Blogs
What to Know about California’s New Privacy Act
- Compliance Management
- 12 November 20
3 min read
Introduction
Without question, 2020 has been an interesting year, and with so much attention paid to the recent U.S. Presidential election, it is easy to overlook an important ballot initiative, Proposition 24, which effectively replaces the relatively new California Consumer Privacy Act (CCPA). For businesses that buy, share or utilize California resident data, this is big.
Consumer demand for privacy rights and protection of personal information continues to drive regulatory reform worldwide. For example, the General Data Protection Regulation (GDPR) mandate in Europe has redefined privacy and data protection efforts, leaving many jurisdictions, including the United States to follow suit.
California is no different. Seeking to enhance and improve on the existing CCPA, Proposition 24, also known as the Consumer Privacy Rights Acts (CPRA), gives consumers greater powers over corporate use of their sensitive personal information. Furthermore, the Act establishes a new regulatory body, the California Privacy Protection Agency, which has oversight and enforcement duties in parallel with the California Department of Justice.
There are many notable provisions in the CPRA; too many to list. However, several novel features move the CPRA closer in line to Europe’s GDPR. Some of the standout provisions include:
- Children’s Privacy – Fines of up to $7,500 per violation can be assessed for misuse of information of children under the age of 16.
- Governance Requirements – New governance requirements will go into effect, including those that impact data storage, retention, distribution and processing of individual records.
- Third-Party Relationships – Data protection provisions must now be disclosed with vendors and partners having access to personal data.
- New Data Categories – The CPRA also creates a new category of data to be protected, “sensitive personal information,” which expands on personally identifiable information (PII) protections to include: individual geolocation data, content of private communications, as well as genetic, health and biometric data.
For many technology, financial and other organizations dealing with big data, CPRA compliance comes down to a three-part test:
- The business has annual gross revenues of $25,000,000 or more;
- Buys, sells or shares the personal information of at least 100,000 consumers a year;
- Makes more than 50% of its revenue from selling or sharing personal information.
Under the CPRA, affected businesses are required to submit an annual cybersecurity audit, as well as risk assessments. This means that now, more than ever, businesses need to move from cumbersome email and spreadsheet compliance practices to streamlined and integrated compliance management and risk platforms.
One such solution to this challenge is the MetricStream Compliance Management product that simplifies and strengthens compliance with regulations across organizations, while improving visibility into control effectiveness and ensuring timely issue remediation.
MetricStream Compliance Management, built on the MetricStream M7 Integrated Risk Platform – intelligent by design, helps manage a wide range of compliance requirements, including CCPA, in an integrated manner. Policies, standards, regulations and controls are aligned, eliminating inefficiencies and redundancies. Compliance processes with workflows, self-assessments, surveys, and issue remediation are widely supported.
Key features of MetricStream Compliance Management include:
- Regulatory Intelligence – Capture, store, and monitor regulations with reliable and authoritative regulatory content sources. Map regulatory updates to risks, controls, and policies, and stay informed on these updates through automated notifications and alerts.
- Compliance Environment and Process Design – Create a structured and logical internal control hierarchy, including processes, assets, risks, controls and control activities, along with appropriate linkages between these data elements.
- Compliance Assessments and Surveys – Design and document the results of control tests or self-assessments, capture non-compliance issues, and certify the effectiveness of the controls.
- Issue Management – Accelerate issue and remediation processes by automating workflows, notifications and reporting.
- Dashboards and Reports – Gain comprehensive visibility into compliance management processes through graphical dashboards with drill-down capabilities.
CPRA, like GDPR, is here to stay, and for businesses around the world that touch California consumer data, they will have to make substantive changes to their compliance programs. Although the majority of the CPRA provisions do not go into effect until January 1, 2023 a one-year “look-back provision” will govern data collected starting January 1, 2022. As many compliance professionals know, this does not give much time for businesses to modify and update their workflows, policies and practices. Given this short time requirement to compliance, it is fair to say that indeed, we are living in interesting times.
Jump to Topic
Related Resources
Blogs
Building Corporate Resilience: The COVID-19 Impact
- Compliance Management
- 09 November 20
8 min read
Abstract
The COVID-19 pandemic is disrupting global financial markets and is creating panic, uncertainty and distraction in many operations of global corporations. The severity and global scale of the crisis have impacted business resilience to a large extent, leading to businesses rushing to validate their preparedness and effectiveness during this time of crisis. The reliability and integrity of financial and operational information very much depends on strict compliance with new regulations, policy-based guidelines, and processes protecting the assets, workforce, workplace and resources necessary to conduct and sustain business. The viewpoint expressed in this document re-examines and suggests improvements to a corporate resilience framework and how to proactively take adequate measures to restore business functions in times of crisis.
Corporate Compliance
The Corporate Compliance function is associated with ensuring compliance policies and coordination of organizations’ business functions based on robust integrated policy-based standard operating procedures and audit management functions, which depend on people, process and technology.
A strong Corporate Compliance framework and principles that govern risk controls are essential to report observations and manage/recommend actions related to potential non-compliance, negligence or impropriety during uncertain times.
