At the recently held GRC Summit 2024 in Baltimore, David Story, Vice President Health, Safety, & Environment, dnata, provided the audience with a detailed overview of their GRC journey experience with MetricStream.
Dubai National Air Travel Agency (or dnata) was established in 1959 through a government decree. It set up its first international business in 1993. Gradually, over the years, it has seen significant growth across all its business units.
Here are the excerpts from David’s session on “dnata’s Integrated GRC Transformation”.
David: Our foremost priority is safety and security. Through a series of SMART objectives, we're building a best-in-class, health, safety, and environmental system, or HSE ecosystem, as we call it. Over the next few years, up to 2027 and beyond, through our medium-term plan, we are striving for a best-in-class or world-class status, and central to delivering on that goal is the effective use of our GRC platform.
Within dnata, MetricStream is the product that we use, and we have done a number of modifications and upgrades through MetricStream over the years. We refer to it within the company as “dnatahub”, which is everything we do from a GRC perspective.
So, in terms of why GRC is so important to us -- central to that is our safety management system, or SMS. SMS is essentially the bedrock of everything that we do across four key pillars -- safety policy, risk management, assurance, and promotion. To be able to deliver on the requirements of our SMS, our dnatahub platform is absolutely central to achieving those goals.
David: So, how has the dnatahub platform evolved over the last few years?
We're now into the 9th year of our partnership with MetricStream, beginning back in 2015 along with our “Global One Safety” initiative. The first pillar in that strategy was rolling out Incident Management, which allowed us to have one platform for reporting safety occurrences across local businesses.
In 2018, there was global expansion – we introduced new applications within dnata in addition to incident management and reporting.
In 2020, we started moving into the continuous monitoring phase, which saw the likes of our Documentation Management System (DMS). We also introduced surveys and inspection through the auditors. We would go out there and report safety hazards and threats to our organization. This was across all three of our operational divisions.
The beauty of DMS is that it can be accessed by any of our team in the world who has access to an Office 365 account. Examples of a DMS document could be a global safety alert, a new manual, a guideline document, or a new operational standard. All of those are published through DMS and are automatically and electronically tested within the system as well. So, for auditing purposes, it's very, very efficient.
We also launched Observation Management as well. And, through Issue and Action Management we can assign tasks and actions to our businesses around the world.
We're now moving into Phase IV, as we call it, looking at how we scale up as we continue to build our business. We are currently two weeks away from the launch of the Euphrates upgrade as well.
We've built a very strong partnership with MetricStream, and we've now established a very strong governance model as well in terms of performance monitoring.
David: What's been key to success is keeping things simple. One of the worst things you can do in my role as a safety professional is over-complicate how you manage safety within your business.
In terms of just some numbers, we have got:
What gives me great confidence is 400,000+ observations. We actively encourage everyone -- from our leadership level all the way down to the front line -- to report any unsafe behaviors and actions within our business. What we've seen over the last 2-3 years is a considerable increase in the number of safety reports within the business. So that leads to a much more positive and safety-aware culture.
Over the next few years, we've got some really interesting challenges coming our way. You would have seen the announcement about the new airport project in Dubai. The target is 2033 for the opening of the new terminal with a capacity of 250 million passengers a year. We already have that airport as we have for the last 10 years, and this will be a significant upgrade to be the world's largest international gateway.
We have two to three new businesses that are going to be coming online towards the end of this year, including a particularly large business in Italy. And it's essential that we look at how we scale up to meet that demand, because we could have potentially 3,000 to 4,000 users within dnata by the end of this year.
In today's global economy, where uncertainty is the only constant, navigating risks has never just been about avoiding the pitfalls. It's about strategically anticipating and mitigating them to steer organizations toward sustainable growth and turn them into strategic advantages.
At the heart of this crucial endeavor lies Enterprise Risk Management (ERM), a systematic approach designed to identify, assess, manage, and monitor risks across an organization. But what truly breathes life into ERM, transforming it from a theoretical concept into an effective system with well-defined workflows and processes that provide actionable insights, are ERM tools.
Findings show that companies with effective ERM programs on average experience a 63% reduction in the frequency of risk events and up to a 35% reduction in operational losses.
ERM tools provide the necessary infrastructure to gather, analyze, and report on risk data across the enterprise. They support the decision-making process by offering proactive insights, allowing organizations to anticipate potential risks before they materialize. This predictive capability in Enterprise Risk Management can make all the difference between staying ahead of the competition and falling behind due to unforeseen challenges.
Here are the key features that CROs and risk managers should keep in mind while selecting an ERM tool:
When evaluating ERM tools, prioritize ease of use with intuitive interfaces that encourage user adoption. Consider the ROI beyond upfront costs, aiming for reduced risk event losses and improved efficiency. Assess functionality for alignment with specific needs, such as configurable risk assessments and reporting. Lastly, prioritize integration capabilities for smooth connectivity with existing platforms.
Gauging the success of your ERM implementation involves reviewing a range of criteria that validate its benefits, some of them being:
Here are some well-known vendors that are recognized as leaders in the ERM landscape.
MetricStream has carved its place as an indispensable ERM tool for businesses aiming to bolster their enterprise risk management capabilities. This ERM software is crafted with an eye for integrating various aspects of risk management under a single umbrella, making it a holistic platform for businesses aiming to stay ahead of uncertainties.
This tool is best suited for organizations seeking to streamline risk processes, gain real-time insights into their risk landscape, and drive informed decision-making to optimize business performance and resilience in dynamic environments.
