Blogs
Reflecting on 2024 through the lens of Governance, Risk, and Compliance
- GRC
- 20 December 24
5 min read
Introduction
...two themes have consistently dominated the conversation. The first is regulation-driven change, particularly implementing the EU's Digital Operational Resilience Act (DORA). Alongside this, the wider implications of operational resilience have come into sharper focus, leaving organisations grappling with how best to approach compliance. The second key theme has been artificial intelligence—not only as a tool for driving efficiency and enabling deeper and broader organisational insights but also as a driver of significant regulatory changes that are already beginning to take shape.
With DORA due to come into effect in a matter of weeks, it’s been eye-opening to see how many organisations remain unclear about their approach. Some are overwhelmed; others seem to have adopted a “bury your head in the sand” strategy. At a recent seminar I co-hosted, we asked the audience a seemingly straightforward question:
“Who owns operational resilience in your organisation?”
Not a single person could provide a consistent or definitive answer. This speaks volumes. Regulations like DORA, which are broad and touch multiple areas within an organisation, don’t fit neatly into existing silos. Instead, they highlight the need for custodianship of compliance—where responsibility isn’t ‘owned’ by one department but shared across multiple stakeholders.
That said, the allocation of this custodianship can vary greatly. For some, it falls to the IT team, given their focus on operational aspects—what I often refer to as operational compliance. For others, it sits within risk management. The reality is that there is no right or wrong answer. Organisations need to find the model that works for their unique structure and culture, which often involves trial and error. What is universal, however, is the need for people to work together. Regulations like DORA demand collaboration, compromise, and shared understanding—qualities that don’t always come naturally within organisations.
Whilst technology plays an ever-increasing role in governance, risk, and compliance, it’s important to remember that it is an enabler. No algorithm, no matter how advanced, has yet figured out how to truly bring people together, mediate their differences, or force collaboration. And when it finally does, there will undoubtedly be far more pressing applications waiting in line.
Continuing with the theme of technology, AI has undeniably been hailed as a game changer. While we have seen similar promises in the past with technologies such as blockchain—only to watch them fall short—AI genuinely feels different. Its practical applications are already evident in our personal and professional lives - yes, ChatGPT reviewed this article. In the world of GRC, AI is already making its mark, with significant innovation around its practical use.
There is no question that the volume of data being collected as part of risk and compliance programmes is growing at an exponential rate. But the real challenge is not just the sheer amount of data—it is also quality. This is where I believe AI will make its first major impact. By improving and then interpreting data, AI will empower organisations to dig deeper and expand their reach across the business, ultimately providing something tangible for risk committees, boards, investors, regulators, and auditors. Many GRC vendors have arguably been on this path for some time, innovating and developing with AI to deliver advancements that, while seemingly modest on the surface, often have a profound impact in practice—much like many things in life.
Where will this lead us? Much has been said about the transformative power of generative AI, but its true value in risk and compliance settings remains to be seen. Over the coming months and years, use cases will undoubtedly emerge or evolve. However, I believe those working in highly regulated industries, where human transparency is a non-negotiable requirement for regulators, can rest assured—they are unlikely to be replaced by machines anytime soon.
What is more certain is that compliance professionals will soon need to wrestle with regulation specifically for AI. Unsurprisingly, the European Union is leading the charge, with the EU AI Act coming into force on the 1st of August of this year and set to take effect from the 2nd of August 2026. Much like previous EU legislation, the Act has a far-reaching impact, applying to anyone deploying AI systems within the EU, regardless of their geographic location.
The EU AI Act is comprehensive and ambitious, adopting a risk-based approach to regulation. It addresses everything from banning the use of AI systems by governments to monitor citizens’ behaviour (classified as “Unacceptable Risk”) to measures affecting everyday encounters with AI-generated content (classified as “Minimal Risk”), such as requiring platforms to notify users when they are engaging with such material.
This landmark legislation continues the EU’s trajectory of digital regulation, which began in earnest with the introduction of GDPR and the more recent DORA. Human nature being what it is, some degree of procrastination and confusion is to be expected as organisations come to terms with its implications.
While enforcing ethical safeguards is both sensible and necessary, the challenges for organisations are clear. Determining ownership and accountability for compliance will once again take centre stage, starting with a thorough understanding of their exposure to AI technologies. Given the widespread reliance on outsourcing and third-party technology in today’s enterprises, the ripple effects will be significant. Vendors should anticipate a sharp increase in assessments and scrutiny over the coming years.
Although navigating these requirements may seem daunting and could lead to delays, organisations that take a proactive approach to planning and preparation will be far better positioned to stay ahead of the curve.
This, however, is all for next year, so wishing you joy, warmth, and happiness this festive season. Here’s to a bright and successful 2025!
This blog was initially featured as an article on LinkedIn, click here to read it.
Jump to Topic
Related Resources
Blogs
Top 5 Governance, Risk, and Compliance (GRC) Tools and Solutions for 2025
- GRC
- 12 December 24
12 min read
Introduction
You've heard it before: technology moves fast. But when it comes to governance, risk, and compliance (GRC), falling behind the curve can spell disaster. That's why staying on top of the latest GRC tools is crucial for any organization that values data security and operational resilience.
The stakes only get higher as cyber threats evolve and regulations intensify in a world that is becoming more diverse even as it stays more connected. Thankfully, new solutions are emerging to help enterprises tackle tomorrow's challenges.
An Increasing Need for GRC Tools
But why this seismic shift toward an increasingly regulated corporate ecosystem? This landscape has always been woven with threads of past financial debacles, data breaches, and government failures. The US market, known for its dynamic regulatory environment, witnessed substantial regulatory changes, significantly altering the way businesses approach governance, risk management, and compliance. This transformation can be attributed to a combination of factors - technological advancements, economic shifts, and societal demands for greater corporate responsibility.
The palpable push towards a more regulated financial ecosystem came in the wake of the financial crises of the early 21st century, namely the 2008 recession. These crises exposed the dire consequences of lax oversight and unbridled risk-taking, serving as a stark reminder that in the world of business, oversight is not merely about ticking off a checklist but safeguarding the future. A catastrophe of this nature sparked a profound reassessment within the industry, catalyzing a renewed emphasis on the necessity of robust GRC frameworks—navigators that understand the depths of these challenges and are ready to evolve with them.
What are GRC Tools?
A GRC (Governance, Risk, and Compliance) tool is a software application that businesses use to manage, assess risks, analyze policies, adhere to regulatory changes, and streamline operations. A GRC tool can help automate various aspects of a GRC framework.
GRC tools play a pivotal role in enabling businesses to assess, monitor, and mitigate risks, establish robust internal controls, ensure adherence to regulatory requirements, and uphold organizational policies. By consolidating disparate functions into integrated platforms, GRC tools provide a holistic view of risk exposure, facilitate data-driven decision-making, and enhance overall governance effectiveness.