The severity of the current COVID-19 crisis has been very profound and has led to a slowing global economy. The dollars to recover from losses for most corporations has already eclipsed the Great Recession of 2007-2009 and the dot com crash at the beginning of the 21st century. Unlike the Great Recession, that was financially centered in its origin and resolution, the COVID-19 crisis is operationally centered. This means that economic impacts from this crisis are driven by a breakdown in business operations due to health-related closures. The financial stimulus provided by governments around the globe is merely a bridge to the other side of the crisis – which is business operations recovery. Once recovery begins, GRC/IRM will provide visibility of interconnected risks (i.e. third party, digital, business continuity, health and safety, legal and ethics and compliance risks) that businesses must navigate to succeed
A Chief Compliance officer is responsible for supporting Compliance Policy management which includes sourcing/analysis of raw data and information from various regulators, legal experts, industry bodies and corporate best practices. This is to sustain organizations operational efficiency, business continuity, loss recovery and overall responsiveness to rebound from the impact of COVID–19 outbreak.
The role of Corporate Compliance Officers is increasingly important to manage the crisis, and the consequences, through a data-driven approach that identifies specific causes and executes historical review simulation to prevent risks from accelerating into high-impact levels. Below are some of the critical compliance management preparedness aspects in terms of people, process and technology.
Compliance Preparedness: Pillars of Corporate Resilience
- People: When large corporations are reeling from a crisis, it’s important to abide by ethical and practical policies to safeguard and enforce ethical employee behavior within the organization, as well as in relationships with government officials, shareholders and business partners, to maintain integrity of corporate values. Address key questions around the creation of a virtual workforce, ensuring plans for seamless workforce return and seamless operations.
- Process: The various compliance process objectives should align with the overall corporate GRC vision. These should focus on having impact on enabling/improving/updating existing business resilience plans – including business continuity management, third party risk management, physical asset security, seamless operations across key business processes and data security – in line with communication from regulatory and local governments.
- Technology: The data assessment, electronic forms of evidence, news feeds, crisis management systems, virtual collaboration tools, modernization of technology infrastructure, supply chain management and implementation of risk controls, are all essential to detect any inconsistencies in compliance systems which may impact reputation, brand and recovery in operations. These are necessary to ensure continued regulatory compliance and reporting at times of a COVID–19 outbreak.
Moving Toward Corporate Resilience: Vertical Risk Visibility – IRM
In order to be more resilient, enterprises will have to revisit their entire GRC framework as they go through this forced transformation to address the new evolving business model. What’s also important for businesses to restart, and regain, lost ground is the need to look at risks both vertically and horizontally. They will need a common risk view across operations, strategy and technology; hence, the forced shift toward Integrated Risk Management (IRM) – aided by principals such as risk-informed strategy, digital risk management and rapidly changing global ecosystems
a. Information Technology Risk and Compliance Management
The survival of an organization during this challenging time is very much in lockstep with managing information technology risk and compliance, and how effectively it shares, updates, and prioritize policies and actions to deliver interim IT operations, infrastructure availability and support.
The operational resiliency expected would be to:
- Identify risks through IT-related measurement strategies (metrics, indicators, computation methods). Leverage internet news feeds from regulatory bodies, third party providers, government and quasi-government health agencies, to forecast interim IT operations plans for information systems recovery, and then decisively implement emergency operating procedures to allow a workforce to resume working remotely.
- Data storage, security and retention plans to manage information throughout the information lifecycle. Implement classification scheme for access, use and transfer of data, revise storage, retention, disposition and retrieval of information guidelines.
- Leverage digital technologies like AI/ML to ensure key process controls are automated. Monitor external regulations and the delegation of authority of policy and documentation changes required, along with regulatory requirement changes across geographies, that could be automated through Robotic Process Automation (RPA) for policy authoring, communication and storage.
- Add predictability to the IT processes using machine learning models. This way, an organization will be aware, as much as possible, of possible distress scenarios in future, i.e. when the next ATM failure will occur.
- External reporting to regulators and other stakeholders can be revised to define updates to dashboards, alerts and the appropriate level of details/abstraction, based on a broad network of information sources. This helps remove any risk of non-compliance, even in times of crisis.
- Build robust collaboration platforms to cater to the needs of a virtual workforce.
- Secure cloud-enabled infrastructure and security practices to ensure minimal infrastructure impact in the future.
b. Managing Third-Party Risk and Business Continuity Planning Management:
- It’s essential to revisit measurable indicators and thresholds of third party risk management to protect an organization from non-compliance or misconduct by vendors.
- Leverage financial methods including insurance and the establishment of reserves, including any supply chains that may be contingent on obtaining insurance from third party vendors. Supplier contracts have to be revisited to ensure compliance to operate within regulated industry requirements during a pandemic.
- Identify risk trends faced by vendors based on industry, workforce size and geography, and monitor changes in underlying factors to predict any potential disruption to business continuity.
- Short-term versus long-term planning to analyze vulnerabilities and the likelihood and impact to a third party vendor’s business operations.
