We had a fantastic start to the year at MetricStream, with global leading research and advisory firm Forrester recognizing us as a Leader in The Forrester Wave™: Third-Party Risk Management (TPRM) Platforms, Q1 2024.
The recognition comes on the heels of The Forrester Wave™: Governance, Risk, and Compliance Platforms, Q4 2023, which also named MetricStream as a Leader with the highest possible scores in the GRC Vision, IT/Cyber Risk Management capabilities, AI/ML, product roadmap, and partner ecosystem criteria. Being recognized as a Leader in GRC and TPRM by Forrester is a testament to MetricStream’s unwavering strive for excellence and our commitment to helping organizations thrive on risk.
MetricStream has been spearheading GRC innovation for 25 years now, enabling organizations across industries and geographies to embark on the GRC journey and achieve business excellence. Being validated by independent research firms consecutively for many years is no ordinary feat. It requires determination, hard work, and a lot of perseverance.
There are three key reasons that make MetricStream a leader in GRC:
MetricStream has been a trusted GRC partner for organizations across industries and geographies for nearly 25 years now. In our journey so far, we have experienced many “GRC waves” – the financial crisis in 2008, technological advancement with automation and mobile technologies around 2015, the global healthcare crisis due to the COVID-19 pandemic in 2020, and the AI revolution, particularly generative AI, in 2023.
What’s been a differentiating factor for MetricStream in all of these major global events was the ability to foresee and embrace the risks and opportunities they presented. The leaders at the helm of the company – Gunjan Sinha, Executive Chairman and Co-Founder, Gaurav Kapoor, Co-CEO and Co-Founder, and Prasad Sabbineni, Co-CEO – with their extensive experience and in-depth knowledge are uniquely positioned to guide the company’s GRC innovation roadmap and strategy to make it more relevant and forward-looking.
The product innovation roadmap and strategy are also continuously refined and improved based on customer feedback. The objective is to ensure that our products and solutions meet and exceed the needs of today’s modern enterprise. We regularly engage with our customers via dedicated product councils and special interest groups to understand customer pain points, challenges, and expectations.
The progressive vision and roadmap are brought to life via our product and platform releases. Especially in the past three years – starting from Arno to the most recent Euphrates release, we have enriched our products and solutions with advanced features and functionalities, such as low-code/no-code capabilities, connected insights, cloud-native technology, AI-powered issue and remediation management, advanced risk quantification capabilities, autonomous and continuous monitoring and testing of controls, and more. AiSPIRE, the most recent addition to our product suite, enables organizations to leverage the benefits of AI for optimizing their control environment.
But what does this mean for organizations? How are we helping companies thrive on risk?
The answer lies in the business value we deliver (based on customer responses and the GRC Journey Business Value Calculator):
Learn how we helped Zurich Insurance, Switzerland's largest insurer, revolutionize its compliance, policies, and enterprise risk management processes in this award-winning case study.
MetricStream partners play an indispensable role in our success story by helping us expand our reach and enhance the depth of our cutting-edge solutions. Our partner program is built on the core values of driving innovation, accelerating time-to-value, and achieving GRC expectations of organizations. The concerted effort aims to empower organizations to make risk-aware decisions, improve efficiency, and build resilience.
The MetricStream partner ecosystem includes some of the biggest names in the industry, such as Amazon Web Services (AWS), Deloitte, HCL Technologies, Infosys, PwC, KPMG, and many others.
As the GRC landscape continues to evolve and become more interconnected, complex, and dynamic, organizations will need true GRC systems and programs with an integrated and connected approach supported by AI, cloud, and continuous capabilities. And we are hard at work to bring these next-generation solutions to you and help you advance on your GRC maturity curve.
If you’re looking to embark on the GRC journey and want to understand how MetricStream can help, contact us today!
Get your complimentary copy of The Forrester Wave™: Governance, Risk, and Compliance Platforms, Q4 2023 by clicking on the link.
In today's rapidly shifting business landscape, where uncertainty seems to be the only constant, Governance, Risk, and Compliance (GRC) strategy, process, and technology are more critical than ever. This era is marked by a kaleidoscope of challenges: geopolitical instabilities, economic volatility, and a relentless pace of technological innovation. In my recent webinar with MetricStream’s Patricia McParland, GRC Trends and Strategies to Accelerate Risk, Compliance, and Audit Programs in 2024 and Beyond, I had the privilege of diving into this whirlpool of change to explore emerging GRC trends and strategies for 2024 and beyond.
Watch now: GRC Trends and Strategies to Accelerate Risk, Compliance, and Audit Programs in 2024 and Beyond
When I reflect on the state of global business today, I see a world grappling with unparalleled complexities. These complexities are not just passing clouds but signify a profound transformation in how businesses operate and how risks are perceived and managed. In our interconnected global economy, the ramifications of geopolitical shifts are felt almost instantaneously, economic uncertainties loom large, and the digital revolution continues to redefine the landscape. Against this backdrop, traditional GRC programs and risk intelligence methodologies are undergoing a stress test. The question arises whether our current tools and frameworks are robust enough to navigate this dynamic and sometimes tumultuous environment.
In the webinar, I endeavored to peel back the layers of these complexities, offering a nuanced perspective on the future of GRC; this includes:
As I discussed these themes with Patricia McParland from MetricStream, it became increasingly clear that the future of GRC is a multifaceted and stimulating realm. It demands an integrated, agile, and technology-empowered approach. Organizations that embrace these emerging trends and fortify their GRC frameworks will be well-equipped to navigate and capitalize on the opportunities presented by the complexities of today's business world. This webinar offered a platform to share comprehensive insights and practical strategies for organizations looking to enhance their GRC frameworks in these transformative times. It was an enlightening experience to contribute my thoughts and engage in a meaningful dialogue on the future of GRC.
Watch now: GRC Trends and Strategies to Accelerate Risk, Compliance, and Audit Programs in 2024 and Beyond
In the dynamic landscape of modern business, the need for effective Governance, Risk, and Compliance (GRC) processes has never been more critical. As organizations navigate the intricate risk and regulatory landscape globally, a robust GRC strategy becomes paramount not just for business success but also to ensure Business As Usual.
