×
Blogs

Meet Our 2024 GRC Journey Award Winners

MS-website-meet-2024-grc-journey-award-winners-blog-banner
7 min read

Introduction

As the global leader in governance, risk management, and compliance (GRC), MetricStream takes pride in presenting the GRC Journey Awards annually. These awards recognize and celebrate the remarkable achievements of organizations, business partners, individuals, and customers who have transformed risk into a strategic advantage through their GRC initiatives.

At the 2024 Baltimore GRC Summit, we honored a distinguished group of GRC pioneers who embody the essence of connected, high-impact, and sustainable GRC programs. These trailblazers have set a new standard with their exceptional progress in advancing GRC practices. Explore the inspiring stories of our award winners’ GRC journeys below.

Blue Cross Blue Shield of Michigan - GRC Journey Program Excellence Award, 2024

As a leading health insurance provider, Blue Cross Blue Shield of Michigan (BCBSM) plays a crucial role in offering comprehensive healthcare coverage to millions of residents in Michigan. With a mission to ensure access to affordable, quality healthcare, BCBSM serves as a trusted partner for individuals, families, and businesses across the state. Their extensive network includes a wide range of healthcare professionals, hospitals, and service providers, making them a cornerstone of the Michigan healthcare system.

Recognizing the importance of robust risk and compliance management practices, BCBSM has successfully leveraged the MetricStream software to achieve real-time visibility into compliance metrics and enhance data-tracking and reporting mechanisms.

Watch this video to see Michael Cover from Blue Cross Blue Shield of Michigan discuss how MetricStream has helped them on their GRC journey.

 

CIBC, GRC Program Excellence Award, 2024

CIBC (Canadian Imperial Bank of Commerce) is a leading North American financial institution headquartered in Toronto’s Financial District. With 48,000 dedicated employees, CIBC serves 14 million clients across Canada, the U.S., and globally, offering a comprehensive range of financial products and services. Guided by a commitment to creating lasting value, CIBC aims to help individuals and businesses achieve their ambitions while contributing to a more secure, equitable, and sustainable future.

With responsibilities for managing assets worth billions of dollars, CIBC is highly focused on identifying, assessing, and managing the interconnected risks in a dynamic marketplace.

Watch this video where Michael Donovan from CIBC explores how the bank used MetricStream to automate and standardize their integrated GRC programs for over 1000 users in multiple locations to manage risks, controls, assessments, and metrics.

 

Fred Hutchinson Cancer Center - GRC Journey Award, 2024

Fred Hutchinson Cancer Center, based in Seattle, Washington, is an internationally renowned institution dedicated to cancer research, treatment, and prevention.

Following a significant merger that doubled the organization's size, Fred Hutchinson Cancer Center recognized the need for a scalable risk management platform to handle its expanding operations effectively. To address this need, the organization sought a comprehensive tool that could facilitate risk and compliance assessments, incident management, third-party risk management, and the management of a centralized risk register and issues list.

By implementing MetricStream, they established a single source of truth for IT risk data, ensuring consistency and accuracy across the board. The transition to MetricStream has enabled them to accelerate their GRC journey, providing them with the tools necessary to manage risks more efficiently and effectively.

Watch this video to see John Soltys from Fred Hutchinson Cancer Center discuss how they accelerated their GRC journey.

 

BankUnited, Inc. - GRC Journey Award, 2024

BankUnited, Inc., a prominent bank holding company headquartered in Miami Lakes, Florida, is known for providing a full range of banking and financial services to individual and corporate customers. With a strong focus on innovation and customer service, BankUnited operates through an extensive network of branches across the United States, primarily in Florida and the New York metropolitan area.

To modernize and streamline its GRC functions, BankUnited recognized the need to replace its outdated manual legacy systems with a more efficient, automated approach. BankUnited leveraged MetricStream products and successfully established a more robust GRC framework that not only meets regulatory requirements but also enhances decision-making and fosters a proactive risk management culture within the company. This transformation has positioned BankUnited to better understand and mitigate risks, ensuring the continued delivery of high-quality financial services to their clients.

Watch this video to see Kavitha Singh from BankUnited discuss their GRC journey.

 

CHN, GRC Journey Award, 2024

CHN is a leading equipment, technology, and services company that operates globally across agriculture and construction, covering over 170 markets. Across a history spanning over two centuries, CNH has always been a pioneer in its sectors and continues to passionately innovate and drive customer efficiency and success.

CHN embarked on a GRC journey in 2018 with MetricStream’s enterprise risk management, policy management and third-party management products, now used by 1000+ employees globally.

Watch Tom Auvil from CHN describe their GRC journey and how they were able to automate end-to-end risk management across the enterprise, increase adoption and drastically reduce risk events and expenses.

 

BMO Financial Group - GRC Journey Practice Leader Award, 2024

BMO Financial Group, one of the largest financial institutions in North America, has a rich history of providing a broad range of financial products and services to personal, commercial, corporate, and institutional customers. Headquartered in Toronto, Canada, BMO operates with a strong presence across Canada, the United States, and worldwide, committed to delivering excellence in banking, investment, and financial solutions.

BMO Financial Group decided to enhance its GRC program by eliminating manual processes, upgrading technology, standardizing workflows, and improving the productivity of its internal audit program. By working with MetricStream and having a detailed GRC plan in place, BMO has significantly enhanced the speed and agility of its audit department.

Lynda Witter, Sr. Audit Manager – Audit Technology, BMO Financial Group, was awarded the GRC Practice Leader Award for her deep expertise in GRC and for driving the adoption of GRC programs within their organizations. 

Watch this video to see Lynda discuss how they implemented a centralized and streamlined audit management system.

 

Bank OZK - GRC Journey Visionary Award, 2024

Bank OZK, a leading regional bank headquartered in Little Rock, Arkansas, is known for providing a comprehensive range of financial services to individuals and businesses. With a strong presence across the southern United States, Bank OZK is dedicated to delivering exceptional customer service and innovative financial solutions.

To enhance its GRC capabilities, Bank OZK sought a trusted partner that could support its growing needs. This included the ability to support a comprehensive GRC program featuring a centralized library of risks, controls, processes, issues, and lines of business. Partnering with MetricStream has facilitated better decision-making and enhanced the bank's ability to manage risks effectively.

Arindam Majumdar, Deputy Chief Risk Officer, Bank OZK, was awarded the GRC Journey Visionary Award for his passion for GRC and his clear vision for his organization’s GRC journey.

Watch Arindam discuss how they aligned their ERM and operational risk program vision to their overall GRC vision.

 

Federal Home Loan Bank of Pittsburg, GRC Practice Leader Award, 2024

As one of 11 Federal Home Loan Banks established by Congress, the Federal Home Loan Bank of Pittsburg has been an integral and reliable part of the financial system since 1932. The bank provides reliable funding and liquidity to its member financial institutions, which include commercial and savings banks, community development financial institutions, credit unions, and insurance companies in Delaware, Pennsylvania, and West Virginia.

Partnering with MetricStream since 2016, the bank has implemented operational risk management to conduct risk assessments and manage issues and loss events, SOX management to adhere to various SOX processes, and internal audit to manage audit artifacts and triage issues.

Tom Proviano, Senior Manager, Technology Risk Oversight – Corporate Risk, Federal Home Loan Bank of Pittsburgh, was awarded the GRC Practice Leader Award in recognition of his deep expertise in GRC and responsibility for driving the adoption of GRC programs in his organizations.

