leveraging Smart Tools and Technologies: 

Intelligent tools and technologies, such as Robotic Process Automation (RPA) and artificial intelligence (AI), are the key ingredients for ensuring agility, relevancy, and effectiveness of audit plans. Implementing the right audit management tool or software could be a game-changer. It can not only streamline, standardize, and automate internal audit activities but also equip the executive management to make timely, data-driven business decisions.

MetricStream Internal Audit Management can help internal auditors overcome their challenges and streamline various processes. The solution helps drive an agile IA program that is aligned with organizational goals and prepared for multi-dimensional risks, while preserving the trust of every stakeholder. In addition, the latest Arno release brings some exciting new features to the solution, including collaborative authoring of audit test samples and enhanced cross-functional collaboration across teams.




Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.


Internal Auditors Tap Industry 4.0 Technologies to Move from Traditional to Agile



The sudden onset of the pandemic and the subsequent lockdowns and travel restrictions have upended business around the globe. To navigate the resulting complex and dynamic risk landscape, organizations have no option but to go digital. For the internal audit function too, it has become imperative that it reinvents itself with innovative tools and technologies to stay relevant and meet today’s business challenges.

In Deloitte’s 2020 survey of audit committee chairs and members, 92% of respondents said that IA should provide insights on and help prepare for emerging risks, while 63% said IA should be faster at reporting the results of its work. The current volatile business environment warrants an agile, flexible, and future-ready internal audit function that can add value to an organization.

Internal Audit: The Digital Transformation Journey

The internal audit function provides valuable insights into the effectiveness of an organization’s risk management, governance, and internal control processes. Before considering what Industry 4.0 technologies to adopt to modernize IA, it is important to have a comprehensive view on the level of maturity of this function, the maturity of the technology being considered, and the associated risks.

  • Internal Audit Maturity Level

Identifying the current level of maturity of IA marks the first step of the digital transformation journey. Depending on the level of automation and structure, the Institute of Internal Auditors (IIA) has identified five levels of maturity of the IA function:

  1. Initial: Scattered policies and processes, high reliance on manual systems and spreadsheets, no data validation, ad hoc audit activities
  2. Repeatable: Better policies and processes but may not be documented, low reliance on data and information generated from systems, reporting processes are defined but may not be documented
  3. Defined: Defined and documented policies and processes, greater reliance on information generated from systems, effective use of reporting templates
  4. Managed: Policies and processes are communicated to personnel, high data integrity, reliable automated reports, continuous monitoring of key data, highly effective reporting, quality and timeliness metrics defined and monitored
  5. Optimized: Continuous monitoring and updating policies and processes for necessary changes and emerging leading practices, extensive use of data mining and analytics, highly effective reporting, robust succession planning in place

Assessing the level of maturity of internal audit is important as it will help an organization recognize the shortcomings of its existing approach, determine the desired future state, and identify the technologies that must be adopted to achieve this goal.

  • Bringing Industry 4.0 Technologies to IA

To wade through the pandemic-driven new normal and successfully manage the resulting distributed workforce, internal auditors need to embrace advanced transformational technologies to provide valuable insights and rapid assurance. When talking about Industry 4.0 technologies, the key technologies that have gained considerable traction in the past couple of years include cloud computing, robotic process automation (RPA), AI/ML (analytics), and blockchain, among others.

Implementing these technologies will empower IA teams to continuously monitor and quickly detect risks even in the remote setup, collaborate seamlessly across the three lines, automate the aggregation of risk data, be cognizant of emerging risks, and more. These capabilities, in turn, will help make the IA function more agile and future-ready.

That said, organizations should decide on the technology to be adopted and its level of maturity depending on the business needs and goals. They must determine if the application is relevant to the nature of their business or if they are implementing it just out of the fear of missing out. Ultimately, the primary reason to embark on the digital transformation journey of IA is to add value to top management’s view of business risk and facilitate effective decision making.

  • Associated Risks with Technology

When considering implementing Industry 4.0 technologies, it becomes critical for organizations to assess where these technologies are going to create risk and where the risk is going to fall. KPMG has defined four dimensions of risks when it comes to IA:

  1. Recurring: This is the dominant risk that should be considered on a recurring basis.
  2. Exceptional: This includes risks that don’t have previous audit history within the organization. IA should aim to provide initial assurance to the key stakeholders as to how these risks are addressed.
  3. Emerging: Most of the new and emerging technologies fall under this risk. This includes risks and opportunities that may not have the organization’s clear attention but may soon become material risks.
  4. Established: These are the risks that are clearly considered to be the key to the organization and should dominate the IA plan and assurance agenda.

