Blogs

GRC Success Story: How dnata Integrated Firm-Wide GRC Processes with MetricStream

Audit Management
16 July 24
Sumith Sagar

4 min read

Introduction

At the recently held GRC Summit 2024 in Baltimore, David Story, Vice President Health, Safety, & Environment, dnata, provided the audience with a detailed overview of their GRC journey experience with MetricStream.

Dubai National Air Travel Agency (or dnata) was established in 1959 through a government decree. It set up its first international business in 1993. Gradually, over the years, it has seen significant growth across all its business units.

Here are the excerpts from David’s session on “dnata’s Integrated GRC Transformation”.

GRC Program Objective

David: Our foremost priority is safety and security. Through a series of SMART objectives, we're building a best-in-class, health, safety, and environmental system, or HSE ecosystem, as we call it. Over the next few years, up to 2027 and beyond, through our medium-term plan, we are striving for a best-in-class or world-class status, and central to delivering on that goal is the effective use of our GRC platform.

Within dnata, MetricStream is the product that we use, and we have done a number of modifications and upgrades through MetricStream over the years. We refer to it within the company as “dnatahub”, which is everything we do from a GRC perspective.

So, in terms of why GRC is so important to us -- central to that is our safety management system, or SMS. SMS is essentially the bedrock of everything that we do across four key pillars -- safety policy, risk management, assurance, and promotion. To be able to deliver on the requirements of our SMS, our dnatahub platform is absolutely central to achieving those goals.

GRC Journey with MetricStream

David: So, how has the dnatahub platform evolved over the last few years?

We're now into the 9th year of our partnership with MetricStream, beginning back in 2015 along with our “Global One Safety” initiative. The first pillar in that strategy was rolling out Incident Management, which allowed us to have one platform for reporting safety occurrences across local businesses.

In 2018, there was global expansion – we introduced new applications within dnata in addition to incident management and reporting.

In 2020, we started moving into the continuous monitoring phase, which saw the likes of our Documentation Management System (DMS). We also introduced surveys and inspection through the auditors. We would go out there and report safety hazards and threats to our organization. This was across all three of our operational divisions.

The beauty of DMS is that it can be accessed by any of our team in the world who got access to Office 365 accounts. Examples of a DMS document could be a global safety alert, a new manual, a guideline document, or a new operational standard. All of those are published through DMS and are automatically and electronically tested within the system as well. So, for auditing purposes, it's very, very efficient.

We also launched Observation Management as well. And, through Issue and Action Management we can assign tasks and actions to our businesses around the world.

We're now moving into Phase IV, as we call it, looking at how we scale up as we continue to build our business. We are currently two weeks away from the launch of the Euphrates upgrade as well.

We've built a very strong partnership with MetricStream, and we've now established a very strong governance model as well in terms of performance monitoring.

Business Value Realized

David: What's been key to success is keeping things simple. One of the worst things you can do in my role as a safety professional is over-complicate how you manage safety within your business.

In terms of just some numbers, we have got:

20,000+ documents hosted within the DMS platform
10,000+ mobile users (around 14,000 to 15,000 currently)
40,000+ audit and survey documents accessible within the platform

What gives me great confidence is 400,000+ observations. We actively encourage -- from our leadership level all the way down to the front line -- to report any unsafe behaviors and actions within our business. What we've seen over the last 2-3 years is a considerable increase in the number of safety reports within the business. So that leads to a much more positive and safety-aware culture.

Looking Ahead

Over the next few years, we've got some really interesting challenges coming our way. You would have seen the announcement about the new airport project in Dubai. The target is 2033 for the opening of the new terminal with a capacity of 250 million passengers a year. We already have that airport as we have for the last 10 years, and this will be a significant upgrade to be the world's largest international gateway.

We have two to three new businesses that are going to be coming online towards the end of this year, including a particularly large business in Italy. And it's essential that we look at how we scale up to meet that demand, because we could have potentially 3,000 to 4,000 users within dnata by the end of this year.

The Top 5 Enterprise Risk Management (ERM) Tools For 2024

Risk Management
29 April 24
MetricStream Team

12 min read

Introduction

In today's global economy, where uncertainty is the only constant, navigating risks has never just been about avoiding the pitfalls. It's about strategically anticipating and mitigating them to steer organizations toward sustainable growth and turn them into strategic advantages.

At the heart of this crucial endeavor lies Enterprise Risk Management (ERM), a systematic approach designed to identify, assess, manage, and monitor risks across an organization. But what truly breathe life into ERM, transforming it from a theoretical concept into an effective system with well-defined workflows and processes providing actionable insights, are ERM tools.

Findings show that companies with effective ERM programs on average experience a 63% reduction in the frequency of risk events and up to a 35% reduction in operational losses.

ERM tools provide the necessary infrastructure to gather, analyze, and report on risk data across the enterprise. They support the decision-making process by offering proactive insights, allowing organizations to anticipate potential risks before they materialize. This predictive capability in Enterprise Risk Management can make all the difference between staying ahead of the competition and falling behind due to unforeseen challenges.

Key Features of ERM tools

Here are the key features that CROs and risk managers should keep in mind while selecting an ERM tool:

Risk identification and assessment capabilities
The best ERM platforms provide a centralized place to log risks from across the organization. With an easy-to-use interface, they make it easy for the first line of defense to report any observation, issue, or warning signal which can be further analyzed by the second line. Features like risk questionnaires, heat maps, and automatic risk correlation provide a holistic view of your risk landscape.
Scenario analysis and risk quantification
To prepare for uncertainty, organizations need tools that can simulate 'what-if' scenarios. Simulating and testing plausible scenarios help them better understand potential risks, devise effective response strategies, and identify control gaps and other weaknesses. Tools supporting risk quantification help transform range-based estimates into more accurate values, enabling businesses to prioritize investments better, drive alignment between risk programs and business goals, and understand why and how recovery processes and priorities operate.
Integration with strategic planning processes
These ERM tools provide dashboards, reports, and analytics that give executives insight into how various risks might affect key business objectives.
Automated reporting and analytics
ERM software should make risk data easy to understand and share across the organization. This requires solutions that offer capabilities to generate custom reports, interactive risk dashboards, and risk analytics powered by data visualization. Incorporating AI-powered processes can further enhance the accuracy of risk assessment and decision-making, analyzing vast amounts of data to identify patterns, trends, and correlations that might not be immediately apparent via human efforts.

Criteria For Evaluating ERM Tools

When evaluating ERM tools, prioritize ease of use with intuitive interfaces that encourage user adoption. Consider the ROI beyond upfront costs, aiming for reduced risk event losses and improved efficiency. Assess functionality for alignment with specific needs, such as configurable risk assessments and reporting. Lastly, prioritize integration capabilities for smooth connectivity with existing platforms.

Gauging the success of your ERM implementation involves reviewing a range of criteria that validate its benefits. with some of them being:

Ease of Use
An ERM solution is only effective if people use it. Organizations should choose a tool with an intuitive, user-friendly interface so it's easy for everyone to enter, access, and act on risk data. The easier it is to use, the more the user adoption and the more likely people will keep the tool up to date.
Return on Investment
While cost is a factor when choosing an ERM solution, organizations should not just look at the initial price tag but also consider the ROI the tool can provide, like reducing losses from risk events, lowering insurance premiums, and improving operational efficiency, all based on your industry.
Functionality
Organizations need to assess if the functionalities and capabilities of the ERM tool are aligned with their specific needs. They should look for features such as configurable risk assessment capabilities, risk registers, incident tracking, and reporting functionalities to support comprehensive risk management processes.
Integration Capabilities
Seamless integration with platforms such as enterprise resource planning (ERP) systems, project management tools, and data analytics platforms can enhance the efficiency and effectiveness of risk management processes by facilitating data sharing and streamlining workflows across different departments.

Top 5 ERM Tools For 2024

Here are some well-known vendors that are recognized as leaders in the ERM landscape.