MetricStream, a market leader in GRC software products and solutions, underscores the crucial role of automation in GRC programs, enhancing efficiency and ensuring compliance in highly regulated industries. This article explores GRC automation, its importance for organizations, and the steps to seamlessly integrate automation into existing processes.
Governance, Risk, and Compliance represent the three pillars that provide a structured framework for managing an organization's operations. GRC automation is the integration of technology-driven solutions to streamline and optimize these processes, ensuring they align with regulatory requirements and internal policies.
GRC automation tools leverage advanced technologies, such as artificial intelligence and machine learning, to enhance decision-making and mitigate risks effectively. These tools provide a unified platform that enables organizations to manage governance, assess risks, and ensure compliance seamlessly. The automation process involves the use of software solutions to replace siloed, manual, and time-consuming processes, reducing errors and improving overall operational efficiency.
Recent developments in the business world highlight the increasing significance of streamlining GRC processes and the need for automation in this sphere.
In the United States, where regulatory frameworks continue to evolve, enterprises are grappling with the complexities of compliance. The Securities and Exchange Commission (SEC) has been actively tightening regulations, emphasizing the importance of robust internal controls and risk management. Similarly, in the United Kingdom and Europe, post-Brexit, companies are navigating new regulatory landscapes, necessitating agile GRC processes to adapt to changing compliance requirements.
While the business environment continues to evolve, the advent of Generative AI has brought opportunities for automation to organizations but also posed new problems, such as data privacy and data governance challenges. When a few thousand users in and around the organization are all exposed to new and powerful AI tools, what prerogative must be set to ensure they all operate within the legal framework of the company?
Governance, then, extends beyond compliance with existing norms alone and should take on the ability to predict and plan for changes to a future that is also evolving simultaneously. Specifically, automating the GRC process gives business leaders an opportunity to accurately capture changes both within and outside the organization, make key decisions in time by observing and validating patterns, and set their company up for success and stability at all times.
The business landscape is evolving at an unprecedented pace, with regulatory requirements becoming increasingly complex. Organizations face the challenge of maintaining compliance while simultaneously dealing with intricate governance structures and managing risks effectively. Here are just a few advantages of GRC process automation:
Additionally, pilot testing and phased implementations can help identify potential challenges and streamline integration.
A thing of beauty is a joy forever, and that holds especially true for complex implementations such as GRC automation. When done right, GRC automation brings forth a multitude of benefits for organizations aiming to navigate the complex landscape of governance, risk, and compliance.
That said, points of failure are many, and a project of this nature can quickly crumble if not led by an able governance team. Here are just a few challenges that could arise.
In the dynamic landscape of modern business, the adoption of GRC automation is not merely a choice but a strategic imperative. MetricStream's emphasis on providing comprehensive GRC automation solutions underscores the growing importance of leveraging technology to enhance governance, manage risks, and ensure compliance.
Careful consideration of limitations in existing systems, solution choices, and integration with existing tools is essential for a successful implementation. The consequences of poor automation underscore the need for a meticulous approach, emphasizing user training, fine-tuning, and the judicious use of AI in the GRC context.
By embracing GRC automation, organizations can unlock efficiency, improve risk management, and navigate the intricate web of compliance requirements with agility. The road to automation may present challenges, but the long-term benefits far outweigh the initial hurdles, positioning organizations for sustained success in an ever-changing business environment.
Our Enterprise GRC solution automates risk and compliance data from across the enterprise and third-party vendors into actionable business intelligence for risk-aware decision-making.
Interested to learn more? Request a customized demo now.
At MetricStream, diversity, equity, and inclusion (DEI) are not just buzzwords; they are the cornerstone of a thriving and innovative workplace. Established as core to our organizational culture, DEI principles have helped in driving innovation, empowerment, and collective growth. As we celebrate International Women's Day (IWD) on March 8, 2024, it's an opportune moment to reflect on not just the importance of recognizing and amplifying the achievements of women worldwide but also actively working towards creating a more equitable and inclusive future for all. It also calls attention to the IDW theme for this year, #InspireInclusion, which emphasizes the need to create a world where everyone, regardless of gender, is included, respected, and valued.
As leaders in governance, risk management, and compliance (GRC) software solutions for 20+ years, we recognize the invaluable contributions of women to our success. Women play a pivotal role in driving innovation and ensuring organizational success at MetricStream. We are proud that today, women make up 33% of our workforce. Globally, women make up about 28% of the tech workforce.
In the dynamic landscape of technology, women bring different perspectives, experiences, and approaches to problem-solving, which can lead to more comprehensive and effective solutions to complex technological challenges. UN Women notes that bringing women into technology "results in more creative solutions and has greater potential for innovations that meet women’s needs and promote gender equality." Gender diversity fosters a more inclusive work culture where diverse voices are heard and valued. This not only enhances employee satisfaction but also promotes creativity and collaboration within teams.
MetricStream's commitment to DEI is deeply ingrained in our organizational DNA and reflected in our women-friendly initiatives. We run programs all through the year tailored specifically for women in tech to ensure that they have the support and resources needed to succeed.
GROW (Growing Relationship Opportunities for Women), the employee resource group focused on women, is one such initiative. As a group of women and allies for women, GROW meets once a month to support each other and learn new skills. It is a place where women (and men) can be unapologetically ambitious, expand networks, and help each other achieve goals. GROW sessions have covered various interesting topics such as Centered Leadership, Drop the Ball: Doing More of What Matters, 5 Habits to Extreme Productivity, etc.
The MetricStream Mentorship program #YouMatter@MetricStream, designed to support and celebrate our employees and provide the opportunity to develop mentor relationships with senior-level leadership, has helped women employees to learn, grow, and foster their own personal and professional growth. It also provides a platform for senior women leaders to give back and mentor junior employees. The enthusiastic responses we've garnered from women employees across the three sessions conducted to date highlight the immense value of connecting with senior leadership—regardless of gender. These interactions have proven to be incredibly beneficial for women seeking support in both career advancement and personal development.