Watch this video where Tom discusses his GRC journey experience with MetricStream.

 

Navigate Your GRC Journey with Confidence and Expertise

Start your GRC journey with our ConnectedGRC solutions, which include our BusinessGRC, CyberGRC, and ESGRC product suites. With MetricStream ConnectedGRC, your organization is empowered to move beyond the limitations of traditional integrated approaches that focus only on technical program integration. Instead, you gain a connected GRD strategy that delivers a single source of truth, providing comprehensive risk insights essential for building future-ready GRC programs.

Request a demo now.

Pat McParland

Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.

 
Blogs

7 GRC Myths Debunked

7-GRC-Myths-Debunked-blog-banner-dsk
6 min read

Introduction

Over two decades have passed since the term ‘governance, risk, and compliance’ (GRC) entered the business lexicon. Initially considered a nice-to-have, countless organizations have benefited from a deeper understanding of risks, a robust framework of controls, and a solid foundation of governance mechanisms. Yet, several myths around GRC continue to persist.

Let’s put some of them to rest here.

Myth 1: GRC is Only for Large Organizations in Heavily Regulated Sectors

Fact: All organizations, regardless of size, need GRC to navigate an increasingly uncertain world. Risks are coming at us from all directions – be it climate change, cyberattacks, market volatilities, or geopolitical conflicts. Add on regulatory pressures and constantly evolving compliance requirements – and you have a perfect storm of GRC challenges.

To thrive – or, even survive – we have to be able to anticipate and mitigate risk events and recover quickly in case of a crisis. We need to know where our controls are lacking, and which regulatory changes require our attention. GRC enables us to do all that – which is why it isn’t just desirable, but imperative for both large and small organizations.

Myth 2: GRC Hinders Business Agility, Slowing Down Processes and Stifling Innovation

Fact: On the contrary, if GRC is done right, it can actually enhance business agility. It enables us to foresee and respond to the risks and opportunities ahead in a way that drives growth and transformation.

Take the example of a global IT services leader that optimized business performance through a deeper understanding of its risks. Each risk is mapped to performance objectives and strategic goals. So, at a glance, stakeholders can accurately predict performance and revenue across various projects and business units. With a comprehensive picture of risk impact and control effectiveness, the board and executive team can make confident decisions that drive profitability and growth.

Myth 3: GRC is Only About Compliance

Fact: While compliance is a crucial component of GRC, it isn’t the sole focus. Being compliant doesn’t guarantee immunity against risk events. You might think your organization is safe if, for example, you’re fully compliant with cybersecurity regulations. But cyber threats are constantly evolving, often outpacing regulatory measures. So, if you’re too narrowly focused on compliance, you might not see the broader threats and attack surfaces in your business. It’s like locking the doors of your house, but leaving the windows open for intruders to come in. 

That’s why an effective GRC approach doesn’t just emphasize compliance with periodic assessments and audits – it stresses the need for good governance and sound risk management practices. That includes implementing clear policies and codes of ethics, establishing accountability, and building a risk-aware culture. When these practices are combined with compliance, they do more than just protect your business – they also help you capitalize on opportunities and strengthen resilience.

Myth 4: GRC is Too Expensive to Implement

Fact: While a GRC implementation has its costs, consider them an investment rather than an expense. GRC can actually save you money in the long run by preventing costly compliance breaches, reducing the likelihood of significant risks materializing, and improving operational efficiencies. Plus, whatever your budget, you’re likely to find a GRC solution that fits. However, we need to ensure that the GRC solution is scalable and can seamlessly extend to other functions of GRC in the future. This will not only ensure data integrity but also help you save costs on managing multiple vendors, upgrades, and data integrations.

Many organizations rely on spreadsheets and manual methods for GRC, but this approach is inefficient. Employees spend hours gathering GRC information, leading to scattered insights, data inconsistencies, and delayed decision-making due to inaccessible risk intelligence.

By contrast, a connected and scalable GRC platform can give you the risk visibility and automation you need to save both time and costs. A leading health insurer enabled a 90% reduction in regulatory reporting time by connecting all its compliance processes on one platform. Meanwhile, a telco giant cut costs by 80% with automated risk and control monitoring. You too can achieve similar efficiencies with the right solutions.

Myth 5: Once Your GRC Framework is in Place, You’re Free from Risk and Compliance Issues

Fact: No GRC framework or solution can completely eliminate risks or compliance issues. However, a good one can bring your risks down to an acceptable level, and ensure that they’re within your risk appetite. An effective solution can highlight early warnings and help you take proactive measures to mitigate risks in time. Effective GRC can also help you streamline compliance with various regulations and reduce the likelihood of costly penalties.

But through it all, vigilance is essential. You don’t want to be caught off-guard by a new risk or disruption coming out of left field. Continuous risk and control monitoring is imperative to ensure that you’re always ahead of emerging risks and control issues. Regulatory change management can also go a long way towards maintaining compliance health by keeping you abreast of new compliance legislation and updates.

Myth 6: GRC Implementation is a One-Time Activity

Fact: GRC is an ongoing process, a journey that never really ends. It can’t be when regulations, risks, and business operations are constantly evolving. The risks of next year may not be the same as the risks of this year. A control that worked before may not be relevant today. Only by monitoring, adapting, and improving GRC activities regularly can you keep risks in check and enable sustainable growth.

Myth 7: GRC Technology Can Solve GRC for You

Fact: Technology can certainly support and empower you on your GRC journey, but it isn’t a silver bullet. As GRC pundit Michael Rasmussen says, “GRC is something you do, not something you buy.” Even if you have the best GRC software in the market, it won’t offer much value unless you first have clear GRC strategies, policies, processes, and taxonomies. You need well-planned GRC processes, governance structures, and a culture that values risk management and compliance practices.

Once these building blocks are in place, technology can take your GRC program to a whole new level by streamlining and automating processes. It can simplify cross-functional collaboration on GRC activities, while also pulling together and transforming GRC data into rich insights. In that sense, GRC software can be a value-enabler. But human oversight, strategic planning, and judgment are equally important.

Supercharge your GRC Efficiency and Effectiveness with MetricStream

MetricStream ConnectedGRC enables you to manage all your GRC requirements on one platform. From operational and enterprise risk management and compliance, to audits, third-party governance, cyber risk management, and ESG (environmental, social, and governance) – your end-to-end processes are connected with a unified risk and compliance view.

With ConnectedGRC, you can:

  • Gain a unified view of risks across the enterprise and third-party ecosystem
  • Avoid regulatory violations with systematic compliance assessments, continuous control monitoring, and regulatory change management tools
  • Strengthen governance with powerful policy and procedure management solutions
  • Use advanced analytics and AI to draw out timely risk and compliance intelligence
  • Align GRC with industry best practices, standards, and frameworks

To learn how MetricStream can help you accelerate your GRC journey, request a personalized demo today!

Sumith-Sagar

Sumith Sagar Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC), Commodity Trading & Risk Management (CTRM) and cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.

 
Blogs

The Case for an Integrated Approach to GRC in the Modern Enterprise

blog-7-Aug-2024-dsk
7 min read

Introduction

Chances are that you’re already managing governance, risk, and compliance (GRC) in some way or the other. But if your approach is ad hoc and siloed – i.e., if your risks, compliance, and audits are managed on separate systems with different taxonomies and no way to collaborate or exchange data – then, it might be time for a change.

