Blogs
7 GRC Myths Debunked
- GRC
- 14 August 24
6 min read
Introduction
Over two decades have passed since the term ‘governance, risk, and compliance’ (GRC) entered the business lexicon. Initially considered a nice-to-have, countless organizations have benefited from a deeper understanding of risks, a robust framework of controls, and a solid foundation of governance mechanisms. Yet, several myths around GRC continue to persist.
Let’s put some of them to rest here.
Myth 1: GRC is Only for Large Organizations in Heavily Regulated Sectors
Fact: All organizations, regardless of size, need GRC to navigate an increasingly uncertain world. Risks are coming at us from all directions – be it climate change, cyberattacks, market volatilities, or geopolitical conflicts. Add on regulatory pressures and constantly evolving compliance requirements – and you have a perfect storm of GRC challenges.
To thrive – or, even survive – we have to be able to anticipate and mitigate risk events and recover quickly in case of a crisis. We need to know where our controls are lacking, and which regulatory changes require our attention. GRC enables us to do all that – which is why it isn’t just desirable, but imperative for both large and small organizations.
Myth 2: GRC Hinders Business Agility, Slowing Down Processes and Stifling Innovation
Fact: On the contrary, if GRC is done right, it can actually enhance business agility. It enables us to foresee and respond to the risks and opportunities ahead in a way that drives growth and transformation.
Take the example of a global IT services leader that optimized business performance through a deeper understanding of its risks. Each risk is mapped to performance objectives and strategic goals. So, at a glance, stakeholders can accurately predict performance and revenue across various projects and business units. With a comprehensive picture of risk impact and control effectiveness, the board and executive team can make confident decisions that drive profitability and growth.
Myth 3: GRC is Only About Compliance
Fact: While compliance is a crucial component of GRC, it isn’t the sole focus. Being compliant doesn’t guarantee immunity against risk events. You might think your organization is safe if, for example, you’re fully compliant with cybersecurity regulations. But cyber threats are constantly evolving, often outpacing regulatory measures. So, if you’re too narrowly focused on compliance, you might not see the broader threats and attack surfaces in your business. It’s like locking the doors of your house, but leaving the windows open for intruders to come in.
That’s why an effective GRC approach doesn’t just emphasize compliance with periodic assessments and audits – it stresses the need for good governance and sound risk management practices. That includes implementing clear policies and codes of ethics, establishing accountability, and building a risk-aware culture. When these practices are combined with compliance, they do more than just protect your business – they also help you capitalize on opportunities and strengthen resilience.
Myth 4: GRC is Too Expensive to Implement
Fact: While a GRC implementation has its costs, consider them an investment rather than an expense. GRC can actually save you money in the long run by preventing costly compliance breaches, reducing the likelihood of significant risks materializing, and improving operational efficiencies. Plus, whatever your budget, you’re likely to find a GRC solution that fits. However, we need to ensure that the GRC solution is scalable and can seamlessly extend to other functions of GRC in the future. This will not only ensure data integrity but also help you save costs on managing multiple vendors, upgrades, and data integrations.
Many organizations rely on spreadsheets and manual methods for GRC, but this approach is inefficient. Employees spend hours gathering GRC information, leading to scattered insights, data inconsistencies, and delayed decision-making due to inaccessible risk intelligence.
By contrast, a connected and scalable GRC platform can give you the risk visibility and automation you need to save both time and costs. A leading health insurer enabled a 90% reduction in regulatory reporting time by connecting all its compliance processes on one platform. Meanwhile, a telco giant cut costs by 80% with automated risk and control monitoring. You too can achieve similar efficiencies with the right solutions.
Myth 5: Once Your GRC Framework is in Place, You’re Free from Risk and Compliance Issues
Fact: No GRC framework or solution can completely eliminate risks or compliance issues. However, a good one can bring your risks down to an acceptable level, and ensure that they’re within your risk appetite. An effective solution can highlight early warnings and help you take proactive measures to mitigate risks in time. Effective GRC can also help you streamline compliance with various regulations and reduce the likelihood of costly penalties.
But through it all, vigilance is essential. You don’t want to be caught off-guard by a new risk or disruption coming out of left field. Continuous risk and control monitoring is imperative to ensure that you’re always ahead of emerging risks and control issues. Regulatory change management can also go a long way towards maintaining compliance health by keeping you abreast of new compliance legislation and updates.
Myth 6: GRC Implementation is a One-Time Activity
Fact: GRC is an ongoing process, a journey that never really ends. It can’t be when regulations, risks, and business operations are constantly evolving. The risks of next year may not be the same as the risks of this year. A control that worked before may not be relevant today. Only by monitoring, adapting, and improving GRC activities regularly can you keep risks in check and enable sustainable growth.
Myth 7: GRC Technology Can Solve GRC for You
Fact: Technology can certainly support and empower you on your GRC journey, but it isn’t a silver bullet. As GRC pundit Michael Rasmussen says, “GRC is something you do, not something you buy.” Even if you have the best GRC software in the market, it won’t offer much value unless you first have clear GRC strategies, policies, processes, and taxonomies. You need well-planned GRC processes, governance structures, and a culture that values risk management and compliance practices.
Once these building blocks are in place, technology can take your GRC program to a whole new level by streamlining and automating processes. It can simplify cross-functional collaboration on GRC activities, while also pulling together and transforming GRC data into rich insights. In that sense, GRC software can be a value-enabler. But human oversight, strategic planning, and judgment are equally important.
Supercharge your GRC Efficiency and Effectiveness with MetricStream
MetricStream ConnectedGRC enables you to manage all your GRC requirements on one platform. From operational and enterprise risk management and compliance, to audits, third-party governance, cyber risk management, and ESG (environmental, social, and governance) – your end-to-end processes are connected with a unified risk and compliance view.
With ConnectedGRC, you can:
- Gain a unified view of risks across the enterprise and third-party ecosystem
- Avoid regulatory violations with systematic compliance assessments, continuous control monitoring, and regulatory change management tools
- Strengthen governance with powerful policy and procedure management solutions
- Use advanced analytics and AI to draw out timely risk and compliance intelligence
- Align GRC with industry best practices, standards, and frameworks
To learn how MetricStream can help you accelerate your GRC journey, request a personalized demo today!
Jump to Topic
Related Resources
Blogs
The Case for an Integrated Approach to GRC in the Modern Enterprise
- GRC
- 07 August 24
7 min read
Introduction
Chances are that you’re already managing governance, risk, and compliance (GRC) in some way or the other. But if your approach is ad hoc and siloed – i.e., if your risks, compliance, and audits are managed on separate systems with different taxonomies and no way to collaborate or exchange data – then, it might be time for a change.
