Blogs
Through the GRC Lens – September 2019
- Compliance Management
- 04 October 19
4 min read
Rethinking Cybersecurity in a Disruptive Age
With an increasing number of attacks in the market, despite more sophisticated cybersecurity solutions, many cybersecurity reports and surveys highlight why organizations need to rethink their cyber strategy and what’s in store for the future. – Here is what the media headlined through the GRC lens in September.
As attackers get more relentless with the volume and speed of their attacks, cybersecurity defense must safeguard all possible points of the attack surface. A recent survey of internal auditors published in City AM, found – cybersecurity, regulatory change, and digitalization to be the top three risks faced by businesses across Europe. The shortage of cybersecurity talent exacerbates the cybersecurity problem in a complicated enterprise environment.
Increasing cybersecurity resources
According to CISO Magazine, cybersecurity has emerged as a primary investment priority for financial firms in the United Kingdom. Reports from a survey conducted by Lloyds Bank states that cybercrimes have jumped to the fourth position from the eighth place since 2018. Banks in UK are increasing their budget allocation to enhance cybersecurity capabilities at their organization, Computer Business Review reported.
In another survey conducted by Infosys, targeting 867 senior executives representing 847 firms from 12 industries, with annual revenues over US$500 million across US, Europe, Australia and New Zealand (ANZ), reported that almost half (48%) of corporate boards and 63% of business leaders of surveyed enterprises are actively involved in cybersecurity strategy discussions.
While organizations have started to invest in building an efficient cybersecurity management and mitigation program, they still continue to face difficulty juggling priorities.
The Cyber Roadblock
A recent study conducted by BitSight, revealed that every two in five (38%) companies stated that they’ve lost their businesses due to lack of cybersecurity capabilities. An article by Forbes, ‘The Gap Between Strong Cybersecurity And Demands For Connectivity Is Getting Massive’, states, “…More devices and less adequate resources mean the attack surface continues to grow. “Every second that it takes to respond to an attack after it’s been deployed can have a huge impact on the business, be it in terms of man hours spent or sales, and reputation lost.”, states SC Magazine.
Even as enterprises invest in resources and tools to strengthen cybersecurity, why does it continue to be an Achilles heel for so many? The month of September revealed a few of the reasons:
- Human error is a big risk – 99% of email attacks rely on victims clicking links
Proofpoint’s Annual Human Factor Report, states that out of the vast majority of attacks, 99%, require some level of human input to execute – making individual users the last line of defense.
2. Businesses haven’t made it as much of a priority as it should be – Businesses are bypassing security to get to market quicker
A recent article by ITProPortal, highlights a research from Outpost24 which concludes that 34% of organizations bypass security to get products out to market faster. Almost two thirds (64%) of the respondents said they believe their customers could easily be breached, as a result of unpatched vulnerabilities in their organization’s products.
3. Third parties aren’t being monitored sufficiently
This month, thousands of resumes were exposed in a third-party breach that originated from monster.com, but the company denied any responsibility, saying – the client “owns the data.” According to CPO Magazine, “Though Monster.com’s denial of responsibility is legally acceptable under United States federal law, it puts the company at odds with the standard data protection requirements of a number of other nations.” This is yet another example of third-party risks being a great cybersecurity risk multiplier.
Cybersecurity is a complex problem with no easy solutions. Enterprises need to act quickly as the costs of data breaches are increasing at an alarming rate. According to Dark Reading, “The cost of breaches will rise by two-thirds over the next five years, exceeding an estimated $5 trillion in 2024, primarily driven by higher fines as more jurisdictions punish companies for lax security.” Juniper predicts that data breach costs will grow at 11% each year. The Ponemon Institute’s “Cost of a Data Breach” report, sponsored by IBM, pegs growth at 12% between 2014 and 2019.
Stepping up the cyber game
Unfortunately, 2019 was the year of data breaches with some record setting fines faced by companies like Equifax, British Airways and Marriott. The good news is that progress is being made:
1. Cybersecurity decisions involving the C-Suite:
Companies are fortifying their cyber strategies in alignment with business objectives. Defending threats requires the C-suite support, more than ever now. According to CPO Magazine, it’s important for security teams to make business leaders aware of the quickly shifting threat landscape.
