Introduction

The last two years have been nothing short of a roller coaster. We stepped into 2022 with a lot of uncertainty around the COVID-19 pandemic as newer variants and sudden outbreaks in various pockets around the globe continue to keep optimistic sentiment in check. Added to these are the uncertainties surrounding geopolitical tensions that upended global stock markets, heightened cyber threats, and worsened supply chain woes. Businesses, still coming to terms with the post-pandemic era, are now wary of what’s next. As the first quarter of 2022 is coming to a close, let’s find out what made it to the headlines, through the Governance, Risk and Compliance (GRC) lens.

Top Risks for 2022

According to the World Economic Forum Global Risks Perception Survey (GRPS) 2021-2022, the three most potentially severe risks over the next 10 years are all related to environmental factors – namely, climate action failure, followed by extreme weather, and biodiversity. With regards to the “scars of COVID-19”, the WEF observes, ‘“Social cohesion erosion”, “livelihood crises” and “mental health deterioration” are three of the five risks that have deteriorated the most globally through the crisis, according to the GRPS. These three risks—and the pandemic itself (“infectious diseases”)—are also seen as being among the most imminent threats to the world.’

In its Risk Management Predictions for 2022, the Global Association of Risk Professionals (GARP) said that interest rate risk, regulatory changes, supply chain disruptions, credit risk, and human capital risk are the top areas of concern for risk professionals this year.

Gartner identified poor and inadequate talent strategy – recruiting and retaining talent – as the top emerging risk for organizations. The research and consulting firm said that the constant turnover can lead to multiple organizational disruptions, including degradation of workplace culture, loss of institutional knowledge, and more.

Cyber risk continues to be a top concern for organizations across industries. A number of government and security agencies have recently issued regulatory guidance to help organizations boost their cybersecurity measures. For a deeper dive, read our blog, Boost Cyber Resilience – Here’s What Cybersecurity Agencies are Recommending.”

Earlier this month, Gartner listed the top seven security and risk management trends for this year. This includes attack surface expansion, digital supply chain risk, identity threat detection and response, distributing decisions, beyond awareness, vendor consolidation, and cybersecurity mesh.

Discover the top GRC trends of 2022. Download 8 Key Trends Powering 2022 and Beyond.

Growing Focus on Agility and Resilience

Strengthening business resilience has become a key focus area for organizations, particularly in the post-pandemic world. Local regulators too are issuing guidance and framework requirements to ensure that organizations have the necessary measures in place to continue critical business operations when faced with any risk event.

Earlier this month, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released new guidance on “Enabling Organizational Agility in an Age of Speed and Disruption.” The guidance underscores how organizations can succeed by becoming “more anticipatory, agile, and adaptable.”

In the UK, the Prudential Regulatory Authority’s (PRA) new rules – SS1/21 and SS2/21 – on operational resilience, third party risk management, and outsourcing will come into force on 31 March 2022. Announcing its 2022 priorities for international banks active in the UK, the Prudential Regulation Authority (PRA) said that firms must have identified and mapped their important business services, set impact tolerances, and initiated a scenario testing program by 31 March 2022.

The ESG Conversation

Environmental, social, and governance (ESG) factors have become a talking point for regulators and businesses alike.

On March 21, the U.S. SEC was scheduled to vote on proposed rule amendments that would require SEC-registered companies to disclose certain climate-related information. The regulator said that the proposed disclosures are “similar to those that many companies already provide based on broadly accepted disclosure frameworks, such as the Task Force on Climate-Related Financial Disclosures and the Greenhouse Gas Protocol.”

In January, the European Banking Authority (EBA) published the final draft implementing technical standards (ITS) on Pillar 3 disclosures on ESG risks. By setting mandatory and consistent disclosure requirements, the EBA ESG Pillar 3 package will help institutions to address the shortcomings of their current ESG disclosures and will also help establish best practices at an international level, the EBA said.

Last month, the European Commission (EC) adopted a proposal for a directive on corporate sustainability due diligence. The new rules set out due diligence obligations for companies to identify, prevent, end or mitigate adverse impacts of their activities on human rights and on the environment.