Why? Because in today’s dynamic world, success hinges on one’s ability to make informed decisions quickly based on data collected and validated across the organization. Stakeholders need to know which risks to tackle on priority, how those risks influence other enterprise risks, which business objectives could be impacted, what issues could arise, and whether the controls in place are truly effective.
Meanwhile, internal audit – the third and final line of defense – needs to focus on assurance, rather than re-evaluating assessments completed by the second line. To do that, they need real-time visibility into events, issues, actions, and assessment outcomes.
An integrated GRC program provides all these insights. So, teams can take informed steps to protect the business and capitalize on the opportunities that really matter.
Why Don’t More Organizations Adopt an Integrated Approach?
In our experience, many businesses already have separate programs, objectives, and budgets for each GRC function – be it risk management, compliance, or internal audits. Having operated like this for years, businesses are either resistant to change or lack the drive to ensure integrated GRC data and reporting. Some companies are swayed by the bells and whistles that point solutions can provide, even if those tools work in silos, disconnected from other GRC functions.
There’s no doubt that making the shift to integrated GRC does take time and effort. But the rewards are well worth it. Imagine being able to predict risks and opportunities faster, collaborate seamlessly across functions, and make informed decisions quickly – all in a streamlined and cost-efficient manner. That’s what integrated GRC can enable.
Integrated GRC Is More Important Now Than Ever
All around us, risks are changing at a rapid rate. Four years ago, the top global risks were largely environmental – extreme weather, climate action failure, natural disasters, and biodiversity loss. This year, the top 5 risks have expanded to include AI-generated misinformation, societal/ political polarization, the cost of living crisis, and cyberattacks.
Compliance requirements are also evolving. In the first half of 2024 alone, Europe approved the corporate sustainability due diligence directive as well as the AI Act. In July, California’s Workplace Violence Prevention Plan (WVPP) came into force, as did Australia’s Environmentally Sustainable Procurement Policy.
As these regulations and risks keep changing, so also do business processes, objectives, employees, technologies, and third parties.
None of these changes occur in isolation. They’re all interconnected. For example, when you onboard a new vendor, their risks become your risks. A data breach in their networks could weaken your own cybersecurity posture, which, in turn, could lead to compliance violations, operational disruptions, reputational damage, and more.
Integrated GRC enables you to see all these interconnections. Data from spreadsheets, point solutions, and other sources are unified into a single GRC view. This helps you predict risks with accuracy, ensure consistent compliance, and strengthen your resilience.
Benefits of an Integrated GRC Program
Our customers and prospects across industries tell us that these are some of the benefits they’ve experienced with an integrated approach to GRC:
Faster, more accurate risk insights through a common GRC taxonomy
When departments such as risk management and compliance work in silos, they end up developing separate terminologies and frameworks to describe similar GRC concepts. This creates a lot of confusion when you’re trying to aggregate and report GRC data.
By contrast, an integrated GRC approach focuses on unifying and standardizing GRC taxonomies across the enterprise. So, all departments and stakeholders are on the same page, speaking the same language. This minimizes misunderstandings and miscommunications. It also simplifies the process of gathering and analyzing GRC data from across business units. There are fewer discrepancies and ambiguities in the data because everyone is using the same terminologies.
The end result is that management gains a clearer picture of the organization’s GRC posture, which, in turn, strengthens decision-making.
Improved cost-efficiencies, zero duplication of effort
When your GRC approach isn’t coordinated, multiple departments could end up assessing the same risk, or testing the same control. This duplicates effort, wastes resources, and increases costs.
An integrated GRC approach eliminates these inefficiencies by streamlining GRC workflows across departments. Tasks and responsibilities are clearly defined to minimize overlaps or redundancies.
Meanwhile, GRC data is collected, stored, and accessed centrally – so teams don’t have to waste time hunting for information. The data produced by one department can even be reused by another. For example, compliance reports can be reused in risk assessments and internal audits. This reduces labor costs, and frees up GRC resources for more strategic activities.
Stronger collaboration across business lines
In an integrated GRC program, various business lines work together in harmony. Risk managers, compliance teams, internal auditors, and others have a clear understanding of how their activities intersect with those of other lines.
Through an integrated GRC platform, information on risks, losses, controls, and metrics is easily shared across departments. Each business line is able to provide valuable inputs and support to the other. The first line’s observations and assessments of risks and compliance flow to the second line which then ensures that risks and controls are effectively managed.
Subsequent business lines, such as internal auditors and the management team, can also collaborate and monitor risks easily through the same GRC platform. This synchronized approach enhances the organization’s resilience and ability to achieve business objectives.
A comprehensive view of GRC through integrations with other systems
GRC doesn’t exist in a vacuum. It needs to be able to exchange data with other business systems like enterprise resource planning (ERP) platforms, security tools, and threat and vulnerability scanners. External content also matters – be it regulatory updates, third-party risk ratings, or data on environmental, social, and governance (ESG) factors. All these inputs enrich your ability to monitor risks, regulations, and their impact on your enterprise.
An integrated GRC approach helps you aggregate all this data by connecting your GRC platform to multiple systems within and outside the enterprise. APIs enable the seamless flow of data across these touchpoints. For example, with MetricStream products, you can automatically pull in vendor security ratings for third-party security assessments or regulatory changes and updates from CUBE. These insights make your GRC program more robust and effective.
A Fast-Growing Regional Banking Giant Enhances Business Decision-Making with MetricStream
We recently contracted with a regional bank that was a rising superstar in the BFS industry. Evaluation began with the Internal Audit team searching to replace its archaic point solution with its latest variant, while Operational Risk Management, Information Security, and Compliance Groups looked to automate their manual processes. Legacy systems, manual processes, and data silos were hampering risk visibility and effective reporting to regulators. Moreover, only 60% of planned risk assessments were executed on time and Internal Audit continued testing all risks and controls already validated by the second line.
As the evaluation progressed on separate tracks, the Internal Audit team realized the benefit of real-time visibility into first- and second-line data and incidents/events during audit planning or fieldwork. In their own calculations, there were significant time-cost-resource optimizations with such seamless enterprise data visibility. Hence, began a joint evaluation for a single and enterprise GRC platform.
After a year of rigorous evaluation wherein the criteria also included built-in practices relevant for banking industry, track record in managing and deploying enterprise programs, and a team who would guide them through their journey with the application, they chose MetricStream.
With the implementation:
- Operational risk management processes have been streamlined for optimal efficiency. Meanwhile, a centralized risk and control library saves time on risk assessments and control tests.
