MDOS: Enabling Resilient GRC for Dynamic Enterprises



In today’s digital-first world, companies continuously organize and reorganize via corporate divestiture, diversification, merger, or acquisition to gain efficiencies and market share. Re-structuring, changes to roles and responsibilities, updates to project teams, addition of third parties, and more happen continuously. As the organization evolves and changes its footprint, its internal structure becomes increasingly complex with multiple layers of hierarchy. These hierarchies could span across business units, business functions, geographical locations, legal entities, and similar dimensions.

In a multi-hierarchical organization, it is critical to maintain continuous visibility into the risks and compliance functions at the granular level during and after the transition. While each of the underlying dimensions can be viewed independently, it is critical to understand their points of intersections, interdependencies, and interplays. As the organization restructures, it is important to not forget the impact of these changes on the risk and compliance aspects.


A robust GRC process should be able to function with these multi-hierarchical structures:

  • Risk teams, business management, and business functions should be able to view and manage risks across the enterprise, i.e., have visibility into the risk data sliced by business, region, risk category, or global function
  • Business functions should be able to report risks across locations, regions, and businesses
  • Business units should be able to manage risk and perform compliance checks across the locations they operate in
  • Regions should be able to manage risk and carry out compliance activities across the businesses operating within their region

An organization model such as the Single Dimensional Organization Structure (SDOS) falls short of meeting the requirements that arise in a dynamic hierarchical organization. SDOS typically supports a relatively flat structure with little access to the granular data and cannot adapt to dynamic changes. Clearly, it is time for a complete redesign of compliance modeling from the ground up.

Enter the Dynamic MDOS

Realizing the growing needs of a complex multi-hierarchical organization, MetricStream built the patented Multi-Dimensional Organization Structure (MDOS) capability into its industry-leading MetricStream Platform. This innovative functionality supports multifarious organizational structures with a flexible data model that supports up to six dimensions. Using MDOS, enterprises now have the ability to set up several multi-hierarchy configurations that map directly to their real-world hierarchical structures. Each of these multi-hierarchy structures can now be treated as a dimension of the overall organizational makeup.

These dimensions are fully configurable: users can decide what dimensions they want to include depending on their needs.

Given an enterprise, a user can map up to six dimensions (or attributes) like company, legal entity, business function, location, line of defense, restrictions, language, or any other. Each dimension can be linked to the organization’s single source of data.

For example, a company “ABC” with operations across, say, Europe can select function, location, and legal entity as the dimensions. The user will then be able to select any combination of the three to view the relevant details, for instance, the compliance function in Germany for its subsidiary, the “XYZ” legal entity.

The MDOS framework also allows consolidating various similar but siloed functions under one common corporate unit. As an example, a business conglomerate owns, say, eight different companies, with each company having its own HR department. For one HR function, navigation of eight different organizational units would be required. With MDOS, all HR units can be consolidated into a single HR entity under a common corporate functional unit without any loss of granularity. Clearly, this drastically reduces the complexity and makes compliance monitoring simpler.

MDOS enables:

  • Managing complex organizational structure

MDOS helps reduce the number of nodes in the organizational hierarchy by eliminating duplication without sacrificing the details. The platform ensures completeness and avoids issues due to the lack of mutual exclusivity in the current structure.

  • Selecting values from any combination of the dimensions

Users have the flexibility of selecting values from any combination of dimensions in a unified single screen. This helps in accurately gauging the organizational risk profile and performing the risk assessments for a specific dimension. This functionality is key to creating customized reports for actionable insights.

  • Visibility into the hierarchical structure

The framework provides a hierarchical visualization of the organization structure to the users. It also gives the users the ability to search on each dimension instead of an expensive ‘contains’ search.

  • Setting granular privileges for the business needs

In this framework, users are mapped to an MDOS Organization Role combination, and access is driven based on this mapping.

MetricStream has recently secured patent rights for MDOS. It is the only GRC platform capable of modeling complex, multi-dimensional organizational structures. This facilitates setting up specific and targeted risk response and restrictions across the enterprise.

