The global risk landscape is evolving continuously, necessitating rapid changes to regulatory frameworks, standards, and governance, risk, and compliance (GRC) functions. Enterprise GRC strategies need to be agile to adapt to these changes and ensure error-free compliance. However, traditional approaches to software and service delivery cannot deliver this agility. A low-code, no-code platform, built with visual interfaces and pre-built components that can be assembled to create functional applications, empowers organizations to quickly and easily customize GRC software to their requirements.
MetricStream’s low code, no code platform is focused on accelerating GRC program performance with a quicker, more secure, and personalized connected GRC experience. I spoke in-depth on the topic at the 2023 GRC Summit in Miami. Scroll down to check out the top takeaways from the session.
Watch Session: Product Session: Low Code, No Code
MetricStream’s updated low code, no code platform is designed to meet the specific business needs of the GRC community. The platform ensures higher agility by enabling easy tailoring of GRC applications in response to changes in the business environment. It reduces configuration time to facilitate accelerated application development. And it ensures quick adaptation to changing regulations for error-free compliance.
The latest updated platform allows customers to effortlessly customize our products by utilizing a user-friendly Domain Specific Language (DSL) for defining and crafting business rules. It also enables upgrade-safe changes.
The new and enhanced features within MetricStream’s low code, no code platform include:
With MetricStream’s updated low code, no code platform, organizations benefit from:
Managing seamless GRC functions in a landscape marked by increasing risk and disruption is no mean feat. Organizations need a powerful GRC platform that can be easily customized to meet their requirements as well as modified to keep pace with changing regulations. MetricStream’s updated low code, no code platform offers greater scalability and flexibility and enables organizations to execute their connected GRC strategies faster, easier, and in a more secure manner.
Excited to learn more? Request a demo now!
Watch the full session: Product Session: Low Code, No Code
In the rapidly evolving landscape of technology, quantum computing has emerged as a disruptive force with the potential to revolutionize a range of industries. Could this technology be applied to the field of Governance, Risk and Compliance?
Quantum computing harnesses the principles of quantum mechanics to process information in ways that classical computers simply cannot achieve, performing complex calculations at speeds that were once thought impossible - more than 100 million times faster than any other computer we know today. This extraordinary computational power has led to quantum computing being explored across multiple sectors, from healthcare and finance to materials science and cryptography.
Quantum computing has found applications in a myriad of industries, ushering in new possibilities and transforming conventional practices.
In the field of healthcare, quantum computing is making strides in drug discovery, simulating complex molecular interactions with unparalleled accuracy. This acceleration of the drug discovery process holds the potential to revolutionize medical treatments and therapies, leading to more effective interventions for various diseases.
Quantum computing has also made significant inroads into the financial sector, particularly in optimizing investment portfolios and financial risk management. The ability to solve intricate optimization problems in real-time enables financial institutions to make well-informed decisions that maximize returns while minimizing risks. This is particularly relevant in today’s fast-paced and volatile markets, where timely and data-driven decisions are paramount.
In the realm of materials science, meanwhile, quantum computing is unlocking new frontiers by simulating the behavior of materials at the quantum level. This enables researchers to design and discover novel materials with specific properties, revolutionizing industries that rely on advanced materials, such as electronics, energy storage, and manufacturing.
Quantum computing’s impact extends to the field of cryptography, too, where it both presents challenges and offers solutions. Quantum computers have the potential to break conventional encryption methods, prompting the exploration of quantum-resistant encryption techniques to safeguard sensitive data in a post-quantum era.
The field of Governance, Risk, and Compliance (GRC) is characterized by its intricate web of regulations, data analysis, and strategic decision-making, making it a natural candidate for the application of quantum computing.
Quantum computing’s unique computational abilities have the potential to redefine how organizations approach GRC, enabling more accurate risk assessments, enhanced compliance management, and optimized decision-making.
Let’s consider the specific ways in which quantum computing may be harnessed within the realm of GRC:
Risk assessment lies at the core of effective GRC practices. Quantum computing’s remarkable processing power can accelerate risk modeling and analysis by handling a multitude of variables simultaneously. Traditional risk assessments often involve intricate simulations that demand extensive time and resources. Quantum computing’s ability to process complex mathematical equations at speeds that were once unimaginable empowers organizations to conduct real-time risk assessments, thus enabling them to identify potential vulnerabilities promptly.
Fraud detection is a perpetual challenge across various industries. Quantum computing’s ability to process vast datasets in parallel can significantly enhance fraud detection algorithms. By swiftly analyzing transaction patterns and identifying anomalies, quantum-powered systems can detect fraudulent activities in real-time, curbing financial losses and safeguarding organizational reputation.
The GRC landscape involves complex regulatory frameworks that demand meticulous adherence. Quantum computing can streamline compliance monitoring by analyzing intricate regulations and standards. By mapping an organization’s processes against a vast array of compliance requirements, quantum-powered systems can ensure a higher degree of accuracy in compliance management and minimize the risk of violations.
Quantum computing’s prowess in solving complex optimization problems has profound implications for GRC decision-making. Whether it’s resource allocation, supply chain optimization, or portfolio management, quantum algorithms can identify the most efficient and compliant solutions. This enables organizations to make informed decisions that align with their strategic goals while mitigating potential risks.
Quantum computing not only presents challenges to classical encryption methods but also offers the potential to create more robust encryption techniques. As data breaches become increasingly sophisticated, quantum-ready encryption methods can fortify data security and privacy in GRC operations. This is particularly relevant in industries where data confidentiality is paramount, such as healthcare and finance.
It is the responsibility (and the burden!) of GRC professionals to grapple with preparing for various contingencies. Quantum computing’s ability to perform rapid simulations and scenario analyses can assist organizations in devising robust contingency plans. By evaluating multiple variables simultaneously, quantum-powered systems can rapidly provide insights into the potential outcomes of different risk scenarios, enabling proactive risk mitigation.
The massive processing power achievable with quantum computing offers our industry many benefits, and opportunities. Here are just a few examples:
Imagine a global electronics manufacturer that relies on an intricate network of suppliers. Quantum computing can rapidly analyze diverse risk factors—such as geopolitical instability, supply chain disruptions, and regulatory changes—to help the organization develop agile supply chain strategies that mitigate potential disruptions and ensure business continuity.
Financial institutions grappling with AML regulations could leverage quantum computing’s processing power to enhance transaction monitoring and anomaly detection. Quantum algorithms can analyze vast transaction datasets to uncover subtle patterns indicative of money laundering, thereby strengthening AML efforts and reducing financial risks.
In industries susceptible to environmental risks, such as energy and mining, quantum computing can assist in analyzing complex geological and environmental data. By processing intricate models and simulations, quantum-powered systems can enable more accurate predictions of potential environmental impacts, aiding organizations in adhering to regulatory standards and minimizing ecological risks.
The healthcare sector, laden with stringent compliance requirements, could leverage quantum computing to navigate the complexities of regulations like HIPAA (Health Insurance Portability and Accountability Act). Quantum algorithms can swiftly assess an organization’s processes, data handling practices, and privacy measures against regulatory standards, ensuring compliance and minimizing legal risks.
The potential applications of quantum computing in Governance, Risk, and Compliance offer the promise of transforming how organizations approach complex challenges, manage risks, and ensure ethical practices.
As quantum technology continues to evolve, organizations must seize the opportunity to integrate quantum computing into their GRC strategies, laying the foundation for a more resilient, compliant, and strategically adept future.
Although there may be hurdles and ethical considerations to overcome, the immense potential benefits of quantum computing cannot be ignored. By utilizing this emerging technology to enhance their GRC approach, organizations have the opportunity to strengthen their systems and controls, safeguard against unforeseen risks, and position themselves as pioneers in a quickly changing tech space. Ultimately, by embracing this quantum leap, organizations can unlock immense potential for growth, expansion, and long-term success.
The above blog was originally published as an article by the author on LinkedIn. Read the original version here.
In today’s digital-first world, companies continuously organize and reorganize via corporate divestiture, diversification, merger, or acquisition to gain efficiencies and market share. Re-structuring, changes to roles and responsibilities, updates to project teams, addition of third parties, and more happen continuously. As the organization evolves and changes its footprint, its internal structure becomes increasingly complex with multiple layers of hierarchy. These hierarchies could span across business units, business functions, geographical locations, legal entities, and similar dimensions.
In a multi-hierarchical organization, it is critical to maintain continuous visibility into the risks and compliance functions at the granular level during and after the transition. While each of the underlying dimensions can be viewed independently, it is critical to understand their points of intersections, interdependencies, and interplays. As the organization restructures, it is important to not forget the impact of these changes on the risk and compliance aspects.
A robust GRC process should be able to function with these multi-hierarchical structures:
An organization model such as the Single Dimensional Organization Structure (SDOS) falls short of meeting the requirements that arise in a dynamic hierarchical organization. SDOS typically supports a relatively flat structure with little access to granular data and cannot adapt to dynamic changes. Clearly, it is time for a complete redesign of compliance modeling from the ground up.
Realizing the growing needs of complex multi-hierarchical organizations, MetricStream built the patented MDOS (Multi-Dimensional Organization Structure) capability into its industry-leading MetricStream Platform. This innovative functionality supports multifarious organizational structures with a flexible data model that supports up to six dimensions. Using MDOS, enterprises now have the ability to set up several multi-hierarchy configurations that map directly to their real-world hierarchical structures. Each of these multi-hierarchy structures can now be treated as a dimension of the overall organizational makeup.
These dimensions are fully configurable: users can decide what dimensions they want to include depending on their needs.
Given an enterprise, a user can map up to six dimensions (or attributes) like company, legal entity, business function, location, line of defense, restrictions, language, or any other. Each dimension can be linked to the organization’s single source of data.
For example, a company “ABC” with operations across, say, Europe can select function, location, and legal entity as its dimensions. The user can then select any combination of the three to view the relevant details, for instance, the compliance function in Germany for its subsidiary, the “XYZ” legal entity.
The MDOS framework also allows various similar but siloed functions to be consolidated under one common corporate unit. As an example, suppose a business conglomerate owns eight different companies, each with its own HR department. To review a single HR function, a user would have to navigate eight different organizational units. With MDOS, all HR units can be consolidated into a single HR entity under a common corporate functional unit without any loss of granularity. Clearly, this drastically reduces complexity and makes compliance monitoring simpler.
MDOS helps reduce the number of nodes in the organizational hierarchy by eliminating duplication without sacrificing detail. The platform ensures completeness and avoids the issues caused by a lack of mutual exclusivity in the current structure.
Users have the flexibility of selecting values from any combination of dimensions in a unified single screen. This helps in accurately gauging the organizational risk profile and performing risk assessments for a specific dimension. This functionality is key to creating customized reports for actionable insights.
The framework provides a hierarchical visualization of the organization structure to the users. It also gives the users the ability to search on each dimension instead of an expensive ‘contains’ search.
In this framework, users are mapped to an MDOS Organization Role combination, and access is driven based on this mapping.
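As an added illustration (constructed example, not MetricStream’s MDOS code), the following Python sketches the ideas described above: organization nodes tagged with up to six configurable dimensions, selection by any combination of dimension values (the ABC/XYZ case), consolidation of eight HR departments under one corporate unit without losing detail, and access driven by a user-to-organization/role mapping. All entity names other than ABC and XYZ are constructed.

```python
# Illustrative multi-dimensional organization model (constructed example, not MetricStream's MDOS code).
MAX_DIMENSIONS = 6  # the text states MDOS supports up to six dimensions


class OrgModel:
    """Each org node carries one value per configured dimension; access is keyed on (role, dimension scope)."""

    def __init__(self, dimensions):
        if not 0 < len(dimensions) <= MAX_DIMENSIONS:
            raise ValueError(f"configure between 1 and {MAX_DIMENSIONS} dimensions")
        self.dimensions = tuple(dimensions)
        self.nodes = []    # list of dicts: {"name": ..., <dimension>: <value>, ...}
        self.grants = {}   # user -> list of (role, scope dict)

    def _check(self, criteria):
        """Reject dimension names that were never configured, so typos cannot silently widen a query."""
        unknown = set(criteria) - set(self.dimensions)
        if unknown:
            raise ValueError(f"unknown dimensions: {sorted(unknown)}")

    def add_node(self, name, **coords):
        self._check(coords)
        node = {"name": name, **{d: coords.get(d) for d in self.dimensions}}
        self.nodes.append(node)
        return node

    def select(self, **criteria):
        """Return nodes matching every given dimension value; any combination of dimensions may be used."""
        self._check(criteria)
        return [n for n in self.nodes if all(n[d] == v for d, v in criteria.items())]

    def consolidate(self, dimension, value):
        """Group every node sharing one dimension value (e.g. function=HR) under a single corporate unit.
        Members keep their other dimension values, so no granularity is lost."""
        return {"unit": f"Corporate {value}", "members": self.select(**{dimension: value})}

    def grant(self, user, role, **scope):
        """Map a user to a role within a dimension-value combination (the organization/role mapping)."""
        self._check(scope)
        self.grants.setdefault(user, []).append((role, scope))

    def can_access(self, user, role, node):
        """Allow only when some grant carries the requested role and its scope covers the node."""
        return any(
            r == role and all(node[d] == v for d, v in scope.items())
            for r, scope in self.grants.get(user, [])
        )


def build_demo():
    """Constructed sample: conglomerate 'ABC' owning eight legal entities, each with HR and Compliance."""
    org = OrgModel(["company", "legal_entity", "function", "location"])
    entities = [("XYZ", "Germany"), ("E2", "France"), ("E3", "Spain"), ("E4", "Italy"),
                ("E5", "Poland"), ("E6", "Sweden"), ("E7", "Austria"), ("E8", "Ireland")]
    for entity, country in entities:
        for function in ("HR", "Compliance"):
            org.add_node(f"{entity} {function}", company="ABC", legal_entity=entity,
                         function=function, location=country)
    # A compliance officer scoped to the XYZ entity only, and a group-wide HR lead.
    org.grant("alice", "compliance_officer", legal_entity="XYZ")
    org.grant("bob", "hr_lead", company="ABC", function="HR")
    return org


if __name__ == "__main__":
    org = build_demo()
    print(org.select(function="Compliance", location="Germany", legal_entity="XYZ"))
    print(len(org.consolidate("function", "HR")["members"]), "HR units under one corporate HR entity")
```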
MetricStream has recently secured patent rights for MDOS. It is the only GRC platform capable of modeling complex, multi-dimensional organizational structures. This facilitates setting up specific and targeted risk response and restrictions across the enterprise.
MDOS assists companies in rapidly re-tooling their GRC solution in response to an organizational change, thus minimizing downtime and preserving visibility into risk and compliance functions. The framework also provides useful add-ons such as an MDOS widget, granular access control mechanisms, and Universal Search with MDOS-based security.
As an example, a large financial institution in North America with more than 300 decentralized organizations across eight geographical regions recently deployed the MetricStream Platform supported by the MDOS capability. With the implementation, the company went from the previous 310 organizational units to a rationalized structure with 113 organizational units and saw a 30 percent improvement in reporting and analytics for legal entities and a lower overall cost of ownership.
“Change is constant in the business environment and systems need to ebb and flow with major organization changes or organizations will be left vulnerable in transition.”
- Vidyadhar Phalke, Chief Technology Evangelist, MetricStream
At the recent European Compliance Week event, as well as interviewing compliance professionals, I was fortunate enough to moderate a panel session. Below are the highlights of my discussions.
In the wake of such a devastating pandemic, one that arrived so quickly and unfortunately continues to mutate, compliance professionals were catapulted into the limelight by proactively updating compliance programs. For this to work, there needed to be clear communication, outstanding cross-function cooperation, and a strong element of business resilience.
Successful compliance departments create an environment where the right channels are fostered and compliance policies which include the encompassing code of conduct document are regularly updated.
Organizations have found it challenging to track third-party vendors, who, although they can be strategic partners and play a pivotal role in an organization’s supply chain, still need to be managed delicately. Compliance assessments, control testing, policy, and process updates have all been challenging at a time when remote working is a permanent fixture for millions of us.
Compliance teams have shown agility. They are pushing for C-suite representation and asking for support to cope with the stress and additional work burden.
CEOs have to steer the ship and address the pressures of results and the overall performance, but what is equally important is promoting the right culture. Although it might start from the top, all employees need to take responsibility. Compliance and the value associated with it should not be sidelined. It needs strong representation and respective departments should stay close to their compliance teams.
The compliance lens needs to marry up with the commercial lens. Once you show commercial benefits, you have senior management buy-in. Again, a point that is strongly correlated with fostering the right culture and promoting the right conversations.
Compliance officers need to recognize the organization’s business needs and challenges. They should take an interest in their colleagues’ priorities and build relationships (even if it needs to be done remotely).
Data is of particular concern. Today, companies gather, create, and store an eyewatering amount of it. Most probably, this data will be saved for a rainy day. However, without the right technology, data can do more harm than good. Technology has the prowess to identify, manage, and evaluate the data so strategic decisions can be executed.
The importance of technology has taken center stage. We are in a phase where agility and adaptability are strong contenders to disrupt the old ways of thinking. Implementing the right technology does not take as long as you think. Organizations are realizing the rationale of a solution that works for them, whether to replace their existing technology or supersede their in-house functionality. Compliance teams need structure; they need to understand the ever-changing regulatory environment, demonstrate how policy management will influence their markets, and provide solutions for observations and whistleblowing.
Companies that adopt, implement, and embrace the right technology will significantly notice improvements across the spectrum and align their business objectives with their compliance needs.
Examples of where technology has helped these teams include:
With an increase in business risk, social unrest, and climate change, compliance is not an easy task, and without fully digitized platforms and processes, organizations may be left behind.
As we step into a new year, there are several points for consideration:
To build effective compliance programs, organizations need robust, automated compliance tools that make it easier to identify and manage regulatory changes, assess and test controls, and improve visibility into compliance across the enterprise. With the right technology, processes, and teams, organizations can transform compliance into a strong competitive advantage, strengthening trust and credibility with stakeholders, customers, and regulators.
“Life is either a daring adventure or nothing at all.” Compliance officers, you are doing a great job.
This blog is part of the Instagram of Risk Blog Series, authored by Suneel Sahi, VP, Product Marketing at MetricStream, which captures discussions and insights trending in the risk community.
Check out Suneel’s other ‘Instagram of Risk’ blogs on the key takeaways from the Chartered Institute of Internal Auditors event in London and the Oct 21 MetricStream GRC Summit held in London, Copenhagen, and Zurich.
As organizations look to harness the power of next-generation technologies and thrive in the era of the Fourth Industrial Revolution, the focus on data is now more critical than ever. It wouldn’t be wrong to say that it is data that runs the modern enterprise in today’s digitized world.
It’s often said that data is the new oil. However, data in itself cannot drive business value—it is only when it is transformed into actionable intelligence that it can enable effective decision-making.
That said, many organizations today lack common taxonomies and structured processes, resulting in unstructured data which is difficult to analyze. This is a major challenge for risk, audit, compliance, and IT & cyber teams as they end up spending most of their time going through this data rather than analyzing it for making strategic business decisions.
Streamlining the processes and workflow and automating them with the right set of tools and technologies is an absolute must for unlocking the true potential of data. By leveraging artificial intelligence (AI), organizations can quickly get insights, identify patterns, avoid duplicate effort, apply the right actions, and better focus on decision-making that helps the business.
Organizations today operate in a complex and unsettled business environment with amplified digital interconnectedness of people, processes, systems, and organizations, rapidly evolving risk and regulatory landscape, geopolitical uncertainty, and more. Furthermore, recent risk events, such as the pandemic, have underscored the importance of a future-ready GRC framework as organizations had an extremely short window of time to act.
Here, AI can be a gamechanger. It can empower organizations to break free from the clutches of siloed operations and facilitate integration and harmonization. Most importantly, it can drastically improve the speed at which risk, audit, compliance, and IT & cyber teams can locate relevant data and information, thereby expediting quick and fact-based decision-making.
AI is an integral component of the MetricStream Platform, deployed and operationalized using cloud-first practices, and can be used to build any model or automate any GRC use case. MetricStream currently offers pre-built AI-powered recommendations to transform and automate GRC processes. It automatically provides key recommendations to users based on the historical patterns, so that organizations can further improve user experience and drive intelligent business decisions.
Here are some of the areas where we are bringing AI capabilities:
Issue & Action Management: MetricStream uses the core strength of AI by leveraging semantic analytics with natural language processing that can be used to identify patterns in issues and actions that can originate from any program – be it enterprise and operational risk, compliance, audit, third-party, or IT & cybersecurity. MetricStream’s AI-powered issue and action management provides recommendations to categorize issues based on their semantic similarity and automatically recommends duplicate issues and best possible action plans based on historical trends and business context.
Smart Policy Search: MetricStream’s AI-powered smart policy search simplifies the task of searching for policies using a natural language processing (NLP) based semantic search. It improves search accuracy by understanding the searcher’s intent through contextual meaning.
Observations Triage: As organizations are increasingly enabling the frontline to capture observations, they will have to manage a large number of observations. With such a high volume of observations being reported, the triage process becomes tedious. MetricStream AI-powered recommendation automatically provides recommendations to classify observations as a case, incident, issue, or loss event. This enhances the efficiency of the triage team.
Risk Scoring of Third Parties: As part of risk assessments, third parties must periodically submit detailed SOC2 and SOC3 reports as evidence of robust compliance and controls in their infrastructure and security. MetricStream AI-powered recommendations for third-party risk can automatically extract content from SOC2 and SOC3 reports, compute, and risk rank the third parties based on the number and type of anomalies in the report.
To learn more about MetricStream’s AI capabilities, click here.
At the beginning of November, I attended the Chartered Institute of Internal Auditors event in London, where MetricStream was exhibiting. I had the opportunity to network with the delegates and attend the keynote session. This was my takeaway.
Listening to the main presentation, set on a stage in a room full of financial professionals, was anything but jaded. The presenter had the room in tears of laughter as he compared some people in the industry to cliff divers: the adrenaline rush as you look down and see the water below, looking incredibly far away, can make you run a mile. In a similar setting, the telltale signs of so many companies that got their accounts wrong and had to declare bankruptcy were a revelation, but no laughing matter.
You can say that hindsight is a wonderful thing, but a closer look at these failed companies’ balance sheets and annual reports would make the hairs on the back of your neck stand up. With falling share prices, falling short of analysts’ expectations, or a sudden change of management, there are several ways you can disappoint shareholders. However, when you add creative accounting to the mix, it becomes a poisoned chalice.
But who stands to be framed when companies are in serious trouble with deceiving accounts? Is it the management team or the auditors? Is it the investors or the bankers? Or should the blame be shared between them all?
Let’s compare this to an iceberg: only 10% of it is above the water and the rest is submerged under the sea, which is very much like the accounts of a firm. On the surface everything looks fine, but if you dig a bit deeper you will unearth several surprises that are not what they seem.
The audit profession is subject to strict oversight, and ultimately CEOs and directors of companies will take full responsibility. This is where the buck stops. Audit teams need to become more agile, and they need to consider several factors, especially when considering internal controls, including third-party risk, cyber security, data governance, and data compliance.
Auditors who use the latest technology within their own teams are well equipped to understand the associated risks with security issues and system failures.
When dealing with a company’s financial records, auditors need to be aware of other indicators that may cause a company to nosedive:
Having an audit program that is aligned to organizational goals and prepared for multi-dimensional risks, while preserving the trust of every stakeholder, will shape your audit universe.
Companies need to create agility and collaborate across teams to optimize audit productivity and allocate resources based on the highest risk impact.
There is a lot to be said about the right technology and choosing the right provider, which includes:
The secret is to leverage a centralized risk framework, as audit planning is central.
With the right data, wrapped in a dashboard, you can generate draft or even final audit reports with review and approval workflows. You can gain real-time access to audit data with status reports. With risk assessments, you can document, manage, and assess risk across the organization.
The right audit platform accelerates audit cycles, helps improve audit strategies, reduces audit costs, and enhances auditor productivity.
And of course, you can provide external auditors and regulators with access to audit data for pre-defined time periods.
At MetricStream, our audit team community has transformed their departments by embracing the latest technology. They are truly the Instagram of Risk.
That reminds me, until the next time we meet, stay away from cliff diving.
This blog is the second in the Instagram of Risk blog series. Read the first blog where Suneel summarizes the key takeaways from the in-person events of the Oct 21 GRC Summit held in London, Copenhagen, and Zurich.
ESG – these are the most frequently spoken letters in boardrooms across the globe. From sustainable investing to emerging regulations, it is a burning topic for board directors, c-suite executives, and finance professionals. Some see ESG as an evolutionary journey to become a better corporate citizen. Others see it as the brave new world of sustainable investing. This article will discuss some of the key challenges faced by risk and compliance leaders embracing the task of building corporate ESG programs. The road ahead for these pioneers is both exciting and murky. Building an ESG program is not a quick fix. It is tempting to sweep ESG under sustainability or environmental management. Others might simply categorize it as part of GRC. While both are correct, ESG is a delicate topic and requires more than just a one-size-fits-all solution. To understand ESG from the risk and compliance perspective, it is worth digging a level down to understand what the key driving forces are.
In less than two years, the world witnessed major catalysts fueling the unprecedented acceleration of ESG: growing concerns about lasting environmental effects, widespread socioeconomic and human rights issues, and demand for greater corporate transparency. ESG carries material impacts and possesses the ability to influence the future of an organization. In 2020 alone, the US ESG ETF market saw a 318% year-over-year increase. Prior to 2019 and the global COVID-19 pandemic, ESG investing was merely a niche market, experiencing relatively insignificant growth. It is reasonable to assume that a significant portion of global capital is now being reallocated from “weak ESG” companies to “strong ESG” companies at an exponential rate never seen before.
The growth of ESG investing has given rise to yet another problem: greenwashing, that is, companies making inaccurate claims about their environmental and social responsibility efforts. This is not necessarily intentional or toxic corporate behavior. ESG disclosure is inherently a tricky exercise. It involves a great deal of effort, time, and money. On top of that, there is very little guidance on which disclosure frameworks to use and how to use them. To further complicate the matter, regulators around the globe are starting to zero in on greenwashing. For instance, European Union regulators launched a new set of ESG regulations in early 2021. The Sustainable Finance Disclosure Regulation (SFDR) sets mandatory disclosure requirements for financial market participants and financial advisers operating in the EU. These organizations will be required to follow specific mandates on how and what to disclose on an annual basis. Compliance reporting has never been straightforward. From Sarbanes-Oxley to GDPR, compliance leaders around the world have seen their fair share of ups and downs navigating these turbulent seas.
There is yet another angle to consider. From institutional to retail investors, the ESG index score has become a popular metric when it comes to investment decisions. An ESG index score is essentially the grade point average or credit rating of a company’s ESG performance. These figures don’t lie and are quite accurate. For instance, MSCI is one of the leading investment research firms offering an ESG index score on over 2,800 companies. These companies are assessed on thousands of ESG-related data points and ranked against their peers. Investors leverage this research to understand the current state and potential long-term risk implications of companies. Index scores from different firms are typically used in conjunction for a broader perspective. This is an important consideration for the risk and compliance leaders managing ESG. Understanding the metrics and frameworks behind these index scores can not only help a company’s ESG ranking but, more importantly, keep risks under control and make the company more sustainable overall. These index scores should not be looked at as cheat sheets for a better ESG ranking, but rather as guidelines to better corporate citizenship.
Global ESG assets are projected to exceed $53 trillion by 2025, more than a third of the projected total assets under management worldwide. ESG is expanding and by no means plateauing. These investment trends and regulatory changes are just the early stages. ESG investment products will continue to become more complex, and regulators will increase their focus on this matter. From the 2007-08 financial crisis to the COVID-19 global pandemic, and many challenges before them, the answer has never been a simple one-size-fits-all solution, but a constant battle of wits and strength.
Learn more about MetricStream’s ESGRC product. Download the product overview to discover how MetricStream’s ESGRC product can get you started on your ESG journey.
Watch the video to gain a deeper insight into how MetricStream’s ESGRC product can help your organization take the next step in your ESG journey.
Prior to moving to MetricStream to manage their GRC content, our customers were typically either using competitor applications or managing all their data manually in spreadsheets. This large volume of data comes in many different forms and shapes and now needs to flow into the MetricStream system. So it is important for our customers to have a smooth transition from their legacy applications to the MetricStream solution.
MetricStream provided the “Data Import & Export” spreadsheet-based import framework to push data to our systems seamlessly. This framework allowed:
However, although the existing framework was widely used, it still presented a few challenges. Our customers were operating with certain limitations around configurability and upgrade safety, and when importing high volumes of data in particular, import wait times were long. Hence, rather than adding new features to the existing framework and tuning it, we concluded that developing a brand-new framework from scratch would deliver more benefit strategically in the long run. This led to the birth of the “Simplified Data Import & Export” framework.
The new Simplified Data Import & Export framework is an effort to overcome the challenges faced with the existing framework.
Note: Adoption of Business Rules and Business APIs is a prerequisite for enabling Forms with the new framework.
The new framework will co-exist with the existing Data Import & Export framework, i.e., specific Forms can adopt the new framework. Users intending to move a specific Form to the new framework will need to adopt Business Rules and Business APIs for that Form.
The new framework enables:
The early adopters of the brand-new framework from Products include select Forms from GRCF, CMP and LSM.
In short, if your Forms are ready with the adoption of Business Rules and Business APIs, and you plan to leverage the Data Import & Export capability in your application, then, the Simplified Data Import & Export framework should be your choice.
Stay tuned for more information on our product enhancements coming soon.
Request a demo to learn more about how MetricStream can help your organization enable risk-informed decisions that accelerate business performance.
Talk about round trips. In the same week as our very successful 2021 GRC virtual summit on 19 and 20 October, where MetricStream had over 2,500 customers, prospects, and partners registered to learn, participate, and share their experiences around GRC, IRM, and everything in between, we decided to host three physical summits in London, Copenhagen, and Zurich to continue the conversations with our community.
All three locations had a boardroom-style setting dedicated to a round table discussion. The aim was simple: we would listen to what our community had on their mind. It was an opportunity to find common synergies, lead round table discussions, and network with senior risk professionals who are paving the way in this industry.
With representation from risk, compliance, audit, and IT/cyber, the discussions were captivating and the commentary was electric.
The first of the events started off in London, and we had a great mix of customers, partners, and prospects around the table.
Our CEO, Bruce Dahlgren, introduced the session, and it was an engaging group that shared their thoughts and concerns around the current themes and trends.
Alongside the presentations, our partners gave a short talk on the success of collaborating with MetricStream to deliver business benefits for our risk community. What followed was an insightful roundtable discussion that covered risk quantification, cyber security, and the need for organizations to lead with purpose.
It did not take long for ESG to make an appearance, and quite rightly so: with COP26 on the agenda and the link to compliance, organizations that have a purpose and are aligning to social governance, diversity, and climate change are setting a precedent. MetricStream recently launched the ESGRC product, which enables organizations to define and manage ESG standards, frameworks, and disclosure requirements. There was a lot of excitement about this in the room.
Emerging risks and third-party risks were explored in detail. With recent supply chain disruptions, it became even more apparent how peripheral risks had to be managed.
Dinner followed, and the conversations (like the wine) continued flowing. It was delightful to see customers connecting with customers. It was evident that they all thrive in this environment and that it was clearly something they had sorely missed over the last 20 months.
We settled in for another topical roundtable discussion, where thoughts and real-life examples of how technology is an enabler in the GRC space were deliberated. In some instances, the dialogue went back and forth. One example was the view that the challenge organizations face with risk is not always a technology one, but more a transformation project that the organization needs to carry out. Accompanying this was the remark that inconsistencies in risk terminology across industries fuel part of the problem. It was also surprising (to me) to learn that there were still so many organizations using spreadsheets to manage their risk. This was their default way to identify, monitor, and track risks, even though they knew it was not sustainable, efficient, or scalable.
The need for AI and ML to automate risk attributes was the next topical point. The comment was made that AI techniques recognize patterns and trends to help alleviate the pain, time, and missing information that humans cannot always detect, but how do you know that the AI is doing the right thing? This conversation continued into the evening, accompanied by food and drinks.
And finally, concluding the week in Zurich, we had another full house with an engaging group that deliberated on how they could start a community of risk or, as was suggested, the “Instagram of risk”. There were discussions around risk culture, accountability, accurate data, and mindset. Some customers admitted that it was quite possible to get lost in the data, and that what they require is speed, agility, and most of all simplicity. A comment was made that you could spend all your time managing documents and not the risk. Another noted that, as change management sits in all departments including HR and legal, it can be a challenge for larger organizations to bring it all together. Crypto also made it into the discussion, with a notable mention that new risks have no historical data to base them on.
Visibility and accountability were front of mind in the discussions, and a common theme that was mentioned was on reporting risks up to the board of directors and the role of the board in risk governance.
MetricStream presented 5 current trends that we are observing in the industry and 5 innovation themes in which we are leading the way (API, AI, Adoption, Agility, and Analytics).
By bridging the gap and driving value for the community, MetricStream’s purpose is to continue to innovate alongside our community. We want the community to thrive on risk and reap the rewards of being on a GRC journey that, like a good bottle of wine, gets better with age.
Until the next summit.
The number of ransomware attacks on organizations around the globe is growing rapidly with no signs of slowing down. According to Check Point, ransomware attacks grew by 102% in the first half of 2021 compared to the beginning of 2020.
Cybersecurity Ventures expects ransomware to attack a business, consumer, or device every 2 seconds by 2031, up from every 11 seconds this year, and estimates ransomware damages to cost the world $265 billion by 2031. To operate in this precarious digital landscape, organizations today must go the extra mile to ensure that their cyber defense mechanism is robust and effective.
In the wake of the significant surge in ransomware attacks, the National Institute of Standards and Technology (NIST) has published a new draft, “Cybersecurity Framework Profile for Ransomware Risk Management”, that sets out its guidance on how organizations can prevent, respond to, and recover from ransomware attacks.
The document details basic preventive steps to protect against the ransomware threat, including using antivirus software at all times, keeping computers fully patched, continuous monitoring, segmenting internal networks, educating employees about social engineering, assigning and managing credential authorization, and many more.
The Cybersecurity Framework organizes its activities into five Functions: Identify, Protect, Detect, Respond, and Recover. NIST suggests key measures under each of these Functions to protect against ransomware threats.
Identify – This is the first step and the foundation for the rest of the framework. It requires developing an organization-wide understanding of systems, people, assets, data, and capabilities, and the associated cybersecurity risks. Some of the key suggestions made by NIST under this Function include:
Protect – This Function is critical to limiting or containing the impact of a potential cybersecurity event and involves implementing appropriate safeguards to ensure the delivery of critical services. Some of the key measures include:
Detect – This Function requires the implementation of appropriate activities to identify the occurrence of a cybersecurity event and enables the timely discovery of such events. Some of the key suggestions include:
Respond – Once a cybersecurity incident is detected, the Respond Function is important for taking appropriate action to contain the impact. NIST recommends:
Recover – This Function involves maintaining plans to restore any capabilities or services that were impaired by a cybersecurity incident and supports an organization’s timely return to normal operations. Key measures include:
MetricStream welcomes the ransomware guidance from NIST. Such practical frameworks can considerably help CISOs and security teams to develop an effective cybersecurity strategy from the ground up and evaluate their existing strategy for any gaps or loopholes.
The MetricStream IT and Cyber Risk and Compliance solution is aligned to the capabilities detailed in the NIST guidance. It helps organizations proactively anticipate and minimize IT and cyber risks, threats, and vulnerabilities, and to meet multiple IT compliance requirements. The solution cuts across enterprise silos by harmonizing various functions, aggregating information, and providing a 360-degree, real-time view of IT risk, compliance, policy management, and IT vendor posture. It also enables enterprises to execute and manage an effective business continuity and disaster recovery program. To request a personalized demo, click here.