- The Internal Audit team reaps the benefit of a more efficient program allowing better audit planning and execution, and avoiding redundancy of assessment due to complete visibility into first and second line assessments, observations and actions. This allows them to focus on critical areas and data analysis.
- Compliance Group and Information Security have imbibed the embedded practices and tailored their specific use cases using the low-code, no-code toolkit.
The bank’s multi-dimensional organization structure (MDOS) has been mapped on MetricStream, making it easier to aggregate risks at any level of the organization. With better visibility into risks and controls, the bank is able to make more informed and agile decisions that strengthen business success.
Improve Your Agility, Performance, and Resilience with MetricStream ConnectedGRC
MetricStream ConnectedGRC enables an integrated approach to GRC with seamless collaboration across risk, compliance, audit, cybersecurity, and sustainability teams. Through MetricStream, you can effectively identify, assess, and manage all your risks and compliance requirements on one platform. Designed with advanced analytics and AI capabilities, ConnectedGRC delivers best practices to meet the evolving needs of today’s dynamic enterprises.
- Gain a single source of truth to manage, assess, and track GRC across the enterprise
- Break down the silos between business lines, enabling a coordinated approach to GRC
- Standardize GRC taxonomies, and simplify risk data aggregation from across departments
- Get a unified and real-time view of the relationships between risks, controls, regulations, policies, business objectives, cybersecurity, sustainability, and other data elements
- Streamline GRC processes, minimizing redundancies and inefficiencie
To learn how MetricStream can help you accelerate your GRC journey, request a personalized demo today!
Jump to Topic
Related Resources
Blogs
GRC Leaders Speak: Top 5 Themes from the 2024 MetricStream GRC Summit
- GRC
- 24 July 24
6 min read
Introduction
Just a few weeks ago, on June 17th and 18th, the Baltimore Marriott Waterfront was abuzz as over 150 governance, risk, and compliance leaders gathered for the MetricStream GRC Summit—the premier GRC event of the year.
Over the course of two days, MetricStream brought together some of the foremost experts in GRC – with more than 50 speakers – who shared invaluable keynotes, best practices, case studies, and strategic insights on critical areas of focus and priority for leaders. The summit also offered plenty of opportunities to network with peers and celebrate the announcement of the 2024 GRC Journey Awards winners.
I wanted to share some standout moments and key themes shared during the event. You can also check out the video highlights and presentations.
5 Key Themes That Emerged During the Summit
1. AI at the Epicenter
Driven by its immense ability to automate tasks, increase productivity, and predict outcomes, Artificial Intelligence (AI) has quickly moved to the epicenter today. Organizations across industries are leveraging AI to streamline operations, revolutionize marketing strategies, and gain a competitive edge. Its applications range from automating customer service with chatbots to predicting market trends, and optimizing supply chain management.
In GRC, AI’s transformative potential enables organizations to manage risk more effectively, improve compliance, and make data-driven decisions for better governance. Enterprises are effectively utilizing AI for control monitoring, intelligent issue and remediation management, intelligent control insights and control test prioritization, the creation of a common view of risks, and so much more.
While effective and responsible AI systems are crucial, GRC leaders at the Summit focused on the importance of:
- Promoting the augmentation of human capabilities in conjunction with AI tools rather than outright replacement
- Focusing on data quality, which is essential to build trust and transparency
- Implementing robust guardrails for AI to prevent bias and ensure ethical standards are upheld
- Fostering a balanced approach to leveraging AI in GRC processes for more informed, agile, and ethical governance and risk management practices.
Here are two quotes that sum up the depth of discussions around AI.
“One of our priorities is to keep GRC simple. There are two aspects of AI –how do you bring AI to GRC and how do you bring GRC to AI?” --Gunjan Sinha, Co-Founder of MetricStream
“We are at an inflection point on the adoption of AI. Targeted AI adoption for specific use cases will gain traction. Humans in the loop is extremely important.” --Anand Narayan, Head of Regulatory Change Management, Sumitomo Mitsui Banking Corporation
2. From Reactive Risk and Compliance to Proactive Resilience
“Agility is extremely important in managing emerging risks and regulatory requirements,” said Prabha Thomas, Chief Risk and Compliance Officer, Tata Consultancy Services. I couldn’t agree more. In today’s fast-paced and interconnected business environment, a conscious move from reactive risk and compliance to embracing proactive resilience is not just a strategic choice—it is essential for thriving in the face of uncertainty.
To build proactive resilience, organizations will need to build risk and compliance agility with a unified view powered by a centralized platform that continuously scans the horizon with regulatory change-tracking technologies and automated feeds from trusted content sources. They will need to integrate compliance management systems with other enterprise systems and apply AI and automation for automated recommendations. Furthermore, given the multitude of regulatory requirements, organizations will need to move to continuous compliance by implementing tools that help them automate control testing and evidence collection for all their enterprise controls.
3. The Changing Role of the CISO
A particularly resonant theme was the evolving role of the CISO. Numerous Chief Information Security Officers (CISOs), Chief Security Officers (CSOs), and Cyber Risk leaders at the Summit shared their insights on how the role has increasingly shifted towards a business-oriented focus, emphasizing that cyber risk is now recognized as a critical business issue rather than solely a technical one.
Added responsibilities of a CISO now include organizational governance, data loss prevention, and compliance with regulations. This requires not just a solid technical foundation but also a strong grasp of business principles to effectively communicate with other C-level executives and the board.
A CISO’s toolkit today should include a 360-degree view of the organization’s IT risk posture and cybersecurity investment priorities, along with continuous control monitoring, insightful reporting, and cyber risk quantification. This blend of skills and technology ensures they can anticipate risks, implement robust security architectures, and foster a culture of security within their organizations – as well as communicate strategically with the board.
4. Responding to Rapidly Evolving Regulations
“Regulators are connecting the dots,” warned Deputy Chief Risk Officer, Bank OZK. “If we as an organization don’t break down the underlying siloes, we lose control. We transitioned as a team to look at all the various risk stripes in an interconnected view.”
With the regulatory environment evolving faster than ever, it is crucial for GRC professionals to stay ahead of regulatory changes to ensure that organizations remain compliant and avoid potential fines and reputational damage. This requires utilizing advanced technologies such as AI and cloud-based platforms to streamline this process, ensuring that compliance professionals receive real-time updates and can assess their implications swiftly.
5. Collaboration is Key to Success
An essential takeaway from the Summit was the wise words of Tolu Oyesfesobi, Head of Financial Controls and Operational Risk, Inter-American Development Bank, who reminded us all to “Have a lot of coffee with your business… for collaboration is key to breaking down silos.”
This simple yet profound advice underscores the importance of fostering strong, communicative relationships within our organizations to achieve seamless integration and collective success.