Top 5 GRC Tools in 2025
Let's have a look at the top GRC tools that are reshaping governance, risk management, and compliance practices:
MetricStream
MetricStream is a highly regarded, comprehensive governance, risk, and compliance (GRC) tool renowned for its versatile approach to integrating risk, compliance, audit, and cybersecurity functions within organizations. The GRC tool stands out for its exceptional capability in simplifying complex risk management processes. The MetricStream ConnectedGRC platform stands out for its ability to seamlessly synchronize operations across disparate departments, presenting a unified defense against multifaceted risks in today's interconnected landscape.
Key Features:
- MetricStream offers a centralized platform that integrates risk, compliance, audit, and cyber risk functions, providing organizations with a holistic view of their governance landscape. A single tool that can streamline all your GRC processes, including Risk Management (Operational Risk, Enterprise Risk, Third-Party Risk), Compliance Management, Policy Management, Case Management, Audit Management, IT & Cybersecurity Risk Management and ESG.
- Infused with state-of-the-art analytics and AI capabilities, MetricStream empowers businesses to embrace and implement GRC best practices efficiently. The flagship solution AiSPIRE is an AI-based GRC knowledge center that provides intelligent insights into Control Insights, Continuous Control Sensing, Control Test Prioritization, and more.
- MetricStream comes with standout features including:
- Regulatory change management automation with AI-based regulatory alerts, horizon scanning, and impact analysis
- Natural Language Processing (NLP) customized policy searches based on user intent
- Risk quantification to represent IT and enterprise risk exposures in monetary terms
- Continuous control monitoring of IT controls to automate compliance and proactively mitigate security risks
- MetricStream features low-code/no-code capabilities, allowing organizations to tailor the platform to their specific needs with minimal effort leading to accelerated implementation and customization.
- The tool is adept at handling Environmental, Social, Governance, Risk, and Compliance (ESGRC) complexities, enabling organizations to pursue sustainable growth with integrity. It effortlessly oversees the demands of diverse ESG frameworks such as GRI, SASB, TCFD, and more, streamlining operations through automated data capture and reporting.
- MetricStream conducts thorough internal and supplier evaluations while proactively managing and mitigating associated risks. This allows for informed decision-making and strategic risk reduction.
- The software streamlines and optimizes internal audit operations, facilitating efficient audit planning, workpaper management, and thorough analysis of findings. This in turn supports the entire audit lifecycle from planning and execution to report generation and follow-up actions.
MetricStream's market leader position have been vetted by leading analysts like Forrester, Gartner, and Chartis. The recent recognition as a Leader in The Forrester Wave™: Governance, Risk, and Compliance Platforms, Q4 2023, underscore its effectiveness and dependability. Using their 25-criterion evaluation of governance, risk, and compliance platform providers, Forrester identified the top 15 GRC providers and researched, analyzed, and scored them. MetricStream was classified as a Leader, receiving the highest possible scores in the GRC Vision, IT/Cyber Risk Management capabilities, Product roadmap, AI/ML and partner ecosystem criteria.
Find out more. Download your complimentary copy of The Forrester Wave™: Governance, Risk, and Compliance Platforms, Q4 2023.
See what customers have to say about MetricStream: Watch our Customer Testimonials
Pricing
Pricing is available at request.
AuditBoard
AuditBoard is a comprehensive GRC platform designed to simplify and streamline audit, risk assessment, and compliance processes for organizations.
It serves as a vital companion for auditors and compliance officers, offering intuitive functionalities that address the complexities of managing audits and regulatory requirements.
Key Features:
- It prioritizes usability with a clean and intuitive interface, allowing users to easily navigate complex processes.
- The tool facilitates collaboration among different lines of defense (first, second, and third lines) by enabling centralized communication, document sharing, and task management. This collaborative approach strengthens internal controls and ensures alignment across risk management functions.
- It offers automated workflows for audit planning, execution, and reporting, reducing manual efforts and enhancing productivity.
Pricing
Pricing is available at request.
LogicGate
LogicGate’s platform is designed to manage risk management processes. It enables users to create customized workflows tailored to their organization's specific risk profile and appetite.
Designed with flexibility in mind, LogicGate empowers users to build customized workflows that align precisely with their organization's risk profile and appetite.
Key Features
- The platform automates compliance processes, streamlining compliance management and reducing manual effort.
- One of LogicGate's standout features is its intuitive drag-and-drop interface, which allows non-technical users to create and modify workflows effortlessly.
- It provides advanced analytics and reporting capabilities, allowing organizations to gain actionable insights into their risk landscape and compliance status.
- LogicGate includes robust IT security risk management capabilities, enabling organizations to identify and eliminate IT vulnerabilities.
Pricing
Pricing is available at request.
ServiceNow
ServiceNow has evolved from its roots in IT service management to offer a comprehensive suite of GRC solutions. This expansion allows ServiceNow to integrate seamlessly with its existing services, making it a compelling choice for organizations seeking to consolidate their IT and GRC processes within a single platform.
Key Features:
- The platform emphasizes incident response within its GRC framework, ensuring compliance and risk management are embedded into daily workflows.
- ServiceNow eliminates data silos by providing a single data source for enterprise-wide information, enhancing visibility and collaboration.
- Organizations can build and manage complex workflows using ServiceNow's no-code playbooks, streamlining processes and adapting to changing requirements.
- ServiceNow features an intelligent chatbot that can answer questions, resolve issues, and initiate workflows instantly, providing real-time support and enhancing user experience.
Pricing
Pricing is available at request.
Archer
Archer is recognized as an efficient and integrated risk management solution that takes a much more proactive approach to monitoring and managing operational hazards within organizations. Focusing on risk management, Archer enables users to streamline risk identification, assessment, and mitigation across various business functions. This further solidifies Archer's reputation as a reliable GRC solution.
Key Features
- Archer prioritizes user experience with intuitive dashboards and customizable reporting tools, making data interpretation straightforward and facilitating informed decision-making.
- Their flexible assessment module supports smooth integration with existing systems, allowing organizations to adapt effectively to changing business environments.
- Archer emphasizes asset protection and provides comprehensive security for critical infrastructure, instilling confidence among stakeholders in the safety of their investments.
- The platform streamlines the onboarding process for third parties, conducting due diligence assessments and establishing risk profiles.
Pricing
Pricing is available at request.
How to Choose the Best GRC Tools
For enterprises considering buying a GRC tool to enhance their GRC processes, there are a few key aspects to consider:
-
Functionality
First, think about what core functions you need. Do you want an all-in-one solution to handle everything from risk assessments to policy management? Or are you looking for something more specialized, like a dedicated risk management tool? The range can be overwhelming, so determine must-have features before you go ahead. -
Integration
Consider how well the platform integrates with your existing systems. If you already use tools for project management or document control, you'll want a GRC solution that integrates without issues. Seamless integration means easy transfer of data between systems and consistent user experience. -
Configurability
Look for platforms that can be tailored to your requirements. Things like customizable dashboards, flexible workflow automation, and the ability to define custom fields are important. Choose a tool you can mold to fit your processes, not the other way around. -
User-Friendly
Choose tools and software solutions that are intuitive and easy to use. This is essential to ensure smooth user adoption and encourage frontline engagement in GRC. User-friendly tools with logical sequencing of tasks make it easier for frontline executives to report any observation, issue, or anomaly, which can then be analyzed by the second line. -
Pricing
Finally, compare costs. GRC software is available at a range of price points, from free, open-source options to enterprise-level subscriptions. Consider how many users you need and whether you want cloud-based or on-prem deployment.
