Just a few weeks ago, on June 17th and 18th, the Baltimore Marriott Waterfront was abuzz as over 150 governance, risk, and compliance leaders gathered for the MetricStream GRC Summit—the premier GRC event of the year.
Over the course of two days, MetricStream brought together some of the foremost experts in GRC – with more than 50 speakers – who shared invaluable keynotes, best practices, case studies, and strategic insights on critical areas of focus and priority for leaders. The summit also offered plenty of opportunities to network with peers and celebrate the announcement of the 2024 GRC Journey Awards winners.
I wanted to share some standout moments and key themes shared during the event. You can also check out the video highlights and presentations.
5 Key Themes That Emerged During the Summit
Driven by its immense ability to automate tasks, increase productivity, and predict outcomes, Artificial Intelligence (AI) has quickly moved to the epicenter today. Organizations across industries are leveraging AI to streamline operations, revolutionize marketing strategies, and gain a competitive edge. Its applications range from automating customer service with chatbots to predicting market trends, and optimizing supply chain management.
In GRC, AI’s transformative potential enables organizations to manage risk more effectively, improve compliance, and make data-driven decisions for better governance. Enterprises are effectively utilizing AI for control monitoring, intelligent issue and remediation management, intelligent control insights and control test prioritization, the creation of a common view of risks, and so much more.
While effective and responsible AI systems are crucial, GRC leaders at the Summit focused on the importance of:
Here are two quotes that sum up the depth of discussions around AI.
“One of our priorities is to keep GRC simple. There are two aspects of AI –how do you bring AI to GRC and how do you bring GRC to AI?” --Gunjan Sinha, Co-Founder of MetricStream
“We are at an inflection point on the adoption of AI. Targeted AI adoption for specific use cases will gain traction. Humans in the loop is extremely important.” --Anand Narayan, Head of Regulatory Change Management, Sumitomo Mitsui Banking Corporation
“Agility is extremely important in managing emerging risks and regulatory requirements,” said Prabha Thomas, Chief Risk and Compliance Officer, Tata Consultancy Services. I couldn’t agree more. In today’s fast-paced and interconnected business environment, a conscious move from reactive risk and compliance to embracing proactive resilience is not just a strategic choice—it is essential for thriving in the face of uncertainty.
To build proactive resilience, organizations will need to build risk and compliance agility with a unified view powered by a centralized platform that continuously scans the horizon with regulatory change-tracking technologies and automated feeds from trusted content sources. They will need to integrate compliance management systems with other enterprise systems and apply AI and automation for automated recommendations. Furthermore, given the multitude of regulatory requirements, organizations will need to move to continuous compliance by implementing tools that help them automate control testing and evidence collection for all their enterprise controls.
A particularly resonant theme was the evolving role of the CISO. Numerous Chief Information Security Officers (CISOs), Chief Security Officers (CSOs), and Cyber Risk leaders at the Summit shared their insights on how the role has increasingly shifted towards a business-oriented focus, emphasizing that cyber risk is now recognized as a critical business issue rather than solely a technical one.
Added responsibilities of a CISO now include organizational governance, data loss prevention, and compliance with regulations. This requires not just a solid technical foundation but also a strong grasp of business principles to effectively communicate with other C-level executives and the board.
A CISO’s toolkit today should include a 360-degree view of the organization’s IT risk posture and cybersecurity investment priorities, along with continuous control monitoring, insightful reporting, and cyber risk quantification. This blend of skills and technology ensures they can anticipate risks, implement robust security architectures, and foster a culture of security within their organizations – as well as communicate strategically with the board.
“Regulators are connecting the dots,” warned Deputy Chief Risk Officer, Bank OZK. “If we as an organization don’t break down the underlying siloes, we lose control. We transitioned as a team to look at all the various risk stripes in an interconnected view.”
With the regulatory environment evolving faster than ever, it is crucial for GRC professionals to stay ahead of regulatory changes to ensure that organizations remain compliant and avoid potential fines and reputational damage. This requires utilizing advanced technologies such as AI and cloud-based platforms to streamline this process, ensuring that compliance professionals receive real-time updates and can assess their implications swiftly.
An essential takeaway from the Summit was the wise words of Tolu Oyesfesobi, Head of Financial Controls and Operational Risk, Inter-American Development Bank, who reminded us all to “Have a lot of coffee with your business… for collaboration is key to breaking down silos.”
This simple yet profound advice underscores the importance of fostering strong, communicative relationships within our organizations to achieve seamless integration and collective success.
It also underscores the importance of connecting with the GRC community. In line with the theme, "Experience The Power of Connection," the Summit stood out for bringing together the expertise of top GRC professionals. Customers, including Blue Cross Blue Shield of Michigan, Bank OZK, and Apple Bank, shared their success stories, vividly illustrating how they have effectively tackled the complexities of GRC challenges. We also conducted workshops on how to align ERM with your organization’s GRC strategy and cyber risk quantification that offered practical insights and use cases from industry experts.