Why? Because in today’s dynamic world, success hinges on one’s ability to make informed decisions quickly based on data collected and validated across the organization. Stakeholders need to know which risks to tackle on priority, how those risks influence other enterprise risks, which business objectives could be impacted, what issues could arise, and whether the controls in place are truly effective.

Meanwhile, internal audit – the third and final line of defense – needs to focus on assurance, rather than re-evaluating assessments completed by the second line. To do that, they need real-time visibility into events, issues, actions, and assessment outcomes.

An integrated GRC program provides all these insights. So, teams can take informed steps to protect the business and capitalize on the opportunities that really matter.

Why Don’t More Organizations Adopt an Integrated Approach?

In our experience, many businesses already have separate programs, objectives, and budgets for each GRC function – be it risk management, compliance, or internal audits. Having operated like this for years, businesses are either resistant to change or lack the drive to ensure integrated GRC data and reporting. Some companies are swayed by the bells and whistles that point solutions can provide, even if those tools work in silos, disconnected from other GRC functions.

There’s no doubt that making the shift to integrated GRC does take time and effort. But the rewards are well worth it. Imagine being able to predict risks and opportunities faster, collaborate seamlessly across functions, and make informed decisions quickly – all in a streamlined and cost-efficient manner. That’s what integrated GRC can enable.

Integrated GRC Is More Important Now Than Ever

All around us, risks are changing at a rapid rate. Four years ago, the top global risks were largely environmental – extreme weather, climate action failure, natural disasters, and biodiversity loss. This year, the top 5 risks have expanded to include AI-generated misinformation, societal/ political polarization, the cost of living crisis, and cyberattacks.

Compliance requirements are also evolving. In the first half of 2024 alone, Europe approved the corporate sustainability due diligence directive as well as the AI Act. In July, California’s Workplace Violence Prevention Plan (WVPP) came into force, as did Australia’s Environmentally Sustainable Procurement Policy.

As these regulations and risks keep changing, so also do business processes, objectives, employees, technologies, and third parties.

None of these changes occur in isolation. They’re all interconnected. For example, when you onboard a new vendor, their risks become your risks. A data breach in their networks could weaken your own cybersecurity posture, which, in turn, could lead to compliance violations, operational disruptions, reputational damage, and more.

Integrated GRC enables you to see all these interconnections. Data from spreadsheets, point solutions, and other sources are unified into a single GRC view. This helps you predict risks with accuracy, ensure consistent compliance, and strengthen your resilience.

Benefits of an Integrated GRC Program

Our customers and prospects across industries tell us that these are some of the benefits they’ve experienced with an integrated approach to GRC:

  • Faster, more accurate risk insights through a common GRC taxonomy

    When departments such as risk management and compliance work in silos, they end up developing separate terminologies and frameworks to describe similar GRC concepts. This creates a lot of confusion when you’re trying to aggregate and report GRC data.

    By contrast, an integrated GRC approach focuses on unifying and standardizing GRC taxonomies across the enterprise. So, all departments and stakeholders are on the same page, speaking the same language. This minimizes misunderstandings and miscommunications. It also simplifies the process of gathering and analyzing GRC data from across business units. There are fewer discrepancies and ambiguities in the data because everyone is using the same terminologies.

    The end result is that management gains a clearer picture of the organization’s GRC posture, which, in turn, strengthens decision-making.

  • Improved cost-efficiencies, zero duplication of effort

    When your GRC approach isn’t coordinated, multiple departments could end up assessing the same risk, or testing the same control. This duplicates effort, wastes resources, and increases costs.

    An integrated GRC approach eliminates these inefficiencies by streamlining GRC workflows across departments. Tasks and responsibilities are clearly defined to minimize overlaps or redundancies. 

    Meanwhile, GRC data is collected, stored, and accessed centrally – so teams don’t have to waste time hunting for information. The data produced by one department can even be reused by another. For example, compliance reports can be reused in risk assessments and internal audits. This reduces labor costs, and frees up GRC resources for more strategic activities.

  • Stronger collaboration across business lines

    In an integrated GRC program, various business lines work together in harmony. Risk managers, compliance teams, internal auditors, and others have a clear understanding of how their activities intersect with those of other lines.

    Through an integrated GRC platform, information on risks, losses, controls, and metrics is easily shared across departments. Each business line is able to provide valuable inputs and support to the other. The first line’s observations and assessments of risks and compliance flow to the second line which then ensures that risks and controls are effectively managed.

    Subsequent business lines, such as internal auditors and the management team, can also collaborate and monitor risks easily through the same GRC platform. This synchronized approach enhances the organization’s resilience and ability to achieve business objectives.

  • A comprehensive view of GRC through integrations with other systems

    GRC doesn’t exist in a vacuum. It needs to be able to exchange data with other business systems like enterprise resource planning (ERP) platforms, security tools, and threat and vulnerability scanners. External content also matters – be it regulatory updates, third-party risk ratings, or data on environmental, social, and governance (ESG) factors. All these inputs enrich your ability to monitor risks, regulations, and their impact on your enterprise.

    An integrated GRC approach helps you aggregate all this data by connecting your GRC platform to multiple systems within and outside the enterprise. APIs enable the seamless flow of data across these touchpoints. For example, with MetricStream products, you can automatically pull in vendor security ratings for third-party security assessments or regulatory changes and updates from CUBE. These insights make your GRC program more robust and effective.

A Fast-Growing Regional Banking Giant Enhances Business Decision-Making with MetricStream

We recently contracted with a regional bank that was a rising superstar in the BFS industry. Evaluation began with the Internal Audit team searching to replace its archaic point solution with its latest variant, while Operational Risk Management, Information Security, and Compliance Groups looked to automate their manual processes. Legacy systems, manual processes, and data silos were hampering risk visibility and effective reporting to regulators. Moreover, only 60% of planned risk assessments were executed on time and Internal Audit continued testing all risks and controls already validated by the second line.

As the evaluation progressed on separate tracks, the Internal Audit team realized the benefit of real-time visibility into first- and second-line data and incidents/events during audit planning or fieldwork. In their own calculations, there were significant time-cost-resource optimizations with such seamless enterprise data visibility. Hence, began a joint evaluation for a single and enterprise GRC platform.

After a year of rigorous evaluation wherein the criteria also included built-in practices relevant for banking industry, track record in managing and deploying enterprise programs, and a team who would guide them through their journey with the application, they chose MetricStream.

With the implementation:

  • Operational risk management processes have been streamlined for optimal efficiency. Meanwhile, a centralized risk and control library saves time on risk assessments and control tests.
  • The Internal Audit team reaps the benefit of a more efficient program allowing better audit planning and execution, and avoiding redundancy of assessment due to complete visibility into first and second line assessments, observations and actions. This allows them to focus on critical areas and data analysis. 
  • Compliance Group and Information Security have imbibed the embedded practices and tailored their specific use cases using the low-code, no-code toolkit.

The bank’s multi-dimensional organization structure (MDOS) has been mapped on MetricStream, making it easier to aggregate risks at any level of the organization. With better visibility into risks and controls, the bank is able to make more informed and agile decisions that strengthen business success.

Improve Your Agility, Performance, and Resilience with MetricStream ConnectedGRC

MetricStream ConnectedGRC enables an integrated approach to GRC with seamless collaboration across risk, compliance, audit, cybersecurity, and sustainability teams. Through MetricStream, you can effectively identify, assess, and manage all your risks and compliance requirements on one platform. Designed with advanced analytics and AI capabilities, ConnectedGRC delivers best practices to meet the evolving needs of today’s dynamic enterprises.