MetricStream

MetricStream has carved its place as an indispensable ERM tool for businesses aiming to bolster their enterprise risk management capabilities. This ERM software is crafted with an eye for integrating various aspects of risk management under a single umbrella, making it a holistic platform for businesses aiming to stay ahead of uncertainties.
This tool is best suited for organizations seeking to streamline risk processes, gain real-time insights into their risk landscape, and drive informed decision-making to optimize business performance and resilience in dynamic environments.
Key Features:
- Centralized risk repository fostering a common language for risk across the organization, ensuring consistency and transparency.
- Standardized approach to risk assessment, enabling uniform risk identification and mitigation strategies.
- Advanced analytics with real-time insights into the risk landscape, facilitating informed decision-making.
- Visualization tools that transform complex data sets into comprehensible insights for proactive risk management.
- Configurable risk assessment capabilities, incident tracking, and reporting functionalities for comprehensive risk management.
MetricStream's accolades, such as being named a Leader in The Forrester Wave™: Governance, Risk, and Compliance Platforms, Q4 2023, highlight its effectiveness and reliability. Recognition from leading research and advisory firms attests to the platform's robust capabilities in IT/Cyber Risk Management, GRC Vision, and more
To read more, download your complimentary copy of The Forrester Wave™: Governance, Risk, and Compliance Platforms, Q4 2023.
Pricing will be available on request to the vendors.
Diligent

Diligent offers a compelling narrative for ERM, emphasizing the importance of aligning leadership with the full spectrum of risks that impact an organization.
This strategic alignment is pivotal in transforming risk into actionable insights, enabling data-driven decision-making at every turn.
Diligent's approach revolves around cultivating a much more comprehensive understanding of risks across all levels of the organization, fostering a proactive risk management culture.
Key Features:
- Utilizing advanced analytics, the platform automates risk monitoring, identifying patterns, and predicting threats to enhance operational efficiency without requiring additional personnel.
- By providing a unified risk viewpoint across teams, Diligent fosters collaboration, enhances scalability and improves visibility. Such a real-time perspective offers valuable insights into top risks, trends, and risk appetite for comprehensive risk portfolio management.
- Diligent employs a suite of detection, evaluation, and monitoring tools to identify and neutralize risks preemptively, preventing them from escalating into something worse.
- The tool also includes features to ensure regulatory compliance, offering built-in frameworks, controls, and workflows aligned with industry standards and regulations.
Pricing will be available on request to the vendors.
ServiceNow

ServiceNow is a robust platform that simplifies complex risk assessments and enhances decision-making capabilities across organizations.
It facilitates enhanced data communication using chat functionalities, web portals, and mobile applications, ensuring seamless sharing and dissemination of critical risk and compliance information across the organization.
This platform is ideal for organizations looking to centralize and optimize their risk management processes while enhancing overall operational resilience.
Key Features:
- Self-assessment design and scheduling based on maturity levels to monitor risks continuously and ensure control accuracy as the organization expands.
- Incorporation of a comprehensive risk statement library for consolidating ratings and reporting through a common risk taxonomy, enabling effective communication across different organizational departments.
- Implementation of smart issue management capabilities driven by AI and machine learning, automating risk assignment, grouping, and remediation suggestions to reduce manual effort significantly.
- Access to advanced reporting features with interactive dashboards and Performance Analytics, providing deep insights into data and risk trends for informed decision-making.
Custom pricing will be available on request.
OneTrust

OneTrust is a comprehensive tool that specializes in compliance and vendor risk management, addressing critical niches within the risk management ecosystem. This tool is particularly valuable today, where data privacy regulations and third-party relationships are under increased scrutiny.
It has made its mark as a versatile cloud-based GRC platform, renowned for its customizable functionalities that cater to a wide range of risk management needs.

Key Features:
- Its integrated GRC and security module stands out for enabling organizations to efficiently scale their risk and security functions, harmonizing risk assessment with mitigation efforts.
- OneTrust cleverly intertwines risk management with incident response, alongside automating the management of security standards, which can significantly ease the administrative burden on teams.
- OneTrust provides tools for vendor risk assessment and monitoring, enabling organizations to identify and mitigate risks associated with third-party relationships.
- The platform supports the management of security standards and frameworks such as ISO 27001 and NIST, assisting in aligning security policies and controls with industry best practices.
Pricing will be available on request.
LogicGate

LogicGate presents itself as a highly adaptive and modern ERM solution designed to meet the dynamic needs of contemporary businesses.
Known for its flexibility and the ease with which it can be customized, LogicGate stands as a powerful tool in any risk manager's arsenal, particularly for those looking to streamline their ERM processes without being bogged down by complex technical requirements.
With LogicGate, businesses can forge ahead confidently, equipped with a versatile platform that aligns seamlessly with their risk management goals and operational strategies.
Key Features:
- Utilizing a modern graph database, LogicGate enables dynamic connections between risks, controls, and various business units and owners. This helps maintain reporting speed and ensures the adaptability of the risk management program without compromising on efficiency.
- It offers quick-start features such as pre-configured risk scoring and guidance for assessing inherent and residual risk ratings, simplifying the initial setup and ongoing management of risk assessments, and enhancing overall accuracy.
- Their Quantify feature introduces a new dimension to traditional quantification methods through Monte Carlo simulations. This in turn provides a financial context to risk decisions, offering executives a clearer understanding of risk impacts in tangible financial terms.
Pricing will be available on request to the vendors.

Benefits of Using an ERM Tool

Implementing an ERM tool brings a host of advantages to organizations seeking to enhance their risk management practices. Here are the top four benefits of using an ERM tool:

Improved Risk Visibility and Understanding

Implementing ERM tools enables organizations to peel back the layers of potential risks, revealing unseen threats and opportunities alike. This clarity enables businesses to anticipate challenges and navigate them with greater assurance.

Enhanced Decision-Making and Resource Allocation

With the insights garnered from these tools, organizations can make better-informed decisions that align closely with their goals. ERM tool offers the unique advantage of data-driven guidance, helping firms to allocate their resources more effectively, and ensuring that efforts are directed toward areas of highest impact.

Strengthened Resilience Against Uncertainties

ERM tools empower organizations with a proactive defense mechanism against potential disruptions. This robust preparedness doesn’t just mitigate risks, it also fosters an agile environment that can adapt and thrive in the face of uncertainties.

Regulatory Compliance and Governance Support

ERM tools serve as an invaluable ally, ensuring that compliance is maintained, and governance standards are met. This compliance is a strategic move that enhances credibility and stakeholder trust, paving the way for smoother operations and market growth.

Addressing Common Challenges in Implementation

Implementing ERM tools presents unique challenges that organizations must strategically address to ensure successful adoption and integration. From overcoming resistance to change and data quality issues to promoting cross-functional collaboration and enhancing risk assessment processes, navigating these challenges is essential for maximizing the effectiveness of ERM tools within companies.

Resistance to Change
Implementing ERM tools often requires changes in workflows and processes, which can be met with resistance from employees accustomed to traditional methods. Overcoming resistance to change involves effective change management strategies, such as stakeholder engagement, training programs, and transparent communication about its benefits.
Data Quality and Integrity
ERM tools rely heavily on accurate and reliable data to perform effective risk assessments and analyses. However, organizations may often struggle with data quality issues, including incomplete or outdated information, inconsistent data formats, and data silos.
Siloed thinking
Different departments often have narrow views of risk that don't account for how their risks might impact the rest of the organization. Organizations need to promote a culture of collaboration and an understanding of the interconnectedness of risks by establishing cross-functional risk committees and information-sharing protocols.
Inefficient risk assessment processes
Organizations need to assess risks timely, systematically, and objectively to strengthen risk preparedness and to be ready for the unexpected curveballs waiting to surface at the most inconvenient times. This requires developing comprehensive methodologies that consider risk likelihood, impact, velocity, and interconnectivity. Furthermore, organizations should update their risk profile regularly as conditions change.
Insufficient reporting and communication
Stakeholders can't make good risk-based decisions without timely and relevant information. It is imperative to establish risk reporting procedures to keep executives and risk owners in the loop. A risk dashboard or scorecard is a useful way to provide at-a-glance overviews and details on key risks.