Key Features:
MetricStream's accolades, such as being named a Leader in The Forrester Wave™: Governance, Risk, and Compliance Platforms, Q4 2023, highlight its effectiveness and reliability. Recognition from leading research and advisory firms attests to the platform's robust capabilities in IT/Cyber Risk Management, GRC Vision, and more.
To read more, download your complimentary copy of The Forrester Wave™: Governance, Risk, and Compliance Platforms, Q4 2023.
Pricing is available on request from the vendor.
Diligent offers a compelling narrative for ERM, emphasizing the importance of aligning leadership with the full spectrum of risks that impact an organization.
This strategic alignment is pivotal in transforming risk into actionable insights, enabling data-driven decision-making at every turn.
Diligent's approach revolves around cultivating a much more comprehensive understanding of risks across all levels of the organization, fostering a proactive risk management culture.
Key Features:
Pricing is available on request from the vendor.
ServiceNow is a robust platform that simplifies complex risk assessments and enhances decision-making capabilities across organizations.
It facilitates enhanced data communication using chat functionalities, web portals, and mobile applications, ensuring seamless sharing and dissemination of critical risk and compliance information across the organization.
This platform is ideal for organizations looking to centralize and optimize their risk management processes while enhancing overall operational resilience.
Key Features:
Custom pricing will be available on request.
OneTrust is a comprehensive tool that specializes in compliance and vendor risk management, addressing critical niches within the risk management ecosystem. This tool is particularly valuable today, where data privacy regulations and third-party relationships are under increased scrutiny.
It has made its mark as a versatile cloud-based GRC platform, renowned for its customizable functionalities that cater to a wide range of risk management needs.
Key Features:
Pricing will be available on request.
LogicGate presents itself as a highly adaptive and modern ERM solution designed to meet the dynamic needs of contemporary businesses.
Known for its flexibility and the ease with which it can be customized, LogicGate stands as a powerful tool in any risk manager's arsenal, particularly for those looking to streamline their ERM processes without being bogged down by complex technical requirements.
With LogicGate, businesses can forge ahead confidently, equipped with a versatile platform that aligns seamlessly with their risk management goals and operational strategies.
Key Features:
Pricing is available on request from the vendor.
Implementing an ERM tool brings a host of advantages to organizations seeking to enhance their risk management practices. Here are the top four benefits of using an ERM tool:
Implementing ERM tools enables organizations to peel back the layers of potential risks, revealing unseen threats and opportunities alike. This clarity enables businesses to anticipate challenges and navigate them with greater assurance.
With the insights garnered from these tools, organizations can make better-informed decisions that align closely with their goals. An ERM tool offers the unique advantage of data-driven guidance, helping firms allocate their resources more effectively and ensuring that efforts are directed toward the areas of highest impact.
ERM tools empower organizations with a proactive defense mechanism against potential disruptions. This robust preparedness doesn’t just mitigate risks, it also fosters an agile environment that can adapt and thrive in the face of uncertainties.
ERM tools serve as an invaluable ally, ensuring that compliance is maintained, and governance standards are met. This compliance is a strategic move that enhances credibility and stakeholder trust, paving the way for smoother operations and market growth.
Implementing ERM tools presents unique challenges that organizations must strategically address to ensure successful adoption and integration. From overcoming resistance to change and data quality issues to promoting cross-functional collaboration and enhancing risk assessment processes, navigating these challenges is essential for maximizing the effectiveness of ERM tools within companies.
Implementing ERM tools often requires changes in workflows and processes, which can be met with resistance from employees accustomed to traditional methods. Overcoming resistance to change involves effective change management strategies, such as stakeholder engagement, training programs, and transparent communication about its benefits.
ERM tools rely heavily on accurate and reliable data to perform effective risk assessments and analyses. However, organizations may often struggle with data quality issues, including incomplete or outdated information, inconsistent data formats, and data silos.
Different departments often have narrow views of risk that don't account for how their risks might impact the rest of the organization. Organizations need to promote a culture of collaboration and an understanding of the interconnectedness of risks by establishing cross-functional risk committees and information-sharing protocols.
Organizations need to assess risks timely, systematically, and objectively to strengthen risk preparedness and to be ready for the unexpected curveballs waiting to surface at the most inconvenient times. This requires developing comprehensive methodologies that consider risk likelihood, impact, velocity, and interconnectivity. Furthermore, organizations should update their risk profile regularly as conditions change.
Stakeholders can't make good risk-based decisions without timely and relevant information. It is imperative to establish risk reporting procedures to keep executives and risk owners in the loop. A risk dashboard or scorecard is a useful way to provide at-a-glance overviews and details on key risks.
Determining the success of your ERM implementation entails examining critical factors that showcase its achievements and improvements, such as:
Here are some of the latest trends that companies can look forward to, when it comes to boosting the effectiveness of ERM tools.
As we look forward to the trends of 2024, it’s clear that the future of ERM is not just about navigating uncertainties but about thriving in them. And when it comes to turning risks into rewards, MetricStream is a trusted partner, equipped to tackle the future of risk-management head-on.
To learn how MetricStream Enterprise Risk Management can help, request a personalized demo today.
Managing operational risks effectively is a top priority for most organizations today, and controls play an important role in ensuring risks are mitigated. Controls range from preventive to corrective and are essential for managing risks, ensuring compliance, and safeguarding the organization’s assets, customers, and reputation. Frameworks like COSO (Committee of Sponsoring Organizations) require organizations to embed internal controls into business processes to ensure ethical and transparent operations aligned with industry standards. These controls must be monitored, tested, and improved continuously to keep up with the constantly changing risk environment and business priorities. The challenge before today’s organizations is to execute reliable strategies to manage operational risks via control rationalization and facilitate better decision making.
