Blogs

Successfully Navigate a Changing Landscape in 2022 with a Robust Risk Strategy

3 min read

Introduction

We are just past the first month of 2022 and we are already starting to see headlines like “World Economic Forum finds that 95% of cybersecurity incidents occur due to human error”.

European organizations are increasingly becoming aware of the importance of having real-time visibility into the overall risk management strategy. A proactive approach to risk management is no longer the concern of the CIO’s function alone; decision-makers and board members are quickly coming to realize the importance of showing how they will prevent, adapt, respond to, and recover from operational disruption. While this sounds easy, sometimes what seems simple can be the most difficult to achieve.

The landscape in which we operate continues to evolve, and we’re reading more and more about regulations and guidance that are upcoming or changing. It’s not just one pillar of risk that opens organizations to potential fines and prosecution. To make it more difficult, these risks aren’t always visible to everyone and can require a mammoth cross-functional effort to remain aligned.

The Importance of a Cross-Functional Risk Management Process

Understanding that risks can emerge not only from the servers you store data on but also from the people who handle that data is paramount. This highlights the importance of a cross-functional risk management process. It’s not only the computers, the cloud servers, and the file storage that can be an area of concern; it can be human error, and it’s important to safeguard and protect against these unknowns.

In 2022, we expect further guidance around the Digital Operational Resilience Act (DORA) which aims to ensure that all organizations participating in financial systems have the necessary safeguards in place to mitigate cyber-attacks and other risks.

Timings and scope are not finalized but there is the expectation that Sarbanes-Oxley (SOX) internal controls will be reflected in the UK. The importance of having transparent and robust controls in place will best prepare organizations for what happens next.

Climate-related risks are also going to evolve with the Prudential Regulation Authority (PRA) and Task Force on Climate-related Financial Disclosures (TCFD) requiring companies to be transparent and disclose impacts on climate. The expectation is that financial sectors globally will be bringing in mandatory climate-related reporting. This comes as New Zealand was the first country back in October of 2021 to pass climate change disclosure laws bringing climate risks and resilience into financial and business decision making.

The above examples reflect the changing landscape. This is not new. Regulations and legislation have been changing over the last few years. Think back to 2018, when GDPR was being implemented, and the concerns that organizations had in terms of personal data. There were questions around how that data was processed and what security measures each company had in place to protect that data.

Power What’s Next with ConnectedGRC

Whatever comes next we know that the key elements of your integrated risk management strategy should include an effective operational resilience program, business continuity management, cyber risk management, and third-party management. Coordinating these functions through a connected and integrated risk management program ensures that organizations will be better prepared to navigate an uncertain world and adapt quickly to disruptions.

With MetricStream’s ConnectedGRC, your organization is empowered to pursue an integrated approach to GRC. By ensuring collaboration between risk, compliance, audit, cybersecurity, and sustainability teams your business is better able to identify, assess, manage, and mitigate strategic risks, operational and enterprise risks, IT and cyber risks, third-party risks, compliance risks, and environmental, social, and governance (ESG) risks.

Whilst there may still be uncertainty, a connected GRC approach ensures that processes are in place to deal with what’s next in the simplest manner possible! As the risk landscape continues to change, stay tuned for future blogs that go deeper into changing regulations for Europe such as UK SOX and Operational Resilience.

Connect with us to see how MetricStream can help. Request a custom demo now!


Driving Customer-Centric Innovation through MetricStream’s Enterprise Risk Management Product Council

3 min read

Introduction

In the current chaotic and unsettled business environment, organizations have to manage various types of risks on a daily basis. With both risk volume and velocity increasing at an unprecedented pace, implementing an effective Enterprise Risk Management (ERM) program is critical for organizations to stay one step ahead of the risks and strengthen business resilience.

Risk leaders and business decision-makers are often confronted with the question of whether to accept, reject, mitigate, or transfer risk. Adopting a tech-driven approach to ERM can allow these decision-makers to quickly gain the risk intelligence they need to make informed decisions and support the overall business strategy.

We, at MetricStream, regularly engage with our customers to understand their challenges and get their feedback. To establish a cadence for customer engagement activities, we have now set up Product Councils for our various product lines.

These Product Councils offer a forum where we can have interactive, candid, and engaging conversations with our customers to better understand their pain points and requirements. We gather feedback and insights to ensure our products and solutions meet and exceed the needs of today’s dynamic enterprises. The constructive feedback also provides further clarification and direction to our innovation activities and forthcoming releases.