2. Companies Are Forming Cybersecurity Alliances:
Over the last few years, cybersecurity alliances are being formed between tech-focused companies to support each other aimed at changing the ways companies deal with cybersecurity vulnerabilities and renegotiating the social contract between states and their citizens. The exchange of information is an effort to raise the collective level of cybersecurity, shape overall security practices, and speed the adoption of security technologies.
3. Artificial Intelligence Is Changing the Cyber Security Landscape and Preventing Cyber Attacks:
New advances in tech hold great promise to build cyber resilience. An article in Entrepreneur highlights how AI is a boon in cybersecurity, by stating, “Developers are using AI to enhance biometric authentication and get rid of its imperfections to make it a reliable system… AI-ML can detect and track more than 10,000 active phishing sources and react and remediate much quicker than humans can… AI-based systems proactively look for potential vulnerabilities in organizational information systems.”
Rethinking cybersecurity strategies has become imperative. With the changing landscape of cyber defense and new tools in the market, enterprises need to focus on building a holistic cybersecurity approach to deliver an effective awareness training and layered defense strategy. A strategy that provides enterprise wide visibility to better protect the company and its customers in a more efficient and proactive manner.
Jump to Topic
Related Resources
Blogs
A Look Back at the GRC Summit 2019
- Audit Management
- 30 July 19
5 min read
Introduction
Now in its seventh year, the GRC Summit hosted by MetricStream is one of the biggest and most anticipated events for GRC practitioners around the world. This year, the summit was held on June 2-5 in Baltimore, Maryland, bringing together over 450 GRC and business leaders to talk about the latest trends and opportunities in GRC. It was an incredible four days of learning, discovery, and collaboration—topped off by an exclusive cruise, as well as a glittering awards ceremony.
Here are some of the top highlights from the summit:
- Integrity Front and Center
In keeping with the theme of the summit—”Perform with Integrity™”—many of the speakers pointed out that financial performance is no longer the sole indicator of success. Trust is what really drives business today, and integrity is what drives trust.
MetricStream CEO, Mikael Hagstroem talked about building integrity by fostering a sense of compassion in the way we approach customers, the way we treat employees, and the way we shape the future of technology. “Successful performance—be it an individual level, an organizational level, or a global level—begins with a spark of passion that, when guided by integrity and compassion, helps us improve the human condition, and enable a higher quality of life,” he said.
MetricStream Chairman, Gunjan Sinha, emphasized the need to build purpose-driven organizations where doing good is as much of a priority as doing well. A strong sense of purpose, he predicted, is what will define the successful organizations of the future, along with a commitment to diversity, inclusion, empowerment of the front line, ethical data, and social conscious AI.
- Tony Scott on the Key Transformation Drivers of the Next Five Years
The former Chief Information Officer of the United States government (2015-17) described how “relentless digitization” is rapidly upending traditional analog business models. And with it, the notion of security and privacy by design is becoming more important than ever. Technology is moving faster than we’re prepared for, he cautioned. Do we understand the risks of new tools like AI and machine learning? How do we build good governance, accountability, and transparency around these new technologies? How do we keep humanity at the center of innovation? All key questions to consider.
- Jim Quigley: Coping with the “Knowns” and “Unknowns” of Business
Drawing on his experience as a member of the board and risk committee at Wells Fargo, as well as CEO Emeritus of Deloitte, Jim Quigley talked about why the work of GRC practitioners is so critical in helping boards and management teams make better strategic decisions in the midst of escalating “known unknowns” and “unknown unknowns.” He also emphasized the importance of building sustainable risk cultures. “The biggest driver of culture in any organization is observable behavior,” he said, quoting a colleague. “We want people to raise their hands and identify problems as quickly as possible.”
- The Power of Innovation
MetricStream’s Chief Technology Officer, Andreas Diggelmann, along with Chief Innovation and Cloud Officer, Vidyadhar Phalke, delved into the new technology innovations that are emerging across the whole chain of GRC. Chatbots, for instance, are being used to capture issue data from the first line of defense in a manner that is simple and engaging. Predictive analytics are being used in the second and third lines to anticipate and respond to potential emerging risks proactively. Machine learning tools are enabling executive teams to detect risk patterns, and understand optimal mitigation practices based on historical evidence. Essentially, the possibilities with technology are endless.