MDOS assists companies in rapidly re-tooling their GRC solution in response to an organizational change, thus minimizing downtime and preserving visibility into risk and compliance functions. The framework also provides useful add-ons such as the MDOS widget, granular access control mechanisms, and Universal Search with MDOS-based security.

As an example, a large financial institution in North America with more than 300 decentralized organizations across eight geographical regions recently deployed the MetricStream Platform supported by the MDOS capability. With the implementation, the company went from the previous 310 organizational units to a rationalized structure with 113 organizational units and saw a 30 percent improvement in reporting and analytics for legal entities and a lower overall cost of ownership.

“Change is constant in the business environment and systems need to ebb and flow with major organization changes or organizations will be left vulnerable in transition.”

- Vidyadhar Phalke, Chief Technology Evangelist, MetricStream





Transform Risk and Compliance Programs with MetricStream’s AI-Powered Insights and Recommendations



As organizations look to harness the power of next-generation technologies and thrive in the era of the Fourth Industrial Revolution, the focus on data is now more critical than ever. It wouldn’t be wrong to say that it is data that runs the modern enterprise in today’s digitized world.

It’s often said that data is the new oil. However, data in itself cannot drive business value—it is only when it is transformed into actionable intelligence that it can enable effective decision-making.

That said, many organizations today lack common taxonomies and structured processes, resulting in unstructured data which is difficult to analyze. This is a major challenge for risk, audit, compliance, and IT & cyber teams as they end up spending most of their time going through this data rather than analyzing it for making strategic business decisions.

Streamlining the processes and workflow and automating them with the right set of tools and technologies is an absolute must for unlocking the true potential of data. By leveraging artificial intelligence (AI), organizations can quickly get insights, identify patterns, avoid duplicate effort, apply the right actions, and better focus on decision-making that helps the business. 

Bringing AI to GRC

Organizations today operate in a complex and unsettled business environment with amplified digital interconnectedness of people, processes, systems, and organizations, rapidly evolving risk and regulatory landscape, geopolitical uncertainty, and more. Furthermore, recent risk events, such as the pandemic, have underscored the importance of a future-ready GRC framework as organizations had an extremely short window of time to act.

Here, AI can be a gamechanger. It can empower organizations to break free from the clutches of siloed operations and facilitate integration and harmonization. Most importantly, it can drastically improve the speed at which risk, audit, compliance, and IT & cyber teams can locate relevant data and information, thereby expediting quick and fact-based decision-making.

MetricStream’s AI-Powered Insights and Recommendations

AI is an integral component of the MetricStream Platform, deployed and operationalized using cloud-first practices, and can be used to build any model or automate any GRC use case. MetricStream currently offers pre-built AI-powered recommendations to transform and automate GRC processes. These automatically provide key recommendations to users based on historical patterns, so that organizations can further improve user experience and drive intelligent business decisions.

Here are some of the areas where we are bringing AI capabilities:

Issue & Action Management: MetricStream uses the core strength of AI by leveraging semantic analytics with natural language processing that can be used to identify patterns in issues and actions that can originate from any program – be it enterprise and operational risk, compliance, audit, third-party, or IT & cybersecurity. MetricStream’s AI-powered issue and action management provides recommendations to categorize issues based on their semantic similarity and automatically recommends duplicate issues and best possible action plans based on historical trends and business context.

Smart Policy Search: MetricStream’s AI-powered smart policy search simplifies the task of searching for policies using a natural language processing (NLP) based semantic search. It improves search accuracy by understanding the searcher’s intent through contextual meaning.

Observations Triage: As organizations are increasingly enabling the frontline to capture observations, they will have to manage a large number of observations. With such a high volume of observations being reported, the triage process becomes tedious. MetricStream AI-powered recommendation automatically provides recommendations to classify observations as a case, incident, issue, or loss event. This enhances the efficiency of the triage team.

