GRC, once a function that was managed independently from the rest of the business, is now a key strategic business function:
Gone are the days when GRC responsibilities were relegated primarily to the second and third lines of the business. Today, the focus has shifted to the front line because it is there that risks are taken and where the consciousness around risk management and compliance needs to be pervasive.
Since the front line is closest to the risks, they are often better positioned than an intermediary risk function to anticipate and assess their own risks, while also managing their own compliance with regulations, laws, and policies.
Greater ownership of GRC by the front line helps organizations gain better control over risks and minimize both regulatory and reputational issues. It also reduces the need for costly and complex risk monitoring processes.
New generations of GRC solutions are increasingly being designed for frontline teams. These easy-to-use tools can be quickly adopted without extensive training or knowledge of GRC terminologies. The best of them combine technology and industry content with AI and analytics to make GRC an integral, almost seamless part of day-to-day business activities.
Think desk traders who receive automatic alerts on the policy and compliance implications of a financial trade in real time.
Think business travelers who, upon entering a new country, can instantly pull up all the required local policies and behavioral expectations on their GRC mobile app.
Think remote workers who are automatically notified with a cybersecurity checklist to keep them vigilant about security risks when working from home.
The key is to ensure that GRC is deeply ingrained into business processes – quickly and easily.
But GRC is ultimately a two-way street. As much as it is about enabling frontline users with tools to manage their risks and compliance, it’s also about harnessing intelligence from the front line on emerging risks and hidden areas of concern to facilitate proactive risk responses. We’re seeing the development of chatbots that can capture frontline observations of potential incidents, issues, and control weaknesses—all through a casual conversation with the business user in natural business language. These insights are then rolled up to the second and third lines of defense for deeper investigation and response.
The possibilities of GRC technology in the front line are numerous. And the easier these tools make it for business users to manage and report risks, the better the organization’s ability to accelerate risk-aware decisions.
ESG (Environmental, Social, and Governance) concerns are becoming a top agenda item for every board of directors. Research reports from various global organizations, such as the National Aeronautics and Space Administration (NASA), the United Nations, the World Economic Forum (WEF), and others, continue to sound the alarm on the impact of climate change. In addition to climate risks, there is a growing call from consumers, regulators, and other stakeholders for diversity, inclusion, and equity in organizations.
“There is a broader purpose for companies now. Going forward, they not only have to deliver profit, but they also have to deliver purpose, they have to deliver value to stakeholders that includes societies and communities in which they serve. Environment, social governance, racial justice, social justice—a lot of these topics are new to corporations, and CEOs and boardrooms are demanding that as part of their GRC initiative.” - Gunjan Sinha, Executive Chairman, MetricStream
To become future-ready, organizations today need to think beyond financial statements and profits, and work towards becoming a purpose-driven entity that strives for global sustainability and enables global communities to thrive.
By empowering the first line of defense, using ethical datasets that are privacy-preserving and risk-aware, and leveraging socially-aware AI, organizations can create true GRC systems and programs that can deal with the risks from a full 360-degree perspective.
It is now necessary to discuss how ESG functions can be effectively and efficiently managed via three key factors: technology, culture, and the right ‘tone at the top’.
Boards need to assess their readiness to adapt to the rapidly changing business requirements. An effective and agile ESG performance framework can help the board look at the total impact of a company’s ESG strategy and operations. Equipped with real-time and accurate data, the board and C-suite can have a far better understanding of the company’s ESG performance. The board needs to ascertain that senior management and the C-suite are systematically monitoring ESG performance, looking for ways to turn governance, risk, and compliance into a competitive advantage, and regularly reporting to the board on the status of ESG performance.
When risk management and compliance are looked at as a competitive advantage rather than a check-the-box activity: that’s when companies can harness risk to drive growth, stay in alignment with sustainability processes, deliver on social impact commitments, and build trust and a positive relationship with customers, employees, investors, partners, suppliers, and other key stakeholders.
Boards are facing strong scrutiny from regulatory bodies, shareholders, and other key stakeholders. These issues require the board of directors to demonstrate leadership in developing a strong culture of GRC throughout their corporations. They can only accomplish this by establishing governance principles, commanding strong compliance oversight, and developing acceptable risk postures.
Boards are responsible for creating and overseeing company policies. This isn’t a one-and-done activity. Policy management requires organizing and archiving documents so that boards can review them in relation to mandates, business objectives, risks, and controls. Policies also need to be available to employees and business partners, as necessary. GRC solutions make accessing policy documents easy and efficient.
GRC solutions automate compliance management functions such as workflow, controls and associated risks, surveys, self-assessments, reporting, testing, and remediation. This includes financial reporting to regulatory authorities and compliance with industry regulations.
“We believe that GRC happens all the time. We believe that GRC is not a destination, it’s a journey, and that journey can be strategic and a part of your business.” - Bruce Dahlgren, Chief Executive Officer, MetricStream
GRC solutions help organizations adapt more readily to rapidly evolving market and governance changes, especially regarding business disruptions, such as:
There is no question the pandemic has been brutal. But it has also compelled organizations to adapt quickly, innovate, and build resilience. Underlying it is the awareness that to succeed in a post-COVID-19 era, we will need to stay one step ahead of risks. COVID-19 may have been a novel disruption, but it certainly won’t be the last. We’re already looking at the threat of a recession, ongoing cyber attacks, and catastrophic natural disasters.