- Stress test current plans to ensure the breaking point is well understood across the enterprise and put in place action plans to mitigate the same.
c. Policy and Documentation Compliance Management
- External Regulations Monitoring: Identify international, national and financial industry regulations to collect and interpret regulatory change data to incorporate into relevant corporate policy guidelines, e.g. employee, third party, government, stock-exchange notifications and IT governance.
- Assess impacts on business continuity by implementing corrective controls based on measurable data including guidelines to operate in challenging times.
- Consistency in policies and documentation, and dissemination of the same, should align with overall organizational objectives to comply with applicable laws and minimize conflicts of interest. This helps to maintain transparency and provide accountability by senior management.
- Awareness of policy changes should be swiftly enabled through conference calls, policy training modules, helplines and the availability of compliance officers and will help an organization respond to inquiries from internal and external stakeholder commitments.
- Establish mandates and standards of doing business in uncertain times to improve trust, confidence and reputation.
d. Audit Compliance Management
- Define independence of senior management for independent assurance to the board and shareholders to help audit and monitor compliance objectives. Re-define senior management roles and accountability to ensure compliance officers are able to champion the management of business continuity policy guidelines.
- Ensure continuity in accountability of audit function through well-documented compliance guidelines segregating roles of the audit team to ensure highest levels of corporate governance standards.
- Define a clear communications strategy for both external and internal communications.
- Report defective controls and any alleged misconducts while operating in a time of crisis to ensure transparency in operations.
- Periodic evaluate thresholds and organizational change management at a pace to keep up with new regulatory changes, and without disrupting the operating model of respective businesses and functions.
- Work toward providing exceptions and waivers without compromising any local, national and international regulations or laws. Operate with rigor during any implementation of business continuity intended to identify any non-compliance.
Infosys -MetricStream Point of View
Although there have been pandemic threats in the past, COVID-19 is the first one to fully crystalize in many countries at the same time. As a result, there will be lessons for boards, senior managers and all three lines of defense to learn from the current situation. The stressed financial markets and the tightening liquidity have begun taking its toll on corporate balance sheets. The role of the GRC/IRM function has never been so much in the spotlight and the compliance management and operational resiliency of organizations are being tested to their limits. Thresholds in risk controls are being re-examined and compliance policy management is at the forefront of every executive’s mind. The continuous and rigorous preparedness in ensuring regulatory compliance obligations are essential to the very survival of organizations in these very challenging times and will provide a realistic path to recovery while the world grapples with the “new normal”.
For customers to rapidly adopt and upgrade their GRC/IRM offerings, Infosys and MetricStream have collaborated to launch the GRC-as-a-Service offering. GRC-as-a-Service is a unique proposition to give customers a head start in their GRC adoption and expansion journey. This digital offering from Infosys and MetricStream is a subscription model to provide risk an compliance oversight for the enterprise, allowing customers to leverage the benefits of a GRC platform and navigate through the strictest and most complex regulations. By deploying this cloud-based GRC solution, customers will gain on costs, data volumes, monitoring and maintenance.
This digital offering will help customers quickly build economies of scale through switching subscription tiers – faster ramp-up and ramp-down through a core-flex model – committed monthly costs and incremental unit pricing based on defined pricing parameters, i.e. volume of tickets, etc. This covers the cost escalation of bringing in a transparent subscription grid pricing model with clear standard operating procedures (SOP) for cost calculation and SLA metric tracking using GRC ticketing tools.
References:
GRC Capability Model Red Book
Jump to Topic
Related Resources
Blogs
GRC Resilience at the front line of new and emerging world events
- Compliance Management
- 26 August 20
5 min read
Introduction
As health risks due to COVID-19 dominate the headlines, many parts of the world are also experiencing an explosion of natural disasters, from hurricanes to heat waves and deadly wildfires in my home state of California. Instead of stay-in-place orders, these are forcing evacuations, and reminding us that there will always be risk.
As a provider of integrated risk management and business continuity solutions, this is the time for MetricStream to step up. Since the pandemic was first declared, more than 150 days ago, I’ve reached out to at least 100 customers to see how they are responding and have come away inspired.
Part of what I’ve learned is that most are on a multi-step journey:
- The Immediate: The first 1-3 months were about doing whatever it took to get set up in a reasonably stable situation. For some, it was a mad scramble to get there.
- The Intermediate: Most companies now find themselves in this second phase and looking at their governance, risk and compliance (GRC) priorities in this changing world.
- The New Normal: This is about “How do I optimize?” Organizations are re-building real-time risk processes to respond effectively in a constantly evolving risk universe.
During the intermediate phase, businesses are wrestling with daily decisions of what to prioritize: Should we bring people back into the office or wait until there’s a vaccine? How do we ensure it’s a safe environment? Do we bring them in on different shifts? And how do we “contact trace” and make sure we don’t knock out entire departments? Risk factors for not bringing people back into facilities for a manufacturing company could loom large. For a social media company, or a technology company, there’s low risk.
We used to take for granted that going into the office wasn’t a health risk. Now that it is, it has spurred a tremendous shift to working from home (WFH) and companies are moving to cloud-based solutions more and more. This is truly a shift in how our customers are working; for example, they’re moving to conducting audits on a largely remote basis without ever showing up at locations to examine physical surroundings.