How Do You Gauge the Success of Your Implementation?

Determining the success of your ERM implementation entails examining critical factors that showcase its achievements and improvements, such as:

Key Performance Indicators (KPIs): Establishing measurable KPIs allows organizations to track the effectiveness of their ERM implementation. Metrics such as risk mitigation rates, incident response times, and compliance levels provide tangible evidence of success.
Stakeholder Satisfaction: Keeping an ear to the ground and gathering feedback from stakeholders gives you a sense of how well our risk management efforts are working. When stakeholders are happy, it's a good sign that you’re on the right track with identifying and tackling risks throughout the organization.
Adaptability: Success in ERM is closely linked to an organization's ability to adapt to change and withstand unforeseen disruptions. Monitoring the organization's resilience to emerging risks and its capacity to pivot strategies accordingly signifies effective ERM implementation.
Financial Performance Improvement: By analyzing metrics such as cost savings from risk mitigation efforts, reduction in insurance premiums, and increased revenue from improved decision-making, organizations can gauge the effectiveness of their risk management strategies.

Trends Shaping the Future of ERM

Here are some of the latest trends that companies can look forward to, when it comes to boosting the effectiveness of ERM tools.

Enhanced Predictive Analytics: These tools not only assess risks as they emerge but also forecast future threats and opportunities with a high degree of precision. For organizations, this means a more proactive stance in risk management, moving from reactive responses to strategic risk anticipation and mitigation.
Adoption of cognitive, cloud, and other innovative technology: Organizations are increasingly adopting ERM tools that offer Artificial Intelligence (AI) and Internet of Things (IoT) capabilities, cloud support, integrations with external systems, and more. IoT devices feed real-time data into risk management systems, offering a live pulse on various risk factors while AI enhances decision-making with actionable insights, creating a highly responsive and dynamic risk management ecosystem. Cloud support is important as it is one of the key areas for organizations that are undergoing/considering digital transformation. It also enables seamless integrations with external systems which helps in a more comprehensive approach to ERM across an organization’s extended enterprise.
Greater Emphasis on Interconnectedness of Risks Given the growing complexity of the risk landscape, the scope of ERM is expanding to include cyber risks, geopolitical risks, environmental, social, and governance (ESG) risks, and other risks. These various risks have multiple points of intersection with other risks, resulting in a labyrinth of risks and risk relationships. Organizations today need tools that can help them understand this interconnectedness of risks to better gauge their probable impact and devise appropriate response strategies.
Continuous Improvement for Resilience: Enterprise risk management is not a one-time activity; it is a continuous, iterative process. Organizations need to implement tools that allow continuous testing and monitoring of controls, evidence collection, etc. that provide them regular insights into gaps and loopholes that need to be addressed for fine-tuning the risk strategy on an ongoing basis. This approach is important to improve risk visibility, foresight, and preparedness, and strengthen organizational resilience.

Conclusion

As we look forward to the trends of 2024, it’s clear that the future of ERM is not just about navigating uncertainties but about thriving in them. And when it comes to turning risks into rewards, MetricStream is a trusted partner, equipped to tackle the future of risk-management head-on.

To learn how MetricStream Enterprise Risk Management can help, request a personalized demo today.x

Jump to Topic

MetricStream Team

Meet the MetricStream a collective of seasoned professionals who are at the forefront of Governance, Risk, and Compliance (GRC) expertise. Our team brings together individuals from diverse backgrounds, spanning operational risk management, enterprise risk management, regulatory compliance, cyber risk management, and more. This deep expertise enables us to offer comprehensive insights into industry best practices, emerging trends, and regulatory requirements, equipping organizations with the tools they need to navigate the increasingly interconnected landscape of risk and compliance. Join us as we explore the evolving landscape of GRC.

Blogs

Rationalizing Controls to Effectively Manage Your Risks and Drive Risk-Aware Decisions

Risk Management
27 February 24
Sumith Sagar

effectively-manage-risks-aware-decisions

5 min read

Introduction

Managing operational risks effectively is a top priority for most organizations today, and controls play an important role in ensuring risks are mitigated. Controls range from preventive to corrective and are essential for managing risks, ensuring compliance, and safeguarding the organization’s assets, customers, and reputation. Frameworks like COSO (Committee of Sponsoring Organization) require organizations to embed internal controls into business processes to ensure ethical and transparent operations aligned with industry standards. These controls must be monitored, tested, and improved continuously to keep up with the constantly changing risk environment and business priorities. The challenge before today’s organizations is to execute reliable strategies to manage operational risks via control rationalization and facilitate better decision making.

The 2023 GRC Summit in Miami saw Kevin Finlay, Vice President, Sales, MetricStream, lead an in-depth discussion on this topic with experts:

Varun Agarwal, Director, Enterprise Risk, Western Alliance Bank
Seth Rosensweig, National Integrated Risk Technology & Enterprise GRC Leader, PWC
Patricia Catharino, SVP, Head of Risk Management & Internal Controls, Itaύ US and Caribbean
Kellie Bickenbach, Head of Control Assurance, First Citizens Bank

Watch Now: Effectively Managing Operational Risks Through Control Rationalization for Improved Decision-Making

The panel of experienced practitioners had a lot to say on these topics, given that they live them every day. Read on for the key highlights of their engaging discussion.

How are Modern Organizations Addressing and Managing Today’s Risks?

The risk landscape is evolving at unprecedented speed and scale. As a result, an organization’s definition of what constitutes operational risk must also change, along with the steps taken to mitigate it. What do organizations consider new operational risk priorities, and how are they going about addressing it?

Vendor and Third-party Risk – Most organizations today have robust risk management systems and control frameworks in place. But given the interconnected nature of risks arising from a world that is now more connected than ever before, risk can come from any quarter, including vendors and partners. A cyber event at a vendor’s site may leave enterprise data exposed. Stress testing a vendor’s risk controls, rationalizing controls for the external environment, and mapping the enterprise’s risk appetite along with the vendors are critical concerns for enterprises today.
Risk Culture - Identification of risk and determining the organization’s risk appetite in a highly interconnected environment is a foundational step that must be prioritized. Establishing the three lines of defense, educating the frontline, and equipping them to identify and address risk is important. Control optimization cannot happen until these critical and foundational steps are taken care of.
Documentation and Risk Prioritization - Organizations must have a repository of reliably documented risks and controls that are deployed and managed with a robust technology platform. They must identify key controls for critical areas and focus on those. Periodic reviews and realignment of the controls’ priority are also important.
Technology – The technology strategy to manage operational risk must start by identifying how the organization identifies, measures, and monitors key operational risks for their business. Operational risks are inherently linked to how the business is conducted, and the technology strategy must, therefore, consider the overall business environment. Integrating risk controls in application architecture, cutting down the time taken to respond to risk, focusing on how data is collected, stored, and analyzed, and the effort taken to do so are all critical considerations.

Is a Risk and Control Self-Assessment Still Relevant?

A comprehensive Risk and Control Self-Assessment (RCSA) is a widely used exercise today, but it must be guided by the enterprise’s risk appetite, the big risk picture, and the expected outcome to be effective.

When it comes to technology, most organizations conduct continuous control monitoring. However, the challenge lies in evaluating and rationalizing controls on non-IT systems. A bottom-up, process-driven risk control inventory anchored in common taxonomy is a good way to build a framework that encompasses all areas of risk. An overall understanding of the control environment must be followed by a systematic approach to prioritizing risks and controls for better impact.