Are you Building an Enterprise ESG Program? Here's How Technology Can Help You Succeed

Looking Ahead

The risk and regulatory landscape continue to evolve at an unprecedented pace. Nobody can be sure about what’s in store for GRC professionals over the next three quarters. Organizations can, however, enhance their risk visibility and foresight and become future-ready by leveraging connected, agile, and tech-driven GRC solutions. To request a personalized demo, click here.

Introduction

After the 2008 financial crisis, the COVID-19 pandemic emerged as the most recent ‘test of resilience’ for the banking and financial services (BFS) industry. Thanks to the stringent regulations, the nature of its business, and relevance in the economy, the industry at large has demonstrated resilience towards the many risks that emerged out of the pandemic. Whether it was implementing and supporting employees to work remotely or quickly scaling existing technology systems to serve customers bound by social distancing mandates—BFS companies with robust risk management practices were able to pass the test and bounce back.

Now, as we move forward, regulators and key industry players are shifting their focus on operational resilience in order to respond and not react during future crises. The Deloitte Centre for Financial Services Global Outlook Survey 2020, found that many banks are currently pursuing different initiatives to build efficiency. 47% of banks in North America have decided to implement technology as part of the different actions planned over the next 6-12 months.

BFS Companies in North America Face New GRC challenges

Since the COVID-19 outbreak, the sudden onset of remote and hybrid working models, accelerated digitization efforts, growing adoption of cloud computing, and increased dependence on third-party providers have initiated a new set of GRC challenges.

Key concerns that BFS companies in North America will need to prepare for include the:

• Expanding cyber threat landscape, owing to large-scale migration to remote work, digital interconnectedness of BFS organizations, cloud concentration, and over-dependency on a single service provider for critical services.
• Growing complexity of the extended ecosystem, due to the increased dependency on vendors such as payment gateways, core banking systems, trading applications, business consultants and contractors, service providers, and other vendors for day-to-day operations and services.
• Increasing regulatory pressure, due to the need for BFS companies to comply with a growing number of regulations and standards including Basel III’s risk-weighted capital requirements, the Bank Secrecy Act, Dodd-Frank Act, Foreign Corrupt Practices Act (FCPA), as well as those mandated by the Federal Financial Institutions Examination Council (FFIEC), the Federal Reserve Board, the Securities and Exchange Commission (SEC)), and many others.
• Emerging and constantly evolving risks, augmented by the fast-changing business landscape with geopolitical power shifts, growing instances of natural calamities, pandemic-driven global economic slowdown, and strategic risks brought on by growing digitization and disruption by FinTech startups.

Read More: What’s Next in GRC for Banking and Financial Services Industry in the Americas

Powering What’s Next in GRC—The Key to Strengthening Operational Resilience

As BFS industry leaders decide on key strategies to strengthen resilience, it is important to note that building resilience should go beyond the traditional approach to risk management. A new approach should include:

• Accurate understanding of the overall risk profile and appetite through risk quantification
• Adequate agility to quickly adapt to the evolving risk landscape
• Amplified ability to minimize the impact of any risk event, recover quickly, and ensure continued business operations in the aftermath

Risk is inherent to any business and if organizations are looking to achieve resilience, they need to build a better response strategy by taking all aspects of GRC into consideration. Since the end goal of implementing a GRC program is to stay resilient when faced with any disruption or risk event, it is vital for BFS companies to be empowered by ‘what’s next’. For BFS companies looking to achieve operational resilience, they will need to consider integrated GRC programs, advanced technologies such as AI/ML, risk quantification & analytics, continuous monitoring, and more.

True to the popular saying, “with crisis comes opportunity”, is the post-pandemic era which offers the perfect opportunity for BFS companies to relook, realign, and reimagine their GRC frameworks for long-term resilience.

Download the eBook to read more about the GRC challenges faced by BFS companies in North America and how you can stay ahead by leveraging what’s next in GRC.

Request a demo to learn more about how the MetricStream Operational Risk Management software can enable you to streamline your operational risk management function—empowering your organization to make risk-intelligent, real-time business decisions while improving business performance and reducing losses.

Introduction

Businesses operating in the new normal are facing a new set of challenges. Periodic disruptions to supply chain systems, increasing complexity in the regulatory landscape, the need to develop and sustain hybrid working models, and dealing with higher attrition rates, are just some of the many challenges that organizations are having to find long-term solutions for.