In addition to keeping abreast of the latest technologies and developments, IA practitioners must focus on understanding the impact of digitalization on business and audit processes, and identify, assess and mitigate the associated risks such as cyber risk, third-party risk, and others.

Organizations can simplify the digital transformation of their IA by leveraging MetricStream Internal Audit Management. The product enables companies to drive an agile internal audit program that is not only aligned with organizational goals but also allows them to factor in new risks that arise with shifting priorities. In addition, automated processes, real-time reporting, access to audit data, and analytical tools help auditors accelerate internal auditing and optimize resource allocation, and enable senior management to make faster and well-informed business decisions.





4 Top Priorities for Internal Audit in 2021



Over the years, internal auditing has continued to pivot and evolve in response to changing stakeholder needs. From certifying the reliability of financial statements, to advising on a broad range of business risks, regulatory changes, culture, and cybersecurity, internal auditors have adapted time and again to meet business expectations in a dynamic world. 

Then came the COVID-19 crisis, which forced internal auditors to once again shift gears and find new ways of helping their organizations contain and respond to the crisis. Now, with the start of a new year and the roll-out of vaccines, the end of the pandemic looks to be in sight. As organizations prepare for a post-COVID-19 world, how can internal auditors continue to deliver value?

Our latest eBook provides some insights as it explores ways in which internal auditors can strengthen their strategic advisory role to accelerate business performance. Based on these insights, here are four priorities that are likely to be top of mind for internal auditors in 2021.

1. Enhance the business impact of internal auditing

Businesses are grappling with digital disruptions, cost pressures, compliance burdens, and more. In the face of these challenges, internal auditors must move beyond their traditional role as corporate policemen, and become the valued strategic advisors that the business needs. Boards and executive teams are relying on auditors not just to identify weaknesses in control environments, but to provide insights on how the business can improve its efficiency and operating effectiveness.

Traditional audit responsibilities such as risk detection and fraud identification are now table stakes in the line of duty. More important questions are being asked about business resilience, climate change, supply chain disruption, data privacy in a remote work environment, and digital transformation risks. Within these conversations, internal auditors have the opportunity to deliver real business impact. The work they do can help organizations shape better risk and compliance programs, while also bolstering their readiness for future challenges.

So, how can internal auditors rise to the occasion and deliver what their businesses need? Here are four key steps:

[Image: Top Priorities for Internal Audit]

2. Strengthen organizational preparedness for future crises

The COVID-19 pandemic may have been unprecedented, but it’s unlikely to be the last major crisis. And if there’s anything that organizations have learned, it’s that they need to be more resilient and better prepared. Internal auditors will play a key role in this effort, helping businesses anticipate the severity of a potential crisis, and build agility.

The role of internal audit doesn’t necessarily have to begin only after the other lines of defense have completed their observations, defined key risks, and implemented controls. Instead, auditors can be involved in the entire spectrum of activities since they have a unique, bird’s-eye view of the business. It is this that makes their contribution during a crisis crucial.

Internal auditors carry the ability to dive into the business, check for silos or gaps, and ensure that crisis management plans are aligned to risks, communication strategies, and most importantly, strategic goals and objectives. Auditors can also help ensure that crisis plans are tested, approved, and exercised in a timely manner. The more they are involved, the greater the value they can deliver.

3. Build agility in audit 

Risks are evolving so quickly that lengthy audits with rigid, pre-defined plans are no longer sustainable. Instead, internal auditors must be able to swiftly pivot and respond to new risks, be it health and safety, data privacy, or third-party risks. That’s where agile auditing can help.

Agile focuses on faster audit cycles, quicker reporting, fewer documentation requirements, and less waste. It pushes auditors and stakeholders to determine upfront the value that needs to be delivered through a particular audit project. It also helps prioritize audits based on their importance and urgency—which is critical in today’s fast-evolving environment.

