Over the last decade, GRC technology has evolved from point solutions supporting compliance with a handful of corporate governance regulations such as Sarbanes-Oxley, to integrated, platform-based solutions that address a broad range of strategic and tactical concerns. The GRC tools of today are no longer merely information repositories, but sophisticated, cloud-based solutions that incorporate mobility, dynamic reporting, and advanced risk analytics to inform decision-making at the highest levels of the enterprise.

Armed with these solutions, enterprises are better able to keep pace with a continuously changing regulatory environment, gain a clear view of their enterprise risks, monitor their third and fourth parties in real time, detect and mitigate cyber security threats, and much more.

We’re now at a point when GRC is moving from defense to offense. Companies are looking at GRC not just as a means to preserve their credibility or protect their brand, but as a way to catalyze business growth and performance – and technology is enabling this shift.

We’re also witnessing the “Consumerization of GRC” – making GRC solutions so engaging and personalized that they become pervasive in employees’ daily routines. The focus is moving from developing “GRC technology for the enterprise,” to developing “GRC technology for the people.”

It is at this inflection point that we at MetricStream Labs find ourselves. With our latest and biggest innovation yet – M7, we offer a smarter, more sophisticated GRC platform that combines a highly intuitive user experience with powerful reporting, intelligence, lean architecture, and more. But M7 is only the beginning. As GRC becomes more deeply ingrained in our everyday lives, and as we move towards the GRC of everything, the charter for MetricStream Labs is to be at the forefront of this trend, driving bold new innovations, and pushing the envelope of what’s possible through technology.


Our vision at MetricStream is three-fold:

 Lab Report

We enable GRC practitioners to digitize their GRC use cases through a range of products. The aim of this digitization is to deliver real-time risk insights that can help organizations drive exceptional business performance. We believe that the next level of GRC will be to create true systems of intelligence that combine external data (e.g. regulatory feeds), internal data (e.g. control test results), and predictive algorithms based on machine learning, artificial intelligence, and natural language processing to derive insights that can propel the business forward.

In a recent MetricStream Lab’s strategic scenario exercise, we envisioned a future where we will transition from driving day-to-day insights, to predicting insights, and prescribing actions.

Enterprise GRC

Enabling the GRC needs of the future will require technology that can be contextualized to an environment where performance, risk, and compliance data are generated continuously from diverse data sources – be it Internet of Things (IoT) sensors in everything, autonomous vehicles, smart grids, or social networks.

Every time we interact with anything, including each other, data is produced – data that relates to performance, data that relates to compliance, and data that can be analyzed for risks to performance and compliance. GRC technology holds the key to harnessing all of this data efficiently, and classifying, combining, and correlating it in such a manner that organizations can quickly separate the signal from the noise.

Our Guiding Principles

With a complex environment and the rapid pace of technology change, guiding principles are required to focus our investments in GRC technology development. These guiding principles are:

1. User experience: Making GRC engaging, efficient, and personalized

2. Configurability: Delivering GRC how you need it

3. Mobility and Layering: Bringing GRC to where you are

4. Visualization, Reporting, and Analytics: Providing better insights for better decisions

5. Technology and Architecture: Making GRC apps leaner, faster, and ready for the future

MetricStream Labs: Innovating, Transforming, Disrupting

With the rapid increase in use cases to which GRC has been applied, the demands on GRC technology development have been substantial. As the largest independent GRC technology provider, MetricStream has been at the forefront of new innovations.

Enterprise GRC

Our R&D centers are strategically located in the global technology hubs of Silicon Valley in California and Bangalore in India, enabling us to attract the best minds in engineering, research, and technology development. We count over 400 talented individuals in our R&D and product teams

Enterprise GRC



MetricStream benefits tremendously from the entrepreneurial and creative excellence of Silicon Valley and the engineering and development prowess of Bangalore. While most of the team is focused on continuously developing our GRC platform and 20 core apps, at any given time, 50 or more individuals are working on disruptive innovations that keep MetricStream’s GRC technology at the leading edge.

