At our recent GRC Summit 2024 in Baltimore, Arindam Majumdar, Deputy Chief Risk Officer, Bank OZK, presented on Bank OZK’s GRC journey, taking the audience through the challenges of operational risk management within a growing financial institution, the effective strategies implemented, and the business value being realized.
Bank OZK is a high-performing U.S. regional bank with deep expertise in specialized lending businesses nationwide. Bank OZK operates through 230 retail branches and is noted for its significant presence in construction lending, being among the top five in major cities like New York, Chicago, Miami, and San Francisco.
Here are the key takeaways from Arindam’s session.
Arindam: We are one of the largest domestic CRE construction lenders in the country. In the last eight years, we've grown three and a half fold, and we are moving towards $50 billion in total assets. The board has given us the mandate to prepare a risk management organization that can support a $100 billion bank.
Now our vision is obviously not only to maximize our strength, which is motion lending, but also to diversify our asset base, which is to look at other lines of lending, such as C&I, consumer lending, asset-based lending, equipment finance lending, etc. So, we are pursuing those opportunities as well as diversifying our geographical footprint.
We have certain systemic challenges which are not unique to us. The current environment, with inflation and longer rates, is certainly a challenge for us. Another challenge is that we are growing exponentially. Our ability to integrate our workforce during this growth, while we have a wide footprint with remote work, has been a challenge, as well as the need to prep the risk management frameworks and infrastructure to be ready for $50 billion plus. We transitioned over to MetricStream and in 2023 we went live. This is our second year on the platform, and I'll get to our unique journey with GRC solutions.
Arindam: We were looking for a solution that would provide some degree of customization, especially on the reporting side. We wanted custom reports, and a solution that we could, with a high degree of confidence, expand to our user base.
What we've also done with our GRC program is a quarterly attestation of our risk and control universe. We, at present, do annual testing of our controls, our operational controls. We've also gone about integrating the solution with our internal audit solution; we have a different internal audit solution within the bank, but through MetricStream's API connections, we've been able to pull all our audit data into the MetricStream platform as well.
We've adopted the issue management module, which has been a game changer for us, especially as we have tried to mature our data risk programs. Data issue management and operational risk management have been the two biggest pieces in our issue management module within MetricStream.
Arindam: Using MetricStream’s Operational Risk, RCSA Control Attestation, Issue Management Module and the integration with the internal audit solution, we have realized the following benefits:
Our biggest challenge is to keep our controls live, which is why we have 40 attestations also tested from an operational risk standpoint. Building feedback with audit, issue management, and your own control environment is critical. You want to try and keep it as simple as possible. Find the right balance between information and noise.
Arindam: We're moving towards enhancing the operation of our capital model. We're trying to build a Bayesian network-based model, with real-time key control indicators, to make this even more live.
Watch the full session here.
I recently had the chance to discuss in depth with Arindam on the challenges of operational risk management within a growing financial institution, and the effective strategies and programs to enhance operational risk management.
Watch the webinar recording here: https://grc-summit.wistia.com/medias/spcgu7gkw3
Registrations are open for our London GRC Summit 2024 on November 6-7! Join us for groundbreaking discussions and exceptional networking opportunities with top industry leaders and experts as we unlock the latest insights and strategies in operational resilience, AI for GRC, risk management, compliance, cyber risk, and more. Register now:
What does the future of GRC hold? In recent discussions with customers, I've noticed a recurring pattern: 5 key themes are shaping the future of Governance, Risk, and Compliance (GRC). These conversations offer valuable insights into the evolving landscape of GRC, highlighting the trends that will define the industry's direction in the coming years. I wanted to share these with you and see what you are hearing.
Today's dynamic, interconnected web of risks means reactive risk management is no longer effective. Geopolitical risks, cyber attacks, operational risks, etc., can't be addressed manually or in silos. There is no certainty, and we must all be agile.
Consider some major data breaches this past week, like AT&T and Rite Aid. Addressing these requires agility, resilience, and proactive action.
To be successful today, organizations need to adopt a connected GRC strategy: continuous and always on; cognitive and fueled by AI; and cloud-based, meaning easy to use, adopt, and adapt, and flexible. Forward-looking organizations approach risk as a competitive advantage – proactive, integrated, agile, and resilient.
All our roles are changing, but none faster than the CISO’s. Cyber risk is now a top business risk and the CISO is accountable to the board for owning and communicating this risk. Unlike in the past, where the CISO's focus was primarily technical, today's CISOs are expected to navigate the complexities of cybersecurity with a business-first mindset. They are now directly accountable to the board for managing and communicating cyber risks, which are increasingly recognized as critical threats to the organization's overall success.
That means measuring and articulating cyber risk in actionable, financial terms. Furthermore, the CISO must work collaboratively across the organization, breaking down silos to ensure that cyber risks are addressed holistically. This requires forging strong partnerships with other business units, aligning cybersecurity initiatives with broader business objectives, and ensuring that risk management efforts are fully integrated across the enterprise.
The CISO role is now both a business and a technical leader and has a strategic seat at the C-level table. Continuous upskilling is necessary – along with an integrated approach to risk and compliance.
Staying current and compliant has been a challenge for years, but today, it’s more critical and challenging than ever. The pace of technological innovation, the increasing complexity of regulatory requirements, and the growing sophistication of cyber threats have all contributed to making compliance a moving target.
According to Thomson Reuters, there are 257 regulatory changes a day – and that doesn't even factor in the work of complying with new regulations like DORA, the EU AI Act, the U.S. SEC Cybersecurity Rules, and all the other headline regulations.
Many of our customers are focused on AI and automation for continuous compliance, recognizing the need for ongoing monitoring. Manual testing and compliance are no longer viable in the face of so much change.
There is so much to say on this topic. Since ChatGPT exploded onto the scene in late 2022, there's hardly been any other topic of conversation in GRC (or anywhere!). And though AI isn't new, Generative AI is obviously a huge leap forward.
But AI isn’t about hype or cool things. It’s about the impact on the business: topline, bottom line, human capital, and the ethics of AI. Here are a few key aspects I’ve been discussing with our customers, analysts and key AI experts:
AI is probably the most innovative shift since the internet. We must manage its risks carefully, but in this case, the joy is worth the pain.
Like the changing role of the CISO, all our roles are evolving – and as GRC leaders, we must continue to learn, develop, and up-level our skill sets. As GRC becomes more integrated, it’s up to us to cross-train and expand our capabilities.