Here are five best practices to enable more agility in internal auditing:

[Image: Top Priorities for Internal Audit 2]

4. Expand the use of robotic process automation (RPA) and data analytics

RPA can save significant auditing time and resources by minimizing the need for human intervention—especially in tasks such as data aggregation, continuous control monitoring, and real-time identification of financial fraud. RPA also enables auditors to increase coverage by moving from simple statistical sampling to full population testing. With that, they can dig deeper into data, proactively identify hidden issues, and ensure that no risks are overlooked.

Meanwhile, advanced analytics can shed light on new risk patterns, anomalies, internal control gaps, or opportunities. They help internal auditors improve the scope and quality of their work, while also delivering better insights to stakeholders.

That said, the use of data analytics often requires sufficient funding, high quality data, and auditors with certain skill sets. But these challenges aren’t insurmountable. Now is the time for internal audit teams to pave the way for a successful analytics program that can help them deliver better assurance to the business.

For more insights, take a look at our eBook on “Strengthening Internal Audit’s Strategic Advisory Role to Accelerate Business Performance.”

As you step into 2021, MetricStream Internal Audit Management can help you enhance audit agility and efficiency, while also improving visibility into risks. Find out more.





Improving Organizational Resilience using RPA



We live in a world of disruptions which teach us new lessons every time we face one. Due to the challenges caused by disruptions, organizations strive hard to maintain continuous business operations and protect their brand image. The organizations which can anticipate these challenges and creatively respond to them often come out as winners.

The current outbreak of COVID-19 has really tested organizations on their business resiliency plans. It has forced many organizations to shift their business strategies. Some of the organizations are staring at reduced top and bottom-line growth due to lower productivity of teams. A lot of other organizations, however, are functioning during the pandemic using work from home models. Even for this kind of scenario, there has to be a change in business strategy which focuses on ensuring that employees remain healthy and productive, and committed business delivery timelines are met while continuing to work from home.

One thing which the pandemic has ensured is that uncertainty is going to continue for some time, and that no one is able to predict for how much longer. Some of the factors which this uncertainty has created are:

  1. Increased online transactions – Consumers are ordering more than ever via the web leading to an increase in cashless transactions.
  2. Increased demand for high speed data – While working from home, employees are switching to better data plans which can allow them to work effectively.
  3. Increased automation – Enterprises are scouting for opportunities where manual work can be replaced via automation and thus allowing digital workforces to take shape.

In today’s environment, enterprises need more automation than ever before. Robotic Process Automation (RPA) plays a key role in helping enterprises tap opportunities for automating business processes. In case you are new to RPA, you can refer to an article about RPA and its journey here. The bots created using an RPA system can function 24×7, which increases their productivity, accuracy, and effectiveness. A point to note here is that RPA is suitable for processes that are driven by rules and that an enterprise needs to perform repeatedly.

A recent survey by an RPA enterprise called Automation Anywhere revealed the following findings:

  1. Nearly 50 percent of firms plan to invest in RPA to increase business resiliency in the post-COVID world. The pandemic and its aftermath have catapulted the urgency for embracing digital technologies.
  2. More than 70 percent of survey respondents said they anticipate that at least half of their workforce will be digital workers, while over one quarter expect more than 80 percent of their workforce to become digital.

From a GRC standpoint, there are many use cases of RPA which an enterprise can adopt:

  1. Full-Scale Automated Auditing – Traditional audits focused on auditing random samples, since it is difficult to manually audit all the samples available. Random sample auditing, though helpful, can at times miss key samples that could alter audit findings. RPA solves this problem as the bots can perform full-scale auditing rather than focus only on random samples. Bots can pull up evidence and indicate cases of non-conformance automatically.
  2. Risk Assessment – RPA can help organizations gather data from various disparate systems. Using this data, the internal systems can do risk classification and perform trend analysis, thereby effectively predicting the various outcomes, which can help a risk manager plan for mitigations.
  3. Control Testing Automation – Bots can be made capable of performing control testing. This is helpful in both audits and compliance management.
  4. Continuous Control Monitoring – RPA can automatically collect the data from multiple systems and assess the controls. Alerts can be generated when exceptions are found.
  5. Automated Third-Party Due Diligence – RPA can also be used during third party due diligence as it can gather data about third parties from various sources. This data can then, in turn, be used to influence the decisions to onboard a third party into the system.