Customer Engagement via Enterprise Risk Management Product Council

We recently hosted our very first Enterprise Risk Management Product Council with our customers across different industries and geographies. The session provided a deeper dive into the UI/UX improvements being made in our Enterprise and Operational Risk Management products.

Over the past few months, we have been working in the background on getting a leaner, compact version of the UI/UX experience across Risk Assessments offering a total facelift to the current version of the form. The latest improvements address the challenges of capturing risk-related information with simplified executive-level reporting, cleaner form layouts, better accessibility, and more, which will considerably help risk teams in performing risk assessments. The improvements will also enhance user experience and adoption with the forthcoming product releases.

We presented our futuristic versions of the form layouts to the council and it was encouraging to see that our efforts were well received by the customers. We also presented the futuristic versions of the dashboards across the ERM product, which will provide actionable risk intelligence to risk executives through interactive risk metrics and better drill-down capabilities.

Several themes and ideas were discussed – what’s necessary, what’s possible, and what’s next. Bringing in more automation and keeping the user interface simple and intuitive were some of the main talking points. We also discussed other product enhancements, potential areas of improvement, and shared the Enterprise Risk Management roadmap to help our customers benefit from Risk Quantification, AI-based recommendations, and much more.

In all, the first session was extremely productive and insightful. What really stood out for me was the level of trust our customers have in MetricStream - they want us to lead and drive industry best practices and not just follow the market trends. It was incredible to see that not only were our customers supportive and receptive, but they also offered to co-innovate some of the functionalities.

We are currently adding to the council and plan to meet on a quarterly basis. If you’re an ERM/ORM customer and want to have your voice heard and drive what’s next, join the Enterprise Risk Management Product Council today! You can reach out to me directly at mhyler@metricstream.com.

Explore the key takeaways from our Third-Party Management and Cyber Risk Product Councils.


Michael Hyler, VP, Product Management, MetricStream

 

Don’t Aim To Be Perfect, Aim To Be Anti-Fragile

4 min read

The Instagram of Risk Blog Series

The holiday period is when I stop and indulge. Quality time with friends and family, a feast of food including sweet treats that shamefully begins before dawn, and the exchanges of gifts make this festive season magical. Talking about gift exchanges, I noticed the words “Fragile - Handle with Care” inscribed across the packaging that I was fortunate to receive from Santa.

Fragile and anti-fragile are interesting words. I have heard them both being deliberated in conversations to determine what makes organizations resilient. At the tail end of 2021, I had the opportunity to moderate a lively panel discussion with a banker, an analyst, and an oil and gas expert (which sounds like something from a movie plot). The discussion was centered on “moving from risk to resilience and making your organization anti-fragile.”

Operational failures have prompted regulators to ask questions of organizations and force them to implement an operational resilience framework to identify their most critical business services and consider vulnerabilities that are broader than cyberattacks.

Here is a sample of the conversation that I posed to the team.

Watch More: Moving from Risk to Resilience- Make your Organization Anti-Fragile

Q: What are the key trends shaping operational resilience?

A: Operational resilience brings together several strands that need to be managed simultaneously. Outages and cyber-attacks can be a significant challenge and even though they are a fundamental part of your resilient model, there are other pivotal factors that you need to consider. For instance, you need to identify your critical business services, set an impact tolerant level for each of these services, have the appropriate controls in place, and carry out scenario testing to evaluate potential sources of disruption.

Q: What elements should be part of an operational resilience framework?

A: At a basic level you need to be aware of your cyber security, business continuity, enterprise risk, and third parties which includes your value chains. The trajectory of organizations migrating to the cloud is on the rise, therefore the security architecture of the organization will have a direct correlation to the resilience of an organization. Your services need to map out to your IT infrastructure. There are plenty of dependencies here, both internal and external.

Q: ESG metrics are a focal point across all industries. What are the challenges and what can you do?

A: There has been a seismic shift in the last year on ESG. It is imperative that you can articulate this before jumping in to meet ESG standards. There is a raft of important climate related initiatives that include sustainable finance disclosure regime, net zero transition plans, and work on ESG issues in the capital market. What is apparent is that customers and shareholders are demanding ESG metrics. They want to significantly reduce the carbon footprint as well as greatly improve diversity in the workplace. There needs to be structure in your ESG performance targets.

Q: How does technology help you stay resilient?

