Meet our GRC Journey Award Winners 2023



As the global market leader in governance, risk management, and compliance (GRC), MetricStream is honored to present the GRC Journey Awards each year. The awards celebrate and honor organizations, business partners, individuals, and customers that have made significant strides in their GRC Journey—turning risk into a strategic advantage. 

At the 2023 London GRC Summit this October, awards went to a select group of GRC trailblazers who exemplify connected, high-value, and sustainable GRC programs. These visionaries have set the bar high by demonstrating exceptional advancements in their GRC programs. Discover the stories of these outstanding award winners as we showcase their impactful GRC journeys below.

dnata - GRC Journey Program Excellence Award, 2023

As one of the world’s largest air services providers, offering ground handling, cargo, catering and travel services, dnata operates in 129 airports spanning 35 countries across 6 continents—with over 50,000 employees serving 320 airline customers. As part of its safety and security standards, dnata requires a robust GRC program that can offer visibility into the ever-changing risk and incident scenarios across its global operations and allow decision-makers to assess and respond to the dynamics of its business operations.   

dnata leveraged MetricStream’s GRC products, including Enterprise Risk Management, Incident Management, Policy and Document Management, Observations Management, Issue Management, and Compliance Management, and rolled them out across web and mobile channels with support for multiple languages. The results were proactive frontline engagement and faster decision-making.

Watch David Storey, from dnata, explain how they achieved a centralized view of risks, improved frontline engagement, and more.


Almarai - GRC Journey Award, 2023

Headquartered in the Kingdom of Saudi Arabia, Almarai is the world’s largest vertically integrated dairy company and the region’s largest food and beverage manufacturing and distribution company. Almarai ranks as the number one Fast Moving Consumer Goods (FMCG) brand in the Middle East & North Africa (MENA) region and is the market leader in most of its categories across the Gulf Cooperation Council.

To move away from manual processes and gain a connected approach to risk and issue management, Almarai leveraged MetricStream’s Enterprise Risk Management and Business Continuity Management products. Today, they have achieved a 50-70% reduction in effort through automated workflows, streamlined processes, and a defined common risk taxonomy.

Watch Gordon Bateman from Almarai share their incredible success story.


Siemens Energy - GRC Journey Award, 2023

As one of the world’s leading energy technology companies, Siemens Energy covers almost the entire energy value chain – from power generation and transmission to storage. The portfolio includes conventional and renewable energy technology, such as gas and steam turbines, hybrid power plants operated with hydrogen, and power generators and transformers. Operating in a highly regulated environment, Siemens Energy wanted to improve its GRC maturity, strengthen its GRC program to increase resilience, and enhance cross-functional collaboration and communication. 

To build a single source of truth that would help it better understand the risk and impact of failures across its business processes and technology infrastructure, and to ensure that global cybersecurity and ITIL compliance requirements are being met, Siemens Energy leveraged MetricStream’s Enterprise Risk Management, IT Risk, IT Compliance, SOX Controls Testing, Policy Management, and Third Party Management products.

Dorothea Liebl, from Siemens Energy, discusses how they achieved GRC maturity and improved decision-making. Watch now.


Nordea - GRC Journey Practice Leader Award, 2023

Nordea is the largest financial group in the Nordic countries, with a strong market position in personal banking, business banking, large corporate and institution banking, and asset and wealth management. They currently operate across 20 different countries with 30,000 employees. 

To automate and modernize their GRC program and enhance visibility into their risk and compliance processes, Nordea leveraged MetricStream’s Enterprise Risk, Business Continuity Management, Policy Management, IT Risk, IT Compliance, Regulatory Change, and SOX Compliance products. They have now increased visibility into, and measurement of, key risks by linking KRIs, and have amplified the speed, agility, and scalability of their IT Risk and IT Compliance processes.

Brian F. Sørensen from Nordea shares how they implemented an integrated risk management strategy. Watch now. 


Petroliam Nasional Berhad (PETRONAS) - GRC Journey Visionary Award, 2023

A MetricStream customer since September 2021, Petroliam Nasional Berhad (National Petroleum Limited), better known as PETRONAS, is a Malaysian oil and gas company wholly owned by the Government of Malaysia. The corporation is vested with all oil and gas resources in Malaysia and is entrusted with the responsibility of developing and adding value to these resources. PETRONAS is ranked among the Fortune Global 500 largest corporations in the world.

To strengthen its GRC program and build resilience, PETRONAS embarked on a journey to ensure critical control and decision-making insights for the organization driven by three core organizational goals: agility, resiliency, and sustainability. PETRONAS leverages MetricStream’s Third-Party Risk, Business Continuity Management, IT & Cyber Compliance, IT & Cyber Risk, and Policy and Document Management products to support their BusinessGRC and Cyber/ITGRC programs. 

Nor Harliza Baharom from PETRONAS shares details on their compliance journey, GRC strategy, and the use of MetricStream products. Watch now.


Embark on Your GRC Journey with Confidence and Expertise by Partnering with MetricStream

Empower your GRC journey with our ConnectedGRC solutions, which include our BusinessGRC, CyberGRC, and ESGRC product suites. With MetricStream ConnectedGRC, you can go beyond a traditional integrated approach that focuses solely on technical program integration and embrace a more interconnected business-level approach that provides a single source of truth with all the risk insights you need to build your GRC programs to be future-ready. 

Request a demo now. 

Watch the videos of Autodesk, Guidewire, Apple Bank, CHN Industrial, and dnata, who were awarded the GRC Journey Awards at the 2023 Miami GRC Summit this June.

Patricia McParland, AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third-party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.


2024 GRC Trends: Future-Proof Your Organization Now!



Yet another year has passed! We witnessed some major events, including escalating geopolitical tensions, the collapse of banks in the US and Singapore, major mergers and acquisitions, and significant technological advancements in the field of generative AI. In a world where the volume and velocity of risks are increasing, navigating the complex landscape of governance, risk management, and compliance (GRC) has become more crucial than ever. Consider these recent statistics:

The past year has been a testament to the evolving challenges faced by organizations globally, from economic uncertainties, geopolitical tensions, and new regulations and laws to the lingering repercussions of the 2019 global pandemic. Most importantly, none of these risks exist in isolation – they’re deeply interconnected, with cascading impacts for organizations.

Navigating the Interconnected Risk Landscape Needs New Strategies

Risks are no longer solitary entities; instead, they form a complex tapestry of interconnected challenges that are intensifying in both frequency and severity. A glimpse into the events of the year unveils the extent of this interconnectedness.

The Silicon Valley Bank crisis in March 2023 was accompanied by several other bank failures, including Signature Bank, First Republic Bank, and Heartland Tri-State Bank. In August 2023, the shutdown of the NATS flight planning system in the UK caused hundreds of thousands of passengers’ flights to be delayed or canceled. Over 2000 flights were canceled, leading carriers to face estimated losses of £100m, mainly comprising care costs and lost revenue. The tragic August 2023 Maui fire quickly unfolded as a series of failures, including communication breakdowns, severe weather conditions, miscalculations of fire severity, and issues with essential services like electricity and water, culminating in the destruction of Lahaina and substantial loss of life. The incident underscores how the convergence of various failures swiftly escalated what could have been an isolated event into a catastrophic crisis.

As we approach 2024, the expectations for GRC professionals are to connect the dots, see issues coming, and engage in some level of predictable forecasting. Now, more than ever, understanding and adapting to the upcoming GRC trends is not just a strategic advantage—it's a necessity for thriving in an increasingly interconnected world.

2024: A Confluence of Challenges and Opportunities

The forthcoming year promises a confluence of challenges and opportunities, making it an urgent requirement for organizations to reevaluate their strategies and fortify their GRC frameworks. So, what are the top trends that will shape the narrative of tomorrow? 

  • Connected GRC Programs Powered by Flexible and Easy-to-Use Platforms
    To respond effectively to the growing network of interconnected risks, a connected GRC strategy that extends seamlessly across the enterprise, providing cohesive visibility, communication, and information, emerges as a crucial solution. Next-gen GRC cloud platforms that unify risk, compliance, audit, cyber, and ESG functions and offer elasticity and scalability through low-code/no-code capabilities and user-friendly interfaces play a pivotal role in this paradigm shift.
  • Cognitive and Continuous Technologies for GRC 
    AI for GRC holds tremendous promise in 2024 and beyond. The power of cognitive AI to turn data into real-time decisions is immense, with powerful use cases in AI-powered threat intelligence, automated planning and scoping of risk assessments, and AI-powered fraud detection capabilities. Techniques and solutions like continuous control monitoring and risk and regulatory intelligence feeds will further be embraced as organizations seek to proactively identify vulnerabilities and enhance the risk and control oversight capability. 
  • Strengthening of Resilience and Business Continuity Programs 
    Resilience will take center stage as organizations prioritize the need to predict, anticipate, and manage risks before they manifest, and to bounce back quickly if impacted. Globally, the regulatory discussion around operational resilience is evolving as well. The Digital Operational Resilience Act (DORA), which came into force this year (and will apply from 17 January 2025 in the EU), aims to strengthen the digital operational resilience of the financial sector. Organizations will pay more attention to enabling and empowering the frontline to ensure resilience across entities and third parties.
  • Shift from Reactive to Proactive Compliance 
    To meet the rising compliance demands, organizations will continue to build compliance resilience and agility in 2024. Centralized platforms that help them automate control testing and evidence collection for all their enterprise controls, continuously scan the horizon with automated feeds from trusted content sources, integrate compliance management systems with other enterprise systems, and apply AI and automation for automated recommendations will be adopted.
  • Fortifying the Extended Enterprise 
    With the high volume of fourth and fifth-party risks and events resulting from the complexity of extended ecosystems, the focus on third-party risk management (TPRM) will get stronger in 2024. To own risk in the extended enterprise and construct a more resilient third-party ecosystem, organizations will increasingly adopt automated end-to-end processes for information gathering, onboarding, real-time monitoring, risk assessments, compliance, and control assessments.

Elevate your GRC strategy with our eBook, a detailed exploration of 2024's top 10 risk trends.

Stay Future Ready with MetricStream

At MetricStream, our ConnectedGRC solutions help your organization go beyond the traditional integrated approach, which focuses merely on the technical integration of different tools, to a more connected approach at the business level: connecting data to generate meaningful insights into the interconnectedness of risk and resilience. With ConnectedGRC, your organization is empowered to break down enterprise silos and establish a single source of truth with all the risk insights you need to navigate the future. Packed with best practices, deep domain capabilities, AI-powered intelligence, and risk quantification tools, you are all set to tackle the most pressing GRC challenges of today and tomorrow.

Interested in learning how you can power your GRC program with a connected strategy? Request a demo now!


Sumith Sagar, Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC) and Commodity Trading & Risk Management (CTRM) to cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.


GRC Trends in the UK Capital: Key Themes at the 2023 London GRC Summit



On October 15 and 16, 2023, over 175 governance, risk, and compliance leaders from over 20 countries gathered at the Royal Garden Hotel in London for the standout event of the season: The GRC Summit. Over the course of two days, MetricStream had the honor of hosting some of the foremost experts in the field of GRC, featuring more than 40 speakers who generously shared their best practices, real-world case studies, and valuable insights on the key focus areas and priorities for leaders. We also had the pleasure of networking with peers and celebrating the achievements of the 2023 GRC Journey Awards winners.

I had the unique privilege of immersing myself in the insightful content and connecting with several inspiring leaders face-to-face. I'm excited to recap some of the most memorable moments and prevalent themes I encountered during the event. For those interested in viewing video highlights and accessing the presentations, I encourage you to explore the 2023 GRC Summit site.

Connecting the Dots: An Urgent GRC Imperative

A central theme was the pressing need to ‘connect the dots.’ Several significant events, including the recent airline disruptions, banking crises, climate issues, and breakdowns in state intelligence, demonstrate a common thread of multiple risks converging simultaneously. More important to note is that organizations have to deal with risks increasing in volume and velocity. This calls for risk, compliance, and governance leaders to not only ‘connect the dots’ but also address these risks with a connected GRC strategy. Critical to pursuing a connected strategy are simplicity, automation, and predictive capabilities, which are only possible through continuous control monitoring, cognitive capabilities including AI-centric workflows, and cloud technologies that make GRC programs faster, easier, and more secure.

Gaurav Kapoor, co-CEO and co-Founder, MetricStream, best summarized it when he said: “The ‘Connected GRC’ strategy underpinned by a ‘Cloud,’ ‘Continuous,’ and ‘Cognitive’ approach is non-negotiable for organizations to navigate an incessantly changing threat, regulatory, and opportunity landscape.”

AI and Hyper-Automation: The New Hot Topic

A trending theme that emerged in nearly every conversation was the potential of artificial intelligence (AI) and automation to enhance efficiency in GRC. Almost all sessions discussed some element of AI – the possibilities to automate, predict, make recommendations, and remediate, as well as the potential risks and rewards. Top discussion points included:

  • Leveraging AI to comprehensively analyze, oversee, and extract valuable insights from the extensive volumes of GRC and control data 
  • Deploying AI to automate processes like control monitoring, third-party risk evaluation, and the creation of a common view of risks across the enterprise 
  • Leveraging AI to enhance data breach detection and, conversely, prepare for malicious actors who are currently exploiting AI technology 
  • GRC for AI: regulatory measures on the horizon for AI, how to ethically use AI, and how to mitigate the risks brought on by AI

The discussions around AI were exciting and spanned a diverse array of topics. Some quotes that stuck out on the topic were: 

“2023 began with grand plans of being the ‘year of efficiency.’ In all reality, it’s become the year of AI answering the question of how can we possibly do more with less? The next challenge we face, regardless of the industry, is how to leverage AI and how to control the risks associated with it,” said Prasad Sabbineni, co-CEO, MetricStream.

“The problem with AI is it is a very credible liar,” cautioned Toby Billington, Managing Director - ICG Business Risk and Controls leadership team, Citi, as he spoke about the complexities of AI. 

“We believe in the need to incorporate AI but need to assess what types will help us,” said Azizi Bin Md Ali, Chief Compliance Officer, Petroliam Nasional Berhad (PETRONAS), as he spoke about the importance of AI and automation in managing risk. 

Risk Management: Lead with Resilience

Several discussions centered around the importance of resilience in risk management as a crucial strategic priority to ensure business continuity. As a proactive approach, operational resilience is an upgrade that moves operational risk management from passive to active. Furthermore, as interconnected risks due to climate change, cyber breaches, and economic instability continue to dominate the risk landscape, leading with resilience is what will help organizations bounce back quickly if/when impacted. 

Jacqui McDonald, CIO Group Finance, RFT Technology, Barclays, underscored the criticality when she said, “It is critical to ask yourself the question: Do you have enough resiliency in your organization to recover?” Chandrra Sekhaar, Chief Audit Executive (EMEA) - SMF 5, Mizuho, reiterated the importance of technology to build resilience. “Many people talk about technology as the future, but it is equally important today. Innovation, technology, and digitalization is now.”

DORA: An Important Regulatory Priority

With the Digital Operational Resilience Act (DORA), the new EU regulation that aims to strengthen the IT security of financial entities such as banks, insurance companies, and investment firms, entering into force this year, cyber operational resilience was a much-discussed topic. By introducing uniform and harmonized governing principles for the management of cyber risks, DORA aims to ensure that the financial sector in Europe can stay resilient in the event of operational disruptions. The regulation will apply as of 17 January 2025. 

Panelists deliberated several strategies for cyber risk management, including the importance of continuous control monitoring, control rationalization, and cyber risk quantification. Gavin Grounds, CEO & co-founder, Mercury Risk and Compliance, spoke extensively about how cyber risk quantification today is a “pre-requisite for success, (especially) with ever-increasing risks and an unlimited number of scenarios to be tested.” 

The Power of the GRC Community

By bringing together the best minds in GRC, the Summit offered a collaborative space for experts and professionals to connect, share success stories, and celebrate GRC excellence. Here’s how we celebrated the power of this community.

  • Customer Success Stories: Representatives from Nordea, dnata, Mediolanum International Funds, Nationwide Building Society, and Siemens Energy took us through their innovative strategies and continuous improvement that helped them build proactive approaches to audit, enterprise risk management, compliance, cyber risk management, and third-party risk management.
    The presentation of their accomplishments provided key learnings for their peers. For example, Jacob Holmehave, Head of Group Risk Office, Nordea, stressed that “strong governance with clear senior stakeholder commitment” is an important catalyst to the success of the GRC program. At the same time, David Story, VP - Health, Safety, Security & Environment, dnata, explained in detail how they “navigated the large user base training by establishing SMEs and champions.” 
  • GRC Journey Awards: Outstanding GRC program leaders, visionaries, practice leaders, and partners who championed GRC programs, achieved superior business performance, and created high-value impact through GRC were awarded in four categories: GRC Journey Awards, GRC Visionary Awards, GRC Practice Leader Awards, and GRC Partner Awards. Congratulations to the winners!
    Check out our 2023 GRC Journey Award Winners.
  • Peer-to-Peer Networking: The Summit also served as a dynamic networking platform, promoting collective growth and nurturing innovation. Experts readily shared their problem-solving approaches and committed to continued support. Challenges were openly discussed, and best practices were exchanged. The entire atmosphere was supercharged, and I personally enjoyed the stimulating conversations!

The 2023 GRC Summit was more than just an event; it was a testament to the strength of the GRC community, its commitment to driving the field of GRC forward, and to utilizing the ‘power of connections’ to help organizations thrive on risk. 

Missed attending the Summit? Watch the videos of the sessions and download the presentations.

Interested to learn more about how you can transform your GRC program to successfully manage, embrace, and ultimately thrive on risk? Request a demo now.


Simrin Jhangiani, Associate Director, Marketing at MetricStream

Simrin Jhangiani is the Product Marketing Lead for MetricStream’s ESGRC product. As a former NYU student with a minor in Corporate Social Responsibility, Simrin is passionate about helping businesses make risk-aware business decisions around ESG. Simrin has an extensive business and marketing background, having worked as a strategy consultant at KPMG and as the owner of a sustainable fashion brand. She has lived on 3 different continents and has travelled to over 50 countries around the world, resulting in a comprehensive understanding of why ESG is important on a global scale. She believes that ESG is fundamental to the growth of businesses in the present day and is ardent about bringing awareness of the ever-changing regulations around Environmental, Social, and Governance.


Meet the 2023 Winners of the GRC 20/20 Best in Class Awards



We have some exciting news to share. Two of our customers were recently awarded the 2023 GRC 20/20 Best in Class Awards for their outstanding accomplishments in enterprise IT GRC management and compliance management.

Congrats to Guidewire and Zurich Insurance on their much-deserved wins. We’re honored to be part of their journeys towards building successful governance, risk, and compliance (GRC) programs that accelerate business growth, strengthen resilience, and deliver high-value impact.

Here are these companies’ inspiring GRC stories.

Guidewire: Best in Class Enterprise IT GRC Management - Medium Enterprise

In today’s hyper-connected digital world, an IT risk in a seemingly insignificant area of the business can have a profound and cascading impact on the whole enterprise. Many organizations approach these risks reactively – putting out information security fires as and when they arise. But with security breaches increasing, it’s extremely important for IT teams to step back and think strategically about how to streamline resources and monitor IT GRC across interconnected information and technologies.

That’s exactly what Guidewire has done. The California-based solutions provider for insurers set out to replace their siloed and manual GRC program with true risk management processes aligned to business needs and stakeholder value.

The company began by implementing consistent risk assessments and metrics, establishing financially accountable owners for risks and issues, and developing an integrated GRC strategy with a cross-functional GRC steering committee. MetricStream was chosen as the GRC platform to manage policies, controls, compliance, risks (including vendor risks), and business continuity.

Using automation, Guidewire has sped up its risk management processes and reduced open issues by nearly 40%. Risk visibility has also improved, thanks to better reporting and regular cross-business communication. Issues no longer fall through the cracks, resources are deployed effectively, and resolution is tracked systematically through the MetricStream platform.

Since risk owners are clearly assigned, each one can move quickly in the case of an unexpected event. They communicate regularly through dashboards and continuously update views of risk and associated metrics. Unlike before, when they operated in silos, risk owners are now a connected team run on a single GRC platform.

All these efforts make Guidewire a true leader in IT GRC. 

Download the award-winning case study: Guidewire Optimizes Cyber GRC Risk and Compliance with MetricStream

Zurich Insurance: Best in Class Compliance Management - Large Enterprise

Today’s organizations are dynamic and constantly changing. They’re entering new markets, releasing new products, establishing new vendor relationships, and dealing with new regulations – all of which increase compliance risks. To mitigate risk exposure, organizations need to be proactive about monitoring compliance with legal requirements, regulations, policies, and ethics. That means moving away from the compliance silos of the past towards a more integrated approach that strengthens compliance visibility and agility.

Zurich Insurance has embraced this approach. The multi-line insurer, which serves over 210 countries and territories, has modernized and streamlined its compliance, policy, and risk management processes for optimal efficiency. 

Using MetricStream Compliance Management, the company has built a single source of truth to manage its entire global compliance operations. Automated and standardized workflows strengthen compliance efficiency. 

Meanwhile, a centralized compliance policy portal makes it easy for front-line employees to access the latest policies in a secure manner. The company has also streamlined policy creation, approvals, versioning, and discovery.

With real-time visibility into compliance risks and findings, teams can make more confident decisions. At the click of a button, they can see how risks are linked to controls, testing plans, and more. Dashboards and reports provide timely compliance insights, enabling the compliance team to more effectively meet its objective of providing trusted advice to the business. 

Even regulatory changes and updates are proactively captured and managed to ensure that the company is always compliant. This is what makes Zurich Insurance an award winner. 

Download the award-winning case study: Zurich Insurance Modernizes Compliance with MetricStream 

Congrats again to the award winners for setting new standards in GRC. It’s our privilege to work with companies that are finding innovative ways to thrive on risk, strengthen compliance, and demonstrate good governance.

Patricia McParland, AVP – Marketing



MetricStream in Amsterdam: Key Takeaways from 3 Days of Conversations with GRC Experts



I am delighted to have spent a wonderful three days in Amsterdam with our MetricStream customers, prospects, industry experts, consultants, and solutions providers, with a peer-to-peer round table session on Tuesday, the 26th of September, followed by two days at the #Risk Amsterdam event. Here is a recap of the important highlights and key insights from the sessions that were conducted over the three days. 

Executive Roundtable Session

The executive round table session on Designing GRC Programs to Manage Risk and Enhance Operational Resilience brought together cross-industry operational risk, legal, and compliance experts from banking and aviation to advanced medical suppliers. Confidentiality was assured under the Chatham House Rule, so I will not quote specific comments and details here but simply summarize the key challenges and discussion points that were raised and discussed in the following areas:

  • Challenges faced by dealing on a global basis in different jurisdictions 
  • Aligning and attempting to comply in a standard and consistent manner across the organization 
  • The need to strengthen internal cooperation and alignment to address these issues
  • The need to use tools such as the MetricStream platform to map your policies and processes to these regulations and standards and drive this standard unified approach. 
  • Fragmentation and complexity of global management 
  • No such thing as zero tolerance in regulatory compliance: in the real world, there is always cost pressure vs. full compliance
  • Struggle with the volume and complexity as to where to focus given daily changing priorities 
  • Need to engage and align with regulators as appropriate to your industry

Aligning to the above discussion on international issues, challenges, and management, the attendees shared and reviewed the challenges around:

  • The differing international and corporate cultures and the “Human” element of silos and differences; as above, a fragmented view in the current state 
  • The potential to have a different focus on risk vs. compliance by region 
  • The differing and ever-changing assessments of risk vs. likelihood 
  • The strong concern about human corruption and intellectual property rights protection 
  • The need to keep abreast and be agile with ever-changing sanctions and geopolitical risks

Volume Overload

All attendees agreed with the challenge stated by one of our guests around the simple problem of dealing with ever-increasing volumes, including:

  • The increasing number of internal controls to test 
  • Limited resources and budget 
  • Increasing standards and regulations 
  • The need to increase efficiency and standardization 
  • The consistency and transparency required in evaluation
  • The need to remove duplication of effort that persists 
  • The need to deliver and manage effective control execution across multiple divisions and silos of the organization

The Balancing Act of Aligning Goals and Costs

  • The costs of managing the ever-increasing volume weighed up against investor pressure to reduce costs, yet also investor pressure for greater assurance and transparency

Operational Resilience and Data

  • Multiple regulations and different jurisdictions with slightly different requirements 
  • Finding the synergy across the operational risk teams is seen as a challenge with operational resilience 
  • Data integration challenges and alignment are being experienced 
  • Identifying the critical business processes, systems, and assets across the entire organization still presents challenges for some of our attendees

Third-Party Risk and ESG

  • Concern with gathering the right data 
  • Managing the quality of data 
  • Assessing the right cadence of testing and dealing with change
  • What ESG data is being tracked, and how valid is it?

Workshop by Michael Rasmussen

The roundtable discussion was then followed by a workshop with GRC Pundit Michael Rasmussen, “The Father of GRC,” where he further reviewed the above topics with a special emphasis on the “Human Factor.” He discussed in depth: 

  • The nested supply chain issues of 4th and 5th parties and potential impacts 
  • The need for the human firewall, that policies need to be detailed, adhered to, and monitored over and over, and that we need to rely on more than just conduct 
  • The use of AI was reviewed and discussed in appropriate circumstances, and the risks of not using AI and Machine Learning technology

#Risk Amsterdam Event

Then, on Wednesday and Thursday, the 27th and 28th of September, we participated in the #Risk Amsterdam event, and not surprisingly, much the same topics seemed to be the subject of the presentations and conversations. Although we were anticipating a significant focus and questions around the pending Digital Operational Resilience Act (DORA), most of our conversations focused on some of the component elements rather than full DORA compliance and requirements as follows: 

  • Policy management and aligning policies to regulations and controls 
  • Financial & SOX controls testing and certification 
  • IT and Cyber Risk: quantification of cyber risk assessments using FAIR 
  • Quantification and scenario testing in operational risk management / non-financial risk 
  • Bow-Tie analysis 
  • Risk and loss events treatment and reporting 
  • Managing impact assessments with assets and processes across the organization 
  • Managing control frameworks, aligning to COBIT, and yet adding your own controls, such as ISO 27001 and NIST Frameworks 
  • Integrating third-party content feeds into the GRC platform, including Dow-Jones, BMC, Qualys, BitSight, EcoVadis, FinregE, Compliance.ai, Cube, Reg-Room, Sustainalytics, OFAC and Sanctions Lists, among many others

Panel Session on Risk Radar- Unveiling Critical Trends in Risk for 2024 and Beyond

On Thursday afternoon, I joined the panel moderated by Michael Rasmussen with representatives from ABN Amro, Just Eat, and Fiat Republic to share our feedback on the topic “Risk Radar- Unveiling Critical Trends in Risk for 2024 and Beyond.” The big topics discussed were:

  • The impact of Environmental Risks such as the extreme European heatwave and forest fires, Libyan floods, and Moroccan earthquakes, and the ability to be agile and manage events usually assessed as low likelihood but high impact, which now seem to be seen as ever-more ‘likely.’ 
  • The onward impact on supply chains, such as the Suez Canal blockage, brown-out power outages, and then the encompassing Geopolitical, Market, Economic, and Liquidity Risks arising from the likes of the Ukraine-Russia war and other cold war scenarios such as Taiwan and the potential impacts.
  • The reputational loss/ consequence issues around non-compliance on the ‘S’ or Social in ESG with modern slavery, child labor and exploitation, and human rights violations outside Europe as another major risk to manage and contend with.
  • IT & Cyber Risk continuing to remain a very high threat, and the focus extended to the requirements of DORA in the risk and ability to recover quickly from technology failures 
  • The risks around AI, along with the associated ethical concerns and the need to remove bias from algorithm-produced results, to derive fair and equitable solutions that do not infringe on human rights, diversity, and inclusion.
  • The risks and benefits of AI, including deepfakes and criminal spoofing and phishing, and the importance of KYC and KYS along with AML were fully reflected upon. 
  • Regulatory Compliance Risks are also considered a never-ending and growing challenge that is not going away. This significantly impacts the internal costs of managing and complying, with the risk of fines now being made more personal, as in the UK through SMCR enforcement against individuals rather than just the corporate fines of the past, an approach now being reviewed by other global regulators.
  • The interconnectedness of these risks was reflected upon and how all these risks can fully impact the supply chain of not just the third party but extended 4th and 5th parties.

On the panel, we shared our views on the strategies to overcome these risks and how, when aligned with the MetricStream platform, these can provide: 

  • Clear and transparent reporting
  • Drive long-term sustainable goals and implement associated clear policies
  • Drive fast, accurate data on emerging risks across the organization 
  • Use technology to assist predictive analytics and aid human decision-making
  • Use technology to manage the vast data requirements and flow 
  • Need for consistency and standardized taxonomies of data against which to make decisions or a “single-source-of-truth” 
  • Conduct from the top, human awareness, and training and policy attestations frequently reviewed and updated 
  • Engage with the regulators early and get involved in the consultation process wherever possible 
  • Manage risk vs. reward and why more scenario analysis and appropriate quantification in the right areas are required to best determine your risk treatment or adoption 
  • Regular review of policy exceptions due to the changing environment

Needless to say, we on the panel ran out of time on these topics, but MetricStream, through our powerful, fully federated, and scalable data model, is well placed to assist in the improved efficiency, accuracy, alignment, consistency, and transparency of residual risks and managing mitigating actions against a quagmire of external risks that are costly and challenging across all global markets. 

While we at MetricStream certainly can’t do everything, we can certainly help to drive consistency, efficiency, and improved management of your company’s Governance, Risk, and Compliance program by enabling the connectedness and providing rich 360-degree views of those connections, driving faster and better quality data and management of resulting treatments and actions to give you the tools to thrive on risk. 

Interested to learn how MetricStream can help? Request a demo now!

The above blog is an edited version of an article published by the author on LinkedIn. Read the original version here.

Charles Nicholls

Charles Nicholls Senior Sales Executive- MetricStream

Charles Nicholls is an enterprise risk solutions specialist and currently serves as the Senior Sales Executive at MetricStream.

Prior to MetricStream, Charles held various sales, audit, and Network Trading and Enterprise GRC solutions specialist positions at organizations focused primarily on the Global Banking and Financial Markets sector, including Thomson Reuters, Refinitiv, Galvanize, BT, and others. In March 2003, he founded Inspiration Sales Consultants Ltd., which offered services including sales and marketing consulting, staff recruitment, training, and development, and more.


Elevate Your Experience: 2023 GRC Summit, London, Unwrapped

5 min read


The London edition of the 2023 GRC Summit is all set to take place on October 16th and 17th at the prestigious Royal Garden Hotel. Following the remarkable success of our 2023 Miami edition, where GRC industry experts and thought leaders convened to exchange knowledge and forge valuable connections, we are delighted now to offer you the same experience in London. 

Now in its 11th year, the GRC Summit has been the cornerstone of the GRC community, serving as a platform for networking, knowledge-sharing, and the sharing of best practices. It continues to set the standard for the future of GRC. With the compelling theme, "Experience the Power of Connection," this year's Summit will discuss the latest trends and best practices in Connected GRC and the risks and opportunities of artificial intelligence (AI). Prepare to engage with a distinguished global community of risk, compliance, audit, cyber, and ESG professionals for an unmatched experience.

Here’s How to Amplify Your GRC Summit Experience

As we countdown to the Summit, we want to ensure that you have a truly extraordinary experience by providing you with invaluable insights on how to optimize your time. Here is the comprehensive Agenda for the Summit, along with a lineup of our esteemed Speakers. Additionally, we've handpicked a selection of must-attend sessions that promise to be both enlightening and transformative. Don't miss out on these exceptional opportunities.

  • Keynotes from Our Co-CEOs        
    The keynote speeches have consistently been a highlight of the past GRC Summits, and this year will be no different. 

    Gaurav Kapoor, Co-Founder and Co-CEO, will share the opening keynote on Experience the Power of Connection, where he will dive deep into how ConnectedGRC is powering agility and resilience through connected, cognitive, and cloud-based risk management.       

    Prasad Sabbineni, Co-CEO, will share the Product Keynote on Cognitive, Continuous, and Cloud: The Future of GRC. Find out how automated workflows, AI-driven insights, and cloud adoption are revolutionizing decision-making, operational efficiency, adaptive compliance, and more.

  • Expert Panels 
    We have multiple expert panels lined up, specifically tailored to tackle GRC challenges in today's increasingly interconnected risk landscape. Don’t miss out on:

    Driving Operational Resilience through Governance, Risk, Compliance, Cyber and Audit, with Chandrra Sekhaar, Chief Audit Executive (EMEA) - SMF 5, Mizuho, Nor Harliza Baharom, General Counsel, Compliance Strategy & Planning, Petroliam Nasional Berhad (PETRONAS) and Jacqui McDonald, CIO Group Finance, RFT Technology, Barclays.

    The Changing Role of Internal Audit, with Brandon Wright, Head of Books & Records Audit, Bilfinger SE, Ivan Martinez, Chief Audit Executive, Banco Santander London Branch, and Despina Andreadou, Chief Audit Executive, Eurobank S.A.

    The Three Cs of Modern Compliance: Connection, Collaboration, and Culture, with Peter Funck, Head of GRC, Swedish Road Administration, Sophie Dupre-Echeverria, Chief Risk & Compliance Officer, GIB Asset Management, Former – Schroders, Phil Crook, Head of Compliance, Nationwide Building Society, and Nael Kamil Nor Hisham, Senior Manager, Compliance Strategy & Planning, Petroliam Nasional Berhad (PETRONAS).

    Ensuring Collaboration Across the Lines of Defense to Strengthen Internal Controls with Fazal Mohammed, Head of ORM - Asset Management, Phoenix Group, Dorothea Liebl, Head of Internal Control Governance, Siemens Energy AG, and Benjamin Rowsell, Head of Enterprise and Operational Risk, Nationwide Building Society.

    Innovation and Risk: Encouraging a Risk-Taking Mindset for Business Growth with Philipp Herrmann, Head of Risk Management, Operations Department, Abu Dhabi Investment Authority, Petr Brezina, Head of Company Risk, KBC Asset Management and Sahil Bhardwaj, Group Head of Internal Audit & Risk, British Standards Institution.

  • Customer Case Studies               
    Presented by our customers, these real-life success stories provide deep insights into how organizations have successfully navigated the complex landscape of GRC challenges and offer a wealth of knowledge and motivation to propel your own GRC initiatives forward. Make sure to add the following sessions to your schedule.   

    Customer Case Study: Nordea               
    Brian F. Sørensen, Chief Execution Leader - Group Risk Change Management, Nordea  
    Jacob Holmehave, Head of Group Risk Office, Nordea

    Customer Case Study: Siemens Energy               
    Michael Gropp, IT Program Manager GRC, Siemens Energy

    Customer Case Study: Nationwide Building Society               
    Phil Crook, Head of Compliance, Nationwide Building Society  
    Sarah Harman, Leader - Operational Risk Framework and Systems, Nationwide Building Society

  • Product Sessions               
    Interested to learn more about the functionalities and benefits of MetricStream’s GRC products? Our product-focused sessions will provide comprehensive insights, empowering you to fully understand the capabilities and business benefits of our offerings. Be sure to be there for the following sessions:  

    Power What’s Next in Enterprise & Operational Risk Management 

    Power What’s Next IT & Cyber Risk, Compliance Management

    Digital Transformation and Operational Resilience: Adapting to New Technologies and Workflows

    Digital Operational Resilience: Building Robust Strategies to Safeguard Business Continuity in the Face of Disruptions

    Low Code No Code

  • Workshop on Enterprise GRC by Design: Blueprint for an Effective, Efficient & Agile Enterprise GRC Management Program                
    Enterprise GRC is an integral part of an organization's operational framework. When implemented effectively, GRC permeates through every facet of the business, ensuring the consistent attainment of objectives, the management of uncertainties, and the adherence to ethical standards. This necessitates a comprehensive understanding of GRC within the broader context of the enterprise's strategy, objectives, architecture, and processes.               

    Attend this workshop on 16th October 2023 for comprehensive insights into taking an architectural approach to building your Enterprise GRC program.

  • Celebrate and Network with Your Peers               
    Whether it’s at the specially designated peer-to-peer sessions or during the networking breaks, the Summit gives you the opportunity to mingle with your peers and GRC industry experts. On 17th October 2023, join us as we recognize the key achievements of customers and partners in the field of governance, risk, and compliance management as we celebrate the GRC Journey Awards.

See you in London! 

The highlighted list above offers just a glimpse of what awaits you. Check out our Agenda to know more. Delve deeper into the expertise of our esteemed speakers. Read: GRC Summit, London, 2023: Meet the Speakers. 

If you haven't registered yet, don't miss out—secure your spot now! Register here.


Aanya Sharan Associate Director - Marketing

Read the blogs authored by Aanya Sharan, Associate Director - Marketing, for the latest insights on governance, risk management, cyber resilience, and more.


Unlock the Potential of Knowledge Graphs in GRC

4 min read


In today's dynamic business landscape, the effective management of Governance, Risk, and Compliance (GRC) has never been more critical. GRC challenges have increased as economic, geopolitical, social, healthcare, cybersecurity, and other systemic and internal risks escalate. Results from a joint survey on GRC readiness from global GRC think tank OCEG and MetricStream found that 67% of respondents highlighted the urgent need for integrated processes and technologies to improve their GRC performance. 

To this end, knowledge graphs emerge as a sophisticated solution, shedding light on the intricate relationships between a multitude of entities. These structured representations of information span people, places, objects, events, and abstract concepts, offering a holistic view of the interconnected web of knowledge within an organization. So, how can knowledge graphs reshape the GRC landscape? Let's delve into the transformative power they hold.

Why Use Knowledge Graphs in GRC?

Knowledge graphs serve as a potent tool to fortify risk management practices in GRC, facilitating the identification, assessment, communication, management, and automation of risks, empowering organizations to build a robust GRC program through the following.

  • Identifying and Assessing Risks:

    Knowledge graphs empower organizations to pinpoint and assess risks more effectively. Imagine a scenario where a knowledge graph is used to dissect potential risks associated with a specific supplier. By examining the supplier's web of connections, including customers, competitors, and regulatory bodies, organizations can identify nuanced risks such as supply chain disruptions, compliance issues, or even reputational concerns.

  • Transparent Risk Communication:

    Effective risk communication is pivotal in decision-making. Knowledge graphs offer a visual storytelling platform. They enable organizations to convey complex risk profiles to stakeholders in a lucid and succinct manner. Visual representations of these graphs elucidate the connections between different risk factors, enhancing comprehension among both technical and non-technical stakeholders.

  • Risk Management:

    Managing risks is an ongoing process. Knowledge graphs play a pivotal role in monitoring the status of mitigation plans and swiftly identifying emerging risks. Imagine a dynamic knowledge graph that tracks the evolving risk landscape, sending proactive alerts when anomalies or potential threats are detected. This proactive approach empowers organizations to stay one step ahead in risk management.

  • Automating GRC Processes:

    Automation is the cornerstone of efficiency in modern organizations. Knowledge graphs are instrumental in streamlining GRC processes, such as risk assessment and compliance reporting. By automating these tasks, GRC professionals can allocate more time to strategic initiatives and value-added activities, reducing manual overhead.
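To make the "web of connections" idea concrete, here is a small worked example, added to this post and not code from MetricStream or AiSPIRE. It models the supplier scenario above as a typed graph, walks it to find nested (4th- and 5th-party) suppliers, flags risk findings that only become visible through the connections (a sanctions listing deep in the chain, open incidents, a sub-supplier that feeds several of our direct suppliers), and produces the "proactive alert" of the Risk Management bullet by diffing findings between two runs. All entity names and the sanctions-list name are constructed placeholders.

```python
from collections import deque


class KnowledgeGraph:
    """Directed, typed graph: nodes carry attributes, edges carry a relation name."""

    def __init__(self):
        self.nodes = {}   # name -> attribute dict
        self.edges = []   # (source, relation, target)

    def add_node(self, name, **attrs):
        self.nodes.setdefault(name, {}).update(attrs)

    def add_edge(self, source, relation, target):
        for n in (source, target):
            self.nodes.setdefault(n, {})
        self.edges.append((source, relation, target))

    def neighbours(self, node, relation, direction="out"):
        if direction == "out":
            return [t for (s, r, t) in self.edges if s == node and r == relation]
        return [s for (s, r, t) in self.edges if t == node and r == relation]


def supply_chain_tiers(graph, org, max_tier=4):
    """Breadth-first walk against 'supplies' edges. Tier 1 = direct supplier
    (a third party), tier 2 = fourth party, tier 3 = fifth party, and so on."""
    tiers = {}
    queue = deque([(org, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_tier:
            continue
        for supplier in graph.neighbours(node, "supplies", direction="in"):
            if supplier not in tiers and supplier != org:
                tiers[supplier] = depth + 1
                queue.append((supplier, depth + 1))
    return tiers


def assess_risks(graph, org, max_tier=4):
    """Return sorted (entity, tier, finding) tuples for org's whole nested supply chain."""
    tiers = supply_chain_tiers(graph, org, max_tier)
    findings = []
    for entity, tier in tiers.items():
        # Sanctions exposure: a 'listed_on' edge to any node typed as a sanctions list.
        for lst in graph.neighbours(entity, "listed_on"):
            if graph.nodes[lst].get("type") == "sanctions_list":
                findings.append((entity, tier, f"listed on {lst}"))
        # Compliance status recorded on the node itself.
        incidents = graph.nodes[entity].get("open_incidents", 0)
        if incidents > 0:
            findings.append((entity, tier, f"{incidents} open incident(s)"))
        # Hidden concentration: one deep-tier entity feeding several of our suppliers.
        customers = [c for c in graph.neighbours(entity, "supplies") if c in tiers]
        if tier >= 2 and len(customers) >= 2:
            findings.append((entity, tier, f"feeds {len(customers)} of our suppliers"))
    return sorted(findings)


def new_findings(before, after):
    """Emerging-risk alert: findings present now that were absent in the previous run."""
    return sorted(set(after) - set(before))


def build_sample_graph():
    """Constructed sample data; none of these names refer to real organisations."""
    g = KnowledgeGraph()
    g.add_node("ExampleSanctionsList", type="sanctions_list")  # placeholder list name
    g.add_node("SupplierB", open_incidents=2)
    for supplier, customer in [("SupplierA", "OurOrg"), ("SupplierB", "OurOrg"),
                               ("SubSupplierC", "SupplierA"), ("SubSupplierC", "SupplierB"),
                               ("ComponentMakerD", "SubSupplierC"), ("UnrelatedE", "SupplierX")]:
        g.add_edge(supplier, "supplies", customer)
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    baseline = assess_risks(g, "OurOrg")
    for f in baseline:
        print("baseline:", f)
    # A later feed update marks a fifth party as sanctioned; only the delta is alerted.
    g.add_edge("ComponentMakerD", "listed_on", "ExampleSanctionsList")
    for f in new_findings(baseline, assess_risks(g, "OurOrg")):
        print("ALERT new finding:", f)
```

The point of the walk is that SubSupplierC is never a direct counterparty, yet it is a single point of failure for both direct suppliers, and ComponentMakerD's listing sits three tiers away; neither shows up in a flat supplier register, but both fall out of a graph traversal.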

Practical Applications of Knowledge Graphs in GRC

By seamlessly connecting disparate data, knowledge graphs offer unparalleled insights and efficiency in managing GRC across industry verticals. Here are a few illustrations:

  • Financial Services:

    Picture a financial institution that employs a knowledge graph to unearth and evaluate risks associated with its customers. By capturing granular data on financial transactions, customer relationships, and affiliations with other entities such as banks, it identifies risks like money laundering, fraud, or credit risk. Moreover, the knowledge graph provides actionable insights, enabling personalized risk mitigation strategies and enhanced customer due diligence.

  • Healthcare:

    In the realm of healthcare, precision is paramount. Here, a healthcare entity utilizes a knowledge graph to oversee risks linked to clinical trials. The knowledge graph captures a wealth of data, including details about trials, patient involvement, trial progress, and medical research outcomes. By connecting the dots within this expansive dataset, organizations can optimize patient safety, adhere to regulatory requirements, and expedite drug development processes.

  • Government:

    Government agencies are entrusted with safeguarding citizens and upholding regulations. A government agency harnesses a knowledge graph to automate compliance reporting, which often is a labor-intensive and error-prone process. By consolidating data on regulations, legislative changes, and agency activities, the knowledge graph automatically generates compliance reports for pertinent stakeholders. Furthermore, it facilitates real-time monitoring of regulatory changes, enabling proactive adjustments to policies and procedures.

These examples underscore the versatility and transformative potential of knowledge graphs in GRC. As this technology evolves, we anticipate even more groundbreaking applications, further elevating risk management practices. By harnessing the full power of knowledge graphs, organizations can navigate the complex GRC landscape with precision, agility, and foresight. 

MetricStream’s AiSPIRE

Have you had the opportunity to witness MetricStream’s AiSPIRE in action yet? If not, don't miss out! AiSPIRE represents a game-changing advancement in the GRC landscape. It uses AI/ML, GRC ontology-based knowledge graphs, and more to transform the way you approach GRC.

AiSPIRE can empower your organization to:

  • Remove redundant controls and reduce control tests and costs with AI 
  • Gain intelligent control insights and enhance processes for scheduling and prioritizing control tests 
  • Improve risk management by quickly identifying areas that need to be optimized and minimizing potential risks 
  • Gain insights by asking simple questions using a machine learning-based prompt intelligence

Connect with us to explore the future of GRC powered by AiSPIRE, and discover how it can drive efficiency, agility, and effectiveness in your organization's GRC endeavors. 

Request a demo today.

Download Product Overview: MetricStream AiSPIRE

GRC Summit, London, 2023: Meet the Speakers

5 min read


We are closing in on the big day! Just four weeks to go until the 2023 GRC Summit, to be held on the 16th and 17th of October at the Royal Garden Hotel in London. 

During the past decade, MetricStream's flagship event, the GRC Summit, has consistently provided opportunities for the GRC community to connect, share insights, exchange best practices, and, most importantly, set the stage for what's next in GRC. Whether it's an emerging technology, a new process, or a regulation that's going to impact the way you do business, you'll learn about it here. 

Now in our 11th year, and after an exciting edition of the GRC Summit in Miami this June, we are heading to London. The two-day event will bring together the most influential risk leaders to discuss the latest trends and best practices in Connected GRC and the risks and opportunities of artificial intelligence (AI). Our theme is "Experience the Power of Connection," empowering you to achieve more as you continue to thrive on risk! 

Explore our Agenda.

Get to Know Our Esteemed Speakers

As the foremost thought-leadership event in the GRC space, the GRC Summit consistently showcases some of the most brilliant minds in the fields of risk assessment, compliance management, cyber risk, audit, and environmental, social, and governance (ESG). In the upcoming edition of the summit, we are thrilled to present a lineup of over 30 seasoned experts who will grace our stage to deliver compelling keynote addresses, offer invaluable insights, share best practices, and, most importantly, recount their own enriching GRC journeys. 

Scroll down to explore the profiles of a few of our esteemed speakers and gain a deeper understanding of their areas of expertise. 

Chandrra Sekhaar, Chief Audit Executive (EMEA) - SMF 5, Mizuho, is a Senior Audit Leader and pacesetter who initiates action and excitement in the controlled compliance and risk-driven environment and removes skepticism and obstacles to advance the business and capture excellence. A firm believer in strategic control impact and a transformational leader and coach, he promotes team values, builds collaboration, and secures buy-in for change. 

Jacob Holmehave, Head of Group Risk Office, Nordea, is a former external consultant and keynote speaker within change management and transformation. Today, Jacob is the business owner of the development of Nordea’s new Integrated Risk Management Application (IRMA) – a large digital and cultural transformation that will change the way Nordea works with risk management and compliance within all three lines of defense. 

Dorothea Liebl, Head of Internal Control Governance, Siemens Energy AG, has been with Siemens since 1999. She has also served as the Head of Risk and Internal Control at Siemens Global Services and Siemens Real Estate.

David Storey, Vice President - Health, Safety & Environment, dnata, is responsible for the development and implementation of dnata's global HSE strategy as part of the global management team. With over 20 years of experience in airline, ground operations and safety, David has worked for more than two decades in the Middle East region for large international airlines. David holds an MSc in Aviation Safety and is a member of the Royal Aeronautical Society (MRAeS). 

Phil Crook is Head of Compliance, Nationwide Building Society, whose current responsibilities include being the Accountable Executive for the implementation of their first Regulatory Change Management Tool, leading a business-as-usual team that focuses on Risk Insight, Regulatory Developments, Data Analytics, Prudential Compliance and Wholesale Conduct. He joined Nationwide in 2021 following 11 years at Lloyds Banking Group across the three lines of defense, with expertise across Regulatory Compliance, Operational Risk, Retail banking products and Wealth management. 

Dr. Jenny J. Birdi, Head of Operational Risk and Risk Strategy UK, HSBC, has been with HSBC for over 25 years. She is currently the Head of Operational Risk and Risk Strategy for the UK ring-fenced bank, having been appointed to this double-hatted role in April 2018.  She was previously the Head of Three Lines of Defense Execution for Operational Risk.

Philipp Herrmann, Head, Risk Management, Operations Department, Abu Dhabi Investment Authority (ADIA), is responsible for leading the Operational Risk Management practice for the Department and co-leading Enterprise Risk Management efforts. Joining ADIA in January 2016, Philipp plays a key role in shaping ADIA's risk landscape, including the development of Risk Policies, advancement of Risk Culture, and oversight of the MetricStream application. 

Ivan Martinez, Chief Audit Executive, Banco Santander London Branch, is the Head of Internal Audit Santander CIB UK, and is responsible for designing and developing the annual audit plan covering all risks of the investment banking activities in the UK. 

Peter Funck, as Head of GRC, Swedish Road Administration, helps the Swedish Transport Administration strengthen the GRC areas by developing and implementing a new department responsible for the management and coordination of the second-line activities as well as general governance and risk frameworks. 

Brian Sorensen, Chief Execution Leader - Group Risk Change Management, Nordea, has 25+ years of experience within the banking industry, with a majority spent within project and program management and application implementation and the latest 8 years within non-financial risk management. 

Sarah Harman, Leader - Operational Risk Framework and Systems, Nationwide Building Society, has over 20 years of financial services experience. Her responsibilities include being accountable for the setting of the Enterprise Risk Management framework and owning, developing, and maintaining the Society’s Risk system.

Sophie Dupre-Echeverria, Chief Risk & Compliance Officer, GIB Asset Management, Former – Schroders, is responsible for driving an effective risk culture throughout the company, designing the risk and compliance frameworks, and overseeing risk management and regulatory compliance practices. Sophie joined GIB (UK) with extensive experience in the field, having previously served as Executive Director for Compliance and Operational Risk Control at UBS Asset Management. 

Despina Andreadou, Chief Audit Executive, Eurobank S.A., has for the last 25 years been the Group Chief Audit Executive of Eurobank S.A., a European banking organization offering universal banking across four countries. Being one of the four Systemic banks in Greece, Eurobank has a strong presence in Bulgaria, Romania, and Cyprus and offers Wealth Management services in Luxembourg and London. 

Excited to hear and interact with our speakers? Register now.

Delve into our full lineup of speakers and explore their profiles.

Keynotes from our Co-CEOs

MetricStream leaders Gaurav Kapoor, Co-Founder and Co-CEO, and Prasad Sabbineni, Co-CEO, will also be sharing their insights at the London summit. 

If you’re excited about attending – get your ticket now! Register now.

Watch this space for updated information on the speakers, workshops, agenda, and other key highlights of the London GRC Summit.


Aanya Sharan Associate Director - Marketing


