As we hurtle headlong into the Fourth Industrial Revolution, new advances in artificial intelligence (AI), robotic process automation (RPA), blockchain, big data, and the internet of things (IoT) are transforming the way we do business in unprecedented ways. Among these technologies, none has arguably generated as much buzz as AI. Its ability to swiftly analyze vast amounts of data, uncover patterns, and make calculated decisions far more rapidly than a human is of immense advantage to the enterprise. From digital assistants to streaming devices, AI is everywhere, and governance, risk, and compliance (GRC) is no exception.
Enterprise digitization is taking us towards a world where business users will have the same power they already enjoy in their homes with Amazon’s Alexa and Apple’s Siri. Imagine a portfolio manager wanting to know if he can change certain thresholds in derivative trading; or, a sales person wanting to find out if a certain quotation can be shared with someone else. Both will expect a near instantaneous response that will be effective only if it is a detailed enabling response coupled with appropriate guardrails. The former will come from the relevant business applications and processes, while the latter will come from the system of GRC.
To illustrate this thinking, let us expand the case of the portfolio manager. To his query, he will receive a detailed answer on what he needs to do, how much of the threshold he can change, and if he wants to go beyond that, then what process he should follow. For GRC practitioners, it isn’t hard to see that the last “process” part involves the regulatory reporting or controls that need to be in place for compliant portfolio management. Similarly, we can think of what happens in the second example about the sales person. In this case, the response will be about having appropriate information security controls embedded. At MetricStream GRC Labs, we’re engaged in putting together the building blocks that will help organizations realize the above vision.
The possibilities of AI in GRC are endless. As we explore them further, tools and techniques based on AI and machine learning will soon become the norm. They will augment user experience and decision-making, while also enabling organizations to proactively uncover incidents and potential risks. These developments, coupled with new advances in robotic process automation (RPA), big data analytics, and other emerging technologies, will take GRC to the next level for digital organizations.
The GRC Labs Whitepaper is a glimpse into some of our latest GRC innovations. It delves into how we see the world of GRC evolving to become more efficient, pervasive, and intelligence-driven. We also present some of the key technology shifts that we as a company are investing in. Going forward, these investments will roll up into our cloud and solution roadmap with the goal of enabling and empowering our customers to “Perform with Integrity™”.
Back in 2017, when we released our first MetricStream Labs report, our focus was largely on refining the M7 platform and GRC cloud. Today, as the adoption of both technologies accelerates, we’re setting our sights on new horizons. From our conversations with GRC practitioners, business users, partners, analysts, and customers, it’s evident that organizations are no longer interested only in understanding the status of known risks. They want to be able to predict those “unknown unknowns.” They want to sift the signal from the noise – to uncover hidden patterns in data that will help them make better business decisions.
They want to efficiently crowdsource risk data from the front lines, while engaging all employees in the GRC program. They want to spend less time on cumbersome control testing tasks, and more on forward-looking analysis. They want recommendations on remediations and corrective/preventive actions for risks and issues. With these requirements in mind, our GRC Labs in Silicon Valley and Bangalore are working on a range of new innovations leveraging AI, machine learning, RPA, analytics, and natural language processing (NLP). We’ve found opportunities to add value across the whole chain of GRC, from the first mile to the last mile. Most importantly, all our projects are driven by collaboration and co-innovation with our customers and technology partners.
The result is a host of exciting developments that will allow us to make GRC as pervasive in your enterprises as ERP is today. And pervasive GRC will be the foundation on which the organizations of the future are built.
Here’s a closer look at some of the latest innovations that our teams are working on:
In a world where instant communication is key, messaging apps have become extremely popular – more so than even social networks. These apps are a strong medium for businesses to engage with customers, market their brands, and sell their products.
Today, the opportunities are even greater as AI-powered conversational interfaces like virtual enterprise assistants take messaging to the next level with the ability to carry out moderately sophisticated conversations. These assistants empower users with relevant information based on listening or context, thereby increasing productivity.
MetricStream Labs has developed the APIs needed for virtual assistants or conversational interfaces to engage business users in GRC. These interfaces can help GRC first-line users flag observations on potential risks, while also reporting anomalies and deviations. Through a casual conversation, they can capture user observations regarding control weaknesses or gaps, as well as deficiencies in internal processes. These insights can then be automatically routed to the second line of defense for further analysis and investigation. In addition, the conversational interfaces can provide status updates, and carry out certain follow-up actions with users.
They will also enable GRC first-line users to perform business tasks related to policy management. Through an engaging conversation, the AI-based interfaces will help users search for specific policies based on attributes, content, author, and other business parameters. Users can also attest to policies, and respond to specific queries about applicable policies for a specific location – e.g., policies related to the General Data Protection Regulation (GDPR). The technology can add further value by streamlining the policy management process, right from policy search, to policy attestation, while also helping enterprises manage the associated compliance risks.
In today’s digital, distributed environments, it can be extremely challenging for organizations to continuously monitor various controls related to information security, regulatory compliance, and other business requirements. The costs and complexities involved particularly in manual control monitoring and audits can be very high. Yet, enterprises still need to perform frequent assessments of their enterprise infrastructure to ensure that their system configurations are secure and safe.
To automate the process of continuous monitoring and IT control testing, MetricStream Labs is building an advanced continuous control monitoring (CCM) capability that will enable enterprises to save time and costs on control monitoring, while also reducing risk velocity, enhancing audit efficiency, and improving control transparency. The CCM capability will make it easy for users to detect any type of anomaly in the functionality of internal controls. It will also help prevent unauthorized access to and corruption of data. Specific logic can be defined as part of the criteria creation process to calculate control efficiency based on the evidence collected. In addition to CCM, MetricStream is on track to seamlessly integrate with RPA tools that will automate audits and risk assessments. RPA will enable continuous auditing by automating the process of error-checking, while also verifying data in real time.
It will also notify auditors about anomalies and errors discovered by the system. Additionally, it will make the process of collecting, validating, and reporting control-related data faster, simpler, and more cost-efficient. Larger sets of manual or legacy processes will be automated, so that control testers and auditors gain quicker insights on how to improve internal controls, lower operational risks, and enhance the customer experience.
Enterprises typically deal with a range of internal and external issues rising from control ineffectiveness, policy non-compliance, unmitigated risks, and other such causes. To manage and track these issues, many enterprises leverage spreadsheets. However, these cumbersome tools not only consume valuable time, effort, and resources, but also limit enterprise-wide visibility into issues, thus slowing down the decision-making process. A better alternative is an automated approach that enables enterprises to swiftly analyze large volumes of issue related data, while accelerating the issue management process.
It also gives senior stakeholders a 360-degree view of all issues within the enterprise at any given time. MetricStream’s machine learning powered issue analytics solution allows businesses to efficiently manage numerous issues, findings, and gaps. The solution makes it easy for users to identify similar issues by uncovering common patterns in the data. The system can intelligently assist users in classifying the issues appropriately, while also recommending action plans to holistically address the issues.
Cyber risks can have a major impact on revenue and reputations. Therefore, it’s important to have a broad, quantitative, and business-oriented approach towards cyber risk modeling. Such an approach—which incorporates the technology, business, and delivery aspects of cyber risk mitigation—increases the confidence of organizational stakeholders, while also accelerating decision-making.
MetricStream is leveraging the M7 GRC platform to create a cyber risk quantification framework based on FAIR (factor analysis of information risk) methodology. M7’s comprehensive cybersecurity risk and compliance taxonomy, as well as its open architecture and rapidly evolving REST API framework, are enabling us to work collaboratively with multiple partners towards developing FAIR-based computational models. The FAIR framework provides a model to understand, evaluate, and measure information risks in financial terms.
FAIR is the standard value at risk (VaR) framework for cybersecurity risk. It leverages the threats, vulnerabilities, historical loss frequency, and magnitude of a given cyber risk scenario to quantify the probability of risk, as well as the magnitude of future loss. Such quantified values enable business and technology stakeholders to compare competing cyber risk issues, optimize cyber insurance coverage, prioritize risk mitigation options, and make swift, data-driven decisions.
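The decomposition described above (loss event frequency and loss magnitude combined into a distribution of future loss, from which a value at risk is read) can be made concrete with a small Monte Carlo simulation. The following Python is an added illustration, not MetricStream code and not the computational models the whitepaper refers to. It assumes a simplified FAIR structure in which loss event frequency is threat event frequency multiplied by vulnerability, every factor is given as a calibrated low / most-likely / high estimate sampled from a triangular distribution (FAIR tooling commonly uses PERT; triangular keeps this example dependency-free), and the scenario calibration itself is constructed for the example.

```python
"""Simplified FAIR-style cyber risk quantification (added illustration).

Risk is decomposed into Loss Event Frequency (LEF = Threat Event Frequency x
Vulnerability) and Loss Magnitude (LM). Each factor is a low/most-likely/high
estimate sampled from a triangular distribution (a simplification of the PERT
distributions FAIR tooling typically uses). A Monte Carlo run turns those ranges
into an annualized loss distribution from which a value at risk (VaR) is read.
"""
import math
import random
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Range3:
    """Low / most-likely / high calibrated estimate for one FAIR factor."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        # Mean of a triangular distribution.
        return (self.low + self.mode + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_frequency: Range3   # threat events per year
    vulnerability: Range3            # P(a threat event becomes a loss event)
    loss_magnitude: Range3           # loss per loss event, currency units


# Constructed, hypothetical calibration used only for this example.
CREDENTIAL_COMPROMISE = Scenario(
    name="Phishing-led credential compromise of a finance workstation",
    threat_event_frequency=Range3(2.0, 6.0, 12.0),
    vulnerability=Range3(0.10, 0.25, 0.50),
    loss_magnitude=Range3(20_000.0, 80_000.0, 500_000.0),
)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: number of loss events in one year at rate lam."""
    limit = math.exp(-lam)
    count = 0
    product = rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def expected_annual_loss(s: Scenario) -> float:
    """Point estimate E[TEF] * E[Vuln] * E[LM]; factors assumed independent."""
    return (s.threat_event_frequency.mean()
            * s.vulnerability.mean()
            * s.loss_magnitude.mean())


def simulate_annual_loss(s: Scenario, trials: int = 20_000, seed: int = 42) -> List[float]:
    """One simulated year per trial: sample LEF, draw an event count, sum event losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lef = s.threat_event_frequency.sample(rng) * s.vulnerability.sample(rng)
        events = _poisson(rng, lef)
        losses.append(sum(s.loss_magnitude.sample(rng) for _ in range(events)))
    return losses


def value_at_risk(losses: List[float], percentile: float) -> float:
    """Annual loss not exceeded in `percentile` of simulated years (e.g. 0.95)."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(percentile * len(ordered)))
    return ordered[idx]


def probability_of_loss(losses: List[float]) -> float:
    """Fraction of simulated years with at least one loss event."""
    return sum(1 for x in losses if x > 0) / len(losses)


if __name__ == "__main__":
    sim = simulate_annual_loss(CREDENTIAL_COMPROMISE)
    print(f"scenario: {CREDENTIAL_COMPROMISE.name}")
    print(f"expected annual loss (analytic): {expected_annual_loss(CREDENTIAL_COMPROMISE):,.0f}")
    print(f"simulated mean annual loss:      {sum(sim) / len(sim):,.0f}")
    print(f"probability of >=1 loss event:   {probability_of_loss(sim):.2f}")
    for p in (0.50, 0.90, 0.95, 0.99):
        print(f"VaR {int(p * 100)}%: {value_at_risk(sim, p):,.0f}")
```

The point of reading the 95th or 99th percentile rather than the mean is that it answers the question stakeholders actually ask when comparing scenarios or sizing insurance: how bad a year could plausibly be, not how bad an average year is. Replacing the `Range3` values with a second scenario and comparing the two VaR figures is the comparison the passage above describes.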
Today, technology is evolving faster than our ability as humans to keep up with it. AI, smart devices, and autonomous vehicles are all triggering the humanization of technology. This shift, coupled with the proliferation of apps, devices, and other data sources, is confronting GRC practitioners with new challenges. At MetricStream Labs, we’re gearing up to meet these challenges head-on. Some of the key trends we’re following include:
In the future, AI and NLP will be able to translate large volumes of unstructured data into structured, targeted, and personalized risk insights – all in a matter of minutes and with minimal user interfacing. The system will scour internal and external data sets—including loss event databases, control test results, and external feeds—looking for weaknesses or breakdowns. It will cross-reference data to suggest themes, and identify potential issues.
Data reports will be available to boards and management teams in real time in both structured and natural language formats depending on the recipient. As the technology continues to evolve, MetricStream is working hard to integrate AI and ML capabilities into our GRC platform with the goal of helping businesses manage risks and compliance more effectively and pervasively than ever.
As AI becomes more ubiquitous and begins to contribute significantly to organizational decision-making, one of the biggest risks we’re dealing with is algorithm bias or AI bias. This phenomenon is typically a result of the AI system being trained using biased data, which may implicitly favor or discriminate against certain people based on their gender, race, or ideology.
At MetricStream, we believe that enforcing a strong governance framework over AI models will help ensure that such biases are detected proactively and then eliminated by re-training the system. This approach will be imperative if we want to truly optimize the benefits of AI. MetricStream has taken the first step in this direction by partnering with a leading AI center to identify ways and means by which we can raise awareness, and build frameworks for ethical AI. At MetricStream Labs, we’re working on some initial prototypes and ideas to take this thought process further, even while we look for more partners in the field.
We know that innovation doesn’t occur in a vacuum. That’s why we’re committed to collaborating not just with customers and partners, but also with regulators, thought leaders, universities, and governments. Our vision is to build a global community of co-innovators that can bring to the table diverse ideas and perspectives on how GRC can effectively enable enterprises to “Perform with Integrity™”. This year at the MetricStream GRC Summit, we were honored to share the stage with two of our co-innovators as we talked about our collective efforts to integrate new technologies like NLP and AI into our existing GRC solutions. The results so far have been promising.
Meanwhile, in our MetricStream Special Interest Groups (mSIGs), we continue to work closely with passionate customers from across industries to shape and develop our innovation roadmap. Other forums like the bi-annual MetricStream GRC Summit, GRC roundtables, MetricStream University, and ComplianceOnline.com all enable us to stay connected to what our customers are saying, what they need, and how we can help them achieve their missions. Over the next decade, GRC users will demand technology that is intuitive, personalized, predictive, agile, and integrated. At MetricStream Labs, we’re doubling down on our focus and resources to meet these demands. We see ourselves enabling and empowering enterprises to strengthen business performance, growth, and success by making GRC a seamless part of their corporate cultures. Ultimately, our mission isn’t just to deliver GRC software, but to enable each customer to thrive in a digital economy with GRC as their foundation.