×
Blogs

Selecting the Best GRC Solution: What You Need to Know Before Investing

15-Feb-24-1076276255-blog-homepage-thumb
6 min read

Introduction

Key Considerations for Buying a GRC Software Solution

As organizations grow and scale their operations, they are required to upgrade their governance, risk, and compliance (GRC) programs and activities accordingly. While a traditional approach to GRC involving spreadsheets, emails, and/or point solutions would have somewhat worked in the past, expanding business operations together with the fast-changing risk and regulatory landscape compels organizations to consider investing in GRC tools and software solutions. 

Finding the right solution is daunting considering the growing number of GRC software vendors in the market, each promising their unique value proposition. Gartner notes that the GRC vendor selection process is also complicated due to the wide range of requirements of various stakeholders involved in the process, such as BU heads of enterprise risk management, corporate compliance, IT and cyber security, credit risk management, and others. 

Organizations are increasingly seeking a one-stop solution that is connected, scalable, and cognitive, as well as one that meets the expectations of various stakeholders. On these lines, what are the specific capabilities that the decision-makers must keep in mind before choosing a GRC solution? 

In this blog, we discuss the key considerations for buying a GRC software solution – from a buyer’s perspective. Let’s break it down.

1. Connected: Integration and Interoperability

While exploring various GRC solutions, organizations would definitely find terms like ‘integrated approach,’ ‘integration,’ ‘unified approach,’ ‘holistic approach,’ etc., again and again. What does it mean? 

More often than not, organizations find themselves managing governance, risk management, and compliance activities in a disjointed manner, depending on the maturity of each process and evolving business requirements. This inevitably results in organizational silos, which lead to duplication of efforts and data, blind spots, and high cost of compliance. Particularly in the era of amplified interconnectedness of risks and shared controls, it hampers an organization’s ability to accurately understand risk relationships and impact on effective decision-making. 

An integrated approach is nothing but a cohesive approach to managing governance, risk management, and compliance activities across business units, geographical locations, and the extended vendor network. It requires firm-wide common GRC taxonomy, shared risk and control libraries, enterprise-level and business unit-level risk appetite allocation and risk aggregation, and standardized and streamlined processes across GRC activities. Most importantly, it requires buy-in from all key stakeholders. 

Deploying a single, technology-driven GRC solution, with capabilities for establishing standardized taxonomy and centralized risk repository, can help an organization: 

  • Gain a single source of truth for all stakeholders 
  • Eliminate duplication of efforts and reduce costs 
  • Improve efficiency by automating repeatable tasks 
  • Enhance risk visibility and foresight with real-time, actionable insights

Interoperability is the ability of the GRC software to securely exchange information with other systems. While the integrated approach calls for the implementation of a single system, it is important to ensure that the system supports interoperability to capture and aggregate risk information from various sources. For example, integrating with regulatory content providers, risk rating providers, threat intelligence providers, and others via APIs or connectors.

2. Cloud: Agility and Scalability

The solution must be flexible to scale up or down depending on changing business conditions and requirements. A cloud-based GRC solution offers this much-needed agility and flexibility with high security, greater efficiency, and easier upgrades compared to on-premise solutions. Furthermore, opting for a cloud-based solution is also aligned with the ongoing digital transformation initiatives at organizations. McKinsey estimates that most companies will aim to allocate 80% of their IT budget toward cloud computing by this year.

In this context, low-code/no-code capabilities are also gaining popularity. By enabling organizations to configure and personalize the solution to meet their specific needs without the need to depend on the software vendor, a solution with low-code/no-code capabilities can significantly accelerate GRC program productivity and outcomes.

3. Cognitive: Artificial Intelligence and Continuous Innovation

There is no denying that artificial intelligence (AI)-infused workflows are the future. We are already seeing more and more applications of AI in GRC processes, such as scanning the regulatory horizon, managing issues, providing remedial action recommendations, optimizing the control environment, scanning policies and documents, and many others. With its promise to provide actionable insights quickly, AI can help organizations accelerate decision-making, create bandwidth for teams, and gain a competitive edge. 

To better meet the needs of today’s dynamic enterprise, GRC solutions need to go beyond just being a workflow-driven automation tool to a more comprehensive tool that’s cognitive and intelligent. A ‘single pane of glass’ view has become the industry norm for reporting GRC metrics. In this context, organizations are increasingly looking for solutions that support cross-product reporting, which allows importing relevant data from various products to build one comprehensive report. 

When considering a GRC solution, organizations should evaluate the technological prowess of the vendor. This requires examining not only the current capabilities and functionalities offered by their solution but also their innovation roadmap. Continuous innovation is essential for ensuring that the GRC solution is relevant and ready to adapt to the evolving business and technological landscape.

4. Continuous: Autonomous and Always-On

A periodic approach to managing governance, risk, and compliance management activities and processes is no longer effective in the digital era. Organizations today operate in a highly dynamic business environment, where they must protect their IT infrastructure, data, and assets from cyber risks, stay on top of threats, vulnerabilities, and other emerging risks, and be compliant with a multitude of industry regulations and standards. Relying on human effort for these tasks will not only result in a lag where risk, compliance, and audit teams struggle to meet expectations but also leave the organization vulnerable to risks and blind spots. 

An autonomous, always-on approach is one that is continuously running in the background and requires minimal human intervention. Before choosing a GRC solution, organizations must explore if it supports autonomous capabilities, such as continuous testing and monitoring of controls to proactively identify control weaknesses and gaps and compliance with relevant regulations. Ideally, the solution should collect evidence, generate automated reports, and notify appropriate personnel for remedial actions.

How MetricStream is Leading the Way

MetricStream’s core innovation focus is on making its products and solutions more Cognitive, Continuous, Connected, and Cloud-based. We are a recognized industry leader in GRC, empowering organizations across industries and geographies to thrive on risk for 25 years now. Here’s what sets MetricStream apart in the GRC space: 

  • Future-ready products and solutions built on top of a low-code/no-code integrated GRC platform that empowers all stakeholders to follow a consistent and collaborative approach 
  • Intelligent AI-powered capabilities for managing issues, recommending action plans, scanning of SOC2 and SOC3 reports, and AiSPIRE, an AI-based knowledge-centric tool for GRC 
  • Autonomous capabilities that enable continuous testing and monitoring of controls across on-prem and cloud environments 
  • Truly connected products that allow secure sharing of data across MetricStream platform as well as external third-party GRC systems 
  • Forward-looking product innovation roadmap and strategy that leverages peer-to-peer discussions on industry trends and best practices through customer forums and advisory boards
business-grc-buyers-guide-banner-lp

If you want to understand how MetricStream can help you embark on the GRC journey, request a personalized demo today.

Pat McParland

Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.

 
Blogs

What’s Next in GRC and Risk Regulations? 10 Key Focus Areas for 2024

blog-banner-regulations-2369193499
10 min read

Introduction

Like the French proverb says, the more things change, the more they stay the same – except when they speed up! Of course, I added that last part. But when it comes to regulatory change, there does seem to be one constant: expansion. Thomson Reuters says there were more than 230 regulatory alerts a day in 2022. That’s not hard to believe with the escalating levels of regulatory activity around operational resilience, artificial intelligence (AI), cybersecurity, data privacy, and ESG, among others. 