In addition to the GRC use cases above, there are many others which RPA can handle. Those include Insurance Claim Processing, Performing KYC Checks, Loan Origination, Purchase Order Management, Invoice Processing, and many more.

By allowing the automation of business processes, RPA not only improves productivity but also helps in containing costs for an organization. With or without the current pandemic, it makes sense for organizations to embrace RPA as it gives them an advantage in improving their business process efficiencies. It also helps the organization become more resilient by focusing on improving efficiencies via automation. RPA is also useful in executing business continuity planning during these times of uncertainty.

Organizations should look deeply within and identify the repetitive manual processes, business challenges and risks faced by them. They can then analyze how RPA can help mitigate those. Adopting RPA will not only improve the agility of an organization but also provide an opportunity to improve business resiliency.

The need for automating manual repetitive business processes was always there. The pandemic just accelerated it and brought automation to the center stage.


Manas Sukirti Senior Director Engineering

Manas Sukirti serves as Senior Director Engineering at MetricStream. He heads the Quality Engineering function at MetricStream R&D and also heads automation across the whole of MetricStream. Manas has diverse experience in the areas of Software Engineering Management, Project/Program Management and Release Management across Software R&D organizations.


Through the GRC Lens – November-December 2019


The Changing Winds of Compliance

As compliance teams strive to manage new regulations and technological advancements, here are some of the trends and headlines that made compliance news in November and December. 

In the face of changing business models, as well as new risks and dynamic global ecosystems, compliance as a discipline is rapidly evolving. Stakeholders rely on compliance teams to not only protect their organizations against regulatory penalties and legal liabilities, but to also strengthen reputation and credibility with customers. As compliance officers seek to demonstrate and enhance the value delivered to their organizations, the following are some key considerations.

New Regulations

While 2020 began with a focus on data privacy, here are some updates on other areas of compliance that made the headlines:

  1. Data Privacy: This month, the CCPA came into effect, giving customers more control over their data. However, in a study by Ethyca, only 12% of 85 respondents believed they had achieved an adequate state of compliance readiness for the emerging regulated privacy landscape. An article in Forbes suggested that “Rather than looking at CCPA compliance as a chore, look at it as an opportunity to innovate your business practices and seek ways to regain a first-party relationship with your customers.”
  2. Payment Security: Payment security compliance declined for the second year in a row in 2019, according to Verizon’s 2019 Payment Security Report. The report also pointed out that a compliance program without proper controls to protect data has a more than 95% probability of not being sustainable and is more likely to be a potential target of a cyberattack.
  3. Banking and Finance: As the financial services industry continues to grapple with regulatory complexities, many are turning to regtech solutions to enable and support their compliance efforts. The goal isn’t just to avoid non-compliance penalties but to strengthen trust and credibility with customers. The report, ‘Hooked: RegTech Reliance in Capital Markets Compliance’ by Greenwich Associates, states that 63% of firms recognize that reputation protection is the core purpose of compliance.
  4. Communication: Compliance teams are also struggling to keep pace with electronic communication channels, with 45% saying they are in constant catch-up mode rather than proactive mode when it comes to electronic communication compliance, according to a report by Smarsh.
  5. Technology: The use of AI in regulatory compliance is helping both regulators and businesses. A recent Deloitte poll stated that nearly half (48.5%) of C-suite and other executives at organizations that use AI expect to increase AI use for risk management and compliance efforts in the year ahead. But only 21.1% of respondents report that their organizations have an ethical framework in place for AI use within risk management and compliance programs.

Compliance is now a key topic of discussion at the executive level, and is also a strong part of core business strategy. Newer technologies like AI and advanced analytics are helping compliance teams deliver value to the business in the digital age.

Compliance Week’s second annual technology survey highlighted that “companies are moving along the technological maturity curve in qualitative and quantitative ways today.” According to the survey, companies are willing to spend more in 2019 than they were even a few years ago to build a more robust technology-enabled compliance function. Nearly a quarter (23%) of compliance practitioners said their technology budget is much larger today than it was three years ago.

As compliance teams strive to do more with less, the emergence of new technologies will not only improve efficiency and cost-effectiveness, but will also enable teams to derive quick, meaningful insights from data to make well-informed decisions.





