Metricstream Logo
×
Blogs

GRC Leaders Speak: Top 5 Themes from the 2024 MetricStream GRC Summit

GRC-Summit-Recap-Blog-for-Jul-24-blog-banner
10 min read

Introduction

Just a few weeks ago, on June 17th and 18th, the Baltimore Marriott Waterfront was abuzz as over 150 governance, risk, and compliance leaders gathered for the MetricStream GRC Summit—the premier GRC event of the year.

Over the course of two days, MetricStream brought together some of the foremost experts in GRC – with more than 50 speakers – who shared invaluable keynotes, best practices, case studies, and strategic insights on critical areas of focus and priority for leaders. The summit also offered plenty of opportunities to network with peers and celebrate the announcement of the 2024 GRC Journey Awards winners.

I wanted to share some standout moments and key themes shared during the event. You can also check out the video highlights and presentations.

5 Key Themes That Emerged During the Summit

1. AI at the Epicenter

Driven by its immense ability to automate tasks, increase productivity, and predict outcomes, Artificial Intelligence (AI) has quickly moved to the epicenter today. Organizations across industries are leveraging AI to streamline operations, revolutionize marketing strategies, and gain a competitive edge. Its applications range from automating customer service with chatbots to predicting market trends, and optimizing supply chain management.

In GRC, AI’s transformative potential enables organizations to manage risk more effectively, improve compliance, and make data-driven decisions for better governance. Enterprises are effectively utilizing AI for control monitoring, intelligent issue and remediation management, intelligent control insights and control test prioritization, the creation of a common view of risks, and so much more.

While effective and responsible AI systems are crucial, GRC leaders at the Summit focused on the importance of: 

  • Promoting the augmentation of human capabilities in conjunction with AI tools rather than outright replacement
  • Focusing on data quality, which is essential to build trust and transparency
  • Implementing robust guardrails for AI to prevent bias and ensure ethical standards are upheld
  • Fostering a balanced approach to leveraging AI in GRC processes for more informed, agile, and ethical governance and risk management practices.

Here are two quotes that sum up the depth of discussions around AI.

“One of our priorities is to keep GRC simple. There are two aspects of AI –how do you bring AI to GRC and how do you bring GRC to AI?” --Gunjan Sinha, Co-Founder of MetricStream

“We are at an inflection point on the adoption of AI. Targeted AI adoption for specific use cases will gain traction. Humans in the loop is extremely important.” --Anand Narayan, Head of Regulatory Change Management, Sumitomo Mitsui Banking Corporation

2. From Reactive Risk and Compliance to Proactive Resilience

“Agility is extremely important in managing emerging risks and regulatory requirements,” said Prabha Thomas, Chief Risk and Compliance Officer, Tata Consultancy Services. I couldn’t agree more. In today’s fast-paced and interconnected business environment, a conscious move from reactive risk and compliance to embracing proactive resilience is not just a strategic choice—it is essential for thriving in the face of uncertainty.

To build proactive resilience, organizations will need to build risk and compliance agility with a unified view powered by a centralized platform that continuously scans the horizon with regulatory change-tracking technologies and automated feeds from trusted content sources. They will need to integrate compliance management systems with other enterprise systems and apply AI and automation for automated recommendations. Furthermore, given the multitude of regulatory requirements, organizations will need to move to continuous compliance by implementing tools that help them automate control testing and evidence collection for all their enterprise controls.

3. The Changing Role of the CISO

A particularly resonant theme was the evolving role of the CISO. Numerous Chief Information Security Officers (CISOs), Chief Security Officers (CSOs), and Cyber Risk leaders at the Summit shared their insights on how the role has increasingly shifted towards a business-oriented focus, emphasizing that cyber risk is now recognized as a critical business issue rather than solely a technical one.

Added responsibilities of a CISO now include organizational governance, data loss prevention, and compliance with regulations. This requires not just a solid technical foundation but also a strong grasp of business principles to effectively communicate with other C-level executives and the board.

A CISO’s toolkit today should include a 360-degree view of the organization’s IT risk posture and cybersecurity investment priorities, along with continuous control monitoring, insightful reporting, and cyber risk quantification. This blend of skills and technology ensures they can anticipate risks, implement robust security architectures, and foster a culture of security within their organizations – as well as communicate strategically with the board.

4. Responding to Rapidly Evolving Regulations

“Regulators are connecting the dots,” warned Deputy Chief Risk Officer, Bank OZK. “If we as an organization don’t break down the underlying siloes, we lose control. We transitioned as a team to look at all the various risk stripes in an interconnected view.”

With the regulatory environment evolving faster than ever, it is crucial for GRC professionals to stay ahead of regulatory changes to ensure that organizations remain compliant and avoid potential fines and reputational damage. This requires utilizing advanced technologies such as AI and cloud-based platforms to streamline this process, ensuring that compliance professionals receive real-time updates and can assess their implications swiftly.