- Anna Felländer on Being Vigilant to the Ethical Risks of AI
Co-founder of the AI Sustainability Center, Anna Felländer pointed out that in a data-driven world, AI is key to helping organizations build better operational efficiency and deeper client relationships. Yet, it also introduces many ethical risks around the misuse/ overuse of the technology as well as multiple biases. If we want to avoid these pitfalls, we need to start investing as much in the humanistic side of AI as the engineering side, she said. We need to shape a future where humans lead AI, not the other way around. We need to find ways of ensuring that technology doesn’t get ahead of regulation.
- Risk Management Is Everyone’s Responsibility
Many of the speakers emphasized the need to strengthen risk awareness at every level of the organization, right from the front lines to the boardroom. “Risk needs to be something that companies walk, talk, eat, and breathe every day,” said Kenneth Bacon, Member of the Board, Comcast, and Co-founder and Managing Partner, RailField Realty Partners. We need to have more risks and issues self-identified by the business rather than by internal audit or regulators, pointed out Sarah Dahlgren, Head of Regulatory Relations – Corporate Risk, Wells Fargo & Company. The more proactive the first and second lines of defense are in reporting risk data, the better informed and more confident the board and management team can be in their strategic decision-making processes.
- In a Fast-Changing World, GRC Must be Agile
Disruption is the only constant in business today, pointed out MetricStream’s Chief Operating Officer, Gaurav Kapoor. If we want to be prepared for the new risks around the corner, GRC programs have to be agile, he said. Other speakers talked about what agility entails. Raven Catlin, Former CAE and Industry Expert in Internal Audit and Risk Management, described how internal audit must be ready to embrace new tools, new skills, and new approaches to auditing. Michael Rasmussen, Chief GRC Pundit, GRC 20/20, highlighted the importance of integration and collaboration in building more agile GRC functions.
- A Celebration of GRC Champions
The much-anticipated GRC Journey awards ceremony, held on day 1 of the summit, recognized and honored MetricStream’s business partners, individuals, and customer organizations that have made significant strides on their GRC journey towards strengthening business performance. This year, there were 17 award recipients across five categories.
- Connecting and Collaborating
There were plenty of opportunities for attendees to connect, share with, and learn from with each other – be it the many interactive workshops and networking sessions, or the relaxed “happy hours.” Day 2 of the summit culminated in an exclusive cruise down Patapsco River which saw attendees letting loose and singing their hearts out at a Karaoke session.
Jump to Topic
Related Resources
Blogs
MetricStream’s Enterprise GRC Solution awarded GRC Product of the Year by Risk.net
- Audit Management
- 19 July 19
3 min read
Introduction
A few weeks ago, MetricStream was awarded “GRC Product of the Year” at the 2019 Risk Technology Awards hosted by Risk.net. It was a strong validation of MetricStream’s mission to help organizations “Perform with Integrity™”. Through our GRC platform and solutions, customers are able to effectively understand and manage the interconnectedness of their risk environment, while deriving actionable risk insights for business decisions.
Why GRC Matters More Today Than Ever Before
Over the past year, multiple financial services organizations have faced penalties and fines from regulators for facilitating money laundering, manipulating customer accounts, and mishandling security trading. Meanwhile, serious IT meltdowns and cybersecurity incidents have severely impacted brands and reputations. Added to that, operating markets and business models are continuously being disrupted.
To stay ahead of these risks—both “known” and “unknown”—in an increasingly hyperconnected, fast-changing world, organizations need timely risk insights that can help them make swifter and better business decisions. They need to be aware of how a potential incident enhance their risk exposure. These objectives are best achieved with a strong governance, risk, and compliance (GRC) foundation.
What Differentiates MetricStream’s GRC Offerings
We believe that there are several factors that led to us winning GRC Product of the Year:
1. Support for Multiple Evolving GRC Roles
Chief Risk Officers (CROs), Chief Compliance Officers (CCOs), Chief Information Security Officers (CISOs), Chief Sourcing Officers (CSOs), and Chief Audit Executives (CAEs)—once limited in their roles—are increasingly being given a seat at the table with the power to influence strategy and decision-making. With this new power comes new obligations and challenges.
At MetricStream, we focus on addressing these challenges through our GRC platform, solutions, and apps. We thematically look at the core needs of each GRC persona—be it the CRO, CCO, CISO, CSO, or CAE—and provide tailored solutions to meet those needs. We also deliver specific content, workflows, and reports to help various personas make informed decisions that are aligned to their business objectives.
Our wide array of packaged apps, which can be enhanced with third-party applications, are designed to improve risk visibility and intelligence. Underlying these apps is our cloud-enabled, future-ready GRC platform that provides customers with long-term value throughout their GRC journey.