Here are a few points to consider when it comes to assessments:

Frequency- Organizations may assume that frequent RCSA would be more impactful – quarterly instead of annual. But such frequent assessments may quickly become a tick-in-the-box exercise with no real focus on capturing real-time risks. A well-thought-through RCSA exercise that is based on enterprise priorities, risk appetite, business processes, and risk environment is more important than the frequency.
Data-driven approach – Data holds the key to effective control rationalization. A lot of organizations still don’t use data effectively to inform their risk assessments and control rationalization or are too heavily reliant on controls. Better integration of controls with application architecture and processes will deliver more impactful outcomes. Data collection, data storage, and data integrity are critical areas to consider. Data-based questions and data-driven decision making is a critical business asset that must be exploited fully for organizations to optimize their control assessments.
Optimize assessment processes – Risk identification and control assessments are not going to become irrelevant. However, organizations must innovate and focus on making the best use of time and resources in order for the process to be effective. The way these assessments are done must be changed, beginning with a robust three lines of defense structure. An empowered and aware front line is critical as they must be agile enough to identify triggers and take action. The events at the frontline should lead to the second line deciding when to retest the control environment.

Optimizing and rationalizing controls for enterprise risk management will increase in complexity as the risk environment continues to evolve. Connected GRC approaches and technology can help organizations improve the process by leveraging data for better insights and quicker action. AI models will be immensely helpful for organizations in the years to come. At the same time, best practices from fields such as anti-money laundering must be explored and extended to unrelated businesses for a comprehensive assessment and rationalization effort.

Power Your ORM Program with MetricStream

MetricStream’s Operational Risk Management software is designed with a comprehensive set of capabilities that powers your ORM program to drive risk-intelligent, real-time business decisions that accelerate business performance and reduce losses.

With MetricStream’s Operational Risk Management software, your organization is empowered with:

Centralized repository and risk framework for smarter risk management
Advanced Risk Control Self-Assessment (RCSA) for accurate risk visibility
Dynamic operational loss data management
Key metrics (KPI, KRI, and KCI) monitoring for optimized operational risk management
AI-powered issue management to identify and reduce control redundancies
Risk quantification and analytics to safeguard critical investments
360-degree risk view with intuitive graphical dashboards and reports

Interested to learn more? Request a customized demo now.

Stay tuned for more details on the upcoming 2024 US GRC Summit! Keep an eye on this space for updates.

Jump to Topic

Sumith Sagar Associate Director, Product Marketing

Blogs

Top 5 Risk and Compliance Resolutions for Banking and Financial Institutions in 2024

Risk Management
10 January 24
Patricia McParland

7 min read

Introduction

New year. New beginnings. New resolutions.

It’s that time of the year again! For many of us, a new year means a time to start fresh, improve and better ourselves, and make big plans with renewed optimism and energy. The same goes for risk and compliance practitioners too, who are looking to drive risk effectiveness, improve efficiency, and thrive with a fresh approach and advanced technologies.

In the world of governance, risk, and compliance (GRC), change is the only constant. As we step into 2024, banking and financial institutions are bracing themselves for the unknown unknowns stemming from escalating geo-political conflicts in various parts of the world, a grim economic outlook, intensifying cyber risks, severe supply chain disruptions, an array of new regulations, and more.

In its 2024 Banking and Capital Markets Outlook, Deloitte said that the strategic choices made by banks will be tested this year as they will be confronted with “multiple fundamental challenges” to their business models.

“A slowing global economy, coupled with a divergent economic landscape, will challenge the banking industry in 2024. Banks’ ability to generate income and manage costs will be tested in new ways,” the consulting giant noted.

So, while the leadership and top management review the past year and chalk out business goals and strategies for the year ahead, GRC leaders should take this opportunity to rethink their approach and implement changes in processes, tools, and technologies that will boost their organization’s resilience.

Against this backdrop, here are 5 key risk and compliance resolutions for banking and financial services organizations to help successfully navigate 2024. What are yours? Let us know in the comments!

1. See Risk as an Opportunity – A Must for Thriving in 2024!

Risk is an inherent part of business. Instead of viewing risk as detrimental to the organization’s growth and financial posture, banks should look to turn risks into opportunities. The willingness to take risks can help organizations gain a competitive edge and drive greater profitability and business value. However, there’s a catch – not all risks will translate into strategic advantage. So, how can financial institutions make the decision of whether to accept, reject, avoid, or mitigate a risk?

This is where the risk management program comes into play. An effective risk management program can enable decision-makers to make well-informed business decisions by providing a streamlined process for evaluating opportunities. It equips the top management and leadership with actionable insights, improved risk visibility and foresight, and greater transparency that helps them better manage projects based on risk impact and probability in relation to potential return.

2. Step Up Cyber Risk Management – Automation is Key!

Banking and financial services organizations are a primary target of cyber criminals – which is unsurprising given the sheer volume of sensitive information and assets worth billions of dollars at stake. According to Sophos, the rate of ransomware attacks in financial services jumped from 55% in 2022 to 64% in 2023.

To protect their IT and cyber infrastructure from frequent and increasingly sophisticated cyber attacks, banks need to level up their cyber risk management approach. Relying on periodic reviews and assessments of cyber risks and controls is no longer enough. To stay on top of rapidly evolving and fast-moving cyber risks, organizations need an automated, autonomous, and continuous approach that enables them to proactively identify and address any risks, threats, vulnerabilities, control weaknesses/gaps, and issues before they snowball into something significant.

Banks today can also harness the power of artificial intelligence and other advanced technologies to improve risk management processes and enhance efficiency. AI can significantly accelerate the decision-making process by quickly providing insights into risk trends and patterns as well as identifying areas of improvement – such as the number of duplicate or redundant controls, patterns of over and under-testing of controls, optimum control testing frequency, similar issues, and more.

3. Level Up the Compliance Game – Time to Stop Playing Catch-Up!

Regulatory compliance is becoming an increasingly challenging and demanding business function for financial firms. Already counted among the highly regulated industries, the banking and financial services industry is looking at a torrent of new regulations, standards, and regulatory updates focused on various business functions and processes. Some of the prominent ones include revisions to the NIST Cybersecurity Framework, NYDFS Cybersecurity Regulations, a revised version of PCI DSS, and others in the US, the Digital Operational Resilience Act (DORA) and the Corporate Sustainability Reporting Directive (CSRD) in the EU, and so on.

Given the ever-increasing regulatory requirements, compliance teams inevitably fall behind as they end up spending most of their time tracking relevant regulations, understanding their impact on organizational processes, functions, risks, policies, and controls, implementing the required changes, and so on. Technology can make a huge difference in how these various compliance management tasks are performed.

Automated compliance is the future! Today, there are tools that leverage AI to scan the regulatory horizon for identifying relevant regulations and regulatory updates, quickly show the impacted processes, functions, risks, policies, and controls using a centralized platform, run autonomous control tests to ensure adherence to relevant regulations, generate reports that demonstrate compliance posture, and more. The technology-driven, automated approach can streamline compliance management activities and help strengthen compliance resilience.

For a deeper dive into the top 10 key regulations we are watching this year, read our blog “What’s Next in GRC and Risk Regulations? 10 Key Focus Areas for 2024.” Let us know what other regulations and regulatory developments you are keeping an eye on in the comments below.

4. Implement AI for GRC and GRC for AI – Act Now or Lag Behind!

With its ability to provide actionable insights, save time and costs, and create bandwidth for risk, compliance, audit, security, and sustainability teams, AI is already being regarded as a game-changer for GRC. While AI will not replace the need for human involvement completely, it can eliminate the possibility of human error, thereby improving the accuracy of GRC processes and decision-making and ensuring there are no blind spots.

At the same time, it is essential to ensure responsible AI innovation. As financial institutions explore more and more use cases and integrate AI capabilities into their processes, they also have the duty to follow the highest standards to ensure its ethical and responsible use as well as implement measures to identify, manage, and manage AI risks. Think GRC for AI, if you will.