Enterprise GRC

What’s Cooking in Our Labs?

While our technology developments in the last decade have focused on refining the MetricStream GRC Platform and developing apps for specific use cases, over the next decade, GRC users will demand technology that is more personalized, available on demand, and can manage vast, diverse, and rapidly increasing volumes of data. To this end, MetricStream Labs is working on both near term innovations (1 - 2 year horizon), and longer term innovations (3 - 5 year horizon). They include regtech offerings such as GRC Pulse, as well as advanced analytics capabilities that can correlate risk and performance metrics.

Here are several of the technologies that are cooking in our labs right now.


At MetricStream, we envision a world where GRC data is not only accessible through our own apps, but also available pervasively through mobile devices and other business applications. Here’s a look at some of the innovations that are making GRC pervasive.

GRC Pulse and Layering in Salesforce

GRC Pulse is a hybrid mobile application that leverages web technologies like HTML5, CSS, and JavaScript code, along with elements of native and mobile web apps, to deliver a best-in-class user experience across Apple and Android ecosystems. The composite cloud app is built using the MetricStream Cloud and Salesforce’s Force One platform. Through GRC Pulse, employees can be onboarded and trained on corporate policies and other compliance requirements from the convenience of their smart phones. The easy-to-use mobile app allows compliance administrators to shrink-wrap and distribute relevant content to the workforce, while also leveraging rich analytics tools to track the status of compliance. Designed for ease of use and simplicity, GRC Pulse enhances user engagement, leading to a more compliant organization. It also accelerates the time taken to roll out compliance programs from months to a matter of hours.

Enterprise GRC

Integration with Microsoft Outlook/ Exchange

Microsoft Outlook/Exchange is a cornerstone application used by companies around the world to manage calendars and emails. MetricStream’s integration with Outlook/Exchange ensures that any task assigned on a MetricStream app shows up as an appointment within Outlook/Exchange. The Outlook/Exchange calendar thus becomes the primary point of reference to manage day-to-day tasks and activities. Users can also forward emails to the MetricStream app to make them part of the system of record. Essentially, MetricStream’s integration with Microsoft Outlook/Exchange brings GRC data and contexts to where the end users are.

Enterprise GRC


At MetricStream Labs, we’re constantly innovating to offer companies the GRC intelligence and insights they need, when they need it, through a range of powerful visualization, analytics, and reporting capabilities. Some of our latest advances in this area include: Figure 7: Managing GRC Tasks through Microsoft Outlook/ Exchange status of compliance. Designed for ease of use and simplicity, GRC Pulse enhances user engagement, leading to a more compliant organization. It also accelerates the time taken to roll out compliance programs from months to a matter of hours.

Correlation and Scenario Modeling

MetricStream Labs has developed a correlation engine that can explore, combine, and provide insights into vast data sets. The current emphasis is on correlating metrics, internal and external losses, and external factors such as consumer sentiment, personal income, and unemployment rates. The correlation engine will also eventually allow companies to run a sensitivity analysis between data sets, and model scenarios to predict and forecast business performance.

Enterprise GRC

Text Analytics

In today’s world, data never sleeps and is proliferated from multiple types of sources. Companies are dealing with massive volumes of structured data such as the information captured within MetricStream apps, as well as unstructured data generated through social media, blogs, and other external data sources. Here are some of the innovations that MetricStream Labs is working on to drive better insights from all this data:


1) Text Classification

With data volumes exploding, it can be challenging for companies to monitor a wide range of data sources, and separate the signal from the noise in articles, documents, information captured in GRC systems, feeds, and social media. MetricStream Labs has invested in extensible frameworks, its own algorithms, and patented technology (US patent 9348901) to help classify, score, and link the content from these data sources to a company’s defined GRC taxonomy. This technology paves the way for natural language processing and understanding in GRC.

Enterprise GRC


2) Document Summarizer

MetricStream Labs is leveraging the industry standard “Text-Rank” algorithm from Google to summarize large volumes of legislative, regulatory, or compliance related documents and emails. When deployed in MetricStream apps, this capability will enable companies to gain a 10x reduction in content which, in turn, will enable them to quickly zero in on the most important and useful insights.