  • Gain a single source of truth to manage, assess, and track GRC across the enterprise
  • Break down the silos between business lines, enabling a coordinated approach to GRC
  • Standardize GRC taxonomies, and simplify risk data aggregation from across departments
  • Get a unified and real-time view of the relationships between risks, controls, regulations, policies, business objectives, cybersecurity, sustainability, and other data elements
  • Streamline GRC processes, minimizing redundancies and inefficiencie

To learn how MetricStream can help you accelerate your GRC journey, request a personalized demo today!

Vishwas-Udupa-headshot

Vishwas Udupa Director, Field Sales MEA

Vishwas Udupa is Director of Sales (MEA & APAC) at MetricStream. In his role, Vishwas is responsible for market strategy and sales, managing marquee accounts, regional go-to-market initiatives, and analyzing market trends.

Vishwas has 19 years of experience in Governance Risk and Compliance (GRC) domain as a Risk & Audit consultant and in sales profile across Oracle Financial Services, Thomson Reuters, London Stock Exchange Group (LSEG) and Empowered Systems. He has a Masters in Business Administration at ICFAI and Bachelor of Engineering degree from MSRIT, and lives in Bangalore, India.

 
Blogs

GRC Leaders Speak: Top 5 Themes from the 2024 MetricStream GRC Summit

GRC-Summit-Recap-Blog-for-Jul-24-blog-banner-dsk
5 min read

Introduction

Just a few weeks ago, on June 17th and 18th, the Baltimore Marriott Waterfront was abuzz as over 150 governance, risk, and compliance leaders gathered for the MetricStream GRC Summit—the premier GRC event of the year.

Over the course of two days, MetricStream brought together some of the foremost experts in GRC – with more than 50 speakers – who shared invaluable keynotes, best practices, case studies, and strategic insights on critical areas of focus and priority for leaders. The summit also offered plenty of opportunities to network with peers and celebrate the announcement of the 2024 GRC Journey Awards winners.

I wanted to share some standout moments and key themes shared during the event. You can also check out the video highlights and presentations.

5 Key Themes That Emerged During the Summit

1. AI at the Epicenter

Driven by its immense ability to automate tasks, increase productivity, and predict outcomes, Artificial Intelligence (AI) has quickly moved to the epicenter today. Organizations across industries are leveraging AI to streamline operations, revolutionize marketing strategies, and gain a competitive edge. Its applications range from automating customer service with chatbots to predicting market trends, and optimizing supply chain management.

In GRC, AI’s transformative potential enables organizations to manage risk more effectively, improve compliance, and make data-driven decisions for better governance. Enterprises are effectively utilizing AI for control monitoring, intelligent issue and remediation management, intelligent control insights and control test prioritization, the creation of a common view of risks, and so much more.

While effective and responsible AI systems are crucial, GRC leaders at the Summit focused on the importance of: 

  • Promoting the augmentation of human capabilities in conjunction with AI tools rather than outright replacement
  • Focusing on data quality, which is essential to build trust and transparency
  • Implementing robust guardrails for AI to prevent bias and ensure ethical standards are upheld
  • Fostering a balanced approach to leveraging AI in GRC processes for more informed, agile, and ethical governance and risk management practices.

Here are two quotes that sum up the depth of discussions around AI.

“One of our priorities is to keep GRC simple. There are two aspects of AI –how do you bring AI to GRC and how do you bring GRC to AI?” --Gunjan Sinha, Co-Founder of MetricStream

“We are at an inflection point on the adoption of AI. Targeted AI adoption for specific use cases will gain traction. Humans in the loop is extremely important.” --Anand Narayan, Head of Regulatory Change Management, Sumitomo Mitsui Banking Corporation

2. From Reactive Risk and Compliance to Proactive Resilience

“Agility is extremely important in managing emerging risks and regulatory requirements,” said Prabha Thomas, Chief Risk and Compliance Officer, Tata Consultancy Services. I couldn’t agree more. In today’s fast-paced and interconnected business environment, a conscious move from reactive risk and compliance to embracing proactive resilience is not just a strategic choice—it is essential for thriving in the face of uncertainty.

To build proactive resilience, organizations will need to build risk and compliance agility with a unified view powered by a centralized platform that continuously scans the horizon with regulatory change-tracking technologies and automated feeds from trusted content sources. They will need to integrate compliance management systems with other enterprise systems and apply AI and automation for automated recommendations. Furthermore, given the multitude of regulatory requirements, organizations will need to move to continuous compliance by implementing tools that help them automate control testing and evidence collection for all their enterprise controls.

3. The Changing Role of the CISO

A particularly resonant theme was the evolving role of the CISO. Numerous Chief Information Security Officers (CISOs), Chief Security Officers (CSOs), and Cyber Risk leaders at the Summit shared their insights on how the role has increasingly shifted towards a business-oriented focus, emphasizing that cyber risk is now recognized as a critical business issue rather than solely a technical one.

Added responsibilities of a CISO now include organizational governance, data loss prevention, and compliance with regulations. This requires not just a solid technical foundation but also a strong grasp of business principles to effectively communicate with other C-level executives and the board.

A CISO’s toolkit today should include a 360-degree view of the organization’s IT risk posture and cybersecurity investment priorities, along with continuous control monitoring, insightful reporting, and cyber risk quantification. This blend of skills and technology ensures they can anticipate risks, implement robust security architectures, and foster a culture of security within their organizations – as well as communicate strategically with the board.

4. Responding to Rapidly Evolving Regulations

“Regulators are connecting the dots,” warned Deputy Chief Risk Officer, Bank OZK. “If we as an organization don’t break down the underlying siloes, we lose control. We transitioned as a team to look at all the various risk stripes in an interconnected view.”

With the regulatory environment evolving faster than ever, it is crucial for GRC professionals to stay ahead of regulatory changes to ensure that organizations remain compliant and avoid potential fines and reputational damage. This requires utilizing advanced technologies such as AI and cloud-based platforms to streamline this process, ensuring that compliance professionals receive real-time updates and can assess their implications swiftly.

5. Collaboration is Key to Success

An essential takeaway from the Summit was the wise words of Tolu Oyesfesobi, Head of Financial Controls and Operational Risk, Inter-American Development Bank, who reminded us all to “Have a lot of coffee with your business… for collaboration is key to breaking down silos.”

This simple yet profound advice underscores the importance of fostering strong, communicative relationships within our organizations to achieve seamless integration and collective success.

It also underscores the importance of connecting with the GRC community. In line with the theme, "Experience The Power of Connection," the Summit stood out for bringing together the expertise of top GRC professionals. Customers, including Blue Cross Blue Shield of Michigan, Bank OZK, and Apple Bank, shared their success stories, vividly illustrating how they have effectively tackled the complexities of GRC challenges. We also conducted workshops on how to align ERM with your organization’s GRC strategy and cyber risk quantification that offered practical insights and use cases from industry experts.

The Future of GRC is Connected

As we wrapped up two insightful days in Baltimore, the overarching topic that sparked a lot of discussion was the need to advance GRC maturity with a connected GRC strategy, especially one that is Cognitive, Continuous, and Cloud-based.

  • Cognitive leverages AI and machine learning to automate and optimize risk and compliance processes, providing real-time insights and predictive analytics
  • Continuous ensures ongoing monitoring and assessment of risks and controls, reducing business losses and improving operational efficiency
  • Cloud-based solutions are low-code, no-code and come with scalability, flexibility, and security, enabling organizations to manage their GRC initiatives seamlessly across various functions

See You Next in London!