Benefits of Implementing a GRC Tool
A robust GRC platform provides executives with a unified view of risks, controls, and compliance data, enabling informed decision-making. It automates compliance monitoring and risk detection to address policy breaches proactively. Enhanced accountability and transparency are achieved through streamlined workflows, optimizing resource allocation, and reducing operational redundancies.
Several significant benefits come with implementing a GRC tool, including:
Refined Decision-Making Capabilities:
A GRC platform gives executives and stakeholders a bird's eye view of risks, controls, and compliance issues. With all of this information in one place, leaders can make fully informed decisions based on data rather than assumptions.
Enhanced Compliance and Reduced Risk:
An effective GRC tool automates compliance monitoring and reporting. It provides alerts to potential policy violations and risks, allowing you to address issues before they become violations.
Augmented Accountability and Transparency:
These tools enhance accountability by giving each employee visibility into relevant risks, controls, and compliance issues. Everyone will understand their responsibilities, have guidance on how to fulfill them, and demonstrate compliance via automated reporting.
Optimized Processes and Resource Efficiency:
Integrating them into workflows streamlines processes by providing a centralized platform for managing risk and compliance activities. This centralization eliminates the need for disparate systems and manual processes, reducing duplication of efforts and saving valuable time and resources
Common Challenges in GRC Tool Implementation
Navigating the implementation of GRC tools involves overcoming potential roadblocks; here are some challenges organizations may face:
Resistance to Change:
One common obstacle in implementing GRC tools is resistance to change from employees accustomed to existing processes. Overcoming this resistance requires effective change management strategies, clear communication, and training programs to ensure organizational buy-in and adoption.
Integration Challenges:
Integration challenges with existing systems and processes are another obstacle. GRC tools may need to interface with various platforms and databases, requiring careful planning and execution to ensure seamless integration without disrupting ongoing operations.
Resource Constraints:
Limited resources, including budgetary constraints and inadequate staffing, can hinder the successful implementation of GRC tools. Organizations must allocate sufficient resources and prioritize GRC initiatives to overcome these constraints and achieve successful implementation.
Complexity of Regulations:
Regulatory requirements pose a significant challenge for organizations implementing GRC tools. Ensuring that GRC tools adequately address regulatory compliance requirements and adapt to evolving regulations requires careful planning, expertise, and ongoing monitoring and updates.
Steps for Successful Deployment and Integration of GRC Tools
Integrating GRC tools into an organization's infrastructure involves several critical steps. Here are some key considerations:
Get executive buy-in
Before you start rolling out the new system, make sure you have the full support of upper management. Explain the benefits of the tool and how it strengthens risk and compliance management. Visible support and enthusiasm will motivate staff and encourage adoption
Focus on training
While the software may be intuitive, people still need to learn how to use it to its full potential. Develop training programs for different user groups based on their roles and responsibilities, and provide opportunities for hands-on practice.
Start with a pilot
Rather than an organization-wide launch right away, consider starting with a pilot implementation. Choose a business unit or location to test the new system and work out any errors before further deployment.
Continuous improvement
View the implementation as an ongoing process rather than a one-and-done event. Monitor how people are using the system and look for opportunities to expand its functionality or optimize current features. Release updates on a consistent schedule to maintain interest and support continuous progress.
Real-World Successes with GRC Tools
Here are some real-life examples of the successful implementation of GRC software into organizations' operational workflows.
Guidewire
This case study showcases how the software company achieved seamless and efficient IT GRC management by implementing a heavily strategic approach involving people, processes, and technology. They focused on differentiating between risks and issues, developed a robust risk management strategy, and introduced measurable action plans for issue resolution.
By selecting MetricStream as their GRC platform, Guidewire experienced faster processes, increased visibility, and better stakeholder partnership, making them much more efficient and effective when it came to addressing potential risks.
Zurich Insurance
Zurich Insurance, a leading, multi-line global insurer with about 56,000 employees, provides a wide range of property, casualty, and life insurance products and services in more than 210 countries and territories. The company leveraged MetricStream BusinessGRC products to modernize and streamline its compliance, policies, and enterprise risk management processes and manage a broad range of compliance requirements in an integrated manner.
The company has realized significant benefits, including:
- Better insights on compliance with a single source of truth
- Improved compliance efficiency with automated, standardized workflows
- Greater policy awareness in the frontline
- More confident decision-making with real-time visibility into compliance risks
- Faster responsiveness to regulatory changes and updates
Conclusion
The world of GRC is not static, and the solutions we choose to navigate it shouldn't be either. The continuous evolution of threats and regulatory requirements calls for solutions that not only respond to the present but anticipate the future and thrive on risk.
In this context, the highlighted tools, with their distinct capabilities, present compelling choices for organizations of all sizes and sectors. And amidst the contenders, MetricStream emerges as a partner for the forward-thinking enterprise—thoughtful in its approach, comprehensive in its coverage, and compassionate in its client engagement.
MetricStream offers a range of GRC solutions for organizations seeking to navigate complex risk landscapes with confidence and agility.
Frequently Asked Questions (FAQs)
A GRC platform is essential for organizations to streamline risk management, compliance, and governance processes. It helps centralize data, automate workflows, and ensure regulatory adherence, ultimately enhancing operational efficiency and reducing risks.
GRC tools prioritize security with robust features like data encryption, access controls, and audit trails. They comply with industry standards and regulations to protect sensitive information and ensure data integrity.
Yes, GRC platforms enable transparency and collaboration by allowing stakeholders to monitor progress through real-time reporting, dashboards, and customized notifications. This fosters accountability and ensures alignment across the organization.
Jump to Topic
Related Resources
Blogs
5 Critical Reasons Why Your Organization Needs an AI-Powered Connected GRC Solution
- GRC
- 20 November 24
5 min read
Introduction
As global business landscapes grow increasingly intricate, managing governance, risk, and compliance (GRC) becomes more challenging. The Accenture Risk Study: 2024 Edition reports that 83% of risk leaders believe complex, interconnected risks are emerging at an accelerated pace.
Organizations today need to deal with an onslaught of regulations, interconnected risks, and operational uncertainties, often compounded by siloed risk and compliance management systems. Deloitte’s Global Risk Management Survey, 2023 highlighted these challenges, with 69% of executives reporting that their risk management processes were largely or partially siloed, resulting in blind spots and slowing response times.
