Over 200 governance, risk, and compliance (GRC) practitioners, business executives, board members, thought leaders, and industry analysts gathered at the GRC Summit 2019 in London to discuss the key risks and opportunities facing organizations today. With over 50 sessions and 60 speakers, the summit provided a host of fresh insights and perspectives on topical concerns such as AI governance, cyber resilience, emerging risks, culture and front-line empowerment, innovation in the midst of disruption, and the future of compliance. Here are some of the key highlights from the event.

Perform with Integrity™

Andreas Diggelmann, ‘Office of the CEO’, Interim CEO, and Chief Technology Officer,

MetricStream “It’s truly inspiring to see how successful our customers are as they leverage integrity for sustainable performance and growth,” says Andy Diggelmann as he talks about how leading organizations are leveraging technology to transform GRC. At the same time, new technologies like artificial intelligence (AI) are introducing multiple ethical concerns, he says. The concept of “GRC for AI” seeks to alleviate these risks by embedding good governance practices into AI development. We need technology that serves humanity, not the other way around, he says. Find out more in this opening keynote.


The Importance of Resilience

Paddy McGuinness, Former Deputy National Security Adviser in the UK's Cabinet Office

Drawing from his experience in helping the UK government combat various national-level threats, ranging from terrorism to cyber attacks, Paddy McGuinness discusses why organizations need to be well-prepared to respond to any kind of crisis or eventuality. Cultivate real situational awareness rather than relying solely on resilience tools, he advises. He also compares how governments and businesses tackle risk events differently, while emphasizing the importance of building a clear view of risks across the organization. Watch his keynote for more insights on resilience and crisis response management.


2019 The Known Unknowns: Customer Insights and Trends

Gaurav Kapoor, ‘Office of the CEO’ and Chief Operating Officer,

MetricStream Citing multiple customer stories, Gaurav Kapoor talks about the five key trends that are shaping the world of GRC – whether it’s (1) disruption being the only constant, (2) foresight emerging as a competitive advantage, (3) harmonization as the future, (4) front-line empowerment, or (5) risk insights becoming a key performance driver. Don’t miss this engaging talk on the challenges and opportunities that organizations should be watching for as they plan their GRC strategies for 2020 and beyond. “GRC today is no more about post assurance. It’s about empowering the front line to make decisions in-stream in their activity.”


Disruptive Innovation

Andrew Jordan, Executive Vice President and Chief Technology Officer,

CWT "We're in a world that’s continually being disrupted,” observes Andrew Jordan, as he talks about the importance of keeping up with the accelerating pace of change. Today, we’re learning and generating knowledge at a massively high growth rate. The use of computers to supplement our activities is becoming more and more pervasive. Rather than fearing disruption, we ought to spend time understanding it, he says. We need to lean forward into new trends and learn how to innovate. Watch this keynote for more insights on how organizations can respond effectively to disruption.


A Glimpse into MetricStream GRC Labs

Vidyadhar Phalke, Chief Innovation and Cloud Officer,

MetricStream Andreas Diggelmann, ‘Office of the CEO’, Interim CEO, and Chief Technology Officer, MetricStream In this joint keynote, Vidya and Andy talk about how MetricStream is collaborating and co-innovating with customers and partners to build the next generation of GRC technology – whether it’s chatbots that capture observations from the front line in a simple and engaging manner; or natural language processing applications that provide rich, forward-looking insights for decision-making; or robotic process automation tools that accelerate control testing, while also enabling full sample auditing. Learn more about the transformative innovations that are coming out of MetricStream GRC labs in this keynote. “We digitalized the front office through CRM and the back office through ERP; now it’s time to digitalize GRC and integrated risk management processes.” - Andreas Diggelmann


The Organization of the Future

Gunjan Sinha, Executive Chairman,

MetricStream The organization of the future will be built on a foundation of five key pillars, says Gunjan Sinha. The first is a purpose-driven culture, and the second, a commitment to diversity and inclusion. Better diversity leads to better innovation and fewer risks, says Gunjan. The last three pillars are empowerment of the front line, ethical data management, and a humanistic approach to AI. “Ethical data will be the lifeblood of the organization of the future and human-centered AI its brain,” predicts Gunjan. Find out more in this forward-looking keynote.


