
Market Trends That Matter. Power What’s Next in GRC with MetricStream’s Brazos Software Release


Introduction

Our world is being rapidly disrupted by risk. Several emerging factors, including the new organizational challenges introduced by the ongoing pandemic, have made risk management more challenging than ever. As organizations seek new and improved ways to grow more resilient and ‘thrive on risk,’ a comprehensive understanding of the changing risk landscape can inform the right resilience strategies.

  • Interconnected Risks are Increasing in Velocity and Volume

    Headline-grabbing cyber, third-party, and supply chain risks—all of which form complex, interconnected risk networks—are increasing in frequency. Cybersecurity threats exploiting remote work environments rank at the top of the list for chief risk officers (CROs) in the US: PwC’s 2021 US Pulse Survey saw 45% of CROs express concern about cybersecurity threats. When it comes to supply chain disruptions, research from the McKinsey Global Institute forecasts that disruptions lasting a month or longer can now happen every 3.7 years on average. The interconnected nature of these risks leads to significant consequences, from operational and cost implications to tarnished reputations. In KPMG’s global survey, six out of 10 respondents attribute their organization’s most severe reputational risks to third parties. The consequence: organizations are quickly realizing that risk assessment needs to happen in real time so that they can make faster decisions.

  • Peripheral Risk Awareness is Expanding

    Increasing data volume and regulatory overload are causing peripheral risk awareness to extend beyond its traditional boundaries. Growing digitalization is enabling organizations to produce and digest granular data—expanding the role of risk and control functions. However, data generated by business lines and operational units exists in silos and so cannot contribute to the overall view of the business. The sheer volume of regulatory change—which grows year-on-year to protect organizations, consumers, and other stakeholders—is a huge challenge for compliance teams. Our recently released 2021 State of the Compliance Survey report found that 76% of compliance managers manually scan regulatory websites to track changes and assess their impact on the business.

    Such complexity involved in managing growing data and the escalating regulatory change is driving the need for artificial intelligence (AI) and robotic process automation (RPA) solutions.

  • The Front Line is Best Positioned for Risk Management

    A lot of risks start at the front line, but the good news is that they can end at the front line as well, because frontline workers hold the unique position of being valuable sources of risk-related information for the organization. Success, however, depends on two things: first, the efficient aggregation of intelligence from those who deal with risk firsthand, and second, the effective management and extraction of value from that intelligence. The adoption of digital tools that make it easier to capture, report, and track business anomalies is the obvious answer to empowering the front line. Organizations agree: three out of four (75%) key managerial personnel in KPMG’s Covid-19 Risk Assessment survey named the adoption of digital tools as a crucial priority in developing a robust risk-assessment approach.

  • Greater Agility is the Need of the Hour

    As organizations become more digitalized, they gain the ability to do more. Take, for example, contracts, which are integral to any organization. With digitization, organizations are able to extract far more data by comparing and analyzing the information at hand. However, to use this data to make faster strategic decisions, organizations need to be empowered with agility. Risk and compliance intelligence from across business units and departments—including semantically similar issues reported in the past—needs to be captured, aggregated, and analyzed in near real time. According to Chartis Research survey data, 57% place real-time event processing in the ‘high impact’ category among the varied impacts of advanced technologies on firms’ GRC architectures.

  • Disconnected Approaches Call for Integrated GRC and Risk Quantification

    Gartner forecasts 12.4% growth in global spending on information security and risk management technology and services, with estimated spend reaching $150.4 billion in 2021. However, many organizations continue to manage risk, business continuity, compliance, and internal audit separately, resulting in multiple silos and disparate processes. Near real-time visibility into risk and compliance is only possible when the different perspectives on risk across the various functions are integrated and harmonized. For example, standardizing the taxonomies used in risk communication can help. Another way is to embrace risk quantification: moving away from categorizing risks as red, yellow, or green toward quantifying the specifics of a risk, such as its dollar cost or impact, is the way ahead.

Power What’s Next with MetricStream’s Brazos Software Release

Helping organizations address and stay ahead of these market trends is MetricStream’s Brazos software release. As outlined in our earlier blog, the Brazos release packs in several features aimed at simplifying regulatory and compliance complexity, quantifying the impact of cyber risks, and powering next-gen vendor risk management with AI—enabling your organization to become future-ready.

Watch the webinar or download the eBook to learn more on the market trends driving change and how your organization can stay ahead with MetricStream’s Brazos software release.