The 2023 GRC Summit in Miami saw Kevin Finlay, Vice President, Sales, MetricStream, lead an in-depth discussion on this topic with experts:
Watch Now: Effectively Managing Operational Risks Through Control Rationalization for Improved Decision-Making
The panel of experienced practitioners had a lot to say on these topics, given that they live them every day. Read on for the key highlights of their engaging discussion.
The risk landscape is evolving at unprecedented speed and scale. As a result, an organization’s definition of what constitutes operational risk must also change, along with the steps taken to mitigate it. What do organizations consider new operational risk priorities, and how are they going about addressing them?
A comprehensive Risk and Control Self-Assessment (RCSA) is a widely used exercise today, but it must be guided by the enterprise’s risk appetite, the big risk picture, and the expected outcome to be effective.
When it comes to technology, most organizations conduct continuous control monitoring. However, the challenge lies in evaluating and rationalizing controls on non-IT systems. A bottom-up, process-driven risk control inventory anchored in common taxonomy is a good way to build a framework that encompasses all areas of risk. An overall understanding of the control environment must be followed by a systematic approach to prioritizing risks and controls for better impact.
Here are a few points to consider when it comes to assessments:
Optimizing and rationalizing controls for enterprise risk management will increase in complexity as the risk environment continues to evolve. Connected GRC approaches and technology can help organizations improve the process by leveraging data for better insights and quicker action. AI models will be immensely helpful for organizations in the years to come. At the same time, best practices from fields such as anti-money laundering must be explored and extended to unrelated businesses for a comprehensive assessment and rationalization effort.
MetricStream’s Operational Risk Management software is designed with a comprehensive set of capabilities that powers your ORM program to drive risk-intelligent, real-time business decisions that accelerate business performance and reduce losses.
With MetricStream’s Operational Risk Management software, your organization is empowered with:
Interested to learn more? Request a customized demo now.
Stay tuned for more details on the upcoming 2024 US GRC Summit! Keep an eye on this space for updates.
New year. New beginnings. New resolutions.
It’s that time of the year again! For many of us, a new year means a time to start fresh, improve and better ourselves, and make big plans with renewed optimism and energy. The same goes for risk and compliance practitioners too, who are looking to drive risk effectiveness, improve efficiency, and thrive with a fresh approach and advanced technologies.
In the world of governance, risk, and compliance (GRC), change is the only constant. As we step into 2024, banking and financial institutions are bracing themselves for the unknown unknowns stemming from escalating geo-political conflicts in various parts of the world, a grim economic outlook, intensifying cyber risks, severe supply chain disruptions, an array of new regulations, and more.
In its 2024 Banking and Capital Markets Outlook, Deloitte said that the strategic choices made by banks will be tested this year as they will be confronted with “multiple fundamental challenges” to their business models.
“A slowing global economy, coupled with a divergent economic landscape, will challenge the banking industry in 2024. Banks’ ability to generate income and manage costs will be tested in new ways,” the consulting giant noted.
So, while the leadership and top management review the past year and chalk out business goals and strategies for the year ahead, GRC leaders should take this opportunity to rethink their approach and implement changes in processes, tools, and technologies that will boost their organization’s resilience.
Against this backdrop, here are 5 key risk and compliance resolutions for banking and financial services organizations to help successfully navigate 2024. What are yours? Let us know in the comments!
Risk is an inherent part of business. Instead of viewing risk as detrimental to the organization’s growth and financial posture, banks should look to turn risks into opportunities. The willingness to take risks can help organizations gain a competitive edge and drive greater profitability and business value. However, there’s a catch – not all risks will translate into strategic advantage. So, how can financial institutions make the decision of whether to accept, reject, avoid, or mitigate a risk?
This is where the risk management program comes into play. An effective risk management program can enable decision-makers to make well-informed business decisions by providing a streamlined process for evaluating opportunities. It equips the top management and leadership with actionable insights, improved risk visibility and foresight, and greater transparency that helps them better manage projects based on risk impact and probability in relation to potential return.
Banking and financial services organizations are a primary target of cyber criminals – which is unsurprising given the sheer volume of sensitive information and assets worth billions of dollars at stake. According to Sophos, the rate of ransomware attacks in financial services jumped from 55% in 2022 to 64% in 2023.
To protect their IT and cyber infrastructure from frequent and increasingly sophisticated cyber attacks, banks need to level up their cyber risk management approach. Relying on periodic reviews and assessments of cyber risks and controls is no longer enough. To stay on top of rapidly evolving and fast-moving cyber risks, organizations need an automated, autonomous, and continuous approach that enables them to proactively identify and address any risks, threats, vulnerabilities, control weaknesses/gaps, and issues before they snowball into something significant.
Banks today can also harness the power of artificial intelligence and other advanced technologies to improve risk management processes and enhance efficiency. AI can significantly accelerate the decision-making process by quickly providing insights into risk trends and patterns as well as identifying areas of improvement – such as the number of duplicate or redundant controls, patterns of over and under-testing of controls, optimum control testing frequency, similar issues, and more.
Regulatory compliance is becoming an increasingly challenging and demanding business function for financial firms. Already counted among the highly regulated industries, the banking and financial services industry is looking at a torrent of new regulations, standards, and regulatory updates focused on various business functions and processes. Some of the prominent ones include revisions to the NIST Cybersecurity Framework, NYDFS Cybersecurity Regulations, a revised version of PCI DSS, and others in the US, the Digital Operational Resilience Act (DORA) and the Corporate Sustainability Reporting Directive (CSRD) in the EU, and so on.