Our hybrid /flexible work policy is a testament to our commitment to understanding the challenges women employees may encounter, especially in unique circumstances such as upon returning from maternity leave or when required to be caregivers for family. This model not only accommodates their specific needs but also adds value by fostering a healthier work-life balance.
Our Women's Day panel discussions, featuring accomplished women in various fields, have consistently stood out as the highlight of our International Women's Day celebrations each year. Their extraordinary personal journeys of triumph and resilience, coupled with their valuable insights into fostering inclusivity and driving positive change through policies and practices, have been truly inspiring.
Another Women's Day initiative that has received overwhelming support from both women and men at MetricStream is the "Walk for Women," held concurrently at our numerous global locations. We also frequently extend invitations to our women employees to address events such as our Town Hall and All Hands, creating opportunities for them to share their experiences and nurture a sense of community and empowerment.
Last but not least, supportive men are integral allies in the journey towards gender equality. At MetricStream, our male leaders, managers, and mentors have actively participated in fostering an inclusive environment and advocating equal opportunities. By championing diversity and inclusion, we collectively create a workplace where everyone can thrive.
As we look to the future, MetricStream remains steadfast in our commitment to diversity, equity, and inclusion. We will continue to champion women in tech, expand our DEI initiatives, and strive towards creating a workplace that celebrates and empowers individuals from all backgrounds.
At MetricStream, we are proud to stand alongside women as allies and advocates, driving positive change within our organization and beyond.
As organizations grow and scale their operations, they are required to upgrade their governance, risk, and compliance (GRC) programs and activities accordingly. While a traditional approach to GRC involving spreadsheets, emails, and/or point solutions would have somewhat worked in the past, expanding business operations together with the fast-changing risk and regulatory landscape compels organizations to consider investing in GRC tools and software solutions.
Finding the right solution is daunting considering the growing number of GRC software vendors in the market, each promising their unique value proposition. Gartner notes that the GRC vendor selection process is also complicated due to the wide range of requirements of various stakeholders involved in the process, such as BU heads of enterprise risk management, corporate compliance, IT and cyber security, credit risk management, and others.
Organizations are increasingly seeking a one-stop solution that is connected, scalable, and cognitive, as well as one that meets the expectations of various stakeholders. On these lines, what are the specific capabilities that the decision-makers must keep in mind before choosing a GRC solution?
In this blog, we discuss the key considerations for buying a GRC software solution – from a buyer’s perspective. Let’s break it down.
While exploring various GRC solutions, organizations would definitely find terms like ‘integrated approach,’ ‘integration,’ ‘unified approach,’ ‘holistic approach,’ etc., again and again. What does it mean?
More often than not, organizations find themselves managing governance, risk management, and compliance activities in a disjointed manner, depending on the maturity of each process and evolving business requirements. This inevitably results in organizational silos, which lead to duplication of efforts and data, blind spots, and high cost of compliance. Particularly in the era of amplified interconnectedness of risks and shared controls, it hampers an organization’s ability to accurately understand risk relationships and impact on effective decision-making.
An integrated approach is nothing but a cohesive approach to managing governance, risk management, and compliance activities across business units, geographical locations, and the extended vendor network. It requires firm-wide common GRC taxonomy, shared risk and control libraries, enterprise-level and business unit-level risk appetite allocation and risk aggregation, and standardized and streamlined processes across GRC activities. Most importantly, it requires buy-in from all key stakeholders.
Deploying a single, technology-driven GRC solution, with capabilities for establishing standardized taxonomy and centralized risk repository, can help an organization:
Interoperability is the ability of the GRC software to securely exchange information with other systems. While the integrated approach calls for the implementation of a single system, it is important to ensure that the system supports interoperability to capture and aggregate risk information from various sources. For example, integrating with regulatory content providers, risk rating providers, threat intelligence providers, and others via APIs or connectors.
The solution must be flexible to scale up or down depending on changing business conditions and requirements. A cloud-based GRC solution offers this much-needed agility and flexibility with high security, greater efficiency, and easier upgrades compared to on-premise solutions. Furthermore, opting for a cloud-based solution is also aligned with the ongoing digital transformation initiatives at organizations. McKinsey estimates that most companies will aim to allocate 80% of their IT budget toward cloud computing by this year.
In this context, low-code/no-code capabilities are also gaining popularity. By enabling organizations to configure and personalize the solution to meet their specific needs without the need to depend on the software vendor, a solution with low-code/no-code capabilities can significantly accelerate GRC program productivity and outcomes.
There is no denying that artificial intelligence (AI)-infused workflows are the future. We are already seeing more and more applications of AI in GRC processes, such as scanning the regulatory horizon, managing issues, providing remedial action recommendations, optimizing the control environment, scanning policies and documents, and many others. With its promise to provide actionable insights quickly, AI can help organizations accelerate decision-making, create bandwidth for teams, and gain a competitive edge.
To better meet the needs of today’s dynamic enterprise, GRC solutions need to go beyond just being a workflow-driven automation tool to a more comprehensive tool that’s cognitive and intelligent. A ‘single pane of glass’ view has become the industry norm for reporting GRC metrics. In this context, organizations are increasingly looking for solutions that support cross-product reporting, which allows importing relevant data from various products to build one comprehensive report.
When considering a GRC solution, organizations should evaluate the technological prowess of the vendor. This requires examining not only the current capabilities and functionalities offered by their solution but also their innovation roadmap. Continuous innovation is essential for ensuring that the GRC solution is relevant and ready to adapt to the evolving business and technological landscape.
A periodic approach to managing governance, risk, and compliance management activities and processes is no longer effective in the digital era. Organizations today operate in a highly dynamic business environment, where they must protect their IT infrastructure, data, and assets from cyber risks, stay on top of threats, vulnerabilities, and other emerging risks, and be compliant with a multitude of industry regulations and standards. Relying on human effort for these tasks will not only result in a lag where risk, compliance, and audit teams struggle to meet expectations but also leave the organization vulnerable to risks and blind spots.