For example: How will AI affect you? Can you educate yourself on that proactively? As risk and compliance come together more and more, how can you immerse yourself in other areas? Are you thinking like a business person, not only a technical or risk leader?
GRC leaders are increasingly getting a seat at the strategy table to impact revenue and topline and drive risk as a competitive advantage.
Finally, I would like to end with one last trend—let’s keep GRC simple.
At its core, GRC is about creating a unified approach to managing risk, ensuring compliance, and achieving governance objectives. By keeping GRC simple, organizations can ensure that their risk and compliance programs are not only robust but also adaptable and user-friendly. A simplified GRC approach allows for easier collaboration and clearer communication, resulting in more effective decision-making, and quicker responses to emerging risks.
The goal of integrated GRC and collaboration—in fact, all of the above—is to bring us all together in a unified approach that keeps us ahead, protected, and competitive.
This blog was initially featured as an article on LinkedIn. Read the original version.
As the global leader in governance, risk management, and compliance (GRC), MetricStream takes pride in presenting the GRC Journey Awards annually. These awards recognize and celebrate the remarkable achievements of organizations, business partners, individuals, and customers who have transformed risk into a strategic advantage through their GRC initiatives.
At the 2024 Baltimore GRC Summit, we honored a distinguished group of GRC pioneers who embody the essence of connected, high-impact, and sustainable GRC programs. These trailblazers have set a new standard with their exceptional progress in advancing GRC practices. Explore the inspiring stories of our award winners’ GRC journeys below.
As a leading health insurance provider, Blue Cross Blue Shield of Michigan (BCBSM) plays a crucial role in offering comprehensive healthcare coverage to millions of residents in Michigan. With a mission to ensure access to affordable, quality healthcare, BCBSM serves as a trusted partner for individuals, families, and businesses across the state. Their extensive network includes a wide range of healthcare professionals, hospitals, and service providers, making them a cornerstone of the Michigan healthcare system.
Recognizing the importance of robust risk and compliance management practices, BCBSM has successfully leveraged the MetricStream software to achieve real-time visibility into compliance metrics and enhance data-tracking and reporting mechanisms.
Watch this video to see Michael Cover from Blue Cross Blue Shield of Michigan discuss how MetricStream has helped them on their GRC journey.
CIBC (Canadian Imperial Bank of Commerce) is a leading North American financial institution headquartered in Toronto’s Financial District. With 48,000 dedicated employees, CIBC serves 14 million clients across Canada, the U.S., and globally, offering a comprehensive range of financial products and services. Guided by a commitment to creating lasting value, CIBC aims to help individuals and businesses achieve their ambitions while contributing to a more secure, equitable, and sustainable future.
With responsibilities for managing assets worth billions of dollars, CIBC is highly focused on identifying, assessing, and managing the interconnected risks in a dynamic marketplace.
Watch this video where Michael Donovan from CIBC explores how the bank used MetricStream to automate and standardize their integrated GRC programs for over 1000 users in multiple locations to manage risks, controls, assessments, and metrics.
Fred Hutchinson Cancer Center, based in Seattle, Washington, is an internationally renowned institution dedicated to cancer research, treatment, and prevention.
Following a significant merger that doubled the organization's size, Fred Hutchinson Cancer Center recognized the need for a scalable risk management platform to handle its expanding operations effectively. To address this need, the organization sought a comprehensive tool that could facilitate risk and compliance assessments, incident management, third-party risk management, and the management of a centralized risk register and issues list.
By implementing MetricStream, they established a single source of truth for IT risk data, ensuring consistency and accuracy across the board. The transition to MetricStream has enabled them to accelerate their GRC journey, providing them with the tools necessary to manage risks more efficiently and effectively.
Watch this video to see John Soltys from Fred Hutchinson Cancer Center discuss how they accelerated their GRC journey.
BankUnited, Inc., a prominent bank holding company headquartered in Miami Lakes, Florida, is known for providing a full range of banking and financial services to individual and corporate customers. With a strong focus on innovation and customer service, BankUnited operates through an extensive network of branches across the United States, primarily in Florida and the New York metropolitan area.
To modernize and streamline its GRC functions, BankUnited recognized the need to replace its outdated manual legacy systems with a more efficient, automated approach. BankUnited leveraged MetricStream products and successfully established a more robust GRC framework that not only meets regulatory requirements but also enhances decision-making and fosters a proactive risk management culture within the company. This transformation has positioned BankUnited to better understand and mitigate risks, ensuring the continued delivery of high-quality financial services to their clients.
Watch this video to see Kavitha Singh from BankUnited discuss their GRC journey.
CNH is a leading equipment, technology, and services company that operates globally across agriculture and construction, covering over 170 markets. Across a history spanning over two centuries, CNH has always been a pioneer in its sectors and continues to passionately innovate and drive customer efficiency and success.
CNH embarked on a GRC journey in 2018 with MetricStream's enterprise risk management, policy management, and third-party management products, now used by 1000+ employees globally.
Watch Tom Auvil from CNH describe their GRC journey and how they were able to automate end-to-end risk management across the enterprise, increase adoption, and drastically reduce risk events and expenses.
BMO Financial Group, one of the largest financial institutions in North America, has a rich history of providing a broad range of financial products and services to personal, commercial, corporate, and institutional customers. Headquartered in Toronto, Canada, BMO operates with a strong presence across Canada, the United States, and worldwide, committed to delivering excellence in banking, investment, and financial solutions.
BMO Financial Group decided to enhance its GRC program by eliminating manual processes, upgrading technology, standardizing workflows, and improving the productivity of its internal audit program. By working with MetricStream and having a detailed GRC plan in place, BMO has significantly enhanced the speed and agility of its audit department.
Lynda Witter, Sr. Audit Manager – Audit Technology, BMO Financial Group, was awarded the GRC Practice Leader Award for her deep expertise in GRC and for driving the adoption of GRC programs within her organization.
Watch this video to see Lynda discuss how they implemented a centralized and streamlined audit management system.
Bank OZK, a leading regional bank headquartered in Little Rock, Arkansas, is known for providing a comprehensive range of financial services to individuals and businesses. With a strong presence across the southern United States, Bank OZK is dedicated to delivering exceptional customer service and innovative financial solutions.