In 2023, we saw some key cybersecurity and digital operational resilience regulations crystallizing in the U.S. and the European Union, setting a precedent for other regions. The regulatory momentum seen in 2023 will continue and likely become more intense in 2024. 

So what’s on the horizon for 2024, and what should you prepare for? Here’s a look at 10 key regulations and focus areas we are watching.

1. AI-Focused Regulations

The growing regulatory focus on AI in recent months is not surprising, considering the exploding use of AI and generative AI (GenAI) across industries. The trend is expected to continue well into 2024 and beyond. 

In January 2023, the National Institute of Standards and Technology (NIST) released the NIST AI Risk Management Framework (AI RMF 1.0), which aims to “improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.” Another major development was the Executive Order published by the White House on the safe, secure, and trustworthy development and use of AI. 

The European Union is also taking steps to regulate the use of AI. In December 2023, EU officials reached a provisional agreement on comprehensive rules to ensure safe and trustworthy use of AI. According to a report from BBC, the EU Parliament will vote on the AI Act proposals this year, with the legislation to not take effect before at least 2025. Additionally, China, Canada, Brazil, South Korea, Singapore, the UK, and the UAE are all in various phases of rolling out AI-related regulations, which are likely to be adopted sooner rather than later. 

Like AI itself, we expect to see these regulations to continue to develop and evolve just as the technology itself does – and as we as an industry employ new use cases of AI for GRC.

2. SEC Cybersecurity Rules

Cyber risk is a top risk faced by organizations today. The risk of cyber attacks and data breaches has been further amplified by the widespread and easy accessibility of AI-based tools, which can be leveraged by cyber criminals to launch attacks on massive scale. Regulatory authorities are hard at work to ensure organizations have necessary measures in place to protect organizational assets and interest of all relevant stakeholders. 

The U.S. Securities and Exchange Commission (SEC) adopted Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Rules in July 2023. The focus of these rules is for public/listed companies to 

  • Implement a robust incident management process with direct reporting to the SEC 
  • Periodically disclose details of the expertise of their board and senior management and also their cybersecurity risk management processes/procedures in place 

For risk management, strategy, and governance disclosure requirements, public-listed companies are required to provide the disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. 

To learn more about the SEC’s Cybersecurity Rules, read our blog "Achieve Compliance with SEC’s New Cybersecurity Rules ".

3. NIST Cybersecurity Framework (NIST CSF)

In addition to regulations, regulators and standard setting bodies also issue guidelines and frameworks to help businesses manage cyber risks effectively. The NIST Cybersecurity Framework is one of the most widely used frameworks by organizations. First published in 2014, the framework provides “a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs.” 

The National Institute of Standards and Technology (NIST) released a revised draft of the framework for public comment in the latter half of 2023. The draft update or Framework 2.0, it said, “reflects changes in the cybersecurity landscape and makes it easier to put the CSF into practice — for all organizations.” According to the official announcement, the final version of CSF 2.0 will be published in early 2024. 

To learn about what’s new in the revised version and how you can achieve compliance, read our blog "Demystifying NIST CSF 2.0: What's New and Why it Matters ". Also, explore how MetricStream can help you get started with NIST CSF with pre-packaged content.

4. Cybersecurity Maturity Model Certification (CMMC)

Another major cybersecurity standard and certification model is the U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC). CMMC is designed to “enforce protection of sensitive unclassified information that is shared by the Department with its contractors and subcontractors.” 

The CMMC final rule is also expected this year. In 2023, the Department of Defense sent the draft rule, CMMC 2.0, to the White House’s Office of Information and Regulatory Affairs (OIRA) for review. CMMC 2.0 is a comprehensive framework that aims to protect the defense industrial base’s (DIB) sensitive unclassified information from advanced persistent threats (APTs). The final rule includes some key changes to the CMMC 1.0 and is expected to considerably simplify compliance, reduce assessment costs, enhance accountability, and more. 

Learn how MetricStream can help you achieve CMMC compliance.

5. NYDFS Cybersecurity Regulations

Financial sector is one of the primary targets of cyber adversaries given the amount of data and financial assets at stake. So, the intensifying regulatory focus on this sector doesn’t come as a surprise. 

The New York Department of Financial Services (NYDFS) finalized the amendments to its nation-leading Cybersecurity Regulation in November 2023. Enacted in 2017, the regulation requires covered entities, including banks, insurance companies, and other financial services institutions regulated by DFS, to have effective cyber risk and governance measures in place, including a cybersecurity program for protecting consumers’ private data, well-document policies, a CISO to help protect data and systems; and effective controls, among others. 

The amended regulations mandate enhanced governance requirements, more regular risk assessments, additional controls to protect information systems from unauthorized access, updated notification requirements, and much more. It is important for organizations to keep an eye on the NYDFS Cybersecurity Regulation as it is expected to set a precedent for other states and municipalities. 

Regulated entities need to be compliant with the new regulations by April 29, 2024.

6. Operational Resilience

The regulatory interest and activity on operational resilience of financial sector organizations continues to gain momentum. In the UK, the Bank of England (BoE), Financial Conduct Authority (FCA), and the Prudential Regulation Authority (PRA) jointly published a consultation paper on “Operational resilience: Critical third parties to the UK financial sector (PRA CP26/23 and FCA CP23/30)” last month. The deadline for sending feedback comments is March 15, 2024. The regulators also intend to consult on a joint statement of policy regarding the use of their disciplinary powers over critical third parties. 

Explore how the MetricStream Operational Resilience solution can help you navigate today’s fast-evolving risk landscape. 

In the EU, the Digital Operational Resilience Act (DORA) aims to strengthen Information and communications technology (ICT) and digital risk management with focus on third parties, and promote digital operational resilience in the region’s financial sector. Key requirements span various ICT-focused areas such as risk management framework, incident management and reporting, and digital operational resilience testing program, among others. Adopted by the European Parliament in November 2022, the act requires regulated entities to comply by January 17, 2025. This means that the countdown has already begun – financial sector organizations have just 12 months to ensure compliance with DORA.

Given the growing focus on operational resilience across industries, DORA is a landmark regulation and expected to act as a harbinger of what other sectoral and federal regulatory authorities are likely to follow. 

To learn about the DORA requirements in detail and understand how it impacts your organization and how you can ensure compliance, download our eBook “Demystifying DORA - Understanding and Preparing for the EU’s Digital Operational Resilience Act”.

7. Data Privacy

Protecting Personal Identifiable Information (PII) continues to be a top focus area for regulatory authorities worldwide. 

In the US, the enforcement of the new California Consumer Privacy Act (CCPA) regulations has been deferred until March 29, 2024. In 2020, California voters passed the California Privacy Rights Act (CPRA), which amended the CCPA and introduced additional privacy protections. CPRA established new standards for the collection, retention, and use of consumer data as well as imposed “new obligations governing personal information, including requirements that businesses adopt certain mechanisms permitting consumers to opt out of data sharing.” 