As we wrapped up two insightful days in Baltimore, the overarching topic that sparked a lot of discussion was the need to advance GRC maturity with a connected GRC strategy, especially one that is Cognitive, Continuous, and Cloud-based.
See You Next in London!
We’ll be doing it all over again in London on November 6th and 7th! We hope to see you there! Register now.
Learn more about what was discussed at the GRC Summit: Download the presentation and watch the videos.
Healthcare is one of the most strictly regulated sectors in the world. This is understandable and necessary considering that the sector deals with factors as crucial and sensitive as health and life itself. As a result, this sector has witnessed increasing regulatory complexity with different regulatory bodies focusing on various aspects of the industry. The healthcare business is also rapidly evolving and expanding with many providers offering ancillary services such as health insurance and insuretech. This makes the sector susceptible to various new and emerging risks. Healthcare providers also work with third parties who handle sensitive patient information, making it vital for them to effectively manage third-party risks. As regulatory complexity increases amidst a fraught risk landscape, ensuring compliance can be challenging.
In April 2024, records of 13.4 million patients were left exposed thanks to nine incidents of unauthorized access or disclosure of protected health information. 44 hacking incidents in the same month affected 1,919,637 records. The consequences of such breaches through penalties and impact on reputation and image are significant. This blog explores the top five risk and compliance challenges for the healthcare sector and how to address them.
The healthcare sector is governed by regulations and frameworks such as Health Insurance Portability and Accountability Act (HIPAA), the HITECH Act that complements HIPAA by increasing the penalties for data breaches, the 21st Century Cures Act, General Data Protection Regulation (GDPR), PCI DSS, California Consumer Privacy Act (CCPA), Health Information Trust Alliance Common Security Framework (HITRUST CSF), Information Blocking Rule (2021) and Interoperability and Patient Access Final Rule (2021). Most of these focus on patient data privacy, data security, access to information, and cyber security.
Each of these is constantly being updated to keep pace with a rapidly changing risk landscape. For example, this year HIPAA saw some significant updates to its patient privacy provisions and outlined stricter cyber security requirements. It gives patients greater control over their data and mandated risk assessments, incident response plans, data encryption requirements, and updated breach notification requirements. Keeping pace with these updates, assessing their impact on various processes and functions, and adapting internal controls and policies is a significant challenge.
Furthermore, there are federal, state, and local regulations and rules that apply to healthcare providers. Each state has specific reporting requirements regarding public health emergencies, infectious disease outbreaks, and specifying how long medical records can be retained. Some states may even have their own laws regarding patient data. For example, California has laws pertaining to data breach notifications that have to be complied with in addition to HIPAA. Healthcare providers must report relevant situations to their state or local agencies in the prescribed format in addition to complying with federal regulations.
Additionally, healthcare providers must be accredited by industry organizations such as The Joint Commission (TJC) that evaluates organizations on parameters such as patient care safety and healthcare management, Accreditation Association for Ambulatory Health Care (AAAHC), and Urgent Care Association (UCA). This shows that the provider meets quality and safety benchmarks set by the governing bodies. Meeting accreditation requirements, and complying with standards set by each of these bodies is a complex and challenging task.
Healthcare providers have to efficiently manage risks unique to the sector, in compliance with the relevant regulations. In addition to compliance risks, healthcare providers have to be prepared to deal with risks related to patient care and safety as any lapses can have severe legal and financial impacts in addition to damaging reputation and trust. They must be cognizant of risks pertaining to medical instruments and devices in the form of potential malfunctions that impact patient care. There are also risks pertaining to insurance claims, frauds, phantom billing, and upcoding. They have to conduct risk assessments periodically to identify and mitigate potential compliance issues and threats. They also must have comprehensive incident management processes in place to report and respond to crises quickly and effectively. Risks ranging from business operations, third parties, cybersecurity, ESG, and health hazards must be managed effectively along with appropriate business continuity plans. The healthcare industry must move from compliance check-in-the-box activity to proactive risk management to thrive in the complex risk landscape.
Patient healthcare data and records are sensitive and subject to strict security, privacy, and protection laws. Healthcare providers have to ensure that their technology systems meet HIPAA standards, which may prove to be a daunting exercise, particularly for smaller organizations.
Regulations like the 21st Century Cures Act emphasize the need for seamless and secure data sharing. And so, organizations must ensure their electronic health record systems are updated, secured, compliant with regulatory standards, and capable of securely executing data exchanges. It is equally important to ensure that different healthcare systems are interoperable while maintaining data security and privacy. Organizations must also ensure that their technology systems are updated and compliant with the latest security and regulatory standards to protect patient information and ensure foolproof compliance.