As organizations work towards simplifying GRC processes for more efficient risk visibility, stronger compliance, and informed decision-making, embarking on simplified, AI-driven connected GRC strategy is the way forward.
Here are 5 reasons why a connected GRC solution is essential for your organization in today’s interconnected risk and compliance environment.
1. Consolidate Siloed Processes for Greater Risk Visibility
Risk and compliance functions continue to operate within departmental silos in several organizations. For instance, IT security, legal, and financial teams in an enterprise often manage risks and controls in isolation, resulting in inconsistent or insufficient reporting and a lack of cross-functional insights. This disconnect can create significant vulnerabilities, with operational risks or compliance lapses, for example, going unrecognized until they lead to costly incidents.
Implementing a connected GRC solution eliminates these silos and enables a 360° view of risks and controls across departments. With centralized data and aligned workflows, risk management becomes a collaborative and simplified effort, empowering organizations to manage interconnected risks effectively. According to Chartis Research Integrated GRC Solutions, 2024: Market Update and Vendor Landscape, the future of GRC will be a ‘data-driven integration of operations, technology, and control across the enterprise.’ Moving towards this broader risk visibility not only supports proactive risk management but also fosters resilience, uniting departments in a shared governance strategy.
2. Scalable, Automated Compliance in the Dynamic Compliance and Regulatory Landscape
The 2023 Thomson Reuters Risk and Compliance Survey Report highlighted that more than half of risk and compliance professionals spent time identifying and assessing risk (56%) and monitoring compliance (52%). And with new regulations continuously emerging across different regions and industries most global organizations are finding it challenging to keep pace with these changes.
An AI-powered connected GRC solution enables organizations to achieve scalable, automated compliance by centralizing processes, streamlining the tracking of regulatory updates, and automating the implementation of compliance measures. By adopting a connected approach, the manual burden of compliance teams is reduced, while the risk of non-compliance is mitigated. Organizations can respond swiftly to regulatory changes, minimizing the potential for fines, legal consequences, and reputational harm.
3. Reduce the Hidden Costs that are a Result of Fragmented GRC Systems
A 2023 McKinsey study reported that 30% of risk management activities across organizations are duplicated due to siloed operations. Point GRC solutions and manual processes can result in not just duplicated efforts but also data redundancies, and even compliance gaps-- leading to higher operational costs.
An integrated and intelligent solution that centralizes risk and compliance data, automates workflows, and integrates reporting, leads to reducing errors and streamlining of operations. Such a solution can further work to help reduce administrative costs and optimize resource allocation.
4. Greater Focus on Operational Resilience
There is a growing global push towards operational resilience, driven by increasing regulatory expectations to mitigate disruptions in critical services. Key frameworks include the UK's FCA and PRA guidelines requiring impact tolerance measures, the EU's Digital Operational Resilience Act (DORA) focusing on ICT risk management, and the United States’ regulatory efforts emphasizing third-party and operational risk. In Asia-Pacific, standards from APRA and HKMA also prioritize robust continuity strategies. (Read our blog on Operational Resilience Takes Regulatory Center Stage. Are You Prepared?)
Traditional, reactive risk management approaches are no longer sufficient to ensure operational resilience. A connected GRC solution enables a shift to a proactive approach by linking risk data with business continuity and incident response plans. This approach can help organizations identify emerging risks early, assess their potential impact, and devise proactive response strategies.
5. Real-time Insights for Informed Decision Making
In a fast-paced business environment, timely and informed decision-making is essential. Yet, when data is scattered across multiple systems, decision-makers struggle to access the insights they need, often relying on outdated or incomplete information. When polled on the top risk function that risk leaders focussed on during the past 12 months, the highest number--44%--responded that it involved closely integrating risk analysis with important business decisions. (Accenture Risk Study: 2024 Edition).
A connected GRC platform, with AI capabilities, is the way forward for leaders seeking a unified view with consolidated data across risk, compliance, and governance functions. With integrated reporting and AI-powered analytics, GRC as a function can be transformed into a proactive partner for strategic decision-making.
Explore the Solution Perspective on MetricStream’s ConnectedGRC by GRC 20/20 Research
The leading GRC research analyst firm, GRC 20/20 Research, headed by Michael Rasmussen, GRC Pundit and globally recognized as the Father of GRC, conducted an independent and objective research into MetricStream’s ConnectedGRC by evaluating the solution and interacting with MetricStream’s customers.
The report finds that MetricStream has enabled them to see an integrated and connected view of GRC information, reporting, and processes with a single source of truth from a common information architecture, improving visibility across the organization while also eliminating the overhead of manual processes.
The solution perspective explores:
- Customers' GRC journeys before MetricStream, their reasons for choosing it, and how they used it
- The core capabilities and functionalities of MetricStream ConnectedGRC
- The key benefits organizations can achieve by adopting the solution
Jump to Topic
Related Resources
Blogs
Are Risk Heatmaps Really Dead? What’s Next?
- GRC
- 06 November 24
5 min read
Introduction
In the early 2000s, organizations began using risk heatmaps to assess enterprise risk more effectively. As the scope of Enterprise Risk Management expanded, these heatmaps grew in popularity as the visual representation of risks made them easy to understand and communicate. And their ability to map risks by probability and consequence led to wide adoption and use in industries with complex risk profiles. However, over time, risk landscapes grew in complexity, and heatmaps failed to provide a detailed, objective, and nuanced assessment of risks. But are risk heatmaps dead, or can they be modernized to provide enterprises with a more dynamic and precise view of risk?
Decoding the Risk Heatmap
Risk heatmaps plot risks according to two factors – the likelihood of the risk occurring and the impact of the risk if it does occur. Each risk is plotted on a grid and color-coded according to the risk level. The biggest advantage these heatmaps offer is simplicity – they are easy to understand, and stakeholders can quickly assess the severity of each risk and prioritize mitigation plans accordingly. Even non-experts can understand the risks facing the organization at a glance. This simplicity makes it easy to prioritize risks and communicate relevant information to stakeholders across the organization. The question is, are heatmaps too simple to address the requirements of a significantly more complex risk landscape that enterprises are dealing with today?
Limitations of the Traditional Risk Heatmap
Traditional risk heatmaps alone are not sufficient to understand the modern-day, interconnected risks. Here are some limitations of the traditional risk heatmap:
- Limited Scope and lack of context—Heatmaps represent risks with a numerical value that does not capture the context within which the risk can occur. As a result, stakeholders do not get an accurate understanding of the risk’s complexity and potential impact.
- Oversimplification—Traditional heatmaps provide an easy-to-understand representation of enterprise risks. However, they are not capable of offering a nuanced analysis of risks’ interconnectedness and impact.
- Inaccurate worst-case scenarios—Heatmaps represent worst-case scenarios, but they are not nuanced enough to consider the full range of possibilities. This hinders decision-making and risk mitigation strategies.
- Focus only on quantifiable risks - Heatmaps also mainly map easily quantifiable risks like financial losses or operational disruptions. They are not equipped to focus on qualitative impacts of risk, such as damage to reputation or strategic implications, which also limits an organization’s understanding of risks and their plans to mitigate them. They also do not allow multiple variables to be separated and displayed.