CPRA created the California Privacy Protection Agency (CPPA) to implement and enforce the law by July 1, 2022, with enforcement not to begin until July 1, 2023. However, the agency completed only the first set of regulations under the CPRA on March 29, 2023. 

In the wake of this delay, a California court postponed the enforcement of the new regulations by twelve months. That said, statutory changes under the CCPA went into effect on January 1, 2023, and remain in force. 

In November 2023, the CPPA also proposed a new regulatory framework for “automated decision-making technology” (ADMT), which defines key protections related to businesses’ use of these technologies. The agency has also published the revised draft regulations on  risk assessments and cybersecurity audits

Discover how MetricStream can help you strengthen CCPA compliance

In the UK, the Department for Science, Innovation and Technology published a statutory instrument in September 2023 to amend the references to ‘fundamental rights and freedoms’ in the data protection legislation. The amended language is to refer to rights recognized under UK law, rather than retained EU law rights. If approved by the UK Parliament, the amendment is expected to come into force in early 2024.

8. Gramm-Leach-Bliley Act (GLBA)

Another key regulation focused on protecting sensitive data, specifically consumer financial privacy, is the Gramm-Leach-Bliley Act (GLBA). It requires financial institutions to explain their “information-sharing practices to their customers and to safeguard sensitive data.” 

In October 2023, 20 years after the GLBA Safeguards Rule first came into effect, the Federal Trade Commission (FTC) amended the rule. As per the latest amendment, non-banking financial institutions will be required to report data breaches to the FTC, affecting at least 500 consumers. The entities must notify the agency “as soon as possible, and no later than 30 days after discovery of the event.” 

The amendment will come into effect 180 days after its publication in the Federal Register. As per reports, this is likely to happen in 2024.

9. Payment Card Industry Data Security Standard (PCI DSS)

Another major standard aimed at protecting sensitive data, specifically cardholder data, is the Payment Card Industry Data Security Standard (PCI DSS). The globally recognized standard, applicable to organizations across industries that store, process, and/or transmit cardholder data, provides a set of technical and operational requirements intended to protect cardholder data. 

The latest version of PCI DSS will come into effect on March 31, 2024. The PCI Security Standards Council (PCI SSC) published version 4.0 of PCI DSS in March 2022 and gave organizations two years to understand the changes and implement any updates as needed. 

According to the official release, “PCI DSS v4.0 replaces version 3.2.1 to address emerging threats and technologies and enable innovative methods to combat new threats.” 

Explore how MetricStream can help you streamline and strengthen PCI DSS compliance.

10. Fairness and Sustainability

Diversity, equality, and inclusion (DEI) and sustainability are increasingly becoming top agenda items not only for organizations but also for regulators worldwide. In the US, 22 states updated the minimum wage on January 01, 2024. Later in April, the Department of Labor (DOL) is expected to release its final rule amending the regulations on the “white collar” exemptions from the overtime and minimum wage requirements of the Fair Labor Standards Act (FLSA). 

Furthermore, a revised rule by the DOL requiring establishments with 100 or more employees in designated high-hazard industries to submit injury and illness information electronically to the Occupational Safety and Health Administration (OSHA) also took effect on January 01, 2024. 

In the EU, the European Parliament adopted the Corporate Sustainability Reporting Directive (CSRD) in November 2022, with member states required to implement the new rules 18 months later. The CSRD introduces more detailed reporting requirements, enabling investors and other stakeholders to make better-informed decisions on sustainability issues. 

“The CSRD introduces more detailed reporting requirements and ensures that large companies and listed SMEs are required to report on sustainability matters such as environmental rights, social rights, human rights and governance factors,” the European Council said. 

The application of the regulation will be staggered between 2024 and 2028. In the first phase, companies already subject to non-financial reporting directive (NFRD) will be required to report in 2025 on the financial year 2024. 

These are just a few of the regulations businesses should closely watch this year. To successfully navigate the fast-changing regulatory landscape, organizations need an integrated, streamlined, and technology-driven approach to compliance that helps them stay on top of regulatory changes and reduce costs while improving visibility into the overall compliance posture. MetricStream Compliance Management helps organizations get their compliance program up and running quickly and ensure adherence to relevant regulations and industry standards. 

Explore how MetricStream can help you strengthen your compliance function – request a personalized demo today!

Pat McParland

Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.

 
Blogs

Meet our GRC Journey Award Winners 2023

GRC-journeys-blog-banner
5 min read

Introduction

As the global market leader in governance, risk management, and compliance (GRC), MetricStream is honored to present the GRC Journey Awards each year. The awards celebrate and honor organizations, business partners, individuals, and customers that have made significant strides in their GRC Journey—turning risk into a strategic advantage. 

At the 2023 London GRC Summit this October, a selected list of GRC trailblazers who exemplify connected, high-value, and sustainable GRC programs were awarded. These visionaries have set the bar high by demonstrating exceptional advancements in their GRC programs. Discover the stories of these outstanding award winners as we showcase their impactful GRC journeys below.

dnata - GRC Journey Program Excellence Award, 2023

As one of the world’s largest air services providers, offering ground handling, cargo, catering and travel services, dnata operates in 129 airports spanning 35 countries across 6 continents—with over 50,000 employees serving 320 airline customers. As part of its safety and security standards, dnata requires a robust GRC program that can offer visibility into the ever-changing risk and incident scenarios across its global operations and allow decision-makers to assess and respond to the dynamics of its business operations.   

dnata leveraged MetricStream’s GRC products, including Enterprise Risk Management, Incident Management, Policy and Document Management, Observations Management, Issue Management, and Compliance Management, and rolled it out across web and mobile-based channels with support for multiple languages. The results were proactive frontline engagement and faster decision making capabilities.

Watch David Storey, from dnata, explain how they achieved a centralized view of risks, improved frontline engagement, and more.

 

Almarai - GRC Journey Award, 2023

Headquartered in the Kingdom of Saudi Arabia, Almarai, is the world’s largest vertically integrated dairy company and the region’s largest food and beverage manufacturing and distribution company. Almarai ranks as the number one Fast Moving Consumer Goods (FMCG) brand in the Middle East & North Africa (MENA) region and is the market leader in most of its categories across the Gulf Cooperation Council. 

To move from manual processes and gain a connected approach to risk and issue management, Almarai leveraged MetricStream’s Enterprise Risk Management and Business Continuity management products. Today, they have achieved a 50-70% reduction in efforts with automated workflows, streamlined processes, and a defined common risk taxonomy. 

Watch Gordon Bateman from Almarai, share their incredible success story. 

 

Siemens Energy, GRC Journey Award, 2023

As one of the world’s leading energy technology companies, Siemens Energy covers almost the entire energy value chain – from power generation and transmission to storage. The portfolio includes conventional and renewable energy technology, such as gas and steam turbines, hybrid power plants operated with hydrogen, and power generators and transformers. Operating in a highly regulated environment, Siemens Energy wanted to improve its GRC maturity, strengthen its GRC program to increase resilience, and enhance cross-functional collaboration and communication. 

To build a single source of truth that would help them better understand the risk and impact of failures across its business processes and technology infrastructure and ensure that global cybersecurity and ITIL compliance requirements are being met, Siemens Energy leveraged MetricStream’s Enterprise Risk Management, IT Risk, IT Compliance, SOX Controls Testing, Policy Management, and Third Party Management products. 

