GRC Leaders Speak: Top 5 Themes from the 2024 MetricStream GRC Summit

Introduction

Just a few weeks ago, on June 17th and 18th, the Baltimore Marriott Waterfront was abuzz as over 150 governance, risk, and compliance leaders gathered for the MetricStream GRC Summit—the premier GRC event of the year.

Over the course of two days, MetricStream brought together some of the foremost experts in GRC – with more than 50 speakers – who shared invaluable keynotes, best practices, case studies, and strategic insights on critical areas of focus and priority for leaders. The summit also offered plenty of opportunities to network with peers and celebrate the announcement of the 2024 GRC Journey Awards winners.

I wanted to share some standout moments and key themes shared during the event. You can also check out the video highlights and presentations.

5 Key Themes That Emerged During the Summit

1. AI at the Epicenter

Driven by its immense ability to automate tasks, increase productivity, and predict outcomes, Artificial Intelligence (AI) has quickly moved to the epicenter today. Organizations across industries are leveraging AI to streamline operations, revolutionize marketing strategies, and gain a competitive edge. Its applications range from automating customer service with chatbots to predicting market trends, and optimizing supply chain management.

In GRC, AI’s transformative potential enables organizations to manage risk more effectively, improve compliance, and make data-driven decisions for better governance. Enterprises are effectively utilizing AI for control monitoring, intelligent issue and remediation management, intelligent control insights and control test prioritization, the creation of a common view of risks, and so much more.

While effective and responsible AI systems are crucial, GRC leaders at the Summit focused on the importance of: 

• Promoting the augmentation of human capabilities in conjunction with AI tools rather than outright replacement
• Focusing on data quality, which is essential to build trust and transparency
• Implementing robust guardrails for AI to prevent bias and ensure ethical standards are upheld
• Fostering a balanced approach to leveraging AI in GRC processes for more informed, agile, and ethical governance and risk management practices.

Here are two quotes that sum up the depth of discussions around AI.

“One of our priorities is to keep GRC simple. There are two aspects of AI –how do you bring AI to GRC and how do you bring GRC to AI?” --Gunjan Sinha, Co-Founder of MetricStream

“We are at an inflection point on the adoption of AI. Targeted AI adoption for specific use cases will gain traction. Humans in the loop is extremely important.” --Anand Narayan, Head of Regulatory Change Management, Sumitomo Mitsui Banking Corporation

2. From Reactive Risk and Compliance to Proactive Resilience

“Agility is extremely important in managing emerging risks and regulatory requirements,” said Prabha Thomas, Chief Risk and Compliance Officer, Tata Consultancy Services. I couldn’t agree more. In today’s fast-paced and interconnected business environment, a conscious move from reactive risk and compliance to embracing proactive resilience is not just a strategic choice—it is essential for thriving in the face of uncertainty.

To build proactive resilience, organizations will need to build risk and compliance agility with a unified view powered by a centralized platform that continuously scans the horizon with regulatory change-tracking technologies and automated feeds from trusted content sources. They will need to integrate compliance management systems with other enterprise systems and apply AI and automation for automated recommendations. Furthermore, given the multitude of regulatory requirements, organizations will need to move to continuous compliance by implementing tools that help them automate control testing and evidence collection for all their enterprise controls.

3. The Changing Role of the CISO

A particularly resonant theme was the evolving role of the CISO. Numerous Chief Information Security Officers (CISOs), Chief Security Officers (CSOs), and Cyber Risk leaders at the Summit shared their insights on how the role has increasingly shifted towards a business-oriented focus, emphasizing that cyber risk is now recognized as a critical business issue rather than solely a technical one.

Added responsibilities of a CISO now include organizational governance, data loss prevention, and compliance with regulations. This requires not just a solid technical foundation but also a strong grasp of business principles to effectively communicate with other C-level executives and the board.

A CISO’s toolkit today should include a 360-degree view of the organization’s IT risk posture and cybersecurity investment priorities, along with continuous control monitoring, insightful reporting, and cyber risk quantification. This blend of skills and technology ensures they can anticipate risks, implement robust security architectures, and foster a culture of security within their organizations – as well as communicate strategically with the board.

4. Responding to Rapidly Evolving Regulations

“Regulators are connecting the dots,” warned Deputy Chief Risk Officer, Bank OZK. “If we as an organization don’t break down the underlying siloes, we lose control. We transitioned as a team to look at all the various risk stripes in an interconnected view.”

With the regulatory environment evolving faster than ever, it is crucial for GRC professionals to stay ahead of regulatory changes to ensure that organizations remain compliant and avoid potential fines and reputational damage. This requires utilizing advanced technologies such as AI and cloud-based platforms to streamline this process, ensuring that compliance professionals receive real-time updates and can assess their implications swiftly.

5. Collaboration is Key to Success

An essential takeaway from the Summit was the wise words of Tolu Oyesfesobi, Head of Financial Controls and Operational Risk, Inter-American Development Bank, who reminded us all to “Have a lot of coffee with your business… for collaboration is key to breaking down silos.”

This simple yet profound advice underscores the importance of fostering strong, communicative relationships within our organizations to achieve seamless integration and collective success.

It also underscores the importance of connecting with the GRC community. In line with the theme, "Experience The Power of Connection," the Summit stood out for bringing together the expertise of top GRC professionals. Customers, including Blue Cross Blue Shield of Michigan, Bank OZK, and Apple Bank, shared their success stories, vividly illustrating how they have effectively tackled the complexities of GRC challenges. We also conducted workshops on how to align ERM with your organization’s GRC strategy and cyber risk quantification that offered practical insights and use cases from industry experts.

The Future of GRC is Connected

As we wrapped up two insightful days in Baltimore, the overarching topic that sparked a lot of discussion was the need to advance GRC maturity with a connected GRC strategy, especially one that is Cognitive, Continuous, and Cloud-based.

• Cognitive leverages AI and machine learning to automate and optimize risk and compliance processes, providing real-time insights and predictive analytics
• Continuous ensures ongoing monitoring and assessment of risks and controls, reducing business losses and improving operational efficiency
• Cloud-based solutions are low-code, no-code and come with scalability, flexibility, and security, enabling organizations to manage their GRC initiatives seamlessly across various functions

See You Next in London!

We’ll be doing it all over again in London on November 6th and 7th! We hope to see you there! Register now. 

Learn more about what was discussed at the GRC Summit: Download the presentation and watch the videos.