Risk Scoring of Third Parties: As part of risk assessments, third parties must periodically submit detailed SOC2 and SOC3 reports as evidence of robust compliance and controls in their infrastructure and security. MetricStream AI-powered recommendations for third-party risk can automatically extract content from SOC2 and SOC3 reports, then compute and risk-rank the third parties based on the number and type of anomalies in the report.



Jayashankar Divi Senior Director, R&D


There is One Way Traffic – Downhill


The Instagram of Risk Blog Series: First Coffee, Then Audit

At the beginning of November, I attended the Chartered Institute of Internal Auditors event in London, where MetricStream was exhibiting. I had the opportunity to network with the delegates and attend the keynote session. This was my takeaway.

Listening to the main presentation, set on a stage in a room full of financial professionals, was anything but jaded. The presenter had the room in tears of laughter as he compared some people in the industry to cliff divers: the adrenaline rush as you look down and see the water below looking incredibly far away can make you run a mile. In a similar setting, the telltale signs of so many companies that got their accounts wrong and had to declare bankruptcy were a revelation, but no laughing matter.

You can say that hindsight is a wonderful thing, but a closer look at these failed companies’ balance sheets and annual reports would make the hairs on the back of your neck stand up. With falling share prices, falling short of analysts’ expectations, or a sudden change of management, there are several ways you can disappoint shareholders. However, when you add creative accounting to the mix, then it is a poisoned chalice.

But who stands to be framed when companies are in serious trouble with deceiving accounts? Is it the management team or the auditors? Is it the investors or the bankers? Or should the blame be shared between them all?

Let’s compare this to an iceberg: only 10% of it is above the water, the rest of it is submerged under the sea, and this is very much like the accounts of a firm. On the surface everything looks fine, but if you dig a bit deeper you will unearth several surprises that are not what they seem.

The audit profession is subject to strict oversight, and ultimately CEOs and directors of companies will take full responsibility. This is where the buck stops. Audit teams need to become more agile, and they need to consider several factors, especially when considering internal controls, including third party risk, cyber security, data governance, and data compliance.

Auditors who use the latest technology within their own teams are well equipped to understand the associated risks with security issues and system failures.

When dealing with a company’s financial records, auditors need to be aware of other indicators that may cause a company to nosedive:

  • Cost becomes an asset
  • Unusual stock adjustment
  • Massive accrual of income
  • Goodwill
  • Deteriorating quality of assets over the effective lifetime
  • Bad debt provisions
  • Conflict of interest

Having an audit program that is aligned to organizational goals and prepared for multi-dimensional risks while preserving the trust of every stakeholder will shape your audit universe.

Companies need to create agility and collaborate across teams to optimize audit productivity and allocate resources based on the highest risk impact.

There is a lot to be said about the right technology and choosing the right provider, which includes:

  • Protecting the business and meeting regulatory requirements
  • Migrating from manual processes to automated workflows
  • Driving consistency across the organization
  • Recurring audit planning and execution integrated with resource & time management
  • Centralizing GRC Library of risk, control, auditable entities with relationships
  • Automating workflows that include review and approval of key activities

The secret is to leverage a centralized risk framework, as audit planning is central.

With the right data, wrapped in a dashboard, you can generate a draft or even final audit reports with review and approval workflows. You can gain real-time access to audit data with status reports. With risk assessments, you can document, manage, and assess risk across the organization.

The right audit platform accelerates audit cycles, helps improve audit strategies, reduces audit costs, and enhances auditor productivity.

And of course, you can provide external auditors and regulators with access to audit data for pre-defined time periods.

At MetricStream, our audit team community has transformed their departments by embracing the latest technology. They are truly the Instagram of Risk.

That reminds me, until the next time we meet, stay away from cliff diving.

This blog is the second in the Instagram of Risk blog series. Read the first blog where Suneel summarizes the key takeaways from the in-person events of the Oct 21 GRC Summit held in London, Copenhagen, and Zurich.