To enhance its GRC capabilities, Bank OZK sought a trusted partner that could support its growing needs. This included the ability to support a comprehensive GRC program featuring a centralized library of risks, controls, processes, issues, and lines of business. Partnering with MetricStream has facilitated better decision-making and enhanced the bank's ability to manage risks effectively.
Arindam Majumdar, Deputy Chief Risk Officer, Bank OZK, was awarded the GRC Journey Visionary Award for his passion for GRC and his clear vision for his organization’s GRC journey.
Watch Arindam discuss how they aligned their ERM and operational risk program vision to their overall GRC vision.
As one of 11 Federal Home Loan Banks established by Congress, the Federal Home Loan Bank of Pittsburgh has been an integral and reliable part of the financial system since 1932. The bank provides reliable funding and liquidity to its member financial institutions, which include commercial and savings banks, community development financial institutions, credit unions, and insurance companies in Delaware, Pennsylvania, and West Virginia.
Partnering with MetricStream since 2016, the bank has implemented operational risk management to conduct risk assessments and manage issues and loss events, SOX management to adhere to various SOX processes, and internal audit to manage audit artifacts and triage issues.
Tom Proviano, Senior Manager, Technology Risk Oversight – Corporate Risk, Federal Home Loan Bank of Pittsburgh, was awarded the GRC Practice Leader Award in recognition of his deep expertise in GRC and his responsibility for driving the adoption of GRC programs in his organization.
Watch this video where Tom discusses his GRC journey experience with MetricStream.
Start your GRC journey with our ConnectedGRC solutions, which include our BusinessGRC, CyberGRC, and ESGRC product suites. With MetricStream ConnectedGRC, your organization is empowered to move beyond the limitations of traditional integrated approaches that focus only on technical program integration. Instead, you gain a connected GRC strategy that delivers a single source of truth, providing comprehensive risk insights essential for building future-ready GRC programs.
Request a demo now.
Over two decades have passed since the term ‘governance, risk, and compliance’ (GRC) entered the business lexicon. Initially considered a nice-to-have, countless organizations have benefited from a deeper understanding of risks, a robust framework of controls, and a solid foundation of governance mechanisms. Yet, several myths around GRC continue to persist.
Let’s put some of them to rest here.
Fact: All organizations, regardless of size, need GRC to navigate an increasingly uncertain world. Risks are coming at us from all directions – be it climate change, cyberattacks, market volatilities, or geopolitical conflicts. Add on regulatory pressures and constantly evolving compliance requirements – and you have a perfect storm of GRC challenges.
To thrive – or, even survive – we have to be able to anticipate and mitigate risk events and recover quickly in case of a crisis. We need to know where our controls are lacking, and which regulatory changes require our attention. GRC enables us to do all that – which is why it isn’t just desirable, but imperative for both large and small organizations.
Fact: On the contrary, if GRC is done right, it can actually enhance business agility. It enables us to foresee and respond to the risks and opportunities ahead in a way that drives growth and transformation.
Take the example of a global IT services leader that optimized business performance through a deeper understanding of its risks. Each risk is mapped to performance objectives and strategic goals. So, at a glance, stakeholders can accurately predict performance and revenue across various projects and business units. With a comprehensive picture of risk impact and control effectiveness, the board and executive team can make confident decisions that drive profitability and growth.
Fact: While compliance is a crucial component of GRC, it isn’t the sole focus. Being compliant doesn’t guarantee immunity against risk events. You might think your organization is safe if, for example, you’re fully compliant with cybersecurity regulations. But cyber threats are constantly evolving, often outpacing regulatory measures. So, if you’re too narrowly focused on compliance, you might not see the broader threats and attack surfaces in your business. It’s like locking the doors of your house, but leaving the windows open for intruders to come in.
That’s why an effective GRC approach doesn’t just emphasize compliance with periodic assessments and audits – it stresses the need for good governance and sound risk management practices. That includes implementing clear policies and codes of ethics, establishing accountability, and building a risk-aware culture. When these practices are combined with compliance, they do more than just protect your business – they also help you capitalize on opportunities and strengthen resilience.
Fact: While a GRC implementation has its costs, consider them an investment rather than an expense. GRC can actually save you money in the long run by preventing costly compliance breaches, reducing the likelihood of significant risks materializing, and improving operational efficiencies. Plus, whatever your budget, you're likely to find a GRC solution that fits. However, you need to ensure that the GRC solution is scalable and can seamlessly extend to other functions of GRC in the future. This will not only ensure data integrity but also help you save costs on managing multiple vendors, upgrades, and data integrations.
Many organizations rely on spreadsheets and manual methods for GRC, but this approach is inefficient. Employees spend hours gathering GRC information, leading to scattered insights, data inconsistencies, and delayed decision-making due to inaccessible risk intelligence.
By contrast, a connected and scalable GRC platform can give you the risk visibility and automation you need to save both time and costs. A leading health insurer enabled a 90% reduction in regulatory reporting time by connecting all its compliance processes on one platform. Meanwhile, a telco giant cut costs by 80% with automated risk and control monitoring. You too can achieve similar efficiencies with the right solutions.
Fact: No GRC framework or solution can completely eliminate risks or compliance issues. However, a good one can bring your risks down to an acceptable level, and ensure that they’re within your risk appetite. An effective solution can highlight early warnings and help you take proactive measures to mitigate risks in time. Effective GRC can also help you streamline compliance with various regulations and reduce the likelihood of costly penalties.
But through it all, vigilance is essential. You don’t want to be caught off-guard by a new risk or disruption coming out of left field. Continuous risk and control monitoring is imperative to ensure that you’re always ahead of emerging risks and control issues. Regulatory change management can also go a long way towards maintaining compliance health by keeping you abreast of new compliance legislation and updates.
Fact: GRC is an ongoing process, a journey that never really ends. It can’t be when regulations, risks, and business operations are constantly evolving. The risks of next year may not be the same as the risks of this year. A control that worked before may not be relevant today. Only by monitoring, adapting, and improving GRC activities regularly can you keep risks in check and enable sustainable growth.
Fact: Technology can certainly support and empower you on your GRC journey, but it isn’t a silver bullet. As GRC pundit Michael Rasmussen says, “GRC is something you do, not something you buy.” Even if you have the best GRC software in the market, it won’t offer much value unless you first have clear GRC strategies, policies, processes, and taxonomies. You need well-planned GRC processes, governance structures, and a culture that values risk management and compliance practices.