Looking to Build a Strong Risk-Aware Culture? Equip and Empower the Front Line to Own Risk


Introduction

“Culture eats strategy for breakfast.” The popular phrase attributed to celebrated management guru Peter Drucker holds true not just for organizational culture but for risk culture as well. Drucker was not dismissing the importance of strategy, but rather emphasizing the role of culture in executing strategy. Similarly, a strong risk-aware culture plays an equally crucial role in effective risk management.

An effective risk-aware culture—determined by the awareness, attitudes, and behaviors of individuals and groups inside an organization—supports an organization’s risk strategy and risk management approach. It works to strengthen the core of an organization’s operations, including compliance with regulatory and statutory requirements, financial performance, and reputation in the market. Furthermore, building a strong risk-aware culture equips organizations to drive strategy. Whether it is entering a new market, negotiating mergers and acquisitions, or investing in organic growth, companies are empowered to make the right decisions.

Organizations are now ranking risk culture as one of their top ERM priorities. As per Deloitte’s recent Global Risk Management Survey, more than half (55%) of financial institutions are actively building a risk culture across the enterprise. The ongoing pandemic, as discussed in our earlier blog, has further added a sense of urgency in establishing and embedding a strong risk-aware culture.

Engaging the Front Line in your Risk Management to Implement a Positive Risk Culture

Faced with the complex challenges in today’s business risk environment, organizations across the globe have moved from a position of protective and reactive risk management to a proactive and strategic stance. They are increasingly acknowledging the risk accountability role played by the front line in developing an integrated and agile approach to risk management. They understand that risk management must be owned and led by the entire business—making it imperative for a strong risk awareness to be embedded in the front lines.

The nurse at the hospital, the teller at the bank, and the customer service executive at the telecom retail outlet are all frontline workers: individuals whose job roles involve engaging with external stakeholders, customers, and partners. Being the first to hold these interactions, they are uniquely positioned to be valuable sources of risk-related information for the company. However, unless there is a deeply embedded risk culture, they may not even be aware that they hold critical intelligence as they go about their daily operations. It is therefore important to involve and empower your front line, because they make key risk and compliance decisions every day that either protect your organization from, or expose it to, various risks.

For example, a single suspicious transaction report (STR) filed by a frontline bank executive can actively stop the flow of illegal money and the associated financial crime. But very often, an unsupportive culture or even the lack of reporting tools can work as a stumbling block. Conversely, a strong risk-aware culture would empower this employee with the right awareness levels and tools to act proactively.

Today, with the pandemic causing work from home en masse, every employee is a frontline worker and, by extension, a risk manager. They will have to be equipped with the right training and reporting systems to help them identify and report a malicious attack—making it even more important for organizations to actively embed a risk-aware culture.

Equipping the Front Line—Vital to Embedding a Risk-Aware Culture

Strengthening an organization’s risk culture is a continuous process. And when it comes to frontline workers, faster adoption of a risk-aware culture will depend on:

  • The ease of capturing and reporting business anomalies, as well as of tracking reported anomalies
  • The efficient use of frontline workers’ time, including the time spent in training
  • The availability of psychological and physical safety around risk reporting on sensitive issues
  • The effective use of technology, such as AI-powered tools, to simplify the reporting of observations, issues, or any anomalies

This is where leveraging the right tools and technologies can play a key role in equipping your front line—leading to the building of a strong risk culture across the organization.

MetricStream Observation Management, built on the MetricStream Platform, makes it simple for your frontline employees to capture and report business anomalies. Your employees can report observations discreetly and anonymously if they feel an issue is sensitive. The AI-powered interactive tool, which includes widgets for third-party applications, browser plugins, conversational interfaces, chatbots, and intuitive web forms, makes it easy for your frontline workers to flag potential risks and report any anomalies and deviations. Its AI/ML capabilities surface similar issues or observations raised previously, avoiding duplicated data and effort. Once an incident or anomaly is reported, the employee can track and view the status of the observation. Finally, as an organization seeking to build a risk-aware culture, you save on training time while gaining the benefit of simplified adoption of GRC across the front line.

Additionally, the MetricStream Integrated Risk Management solution can effectively unify and streamline risk management activities across all business functions—making it easier to instill a risk-aware culture. By cutting across organizational silos, standardizing risk and control taxonomies, and enabling stakeholders to effectively coordinate, the solution can improve risk reporting visibility and efficiency for the executive management and board.

Contact us to know more about how our Observation Management and Integrated Risk Management solutions can help you build a strong risk-aware culture.