- Manual and subjective - Heatmaps are usually created manually, and assessments are done according to human perception of the risk. This is subjective and prone to inconsistencies, as different teams may perceive the same risk differently.
- Static – The modern risk landscape is constantly evolving, and changes in the business environment and regulations, or even technology advancements, can impact the severity of a risk. While a traditional heatmap can capture and describe factors at a singular moment in time, it is not dynamic and cannot adapt to changes quickly. This results in outdated and inaccurate risk assessments that do not provide management teams with complete, up to up-to-date information about the risk.
- Not aligned with organizational goals—Traditional heatmaps may not always align with enterprise goals, resulting in risk management strategies that are not effective enough for the organization.
- Data quality – Heatmaps need high-quality data to ensure accurate risk ratings, and incomplete or inaccurate data can result in misleading assessments.
- Prone to bias - The initial evaluation of a risk can create an anchoring effect, influencing later assessments and may even result in a tendency to uphold the original rating. This anchoring bias may also lead individuals to seek out information that confirms their initial perception of the risk, further reinforcing their biases and limiting objective reassessment.
Making Risk Heatmaps More Effective: What’s Next
Does this mean that risk heatmaps are beyond repair that must be retired from enterprise risk management strategies? Well, not quite. Despite limitations, risk heat maps can be useful for quickly identifying and prioritizing risks at the enterprise level. Color coding and size variations help distinguish between different levels of impact and likelihood. Combining heatmaps with other risk assessment tools like quantitative assessments and scenario testing can ensure a more nuanced and comprehensive view of risks. Heatmaps must also be regularly reviewed and updated to ensure they are in sync with the larger organizational objectives and entire business ecosystem. Different stakeholders across organizational levels may have different perspectives on risks, and their priorities may differ. The risk assessment must take into consideration all of these diverse viewpoints without any bias for it to be fully effective. Most importantly, organizations must be cognizant of the fact that risks are highly interconnected and can trigger a snowball effect if not addressed effectively. They must understand and map the interconnectedness of risks and analyze how they interact and impact each other. This will help them identify potential cascading risks, and they can plan their risk mitigation strategies accordingly.
But organizations must also be open to exploring other risk assessment measures that may be better suited to their requirements, such as:
- Risk Registers: A comprehensive list of risks identified by the organization, their description, possible impacts, likelihood of occurring, and detailed mitigation strategies. These registers help in a deeper analysis of risks. Even though this is manual in nature, organizations can use AI capabilities to unearth hidden risk relationships.
- Bow Tie Analysis: A visual representation of the cause-and-effect relationships between risks, threats, and possible consequences.
- Qualitative and Quantitative Risk Assessments: Formal, enterprise-wide assessments using standardized frameworks and methodologies such as ISO 31000 or NIST Cybersecurity Framework.
- Risk Modelling: Quantitative models that simulate risk scenarios and evaluate possible outcomes.
- Risk Appetite Statements and Impact Tolerances: Statements and tolerance limits detailing the organization’s risk appetite and tolerance levels across different aspects of the business.
- Key Metrics: Key metrics such as Key Risk Indicators (KRI), Key Control Indicators (KCI), and Key Performance Indicators (KPI) can signal emerging risks or changes in risk levels and must be monitored constantly.
How MetricStream Can Help
The traditional risk heatmap is no longer sufficient for managing the complex, interconnected and constantly evolving risk landscape that enterprises operate within today. They need a comprehensive and automated risk management solution that uses heatmaps in conjunction with other tools for a 360-degree view and assessment of risks and their potential impact.
MetricStream Enterprise Risk Management (ERM) and Operational Risk Management (ORM) software offers a structured risk management approach with standardized risk assessment methodologies and comprehensive risk and control assessments based on quantitative and qualitative parameters. It combines robust analytics with modernized risk heatmaps, reports, and dashboards to ensure real-time insights into the risk landscape and facilitate quicker, data-backed decisions. The solution uses modernized risk heatmaps in conjunction with other visual representations of risk analysis to ensure that decision-makers are able to fully understand the risks facing the organization and respond faster to emerging or changing risk profiles.
Find out more. Request a personalized demo today.
Jump to Topic
Related Resources
Blogs
AI Complements Human Intelligence, It Doesn’t Replace It
- GRC
- 30 October 24
6 min read
Introduction
In the latest edition of Expert Talk on the INDIAai portal, MetricStream’s Co-Founder and Executive Chairman, Gunjan Sinha, was interviewed by Dr. Nivash Jeevanandam, a Senior Technology Journalist and Research Writer. Read the interview below for Gunjan’s perspective on artificial intelligence, the key role it plays in innovation, its use in Governance, Risk, and Compliance (GRC) and more.
*This interview was initially published in the INDIAai website, click here to read the original article.
Gunjan Sinha is the founder and executive chairman of MetricStream. He is best known as the founder of WhoWhere? - an internet search engine he sold to Lycos in 1998. He is also the co-founder and board member of the customer engagement software company eGain (NASDAQ: EGAN).
From 2010 to 2017, Gunjan was a founding board member of the US India Endowment Board, founded by the US State Department and the White House Office of Science and Technology. This board supports science and technology innovation and commercialization for social good in the US and India.
Gunjan helped create Child Family Health International, a United Nations-recognized public non-profit, to transform global health education. He is passionate about social innovation, diversity, inclusiveness, and global risk management.
INDIAai interviewed Gunjan Sinha to get his perspective on AI.
As an entrepreneur, how do you see AI shaping the future of innovation and entrepreneurship? What emerging AI trends excite you the most?
AI complements human intelligence: it doesn’t replace it, resulting in AI becoming the most significant transformative force of our times. Process automation, enhanced decision-making, and personalized customer experiences result in unprecedented efficiency, precision, and adaptability, a game-changer. AI is democratizing access to tools and knowledge, creating a level playing field for enterprises of all sizes.
In the increasingly interconnected risk landscape, I see AI revolutionizing risk management. AI-powered workflows today can predict risks, automate control testing, and provide real-time insights. It enables organizations to leverage risk as a driver for growth, transforming traditional business models in the process.
With your experience at MetricStream, how do you see AI revolutionizing traditional business models, particularly in customer engagement, governance, and risk management?
The possibilities with AI are endless. AI-powered tools can analyze vast amounts of data for usage patterns, often in real-time. These use cases directly benefit agile, responsive, and cost-effective business operations. AI-infused workflows at MetricStream, for instance, have allowed organizations to significantly reduce control testing costs and improve issue management speed by grouping similar issues and suggesting tailored action plans.
Likewise, analyzing usage patterns allows for hyper-personalization of customer journeys, leading to stronger relationships and more engaging experiences.
How do AI advancements enhance the predictive capabilities of Governance, Risk, and Compliance (GRC) platforms, helping businesses anticipate and mitigate risks?