Given the ever-increasing regulatory requirements, compliance teams inevitably fall behind as they end up spending most of their time tracking relevant regulations, understanding their impact on organizational processes, functions, risks, policies, and controls, implementing the required changes, and so on. Technology can make a huge difference in how these various compliance management tasks are performed.
Automated compliance is the future! Today, there are tools that leverage AI to scan the regulatory horizon for identifying relevant regulations and regulatory updates, quickly show the impacted processes, functions, risks, policies, and controls using a centralized platform, run autonomous control tests to ensure adherence to relevant regulations, generate reports that demonstrate compliance posture, and more. The technology-driven, automated approach can streamline compliance management activities and help strengthen compliance resilience.
For a deeper dive into the top 10 key regulations we are watching this year, read our blog “What’s Next in GRC and Risk Regulations? 10 Key Focus Areas for 2024.” Let us know what other regulations and regulatory developments you are keeping an eye on in the comments below.
With its ability to provide actionable insights, save time and costs, and create bandwidth for risk, compliance, audit, security, and sustainability teams, AI is already being regarded as a game-changer for GRC. While AI will not replace the need for human involvement completely, it can eliminate the possibility of human error, thereby improving the accuracy of GRC processes and decision-making and ensuring there are no blind spots.
At the same time, it is essential to ensure responsible AI innovation. As financial institutions explore more and more use cases and integrate AI capabilities into their processes, they also have the duty to follow the highest standards to ensure its ethical and responsible use, as well as to implement measures to identify, manage, and mitigate AI risks. Think GRC for AI, if you will.
Regulators and standard-setting bodies have already taken steps toward this goal. In the US, the National Institute of Standards and Technology (NIST) last year released the NIST AI Risk Management Framework (AI RMF 1.0) aimed at improving the “ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems” while the White House published an Executive Order on the safe, secure, and trustworthy development and use of AI. In the EU, members of the European Parliament reached a provisional agreement on the Artificial Intelligence Act.
AI-focused innovation has been central to MetricStream’s product and platform releases over the years. Our AI capabilities span diverse GRC use cases – from issue identification and classification, action plan recommendations, and scanning of SOC2 and SOC3 reports submitted to organizations by third parties, to most recently, AiSPIRE, an AI-based knowledge-centric tool that provides intelligent insights to improve an organization’s control environment.
The financial sector is the backbone of the global economy. As such, the growing focus of financial firms on operational resilience – the ability to foresee, prevent, withstand, respond to, and recover from risk events – isn’t surprising.
Most recently, the COVID-19 pandemic served as a real-world test of the resilience of banking and financial institutions. The agility demonstrated by the organizations to quickly move their operations completely online and support remote working environments while ensuring security and compliance has been remarkable.
That said, to thrive in today’s rapidly evolving risk landscape – marked by high-frequency, high-impact risk events, growing interconnectedness of risks, and amplified digital dependencies – organizations need to double down on their efforts to strengthen operational resilience. It is critical for banks to not only have robust business continuity and disaster recovery programs in place but also integrate them into the overarching enterprise risk management program. This is important to get a holistic, 360-degree view of the organization’s GRC posture, understand the critical business functions and their interrelationships with other business functions, and improve the risk visibility, foresight, and preparedness required for being resilient.
“Don’t wait for perfection before you start. Start somewhere so you can have something tangible you can work to perfect.”
This quote from Simon Sinek is relevant not only on a personal front but also in the corporate world. As the risk and regulatory landscape continues to evolve and become increasingly challenging, the need of the hour is for banking and financial services institutions to embark on the GRC journey – start where they are, with what they have, and build on it.
MetricStream has been a trusted partner of several global banking and financial institutions in their GRC journey. Learn how we helped a prominent EU-based financial institution strengthen risk awareness, agility, and resilience.
If you’re looking to embark on your GRC journey and want to understand how we can help, request a personalized demo today!
The risks faced by energy and utilities organizations have evolved tremendously over the past decade. From intensifying cyber threats to growing awareness of environmental concerns, changing geopolitical dynamics, supply chain disruptions, fluctuating prices, regulatory changes, and more, the sector today has to navigate an extremely complex and highly interconnected risk landscape.
In PwC’s 2022 Global Risk Survey, 83% of power and utility leaders identified keeping up with the speed of digital and other transformations as a significant or very significant risk management challenge. While the traditional approach to enterprise risk management (ERM) might have worked well in the past, energy and utilities companies need to rethink their ERM program and the approach to implement and reinforce it across the enterprise.
Needless to say, technology has a critical role to play in effectively managing these fast-changing and interdependent risks, but there’s also a greater need to change the very mindset of organizations. In today’s volatile business environment, organizations cannot view and approach risk as an afterthought – they need to be proactive and farsighted to not just address today’s risks but also prepare for tomorrow.
The U.S. Office of Management and Budget (OMB) outlined ERM requirements for federal agencies in the circular “Management’s Responsibility for Enterprise Risk Management and Internal Control.” Based on this circular, the Department of Energy explains various aspects and processes of a comprehensive ERM program in its Enterprise Risk Management Fiscal Year 2023 Guidance, including:
It is important to underscore the need for a continuous approach to ERM. Given today’s rapidly evolving internal and external risks and their cascading impacts, energy and utilities companies can no longer consider ERM as a one-time activity – it is essential to adopt a continuous and agile approach to risk identification, assessment, analysis, and mitigation so that there are no blind spots.