Sumith Sagar Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales, and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC) and Commodity Trading & Risk Management (CTRM) to cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.

Powering Your Operational Resilience Journey With an Integrated Risk Management Approach


Introduction

The regulatory focus on operational resilience, particularly of financial services institutions, has intensified in the post-pandemic world. Central banks and other regulatory authorities are increasingly publishing guidance and policies to help financial firms navigate these untested waters and recover quickly from any operational disruption.

Regulatory Guidance and Initiatives

In March 2021, the Basel Committee published “Principles for operational resilience” to promote a principles-based approach to improving operational resilience. The committee said that the principles aim to “strengthen banks’ ability to withstand operational risk-related events that could cause significant operational failures or wide-scale disruptions in financial markets, such as pandemics, cyber incidents, technology failures or natural disasters.”

In the U.S., federal bank regulatory agencies, including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC), released a paper in October 2020 outlining sound practices for large banks to help them enhance operational resilience.

In the European Union, the draft legislation, Digital Operational Resilience Act (DORA), was published in 2020. The objective is to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyberattacks and other risks.

In the UK, the Bank of England (BoE), the Financial Conduct Authority (FCA), and the Prudential Regulation Authority (PRA) published a joint discussion paper on Operational Resilience in 2018 followed by a joint consultation paper in 2019 with the primary objective of promoting the operational resilience of firms and financial market infrastructures (FMIs). Similar efforts are being made by regulators in other jurisdictions, including the Monetary Authority of Singapore (MAS), Hong Kong Monetary Authority (HKMA), and others.

The heightened regulatory focus, however, is not surprising given the paradigm shift in the business environment spurred by the pandemic. Organizations today have to operate in an extremely unsettled business environment and withstand cyberattacks, supply chain disruptions, third-party risks, geopolitical upheaval, and many other risks on a daily basis.

[Read more: Top 5 Operational Resilience Challenges in the Post-Pandemic Era (eBook)]

Operational Resilience: Key Considerations

Last year, I wrote this paper based on the focus of the BoE & FCA joint consultation paper and the Institute of Risk Management’s Innovation Special Interest Group focus on this topic of operational resilience. Given the continued market focus on this subject, I have looked to revisit this subject and present prevailing views from across the industry in a new eBook.

I simply look to explore what achieving resilience really means in practice and how financial firms can gain a view and report to the board, investors, and regulators in an agile and meaningful fashion to attest to their “State of Operational Resilience”. Here are some key considerations for organizations:

  • Adopting a robust operational risk management program with fully integrated loss/risk event management, which in turn integrates fully with the business impact assessments from the organization’s business continuity management system.
  • Proactively planning crisis responses, periodically testing recovery procedures, and enabling rapid recovery from disruptive incidents affecting business operations.
  • Improving the quality of, and assurance around, the supply chain, including setting up a cadence for reviewing critical suppliers.
  • Aligning business processes, associated risks, controls, assets, and policies on an integrated platform to enhance risk visibility and improve the understanding of interdependencies.
  • Ensuring effective management of data to uphold data quality and integrity.

I believe that to be able to readily view the enterprise status of operational resilience, organizations need to focus on people, processes, systems, and data. To pull these effectively together, they need a simplified clear vision and adaptable risk and controls framework that can adapt and change with innovation and ever-changing regulations and standards pulled together across all three lines on a powerful integrated risk management platform.

Implementing an integrated risk program can help organizations in their pursuit of achieving operational resilience. A technology-driven, integrated risk management program that spans the organization across multiple functions and regions, products, and segments will help aggregate to a single source of truth.

MetricStream Integrated Risk Management empowers organizations to manage both current and emerging risks across geopolitical, digital, strategic, third-party, cybersecurity, and compliance areas. The solution helps unify risk management activities across all business functions, align assurance programs, and gain comprehensive visibility into both risk exposure and risk relationships. By providing deeper visibility into and understanding of risk inter-linkages and their impact on business performance, the Integrated Risk Management solution strengthens resilience, enhances agility, and empowers risk-aware decision making.

To download the eBook, click here.


Charles Nicholls, Senior Sales Executive, MetricStream

Charles Nicholls is an enterprise risk solutions specialist and currently serves as the Senior Sales Executive at MetricStream.