Regulators and standard-setting bodies have already taken steps toward this goal. In the US, the National Institute of Standards and Technology (NIST) last year released the NIST AI Risk Management Framework (AI RMF 1.0) aimed at improving the “ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems” while the White House published an Executive Order on the safe, secure, and trustworthy development and use of AI. In the EU, members of the European Parliament reached a provisional agreement on the Artificial Intelligence Act.

AI-focused innovation has been central to MetricStream’s product and platform releases over the years. Our AI capabilities span diverse GRC use cases – from issue identification and classification, action plan recommendations, and scanning of SOC2 and SOC3 reports submitted to organizations by third parties, to most recently, AiSPIRE, an AI-based knowledge-centric tool that provides intelligent insights to improve an organization’s control environment.

5. Strengthen Operational Resilience – Connect the Dots!

The financial sector is the backbone of the global economy. As such, the growing focus of financial firms on operational resilience – the ability to foresee, prevent, withstand, respond to, and recover from risk events – isn’t surprising.

Most recently, the COVID-19 pandemic served as a real-world test of the resilience of banking and financial institutions. The agility demonstrated by the organizations to quickly move their operations completely online and support remote working environments while ensuring security and compliance has been remarkable.

That said, to thrive in today’s rapidly evolving risk landscape – marked with high-frequency, high-impact risk events, growing interconnectedness of risks, and amplified digital dependencies, organizations need to double down on their efforts to strengthen operational resilience. It is critical for banks to not only have robust business continuity and disaster recovery programs in place but also integrate them into the overarching enterprise risk management program. This is important to get a holistic, 360-degree view of the organization’s GRC posture, understand the critical business functions and their interrelationships with other business functions, and improve risk visibility, foresight, and preparedness required for being resilient.

Looking Ahead

“Don’t wait for perfection before you start. Start somewhere so you can have something tangible you can work to perfect.”

This quote from Simon Sinek is relevant not only on a personal front but also in the corporate world. As the risk and regulatory landscape continues to evolve and become increasingly challenging, the need of the hour for banking and financial services institutions to embark on the GRC journey – start where they are, with what they have, and build on it.

MetricStream has been a trusted partner of several global banking and financial institutions in their GRC journey. Learn how we helped a prominent EU-based financial institution strengthen risk awareness, agility, and resilience.

If you’re looking to embark on your GRC journey and want to understand how we can help, request a personalized demo today!

Jump to Topic

Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.

Blogs

Modernizing ERM: How Energy and Utilities Companies Can Stay Current in Risk Management

Risk Management
05 October 23
Sumith Sagar

4 min read

Introduction

The risks faced by energy and utilities organizations have evolved tremendously over the past decade. From intensifying cyber threats to growing awareness of environmental concerns, changing geopolitical dynamics, supply chain disruptions, fluctuating prices, regulatory changes, and more, the sector today has to navigate an extremely complex and highly interconnected risk landscape.

In PwC’s 2022 Global Risk Survey, 83% of power and utility leaders identified keeping up with the speed of digital and other transformations as a significant or very significant risk management challenge. While the traditional approach to enterprise risk management (ERM) might have worked well in the past, energy and utilities companies need to rethink their ERM program and the approach to implement and reinforce it across the enterprise.

Needless to say, technology has a critical role to play in effectively managing these fast-changing and interdependent risks, but there’s also a greater need to change the very mindset of organizations. In today’s volatile business environment, organizations cannot view and approach risk as an afterthought – they need to be proactive and farsighted to not just address today’s risks but also prepare for tomorrow.

Modernizing ERM – Key Considerations

The U.S. Office of Management and Budget (OMB) outlined ERM requirements for federal agencies in the circular “Management’s Responsibility for Enterprise Risk Management and Internal Control.” Based on this circular, the Department of Energy explains various aspects and processes of a comprehensive ERM program in its Enterprise Risk Management Fiscal Year 2023 Guidance, including:

Developing an organizational risk profile by understanding the internal and external environments of the organization
Evaluating the identified risks to include the probability and impact
Analyzing the risks with respect to the achievement of objectives – strategic, operational, compliance, and reporting
Determining a risk response – accept, avoid, reduce, transfer, share – for the identified risks by considering risk tolerance, placement of controls, and other mitigating actions
Monitoring the performance to determine whether the response strategy achieved the intended objectives
Conducting continuous risk identification to stay on top of new and emerging risks

It is important to underscore the need for a continuous approach to ERM. Given today’s rapidly evolving internal and external risks and their cascading impacts, energy and utilities companies can no longer consider ERM as a one-time activity – it is essential to adopt a continuous and agile approach to risk identification, assessment, analysis, and mitigation so that there are no blind spots.

Using technology as an enabler, organizations can implement the continuous approach to ERM as well as gain operational efficiencies by automating repeatable tasks. Equally important is to adopt an integrated approach to ERM that cuts across operational and functional silos, which leads to ineffective risk visibility and foresight, duplication of efforts, and misuse of resources.

Against this backdrop, here are a few key considerations for enabling an integrated and continuous ERM approach for energy and utilities organizations:

Centralized Risk Repository

Organizations must record all their financial and non-financial risks from internal and external environments in a centralized risk repository and map them to assets, controls, regulatory requirements, policies, business units, etc. This serves as the single source of truth across the organization, which streamlines risk aggregation and analysis and improves risk visibility.

Risks from the Extended Enterprise

Energy and utilities organizations have an extensive third-party ecosystem, comprising of suppliers, technology providers, transportation and logistics providers, consultants, contractors, and others. It is important to continuously identify, manage, and mitigate the risks from this extended enterprise for an effective and comprehensive approach to ERM.

Actionable Risk Intelligence with AI

Exploring AI use cases has become a top priority for organizations across industries. For energy and utilities organizations, AI holds the promise to transform ERM by providing timely and actionable intelligence into risk trends, control environment, action plan recommendations, and more. But it’s equally important to understand the risks of AI models and monitor them proactively to ensure the negative effects of AI on people, organizations, and data are curbed or minimized to a great extent.

Resilient Mindset

Being critical infrastructure organizations, the importance of business resilience of energy and utilities organizations cannot be overstated. Fostering a resilient mindset requires deliberate and active participation from the top management and board. The objective is to not only manage risks but also be able to foresee, prepare for, and adapt to changing internal and external environments and withstand, respond to, and recover from disruptions. Implementation of robust business continuity plans and testing them regularly for their effectiveness is key to ensuring resilience in energy and utilities organizations.

The World Energy Council explains it in terms of the Dynamic Resilience Framework:

“The Dynamic Resilience Framework is an integrated approach to emerging risk management that contributes to building capacity and capabilities for managing the resilience of energy systems. Resilience to specific events and systemic shifts can be enhanced by situational awareness of the different types of risks preparedness for future developments.”

What’s Next?

With the growing pressure to scout for cleaner energy sources, intensifying regulatory scrutiny, an increasing number of catastrophic events, rising cyber attacks, volatile tariff and trade policies, and more, energy and utilities companies are looking at a highly uncertain business environment with multi-dimensional risks. Embracing a technology-driven and integrated ERM program is a business necessity today for continued financial and operational success.

For a closer look at the ERM process, risk methodology, and the critical role played by technology in modernizing risk management at energy and utilities organizations, download our latest eBook which discussed key elements of a well-defined risk methodology and how to build an ideal risk management governance structure.

Jump to Topic

Sumith Sagar Associate Director, Product Marketing

Blogs

5 Essential Steps to Modernize the Three Lines of Defense Model in Your GRC Program

Risk Management
31 August 23
Sumith Sagar

6 min read

Introduction

Organizations today are operating in a heightened risk environment. The risk landscape is constantly evolving and increasing in complexity, with risks being more interconnected now than before, all of which necessitate robust and comprehensive risk management and mitigation strategies.