Dorothea Liebl, from Siemens Energy, discusses how they achieved GRC maturity and improved decision-making. Watch now.

 

Nordea - GRC Journey Practice Leader Award, 2023

Nordea is the largest financial group in the Nordic countries, with a strong market position in personal banking, business banking, large corporate and institution banking, and asset and wealth management. They currently operate across 20 different countries with 30,000 employees. 

To automate and modernize their GRC program and enhance visibility into their risk and compliance processes, Nordea leveraged MetricStream’s Enterprise Risk, Business Continuity Management, Policy Management, IT Risk, IT Compliance, Regulatory Change, and SOX Compliance products. They have now increased visibility and measurement into key risks by linking KRIs as well as amplified the speed, agility, and scalability of IT Risk and IT Compliance processes. 

Brian F. Sørensen from Nordea shares how they implemented an integrated risk management strategy. Watch now. 

 

Petroliam Nasional Berhad, (PETRONAS)- GRC Journey Visionary Award, 2023

A MetricStream customer since September 2021, Petroliam Nasional Berhad (National Petroleum Limited), better known as PETRONAS, is a Malaysian oil and gas company wholly owned by the Government of Malaysia. The corporation is vested with all oil and gas resources in Malaysia and is entrusted with the responsibility of developing and adding value to these resources. Petronas is ranked among the Fortune Global 500 largest corporations in the world. 

To strengthen its GRC program and build resilience, PETRONAS embarked on a journey to ensure critical control and decision-making insights for the organization driven by three core organizational goals: agility, resiliency, and sustainability. PETRONAS leverages MetricStream’s Third-Party Risk, Business Continuity Management, IT & Cyber Compliance, IT & Cyber Risk, and Policy and Document Management products to support their BusinessGRC and Cyber/ITGRC programs. 

Nor Harliza Baharom, from PETRONAS shares details on their compliance journey, GRC strategy, and the use of MetricStream products. Watch now. 

 

Embark on Your GRC Journey with Confidence and Expertise by Partnering with MetricStream

Empower your GRC journey with our ConnectedGRC solutions, which include our BusinessGRC, CyberGRC, and ESGRC product suites. With MetricStream ConnectedGRC, you can go beyond a traditional integrated approach that focuses solely on technical program integration and embrace a more interconnected business-level approach that provides a single source of truth with all the risk insights you need to build your GRC programs to be future-ready. 

Request a demo now. 

Watch the videos of Autodesk, Guidewire, Apple Bank, CHN Industrial, and dnata, who were awarded the GRC Journey Awards at the 2023 Miami GRC Summit this June.

Pat McParland

Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.

 
Blogs

2024 GRC Trends: Future-Proof Your Organization Now!

blog-banner-top-grc-trends-2024
5 min read

Introduction

Yet another year has passed!! We witnessed some major events, including escalating geopolitical tensions, the collapse of banks in the US and Singapore, major mergers and acquisitions, and significant technological advancements in the field of generative AI. In a world where the volume and velocity of risks are increasing, navigating the complex landscape of governance, risk management, and compliance (GRC) has become more crucial than ever. Consider these recent statistics: 

The past year has been a testament to the evolving challenges faced by organizations globally, from economic uncertainties, geopolitical tensions, and new regulations and laws to the lingering repercussions of the 2019 global pandemic. Most importantly, none of these risks exist in isolation – they’re deeply interconnected, with cascading impacts for organizations.

Navigating the Interconnected Risk Landscape Needs New Strategies

Risks are no longer solitary entities; instead, they form a complex tapestry of interconnected challenges that are intensifying in both frequency and severity. A glimpse into the events of the year unveils the extent of this interconnectedness.

The Silicon Valley Banking Crisis in March 2023 saw several other banking failures as well, including Signature Bank, First Republic Bank, and Heartland Tri-State Bank being affected. In August 2023, the shutdown of the NATS flight planning system in the UK caused hundreds of thousands of passenger flights to be delayed or canceled. Over 2000 flights were canceled, leading carriers to face estimated losses of £100m, mainly comprising care costs and lost revenue. The tragic August 2023 Maui fire quickly unfolded as a series of failures, including communication breakdowns, severe weather conditions, miscalculations of fire severity, and issues with essential services like electricity and water, culminating in the destruction of Lahaina and substantial loss of life. The incident underscores how the convergence of various failures swiftly escalated what could have been an isolated event into a catastrophic crisis. 

As we approach 2024, the expectations for GRC professionals are to connect the dots, see issues coming, and engage in some level of predictable forecasting. Now, more than ever, understanding and adapting to the upcoming GRC trends is not just a strategic advantage—it's a necessity for thriving in an increasingly interconnected world.

2024: A Confluence of Challenges and Opportunities

The forthcoming year promises a confluence of challenges and opportunities, making it an urgent requirement for organizations to reevaluate their strategies and fortify their GRC frameworks. So, what are the top trends that will shape the narrative of tomorrow? 

  • Connected GRC Programs Powered by Flexible and Easy to Use Platforms
    To effectively respond to the growing network of interconnected risks, a connected GRC strategy that seamlessly extends across the enterprise, facilitating cohesive visibility, communication, and information, emerges as a crucial solution. Next-gen GRC cloud platforms that unify risk, compliance, audit, cyber, and ESG functions and offer the elasticity and scalability through low code/ no code and user-friendly interfaces play a pivotal role in this paradigm shift. 
  • Cognitive and Continuous Technologies for GRC 
    AI for GRC holds tremendous promise in 2024 and beyond. The power of cognitive AI to turn data into real-time decisions is immense, with powerful use cases in AI-powered threat intelligence, automated planning and scoping of risk assessments, and AI-powered fraud detection capabilities. Techniques and solutions like continuous control monitoring and risk and regulatory intelligence feeds will further be embraced as organizations seek to proactively identify vulnerabilities and enhance the risk and control oversight capability. 
  • Strengthening of Resilience and Business Continuity Programs 
    Resilience will take center stage as organizations will prioritize the need to predict, anticipate, and manage risks before they manifest, and bounce back quickly if impacted. Globally, the regulatory discussion around operational resilience is evolving as well. The Digital Operational Resilience Act (DORA), which came into force this year (and will apply from 17 January 2025 in the EU) aims to strengthen the digital operational resiliency of the financial sector. Organizations will pay more attention to enable and empower the frontline to ensure resilience across entities and third parties. 
  • Shift from Reactive to Proactive Compliance 
    To meet the rising compliance demands, organizations will continue to build compliance resilience and agility in 2024. Centralized platforms that help them automate control testing and evidence collection for all their enterprise controls, continuously scan the horizon with automated feeds from trusted content sources, integrate compliance management systems with other enterprise systems, and apply AI and automation for automated recommendations will be adopted.
  • Fortifying the Extended Enterprise 
    With the high volume of fourth and fifth-party risks and events resulting from the complexity of extended ecosystems, the focus on third-party risk management (TPRM) will get stronger in 2024. To own risk in the extended enterprise and construct a more resilient third-party ecosystem, organizations will increasingly adopt automated end-to-end processes for information gathering, onboarding, real-time monitoring, risk assessments, compliance, and control assessments.