Many customers needed to quickly edit and re-publish their WFH policies and standards. Those who are using a Policy Management solution from MetricStream are better able to target their policies to meet the needs of specific business units, functions and roles, to provide access and who needs to attest. For example, many traders who work from home likely don’t have a needed “secured and recorded line”. MetricStream, too, continues to serve our customers with a workforce that’s working remotely. That means ensuring the cyber security of systems and executing on business continuity plans for an extended period of time in that environment.
The pandemic has also heightened the value of technology to help get work done. Our new MetricStream Platform makes it easier to work from home. Customers who were lagging on upgrades are now pushing these projects forward. They realize the new functionality and user interface are critical for staff who need to work with little training. MetricStream's embedded help and re-designed input screens have made it easier to get more employees engaged in recording risk events and potential solutions.
Greater visibility into the supply chain has also become more critical for many customers and their partners, who are looking for better tools to collaborate with vendors and suppliers. Customers have used MetricStream to better link suppliers to products and business units. This information helps each business unit understand how supply chains impacted by the pandemic directly impact the business unit’s goals. While most Vendor Management solutions stop at the link between vendor and product, MetricStream takes the relationship further by linking to business units and business objectives.
Going forward in the “new normal”, risk findings and metrics will be aligned much more closely to resilience and strategic objectives to better prepare for the next crisis. While there has been an elevation of health and safety as a priority area for companies worldwide, there is uncertainty around which regulations will apply and which to be concerned about. Generally speaking, this is a broader trend that is likely to continue.
We’re also seeing a fresh wave of innovation with AI, machine learning, robotic process automation (RPA) and analytics to keep pace with the high volume and velocity of data and to keep the cyber health of the extended enterprise secure. Forms and collection of data are great, but businesses need to integrate it with other data and include it in their monthly reports and dashboards. At one of our banking customers, GRC reduced policy research from an average of 50 hours to 50 mins.
COVID is accelerating change for our customers in a world that will only become much more digital in the aftermath of the crisis. As Microsoft CEO Satya Nadella put it in an earnings call in late July, “We’ve seen two years’ worth of digital transformation in two months. Customers every day adapt and stay open for business in a world of remote everything.”
Overall, our customers are taking a broader view of work and processes than they used to. And even as the pandemic fades in the rear-view mirror, 2020 can still be a year of clarity and a time of people coming together with a clear purpose to change society for the better.
The human experience is about overcoming adversity through resilience and that is certainly on display across the world. With the right approach, this crisis can become an opportunity to move forward and create even more value and positive societal impact. GRC practitioners will be on the front line of this new normal just as healthcare workers are on the front line in the fight against COVID and fire fighters are on the front line battling California’s wildfires. A big thank you to all our fire fighters who are willing to risk their lives to save others!
Please feel free to reach out to me at Gunjan@MetricStream.com with your own stories and comments.
Jump to Topic
Related Resources
Blogs
Effective Policy Management Through the Crisis and Beyond
- Compliance Management
- 10 June 20
4 min read
Introduction
The COVID-19 pandemic is challenging organizations across the globe to operate in a new paradigm that is changing almost on a daily basis. Business leaders are having to make decisions to best deliver on customer commitments without compromising on employee well-being. Whether it’s banks, hospitals, manufacturers, or retailers, they are all relooking into their policies and procedures and making changes to them to help deal with the crisis.
Some policies that top the list are work from home policies, travel policies, information security policies, health and safety policies, expense policies, etc.
How are the compliance and ethics teams dealing with this? How are they rapidly updating the policies? What impact are these updated policies having across the board? Is the change communicated to the applicable employees? Are the policies being followed?
Given the current, fluid situation, the need for a robust policy management program is amplified.
Listed below are some policy management strategies that compliance and ethics leaders can follow to address these concerns and sail through the current disruption and beyond.
Collaboration is key
Most organizations follow a siloed approach to policy management in which different teams within the organization work independently and follow different templates and guidelines. While there may be a dedicated owner for each policy while creating or updating the policy, the owner needs to collaborate with other business functions. For instance, while updating the work from home policy in these times of the pandemic, the information security policy, or the expense reimbursement policy, will also be impacted. A policy management technology platform can be of great help.
- It can have streamlined workflows where multiple people across the globe can easily collaborate on different sections of a policy to provide comments and feedback.
- Proper version control can be maintained.
- You can get a clear defensible audit trail on the changes made to policies.
Keep it contextual.
Take a contextual view of the policies when you are creating or updating them. It will help to have answers to the following questions.
- What is the risk associated with a policy?
- What are the regulations or standards tied to each policy and what are the processes that they may impact when a policy gets updated?
- How many exceptions are raised against a specific policy?
All exceptions carry some amount of risk which has to be taken into account. Many organizations are also not aware of the violations of policies or if these violations or cases are tracked, if they are not linked to policies. Linking policies to cases gives a lot of insight to compliance professionals on the policies they need to rework, and whether they should invest in new training programs or put additional controls in place.
Communicate, communicate, communicate!