5. Collaboration is Key to Success

An essential takeaway from the Summit was the wise words of Tolu Oyesfesobi, Head of Financial Controls and Operational Risk, Inter-American Development Bank, who reminded us all to “Have a lot of coffee with your business… for collaboration is key to breaking down silos.”

This simple yet profound advice underscores the importance of fostering strong, communicative relationships within our organizations to achieve seamless integration and collective success.

It also underscores the importance of connecting with the GRC community. In line with the theme, "Experience The Power of Connection," the Summit stood out for bringing together the expertise of top GRC professionals. Customers, including Blue Cross Blue Shield of Michigan, Bank OZK, and Apple Bank, shared their success stories, vividly illustrating how they have effectively tackled the complexities of GRC challenges. We also conducted workshops on how to align ERM with your organization’s GRC strategy and cyber risk quantification that offered practical insights and use cases from industry experts.

The Future of GRC is Connected

As we wrapped up two insightful days in Baltimore, the overarching topic that sparked a lot of discussion was the need to advance GRC maturity with a connected GRC strategy, especially one that is Cognitive, Continuous, and Cloud-based.

  • Cognitive leverages AI and machine learning to automate and optimize risk and compliance processes, providing real-time insights and predictive analytics
  • Continuous ensures ongoing monitoring and assessment of risks and controls, reducing business losses and improving operational efficiency
  • Cloud-based solutions are low-code, no-code and come with scalability, flexibility, and security, enabling organizations to manage their GRC initiatives seamlessly across various functions

MetricStream's 14th Annual GRC Summit took place on June 2-3, 2026, at the Royal Garden Hotel in London, themed around the Power of AI and Resilience, bringing together C-suite executives, board members, risk officers, and GRC practitioners to explore how AI is transforming governance, risk, and compliance.

Access Summit Resources Here!

Frequently Asked Questions

The 2024 MetricStream GRC Summit was held on June 17th and 18th at the Baltimore Marriott Waterfront, bringing together over 150 governance, risk, and compliance leaders with more than 50 speakers across two days of programming. The event focused on keynotes, best practices, case studies, and strategic insights covering the most pressing issues in GRC.

The top themes from the 2024 MetricStream GRC Summit reflected the most pressing priorities for GRC leaders: the transformative role of AI in risk and compliance, the escalating complexity of regulatory environments, the strategic imperative of operational resilience, the importance of integrated risk management across functions, and the need to address cyber risk as an enterprise-wide governance responsibility. These five themes have continued to define the GRC agenda in the years since.

Summit speakers highlighted that AI enables real-time risk monitoring, automated regulatory change management, and predictive analytics that surface emerging threats before they materialize, fundamentally changing how organizations identify, assess, and respond to risks. For GRC professionals managing growing data volumes and more complex risk landscapes, AI represents the primary path to scaling programs without proportional increases in headcount.

Speakers and participants described the regulatory environment as accelerating in both complexity and pace, with multiple overlapping frameworks from data privacy to financial resilience to AI-specific regulation creating compliance challenges that traditional manual approaches cannot address. Many organizations at the summit were working to build more agile compliance capabilities that can respond to regulatory changes in days rather than months.

For summit participants, operational resilience represents a shift from treating business continuity as a crisis management exercise to embedding resilience as a permanent organizational capability. GRC leaders highlighted the importance of identifying critical services, defining tolerance limits, stress-testing operations, and demonstrating resilience to regulators through evidence of actual testing rather than documented plans.

The MetricStream GRC Summit serves as one of the leading forums for GRC professionals to share practical experience, benchmark their programs against peer organizations, and explore emerging technologies and regulatory developments. The combination of practitioner-led sessions, expert keynotes, and peer networking creates a venue where ideas translate into actionable next steps for real GRC programs.

Speakers at the 2024 summit emphasized that technology alone cannot solve the silo problem and that cultural and structural change is equally important, with successful approaches including joint risk committees with cross-functional representation, shared risk taxonomies, and executive sponsorship for integrated GRC initiatives. These structural changes create the conditions for technology to deliver its full value.

Participants gained actionable insights on building AI governance frameworks, structuring integrated risk programs, designing resilience testing programs that satisfy regulatory expectations, and communicating risk in business terms to boards and senior leadership. The summit's format combining keynotes, case studies, and working sessions was designed to produce takeaways that participants could implement within their organizations.

The MetricStream GRC Summit has evolved from a platform-focused user conference to a broad industry event addressing the strategic, regulatory, and technological forces shaping governance, risk, and compliance. Each year reflects the issues GRC professionals are wrestling with most urgently, from ESG and data privacy to operational resilience and AI governance.

The MetricStream GRC Summit attracts GRC leaders from large global enterprises across financial services, healthcare, energy, life sciences, technology, and other regulated industries. Attendees typically include Chief Risk Officers, Chief Compliance Officers, Chief Audit Executives, CISOs, risk managers, compliance officers, and internal audit leaders, making it a cross-functional gathering that reflects the interconnected nature of modern GRC.

Pat McParland

Patricia McParland VP – Marketing

Pat McParland is VP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.