Using technology as an enabler, organizations can implement the continuous approach to ERM as well as gain operational efficiencies by automating repeatable tasks. Equally important is to adopt an integrated approach to ERM that cuts across operational and functional silos, which leads to ineffective risk visibility and foresight, duplication of efforts, and misuse of resources.
Against this backdrop, here are a few key considerations for enabling an integrated and continuous ERM approach for energy and utilities organizations:
Organizations must record all their financial and non-financial risks from internal and external environments in a centralized risk repository and map them to assets, controls, regulatory requirements, policies, business units, etc. This serves as the single source of truth across the organization, which streamlines risk aggregation and analysis and improves risk visibility.
Energy and utilities organizations have an extensive third-party ecosystem, comprising suppliers, technology providers, transportation and logistics providers, consultants, contractors, and others. It is important to continuously identify, manage, and mitigate the risks from this extended enterprise for an effective and comprehensive approach to ERM.
Exploring AI use cases has become a top priority for organizations across industries. For energy and utilities organizations, AI holds the promise to transform ERM by providing timely and actionable intelligence into risk trends, control environment, action plan recommendations, and more. But it’s equally important to understand the risks of AI models and monitor them proactively to ensure the negative effects of AI on people, organizations, and data are curbed or minimized to a great extent.
Being critical infrastructure organizations, the importance of business resilience of energy and utilities organizations cannot be overstated. Fostering a resilient mindset requires deliberate and active participation from the top management and board. The objective is to not only manage risks but also be able to foresee, prepare for, and adapt to changing internal and external environments and withstand, respond to, and recover from disruptions. Implementation of robust business continuity plans and testing them regularly for their effectiveness is key to ensuring resilience in energy and utilities organizations.
The World Energy Council explains it in terms of the Dynamic Resilience Framework:
“The Dynamic Resilience Framework is an integrated approach to emerging risk management that contributes to building capacity and capabilities for managing the resilience of energy systems. Resilience to specific events and systemic shifts can be enhanced by situational awareness of the different types of risks preparedness for future developments.”
With the growing pressure to scout for cleaner energy sources, intensifying regulatory scrutiny, an increasing number of catastrophic events, rising cyber attacks, volatile tariff and trade policies, and more, energy and utilities companies are looking at a highly uncertain business environment with multi-dimensional risks. Embracing a technology-driven and integrated ERM program is a business necessity today for continued financial and operational success.
For a closer look at the ERM process, risk methodology, and the critical role played by technology in modernizing risk management at energy and utilities organizations, download our latest eBook, which discusses the key elements of a well-defined risk methodology and how to build an ideal risk management governance structure.
Organizations today are operating in a heightened risk environment. The risk landscape is constantly evolving and increasing in complexity, with risks being more interconnected now than before, all of which necessitate robust and comprehensive risk management and mitigation strategies.
One of the mainstays of operational and enterprise risk management strategies is the three lines of defense (3LOD) model, where three distinct functions within an organization play unique but interlinked roles in managing risk. It is not a new concept: The three lines model has been a standard for years and has been adopted across industries in varying degrees. The question now is how organizations can modernize and optimize their 3LOD strategies and improve collaboration across the lines to navigate risks more effectively and make informed decisions to safeguard their interests.
This topic was discussed in depth at the 2023 GRC Summit in Miami. Expert panelists Martin Froelick, Senior Vice President - Risk Manager, First Citizens Bank; Michael Cover, Director, Blue Cross Blue Shield of Michigan; and Michelle Melendez, Vice President - Head of Integrated Security Risk Management, Aon, explored the latest trends and strategies to drive efficiency and growth and shared insights on the practical implementation, benefits, and challenges associated with the three lines model.
We unpack the key highlights from their engaging discussion.
Watch the video: Three Lines Model - Trends & Strategies to Drive Efficiency & Growth
Over the years, enterprises across sectors have implemented the three lines of defense strategy in varying degrees. With concentrated attempts to improve collaboration, implement a common risk and control taxonomy, and establish better communication, risk and audit functions now work comprehensively together. The focus has now shifted to the first line of defense – the frontline.
This is crucial because the first line is “the eyes and ears of the business,” at the forefront of the enterprise’s risk posture, and must be equipped to identify and address risks as they emerge. It also has unique insight into the myriad risks faced by the organization and how they should be prioritized. The 3LOD strategy works best when the first line truly becomes a key partner in risk management. The second and third lines are further removed from the core of the business and must rely on the first line for gathering and processing risk intelligence. For the 3LOD strategy to work seamlessly and efficiently, organizations must focus on strengthening their first line and improving cooperation and collaboration across all three functions. Risk ownership should be transferred to the frontline.
Currently, organizations and industries globally are at different levels of maturity in implementing the 3LOD strategy and will have varying perspectives and priorities. But when it comes to building a robust three-lines-of-defense model, there are a few factors that all organizations must keep in mind:
Articulating the Value – The first line is the closest to the business and has a unique perspective on the risks that might impact the enterprise, but they may be grappling with a different set of priorities. (Often, being a ‘risk champion’ as part of the first line is in addition to their regular day job!)
To encourage maximum participation, demonstrate the value of the chosen risk management strategy, tools, and policies. Articulating the value of the program, setting achievable goals, engaging regularly, and establishing a clear monitoring and review mechanism will help in better alignment with the first line. Some companies that have successfully implemented the modern 3LOD reveal that rewarding the frontline for owning and reporting risks in time is their secret sauce for success.