Another significant challenge is the intensification of cyber threats. Cyber risk ranked as one of the top risks in the World Economic Forum’s Global Risk Report 2021. Accelerated technological adoption in the wake of the COVID-19 pandemic has resulted in organizations facing novel cyber vulnerabilities on one hand with a rapidly expanding threat landscape on the other hand. This has resulted in a considerable urgency to address cyber risk, with most organizations elevating it to a strategic business issue.

We’re Listening at MetricStream

As businesses seek new solutions to effectively mitigate and manage risk, we at MetricStream are listening and taking note. Colorado, our latest software release builds upon previous releases with exciting new features, capabilities, and innovations— all driven by our customers and market trends.

Built to help organizations simplify how they manage, measure, and mitigate risk, MetricStream’s Colorado release leverages MetricStream’s deep domain GRC expertise and MetricStream Intelligence – a new ground-breaking analytics and AI-engine and framework – to equip your enterprise with new and simpler ways to assess and aggregate risks.

Given the urgent requirement for enterprises to effectively manage and mitigate IT and cyber risks, MetricStream’s Colorado release enables advanced cyber risk quantification. The software release also focusses on empowering you to effectively manage risks in the extended enterprise by deepening visibility into third and fourth-party risks. New AI-powered issue clustering capabilities, along with added intelligence, visibility, and an ongoing commitment to improving usability for an optimal user experience are other key highlights.

Learn More About the Colorado Software Release

What’s New in Colorado Software Release

The MetricStream Colorado software release brings product enhancements to IT and Cyber Risk Management, Third-Party Risk Management, Risk Management, Regulatory Compliance, Audit, and the MetricStream Platform. Here are six innovations to make note of:

1. Advanced Cyber Risk Quantification and Simulation

Adding a dollar value to your cyber risk just got easier! The Colorado release now brings end-to-end capabilities to quantify risks in monetary terms using FAIR® and other models, as well as perform simulation and loss exposure analytics. Enterprises can now use hierarchical assessment factors, such as FAIR factors, that have parent-child relationships among themselves. This enables a response with probabilistic range-based estimates for factors – such as Min, Max, Most Likely, and confidence values -- resulting in a greater accuracy of input responses leading to dollar range-based estimates for Annual Loss Exposure. Monte Carlo simulations can also be run to predict the probability of different outcomes for the Annual Loss Expectancy.

2. Intuitive Risk Assessments

With Colorado, it now becomes both easier and quicker for you to assess risks—thanks to the newly introduced simple, intuitive risk assessment capabilities. The release brings simple, intuitive forms that make it easy for the lines of defense to perform a two-step assessment.

Risk Reporters can now perform preliminary risk assessments on-the-fly and the Risk Analysts and Managers can then furnish additional details and take appropriate actions. This new feature improves agility by simplifying risk identification and assessment while accelerating frontline adoption.

3. Streamlined Regulatory Change Impact and Compliance Risk Management

Here’s another highlight that makes it easier for your enterprise to ‘thrive on risk’! Enhancements in the Colorado release now make it easier to track what changes are required for policies, risks, and controls based on regulatory changes and perform compliance risk assessments. The Compliance Management product now supports an integrated Compliance Risk Assessment Framework, enabling a structured and systematic approach to manage organizational risks.

Your organization can now accurately understand risks and gain clear visibility into the top risks you face. With the Colorado release, the MetricStream Regulatory Change product has directly linked the GRC library objects to regulatory change and impact assessment. This makes it easier for your enterprise to assess the impact and update your policies and/or controls accordingly.

4. Expanded Visibility into Third-Party and Fourth-Party Risks

The extended enterprise is here to stay. Medium and large-scale industries now have vendors ranging anywhere between hundreds and thousands. This makes it difficult to gain complete visibility, which in turn increases the associated risk. With the Colorado software release, you can get an aggregated view of risk exposure across third and fourth parties since now associated fourth parties can be captured in the third-party profile. In addition, a new risk aggregation report provides visibility into the overall risk exposure – including these fourth parties and parents -- at the third-party level.