Once these building blocks are in place, technology can take your GRC program to a whole new level by streamlining and automating processes. It can simplify cross-functional collaboration on GRC activities, while also pulling together and transforming GRC data into rich insights. In that sense, GRC software can be a value-enabler. But human oversight, strategic planning, and judgment are equally important.
MetricStream ConnectedGRC enables you to manage all your GRC requirements on one platform. From operational and enterprise risk management and compliance, to audits, third-party governance, cyber risk management, and ESG (environmental, social, and governance) – your end-to-end processes are connected with a unified risk and compliance view.
With ConnectedGRC, you can:
To learn how MetricStream can help you accelerate your GRC journey, request a personalized demo today!
Chances are that you’re already managing governance, risk, and compliance (GRC) in some way or the other. But if your approach is ad hoc and siloed – i.e., if your risks, compliance, and audits are managed on separate systems with different taxonomies and no way to collaborate or exchange data – then, it might be time for a change.
Why? Because in today’s dynamic world, success hinges on one’s ability to make informed decisions quickly based on data collected and validated across the organization. Stakeholders need to know which risks to tackle on priority, how those risks influence other enterprise risks, which business objectives could be impacted, what issues could arise, and whether the controls in place are truly effective.
Meanwhile, internal audit – the third and final line of defense – needs to focus on assurance, rather than re-evaluating assessments completed by the second line. To do that, they need real-time visibility into events, issues, actions, and assessment outcomes.
An integrated GRC program provides all these insights. So, teams can take informed steps to protect the business and capitalize on the opportunities that really matter.
In our experience, many businesses already have separate programs, objectives, and budgets for each GRC function – be it risk management, compliance, or internal audits. Having operated like this for years, businesses are either resistant to change or lack the drive to ensure integrated GRC data and reporting. Some companies are swayed by the bells and whistles that point solutions can provide, even if those tools work in silos, disconnected from other GRC functions.
There’s no doubt that making the shift to integrated GRC does take time and effort. But the rewards are well worth it. Imagine being able to predict risks and opportunities faster, collaborate seamlessly across functions, and make informed decisions quickly – all in a streamlined and cost-efficient manner. That’s what integrated GRC can enable.
All around us, risks are changing at a rapid rate. Four years ago, the top global risks were largely environmental – extreme weather, climate action failure, natural disasters, and biodiversity loss. This year, the top 5 risks have expanded to include AI-generated misinformation, societal/political polarization, the cost-of-living crisis, and cyberattacks.
Compliance requirements are also evolving. In the first half of 2024 alone, Europe approved the corporate sustainability due diligence directive as well as the AI Act. In July, California’s Workplace Violence Prevention Plan (WVPP) came into force, as did Australia’s Environmentally Sustainable Procurement Policy.
As these regulations and risks keep changing, so also do business processes, objectives, employees, technologies, and third parties.
None of these changes occur in isolation. They’re all interconnected. For example, when you onboard a new vendor, their risks become your risks. A data breach in their networks could weaken your own cybersecurity posture, which, in turn, could lead to compliance violations, operational disruptions, reputational damage, and more.
Integrated GRC enables you to see all these interconnections. Data from spreadsheets, point solutions, and other sources are unified into a single GRC view. This helps you predict risks with accuracy, ensure consistent compliance, and strengthen your resilience.
Our customers and prospects across industries tell us that these are some of the benefits they’ve experienced with an integrated approach to GRC:
Faster, more accurate risk insights through a common GRC taxonomy
When departments such as risk management and compliance work in silos, they end up developing separate terminologies and frameworks to describe similar GRC concepts. This creates a lot of confusion when you’re trying to aggregate and report GRC data.
By contrast, an integrated GRC approach focuses on unifying and standardizing GRC taxonomies across the enterprise. So, all departments and stakeholders are on the same page, speaking the same language. This minimizes misunderstandings and miscommunications. It also simplifies the process of gathering and analyzing GRC data from across business units. There are fewer discrepancies and ambiguities in the data because everyone is using the same terminologies.
The end result is that management gains a clearer picture of the organization’s GRC posture, which, in turn, strengthens decision-making.
Improved cost-efficiencies, zero duplication of effort
When your GRC approach isn’t coordinated, multiple departments could end up assessing the same risk, or testing the same control. This duplicates effort, wastes resources, and increases costs.
An integrated GRC approach eliminates these inefficiencies by streamlining GRC workflows across departments. Tasks and responsibilities are clearly defined to minimize overlaps or redundancies.
Meanwhile, GRC data is collected, stored, and accessed centrally – so teams don’t have to waste time hunting for information. The data produced by one department can even be reused by another. For example, compliance reports can be reused in risk assessments and internal audits. This reduces labor costs, and frees up GRC resources for more strategic activities.
Stronger collaboration across business lines
In an integrated GRC program, various business lines work together in harmony. Risk managers, compliance teams, internal auditors, and others have a clear understanding of how their activities intersect with those of other lines.
Through an integrated GRC platform, information on risks, losses, controls, and metrics is easily shared across departments. Each business line is able to provide valuable inputs and support to the other. The first line’s observations and assessments of risks and compliance flow to the second line which then ensures that risks and controls are effectively managed.
Subsequent business lines, such as internal auditors and the management team, can also collaborate and monitor risks easily through the same GRC platform. This synchronized approach enhances the organization’s resilience and ability to achieve business objectives.
A comprehensive view of GRC through integrations with other systems
GRC doesn’t exist in a vacuum. It needs to be able to exchange data with other business systems like enterprise resource planning (ERP) platforms, security tools, and threat and vulnerability scanners. External content also matters – be it regulatory updates, third-party risk ratings, or data on environmental, social, and governance (ESG) factors. All these inputs enrich your ability to monitor risks, regulations, and their impact on your enterprise.
An integrated GRC approach helps you aggregate all this data by connecting your GRC platform to multiple systems within and outside the enterprise. APIs enable the seamless flow of data across these touchpoints. For example, with MetricStream products, you can automatically pull in vendor security ratings for third-party security assessments or regulatory changes and updates from CUBE. These insights make your GRC program more robust and effective.