Integrated GRC at M&G Plc

Jenny Roberts, Change Manager,

M&G Plc Ken Simons, Transformational Consultant, M&G Plc Simon Wallis, Head of Operational Risk, M&G Plc Moderated by: Anna Mazzone, Managing Director and GM, UK and Ireland, MetricStream Simon, Jenny, and Ken provide an in-depth look at how M&G Plc went about harmonizing, simplifying, and standardizing their GRC processes, while also improving their risk culture. They discuss the organization’s GRC program objectives, as well as its project structure, change implementation approach, and key steps to maximize the value of GRC technology. “Change your processes, not the product,” says Simon, emphasizing the importance of using technology out of the box. Don’t miss this insightful discussion.


Nationwide Building Society: GRC Implementation

Sarah Harman, GRC Tooling Accountable, Nationwide Building Society Simon Cory, Director of Risk Strategy,

Nationwide Building Society Sarah Harman and Simon Cory discuss the benefits of breaking away from siloed control environments based on legacy systems, and adopting a cloud-based, integrated GRC platform. The two talk about how their organization engaged the lines of defense in the GRC implementation through business validation workshops, system demonstrations, suggestion corners, business champion forums, and more. They also discuss the lessons learned, including the importance of minimizing customization. Watch this case study session to find out more about Nationwide’s GRC implementation journey.


Operational Risk Management at Banque Centrale du Luxembourg

Edgar Biro, Senior Operational Risk Manager,

Banque Centrale du Luxembourg Edgar Biro outlines Banque Centrale du Luxembourg’s ongoing journey from manual and siloed operational risk management processes, towards the goal of an optimized and fully integrated risk program. By bringing together risks from various sources such as business continuity management or information security, and then translating them into business risks, the bank was able to build better responsibility and accountability, says Edgar. Discover more about Banque Centrale du Luxembourg’s efforts to improve its risk culture, integrate governance, implement a risk management solution, and strengthen user adoption.


Supplier Security Assurance

Jane Wilson, Principal Enterprise Security Risk Manager, Department for Work and Pensions Mike Scanlon, Project Manager, Department for Work and Pensions

With an alarming increase in attackers injecting malware into the supply chains of unsuspecting organizations, it is imperative to adopt a pervasive approach to supplier security assurance. In this case study session, Jane and Mike share their thoughts on how to enable informed decision-making while selecting new suppliers. They also emphasize the importance of identifying instances of risk exposure in existing supplier and third-party relationships through appropriate due diligence.


Implementing a BCM App to Support your BCM Program

Dermot McCarthy, Head of Crisis Management, Standard Chartered Bank

While Standard Chartered Bank’s manual and locally-governed business continuity management (BCM) programs had served them well for years, various internal and external shifts prompted them to adopt a more integrated, federated, and automated approach to BCM. Dermot McCarthy takes us through the opportunities and challenges of this change in terms of data, processes, and people. He also shares the lessons learned along the way. Watch his presentation for further insights.


AI for Governance and Governance of AI

Mike Small, Senior Analyst, KuppingerCole

If governance is about doing business in an a compliant, ethical, and risk-aware manner, then AI impacts all these areas, says Mike Small. In this engaging talk, he explores how AI can be used to improve enterprise governance – whether it’s in terms of supporting complex processes with a compliance impact, or accelerating the diagnosis of event anomalies. He also highlights the flipside of AI – particularly, risks around bias, fairness, accountability, transparency, privacy, and ethics. Find out more in this expert talk.


The Rise of Agile GRC

Michael Rasmussen, Chief GRC Pundit,

GRC 20/20 Research Everybody’s already doing GRC, but how do we do it better, asks Michael Rasmussen. Around the world, risks, regulations, and businesses are changing at an unprecedented pace, demanding that GRC become more agile. Organizations need to not only be able to see the tree (individual risks), but also the forest (interconnectedness of risks, compliance, and controls). The key is to have a solid information architecture that provides a tightly integrated view of objectives, risks, and controls. Watch this anecdotal presentation to learn more about the importance of agile GRC.