Prior to MetricStream, Charles held various sales, audit, and Network Trading and Enterprise GRC solutions specialist positions at organizations focused primarily on the Global Banking and Financial Markets sector, including Thomson Reuters, Refinitiv, Galvanize, BT, and others. In March 2003, he founded Inspiration Sales Consultants Ltd., which offered services including sales and marketing consulting, staff recruitment, training and development, and more.

Making the Right Investments by Quantifying your Risks


Introduction

Organizations today need to optimize their risk rather than focus on avoiding it: to know which risks should be accepted to enable business success and create value.

When it comes to cyber risks, one of the biggest challenges security professionals face is communicating the associated financial impact to the decision-makers. Assigning a dollar value to cyber risks will better equip the executive management and board to prioritize the risks, drive a stronger alignment between business priorities and cyber investments, and ultimately, make risk-aware decisions.

At MetricStream GRC Summit June 2021 Edition, Gavin Grounds from Verizon joined us for an exciting discussion on how organizations can thrive on risk to get a competitive edge.

In this blog, we have highlighted the interesting points from the discussion on how quantification can help in making the right security investment decisions.

What are some of the key challenges?

Regardless of whether it is a large organization or a small one, one of the common challenges across all organizations in the area of cybersecurity is prioritization, Gavin said.

Organizations today face thousands of risks, and a key challenge is to ascertain which of those is the biggest priority. Likewise, they might have hundreds of controls, and they need to rank the importance of these controls and determine how much to spend on each one. Every dollar spent on a control should be justified by the benefits realized. Because the budget is finite, it needs to be used in the most optimal manner.

How to start with Cyber Risk Quantification?

The primary objective for the CISO is to drive overall risk down and enable better-informed business decisions, and cyber risk quantification can greatly simplify the process by expressing risk in monetary terms. As an example, suppose you have a business opportunity worth $100M that carries $1M of cyber risk; you can easily see the overall value of $99M and decide whether to go ahead. But if you represent your cyber risk as, say, 3 critical, 5 high, and 3 medium risks, it is difficult to calculate the overall business value of that opportunity, and you might miss the first-mover advantage.

Prasad Sabbineni, EVP, Product at MetricStream, added that CRQ is the natural extension of the quantitative assessment (high, mid, and low-risk heatmaps) that organizations have been doing as all these factors serve as input to the model to calculate the dollar value of the associated risk. When asked about how organizations can start with CRQ, Prasad suggested that organizations can start small – select key risk areas and apply this quantitative technique to see the results. Once they understand the results and their value, they can gradually expand to other risk areas.

How MetricStream helped one of the largest telecom companies in their decision making

With MetricStream Cyber Risk Quantification (CRQ), a U.S. telco giant was able to make its cybersecurity decisions 50% faster by quantifying the dollar impact of cyber risks.

MetricStream helped the company harmonize its risk management techniques and methods by driving towards a common risk score across cyber, operational risk, and resilience teams. This score is based on consistent factors and is grounded in a business context.

This combined risk score helps cyber teams accurately weigh the cost-benefit of either a single risk mitigation strategy or a combination of them. It also helps them increase the agility and speed of remediation efforts. MetricStream also provides a top-down and bottom-up 360-degree view of cyber risk.

Top-down views take risk assessment information from the business in terms of dollars—for example, how much it costs to keep an order processing system up and running. Meanwhile, bottom-up views provide data on the costs of mitigating vulnerabilities.

Conclusion

CRQ is important for every organization irrespective of the size and industry. With the interconnected fast-paced digital economy, organizations are exposed to many new risks. Prioritization and communication of risk will help in better decision-making and provide a competitive advantage in the market.


BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

The 5 As of Innovation – Keeping MetricStream Ahead of the GRC Game


Introduction

One of the exciting things I’ve noticed since joining MetricStream recently is the high degree of what I think of as “ions”: Collaboration, Adaptation, Acceleration, Motivation.

We listen to customers, we flex fast to meet their needs, and we work hard together.

Above all, to belabor the “ion” metaphor, I’ve been struck by the degree of Innovation. Here are five areas of innovation that are driving risk management and GRC overall, and where MetricStream is taking a fast-forward lead. Let’s take a closer look.

APIs – Addressing Interconnected Risks Through Integration

If there is one word that describes risk management and GRC today, it’s “interconnected.” (I guess I should have said “intersection,” to stay with our theme, but you get the point!)

Risks and regulations are coming at us more quickly than ever, and they’re completely connected. As just one example, think of your third parties. We may think of “third-party risk,” but those third parties pose cyber, compliance, and reputational risks. New regulations drive policy. Policy drives compliance. And compliance drives corporate culture and behavior.

