The Spirit and Experience of GRC Summit

Introduction

A customer asked a few weeks ago what were the best GRC conferences to attend.  Of course our own GRC Summit came immediately to mind, but I wanted to give an objective answer, so I shared my thoughts on several very good conferences.  There’s GARP, but it’s mostly for risk managers, and the same goes for OpRisk and RMA.  There are the Gartner Security and Risk Management summits, but they are mostly for Chief Information Security Officers.  SANS, ISF, and several other organizations also run events for security professionals.  There are the IIA events, but they are for auditors, and the ISACA events are for IT auditors.  Several organizations run events for compliance officers – Compliance Week and the Society for Corporate Compliance and Ethics.  All good, but each focused on just a single GRC discipline.

So as I went through the list, I realized that while there are conferences for auditors, risk managers, IT security professionals, compliance managers, and IT administrators of GRC solutions, there really is just one real GRC Summit, and that is MetricStream’s.  No other conference truly integrates attendees from multiple GRC disciplines.  We bring together chief risk officers, chief audit executive, chief compliance officers, chief information security officers, privacy officers, corporate directors, and other GRC professionals all in the same place at the same time.

There’s a reason that there are no other large conferences that attempt a truly integrated approach for GRC leaders.  Creating 2 to 3 days of compelling sessions to both appeal to a given GRC discipline, while at the same time appealing to a cross-section of all GRC professionals is no easy task — It’s hard.  But by investing the effort, we enable our attendees to experience the spirit of GRC, and get a sense of the value that integrated GRC can bring to their own organizations.

GRC Summit through the eyes of an attendee

GRC for high performers.  Can you imagine being a new customer or prospect attending the recent GRC Summit in London – someone representing a company that is just beginning its GRC Journey.  On the first day, you hear the Chairman of MetricStream share a promise of pervasive GRC, in the cloud, with a focus on quality, and our Senior Vice President for Product Management introduce the new M7 with enhanced personalization and configurability – a vision made real of GRC that is the way you want to use it, engaging, how you need it, where you need it on any device, with great insights from its analytics, and lean and fast.  The MetricStream people call M7 “GRC for high performers,” so you go to the tech showcases to see product managers demonstrate the applications, and you decide the MetricStream people are on to the something – GRC is not just for risk and compliance anymore – it’s about business performance and opportunity.

Saving 6 months in one day.  At lunch you talk to an audit executive on one side of you, and a risk manager on the other side.  Even though you are a compliance officer, you find they have the same goals as you – to help navigate your companies through uncertain times while managing the risk and following the rules – like MetricStream’s Chief Evangelist said – to Preserve, Protect, and Perform.  Though most of the people you meet are fairly early on their GRC Journey, you go to case study presentations where you hear from companies who have been there, done that.  These GRC leaders have the scars, but you learn they are scars of success, and you just can’t believe the value you are getting from hearing their frustrations, their challenges, but also their goals and the critical success factors for achieving them.  You think you may have saved 6 months on your GRC Journey just in this first day.

GRC Journey awards.  But the day isn’t over yet – there is the GRC Journey Gala dinner, and you wonder what goes on there.  Everyone at the dinner is highly energized – the day has charged everyone one up.  And now come the awards, and you see organizations who are pretty mature in their GRC programs getting awards, as well as GRC visionaries, GRC practice leaders, and MetricStream partners all being recognized for their achievements.  You promise yourself that you are going to get your organization on that stage in the next 2 years.

Brexit fireworks.  The next day – wow!  MetricStream has the leader of the Brexit Remain campaign keynoting, and they follow that up with a panel where the keynoter and a Leave champion really take their gloves off.  But you got some really good insights from the panelists on dealing with major issues where the uncertainty could derail your company’s ability to achieve important strategic objectives.  Next you attend more sessions – one on the new EU General Data Protection Directive, which you know you’re going to have to implement, and you meet a MetricStream partner on one of the panels who has just the right expertise to help you through it – cool!

mSIG – MetricStream Special Interest Group.  Being a new customer, your MetricStream sales rep has encouraged you to go to a special lunch with other customers – she calls it an mSIG – a MetricStream Special Interest Group – and you wonder what that is.  The lunch is great and you’re at a table with other customers who readily share advice and experiences.  Then one of the MetricStream execs starts sharing a presentation on the business value of GRC, and it’s not just high level fluff – there’s actually a tool to help you measure and track GRC business value metrics, and another to help measure cost.  You realize this is just what you need to communicate to your colleagues in risk management, audit, legal, finance and IT why they need to dedicate their time and effort to integrated GRC.  You decide that this lunch alone was worth the cost and time spent at the summit, and you learn that there are dozens of mSIG meetings each year, and online communities where you can network with other customers at any time – you don’t have to wait for the next summit.

The action plan.  You attend some more sessions and its more value and loads of notes that you are going to share with your team and your colleagues when you get back.  Plus fortunately you learn that MetricStream has recorded the sessions so you can share them with others in your organization who could not attend.  And finally there’s the closing where MetricStream’s COO shares the top ten headlines of the summit, and they really resonate with you.  A couple of them really standout – “We must align GRC with our core brand values” reminded you that if you could link your GRC objectives to brand values, then the change management would be easier.  And another one, you promised yourself you were going to share with the CFO and CEO, “Don’t let Brexit consume you like the millennium bug did.”  You were going to take that advice from one of the Brexit panelists and ensure your company appointed someone as the point person for Brexit and set up a Brexit team.  That way the board would be assured that Brexit issues were tracked and dealt with, and the rest of the compliance, risk management and audit teams could get on with business.

Wow – GRC Summit was well worth the time and you had a lot to take back to the office.  On the flight home you knocked out a GRC 30 day, 90 day and 1 year action plan – you know you could not have done that just 3 days ago – and you promised yourself that you were going to return for the next GRC Summit, with your audit, risk management, and IT security colleagues.

You smiled when you realized you didn’t have to wait a year for the London GRC Summit to return – no, you opened your laptop and connected to the wifi on the plane and registered right away for the Global GRC Summit in Washington, DC, 4 to 7 June 2017!