Adding to the challenge is the fact that the threat landscape is continually evolving with bad actors increasingly leveraging advanced technology to launch sophisticated attacks. Protecting health care data under these conditions can be a Herculean task. In February 2024 alone there were 24 data breaches, the biggest of which was the breach at Medical Management Resource Group that compromised 2.35 million records. Hacking and ransomware continue to plague the sector and only four breaches affecting 10,000 or more records in February were not hacking incidents. Data encryption is important to protect healthcare records. But ensuring encryption both in transit and at rest to prevent unauthorised access is a challenge.
The rapid evolution of Artificial Intelligence technologies has the potential to transform healthcare. From early detection, faster diagnoses, and better treatment to improved monitoring, decision-making, research, and training, AI is already being leveraged to drive better healthcare outcomes. But, AI comes with a significant risk of data breaches. AI platforms process huge volumes of sensitive data and any vulnerabilities can be exploited by bad actors. Healthcare providers leveraging AI must be cognizant of the security risks associated with it and implement stringent data protection strategies.
Healthcare organizations rely on numerous external vendors ranging from cloud service providers to billing companies, medical device manufacturers and suppliers, and more. Many of these have access to sensitive healthcare data and are subject to the standards set by HIPAA. This is also a vulnerability that can be targeted by hackers. Additionally, healthcare providers must monitor third parties for operational and ethical risks as well as such unavailability or disruptions to medical services, AML, bribery, and other malpractices. Third-party organizations are subject to data protection and privacy regulations such as GDPR and PCI DSS. Healthcare providers must monitor their partners’ compliance with all relevant regulations, as well as their overall risk management and mitigation strategies.
Managing third-party risk must be a crucial part of a healthcare organization’s risk management strategy. They must conduct regular due diligence with vendor risk assessments and security assessments. Compliance with all relevant regulations and standards, and risk evaluation must be a contractual obligation for all third-party vendors working with healthcare organizations. In fact, the HITECH ACT extends HIPAA’s regulations to vendors and includes penalties for vendors for non-compliance. Healthcare organizations must regularly monitor their partners and conduct comprehensive and periodic audits to ensure ongoing compliance. Establishing BAAs with vendors to ensure compliance with a wide range of regulations is advisable, but managing third-party risks adds to the significant compliance challenges of healthcare organizations.
Healthcare providers are operating within a regulatory landscape that is continuously evolving and they must ensure error-free compliance. They have to monitor the regulatory landscape on an ongoing basis to keep pace with emerging regulations and have the capability to adapt and map new regulations and updates to existing practices and controls. Continuous and automated monitoring of risks and controls is crucial for enabling real-time risk assessments, quick decision making, and faster, more effective mitigation efforts. They must have rationalized internal controls to mitigate risks and ensure compliance. They must have automated processes to onboard new third parties and carry out due diligence to ensure there are no gaps in compliance. They must also conduct regular digitized audits and continuous monitoring of compliance processes to ensure there are no gaps. Maintaining compliance reports, logs of security events and communicating with regulatory authorities is another key task for organizations.
MetricStream’s Healthcare solution is purpose-built to help organizations in this highly regulated industry adopt and implement a streamlined, automated, and integrated approach to GRC. Healthcare providers can leverage advanced capabilities for managing regulatory compliance, enterprise risks, including cyber and third-party risk, and internal audit, to improve their overall risk and compliance posture and drive better-informed decision-making.
With MetricStream, your organizations can effectively:
Interested to find out more? Request a demo now.
At the recently held GRC Summit 2024 in Baltimore, David Story, Vice President Health, Safety, & Environment, dnata, provided the audience with a detailed overview of their GRC journey experience with MetricStream.
Dubai National Air Travel Agency (or dnata) was established in 1959 through a government decree. It set up its first international business in 1993. Gradually, over the years, it has seen significant growth across all its business units.
Here are the excerpts from David’s session on “dnata’s Integrated GRC Transformation”.
David: Our foremost priority is safety and security. Through a series of SMART objectives, we're building a best-in-class, health, safety, and environmental system, or HSE ecosystem, as we call it. Over the next few years, up to 2027 and beyond, through our medium-term plan, we are striving for a best-in-class or world-class status, and central to delivering on that goal is the effective use of our GRC platform.
Within dnata, MetricStream is the product that we use, and we have done a number of modifications and upgrades through MetricStream over the years. We refer to it within the company as “dnatahub”, which is everything we do from a GRC perspective.
So, in terms of why GRC is so important to us -- central to that is our safety management system, or SMS. SMS is essentially the bedrock of everything that we do across four key pillars -- safety policy, risk management, assurance, and promotion. To be able to deliver on the requirements of our SMS, our dnatahub platform is absolutely central to achieving those goals.