We recently contracted with a regional bank that was a rising superstar in the BFS industry. Evaluation began with the Internal Audit team looking to replace its archaic point solution with its latest variant, while the Operational Risk Management, Information Security, and Compliance groups looked to automate their manual processes. Legacy systems, manual processes, and data silos were hampering risk visibility and effective reporting to regulators. Moreover, only 60% of planned risk assessments were executed on time, and Internal Audit continued testing all risks and controls already validated by the second line.
As the evaluation progressed on separate tracks, the Internal Audit team realized the benefit of real-time visibility into first- and second-line data and incidents/events during audit planning or fieldwork. By their own calculations, such seamless enterprise data visibility offered significant time, cost, and resource optimizations. Hence began a joint evaluation for a single, enterprise-wide GRC platform.
After a year of rigorous evaluation, in which the criteria also included built-in practices relevant to the banking industry, a track record in managing and deploying enterprise programs, and a team who would guide them through their journey with the application, they chose MetricStream.
With the implementation:
The bank’s multi-dimensional organization structure (MDOS) has been mapped on MetricStream, making it easier to aggregate risks at any level of the organization. With better visibility into risks and controls, the bank is able to make more informed and agile decisions that strengthen business success.
MetricStream ConnectedGRC enables an integrated approach to GRC with seamless collaboration across risk, compliance, audit, cybersecurity, and sustainability teams. Through MetricStream, you can effectively identify, assess, and manage all your risks and compliance requirements on one platform. Designed with advanced analytics and AI capabilities, ConnectedGRC delivers best practices to meet the evolving needs of today’s dynamic enterprises.
To learn how MetricStream can help you accelerate your GRC journey, request a personalized demo today!
Just a few weeks ago, on June 17th and 18th, the Baltimore Marriott Waterfront was abuzz as over 150 governance, risk, and compliance leaders gathered for the MetricStream GRC Summit—the premier GRC event of the year.
Over the course of two days, MetricStream brought together some of the foremost experts in GRC – with more than 50 speakers – who shared invaluable keynotes, best practices, case studies, and strategic insights on critical areas of focus and priority for leaders. The summit also offered plenty of opportunities to network with peers and celebrate the announcement of the 2024 GRC Journey Awards winners.
I wanted to share some standout moments and key themes shared during the event. You can also check out the video highlights and presentations.
5 Key Themes That Emerged During the Summit
Driven by its immense ability to automate tasks, increase productivity, and predict outcomes, Artificial Intelligence (AI) has quickly moved to the epicenter today. Organizations across industries are leveraging AI to streamline operations, revolutionize marketing strategies, and gain a competitive edge. Its applications range from automating customer service with chatbots to predicting market trends, and optimizing supply chain management.
In GRC, AI’s transformative potential enables organizations to manage risk more effectively, improve compliance, and make data-driven decisions for better governance. Enterprises are effectively utilizing AI for control monitoring, intelligent issue and remediation management, intelligent control insights and control test prioritization, the creation of a common view of risks, and so much more.
While effective and responsible AI systems are crucial, GRC leaders at the Summit focused on the importance of:
Here are two quotes that sum up the depth of discussions around AI.
“One of our priorities is to keep GRC simple. There are two aspects of AI – how do you bring AI to GRC and how do you bring GRC to AI?” -- Gunjan Sinha, Co-Founder of MetricStream
“We are at an inflection point on the adoption of AI. Targeted AI adoption for specific use cases will gain traction. Humans in the loop is extremely important.” -- Anand Narayan, Head of Regulatory Change Management, Sumitomo Mitsui Banking Corporation
“Agility is extremely important in managing emerging risks and regulatory requirements,” said Prabha Thomas, Chief Risk and Compliance Officer, Tata Consultancy Services. I couldn’t agree more. In today’s fast-paced and interconnected business environment, a conscious move from reactive risk and compliance to embracing proactive resilience is not just a strategic choice—it is essential for thriving in the face of uncertainty.
To build proactive resilience, organizations will need to build risk and compliance agility with a unified view powered by a centralized platform that continuously scans the horizon with regulatory change-tracking technologies and automated feeds from trusted content sources. They will need to integrate compliance management systems with other enterprise systems and apply AI and automation for automated recommendations. Furthermore, given the multitude of regulatory requirements, organizations will need to move to continuous compliance by implementing tools that help them automate control testing and evidence collection for all their enterprise controls.
A particularly resonant theme was the evolving role of the CISO. Numerous Chief Information Security Officers (CISOs), Chief Security Officers (CSOs), and Cyber Risk leaders at the Summit shared their insights on how the role has increasingly shifted towards a business-oriented focus, emphasizing that cyber risk is now recognized as a critical business issue rather than solely a technical one.
Added responsibilities of a CISO now include organizational governance, data loss prevention, and compliance with regulations. This requires not just a solid technical foundation but also a strong grasp of business principles to effectively communicate with other C-level executives and the board.
A CISO’s toolkit today should include a 360-degree view of the organization’s IT risk posture and cybersecurity investment priorities, along with continuous control monitoring, insightful reporting, and cyber risk quantification. This blend of skills and technology ensures they can anticipate risks, implement robust security architectures, and foster a culture of security within their organizations – as well as communicate strategically with the board.
“Regulators are connecting the dots,” warned Arindam Majumdar, Deputy Chief Risk Officer, Bank OZK. “If we as an organization don’t break down the underlying silos, we lose control. We transitioned as a team to look at all the various risk stripes in an interconnected view.”
With the regulatory environment evolving faster than ever, it is crucial for GRC professionals to stay ahead of regulatory changes to ensure that organizations remain compliant and avoid potential fines and reputational damage. This requires utilizing advanced technologies such as AI and cloud-based platforms to streamline this process, ensuring that compliance professionals receive real-time updates and can assess their implications swiftly.
An essential takeaway from the Summit was the wise words of Tolu Oyesfesobi, Head of Financial Controls and Operational Risk, Inter-American Development Bank, who reminded us all to “Have a lot of coffee with your business… for collaboration is key to breaking down silos.”
This simple yet profound advice underscores the importance of fostering strong, communicative relationships within our organizations to achieve seamless integration and collective success.
It also underscores the importance of connecting with the GRC community. In line with the theme, "Experience The Power of Connection," the Summit stood out for bringing together the expertise of top GRC professionals. Customers, including Blue Cross Blue Shield of Michigan, Bank OZK, and Apple Bank, shared their success stories, vividly illustrating how they have effectively tackled the complexities of GRC challenges. We also conducted workshops on how to align ERM with your organization’s GRC strategy and cyber risk quantification that offered practical insights and use cases from industry experts.