We’ll be doing it all over again in London on November 6th and 7th! We hope to see you there! Register now. 

Learn more about what was discussed at the GRC Summit: Download the presentation and watch the videos.

Pat McParland

Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.

 
Blogs

Healthcare Risk and Compliance: 5 Key Challenges to Address in 2024

blog-dsk-healthcare-risk-compliance-key-challenges
7 min read

Introduction

Healthcare is one of the most strictly regulated sectors in the world. This is understandable and necessary considering that the sector deals with factors as crucial and sensitive as health and life itself. As a result, this sector has witnessed increasing regulatory complexity with different regulatory bodies focusing on various aspects of the industry. The healthcare business is also rapidly evolving and expanding with many providers offering ancillary services such as health insurance and insuretech. This makes the sector susceptible to various new and emerging risks. Healthcare providers also work with third parties who handle sensitive patient information, making it vital for them to effectively manage third-party risks. As regulatory complexity increases amidst a fraught risk landscape, ensuring compliance can be challenging.

In April 2024, records of 13.4 million patients were left exposed thanks to nine incidents of unauthorized access or disclosure of protected health information. 44 hacking incidents in the same month affected 1,919,637 records. The consequences of such breaches through penalties and impact on reputation and image are significant. This blog explores the top five risk and compliance challenges for the healthcare sector and how to address them.

1. Regulatory Compliance

The healthcare sector is governed by regulations and frameworks such as Health Insurance Portability and Accountability Act (HIPAA), the HITECH Act that complements HIPAA by increasing the penalties for data breaches, the 21st Century Cures Act, General Data Protection Regulation (GDPR), PCI DSS, California Consumer Privacy Act (CCPA), Health Information Trust Alliance Common Security Framework (HITRUST CSF), Information Blocking Rule (2021) and Interoperability and Patient Access Final Rule (2021). Most of these focus on patient data privacy, data security, access to information, and cyber security.

Each of these is constantly being updated to keep pace with a rapidly changing risk landscape. For example, this year HIPAA saw some significant updates to its patient privacy provisions and outlined stricter cyber security requirements. It gives patients greater control over their data and mandated risk assessments, incident response plans, data encryption requirements, and updated breach notification requirements. Keeping pace with these updates, assessing their impact on various processes and functions, and adapting internal controls and policies is a significant challenge.

Furthermore, there are federal, state, and local regulations and rules that apply to healthcare providers. Each state has specific reporting requirements regarding public health emergencies, infectious disease outbreaks, and specifying how long medical records can be retained. Some states may even have their own laws regarding patient data. For example, California has laws pertaining to data breach notifications that have to be complied with in addition to HIPAA. Healthcare providers must report relevant situations to their state or local agencies in the prescribed format in addition to complying with federal regulations.

Additionally, healthcare providers must be accredited by industry organizations such as The Joint Commission (TJC) that evaluates organizations on parameters such as patient care safety and healthcare management, Accreditation Association for Ambulatory Health Care (AAAHC), and Urgent Care Association (UCA). This shows that the provider meets quality and safety benchmarks set by the governing bodies. Meeting accreditation requirements, and complying with standards set by each of these bodies is a complex and challenging task.

2. Enterprise Risk and Incident Management

Healthcare providers have to efficiently manage risks unique to the sector, in compliance with the relevant regulations. In addition to compliance risks, healthcare providers have to be prepared to deal with risks related to patient care and safety as any lapses can have severe legal and financial impacts in addition to damaging reputation and trust. They must be cognizant of risks pertaining to medical instruments and devices in the form of potential malfunctions that impact patient care. There are also risks pertaining to insurance claims, frauds, phantom billing, and upcoding. They have to conduct risk assessments periodically to identify and mitigate potential compliance issues and threats. They also must have comprehensive incident management processes in place to report and respond to crises quickly and effectively. Risks ranging from business operations, third parties, cybersecurity, ESG, and health hazards must be managed effectively along with appropriate business continuity plans. The healthcare industry must move from compliance check-in-the-box activity to proactive risk management to thrive in the complex risk landscape.

3. Data Privacy and Cyber Security

Patient healthcare data and records are sensitive and subject to strict security, privacy, and protection laws. Healthcare providers have to ensure that their technology systems meet HIPAA standards, which may prove to be a daunting exercise, particularly for smaller organizations.

Regulations like the 21st Century Cures Act emphasize the need for seamless and secure data sharing. And so, organizations must ensure their electronic health record systems are updated, secured, compliant with regulatory standards, and capable of securely executing data exchanges. It is equally important to ensure that different healthcare systems are interoperable while maintaining data security and privacy. Organizations must also ensure that their technology systems are updated and compliant with the latest security and regulatory standards to protect patient information and ensure foolproof compliance.

Adding to the challenge is the fact that the threat landscape is continually evolving with bad actors increasingly leveraging advanced technology to launch sophisticated attacks. Protecting health care data under these conditions can be a Herculean task. In February 2024 alone there were 24 data breaches, the biggest of which was the breach at Medical Management Resource Group that compromised 2.35 million records. Hacking and ransomware continue to plague the sector and only four breaches affecting 10,000 or more records in February were not hacking incidents. Data encryption is important to protect healthcare records. But ensuring encryption both in transit and at rest to prevent unauthorised access is a challenge.

The rapid evolution of Artificial Intelligence technologies has the potential to transform healthcare. From early detection, faster diagnoses, and better treatment to improved monitoring, decision-making, research, and training, AI is already being leveraged to drive better healthcare outcomes. But, AI comes with a significant risk of data breaches. AI platforms process huge volumes of sensitive data and any vulnerabilities can be exploited by bad actors. Healthcare providers leveraging AI must be cognizant of the security risks associated with it and implement stringent data protection strategies.

4. Third-Party Risk Management

Healthcare organizations rely on numerous external vendors ranging from cloud service providers to billing companies, medical device manufacturers and suppliers, and more. Many of these have access to sensitive healthcare data and are subject to the standards set by HIPAA. This is also a vulnerability that can be targeted by hackers. Additionally, healthcare providers must monitor third parties for operational and ethical risks as well as such unavailability or disruptions to medical services, AML, bribery, and other malpractices. Third-party organizations are subject to data protection and privacy regulations such as GDPR and PCI DSS. Healthcare providers must monitor their partners’ compliance with all relevant regulations, as well as their overall risk management and mitigation strategies.

Managing third-party risk must be a crucial part of a healthcare organization’s risk management strategy. They must conduct regular due diligence with vendor risk assessments and security assessments. Compliance with all relevant regulations and standards, and risk evaluation must be a contractual obligation for all third-party vendors working with healthcare organizations. In fact, the HITECH ACT extends HIPAA’s regulations to vendors and includes penalties for vendors for non-compliance. Healthcare organizations must regularly monitor their partners and conduct comprehensive and periodic audits to ensure ongoing compliance. Establishing BAAs with vendors to ensure compliance with a wide range of regulations is advisable, but managing third-party risks adds to the significant compliance challenges of healthcare organizations.

5. Continuous Monitoring and Reporting

Healthcare providers are operating within a regulatory landscape that is continuously evolving and they must ensure error-free compliance. They have to monitor the regulatory landscape on an ongoing basis to keep pace with emerging regulations and have the capability to adapt and map new regulations and updates to existing practices and controls. Continuous and automated monitoring of risks and controls is crucial for enabling real-time risk assessments, quick decision making, and faster, more effective mitigation efforts. They must have rationalized internal controls to mitigate risks and ensure compliance. They must have automated processes to onboard new third parties and carry out due diligence to ensure there are no gaps in compliance. They must also conduct regular digitized audits and continuous monitoring of compliance processes to ensure there are no gaps. Maintaining compliance reports, logs of security events and communicating with regulatory authorities is another key task for organizations.