David: So, how has the dnatahub platform evolved over the last few years?
We're now into the 9th year of our partnership with MetricStream, beginning back in 2015 along with our “Global One Safety” initiative. The first pillar in that strategy was rolling out Incident Management, which allowed us to have one platform for reporting safety occurrences across local businesses.
In 2018, there was global expansion – we introduced new applications within dnata in addition to incident management and reporting.
In 2020, we started moving into the continuous monitoring phase, which saw the likes of our Documentation Management System (DMS). We also introduced surveys and inspection through the auditors. We would go out there and report safety hazards and threats to our organization. This was across all three of our operational divisions.
The beauty of DMS is that it can be accessed by any of our team in the world who got access to Office 365 accounts. Examples of a DMS document could be a global safety alert, a new manual, a guideline document, or a new operational standard. All of those are published through DMS and are automatically and electronically tested within the system as well. So, for auditing purposes, it's very, very efficient.
We also launched Observation Management as well. And, through Issue and Action Management we can assign tasks and actions to our businesses around the world.
We're now moving into Phase IV, as we call it, looking at how we scale up as we continue to build our business. We are currently two weeks away from the launch of the Euphrates upgrade as well.
We've built a very strong partnership with MetricStream, and we've now established a very strong governance model as well in terms of performance monitoring.
David: What's been key to success is keeping things simple. One of the worst things you can do in my role as a safety professional is over-complicate how you manage safety within your business.
In terms of just some numbers, we have got:
What gives me great confidence is 400,000+ observations. We actively encourage -- from our leadership level all the way down to the front line -- to report any unsafe behaviors and actions within our business. What we've seen over the last 2-3 years is a considerable increase in the number of safety reports within the business. So that leads to a much more positive and safety-aware culture.
Over the next few years, we've got some really interesting challenges coming our way. You would have seen the announcement about the new airport project in Dubai. The target is 2033 for the opening of the new terminal with a capacity of 250 million passengers a year. We already have that airport as we have for the last 10 years, and this will be a significant upgrade to be the world's largest international gateway.
We have two to three new businesses that are going to be coming online towards the end of this year, including a particularly large business in Italy. And it's essential that we look at how we scale up to meet that demand, because we could have potentially 3,000 to 4,000 users within dnata by the end of this year.
Also Read:
The rapid evolution of Artificial Intelligence (AI) and particularly Generative AI has opened up new opportunities, and prospects of development and inclusive growth. But, in the wrong hands, AI can unleash fraud, discrimination, disinformation, stifle healthy competition, disenfranchise workers, and even threaten national security. The United States of America, the European Union, and the United Kingdom have taken the first steps to regulate the development of AI with a strong focus on data privacy, transparency, accountability, security, and ethics.
Here is a quick overview of the key regulations being implemented in these three regions, highlighting the main points to note.
The European Parliament adopted the Artificial Intelligence Act in March 2024, which will be fully applicable 2 years after entry into force. The objective of this Act is to standardize a technology-neutral definition for AI for future reference. Furthermore, the Act aims to ensure that AI systems within the EU are safe, transparent, traceable, non-discriminatory, environmentally friendly and monitored by people and not automation. The law uses a risk-based approach, with different requirements based on the level of risk.
Risk level definition: It defines 2 levels of risk and states obligations for providers and users depending on the risk level:
Unacceptable Risk AI Systems - These are considered to be harmful for people and will be banned:
There are some exceptions and rules established for law enforcement agencies.
High Risk AI Systems - AI systems that can negatively impact fundamental rights and / or safety of people:
AI systems used in products covered by the EU’s product safety legislation, such as toys, aviation devices and systems, cars, medical devices and elevators.
AI systems in specific areas that have to be registered with an EU database:
High-risk AI systems will have to be assessed before they can reach the market and will be assessed throughout their lifecycle. EU residents can file complaints with relevant national authorities.
Transparency requirements – While the Act does not classify Generative AI as high risk, it mandates transparency requirements and compliance with EU copyright laws:
Supporting Innovation – The Act aims to help startups and small to medium businesses leverage AI with opportunities to develop and train AI algorithms before public release. National authorities have to provide companies with suitable testing conditions that simulate real-world conditions.
In February 2024, the UK Government announced its response to the 2023 whitepaper consultation on AI regulation. Its pro-innovation stance on AI follows an outcome-based approach with a focus on 2 key characteristics – adaptivity and autonomy – that will guide domain specific interpretation.