Elevate your GRC strategy with our eBook – a detailed exploration of 2024's top 10 risk trends. top-grc-trends-2024-ebook

Stay Future Ready with MetricStream

At MetricStream our ConnectedGRC solutions help your organizations go beyond the traditional integrated approach that focuses merely on technical integration of different tools to a more connected approach at the business level to help analyze and understand the interconnectedness of risk and resilience by connecting data to generate meaningful insights. With ConnectedGRC, your organization is now empowered to break down enterprise silos and establish a single source of truth with all the risk insights you need to navigate the future. Packed with best practices, deep domain capabilities, AI-powered intelligence, and risk quantification tools, you are all set to tackle the most pressing GRC challenges of today and tomorrow. 

Interested in learning how you can power your GRC program with a connected strategy? Request a demo now!

Sumith-Sagar

Sumith Sagar Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience raging from Governance, Risk and Compliance (GRC), Commodity Trading & Risk Management (CTRM) and cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.

 
Blogs

GRC Trends in the UK Capital: Key Themes at the 2023 London GRC Summit

image
6 min read

Introduction

On October 15 and 16, 2023, over 175+ governance, risk, and compliance leaders from over 20 countries gathered at the Royal Garden Hotel in London for the standout event of the season: The GRC Summit. Over the course of two days, MetricStream had the honor of hosting some of the foremost experts in the field of GRC, featuring more than 40+ speakers who generously shared their best practices, real-world case studies, and valuable insights on the key areas to focus and priorities for leaders. We also had the pleasure of networking with peers and celebrating the achievements of the 2023 GRC Journey Awards winners. 

I had the unique privilege of immersing myself in the insightful content and connecting with several inspiring leaders face-to-face. I'm excited to recap some of the most memorable moments and prevalent themes I encountered during the event. For those interested in viewing video highlights and accessing the presentations, I encourage you to explore the 2023 GRC Summit site.

Connecting the Dots: An Urgent GRC Imperative

A central theme was the pressing need to ‘connect the dots.’ Several significant events, including the recent airline disruptions, banking crises, climate issues, and breakdowns in state intelligence, demonstrate a common thread of multiple risks converging simultaneously. More important to note is that organizations have to deal with risks increasing in volume and velocity. This calls for risk, compliance, and governance leaders to not only ‘connect the dots’ but also address these risks with a connected GRC strategy. Critical to pursuing a connected strategy are simplicity, automation, and predictive capabilities, only possible by leveraging continuous control monitoring, cognitive capabilities including AI-centric workflows, and leveraging cloud technologies for faster, easier, and more secure GRC programs. 

Gaurav Kapoor, co-CEO and co-Founder, MetricStream, best summarized it when he said. “The 'Connected GRC’ strategy underpinned by a 'Cloud', 'Continuous,’ and 'Cognitive' approach is non-negotiable for organizations to navigate an incessantly changing threat, regulatory, and opportunity landscape.”

AI and Hyper-Automation: The New Hot Topic

A trending theme that emerged in nearly every conversation was the potential of artificial intelligence (AI) and automation to enhance efficiency in GRC. Almost all sessions discussed some element of AI – the possibilities to automate, predict, make recommendations, and remediate, as well as the potential risks and rewards. Top discussion points included:

  • Leveraging AI to comprehensively analyze, oversee, and extract valuable insights from the extensive volumes of GRC and control data 
  • Deploying AI to automate processes like control monitoring, third-party risk evaluation, and the creation of a common view of risks across the enterprise 
  • Leveraging AI to enhance data breach detection and, conversely, prepare for malicious actors who are currently exploiting AI technology 
  • GRC for AI: regulatory measures on the horizon for AI, how to ethically use AI, and how to mitigate the risks brought on by AI

The discussions around AI were exciting and spanned a diverse array of topics. Some quotes that stuck out on the topic were: 

”2023 began with grand plans of being the ‘year of efficiency.’ In all reality, it’s become the year of AI answering the question of how can we possibly do more with less? The next challenge we face, regardless of the industry, is how to leverage AI and how to control the risks associated with it,” said Prasad Sabbineni, co-CEO, MetricStream. 

“The problem with AI is it is a very credible liar,” cautioned Toby Billington, Managing Director - ICG Business Risk and Controls leadership team, Citi, as he spoke about the complexities of AI. 

“We believe in the need to incorporate AI but need to assess what types will help us,” said Azizi Bin Md Ali, Chief Compliance Officer, Petroliam Nasional Berhad (PETRONAS), as he spoke about the importance of AI and automation in managing risk. 

Risk Management: Lead with Resilience

Several discussions centered around the importance of resilience in risk management as a crucial strategic priority to ensure business continuity. As a proactive approach, operational resilience is an upgrade that moves operational risk management from passive to active. Furthermore, as interconnected risks due to climate change, cyber breaches, and economic instability continue to dominate the risk landscape, leading with resilience is what will help organizations bounce back quickly if/when impacted. 

Jacqui McDonald, CIO Group Finance, RFT Technology, Barclays, underscored the criticality when she said, “It is critical to ask yourself the question- Do you have enough resiliency in your organization to recover?” Chandrra Sekhaar, Chief Audit Executive (EMEA) - SMF 5, Mizuho, reiterated the importance of technology to build resilience. “Many people talk about technology as the future, but it is equally important today. Innovation, technology, and digitalization is now.”

DORA: An Important Regulatory Priority

With the Digital Operational Resilience Act (DORA), the new EU regulation that aims to strengthen the IT security of financial entities such as banks, insurance companies, and investment firms, entering into force this year, cyber operational resilience was a much-discussed topic. By introducing uniform and harmonized governing principles for the management of cyber risks, DORA aims to ensure that the financial sector in Europe can stay resilient in the event of operational disruptions. The regulation will apply as of 17 January 2025. 

Panelists deliberated several strategies for cyber risk management, including the importance of continuous control monitoring, control rationalization, and cyber risk quantification. Gavin Grounds, CEO & co-founder, Mercury Risk and Compliance, spoke extensively about how cyber risk quantification today is a “pre-requisite for success, (especially) with ever-increasing risks and an unlimited number of scenarios to be tested.” 

The Power of the GRC Community

By bringing the best minds in GRC, the Summit offered a collaborative space for experts and professionals to connect, share success stories, and celebrate GRC excellence. Here’s how we celebrated the power of this community. 

  • Customer Success Stories: Representatives from Nordea, dnata, Mediolanum International Funds, Nationwide Building Society, and Siemens Energy took us through their innovative strategies and continuous improvement that helped them build proactive approaches to audit, enterprise risk management, compliance, cyber risk management, and third-party risk management.
    The presentation of their accomplishments provided key learnings for their peers. For example, Jacob Holmehave, Head of Group Risk Office, Nordea, stressed that “strong governance with clear senior stakeholder commitment” is an important catalyst to the success of the GRC program. At the same time, David Story, VP - Health, Safety, Security & Environment, dnata, explained in detail how they “navigated the large user base training by establishing SMEs and champions.” 
  • GRC Journey Awards: Outstanding GRC program leaders, visionaries, practice leaders, and partners who championed GRC programs, achieved superior business performance, and created high-value impact through GRC were awarded in four categories: GRC Journey Awards, GRC Visionary Awards, GRC Practice Leader Awards, and GRC Partner Awards. Congratulations to the winners! 

