Two things were on the top of our minds the past month: The sweltering heat and rising concerns about a macroeconomic downturn.
Almost all of the Northern Hemisphere experienced record-breaking heat waves this past month. This has not only created a sense of urgency to address climate change, but has also brought the spotlight on environmental, social, and governance (ESG) risk, reporting, and regulations.
US President Biden announced new executive steps to combat climate change but stopped short of issuing the much-called-for climate emergency declaration. Meanwhile, on the other side of the Atlantic, the UK is exploring a new task force to help investors measure the ‘S’ in ESG.
The interconnectedness and dynamic nature of risk continued to make headlines in July 2022. Gartner flagged the unusually high degree of interrelated risks as it identified concerns of a macroeconomic downturn as the top quarterly emerging risk in Q2 2022.
State-sponsored cyber attacks and key material shortages also made it into the top five. Chris Matlock, vice president with the Gartner Legal, Risk & Compliance practice, writing in Gartner’s Quarterly Emerging Risks Report, had this to say: “The top five risks reported by respondents were notable both for their interconnectedness and origination outside of the organization.”
A lot more happened in the month of July. Scroll down for a quick glance at the top stories that made it to the headlines in the world of risk, operational resilience, compliance, IT and cyber risk, and ESG.
The webinar Managing the Deluge of New Cryptocurrency and Digital Asset Regulatory Change saw thought leaders Jennifer Clarke, Senior Editorial Manager, Regulatory SME, CUBE, Alex Royle, Head of Compliance and Regulatory Affairs, EMEA, Galaxy Digital, and MetricStream Product Marketing leaders Loren Johnson and Suneel Sahi discuss the risk and compliance landscape surrounding cryptocurrency and digital assets.
In the webinar Connected, Continuous and Constantly Changing: Tackling the Intersection of Cyber and Third-Party Risks, third-party and cyber risk expert Linda Tuck Chapman and MetricStream Product Marketing leaders Loren Johnson and Patricia McParland participated in an interactive discussion on what’s new, what’s next, and how to thrive in an increasingly complex, connected web of risk.
MetricStream’s GRC Summit 2022—much looked forward to by the GRC community as a platform to share insights, exchange best practices, and more importantly to discover what's next in GRC—is back, with an in-person event as we celebrate the 10th year.
Meet us on November 8th and 9th in person at the Royal Garden Hotel in London, UK. Register Now.
As we enter the second half of 2022, businesses around the world are bracing themselves for a potential economic downturn. The US Federal Reserve announced its biggest interest rate hike in nearly 30 years in a bid to control inflation, and in Europe, many central banks are following suit. Companies and startups are resorting to substantial measures, including workforce reductions. Furthermore, the ongoing geopolitical crisis and supply chain woes are adding to the challenges faced by businesses worldwide. At the same time, regulators continue to increase their focus on areas such as data, privacy, compliance, operational resilience, and business continuity.
Against this backdrop, here’s a quick recap of the latest happenings in the governance, risk, and compliance (GRC) universe in June.
The chairman of the U.S. Senate Banking Committee called upon a leading financial services company to address the weaknesses in its "governance, risk management, and hiring practices."
Regulatory Focus: Operational resilience continues to be a top priority for financial regulatory authorities around the world.
The State of Risk Management: Industry visionaries and thought leaders published survey reports, providing insights into the current risk landscape and the state of risk management at organizations:
Cybersecurity firm Proofpoint thwarted a phishing attack trying to exploit the “Follina” vulnerability. In a blog post, Qualys explains the vulnerability in detail.
“The Follina vulnerability’s footprint is significant as it affects ALL Microsoft Office versions – 2013 and above – on ALL currently supported Microsoft Windows operating systems – even the latest: Windows Server 2022!” Qualys noted.
With the escalating number of cyber attacks on organizations, including state-sponsored attacks, the US Cybersecurity & Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory with the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI). The advisory details how People’s Republic of China (PRC) state-sponsored cyber actors are exploiting publicly known vulnerabilities to establish a broad network of compromised infrastructure. CISA also added 36 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
Gartner listed 8 cybersecurity predictions for 2022-23. The IT research firm believes that 60% of organizations will use cybersecurity risk as a primary determinant when engaging with third parties by 2025.
A new survey from Cloud Security Alliance (CSA) and Google found that cloud adoption improves enterprise risk management and mitigation processes. The CSA said that evaluating cloud and business risk together improves the understanding of IT's impact on an organization’s overall risk maturity, including adopting a shared fate partnership between cloud service providers and customers.
Regulatory Focus: June saw heightened cyber and data-related regulatory activity around the globe:
FM Global released the online 2022 FM Global Resilience Index, which now includes 15 economic, risk quality, and supply chain measures that offer executives insights into the vulnerabilities of a country’s business environment and, conversely, its resilience.
There’s a growing call for tying leadership compensation to ESG metrics. Sustainalytics said, “Now that companies are integrating material ESG issues into their strategies, it is the logical next step to incentivize executives to improve performance on these issues in a measurable way.”
In a new study, Moody’s Analytics found that organizations that develop more responsible ESG practices and focus on mitigating ESG risks generate better shareholder returns.
In its tenth SONAR report, Swiss Re explored a new generation of emerging risks resulting from climate change, particularly the thawing of permafrost.
Regulatory Focus: Environmental, social, and governance (ESG) aspects continue to make waves in the regulatory landscape.
Speaking at a recently held MetricStream webinar, “Utility Data Management and ESG Reporting – The ‘Elephant in the Room’,” Anand Hanchinamani, Senior Director, Audit Product Management, MetricStream, said, “Climate risk is a global problem with a local impact. It can lead to probably hotter working conditions in India or increased tidal flooding in Florida or coastal regions. But, [climate risk] is systemic – one particular problem can lead to a series of supply chain issues or [result in] add-on impacts around the world on different kinds of operations. So, that is why board of directors, investors, customers, and regulators demand accuracy with reporting and responses on ESG-specific issues.”
MetricStream attended the recent Gartner Security and Risk Management Conference and the Marcus Evans' 13th Edition Third Party Risk Management for Financial Institutions Conference. Key themes at both the events included the importance of automation, interconnected risk management, and risk quantification.
MetricStream at Gartner Security and Risk Management Conference (L); MetricStream at Marcus Evans' 13th Edition Third Party Risk Management for Financial Institutions Conference (R)
The Bank of England on Threadneedle Street London is the eighth oldest bank in the world. Don’t ask me how I know this or to name the other seven, but last week while having dinner with some colleagues overlooking this remarkable building, we were discussing how this bank’s vault stores over 40,000 gold bars.
As conversations go, we moved from topic to topic during our first course. We discussed the state of the world and how central banks are taking an aggressive timeline to tame spiraling inflation rises. We also pondered on the cost-of-living crisis, squeezing oil supplies, plummeting equity prices (at least for the first half of 2022), ongoing geopolitical tensions, and possibly the start of a recession. The dialog gradually morphed into how the bank insures itself against this gold and how resilient the insurance industry is.
Along with having to deal with the post-pandemic effects, the insurance industry is grappling with accelerating regulatory pressures, mounting cyber risks, and increasing climate catastrophes. You can add supply chain disruptions, migrating to the cloud, and a drop in talent retention to the list. Commercial insurance started hundreds of years ago within the shipping industry as a means to protect against looting. Cyber insurance is a more recent development that began around the 1990s and is critical, as today, the most valuable assets are stored in the cloud.
Insurance companies have built and acquired vast customer databases that reside in detached and disconnected systems, and human intervention is usually required to locate, gather, and operationalize them. Data and consumer protection will always be driving forces in this industry, with further reliance on digital networks. But what we are witnessing is the revolution of digitalization and how, in recent times, it has been transformative through technology innovation. This includes intelligent automation, cloud computing, and automated claim processing leading the way in delivering efficiencies across automated workflows. Another name for this positive disruption is InsureTech.
We have entered a new era with sensitive information, data breaches, and ransomware dominating the headlines. Cyber risk has more than quadrupled since 2002 and tripled since 2013.
At the end of March 2022, all European Union (EU) institutions and agencies were required to have cyber security frameworks in place for governance, risk management, and controls. And with regulation, it does not stop there as these changes will need to be reflected in business processes.
A common risk language makes it simpler to communicate and report risks. Meanwhile, standardized issue management processes allow stakeholders to identify quickly which issues are associated with which risks.
As a heavily regulated industry, insurance companies are now grappling with interconnected and multifaceted ESG challenges that need urgent attention to identify, collate, and report the correct data through an ESG framework. Outsourcing has become an established way of working for (re)insurance, leading to third-party risk management (TPRM) becoming an increasingly important part of your risk profile. The ESG objectives and mission need to be clearly demonstrated. The purpose and ethos of a company are up there with profitability.
Insurers have embraced cloud technology. As well as allowing organizations to be more agile, the cloud is an ideal platform for data storage across the systems as it is secure, scalable, and reliable.
At MetricStream, we have been working alongside insurance giants for years. Our solution is built to identify, manage, collate and operationalize risks across the enterprise.
Whether it is internal audit, enterprise/operational risk management, third-party risk, incident management, compliance and policy management, cyber and IT risk, or ESG, at MetricStream, we have you covered with:
Read the case studies from the insurance industry:
A Fortune 1000 Insurance Company Moves Up the GRC
Major Insurance Firm Engages All Lines of the Business in GRC
The dinner conversation then moved to digital assets, stable coins, and NFTs. At that point, I knew it was time to leave.
If you want to know more about how we can help your insurance company effectively manage and mitigate multi-dimensional risks, reach out to me at ssahhi@metricstream.com
You can also request a personalized demo of our product.
Stay up-to-date with the trending discussions and insights in the risk community. Subscribe to the Instagram of Risk Blog Series authored by Suneel Sahi, VP, Product Marketing at MetricStream.
Be Resilient, I Whispered to My Car
If You Think Compliance is Expensive, Then Try Non-Compliance
An Ounce of Prevention is Worth a Pound of Cure
Don’t Aim To Be Perfect, Aim To Be Anti-Fragile
Organizations today need to keep a close eye on the constantly changing Governance, Risk Management and Compliance (GRC) landscape. Newer and diverse risks, including increasing cyber risk, pandemic-related regulatory and policy changes, and risks associated with climate change now present a very real challenge that organizations need to prepare for.
Stay prepared for what’s next in GRC with our monthly round-up of the trending news and insights that you can use.
As the risk landscape expands, strengthening business resilience with enterprise and operational risk management remains a top priority for organizations. At the same time, regulatory requirements by governments and regulatory bodies have left organizations to deal with multiple layers of complex change, often happening simultaneously. This makes the compliance function an important priority for organizations of all sizes.
Here’s what has been spotted on the risk and compliance radar this month.
Other trending risk and compliance topics include the publishing of the 2022 Interos Annual Global Supply Chain Report, which highlighted that only one-tenth of the survey respondents monitor supplier risks on a continual basis, and the PwC Global Risk Survey, where 65% of survey respondents are increasing their overall spending on risk management technology.
With cyber actors continually improving the level of sophistication of cyber attacks, cyber-risk mitigation is now the top priority for organizations, governments, and regulatory authorities. In the month of May 2022:
In other IT risk and cyber risk news, Rob Joyce, the head of cybersecurity at the U.S. National Security Agency, is “still very worried” about the escalated cyber risk arising from the Russia-Ukraine war. For CISOs, this translates to continuing to track the conflict and putting measures in place to mitigate any direct attacks and cyberattack spillovers. The judgement by the Federal Court of Australia in Australian Securities and Investments Commission v RI Advice Group Pty Ltd has now made it clear that the failure to manage cyber risk is a breach of financial services obligations. This has led to the Australian Securities and Investments Commission (ASIC) publishing a guidance note on the critical cyber risk measures that AFSL holders are now expected to have in place.
The importance of assessing risks from climate change, environment, and social equity continues to create a lot of conversation. The top highlights include:
To be noted is the new survey report by Deloitte, which reports findings on how climate, sustainability, and social equity are now important considerations when it comes to shaping infrastructure plans. Also, various global regulators are aiming to bring new reforms to tackle greenwashing and promote greater transparency in environmental, social, and governance investments.
MetricStream empowers organizations to drive a connected GRC program. Leverage ConnectedGRC, and our BusinessGRC, CyberGRC, and ESGRC product lines, to better identify, assess, manage, and mitigate strategic risks, operational and enterprise risks, IT and cyber risks, third-party risks, compliance risks, and ESG risks.
Interested to learn more? Request a demo now.
“Winners don’t do different things. Winners do things differently” is a popular quote that perfectly demonstrates MetricStream’s test automation strategy.
Today, test automation is increasingly being preferred over manual testing since it increases efficiency in the software development process while enabling more robust products to be built. Additional benefits include higher test coverage, faster feedback cycle, improved accuracy, elimination of human error, with business advantages of reduced expenses and faster time to market.
However, the general approach to test automation in the industry comes with its own set of challenges. This is where MetricStream has followed a different approach—one that is more efficient, scalable, and fast.
This blog examines the problems associated with the traditional approach followed by the industry and dives deep into MetricStream’s unique approach and the advantages it brings.
The general approach in the IT industry is to have test automation led by the QA team, in which one or more QA engineers write and maintain the automation scripts. However, this approach comes with several challenges, including:
The automation approach followed at MetricStream efficiently addresses all of the above problems. By developing an in-house tool/product, AutoMetric, MetricStream ensures the test automation needs of the entire organization are catered to. At MetricStream, a separate team of highly skilled developers builds the tool and supports QA teams in running and adopting the automation. This allows QA teams to focus more on test scenarios than on writing automation tests.
Here’s a quick glimpse into automation at MetricStream:
MetricStream’s test automation approach is better than the traditional approach for multiple reasons. Listed below are a few benefits:
Test automation enables not just the saving of time and money but more importantly the delivering of higher quality products. At MetricStream, our unique and efficient approach to test automation ensures robust BusinessGRC, CyberGRC, and ESGRC products that empower your organization to effectively address and stay ahead of evolving business and market needs.
It’s that time again. I have to give my car in for service and I am adamant that it will be a routine check. There is nothing wrong. The engine roars, there are no warning lights, and the effortless drive in recent times has been particularly smooth.
Still, in the back of my mind, I have this niggling thought that they will find something that needs changing, replacing, or updating.
I know I should not be thinking like this; after all, it’s for my benefit. A car has many parts that need to work in tandem. If there is no battery, your car will not start; if there is no alternator, your battery won’t charge; and if there is no petrol, you are not going anywhere. The resilience of a car, which comprises 30,000 parts, is incredible!
Now here is the dichotomy. Similar to cars, organizations need to demonstrate resilience, and work in tandem with other departments, technology, and processes to ensure their critical business operations continue when faced with adverse risk events.
In a recent webinar, I interviewed an ex-Chief Risk Officer and our SVP of Product to decode ‘resilience’ and ‘cyber’. Two pressing words that are shaping boardroom discussions and encouraging regulators to act fast.
Watch the Webinar: Strengthening Resilience with Effective Cyber and Enterprise Risk Management in 2022
Some of the questions that I posed to my panelists include:
Operational resilience is a firm’s ability to prevent, detect, respond to, recover, and learn from operational disruptions that may impact the delivery of important business functions and services.
Organizations need to think beyond traditional risk management programs and start focusing on strengthening operational resilience. This requires a better understanding of the overall risk profile and appetite through risk quantification, the agility to quickly adapt to the evolving risk landscape, and the ability to minimize the impact of any risk event, recover quickly, and ensure continued business operations in the aftermath of the event.
In the UK, the Financial Conduct Authority, Bank of England, and Prudential Financial Authority are working toward this and implementing regulations and guidelines. In the EU, draft legislation Digital Operational Resilience Act (DORA) has been published, and in Germany, the IDW PS 340 n.F. has been revised.
In the U.S., the federal bank regulatory agencies released a paper outlining sound practices for large banks to help them enhance operational resilience, and several main financial authorities in the APAC region are stepping up their resilience practices.
MetricStream has a clear solution to help you build Operational Resilience, enabling you to:
MetricStream’s ConnectedGRC is designed to help you improve resilience and agility through an integrated approach to compliance and risk management that enables you to better define, manage, and channel risk to your advantage. Our CyberGRC product line proactively and intelligently manages cyber risk by enabling users to view and aggregate cyber risk data from across the enterprise, including third- and fourth-party vendors. Organizations are empowered to build cyber resilience by using the actionable business intelligence to make data-driven decisions.
You can learn more or book a demo here.
In my next blog, I will be discussing ESG and what this means to risk owners and governance structures—which makes me think, for my next service should I be driving an electric car?
Stay safe.
This blog is part of the Instagram of Risk Blog Series, authored by Suneel Sahi, VP, Product Marketing at MetricStream, which captures discussions and insights trending in the risk community.
Check out Suneel’s other ‘Instagram of Risk’ blogs:
If You Think Compliance is Expensive, Then Try Non-Compliance
An Ounce of Prevention is Worth a Pound of Cure
Don’t Aim To Be Perfect, Aim To Be Anti-Fragile
The last two years have been nothing short of a roller coaster. We stepped into 2022 with a lot of uncertainty around the COVID-19 pandemic as newer variants and sudden outbreaks in various pockets around the globe continue to keep optimistic sentiment in check. Added to these are the uncertainties surrounding geopolitical tensions that upended global stock markets, heightened cyber threats, and worsened supply chain woes. Businesses, still coming to terms with the post-pandemic era, are now wary of what’s next. As the first quarter of 2022 is coming to a close, let’s find out what made it to the headlines, through the Governance, Risk and Compliance (GRC) lens.
According to the World Economic Forum Global Risks Perception Survey (GRPS) 2021-2022, the three most potentially severe risks over the next 10 years are all related to environmental factors – namely, climate action failure, followed by extreme weather, and biodiversity. With regards to the “scars of COVID-19”, the WEF observes, ‘“Social cohesion erosion”, “livelihood crises” and “mental health deterioration” are three of the five risks that have deteriorated the most globally through the crisis, according to the GRPS. These three risks—and the pandemic itself (“infectious diseases”)—are also seen as being among the most imminent threats to the world.’
In its Risk Management Predictions for 2022, the Global Association of Risk Professionals (GARP) said that interest rate risk, regulatory changes, supply chain disruptions, credit risk, and human capital risk are the top areas of concern for risk professionals this year.
Gartner identified poor and inadequate talent strategy – recruiting and retaining talent – as the top emerging risk for organizations. The research and consulting firm said that the constant turnover can lead to multiple organizational disruptions, including degradation of workplace culture, loss of institutional knowledge, and more.
Cyber risk continues to be a top concern for organizations across industries. A number of government and security agencies have recently issued regulatory guidance to help organizations boost their cybersecurity measures. For a deeper dive, read our blog, Boost Cyber Resilience – Here’s What Cybersecurity Agencies are Recommending.
Earlier this month, Gartner listed the top seven security and risk management trends for this year. This includes attack surface expansion, digital supply chain risk, identity threat detection and response, distributing decisions, beyond awareness, vendor consolidation, and cybersecurity mesh.
Discover the top GRC trends of 2022. Download 8 Key Trends Powering 2022 and Beyond.
Strengthening business resilience has become a key focus area for organizations, particularly in the post-pandemic world. Local regulators too are issuing guidance and framework requirements to ensure that organizations have the necessary measures in place to continue critical business operations when faced with any risk event.
Earlier this month, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released new guidance on “Enabling Organizational Agility in an Age of Speed and Disruption.” The guidance underscores how organizations can succeed by becoming “more anticipatory, agile, and adaptable.”
In the UK, the Prudential Regulation Authority’s (PRA) new rules – SS1/21 and SS2/21 – on operational resilience, third-party risk management, and outsourcing will come into force on 31 March 2022. Announcing its 2022 priorities for international banks active in the UK, the PRA said that firms must have identified and mapped their important business services, set impact tolerances, and initiated a scenario testing program by 31 March 2022.
Environmental, social, and governance (ESG) factors have become a talking point for regulators and businesses alike.
On March 21, the U.S. SEC was scheduled to vote on proposed rule amendments that would require SEC-registered companies to disclose certain climate-related information. The regulator said that the proposed disclosures are “similar to those that many companies already provide based on broadly accepted disclosure frameworks, such as the Task Force on Climate-Related Financial Disclosures and the Greenhouse Gas Protocol.”
In January, the European Banking Authority (EBA) published the final draft implementing technical standards (ITS) on Pillar 3 disclosures on ESG risks. By setting mandatory and consistent disclosure requirements, the EBA ESG Pillar 3 package will help institutions to address the shortcomings of their current ESG disclosures and will also help establish best practices at an international level, the EBA said.
Last month, the European Commission (EC) adopted a proposal for a directive on corporate sustainability due diligence. The new rules set out due diligence obligations for companies to identify, prevent, end or mitigate adverse impacts of their activities on human rights and on the environment.
Are you Building an Enterprise ESG Program? Here's How Technology Can Help You Succeed
The risk and regulatory landscape continues to evolve at an unprecedented pace. Nobody can be sure about what’s in store for GRC professionals over the next three quarters. Organizations can, however, enhance their risk visibility and foresight and become future-ready by leveraging connected, agile, and tech-driven GRC solutions. To request a personalized demo, click here.
After the 2008 financial crisis, the COVID-19 pandemic emerged as the most recent ‘test of resilience’ for the banking and financial services (BFS) industry. Thanks to the stringent regulations, the nature of its business, and relevance in the economy, the industry at large has demonstrated resilience towards the many risks that emerged out of the pandemic. Whether it was implementing and supporting employees to work remotely or quickly scaling existing technology systems to serve customers bound by social distancing mandates—BFS companies with robust risk management practices were able to pass the test and bounce back.
Now, as we move forward, regulators and key industry players are shifting their focus to operational resilience in order to respond, and not merely react, during future crises. The Deloitte Centre for Financial Services Global Outlook Survey 2020 found that many banks are currently pursuing different initiatives to build efficiency. 47% of banks in North America have decided to implement technology as part of the different actions planned over the next 6-12 months.
Since the COVID-19 outbreak, the sudden onset of remote and hybrid working models, accelerated digitization efforts, growing adoption of cloud computing, and increased dependence on third-party providers have initiated a new set of GRC challenges.
Key concerns that BFS companies in North America will need to prepare for include the:
Read More: What’s Next in GRC for Banking and Financial Services Industry in the Americas
As BFS industry leaders decide on key strategies to strengthen resilience, it is important to note that building resilience should go beyond the traditional approach to risk management. A new approach should include:
Risk is inherent to any business and if organizations are looking to achieve resilience, they need to build a better response strategy by taking all aspects of GRC into consideration. Since the end goal of implementing a GRC program is to stay resilient when faced with any disruption or risk event, it is vital for BFS companies to be empowered by ‘what’s next’. For BFS companies looking to achieve operational resilience, they will need to consider integrated GRC programs, advanced technologies such as AI/ML, risk quantification & analytics, continuous monitoring, and more.
True to the popular saying “with crisis comes opportunity”, the post-pandemic era offers the perfect opportunity for BFS companies to relook, realign, and reimagine their GRC frameworks for long-term resilience.
Download the eBook to read more about the GRC challenges faced by BFS companies in North America and how you can stay ahead by leveraging what’s next in GRC.
Request a demo to learn more about how the MetricStream Operational Risk Management software can enable you to streamline your operational risk management function—empowering your organization to make risk-intelligent, real-time business decisions while improving business performance and reducing losses.
Businesses operating in the new normal are facing a new set of challenges. Periodic disruptions to supply chain systems, increasing complexity in the regulatory landscape, the need to develop and sustain hybrid working models, and dealing with higher attrition rates, are just some of the many challenges that organizations are having to find long-term solutions for.
Another significant challenge is the intensification of cyber threats. Cyber risk ranked as one of the top risks in the World Economic Forum’s Global Risk Report 2021. Accelerated technological adoption in the wake of the COVID-19 pandemic has resulted in organizations facing novel cyber vulnerabilities on one hand with a rapidly expanding threat landscape on the other hand. This has resulted in a considerable urgency to address cyber risk, with most organizations elevating it to a strategic business issue.
As businesses seek new solutions to effectively mitigate and manage risk, we at MetricStream are listening and taking note. Colorado, our latest software release, builds upon previous releases with exciting new features, capabilities, and innovations—all driven by our customers and market trends.
Built to help organizations simplify how they manage, measure, and mitigate risk, MetricStream’s Colorado release leverages MetricStream’s deep domain GRC expertise and MetricStream Intelligence – a new ground-breaking analytics and AI-engine and framework – to equip your enterprise with new and simpler ways to assess and aggregate risks.
Given the urgent requirement for enterprises to effectively manage and mitigate IT and cyber risks, MetricStream’s Colorado release enables advanced cyber risk quantification. The software release also focuses on empowering you to effectively manage risks in the extended enterprise by deepening visibility into third- and fourth-party risks. New AI-powered issue clustering capabilities, along with added intelligence, visibility, and an ongoing commitment to improving usability for an optimal user experience, are other key highlights.
The MetricStream Colorado software release brings product enhancements to IT and Cyber Risk Management, Third-Party Risk Management, Risk Management, Regulatory Compliance, Audit, and the MetricStream Platform. Here are six innovations to make note of:
1. Advanced Cyber Risk Quantification and Simulation
Adding a dollar value to your cyber risk just got easier! The Colorado release now brings end-to-end capabilities to quantify risks in monetary terms using FAIR® and other models, as well as to perform simulation and loss exposure analytics. Enterprises can now use hierarchical assessment factors, such as FAIR factors, that have parent-child relationships among themselves. Each factor can be answered with a probabilistic range-based estimate (Min, Max, Most Likely, and a confidence value) rather than a single point, which gives more accurate inputs and produces dollar range-based estimates for Annual Loss Exposure. Monte Carlo simulations can also be run to predict the probability of different outcomes for the Annual Loss Expectancy.
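To make the mechanics concrete, here is an added example of the kind of calculation described above: a small Monte Carlo simulation over FAIR-style factors, where each factor is a Min / Most Likely / Max range and the parent factors (Loss Event Frequency, Loss Magnitude) are derived from their children. This is illustrative code written for this article, not MetricStream’s Colorado implementation or the official FAIR tooling; the factor names follow the public FAIR taxonomy, the triangular distribution stands in for the PERT-style distribution a full FAIR engine would use, and every number in the scenario is constructed for the demonstration.

```python
"""Monte Carlo estimate of Annual Loss Exposure from FAIR-style range estimates.

Illustrative example only (not MetricStream or FAIR Institute code).
Factor hierarchy used here:
    Loss Event Frequency (LEF) = Threat Event Frequency (TEF) x Vulnerability
    Loss Magnitude (LM)        = Primary Loss + Secondary Loss   (per event)
    Annual Loss                = sum of LM over the loss events in one year
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class RangeEstimate:
    """Min / Most Likely / Max answer for one assessment factor."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        # Mean of a triangular distribution; used for the analytic cross-check.
        return (self.low + self.mode + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        if self.low == self.high:          # degenerate range: a point estimate
            return self.low
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class FairScenario:
    tef: RangeEstimate            # threat events per year
    vulnerability: RangeEstimate  # probability (0..1) a threat event becomes a loss event
    primary_loss: RangeEstimate   # dollars per loss event
    secondary_loss: RangeEstimate # dollars per loss event (fines, churn, response)


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's algorithm: number of events in a year given an expected rate lam."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_one_year(scenario: FairScenario, rng: random.Random) -> float:
    """One trial: derive LEF from its children, draw the events, sum their losses."""
    lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
    events = poisson(lef, rng)
    return sum(scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
               for _ in range(events))


def expected_ale(scenario: FairScenario) -> float:
    """Closed-form expected annual loss, for sanity-checking the simulation."""
    return (scenario.tef.mean() * scenario.vulnerability.mean()
            * (scenario.primary_loss.mean() + scenario.secondary_loss.mean()))


def run_simulation(scenario: FairScenario, trials: int = 10_000, seed: int = 7,
                   tolerance: float = 1_000_000.0) -> dict:
    """Return ALE statistics and the probability of exceeding a loss tolerance."""
    rng = random.Random(seed)
    losses = sorted(simulate_one_year(scenario, rng) for _ in range(trials))

    def pct(q: float) -> float:
        return losses[min(len(losses) - 1, int(q * len(losses)))]

    return {
        "mean_ale": statistics.fmean(losses),
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p_exceeds_tolerance": sum(1 for x in losses if x > tolerance) / trials,
    }


# Constructed scenario: a ransomware-style event against an internal file service.
SAMPLE_SCENARIO = FairScenario(
    tef=RangeEstimate(2, 6, 12),
    vulnerability=RangeEstimate(0.10, 0.30, 0.50),
    primary_loss=RangeEstimate(50_000, 200_000, 800_000),
    secondary_loss=RangeEstimate(0, 50_000, 400_000),
)

if __name__ == "__main__":
    stats = run_simulation(SAMPLE_SCENARIO)
    print(f"analytic expected ALE: ${expected_ale(SAMPLE_SCENARIO):,.0f}")
    for name, value in stats.items():
        print(f"{name:>20}: {value:,.2f}")
```

The output is a loss-exceedance view rather than a single number: the p10/p50/p90 spread is the "dollar range" the text refers to, and `p_exceeds_tolerance` is the kind of figure a risk owner compares against an agreed risk appetite. Because the factors are ranges, an analyst can tighten the Vulnerability estimate after a control improvement and re-run to see how much of the tail it removes.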
2. Intuitive Risk Assessments
With Colorado, it now becomes both easier and quicker for you to assess risks—thanks to the newly introduced simple, intuitive risk assessment capabilities. The release brings simple, intuitive forms that make it easy for the lines of defense to perform a two-step assessment.
Risk Reporters can now perform preliminary risk assessments on-the-fly and the Risk Analysts and Managers can then furnish additional details and take appropriate actions. This new feature improves agility by simplifying risk identification and assessment while accelerating frontline adoption.
3. Streamlined Regulatory Change Impact and Compliance Risk Management
Here’s another highlight that makes it easier for your enterprise to ‘thrive on risk’! Enhancements in the Colorado release now make it easier to track what changes are required for policies, risks, and controls based on regulatory changes and perform compliance risk assessments. The Compliance Management product now supports an integrated Compliance Risk Assessment Framework, enabling a structured and systematic approach to manage organizational risks.
Your organization can now accurately understand risks and gain clear visibility into the top risks you face. With the Colorado release, the MetricStream Regulatory Change product has directly linked the GRC library objects to regulatory change and impact assessment. This makes it easier for your enterprise to assess the impact and update your policies and/or controls accordingly.
4. Expanded Visibility into Third-Party and Fourth-Party Risks
The extended enterprise is here to stay. Medium and large enterprises now have anywhere from hundreds to thousands of vendors. This makes it difficult to gain complete visibility, which in turn increases the associated risk. With the Colorado software release, you can get an aggregated view of risk exposure across third and fourth parties, since associated fourth parties can now be captured in the third-party profile. In addition, a new risk aggregation report provides visibility into the overall risk exposure at the third-party level, including these fourth parties and parents.
5. MetricStream Intelligence
Advanced technologies have enabled us to experience the future now. The Colorado software release empowers you to stay ahead by introducing MetricStream Intelligence—a flexible new analytics and AI platform that encompasses multiple calculation engines, AI/ML, and data science capabilities. The advanced analytical and AI engine supports multiple scoring models and data science tools, allowing the creation of any type of model and variable. MetricStream Cyber Risk Quantification is the first use case from MetricStream Intelligence, which will host and deliver multiple other scores, models, and AI-powered intelligence.
6. AI-Powered Issue and Action Management
Now enable your second line of defense to cluster issues for easy examination and insight. The AI-powered issue clustering capabilities, available with the Colorado release, use AI/ML to ‘cluster’ issues, facilitating quick identification and action on insights, resulting in savings in time and effort as well as the strategic directing of resources.
Excited to know more about how the new features and functionalities in MetricStream’s Colorado software release can help you thrive on risk? Click here to read more.
As organizations look to harness the power of next-generation technologies and thrive in the era of the Fourth Industrial Revolution, the focus on data is now more critical than ever. It wouldn’t be wrong to say that it is data that runs the modern enterprise in today’s digitized world.
It’s often said that data is the new oil. However, data in itself cannot drive business value—it is only when it is transformed into actionable intelligence that it can enable effective decision-making.
That said, many organizations today lack common taxonomies and structured processes, resulting in unstructured data which is difficult to analyze. This is a major challenge for risk, audit, compliance, and IT & cyber teams as they end up spending most of their time going through this data rather than analyzing it for making strategic business decisions.
Streamlining the processes and workflow and automating them with the right set of tools and technologies is an absolute must for unlocking the true potential of data. By leveraging artificial intelligence (AI), organizations can quickly get insights, identify patterns, avoid duplicate effort, apply the right actions, and better focus on decision-making that helps the business.
Organizations today operate in a complex and unsettled business environment with amplified digital interconnectedness of people, processes, systems, and organizations, rapidly evolving risk and regulatory landscape, geopolitical uncertainty, and more. Furthermore, recent risk events, such as the pandemic, have underscored the importance of a future-ready GRC framework as organizations had an extremely short window of time to act.
Here, AI can be a gamechanger. It can empower organizations to break free from the clutches of siloed operations and facilitate integration and harmonization. Most importantly, it can drastically improve the speed at which risk, audit, compliance, and IT & cyber teams can locate relevant data and information, thereby expediting quick and fact-based decision-making.
AI is an integral component of the MetricStream Platform, deployed and operationalized using cloud-first practices, and can be used to build any model or automate any GRC use case. MetricStream currently offers pre-built AI-powered recommendations to transform and automate GRC processes. It automatically provides key recommendations to users based on historical patterns, so that organizations can further improve user experience and drive intelligent business decisions.
Here are some of the areas where we are bringing AI capabilities:
Issue & Action Management: MetricStream uses the core strength of AI by leveraging semantic analytics with natural language processing that can be used to identify patterns in issues and actions that can originate from any program – be it enterprise and operational risk, compliance, audit, third-party, or IT & cybersecurity. MetricStream’s AI-powered issue and action management provides recommendations to categorize issues based on their semantic similarity and automatically recommends duplicate issues and best possible action plans based on historical trends and business context.
Smart Policy Search: MetricStream’s AI-powered smart policy search simplifies the task of searching for policies using a natural language processing (NLP) based semantic search. It improves search accuracy by understanding the searcher’s intent through contextual meaning.
Observations Triage: As organizations are increasingly enabling the frontline to capture observations, they will have to manage a large number of observations. With such a high volume of observations being reported, the triage process becomes tedious. MetricStream AI-powered recommendation automatically provides recommendations to classify observations as a case, incident, issue, or loss event. This enhances the efficiency of the triage team.
Risk Scoring of Third Parties: As part of risk assessments, third parties must periodically submit detailed SOC2 and SOC3 reports as evidence of robust compliance and controls in their infrastructure and security. MetricStream AI-powered recommendations for third-party risk can automatically extract content from SOC2 and SOC3 reports and risk-rank the third parties based on the number and type of anomalies in the report.
To learn more about MetricStream’s AI capabilities, click here.