It provides preliminary definitions for 3 powerful AI systems that are integrated into downstream AI systems:
It sets out five cross-sectoral principles for regulators to use when driving responsible AI design, development, and application:
The principles are to be implemented on the basis of three foundational pillars:
The White House Office of Science and Technology Policy has formulated the Blueprint for an AI Bill of Rights with five principles to guide the design, use, and deployment of AI systems. The includes:
Safe and Effective Systems
Algorithmic Discrimination Protections
Data Privacy
Notice and Explanation
Human Alternatives, Consideration, and Fallback
In addition to these federal guidelines, several states are also formulating their own regulations. 17 states (California, Colorado, Connecticut, Delaware, Illinois, Indiana, Iowa, Louisiana, Maryland, Montana, New York, Oregon, Tennessee, Texas, Vermont, Virginia and Washington) have enacted 29 bills on AI regulation over the last five years.
AI technologies are here to stay and the world has to learn to use them safely for the betterment of humanity. Regulations for AI development and use are critical to protect populations from bias, discrimination and breach of privacy. AI technologies are evolving at an unprecedented pace, and regulators across the world are following suit with quick updates or new frameworks. Organizations need automated compliance platforms to keep pace with this rapidly changing regulatory landscape.
MetricStream’s Compliance Management can simplify and fortify enterprise compliance initiatives amidst a rapidly changing regulatory landscape. Gain greater visibility into control effectiveness and quick issue remediation with streamlined:
Even as compliance management is simplified and streamlined, it is important to have a mechanism in place to keep track of rapidly evolving regulations. MetricStream’s Regulatory Change Management platform is a centralized framework that can help organizations capture, curate, identify, extract, consolidate, and manage regulatory changes and updates sourced from diverse providers.
Find out more. Request a personalized demo today!
With Asia-Pacific’s (APAC) economic growth surpassing expectations, businesses have much to be optimistic about. However, as regulations and risks in the region grow more numerous, the need for effective governance, risk, and compliance (GRC) has never been more pressing. APAC GRC professionals are being called upon to spot emerging risks, connect the dots, and help their organizations adapt swiftly to regulatory changes. GRC solutions that can help meet these demands at scale and speed will make all the difference.
I recently had the chance to host GRC Design Workshops in Malaysia and the Philippines in association with our strategic partners - HCLTech and Expleo respectively. The workshops, led by Michael Rasmussen, GRC Analyst & Pundit, GRC 20/20 Research, delved into a range of GRC areas, including the evolving risk and regulatory landscape in APAC, GRC challenges faced by organizations in the region, how technology and automation can help, and more.
Here are some of the key takeaways from the workshops, providing insights into the trends and opportunities likely to be encountered by GRC professionals as they gear up for the road ahead.
Keeping pace with regulatory change is no small feat. In the past three years alone, Singapore, Hong Kong, and Australia have either revised or issued new standards and guidelines around operational risk management and resilience.
Meanwhile, India enacted its first comprehensive data protection law in 2023 – the Digital Personal Data Protection (DPDP) Act, even as Japan substantially amended its own Act on the Protection of Personal Information (APPI), a year earlier.
Climate change too has been enveloped in a flurry of regulatory activity. Vietnam’s Law on Environmental Protection took effect in 2022, followed by Malaysia’s Energy Efficiency and Conservation Act in 2023.
In addition to juggling regulations, APAC GRC professionals also have to navigate a growing variety of risks – including the Ukraine and Middle East conflicts that have strained global supply chains; extreme weather events like the floods in China and drought in India; the risks of deep fakes and misinformation associated with AI; and of course, the constant threat of a cyberattack. Incidentally, APAC experienced the highest year-on-year surge in weekly cyberattacks during Q1 2023, with an average of 1,835 attacks per organization.
Risks come from within the organization too – from changes to business objectives, structures, processes, employees, and technologies, as well as from the extended enterprise of suppliers, vendors, contractors, dealers, and distributors.
Getting these risks under control is key to strengthening organizational resilience and performance.
If there’s anything we’ve learned over the past few years, it’s that everything is connected. A data breach in a third-party service provider’s system can disrupt entire supply chains, damage business reputations, trigger hefty regulatory penalties, and sometimes even shut down operations for days.
That’s why it’s so important to be able to see the big picture – to understand how risks impact and influence each other, how they affect compliance, and how they hinder or help the achievement of business objectives.
GRC offers that perspective. It enables organizations to understand the road ahead more clearly, make better-informed decisions, and capitalize on the right opportunities at the right time. In other words, GRC shouldn’t be seen as an afterthought, but an enabler of the business.
APAC GRC professionals tell us that these are some of the GRC challenges they face:
Here are six ways to overcome the above challenges, and create a truly world-class GRC program:
MetricStream ConnectedGRC helps you build an automated, truly integrated, and collaborative approach to GRC. Reduce risk exposure with streamlined assessments and mitigation. Enable consistent compliance with robust control testing and reporting tools. Finally, achieve your objectives with ease using strong governance and policy management mechanisms.
MetricStream products are packed with best practice workflows, content, AI, and analytics to help you:
To learn how MetricStream can help you on your GRC journey, request a personalized demo today.