Our integrated GRC solution enables a high level of cohesiveness across core GRC components which, in turn, improves risk assessments, predictions, and mitigation. Organizations can effectively balance risks and rewards, make confident strategic decisions, and respond to the changes that occur within and outside their enterprise.
2. Balance Between Autonomy and Aggregation
At MetricStream, we understand that while the core requirements of GRC are more or less consistent across organizations, the processes, priorities, and needs of each organization are unique. Therefore, we offer flexible product alignment which allows customers to choose from multiple best-in-class, out-of-the-box GRC products that can be used along with third-party applications. Our apps and solutions provide agile risk reporting capabilities, while advanced analytics empower GRC practitioners to visualize large datasets within intuitive and interactive dashboards in real time.
3. Leadership in Addressing the Interconnectedness of Risk
The hyperconnectivity of markets has created both known and unknown dependencies and interconnections within and outside the enterprise. This, in turn, has increased the interconnectedness across different types of risks.
The MetricStream GRC Platform has been built to comprehend these risk relationships and to deliver contextual insights though the aggregation and analysis of risk information. Our customers have adopted the platform along with built-in best practices and modifications to identify, understand, quantify, and predict the multiple points of impact for any risk event.
4. Focus on Long-term Partnerships Based on Value Delivery
MetricStream is focused on being a long-term strategic partner to customers as they grow and transform along their GRC journey. Our GRC advisory framework and methodologies help organizations build a multi-year GRC vision and roadmap that augments value realization based on a “true platform” strategy.
Through our value discovery workshops, we enable customers to identify key value propositions that can be measured as outcomes throughout the design and implementation of their GRC programs. Our GRC Journey initiative adds a further advantage by helping customers understand the current and future state of their GRC programs, so that they can then re-engineer existing GRC processes for optimal business benefits.
***
As we continue to find new ways of enabling and supporting our customers, we’re deeply grateful to Risk.net for the recognition and award received. We look forward to continuously raising the bar on innovation, and delivering products that truly empower our customers to Perform with Integrity™.
Jump to Topic
Related Resources
Blogs
Through the GRC Lens: January 2019
- Compliance Management
- 14 February 19
3 min read
Introduction
A Chinese tech giant faces criminal charges in the US, a major bank in India fires its CEO, and an embattled Silicon Valley titan beats Wall Street estimates — here’s January through the GRC lens.
Huawei Faces Criminal Charges in the US
Federal prosecutors unveiled a host of charges against Chinese telecom giant Huawei and its chief financial officer Meng Wanzhou in January. The prosecutors alleged that the company stole trade secrets, obstructed justice, and committed bank fraud in an effort to circumvent the sanctions against Iran.
In one indictment, prosecutors accused Huawei and its top financial officer of misleading banks and US investigators about its relationship with a longstanding affiliate in Iran, Skycom. According to reports, Huawei falsely claimed that it had sold off its interest in Skycom when in fact it controlled the company. Huawei’s American subsidiary then destroyed evidence and moved witnesses with knowledge of Skycom from the US back to China.
Another indictment by the prosecutors revolves around the theft of trade secrets related to a robotic device called “Tappy,” made by T-Mobile, according to The Wall Street Journal. The Wired reported that if Huawei is convicted of all charges, it faces problems bigger than just fines.
ICICI Bank Fires Its CEO
India’s second-largest private sector lender sacked its former managing director and CEO, Chanda Kochhar, after a panel found her guilty of violating the bank’s code of conduct and making inadequate disclosures.
According to reports, there was a lack of diligence from the former CEO in dealing with conflict of interest and due disclosure while sanctioning loans. The loan, to the tune of $425 million, was made to the Videocon group, allegedly quid pro quo.
Following the scandal, the country’s top economic regulator initiated a money-laundering probe against those involved, including Kochhar’s husband and the chairman of the Videocon group.
The former CEO will also have to return bonuses accumulated over 10 years.
Facebook Posts a Record Profit Despite Scandals
Facebook proved naysayers wrong by posting a record $6.9 billion profit for the last three months of 2018 — a jump of 61% from the same period in 2017 and well ahead of Wall Street estimates, according to CNN.
Despite making headlines last year for scandals involving the spread of disinformation, mishandling of private data, and election meddling that invoked the ire of regulators around the world, the company seems to have surprisingly gained more users. According to estimates, 1.52 billion people use the social network every day, and 2.32 billion use it every month — both of which represent a 9% increase from 2017.