AI today allows for connecting data from diverse sources, such as regulatory updates, cybersecurity reports, and third-party risk assessments, for creating a holistic view of the organization’s risk profile in real-time. Vast and complex datasets are processed with AI technologies like machine learning, NLP, and LLMs to identify emerging risks and vulnerabilities.
Likewise, AI's ability to analyze large datasets enables enterprises to identify unseen risks that would not have been possible manually.
Examples:
- Third-party risk analysts get to act on recommendations from AI risk assessments.
- Automatic recommendations of risk assessment plans and risk treatment.
- Quick identification of risk management processes and missing controls.
What role does AI play in enhancing regulatory compliance and risk management in banking, energy, and healthcare industries? How can AI improve governance processes to be more resilient and adaptive to change?
AI enables continuous monitoring of banking transactions or healthcare operations to identify anomalies or potential non-compliance issues. For example, suspicious activities like money laundering in banking or non-adherence to privacy regulations like HIPAA in healthcare can be automated. Compliance and risk management examples: AI can automate policy searches, map regulatory changes to existing controls, and predict risk scenarios. AI solutions can help financial institutions complete third-party assessments significantly faster, allowing risk teams to focus more on mitigation efforts rather than documentation reviews.
Likewise, governance enhancements would include data-driven decision-making, governance process automation and adaptive governance models that can continuously learn from evolving risks and regulatory updates.
As AI increasingly detects and manages risks, what are the most critical considerations for companies to ensure responsible AI usage within their GRC frameworks?
With increasing AI integration, it is crucial to establish guardrails that ensure AI's safe, ethical, and secure use, particularly in sensitive sectors like banking, energy, and healthcare. Establish an AI governance framework that aligns with legal and ethical standards, conduct comprehensive risk assessments, and promote transparency and explainability of AI models so that AI can trace and audit decisions.
Likewise, human-in-the-loop processes are vital to validating AI-driven decisions and safeguarding against overreliance in high-risk areas such as patient care. Employees must be aware of responsible AI use and create cross-functional ethics committees to oversee AI initiatives, ensuring that AI applications are compliant, ethical, and secure from biases and vulnerabilities.
How do you see AI contributing to global social good, especially in areas like public health, education, and financial inclusion?
AI can optimize healthcare delivery, predict disease outbreaks, and improve access to medical services through telemedicine, automated diagnostics, and personalized healthcare. AI can personalize learning experiences, making education more accessible and tailored to individual needs. Financial inclusion can be improved through AI-powered credit scoring models that offer financial services to underbanked populations.
Given your deep experience in global risk management, how can AI tools help businesses better navigate emerging risks such as cybersecurity threats, data privacy concerns, and geopolitical challenges?
In cyber risk management, AI is a protective layer with real-time threat detection, automated incident response, and predictive threat modelling. It can detect anomalies and potential breaches faster than traditional methods, helping organizations respond swiftly to threats. For example, AI can analyze patterns in email communication and detect subtle signs of phishing attempts that may not be obvious to the human eye. Automated continuous control monitoring for cloud instances enables continuous assessment of cloud configurations and applications against regulatory standards and security best practices.
Likewise, AI can be used in risk forecasting to anticipate and plan for disruptions like supply chain interruptions, sanctions, or regulatory changes, as well as for scenario planning to simulate geopolitical scenarios to understand their impact on business operations and plan resilient strategies.
What advice would you give future leaders about integrating AI into their strategic decision-making processes?
Embrace AI as a strategic asset that can drive innovation, enhance decision-making, and provide a competitive edge. Focus on responsible AI usage and investing in AI governance frameworks. AI decisions should be transparent, ethical, and aligned with organizational goals.
Discover how MetricStream ConnectedGRC integrates AI to enhance GRC solutions. Request a personalized demo now.
Jump to Topic
Related Resources
Blogs
7 Pro Tips to Maximize Your 2024 London GRC Summit Experience
- GRC
- 23 October 24
5 min read
Introduction
The stage is set at Royal Garden Hotel, London, UK for the MetricStream London GRC Summit 2024. To be held on November 6th and 7th, it celebrates over a decade as the premier event for the GRC community. The GRC Summit has continually empowered professionals to connect, share insights, and exchange best practices while paving the way for what’s next in GRC.
This year, with the theme “Experience the Power of AI and Resilience”, the summit will explore two critical forces that are shaping the future of GRC. In today's interconnected risk landscape, AI is revolutionizing governance, risk, and compliance, as a driver of GRC agility, and for GRC to be applied to AI itself. And building resilience has never been more essential for organizations to effectively navigate disruptions and manage risks in an increasingly interconnected risk landscape.
Our two-day summit offers multifaceted value, be it knowledge, insights, or engaging content, and some bonus entertainment to unwind. To ensure you get most of the summit, here is a list of top tips for you to gain the 360° experience.
1. Prioritize the Keynote Sessions
This year the summit will have three keynote sessions including a special keynote by Axel P. Lehmann—Former Group Executive Board Member of UBS and Ex-Chairman of Credit Suisse. He will be presenting on the topic Thriving on Risk in an Increasingly Disrupted World: Balancing Risk-Taking, Resilience, and Performance.
MetricStream leaders, Gaurav Kapoor, our CEO and Co-Founder, and Gunjan Sinha, Co-Founder and Executive Chairman will also be providing valuable insights on the dynamic world of risk and compliance and how to power agility and resilience.
2. Join Deep-Dive Workshops on Day 1
Workshops offer the opportunity to deep dive into GRC strategies and understand how they are applied in practice. Learn directly from the experts on how to apply real-world pivotal strategies in your organizations:
- Michael Rasmussen, GRC Analyst & Pundit at GRC 20/20 Research, LLC Enterprise GRC by Design will be conducting a workshop on Blueprint for an Effective, Efficient & Agile Enterprise GRC Management Program.
- Elena Pykhova, Director, and Founder, The Op Risk Company Ltd will be exploring about Mastering Risk and Control Self-Assessments: Why They Fail and How to Derive Value.
3. Experience In-Depth Panel Dialogues
On Day 2, a diverse panel of prominent GRC leaders will share their insights and provide an insider perspective on emerging trends and best practices in the industry. Their thoughts and expert feedback are sure to enlighten listeners and spark a desire to know more. Below are some panels scheduled for the day:
- CXO Panel: Designing Integrated GRC and Resilience Programs for Sustainable Business Growth featuring Libby Denchfield, Global Head, Operations for Operational, Cyber Technology & Risk, Standard Chartered Bank and Robert Taylor, Head of Enterprise and Non-Financial Risk, London Stock Exchange Group.
- CXO Panel: Expanding the AI Horizon in GRC while Ensuring Strong AI Governance featuring Sakari Lehtinen, Chief Audit Executive, OP Financial Group and Wilna Meiring, Managing Executive: Corporate Risk and Security, Vodacom Group (Pty) Ltd.