One of the mainstays of operational and enterprise risk management strategies is the three lines of defense (3LOD) model, where three distinct functions within an organization play unique but interlinked roles in managing risk. It is not a new concept: The three lines model has been a standard for years and has been adopted across industries in varying degrees. The question now is how organizations can modernize and optimize their 3LOD strategies and improve collaboration across the lines to navigate risks more effectively and make informed decisions to safeguard their interests.

This topic was discussed in depth at the 2023 GRC Summit in Miami. Expert panelists Martin Froelick, Senior Vice President - Risk Manager, First Citizens Bank, Michael Cover, Director, Blue Cross Blue Shield of Michigan, and Michelle Melendez, Vice President - Head of Integrated Security Risk, Management, Aon, explored the latest trends and strategies to drive efficiency and growth and shared insights on the practical implementation, benefits, and challenges associated with the three lines model.

We unpack the key highlights from their engaging discussion.

Watch the video: Three Lines Model - Trends & Strategies to Drive Efficiency & Growth

The First Line of Defense: The Cornerstone of the 3LOD Model

Over the years, enterprises across sectors have implemented the three lines of defense strategy in varying degrees. With concentrated attempts to improve collaboration, implement a common risk and control taxonomy, and establish better communication, risk and audit functions now work comprehensively together. The focus has now shifted to the first line of defense – the frontline.

This is crucial as the first line is “the eyes and ears of the business,” at the forefront of the enterprise’s risk posture, and must be equipped to identify and address risks as they emerge. They also have a unique insight into the myriad risks faced by the organization and their prioritization. The 3LOD strategy works best when the first line truly becomes a key partner in risk management. The second and third lines are far removed from the core of the business and must rely on the first line for risk intelligence gathering and processing. For the 3LOD strategy to work seamlessly and efficiently, organizations must focus on strengthening their first line and improving cooperation and collaboration across all three functions. The risk ownership should be transferred to the frontline.

5 Key Priorities for a Resilient 3LOD Strategy

Currently, organizations and industries globally are at different maturity levels of the 3LOD strategy implementation phase and will have varying perspectives and priorities. But when it comes to building a robust three-lines-of-defense model, there are a few factors that all organizations must keep in mind:

Building Trust - Empowering the front line to build a robust first line of defense begins with trust. Trust fosters open and transparent communication between the first and second lines of defense. When the first line trusts that their concerns will be taken seriously and addressed appropriately, they are more likely to report risks and issues in a timely manner. Trust is essential for resolving conflicts around differences in risk perception in a constructive manner, finding common ground, and ensuring that the organization's best interests are served.
Articulating the Value – The first line is the closest to the business and has a unique perspective on the risks that might impact the enterprise, but they may be grappling with a different set of priorities. (Often, being a ‘risk champion’ as part of the first line is in addition to their regular day job!)
To encourage maximum participation, demonstrate the value of the chosen risk management strategy, tools, and policies. Articulating the value of the program, setting achievable goals, regular engagement, and establishing a clear monitoring and review mechanism will help in better alignment with the first line. Some companies who have successfully implemented the modern 3LOD reveal that rewarding the frontline for owning and reporting risks in time is their secret sauce for success.
Empowering with Tools and Technology – The first line of defense is not just about the people at the frontline but also the tools and technology available to them. Technology platforms and tools can help break down silos and ensure a seamless flow of data and intelligence across the lines. In addition to streamlining the process of risk reporting, automated systems allow front-line employees to quickly and accurately document risks, incidents, or issues they encounter in their daily activities.
The right tools also empower organizations to answer critical questions like:
- Where is data being entered?
- How is data being managed and monitored?
- How does the third line get back to the second line with audit-related information?
Defining a Common Risk Taxonomy – A risk taxonomy is a comprehensive categorization of risks that is usually hierarchical. This is where the risk relationships are defined. It serves as the foundation for consistent, accurate, and effective risk management practices across the organization. A shared understanding of risk-related terminology helps align the objectives and efforts of the first, second, and third lines of defense. Everyone is on the same page regarding what risks are being managed, what controls are in place, and how to measure effectiveness.
Ensuring Seamless Collaboration – The second and third lines of defense must work closely with the first line to ensure robust risk management across the enterprise. The 3 functions complement and supplement each other and require close collaboration among themselves. While the second line is required to work with the first line to set priorities and monitor them, the first line can ensure they comply with the policies established by the second line. Together, they can identify gaps in their risk management posture and work to plug them, so the third line or the internal audit function can work effectively.

Interested to watch the entire session? Watch the video: Three Lines Model - Trends & Strategies to Drive Efficiency & Growth

Also, do watch the replay of our recent webinar on The Modern Three Lines of Defense: Managing Today’s Emerging Risk and Compliance Challenges. Michael Cover, Director, Blue Cross Blue Shield of Michigan, provides insights on how his company streamlined and modernized the 3LOD with better communication, a clear definition of roles and responsibilities, and the right technology.

Effectively Manage Non-Financial Risks and Ensure Compliance with MetricStream BusinessGRC

MetricStream’s BusinessGRC suite of products is designed to meet the GRC needs of today’s dynamic, global enterprises. Empower your risk management programs by leveraging BusinessGRC to:

Establish a standardized approach to enterprise-wide risk management with uniform risk assessment methodologies
Optimize workflows for risk identification, assessment, monitoring, and mitigation
Easily cut across organizational silos and facilitate collaboration and harmonization across teams, business units, and functions
Gain deeper visibility and insights into the top risks faced by the organization through advanced analytics, heat maps, reports, dashboards, and charts
Build confidence with regulators and executive management by establishing a strong risk data governance and issue reporting framework with clear lines of accountability
Manage a wide range of compliance requirements and easily map internal policies to industry-wide standards and regulations
Proactively identify regulatory changes and assess their impact on business processes, policies, risks, and controls

Register for the Upcoming GRC Summit in London on October 16-17, 2023

Enjoyed this recap? This is just one of many topics we featured at MetricStream’s flagship event, the GRC Summit. The GRC Summit has, for the past 11 years, consistently provided opportunities for the GRC community to connect, share insights, exchange best practices, and, most importantly, set the stage for what's next in GRC. Whether it’s an emerging technology, a new process, or a regulation that’s going to impact the way you do business, you’ll learn about it here.

The next Summit is happening in London on October 16 and 17. Join us as we take the GRC conversation forward! Register now!

Missed the 2023 GRC Summit in Miami? Watch the session videos.

Jump to Topic

Sumith Sagar Associate Director, Product Marketing

Blogs

How to Embed a Strong Control Framework in Risk and Compliance Strategies

Risk Management
06 July 23
Sumith Sagar

8 min read

Introduction

In today's dynamic business environment, organizations face numerous risks and regulatory challenges that can impact their operations, reputation, and profits. To navigate these complexities successfully, businesses need to establish a robust control framework that provides a solid foundation for effective risk management and compliance practices.

We recently discussed these challenges with key experts Ivan Martinez, Chief Auditor, Banco Santander, London, and Charles Nicholls, Enterprise Risk Solutions Specialist, MetricStream, in a webinar titled, “Embedding a Strong Control Framework in Your Enterprise Risk and Compliance Strategies.”

Our panelists discussed the importance of incorporating a strong control framework into GRC strategies, the role of risk culture in taking risk management to the frontline, the UK SOX requirements, and more. It was a lively and useful discussion with an engaged audience who asked multiple questions.

Here are some of the key takeaways – as well as some of the audience questions.

Want to hear the original in its entirety?

Watch Now: Embedding a Strong Control Framework in Your Enterprise Risk and Compliance Strategies

Why Strong Controls Matter More than Ever

The risk environment isn’t the same as even 5 years ago. We’re dealing with different kinds of risks. The volume and velocity of risks have increased, and the way we manage risks and the type of risks are not the same. Today organizations have to deal with a diverse set of risks, including Environmental, Social, and Governance (ESG) risks, advanced cyberattacks, lurking third-party risks, and geopolitical risks.

The financial services landscape has also changed. The modern banking revolution is being driven by advanced technologies like AI, ML, and RPA with chatbots, and cloud computing, along with the emergence of business models such as FinTechs and InsureTechs.