The Future of Risk

Matt Malone, KPMG Partner and Head of Risk and Regulatory Transformation

"Risk management is actually about two things -- protecting value and growing value,” says Matt Malone. Yet how many risk functions are actually involved in value creation? How many are part of strategy planning? Quoting from KPMG’s survey of 150 UK CEOs, Matt talks about the risks and issues that are keeping business leaders up at night, be it disruptive technology, climate and political risks, or changing business models. He also discusses why there’s a need to change the mindset and understanding around risks and compliance in organizations. Find out more in this talk


Aligning your Audit Program to Key Business Objectives

Chris Greenway, Director - Internal Audit,

The Co-operative Bank Plc Aligning audits to business strategy is an intrinsic way of demonstrating value, says Chris Greenway. Not only does it lead to better reporting and insights, but it also improves the opportunities available to the internal audit function both within and outside the organization. However, to effectively align audits to business objectives, specific environmental factors and building blocks need to be considered, including robust training programs and buy-in from the board. Discover more about these and other best practices for audit alignment in this expert talk.


Building a Relevant and Agile Internal Audit Function

Andreas Trogsch, General Manager - Global Assurance,

ArcelorMittal In this deep-dive session, Andreas Trogsch discusses his experiences with Agile auditing, including the business benefits experienced. Agile auditing will keep internal audit relevant in the future, he notes while reflecting on the core Agile principles, the taxonomies involved, primary methods, and outcomes. Moving from traditional to Agile auditing can lead to higher quality products, greater teamwork and stakeholder commitment, as well as improved risk management. Find out more in this expert talk.


Leveraging Data Analytics and RPA in Audit

Chandrra Sekhaar, Global Head of Audit - Financial Markets,

ING In a digital world, the opportunities for internal audit to innovate, improve, and add value to the business are greater than ever. Data analytics and robotic process automation (RPA) are enabling internal audit to move from manual to automated testing, and from sampling to full population audits, while also minimizing repetitive tasks. But how do you put these tools into practice? And what are the areas of auditing in which they can provide optimal value? Chandrra Sekhaar provides his insights backed by multiple real-world examples in this expert talk.


The Future of Compliance: Key Priorities in 2020

Subharun Mukherjee, AVP – Strategic Initiatives,

MetricStream Compliance programs are at an inflection point created by changes in regulatory, market, and customer demands. Senior managers are increasingly being held liable for compliance incidents. Meanwhile, enterprise digitization is introducing a new set of challenges and requirements for the compliance function. In the midst of these shifts, several compliance themes have begun to emerge, including an elevated focus on resilience, conduct, regulatory returns, and horizon-scanning. Learn more about these themes and other compliance trends in this talk by Subharun Mukherjee.


The UK SM&CR: The Way Forward

Katharine Leaman, Director, Leaman Crellin Limited Katharine

Leaman dives into the origins of the Senior Managers and Certification Regime (SM&CR), as well as its implications, components, and impact. Outlining the requirements of the conduct rules, she talks about the various types of assessments that will be required for compliance. She also outlines considerations around fitness and propriety, regulatory interviews, senior manager responsibilities, and misconduct. Watch this talk for an in-depth analysis of the SM&CR, including compliance best practices.


Gaining Increased Security Assurance Underpinned by a GRC Culture

Stuart Frost, Head of Enterprise Security and Risk Management,

Department for Work and Pensions For too long, says Stuart Frost, the security function has been perceived as a corporate policeman who constantly tells the business what they can’t do, when instead, they should be talking about what the business can do if certain processes and procedures are in place. Watch Stuart explore various topical concerns, ranging from security by design, to emotional intelligence, as he emphasizes getting the security basics right. Organizations may not be able to remediate every risk, he says, but they can certainly manage every risk. It’s all about doing the necessary due diligence.