    Check out our 2023 GRC Journey Award Winners.
  • Peer-to-Peer Networking: The Summit also served as a dynamic networking platform, promoting collective growth and nurturing innovation. Experts readily shared their problem-solving approaches and committed to continued support. Challenges were openly discussed, and best practices were exchanged. The entire atmosphere was supercharged, and I personally enjoyed the stimulating conversations!

The 2023 GRC Summit was more than just an event; it was a testament to the strength of the GRC community, its commitment to driving the field of GRC forward, and to utilizing the ‘power of connections’ to help organizations thrive on risk. 

Missed attending the Summit? Watch the videos of the sessions and download the presentations.

Interested to learn more about how you can transform your GRC program to successfully manage, embrace, and ultimately thrive on risk? Request a demo now.

simrin

Simrin Jhangiani Associate Director, Marketing at MetricStream

Simrin Jhangiani is the Product Marketing Lead for MetricStream’s ESGRC product. As a former NYU student with a minor in Corporate Social Responsibility, Simrin is passionate about helping businesses make risk-aware business decisions around ESG. Simrin has an extensive business and marketing background having worked as a strategy consultant at KPMG and being a business owner of a sustainable fashion brand. She has lived on 3 different continents, and has travelled to over 50+ countries around the world, resulting in a comprehensive understanding of why ESG is important on a global scale. She believes that ESG is fundamental to the growth of businesses in the present day and is ardent about bringing awareness of the ever-changing regulations around Environmental, Social, and Governance.

 
Blogs

Meet the 2023 Winners of the GRC 20/20 Best in Class Awards

blog-banner-casestudy-final
3 min read

Introduction

We have some exciting news to share. Two of our customers were recently awarded the 2023 GRC 20/20 Best in Class Awards for their outstanding accomplishments in enterprise IT GRC management and compliance management.

Congrats to Guidewire and Zurich Insurance on their much-deserved wins. We’re honored to be part of their journeys towards building successful governance, risk, and compliance (GRC) programs that accelerate business growth, strengthen resilience, and deliver high-value impact.

Here are these companies’ inspiring GRC stories.

Guidewire: Best in Class Enterprise IT GRC Management - Medium Enterprise

In today’s hyper-connected digital world, an IT risk in a seemingly insignificant area of the business can have a profound and cascading impact on the whole enterprise. Many organizations approach these risks reactively – putting out information security fires as and when they arise. But with security breaches increasing, it’s extremely important for IT teams to step back and think strategically about how to streamline resources and monitor IT GRC across interconnected information and technologies.

That’s exactly what Guidewire has done. The California-based solutions provider for insurers set out to replace their siloed and manual GRC program with true risk management processes aligned to business needs and stakeholder value.

The company began by implementing consistent risk assessments and metrics, establishing financially accountable owners for risks and issues, and developing an integrated GRC strategy with a cross-functional GRC steering committee. MetricStream was chosen as the GRC platform to manage policies, controls, compliance, risks (including vendor risks), and business continuity.

Using automation, Guidewire has sped up its risk management processes and reduced open issues by nearly 40%. Risk visibility has also improved, thanks to better reporting and regular cross-business communication. Issues no longer fall through the cracks, resources are deployed effectively, and resolution is tracked systematically through the MetricStream platform.

Since risk owners are clearly assigned, each one can move quickly in the case of an unexpected event. They communicate regularly through dashboards and continuously update views of risk and associated metrics. Unlike before, when they operated in silos, risk owners are now a connected team run on a single GRC platform.

All these efforts make Guidewire a true leader in IT GRC. 

Download the award-winning case study: Guidewire Optimizes Cyber GRC Risk and Compliance with MetricStream

Zurich Insurance: Best in Class Compliance Management - Large Enterprise

Today’s organizations are dynamic and constantly changing. They’re entering new markets, releasing new products, establishing new vendor relationships, and dealing with new regulations – all of which increase compliance risks. To mitigate risk exposure, organizations need to be proactive about monitoring compliance with legal requirements, regulations, policies, and ethics. That means moving away from the compliance silos of the past towards a more integrated approach that strengthens compliance visibility and agility.

Zurich Insurance has embraced this approach. The multi-line insurer, which serves over 210 countries and territories, has modernized and streamlined its compliance, policy, and risk management processes for optimal efficiency. 

Using MetricStream Compliance Management, the company has built a single source of truth to manage its entire global compliance operations. Automated and standardized workflows strengthen compliance efficiency. 

Meanwhile, a centralized compliance policy portal makes it easy for front-line employees to access the latest policies in a secure manner. The company has also streamlined policy creation, approvals, versioning, and discovery.

With real-time visibility into compliance risks and findings, teams can make more confident decisions. At the click of a button, they can see how risks are linked to controls, testing plans, and more. Dashboards and reports provide timely compliance insights, enabling the compliance team to more effectively meet its objective of providing trusted advice to the business. 

Even regulatory changes and updates are proactively captured and managed to ensure that the company is always compliant. This is what makes Zurich Insurance an award winner. 

Download the award-winning case study: Zurich Insurance Modernizes Compliance with MetricStream 

Congrats again to the award winners for setting new standards in GRC. It’s our privilege to work with companies that are finding innovative ways to thrive on risk, strengthen compliance, and demonstrate good governance.

Pat McParland

Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.

 
Blogs

MetricStream in Amsterdam: Key Takeaways from 3 Days of Conversations with GRC Experts

ConnectedGRC-blog-banner
7 min read

Introduction

I am delighted to have spent a wonderful three days in Amsterdam with our MetricStream customers, prospects, industry experts, consultants, and solutions providers, with a peer-to-peer round table session on Tuesday, the 26th of September, followed by two days at the #Risk Amsterdam event. Here is a recap of the important highlights and key insights from the sessions that were conducted over the three days. 