Driving Forces Behind ESG


The Driving Forces of ESG

ESG – these are the most frequently spoken letters in boardrooms across the globe. From sustainable investing to emerging regulations, it is a burning topic for board directors, C-suite executives, and finance professionals. Some see ESG as an evolutionary journey to become a better corporate citizen. Others see it as the brave new world of sustainable investing. This article will discuss some of the key challenges faced by risk and compliance leaders embracing the task of building corporate ESG programs. The road ahead for these pioneers is both exciting and murky. Building an ESG program is not a quick fix. It is tempting to sweep ESG under sustainability or environmental management. Others might simply categorize it as part of GRC. While both are correct, ESG is a delicate topic and requires more than just a one-size-fits-all solution. To understand ESG from the risk and compliance perspective, it is worth digging a level down to understand what the key driving forces are.

In just under two years, the world witnessed major catalysts fueling the unprecedented acceleration of ESG: growing concerns about lasting environmental effects, widespread socioeconomic and human rights issues, and demand for greater corporate transparency. ESG carries material impacts and possesses the ability to influence the future of an organization. In 2020 alone, the US ESG ETF market saw a 318% year-over-year increase. Prior to 2019 or the global COVID-19 pandemic, ESG investing was merely a niche market, experiencing relatively insignificant growth. It is reasonable to assume that a significant portion of global capital is now being relocated from “weak ESG” companies to “strong ESG” companies at an exponential rate never seen before.

So what does “strong ESG” mean?

The growth of ESG investing has given rise to yet another problem, greenwashing: companies making inaccurate claims about their environmental and social responsibility efforts. This is not necessarily intentional or a toxic corporate behavior. ESG disclosure is inherently a tricky exercise. It involves a great deal of effort, time, and money. On top of that, there is very little guidance on which disclosure frameworks to use and how to use them. To further complicate the matter, regulators around the globe are starting to zero in on greenwashing. For instance, the European Union regulators launched a new set of ESG regulations in early 2021. The Sustainable Finance Disclosure Regulation (SFDR) sets mandatory disclosure requirements for financial market participants and financial advisers operating in the EU. These organizations will be required to follow specific mandates on how and what to disclose on an annual basis. Compliance reporting has never been straightforward. From Sarbanes-Oxley to GDPR, compliance leaders around the world have seen their fair share of ups and downs navigating these turbulent seas.

There is yet another angle to consider. From institutional to retail investors, the ESG index score has become a popular metric when it comes to investment decisions. An ESG index score is essentially the grade point average or credit rating of a company’s ESG performance. These figures don’t lie and are quite accurate. For instance, MSCI is one of the leading investment research firms, offering an ESG index score on over 2,800 companies. These companies are assessed on thousands of ESG-related data points and ranked against their peers. Investors leverage this research to understand the current state and potential long-term risk implications of companies. Index scores from different firms are typically used in conjunction for a broader perspective. This is an important consideration for the risk and compliance leaders managing ESG. Understanding the metrics and frameworks behind these index scores can not only help a company’s ESG ranking but, more importantly, keep risks under control and help it become a more sustainable company overall. These index scores should not be looked at as cheat sheets for better ESG ranking, but rather as guidelines to better corporate citizenship.

Global ESG assets are projected to exceed $53 trillion by 2025, more than a third of the projected total assets under management worldwide. ESG is expanding and by no means plateauing. These investment trends and regulatory changes are just the early stages. ESG investment products will continue to become more complex. Regulators will increase their focus on this matter. From the 2007-08 financial crisis to the COVID-19 global pandemic, and many challenges before, the answer is not a simple one-size-fits-all solution but a constant battle of wits and strength.



