With the constantly growing volume, pace, and complexity of risks, strengthening business continuity and organizational resilience continues to be a top concern for businesses, industry bodies, and regulators.
Speaking at the Central Bank of Nigeria’s Second National Risk Management Conference, Joshua Rosenberg, Executive Vice President and Chief Risk Officer, Federal Reserve Bank of New York, said:
“Of course, risk management should help us reduce the frequency and size of negative events and then recover more quickly and effectively when negative events occur. But, risk management, in my view, should also help the right things happen by giving us tools to work more effectively.”
October is observed as Cybersecurity Awareness Month in the U.S. This year, we saw a surge in state leaders' desire to combat cybercrime, not just in the U.S. but globally. As remote work and bring-your-own-device (BYOD) become the norm, awareness is rising of the less visible risks that come with cloud services and remote access, alongside increasing phishing and ransomware attacks.
At the same time, regulators continue to issue ESG guidance and recommendations to help organizations drive growth with purpose. The U.S. Federal Reserve is emerging as a pioneer with its pilot program that will see six global systemically important banks running climate change scenarios, wherein they will incorporate climate change risks into their risk management frameworks.
At MetricStream, we are celebrating an important update for our growing ecosystem of customers and partners. In October, we launched Euphrates, our latest release, which includes multiple pathbreaking product and platform innovations and enhancements that help customers accelerate their GRC program performance. To learn more about Euphrates, click here.
We cover all of this and more in our monthly roundup of the latest updates and insights viewed through the GRC lens.
Risks today are interconnected, requiring comprehensive solutions and a holistic approach to governance, risk, and compliance (GRC). As the risk landscape expands, developing organizational resilience through enterprise and operational risk management and keeping a close eye on critical third parties are emerging as top priorities.
The European Systemic Risk Board (ESRB) has warned about vulnerabilities in the Union Financial System, which will require private sector institutions, market participants, and relevant authorities to prepare for the materialization of tail-risk scenarios. It has identified three severe systemic risks to financial stability:
Here is the top news in the areas of enterprise risk, resilience, and regulations:
Heads of state are urging cybercrime prevention. The White House observed Cybersecurity Awareness Month with President Biden urging people, businesses, and institutions to recognize the importance of cybersecurity and take proactive steps to protect themselves from cyber threats to support national security and resilience.
The European Commission also plans to impose strict new security rules on IT businesses that will hold manufacturers liable for the security of their products. The proposed Cyber Resilience Act, the first EU-wide regulation to set cybersecurity requirements for products with digital elements, will require cybersecurity safeguards for such products.
Cloud security incidents are a recurring source of concern, according to recent data from Venafi: 51 percent of the security decision-makers (SDMs) surveyed think that cloud-based security threats are greater than those associated with on-premises systems. Ransomware attacks on SaaS data are also becoming more widespread. Gartner reported that, with the increase in remote and hybrid work, the transition from virtual private networks (VPNs) to Zero Trust Network Access (ZTNA), and the shift to cloud-based delivery models, worldwide spending on security and risk management will grow 11.3% in 2023.
Here’s a quick look at the major headlines from cyberspace:
Regulators are prioritizing environmental, social, and governance (ESG) issues. The importance of addressing climate risks, social equity, and environmental threats is gaining traction. As the board and executives across levels pay attention to ESG, corporate investors rely on ESG pledges and ratings to decide where to invest. Standardizing and implementing ESG reporting and ratings have become more crucial.
The Task Force on Climate-related Financial Disclosures (TCFD) reported a five-year increase in climate change awareness. Since 2017, climate change and climate-related reporting requirements have become more common in financial markets, and more companies are publicly committing to net-zero emission transition plans.
Here’s a quick recap of ESG-related news from around the world:
Last but not least, we are gearing up to celebrate the 10th anniversary of our premier event, GRC Summit, in London on November 8-9. The two days are packed with insightful and engaging sessions on risk, resilience, compliance, cyber, and ESG, and will provide you with opportunities to network and connect with the best in the industry. Register today to become a part of the thriving GRC community. Click here.
We are well and truly in countdown mode as we approach the end of October! Not long at all now until the GRC Summit 2022 in London.
MetricStream’s flagship event, the GRC Summit, has for the past 9 years consistently provided opportunities for the GRC community to connect, share insights, exchange best practices, and most importantly set the stage for what's next in GRC. Our theme this 10th year is Experience the Power of Connection, empowering you to do more as you continue to thrive on risk!
If you haven’t got your ticket yet – here are some of the reasons you should attend the GRC Summit!
Networking
Whether it’s at happy hours, or during the breakout sessions, the Summit gives you the opportunity to mingle with your peers and industry experts over the two days. It’s been rare to have the opportunity to do this in person and now is the time to connect with old friends and make new ones!
Fun Fact: With 60+ speakers and 200+ attendees, there will be no lack of networking opportunities.
Education
I don’t think it’s possible to go to an event and not learn anything. No, that’s not a challenge! Come and listen to other experts discuss their GRC experiences, learn what not to do and how to make your job easier! You’ve got nothing to lose.
Fun Fact: There will be Keynote sessions on both days! Make sure you attend.
Inspiration
Be inspired to think differently! There’s nothing more gratifying than being in the presence of experts you admire as they provide insights that inspire more than just the day job. Hear from industry leaders who have come from a variety of backgrounds with a common interest in GRC and thriving on risk.
Fun Fact: Get future-ready now! Watch out for the innovation sessions on risk, resilience, and ESG.
Recognition
The GRC Journey awards offer a great opportunity to celebrate wins with your team and wider network. Each year, the awards celebrate and honor business partners, individuals, and customer organizations that have made significant strides on their GRC journeys toward strengthening business performance.
Fun Fact: Awards will be presented in 5 categories this year!
Exchange Views on Shared Challenges
Imagine being in a room with people who understand your exact situation or have been in a similar situation and can offer insights on how to solve them. Powerful right? Exchanging knowledge and best practices can help others avoid common mistakes and support their business goals. We all have regulations we need to comply with – but the process of how different organizations handle these can vary. Take time to learn from these shared challenges!
Fun Fact: Attend the Customer Case Study sessions to learn best practices.
Invest in Your Own Growth
Now, while I don't believe you need to be physically present to grow personally, networking, stepping out of your comfort zone, and learning something new all go towards strengthening your career and sharpening your skills.
Fun Fact: With 50+ sessions, the Summit is a great place to learn new skills to build your career.
Energy of Like-Minded Individuals
There’s a reason we’re talking about the ‘Power of Connection’. During COVID-19 this was non-existent, but as the world changes again we’re energized and ready to go with a stellar line-up of speakers and attendees all excited to be in London in person again!
Fun Fact: With C-level panels and expert talks, the energy is unparalleled!
Have Fun!
The GRC Summit is a conference like no other – providing you with the opportunities to learn, network, and mingle with experts and your peers! But you know what – the Happy Hour and Networking Breaks also offer you the ability to get to know other attendees and enjoy the few days we have together!
Fun Fact: From networking breakfasts to an awards dinner, you are sure to have plenty of fun-filled activities.
If you’re interested in grabbing a ticket – get in quick! You can register and find out more information here.
Check out the Agenda and Register Now!
The potential of GRC as a business growth enabler is immense. As businesses seek to build resilience in a volatile environment marked by geopolitical tensions, economic instability, health challenges, and an escalating climate crisis, a connected GRC approach that is agile, intelligent, proactive, and data-driven empowers organizations to adapt quickly and get ahead of risks. Facilitating this is your GRC software solution. Your solution should be intuitive and easily configurable, making it simple to use for risk, compliance, cyber, and ESG teams. Your solution should work for your teams to provide real-time, autonomous monitoring capabilities that proactively surface vulnerabilities and control gaps and keep pace with regulatory updates.
At MetricStream, we are committed to simplifying and streamlining how organizations manage, measure, and mitigate risk. And with the speed and scale of risk events today – and the expansion of cyber, ESG, third-party, and compliance risks – accelerating access to and delivering intuitive GRC solutions is critical to risk and resiliency management success. The innovations in our latest software release do just that—help you gain an advantage through automation, configurability, simplicity, and a connected GRC experience.
Download Now: What’s New in the Euphrates Release
MetricStream’s latest release, Euphrates, has multiple new features and functionalities to celebrate. Connected GRC insights, ease of configurability, continuous control monitoring, automated evidence management, and regulatory inventory scanning, are just a few of what’s new in this release. Scroll down to read the top 6 innovations of the Euphrates release.
Fast, Easy, and Secure Configurations with Low-Code/No-Code
Your organization is unique and so are your requirements! With the Euphrates release, it is simple for you to configure our ConnectedGRC products for your specific use cases. Low-code lets you use a GRC domain-specific language, built on the Groovy scripting language, to tailor our product to your organizational, team, or individual user's needs with minimal effort. No-code enables your non-technical teams to upskill and configure their own product experiences through simple drag-and-drop interfaces, so they can personalize applications, create and change fields, and build reports and templates. All of these configurations are saved automatically and carried forward when you upgrade to newer versions.
Connected GRC Insights in Minutes
As a future-ready organization, you know the importance of having a panoramic view of your organizational GRC posture to make informed business decisions. With the Euphrates release, data sharing between MetricStream products and third-party GRC solutions allows you to gain a comprehensive, contextual, and more accurate view of risks – within minutes, not hours, not days. And it gets better! You can configure the data-sharing capability in a few simple clicks to get a personalized report.
Faster, Easier Approach to Assessments in Operational Risk
The strategic role that the frontline plays in risk management cannot be emphasized enough. With the Euphrates release, your organization is now empowered to improve risk awareness by enabling your frontline employees with either a simple, intuitive approach or a more detailed option to complete timely, observational risk assessments. For first-line users, no prior settings are required; for second-line risk managers, demands are reduced while assessment scope and speed are increased. And by eliminating the dependency on the second and third lines, your frontline is empowered to participate more actively.
Curated Regulatory Intelligence
Keeping up with the constantly changing regulatory landscape is a continuous challenge for many organizations. With the Euphrates release, you now have exclusive access to multiple regulatory content providers, including Compliance.ai, Thomson Reuters, and CUBE. New for the Euphrates release is our extensive partnership with CUBE, the world's most comprehensive source of regulatory intelligence, capturing regulatory content across more than 700 jurisdictions and 5,000 regulatory authorities. Integrated with MetricStream's Regulatory Change Management, CUBE gives customers access to a regulatory inventory in which regulations curated to their unique risk and regulatory profile are preloaded into the MetricStream environment. Along with horizon scanning and regulatory change alerts, customers can easily stay one step ahead of regulatory change with our content partners.
Hyper-Automate Compliance with Autonomous Control Testing on AWS
Today's organizations are able to meet peak demands by leveraging cloud services. However, securing dynamic cloud assets and third-party products requires constant monitoring. Continuous control monitoring (CCM) capabilities, now available for AWS environments, allow your organization to automate control testing across cloud environments, initiate remedial actions, and map cloud security controls to your internal policies and compliance standards (such as NIST CSF, PCI DSS, ISO 27001, and HIPAA).
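To make concrete what automated control testing over a cloud inventory involves, here is an added Python example. It is not MetricStream's code and it does not call AWS: the inventory is a constructed sample shaped loosely like security-group, S3 bucket and RDS attributes, each control carries a test function, a remediation hint and framework mappings, and the NIST CSF, ISO 27001, PCI DSS and HIPAA references attached to each control are illustrative assumptions for the example, not an authoritative crosswalk. The results roll up into per-framework gaps, which is the view a compliance team reads.

```python
"""Minimal continuous control monitoring (CCM) loop over a cloud inventory.

Added example: not MetricStream code, and it does not call AWS. The
inventory is constructed by hand; control IDs and framework mappings are
illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Constructed sample inventory (not fetched from AWS; the field names only
# resemble what the AWS APIs return).
INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
    ],
    "s3_buckets": [
        {"name": "logs-prod", "public_access_block": True},
        {"name": "marketing-assets", "public_access_block": False},
    ],
    "rds_instances": [
        {"id": "orders-db", "storage_encrypted": True},
        {"id": "analytics-db", "storage_encrypted": False},
    ],
}

ADMIN_PORTS = {22, 3389}  # SSH and RDP


@dataclass
class Control:
    control_id: str
    description: str
    resource_type: str            # key into the inventory
    test: Callable[[dict], bool]  # True when the resource passes
    remediation: str              # action to initiate on failure
    mappings: Dict[str, str] = field(default_factory=dict)  # illustrative


def no_open_admin_ports(sg: dict) -> bool:
    """Fail if SSH/RDP is reachable from anywhere on the internet."""
    return not any(r["port"] in ADMIN_PORTS and r["cidr"] == "0.0.0.0/0"
                   for r in sg["ingress"])


# Assumed control catalogue; mappings are examples, not a vetted crosswalk.
CONTROLS = [
    Control("NET-01", "Admin ports not reachable from the internet",
            "security_groups", no_open_admin_ports,
            "Restrict ingress on 22/3389 to trusted CIDRs",
            {"NIST CSF": "PR.AC-5", "ISO 27001:2013": "A.13.1.1", "PCI DSS": "1.3"}),
    Control("STO-01", "S3 public access block enabled", "s3_buckets",
            lambda b: b["public_access_block"],
            "Enable the bucket public access block",
            {"NIST CSF": "PR.AC-4", "ISO 27001:2013": "A.9.4.1", "PCI DSS": "7.1"}),
    Control("STO-02", "RDS storage encrypted at rest", "rds_instances",
            lambda db: db["storage_encrypted"],
            "Recreate the instance from an encrypted snapshot",
            {"NIST CSF": "PR.DS-1", "ISO 27001:2013": "A.10.1.1",
             "PCI DSS": "3.4", "HIPAA": "164.312(a)(2)(iv)"}),
]


def resource_name(r: dict) -> str:
    return r.get("id") or r.get("name")


def evaluate(inventory: dict, controls=CONTROLS) -> List[dict]:
    """Run every control against every resource of its type; one finding each."""
    findings = []
    for c in controls:
        for r in inventory.get(c.resource_type, []):
            passed = c.test(r)
            findings.append({"control": c.control_id,
                             "resource": resource_name(r),
                             "passed": passed,
                             "mappings": c.mappings,
                             "remediation": None if passed else c.remediation})
    return findings


def failing(findings: List[dict]) -> List[dict]:
    return [f for f in findings if not f["passed"]]


def framework_gaps(findings: List[dict], framework: str) -> Set[str]:
    """Requirements of `framework` with at least one failing resource."""
    return {f["mappings"][framework] for f in failing(findings)
            if framework in f["mappings"]}


if __name__ == "__main__":
    results = evaluate(INVENTORY)
    for f in failing(results):
        refs = ", ".join(f"{k} {v}" for k, v in f["mappings"].items())
        print(f"FAIL {f['control']} on {f['resource']}: {f['remediation']} ({refs})")
    print("NIST CSF gaps:", sorted(framework_gaps(results, "NIST CSF")))
```

In a real deployment the inventory would be refreshed on a schedule from the cloud provider's APIs and the failing findings would open tickets or trigger remediation; the point of the structure is that each control is testable in isolation and that a single failing resource surfaces against every framework it is mapped to.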
Streamlined Disclosure Metrics and Reporting Processes
Accurately assessing ESG risk is a vital and urgent business imperative demanded by regulators, customers, investors, and other stakeholders. However, companies need the right tools that ensure streamlined ESG disclosure metrics and reporting processes. With the Euphrates release, MetricStream’s ESGRC product includes pre-built disclosure frameworks, templates, formulas, and one-click reporting that allows organizations to convert disparate and varied emissions reporting into a single greenhouse gas metric. This metric allows for a better understanding of reporting, industry performance, and year-over-year trends. These new capabilities enhance the disclosure reporting process, provide the flexibility to configure reports, and simplify navigation and accessibility.
The Euphrates release brings several other innovations, all aimed at helping your organization advance on its GRC maturity curve, drive business value and growth, and become future-ready.
Download Now: What’s New in the Euphrates Release
Excited to know more about how the new innovations in MetricStream’s Euphrates software release can help you on your connected GRC journey?
Request a personalized demo now.
Increased regulatory activity on operational risk management and cybersecurity. A growing focus on the ‘S’ or social in Environmental, Social, and Governance (ESG). An urgency to tackle third-party cyber risk.
The top GRC news in September 2022 boiled down to a handful of significant and common themes. And with good reason: as we enter the second half of the fiscal year, shrinking global GDP accompanied by inflation and tight labor markets, as well as evolving energy uncertainties stemming from the ongoing geopolitical crisis in Europe, have made resilience a top priority for businesses, politicians, and regulators. Other top priorities for businesses include staying focused on developing effective mitigation strategies to manage the interconnectedness of risks, especially emerging cyber, ESG, and third-party risks, and striving to build robust compliance resiliency initiatives to cope with the unprecedented levels of regulatory change.
We also want to take a moment to thank you for your continuous support. MetricStream won two industry awards—the Bronze Stevie® Award for its Environmental, Social, Governance, Risk, and Compliance (ESGRC) product and the Operational Risk Management Solution of the Year award, at the Risk.Net Asia Risk Awards 2022 for the second year in a row! You can read more about this at the end of the blog.
Several other risk and compliance stories made it to the headlines last month. Scroll down to read a curated account of the latest news in the GRC Universe from around the globe.
MetricStream Wins Awards for ORM and ESGRC Products
Now in the 10th year, the GRC Summit 2022 will feature keynotes from industry leaders, product innovation sessions, MetricStream customer success stories and practitioner-led case studies, deep-dive workshops, GRC journey awards, and more!
The UK saw the death, at the age of 96, of its oldest and longest-reigning monarch, Queen Elizabeth II, and the appointment of its 56th prime minister, Liz Truss, in the same week.
The queen reigned for a magnificent seven decades and saw 15 prime ministers lead the country, from Winston Churchill (born 1874) to our current PM (born 1975). It's mind-boggling to even contemplate the historical moments that she lived through, from the Apollo 11 moon landing, the end of the Vietnam War, the fall of the Berlin Wall, 9/11, the COVID-19 pandemic and so many more monumental events. Her Majesty was the most famous person on the planet, with her face printed on more currencies than anyone else. You don't have to be a royalist to know that she was truly remarkable. She was effortlessly resilient, always present, and in changing times constantly relevant. She would have wanted the world to celebrate her legacy and stay connected.
At MetricStream, we are continuing with the connection theme. Now in our 10th year, we will be hosting the GRC Summit in person on 8-9 November, in London. It’s bigger, better, and bolder than before. The power of connections makes you feel heard and understood. It gives you a sense of belonging. This is why the GRC Summit has been a pillar of success. It’s a chance to network with your peers, understand what’s shaping your industry, listen, and learn from veterans on what works and what needs refining. It’s where the unthinkable becomes the thinkable.
GRC leaders across industries come together to discuss, deliberate, design, test, retest, innovate and disrupt the industry.
With keynote speakers, advisory bodies, industry experts, and product demonstrations, it’s where you can get ahead of regulatory developments and thrive on risk.
How do you connect the dots of managing interconnected risks and regulations in a rapidly evolving macro landscape? How do you boost your cyber resilience? How do you increase the trust of your stakeholders with an ESG program that speaks to your customers?
The summit is where journeys, opportunities, and priorities are created.
Join the 2-day event that will host 60+ sessions from 50+ speakers including renowned industry experts and thought leaders including:
Also watch out for other speakers from Goldman Sachs, Barclays, JP Morgan, AON, Almarai, and many more.
And don’t miss out on the top highlights which include:
We look forward to welcoming you to our GRC summit this November. Let’s keep the connection alive and shake the world.
Here in the UK during the last few months, we’ve seen a flurry of events announced. Whether in person or virtually, people are truly wanting to maximize interactions and learn from their peers. At MetricStream, we have been at the forefront when it comes to providing a platform for professionals to connect and help facilitate conversations. This enables discussion around various problems their organization is facing, concerns they have, and subjects they’d like to discuss further.
We’ve recently hosted a few peer-to-peer events and heard from attendees about their take on current industry happenings. Now we’re approaching our next event! This one is slightly larger than a peer-to-peer event but the excitement doesn’t wane. For the past 9 years, our flagship event, the GRC Summit has consistently provided opportunities for the GRC community to connect, share insights, exchange best practices, and most importantly—look to what's next in GRC. As we enter our 10th year, our commitment to building connections remains strong.
While MetricStream may host these events, our primary goal is to connect industry practitioners. These events offer the mechanism to form a community of experts, learn from their specific circumstances, develop their professional network, share trends, inspire others and discuss all things GRC.
Of course, there are other benefits to us being a part of such events. GRC events offer a forum where we can have interactive, candid, and engaging conversations with our customers, prospects, and others from the GRC community to understand their pain points, requirements, and thoughts on key trends. It helps us stay close to key market trends and needs. These insights provide us with validated information which in turn helps us improve our products and solutions.
The foundation of GRC is the data: the data that you track, the controls that are managed, and the reporting of adherence to those controls. The processes become incredibly difficult when that data sits in formats that do not talk to each other and are hard to update.
Some of the conversations that we’ve had point to the importance of not only having the proper systems in place but also that these systems are only as useful as the data in them. At a recent peer-to-peer event, we had one attendee mention how important it was to ensure that “when you accurately update your data, that it automatically updates the relevant systems” and “having too many manual Excel documents creates issues with maintenance and updating”. Another attendee mentioned how “If you haven’t got everything being entered in the same way, it can completely skew the results”. Right data, right time, and right use are integral to a GRC system. Quality data forms a foundational step with GRC activities before you even look for a solution. You cannot make a process better if you cannot track the success and metrics around it.
While technology has always been seen as an enabler, participants confirmed the importance of both ‘culture and education’. The education piece is hugely important in organizations alongside driving a risk-aware culture from the top. It’s also important to remember that educating staff on how to adhere to certain policies and their relevant confines ensures they are better prepared to tackle issues that may arise and deal with them in a compliant manner.
Another attendee brought up the important discussion point that “we’re all human beings but how do we share the knowledge”. Sharing of knowledge sounds easy but without a safe forum to discuss these important topics, our lessons learned don’t get shared. Collaboration for the greater good can be a huge differentiator. Take things you learn, share what you’ve learned – and keep the ball rolling.
There is no doubt that we all have been on a journey together supporting each other as the GRC landscape gets more intense and has emerged as a critical business imperative. At MetricStream, we believe in the power of the GRC community and the power of connection. Our events are designed to help you move beyond just managing risk to embracing it, and ultimately thriving on risk. It's a catalyst to implementing solutions that work for the entire organization, from the risk office to the front line, delivering a connected, single source of truth to business leaders.
MetricStream’s flagship event, the GRC Summit, will be held in person on the 8th and 9th of November 2022, at the Royal Garden Hotel, London. As we celebrate our 10th year, we have chosen our GRC Summit theme to be Experience the Power of Connection. Join the 2-day event that will host 60+ sessions from 50+ speakers.
Top highlights include:
Come, meet us at the GRC Summit in London! Register Now.
This year has been extremely challenging for businesses around the world. The already inundated governance, risk, and compliance (GRC) teams at organizations are further stretched thin as they try to keep up with the rapidly evolving business, cyber and ESG risks, the ever-evolving regulatory landscape, and escalating geopolitical crises.
Our recent survey with OCEG confirmed how challenged organizations are with GRC today. A large number of organizations are still relying on distributed, segmented, and separate systems for managing GRC. A meager 7% of respondents said they have “excellent” GRC capabilities today.
[For a quick look at the key takeaways of the OCEG GRC Readiness for Rapid Change Survey 2022, click here. To download the complete survey report, click here.]
What are the top concerns of businesses and regulators today? Is GRC still an afterthought? What are the new cyber challenges for companies in this new normal? Are companies going to walk the talk on ESG? Let’s find out what made it to the headlines in August – through the GRC lens.
Operational risk and resilience continue to be priority areas for regulators.
The Australian Prudential Regulation Authority (APRA) has started consulting on a new prudential standard that aims to bolster the management of operational risk in the banking, insurance, and superannuation industries. The Monetary Authority of Singapore (MAS) published a paper that sets out its expectations, good practices, and improvement areas for operational risk management at financial institutions based on its inspections of selected banks over 2020 and 2021.
In another update, Germany’s financial market regulator BaFin levied a $5.28 million fine on a leading US-based financial institution for delays in reporting voting rights notifications.
Several survey and research reports published last month underscore the importance of risk and compliance management at banks and corporations alike:
A cohort of leading cybersecurity and technology organizations, including AWS, Splunk, IBM Security, and others, have come together in an open-source effort, the Open Cybersecurity Schema Framework (OCSF) project, to break down the data silos that hamper security teams by defining a common, vendor-neutral schema for security event data. The project aims to help organizations detect, investigate, and stop cyberattacks more quickly and effectively.
The Australian Council of Financial Regulators released a revised version of the Cyber Operational Resilience Intelligence-led Exercises framework (CORIE framework v2.0). The CORIE framework aims to support the preparation and execution of industry-wide financial sector cyber resilience exercises.
Here’s a look at the current state of cyber risk and compliance management based on recent reports:
Regulatory focus on environmental, social, and governance (ESG) aspects continues to gather steam. A joint committee of European Supervisory Authorities, namely the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) published the first annual report on the extent of voluntary disclosure of principal adverse impact under the Sustainable Finance Disclosure Regulation (SFDR).
It lays out a preliminary, indicative, and non-exhaustive overview of best practices and voluntary disclosures. In another update, ESMA called for a “quality label” to prevent investors from being misled by greenwashing.
In Singapore, a new initiative has been launched to set a uniform baseline for banks to engage their corporate clients on environmental risk issues. The Association of Banks in Singapore (ABS) rolled out the ABS Environmental Risk Questionnaire (ERQ), which will enable banks to collect consistent data points from their corporate customers and identify opportunities for financing the transition to a low-carbon economy.
In Australia, the Financial Services Council (FSC) published its guidance on Climate Risk Disclosure in Investment Management. It details a set of common baseline expectations for net-zero commitments for the investment management industry, disclosure of climate-friendly investment features, and reporting of climate change risk.
Here’s a look at the current state of ESG risk management based on recent reports:
We are gearing up to celebrate the 10th anniversary of our premier GRC event in London on November 8-9. The GRC Summit 2022 will feature keynotes from industry leaders, product innovation sessions, MetricStream customer success stories and practitioner-led case studies, deep-dive workshops, GRC journey awards, and more! To check out the complete agenda, click here.
As someone who has been working in the GRC market for more than six years, it’s always interesting to tap into the trends and moods of the market and its buyers. In a former role, I built and ran annual market surveys on GRC systems, capabilities, needs, and evolving top concerns of risk and compliance professionals. This year, MetricStream collaborated with OCEG on an especially timely and topic-rich survey of GRC professionals. The outcomes are surprising, not surprising, and I believe, a strong reflection of the state of the market, all at the same time.
The survey, conducted in February 2022, was focused on GRC program readiness in a highly unpredictable and dynamic time for risk and compliance. Nearly 350 GRC professionals representing a cross-section of roles, industries, geographies, and company sizes completed a broad survey, resulting in a published report.
Download the Report: OCEG GRC Readiness for Rapid Change Survey 2022
The results show a handful of key findings and one trend that bears some analysis. Here’s a quick snapshot of a small handful of findings with data:
1. Too many organizations do not have a fully defined and documented GRC strategy. At a time when the pace and severity of risks and compliance challenges are increasing and intensifying, an organizational strategy that enables a holistic approach to managing, mitigating, and gaining advantage from risks from across the business is essential.
2. Too many GRC approaches rely on distributed, segmented, and separate systems. While virtually all GRC pundits and experts talk about the importance and urgency of investing in improved visibility, insight, and actionability across connected GRC systems, we still see that many are still using separate, unlinked systems and approaches, and far too many are using software not designed to support GRC functionality.
Similarly, we also see that many respondents are still struggling with siloed programs, even while the pressure to perform increases. There is palpable recognition among respondents of the limitations of segmented systems and the vulnerabilities they create. 34% of respondents reported that siloed risk and compliance management was their greatest barrier to rapidly responding to changes in risks.
While those results might indicate a market without clear direction and priorities, we found that many respondents are clear on what they need to address many of their challenges. And given the pace, scale, and severity of risks these days, across economic and financial risk, regulatory compliance, cybersecurity risks, third-party risks, and audit risks, it's good to see that so many identify integrated processes, technologies, controls, and data as central to addressing their challenges.
3. Not surprisingly, given the data above, only 7% of respondents said they have excellent GRC capabilities today. And 47% report that their programs are good. This is, ironically, an improvement over the last few years. Yet there are still improvements to make, and most seem to recognize it.
While those points tend to show progression on data that analysts have been collecting for years about the state of the GRC marketplace, the most interesting findings to me relate to how people perceive heightened challenges from the last few years, and how their GRC programs have had to adapt to them.
This survey showed that nearly 85% of respondents report significant changes in their GRC universe in the last two years, with nearly 70% reporting increasing challenges related to employees working remotely, and 60% reporting increased data privacy and cybersecurity concerns. At the same time, nearly 20% of respondents have not acted or can’t report any changes in their programs in response to broadly acknowledged increases in risk.
In terms of adapting to these rapid changes in the risk and compliance environment, 61% of respondents indicate their organizations place maturing cybersecurity and data protections as very important in the next 24 months, 56% indicate maturing regulatory compliance as very important, 54% operational risk and business continuity strategies as very important, and just over 50% indicate audit and financial controls as very important. In fact, no element of a complete GRC program, including managing third-party risk and ESG risks, scored under 50% for being ranked very important. Sadly, that’s not surprising, given the risk and compliance environment today.
The recent significant changes in the risk environment and the recognition of a need to adapt GRC programs for risk-readiness and organizational resiliency are central to how those with GRC oversight should be viewing their programs. The days of periodic risk assessments and separate risk and compliance functional teams are over. Any business that wants to be able to rapidly adapt to risks, regulatory changes, and cybersecurity best practices must strive to unify its systems, data, policies, controls, and actions in a connected solution to best enable holistic understanding, management, and advantage.
In an increasingly dynamic and unstable world, isolating risk signals in the noise, linking and aggregating data and enabling real-time insight can make the difference between organizations suffering from unexpected risks and being able to anticipate and gain an advantage from them. We are at a very interesting and consequential point in GRC maturity. GRC is a business-critical function with strategic significance for how businesses operate and succeed. Segmented and separated systems create strategic disadvantage where connected systems help deliver readiness, resiliency, and advantage.
Read the full report: Download OCEG GRC Readiness for Rapid Change Survey 2022.
Check out how MetricStream can help you implement a connected GRC strategy. Explore ConnectedGRC. Request a demo now.
Two things were on the top of our minds the past month: The sweltering heat and rising concerns about a macroeconomic downturn.
Almost all of the Northern Hemisphere experienced record-breaking heat waves this past month. This has not only created a sense of urgency to address climate change, but has also brought the spotlight on environmental, social, and governance (ESG) risk, reporting, and regulations.
US President Biden announced new executive steps to combat climate change but stopped short of issuing the much-called-for climate emergency declaration. Meanwhile, on the other side of the Atlantic, the UK is exploring a new task force to help investors measure the ‘S’ in ESG.
The interconnectedness and dynamic nature of risk continued to make headlines in July 2022. Gartner flagged the unusually high degree of interrelated risks as it identified concerns of a macroeconomic downturn as the top quarterly emerging risk in Q2 2022.
State-sponsored cyber attacks and key material shortages also made it into the top five. Chris Matlock, vice president with the Gartner Legal, Risk & Compliance practice, writing in Gartner’s Quarterly Emerging Risks Report, had this to say: “The top five risks reported by respondents were notable both for their interconnectedness and origination outside of the organization.”
A lot more happened in the month of July. Scroll down for a quick glance at the top stories that made it to the headlines in the world of risk, operational resilience, compliance, IT and cyber risk, and ESG.
The webinar Managing the Deluge of New Cryptocurrency and Digital Asset Regulatory Change saw thought leaders Jennifer Clarke, Senior Editorial Manager, Regulatory SME, CUBE, Alex Royle Head of Compliance and Regulatory Affairs, EMEA, Galaxy Digital, and MetricStream Product Marketing leaders Loren Johnson and Suneel Sahi discuss the risk and compliance landscape surrounding cryptocurrency and digital assets.
In the webinar Connected, Continuous and Constantly Changing: Tackling the Intersection of Cyber and Third-Party Risks, third-party and cyber risk expert Linda Tuck Chapman and MetricStream Product Marketing leaders Loren Johnson and Patricia McParland participated in an interactive discussion on what’s new, what’s next, and how to thrive in an increasingly complex, connected web of risk.
MetricStream’s GRC Summit 2022—much looked forward to by the GRC community as a platform to share insights, exchange best practices, and more importantly to discover what's next in GRC—is back, with an in-person event as we celebrate the 10th year.
Meet us on November 8th and 9th in person at the Royal Garden Hotel in London, UK. Register Now.
As we enter the second half of 2022, businesses around the world are bracing themselves for a potential economic downturn. The US Federal Reserve announced its biggest interest rate hike in nearly 30 years in a bid to control inflation, and in Europe, many central banks are following suit. Companies and startups are resorting to substantial measures, including workforce reductions. Furthermore, the ongoing geopolitical crisis and supply chain woes are adding to the challenges faced by businesses worldwide. At the same time, regulators continue to increase their focus on areas such as data, privacy, compliance, operational resilience, and business continuity.
Against this backdrop, here’s a quick recap of the latest happenings in the governance, risk, and compliance (GRC) universe in June.
The chairman of the U.S. Senate Banking Committee called upon a leading financial services company to address the weaknesses in its "governance, risk management, and hiring practices."
Regulatory Focus: Operational resilience continues to be a top priority for financial regulatory authorities around the world.
The State of Risk Management: Industry visionaries and thought leaders published survey reports, providing insights into the current risk landscape and the state of risk management at organizations:
Cybersecurity firm Proofpoint thwarted a phishing attack trying to exploit the “Follina” vulnerability. In a blog post, Qualys explains the vulnerability in detail.
“The Follina vulnerability’s footprint is significant as it affects ALL Microsoft Office versions – 2013 and above – on ALL currently supported Microsoft Windows operating systems – even the latest: Windows Server 2022!” Qualys noted.
With the escalating number of cyber attacks on organizations, including state-sponsored attacks, the US Cybersecurity & Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory with the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI). The advisory details how People’s Republic of China (PRC) state-sponsored cyber actors are exploiting publicly known vulnerabilities to establish a broad network of compromised infrastructure. CISA also added 36 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
Gartner listed 8 cybersecurity predictions for 2022-23. The IT research firm believes that 60% of organizations will use cybersecurity risk as a primary determinant when engaging with third parties by 2025.
A new survey from Cloud Security Alliance (CSA) and Google found that cloud adoption improves enterprise risk management and mitigation processes. The CSA said that evaluating cloud and business risk together improves the understanding of IT's impact on an organization’s overall risk maturity, including adopting a shared fate partnership between cloud service providers and customers.
Regulatory Focus: June saw heightened cyber and data-related regulatory activity around the globe:
FM Global released the online 2022 FM Global Resilience Index, which now includes 15 economic, risk quality, and supply chain measures that offer executives insights into the vulnerabilities of a country’s business environment and, conversely, its resilience.
There’s a growing call for tying leadership compensation to ESG metrics. Sustainalytics said, “Now that companies are integrating material ESG issues into their strategies, it is the logical next step to incentivize executives to improve performance on these issues in a measurable way.”
In a new study, Moody’s Analytics found that organizations that develop more responsible ESG practices and focus on mitigating ESG risks generate better shareholder returns.
In its tenth SONAR report, Swiss Re explored a new generation of emerging risks resulting from climate change, particularly the thawing of permafrost.
Regulatory Focus: Environmental, social, and governance (ESG) aspects continue to make waves in the regulatory landscape.
Speaking at a recently held MetricStream webinar, “Utility Data Management and ESG Reporting – The ‘Elephant in the Room’,” Anand Hanchinamani, Senior Director, Audit Product Management, MetricStream, said, “Climate risk is a global problem with a local impact. It can lead to probably hotter working conditions in India or increased tidal flooding in Florida or coastal regions. But, [climate risk] is systemic – one particular problem can lead to a series of supply chain issues or [result in] add-on impacts around the world on different kinds of operations. So, that is why board of directors, investors, customers, and regulators demand accuracy with reporting and responses on ESG-specific issues.”
MetricStream attended the recent Gartner Security and Risk Management Conference and the Marcus Evans' 13th Edition Third Party Risk Management for Financial Institutions Conference. Key themes at both events included the importance of automation, interconnected risk management, and risk quantification.
MetricStream at Gartner Security and Risk Management Conference (L); MetricStream at Marcus Evans' 13th Edition Third Party Risk Management for Financial Institutions Conference (R)