It also underscores the importance of connecting with the GRC community. In line with the theme, "Experience The Power of Connection," the Summit stood out for bringing together the expertise of top GRC professionals. Customers, including Blue Cross Blue Shield of Michigan, Bank OZK, and Apple Bank, shared their success stories, vividly illustrating how they have effectively tackled the complexities of GRC challenges. We also conducted workshops on how to align ERM with your organization’s GRC strategy and cyber risk quantification that offered practical insights and use cases from industry experts.
The Future of GRC is Connected
As we wrapped up two insightful days in Baltimore, the overarching topic that sparked a lot of discussion was the need to advance GRC maturity with a connected GRC strategy, especially one that is Cognitive, Continuous, and Cloud-based.
- Cognitive leverages AI and machine learning to automate and optimize risk and compliance processes, providing real-time insights and predictive analytics
- Continuous ensures ongoing monitoring and assessment of risks and controls, reducing business losses and improving operational efficiency
- Cloud-based solutions are low-code, no-code and come with scalability, flexibility, and security, enabling organizations to manage their GRC initiatives seamlessly across various functions
See You Next in London!
We’ll be doing it all over again in London on November 6th and 7th! We hope to see you there! Register now.
Learn more about what was discussed at the GRC Summit: Download the presentation and watch the videos.
Jump to Topic
Related Resources
Blogs
Healthcare Risk and Compliance: 5 Key Challenges to Address in 2025
- GRC
- 18 July 24
7 min read
Introduction
Healthcare is one of the most strictly regulated sectors in the world. This is understandable and necessary considering that the sector deals with factors as crucial and sensitive as health and life itself. As a result, this sector has witnessed increasing regulatory complexity with different regulatory bodies focusing on various aspects of the industry. The healthcare business is also rapidly evolving and expanding with many providers offering ancillary services such as health insurance and insuretech. This makes the sector susceptible to various new and emerging risks. Healthcare providers also work with third parties who handle sensitive patient information, making it vital for them to effectively manage third-party risks. As regulatory complexity increases amidst a fraught risk landscape, ensuring compliance can be challenging.
In April 2024, records of 13.4 million patients were left exposed thanks to nine incidents of unauthorized access or disclosure of protected health information. 44 hacking incidents in the same month affected 1,919,637 records. The consequences of such breaches through penalties and impact on reputation and image are significant. This blog explores the top five risk and compliance challenges for the healthcare sector and how to address them.
What Are Compliance Issues in Healthcare?
Healthcare Compliance Issues refer to instances where healthcare organizations fail to adhere to relevant laws, regulations, and industry standards. Non-compliance can lead to severe consequences, including fines, penalties, legal actions, and reputational damage.
1. Regulatory Compliance
The healthcare sector is governed by regulations and frameworks such as Health Insurance Portability and Accountability Act (HIPAA), the HITECH Act that complements HIPAA by increasing the penalties for data breaches, the 21st Century Cures Act, General Data Protection Regulation (GDPR), PCI DSS, California Consumer Privacy Act (CCPA), Health Information Trust Alliance Common Security Framework (HITRUST CSF), Information Blocking Rule (2021) and Interoperability and Patient Access Final Rule (2021). Most of these focus on patient data privacy, data security, access to information, and cyber security.
Each of these is constantly being updated to keep pace with a rapidly changing risk landscape. For example, this year HIPAA saw some significant updates to its patient privacy provisions and outlined stricter cyber security requirements. It gives patients greater control over their data and mandated risk assessments, incident response plans, data encryption requirements, and updated breach notification requirements. Keeping pace with these updates, assessing their impact on various processes and functions, and adapting internal controls and policies is a significant challenge.
Furthermore, there are federal, state, and local regulations and rules that apply to healthcare providers. Each state has specific reporting requirements regarding public health emergencies, infectious disease outbreaks, and specifying how long medical records can be retained. Some states may even have their own laws regarding patient data. For example, California has laws pertaining to data breach notifications that have to be complied with in addition to HIPAA. Healthcare providers must report relevant situations to their state or local agencies in the prescribed format in addition to complying with federal regulations.
Additionally, healthcare providers must be accredited by industry organizations such as The Joint Commission (TJC) that evaluates organizations on parameters such as patient care safety and healthcare management, Accreditation Association for Ambulatory Health Care (AAAHC), and Urgent Care Association (UCA). This shows that the provider meets quality and safety benchmarks set by the governing bodies. Meeting accreditation requirements, and complying with standards set by each of these bodies is a complex and challenging task.
2. Enterprise Risk and Incident Management
Healthcare providers have to efficiently manage risks unique to the sector, in compliance with the relevant regulations. In addition to compliance risks, healthcare providers have to be prepared to deal with risks related to patient care and safety as any lapses can have severe legal and financial impacts in addition to damaging reputation and trust. They must be cognizant of risks pertaining to medical instruments and devices in the form of potential malfunctions that impact patient care. There are also risks pertaining to insurance claims, frauds, phantom billing, and upcoding. They have to conduct risk assessments periodically to identify and mitigate potential compliance issues and threats. They also must have comprehensive incident management processes in place to report and respond to crises quickly and effectively. Risks ranging from business operations, third parties, cybersecurity, ESG, and health hazards must be managed effectively along with appropriate business continuity plans. The healthcare industry must move from compliance check-in-the-box activity to proactive risk management to thrive in the complex risk landscape.
3. Data Privacy and Cyber Security
Patient healthcare data and records are sensitive and subject to strict security, privacy, and protection laws. Healthcare providers have to ensure that their technology systems meet HIPAA standards, which may prove to be a daunting exercise, particularly for smaller organizations.
Regulations like the 21st Century Cures Act emphasize the need for seamless and secure data sharing. And so, organizations must ensure their electronic health record systems are updated, secured, compliant with regulatory standards, and capable of securely executing data exchanges. It is equally important to ensure that different healthcare systems are interoperable while maintaining data security and privacy. Organizations must also ensure that their technology systems are updated and compliant with the latest security and regulatory standards to protect patient information and ensure foolproof compliance.
Adding to the challenge is the fact that the threat landscape is continually evolving with bad actors increasingly leveraging advanced technology to launch sophisticated attacks. Protecting health care data under these conditions can be a Herculean task. In February 2024 alone there were 24 data breaches, the biggest of which was the breach at Medical Management Resource Group that compromised 2.35 million records. Hacking and ransomware continue to plague the sector and only four breaches affecting 10,000 or more records in February were not hacking incidents. Data encryption is important to protect healthcare records. But ensuring encryption both in transit and at rest to prevent unauthorised access is a challenge.