Executive Roundtable Session

The executive round table session on Designing GRC Programs to Manage Risk and Enhance Operational Resilience saw cross-industry operational risk, legal, and compliance experts from banking and aviation to advanced medical suppliers. Confidentiality was assured through Chatham House rules, so I will not quote specific comments and details here but simply summarize the key challenges and discussion points that were raised and discussed in the following areas:

Compliance

  • Challenges faced by dealing on a global basis in different jurisdictions 
  • Aligning and attempting to comply in a standard and consistent manner across the organization 
  • The need to string internal cooperation and alignment to address these issues 
  • The need to use tools such as the MetricStream platform to map your policies and processes to these regulations and standards and drive this standard unified approach. 
  • Fragmentation and complexity of global management 
  • No such thing as a zero-tolerance for regulatory compliance as in the real world, there is always cost pressure vs. full compliance
  • Struggle with the volume and complexity as to where to focus given daily changing priorities 
  • Need to engage and align with regulators as appropriate to your industry

Culture

Aligning to the above discussion on international issues, challenges, and management, the attendees shared and reviewed the challenges around:

  • The differing international and corporate cultures and the “Human” element of silos and differences; as above, a fragmented view in the current state 
  • The potential to have a different focus on risk vs. compliance by region 
  • The differing and ever-changing assessments of risk vs. likelihood 
  • The strong concern about human corruption and intellectual property rights protection 
  • The need to keep abreast and be agile with ever-changing sanctions and geopolitical risks

Volume Overload

All attendees agreed to the stated challenge from one of our guests around the simple challenge of dealing with ever-increasing volumes, including the:

  • The increasing number of internal controls to test 
  • Limited resources and budget 
  • Increasing standards and regulations 
  • The need to increase efficiency and standardization 
  • The consistency and transparency required in evaluation
  • The need to remove duplication of effort that persists 
  • The need to deliver and manage effective control execution across multiple divisions and silos of the organization

The Balancing Act of Aligning Goals and Costs

  • The costs of managing the ever-increasing volume weighed up against investor pressure to reduce costs, yet also investor pressure for greater assurance and transparency

Operational Resilience and Data

  • Multiple regulations and different jurisdictions with slightly different requirements 
  • Finding the synergy across the operational risk teams is seen as a challenge with operational resilience 
  • Data integration challenges and alignment are being experienced 
  • Managing to identify the critical business processes, systems, and assets across the entire organization still presents challenges for some of our attendee

Third-Party Risk and ESG

  • Concern with gathering the right data 
  • Managing the quality of data 
  • Assessing the right cadence of testing and dealing with change
  • What ESG data is being tracked, and how valid is it?

Workshop by Michael Rasmussen

The roundtable discussion was then followed by a workshop with GRC Pundit Michael Rasmussen, “The Father of GRC,” where he further reviewed the above topics with a special emphasis on the “Human Factor.” He discussed in depth: 

  • The nested supply chain issues of 4th and 5th parties and potential impacts 
  • The need for the human firewall, that policies need to be detailed, adhered to, and monitored over and over, and that we need to rely on more than just conduct 
  • The use of AI was reviewed and discussed in appropriate circumstances, and the risks of not using AI and Machine Learning technology

#Risk Amsterdam Event

Then, on Wednesday and Thursday, the 27th and 28th of September, we participated in the #Risk Amsterdam event, and not surprisingly, much the same topics seemed to be the subject of the presentations and conversations. Although we were anticipating a significant focus and questions around the pending Digital Operational Resilience Act (DORA), most of our conversations focused on some of the component elements rather than full DORA compliance and requirements as follows: 

  • Policy management and aligning policies to regulations and controls 
  • Financial & SOX controls testing and certification 
  • IT and Cyber Risk: quantification of cyber risk assessments using FAIR 
  • Quantification and scenario testing in operational risk management / non-financial risk 
  • Bow-Tie analysis 
  • Risk and loss events treatment and reporting 
  • Managing impact assessments with assets and processes across the organization 
  • Managing control frameworks, aligning to COBIT, and yet adding your own controls, such as ISO 27001 and NIST Frameworks 
  • Integrating third party related content feeds into the GRC platform, including Dow-Jones; BMC, Qualys, BitSight, EcoVadis, FinregE, Compliance.ai, Cube, Reg-Room, Sustainalytics, OFAC and Sanctions Lists, among many others

Panel Session on Risk Radar- Unveiling Critical Trends in Risk for 2024 and Beyond

On Thursday afternoon, I joined the panel moderated by Michael Rasmussen with representatives from ABN Amro, Just Eat, and Fiat Republic to share our feedback on the topic “Risk Radar- Unveiling Critical Trends in Risk for 2024 and Beyond.” The big topics discussed were:

  • The impact of Environmental Risks such as the extreme European heatwave and forest fires, Libyan floods, and Moroccan earthquakes and the ability to be agile and manage the usually determined low likelihood but high impact events that seem to be seen as ever-more ‘likely.’ 
  • The onward impact on supply chains, such as the Suez Canal blockage, brown-out power outages, and then the encompassing Geopolitical, Market, Economic, and Liquidity Risks arising from the likes of the Ukraine-Russia war and other cold war scenarios such as Taiwan and the potential impacts.
  • The reputational loss/ consequence issues around non-compliance on the ‘S’ or Social in ESG with modern slavery, child labor and exploitation, and human rights violations outside Europe as another major risk to manage and contend with.
  • IT & Cyber Risk continuing to remain a very high threat, and the focus extended to the requirements of DORA in the risk and ability to recover quickly from technology failures 
  • The risks around AI, along with the associated ethical concerns and the need to remove bias from algorithm-produced results, to derive fair and equitable solutions that do not infringe on human rights, diversity, and inclusion.
  • The risks of AI and benefits of AI with Deep Fakes and criminal spoofing and phishing and the importance of KYC and KYS along with AML were fully reflected upon. 
  • Regulatory Compliance Risks are also considered a never-ending and growing challenge that is not going away. This significantly impacts the managing and complying of internal costs, with the risk of fines now being made more personal as in the UK through SMCR enforcements on individuals rather than just the corporate fines of the past being reviewed by other global regulators.
  • The interconnectedness of these risks was reflected upon and how all these risks can fully impact the supply chain of not just the third party but extended 4th and 5th parties.

On the panel, we shared our views on the strategies to overcome these risks and how, when aligned with the MetricStream platform can provide: 

  • Clear and transparent reporting
  • Drive long-term sustainable goals and implement associated clear policies
  • Drive fast, accurate data on emerging risks across the organization 
  • Use technology to assist predictive analytics and aid human decision-making
  • Use technology to manage the vast data requirements and flow 
  • Need for consistency and standardized taxonomies of data against which to make decisions or a “single-source-of-truth” 
  • Conduct from the top, human awareness, and training and policy attestations frequently reviewed and updated 
  • Engage with the regulators early and get involved in the consultation process wherever possible 
  • Manage risk vs. reward and why more scenario analysis and appropriate quantification in the right areas are required to best determine your risk treatment or adoption 
  • Regular review policy exceptions due to the changing environment

Needless to say, we on the panel ran out of time on these topics, but MetricStream, through our powerful, fully federated, and scalable data model, is well placed to assist in the improved efficiency, accuracy, alignment, consistency, and transparency of residual risks and managing mitigating actions against a quagmire of external risks that are costly and challenging across all global markets. 

While we at MetricStream certainly can’t do everything, we can certainly help to drive consistency, efficiency, and improved management of your company’s Governance, Risk, and Compliance program by enabling the connectedness and providing rich 360-degree views of those connections, driving faster and better quality data and management of resulting treatments and actions to give you the tools to thrive on risk. 

Interested to learn how MetricStream can help? Request a demo now!

The above blog is an edited version of an article published by the author on LinkedIn. Read the original version here.

Charles Nicholls

Charles Nicholls Senior Sales Executive- MetricStream

Charles Nicholls is an enterprise risk solutions specialist and currently serves as the Senior Sales Executive at MetricStream.