A Look Back at the GRC Summit 2019



Now in its seventh year, the GRC Summit hosted by MetricStream is one of the biggest and most anticipated events for GRC practitioners around the world. This year, the summit was held on June 2-5 in Baltimore, Maryland, bringing together over 450 GRC and business leaders to talk about the latest trends and opportunities in GRC. It was an incredible four days of learning, discovery, and collaboration—topped off by an exclusive cruise, as well as a glittering awards ceremony.

Here are some of the top highlights from the summit:

  • Integrity Front and Center

In keeping with the theme of the summit—“Perform with Integrity™”—many of the speakers pointed out that financial performance is no longer the sole indicator of success. Trust is what really drives business today, and integrity is what drives trust.

MetricStream CEO, Mikael Hagstroem talked about building integrity by fostering a sense of compassion in the way we approach customers, the way we treat employees, and the way we shape the future of technology. “Successful performance—be it an individual level, an organizational level, or a global level—begins with a spark of passion that, when guided by integrity and compassion, helps us improve the human condition, and enable a higher quality of life,” he said.

MetricStream Chairman Gunjan Sinha emphasized the need to build purpose-driven organizations where doing good is as much of a priority as doing well. A strong sense of purpose, he predicted, is what will define the successful organizations of the future, along with a commitment to diversity, inclusion, empowerment of the front line, ethical data, and socially conscious AI.

  • Tony Scott on the Key Transformation Drivers of the Next Five Years

The former Chief Information Officer of the United States government (2015-17) described how “relentless digitization” is rapidly upending traditional analog business models. And with it, the notion of security and privacy by design is becoming more important than ever. Technology is moving faster than we’re prepared for, he cautioned. Do we understand the risks of new tools like AI and machine learning? How do we build good governance, accountability, and transparency around these new technologies? How do we keep humanity at the center of innovation? All key questions to consider.

  • Jim Quigley: Coping with the “Knowns” and “Unknowns” of Business

Drawing on his experience as a member of the board and risk committee at Wells Fargo, as well as CEO Emeritus of Deloitte, Jim Quigley talked about why the work of GRC practitioners is so critical in helping boards and management teams make better strategic decisions in the midst of escalating “known unknowns” and “unknown unknowns.” He also emphasized the importance of building sustainable risk cultures. “The biggest driver of culture in any organization is observable behavior,” he said, quoting a colleague. “We want people to raise their hands and identify problems as quickly as possible.”

  • The Power of Innovation

MetricStream’s Chief Technology Officer, Andreas Diggelmann, along with Chief Innovation and Cloud Officer, Vidyadhar Phalke, delved into the new technology innovations that are emerging across the whole chain of GRC. Chatbots, for instance, are being used to capture issue data from the first line of defense in a manner that is simple and engaging. Predictive analytics are being used in the second and third lines to anticipate and respond to potential emerging risks proactively. Machine learning tools are enabling executive teams to detect risk patterns, and understand optimal mitigation practices based on historical evidence. Essentially, the possibilities with technology are endless.


  • Anna Felländer on Being Vigilant to the Ethical Risks of AI

Co-founder of the AI Sustainability Center, Anna Felländer pointed out that in a data-driven world, AI is key to helping organizations build better operational efficiency and deeper client relationships. Yet, it also introduces many ethical risks around the misuse/overuse of the technology as well as multiple biases. If we want to avoid these pitfalls, we need to start investing as much in the humanistic side of AI as the engineering side, she said. We need to shape a future where humans lead AI, not the other way around. We need to find ways of ensuring that technology doesn’t get ahead of regulation.

  • Risk Management Is Everyone’s Responsibility

Many of the speakers emphasized the need to strengthen risk awareness at every level of the organization, right from the front lines to the boardroom. “Risk needs to be something that companies walk, talk, eat, and breathe every day,” said Kenneth Bacon, Member of the Board, Comcast, and Co-founder and Managing Partner, RailField Realty Partners. We need to have more risks and issues self-identified by the business rather than by internal audit or regulators, pointed out Sarah Dahlgren, Head of Regulatory Relations – Corporate Risk, Wells Fargo & Company. The more proactive the first and second lines of defense are in reporting risk data, the better informed and more confident the board and management team can be in their strategic decision-making processes.