The rapid evolution of Artificial Intelligence technologies has the potential to transform healthcare. From early detection, faster diagnoses, and better treatment to improved monitoring, decision-making, research, and training, AI is already being leveraged to drive better healthcare outcomes. But, AI comes with a significant risk of data breaches. AI platforms process huge volumes of sensitive data and any vulnerabilities can be exploited by bad actors. Healthcare providers leveraging AI must be cognizant of the security risks associated with it and implement stringent data protection strategies.
4. Third-Party Risk Management
Healthcare organizations rely on numerous external vendors ranging from cloud service providers to billing companies, medical device manufacturers and suppliers, and more. Many of these have access to sensitive healthcare data and are subject to the standards set by HIPAA. This is also a vulnerability that can be targeted by hackers. Additionally, healthcare providers must monitor third parties for operational and ethical risks as well as such unavailability or disruptions to medical services, AML, bribery, and other malpractices. Third-party organizations are subject to data protection and privacy regulations such as GDPR and PCI DSS. Healthcare providers must monitor their partners’ compliance with all relevant regulations, as well as their overall risk management and mitigation strategies.
Managing third-party risk must be a crucial part of a healthcare organization’s risk management strategy. They must conduct regular due diligence with vendor risk assessments and security assessments. Compliance with all relevant regulations and standards, and risk evaluation must be a contractual obligation for all third-party vendors working with healthcare organizations. In fact, the HITECH ACT extends HIPAA’s regulations to vendors and includes penalties for vendors for non-compliance. Healthcare organizations must regularly monitor their partners and conduct comprehensive and periodic audits to ensure ongoing compliance. Establishing BAAs with vendors to ensure compliance with a wide range of regulations is advisable, but managing third-party risks adds to the significant compliance challenges of healthcare organizations.
5. Continuous Monitoring and Reporting
Healthcare providers are operating within a regulatory landscape that is continuously evolving and they must ensure error-free compliance. They have to monitor the regulatory landscape on an ongoing basis to keep pace with emerging regulations and have the capability to adapt and map new regulations and updates to existing practices and controls. Continuous and automated monitoring of risks and controls is crucial for enabling real-time risk assessments, quick decision making, and faster, more effective mitigation efforts. They must have rationalized internal controls to mitigate risks and ensure compliance. They must have automated processes to onboard new third parties and carry out due diligence to ensure there are no gaps in compliance. They must also conduct regular digitized audits and continuous monitoring of compliance processes to ensure there are no gaps. Maintaining compliance reports, logs of security events and communicating with regulatory authorities is another key task for organizations.
Power-Up Your GRC Program with MetricStream
MetricStream’s Healthcare solution is purpose-built to help organizations in this highly regulated industry adopt and implement a streamlined, automated, and integrated approach to GRC. Healthcare providers can leverage advanced capabilities for managing regulatory compliance, enterprise risks, including cyber and third-party risk, and internal audit, to improve their overall risk and compliance posture and drive better-informed decision-making.
With MetricStream, your organizations can effectively:
- Improve risk visibility with faster response to perceived risks, automate capture and management of regulatory changes
- Streamline and digitalize GRC activities across the three lines of defense
- Enhance cyber resilience with 360-degree visibility into cyber risks, threats, vulnerabilities, risk exposures, and compliance violations
- Simplify and improve third-party risk management with automated processes for onboarding, real-time monitoring and control assessments
- Prioritize internal audits with risk-based audits and automate audit reporting
Interested to find out more? Request a demo now.
Jump to Topic
Related Resources
Blogs
GRC Success Story: How dnata Integrated Firm-Wide GRC Processes with MetricStream
- Audit Management
- 16 July 24
4 min read
Introduction
At the recently held GRC Summit 2024 in Baltimore, David Story, Vice President Health, Safety, & Environment, dnata, provided the audience with a detailed overview of their GRC journey experience with MetricStream.
Dubai National Air Travel Agency (or dnata) was established in 1959 through a government decree. It set up its first international business in 1993. Gradually, over the years, it has seen significant growth across all its business units.
Here are the excerpts from David’s session on “dnata’s Integrated GRC Transformation”.
GRC Program Objective
David: Our foremost priority is safety and security. Through a series of SMART objectives, we're building a best-in-class, health, safety, and environmental system, or HSE ecosystem, as we call it. Over the next few years, up to 2027 and beyond, through our medium-term plan, we are striving for a best-in-class or world-class status, and central to delivering on that goal is the effective use of our GRC platform.
Within dnata, MetricStream is the product that we use, and we have done a number of modifications and upgrades through MetricStream over the years. We refer to it within the company as “dnatahub”, which is everything we do from a GRC perspective.
So, in terms of why GRC is so important to us -- central to that is our safety management system, or SMS. SMS is essentially the bedrock of everything that we do across four key pillars -- safety policy, risk management, assurance, and promotion. To be able to deliver on the requirements of our SMS, our dnatahub platform is absolutely central to achieving those goals.
GRC Journey with MetricStream
David: So, how has the dnatahub platform evolved over the last few years?
We're now into the 9th year of our partnership with MetricStream, beginning back in 2015 along with our “Global One Safety” initiative. The first pillar in that strategy was rolling out Incident Management, which allowed us to have one platform for reporting safety occurrences across local businesses.
In 2018, there was global expansion – we introduced new applications within dnata in addition to incident management and reporting.
In 2020, we started moving into the continuous monitoring phase, which saw the likes of our Documentation Management System (DMS). We also introduced surveys and inspection through the auditors. We would go out there and report safety hazards and threats to our organization. This was across all three of our operational divisions.
The beauty of DMS is that it can be accessed by any of our team in the world who got access to Office 365 accounts. Examples of a DMS document could be a global safety alert, a new manual, a guideline document, or a new operational standard. All of those are published through DMS and are automatically and electronically tested within the system as well. So, for auditing purposes, it's very, very efficient.
We also launched Observation Management as well. And, through Issue and Action Management we can assign tasks and actions to our businesses around the world.
We're now moving into Phase IV, as we call it, looking at how we scale up as we continue to build our business. We are currently two weeks away from the launch of the Euphrates upgrade as well.
We've built a very strong partnership with MetricStream, and we've now established a very strong governance model as well in terms of performance monitoring.
Business Value Realized
David: What's been key to success is keeping things simple. One of the worst things you can do in my role as a safety professional is over-complicate how you manage safety within your business.
In terms of just some numbers, we have got:
- 20,000+ documents hosted within the DMS platform
- 10,000+ mobile users (around 14,000 to 15,000 currently)
- 40,000+ audit and survey documents accessible within the platform
What gives me great confidence is 400,000+ observations. We actively encourage -- from our leadership level all the way down to the front line -- to report any unsafe behaviors and actions within our business. What we've seen over the last 2-3 years is a considerable increase in the number of safety reports within the business. So that leads to a much more positive and safety-aware culture.