Power-Up Your GRC Program with MetricStream

MetricStream’s Healthcare solution is purpose-built to help organizations in this highly regulated industry adopt and implement a streamlined, automated, and integrated approach to GRC. Healthcare providers can leverage advanced capabilities for managing regulatory compliance, enterprise risks, including cyber and third-party risk, and internal audit, to improve their overall risk and compliance posture and drive better-informed decision-making.

With MetricStream, your organizations can effectively:

  • Improve risk visibility with faster response to perceived risks, automate capture and management of regulatory changes
  • Streamline and digitalize GRC activities across the three lines of defense
  • Enhance cyber resilience with 360-degree visibility into cyber risks, threats, vulnerabilities, risk exposures, and compliance violations
  • Simplify and improve third-party risk management with automated processes for onboarding, real-time monitoring and control assessments
  • Prioritize internal audits with risk-based audits and automate audit reporting

Interested to find out more? Request a demo now.

Sumith-Sagar

Sumith Sagar Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC), Commodity Trading & Risk Management (CTRM) and cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.

 
Blogs

GRC Success Story: How dnata Integrated Firm-Wide GRC Processes with MetricStream

Weekly-Blog-Upload-16-May-2024-dsk
4 min read

Introduction

At the recently held GRC Summit 2024 in Baltimore, David Story, Vice President Health, Safety, & Environment, dnata, provided the audience with a detailed overview of their GRC journey experience with MetricStream.

Dubai National Air Travel Agency (or dnata) was established in 1959 through a government decree. It set up its first international business in 1993. Gradually, over the years, it has seen significant growth across all its business units.

Here are the excerpts from David’s session on “dnata’s Integrated GRC Transformation”.

GRC Program Objective

David: Our foremost priority is safety and security. Through a series of SMART objectives, we're building a best-in-class, health, safety, and environmental system, or HSE ecosystem, as we call it. Over the next few years, up to 2027 and beyond, through our medium-term plan, we are striving for a best-in-class or world-class status, and central to delivering on that goal is the effective use of our GRC platform.

Within dnata, MetricStream is the product that we use, and we have done a number of modifications and upgrades through MetricStream over the years. We refer to it within the company as “dnatahub”, which is everything we do from a GRC perspective.

So, in terms of why GRC is so important to us -- central to that is our safety management system, or SMS. SMS is essentially the bedrock of everything that we do across four key pillars -- safety policy, risk management, assurance, and promotion. To be able to deliver on the requirements of our SMS, our dnatahub platform is absolutely central to achieving those goals.

GRC Journey with MetricStream

David: So, how has the dnatahub platform evolved over the last few years?

We're now into the 9th year of our partnership with MetricStream, beginning back in 2015 along with our “Global One Safety” initiative. The first pillar in that strategy was rolling out Incident Management, which allowed us to have one platform for reporting safety occurrences across local businesses.

In 2018, there was global expansion – we introduced new applications within dnata in addition to incident management and reporting.

In 2020, we started moving into the continuous monitoring phase, which saw the likes of our Documentation Management System (DMS). We also introduced surveys and inspection through the auditors. We would go out there and report safety hazards and threats to our organization. This was across all three of our operational divisions.

The beauty of DMS is that it can be accessed by any of our team in the world who got access to Office 365 accounts. Examples of a DMS document could be a global safety alert, a new manual, a guideline document, or a new operational standard. All of those are published through DMS and are automatically and electronically tested within the system as well. So, for auditing purposes, it's very, very efficient.

We also launched Observation Management as well. And, through Issue and Action Management we can assign tasks and actions to our businesses around the world.

We're now moving into Phase IV, as we call it, looking at how we scale up as we continue to build our business. We are currently two weeks away from the launch of the Euphrates upgrade as well.

We've built a very strong partnership with MetricStream, and we've now established a very strong governance model as well in terms of performance monitoring.

Business Value Realized

David: What's been key to success is keeping things simple. One of the worst things you can do in my role as a safety professional is over-complicate how you manage safety within your business.

In terms of just some numbers, we have got:

  • 20,000+ documents hosted within the DMS platform
  • 10,000+ mobile users (around 14,000 to 15,000 currently)
  • 40,000+ audit and survey documents accessible within the platform

What gives me great confidence is 400,000+ observations. We actively encourage -- from our leadership level all the way down to the front line -- to report any unsafe behaviors and actions within our business. What we've seen over the last 2-3 years is a considerable increase in the number of safety reports within the business. So that leads to a much more positive and safety-aware culture.

Looking Ahead

Over the next few years, we've got some really interesting challenges coming our way. You would have seen the announcement about the new airport project in Dubai. The target is 2033 for the opening of the new terminal with a capacity of 250 million passengers a year. We already have that airport as we have for the last 10 years, and this will be a significant upgrade to be the world's largest international gateway.

We have two to three new businesses that are going to be coming online towards the end of this year, including a particularly large business in Italy. And it's essential that we look at how we scale up to meet that demand, because we could have potentially 3,000 to 4,000 users within dnata by the end of this year.

 

Also Read:

  1. How Autodesk Moved from Siloed to Integrated IT Risk and Compliance Processes
  2. How American Fidelity Assurance Enhanced Third-Party Risk Management and IT Compliance Functions 
  3. Apple Bank Enhances and Streamlines Cyber Risk Management Program with MetricStream
Sumith-Sagar

Sumith Sagar Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC), Commodity Trading & Risk Management (CTRM) and cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.

 
Blogs

AI Regulation Trends: Your Guide to AI Policies in the US, UK, and EU

blog-3-July-2024-dsk
8 min read

Introduction

The rapid evolution of Artificial Intelligence (AI) and particularly Generative AI has opened up new opportunities, and prospects of development and inclusive growth. But, in the wrong hands, AI can unleash fraud, discrimination, disinformation, stifle healthy competition, disenfranchise workers, and even threaten national security. The United States of America, the European Union, and the United Kingdom have taken the first steps to regulate the development of AI with a strong focus on data privacy, transparency, accountability, security, and ethics.

Here is a quick overview of the key regulations being implemented in these three regions, highlighting the main points to note.

The European Union’s Artificial Intelligence Act

The European Parliament adopted the Artificial Intelligence Act in March 2024, which will be fully applicable 2 years after entry into force. The objective of this Act is to standardize a technology-neutral definition for AI for future reference. Furthermore, the Act aims to ensure that AI systems within the EU are safe, transparent, traceable, non-discriminatory, environmentally friendly and monitored by people and not automation. The law uses a risk-based approach, with different requirements based on the level of risk. 

Risk level definition: It defines 2 levels of risk and states obligations for providers and users depending on the risk level:

  • Unacceptable Risk AI Systems - These are considered to be harmful for people and will be banned:

    • Cognitive behavioral manipulation of people or vulnerable groups
    • Social scoring or segmentation of people based on behavior, personal characteristics or socio-economic status
    • Biometric identification and categorization
    • Real time and remote biometric identification such as facial recognition programs

    There are some exceptions and rules established for law enforcement agencies.

  • High Risk AI Systems - AI systems that can negatively impact fundamental rights and / or safety of people:

    AI systems used in products covered by the EU’s product safety legislation, such as toys, aviation devices and systems, cars, medical devices and elevators.