At the 2023 GRC Summit in Miami, Tice Morgan, Senior Manager, Governance and Compliance, American Fidelity Assurance, discussed how they improved the management of their third-party risks and IT compliance processes, their transformation journey experience with MetricStream, and more. American Fidelity Assurance is a leading health insurance company operating in 49 states across the US.
Here are the excerpts from Tice’s session at the summit.
Tice: A lot of our GRC needs were associated with simplifying our compliance program and also looking at how we could better control or at least assess our third parties.
We operate in 49 states, and what I found was that I'm answering the same questions for each of these regulators, sometimes on a quarterly basis, sometimes only on an annual basis. We really wanted to look at a compliance framework that we can customize to allow our organization to harmonize these controls. State once and then use many times.
Having a consistent approach to control and that consistent expectation of evidence has really been a challenge for our organization. And part of that is our ability to tailor our control efficacy and the frequency in which we operate. When the team comes in to test controls, they're going to test it once a year. They're going to do a small sample set. But if we look at the volume, and some of the issues that we've had like any large organization was things slip through the cracks. If they happen to sample one of those slips through the cracks, that control is going to fail for that year. So, what we're actually in the process of implementing it's a monthly control testing component so we can at least catch that up.
Tice: Our GRC program today primarily focuses on third-party risk and IT compliance.
I wanted to start out really small. We started with the Third-Party Risk Management product, and that was a pretty quick deployment. For IT compliance, it's definitely more of a long-term strategy for our organization. And part of that is that the ecosystem is changing – especially on the privacy side.
One of the compelling features of the MetricStream Platform is that it has really helped us enable our organization to be a little bit more efficient and a little bit more consistent about how we support our compliance and our third-party program.
Tice: From a key learnings and best practices perspective, one of the things that I always stress is to keep it simple. We had 137 controls when we started, and we've been able to whittle that down to 68 key controls that primarily address the majority. There are always those one offs, and we do accommodate for some of those. But I think those should be more the exception versus the rule.
The other element is to explain, educate, collaborate, and then automate. I will admit that I look at automation in two ways. There are always the technology automation components, system interaction, and API integration. Those are all good, but in a lot of cases, automation can also be just process efficiency.
The other thing is best practices – really understanding the mechanics of what you are trying to assess. The other element is identifying key source systems and reporting requirements. I really can't stress this enough, because in a lot of cases, there are a lot of systems, and getting the data out of those systems [is critical]. The GRC platform that you’re implementing is only a component of your overall compliance function.
The one thing that it does allow us to do is facilitate continuous control monitoring. In a lot of cases, we are working to test controls on a monthly basis. That way, even though our external regulators are going to do it in a quarter or on a yearly basis, we know in advance that we’re going to have an issue with that control. We can go do the awareness, we can go to the communication, the training, augment that control, or refine that control to make sure that evidence is going to be good for us. So, we catch it before the regulator or our internal audit team assesses it. It also allows us to reduce our overall control expectations and the ability to reuse controls for certain things.
You can watch the complete session here:
Find out how we can help you on your GRC journey. Request a personalized demo today!
It is almost an understatement today to say that the rise of Artificial Intelligence (AI) and Generative AI have been game-changers for businesses. In India, as many as 84% of CEOs are either securing new capital or reallocating funds from other budgets to finance GenAI, aiming to gain a competitive edge. Understandably so, given that, about 84% of Indian consumers say they were most likely to procure from an organization that uses GenAI.
As we find ourselves on the brink of the vast potential of AI, it is immensely critical to approach the technology with awe and a certain amount of prudent skepticism. Let's face it – the big player in the game right now is OpenAI, holding a ton of power in its hands. And guess what? With great power comes great responsibility, and also the fact that concentrating such substantial power in one organization could raise some significant concerns.
Who can overlook the several lawsuits OpenAI struggles with from best-selling authors, citing valid concerns about copyright infringements?
In this background, one must ask how we will keep OpenAI in check. The concern extends to a broader community of researchers, tech companies, policymakers, corporations, and even end-users, all of whom should participate in this conversation.
OpenAI, frequently leading the charge in AI research, has achieved noteworthy advancements. From creating language models capable of producing text similar to human language to solving global challenges, the organization has sparked a surge of technological progress. For countries like India, this has translated into positive outcomes with the adoption of AI technology, which is expected to propel GDP by a substantial $1.2-1.5 trillion over the next seven years.
However, the responsibility for developing and implementing AI does not rest solely on the shoulders of its creators. Instead, this calls for a collaborative effort involving a network of stakeholders, each shouldering their part of the responsibility.
Here's what each stakeholder must do.
Researchers must collaborate to usher in best practices that collectively help tackle potential risks associated with AI. Research teams should work on setting up standard benchmarks for testing AI fairness and developing open-source auditing tools.