Looking Ahead
Over the next few years, we've got some really interesting challenges coming our way. You would have seen the announcement about the new airport project in Dubai. The target is 2033 for the opening of the new terminal with a capacity of 250 million passengers a year. We already have that airport as we have for the last 10 years, and this will be a significant upgrade to be the world's largest international gateway.
We have two to three new businesses that are going to be coming online towards the end of this year, including a particularly large business in Italy. And it's essential that we look at how we scale up to meet that demand, because we could have potentially 3,000 to 4,000 users within dnata by the end of this year.
Also Read:
Jump to Topic
Related Resources
Blogs
AI Regulation Trends: Your Guide to AI Policies in the US, UK, and EU
- GRC
- 03 July 24
8 min read
Introduction
The rapid evolution of Artificial Intelligence (AI) and particularly Generative AI has opened up new opportunities, and prospects of development and inclusive growth. But, in the wrong hands, AI can unleash fraud, discrimination, disinformation, stifle healthy competition, disenfranchise workers, and even threaten national security. The United States of America, the European Union, and the United Kingdom have taken the first steps to regulate the development of AI with a strong focus on data privacy, transparency, accountability, security, and ethics.
Here is a quick overview of the key regulations being implemented in these three regions, highlighting the main points to note.
The European Union’s Artificial Intelligence Act
The European Parliament adopted the Artificial Intelligence Act in March 2024, which will be fully applicable 2 years after entry into force. The objective of this Act is to standardize a technology-neutral definition for AI for future reference. Furthermore, the Act aims to ensure that AI systems within the EU are safe, transparent, traceable, non-discriminatory, environmentally friendly and monitored by people and not automation. The law uses a risk-based approach, with different requirements based on the level of risk.
Risk level definition: It defines 2 levels of risk and states obligations for providers and users depending on the risk level:
Unacceptable Risk AI Systems - These are considered to be harmful for people and will be banned:
- Cognitive behavioral manipulation of people or vulnerable groups
- Social scoring or segmentation of people based on behavior, personal characteristics or socio-economic status
- Biometric identification and categorization
- Real time and remote biometric identification such as facial recognition programs
There are some exceptions and rules established for law enforcement agencies.
High Risk AI Systems - AI systems that can negatively impact fundamental rights and / or safety of people:
AI systems used in products covered by the EU’s product safety legislation, such as toys, aviation devices and systems, cars, medical devices and elevators.
AI systems in specific areas that have to be registered with an EU database:
- Systems used for managing or operating critical infrastructure
- Systems used for educational and vocational training
- Those used to employment, employee management and access to self -employment
- Those that are involved with access to and utilization of essential private and public services and benefits
- Law enforcement systems.
- Systems involving migration, asylum, border control management
- Those providing legal interpretation and application of laws.
High-risk AI systems will have to be assessed before they can reach the market and will be assessed throughout their lifecycle. EU residents can file complaints with relevant national authorities.
Transparency requirements – While the Act does not classify Generative AI as high risk, it mandates transparency requirements and compliance with EU copyright laws:
- Disclosures that state the content was generated by AI
- Designing the model to stop it from generating illegal content
- Publishing summaries of copyrighted data used for training
Supporting Innovation – The Act aims to help startups and small to medium businesses leverage AI with opportunities to develop and train AI algorithms before public release. National authorities have to provide companies with suitable testing conditions that simulate real-world conditions.
United Kingdom’s Response to the White Paper Consultation on Regulating Artificial Intelligence
In February 2024, the UK Government announced its response to the 2023 whitepaper consultation on AI regulation. Its pro-innovation stance on AI follows an outcome-based approach with a focus on 2 key characteristics – adaptivity and autonomy – that will guide domain specific interpretation.
It provides preliminary definitions for 3 powerful AI systems that are integrated into downstream AI systems:
- Highly capable GPAI – large language models fall into this category. These are foundational models that can carry out a wide range of tasks. Their capabilities can range from basic to advanced and can even grow to outpace the most advanced models in use currently.
- Highly Capable Narrow AI- these can carry out a limited range of tasks within a specific field or domain. These can also meet or outpace the most advanced models in use today within those specific domains
- Agentic AI – this is an emerging subset of AI technology that can complete numerous sequential steps over long periods of time using tools like the Internet and narrow AI models.
It sets out five cross-sectoral principles for regulators to use when driving responsible AI design, development, and application:
- Safety, security, and robustness
- Appropriate transparency and explainability
- Fairness
- Accountability and Governance
- Contestability and Redress
The principles are to be implemented on the basis of three foundational pillars:
- Working with existing regulatory authorities and frameworks – UK will not be instituting a separate AI regulator. Instead existing regulatory offices such as the Information Commissioner's Office (ICO), Ofcom, and the FCA, will implement the five principles as they oversee their respective domains and use existing laws and regulations. They are expected to quickly implement the AI regulatory framework within their domains. Their strategy must include an overview of the steps taken to align their AI plans with the principles defined in the framework, an analysis of AI-related risks, and an overview of their ability to manage these risks.
- Creating a central function for risk monitoring and regulatory coordination – The UK has set up a central function within DSIT to monitor and evaluate AI risks and address any gaps in the regulatory environment. This is because AI opportunities and risks cannot be addressed in isolation.
- Foster innovation via a multi-agency advisory service – A multi-regulatory advisory service, the AI and Digital Hub, will be launched to help innovators ensure complete legal and regulatory compliance before they launch their products.