The Aftermath of a Data Breach: How Do We Handle It

Rory Conway, Chief Compliance Officer – MetLife,

EMEA Everybody should have an incident management process for how to deal with data breaches, says Rory Conway. Watch his talk for practical advice on the things to do when a data breach occurs – be it determining and continuously re-evaluating the impact of the breach, or investigating its root cause, or mitigating its effect. Also understand the things not to do i.e. actions that could worsen the impact of a breach. “Learn from any data breaches that you have, so that you're better next time at dealing with them,” he says.


Governance in an Era of Disruption

Anna Felländer, Co-founder, AI Sustainability Center Laura Turner, Chief of Risk Management, World Food Programme (WFP) Peter Bannister, SVP for GRC,

MetricStream Moderated By: Marco Icardi, President of Europe Operations, MetricStream While Laura Turner talks about how technology has revolutionized the WFP’s ability to help people in need, Anna Felländer highlights the ethical issues associated with AI, saying that while we must embrace the technology, its risks are as exponential as its value. AI could be misused or overused even when the intention is good, she cautions. One of the other challenges, as Peter Bannister points out, is that the people creating the AI algorithms are a long, long way from the boardrooms. So how do you address these issues? Watch this panel to know more.


Linking All the Lines of Defense to Increase Maturity

Chandrra Sekhaar, Global Head of Audit – Financial Markets, ING Chris Greenway, Director - Internal Audit,

The Co-operative Bank Plc Ivan Martinez, Chief Audit Executive, Banco Santander Sophie Dupre-Echeverria, Chief Risk Officer, Gulf International Bank Moderated by: Andrew McIntyre, Associate Director, MetricStream Effective coordination of assurance activities across the lines of defense can help executive teams gain a clear, consistent picture of the risks that matter. But to enable better collaboration among assurance functions, there needs to be a common risk language, consistent methodologies, effective incentives, investments, and the right attitude, says this panel of experts. Watch the discussion for more insights on integrated assurance, as well as the challenges and opportunities involved in building a “1.5 line of defense".


The Platform Advantage: Enabling Agility, Scalability, and Innovation

Jean Goetzinger, Head of Risk Prevention, Banque Centrale du Luxembourg Ken Simons, Transformational Consultant, M&G Plc Marisa Melliou, Group Audit Director, OPAP Moderated by: Sanjay Sinha, Chief Marketing Officer,

MetricStream Having led successful GRC transformation projects in their organizations, this panel of experts share their best practices and lessons learned. They also discuss the benefits they’ve gained from their GRC platforms, whether it’s greater audit productivity, or better efficiency and risk visibility. To truly optimize the value of a platform, they point out, certain building blocks need to be in place, including a common risk taxonomy, clearly-defined three lines of defense, commitment from the top, and effective change management. Watch this panel to learn more.


Establishing a Strong Risk Culture: The Business Knows Where the Risks Are, But Are They Ready for GRC?

Ben Jeary, GRC Program Director and Global RCSA Program Head, Citigroup Eloise Francis, Head, Operational Risk, L&G Capital Jean Goetzinger, Head of Risk Prevention, Banque Centrale du Luxembourg Søren Agergaard Andersen, Chief Risk Officer, Nordea Asset Management Moderated by: Subharun Mukherjee, AVP – Strategic Initiatives,

MetricStream Risk culture lies at the heart of decisions that govern everyday business activities. Yet, it is as elusive as it is powerful, note the panelists at this discussion. “Risk culture isn’t something you can just plug and play,” says Søren Agergaard Andersen. But there are steps that organizations can take to strengthen risk awareness across the enterprise – be it using a simple risk language, or establishing accountability, or improving both top-down and bottom-up communication. Explore the real meaning of risk culture, as well as how to build and measure it, in this panel discussion.



Senior cybersecurity and risk management professionals gathered for an exclusive roundtable at the summit to discuss and debate the core components of an effective cybersecurity program. Led by cyber experts from McKinsey & Company, the session explored the latest trends and best practices in cyber risk management.

Some of the areas that were discussed included:

• How third parties remain a major attack vector

• Why more spend on cyber doesn’t always translate to more security

• The increasing convergence of IT and OT

• The importance of culture in building an effective cyber posture


Ready to get started?

Speak to our experts Let’s talk