Next in line are the tech companies that are actively engaged in the implementation of AI technology. Tasked with deploying AI solutions across diverse industries, these companies are responsible for ensuring compliance with regulatory frameworks and designing AI products that minimize risks. On their part, developing strong ethical AI guidelines and cultivating a culture that emphasizes responsible AI within the company is of utmost importance. Companies should establish AI ethics committees accountable for overseeing AI projects, aligning them with company values, and ensuring transparency in decision-making processes.
Conducting AI risk assessments to proactively identify and mitigate potential issues like data breaches, algorithmic bias, and compliance gaps is crucial. Organizations must integrate AI governance into their risk management and compliance strategies – GRC for AI, technically speaking. Essential to this process is collaboration with AI experts to formulate policies and establish processes prioritizing responsible AI adoption.
Policymakers must foster an environment that encourages AI innovation while regulating its use to alleviate risk. Formulating resilient and adaptive regulations that promote innovation and protect public interests could be challenging. So, policymakers must collaborate closely with experts, tech firms and the general public to make well-informed decisions and tackle AI's ethical, legal, and societal implications.
The fundamental practices of Governance, Risk Management, and Compliance (GRC) have consistently played a crucial role in the business world, ensuring ethical operations and adherence to legal boundaries for organizations. Nevertheless, using AI in diverse facets of business operations demands an evolution of GRC practices.
The GRC approach must take into account AI-related risks like data breaches, algorithmic biases and compliance-related issues. Organizations must create governance frameworks that supervise AI strategies, investments, and initiatives, such as aligning AI projects with organizational goals and ensuring transparency in decision-making processes.
The responsibilities and risks of AI should not rest solely on the shoulders of one company. Taming OpenAI or any such technology will require collaboration between researchers, tech firms, policymakers, corporations, and end-users. Additionally, these efforts must all be rooted in robust modern technology-enabled GRC practices to foster an environment of responsible innovation.
This blog was initially featured as an article on ET CISO. Read the original version here.
Find out more about MetricStream ConectedGRC. Request a personalized demo now.
The MetricStream GRC Summit 2024 is all set for June 17th and 18th at the Baltimore Marriott Waterfront in Maryland. For over a decade, the GRC Summit has been the ‘go-to GRC event’ for the risk and compliance community, enabling the fostering of connections, sharing of insights, and exchanging of best practices. It has continuously set the stage for what’s next in the world of GRC. Under the compelling theme of Experience the Power of Connection, this year's Summit promises to be our best yet. Prepare to join an esteemed global community of risk, compliance, audit, and cyber professionals for an unparalleled experience.
With so many significant events happening around the same time, such as the IIA International Conference, the Gartner Conference, and the American Bankers Association (ABA) conference, we know your time is limited. So, here are some top things to do to maximize your experience at the premier technology conference of the year!
The keynote speeches have always been a highlight of the GRC Summit, and this year is no exception. Attendees can look forward to exclusive insights from MetricStream leaders, including Gaurav Kapoor, Co-Founder and Co-CEO, Prasad Sabbineni, Co-CEO, and Gunjan Sinha, Co-Founder and Executive Chairman, along with other industry leaders in the opening and closing keynotes.
These sessions are not to be missed! Numerous thought leaders will participate in panels on day 2. Listed below are a few that are sure to be insightful and thought-provoking.
Don't miss out on these real-life narratives showcasing how organizations have effectively tackled the intricate realm of GRC hurdles. They provide invaluable insights and inspiration to propel your own GRC endeavors forward. Check out:
Product sessions are a cornerstone of the GRC Summit. Our tailored product sessions promise to equip you with thorough insights, enabling you to grasp the full spectrum of capabilities and advantages our offerings deliver.
Raghuram Srinivas, SVP, Product Management, MS Innovations, MetricStream, will be presenting sessions on:
Kiran Kumar Nakhate, Senior Principal Product & Platform Development Manager, MetricStream, will be presenting a session on:
The workshops are designed to offer practical insights and hands-on experience from industry experts, fostering a deeper understanding of critical GRC strategies and their real-world applications. Gain extensive knowledge of specific topics that you can apply directly to your organizations.
Christopher E. Mandel, Founder & President, Excellence in Risk Management, LLC, will be conducting a deep-dive workshop on:
Grace Beason, Director Of Governance, Risk and Compliance, Guidewire Software, and Gavin Anthony Grounds, CEO & Co-founder, Mercury Risk and Compliance, Former - Meta & Verizon, will jointly be conducting a workshop on:
Located at the Baltimore Marriott Waterfront, the venue offers stunning views and a range of amenities. Take some time to enjoy the local attractions in Baltimore, such as the Inner Harbor, historic sites, and vibrant dining scene, to make the most of your visit.