  • In a Fast-Changing World, GRC Must be Agile

Disruption is the only constant in business today, pointed out MetricStream’s Chief Operating Officer, Gaurav Kapoor. If we want to be prepared for the new risks around the corner, GRC programs have to be agile, he said. Other speakers talked about what agility entails. Raven Catlin, Former CAE and Industry Expert in Internal Audit and Risk Management, described how internal audit must be ready to embrace new tools, new skills, and new approaches to auditing. Michael Rasmussen, Chief GRC Pundit, GRC 20/20, highlighted the importance of integration and collaboration in building more agile GRC functions.

  • A Celebration of GRC Champions

The much-anticipated GRC Journey awards ceremony, held on day 1 of the summit, recognized and honored MetricStream’s business partners, individuals, and customer organizations that have made significant strides on their GRC journey towards strengthening business performance. This year, there were 17 award recipients across five categories.

  • Connecting and Collaborating

There were plenty of opportunities for attendees to connect with, share with, and learn from each other – be it the many interactive workshops and networking sessions, or the relaxed “happy hours.” Day 2 of the summit culminated in an exclusive cruise down the Patapsco River, which saw attendees letting loose and singing their hearts out at a karaoke session.



Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.


MetricStream’s Enterprise GRC Solution awarded GRC Product of the Year by Risk.net

3 min read


A few weeks ago, MetricStream was awarded “GRC Product of the Year” at the 2019 Risk Technology Awards hosted by Risk.net. It was a strong validation of MetricStream’s mission to help organizations “Perform with Integrity™”. Through our GRC platform and solutions, customers are able to effectively understand and manage the interconnectedness of their risk environment, while deriving actionable risk insights for business decisions.

Why GRC Matters More Today Than Ever Before

Over the past year, multiple financial services organizations have faced penalties and fines from regulators for facilitating money laundering, manipulating customer accounts, and mishandling security trading. Meanwhile, serious IT meltdowns and cybersecurity incidents have severely impacted brands and reputations. Added to that, operating markets and business models are continuously being disrupted.

To stay ahead of these risks—both “known” and “unknown”—in an increasingly hyperconnected, fast-changing world, organizations need timely risk insights that can help them make swifter and better business decisions. They need to be aware of how a potential incident can increase their risk exposure. These objectives are best achieved with a strong governance, risk, and compliance (GRC) foundation.

What Differentiates MetricStream’s GRC Offerings

We believe that there are several factors that led to us winning GRC Product of the Year:

1. Support for Multiple Evolving GRC Roles

Chief Risk Officers (CROs), Chief Compliance Officers (CCOs), Chief Information Security Officers (CISOs), Chief Sourcing Officers (CSOs), and Chief Audit Executives (CAEs)—once limited in their roles—are increasingly being given a seat at the table with the power to influence strategy and decision-making. With this new power comes new obligations and challenges. 

At MetricStream, we focus on addressing these challenges through our GRC platform, solutions, and apps. We thematically look at the core needs of each GRC persona—be it the CRO, CCO, CISO, CSO, or CAE—and provide tailored solutions to meet those needs. We also deliver specific content, workflows, and reports to help various personas make informed decisions that are aligned to their business objectives.

Our wide array of packaged apps, which can be enhanced with third-party applications, is designed to improve risk visibility and intelligence. Underlying these apps is our cloud-enabled, future-ready GRC platform that provides customers with long-term value throughout their GRC journey.

Our integrated GRC solution enables a high level of cohesiveness across core GRC components which, in turn, improves risk assessments, predictions, and mitigation. Organizations can effectively balance risks and rewards, make confident strategic decisions, and respond to the changes that occur within and outside their enterprise. 

2. Balance Between Autonomy and Aggregation

At MetricStream, we understand that while the core requirements of GRC are more or less consistent across organizations, the processes, priorities, and needs of each organization are unique. Therefore, we offer flexible product alignment which allows customers to choose from multiple best-in-class, out-of-the-box GRC products that can be used along with third-party applications. Our apps and solutions provide agile risk reporting capabilities, while advanced analytics empower GRC practitioners to visualize large datasets within intuitive and interactive dashboards in real time. 

3. Leadership in Addressing the Interconnectedness of Risk

The hyperconnectivity of markets has created both known and unknown dependencies and interconnections within and outside the enterprise. This, in turn, has increased the interconnectedness across different types of risks.

The MetricStream GRC Platform has been built to comprehend these risk relationships and to deliver contextual insights through the aggregation and analysis of risk information. Our customers have adopted the platform along with built-in best practices and modifications to identify, understand, quantify, and predict the multiple points of impact for any risk event.