Simrin Jhangiani Associate Director, Marketing at MetricStream

Simrin Jhangiani is the Product Marketing Lead for MetricStream’s ESGRC product. As a former NYU student with a minor in Corporate Social Responsibility, Simrin is passionate about helping businesses make risk-aware business decisions around ESG. Simrin has an extensive business and marketing background, having worked as a strategy consultant at KPMG and been the business owner of a sustainable fashion brand. She has lived on 3 different continents and has travelled to more than 50 countries around the world, resulting in a comprehensive understanding of why ESG is important on a global scale. She believes that ESG is fundamental to the growth of businesses in the present day and is ardent about bringing awareness of the ever-changing regulations around Environmental, Social, and Governance.


Simplified Data Import & Export



Prior to moving to MetricStream to manage their GRC content, our customers would have been either leveraging competitor applications or managing all their data manually via spreadsheets. This huge volume of data would be in different forms and shapes which now needs to flow into our MetricStream system. So, it becomes important for our customers to have a smooth transition from their legacy applications to the MetricStream solution.

MetricStream’s Answer: Data Import & Export

MetricStream provided the “Data Import & Export” spreadsheet-based import framework to push data to our systems seamlessly. This framework allowed:

  • Migration of data from legacy systems into the MetricStream system
  • Bulk creation and updating of data into records, bulk creation of library objects like Risks, Controls, Processes, Auditable Entities, etc. and import system entities like Users, Organizations, etc.


However, although the existing framework enabled extensive usage, it still presented a few challenges. Our customers were operating with certain limitations around configurability and upgrade safety. And especially while importing high volumes of data, import wait time was high. Hence, rather than adding new features to the existing framework and tuning it, it was identified that developing a brand-new framework from scratch would reap more benefits strategically in the long run, which led to the birth of the “Simplified Data Import & Export” framework.



How Will the “Simplified Data Import & Export” Framework Help?

The new simplified data import & export framework is an effort to overcome the challenges which were faced in the existing framework.

Note: Adoption of Business Rules & Business APIs is a pre-requisite to enable Forms with the new framework.

Developer Community

  • A developer tool that will allow developers to easily configure and upgrade Safe Data Import & Export templates with minimal development effort
  • No additional development effort to have the Data Import & Export validations written separately, since the framework now relies on Business Rules, which will act as a common validation layer across Forms and Data Import
  • Relying on the BAPI underneath will make the framework more performant
  • Upgrade-safe, thereby reducing the time taken to upgrade to future releases or patches

Users of MetricStream

The new framework will co-exist with the existing data import & export framework, i.e., specific Forms can adopt the new framework. Users intending to move to the new framework for a specific Form will require the adoption of Business Rules and Business APIs for that corresponding Form.

The new framework enables:

  • Dynamic generation and leveraging of user-friendly templates
  • Import of attachments & ability to retain rich text format during import
  • Importing data at different workflow stages
  • Improved import & export status reports

The early adopters of the brand-new framework from Products include select Forms from GRCF, CMP and LSM.

In short, if your Forms are ready with the adoption of Business Rules and Business APIs, and you plan to leverage the Data Import & Export capability in your application, then the Simplified Data Import & Export framework should be your choice.

Stay tuned for more information on our product enhancements coming soon.


Veeraj Tallur Product Manager - Platform Team at MetricStream

Veeraj Tallur, Product Manager - Platform Team at MetricStream, has more than 10 years of experience in Product Management, with an additional interest in writing blogs and creating marketing content. Prior to joining MetricStream, he worked in the news and media industry, such as at Thomson Reuters, where he was responsible for creating external-facing financial market related content. Academically, he has an engineering degree in Electronics and Communication. In his free time, he loves to read blogs and go for long drives with his family.




Our European GRC Summit Roadshows and the Instagram of Risk



Talk about roundtrips… In the same week as a very successful 2021 GRC virtual summit on the 19 and 20 of October, where MetricStream had over 2500 customers, prospects, and partners registered to learn, participate, and share their experiences around GRC, IRM, and everything in between, we decided to host three physical summits based in London, Copenhagen, and Zurich to continue the conversations with our community.