A: Technology has proven to be an enabler and a game changer. You need the right federated technology and real-time reporting dashboards to monitor and manage the wider ecosystem. Preferably with an integrated governance, risk, and compliance solution (GRC). It will allow chief security officers, chief risk officers, auditors, senior managers, and frontline employees to identify and document the necessary people, processes, technology, facilities, and resources required to deliver these business services.

If you understand your controls, risk tolerance, and risk appetite, you can appreciate your topology. With organizations facing a barrage of new competition, regulator changes, disruptive business models, and advanced technology changes, a critical agenda is that companies need to achieve their strategic objectives. Staying resilient has to be one of their top strategic objectives.

It might look like a hill, but we’ll get you over it

At MetricStream, we are leading the way on all these initiatives. As the market leaders of GRC and risk management, we bring your IT and cyber risk management, enterprise risk management, business continuity, regulatory change management, and third-party risk management all in one powerful and user-friendly tool for visualizing, comparing metrics, and staying resilient.

The regulation has been developed to protect organizations, markets and us, and MetricStream can help you take the right direction in staying anti-fragile and complying with regulators.

Have fun and stay strong.

This blog is part of the Instagram of Risk Blog Series, authored by Suneel Sahi, VP, Product Marketing at MetricStream, which captures discussions and insights trending in the risk community.

Check out Suneel’s other ‘Instagram of Risk’ blogs on the key takeaways from the Chartered Institute of Internal Auditors event in London, the European Compliance Week event, and the October 21 MetricStream GRC Summit held in London, Copenhagen, and Zurich.


2021 in Closing – Learnings From a New MetricStreamer

2 min read

Introduction

With almost 3 months into my new role and with the continuously changing landscape of the COVID-19 pandemic, it seemed timely to reflect on 2021.

If you’re in the UK like myself, regular updates on current pandemic statistics, emerging variant information, and pre-emptive warnings of new restrictions are now part of the new normal. We’re shown data and graphs. This leads to a series of questions on how the ‘risk’ is being measured and controlled. Do we need to work from home? Do we need to cancel social activities? Do we need to increase compliance around face masks? Is the control working? Do we need to reassess the current control? Is there sufficient data to warrant a review of the control?

Does this sound familiar? These are all questions that risk managers ask themselves on a regular basis. It’s also important to understand that ‘risk’ is a language that presents itself across industries and in many different forms. Whether you’re trying to avoid insuring properties at risk due to climate change, choosing not to travel due to pandemic restrictions, or taking available vaccines and boosters to minimize potential impact of the coronavirus.

My 3 key takeaways for 2021:

  • The landscape of risk will continue to evolve, and the focus will also shift – we’ve seen that. New requirements around environmental, social, and corporate governance are now part of the new reality. We will continue to see this evolve and companies will be held accountable for their responsible business practices. We’ve already started to see this with Lloyd’s market stating they will end new investments in coal, oil sands, and Arctic energy by 2022. At the start of this year analysts at Societe Generale SA also published a report which outlined how an insurer’s position on coal underwriting and investments can influence the valuation of a company in figures ranging from -3% to +9%.
  • Data is central to all of this, but sometimes it sits in multiple places. Various disparate systems that don’t talk to each other make it difficult to form one view of risk that cuts across different business units. It also makes reporting a nightmare when you bring out our much-loved spreadsheets and try to convert different formats into the same lingo. Products available on a single platform that are interconnected can do the heavy lifting, enabling you to focus on optimization instead of data management and tracking.
  • Agility is important and real-time analytics are central to understanding your risk. These insights support the risk trade-offs and identify opportunities that the board can evaluate. Organizations need to embrace agility and use data and technology assets to continue to evolve with the risk landscape, so they aren’t left behind.

While the pandemic has been a huge focal point in the past few years, I’m of the opinion that new risks will continue to emerge and change the landscape. This is why we must focus on getting ‘our house in order’ by using the data and analytics we have to assess our risk. To not make decisions by chance but by ensuring these are founded on quality data and insights.

Something we talk about here at MetricStream is transforming risk into a strategic advantage. In essence, it’s a journey on how you can move from tracking risk to managing risk and eventually thriving on risk. You can only thrive on risk once you have your data, analytics, and risk appetite in alignment and the strategy around this defined. It is something that we should aspire to do—to go from managing risk to thriving on risk.

You can read more about the journey and how we help our customers here. I hope it’s something we can all do more of in 2022.