As we wrapped up two insightful days in Baltimore, the overarching topic that sparked a lot of discussion was the need to advance GRC maturity with a connected GRC strategy, especially one that is Cognitive, Continuous, and Cloud-based.
See You Next in London!
We’ll be doing it all over again in London on November 6th and 7th! We hope to see you there! Register now.
Learn more about what was discussed at the GRC Summit: Download the presentation and watch the videos.
Healthcare is one of the most strictly regulated sectors in the world. This is understandable and necessary considering that the sector deals with factors as crucial and sensitive as health and life itself. As a result, this sector has witnessed increasing regulatory complexity with different regulatory bodies focusing on various aspects of the industry. The healthcare business is also rapidly evolving and expanding with many providers offering ancillary services such as health insurance and insuretech. This makes the sector susceptible to various new and emerging risks. Healthcare providers also work with third parties who handle sensitive patient information, making it vital for them to effectively manage third-party risks. As regulatory complexity increases amidst a fraught risk landscape, ensuring compliance can be challenging.
In April 2024, records of 13.4 million patients were left exposed thanks to nine incidents of unauthorized access or disclosure of protected health information. 44 hacking incidents in the same month affected 1,919,637 records. The consequences of such breaches through penalties and impact on reputation and image are significant. This blog explores the top five risk and compliance challenges for the healthcare sector and how to address them.
The healthcare sector is governed by regulations and frameworks such as the Health Insurance Portability and Accountability Act (HIPAA), the HITECH Act that complements HIPAA by increasing the penalties for data breaches, the 21st Century Cures Act, the General Data Protection Regulation (GDPR), PCI DSS, the California Consumer Privacy Act (CCPA), the Health Information Trust Alliance Common Security Framework (HITRUST CSF), the Information Blocking Rule (2021), and the Interoperability and Patient Access Final Rule (2021). Most of these focus on patient data privacy, data security, access to information, and cyber security.
Each of these is constantly being updated to keep pace with a rapidly changing risk landscape. For example, this year HIPAA saw some significant updates to its patient privacy provisions and outlined stricter cyber security requirements. It gives patients greater control over their data and mandates risk assessments, incident response plans, data encryption requirements, and updated breach notification requirements. Keeping pace with these updates, assessing their impact on various processes and functions, and adapting internal controls and policies is a significant challenge.
Furthermore, there are federal, state, and local regulations and rules that apply to healthcare providers. Each state has specific reporting requirements regarding public health emergencies, infectious disease outbreaks, and specifying how long medical records can be retained. Some states may even have their own laws regarding patient data. For example, California has laws pertaining to data breach notifications that have to be complied with in addition to HIPAA. Healthcare providers must report relevant situations to their state or local agencies in the prescribed format in addition to complying with federal regulations.
Additionally, healthcare providers must be accredited by industry organizations such as The Joint Commission (TJC), which evaluates organizations on parameters such as patient care safety and healthcare management, the Accreditation Association for Ambulatory Health Care (AAAHC), and the Urgent Care Association (UCA). Accreditation shows that the provider meets the quality and safety benchmarks set by these governing bodies. Meeting accreditation requirements and complying with the standards set by each of these bodies is a complex and challenging task.
Healthcare providers have to efficiently manage risks unique to the sector, in compliance with the relevant regulations. In addition to compliance risks, healthcare providers have to be prepared to deal with risks related to patient care and safety, as any lapses can have severe legal and financial impacts in addition to damaging reputation and trust. They must be cognizant of risks pertaining to medical instruments and devices, in the form of potential malfunctions that impact patient care. There are also risks pertaining to insurance claims, fraud, phantom billing, and upcoding. They have to conduct risk assessments periodically to identify and mitigate potential compliance issues and threats. They also must have comprehensive incident management processes in place to report and respond to crises quickly and effectively. Risks ranging across business operations, third parties, cybersecurity, ESG, and health hazards must be managed effectively, along with appropriate business continuity plans. The healthcare industry must move from check-the-box compliance activity to proactive risk management to thrive in this complex risk landscape.
Patient healthcare data and records are sensitive and subject to strict security, privacy, and protection laws. Healthcare providers have to ensure that their technology systems meet HIPAA standards, which may prove to be a daunting exercise, particularly for smaller organizations.
Regulations like the 21st Century Cures Act emphasize the need for seamless and secure data sharing. And so, organizations must ensure their electronic health record systems are updated, secured, compliant with regulatory standards, and capable of securely executing data exchanges. It is equally important to ensure that different healthcare systems are interoperable while maintaining data security and privacy. Organizations must also ensure that their technology systems are updated and compliant with the latest security and regulatory standards to protect patient information and ensure foolproof compliance.
Adding to the challenge is the fact that the threat landscape is continually evolving, with bad actors increasingly leveraging advanced technology to launch sophisticated attacks. Protecting healthcare data under these conditions can be a Herculean task. In February 2024 alone there were 24 data breaches, the biggest of which was the breach at Medical Management Resource Group that compromised 2.35 million records. Hacking and ransomware continue to plague the sector, and only four breaches affecting 10,000 or more records in February were not hacking incidents. Data encryption is important to protect healthcare records. But ensuring encryption both in transit and at rest to prevent unauthorized access is a challenge.
The rapid evolution of Artificial Intelligence technologies has the potential to transform healthcare. From early detection, faster diagnoses, and better treatment to improved monitoring, decision-making, research, and training, AI is already being leveraged to drive better healthcare outcomes. But, AI comes with a significant risk of data breaches. AI platforms process huge volumes of sensitive data and any vulnerabilities can be exploited by bad actors. Healthcare providers leveraging AI must be cognizant of the security risks associated with it and implement stringent data protection strategies.
Healthcare organizations rely on numerous external vendors, ranging from cloud service providers to billing companies, medical device manufacturers and suppliers, and more. Many of these have access to sensitive healthcare data and are subject to the standards set by HIPAA. This is also a vulnerability that can be targeted by hackers. Additionally, healthcare providers must monitor third parties for operational and ethical risks, such as unavailability of or disruptions to medical services, AML, bribery, and other malpractices. Third-party organizations are subject to data protection and privacy regulations such as GDPR and PCI DSS. Healthcare providers must monitor their partners’ compliance with all relevant regulations, as well as their overall risk management and mitigation strategies.