An autonomous, always-on approach is one that is continuously running in the background and requires minimal human intervention. Before choosing a GRC solution, organizations must explore if it supports autonomous capabilities, such as continuous testing and monitoring of controls to proactively identify control weaknesses and gaps and compliance with relevant regulations. Ideally, the solution should collect evidence, generate automated reports, and notify appropriate personnel for remedial actions.
MetricStream’s core innovation focus is on making its products and solutions more Cognitive, Continuous, Connected, and Cloud-based. We are a recognized industry leader in GRC, empowering organizations across industries and geographies to thrive on risk for 25 years now. Here’s what sets MetricStream apart in the GRC space:
If you want to understand how MetricStream can help you embark on the GRC journey, request a personalized demo today.
Like the French proverb says, the more things change, the more they stay the same – except when they speed up! Of course, I added that last part. But when it comes to regulatory change, there does seem to be one constant: expansion. Thomson Reuters says there were more than 230 regulatory alerts a day in 2022. That’s not hard to believe with the escalating levels of regulatory activity around operational resilience, artificial intelligence (AI), cybersecurity, data privacy, and ESG, among others.
In 2023, we saw some key cybersecurity and digital operational resilience regulations crystallizing in the U.S. and the European Union, setting a precedent for other regions. The regulatory momentum seen in 2023 will continue and likely become more intense in 2024.
So what’s on the horizon for 2024, and what should you prepare for? Here’s a look at 10 key regulations and focus areas we are watching.
The growing regulatory focus on AI in recent months is not surprising, considering the exploding use of AI and generative AI (GenAI) across industries. The trend is expected to continue well into 2024 and beyond.
In January 2023, the National Institute of Standards and Technology (NIST) released the NIST AI Risk Management Framework (AI RMF 1.0), which aims to “improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.” Another major development was the Executive Order published by the White House on the safe, secure, and trustworthy development and use of AI.
The European Union is also taking steps to regulate the use of AI. In December 2023, EU officials reached a provisional agreement on comprehensive rules to ensure safe and trustworthy use of AI. According to a report from BBC, the EU Parliament will vote on the AI Act proposals this year, with the legislation to not take effect before at least 2025. Additionally, China, Canada, Brazil, South Korea, Singapore, the UK, and the UAE are all in various phases of rolling out AI-related regulations, which are likely to be adopted sooner rather than later.
Like AI itself, we expect to see these regulations to continue to develop and evolve just as the technology itself does – and as we as an industry employ new use cases of AI for GRC.
Cyber risk is a top risk faced by organizations today. The risk of cyber attacks and data breaches has been further amplified by the widespread and easy accessibility of AI-based tools, which can be leveraged by cyber criminals to launch attacks on massive scale. Regulatory authorities are hard at work to ensure organizations have necessary measures in place to protect organizational assets and interest of all relevant stakeholders.
The U.S. Securities and Exchange Commission (SEC) adopted Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Rules in July 2023. The focus of these rules is for public/listed companies to
For risk management, strategy, and governance disclosure requirements, public-listed companies are required to provide the disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023.
To learn more about the SEC’s Cybersecurity Rules, read our blog "Achieve Compliance with SEC’s New Cybersecurity Rules ".
In addition to regulations, regulators and standard setting bodies also issue guidelines and frameworks to help businesses manage cyber risks effectively. The NIST Cybersecurity Framework is one of the most widely used frameworks by organizations. First published in 2014, the framework provides “a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs.”
The National Institute of Standards and Technology (NIST) released a revised draft of the framework for public comment in the latter half of 2023. The draft update or Framework 2.0, it said, “reflects changes in the cybersecurity landscape and makes it easier to put the CSF into practice — for all organizations.” According to the official announcement, the final version of CSF 2.0 will be published in early 2024.
To learn about what’s new in the revised version and how you can achieve compliance, read our blog "Demystifying NIST CSF 2.0: What's New and Why it Matters ". Also, explore how MetricStream can help you get started with NIST CSF with pre-packaged content.
Another major cybersecurity standard and certification model is the U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC). CMMC is designed to “enforce protection of sensitive unclassified information that is shared by the Department with its contractors and subcontractors.”
The CMMC final rule is also expected this year. In 2023, the Department of Defense sent the draft rule, CMMC 2.0, to the White House’s Office of Information and Regulatory Affairs (OIRA) for review. CMMC 2.0 is a comprehensive framework that aims to protect the defense industrial base’s (DIB) sensitive unclassified information from advanced persistent threats (APTs). The final rule includes some key changes to the CMMC 1.0 and is expected to considerably simplify compliance, reduce assessment costs, enhance accountability, and more.
Learn how MetricStream can help you achieve CMMC compliance.
Financial sector is one of the primary targets of cyber adversaries given the amount of data and financial assets at stake. So, the intensifying regulatory focus on this sector doesn’t come as a surprise.
The New York Department of Financial Services (NYDFS) finalized the amendments to its nation-leading Cybersecurity Regulation in November 2023. Enacted in 2017, the regulation requires covered entities, including banks, insurance companies, and other financial services institutions regulated by DFS, to have effective cyber risk and governance measures in place, including a cybersecurity program for protecting consumers’ private data, well-document policies, a CISO to help protect data and systems; and effective controls, among others.
The amended regulations mandate enhanced governance requirements, more regular risk assessments, additional controls to protect information systems from unauthorized access, updated notification requirements, and much more. It is important for organizations to keep an eye on the NYDFS Cybersecurity Regulation as it is expected to set a precedent for other states and municipalities.
Regulated entities need to be compliant with the new regulations by April 29, 2024.
The regulatory interest and activity on operational resilience of financial sector organizations continues to gain momentum. In the UK, the Bank of England (BoE), Financial Conduct Authority (FCA), and the Prudential Regulation Authority (PRA) jointly published a consultation paper on “Operational resilience: Critical third parties to the UK financial sector (PRA CP26/23 and FCA CP23/30)” last month. The deadline for sending feedback comments is March 15, 2024. The regulators also intend to consult on a joint statement of policy regarding the use of their disciplinary powers over critical third parties.