Enterprise risk and GRC is a sprawling web of interlinked risks and data – and managing it is, to say the least, a challenge.

That’s where APIs come in. They’re not a new concept – many of us were working with Application Programming Interfaces to connect applications 20 years ago. But today’s APIs enable you to seamlessly integrate and connect your internal and external data to see connections and link risks.

Connect your risk management application such as MetricStream to your internal data sources, applications, and relevant external content (such as security risk ratings, financial data, and much more) for the complete picture. You might even call that a… revelation.

Uncover Patterns With Artificial Intelligence and Machine Learning

Remember “big data” from a decade or so ago? It was quite the “sensation!” (I am on this roll now – I’d like to apologize, but it’s too fun.) In all seriousness, big data has only gotten bigger – apparently, we create 1.145 trillion megabytes of data a day, according to the internet. I don’t know how to visualize that, but we all know: it’s a lot.

Now imagine sifting through all that data to make risk decisions. Compliance with new regulations. Observations submitted by frontline employees. Third-party questionnaires. Even if it were possible manually, is that how you want to spend your time? Luckily, artificial intelligence and machine learning – which have also been on our collective radars for quite some time now – are coming of age and realizing their promises of intelligence, effectiveness, and efficiency.

AI and ML can quickly:

  • Deal with large amounts of unstructured data. Picture comments and questionnaires, for example. How could you possibly examine them? AI and ML can quickly categorize, sort, and sift through them for answers and patterns.
  • Apply learning analytics. AI can apply models and make predictions, just as a traditional risk model could – but more importantly, it can learn and change with the inputs, making the outputs highly predictive.
  • Make recommendations. We’re all familiar with recommendations in our personal lives, like Amazon’s “you might also like…” AI can work similarly in risk management, running scenarios, and making recommendations based on your organization’s risk tolerance and behavior.

The full promise of AI, ML, natural language processing, and other neural techniques are just unfolding – but they’re starting to change the game in risk management. Stay tuned.

Adoption – The Power of Intuition

Wow, an “ion” twofer! However, we know it’s true – a product is only as good as its adoption. It will only be used if it’s intuitive, easy to use, and easy to roll out.

That comes down to a friendly user experience, onscreen and off – and at MetricStream, it’s one of the key themes we hear about. Today, risk management and compliance are what we call “team sports.” They stretch across the enterprise and involve employees from risk management and audit to the board – and on the frontlines. Without being able to easily implement and adopt a product, the ability to manage and control risk is severely compromised.

At MetricStream, we pride ourselves on providing a complete customer experience – from when you first sign up through implementation to an easy-to-use, modern, cloud-based interface. Whatever product you use, adoption is key. Look for a smooth experience – easy to buy, adopt, and use.

Agility – Move Fast and Iterate

One of my favorite movies is “Ferris Bueller’s Day Off.” Do you remember Ferris’s big quote?

“Life moves pretty fast. If you don’t stop and look around once in a while, you could miss it.”

Of course, he wasn’t talking about risk management (though he was clearly a master of it!), but he could just as well have been talking about GRC and risk management today. The speed of change, regulation, and risk is dizzying. Each ransomware and cyberattack we hear of is more alarming than the last, from Colonial Pipeline to Kaseya Software. Governments are fast upping the ante on legislation and compliance. Suppliers and third parties are multiplying.

The only way to keep up with such change is to stay ahead and stay agile. The “As” and “ions” I’ve mentioned so far all add up to a fast approach – easy to adopt, easy to integrate, and easy-to-use AI – but risk management as a thought process also needs to be agile. Policies need to be stored, managed, and rolled out in ways that adapt to new situations. (How did your work-from-home policy fare with COVID-19?)

Agility is a theme not just for software development but for building a culture of risk management. We need to stay fast, flexible – and open to change.

Analytics – Apply Intelligence and Predict

Finally, let’s close with a theme we hear about daily – the importance of analytics. Once again, analytics in risk and GRC aren’t new. Most of us have probably been using credit risk models or algorithms for years. But today’s analytics are something else – powerful, adaptive, predictive.

  • Where are your most risky suppliers?
  • How can you analyze and model cybersecurity threats and vulnerabilities?
  • How can you quantify your risk – whether cyber or enterprise?

Analytics, combined with data integration and AI, equip you to act on true insight – rather than spending your time gathering and trying to understand data. They elevate risk management to the strategic art and science it is – and provide you the visibility you need to make informed, risk-aware decisions.