    AI systems in specific areas that have to be registered with an EU database:

    • Systems used for managing or operating critical infrastructure
    • Systems used for educational and vocational training
    • Those used to employment, employee management and access to self -employment
    • Those that are involved with access to and utilization of essential private and public services and benefits
    • Law enforcement systems.
    • Systems involving migration, asylum, border control management
    • Those providing legal interpretation and application of laws.

    High-risk AI systems will have to be assessed before they can reach the market and will be assessed throughout their lifecycle. EU residents can file complaints with relevant national authorities.

Transparency requirements – While the Act does not classify Generative AI as high risk, it mandates transparency requirements and compliance with EU copyright laws:

  • Disclosures that state the content was generated by AI
  • Designing the model to stop it from generating illegal content
  • Publishing summaries of copyrighted data used for training

Supporting Innovation – The Act aims to help startups and small to medium businesses leverage AI with opportunities to develop and train AI algorithms before public release. National authorities have to provide companies with suitable testing conditions that simulate real-world conditions.

United Kingdom’s Response to the White Paper Consultation on Regulating Artificial Intelligence

In February 2024, the UK Government announced its response to the 2023 whitepaper consultation on AI regulation. Its pro-innovation stance on AI follows an outcome-based approach with a focus on 2 key characteristics – adaptivity and autonomy – that will guide domain specific interpretation.

It provides preliminary definitions for 3 powerful AI systems that are integrated into downstream AI systems:

  • Highly capable GPAI – large language models fall into this category. These are foundational models that can carry out a wide range of tasks. Their capabilities can range from basic to advanced and can even grow to outpace the most advanced models in use currently.
  • Highly Capable Narrow AI- these can carry out a limited range of tasks within a specific field or domain. These can also meet or outpace the most advanced models in use today within those specific domains
  • Agentic AI – this is an emerging subset of AI technology that can complete numerous sequential steps over long periods of time using tools like the Internet and narrow AI models.

It sets out five cross-sectoral principles for regulators to use when driving responsible AI design, development, and application:

  • Safety, security, and robustness
  • Appropriate transparency and explainability
  • Fairness
  • Accountability and Governance
  • Contestability and Redress

The principles are to be implemented on the basis of three foundational pillars:

  • Working with existing regulatory authorities and frameworks – UK will not be instituting a separate AI regulator. Instead existing regulatory offices such as the Information Commissioner's Office (ICO), Ofcom, and the FCA, will implement the five principles as they oversee their respective domains and use existing laws and regulations. They are expected to quickly implement the AI regulatory framework within their domains. Their strategy must include an overview of the steps taken to align their AI plans with the principles defined in the framework, an analysis of AI-related risks, and an overview of their ability to manage these risks.
  • Creating a central function for risk monitoring and regulatory coordination – The UK has set up a central function within DSIT to monitor and evaluate AI risks and address any gaps in the regulatory environment. This is because AI opportunities and risks cannot be addressed in isolation.
  • Foster innovation via a multi-agency advisory service – A multi-regulatory advisory service, the AI and Digital Hub, will be launched to help innovators ensure complete legal and regulatory compliance before they launch their products.

Blueprint for an AI Bill of Rights by the White House Office of Science and Technology Policy

The White House Office of Science and Technology Policy has formulated the Blueprint for an AI Bill of Rights with five principles to guide the design, use, and deployment of AI systems. The includes:

Safe and Effective Systems

  • Diverse communities, stakeholders, and domain experts should be consulted during the development of automated systems so that concerns, risks, and possible impact of the systems can be better identified
  • Extensive pre-deployment testing, risk identification and mitigation, and ongoing monitoring to ensure safety and effectiveness
  • Automated systems must be designed to proactively protect the American public from any negative impact due to unintended uses or impact of the systems. This includes inappropriate or irrelevant use of data in the design, use, and deployment of these systems

Algorithmic Discrimination Protections

  • This happens when automated systems contribute to differential and unfair treatment of people based on their race, color, ethnicity, gender, medical condition, sexual orientation, gender identity, religion, disability or any other classification protected by law
  • Designers and developers have to take proactive and continuous steps to protect the American public from such discrimination and ensure that systems are designed to be equitable
  • This must include proactive equity assessments as part of the system design, use of representative data, protection against proxies for demographic features, ensuring accessibility for people with disabilities, disparity testing and mitigation, and organizational oversight
  • It also recommends independent evaluation and plain language reporting

Data Privacy

  • Built-in measures to protect against abusive data practices and default measures to ensure individual agency over how personal data is collected and used
  • Designers, developers, and deployers of such systems must secure individual consent regarding the collection use, transfer, access, and even deletion of personal data
  • Consent collection mechanisms must be brief and in easily understood language
  • Data pertaining to sensitive domains such as healthcare, education, criminal justice, and finance, must be used only for necessary functions and be protected by ethical review and use prohibitions
  • The American public cannot be subjected to unchecked surveillance and such technologies must undergo stricter oversight with pre deployment assessment of possible negative impact
  • Continuous surveillance cannot be used in education, work, housing, or in other contexts where the use of such surveillance technologies is likely to limit rights, opportunities, or access

Notice and Explanation

  • People must know when an automated system is being used and understand how it impacts them
  • This must be communicated via plain language documentation with clear description of how the system works and its outcomes
  • People must know when an outcome impacting them was determined by an automated system even when that system was not the only input determining the outcome

Human Alternatives, Consideration, and Fallback

  • People should have the option of connecting with people to remedy any problems and should be able to opt out of automated systems to engage with a person instead
  • Engagement with humans should be accessible, equitable effective and managed well with adequate operator training. It should not put additional burden on the public
  • Automated systems in sensitive domains must be customized to provide meaningful access for oversight and include human consideration for high risk or negative decisions

In addition to these federal guidelines, several states are also formulating their own regulations. 17 states (California, Colorado, Connecticut, Delaware, Illinois, Indiana, Iowa, Louisiana, Maryland, Montana, New York, Oregon, Tennessee, Texas, Vermont, Virginia and Washington) have enacted 29 bills on AI regulation over the last five years.

Stay Ahead with MetricStream

AI technologies are here to stay and the world has to learn to use them safely for the betterment of humanity. Regulations for AI development and use are critical to protect populations from bias, discrimination and breach of privacy. AI technologies are evolving at an unprecedented pace, and regulators across the world are following suit with quick updates or new frameworks. Organizations need automated compliance platforms to keep pace with this rapidly changing regulatory landscape.

MetricStream’s Compliance Management can simplify and fortify enterprise compliance initiatives amidst a rapidly changing regulatory landscape. Gain greater visibility into control effectiveness and quick issue remediation with streamlined:

  • Mapping of regulations to processes, assets, risks, controls, and issues
  • Identifying, prioritizing, managing, and monitoring areas of high compliance risk
  • Performing control testing and monitoring
  • Creating and communicating corporate policies
  • Identifying, capturing, and managing regulatory updates
  • Generating reports with drill-down capabilities

Even as compliance management is simplified and streamlined, it is important to have a mechanism in place to keep track of rapidly evolving regulations. MetricStream’s Regulatory Change Management platform is a centralized framework that can help organizations capture, curate, identify, extract, consolidate, and manage regulatory changes and updates sourced from diverse providers.

Find out more. Request a personalized demo today!

Pat McParland

Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.