All three locations had a boardroom style setting dedicated to a round table discussion. The aim was simple, we would listen to what our community had on their mind. It was an opportunity to find common synergies, lead round table discussions, and network with senior risk professionals that are paving the way in this industry.
With representation from risk, compliance, audit and IT Cyber, the discussions were captivating, and the commentary was electric.

London Calling



The first of the events started off in London, and we had a great mix of customers, partners, and prospects around the table.
Our CEO, Bruce Dahlgren introduced the session, and it was an engaging group that shared their thoughts and concerns around the current themes and trends.

Alongside the presentations, our partners gave a short speech on the success of collaborating with MetricStream to provide business benefits for our risk community. What followed was an insightful roundtable discussion that covered risk quantification, cyber security, and the need for organizations to lead with purpose.

It did not take long for ESG to make an appearance and quite rightly so, with COP26 on the agenda and the link to compliance, organizations that have a purpose and are aligning to social governance, diversity, and climate change are setting a precedent. MetricStream recently launched the ESGRC product, which enables organizations to define and manage ESG standards, frameworks, and disclosure requirements. There was a lot of excitement on this in the room.

Emerging risks and third-party risks were explored in detail. With recent supply chain disruptions, it became even more apparent how peripheral risks had to be managed.

Dinner followed, and the conversations (like the wine) continued flowing. It was delightful to see customers connecting with customers. It was evident that they all thrive in this environment and that it was clearly something they had sorely missed over the last 20 months.

Cycling through Denmark

We settled in for another topical roundtable discussion, where the thoughts and real-life examples of how technology is an enabler in the GRC space were deliberated. In some instances, the dialogue went back and forth. One example of this was that the concern organizations face with risk was not always a technology one, but more of a transformational project that the organization needed to resolve. Accompanying this was the remark that there are inconsistencies in risk terminologies across the industries, which fuels part of the problem. It was also surprising (to me) to learn that there were still so many organizations using spreadsheets to manage their risk. This was their default way to identify, monitor, and track risks, even though they knew it was not sustainable, efficient, or scalable.

The need for AI and ML to automate risk attributes was the next topical point. The comment was made that AI techniques recognize patterns and trends to help alleviate the pain, time, and missing information that humans cannot always detect, but how do you know that AI is doing the right thing? This conversation continued into the evening, accompanied by food and drinks.

High-End Shopping in Zurich

And finally, concluding the week in Zurich, we had another full house with an engaging group that deliberated on how they can start a community of risk or, as was suggested, the “Instagram of risk”. There were discussions around risk culture, accountability, accurate data, and mindset. Some customers admitted that it was quite possible to get lost in the data and what they require is speed, agility, and most of all simplicity. A comment was made that you could spend all your time managing documents and not the risk. Another referenced that, as change management sits in all departments including HR and legal, it can be a challenge to bring it all together for larger organizations. Crypto also made it into the discussion, with a notable mention that new risks have no historical data to base it on.

Visibility and accountability were front of mind in the discussions, and a common theme that was mentioned was on reporting risks up to the board of directors and the role of the board in risk governance.

MetricStream presented 5 current trends that we are observing in the industry and 5 innovation themes that we are leading the way with (API, AI, Adoption, Agility & Analytics).

By bridging the gap and driving value for the community, MetricStream has a purpose to continue to add value and innovate alongside our community. We want the community to thrive on risk and reap the rewards of being on a GRC journey that, like a good bottle of wine, gets better with age.

Until the next summit.



Towards Cyber Resilience: NIST’s Cybersecurity Framework for Ransomware Risk Management



The number of ransomware attacks on organizations around the globe is growing at an exponential rate with no signs of slowing down. According to Check Point, ransomware attacks grew by 102% in the first half of 2021 compared to the beginning of 2020.

Cybersecurity Ventures expects ransomware to attack a business, consumer, or device every 2 seconds by 2031, up from every 11 seconds this year, and estimates ransomware damages to cost the world $265 billion by 2031. To operate in this precarious digital landscape, organizations today must go the extra mile to ensure that their cyber defense mechanism is robust and effective.