Managing third-party risk must be a crucial part of a healthcare organization’s risk management strategy. They must conduct regular due diligence with vendor risk assessments and security assessments. Compliance with all relevant regulations and standards, and risk evaluation, must be a contractual obligation for all third-party vendors working with healthcare organizations. In fact, the HITECH Act extends HIPAA’s regulations to vendors and includes penalties for vendors for non-compliance. Healthcare organizations must regularly monitor their partners and conduct comprehensive and periodic audits to ensure ongoing compliance. Establishing business associate agreements (BAAs) with vendors to ensure compliance with a wide range of regulations is advisable, but managing third-party risks adds to the significant compliance challenges of healthcare organizations.
Healthcare providers are operating within a regulatory landscape that is continuously evolving and they must ensure error-free compliance. They have to monitor the regulatory landscape on an ongoing basis to keep pace with emerging regulations and have the capability to adapt and map new regulations and updates to existing practices and controls. Continuous and automated monitoring of risks and controls is crucial for enabling real-time risk assessments, quick decision making, and faster, more effective mitigation efforts. They must have rationalized internal controls to mitigate risks and ensure compliance. They must have automated processes to onboard new third parties and carry out due diligence to ensure there are no gaps in compliance. They must also conduct regular digitized audits and continuous monitoring of compliance processes to ensure there are no gaps. Maintaining compliance reports, logs of security events and communicating with regulatory authorities is another key task for organizations.
MetricStream’s Healthcare solution is purpose-built to help organizations in this highly regulated industry adopt and implement a streamlined, automated, and integrated approach to GRC. Healthcare providers can leverage advanced capabilities for managing regulatory compliance, enterprise risks, including cyber and third-party risk, and internal audit, to improve their overall risk and compliance posture and drive better-informed decision-making.
With MetricStream, your organization can effectively:
Interested to find out more? Request a demo now.
At the recently held GRC Summit 2024 in Baltimore, David Story, Vice President Health, Safety, & Environment, dnata, provided the audience with a detailed overview of their GRC journey experience with MetricStream.
Dubai National Air Travel Agency (or dnata) was established in 1959 through a government decree. It set up its first international business in 1993. Gradually, over the years, it has seen significant growth across all its business units.
Here are the excerpts from David’s session on “dnata’s Integrated GRC Transformation”.
David: Our foremost priority is safety and security. Through a series of SMART objectives, we're building a best-in-class health, safety, and environmental system, or HSE ecosystem, as we call it. Over the next few years, up to 2027 and beyond, through our medium-term plan, we are striving for a best-in-class or world-class status, and central to delivering on that goal is the effective use of our GRC platform.
Within dnata, MetricStream is the product that we use, and we have done a number of modifications and upgrades through MetricStream over the years. We refer to it within the company as “dnatahub”, which is everything we do from a GRC perspective.
So, in terms of why GRC is so important to us -- central to that is our safety management system, or SMS. SMS is essentially the bedrock of everything that we do across four key pillars -- safety policy, risk management, assurance, and promotion. To be able to deliver on the requirements of our SMS, our dnatahub platform is absolutely central to achieving those goals.
David: So, how has the dnatahub platform evolved over the last few years?
We're now into the 9th year of our partnership with MetricStream, beginning back in 2015 along with our “Global One Safety” initiative. The first pillar in that strategy was rolling out Incident Management, which allowed us to have one platform for reporting safety occurrences across local businesses.
In 2018, there was global expansion – we introduced new applications within dnata in addition to incident management and reporting.
In 2020, we started moving into the continuous monitoring phase, which saw the likes of our Documentation Management System (DMS). We also introduced surveys and inspection through the auditors. We would go out there and report safety hazards and threats to our organization. This was across all three of our operational divisions.
The beauty of DMS is that it can be accessed by any of our team in the world who has access to an Office 365 account. Examples of a DMS document could be a global safety alert, a new manual, a guideline document, or a new operational standard. All of those are published through DMS and are automatically and electronically tested within the system as well. So, for auditing purposes, it's very, very efficient.
We also launched Observation Management as well. And, through Issue and Action Management we can assign tasks and actions to our businesses around the world.
We're now moving into Phase IV, as we call it, looking at how we scale up as we continue to build our business. We are currently two weeks away from the launch of the Euphrates upgrade as well.
We've built a very strong partnership with MetricStream, and we've now established a very strong governance model as well in terms of performance monitoring.
David: What's been key to success is keeping things simple. One of the worst things you can do in my role as a safety professional is over-complicate how you manage safety within your business.
In terms of just some numbers, we have got:
What gives me great confidence is 400,000+ observations. We actively encourage -- from our leadership level all the way down to the front line -- to report any unsafe behaviors and actions within our business. What we've seen over the last 2-3 years is a considerable increase in the number of safety reports within the business. So that leads to a much more positive and safety-aware culture.
Over the next few years, we've got some really interesting challenges coming our way. You would have seen the announcement about the new airport project in Dubai. The target is 2033 for the opening of the new terminal with a capacity of 250 million passengers a year. We already have that airport as we have for the last 10 years, and this will be a significant upgrade to be the world's largest international gateway.
We have two to three new businesses that are going to be coming online towards the end of this year, including a particularly large business in Italy. And it's essential that we look at how we scale up to meet that demand, because we could have potentially 3,000 to 4,000 users within dnata by the end of this year.
The rapid evolution of Artificial Intelligence (AI) and particularly Generative AI has opened up new opportunities, and prospects of development and inclusive growth. But, in the wrong hands, AI can unleash fraud, discrimination, disinformation, stifle healthy competition, disenfranchise workers, and even threaten national security. The United States of America, the European Union, and the United Kingdom have taken the first steps to regulate the development of AI with a strong focus on data privacy, transparency, accountability, security, and ethics.
Here is a quick overview of the key regulations being implemented in these three regions, highlighting the main points to note.
The European Parliament adopted the Artificial Intelligence Act in March 2024, which will be fully applicable 2 years after entry into force. The objective of this Act is to standardize a technology-neutral definition for AI for future reference. Furthermore, the Act aims to ensure that AI systems within the EU are safe, transparent, traceable, non-discriminatory, environmentally friendly and monitored by people and not automation. The law uses a risk-based approach, with different requirements based on the level of risk.