Enterprise GRC

3) Intelligent Data Validation, Routing, and Recommendations

MetricStream Labs is exploring the use of text analytics which will route information intelligently, and validate the completeness and consistency of this information based on pre-configured rules and regulations. These text analytics will also help provide recommendations and suggestions to fill in data forms and fields effectively.

GRC Cloud Business Intelligence

Cloud-based Business Intelligence (BI) software is fast replacing traditional, on-premise BI products. The benefits of cloud BI software are many – reduced data centers, lower management costs, faster deployment, and increased flexibility in adapting to changing business needs.

MetricStream’s cloud-based BI capability provides turn-key business intelligence on the MetricStream GRC Cloud to complement the in-product reporting capabilities available through the MetricStream apps. The cloud-based BI enables companies to provide C-level reports, create holistic dashboards across apps, and mash up data from different data sources and systems, while also supporting ad hoc reporting for business users.

Enterprise GRC

Artificial Intelligence: Conversational GRC

2017 will continue to be the year of everything conversational. Messaging apps are taking over the world and app store rankings with incredible retention and engagement rates. The advent of smartphone messaging, Slack, and Facebook Messenger are irreversibly changing the way we exchange information. Meanwhile, artificial intelligence innovations around voice-activated assistants can generate valuable insights based on a user’s voice input, while also becoming location aware, and tapping into a variety of data sources.

MetricStream Labs is exploring various ways to bring the conversational paradigm to its products. In the near future, users will be able to launch GRC Voice – a GRC chat application to ask and receive insights into their GRC data. We’re also researching advanced deep learning functionalities of speech recognition and Natural Language Understanding (NLU) which will enable life-like contextual interactions to answer your questions on GRC data.


If GRC is to become part of an organization’s culture, then the tools and solutions that support it need to be as intuitive and engaging as possible. With our next-gen GRC platform – M7 – we’ve designed the content, navigation, and interactions to simplify GRC adoption, enable seamless collaboration with other individuals, and personalize the system behavior and content to the user’s unique requirements.

Some of the other key user experience-focused innovations from MetricStream Labs include:

Web Annotations

The effectiveness of a GRC program depends to a great extent on the level of collaboration across teams. MetricStream Labs has developed the technology that will eventually enable users to collaborate on web documents, reports, and forms by simply highlighting and annotating sections. All annotations will be maintained as a system of record in the MetricStream apps.

Enterprise GRC

Enhanced Rich Text and Web Editing

To edit documents, MetricStream app users would traditionally have to download the document, make the text changes, and upload them to the apps. Today, MetricStream Labs has leveraged the industry standard Web Distributed Authoring and Versioning (WebDAV) protocol to enable seamless editing of documents online. Users can leverage Microsoft Word to make text changes, and save them directly to a MetricStream app.

Enterprise GRC

Looking Ahead: How Will the Technology of the Future Impact GRC

Today, technology is changing faster than ever. Artificial intelligence, smart devices, and autonomous vehicles are all triggering the humanization of technology. So, instead of us adapting to technology, technology is adapting to us. This shift, coupled with the proliferation of apps, devices, and other data sources, are confronting GRC practitioners with new challenges. At MetricStream Labs, we’re gearing up to meet these challenges head on.

Some of the key trends we’re following include:

The Transition to the Modern Cloud and Hyperconvergence

As cloud computing becomes more pervasive, IaaS, PaaS, and Saas will give way to XaaS – anything or everything as a service. Hyperconvergence will soon become mainstream, introducing new levels of flexibility and agility. Business value chains will be transformed with data flowing seamlessly, securely, and intelligently across different platforms and infrastructures. These transitions will usher in a new era of risks, regulations, and governance requirements, each having a broader impact than ever. Companies will need to not only strengthen their focus on data privacy, security, and vendor management, but also improve the transparency of audits, legal, and regulatory compliance, while refining business continuity planning.