I hope you’ve enjoyed our tour of GRC innovation – please reach out to see how MetricStream can help you address any or all of them with a personalized demo. Thank you!


Patricia McParland, AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.

Five Big Things for Risk Leaders


Introduction

The risk management discipline is making its way toward being a true profession, with some practitioners and leading, progressive trade associations, among others, showing the way. As the VUCA world (Volatile, Uncertain, Chaotic, and Ambiguous) becomes more and more pervasive for everyone, it is critical that the discipline’s stakeholders step up their commitment to enhancing its capabilities. Accordingly, here are “five big things” that all stakeholders should take account of moving forward.

First, the risk discipline is striving for greater acceptance among decision-makers, with the long-term goal of achieving “profession” status. This goes beyond effectiveness to strategic influence. Regrettably, most colleagues of my generation, and even of the follow-on (Gen X) generation, are still too often perceived to be “insurance” managers: needed, but not strategic players with influence. Some achieving CRO status are climbing this hill, but even many CROs are “chief” in title only. RIMS is working on this issue. For example, I’ve advised them on the development of an upskilling program to prepare their members to advise their boards more effectively and, in the long term, to take board seats as risk experts.

Second, the increasing unpredictability of events that can produce major losses continues to perplex the risk discipline. The emerging-risk process has been the key method for getting ahead of low-frequency, high-severity loss exposures that some consider “black swans” (e.g., Covid), but it more often involves the “grey swans” and “white elephants” (terms coined by James Lam) that represent events that are somewhat more likely but still highly destructive. Advanced risk systems generally, and other insurtech-oriented solutions and tools, are adding predictive capabilities that will mitigate this going forward. Clearly, in the case of Covid, the mark was missed.

Third, operational resilience is a fast-rising critical issue, especially in the wake of the Covid-19 pandemic. Banks in particular have upped their game in this area after experiencing significant disruptive impacts from Covid-19. While strategic risks continue to be the most destructive of value according to the research, operational risks (risks associated with people, process, and technology) can drive “death by a thousand cuts,” especially when the events directly relate to serving the customer. The objective is consistently delivering quality customer service, both directly and indirectly, through even substantial disruptive events. To build and maintain operational resilience at sufficient levels, it is critical to consider, among other things, the following: ensure an effective business continuity strategy and plan is in place and regularly tested and updated; understand and track the interdependencies and interconnectedness among operational risks; ensure there is a robust third-party risk management process in place; and have a risk technology capability that can track, assess, and manage incidents, extract relevant exposure information from across all segments of the organization, and deliver targeted, refined, and actionable risk reporting to the right risk stakeholders at the right times.

Fourth, the accelerating and more frequent instances of disruptive innovation, technologies, and events are morphing the risk profiles of organizations, especially multinationals. I’ve written about digital risk management as an emerging subset of the risk management discipline, which clearly indicates that the risk profiles of the future are likely to be nearly all digital. In other words, as most new exposures have digital profiles themselves, risk leaders will be increasingly unable to understand these risks, let alone manage them effectively. Sedgwick can help its customers get ahead of this curve, which, if not dealt with, will ultimately render them obsolete.

Fifth and finally, as disruption risk rises for all organizations, the business of risk and risk management continues to rapidly evolve its capabilities to mitigate disruptors, especially through technology-based solutions to risk challenges. The return on these innovation-related investments is driving record amounts of venture capital ($7B in insurtech alone in 2020) to risk-related start-ups and incremental investment in aging solutions. All risk stakeholders stand to benefit from this trend as the destructive effects of disruption meet more effective mitigation. The traditional ways in which so much of risk management has been done will not persist much longer: the disruptions that will inevitably occur will be increasingly leveraged for value creation (the upside of risk) rather than being experienced only as loss events (the downside of risk), as in the past.

Chris Mandel will be speaking at the MetricStream webinar, “Strengthening Operational Resilience for Banks and Financial Institutions”, on June 29, 2021.


Chris Mandel RIMS-CRMP President and Managing Consultant Excellence in Risk Management, LLC


Operational Resilience: Why it Should Be at the Center of Your Risk Strategy


Introduction

The banking and financial services market is no stranger to disruption and crisis. The Global Financial Crisis of 2007-09 resulted in far-reaching structural and regulatory changes across the sector. But no one could have anticipated the events of 2020-21. Even as the COVID-19 pandemic wreaked havoc, the world also had to contend with political upheavals, social unrest, economic slowdown, and significant market dislocation. Banks and financial institutions across the world faced an unprecedented crisis that affected them at different levels. On the one hand, there was revenue loss as interest rates plummeted and bad loans increased. On the other, the sudden need for remote working and social distancing put significant pressure on established branch infrastructure and ways of working.