The strong results come after the company said that it expected its growth to slow as it spends more to improve the privacy and security of user data.
The Low-Down
US regulators are tightening the reins on companies like Huawei that have been accused of compliance failures while trying to advance their own interests. Huawei’s latest indictments bear similarities to what happened to another Chinese telecom giant, ZTE, that admitted to violating US sanctions and ended up paying a whopping $1.9 billion in penalties, also while agreeing to replace its entire board and senior leadership, and open itself to US auditors.
According to reports, the same fate might await Huawei if the company is convicted. US financial institutions could be banned from doing business with the company — a move that is likely to have a significant impact on the telecom equipment provider’s bottom-line.
The ICICI Bank case highlights governance issues in developing economies like India. According to a report by The Hindu, global rating agency Standard and Poor’s (S&P) noted that developments around the case and the changing stance of the bank’s board of directors show “weak governance and transparency in the Indian banking sector.” However, the agency agreed that the board’s claw back of bonuses and benefits when a person is proved to be at fault is an important check that aids accountability and good leadership. More such measures are required in the country’s banking sector to avoid recurring scandals of a similar nature.
While Facebook’s endless crises do not seem to be hurting the company’s business for now, time will tell if the social media giant can sustain its growth in the long term as regulators begin to question its business practices. Data privacy laws like the European Union’s (EU’s) General Data Protection Regulation (GDPR) have already forced powerful tech companies to restructure their business models, while France’s latest tech tax is another indication that regulators are trying to rein in the unbridled power of the tech titans.
Jump to Topic
Related Resources
Blogs
GRC Isn’t Just about the Mitigation of Risk, but about the Preservation of Trust
- Compliance Management
- 18 December 18
5 min read
Introduction
8 Key Takeaways from the GRC Summit 2018 – London
The GRC Summit on Nov 12-13, 2018 provided a forum for business and government leaders from around the world to discuss, debate, and learn about the latest trends and best practices in GRC. Based on the theme “Preserve. Protect. Perform,” the summit featured a range of inspiring keynotes, expert talks, customer success stories, and panel discussions on topical issues such as Brexit, cyber resilience, corporate integrity, and culture.
Key Takeaways
The biggest driver of cyber risk? The emergence of a commodity market in hacking
A decade ago, if you wanted to hack into someone’s system, or even conduct a simple denial of service attack, you had to be reasonably skilled. Today, you can simply buy a tool—or better still, a managed service to do it for you at a very limited cost. This rapid rise of a commodity market in hacking has made it easier than ever for criminals, disgruntled employees, nation states, and other malicious actors to attack organizations and nations where it hurts most.
For more insights, watch this fascinating keynote by Robert Hannigan, Former Director of the UK’s Government Communications Headquarters (GCHQ).
GRC isn’t just about the mitigation of risk but about the preservation of trust
Traditional GRC may have been about policing the organization. But today it’s about empowering the first line of defense to be effective custodians of trust — equipping them with the knowledge and tools they need to take ownership of risks and to do the right thing. The key is to remember the 4 R’s: (1) Respect – Ensure that the three lines are working together towards the same objectives (2) Rapport – Empathize with the needs and challenges of the first line (3) Responsibility – Ensure that the three lines understand what they need to do and how to execute it transparently (4) Reflection – Take the time to step back and evaluate the approach.
To know more, watch this C-suite panel discussion on trust and integrity featuring business leaders from M&G Investment, UBS, and Intelligent Ethics.
Innovation without integrity is like motion without direction
For years, business success has been talked about in terms of the speed of innovation, or how quickly one can notch up billions of dollars in valuation. But in the race to get to the top, many employees report being pressurized to compromise standards. In fact, they often see questionable business practices being rewarded rather than punished. Fortunately, that is beginning to change as organizations come under greater scrutiny—not just from regulators and investors, but also from a larger hyperconnected society with tremendous computing and communication power at its fingertips. In this transparent world, values like integrity, trust, and alignment of profit with purpose will become increasingly critical to business success.
Find out more on what it means to perform with integrity in this keynote by MetricStream CEO, Mikael Hagstroem.