4. Focus on Long-term Partnerships Based on Value Delivery

MetricStream is focused on being a long-term strategic partner to customers as they grow and transform along their GRC journey. Our GRC advisory framework and methodologies help organizations build a multi-year GRC vision and roadmap that augments value realization based on a “true platform” strategy.

Through our value discovery workshops, we enable customers to identify key value propositions that can be measured as outcomes throughout the design and implementation of their GRC programs. Our GRC Journey initiative adds a further advantage by helping customers understand the current and future state of their GRC programs, so that they can then re-engineer existing GRC processes for optimal business benefits.


As we continue to find new ways of enabling and supporting our customers, we’re deeply grateful to Risk.net for the recognition and award received. We look forward to continuously raising the bar on innovation, and delivering products that truly empower our customers to Perform with Integrity™. 







“Why Excel is just not good enough” – Part 1

3 min read


I was on a call the other week with the Enterprise Risk Manager of a relatively sizable multi-national corporation (over 20,000 employees across a few hundred locations on nearly every continent), and she said something that got me thinking.

She said, “For us, right now – Excel is good enough.” I responded by saying that “I understood,” we discussed a few other topics on the call and hung up.

It wasn’t until afterwards that I realized how much her view about Excel took me aback. As an enterprise software sales professional, I believe in companies moving to automation. But the reason the statement took me aback was because I realized that this might be a common mindset across many people and firms.  How many other people think, “Excel is good enough”?

A Senior Manager on my team, Mark Winey, was also on the call. After the meeting we spoke, and he reminded me that one of my first roles was in Operational Risk Reporting and Monitoring (R&M), so I should be able to understand their perspective. I began to reflect on this.

Earlier in my career, my team had built out the firm’s first op risk and control R&M function completely manually in Excel. Part of my role was to spend the first few hours of the day updating spreadsheets with additional information for the metrics I was tasked with tracking. We had defined thresholds of red, amber, and green based on a formula we created using standard deviations, and when those thresholds were breached, we needed to escalate.

Once I was done compiling the additional information, the next few hours were spent chasing on threshold breaches and gathering commentary around root cause and resolution. When that was finally complete, I would spend the vast majority of the rest of my day consolidating the prior month’s end reporting. This then went on for about 3 weeks until the “Month End Report” was done. At this point, we would reach out to executives in order to have meetings scheduled on their calendars; this took another 3 to 4 weeks before we could meet and present the report.

This brief narrative reveals two important insights:

First, and perhaps the more obvious insight, is that by the time we finally met with executives, the data was at least 45 days stale! This was in 2009 and we all understood the importance of accurate, real-time data; however, every month, as things stood, we were always looking in the rear view, and pretty far behind, at that.

Second, and this is the implied insight, I spent the smallest portion of my time thinking critically about the data. As an analyst, by definition “a person who analyzes or who is skilled in analysis (thank you Google, analyst),” I spent very little time actually analyzing. This was counter-intuitive to me – I was getting paid to dig in and think critically, but most of the time was spent on redundant manual efforts.

I’d like to estimate some numbers to illustrate how concerning this should be as risk practitioners. Let’s start with the assumptions that on average there are:

  • 8 working hours in a day
  • 5 days in a week
  • 4 weeks in a month

After factoring out lunch, holidays, vacations, etc., these assumptions should be fairly accurate. I didn’t document the precise time I spent on every activity, but let’s say that for the first 3 weeks of the month my day consisted of:

  • 2 hours of updating spreadsheets
  • 2 hours of reaching out on breaches
  • 2 hours of month end reporting
  • 2 hours on administrative tasks (meetings, emails, phone calls, etc.)

My day looked exactly the same for the last week of the month, except for this key difference: I now had 2 free hours a day since the “Month End Report” was complete!

In an interview a client of ours said, “We see the GRC Program really enabling the commoditization of the existing compliance activities and governance activities, so that managers have time to think about what’s the next risk, and really use intellectual capacity to manage risk going forward.” Given the manual approach described above, as an analyst I would have spent 6.25% of my time thinking about “the next risk” and “managing risk going forward.” After reading this, does 10 hours a month seem like an adequate effort for risk analysis? Do you still think Excel is good enough?
