Power What’s Next in GRC. Four Key Takeaways from the October 2021 GRC Summit
GRC | 6 Min Read | 25 October 21 | by Mabel M Jesudian
2 days. 21+ sessions. 45+ thought leaders. 2500+ attendees. MetricStream just concluded another successful edition of its flagship event, the GRC Summit, held on October 19-20—packed with insights and a whole lot of new learnings!
A highly anticipated event in the governance, risk, and compliance (GRC) space, the bi-annual event is now in its ninth year. Adapting to the new normal, the event was conducted in a hybrid format—a two-day virtual event along with in-person networking sessions (invite-only) held in London, Copenhagen, and Zurich.
Powering What’s Next in GRC with the Sharpest Minds in the Space!
The theme for the summit was “Power What’s Next”. It closely resonates with our core belief that organizations need to “thrive on risk”—to not just be ready for the knowns and unknowns of the future but to actively leverage risk as a strategic advantage to power the future.
The event saw top industry thought leaders, risk professionals, independent industry analysts, C-suite executives, and GRC practitioners share their insights, experience, and expertise on the trending topics and pressing issues in the integrated risk management (IRM) and GRC space. The virtual event featured keynote addresses from prominent speakers, as well as fireside chats, panel discussions, technology showcases, and MetricStream customer success stories.
Major themes of discussion included environmental, social, and governance (ESG), cyber risk quantification, compliance, and the role of technologies such as artificial intelligence (AI), machine learning (ML), and cloud in GRC. While each of the sessions brought out critical insights as well as industry best practices on a wide range of themes, here are four key takeaways to help you on your journey as you power what’s next in GRC.
1. Thrive on Risk by Preparing for Tomorrow’s Risk Today
As organizations adapt to the new normal, capturing the knowns and unknowns across the spectrum of interconnected risk and the high volume of peripheral risks has become more important than ever.
In his opening address, Bruce Dahlgren, Chief Executive Officer, MetricStream, explained how risk is going to move from the background to the forefront.
"We fundamentally believe that risk can be strategic, and we want to work with you to make that happen!" he explained.
Gaurav Kapoor, Co-Founder & Chief Operating Officer, MetricStream, spoke about the urgency of strengthening strategic foresight, which will be a key driver of business success in the new normal.
“There is an opportunity in the market right now to look at risk and resilience in the context of growth and how they come together,” he said.
Various discussions also pointed to how the past two years have further amplified the need for resiliency in risk management. New resilience priorities like agility, communication, and understanding the interdependencies of the various functions now take precedence as the pandemic is bringing new baselines into focus.
“Pandemics are not the only risks on the radar. Risk managers should identify relevant threats, understand and access their risk extent, and take all necessary actions to mitigate risks if not yet in place,” said Michael Ehrnsperger, Chief Risk Officer, Allianz Technology SE.
Discussions around strengthening operational resilience highlighted the importance of adopting an integrated risk management approach to manage both current and emerging risks. Panelists Lene Birk Enøe Christensen, Chief Operating Officer - Group Risk & Compliance, Nordea, and Tami Dokken, Chief Data Privacy Officer, World Bank, while discussing operational resilience strategies, were unanimous in their view that the human aspect is key to operational resilience. Organizations can be strengthened with all the systems and processes in place, but when something like a pandemic comes along, it is the human aspect that keeps an organization going and enables it to adapt to the changing environment.
2. Get Ready for the Convergence of ESG and GRC
While ESG risk failures are not new, environmental and social aspects are increasingly turning into critical values to be measured in the post-pandemic world. Consumers, investors, and regulators are increasingly aware of companies that are producing goods and services in an ethical and responsible way. This has created an urgent need to bring environmental and social aspects to GRC.
“Society has become a key stakeholder for business. That’s a fundamental shift we are seeing. ESG and GRC are rapidly becoming part of the boardroom agenda, and GRC now has to incorporate both environment and social aspects,” said Gunjan Sinha, Executive Chairman, MetricStream.