Empowering with Tools and Technology – The first line of defense is not just about the people at the frontline but also the tools and technology available to them. Technology platforms and tools can help break down silos and ensure a seamless flow of data and intelligence across the lines. In addition to streamlining the process of risk reporting, automated systems allow front-line employees to quickly and accurately document risks, incidents, or issues they encounter in their daily activities.
The right tools also empower organizations to answer critical questions like:
Also, do watch the replay of our recent webinar on The Modern Three Lines of Defense: Managing Today’s Emerging Risk and Compliance Challenges. Michael Cover, Director, Blue Cross Blue Shield of Michigan, provides insights on how his company streamlined and modernized the 3LOD with better communication, a clear definition of roles and responsibilities, and the right technology.
MetricStream’s BusinessGRC suite of products is designed to meet the GRC needs of today’s dynamic, global enterprises. Empower your risk management programs by leveraging BusinessGRC to:
Enjoyed this recap? This is just one of many topics we featured at MetricStream’s flagship event, the GRC Summit. The GRC Summit has, for the past 11 years, consistently provided opportunities for the GRC community to connect, share insights, exchange best practices, and, most importantly, set the stage for what's next in GRC. Whether it’s an emerging technology, a new process, or a regulation that’s going to impact the way you do business, you’ll learn about it here.
The next Summit is happening in London on October 16 and 17. Join us as we take the GRC conversation forward! Register now!
Missed the 2023 GRC Summit in Miami? Watch the session videos.
In today's dynamic business environment, organizations face numerous risks and regulatory challenges that can impact their operations, reputation, and profits. To navigate these complexities successfully, businesses need to establish a robust control framework that provides a solid foundation for effective risk management and compliance practices.
We recently discussed these challenges with key experts Ivan Martinez, Chief Auditor, Banco Santander, London, and Charles Nicholls, Enterprise Risk Solutions Specialist, MetricStream, in a webinar titled, “Embedding a Strong Control Framework in Your Enterprise Risk and Compliance Strategies.”
Our panelists discussed the importance of incorporating a strong control framework into GRC strategies, the role of risk culture in taking risk management to the frontline, the UK SOX requirements, and more. It was a lively and useful discussion with an engaged audience who asked multiple questions.
Here are some of the key takeaways – as well as some of the audience questions.
Want to hear the original in its entirety?
Watch Now: Embedding a Strong Control Framework in Your Enterprise Risk and Compliance Strategies
The risk environment isn’t the same as even 5 years ago. We’re dealing with different kinds of risks. The volume and velocity of risks have increased, and the way we manage risks and the type of risks are not the same. Today organizations have to deal with a diverse set of risks, including Environmental, Social, and Governance (ESG) risks, advanced cyberattacks, lurking third-party risks, and geopolitical risks.
The financial services landscape has also changed. The modern banking revolution is being driven by advanced technologies like AI, ML, RPA, chatbots, and cloud computing, along with the emergence of business models such as FinTechs and InsureTechs.
We are witnessing collaboration between banks, financial service providers, and FinTechs, resulting in better customer service and enhanced profits. However, these innovations have also introduced newer and more complex risks.
Risks are inherent to every business. This increases the importance of staying vigilant and resilient in our approach. It is how we manage and thrive on risks that sets us apart from our peers and competitors. Being agile requires organizations to respond to and learn quickly from adverse situations and land back on their feet as quickly and effectively as possible.
Controls, compliance, and robust risk management processes are critical to building this resilience and agility. Let’s take a look at some of the key recommendations and takeaways that Ivan and Charles discussed – and their impact on anticipating risks.
Highlights and takeaways from the discussion included:
Below are some of the questions that were asked during the webinar and our responses:
How are emerging risks identified? Who should own and manage these risks?
Several analyst, market research, and consulting firms have conducted thorough research based on macroeconomic conditions and drivers to understand the top emerging risks. An emerging risk need not be new; it may be an existing risk with an elevated impact on the business compared to the past. Some of the emerging risks listed by these companies are:
Not everything listed above will apply to every organization. Individual organizations need to review their business objectives, respective industry trends, and risk appetite to identify and map risks to these categories.
When it comes to emerging risks, involving the frontline is very important as they are the most exposed to the lurking risks. Training and awareness of these risks are key to enabling the frontline to be ahead of these emerging risks. The ownership of identification and self-assessment of risks should remain with the frontline, and further analysis and mitigation strategies should be managed by the second line. From the technology standpoint, companies must streamline the identification of observations from across the organization, while also enabling anomalies to be recorded anonymously and triaged based on business criticality.
Implementing strong internal controls, compliance, and a robust GRC framework are the keys to building agility, resilience – and staying ahead of ever-evolving risks.
To learn more about how MetricStream can help, please request a demo today. To get a copy of the slides, please get in touch with sumith.sagar@metricstream.com.
Watch Now: Embedding a Strong Control Framework in Your Enterprise Risk and Compliance Strategies
Environmental, social and governance (ESG) concerns are rapidly emerging as critical factors that can impact and disrupt business, livelihoods, and life itself. Organizations are now aware of the significance of ESG compliance, though it is still considered primarily from a financial reporting lens. And despite there being several overlaps in terms of best practices, requirements, and reporting, many companies have still not integrated ESG reporting and compliance with their enterprise risk management (ERM) practices. As the risks continue to escalate, ESG will only increase in organizational importance, and become a permanent part of GRC. More specifically, it will become a risk category positioned under the overall risk umbrella of enterprise risk management.
The question, of course, is why many organizations are still hesitant to adopt ESG as a business-critical requirement. Unfortunately, too many businesses still perceive environmental or social activism as irrational, with little or no connection to business productivity and success. But today, extreme weather events, droughts and shrinking snowpacks, and global temperature increases are a reality, and instances of discrimination, incivility, and harassment are widely reported across the world, resulting in widespread public condemnation, reputational damage, and demands for accountability.