 

Related Resources

Blogs

Enterprise GRC in Asia-Pacific: Trends, Challenges, and Opportunities

blog-26-June-2024-dsk-1
6 min read

Introduction

With Asia-Pacific’s (APAC) economic growth surpassing expectations, businesses have much to be optimistic about. However, as regulations and risks in the region grow more numerous, the need for effective governance, risk, and compliance (GRC) has never been more pressing. APAC GRC professionals are being called upon to spot emerging risks, connect the dots, and help their organizations adapt swiftly to regulatory changes. GRC solutions that can help meet these demands at scale and speed will make all the difference.

I recently had the chance to host GRC Design Workshops in Malaysia and the Philippines in association with our strategic partners - HCLTech and Expleo respectively. The workshops, led by Michael Rasmussen, GRC Analyst & Pundit, GRC 20/20 Research, delved into a range of GRC areas, including the evolving risk and regulatory landscape in APAC, GRC challenges faced by organizations in the region, how technology and automation can help, and more.

Here are some of the key takeaways from the workshops, providing insights into the trends and opportunities likely to be encountered by GRC professionals as they gear up for the road ahead.

1. Constantly Changing Regulations

Keeping pace with regulatory change is no small feat. In the past three years alone, Singapore, Hong Kong, and Australia have either revised or issued new standards and guidelines around operational risk management and resilience.

Meanwhile, India enacted its first comprehensive data protection law in 2023 – the Digital Personal Data Protection (DPDP) Act, even as Japan substantially amended its own Act on the Protection of Personal Information (APPI), a year earlier.

Climate change too has been enveloped in a flurry of regulatory activity. Vietnam’s Law on Environmental Protection took effect in 2022, followed by Malaysia’s Energy Efficiency and Conservation Act in 2023.

2. Risks Galore

In addition to juggling regulations, APAC GRC professionals also have to navigate a growing variety of risks – including the Ukraine and Middle East conflicts that have strained global supply chains; extreme weather events like the floods in China and drought in India; the risks of deep fakes and misinformation associated with AI; and of course, the constant threat of a cyberattack. Incidentally, APAC experienced the highest year-on-year surge in weekly cyberattacks during Q1 2023, with an average of 1,835 attacks per organization.

Risks come from within the organization too – from changes to business objectives, structures, processes, employees, and technologies, as well as from the extended enterprise of suppliers, vendors, contractors, dealers, and distributors.

Getting these risks under control is key to strengthening organizational resilience and performance.

3. Connecting the Dots

If there’s anything we’ve learned over the past few years, it’s that everything is connected. A data breach in a third-party service provider’s system can disrupt entire supply chains, damage business reputations, trigger hefty regulatory penalties, and sometimes even shut down operations for days.

That’s why it’s so important to be able to see the big picture – to understand how risks impact and influence each other, how they affect compliance, and how they hinder or help the achievement of business objectives. 

GRC offers that perspective. It enables organizations to understand the road ahead more clearly, make better-informed decisions, and capitalize on the right opportunities at the right time. In other words, GRC shouldn’t be seen as an afterthought, but an enabler of the business.

Challenges and Roadblocks

APAC GRC professionals tell us that these are some of the GRC challenges they face:

  • Data silos: Risk and compliance data is scattered across disparate systems and business functions. So, organizations don’t have a clear view of their GRC universe.
  • Inefficient processes: GRC data is manually managed through spreadsheets, emails, and other cumbersome tools that slow down risk efforts and limit efficiency.
  • Lack of forward-looking risk visibility: When an organization’s sights are only fixed on the rear-view mirror, they aren’t able to anticipate emerging risks. Issues are managed reactively rather than proactively.
  • Limited agility: With manual and siloed GRC processes, organizations can’t adapt quickly to regulatory and business changes. Nor can they coordinate and integrate GRC across business functions.
  • Forgetting the G in GRC: Many organizations forget that GRC begins with governance – i.e., the achievement of objectives. Whether it’s an enterprise objective or a process objective, that’s what risks and compliance should be measured against.

The GRC Playbook: Six Winning Practices

Here are six ways to overcome the above challenges, and create a truly world-class GRC program:

  • Automate wherever possible: Toss out those spreadsheets, and unlock new efficiencies by streamlining and automating your GRC processes. With automation, you can monitor risk exposure and compliance status in real time, and respond more proactively when issues Also, automating routine GRC tasks frees up more time for your teams to focus on value adding and strategic activities like risk analysis.
  • Build a single source of GRC truth: Break down silos, and unify all your GRC data in a single system of record. Enrich that data by integrating information from other systems like ERP platforms, social media, transaction systems, threat and vulnerability scanners, and regulatory content feeds. The idea is to have complete horizontal and vertical GRC visibility across your enterprise through one platform. This can help you make better-informed decisions that optimize risk-reward trade-offs.
  • Understand risk interconnectedness: Map your GRC data in such a way that users understand the relationships between various risks, regulations, policies, controls, third parties, ESG (environmental, social, and governance) elements, strategic objectives, audits, incidents, and cases. Having a connected view of GRC will help you target your risk management efforts and resources in the right place, in the right way, at the right time.
  • Foster risk awareness across teams: Bring together your risk managers, compliance professionals, and auditors on one platform where they can seamlessly collaborate and exchange GRC insights. Empower your front line with simple, intuitive GRC tools to capture issues and risks as they arise.
  • Enable continuous control monitoring and regulatory horizon scanning: Chances are that you can’t manually monitor all your controls and regulatory changes all the time – even though you need to. So, choose a continuous control monitoring (CCM) tool that can automate the process. Go from periodic, sample-based testing models to always-on monitoring of full control populations. Couple that with regulatory change management software that can automatically capture alerts on proposed and anticipated legislation, as well as regulatory updates. So, you can adapt your compliance program faster.
  • Use AI for richer insights: AI-powered analytics can unlock the full potential of your GRC and transactional data by connecting with multiple data sources, and drawing out insights faster. Use it to enable predictive and data-driven decision-making. You can even train AI models to identify risk and control deficiencies, patterns of over-testing and under-testing, and duplicate risks and controls that can be removed.

Transform your GRC program with MetricStream

MetricStream ConnectedGRC helps you build an automated, truly integrated, and collaborative approach to GRC. Reduce risk exposure with streamlined assessments and mitigation. Enable consistent compliance with robust control testing and reporting tools. Finally, achieve your objectives with ease using strong governance and policy management mechanisms.

MetricStream products are packed with best practice workflows, content, AI, and analytics to help you:

  • Drive business growth and strategic differentiation through your GRC program
  • Connect risk, compliance, audit, cybersecurity, and sustainability on one platform
  • Improve GRC efficiency, reduce costs
  • Protect your digital business from cyber risks and evolving threats
  • Grow with purpose using ESG best practices

To learn how MetricStream can help you on your GRC journey, request a personalized demo today.

Vishwas-Udupa-headshot

Vishwas Udupa Director, Field Sales MEA

Vishwas Udupa is Director of Sales (MEA & APAC) at MetricStream. In his role, Vishwas is responsible for market strategy and sales, managing marquee accounts, regional go-to-market initiatives, and analyzing market trends.

Vishwas has 19 years of experience in Governance Risk and Compliance (GRC) domain as a Risk & Audit consultant and in sales profile across Oracle Financial Services, Thomson Reuters, London Stock Exchange Group (LSEG) and Empowered Systems. He has a Masters in Business Administration at ICFAI and Bachelor of Engineering degree from MSRIT, and lives in Bangalore, India.

 

Related Resources