In the wake of the significant surge in ransomware attacks, the National Institute of Standards and Technology (NIST) has published a new draft of its Cybersecurity Framework Profile for Ransomware Risk Management, which sets out guidance on how organizations can prevent, respond to, and recover from ransomware attacks.

The document details basic preventive steps to protect against the ransomware threat, including using antivirus at all times, keeping computers fully patched, continuous monitoring, segmenting internal networks, educating employees about social engineering, assigning and managing credential authorization, and many more.

The Five Cybersecurity Framework Functions

NIST has classified Cybersecurity Framework Functions into five categories: Identify, Protect, Detect, Respond, and Recover, and has suggested key measures under each of these functions to protect against ransomware threats.

Identify – This is the first step and the foundation for the rest of the framework. It requires developing an organization-wide understanding of systems, people, assets, data, and capabilities, and the associated cybersecurity risks. Some of the key suggestions made by NIST under this head include:

  • Creating, reviewing, and maintaining an inventory of all organizational data, personnel, devices, systems, and facilities
  • Prioritizing organizational resources based on their classification, criticality, and business value
  • Establishing cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders
  • Cataloging and mapping internal and external communications and data flows
  • Developing a comprehensive communication strategy that details the action plan in the event of an attack
  • Effectively managing legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations
  • Establishing and managing risk management processes agreed to by organizational stakeholders
  • Conducting response and recovery planning and testing with suppliers and third-party providers

Protect – This function is critical to limit or contain the impact of a potential cybersecurity event and involves implementing appropriate safeguards to ensure the delivery of critical services. Some of the key measures include:

  • Documenting and managing identities and credentials for authorized devices, users, and processes
  • Managing remote access to maintain the integrity of systems and data files
  • Effectively managing access permissions and authorizations, incorporating the principles of least privilege and separation of duties
  • Providing cybersecurity awareness education and training to employees
  • Managing information and data in a manner consistent with the organization’s risk strategy

Detect – This function requires the implementation of appropriate activities to identify the occurrence of a cybersecurity event and enables timely discovery of cybersecurity events. Some of the key suggestions include:

  • Detecting anomalous activity and understanding the potential impact of events
  • Continuous monitoring of information systems and assets
  • Maintaining and testing detection processes and procedures to ensure awareness of anomalous events

Respond – Once a cybersecurity incident is detected, the Respond function covers taking appropriate action and measures to contain the impact. NIST recommends:

  • Executing and maintaining response processes and procedures to ensure a response to detected cybersecurity incidents
  • Coordinating response activities with internal and external stakeholders
  • Conducting analysis to ensure effective response and support recovery activities
  • Performing activities to prevent the expansion of an event, mitigate its effects, and resolve the incident
  • Continuously improving organizational response activities by incorporating lessons learned from current and previous detection/response activities

Recover – This involves implementing appropriate activities to maintain plans to restore any capabilities or services that were impacted in a cybersecurity incident and helps an organization’s timely recovery to normal operations. Key measures include:

  • Executing and maintaining recovery processes and procedures to ensure restoration of systems or assets affected by cybersecurity incidents
  • Improving recovery planning and processes by incorporating lessons learned into future activities
  • Coordinating restoration activities with internal and external parties

How MetricStream Can Help

MetricStream welcomes the ransomware guidance from NIST. Such practical frameworks can considerably help CISOs and security teams to develop an effective cybersecurity strategy from the ground up and evaluate their existing strategy for any gaps or loopholes.

The MetricStream IT and Cyber Risk and Compliance solution is aligned to the capabilities detailed in the NIST guidance. It helps organizations to proactively anticipate and minimize IT and cyber risks, threats, vulnerabilities, and multiple IT compliance requirements. The solution cuts across enterprise silos by facilitating harmonization between various functions, aggregating information, and providing a 360-degree, real-time view of IT risk, compliance, policy management, and IT vendor posture. It also enables enterprises to execute and manage an effective business continuity and disaster recovery program.