Networking is a significant component of the GRC Summit. Attendees will have the chance to connect with peers, share experiences, and discuss challenges. The Summit provides a conducive environment for formal and informal networking opportunities, fostering connections that can lead to future collaborations.
The list above is just a part of what’s on our Agenda. Join us and deep-dive into all things GRC! Get to know more about our esteemed speakers. Read our recent blog post. Meet our Speakers, to get to know more about the speakers and their areas of expertise.
Not yet registered? Register now.
At MetricStream’s flagship event, GRC Summit, Clyde Tsai, GRC Lead at Autodesk, shared how MetricStream has helped them implement an integrated framework for IT risk and compliance management programs. Autodesk is a leading provider of software products to architecture, engineering, construction, product design, manufacturing, media, and entertainment industries.
Here are the key takeaways from Clyde’s session at the summit.
Clyde: One of the very special things about Autodesk teaming up with MetricStream is that we're trying to get FedRAMP compliant. We are in the midst of getting the authority to operate in FedRAMP – it is the ability to sell to the federal government. It’s a huge audit and continuous process. That was actually our main driver for choosing MetricStream.
Apart from that we're also doing compliance for a range of frameworks. We’re trying to infuse more of a culture of risk-aware decision-making. We have a small risk team and we’re trying to do as many risk assessments as we can. Automation really helps us with that.
Clyde: We’re two years into it. Specifically, the products – IT and Cyber Risk Management, IT and Cyber Compliance Management, and Policy and Document Management. All of our initial use cases are security use cases – security compliance, security risk, FedRAMP compliance, and security policies.
Clyde: We have this challenge with silos -- we have security, privacy, internal audit, ERM, IT, and legal. The challenge that I see here is understanding and being informed when something is happening in any of these areas that affects me as a GRC implementation person. To address this challenge, we are just learning how to do interdisciplinary working groups.
An example of this is our initiative to put together an information asset inventory, which is a requirement for ISO and other frameworks. This information asset inventory includes all organizational databases, EC2s, containers, and much more. To do it right, one should collect this data from other systems. But the challenge is determining the authoritative sources of truth and what the systems are, what data is in them, and then normalizing them if they're coming from multiple systems.
In such a situation, one should piggyback on other data consolidation efforts. And that's one thing that I've learned while putting together these interdisciplinary groups. I am communicating with these groups, and they have similar initiatives going on. So, I can put my requirements in there as they might have bigger teams for doing these things.
Another challenge is that we have some processes that are mature and some that are immature. MetricStream has a lot of these workflows already as out-of-the-box workflows. Therefore, you have an opportunity to just use that as your process and have the perfect alignment between your technology and your process, which is rare to have.
Clyde: Regarding business value that we have realized:
Going forward, our priorities include end-to-end compliance testing, integrated control framework, automated evidence collection, and security policy management lifecycle.
You can watch the complete session here:
Join us in our upcoming GRC Summit 2024 in Baltimore on June 17-18 to explore other real-world GRC implementation stories. To register, click here.
We're officially in countdown mode! With just six weeks to go until the 2024 GRC Summit, to be held on June 17th and 18th in Baltimore, excitement is high. This year marks the 12th anniversary of our GRC event, and our theme, "Experience the Power of Connection," aims to empower you to achieve more as you continue to thrive on risk!
MetricStream’s flagship event, the GRC Summit, has been a ‘must-attend event’ for the GRC community over the past decade. The GRC conference serves as a platform for networking, sharing insights, exchanging best practices, and setting the stage for the future of GRC. Whether it's exploring emerging technologies, discovering new processes, or dissecting new regulations impacting business operations, the summit is the place to stay ahead of the curve.
The two-day technology conference will bring together an influential gathering of 200+ GRC leaders and recognized industry experts to discuss the latest trends and best practices in Connected GRC, the risks and opportunities of artificial intelligence (AI) for GRC, GRC for AI and more.
Find out more: Explore the GRC Summit Agenda.
As a leading thought-leadership event in the GRC realm, the GRC Summit consistently showcases top-tier expertise in risk, compliance, cyber, audit, and operational resilience. This year, we're thrilled to present over 45 experts who will deliver insightful keynotes, offer valuable insights and best practices, and generously share their own GRC journeys.
Keep scrolling to meet some of our esteemed speakers and learn more about their areas of expertise.
Discover more about our speakers, along with the full speaker lineup.
MetricStream leaders Gaurav Kapoor and Prasad Sabbineni, our Co-CEOs, along with Gunjan Sinha, our Co-Founder and Executive Chairman, will offer valuable insights in their keynote addresses and panel discussions.
Secure your ticket now, as they're going fast! Register now.
Stay tuned for more updates on speakers and exciting highlights of the GRC Summit. Bookmark this space!