The pace of change will never be as slow as it is today
One of the biggest dilemmas that organizations face is how to keep up with the ever-accelerating pace of change and disruption without being blindsided by the associated risks. How do you enable faster processing of financial transactions without increasing data security vulnerabilities? How do you leverage open banking opportunities without worrying that a third party will misuse sensitive customer information? Agility and resilience hold the key. But achieving these objectives will require collaboration. Organizations, industries, suppliers, customers, public bodies, and governments must find a way to work together towards preparing for and responding to change in a way that benefits everyone.
To learn more about the changes and risks impacting organizations today, watch this panel discussion with risk leaders from Johnson Matthey, Infosys, Santander, and Equifax.
GRC must become a way of life
Employees need to be doing GRC without realizing it – that’s how deeply and intrinsically it must be embedded in corporate culture. While that may be easier said than done, the first step in the right direction is for assurance functions to start speaking the language of the business i.e. instead of talking specifically about risks and controls, focus on how GRC can improve business efficiency and productivity. Look at GRC through the lens of the first line. How will their daily routines be impacted by additional risk responsibilities? Is there a way to make GRC a seamless part of the front line’s daily tasks? These are important questions to consider if organizations want to build a truly risk-aware, well-governed, and compliant culture.
To know more, watch this panel discussion of GRC leaders preceded by a talk on GRC market trends and insights by MetricStream COO, Gaurav Kapoor.
Regardless of the outcome of Brexit, organizations will need to be prepared with a contingency plan
While the future of Britain’s relationship with the EU continues to be shrouded in uncertainty, what is evident is that the repercussions of a hard Brexit will likely be catastrophic unless organizations are prepared to counter these risks. That includes conducting scenario analyses to understand and address potentially adverse outcomes, while developing contingency plans to protect business interests. It also means tackling possible bottlenecks in the physical supply chain, as well as the financing and data supply chains. Yes, all these efforts will require significant investment, but think of them as an insurance policy for your organization.
For more insights, watch the Brexit panel discussion featuring experts from financial services, manufacturing, and the government.
Analytics and deep learning present a $9 trillion to $15 trillion opportunity
Artificial intelligence has finally come of age. However, the challenge now lies in scaling AI initiatives in a way that delivers optimal value. As complex as that might seem, there are best practices that organizations can follow. One is to ensure that the business has a well-defined and well-aligned AI objective and strategy with a clear understanding of where the monetary value lies. Another is to remember that AI isn’t just about technology but also about the right working practices and methods. And the third is to realize that data scientists alone don’t make a successful AI project – it takes a village to do AI well.
For the whole picture, watch this business leadership talk by Nicolaus Henke, Global Leader, Digital and Analytics, McKinsey.
Smart ledgers could be a boon for compliance
While ledgers have been in use for thousands of years, they have never arguably been as much a part of popular discourse as they are today, particularly with the advent of the blockchain and bitcoin. Smart ledgers—essentially multi-organizational databases with a super audit trail—hold significant potential not just for payments, but also for clinical trials, trade, and geostamping. Most importantly, they act as anti-cheating devices. And in that sense, they are exciting for compliance functions who can now use smart ledgers for a variety of purposes, ranging from regulatory reporting, to time-stamping, bench marking of shared data, and even as a “dropbox” for proof of compliance with the Senior Managers Regime.
Learn more about smart ledgers in this insightful keynote by Michael Mainelli, Chairman, Z/Yen.
Explore more videos and insights from the GRC summit here.
Jump to Topic
Related Resources
Blogs
“Why Excel is just not good enough” – Part 1
- Audit Management
- 17 May 18
3 min read
Introduction
I was on a call the other week with the Enterprise Risk Manager of a relatively sizable multi-national corporation (over 20,000 employees across a few hundred locations on nearly every continent), and she said something that got me thinking.
She said, “For us, right now – Excel is good enough.” I responded by saying that “I understood,” we discussed a few other topics on the call and hung up.
It wasn’t until afterwards that I realized how much her view about Excel took me aback. As an enterprise software sales professional, I believe in companies moving to automation. But the reason the statement took me aback was because I realized that this might be a common mindset across many people and firms. How many other people think, “Excel is good enough”?
A Senior Manager on my team, Mark Winey, was also on the call. After the meeting we spoke, and he reminded me that one of my first roles was in Operational Risk Reporting and Monitoring (R&M), so I should be able to understand their perspective. I began to reflect on this.