Explore how the MetricStream Operational Resilience solution can help you navigate today’s fast-evolving risk landscape.
In the EU, the Digital Operational Resilience Act (DORA) aims to strengthen Information and communications technology (ICT) and digital risk management with focus on third parties, and promote digital operational resilience in the region’s financial sector. Key requirements span various ICT-focused areas such as risk management framework, incident management and reporting, and digital operational resilience testing program, among others. Adopted by the European Parliament in November 2022, the act requires regulated entities to comply by January 17, 2025. This means that the countdown has already begun – financial sector organizations have just 12 months to ensure compliance with DORA.
Given the growing focus on operational resilience across industries, DORA is a landmark regulation and expected to act as a harbinger of what other sectoral and federal regulatory authorities are likely to follow.
To learn about the DORA requirements in detail and understand how it impacts your organization and how you can ensure compliance, download our eBook “Demystifying DORA - Understanding and Preparing for the EU’s Digital Operational Resilience Act”.
Protecting Personal Identifiable Information (PII) continues to be a top focus area for regulatory authorities worldwide.
In the US, the enforcement of the new California Consumer Privacy Act (CCPA) regulations has been deferred until March 29, 2024. In 2020, California voters passed the California Privacy Rights Act (CPRA), which amended the CCPA and introduced additional privacy protections. CPRA established new standards for the collection, retention, and use of consumer data as well as imposed “new obligations governing personal information, including requirements that businesses adopt certain mechanisms permitting consumers to opt out of data sharing.”
CPRA created the California Privacy Protection Agency (CPPA) to implement and enforce the law by July 1, 2022, with enforcement not to begin until July 1, 2023. However, the agency completed only the first set of regulations under the CPRA on March 29, 2023.
In the wake of this delay, a California court postponed the enforcement of the new regulations by twelve months. That said, statutory changes under the CCPA went into effect on January 1, 2023, and remain in force.
In November 2023, the CPPA also proposed a new regulatory framework for “automated decision-making technology” (ADMT), which defines key protections related to businesses’ use of these technologies. The agency has also published the revised draft regulations on risk assessments and cybersecurity audits.
Discover how MetricStream can help you strengthen CCPA compliance.
In the UK, the Department for Science, Innovation and Technology published a statutory instrument in September 2023 to amend the references to ‘fundamental rights and freedoms’ in the data protection legislation. The amended language is to refer to rights recognized under UK law, rather than retained EU law rights. If approved by the UK Parliament, the amendment is expected to come into force in early 2024.
Another key regulation focused on protecting sensitive data, specifically consumer financial privacy, is the Gramm-Leach-Bliley Act (GLBA). It requires financial institutions to explain their “information-sharing practices to their customers and to safeguard sensitive data.”
In October 2023, 20 years after the GLBA Safeguards Rule first came into effect, the Federal Trade Commission (FTC) amended the rule. As per the latest amendment, non-banking financial institutions will be required to report data breaches to the FTC, affecting at least 500 consumers. The entities must notify the agency “as soon as possible, and no later than 30 days after discovery of the event.”
The amendment will come into effect 180 days after its publication in the Federal Register. As per reports, this is likely to happen in 2024.
Another major standard aimed at protecting sensitive data, specifically cardholder data, is the Payment Card Industry Data Security Standard (PCI DSS). The globally recognized standard, applicable to organizations across industries that store, process, and/or transmit cardholder data, provides a set of technical and operational requirements intended to protect cardholder data.
The latest version of PCI DSS will come into effect on March 31, 2024. The PCI Security Standards Council (PCI SSC) published version 4.0 of PCI DSS in March 2022 and gave organizations two years to understand the changes and implement any updates as needed.
According to the official release, “PCI DSS v4.0 replaces version 3.2.1 to address emerging threats and technologies and enable innovative methods to combat new threats.”
Explore how MetricStream can help you streamline and strengthen PCI DSS compliance.
Diversity, equality, and inclusion (DEI) and sustainability are increasingly becoming top agenda items not only for organizations but also for regulators worldwide. In the US, 22 states updated the minimum wage on January 01, 2024. Later in April, the Department of Labor (DOL) is expected to release its final rule amending the regulations on the “white collar” exemptions from the overtime and minimum wage requirements of the Fair Labor Standards Act (FLSA).
Furthermore, a revised rule by the DOL requiring establishments with 100 or more employees in designated high-hazard industries to submit injury and illness information electronically to the Occupational Safety and Health Administration (OSHA) also took effect on January 01, 2024.
In the EU, the European Parliament adopted the Corporate Sustainability Reporting Directive (CSRD) in November 2022, with member states required to implement the new rules 18 months later. The CSRD introduces more detailed reporting requirements, enabling investors and other stakeholders to make better-informed decisions on sustainability issues.
“The CSRD introduces more detailed reporting requirements and ensures that large companies and listed SMEs are required to report on sustainability matters such as environmental rights, social rights, human rights and governance factors,” the European Council said.
The application of the regulation will be staggered between 2024 and 2028. In the first phase, companies already subject to non-financial reporting directive (NFRD) will be required to report in 2025 on the financial year 2024.
These are just a few of the regulations businesses should closely watch this year. To successfully navigate the fast-changing regulatory landscape, organizations need an integrated, streamlined, and technology-driven approach to compliance that helps them stay on top of regulatory changes and reduce costs while improving visibility into the overall compliance posture. MetricStream Compliance Management helps organizations get their compliance program up and running quickly and ensure adherence to relevant regulations and industry standards.
Explore how MetricStream can help you strengthen your compliance function – request a personalized demo today!
As the global market leader in governance, risk management, and compliance (GRC), MetricStream is honored to present the GRC Journey Awards each year. The awards celebrate and honor organizations, business partners, individuals, and customers that have made significant strides in their GRC Journey—turning risk into a strategic advantage.