Between December 2019 and April 2020, the Euro STOXX Banks index slumped by 40.18 percent, the STOXX North America 600 Banks index declined by 31.23 percent, and the STOXX Asia/Pacific 600 Banks index fell by 26.09 percent. Through all the chaos and disruption of this period, one thing is evident: the banking sector must revisit its operational resilience strategies and integrate them with its risk management roadmap.

Why is Operational Resilience Important?

The Basel Committee defines operational resilience as “the ability of a bank to deliver critical operations through disruption.” Earlier this year it issued seven guiding principles for establishing an operational resilience framework. These are comprehensive and build on already established guidelines for resilience and continuity. In my opinion, this is the most important aspect of creating and deploying operational resiliency strategies at this point in time. Most banks had resilience frameworks and continuity plans in place even before the pandemic hit. But the circumstances of 2020-21 meant that they had to rapidly adapt their operational models in response to an evolving situation.

Operational resiliency can no longer be an afterthought, a static policy, or something independent of risk strategy. Going forward, it is important for banks and financial services companies to base their operational resiliency frameworks on the fundamental understanding that crisis situations are unavoidable and fluid. So the strategies they deploy and the business continuity plans they create must be pragmatic and flexible enough to cope with a rapidly changing risk landscape. The focus now has to be on establishing a comprehensive resiliency framework grounded in the risk landscape, one that captures the impact of various threats on critical activities and provides for the availability of crucial resources during crises.

The Reality of Interconnected Risks

Risks are interrelated and understanding a risk landscape in its entirety is crucial for successfully navigating an uncertain future. For example, a pandemic-induced economic slowdown can lead to mass unemployment and businesses shutting down. This in turn will trigger not only a slowdown in loans but also a spate of defaults. A comprehensive and continuous risk assessment exercise must be owned by the board of directors or senior management. And their involvement must also extend to periodic reviews, incident reporting and evaluation, and course correction. Banks need to also consider both external and internal risks and understand how operations are interlinked to create an effective plan of action.

Maintaining Business Stability

A robust business continuity plan with controls, processes, and checks is critical to ensuring business as usual even under the most extreme circumstances. The framework should also include incident mapping, escalation mechanisms, threshold setting, and rapid governance measures for new issues that can disrupt operations. If the bank works with third-party vendors, a careful evaluation of their resiliency and risk management plans is essential. Central to any operational resiliency framework is technology. As the pandemic proved, technology is inextricably tied to continuity, access, and even business recovery. Data-driven risk assessment models, robust cybersecurity platforms, and alert mechanisms, coupled with an effective cloud and product modernization strategy, can provide the scalability and flexibility banks need to ensure business as usual in times of crisis.

BFSI - Critical Role in Economic Recovery

These are unprecedented times, and they necessitate extraordinary measures. As one of the pillars of the global economy, banks have a crucial role to play in the world’s recovery from this pandemic. To do this effectively, banks must remain profitable and innovative in their products and service offerings. Embedding operational resiliency frameworks into the overall risk management plan is a crucial strategic priority to ensure continuity and to make risk-aware decisions on investments and expansion into new products or territories.

Read more:

1. Moving From Risk to Resilience – Make Your Organization ‘Anti-Fragile’

2. Essential Elements of a Successful Integrated Risk Management Program

3. Robust Risk Management is a Lot About Mind Games


Sumith Sagar Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC) and Commodity Trading & Risk Management (CTRM) to cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.


Integrated Risk Management is the Mantra to Manage Interconnected Risks


Introduction

In today's business world, silos are crashing down. The business landscape has been redefined by digitalization, and the evolution of the internet, mobile computing, and data science has led to greater interconnectedness of operating markets across geopolitical borders.

The unprecedented after-effects of COVID-19 also made us realize that the world we live in today has a high degree of interdependency. For instance, this slow shift toward working remotely on a permanent basis could result in some long-term impacts on different industry sectors simply because everything is connected. A disruption anywhere on the transaction chain has the potential to create a domino effect and send ripples down the market. If businesses fail to understand and analyze the interconnections, they can make myopic decisions that could cause organizations to fail in developing and executing effective recovery strategies.