Earlier in my career, my team had built out the firm’s first op risk and control R&M function completely manually in excel. Part of my role was to spend the first few hours of the day updating spreadsheets with additional information for the metrics I was tasked with tracking. We had defined thresholds of red, amber, and green based on a formula we created using standard deviations, and when those thresholds were breached, we needed to escalate.
Once I was done compiling the additional information, the next few hours were spent chasing on threshold breaches and gathering commentary around root cause and resolution. When that was finally complete, I would spend the vast majority of the rest of my day consolidating the prior month’s end reporting. This then went on for about 3 weeks until the “Month End Report” was done. At this point, we would reach out to executives in order to have meetings scheduled on their calendars; this took another 3 to 4 weeks before we could meet and present the report.
This brief narrative reveals two important insights:
First, and perhaps the more obvious insight, is that by the time we finally met with executives, the data was at least 45 days stale! This was in 2009 and we all understood the importance of accurate, real-time data; however, every month, as things stood, we were always looking in the rear view, and pretty far behind, at that.
Second, and this is the implied insight, I spent the smallest portion of my time thinking critically about the data. As an analyst, by definition “a person who analyzes or who is skilled in analysis (thank you Google, analyst),” I spent very little time actually analyzing. This was counter-intuitive to me – I was getting paid to dig-in and think critically, but most of the time was spent on redundant manual efforts.
I’d like to estimate some numbers to illustrate how concerning this should be as risk practitioners. Let’s start with the assumptions that on average there are:
- 8 working hours in a day
- 5 days in a week
- 4 weeks in a month
After factoring out lunch, holidays, vacations, etc., these assumptions should be fairly accurate. I didn’t document the precise time I spent on every activity, but let’s say that for the first 3 weeks of the month my day consisted of:
- 2 hours of updating spreadsheets
- 2 hours of reaching out on breaches
- 2 hours of month end reporting
- 2 hours on administrative tasks (meetings, emails, phone calls, etc.)
My day looked exactly the same for the last week of the month, except for this key difference: I now had 2 free hours a day since the “Month End Report” was complete!
In an interview a client of ours said, “We see the GRC Program really enabling the commoditization of the existing compliance activities and governance activities, so that managers have time to think about what’s the next risk, and really use intellectual capacity to manage risk going forward.” Given the manual approach described above, as an analyst I would have spent 6.25% of my time thinking about “the next risk” and “managing risk going forward.” After reading this, does 10 hours a month seem like an adequate effort for risk analysis? Do you still think Excel is good enough?
Jump to Topic
Related Resources
Blogs
The vicious cyclone of emerging risks – My big ‘aha!’ from OpRisk North America
- GRC
- 21 March 18
3 min read
Introduction
The OpRisk North America conference was disrupted by an operational risk — a late season snow storm that has snarled transportation and complicated travel plans in the mid-Atlantic and Northeast, but most attendees and speakers chose to go forward, and I’m glad they did since conference has given me a big ‘aha’ on emerging risks.
Cyber risks and cyber compliance
In almost every session presenters and the audience have cyber risks as the dominant operational risks. While for years, GRC experts have highlighted that with the increasing dependence of business models on digital technologies, cyber risks and cybersecurity strategies would become a critical element of strategic business planning. Well, now those forecasts by experts have proven out, and chief risk officers are incorporating cyber risks into their risk management strategies.
Cyber compliance is also emerging as a critical discipline of overall enterprise compliance management. From a regulatory standpoint, with the emergence of digital business models, businesses are also grappling with increased oversight from regulators. Almost all U.S. states have data breach notification laws. The first state to regulate data breach reporting was California which requires notification of consumers for any breach that affects more than 500 customers. Maryland requires notification if even just one customer is affected. The U.S. SEC was an early mover, requiring that public companies report material cybersecurity incidents.
These new rules at federal and state levels have led to greater transparency of cybersecurity. Now, broader, more encompassing state-level cybersecurity laws are rolling out. New York was the first mover in 2017 with the Department of Financial Services Cybersecurity Regulation, and in 2018 many more states are passing legislation to codify the National Association of Insurance Commissioner’s new Model Data Security Law.
Disruptive technology and conduct risks
More privacy regulations should be expected as well. Political abuse of user behavioral and profile information gathered by the new tech giants like Facebook goes back at least to the 2012 election cycle in the US, and has been brought into the limelight with the Cambridge Analytica scandal. The new European General Data Protection Regulation (GDPR) was already slated to go into effect in May 2018. No doubt, now, European authorities will be analyzing GDPR to see if it adequately addresses the abusive practices of Cambridge Analytica, and in the US, the Federal Trade Commission is investigating. Notably the scandal opens up a whole new front on the challenges of third party information risks, that is, customer risks — ensuring that buyers of information analytical services are not abusing those services.