Blueprint for an AI Bill of Rights by the White House Office of Science and Technology Policy
The White House Office of Science and Technology Policy has formulated the Blueprint for an AI Bill of Rights with five principles to guide the design, use, and deployment of AI systems. The includes:
Safe and Effective Systems
- Diverse communities, stakeholders, and domain experts should be consulted during the development of automated systems so that concerns, risks, and possible impact of the systems can be better identified
- Extensive pre-deployment testing, risk identification and mitigation, and ongoing monitoring to ensure safety and effectiveness
- Automated systems must be designed to proactively protect the American public from any negative impact due to unintended uses or impact of the systems. This includes inappropriate or irrelevant use of data in the design, use, and deployment of these systems
Algorithmic Discrimination Protections
- This happens when automated systems contribute to differential and unfair treatment of people based on their race, color, ethnicity, gender, medical condition, sexual orientation, gender identity, religion, disability or any other classification protected by law
- Designers and developers have to take proactive and continuous steps to protect the American public from such discrimination and ensure that systems are designed to be equitable
- This must include proactive equity assessments as part of the system design, use of representative data, protection against proxies for demographic features, ensuring accessibility for people with disabilities, disparity testing and mitigation, and organizational oversight
- It also recommends independent evaluation and plain language reporting
Data Privacy
- Built-in measures to protect against abusive data practices and default measures to ensure individual agency over how personal data is collected and used
- Designers, developers, and deployers of such systems must secure individual consent regarding the collection use, transfer, access, and even deletion of personal data
- Consent collection mechanisms must be brief and in easily understood language
- Data pertaining to sensitive domains such as healthcare, education, criminal justice, and finance, must be used only for necessary functions and be protected by ethical review and use prohibitions
- The American public cannot be subjected to unchecked surveillance and such technologies must undergo stricter oversight with pre deployment assessment of possible negative impact
- Continuous surveillance cannot be used in education, work, housing, or in other contexts where the use of such surveillance technologies is likely to limit rights, opportunities, or access
Notice and Explanation
- People must know when an automated system is being used and understand how it impacts them
- This must be communicated via plain language documentation with clear description of how the system works and its outcomes
- People must know when an outcome impacting them was determined by an automated system even when that system was not the only input determining the outcome
Human Alternatives, Consideration, and Fallback
- People should have the option of connecting with people to remedy any problems and should be able to opt out of automated systems to engage with a person instead
- Engagement with humans should be accessible, equitable effective and managed well with adequate operator training. It should not put additional burden on the public
- Automated systems in sensitive domains must be customized to provide meaningful access for oversight and include human consideration for high risk or negative decisions
In addition to these federal guidelines, several states are also formulating their own regulations. 17 states (California, Colorado, Connecticut, Delaware, Illinois, Indiana, Iowa, Louisiana, Maryland, Montana, New York, Oregon, Tennessee, Texas, Vermont, Virginia and Washington) have enacted 29 bills on AI regulation over the last five years.
Stay Ahead with MetricStream
AI technologies are here to stay and the world has to learn to use them safely for the betterment of humanity. Regulations for AI development and use are critical to protect populations from bias, discrimination and breach of privacy. AI technologies are evolving at an unprecedented pace, and regulators across the world are following suit with quick updates or new frameworks. Organizations need automated compliance platforms to keep pace with this rapidly changing regulatory landscape.
MetricStream’s Compliance Management can simplify and fortify enterprise compliance initiatives amidst a rapidly changing regulatory landscape. Gain greater visibility into control effectiveness and quick issue remediation with streamlined:
- Mapping of regulations to processes, assets, risks, controls, and issues
- Identifying, prioritizing, managing, and monitoring areas of high compliance risk
- Performing control testing and monitoring
- Creating and communicating corporate policies
- Identifying, capturing, and managing regulatory updates
- Generating reports with drill-down capabilities
Even as compliance management is simplified and streamlined, it is important to have a mechanism in place to keep track of rapidly evolving regulations. MetricStream’s Regulatory Change Management platform is a centralized framework that can help organizations capture, curate, identify, extract, consolidate, and manage regulatory changes and updates sourced from diverse providers.
Find out more. Request a personalized demo today!
Jump to Topic
Related Resources
Blogs
Enterprise GRC in Asia-Pacific: Trends, Challenges, and Opportunities
- GRC
- 26 June 24
6 min read
Introduction
With Asia-Pacific’s (APAC) economic growth surpassing expectations, businesses have much to be optimistic about. However, as regulations and risks in the region grow more numerous, the need for effective governance, risk, and compliance (GRC) has never been more pressing. APAC GRC professionals are being called upon to spot emerging risks, connect the dots, and help their organizations adapt swiftly to regulatory changes. GRC solutions that can help meet these demands at scale and speed will make all the difference.
I recently had the chance to host GRC Design Workshops in Malaysia and the Philippines in association with our strategic partners - HCLTech and Expleo respectively. The workshops, led by Michael Rasmussen, GRC Analyst & Pundit, GRC 20/20 Research, delved into a range of GRC areas, including the evolving risk and regulatory landscape in APAC, GRC challenges faced by organizations in the region, how technology and automation can help, and more.
Here are some of the key takeaways from the workshops, providing insights into the trends and opportunities likely to be encountered by GRC professionals as they gear up for the road ahead.
1. Constantly Changing Regulations
Keeping pace with regulatory change is no small feat. In the past three years alone, Singapore, Hong Kong, and Australia have either revised or issued new standards and guidelines around operational risk management and resilience.
Meanwhile, India enacted its first comprehensive data protection law in 2023 – the Digital Personal Data Protection (DPDP) Act, even as Japan substantially amended its own Act on the Protection of Personal Information (APPI), a year earlier.
Climate change too has been enveloped in a flurry of regulatory activity. Vietnam’s Law on Environmental Protection took effect in 2022, followed by Malaysia’s Energy Efficiency and Conservation Act in 2023.
2. Risks Galore
In addition to juggling regulations, APAC GRC professionals also have to navigate a growing variety of risks – including the Ukraine and Middle East conflicts that have strained global supply chains; extreme weather events like the floods in China and drought in India; the risks of deep fakes and misinformation associated with AI; and of course, the constant threat of a cyberattack. Incidentally, APAC experienced the highest year-on-year surge in weekly cyberattacks during Q1 2023, with an average of 1,835 attacks per organization.
Risks come from within the organization too – from changes to business objectives, structures, processes, employees, and technologies, as well as from the extended enterprise of suppliers, vendors, contractors, dealers, and distributors.
Getting these risks under control is key to strengthening organizational resilience and performance.
3. Connecting the Dots
If there’s anything we’ve learned over the past few years, it’s that everything is connected. A data breach in a third-party service provider’s system can disrupt entire supply chains, damage business reputations, trigger hefty regulatory penalties, and sometimes even shut down operations for days.
That’s why it’s so important to be able to see the big picture – to understand how risks impact and influence each other, how they affect compliance, and how they hinder or help the achievement of business objectives.
GRC offers that perspective. It enables organizations to understand the road ahead more clearly, make better-informed decisions, and capitalize on the right opportunities at the right time. In other words, GRC shouldn’t be seen as an afterthought, but an enabler of the business.
Challenges and Roadblocks
APAC GRC professionals tell us that these are some of the GRC challenges they face:
- Data silos: Risk and compliance data is scattered across disparate systems and business functions. So, organizations don’t have a clear view of their GRC universe.
- Inefficient processes: GRC data is manually managed through spreadsheets, emails, and other cumbersome tools that slow down risk efforts and limit efficiency.