We are witnessing collaboration between banks and financial service providers and Fintechs resulting in better customer service and enhancement of profits. However, these innovations, have also introduced newer and more complex risks.

Risks are inherent to every business. This increases the importance of staying vigilant and resilient in our approach. It is how we manage and thrive on risks that set us apart from our peers and competitors. Being agile requires organizations to respond and learn quickly from adverse situations and land back on their feet as quickly and effectively as possible.

Controls, compliance, and robust risk management processes are critical to building this resilience and agility. Let’s take a look at some of the key recommendations and takeaways that Ivan and Charles discussed – and their impact on anticipating risks.

Key Takeaways and Recommendations

Highlights and takeaways from the discussion included:

An effective risk management program reflects the effectiveness of the organization’s control framework. No GRC or integrated risk management effort can be effective without cohesive and connected controls.
There is a direct correlation between control, compliance, and positive risk culture. Controls foster transparency, accountability, and responsibility. Employees from the front line to senior management all have the same standards to align with, resulting in a common understanding and pro-risk behavior.
Controls (and compliance) are more than a regulatory checkbox exercise. Controls and compliance have the potential to not only mitigate risks but also avoid business disruption if managed properly.
UK SOX puts controls front and center. It requires companies to assess and report on the effectiveness of internal controls as it focuses on promoting financial transparency and prevention of corporate fraud. Key steps to comply with UK SOX are to identify and assess financial-related risks and related controls, periodic testing of the entire program for its effectiveness, and compliance with the regulation.
Centralizing risk, control, and UK SOX certification details is a must for an effective SOX compliance program. This includes technology as well as the alignment of roles, responsibilities, and accountability.
On the technology front, it is very important to bring risk, control, policy, and compliance details on a single platform. This ensures the integrity of data, rationalization of controls, and a reduction in the cost of compliance. It also provides enterprise visibility, enabling collaboration and contributing to a positive, risk-aware culture of compliance.
The future is efficiency and effectiveness, driven by AI and ML. Adopting advanced technologies like AI and ML to automate some of these processes and rationalize data elements across risk and compliance programs is essential to lower risk, improve compliance and do more with less.

Addressing Customer Questions

Below are some of the questions that were asked during the webinar and our responses:

Which companies will be regulated under UK SOX?
The businesses that will be impacted by UK SOX are:
- Large organizations (private & public) operating in the UK due to the impact they have on the wider corporate climate
- Publicly-listed companies in the UK
- The scope of the regulation is expected to be expanded to mid-market organizations
What is SMF?
SMF stands for Senior Management Functions. As laid out in SUP 10C by FCA, SMF needs to be allocated to the most senior individual within an organization. Senior Management Functions are:
- Governing Functions
  SMF1 (Chief Executive)
  SMF3 (Executive Director)
  SMF27 (Partner)
- Governing Function: Non-executive
  SMF9 (Chair)
- Required Functions
  SMF16 (Compliance Oversight)
  SMF17 (Money laundering reporting officer)
  SMF29 (Limited scope function) – Limited scope firms only
What is the biggest challenge and solution in achieving a successful culture and getting that accountability embedded from the top down?
One of the biggest challenges is to implement an adequate control culture. The solution is to break silos across areas and agree and delimit responsibilities among those different areas. It is very important to design spaces of common objectives and search for accountability by documenting the control framework, at a high level, and then asking the senior managers to land and cascade down these responsibilities into their teams and areas.
How are emerging risks identified? Who should own and manage these risks?
Several analysts, market research, and consulting firms have conducted thorough research based on macroeconomic conditions and drivers to understand the top emerging risks. Emerging risks need not be new but an existing risk with an elevated impact on business compared to the past. Some of the emerging risks listed by these companies are:
- Emerging structural challenges, including digitalization, climate change, and ESG
- Advanced cyber threats
- Geopolitical risks
- Financial sanctions
- Regulatory risks
- Digital asset market turbulence
- Theft, fraud, and other conduct risks
- Systemic risks
Everything from the above may not be applicable to all organizations. Individual organizations need to review their business objectives, respective industry trends, and risk appetite to identify and map risks to these categories.

When it comes to emerging risks, involving the frontline is very important as they are the most exposed to the lurking risks. Training and awareness of these risks are key to enabling the frontline to be ahead of these emerging risks. The ownership of identification and self-assessment of risks should remain with the frontline, and further analysis and mitigation strategies should be managed by the second line. From the technology standpoint, companies must streamline the identification of observations from across the organization, while also enabling anomalies to be recorded anonymously and triaged based on business criticality.
Are antagonistic threats included in the definition of emerging risks?
They are not included in the emerging threats as their impact has not changed over the years. However, they must be managed by the organization. For example, for a bank, any employee unrest or strike will not only impact the business but also create reputational damage.
Does the Enterprise Risk Management (ERM) model also include third-party risks and outsourcing? Most financial institutions have a lot of outsourcing arrangements since data is in the cloud.
As a best practice, ERM should have third-party risk exposure as a component, which will help risk leaders understand the overall risk exposure by the organization. However, the effective management of third-party or vendor risk management will require a separate program where all processes from vendor onboarding, risk assessment (for compliance, ESG, security, and operational risks), certifications, issue management to offboarding are managed for better visibility into the extended ecosystem and related risks.
Is risk management or compliance management responsible for the risk and control framework?
The second line of defense from risk and compliance functions is responsible for control frameworks.
Is risk management or compliance management responsible to report incidents to regulators and auditors?
Organizations must empower each function to report issues, observations, anomalies, incidents, and risks. An informed frontline can become a great resistance against any risk or incident. Once they are reported, the second line should investigate, and report based on the severity of issues or incidents.

Stay Ahead with MetricStream

Implementing strong internal controls, compliance, and a robust GRC framework are the keys to building agility, resilience – and staying ahead of ever-evolving risks.

To learn more about how MetricStream can help, please request a demo today. To get a copy of the slides, please get in touch with sumith.sagar@metricstream.com.

Watch Now: Embedding a Strong Control Framework in Your Enterprise Risk and Compliance Strategies

Jump to Topic

Sumith Sagar Associate Director, Product Marketing

Blogs

ESG and ERM: Optimizing Risk Resilience

ESGRC
14 February 23
Loren Johnson
Simrin Jhangiani

5 min read

Introduction

Environmental, social and governance (ESG) concerns are rapidly emerging as critical factors that can impact and disrupt business, livelihoods, and life itself. Organizations are now aware of the significance of ESG compliance, though it is still considered primarily from a financial reporting lens. And despite there being several overlaps in terms of best practices, requirements, and reporting, many companies have still not integrated ESG reporting and compliance with their enterprise risk management (ERM) practices. As the risks continue to escalate, ESG will only increase in organizational importance, and become a permanent part of GRC. More specifically, it will become a risk category positioned under the overall risk umbrella of enterprise risk management.

The question, of course, is why many organizations are still hesitant to adopt ESG as a business-critical requirement. Unfortunately, too many businesses still perceive environmental or social activism as irrational with little or no connection to business productivity and success. But today, extreme weather events, droughts and lessening snow packs, and global temperature increases are a reality, and instances of discrimination, incivility, and harassment are widely reported across the world, resulting widespread public condemnation, reputational damage, and demands for accountability.

We are at an inflection point with consumers recognizing their influence and demanding that businesses and industries to do better – for the environment and social governance. Their influence extends beyond condemning poor actors to buying behavior, where their demands for accountability have the power to force business, sectors, and even governments to ensure public reporting of ESG compliance, and its impact on the environment, people, and communities. The public in key markets is already making ESG value statements with their pocketbooks. It should not surprise any business today that when given the choice consumers are often more likely to do business with a company that demonstrates its commitment to sustainability. It has been shown that they are willing to pay a premium for products where the brand showcases its approach to ethical, social, and environmental causes. In short, it is time businesses realized that climate-consciousness and pursuing ESG best practices and standards can help increase profits and ensure long-term business success.