Pat McParland

Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.



Power What’s Next in GRC with MetricStream’s Brazos Software Release

3 min read


The demands and requirements of businesses to thrive in the new normal have changed drastically. Buzz words like agility, digitization, and resilience are no longer just business aspirations but have become necessary and fundamental for the readiness of organizations to address any risk event, including high-impact, low-frequency events such as COVID-19. With the latest Brazos release, we are delivering a myriad of innovations to support organizations in their journey to achieve their business goals and power through the current unsettled operational environment.

Brazos builds upon the previous Arno release and includes key innovations in areas including regulatory compliance, cyber risk quantification, and vendor risk management. The objective is to make the processes simpler, smarter, and more streamlined.

Simplifying Regulatory Complexity

Given the complex web of regulations, along with the escalating number of regulatory change alerts that organizations are bombarded with every day, it has become imperative to simplify the compliance function to make it more efficient and systematic. On these lines, the Brazos release brings new capabilities to our regulatory compliance products, including:

  • Fully packaged, real-time curated regulatory intelligence from 1,000 supervisory bodies and 2,500 collections of regulatory/legislative materials facilitating efficient management of regulation overload.
  • Certification and sub-certification processes enabling the creation of accountability chains.
  • Contextual intelligence on policies allowing compliance teams to easily identify the policy section related to regulations, risks, and controls.
  • Artificial Intelligence (AI)-powered action plan recommendations based on semantically similar compliance issues reported in the past for quick and easy resolution.
  • Multiple enhancements to the Mobile App that simplify searching policies, tracking regulatory changes, and managing compliance assessments and regulatory engagement activities.

Quantifying the Impact of Cyber Risks

Cyber risk quantification, or quantifying cyber risks in monetary terms, is critical for cybersecurity professionals today to effectively communicate the cyber risk exposure to the top management and board. By understanding the potential impact of cyber risks in dollar values, decision-makers are better positioned to prioritize IT cyber risk spending, resource allocation, and establishment of optimal controls.

Brazos brings advanced cyber risk quantification capabilities to IT and Cyber Risk Management, enabling cybersecurity teams to leverage the industry standard FAIR methodology to quantify their cyber risks in monetary value. In addition, advanced Monte Carlo simulation capabilities help upgrade the assessment teams’ guesstimates into accurate predictive values of the cyber risk exposure.

Powering Next-Gen Vendor Risk Management with AI

Managing risks associated with the extended enterprise quickly and efficiently is crucial for ensuring continued business operations. Supplier networks of organizations today comprise hundreds and thousands of third, fourth, and subsequent parties. A manual approach to reviewing third- and fourth-party documentation, including reports, certificates, and evidence, to spot any discrepancies is time-consuming and prone to error.

We are addressing this challenge by bringing the benefits of artificial intelligence (AI) and automation to Third-Party Management with the latest release. MetricStream’s AI engine automatically scans through the documents submitted by the third parties, validates the content, highlights any anomalies, and automatically recommends risk scores based on the number and type of anomalies found. This real-time intelligence equips risk teams to accelerate analysis and mitigation of third-party risks.

With Brazos, we are setting a new standard by implementing AI into multiple GRC products, empowering risk, compliance, security, and audit professionals to better perform their roles and responsibilities. The release also provides a simplified user experience and enhances agility for faster time to value with:

  • High configurability capabilities across the MetricStream Platform.
  • Enhanced frontline capabilities to anonymously report compliance cases.
  • Improved mobile capabilities for regulatory compliance, IT compliance, and audit.
  • Content Integration Service that leverages REST APIs to import content from external sources.
  • Better collaboration and improved cross-referencing in audit workpapers within Microsoft Word.

We are constantly striving to make your GRC journey exciting, enriching, and fun. The latest software release is guided by our key tenet of helping organizations accelerate sustainable growth with risk-aware decisions. The new features and functionalities extend the capabilities of MetricStream Platform and products and will enable you to meet the evolving business needs in this digitized world.