At the 2023 London GRC Summit this October, a selected list of GRC trailblazers who exemplify connected, high-value, and sustainable GRC programs were awarded. These visionaries have set the bar high by demonstrating exceptional advancements in their GRC programs. Discover the stories of these outstanding award winners as we showcase their impactful GRC journeys below.
As one of the world’s largest air services providers, offering ground handling, cargo, catering and travel services, dnata operates in 129 airports spanning 35 countries across 6 continents—with over 50,000 employees serving 320 airline customers. As part of its safety and security standards, dnata requires a robust GRC program that can offer visibility into the ever-changing risk and incident scenarios across its global operations and allow decision-makers to assess and respond to the dynamics of its business operations.
dnata leveraged MetricStream’s GRC products, including Enterprise Risk Management, Incident Management, Policy and Document Management, Observations Management, Issue Management, and Compliance Management, and rolled it out across web and mobile-based channels with support for multiple languages. The results were proactive frontline engagement and faster decision making capabilities.
Watch David Storey, from dnata, explain how they achieved a centralized view of risks, improved frontline engagement, and more.
Headquartered in the Kingdom of Saudi Arabia, Almarai, is the world’s largest vertically integrated dairy company and the region’s largest food and beverage manufacturing and distribution company. Almarai ranks as the number one Fast Moving Consumer Goods (FMCG) brand in the Middle East & North Africa (MENA) region and is the market leader in most of its categories across the Gulf Cooperation Council.
To move from manual processes and gain a connected approach to risk and issue management, Almarai leveraged MetricStream’s Enterprise Risk Management and Business Continuity management products. Today, they have achieved a 50-70% reduction in efforts with automated workflows, streamlined processes, and a defined common risk taxonomy.
Watch Gordon Bateman from Almarai, share their incredible success story.
As one of the world’s leading energy technology companies, Siemens Energy covers almost the entire energy value chain – from power generation and transmission to storage. The portfolio includes conventional and renewable energy technology, such as gas and steam turbines, hybrid power plants operated with hydrogen, and power generators and transformers. Operating in a highly regulated environment, Siemens Energy wanted to improve its GRC maturity, strengthen its GRC program to increase resilience, and enhance cross-functional collaboration and communication.
To build a single source of truth that would help them better understand the risk and impact of failures across its business processes and technology infrastructure and ensure that global cybersecurity and ITIL compliance requirements are being met, Siemens Energy leveraged MetricStream’s Enterprise Risk Management, IT Risk, IT Compliance, SOX Controls Testing, Policy Management, and Third Party Management products.
Dorothea Liebl, from Siemens Energy, discusses how they achieved GRC maturity and improved decision-making. Watch now.
Nordea is the largest financial group in the Nordic countries, with a strong market position in personal banking, business banking, large corporate and institution banking, and asset and wealth management. They currently operate across 20 different countries with 30,000 employees.
To automate and modernize their GRC program and enhance visibility into their risk and compliance processes, Nordea leveraged MetricStream’s Enterprise Risk, Business Continuity Management, Policy Management, IT Risk, IT Compliance, Regulatory Change, and SOX Compliance products. They have now increased visibility and measurement into key risks by linking KRIs as well as amplified the speed, agility, and scalability of IT Risk and IT Compliance processes.
Brian F. Sørensen from Nordea shares how they implemented an integrated risk management strategy. Watch now.
A MetricStream customer since September 2021, Petroliam Nasional Berhad (National Petroleum Limited), better known as PETRONAS, is a Malaysian oil and gas company wholly owned by the Government of Malaysia. The corporation is vested with all oil and gas resources in Malaysia and is entrusted with the responsibility of developing and adding value to these resources. Petronas is ranked among the Fortune Global 500 largest corporations in the world.
To strengthen its GRC program and build resilience, PETRONAS embarked on a journey to ensure critical control and decision-making insights for the organization driven by three core organizational goals: agility, resiliency, and sustainability. PETRONAS leverages MetricStream’s Third-Party Risk, Business Continuity Management, IT & Cyber Compliance, IT & Cyber Risk, and Policy and Document Management products to support their BusinessGRC and Cyber/ITGRC programs.
Nor Harliza Baharom, from PETRONAS shares details on their compliance journey, GRC strategy, and the use of MetricStream products. Watch now.
Empower your GRC journey with our ConnectedGRC solutions, which include our BusinessGRC, CyberGRC, and ESGRC product suites. With MetricStream ConnectedGRC, you can go beyond a traditional integrated approach that focuses solely on technical program integration and embrace a more interconnected business-level approach that provides a single source of truth with all the risk insights you need to build your GRC programs to be future-ready.
Request a demo now.
Watch the videos of Autodesk, Guidewire, Apple Bank, CHN Industrial, and dnata, who were awarded the GRC Journey Awards at the 2023 Miami GRC Summit this June.
Yet another year has passed!! We witnessed some major events, including escalating geopolitical tensions, the collapse of banks in the US and Singapore, major mergers and acquisitions, and significant technological advancements in the field of generative AI. In a world where the volume and velocity of risks are increasing, navigating the complex landscape of governance, risk management, and compliance (GRC) has become more crucial than ever. Consider these recent statistics:
The past year has been a testament to the evolving challenges faced by organizations globally, from economic uncertainties, geopolitical tensions, and new regulations and laws to the lingering repercussions of the 2019 global pandemic. Most importantly, none of these risks exist in isolation – they’re deeply interconnected, with cascading impacts for organizations.
Risks are no longer solitary entities; instead, they form a complex tapestry of interconnected challenges that are intensifying in both frequency and severity. A glimpse into the events of the year unveils the extent of this interconnectedness.