- Modernizing RCSAs with Dynamic and Data-Driven Approaches featuring Ben Jeary, Head of Operational Risk, Santander, Margaret Norden, Global Head OTCR Framework and Stress Testing, Standard Chartered Bank and Benjamin Rowsell, Head of Enterprise and Operational Risk, Nationwide Building Society.
- Key Strategies to Build Cyber Resilience for Effective Cyber Risk Management featuring Peter Debasse, Group Information Security Officer, KBC Group, Thomas Barkias, Team Lead - Cyber Resilience, ICT, Crypto & Operational Risk, European Central Bank, and Ana Chavez Alanis, Global Head of Resilience Risk, Standard Chartered Bank.
- Building a Culture of High Performance and Integrity: The Crucial Role of Integrated Risk, Compliance, and Audit by Design featuring Somkant Mishra, Senior GRC Manager, CRH, Claudia Iacobucci, Head of Assurance, Risk and Controls, ABB and Bilal Javed Mahmood, Senior Director Risk Management, Hitachi Rail.
4. Learn What’s Next with Expert Talks
Expert talks are perfect for those looking to gain quick yet impactful knowledge on tackling GRC hurdles, offering a unique opportunity to learn from GRC leaders. They will deliver concise and powerful ideas for enhancing your organization's resilience. Check them out here:
Revolutionizing Model Validation and Controls with AI and Machine Learning featuring Rita Gnutti, Executive Director, Intesa Sanpaolo.
New Science of Quantifying Risks of Digital Infrastructure featuring Sidhartha Dash, Research Director, Chartis.
5. Uncover Product Session Insights
Gain comprehensive insights into the MetricStream products, understanding their full range of capabilities and benefits. The Product Sessions offer an unmissable opportunity for attendees to directly learn from the product experts, who offer deep dives into the technical aspects and answer your specific questions. Be sure to bookmark the below sessions:
- Navigating DORA: Strengthening Digital Operational Resilience presented by Raghuram Srinivas, SVP, Product Management
- Elevating User Experience: Discover the New UI/UX in MetricStream presented by Shreyank S. Kamat, Senior Director, Product Management
6. Explore the Venue and City
Amidst the regal beauty of Kensington, the iconic Royal Garden Hotel sets the stage for a captivating sojourn in one of the world's most dynamic cities. Check out this video to discover the amazing features and attractions that our venue has to offer!
Be sure to also immerse yourself in the rich tapestry of London's attractions. Explore the historic British Museum, wander through the splendour of Hyde Park, and indulge in a panoramic vista from the iconic London Eye.
7. Build Connections with Industry Peers
A key aspect of the GRC Summit is the opportunity for attendees to engage with industry leaders and experts. There are plenty of opportunities for participants can gain fresh insights and broaden their professional horizons with both formal and informal sessions. The summit provides an excellent setting for building relationships and strengthening collaborations.
Bonus Tip:
Take a moment to also check out our exclusive customer case study presented by Gurjeev Sanghera, Product Manager Enterprise GRCA, Shell. Attend the session to learn how Shell was able boost efficiency and coordination with automated assurance processes and improve communication through a shared system.
See You in London!
The list above encapsulates the highlights, but be sure to check out the Agenda for a more comprehensive list of topics being covered Join us at the Summit to explore how AI and Resilience are shaping the future of GRC!
Discover more about our esteemed speakers and their areas of expertise in our recent blog post – Meet our Speakers.
Not yet registered? To join an esteemed global community of over 250+ risk, compliance, audit, and cyber professionals, Register now.
Jump to Topic
Related Resources
Blogs
GRC Summit 2024, London: Get to Know the Speakers
- GRC
- 09 October 24
5 min read
Introduction
It’s only a few more weeks until MetricStream’s London GRC Summit, and the excitement is starting to build! Scheduled for November 6th and 7th at the prestigious Royal Garden Hotel, London, this year’s summit brings a new theme: “Experience the Power of AI and Resilience”. We will focus on the transformative impact of Artificial Intelligence (AI) in governance, risk and compliance (GRC) and the critical importance of resilience in today’s interconnected world, discussing how organizations navigate risks, optimize processes, and ensure long-term sustainability amidst rapid technological and regulatory changes.
The two-day gathering will unite over 250 GRC leaders and specialists who will share cutting-edge insights and strategies.
The GRC Summit will feature more than 40 sessions that will delve into the potential risks and benefits of AI for GRC, and GRC for AI, along with topics such as operational resilience, enterprise risk, operational risk, regulatory compliance, internal audit, third-party risk, and IT and cyber risk management.
To find out more on what is in store for you at the Summit, explore the GRC Summit Agenda.
Meet the Speakers
Some of the leading pioneers and industry experts in GRC will be at the summit to discuss, strategize, and impart invaluable insights that will shape the future of GRC with AI and Resilience at its centre.
Read on to learn more about our distinguished speakers who will feature in our keynote addresses, interactive panel discussions, and hands-on workshops while they generously share learnings from their own GRC journeys and experiences.
- Axel P. Lehmann—Former Group Executive Board Member of UBS and Ex-Chairman of Credit Suisse - Axel is the keynote speaker at this year’s MetricStream London GRC Summit. He will be presenting on the topic “Thriving on Risk in an Increasingly Disrupted World: Balancing Risk-Taking, Resilience, and Performance.” Axel is an IMD Executive in Residence and Affiliate Professor at University of St. Gallen (HSG), the former Chairman of Credit Suisse Group and former member of Board of Directors at UBS. He was also a member of Group Executive Board at UBS, where he served as Chief Operating Officer, joint President of Personal and Corporate Banking, and President Switzerland. He also has a nearly 20-year career at Zurich Insurance Group, where he spent 14 years on its Group Executive Committee in various roles.
- Michael Rasmussen, GRC Analyst and Pundit, GRC 20/20 Research, LLC - With over 27 years of industry experience, Michael is a distinguished authority in enhancing GRC processes. Renowned as the “Father of GRC,” he was the first to define and model the GRC market in February 2002 during his tenure at Forrester Research. As a highly sought-after keynote speaker, author, and advisor, Michael continues to lead the conversation on GRC.
- Robert Taylor, Head of Enterprise and Non-Financial Risk, London Stock Exchange Group (LSEG) - Robert is an accomplished senior executive with deep expertise in Enterprise, Capital, and Operational Risk Management. He has a track record of establishing effective risk management structures and improving departmental performance. Formerly, Robert held roles as Group Head of Capital Risk Management at Revolut and UK Head of Enterprise and Non-Financial Risk at Credit Suisse. His active involvement with Boards and regulators positions him as an influential leader in the GRC sector.
- Dorothea Liebl, Head of Internal Control Governance, Siemens Energy - With over 14 years of experience as a Governance, Risk, and Compliance (GRC) professional, Dorothea has mastered managing risk, ensuring regulatory compliance, and implementing robust governance frameworks. Her strategic thinking and team culture drive exceptional, ethical results and help build and maintain global Risk and Internal Control systems for Siemens.
