COVID-19 exposed the gaps in many risk management programs as companies struggled to understand how a single risk event could have such far-reaching repercussions. The pandemic didn’t just affect employee health and safety – it also impacted supply chains, financial revenue, trade, travel, and cybersecurity.
Now, organizations want to be better prepared for future adversities by building a more integrated view of risk through an ERM program. While ERM isn’t a new concept, its implementation remains largely immature. Only 39% of organizations describe their ERM processes as systematic, robust, and repeatable with regular reporting of top risk exposures to the board.
A robust ERM program breaks down silos, enabling risks to be considered more openly at all levels. It brings better structure to risk analysis, monitoring, and reporting. It also connects the dots between various risk types, assets, controls, regulations, processes, and business strategies. Armed with these insights, businesses can do more than simply pre-empt and avoid a crisis – they can take greater risks, seize more opportunities, and thus, improve their competitive advantage. On the technology front, an integrated ERM solution that provides visibility across various types of risks empowers the risk teams to make better decisions in the face of crisis.
Only 33% of organizations have ‘mostly’ or ‘extensively’ articulated their risk appetite and tolerance levels as part of their strategic planning activities. This suggests that most companies are managing risk exposure in an ad hoc manner, without first deciding how much risk they are willing to tolerate, which forces constant reassessment and a continual resetting of the goalposts. It’s like putting the cart before the horse, or driving a highway without guardrails.
Risk appetite and tolerances help keep risk-taking activities in check. They enable you to articulate the actions and disruptions you’re prepared to live with in pursuit of your strategic objectives. And they help define thresholds for the organization; at what point do defensive or offensive measures kick in, and at what point do decisions need to be made about shifting key organizational strategies?
So, what makes a well-developed risk appetite? For one, it’s closely aligned to business strategy. It includes qualitative statements as well as quantitative metrics and exposure limits. It also adapts to changes in circumstances, business objectives, skills, and resources. The better articulated your risk appetite and tolerances, the better your ability to optimize risk-reward outcomes and take strategic advantage of risks.
Pandemics, natural calamities, geopolitical events, social unrest – there are some risk events we just can’t avoid or mitigate. But we can be better prepared to respond to and recover from them quickly and effectively. The key lies in a robust business continuity management (BCM) program. BCM helps us restore, replace, and rebuild critical business processes in the wake of disruption.
Both ERM and BCM are necessary for effective business resilience. But despite their common goals and process similarities, the two are often managed in silos. Too often, even where businesses are hyper-diligent with risk management, their business continuity strategies are designed for crises and catastrophes only. This misalignment can hamper an organization’s risk preparedness and response – which is why we expect greater alignment between ERM and BCM in the coming year.
When integrated, enterprise-level risk assessments can help business continuity teams identify which potential disruptions can cause havoc in the business, what would be their impact on the business, and build appropriate business continuity plans. A common taxonomy also helps both ERM and BCM teams communicate the impact of a disruption in consistent business terms while avoiding duplication of efforts. Similarly, business impact analysis (BIA) can provide useful insights for risk managers while assessing and prioritizing risks. Together, the two can help you strengthen your readiness for risk events, minimize losses, and return to business swiftly after a disruption.
From misconduct and compliance failures, to cybersecurity breaches and operational disruptions, non-financial risks (NFRs) can wreak as much havoc as financial risks. Cybercrime, for example, costs the world economy more than $1 trillion. And that’s just the direct financial impact. The reputational fall-out, system downtime, and regulatory penalties can amplify damages, making it imperative for organizations to manage these NFRs better.
We know that what gets measured gets managed. However, traditional NFR measurement techniques tend to describe risks in ambiguous qualitative terms – ‘likely to occur’, ‘somewhat likely to impact the business’. These terms help to some extent but do not give precise answers to many questions. Even a high-medium-low risk ranking doesn’t always show which NFR to manage first, or why: two ‘high’ risks may differ by an order of magnitude in expected loss.
But now, there are powerful tools to quantify NFRs and inject more clarity into risk assessments. Frameworks like Factor Analysis of Information Risk (FAIR™) decompose a risk into loss event frequency and loss magnitude, each estimated as a calibrated range rather than a single guess. Advanced analytics engines then combine those ranges using modeling techniques like Monte Carlo simulation to produce a distribution of annual loss, from which figures such as annualized loss expectancy and value at risk (VaR) can be read off in monetary terms. These results help make calculated investments, decide on capital allocations, and make risk-based strategic decisions.
With these data-driven metrics, business leaders can better understand, prioritize, and act on NFRs. They can confidently answer questions like - How much should we invest in order to manage the exposure? What will be the return on investment? And do we have enough insurance coverage for NFRs?
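The following is an added illustration of the FAIR-style quantification described above; it is not MetricStream’s code, nor part of the FAIR standard itself. It uses only the Python standard library, and the scenario, estimate ranges, control cost and tolerance threshold are constructed for the example. Triangular distributions stand in for the calibrated PERT-style ranges that FAIR tooling commonly uses, and the `Scenario`, `simulate_annual_losses`, `summarise` and `control_roi` names are the example’s own. The point is to show how the three questions above (how much to invest, what the return is, and whether cover is adequate) fall out of a loss distribution rather than a high-medium-low label.

```python
"""FAIR-style Monte Carlo estimate of annual loss for one non-financial risk.

Added illustration (not MetricStream's or FAIR's own code). Stdlib only, so it
runs offline. Scenario figures below are constructed for the example.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    freq_min: float   # loss event frequency, events/year (calibrated min)
    freq_mode: float  # most likely
    freq_max: float   # max
    mag_min: float    # loss magnitude per event, USD (calibrated min)
    mag_mode: float
    mag_max: float


# Constructed example: ransomware against one business unit, with and without
# tested offline backups. The control shortens recovery, so it cuts magnitude,
# not frequency.
BASELINE = Scenario("ransomware, no offline backups",
                    0.1, 0.5, 2.0, 50_000, 400_000, 3_000_000)
CONTROLLED = Scenario("ransomware, tested offline backups",
                      0.1, 0.5, 2.0, 20_000, 100_000, 600_000)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; fine for the small event rates typical of these scenarios."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int, seed: int) -> list[float]:
    """One simulated year = Poisson(number of events) x sampled magnitudes."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        # Year-level rate drawn from the expert range, then the event count
        # for that year from a Poisson at that rate.
        rate = rng.triangular(s.freq_min, s.freq_max, s.freq_mode)
        n_events = _poisson(rng, rate)
        losses.append(sum(rng.triangular(s.mag_min, s.mag_max, s.mag_mode)
                          for _ in range(n_events)))
    return losses


def percentile(sorted_values: list[float], p: float) -> float:
    """Nearest-rank percentile on an already sorted list (p in 0..100)."""
    idx = math.ceil(p / 100 * len(sorted_values)) - 1
    return sorted_values[max(0, min(len(sorted_values) - 1, idx))]


def summarise(losses: list[float], tolerance: float) -> dict:
    """Reduce a loss distribution to the figures a risk committee asks for."""
    ordered = sorted(losses)
    return {
        "ale": sum(ordered) / len(ordered),        # annualised loss expectancy
        "median": percentile(ordered, 50),
        "var95": percentile(ordered, 95),           # 1-in-20-year loss
        "var99": percentile(ordered, 99),           # 1-in-100-year loss
        # share of years whose loss breaches the stated risk tolerance
        "p_exceed": sum(1 for x in ordered if x > tolerance) / len(ordered),
    }


def control_roi(baseline: Scenario, controlled: Scenario, control_cost: float,
                tolerance: float, years: int = 20_000, seed: int = 7) -> dict:
    """ALE with and without a control; the gap is the expected annual loss
    the control's cost buys, which gives a return on the control spend."""
    base = summarise(simulate_annual_losses(baseline, years, seed), tolerance)
    ctrl = summarise(simulate_annual_losses(controlled, years, seed), tolerance)
    avoided = base["ale"] - ctrl["ale"]
    return {"baseline": base, "controlled": ctrl, "avoided_loss": avoided,
            "roi": (avoided - control_cost) / control_cost}


if __name__ == "__main__":
    result = control_roi(BASELINE, CONTROLLED, control_cost=150_000,
                         tolerance=1_000_000)
    for label in ("baseline", "controlled"):
        s = result[label]
        print(f"{label:10s} ALE ${s['ale']:,.0f}  VaR95 ${s['var95']:,.0f}  "
              f"P(loss > tolerance) {s['p_exceed']:.1%}")
    print(f"expected loss avoided ${result['avoided_loss']:,.0f}/yr, "
          f"ROI {result['roi']:.1f}x on the control spend")
```

The `p_exceed` figure is where risk appetite meets quantification: if the board has set a tolerance of $1M in a year, the share of simulated years that breach it is a direct test of whether existing controls and insurance cover are adequate. Swapping the triangular draws for lognormal or PERT distributions, or feeding in a frequency reduction instead of a magnitude reduction, changes only the `Scenario` inputs and sampling lines, not the decision logic.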
With ongoing supply chain disruptions and cyber-attacks on vendors, we expect the focus on third-party risk management (TPRM) to not only persist in 2023, but to get stronger. TPRM is already a strategic priority for 85% of businesses, up from 77% before the pandemic. Yet, continuing third-party incidents suggest that TPRM programs are still not as mature or efficient as they should be.
Certainly, progress has been made in areas like third-party cyber risk management, but other areas remain unaddressed. Take environmental, social, and governance (ESG) risks, for example. Today, supply chain emissions are 11.4 times higher than operational emissions. Yet 41% of organizations report only a low level of capability for assessing and prioritizing ESG risks in their supply chains, which in practice means an ad hoc approach.
What’s more, many TPRM programs are still managed in silos that fail to provide a comprehensive risk view. It’s past time to build a single source of risk truth that provides visibility into all third-party risk types, as well as fourth- and fifth-party risks. Third-party risk identification and monitoring must become an ongoing exercise rather than a point-in-time onboarding assessment, because the risks are complex, multidimensional, and constantly evolving. And finally, there must be better coordination across sourcing, procurement, risk management, legal, and BCM functions to build a more resilient third-party ecosystem.
The buzz around ESG has shot up in recent years and shows no sign of slowing down. Investors, employees, and customers increasingly expect companies to show evidence of how they’re addressing emissions, treating workers fairly, and governing with integrity. Failing to meet these expectations could injure a company’s brand image and reputation for many years.
ESG has also caught the eye of regulators. From the Corporate Sustainability Reporting Directive (CSRD) in the EU, to the SEC’s proposed climate disclosure rule in the US, a flurry of new ESG-focused regulations will require companies to increase ESG reporting.
ESG has essentially become a strategic issue that touches every area of the business. Therefore, it must be seen as everyone’s responsibility, not just that of the Chief Sustainability Officer (CSO). Ownership begins with the board providing oversight of ESG risks and opportunities, followed by HR monitoring employee welfare, the procurement function ensuring responsible sourcing, corporate finance and legal teams vetting ESG disclosures, and so on. A coordinated approach across these and other business functions can help you build the coherent, compelling ESG narrative that investors and regulators are looking for.
In the age of #MeToo and whistleblowing stories like that of Theranos, the frontline is emerging as a powerful force in risk management. These are the people who engage with customers, suppliers, and business operations every day – and who, therefore, have a first-hand view of emerging risks and issues. Entrusting them with more risk management responsibilities, while also empowering them with proper training and tools, is an essential step in building a strong risk-aware culture.
Newer GRC technologies can improve frontline engagement by simplifying risk assessment and reporting. Features like conversational interfaces, chatbots, and simple web forms make it easy for the frontline to capture risks and anomalies – be it in the field or on the go. AI/machine learning (ML) can then be used to automatically triage frontline observations, correlate them with other issues, and recommend action plans. Not only do these technologies strengthen risk awareness in the frontline – they also save the second and third lines significant time and effort on risk monitoring.
The pandemic accelerated digital transformation across multiple business functions – and GRC was no exception. Companies quickly realized that the manual and siloed GRC programs of the past would no longer serve them in a world where speed, collaboration, and nimbleness had become crucial. It was time to digitally transform GRC programs.
Today, 69% of businesses plan to increase their level of investment in data and technology for risk management. And 50% of financial services organizations say that efficiency tools such as robotic process automation (RPA), cognitive intelligence, and AI/ML will be an extremely or very high priority for their institutions.
It’s easy to see why. These technologies can automate repetitive GRC tasks, thereby reducing costs, while also freeing up GRC teams to focus on higher-value activities. More importantly, automation closes the unseen gaps that manual, sample-based processes leave behind, which is vital to creating agility and value by amplifying risk visibility. Big data analytics and AI/ML can help identify potential risk events before they occur, while RPA can test a control against the full population of transactions rather than only a small sample. Meanwhile, integrated GRC platforms can help break down organizational silos, enabling various teams – risk, compliance, audit, security, and others – to collaborate seamlessly. The result is faster, better risk visibility that helps organizations be ready for whatever’s next.
We live in volatile times where supply disruptions, economic uncertainty, geopolitical tensions, and cyber threats are likely to continue – if not increase. To thrive, we will need to strengthen our resilience – the ability to withstand uncertainty and disruptions, and even emerge stronger. Instead of reacting to risks after they occur, we must be able to anticipate and manage risks before they manifest. And when they do manifest, we must be ready to bounce back quickly.
Resilience is rarely built in isolation – it’s a team effort. Every part of the organization must work together to pre-empt, assess, and respond quickly to risks and disruptions. The better we prepare and plan for a crisis, the greater our chances of survival and success.
Operational resilience has long been a key regulatory priority. Whether it’s the Bank of England’s operational resilience rules, the proposed Digital Operational Resilience Act (DORA) for the EU financial sector, the Australian Prudential Regulation Authority’s (APRA’s) Draft Prudential Standard CPS 230 Operational Risk Management, or even the US Federal Reserve’s joint paper on sound practices to strengthen operational resilience - the regulatory discussion around resilience is constantly evolving.
Every industry contends with its own risks, regulations, and governance protocols. Therefore, it’s important that the GRC solutions it uses be tailored to its unique needs. A GRC platform that works well for a large retailer may not be effective for a bank or a pharmaceutical company.
The same applies to individual businesses, each of which is at a different stage of its GRC journey. A smaller business that’s just starting out may only need solutions to manage risks and compliance requirements. But a larger business with mature GRC processes and operations across multiple geographies may need an enterprise-scale GRC platform with integrated solutions for ERM, cybersecurity, TPRM, BCM, and ESG. At this stage, companies want not just to manage risks and compliance but to start making quantifiable investments and strategic business decisions.
As GRC needs evolve, organizations will seek out ‘right-sized’ GRC solutions that are designed for their industries and crafted to address their specific risk and compliance challenges. No longer will they want to waste time and money customizing GRC solutions to fit their processes. The focus will shift to adopting agile platforms that are easy to scale and upgrade.
Unfortunately, too few organizations have given operational resilience program design, testing, and execution the priority they deserve. If there’s one thing the pace of risk and compliance challenges in the last few years has made clear, it is that prepared organizations fare better. Those with effective risk management and resiliency programs in place prior to the pandemic were able to thrive, while those that hadn’t kept up were left behind.
Older approaches to risk management – siloed, fragmented, and manual – are no longer effective in a world where risk is pervasive. MetricStream’s ConnectedGRC solutions enable you to break down enterprise silos and establish a single source of truth with all the risk insights you need to navigate the future.
ConnectedGRC is packed with best practices, deep domain capabilities, AI-powered intelligence, and risk quantification tools that are designed to tackle today’s most pressing GRC challenges. The suite comes in three distinct product lines with multiple benefits:
As we head into 2023, there are many uncertainties and challenges ahead. But they aren’t insurmountable. Through an agile, collaborative, and data-driven GRC program, we can tackle the risks head-on and face whatever comes our way.
In the past, GRC may have primarily focused on cybersecurity and compliance. But in the future, it must be seen through an integrated risk and resiliency lens. Disruptive GRC technologies like AI/ML and analytics can help by providing a real-time window into risks and opportunities that can then be transformed into a competitive advantage. With these tools, as well as the right people and processes, we can truly build future-ready enterprises - connected, purpose-driven, and resilient.