The Silicon Valley Banking Crisis in March 2023 saw several other banking failures as well, including Signature Bank, First Republic Bank, and Heartland Tri-State Bank being affected. In August 2023, the shutdown of the NATS flight planning system in the UK caused hundreds of thousands of passenger flights to be delayed or canceled. Over 2000 flights were canceled, leading carriers to face estimated losses of £100m, mainly comprising care costs and lost revenue. The tragic August 2023 Maui fire quickly unfolded as a series of failures, including communication breakdowns, severe weather conditions, miscalculations of fire severity, and issues with essential services like electricity and water, culminating in the destruction of Lahaina and substantial loss of life. The incident underscores how the convergence of various failures swiftly escalated what could have been an isolated event into a catastrophic crisis.
As we approach 2024, the expectations for GRC professionals are to connect the dots, see issues coming, and engage in some level of predictable forecasting. Now, more than ever, understanding and adapting to the upcoming GRC trends is not just a strategic advantage—it's a necessity for thriving in an increasingly interconnected world.
The forthcoming year promises a confluence of challenges and opportunities, making it an urgent requirement for organizations to reevaluate their strategies and fortify their GRC frameworks. So, what are the top trends that will shape the narrative of tomorrow?
To effectively respond to the growing network of interconnected risks, a connected GRC strategy that seamlessly extends across the enterprise, facilitating cohesive visibility, communication, and information, emerges as a crucial solution. Next-gen GRC cloud platforms that unify risk, compliance, audit, cyber, and ESG functions and offer the elasticity and scalability through low code/ no code and user-friendly interfaces play a pivotal role in this paradigm shift.
AI for GRC holds tremendous promise in 2024 and beyond. The power of cognitive AI to turn data into real-time decisions is immense, with powerful use cases in AI-powered threat intelligence, automated planning and scoping of risk assessments, and AI-powered fraud detection capabilities. Techniques and solutions like continuous control monitoring and risk and regulatory intelligence feeds will further be embraced as organizations seek to proactively identify vulnerabilities and enhance the risk and control oversight capability.
Resilience will take center stage as organizations will prioritize the need to predict, anticipate, and manage risks before they manifest, and bounce back quickly if impacted. Globally, the regulatory discussion around operational resilience is evolving as well. The Digital Operational Resilience Act (DORA), which came into force this year (and will apply from 17 January 2025 in the EU) aims to strengthen the digital operational resiliency of the financial sector. Organizations will pay more attention to enable and empower the frontline to ensure resilience across entities and third parties.
To meet the rising compliance demands, organizations will continue to build compliance resilience and agility in 2024. Centralized platforms that help them automate control testing and evidence collection for all their enterprise controls, continuously scan the horizon with automated feeds from trusted content sources, integrate compliance management systems with other enterprise systems, and apply AI and automation for automated recommendations will be adopted.
With the high volume of fourth and fifth-party risks and events resulting from the complexity of extended ecosystems, the focus on third-party risk management (TPRM) will get stronger in 2024. To own risk in the extended enterprise and construct a more resilient third-party ecosystem, organizations will increasingly adopt automated end-to-end processes for information gathering, onboarding, real-time monitoring, risk assessments, compliance, and control assessments.
Elevate your GRC strategy with our eBook – a detailed exploration of 2024's top 10 risk trends.
At MetricStream our ConnectedGRC solutions help your organizations go beyond the traditional integrated approach that focuses merely on technical integration of different tools to a more connected approach at the business level to help analyze and understand the interconnectedness of risk and resilience by connecting data to generate meaningful insights. With ConnectedGRC, your organization is now empowered to break down enterprise silos and establish a single source of truth with all the risk insights you need to navigate the future. Packed with best practices, deep domain capabilities, AI-powered intelligence, and risk quantification tools, you are all set to tackle the most pressing GRC challenges of today and tomorrow.
Interested in learning how you can power your GRC program with a connected strategy? Request a demo now!
On October 15 and 16, 2023, over 175+ governance, risk, and compliance leaders from over 20 countries gathered at the Royal Garden Hotel in London for the standout event of the season: The GRC Summit. Over the course of two days, MetricStream had the honor of hosting some of the foremost experts in the field of GRC, featuring more than 40+ speakers who generously shared their best practices, real-world case studies, and valuable insights on the key areas to focus and priorities for leaders. We also had the pleasure of networking with peers and celebrating the achievements of the 2023 GRC Journey Awards winners.
I had the unique privilege of immersing myself in the insightful content and connecting with several inspiring leaders face-to-face. I'm excited to recap some of the most memorable moments and prevalent themes I encountered during the event. For those interested in viewing video highlights and accessing the presentations, I encourage you to explore the 2023 GRC Summit site.
A central theme was the pressing need to ‘connect the dots.’ Several significant events, including the recent airline disruptions, banking crises, climate issues, and breakdowns in state intelligence, demonstrate a common thread of multiple risks converging simultaneously. More important to note is that organizations have to deal with risks increasing in volume and velocity. This calls for risk, compliance, and governance leaders to not only ‘connect the dots’ but also address these risks with a connected GRC strategy. Critical to pursuing a connected strategy are simplicity, automation, and predictive capabilities, only possible by leveraging continuous control monitoring, cognitive capabilities including AI-centric workflows, and leveraging cloud technologies for faster, easier, and more secure GRC programs.
Gaurav Kapoor, co-CEO and co-Founder, MetricStream, best summarized it when he said. “The 'Connected GRC’ strategy underpinned by a 'Cloud', 'Continuous,’ and 'Cognitive' approach is non-negotiable for organizations to navigate an incessantly changing threat, regulatory, and opportunity landscape.”
A trending theme that emerged in nearly every conversation was the potential of artificial intelligence (AI) and automation to enhance efficiency in GRC. Almost all sessions discussed some element of AI – the possibilities to automate, predict, make recommendations, and remediate, as well as the potential risks and rewards. Top discussion points included:
The discussions around AI were exciting and spanned a diverse array of topics. Some quotes that stuck out on the topic were:
”2023 began with grand plans of being the ‘year of efficiency.’ In all reality, it’s become the year of AI answering the question of how can we possibly do more with less? The next challenge we face, regardless of the industry, is how to leverage AI and how to control the risks associated with it,” said Prasad Sabbineni, co-CEO, MetricStream.