5. MetricStream Intelligence

Advanced technologies have enabled us to experience the future now. The Colorado software release empowers you to stay ahead by introducing MetricStream Intelligence—a flexible new analytics and AI platform that encompasses multiple calculation engines, AI/ML, and data science capabilities. The advanced analytical and AI engine enables multiple scoring models and data science tools, allowing the creation of any type of models and variables. MetricStream Cyber Risk Quantification is the first use case from MetricStream Intelligence, which will host and deliver multiple other scores, models, and AI-powered intelligence.

6. AI-Powered Issue and Action Management

Now enable your second line of defense to cluster issues for easy examination and insight. The AI-powered issue clustering capabilities, available with the Colorado release, uses AI/ML to ‘cluster’ issues, facilitating quick identification and action on insights – resulting in savings in time and effort as well as the strategic directing of resources.

Excited to know more about how the new features and functionalities in MetricStream’s Colorado software release can help you thrive on risk? Click here to read more.

Introduction

As organizations look to harness the power of next-generation technologies and thrive in the era of the Fourth Industrial Revolution, the focus on data is now more critical than ever. It wouldn’t be wrong to say that it is data that runs the modern enterprise in today’s digitized world.

It’s often said that data is the new oil. However, data in itself cannot drive business value—it is only when it is transformed into actionable intelligence that it can enable effective decision-making.

That said, many organizations today lack common taxonomies and structured processes, resulting in unstructured data which is difficult to analyze. This is a major challenge for risk, audit, compliance, and IT & cyber teams as they end up spending most of their time going through this data rather than analyzing it for making strategic business decisions.

Streamlining the processes and workflow and automating them with the right set of tools and technologies is an absolute must for unlocking the true potential of data. By leveraging artificial intelligence (AI), organizations can quickly get insights, identify patterns, avoid duplicate effort, apply the right actions, and better focus on decision-making that helps the business. 

Bringing AI to GRC

Organizations today operate in a complex and unsettled business environment with amplified digital interconnectedness of people, processes, systems, and organizations, rapidly evolving risk and regulatory landscape, geopolitical uncertainty, and more. Furthermore, recent risk events, such as the pandemic, have underscored the importance of a future-ready GRC framework as organizations had an extremely short window of time to act.

Here, AI can be a gamechanger. It can empower organizations to break free from the clutches of siloed operations and facilitate integration and harmonization. Most importantly, it can drastically improve the speed at which risk, audit, compliance, and IT & cyber teams can locate relevant data and information, thereby expediting quick and fact-based decision-making.

MetricStream’s AI-Powered Insights and Recommendations

AI is an integral component of the MetricStream Platform, deployed and operationalized using cloud-first practices, and can be used to build any model or automate any GRC use case. MetricStream currently offers pre-built AI-powered recommendations to transform and automate GRC processes. It automatically provides key recommendations to users based on the historical patterns, so that organizations can further improve user experience and drive intelligent business decisions.

Here are some of the areas where we are bringing AI capabilities:

Issue & Action Management: MetricStream uses the core strength of AI by leveraging semantic analytics with natural language processing that can be used to identify patterns in issues and actions that can originate from any program – be it enterprise and operational risk, compliance, audit, third-party, or IT & cybersecurity. MetricStream’s AI-powered issue and action management provides recommendations to categorize issues based on their semantic similarity and automatically recommends duplicate issues and best possible action plans based on historical trends and business context.

Smart Policy Search: MetricStream’s AI-powered smart policy search simplifies the task of searching for policies using a natural language processing (NLP) based semantic search. It improves search accuracy by understanding the searcher’s intent through contextual meaning.

Observations Triage: As organizations are increasingly enabling the frontline to capture observations, they will have to manage a large number of observations. With such a high volume of observations being reported, the triage process becomes tedious. MetricStream AI-powered recommendation automatically provides recommendations to classify observations as a case, incident, issue, or loss event. This enhances the efficiency of the triage team.

Risk Scoring of Third Parties: As part of risk assessments, third parties must periodically submit detailed SOC2 and SOC3 reports as evidence of robust compliance and controls in their infrastructure and security. MetricStream AI-powered recommendations for third-party risk can automatically extract content from SOC2 and SOC3 reports, compute, and risk rank the third parties based on the number and type of anomalies in the report.  

To learn more about MetricStream’s AI capabilities, click here.