The growing relevance of ESG for businesses was further emphasized by Juan Guitard, Head of Internal Audit, Santander Group.
“ESG has become for business as relevant as business itself,” he said.
Elena Mocchio, Head of Innovation & Development, UNI (the Italian National Standards Body) emphasized the importance of using standards for social responsibility and governance reporting, as they help identify the regulatory requirements for products and services, avoid social washing and green washing, and more.
“Taking a holistic approach by adding risk and compliance as something more to be addressed, is most important to addressing sustainability,” stressed Elena.
3. Use Cyber Risk Quantification to Manage Cybersecurity Output
With cyber risks having risen to the top of the list of threats for businesses, industry experts are increasingly seeking to bring about a consensus to quantify the financial aspect of different cyber threats. Assigning a dollar value to a cyber risk plays a vital role in securing the extended ecosystem of an enterprise and building cyber resilience—as it enables organizations to direct resources to the greatest risks.
“Business is all about taking risk, so the objective is not to reduce risk, but optimize risk. The relative ratings of red, amber, and green, or low, medium, and high assigned to cyber risks don’t do the business justice, because in every other part of business we measure in numbers. In cybersecurity, we have an infinite number of perils and that can be a challenge. To treat risk as currency of its own can help overcome this challenge,” said Gavin A. Grounds, Executive Director - Governance, Risk & Compliance, Verizon.
Considering the growing list of cybersecurity challenges—increasing supply chain attacks and data breaches, the proliferation of controls and associated costs, lack of visibility into IT & cyber risk, regulatory compliance, etc.—quantitative cyber risk assessment in dollar values brings numerous benefits, including improving cyber risk management, prioritizing cyber spend, and more.
“Quantification of risk has become a key differentiator in driving a risk-aware culture,” said Gunjan.
4. Leverage Technology to Drive GRC Innovation
The industry is witnessing the convergence of three important technologies—AI, Cloud, and GRC. Technologies such as AI, ML, and natural language processing (NLP) are transforming the efficiency of GRC processes by simplifying the management of massive volumes of data and expediting decision-making.
“The predictive abilities of AI and ML change the paradigm of GRC tools. It can help the team identify new and emerging trends before they can escalate and become an issue or crisis. Scale is always on the top-of-mind for large organizations. AI and ML help organizations better achieve their business goals,” said Rani Selvarajoo Urbas, Head of Enterprise Trust, Google Cloud.
Ronni Lück, Head of Data, Analytics & Systems, Group Non-Financial Risk, Danske Bank, further affirmed the importance of leveraging future technologies for GRC innovation. By leveraging these technologies, businesses are better able to use risk as a strategic advantage.
“Technologies like AI and ML help identify risks in near real-time—enabling a proactive stance to prevent risk from materializing,” he said.
However, the key to maximizing the use of these technologies will depend on upgrading the maturity and capability levels, as well as GRC integration.
“For data sets to be maximized with AI and ML, GRC has to be integrated. This makes the right software solution and maturity key to the process,” explained Stuart Frost, Head of Enterprise Security & Risk Management, Department for Work & Pensions.
Technology innovations in GRC tools also help organizations strengthen their operational resiliency strategies. For example, summit panelists Stefano Biondi, Group Chief Risk Officer, Banca Mediolanum, and Frank Sundgaard Nielsen, Partner, KPMG Denmark, underscored the importance of a positive risk-aware culture and how the right technology equips the three lines to establish a common language to “talk to each other” while achieving transparency on the risk and controls.
It’s Time to Power What’s Next, Now!
Risk has now become a vital asset in strengthening strategic foresight. Viewed through the lens of growth, it represents value for opportunity. Borrowing from Gaurav’s keynote address, where he compared the current digital scenario to a Formula 1 race, with the slow being overtaken by the fast and the fast being disrupted by the fastest, now is the time to get into the race of turning risk into an opportunity.