How can businesses thrive and catalyze performance in this risky world? Here are a few key steps.
No longer will organizations focus only on the most obvious risks. They will also incorporate a “peripheral” view of risk data by paying more attention to non-traditional risk factors such as biological hazards, climate change, and geopolitics. At the center of these efforts will be the GRC hub -- a central, cloud-based console of risk intelligence. The hub will integrate data from numerous internal and external sources to offer organizations a truly 360-degree, real-time picture of their risks for better decision-making.
Organizations will emerge from this crisis in different ways. Some will focus on building resilience, while others will find a way to become anti-fragile. The resilient business resists shocks but stays the same. However, the anti-fragile business gets better. To build anti-fragility, organizations will need to break down risk silos, so that they can understand how various risks impact and influence each other. They will also need strong business continuity plans to be prepared. We can’t always predict every risk, but we can be ready to ride it out.
With risks hitting organizations faster than ever, leadership teams need real-time, forward-looking risk intelligence rather than retrospective information. “Predict to prevent” will be the new mantra, as business leaders leverage AI and other emerging technologies to anticipate and mitigate emerging risks proactively. This can help businesses stay one step ahead of risks.
Meanwhile, continuous auditing and risk monitoring, enabled by robotic process automation, will make it easier to detect anomalies. Stress testing will be accelerated to help risk teams proactively define action plans and early risk indicators. With comprehensive, forward-looking risk intelligence, organizations can be better prepared to land on their feet despite disruptions.
The need for dynamic, real-time risk assessments has blurred the barriers between the lines of the business. Today, all the lines must work together swiftly to catalyze business performance. Leadership teams need to respond quickly to risks like a cyber attack or a global pandemic. Therefore, the second and third lines must become more automated. Meanwhile, the front line will take on a bigger role in identifying and assessing risks. Their insights will help business leaders stay updated on new emerging risks.
Corporate leaders must extend the definition of corporate objectives beyond just profits. Going forward, a key differentiator for organizations will be how they position themselves with respect to environment, diversity and inclusion, ethics, integrity, and global sustainability. It’s about time that organizations included metrics to measure their performance on these fronts and work towards facilitating a harmonious and sustainable future – which is why ESG has accelerated so quickly.
Risk management will play a key role in driving and guiding business performance in the future. Decision-making processes will increasingly integrate a rigorous assessment of risks. Risk findings will also be aligned much more closely to resilience and strategic objectives, so that when the next global crisis comes—because it will—organizations will be better prepared to respond and pivot quickly.
This renewed focus on risk management will be especially important in dealing with changes in business models that we’re likely to see in a post-COVID world. Some companies may shift to a permanent remote working model. Others may replace physical customer interactions with virtual or self-service options.
Most will accelerate digital transformation, investing in AI, automation, and analytics. With these shifts will come new risks and regulations. To manage them effectively, companies will need strong risk and control foundations with streamlined workflows, consistent risk taxonomies, and integrated risk visibility. As risk management becomes more deeply embedded in business processes, it will enable a more nuanced, thoughtful, and sustainable approach to business growth.
How MetricStream Helped an International Energy Services Company Improve Resilience with Faster, Better Visibility into Risks
An energy services giant, with millions of customers and tens of thousands of employees, was faced with a growing range of risks—including regulatory pressures, geopolitical shifts like Brexit, climate change, and potential cyberattacks. The company was keen to improve its risk preparedness by giving first-line leaders a more holistic view of their risks, while also automating risk aggregation at the corporate level.
The company chose MetricStream to achieve these goals. It implemented MetricStream products – Compliance Management, Enterprise Risk Management, Internal Audit Management – built on the MetricStream Platform and running on the Amazon Web Services (AWS) Cloud. MetricStream products empowered stakeholders at both the business unit level and the corporate level with real-time intelligence on the top risks and issues, including the status of mitigation action. The company was also able to streamline and automate internal auditing and compliance assurance processes, thus enhancing operational efficiency.
Gain real-time, high-quality risk insights to make intelligent business decisions faster
Simplify compliance, and ensure that nothing falls through the cracks
Integrate and map disparate GRC data points in a single source of truth to provide context, understand risk relationships, and respond proactively
Strengthen reputation, resilience, and credibility by staying one step ahead of risks
Streamline and automate GRC processes to close gaps, minimize redundancies, and reduce costs
MetricStream empowers business users with simple solutions to intuitively identify, assess, and mitigate risks, while also strengthening compliance with regulations and standards. Our simple, purpose-built platform is proven with over a million global users. The platform is designed to serve integrated GRC use cases across industries and is infused with deep domain expertise, embedded content, rich context, integrated data, and explainable AI.
Our solutions automate and streamline GRC processes, while providing rich risk insights for decision-making. They also break down silos, enabling the front line to seamlessly collaborate and share information with the second and third lines of defense. Powerful observation management tools make it easy for the front line to capture and report irregularities or red flags, thus preventing risk events before they occur.
We empower customers to intuitively harness real-time risk intelligence across the extended enterprise – for what’s now, and what’s next.
Empowering everyone through inclusive technology, enabling all employees and third parties across the extended enterprise to participate in GRC initiatives in a personalized manner.