With the current COVID-19 situation, some policies are getting updated on a weekly basis and there could be compliance implications if the policies are not adhered to by the employees. While most companies use email as a mechanism to communicate policies, there is a probability that policies get lost in the many emails that one receives. Some best practices could be:
- Post policy updates on your intranet or any other operational or internal social platforms.
- Focus on sticking to the most important messages and keep them short, engaging and empathetic.
Simplify Policy Access
In addition to email, announcements regarding the policy can be made available on a centralized policy portal. Whichever channel is chosen for the communication of policies, it really helps to be clear about what the change is, why the change is required, and what measures need to be taken by employees to make sure they adhere to the new requirements. MetricStream Policy and Document Management has a centralized state of the art policy portal that only shows the latest relevant policies applicable to each employee, relieving the employee from having to search through multiple databases.
Get policies to where employees are
Consider a case where the employee has to search for policies in multiple portals, not knowing which one is the latest and which one is applicable to him/her. It makes sense for the policies to pop up in the intranet, in the chatbot, customer relationship tool, or any other operational system that is frequently used by employees. For example, if the loan processing agent needs to refer to the updated policy on loans it makes sense for him/her to access the latest updated policy quickly on the intranet rather than referring to the old outdated policy and thereby violating norms.
Assess Policy Awareness
Policies can be deemed effective only if they are adhered to. Most organizations invest in quizzes and surveys to gauge how well employees have comprehended the policy. This is more prevalent for training on the FCPA, Information Security and Sexual Harassment policies. With policy management technology, employees can be allowed to attest to a policy only upon a minimum passing score and the questions can be designed to be engaging and interactive.
In summary
While the given situation has compounded the need for an effective policy management program, businesses understand that policies are an integral part of the overall compliance program. There is no doubt that policies, procedures and other compliance-related documents are the foundation for a successful compliance program. It helps to have a technology solution like MetricStream Policy and Document Management that can automate, streamline and integrate policy change management so that you can mitigate compliance related risks and stay ahead of the curve.
Jump to Topic
Related Resources
Blogs
Through the GRC Lens – February 2020
- Artificial Intelligence
- 13 March 20
4 min read
Building a Future of Trustworthy AI
The European Commission recently unveiled its long-awaited proposal to regulate artificial intelligence (AI). But will the new proposal stifle innovation? Find out more through the GRC Lens – February 2020 edition.
_____________________________________________
On the 19th of February, the European Commission (EC) President, Ursula von der Leyen, Executive Vice-President, Margrethe Vestager and EU Commissioner for Internal Market, Thierry Breton, held a press conference at the European Commission headquarters in Brussels, unveiling their ideas and actions to regulate AI.
Keen on building “a digital Europe that reflects the best of Europe,” the EC released a white paper on AI that defines an extensive framework under which AI can be developed and deployed across the EU. The paper includes considerations to govern high-risk use of AI like facial recognition used in public spaces, with an overall ambition to shape Europe’s digital future”.
The proposal still has a long way to go. For now, the EC plans to gather opinions and reactions from companies, countries, and other interested parties before they begin to draft the laws. And although the AI white paper is open for suggestions until May 19, lobbying has already begun.
Worried AI Vendors: Will Regulation Stifle Innovation?
Although many AI experts have said that the regulation of AI is necessary, especially due to ethical concerns, there is considerable worry around the consequences of regulation. Europe’s new proposal has already had far-reaching implications on the big tech brands that have invested in AI. After the EC declared a 12-week discussion period, several tech leaders from large organizations have journeyed to Brussels to meet with EU officials.
Their major concern – will tough laws hinder innovation?
AI vendors are worried that if the process of regulation, considered a slow process that can be subject to interference and distortion, is applied to a fast-moving field like AI, it can stifle innovation and divert the technology’s enormous potential benefits.
To illustrate this concern, a recent article in Analytics India Magazine, used the example of neural nets to explain how the regulation of AI could possibly hamper innovation. Neural networks work by finding patterns in training data and applying those patterns in new data, enabling researchers to solve problems that they couldn’t earlier.
For instance, CheXnet, an AI algorithm from Stanford, has an incredibly powerful ability to detect pneumonia among older patients through chest X-rays. But for technologies like these to work, they need a certain amount of creative and scientific freedom (within ethical boundaries, of course). If there is a ban on “black box” AI systems that humans can’t interpret, could AI innovation be impacted?
Another area of confusion revolves around the definition of “high-risk” applications of AI. The report seems to be unclear about high-risk applications in low-risk sectors, leaving companies uncertain on how to approach this issue.
The Need for AI Regulation: Consumer Protection
There is no doubt that AI has enormous potential to be used for good. But its accelerating adoption across industries comes with multiple ethical concerns.
According to a survey by KPMG, 80% of risk professionals are not confident about the governance in place around AI.
What happens when decisions are made by AI without human oversight? Recent instances have shown that automated decision-making can perpetuate social biases. In addition, deep fakes, surveillance technology, autonomous weapons, and discriminatory HR recruiting tools come with multiple serious risks. The focus of AI regulatory authorities is on developing frameworks to govern AI.
Like Anna Fellander, Co-founder of the AI Sustainability Center, said at the GRC Summit in London, “It’s no longer just about what AI can do, but what it should do.” In a similar vein, Andreas Diggelmann, “Office of the CEO,” Interim CEO and CTO at MetricStream said, “We need technology that serves humanity, not the other way around.”