Prior to MetricStream, Charles has held various sales, audit, and Network Trading and Enterprise GRC solutions specialist positions at various organizations focused primarily in the Global Banking and Financial Markets sector, including Thomson Reuters, Refinitiv, Galvanize, BT, and others. In March 2003, he founded Inspiration Sales Consultants Ltd., which offered various services including sales and marketing consulting, staff recruitment, training, and development, and more.

 

Related Resources

Blogs

Elevate Your Experience: 2023 GRC Summit, London, Unwrapped

Blog-banner-optimized
5 min read

Introduction

The London edition of the 2023 GRC Summit is all set to take place on October 16th and 17th at the prestigious Royal Garden Hotel. Following the remarkable success of our 2023 Miami edition, where GRC industry experts and thought leaders convened to exchange knowledge and forge valuable connections, we are delighted now to offer you the same experience in London. 

Now in its 11th year, the GRC Summit has been the cornerstone of the GRC community, serving as a platform for networking, knowledge-sharing, and the sharing of best practices. It continues to set the standard for the future of GRC. With the compelling theme, "Experience the Power of Connection," this year's Summit will discuss the latest trends and best practices in Connected GRC and the risks and opportunities of artificial intelligence (AI). Prepare to engage with a distinguished global community of risk, compliance, audit, cyber, and ESG professionals for an unmatched experience.

Here’s How to Amplify Your GRC Summit Experience

As we countdown to the Summit, we want to ensure that you have a truly extraordinary experience by providing you with invaluable insights on how to optimize your time. Here is the comprehensive Agenda for the Summit, along with a lineup of our esteemed Speakers. Additionally, we've handpicked a selection of must-attend sessions that promise to be both enlightening and transformative. Don't miss out on these exceptional opportunities.

  • Keynotes from Our Co-CEOs        
    The keynote speeches have consistently been a highlight of the past GRC Summits, and this year will be no different. 

    Gaurav Kapoor, Co-Founder and Co-CEO, will share the opening keynote on Experience the Power of Connection, where he will dive deep into how ConnectedGRC is powering agility and resilience through connected, cognitive, and cloud-based risk management.       

    Prasad Sabbineni, Co-CEO, will share the Product Keynote on Cognitive, Continuous, and Cloud: The Future of GRC. Find out how automated workflows, AI-driven insights, and cloud adoption are revolutionizing decision-making, operational efficiency, adaptive compliance, and more.

  • Expert Panels 
    We have multiple expert panels lined up, specifically tailored to tackle GRC challenges in today's increasingly interconnected risk landscape. Don’t miss out on:

    Driving Operational Resilience through Governance, Risk, Compliance, Cyber and Audit, with Chandrra Sekhaar, Chief Audit Executive (EMEA) - SMF 5, Mizuho, Nor Harliza Baharom, General Counsel, Compliance Strategy & Planning, Petroliam Nasional Berhad (PETRONAS) and Jacqui McDonald, CIO Group Finance, RFT Technology, Barclays.

    The Changing Role of Internal Audit, with Brandon Wright, Head of Books & Records Audit, Bilfinger SE, Ivan Martinez, Chief Audit Executive, Banco Santander London Branch, and Despina Andreadou, Chief Audit Executive, Eurobank S.A.

    The Three Cs of Modern Compliance: Connection, Collaboration, and Culture, with Peter Funck, Head of GRC, Swedish Road Administration, Sophie Dupre-Echeverria, Chief Risk & Compliance Officer, GIB Asset Management, Former – Schroders, Phil Crook, Head of Compliance, Nationwide Building Society, and Nael Kamil Nor Hisham, Senior Manager, Compliance Strategy & Planning, Petroliam Nasional Berhad (PETRONAS).

    Ensuring Collaboration Across the Lines of Defense to Strengthen Internal Controls with Fazal Mohammed, Head of ORM - Asset Management, Phoenix Group, Dorothea Liebl, Head of Internal Control Governance, Siemens Energy AG, and Benjamin Rowsell, Head of Enterprise and Operational Risk, Nationwide Building Society.

    Innovation and Risk: Encouraging a Risk-Taking Mindset for Business Growth with Philipp Herrmann, Head of Risk Management, Operations Department, Abu Dhabi Investment Authority, Petr Brezina, Head of Company Risk, KBC Asset Management and Sahil Bhardwaj, Group Head of Internal Audit & Risk, British Standards Institution.

  • Customer Case Studies               
    Presented by our customers, these real-life success stories provide deep insights into how organizations have successfully navigated the complex landscape of GRC challenges and offer a wealth of knowledge and motivation to propel your own GRC initiatives forward. Make sure to add the following sessions to your schedule.   

    Customer Case Study: Nordea               
    Brian F. Sørensen, Chief Execution Leader - Group Risk Change Management, Nordea  
    Jacob Holmehave, Head of Group Risk Office, Nordea

    Customer Case Study: Siemens Energy               
    Michael Gropp, IT Program Manager GRC, Siemens Energy

    Customer Case Study: Nationwide Building Society               
    Phil Crook, Head of Compliance, Nationwide Building Society  
    Sarah Harman, Leader - Operational Risk Framework and Systems, Nationwide Building Society

  • Product Sessions               
    Interested to learn more about the functionalities and benefits of MetricStream’s GRC products? Our product-focused sessions will provide comprehensive insights, empowering you to fully understand the capabilities and business benefits of our offerings. Be sure to be there for the following sessions:  

    Power What’s Next in Enterprise & Operational Risk Management 

    Power What’s Next IT & Cyber Risk, Compliance Management

    Digital Transformation and Operational Resilience: Adapting to New Technologies and Workflows

    Digital Operational Resilience: Building Robust Strategies to Safeguard Business Continuity in the Face of Disruptions

    Low Code No Code

  • Workshop on Enterprise GRC by Design: Blueprint for an Effective, Efficient & Agile Enterprise GRC Management Program                
    Enterprise GRC is an integral part of an organization's operational framework. When implemented effectively, GRC permeates through every facet of the business, ensuring the consistent attainment of objectives, the management of uncertainties, and the adherence to ethical standards. This necessitates a comprehensive understanding of GRC within the broader context of the enterprise's strategy, objectives, architecture, and processes.               

    Attend this workshop on 16th October 2023 for comprehensive insights into taking an architectural approach to building your Enterprise GRC program.
  • Celebrate and Network with Your Peers               
    Whether it’s at the specially designated peer-to-peer sessions or during the networking breaks, the Summit gives you the opportunity to mingle with your peers and GRC industry experts. On 17th October 2023, join us as we recognize the key achievements of customers and partners in the field of governance, risk, and compliance management as we celebrate the GRC Journey Awards.

See you in London! 

The highlighted list above offers just a glimpse of what awaits you. Check out our Agenda to know more. Delve deeper into the expertise of our esteemed speakers. Read: GRC Summit, London, 2023: Meet the Speakers. 

If you haven't registered yet, don't miss out—secure your spot now! Register here.

dummy MSI

Aanya Sharan Associate Director - Marketing

Read the blogs authored by Aanya Sharan, Associate Director - Marketing, for the latest insights on governance, risk management, cyber resilience, and more.

 

Related Resources

lets-talk-img

Ready to get started?

Speak to our experts Let’s talk