We are at an inflection point, with consumers recognizing their influence and demanding that businesses and industries do better – for the environment and for social governance. Their influence extends beyond condemning poor actors to buying behavior, where their demands for accountability have the power to force businesses, sectors, and even governments to ensure public reporting of ESG compliance and its impact on the environment, people, and communities. The public in key markets is already making ESG value statements with their pocketbooks. It should not surprise any business today that, when given the choice, consumers are often more likely to do business with a company that demonstrates its commitment to sustainability. It has been shown that they are willing to pay a premium for products where the brand showcases its approach to ethical, social, and environmental causes. In short, it is time businesses realized that climate-consciousness and pursuing ESG best practices and standards can help increase profits and ensure long-term business success.
At the same time, organizations are beginning to understand the direct impact of climate change on business continuity, resilience, and profitability. It is important to remember that an increasing number of businesses and governments are declaring that climate change and environmental sustainability are real and legitimate risks to operations. This means that committing to an ESG program is no longer a nice-to-have measure that can elevate the reputation and profitability of a business. It is a must-have critical element within a larger risk management and operational resiliency strategy.
Enterprise Risk Management is an umbrella approach for managing multiple risk categories across the business. These include external risks such as economic or geopolitical risks, cybersecurity, or environmental risks, and internal risks like reputational risks, financial risks, product risks, partner risks, data privacy risks, leadership, employee churn risks, and compliance risks. Most ERM strategies include specific categories such as operational risk management, regulatory & compliance programs, third-party risk management, IT and cybersecurity risk management, and audit programs. Many expect ESG to migrate from a standalone practice to become one more of these risk categories housed under a larger ERM framework. But we believe that time has not yet come, as the distinct practices, values, and measures within ESG need to mature further and be more widely adopted before it can be appropriately positioned under an ERM umbrella.
Management of existing risk categories today applies certain common structures, workflows, and assessment practices within ERM frameworks. These include standard practices for the identification, assessment, and prioritization of individual risks, and the evaluation of risk velocity, severity, and the connections between different risks. ERM frameworks also tend to include a centralized risk registry for easy reference. A centralized system provides the controls, procedures, and policies that can be applied when responding to any category of risk, based on the organization’s predefined risk profile and appetites. Modern ERM frameworks leverage data analytics for real-time insights that facilitate better decision-making across the risk universe.
Most ERM practices have been around for decades, and their best practices have been designed, tested, and reviewed over time. ERM is a living process, flexible enough to adapt to risk scale, diversity, and changes in the organizational risk profile, and validation and adaptation of the program’s scope, scale, and performance are constant. In a well-run risk management program, many processes are automated, which allows risk leaders to focus on strategy rather than day-to-day operations. Reapplying or extending existing standard procedures, automation, assessments, scoring methodologies, data collection, and reporting – with some evolution and adaptation – to newer risk management categories like ESG makes good business sense. Pursuing ESG as a risk category and integrating it into existing ERM frameworks should help expedite program accountability and ensure reporting consistency.
Over the last few years, several ESG reporting standards such as TCFD and CSRD have emerged, reaching a definitive and defensible market position. These standards define how ESG-related data is to be collected, reporting formats and requirements, and other criteria pertaining to what, when, where, and by whom ESG data is collected. These reporting outcomes can be easily incorporated into existing ERM frameworks and may enhance data and reporting across additional risk categories. In fact, ESG and Third-Party Risk Management (TPRM) are central to, and can be further integrated into, resiliency strategies within ERM. Their inclusion will be invaluable for accelerating recovery from environmental and social risk events. Integrating ESG into ERM frameworks can also build on commonly accepted structures and expand the scale, scope, and depth of understanding of risks. It would be a mutually beneficial move, where each discipline would benefit from the data and values of the other to deliver holistic legitimacy.
There is a growing expectation that within the next five to ten years, ESG will be housed within and enhance ERM programs. For now, ESG deserves focused attention from the market to refine its reporting and frameworks as it matures. While there will clearly be distinct risks, reporting structures, frameworks, and stakeholders for ESG information, it will increasingly be viewed as one of several important risk categories under the ERM umbrella. In a sense, it must ‘cross the chasm’ to a degree of standardization, consistency, and commonality to capture the market buy-in it doesn’t yet have. Once this is achieved, organizations will more easily integrate ESG risk assessments, reporting, and definitions into enterprise risks.
Want to learn how to integrate ESG risks into Enterprise Risk Management (ERM) processes?
Register for the upcoming webinar: The Interconnectedness of ESG, ERM, and Third-Party Risk Management
Read the eBook: ESG and ERM: Bridging the Gap
The Office of the Comptroller of the Currency (OCC) has published the OCC Spring 2022 Risk Report that highlights risks faced by banks and financial services organizations. The National Risk Committee (NRC) of the OCC plays a key role in monitoring the U.S. federal banking system, identifying key risks facing banks, and highlighting those risks in its semiannual publications. The latest edition of its guidance has observed that the financial condition of banks remains strong and well-positioned to “deal with the economic headwinds arising from geopolitical events, higher interest rates, and increased inflation” and has warned banks and financial organizations to prepare for elevated operational risks and heightened compliance risk.
The report attributes these risks to the current geopolitical tensions; a heightened compliance risk environment arising from regulatory changes, policy initiatives, and challenges in hiring qualified compliance professionals; and an observed increase in cyberattacks on the financial services industry.