Looking Forward to Trusted AI
AI expert Ivana Bartoletti, Technical Director, Deloitte – Cybersecurity and Privacy Division, speaking at Impact 2020 conference, said: “The reason why we’re talking so much about ethics in AI is over the last few years we have seen the best of technology – but also the worst.”
With its novel approach to AI regulation, the EC wants to promote the development of AI while respecting human fundamental rights and addressing potential risks that come with the technology. The EC wants a digital transformation that works for all, reflecting the best of Europe: open, fair, diverse, democratic, and confident.
The new AI proposal has already begun to receive acceptance in some industries. Ted Kwartler, Vice President, DataRobot, said the vendor welcomes calls for regulatory approaches that don’t stifle innovation. Christopher Padilla, VP, Government and Regulatory Affairs, IBM, also was reported saying in Protocol, “By focusing on precision regulation — applying different rules for different levels of risk — Europe can ensure its businesses and consumers have trust in technology.”
It appears now that big tech companies that want to tap into Europe’s market will have to play by the rules that come into force. Like the GDPR in 2018, will the new AI proposal inspire similar, tough regulatory action in other parts of the world? Read the MetricStream Blog to stay updated on more news.
Jump to Topic
Related Resources
Blogs
Through the GRC Lens – November-December 2019
- Audit Management
- 14 January 20
3 min read
The Changing Winds of Compliance
As compliance teams strive to manage new regulations and technological advancements, here are some of the trends and headlines that made compliance news in November and December.
In the face of changing business models, as well as new risks and dynamic global ecosystems, compliance as a discipline is rapidly evolving. Stakeholders rely on compliance teams to not only protect their organizations against regulatory penalties and legal liabilities, but to also strengthen reputation and credibility with customers. As compliance officers seek to demonstrate and enhance the value delivered to their organizations, the following are some key considerations.
New Regulations
While 2020 began with a focus on data privacy, here are some updates on other areas of compliance that made the headlines:
- Data Privacy: This month, the CCPA came into effect giving customers more control over their data. However, in a study by Ethyca, only 12% of 85 respondents believed they had achieved an adequate state of compliance readiness for the emerging regulated privacy landscape.An article in Forbes suggested that “Rather than looking at CCPA compliance as a chore, look at it as an opportunity to innovate your business practices and seek ways to regain a first-party relationship with your customers.”
- Payment Security: Payment security compliance declined for the second year in a row in 2019, according to Verizon’s 2019 Payment Security Report. The report also pointed out that a compliance program without proper controls to protect data has a more than 95% probability of not being sustainable and is more likely to be a potential target of a cyberattack.
- Banking and Finance – As the financial services industry continues to grapple with regulatory complexities, many are turning to regtech solutions to enable and support their compliance efforts. The goal isn’t just to avoid non-compliance penalties but to strengthen trust and credibility with customers. The report, ‘Hooked: RegTech Reliance in Capital Markets Compliance’ by Greenwich Associates states that 63% of firms recognize that reputation protection is the core purpose of compliance.
- Communication – Compliance teams are also struggling to keep pace with electronic communication channels, with 45% saying they are in constant catch-up mode rather than proactive mode, when it comes to electronic communication compliance, according to a report by Smarsh.
- Technology: The use of AI in regulatory compliance is helping both regulators and businesses. A recent Deloitte poll stated that nearly half (48.5%) of C-suite and other executives at organizations that use AI expect to increase AI use for risk management and compliance efforts in the year ahead. But only 21.1% of respondents report that their organizations have an ethical framework in place for AI use within risk management and compliance programs.
Compliance is now a key topic of discussion at the executive level, and is also a strong part of core business strategy. Newer technologies like AI and advanced analytics are helping compliance teams deliver value to the business in the digital age.
Compliance Week’s second annual technology survey highlighted that, ‘’companies are moving along the technological maturity curve in qualitative and quantitative ways today’’. According to the survey, companies are willing to spend more in 2019 than they were even a few years ago to build a more robust technology-enabled compliance function. Nearly, a quarter (23%) of compliance practitioners said their technology budget is much larger today than it was three years ago.
As compliance teams strive to do more with less, the emergence of new technologies will not only improve efficiency and cost-effectiveness, but will also enable teams to derive quick, meaningful insights from data to make well-informed decisions.
Jump to Topic
Related Resources
Blogs
Through the GRC Lens – September 2019
- Compliance Management
- 04 October 19
4 min read
Rethinking Cybersecurity in a Disruptive Age
With an increasing number of attacks in the market, despite more sophisticated cybersecurity solutions, many cybersecurity reports and surveys highlight why organizations need to rethink their cyber strategy and what’s in store for the future. – Here is what the media headlined through the GRC lens in September.
As attackers get more relentless with the volume and speed of their attacks, cybersecurity defense must safeguard all possible points of the attack surface. A recent survey of internal auditors published in City AM, found – cybersecurity, regulatory change, and digitalization to be the top three risks faced by businesses across Europe. The shortage of cybersecurity talent exacerbates the cybersecurity problem in a complicated enterprise environment.