Colorado Release: What’s Next in Third-Party Risk? Expanding the View to Fourth Parties

2 min read

Introduction

In today's world, organizations are increasingly dependent on their third parties – their consultants, vendors, and partners – to provide products and services. Financial institutions and large banks especially have large networks of third parties. However, with the numerous advantages of partnerships comes the added responsibility to ensure the trustworthiness of the extended network, now often called the extended enterprise. As the pace of business expands, managing this extended enterprise becomes not just increasingly difficult but also equally important.

It becomes critical for organizations to manage the risks associated with direct third parties as well as identify and manage the risks associated with the third party's third parties: i.e., the Fourth Parties. According to a recent Gartner report, more than 60% of organizations are now working with more than 1,000 third parties, and in some cases, that’s a low estimate, especially as business ecosystems continue to grow and expand.

Every one of those third parties and fourth parties poses a risk to your business. Understanding whom you’re doing business with is essential, and as the network expands, the view gets hazier.

Identifying Your Fourth Parties

Until now, it’s been a real challenge to identify fourth parties since your organization is not directly working with them, and it becomes difficult to track which product or service is being offered by the fourth party. With the implementation of the SSAE 18 report, which mandates your third party to disclose their vendor information, that information can be used to identify the fourth parties – and manage them.

Managing Fourth-Party Risks

Most of the recent security breaches and privacy vulnerabilities are due to lapses in the organization’s extended networks. This can bring serious reputational, legal, and financial risks to an organization, making it vital to start identifying fourth-party risks as soon as your fourth parties are identified. You can start by:

  • Identifying and managing fourth-party information providing products/services
  • Conducting due diligence on critical fourth parties – sometimes the same fourth-party could be working with different third parties for different products/services
  • Assessing different risk areas like Cyber Security, Reputational, Legal, etc.
  • Reviewing SOC 2/SOC 3 reports - understand the control effectiveness in third-party and fourth-party organizations (if any)

How Can MetricStream Help?

In the most recent Colorado release, MetricStream Third-Party Risk Management (TPRM) has expanded its fourth-party risk functionality, equipping you to better assess the risk of your critical fourth parties.

Now, MetricStream TPRM allows you to:

  • Capture fourth-party information in a central repository
  • Associate a fourth-party to a specific product/service or at an overall third-party level
  • Conduct due diligence on the fourth-party and identify the overall risk rating
  • View overall risk exposure from various associated fourth parties at the third-party level

Like to see it in action? Let us show you how we can help you manage and mitigate not just your immediate third party and supplier risk – but also that of their vendors and suppliers. Sign up for a demo today.

Interested to know more about how the new features and functionalities in MetricStream’s Colorado software release can help you thrive on risk? Click here to read more.


Kaul Siddharth, Product Manager

Siddharth Kaul is a Product Manager at MetricStream. He is responsible for managing the Third-Party Risk Management product suite and the product lifecycle including product strategy, roadmap, design, requirement definition, field enablement, customer adoption, competitor analysis, and technology partnerships.

 

Transform Risk and Compliance Programs with MetricStream’s AI-Powered Insights and Recommendations

3 min read

Introduction

As organizations look to harness the power of next-generation technologies and thrive in the era of the Fourth Industrial Revolution, the focus on data is now more critical than ever. It wouldn’t be wrong to say that it is data that runs the modern enterprise in today’s digitized world.

It’s often said that data is the new oil. However, data in itself cannot drive business value—it is only when it is transformed into actionable intelligence that it can enable effective decision-making.

That said, many organizations today lack common taxonomies and structured processes, resulting in unstructured data which is difficult to analyze. This is a major challenge for risk, audit, compliance, and IT & cyber teams as they end up spending most of their time going through this data rather than analyzing it for making strategic business decisions.

Streamlining the processes and workflow and automating them with the right set of tools and technologies is an absolute must for unlocking the true potential of data. By leveraging artificial intelligence (AI), organizations can quickly get insights, identify patterns, avoid duplicate effort, apply the right actions, and better focus on decision-making that helps the business. 

Bringing AI to GRC

Organizations today operate in a complex and unsettled business environment with amplified digital interconnectedness of people, processes, systems, and organizations, rapidly evolving risk and regulatory landscape, geopolitical uncertainty, and more. Furthermore, recent risk events, such as the pandemic, have underscored the importance of a future-ready GRC framework as organizations had an extremely short window of time to act.

Here, AI can be a gamechanger. It can empower organizations to break free from the clutches of siloed operations and facilitate integration and harmonization. Most importantly, it can drastically improve the speed at which risk, audit, compliance, and IT & cyber teams can locate relevant data and information, thereby expediting quick and fact-based decision-making.