At the same time, organizations are beginning to understand the direct impact of climate change on business continuity, resilience, and profitability. It is important to remember that the increasing number of businesses and governments are declaring that climate change and environmental sustainability are real and legitimate risks to operations. This means that committing to an ESG program is no longer a nice-to-have measure that can elevate the reputation of and profitability of a business. It is a must-have critical element within a larger risk management and operational resiliency strategy.

Why Integrating ESG into ERM frameworks is Critical?

Enterprise Risk Management is an umbrella approach for managing multiple risk categories across the business. These include external risks such as economic or geopolitical risks, cybersecurity, or environmental risks, and internal risks like reputational risks, financial risks, product risks, partner risks, data privacy risks, leadership, employee churn risks, and compliance risks. Most ERM strategies include specific categories such as operational risk management, regulatory & compliance programs, third-party risk management, IT and cybersecurity risk management, and audit programs. Many expect ESG to migrate from a standalone practice to become one more of these risk categories housed under a larger ERM framework. But we believe that time has not yet come, as the distinct practices, values, and measures within ESG need to mature further and be more widely adopted before it can be appropriately positioned under an ERM umbrella.

Management of existing risk categories today apply certain common structures, workflows, assessment practices within ERM frameworks. This includes standard practices for the identification, assessment, and prioritization of individual risks, and the evaluation of risk velocity, severity, and the connections between different risks. ERM frameworks also tend to include a centralized risk registry for easy reference. A centralized system provides the controls, procedures, and policies that can be applied when responding to any category of risks, based on the organization’s predefined risk profile and appetites. Modern ERM frameworks leverage data analytics for real time insights that facilitate better decision making across the risk universe.

Most ERM practices have been around for decades, and the best practices have been designed, tested and reviewed over time. While it is a living process that is flexible enough to adapt to risk scale, diversity and changes in organizational risk profile, program validation, scope, scale, and performance adaptation is constant. In a well-run risk management program, many processes are automated, which allows risk leaders to focus on strategy rather than day to day operations. Reapplying or extending existing standard procedures, automation, assessments, scoring methodologies, data collection and reporting – with some evolution and adaptation – to newer risk management categories like ESG makes good business sense. Pursuing ESG as a risk category and integrating it into existing ERM frameworks should help expedite program accountability and ensure reporting consistency.

Over the last few years several ESG reporting standards such as TCFD, CSRD have emerged, reaching a definitive and defensible market position. These standards define how ESG-related data is to be collected, reporting formats and requirements, as well as other criteria pertaining to what, when, where and who collects ESG data. These reporting outcomes can be easily incorporated into existing ERM frameworks and may enhance data and reporting across additional risk categories. In fact, ESG and Third-Party Risk Management (TPRM) are central to and can be further integrated into resiliency strategies within ERM. Their inclusion will be invaluable for accelerating recovery from environmental and social risk events. Integrating ESG into ERM frameworks can also add to commonly accepted structures and expand the scale, scope and depth of understanding risks. It would be a mutually beneficial move where each discipline would benefit from the data and values of the other to deliver holistic legitimacy.

ESG and ERM: The Road Ahead

There is a growing expectation that within the next five to ten years, ESG will be housed within and enhance ERM programs. For now, ESG deserves focused attention from the market to refine its reporting and frameworks as it matures. While there will clearly be distinct risks, reporting structures, frameworks, and stakeholders for ESG information, it will increasingly be viewed as one of several important risk categories under the ERM umbrella. In a sense, it must ‘cross the chasm’ to a degree of standardization, consistency, commonality, to capture the market buy-in it doesn’t yet have. Once this is achieved, organizations will more easily integrate ESG risk assessments, reporting, and definition into enterprise risks.

Want to learn how to integrate ESG risks into Enterprise Risk Management (ERM) processes.

Register for the upcoming webinar: The Interconnectedness of ESG, ERM, and Third-Party Risk Management

Read the eBook: ESG and ERM: Bridging the Gap

Request for a personalized demo

Jump to Topic

Loren Johnson

Simrin Jhangiani Associate Director, Marketing at MetricStream

Simrin Jhangiani is the Product Marketing Lead for MetricStream’s ESGRC product. As a former NYU student with a minor in Corporate Social Responsibility, Simrin is passionate about helping businesses make risk-aware business decisions around ESG. Simrin has an extensive business and marketing background having worked as a strategy consultant at KPMG and being a business owner of a sustainable fashion brand. She has lived on 3 different continents, and has travelled to over 50+ countries around the world, resulting in a comprehensive understanding of why ESG is important on a global scale. She believes that ESG is fundamental to the growth of businesses in the present day and is ardent about bringing awareness of the ever-changing regulations around Environmental, Social, and Governance.

Risk Management

GRC Success Story: How dnata Integrated Firm-Wide GRC Processes with MetricStream

Introduction

GRC Program Objective

GRC Journey with MetricStream

Business Value Realized

Looking Ahead

Related Resources

The Top 5 Enterprise Risk Management (ERM) Tools For 2024

Introduction

Key Features of ERM tools

Criteria For Evaluating ERM Tools

Top 5 ERM Tools For 2024

MetricStream

Diligent

ServiceNow

OneTrust

LogicGate

Benefits of Using an ERM Tool

Improved Risk Visibility and Understanding

Enhanced Decision-Making and Resource Allocation

Strengthened Resilience Against Uncertainties

Regulatory Compliance and Governance Support

Addressing Common Challenges in Implementation

Resistance to Change

Data Quality and Integrity

Siloed thinking

Inefficient risk assessment processes

Insufficient reporting and communication

How Do You Gauge the Success of Your Implementation?

Trends Shaping the Future of ERM

Conclusion

Related Resources

Rationalizing Controls to Effectively Manage Your Risks and Drive Risk-Aware Decisions

Introduction

How are Modern Organizations Addressing and Managing Today’s Risks?

Is a Risk and Control Self-Assessment Still Relevant?

Power Your ORM Program with MetricStream

Related Resources

Top 5 Risk and Compliance Resolutions for Banking and Financial Institutions in 2024

Introduction

1. See Risk as an Opportunity – A Must for Thriving in 2024!

2. Step Up Cyber Risk Management – Automation is Key!

3. Level Up the Compliance Game – Time to Stop Playing Catch-Up!

4. Implement AI for GRC and GRC for AI – Act Now or Lag Behind!

5. Strengthen Operational Resilience – Connect the Dots!

Looking Ahead

Related Resources

Modernizing ERM: How Energy and Utilities Companies Can Stay Current in Risk Management

Introduction

Modernizing ERM – Key Considerations

Centralized Risk Repository

Risks from the Extended Enterprise

Actionable Risk Intelligence with AI

Resilient Mindset

What’s Next?

Related Resources

5 Essential Steps to Modernize the Three Lines of Defense Model in Your GRC Program

Introduction

The First Line of Defense: The Cornerstone of the 3LOD Model

5 Key Priorities for a Resilient 3LOD Strategy

Effectively Manage Non-Financial Risks and Ensure Compliance with MetricStream BusinessGRC

Register for the Upcoming GRC Summit in London on October 16-17, 2023

Related Resources

How to Embed a Strong Control Framework in Risk and Compliance Strategies

Introduction

Why Strong Controls Matter More than Ever

Key Takeaways and Recommendations

Addressing Customer Questions

Stay Ahead with MetricStream

Related Resources

ESG and ERM: Optimizing Risk Resilience

Introduction

Why Integrating ESG into ERM frameworks is Critical?

ESG and ERM: The Road Ahead

Related Resources

OCC Spring 2022 Risk Report Highlights Risks Facing BFS Companies

Introduction

Elevated Operational Risk Due to an Increasingly Complex Operating Environment

Heightened Compliance Risk, Driven by Regulatory Changes and Policy Initiatives