All of these recent regulatory developments, political intrigues, and corporate scandals must have been in the minds of attendees and speakers at OpRisk when they were polled on their top emerging risks. Disruptive technology tied with cyber risks for the number one position at 47% each. All other emerging risks paled in comparison.
My big ‘aha!’ — Chief risk officers are sensing a vicious cyclone of disruptive technology, conduct risks, and cyber risks. Disruptive technology is being adopted at a faster than sustainable rate — it’s being pushed into service before the lessons from early adopters can be shared with other enterprises. Advanced automation also requires fewer people, but these people are also enabled through disruptive technology that when abused either intentionally or through ignorance or negligence, can wreak tremendous havoc. The technology is also being pushed out at such a pace that the cyber vulnerabilities are not fully known and addressed — presenting all kinds of opportunities for malicious actors to act at scales never before possible. Inevitably there are going to be problems, and it’s up to CEOs and CROs to act together to ensure that their organizations are not caught up in this vicious cyclone.
Jump to Topic
Related Resources
Blogs
How IT Can Leverage AI to Prevent Major Cybersecurity Incidents
- IT Risk & Cyber Risk
- 23 October 17
3 min read
Introduction
The need for artificial intelligence (AI) in IT governance, risk and compliance (GRC) is growing quickly. As companies expand their digital footprints, cybersecurity vulnerabilities worsen due to an increased amount of data being produced from IT security monitoring and performance tools.
At its recent Ignite 2017 conference, Microsoft revealed its plans for further incorporating artificial intelligence (AI) into its various offerings. For example, the company is embedding AI in Excel to assist with automatic determination of different types of entries – Excel will be able to go beyond automatically differentiating between text and numbers to being able to identify the type of text utilized. Since the program will be able to better identify types of text – for example, differentiating between objects, corporations and people – it also will be able to discover relationships within and between data sets.
A recent report issued by MetricStream found that AI has already taken the step of improving the discovery of data relationships in governance, risk and compliance (GRC). For instance, if a risk assessor creates a link of a risk to a business objective, an auditor identifies a relation of a risk to a control, and an IT security manager identifies a link between a control and an IT asset, an analyst now can evaluate the relationships between IT assets, risks and controls and business objectives. Over time, through machine learning, a GRC system leveraging AI could begin to distinguish these relationships on its own, and thereby augment the discovery of linkages between data objects and make suggestions to human end users of the system. Further, rather than waiting for a human analyst to evaluate the relationships and trends, an AI-backed GRC solution could utilize cognitive computing to continuously analyze the data objects for any changes that could lead to greater risks or control failures – any detected threats to the ability to achieve business objectives would automatically alert human analysts for deeper evaluation.
Within an IT GRC context, the need for AI is growing quickly. As companies expand their digital footprints, cybersecurity vulnerabilities worsen due to an increased amount of data being produced from IT security monitoring and performance tools. In response to this, vendors have begun augmenting threat-monitoring tools with AI; the potential for discovering patterns of security vulnerabilities and IT asset performance can be significantly enhanced by the incorporation of this technology. However, AI still requires human analysis of the reports from those assets. Applying machine learning, GRC solutions can learn from the human analysis and then continuously monitor for the emergence of high-risk vulnerabilities, thus catching them and, through cognitive computing, orchestrate corrective action that can prevent a major incident or failure.
How far is the GRC industry from deploying solutions augmented by AI? Perhaps not that far. According to a recent survey conducted by GARP, a risk professionals association, 15 percent of their risk management organizations are already using AI. However, just 4.6 percent say that it plays a significant role in risk management. Certainly, if compliance and audit professionals were surveyed, the numbers would be even smaller. Still, with new tools emerging from industry giants like Microsoft that enable developers to incorporate AI capabilities into Excel-based solutions, there will be a lot of experimentation over the next two to three years, and GRC solutions that incorporate AI will play a major role in the industry in the near future.
Corporate Compliance Insights is a wholly owned subsidiary of Conselium Executive Search, the global leader in compliance search.
This article was originally published by Corporate Compliance Insights and can be read here: Can AI Be the Next Step in GRC’s Evolution?
Jump to Topic
