Talk about round trips. In the same week as a very successful 2021 GRC virtual summit on 19 and 20 October, where MetricStream had over 2,500 customers, prospects, and partners registered to learn, participate, and share their experiences around GRC, IRM, and everything in between, we decided to host three in-person summits in London, Copenhagen, and Zurich to continue the conversations with our community.
All three locations had a boardroom-style setting dedicated to a round table discussion. The aim was simple: we would listen to what our community had on their minds. It was an opportunity to find common ground, lead round table discussions, and network with senior risk professionals who are paving the way in this industry.
With representation from risk, compliance, audit and IT Cyber, the discussions were captivating, and the commentary was electric.
The first of the events started off in London, and we had a great mix of customers, partners, and prospects around the table.
Our CEO, Bruce Dahlgren, introduced the session to an engaged group that shared their thoughts and concerns around current themes and trends.
Alongside the presentations, our partners gave a short speech on the success of collaborating with MetricStream to provide business benefits for our risk community. What followed was an insightful roundtable discussion that covered risk quantification, cyber security, and the need for organizations to lead with purpose.
It did not take long for ESG to make an appearance, and quite rightly so: with COP26 on the agenda and its link to compliance, organizations that have a purpose and are aligning to social governance, diversity, and climate change are setting a precedent. MetricStream recently launched the ESGRC product, which enables organizations to define and manage ESG standards, frameworks, and disclosure requirements. There was a lot of excitement about this in the room.
Emerging risks and third-party risks were explored in detail. With recent supply chain disruptions, it became even more apparent that peripheral risks have to be managed.
Dinner followed, and the conversations (like the wine) continued flowing. It was delightful to see customers connecting with customers. It was evident that they all thrive in this environment and that it was clearly something they had sorely missed over the last 20 months.
We settled in for another topical roundtable discussion, where thoughts and real-life examples of how technology is an enabler in the GRC space were deliberated. In some instances the dialogue went back and forth. One example: the concern organizations face with risk is not always a technology one, but more often a transformation project that the organization needs to resolve. Accompanying this was the remark that inconsistent risk terminology across industries fuels part of the problem. It was also surprising (to me) to learn that so many organizations still use spreadsheets to manage their risk. That was their default way to identify, monitor, and track risks, even though they knew it was not sustainable, efficient, or scalable.
The need for AI and ML to automate risk attributes was the next topic. The comment was made that AI techniques recognize patterns and trends to help alleviate the pain, time, and missing information that humans cannot always detect, but how do you know that the AI is doing the right thing? This conversation continued into the evening, accompanied by food and drinks.
And finally, concluding the week in Zurich, we had another full house with an engaged group that deliberated on how they can start a community of risk or, as was suggested, the “Instagram of risk”. There were discussions around risk culture, accountability, accurate data, and mindset. Some customers admitted that it was quite possible to get lost in the data and that what they require is speed, agility, and most of all simplicity. A comment was made that you could spend all your time managing documents and not the risk. Another noted that, because change management sits in all departments including HR and legal, it can be a challenge for larger organizations to bring it all together. Crypto also made it into the discussion, with the notable point that new risks have no historical data on which to base estimates.
Visibility and accountability were front of mind in the discussions, and a common theme that was mentioned was on reporting risks up to the board of directors and the role of the board in risk governance.
MetricStream presented five current trends that we are observing in the industry and five innovation themes that we are leading with (API, AI, Adoption, Agility, and Analytics).
MetricStream’s purpose is to continue to add value and innovate alongside our community, bridging the gap and driving value for it. We want the community to thrive on risk and reap the rewards of a GRC journey that, like a good bottle of wine, gets better with age.
Until the next summit.
I recently had the privilege of sitting down with Tom Fox. Tom is the author of the award-winning FCPA Compliance and Ethics blog and 18 best-selling books on compliance, including the just-published 2nd Edition of The Compliance Handbook, and publisher of the Compliance Podcast Network, the only network of podcasts for compliance leaders. A renowned expert across all aspects of compliance (corporate, regulatory, ESG, you name it), he is known by the well-earned titles “the Compliance Evangelist” and “the Voice of Compliance.”
As we all contemplate what’s next as we recover from the pandemic, navigate multiple regulations, and adapt to the ever-changing demands of our organizations, I asked Tom his thoughts on what’s trending in compliance today and tomorrow. As always, he had thought-provoking insights to share, including:
Here’s a lightly edited transcript of our conversation. Thank you, Tom!
TF: Let’s speak about both compliance and risk management. I started a podcast last year called “Compliance and Coronavirus” because I really wanted to focus on what the COVID-19 pandemic meant for people in our profession and really everyone in the corporate world.
Probably the two most propitious things I learned in that roughly 50-episode podcast series were, one, a gentleman said, I think in October, “We've had five years of change in six months of coronavirus.”
The second was the risk management part, where another guy said, “We've gone from disaster recovery to business continuity to businesses as usual.” Now the risk management world is business.
You have to prepare for risks from a worldwide pandemic to the Suez Canal being shut down, to riots at the U.S. Capitol, and everything in between. That’s just business now.
So, the types of services that you and I bring to the compliance community have only become more important in all of the things that we used to talk about. They are exponentially more important now. So that's part one, but part two is where is all of this going down the road? And that part is largely around data and the use of data.
In June 2020, the Department of Justice released an update to the Evaluation of Corporate Compliance Programs. And for the compliance professional, they specifically said a couple of very important things.
And -- your risks are going to change. You must put a risk management model in place and then you monitor that risk, all the time. And the data that you garner from that monitoring is looped back into your risk management solution through an ongoing/continuous approach to risk management -- risk assessment, continuous monitoring, continuous improvement-- all tied by data.
Everyone -- from the compliance professional to the risk management professional -- now has to utilize data to manage risks. That's how business is going to survive and thrive going forward.
TF: Probably one of the most ubiquitous phrases from 2021 has been ESG. I think that sits directly in the compliance wheelhouse. Also, the chief compliance officer is uniquely suited and situated to lead a corporate ESG effort.
Certainly, for each one of the letters in the ESG -- environmental, social, and governance -- compliance is well-suited to own it because it's putting policies and procedures in place. It's monitoring those policies and it's getting measurements from that monitoring and reporting.
And that's just one area from the regulatory sphere. The U.S. Securities and Exchange Commission (SEC) has made it clear that they expect companies to not only have ESG programs in place, but also report on those programs accurately. That is not only a regulatory requirement that could lead to regulatory enforcement, but would also help to meet investor expectations, stakeholder expectations, shareholder lawsuits, and everything in between.
The second perhaps most ubiquitous phrase is SPACs: Special Purpose Acquisition Corporations. Those are utilized to bring a privately held company and make it public. But it's different than the typical IPO process where you go 12 to 18 months, you have regulatory approval, you have filings with the regulator, you have investors like you, and may have the opportunity to review those filings, to determine if we want to invest in it. And you have an opportunity to put your Sarbanes Oxley or SOX controls in place.
When you're a SPAC, you don't have an 18-month run-up. You have “today's Tuesday, tomorrow's Wednesday. Go!” You now have all the obligations of a U.S. public company. Are your internal controls in place? Are they effective? Have you tested them? The answer is no.
It’s incredibly important for the risk management professional to think about those things. And if you think you may be acquired by a SPAC you have to be moving towards those.
Those are just a couple of areas that the regulators have made clear that they are going to look at SPACs very closely. If on the day, you become a U.S. public company, you don't have Sarbanes-Oxley 404 controls in place, the SEC may take a very dim view of that. And certainly, you open yourself up to potential investor and shareholder lawsuits.
But I think that as important as those are, they actually pale beside public opinion. And I think the greatest danger to a corporation now, certainly from a financial perspective, is negative publicity.
The social amplification and speed of social media make it mandatory that you have policies and procedures in place to detect anything and then prevent it. And if not remediate as quickly as possible, then at least be able to communicate that to all of the stakeholders that are now seen as a part of a corporation.
TF: In the past, I’ve always said the three most important things are: document, document, document.
I've amended that out to data, data, data.
You need to have a data expert, a data scientist, or someone who can work with data on your compliance team because either you're going to have to work with the data or more importantly, have someone who can work with the data. You can help shape the story that the data tells.
As the chief compliance officer, you can certainly see the trends, but you have to be able to work with data. If you don't have that training and you can't really pick up those skills in this part of your professional life, you're going to need to bring those skills into your compliance program.
I see compliance really moving towards a business process and a business function. And that means data and using data to determine if a potential violation is on the horizon and using that same data to tell your story to all of the stakeholders of a corporation--your shareholders, your employees, your third parties, those who you do business with, localities where you may be doing business.
And most importantly, if the government comes knocking, that's where the “document, document, document” part comes in because you can tell your story to the government as well.
TF: Well, about a year ago, I was contacted by LexisNexis, the preeminent legal publisher in the United States and the world. I was very honored that they selected me to be their first author to lead their compliance library that they make available. I'm extraordinarily pleased to announce that in June LexisNexis published my latest book, the 2nd Edition of The Compliance Handbook.
I'm going to continue to grow the Compliance Podcast Network. We’ll have 70 podcasts on the network by the end of summer and I'm looking to grow the network. The thing I love about podcasting is I get to interview the top experts in every form of compliance: IT compliance, HR compliance, anti-corruption compliance, AML compliance, environmental compliance, you name it. I've learned so much by interviewing people.
So, I'm going to continue to learn and grow and hopefully be a resource to the compliance community going forward.
Thanks, Tom, for sharing your insights about what’s now in compliance – and what’s next. To learn more about Tom, visit his Compliance Podcast website.
To learn how MetricStream can help you address your compliance needs and help you manage what’s next, click here.
What’s happening with risk management and compliance professionals as they manage today’s vast wave of changes, from increased regulatory pressure to a skyrocketing number of regulations to master? How are they managing what’s next in the COVID-19 era?
To understand the current state of compliance programs and processes as well as the impact of the pandemic on compliance management, MetricStream conducted a comprehensive survey of compliance professionals across industries and geographies.
We learned a lot, including:
Managing third-party risk compliance is a huge challenge. Nearly half -- 48% -- of organizations found it challenging to track third-party compliance while 44% stated that their biggest challenge was to manually conduct compliance assessments.
Staying ahead of regulatory changes remains a key issue. Regulators worldwide keep updating regulations to protect the interests of businesses, customers, and other stakeholders, leaving businesses to cope with a tsunami of ongoing changes. As just one example, banking sector companies alone cope with an average of 220 regulatory alerts a day, compared to just 10 back in 2004.
In the survey, we found that 76% of compliance managers manually scan regulatory websites to track changes and assess their impact on the business. That’s neither efficient nor effective – how can you possibly keep up?
Engaging the front line is essential. 57% of respondents said that they engage with the frontline to respond to queries related to policies, regulations, processes, and controls. Frontline employees are the eyes and ears of the business and can often spot important trends and risks before the rest of the business. It’s encouraging that more than half are incorporating frontline feedback – a trend we hope to see continue.
The use of technology is not yet where it needs to be. Just 19% of organizations use standalone compliance management platforms. That’s shockingly low! And only 19% of respondents said they use compliance management software as a component of a larger GRC platform, implying that more than 80% are not managing compliance within an integrated platform, and therefore not in a consistent, integrated way.
Combined with the manual scanning of regulatory changes, we’re seeing a key theme: automation and technology drive effectiveness and enable you to move valuable resources to strategic work, yet so few are taking advantage of it. There is work to be done. Enhancing regulatory and internal compliance assessments and improving employee awareness with more compliance training emerged as the top future priority areas. Training is key to creating a culture of compliance and coping with today’s fast-changing demands. Unless combined with more strategic technology, however, they are not enough.
In the words of the report: “As the world gears up for a post-COVID economy, organizations must also focus on fully integrated technology platforms that can automate and improve compliance with an ever-evolving regulatory framework. The post-COVID future will bring about greater uncertainties and greater changes in regulations and organizations must prepare for this now.” Only by getting ready now will we be empowered for what’s next.
To navigate today’s regulatory landscape efficiently and effectively, organizations need to embrace digitization and automation. Technology-based compliance management solutions can help streamline and automate the entire process—establishing a centralized repository of regulatory obligations and mapping them to policies, risks, controls, and processes; identifying, tracking, and analyzing regulatory changes; identifying and prioritizing high-risk areas; creating, updating, and aligning policies; managing various regulatory engagement activities, and more.
[Read more: 3 Best Practices for a Proactive Approach to Compliance (eBook)]
MetricStream can help you power what’s next. We offer a comprehensive suite of products and solutions to help organizations streamline and simplify both regulatory and corporate compliance. The products help structure and streamline various aspects of the compliance function, enhancing overall efficiency. With automated workflows, analytics, and dynamic dashboards, MetricStream products and solutions deliver real-time visibility into the compliance posture of the organization.
Here’s a case in point: A leading health insurer was seeking to integrate all regulatory compliance processes so that the insights that ultimately rolled up to the senior management and board would provide a complete, accurate, and real-time view of enterprise-wide compliance. It embarked on a GRC journey with MetricStream and implemented an integrated GRC solution beginning with compliance issue management, followed by compliance risk management, policy management, case management, and audits. Today, an efficient and standardized compliance program is in place with timelier visibility into risks and other areas of concern.
[Read more: Leading Health Insurer Integrates Regulatory Compliance Efforts, Saves Time and Costs (Case Study)]
What’s next is never sure – but what’s certain is that what got us here won’t move us forward. The compliance function must adapt, automate, streamline, and collaborate with technology to power the future and turn risk into a strategic advantage.
Read more of what the compliance professionals had to say. To download the State of Compliance report, click here.
Want to see MetricStream in action? Request a demo by clicking here.
The demands and requirements for businesses to thrive in the new normal have changed drastically. Buzzwords like agility, digitization, and resilience are no longer just business aspirations but have become necessary and fundamental to the readiness of organizations to address any risk event, including high-impact, low-frequency events such as COVID-19. With the latest Brazos release, we are delivering a range of innovations to support organizations in their journey to achieve their business goals and power through the current unsettled operational environment.
Brazos builds upon the previous Arno release and includes key innovations in areas including regulatory compliance, cyber risk quantification, and vendor risk management. The objective is to make the processes simpler, smarter, and more streamlined.
Given the complex web of regulations, along with the escalating number of regulatory change alerts that organizations are bombarded with every day, it has become imperative to simplify the compliance function to make it more efficient and systematic. On these lines, the Brazos release brings new capabilities to our regulatory compliance products, including:
Cyber risk quantification, or quantifying cyber risks in monetary terms, is critical for cybersecurity professionals today to effectively communicate the cyber risk exposure to the top management and board. By understanding the potential impact of cyber risks in dollar values, decision-makers are better positioned to prioritize IT cyber risk spending, resource allocation, and establishment of optimal controls.
Brazos brings advanced cyber risk quantification capabilities to IT and Cyber Risk Management, enabling cybersecurity teams to use the industry-standard FAIR methodology to quantify their cyber risks in monetary value. In addition, Monte Carlo simulation turns the assessment teams’ calibrated range estimates (minimum, most likely, and maximum values for loss event frequency and loss magnitude) into a full distribution of annual loss exposure, so that decision-makers see percentiles and exceedance probabilities rather than a single point figure. Note that simulation quantifies the uncertainty in the inputs; it does not remove it, so the quality of the result still depends on how carefully those ranges were calibrated.
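The mechanics of a FAIR-style Monte Carlo run, as an added illustration that is not MetricStream code and does not reflect how the product is implemented: each iteration draws a loss event frequency from a PERT distribution over the team's three-point estimate, draws the number of events in the year from a Poisson distribution with that rate, and draws a loss magnitude per event from a second PERT range. The scenario name and the three-point ranges are constructed for the example, and only the Python standard library is used.

```python
"""FAIR-style Monte Carlo estimate of annualized loss exposure (ALE).

Added example, not MetricStream code. The ranges below are constructed
calibrated estimates for one hypothetical scenario; a real assessment
would record its own min / most likely / max values.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Range3:
    """A calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def __post_init__(self):
        if not (self.low <= self.mode <= self.high):
            raise ValueError("expected low <= mode <= high")


def sample_pert(rng: random.Random, r: Range3, lam: float = 4.0) -> float:
    """Draw from a modified PERT distribution on [low, high], peaked at mode.

    PERT is a rescaled Beta distribution; lam=4 is the conventional shape
    weight. A degenerate range (low == high) simply returns that value.
    """
    span = r.high - r.low
    if span == 0:
        return r.low
    alpha = 1.0 + lam * (r.mode - r.low) / span
    beta = 1.0 + lam * (r.high - r.mode) / span
    return r.low + rng.betavariate(alpha, beta) * span


def sample_poisson(rng: random.Random, mean: float) -> int:
    """Number of loss events in one year for an expected rate `mean` (Knuth).

    Adequate for the small per-year rates typical of FAIR scenarios.
    """
    limit = math.exp(-mean)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def exceedance_probability(sorted_losses: list, threshold: float) -> float:
    """Fraction of simulated years whose total loss exceeds `threshold`."""
    over = sum(1 for x in sorted_losses if x > threshold)
    return over / len(sorted_losses)


def simulate_ale(lef: Range3, lm: Range3, iterations: int = 20_000,
                 seed: int = 7, threshold: float = 1_000_000.0) -> dict:
    """Run the simulation and summarize the annual loss distribution.

    lef: loss event frequency range (events per year).
    lm:  loss magnitude range (currency units per event).
    A fixed seed makes the run reproducible for audit and regression purposes.
    """
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        events = sample_poisson(rng, sample_pert(rng, lef))
        annual_losses.append(sum(sample_pert(rng, lm) for _ in range(events)))
    annual_losses.sort()

    def pct(p: float) -> float:
        idx = int(round(p / 100.0 * (len(annual_losses) - 1)))
        return annual_losses[idx]

    return {
        "mean": sum(annual_losses) / len(annual_losses),
        "p10": pct(10), "p50": pct(50), "p90": pct(90), "p95": pct(95),
        "max": annual_losses[-1],
        "p_exceeds_threshold": exceedance_probability(annual_losses, threshold),
    }


if __name__ == "__main__":
    # Constructed scenario: ransomware on a billing platform (hypothetical).
    lef = Range3(low=0.1, mode=0.5, high=2.0)            # events per year
    lm = Range3(low=50_000, mode=250_000, high=2_000_000)  # loss per event
    summary = simulate_ale(lef, lm)
    for key, value in summary.items():
        print(f"{key:>20}: {value:,.2f}")
```

Reporting the 90th or 95th percentile alongside the mean is what lets the board compare loss exposure against risk appetite or an insurance deductible; the `p_exceeds_threshold` figure answers "how likely is a year worse than X" directly. Keep the seed and the input ranges with the result so the number can be reproduced when challenged.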
Managing risks associated with the extended enterprise quickly and efficiently is crucial for ensuring continued business operations. Supplier networks today comprise hundreds or thousands of third, fourth, and subsequent parties. Manually reviewing third- and fourth-party documentation, including reports, certificates, and evidence, to spot discrepancies is time-consuming and prone to error.
We are addressing this challenge by bringing the benefits of artificial intelligence (AI) and automation to Third-Party Management with the latest release. MetricStream’s AI engine automatically scans the documents submitted by third parties, validates the content, highlights any anomalies, and recommends risk scores based on the number and type of anomalies found. This real-time intelligence equips risk teams to accelerate analysis and mitigation of third-party risks, with the recommended scores remaining subject to reviewer confirmation.
With Brazos, we are setting a new standard by implementing AI into multiple GRC products, empowering risk, compliance, security, and audit professionals to better perform their roles and responsibilities. The release also provides a simplified user experience and enhances agility for faster time to value with:
We are constantly striving to make your GRC journey exciting, enriching, and fun. The latest software release is guided by our key tenet of helping organizations accelerate sustainable growth with risk-aware decisions. The new features and functionalities extend the capabilities of MetricStream Platform and products and will enable you to meet the evolving business needs in this digitized world.
To know more about Brazos Release features, click here.
The growing focus on data privacy and protecting the rights and interests of customers and key stakeholders has resulted in a flurry of regulations at the global, national, and state level. The already complex regulatory landscape that organizations are required to wade through saw a fresh wave of regulations and numerous regulatory updates in the past year due to the COVID-19 pandemic.
To put things in perspective, banking sector companies today have to handle an average of 220 regulatory alerts per day compared to just 10 regulatory alerts per day back in 2004. The numbers are expected to only surge going forward as regulators will spare no effort to protect against the risks posed by rapid digitalization, volatile geopolitical environment, and other uncertainties.
Government regulations get translated into corporate policies, which form the very foundation of a strong compliance program. With the mounting number of regulations and regulatory updates, ensuring an effective compliance management program has become a daunting proposition for organizations. A considerable number of firms still use the traditional approach and often end up with policies, templates, and layouts that are scattered, inconsistent, and redundant, leaving most employees unsure about the latest policy applicable to them.
Regulatory risk management is the proactive process of identifying, assessing, and mitigating the financial, operational, and reputational risks that changes in laws, regulations, or standards may pose to a business, industry, or market.
To mitigate regulatory risk in an efficient manner, organizations need to adopt an integrated approach to compliance management. But how?
There is no one-size-fits-all approach to compliance. It depends on each organization’s unique set of requirements which depend upon multiple factors such as the industry it operates in, the number of regulations that it must comply with, the maturity of the compliance program, the jurisdiction it is based out of, and many more.
However, there are certain core elements of a compliance program that every organization follows:
These processes, along with the technology that supports them, a common data architecture, and a risk-based approach, enable organizations to respond in an agile manner to the fast-changing regulatory landscape.
Having said that, a strong compliance program is one that is enforced with a culture of compliance across an enterprise. Particularly in the current remote working setup, compliance teams need to be thoughtful and purposeful in building a culture of compliance. A top-down approach is critical to that end—the impetus should come from the executive management and board. Clear policies and procedures, effective communication, along with recognition and disciplinary measures, will help set the expectations for individual employee behavior in the workplace and encourage a compliant mindset.
MetricStream offers a comprehensive suite of products and solutions to help organizations streamline and simplify both regulatory and corporate compliance. The products address multiple aspects of the compliance function, including a centralized library of compliance obligations, compliance assessments, as well as policy management, regulatory change management, regulatory engagement management, and case management. With automated workflows, analytics, and dynamic dashboards, MetricStream products and solutions deliver real-time visibility into the compliance posture of the organization.
The UK SOX is here and as an organization, you may already have done all you need to ensure compliance, or you may be in the midst of it, or contemplating it. No matter which stage your organization may be at, it’s important to understand the legislation, its necessity, and how you can ensure you are on the right side of it.
To understand the UK SOX, you must know more about its origin. The Sarbanes–Oxley Act of 2002, commonly called Sarbanes–Oxley or SOX, is a United States federal law that put in place new, and in some cases more elaborate, requirements that public company boards, their management, and their accounting firms must adhere to. Some parts of the Act also apply to private companies, such as the provisions on deliberate destruction of evidence to obstruct an investigation. The Act, with its 11 titles, came into force on the back of several corporate and auditing scandals that rocked the business world. Under it, the board of directors of any public corporation is held more accountable and is liable to criminal penalties, and the company is subject to regulations created by the Securities and Exchange Commission to ensure compliance. The CEO and CFO must also certify the financial statements and attest that their organization’s internal controls over financial reporting are strong enough to support genuine and reliable financial statements.
For many years now, the Financial Reporting Council (FRC) has been working on similar legislation for implementation in the UK. This came at a time when there were loud calls for audit reform in the country. A UK SOX was first suggested by Sir John Kingman in 2018 as an initiative in his recommendations for audit and regulation reform. Sir Donald Brydon’s recommendations include having the CEO and CRO provide the board of directors with a yearly attestation on the efficacy of the company’s internal financial reporting controls.
Since SOX was introduced in the United States, the quality of corporate financial reporting there has improved tremendously. There have been some interesting, unexpected benefits too. Key among these are a reinforced control environment, better documentation, hands-on participation by the audit committee, more standardized processes, and a reduction in human error. Introducing the UK SOX should bring similar benefits to the country’s corporate world.
To understand this, let’s start with which companies will come under the purview of UK SOX. The legislation primarily aims at protecting investors and insulating them from corporate fraud. The requirements laid down are strict and ensure better financial disclosure, stronger assessment of internal controls, sound corporate governance, and complete auditor independence. UK SOX requires that any organization in the FTSE indices of the London Stock Exchange be SOX-compliant. Besides such organizations, if your company falls under the following, it is time to initiate a SOX program:
Once you understand how your company is positioned vis-à-vis UK SOX, here is a look at the kind of changes you can anticipate when getting compliant with the regulation. Several existing internal control measures will see some changes. For example:
Annual Effectiveness Reviews Will Become More Prescriptive: Currently, reporting on the efficacy of risk management and related internal control systems is governed by the UK Corporate Governance Code for public companies and the Wates Corporate Governance Principles for large private ones. Both require that committees and boards conduct an annual review of how effective their controls are and include it in the annual report. The Wates Principles make it compulsory to establish a monitoring and review process alongside an internal controls set-up. There is no uniformity in the kind and extent of the procedures that support annual reviews, and operating effectiveness is very rarely documented. The UK SOX will change this.
Internal Audit Committees Will Look to Businesses for Enhanced Support: Boards and audit committees are going to need a great deal of information to ensure that their yearly internal control efficacy review is documented and substantiated. Internal audit teams will be deeply involved in the implementation of, and compliance with, UK SOX. They will, however, have to maintain their independence while doing so. You will find that they increasingly initiate conversations around how the business can improve its controls. These are some of the key questions you can expect:
Such internal audits apply risk and control skills to help any business create a definitive framework to assess current statuses and possible areas of improvement. Some other changes that you can anticipate include:
For a better understanding of what to expect, looking into the learnings from the US-SOX implementation can help. Here are some to consider.
A Dry Run Time of One Year: It can take up to a year to narrow down the scope, the design and be able to implement and train all your teams. Embedding these controls in your organization and ensuring their seamless functioning can take another year. If you are looking to be compliant with the UK SOX, then ensure you have at least a year to be able to implement a dry run to spot errors and fix them.
Lead from the Top: For compliance to become part of your organization's working culture, it is essential that management leads from the top down. This is what makes a controls framework effective. Every employee should be trained in, and held accountable for, the operation of the controls they own; such training also helps surface defects that can then be rectified. Engagement with compliance is best implemented by writing it into your employees' job descriptions.
IT Remains an Integral Part of the Framework: In the bid to ensure compliance with financial controls, it is easy to forget how dependent those controls are on IT controls and on a range of outsourced services. Work to identify the central IT controls, and those managed by third-party service providers, that are critical to a smoothly functioning financial control system. Accountability for these controls must be assigned within your own organization, even where the service is outsourced.
Now that you understand what UK SOX means for your company, here is a look at the basic foundations of a SOX program and what you will need to do:
You Need Not One, But Two Steering Committees: You will need to set up two SOX committees, one for business processes and one for IT. Together these two committees can provide technical supervisory insight, secure executive buy-in, and ensure the rest of the company is on board too. The steering committees will create the protocols and ensure frequent testing in year one. This includes two rounds of testing, time for management's assessment of the program, and room for corrections.
Educate the Team, Division-Wise: You must connect with and educate all the business teams that make up your organization, and in particular those on which UK SOX will have a direct impact. This includes the C-suite. Help them understand its relevance, the parts they play in the process, and the impact on their department. Provide them with sample documentation, an explanation of their responsibilities, and guidance on how to set benchmarks for successful implementation.
Flesh out the Process: Work on a detailed plan. No element is too small. Start with risk assessment and list out every process and system associated with it. Go through every process put down on paper to ensure that it still does what it is supposed to do. This will help validate continuing its use. At every stage, clearly define the process and who holds the responsibility for a particular control. Ensure that they know it and also are clear on what is expected of them.
In the process of building your own SOX program, you will pass through multiple stages of maturity, culminating in a move from manual to automated processes for ascertaining control effectiveness. Implementing any financial controls framework takes at least 18 to 24 months. Identifying the key workstreams and their associated activities is the path to improving controls and getting ahead on the compliance track. All the preparation you do in advance will deliver governance improvements and efficiencies, irrespective of the final shape of the UK SOX mandate.
Here are some key workstreams you can concentrate on:
A Clear Vision for Your Compliance Program: A good compliance program is quality-driven and cost-effective, and that starts with a clear vision of what it should entail. From a stated purpose you derive an operating model, and the benefits that model delivers are what define the success you are aiming at. This is what your UK SOX compliance model will need.
A Formal Structure: A formal structure, with qualified and informed stakeholders, well-defined roles and responsibilities across all teams, and strong management taking overall ownership, helps a business both become compliant and grow.
Putting Together Trained Resources: Companies need to assess their people and understand who fits the roles the compliance model requires. In some cases existing staff will need additional training; in others you may need to recruit new staff or bring in specialized expertise when required. Understanding where you lack resources is essential.
Top-down View of Risk Factors: To be able to arrive at a starting point for your compliance program, you need to have a top view of all the risks possible at multiple stages. This could be with your financial statement line items (FSLIs) or could be in one of the end-to-end business processes you have in place. This comprehensive view will give you the clarity needed on every process and related control.
Investment in Technology: Early in the game, you will need to invest in the right technology to help monitor all controls and related environments. This will help in the testing of controls as well, which in the long term can assure you of having transparent processes in place, bringing down the cost of compliance.
UK SOX may seem like a massive undertaking, which in many ways it is. But its positive impact bears repeating.
There are some negatives: an increased need for technology and people, which raises costs; some tasks that will take longer to complete in order to meet all compliance requirements; and additional paperwork that now becomes part of the process. However, the benefits your company stands to gain outweigh these drawbacks.
Did you know that more than 56,000 regulatory alerts are produced every year by more than 1,000 regulatory bodies across the globe? That averages out to over 200 updates every working day.
The MetricStream Compliance Management offering brings together regulations, processes, controls, risks, policies and cases in a central point of reference, so that customers have the visibility to effectively manage and monitor compliance.
Organizations need to be constantly updated about ever-changing regulations in order to be compliant. To facilitate this, MetricStream recently partnered with Thomson Reuters to help financial institutions and other heavily regulated businesses gain agility while simplifying their compliance challenges. The Thomson Reuters Regulatory Intelligence content will now be integrated with MetricStream Regulatory Change Management product.
For many organizations, the chaos of compliance acts like an anchor: an unyielding array of new and constantly changing regulatory requirements, stemming from hundreds of disparate regulatory bodies, means they must manage hundreds of compliance changes per day. With MetricStream and Thomson Reuters working together, our customers will be able to consistently, quickly and effectively stay on top of regulatory change and manage its impact on the business.
Advantages for customers –
Access to these alerts will enhance visibility and enable organizations to take better risk-aware business decisions.
The COVID-19 pandemic notwithstanding, German legislators are introducing a new law, touted to be more effective than earlier approaches to handling white-collar crime. Detailed discussions spanning five years led to the draft bill titled Gesetz zur Stärkung der Integrität in der Wirtschaft (Law to Strengthen Integrity in Business). With the approval process having begun in 2020, the government is looking at implementation within two years.
Currently, corporate white-collar crime in Germany is dealt with under the Gesetz über Ordnungswidrigkeiten (OWiG). This law, however, has always treated corporate misconduct as an administrative matter. Investigations follow the principle of discretionary prosecution rather than mandatory prosecution, meaning the responsible administrative authority is not obliged to initiate proceedings when a violation occurs. Sanctions are limited to fines that are paltry relative to the fallout of large fraud cases. Additionally, the current law does not apply to offences committed by German companies abroad.
As with every bill, there are some red flags that have been raised by the committee looking into the bill in the Federal Assembly. The concerns raised can be summarised as below:
Once the bill is published, a further two years will pass before it is implemented; it will come into force on the first day of the quarter following that two-year period. This gives companies enough time to ensure they are compliant with the new regulations.
Work is under way to bring the Verbandssanktionengesetz (VerSanG), the core act of the draft law, to publication quickly. The two-year period before it comes into force pegs its implementation at the end of 2022 or the beginning of 2023. It is currently uncertain whether the ongoing pandemic will affect these timelines. The explanatory memorandum to the draft act says the two-year period is intended to give organizations the time to implement the measures required by the courts, law enforcement agencies and the registry authority. Companies can also use this time to understand where they are most exposed in terms of compliance. The expectation is that VerSanG will come into effect with minimal changes to the current draft. Being prepared is key.
The MetricStream Regulatory Compliance Solution provides a common framework and an integrated approach to meet cross-industry regulations, such as the VerSanG. The solution enables a sustainable and repeatable compliance program with the help of a centralized library of compliance obligations, as well as capabilities for compliance risk management, control testing and certifications, regulatory change management, policy management, regulatory engagement management, and case management.
The forces of digitalization and globalization continue to shape the working environment and conditions. The way we work has drastically changed over the years and is still evolving. Our work location today is no longer confined to office premises and work itself is no longer dependent on desktop computers or laptops. ‘Work from anywhere’ has become the new normal and quite often all you need is a mobile phone and internet connectivity to get the job done.
Understanding these dynamic business requirements, MetricStream continues to innovate to better equip risk and compliance professionals to perform their roles and responsibilities with ease and on the go. Towards this goal, we are delivering some new functionalities on our Policy and Document Management and Business Continuity Management mobile apps with the MetricStream Arno Release.
MetricStream Policy and Document Management helps organizations automate the entire lifecycle management of policies from creation, review, approval, communication, storage, maintenance, to obsolescence and retirement of policies. It provides a consistent policy management framework.
The MetricStream Arno Release adds the following new functionalities to the mobile app:
MetricStream Business Continuity Management (BCM) enables organizations to identify potential threats and assess the impact on business operations should those threats be realized. It also provides a framework to strengthen business resilience with an agile and effective response strategy.
The MetricStream Arno Release brings the following new features to the mobile app:
In addition, the following functionalities have also been added to both Policy and Document Management and Business Continuity Management mobile apps to improve the user experience:
We are excited to offer these enhancements as part of our endeavor to make a GRC-enabled world a reality. The new features and functionalities extend the capabilities of our mobile apps and support the evolving needs of businesses resulting from the pandemic-driven accelerated pace of digital transformation. We will continue this journey to deliver on our promise of constantly improving the experience of our customers.
The recent MetricStream IT Risk and Compliance Survey Report 2021 reveals a deep divide between IT Cyber Risk Management Strategy and Actual Practice.
Since COVID-19, the pace of digital transformation has accelerated dramatically increasing our dependence on technology. Almost everything we do today is digital-first. Unfortunately, this has opened doors to new risks that can have wide-ranging consequences on business profitability and reputation. Today, companies need a clear understanding of their exposure, vulnerabilities, and potential losses related to every decision they make, in order to build and implement a concrete risk-based approach to cybersecurity. Decision-makers need faster and better risk visibility—which calls for an advanced, integrated, and automated IT GRC approach.
A couple of months ago, we decided to ask IT risk and cybersecurity practitioners from around the world some pressing questions on the current scenario – How effectively are IT and Cyber risks being managed? How mature are risk assessments and monitoring processes? Who is leading IT and cyber risk programs? And how robust are the tools being used?
As it turns out, the pandemic is likely to trigger a surge in IT and cyber risk investments, with IT security solutions and regulatory compliance as the key focus areas, according to the latest insights gleaned from the hundreds of companies that participated in our MetricStream IT Risk and Compliance Survey 2021.
The key areas of consensus among those who took part in the research led to the emergence of several broad themes. Here are some of them:
1. Risks are evolving; compliance violations remain top of mind.
To find out what keeps security and risk professionals up at night, MetricStream asked what risks and threats their organization faced in the last two years. “Denial of Service” took the top spot, followed closely by “Compliance violations and regulatory actions.” Taking third was “Spoofing of company social media.”, reported AiThority.
2. IT risk programs have executive visibility; the majority are not driven by the CISO.
The survey shows that 70 percent of respondents agree that their senior management and leadership help establish the strategic direction of their IT risk management program. However, only 29 percent of respondents say that their IT risk program rolls up to the Chief Information Security Officer (CISO), reported Continuity Central in their article, ‘Survey looks at IT cyber risk management trends’.
“First, this report can help CISOs and compliance officers really understand how the pandemic transformed IT risk…CISOs have to think about how to keep corporate systems working — in a secure manner, and in compliance with all the usual regulatory requirements — in a much more loosely controlled IT environment. Even a task as simple as tracking all the IT devices accessing your data becomes much more complicated,” notes Radical Compliance, in their article Thoughts on IT Risk Management featuring key findings from the Survey.
3. Most IT risk programs have yet to reach optimal maturity.
When asked about the maturity level of their IT risk programs, 69 percent of respondents stated that they are not quantitatively managing their IT risk program. Furthermore, only 31 percent of respondents report reviewing their IT risk assessments on a quarterly basis, and only 15 percent stated having monthly reviews, as Yahoo Finance highlighted while featuring the report.
4. The number one tool used for IT risk management – spreadsheets.
Dark Reading while covering the report highlights, “When asked what tools are used for IT risk management, the number one response was spreadsheets. More than 45 percent of respondents reported using spreadsheets, even if they had an IT GRC solution in place. Moreover, 54 percent stated not using any IT GRC solution to manage IT risks.”
5. Investment in security and compliance are top risk priorities for 2021.
When asked about future plans, 38 percent of respondents stated that they are planning to increase their spend on IT risk management in 2021. Additionally, respondents ranked their top 2021 priorities as: 1) investment in IT security solutions, 2) compliance with federal and government regulations, and 3) IT security data aggregation and reporting, as Cision Newswire reported while highlighting the key findings of the survey.
“Most security and risk professionals know that IT security is like a chain; you are only as strong as the weakest link,” said Gaurav Kapoor, COO, MetricStream. Overall, we can hope that the more organizations prioritize and invest in IT and cyber risk management, the better prepared they will be to deal with both the opportunities and threats of operating in an increasingly digital world. Access the complete report here.