MetricStream’s AI-Powered Insights and Recommendations

AI is an integral component of the MetricStream Platform, deployed and operationalized using cloud-first practices, and can be used to build any model or automate any GRC use case. MetricStream currently offers pre-built AI-powered recommendations to transform and automate GRC processes. It automatically provides key recommendations to users based on the historical patterns, so that organizations can further improve user experience and drive intelligent business decisions.

Here are some of the areas where we are bringing AI capabilities:

Issue & Action Management: MetricStream uses the core strength of AI by leveraging semantic analytics with natural language processing that can be used to identify patterns in issues and actions that can originate from any program – be it enterprise and operational risk, compliance, audit, third-party, or IT & cybersecurity. MetricStream’s AI-powered issue and action management provides recommendations to categorize issues based on their semantic similarity and automatically recommends duplicate issues and best possible action plans based on historical trends and business context.

Smart Policy Search: MetricStream’s AI-powered smart policy search simplifies the task of searching for policies using a natural language processing (NLP) based semantic search. It improves search accuracy by understanding the searcher’s intent through contextual meaning.

Observations Triage: As organizations are increasingly enabling the frontline to capture observations, they will have to manage a large number of observations. With such a high volume of observations being reported, the triage process becomes tedious. MetricStream AI-powered recommendation automatically provides recommendations to classify observations as a case, incident, issue, or loss event. This enhances the efficiency of the triage team.

Risk Scoring of Third Parties: As part of risk assessments, third parties must periodically submit detailed SOC2 and SOC3 reports as evidence of robust compliance and controls in their infrastructure and security. MetricStream AI-powered recommendations for third-party risk can automatically extract content from SOC2 and SOC3 reports, compute, and risk rank the third parties based on the number and type of anomalies in the report.  

To learn more about MetricStream’s AI capabilities, click here.

Author

Jayashankar Divi, Senior Director, R&D

 

Simplified Data Import & Export

3 min read

Introduction

Prior to moving to MetricStream to manage their GRC content, our customers would have been either leveraging competitor applications or managing all their data manually via spreadsheets. This huge volume of data would be in different forms and shapes which now needs to flow into our MetricStream system. So, it becomes important for our customers to have a smooth transition from their legacy applications to the MetricStream solution.

MetricStream’s Answer: Data Import & Export

MetricStream provided the “Data Import & Export” spreadsheet-based import framework to push data to our systems seamlessly. This framework allowed:

  • Migration of data from legacy systems into the MetricStream system
  • Bulk creation and updating of data into records, bulk creation of library objects like Risks, Controls, Processes, Auditable Entities, etc. and import system entities like Users, Organizations, etc.


However, although the existing framework enabled extensive usage, it still presented a few challenges. Our customers were operating with certain limitations around configurability and upgrade safety. In particular, when importing high volumes of data, import wait time was high. Hence, rather than adding new features to the existing framework and tuning it, it was identified that developing a brand-new framework from scratch would reap more benefits strategically in the long run, which led to the birth of the “Simplified Data Import & Export” framework.
How Will the “Simplified Data Import & Export” Framework Help?

The new simplified data import & export framework is an effort to overcome the challenges which were faced in the existing framework.

Note: Adoption of Business Rules & Business APIs is a pre-requisite to enable Forms with the new framework.

Developer Community

  • A developer tool that makes it easy to configure and upgrade Safe Data Import & Export templates with minimal development effort
  • No additional development effort to have the Data Import & Export validations written separately, since the framework now relies on Business Rules, which will act as a common validation layer across Forms and Data Import
  • Relying on the BAPI underneath will make the framework more performant
  • Upgrade safe, thereby reducing the time taken to upgrade to future releases or patches

Users of MetricStream

The new framework will co-exist with the existing data import & export framework, i.e., specific Forms can adopt the new framework. Users intending to move to the new framework for a specific Form will require the adoption of Business Rules and Business APIs for that corresponding Form.

The new framework enables:

  • Dynamic generation and leveraging of user-friendly templates
  • Import of attachments & ability to retain rich text format during import
  • Importing data at different workflow stages
  • Improved import & export status reports

The early adopters of the brand-new framework from Products include select Forms from GRCF, CMP and LSM.

In short, if your Forms are ready with the adoption of Business Rules and Business APIs, and you plan to leverage the Data Import & Export capability in your application, then, the Simplified Data Import & Export framework should be your choice.

Stay tuned for more information on our product enhancements coming soon.