Increasing cybersecurity resources
According to CISO Magazine, cybersecurity has emerged as a primary investment priority for financial firms in the United Kingdom. Reports from a survey conducted by Lloyds Bank states that cybercrimes have jumped to the fourth position from the eighth place since 2018. Banks in UK are increasing their budget allocation to enhance cybersecurity capabilities at their organization, Computer Business Review reported.
In another survey conducted by Infosys, targeting 867 senior executives representing 847 firms from 12 industries, with annual revenues over US$500 million across US, Europe, Australia and New Zealand (ANZ), reported that almost half (48%) of corporate boards and 63% of business leaders of surveyed enterprises are actively involved in cybersecurity strategy discussions.
While organizations have started to invest in building an efficient cybersecurity management and mitigation program, they still continue to face difficulty juggling priorities.
The Cyber Roadblock
A recent study conducted by BitSight, revealed that every two in five (38%) companies stated that they’ve lost their businesses due to lack of cybersecurity capabilities. An article by Forbes, ‘The Gap Between Strong Cybersecurity And Demands For Connectivity Is Getting Massive’, states, “…More devices and less adequate resources mean the attack surface continues to grow. “Every second that it takes to respond to an attack after it’s been deployed can have a huge impact on the business, be it in terms of man hours spent or sales, and reputation lost.”, states SC Magazine.
Even as enterprises invest in resources and tools to strengthen cybersecurity, why does it continue to be an Achilles heel for so many? The month of September revealed a few of the reasons:
- Human error is a big risk – 99% of email attacks rely on victims clicking links
Proofpoint’s Annual Human Factor Report, states that out of the vast majority of attacks, 99%, require some level of human input to execute – making individual users the last line of defense.
2. Businesses haven’t made it as much of a priority as it should be – Businesses are bypassing security to get to market quicker
A recent article by ITProPortal, highlights a research from Outpost24 which concludes that 34% of organizations bypass security to get products out to market faster. Almost two thirds (64%) of the respondents said they believe their customers could easily be breached, as a result of unpatched vulnerabilities in their organization’s products.
3. Third parties aren’t being monitored sufficiently
This month, thousands of resumes were exposed in a third-party breach that originated from monster.com, but the company denied any responsibility, saying – the client “owns the data.” According to CPO Magazine, “Though Monster.com’s denial of responsibility is legally acceptable under United States federal law, it puts the company at odds with the standard data protection requirements of a number of other nations.” This is yet another example of third-party risks being a great cybersecurity risk multiplier.
Cybersecurity is a complex problem with no easy solutions. Enterprises need to act quickly as the costs of data breaches are increasing at an alarming rate. According to Dark Reading, “The cost of breaches will rise by two-thirds over the next five years, exceeding an estimated $5 trillion in 2024, primarily driven by higher fines as more jurisdictions punish companies for lax security.” Juniper predicts that data breach costs will grow at 11% each year. The Ponemon Institute’s “Cost of a Data Breach” report, sponsored by IBM, pegs growth at 12% between 2014 and 2019.
Stepping up the cyber game
Unfortunately, 2019 was the year of data breaches with some record setting fines faced by companies like Equifax, British Airways and Marriott. The good news is that progress is being made:
1. Cybersecurity decisions involving the C-Suite:
Companies are fortifying their cyber strategies in alignment with business objectives. Defending threats requires the C-suite support, more than ever now. According to CPO Magazine, it’s important for security teams to make business leaders aware of the quickly shifting threat landscape.
2. Companies Are Forming Cybersecurity Alliances:
Over the last few years, cybersecurity alliances are being formed between tech-focused companies to support each other aimed at changing the ways companies deal with cybersecurity vulnerabilities and renegotiating the social contract between states and their citizens. The exchange of information is an effort to raise the collective level of cybersecurity, shape overall security practices, and speed the adoption of security technologies.
3. Artificial Intelligence Is Changing the Cyber Security Landscape and Preventing Cyber Attacks:
New advances in tech hold great promise to build cyber resilience. An article in Entrepreneur highlights how AI is a boon in cybersecurity, by stating, “Developers are using AI to enhance biometric authentication and get rid of its imperfections to make it a reliable system… AI-ML can detect and track more than 10,000 active phishing sources and react and remediate much quicker than humans can… AI-based systems proactively look for potential vulnerabilities in organizational information systems.”
Rethinking cybersecurity strategies has become imperative. With the changing landscape of cyber defense and new tools in the market, enterprises need to focus on building a holistic cybersecurity approach to deliver an effective awareness training and layered defense strategy. A strategy that provides enterprise wide visibility to better protect the company and its customers in a more efficient and proactive manner.
Jump to Topic
Related Resources
Blogs
A Look Back at the GRC Summit 2019
- Audit Management
- 30 July 19
5 min read
Introduction
Now in its seventh year, the GRC Summit hosted by MetricStream is one of the biggest and most anticipated events for GRC practitioners around the world. This year, the summit was held on June 2-5 in Baltimore, Maryland, bringing together over 450 GRC and business leaders to talk about the latest trends and opportunities in GRC. It was an incredible four days of learning, discovery, and collaboration—topped off by an exclusive cruise, as well as a glittering awards ceremony.