Despite the ongoing effort to adopt new technologies and tools to implement a pervasive approach to risk management, business leaders and risk teams are still unable to fully understand the interconnectedness of risks. In our recent webinar, risk professionals and leaders discussed why that happens and how businesses can take a holistic and integrated approach to make risk management processes more efficient and effective.

What impedes businesses from being able to understand and analyze interrelated risks?

  • Even if risk management is perceived as a critical function, some executives push back on risk management efforts because they simply don’t have enough information to put the risks into proper perspective. They may understand that a risk exists but might not have a detailed understanding of what it could mean or its potential impact on the organization’s long-term success. Therefore, a lack of a strong organizational risk identification and analysis program can lead to poor risk management practices within business units.
  • Lack of top-down (business level) and bottom-up (process level) risk assessments: Organizations often lack a bi-directional risk identification and assessment strategy, in which senior management identifies the strategic priorities and risks while the process level identifies related operational breakdowns and patterns to inform the top. This type of approach allows both the business-level and process-level functions to make adjustments as needed within their operational plans and strategies.
  • Risk management strategies are reactive and not proactive: Risk management is often treated as a compliance problem that can be solved by drafting a set of rules and making sure that all employees follow them. Instead of tying risk management with strategic planning to develop appropriate mitigation strategies, businesses view risk management as more of a check the box, rather than as a proactive decision support to identify gaps and blind spots.
  • Lack of framework for analysis and aggregation of risk themes: Data alone doesn’t guarantee that a business can make effective decisions about risk. This is, in fact, a major challenge for organizations—while risk data is available, they lack the expertise to mine valuable insights and understand the interconnectedness of risks. Organizations need to break down data for granular insights that the board can understand and use. Reports based on risk data should be accurate, clear, and complete. They should contain the correct content and be presented to the appropriate decision-makers in a time that allows for an appropriate response. High-quality risk management reports rely on the existence of strong risk data aggregation capabilities, and sound infrastructure and governance ensure the information flow from one to the other.

Even today, businesses implement controls without understanding how they affect different business areas. Implementing controls within a siloed system can lead to an overabundance of overlapping and duplicated controls, which are unnecessarily expensive and time-consuming and ultimately reduce efficiency. It is therefore critical to have an integrated approach to risk management in which you are not spending 80% of your time on data collection and only 20% on analysis.

Risk management needs to evolve to give businesses a deeper understanding of all aspects of the risks they face, as well as the intricate web of interconnections between them, because these links among risks can amplify the overall impact, directly or indirectly.

Checklist for an Effective Risk Management Program

  • Establish a formal risk identification and assessment program for emerging risk identification based on business environmental changes.
  • Define and implement risk and performance measurements based on objectives.
  • Facilitate and foster increased data sharing and communication between business divisions.
  • Define and implement an enterprise risk taxonomy with a common risk language across the organization.
  • Derive a greater insight into risk interrelations through cause-impact understanding.
  • Implement a tool for risk aggregation to identify themes, patterns, and hotspots across the organization.
  • Improve risk management automation to avoid repetitive data-gathering tasks using data and analytics-based risk assessment.
  • Enable continuous monitoring to preemptively notify teams of imminent risk events.

The idea behind Integrated Risk Management is not to discard everything that we do today around identifying, assessing, and managing risks, but to do so in a manner that helps the business understand the relationship and connectivity between different risk areas so that they can be identified and managed proactively.

And for IRM to be effective, people, processes, technology, and data need to come together and work as part of a common ecosystem with a common purpose and goal in mind.

However, risk identification and assessment programs by themselves do not serve their full purpose without quantifiable measures in place to support them. This requires carefully thought-out measurement components to be designed and implemented that provide useful insight into each risk.

While many of us would like to believe that enabling technology for IRM is primarily about implementing an enterprise GRC tool, it requires some broader thinking. IRM is an extension of your GRC program where risk management practice is seamlessly embedded into compliance, cybersecurity, vendor risk management, and business continuity planning.

Businesses need to understand and break down the complex interrelationships. And that means risk identification needs to happen, where risk happens.

Our MetricStream Platform can help you cut across organizational silos by standardizing risk and control taxonomies and enabling stakeholders to effectively coordinate and unify risk management activities across all business functions. Organizations can use our product to align their assurance programs and gain comprehensive visibility into both risk exposure and relationships. Reach out to us to know how to achieve forward-looking risk visibility with predictive risk metrics and indicators in your Risk Management program today!


Sumith Sagar Associate Director, Product Marketing