Request a demo to learn more about how MetricStream can help your organization enable risk-informed decisions that accelerate business performance.


Veeraj Tallur, Product Manager - Platform Team at MetricStream

Veeraj Tallur, Product Manager - Platform Team at MetricStream, has 10+ years of experience in Product Management with an additional interest in writing blogs and creating marketing content. Prior to joining MetricStream, he worked in the news and media industry at companies such as Thomson Reuters, where he was responsible for creating external-facing financial market related content. Academically, he has an engineering degree in Electronics and Communication. In his free time, he loves to read blogs and go for long drives with his family.

 


Our European GRC Summit Roadshows and the Instagram of Risk

4 min read

Introduction

Talk about roundtrips… In the same week as a very successful 2021 GRC virtual summit on the 19 and 20 of October, where MetricStream had over 2500 customers, prospects, and partners registered to learn, participate, and share their experiences around GRC, IRM, and everything in-between, we decided to host three physical summits based in London, Copenhagen, and Zurich to continue the conversations with our community.

All three locations had a boardroom style setting dedicated to a round table discussion. The aim was simple, we would listen to what our community had on their mind. It was an opportunity to find common synergies, lead round table discussions, and network with senior risk professionals that are paving the way in this industry.
With representation from risk, compliance, audit and IT Cyber, the discussions were captivating, and the commentary was electric.

London Calling

 


The first of the events started off in London, and we had a great mix of customers, partners, and prospects around the table.
Our CEO, Bruce Dahlgren introduced the session, and it was an engaging group that shared their thoughts and concerns around the current themes and trends.

Alongside the presentations, our partners gave a short speech on the success of collaborating with MetricStream to provide business benefits for our risk community. What followed was an insightful roundtable discussion that covered risk quantification, cyber security, and the need for organizations to lead with purpose.

It did not take long for ESG to make an appearance and quite rightly so, with COP26 on the agenda and the link to compliance, organizations that have a purpose and are aligning to social governance, diversity, and climate change are setting a precedent. MetricStream recently launched the ESGRC product, which enables organizations to define and manage ESG standards, frameworks, and disclosure requirements. There was a lot of excitement on this in the room.

Emerging risks and third-party risks were explored in detail. With recent supply chain disruptions, it became even more apparent how peripheral risks had to be managed.

Dinner followed, and the conversations (like the wine) continued flowing. It was delightful to see customers connecting with customers. It was evident that they all thrive in this environment and that it was clearly something they had sorely missed over the last 20 months.

Cycling through Denmark

We settled in for another topical roundtable discussion, where the thoughts and real-life examples of how technology is an enabler in the GRC space were deliberated. In some instances, the dialogue went back and forth. One example of this was that the concern organizations face with risk was not always a technology one, but more of a transformational project that the organization needed to resolve. Accompanying this was the remark that there are inconsistencies in risk terminologies across the industries, which fuels part of the problem. It was also surprising (to me) to learn that there were still so many organizations using spreadsheets to manage their risk. This was their default way to identify, monitor, and track risks, even though they knew it was not sustainable, efficient, or scalable.

The need for AI and ML to automate risk attributes was the next topical point. The comment was made that AI techniques recognize patterns and trends to help alleviate the pain, time, and missing information that humans cannot always detect, but how do you know that AI is doing the right thing? This conversation continued into the evening, accompanied by food and drinks.

High-End Shopping in Zurich

And finally, concluding the week in Zurich, we had another full house with an engaging group that deliberated on how they can start a community of risk or, as was suggested, the “Instagram of risk”. There were discussions around risk culture, accountability, accurate data, and mindset. Some customers admitted that it was quite possible to get lost in the data and what they require is speed, agility, and most of all simplicity. A comment was made that you could spend all your time managing documents and not the risk. Another referenced that as change management sits in all departments, including HR and legal, it can be a challenge to bring it all together for larger organizations. Crypto also made it into the discussion, with a notable mention that new risks have no historical data to base it on.

Visibility and accountability were front of mind in the discussions, and a common theme that was mentioned was on reporting risks up to the board of directors and the role of the board in risk governance.

MetricStream presented 5 current trends that we are observing in the industry and 5 innovation themes that we are leading the way with (API, AI, Adoption, Agility & Analytics).

By bridging the gap and driving value for the community, MetricStream has a purpose to continue to add value and innovate alongside our community. We want the community to thrive on risk and reap the rewards of being on a GRC journey that, like a good bottle of wine, gets better with age.

Until the next summit.