Here are some of the top highlights from the summit:
- Integrity Front and Center
In keeping with the theme of the summit—”Perform with Integrity™”—many of the speakers pointed out that financial performance is no longer the sole indicator of success. Trust is what really drives business today, and integrity is what drives trust.
MetricStream CEO, Mikael Hagstroem talked about building integrity by fostering a sense of compassion in the way we approach customers, the way we treat employees, and the way we shape the future of technology. “Successful performance—be it an individual level, an organizational level, or a global level—begins with a spark of passion that, when guided by integrity and compassion, helps us improve the human condition, and enable a higher quality of life,” he said.
MetricStream Chairman, Gunjan Sinha, emphasized the need to build purpose-driven organizations where doing good is as much of a priority as doing well. A strong sense of purpose, he predicted, is what will define the successful organizations of the future, along with a commitment to diversity, inclusion, empowerment of the front line, ethical data, and social conscious AI.
- Tony Scott on the Key Transformation Drivers of the Next Five Years
The former Chief Information Officer of the United States government (2015-17) described how “relentless digitization” is rapidly upending traditional analog business models. And with it, the notion of security and privacy by design is becoming more important than ever. Technology is moving faster than we’re prepared for, he cautioned. Do we understand the risks of new tools like AI and machine learning? How do we build good governance, accountability, and transparency around these new technologies? How do we keep humanity at the center of innovation? All key questions to consider.
- Jim Quigley: Coping with the “Knowns” and “Unknowns” of Business
Drawing on his experience as a member of the board and risk committee at Wells Fargo, as well as CEO Emeritus of Deloitte, Jim Quigley talked about why the work of GRC practitioners is so critical in helping boards and management teams make better strategic decisions in the midst of escalating “known unknowns” and “unknown unknowns.” He also emphasized the importance of building sustainable risk cultures. “The biggest driver of culture in any organization is observable behavior,” he said, quoting a colleague. “We want people to raise their hands and identify problems as quickly as possible.”
- The Power of Innovation
MetricStream’s Chief Technology Officer, Andreas Diggelmann, along with Chief Innovation and Cloud Officer, Vidyadhar Phalke, delved into the new technology innovations that are emerging across the whole chain of GRC. Chatbots, for instance, are being used to capture issue data from the first line of defense in a manner that is simple and engaging. Predictive analytics are being used in the second and third lines to anticipate and respond to potential emerging risks proactively. Machine learning tools are enabling executive teams to detect risk patterns, and understand optimal mitigation practices based on historical evidence. Essentially, the possibilities with technology are endless.
- Anna Felländer on Being Vigilant to the Ethical Risks of AI
Co-founder of the AI Sustainability Center, Anna Felländer pointed out that in a data-driven world, AI is key to helping organizations build better operational efficiency and deeper client relationships. Yet, it also introduces many ethical risks around the misuse/ overuse of the technology as well as multiple biases. If we want to avoid these pitfalls, we need to start investing as much in the humanistic side of AI as the engineering side, she said. We need to shape a future where humans lead AI, not the other way around. We need to find ways of ensuring that technology doesn’t get ahead of regulation.
- Risk Management Is Everyone’s Responsibility
Many of the speakers emphasized the need to strengthen risk awareness at every level of the organization, right from the front lines to the boardroom. “Risk needs to be something that companies walk, talk, eat, and breathe every day,” said Kenneth Bacon, Member of the Board, Comcast, and Co-founder and Managing Partner, RailField Realty Partners. We need to have more risks and issues self-identified by the business rather than by internal audit or regulators, pointed out Sarah Dahlgren, Head of Regulatory Relations – Corporate Risk, Wells Fargo & Company. The more proactive the first and second lines of defense are in reporting risk data, the better informed and more confident the board and management team can be in their strategic decision-making processes.
- In a Fast-Changing World, GRC Must be Agile
Disruption is the only constant in business today, pointed out MetricStream’s Chief Operating Officer, Gaurav Kapoor. If we want to be prepared for the new risks around the corner, GRC programs have to be agile, he said. Other speakers talked about what agility entails. Raven Catlin, Former CAE and Industry Expert in Internal Audit and Risk Management, described how internal audit must be ready to embrace new tools, new skills, and new approaches to auditing. Michael Rasmussen, Chief GRC Pundit, GRC 20/20, highlighted the importance of integration and collaboration in building more agile GRC functions.
- A Celebration of GRC Champions
The much-anticipated GRC Journey awards ceremony, held on day 1 of the summit, recognized and honored MetricStream’s business partners, individuals, and customer organizations that have made significant strides on their GRC journey towards strengthening business performance. This year, there were 17 award recipients across five categories.
- Connecting and Collaborating
There were plenty of opportunities for attendees to connect, share with, and learn from with each other – be it the many interactive workshops and networking sessions, or the relaxed “happy hours.” Day 2 of the summit culminated in an exclusive cruise down Patapsco River which saw attendees letting loose and singing their hearts out at a Karaoke session.
Jump to Topic