“The problem with AI is it is a very credible liar,” cautioned Toby Billington, Managing Director - ICG Business Risk and Controls leadership team, Citi, as he spoke about the complexities of AI.
“We believe in the need to incorporate AI but need to assess what types will help us,” said Azizi Bin Md Ali, Chief Compliance Officer, Petroliam Nasional Berhad (PETRONAS), as he spoke about the importance of AI and automation in managing risk.
Several discussions centered around the importance of resilience in risk management as a crucial strategic priority to ensure business continuity. As a proactive approach, operational resilience is an upgrade that moves operational risk management from passive to active. Furthermore, as interconnected risks due to climate change, cyber breaches, and economic instability continue to dominate the risk landscape, leading with resilience is what will help organizations bounce back quickly if/when impacted.
Jacqui McDonald, CIO Group Finance, RFT Technology, Barclays, underscored the criticality when she said, “It is critical to ask yourself the question- Do you have enough resiliency in your organization to recover?” Chandrra Sekhaar, Chief Audit Executive (EMEA) - SMF 5, Mizuho, reiterated the importance of technology to build resilience. “Many people talk about technology as the future, but it is equally important today. Innovation, technology, and digitalization is now.”
With the Digital Operational Resilience Act (DORA), the new EU regulation that aims to strengthen the IT security of financial entities such as banks, insurance companies, and investment firms, entering into force this year, cyber operational resilience was a much-discussed topic. By introducing uniform and harmonized governing principles for the management of cyber risks, DORA aims to ensure that the financial sector in Europe can stay resilient in the event of operational disruptions. The regulation will apply as of 17 January 2025.
Panelists deliberated several strategies for cyber risk management, including the importance of continuous control monitoring, control rationalization, and cyber risk quantification. Gavin Grounds, CEO & co-founder, Mercury Risk and Compliance, spoke extensively about how cyber risk quantification today is a “pre-requisite for success, (especially) with ever-increasing risks and an unlimited number of scenarios to be tested.”
By bringing the best minds in GRC, the Summit offered a collaborative space for experts and professionals to connect, share success stories, and celebrate GRC excellence. Here’s how we celebrated the power of this community.
The 2023 GRC Summit was more than just an event; it was a testament to the strength of the GRC community, its commitment to driving the field of GRC forward, and to utilizing the ‘power of connections’ to help organizations thrive on risk.
Missed attending the Summit? Watch the videos of the sessions and download the presentations.
Interested to learn more about how you can transform your GRC program to successfully manage, embrace, and ultimately thrive on risk? Request a demo now.
We have some exciting news to share. Two of our customers were recently awarded the 2023 GRC 20/20 Best in Class Awards for their outstanding accomplishments in enterprise IT GRC management and compliance management.
Congrats to Guidewire and Zurich Insurance on their much-deserved wins. We’re honored to be part of their journeys towards building successful governance, risk, and compliance (GRC) programs that accelerate business growth, strengthen resilience, and deliver high-value impact.
Here are these companies’ inspiring GRC stories.
In today’s hyper-connected digital world, an IT risk in a seemingly insignificant area of the business can have a profound and cascading impact on the whole enterprise. Many organizations approach these risks reactively – putting out information security fires as and when they arise. But with security breaches increasing, it’s extremely important for IT teams to step back and think strategically about how to streamline resources and monitor IT GRC across interconnected information and technologies.
That’s exactly what Guidewire has done. The California-based solutions provider for insurers set out to replace their siloed and manual GRC program with true risk management processes aligned to business needs and stakeholder value.
The company began by implementing consistent risk assessments and metrics, establishing financially accountable owners for risks and issues, and developing an integrated GRC strategy with a cross-functional GRC steering committee. MetricStream was chosen as the GRC platform to manage policies, controls, compliance, risks (including vendor risks), and business continuity.
Using automation, Guidewire has sped up its risk management processes and reduced open issues by nearly 40%. Risk visibility has also improved, thanks to better reporting and regular cross-business communication. Issues no longer fall through the cracks, resources are deployed effectively, and resolution is tracked systematically through the MetricStream platform.
Since risk owners are clearly assigned, each one can move quickly in the case of an unexpected event. They communicate regularly through dashboards and continuously update views of risk and associated metrics. Unlike before, when they operated in silos, risk owners are now a connected team run on a single GRC platform.
All these efforts make Guidewire a true leader in IT GRC.
Download the award-winning case study: Guidewire Optimizes Cyber GRC Risk and Compliance with MetricStream
Today’s organizations are dynamic and constantly changing. They’re entering new markets, releasing new products, establishing new vendor relationships, and dealing with new regulations – all of which increase compliance risks. To mitigate risk exposure, organizations need to be proactive about monitoring compliance with legal requirements, regulations, policies, and ethics. That means moving away from the compliance silos of the past towards a more integrated approach that strengthens compliance visibility and agility.
Zurich Insurance has embraced this approach. The multi-line insurer, which serves over 210 countries and territories, has modernized and streamlined its compliance, policy, and risk management processes for optimal efficiency.
Using MetricStream Compliance Management, the company has built a single source of truth to manage its entire global compliance operations. Automated and standardized workflows strengthen compliance efficiency.
Meanwhile, a centralized compliance policy portal makes it easy for front-line employees to access the latest policies in a secure manner. The company has also streamlined policy creation, approvals, versioning, and discovery.
With real-time visibility into compliance risks and findings, teams can make more confident decisions. At the click of a button, they can see how risks are linked to controls, testing plans, and more. Dashboards and reports provide timely compliance insights, enabling the compliance team to more effectively meet its objective of providing trusted advice to the business.
Even regulatory changes and updates are proactively captured and managed to ensure that the company is always compliant. This is what makes Zurich Insurance an award winner.
Download the award-winning case study: Zurich Insurance Modernizes Compliance with MetricStream
Congrats again to the award winners for setting new standards in GRC. It’s our privilege to work with companies that are finding innovative ways to thrive on risk, strengthen compliance, and demonstrate good governance.
Subscribe for Latest Updates
Subscribe Now