Pervasiveness of Artificial Intelligence

Artificial intelligence will be the new interface for interaction. In fact, we see a future where there will be minimal UI. With advances such as Amazon’s Lex platform, Apple’s Siri, and Google Assistant we’re entering a time when artificial intelligence combined with machine learning will continue to learn from us and from data sets, and be able to personalize information and insights. The risk intelligence gathered will lead to significant gains in performance management at multiple levels. GRC technology will need to evolve to keep pace with these expanding data sets and varied risks. Solutions will need to transform to help businesses manage risk and compliance effectively and pervasively across the organization. For instance, we’re already beginning to see virtual reality incorporated into GRC technology to support training and simulation around risk management, crisis management, and other GRC scenarios.

Evolution of the Internet of Things

The physical devices of the future will be smarter and more connected to electronics, software, sensors, actuators, and networks, enabling the seamless flow of information. According to Gartner, nearly 20.8 billion devices will be connected to each other by 2020. This “device mesh” and the information generated by it will introduce unique challenges for governance, security, risk, and compliance. Currently, IoT operators tend to overlook security, failing to realize that IoT devices are not traditional, isolated controllers, but small computers that can create havoc. Case in point: The Mirai botnet which ensnared hundreds of thousands of IoT devices, exposing their inherent vulnerabilities. If we are to truly benefit from IoT in the future, we need to think of new ways of securing these devices.

Blockchain Layering in GRC

Traditionally used to enable the movement of bitcoins, blockchains have a secure and fault-tolerant design that make them suitable to record any event. For instance, in the food industry, blockchains are being used to track food quality from raw material to packaging, ensuring that the final product is safe to consume. In the shipping industry, blockchains enable shippers to comply with the International Maritime Organization’s SOLAS treaty by ensuring that data around the accurate Verified Gross Mass (VGM) of packed containers is swiftly distributed across terminals/carriers before they are shipped. As for GRC, the technologies of the future will provide a way to connect to blockchain exchanges, providing governance over and visibility into data. Companies will be able to leverage blockchains to streamline the exchange of risk and compliance related information in real time, while also flagging discrepancies.

The New Economy

Businesses will drive the formation of new industries. Companies like Uber are already on the path to creating the new social economy, while self-driving cars are rewriting the rules of auto manufacturing. The new industries of the future will not only define new products and services, but will also require a new set of regulations and governance requirements. GRC technologies will need to be flexible and intelligent enough to adapt to this changing regulatory and risk landscape, as well as the new processes and controls that will need to be implemented.

The New Workforce

Collaboration tools like Slack and HipChat are already changing the way people work. With the advent of the new economy, as well as artificial intelligence and IoT, workforces will become more fluid, transcending the barriers of countries and infrastructure, and working on specialized products and services. Businesses will require new frameworks to manage this new fluid workforce which will come with its own risks and governance requirements. GRC technology will also need to adapt to the changes that this workforce brings in terms of information security guidelines, authentication and authorization measures, infrastructure security, data encryption, and country-specific regulations.


As we continue to look over the horizon, and build new technologies to address the existing and emerging needs of GRC practitioners, we believe that the best innovations are not those that are developed in isolation, but those that are built in collaboration with our partners and customers. Through our customer community and Special Interest Groups (mSIGs), as well as our partners across the world, we are constantly exposed to a range of rich insights, feedback, and divergent thinking that enable us to shape our ideas and innovations for best results.

Many of our partners and customers work closely with us to build new innovations for the market. HCL, for instance, developed a PCI-DSS app on the MetricStream GRC Platform which makes it easy for customers to conduct self-assessments and surveys mandated by the PCI Security Council. With powerful reporting tools and other capabilities, the HCL-developed app reduces the effort and time required to comply with the reporting requirements of PCI DSS.

It is this kind of partnership and collaboration that enables MetricStream to stay at the leading edge of GRC. So, as we settle into 2017, we look forward to forging stronger connections with our communities and delivering products that transform the way companies manage risks, govern workforces, and comply with regulations.


Ready to get started?

Speak to our experts Let’s talk