- Suman Sourav, Head of GRC, Lazada (Alibaba Group) - Suman is a security governance, technology risk, and privacy programme specialist with over 18 years of extensive experience. In his current role, he excels in driving technology risk management, regulatory compliance, application security, and data protection.
- Rita Gnutti, Executive Director, Intesa Sanpaolo - Rita brings a wealth of experience, currently overseeing Internal Validation, Model Risk Management, and Second Level Controls at the group level, reporting directly to the Group CRO. With 15 years of experience in risk management and leadership roles, including heading the FRTB program, her insights are invaluable.
- Somkant Mishra, Senior GRC Manager, CRH - A GRC expert with 14 years of experience in risk management, regulatory compliance, and governance frameworks, Somkant has been instrumental in driving business alignment with regulatory requirements and improving processes for enhanced organizational resilience. His expertise spans multiple industries, making him a must-hear speaker at the upcoming summit.
- Claudia Iacobucci, Head of Assurance, Risk and Controls, ABB – Claudia has over 20 years of experience as a leader in governance and compliance for multinational listed companies. She brings unparalleled expertise and insights. Be sure to use this opportunity to learn from her extensive knowledge in navigating complex regulatory landscapes.
- Sahil Bhardwaj, Group Head of Internal Audit and Risk, British Standards Institution (BSI) - Sahil is a seasoned expert with global experience in developing value-driven risk and assurance functions, recognized as a two-time award winner by the Institute of Internal Auditors for 'Outstanding Team – Private Sector.' Join us to learn from his extensive background collaborating with Board members and Audit Committees in diverse cultures and leadership roles in both London and Singapore.
- Elena Pykhova, Director, and Founder, The Op Risk Company Ltd - Elena is an award-winning risk expert, author, and international trainer who specializes in risk transformation and executive-level risk management strategies. She authored the best-selling book "Operational Risk Management in Financial Services" and conducts training for top organizations worldwide, including Euronext and Cambridge University.
Check out the full list of our speaker line here.
Insights from Our Co-CEO and Executive Chairman
MetricStream leaders Gaurav Kapoor, our Co-CEO, along with Gunjan Sinha, our Co-Founder and Executive Chairman, will offer valuable insights in their keynote addresses and panel discussions. Expect to learn from their expertise on the latest trends in risk and compliance, as well as about the future developments in GRC for businesses
Secure your ticket now, as they're going fast! Register now.
Stay tuned for more updates on speakers and exciting highlights of the GRC Summit. Bookmark this space!
Jump to Topic
Related Resources
Blogs
Bank OZK Enhances Risk Posture and Agility with Increased Risk Visibility
- GRC
- 25 September 24
4 min read
Introduction
At our recent GRC Summit 2024 in Baltimore, Arindam Majumdar, Deputy Chief Risk Officer, Bank OZK, presented on Bank OZK’s GRC journey, taking the audience through the challenges of operational risk management within a growing financial institution, the effective strategies implemented, and the business value being realized.
Bank OZK is a high-performing U.S. regional bank with deep expertise in specialized lending businesses nationwide .Bank OZK operates through 230 retail branches and is noted for its significant presence in construction lending, being among the top five in major cities like New York, Chicago, Miami, and San Francisco.
Here are the key takeaways from Arindam’s session.
Bank OZK’s GRC Program Objective: Challenges and Needs
Arindam: We are one of the largest domestic CRE construction lenders in the country. In the last eight years, we've grown three and a half fold, and we are moving towards 50 billion in total assets. The board has given us the mandate to prepare a risk management organization that can support $100 billion bank.
Now our vision is obviously not only to maximize our strength, which is motion lending, but also diversify our asset base, which is look at other lines of lending, such as CNI, consumer lending, asset-based lending, equipment financial lending, etc. So, we are pursuing those opportunities as well as diversify our geographical footprint.
We have certain systemic challenges which are not unique to us. Current environment with inflation longer rates is certainly a challenge for us. Another challenge is that we are growing exponentially. Our ability to integrate our workforce during this growth map, while we have a wide foot footprint with remote work, has been a challenge as well as the need to prep the risk management frameworks and infrastructure to be ready for $50 billion plus. We transitioned over to MetricStream and in 2023 we went live. This is our second year on the platform, and I'll get to our unique journey with GRC solutions.
GRC Journey with MetricStream
Arindam: We were looking for a solution that would provide some degree of customization, especially on the reporting side. We wanted custom reports, and a solution that we could, with a high degree of confidence, expand to our user base.
What we've also done with our GRC program is a quarterly attestation of our risk and control universe. We at present, do annual testing with our controls, with our operational controls. We've also gone about integrating the solution with our internal audit solution, we have a different internal audit solution within the bank, but through MetricStream’s API connections, we've been able to pull all our audit data into the MetricStream platform as well.
We’ve adopted the issue management model, which has been a game changer for us, especially as we have tried to mature our data risk programs. Data issue management and operational risk management has been the two biggest pieces in our issue management module within MetricStream.
Business Value Realized
Arindam: Using MetricStream’s Operational Risk, RCSA Control Attestation, Issue Management Module and the integration with the internal audit solution, we have realized the following benefits:
- Support for 100 users – risk assessments, issue tracking to all employees
- Support for risk-based audit planning, audit execution and reporting
- Facilitation of continuous control monitoring
- Increase in risk visibility through efficient reporting
- Increase in efficiency of RCSA controlled monitoring and testing
- Use of RCSA residual risk profile for enterprise risk profile monitoring
- Use of insights from control health for Stress Testing
- Use of the RCSA results for Economical Capital framework development for Operational Risk Economic capital calculations
Our biggest challenge is to keep our controls live , which is why we have 40 attestations also tested from an operational risk standpoint. Building feedback with audit, issue management and your own control environment is critical. You want to try and keep it as simple as possible. Find the right balance between information and noise.
Looking Ahead
Arindam: We're moving towards enhancing our operation of our capital model. We're trying to build a Bayesian network-based model, with real time key control indicators to make this even more live.
Watch the full session here.
I recently had the chance to discuss in depth with Arindam on the challenges of operational risk management within a growing financial institution, and the effective strategies and programs to enhance operational risk management.
Watch the webinar recording here: https://grc-summit.wistia.com/medias/spcgu7gkw3
Registrations are open for our London GRC Summit 2024 on November 6-7! Join us for groundbreaking discussions and exceptional networking opportunities with top industry leaders and experts as we unlock the latest insights and strategies in operational resilience, AI for GRC, risk management, compliance, cyber risk, and more. Register now:
Find out more about what our other customers have to say:
- How Autodesk Moved from Siloed to Integrated IT Risk and Compliance Processes
- How American Fidelity Assurance Enhanced Third-Party Risk Management and IT Compliance Functions
- Apple Bank Enhances and Streamlines Cyber Risk Management Program with MetricStream
- GRC Success Story: How dnata Integrated Firm-Wide GRC Processes with MetricStream
Jump to Topic