Risk level definition: It defines 2 levels of risk and states obligations for providers and users depending on the risk level:
Unacceptable Risk AI Systems - These are considered to be harmful for people and will be banned:
There are some exceptions and rules established for law enforcement agencies.
High Risk AI Systems - AI systems that can negatively impact fundamental rights and / or safety of people:
AI systems used in products covered by the EU’s product safety legislation, such as toys, aviation devices and systems, cars, medical devices and elevators.
AI systems in specific areas that have to be registered with an EU database:
High-risk AI systems will have to be assessed before they can reach the market and will be assessed throughout their lifecycle. EU residents can file complaints with relevant national authorities.
Transparency requirements – While the Act does not classify Generative AI as high risk, it mandates transparency requirements and compliance with EU copyright laws:
Supporting Innovation – The Act aims to help startups and small to medium businesses leverage AI with opportunities to develop and train AI algorithms before public release. National authorities have to provide companies with suitable testing conditions that simulate real-world conditions.
In February 2024, the UK Government announced its response to the 2023 whitepaper consultation on AI regulation. Its pro-innovation stance on AI follows an outcome-based approach with a focus on 2 key characteristics – adaptivity and autonomy – that will guide domain specific interpretation.
It provides preliminary definitions for 3 powerful AI systems that are integrated into downstream AI systems:
It sets out five cross-sectoral principles for regulators to use when driving responsible AI design, development, and application:
The principles are to be implemented on the basis of three foundational pillars:
The White House Office of Science and Technology Policy has formulated the Blueprint for an AI Bill of Rights with five principles to guide the design, use, and deployment of AI systems. These include:
Safe and Effective Systems
Algorithmic Discrimination Protections
Data Privacy
Notice and Explanation
Human Alternatives, Consideration, and Fallback
In addition to these federal guidelines, several states are also formulating their own regulations. 17 states (California, Colorado, Connecticut, Delaware, Illinois, Indiana, Iowa, Louisiana, Maryland, Montana, New York, Oregon, Tennessee, Texas, Vermont, Virginia and Washington) have enacted 29 bills on AI regulation over the last five years.
AI technologies are here to stay and the world has to learn to use them safely for the betterment of humanity. Regulations for AI development and use are critical to protect populations from bias, discrimination and breach of privacy. AI technologies are evolving at an unprecedented pace, and regulators across the world are following suit with quick updates or new frameworks. Organizations need automated compliance platforms to keep pace with this rapidly changing regulatory landscape.
MetricStream’s Compliance Management can simplify and fortify enterprise compliance initiatives amidst a rapidly changing regulatory landscape. Gain greater visibility into control effectiveness and quick issue remediation with streamlined:
Even as compliance management is simplified and streamlined, it is important to have a mechanism in place to keep track of rapidly evolving regulations. MetricStream’s Regulatory Change Management platform is a centralized framework that can help organizations capture, curate, identify, extract, consolidate, and manage regulatory changes and updates sourced from diverse providers.
Find out more. Request a personalized demo today!
With Asia-Pacific’s (APAC) economic growth surpassing expectations, businesses have much to be optimistic about. However, as regulations and risks in the region grow more numerous, the need for effective governance, risk, and compliance (GRC) has never been more pressing. APAC GRC professionals are being called upon to spot emerging risks, connect the dots, and help their organizations adapt swiftly to regulatory changes. GRC solutions that can help meet these demands at scale and speed will make all the difference.
I recently had the chance to host GRC Design Workshops in Malaysia and the Philippines in association with our strategic partners - HCLTech and Expleo respectively. The workshops, led by Michael Rasmussen, GRC Analyst & Pundit, GRC 20/20 Research, delved into a range of GRC areas, including the evolving risk and regulatory landscape in APAC, GRC challenges faced by organizations in the region, how technology and automation can help, and more.
Here are some of the key takeaways from the workshops, providing insights into the trends and opportunities likely to be encountered by GRC professionals as they gear up for the road ahead.
Keeping pace with regulatory change is no small feat. In the past three years alone, Singapore, Hong Kong, and Australia have either revised or issued new standards and guidelines around operational risk management and resilience.
Meanwhile, India enacted its first comprehensive data protection law in 2023 – the Digital Personal Data Protection (DPDP) Act, even as Japan substantially amended its own Act on the Protection of Personal Information (APPI), a year earlier.
Climate change too has been enveloped in a flurry of regulatory activity. Vietnam’s Law on Environmental Protection took effect in 2022, followed by Malaysia’s Energy Efficiency and Conservation Act in 2023.
In addition to juggling regulations, APAC GRC professionals also have to navigate a growing variety of risks – including the Ukraine and Middle East conflicts that have strained global supply chains; extreme weather events like the floods in China and drought in India; the risks of deep fakes and misinformation associated with AI; and of course, the constant threat of a cyberattack. Incidentally, APAC experienced the highest year-on-year surge in weekly cyberattacks during Q1 2023, with an average of 1,835 attacks per organization.
Risks come from within the organization too – from changes to business objectives, structures, processes, employees, and technologies, as well as from the extended enterprise of suppliers, vendors, contractors, dealers, and distributors.
Getting these risks under control is key to strengthening organizational resilience and performance.
If there’s anything we’ve learned over the past few years, it’s that everything is connected. A data breach in a third-party service provider’s system can disrupt entire supply chains, damage business reputations, trigger hefty regulatory penalties, and sometimes even shut down operations for days.
That’s why it’s so important to be able to see the big picture – to understand how risks impact and influence each other, how they affect compliance, and how they hinder or help the achievement of business objectives.
GRC offers that perspective. It enables organizations to understand the road ahead more clearly, make better-informed decisions, and capitalize on the right opportunities at the right time. In other words, GRC shouldn’t be seen as an afterthought, but an enabler of the business.
APAC GRC professionals tell us that these are some of the GRC challenges they face:
Here are six ways to overcome the above challenges, and create a truly world-class GRC program:
MetricStream ConnectedGRC helps you build an automated, truly integrated, and collaborative approach to GRC. Reduce risk exposure with streamlined assessments and mitigation. Enable consistent compliance with robust control testing and reporting tools. Finally, achieve your objectives with ease using strong governance and policy management mechanisms.
MetricStream products are packed with best practice workflows, content, AI, and analytics to help you:
To learn how MetricStream can help you on your GRC journey, request a personalized demo today.