Here is a closer look at the key risk themes highlighted in the report.
The OCC report attributes the elevated operational risk to cyber threats which “continue to evolve, with an observed increase in attacks on the financial services industry.” This has been further accelerated by the ongoing geopolitical situation. Additionally, “banks’ increasing reliance on third-party relationships, along with the development and adoption of innovative products, services, and technologies, and ongoing changes to banks’ staffing and the operating environment” have all led to an increase in operational risk.
Also, the OCC has observed that banks are finding it challenging “to maintain comprehensive operational resilience frameworks commensurate with the complexity of products, services, and operations being supported in this environment.” It has further advised that some of the risk exposure may manifest in the coming quarter, making it vital for “the industry to remain vigilant and fully assess its risk exposure.”
Given the increased operational risks, the OCC’s recommendations include:
The OCC has highlighted that compliance risk remains heightened. This is primarily because banks are now required to navigate the complexity of sanctions imposed in response to the Russian invasion of Ukraine. At the same time, banks have also been required to “continue to manage the impact of forbearance programs and the elevated volume of customers on deferred payment and loss mitigation programs.”
The OCC has further observed challenges across the industry in retaining and replacing staff in compliance functions. The lack of access to subject matter expertise, or the use of third-party relationships to support or fill such critical roles, may increase compliance and operational risks.
The OCC offers the following recommendations for banks and financial institutions.
As banks and financial institutions work to address key risk areas, it is important that they view and recognize the interconnectedness of risk. As highlighted in the OCC report, the scale and scope of the interconnectedness of risk are rapidly expanding. This requires a connected approach to manage and mitigate risk.
MetricStream’s ConnectedGRC empowers banks and financial institutions with a connected and streamlined governance, risk management, and compliance approach that enables firms to better identify, assess, manage, and mitigate risk across the enterprise—including strategic, operational, IT and cyber, third and fourth-party, compliance, and ESG risks.
Interested to know how MetricStream can help you take a connected approach to risk management? Write to me at sumith.sagar@metricstream.com to learn more. You can also request a personalized demo to learn more about our products.
Cryptocurrency is almost synonymous with “what’s next.” From the probably best-known Bitcoin to Ether, Dogecoin, or any of the many other tokens, crypto has a futuristic air of “tomorrow’s economy today.” With the global cryptocurrency market projected by IMARC Group to reach $32,420 billion by 2027, digital currency is becoming a fully-fledged, if not yet completely understood, member of the global financial markets.
Yet tomorrow has also brought with it extensive risk, the full range of which isn’t yet even visible.
The massive amount of currency in play, the instability of platforms, and the general lack of regulation around crypto make it a favorite for bad actors. According to Cybersecurity Ventures, crypto crime is predicted to cost the world $30 billion by 2025.
The anonymous aspects of cryptocurrency make it the most-preferred currency by cyber adversaries for carrying out ransomware attacks across industries and for money laundering, terrorist financing, and other crimes. In its analysis of cryptocurrency received by ransomware addresses, Chainalysis identified more than $602 million worth of ransomware payments in 2021, adding that “the true total for 2021 is likely to be much higher.”
The sheer size of the cryptocurrency market makes it impossible to ignore, especially for the traditional banking system as this emerging financial asset class could threaten financial stability.
Decentralized finance (DeFi) platforms, which eliminate the middle layer of banks and other third parties in financial transactions, are one aspect that poses risks. With their promise of facilitating faster and cheaper cross-border payments, they are giving legacy banks a run for their money. To stay current as the world rapidly digitizes, banks must examine the role of these and other blockchain-related technologies – but until regulations, risk monitoring, and governance catch up, the risks are significant.
Primarily seen as a vehicle for speculative investments at present, crypto also lends itself to scams. These include the “pump and dump” and the “rug pull,” both of which involve inflating the price of a currency and then dumping it, leaving investors out in the cold; phishing scams to gain access to crypto wallets; and much more. The number of cyberattacks on cryptocurrency exchanges is also on the rise.
The explosive growth of the “Metaverse” in recent months has caught the attention of crypto investors. While this new frontier of the internet holds the potential to transform e-commerce, entertainment, and other industries and could merge the physical and virtual worlds, concerns around data security and privacy, cybersecurity, and mental health issues, among others, are also growing rapidly. What makes the situation more precarious is the current lack of regulation.
The cyber impact of crypto is so high-profile that in the U.S., the Securities and Exchange Commission (SEC) recently announced that it has renamed its Cyber Unit to the Crypto Assets and Cyber Unit and will nearly double its staff with 50 dedicated positions. Among the risks being monitored will be crypto assets, exchanges, and DeFi platforms.
In the UK, the government announced a series of measures to make Britain “a global hub for cryptoasset technology and investment.” This includes establishing a Cryptoasset Engagement Group, setting up a ‘financial market infrastructure sandbox’ for firms to experiment and innovate, and others.
Regulators in Europe are also working on a comprehensive set of rules that will not only boost the potential of crypto-assets but also help to curb the threats. To address the risks posed by the anonymity feature of cryptos, the European Parliament agreed to start negotiations with EU countries on rules to allow the tracing and identification of crypto-asset transfers. Earlier this year, it adopted new rules to support the testing of the distributed ledger technology (DLT) in market infrastructures.
What the future of crypto holds remains to be seen – but like any risk, the fundamentals remain the same. Implement strong, active cyber risk management, monitoring, and governance; collaborate with quantitative and qualitative insight across your cyber and business teams; and stay agile to stay ahead of tomorrow’s risks today.