- Lack of forward-looking risk visibility: When an organization’s sights are only fixed on the rear-view mirror, they aren’t able to anticipate emerging risks. Issues are managed reactively rather than proactively.
- Limited agility: With manual and siloed GRC processes, organizations can’t adapt quickly to regulatory and business changes. Nor can they coordinate and integrate GRC across business functions.
- Forgetting the G in GRC: Many organizations forget that GRC begins with governance – i.e., the achievement of objectives. Whether it’s an enterprise objective or a process objective, that’s what risks and compliance should be measured against.
The GRC Playbook: Six Winning Practices
Here are six ways to overcome the above challenges, and create a truly world-class GRC program:
- Automate wherever possible: Toss out those spreadsheets, and unlock new efficiencies by streamlining and automating your GRC processes. With automation, you can monitor risk exposure and compliance status in real time, and respond more proactively when issues Also, automating routine GRC tasks frees up more time for your teams to focus on value adding and strategic activities like risk analysis.
- Build a single source of GRC truth: Break down silos, and unify all your GRC data in a single system of record. Enrich that data by integrating information from other systems like ERP platforms, social media, transaction systems, threat and vulnerability scanners, and regulatory content feeds. The idea is to have complete horizontal and vertical GRC visibility across your enterprise through one platform. This can help you make better-informed decisions that optimize risk-reward trade-offs.
- Understand risk interconnectedness: Map your GRC data in such a way that users understand the relationships between various risks, regulations, policies, controls, third parties, ESG (environmental, social, and governance) elements, strategic objectives, audits, incidents, and cases. Having a connected view of GRC will help you target your risk management efforts and resources in the right place, in the right way, at the right time.
- Foster risk awareness across teams: Bring together your risk managers, compliance professionals, and auditors on one platform where they can seamlessly collaborate and exchange GRC insights. Empower your front line with simple, intuitive GRC tools to capture issues and risks as they arise.
- Enable continuous control monitoring and regulatory horizon scanning: Chances are that you can’t manually monitor all your controls and regulatory changes all the time – even though you need to. So, choose a continuous control monitoring (CCM) tool that can automate the process. Go from periodic, sample-based testing models to always-on monitoring of full control populations. Couple that with regulatory change management software that can automatically capture alerts on proposed and anticipated legislation, as well as regulatory updates. So, you can adapt your compliance program faster.
- Use AI for richer insights: AI-powered analytics can unlock the full potential of your GRC and transactional data by connecting with multiple data sources, and drawing out insights faster. Use it to enable predictive and data-driven decision-making. You can even train AI models to identify risk and control deficiencies, patterns of over-testing and under-testing, and duplicate risks and controls that can be removed.
Transform your GRC program with MetricStream
MetricStream ConnectedGRC helps you build an automated, truly integrated, and collaborative approach to GRC. Reduce risk exposure with streamlined assessments and mitigation. Enable consistent compliance with robust control testing and reporting tools. Finally, achieve your objectives with ease using strong governance and policy management mechanisms.
MetricStream products are packed with best practice workflows, content, AI, and analytics to help you:
- Drive business growth and strategic differentiation through your GRC program
- Connect risk, compliance, audit, cybersecurity, and sustainability on one platform
- Improve GRC efficiency, reduce costs
- Protect your digital business from cyber risks and evolving threats
- Grow with purpose using ESG best practices
To learn how MetricStream can help you on your GRC journey, request a personalized demo today.
Jump to Topic
Related Resources
Blogs
How American Fidelity Assurance Enhanced Third-Party Risk Management and IT Compliance Functions
- GRC
- 19 June 24
3 min read
Introduction
At the 2023 GRC Summit in Miami, Tice Morgan, Senior Manager, Governance and Compliance, American Fidelity Assurance, discussed how they improved the management of their third-party risks and IT compliance processes, their transformation journey experience with MetricStream, and more. American Fidelity Assurance is a leading health insurance company operating in 49 states across the US.
Here are the excerpts from Tice’s session at the summit.
Challenges
Tice: A lot of our GRC needs were associated with simplifying our compliance program and also looking at how we could better control or at least assess our third parties.
We operate in 49 states, and what I found was that I'm answering the same questions for each of these regulators, sometimes on a quarterly basis, sometimes only on an annual basis. We really wanted to look at a compliance framework that we can customize to allow our organization to harmonize these controls. State once and then use many times.
Having a consistent approach to control and that consistent expectation of evidence has really been a challenge for our organization. And part of that is our ability to tailor our control efficacy and the frequency in which we operate. When the team comes in to test controls, they're going to test it once a year. They're going to do a small sample set. But if we look at the volume, and some of the issues that we've had like any large organization was things slip through the cracks. If they happen to sample one of those slips through the cracks, that control is going to fail for that year. So, what we're actually in the process of implementing it's a monthly control testing component so we can at least catch that up.
The Implementation Journey
Tice: Our GRC program today primarily focuses on third-party risk and IT compliance.
I wanted to start out really small. We started with the Third-Party Risk Management product, and that was a pretty quick deployment. For IT compliance, it's definitely more of a long-term strategy for our organization. And part of that is that the ecosystem is changing – especially on the privacy side.
One of the compelling features of the MetricStream Platform is that it has really helped us enable our organization to be a little bit more efficient and a little bit more consistent about how we support our compliance and our third-party program.
Business Value Realized
Tice: From a key learnings and best practices perspective, one of the things that I always stress is to keep it simple. We had 137 controls when we started, and we've been able to whittle that down to 68 key controls that primarily address the majority. There are always those one offs, and we do accommodate for some of those. But I think those should be more the exception versus the rule.
The other element is to explain, educate, collaborate, and then automate. I will admit that I look at automation in two ways. There are always the technology automation components, system interaction, and API integration. Those are all good, but in a lot of cases, automation can also be just process efficiency.
The other thing is best practices – really understanding the mechanics of what you are trying to assess. The other element is identifying key source systems and reporting requirements. I really can't stress this enough, because in a lot of cases, there are a lot of systems, and getting the data out of those systems [is critical]. The GRC platform that you’re implementing is only a component of your overall compliance function.
The one thing that it does allow us to do is facilitate continuous control monitoring. In a lot of cases, we are working to test controls on a monthly basis. That way, even though our external regulators are going to do it in a quarter or on a yearly basis, we know in advance that we’re going to have an issue with that control. We can go do the awareness, we can go to the communication, the training, augment that control, or refine that control to make sure that evidence is going to be good for us. So, we catch it before the regulator or our internal audit team assesses it. It also allows us to reduce our overall control expectations and the ability to reuse controls for certain things.
You can watch the complete session here:
Find out how we can help you on your GRC journey. Request a personalized demo today!
Jump to Topic
