Blogs
May 2022 in GRC: The Latest from the GRC Universe
- GRC
- 01 June 22
6 min read
Introduction
Organizations today need to keep a close eye on the constantly changing Governance, Risk Management and Compliance (GRC) landscape. Newer and diverse risks, including increasing cyber risk, pandemic-related regulatory and policy changes, and risks associated with climate change now present a very real challenge that organizations need to prepare for.
Stay prepared for what’s next in GRC with our monthly round-up of the trending news and insights that you can use.
Building Resilience Remains Top Priority while Compliance Function Takes Center Stage
As the risk landscape expands, strengthening business resilience with enterprise and operational risk management remains a top priority for organizations. At the same time, regulatory requirements by governments and regulatory bodies has left organizations to deal with multiple layers of complex change, often happening simultaneously. This makes the compliance function an important priority for organizations of all sizes.
Here’s what has been spotted on the risk and compliance radar this month.
- As per a background document issued by the UK government alongside the Queen’s Speech there are plans for new direct legislation for tech providers.
- Three consultation papers titled "Outsourcing and third-party risk management" pertinent to Financial Market Infrastructures (FMIs) were published by the Bank of England.
- The American Institute of Certified Public Accountants (AICPA) Auditing Standards Board has voted to approve three new quality management standards. The standards will help improve the risk assessment procedure and audit quality.
- Canada’s federal financial institutions regulator, the Office of the Superintendent of Financial Institutions (OSFI), has released Draft Guideline B-10: Third-Party Risk Management. This establishes OSFI’s third-party risk management expectations for federally regulated financial institutions in Canada (FRFIs) and also sets down industry best practices.
- The Prudential Regulation Authority, UK, has formulated next steps for firms establishing their operational resilience roadmap in preparation for the March 2025 deadline.
- The fifth edition of the Regulatory Initiatives Grid, which sets out the planned regulatory initiatives for the upcoming months, has been published. This helps firms in the financial services industry and other stakeholders plan for operational impact due to the initiatives and the timing of the initiatives.
Other trending risk and compliance topics include, the publishing of the 2022 Interos Annual Global Supply Chain Report, which highlighted that only one-tenth of the survey respondents monitor supplier risks on a continual basis and the PwC Global Risk Survey, where 65% of survey respondents are increasing their overall spending on risk management technology.
Mitigating Cyber Risk Increases in Importance
With cyber actors continually improving the level of sophistication of cyber attacks, cyber-risk mitigation is now the top priority for organizations, governments, and regulatory authorities. In the month of May 2022:
- Cybersecurity authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom coauthored a joint Cybersecurity Advisory titled “Weak Security Controls and Practices Routinely Exploited for Initial Access.” The advisory will help organizations identify commonly exploited controls and practices. It includes cyber risk best practices to mitigate the issues.
- The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), in partnership with cyber agencies from the UK, Australia, Canada, and New Zealand, released an advisory titled “Protecting Against Cyber Threats to Managed Service Providers and their Customers” in response to the increase in malicious cyber activity targeting MSPs.
- In response to the Presidential executive order in the US, the National Institute of Standards and Technology’s (NIST) has revised its publication, titled “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.” The revised publication provides greater guidance on identifying, assessing, and responding to cyber risks throughout the supply chain.
- In what has been lauded as one of the world’s first, the European Council and European Parliament signed a provisional agreement for the establishment of the EU Digital Services Act (DSA), which is designed to build cyber resilience by following the principle that what is illegal offline must also be illegal online.
- The European Council and the European Parliament will replace the current NIS (Network and Information Security) directive with NIS2. NIS2 is set to enable both the private and public sector build cyber resilience and incident response capabilities.
- The European Council and the European Parliament have reached a provisional agreement on the Digital Operational Resilience Act (DORA). The act will help enterprises build cyber resilience and prevent and mitigate cyber threats.
In other IT risk and cyber risk news, Rob Joyce, the head of cybersecurity at the U.S. National Security Agency, is “still very worried” about the escalated cyber risk arising from the Russian-Ukraine war. For CISOs, this translates to continuing to track the conflict and putting measures in place to mitigate any direct attacks and cyberattack spillovers. The judgement by the Federal Court of Australia in the Australian Securities and Investments Commission v RI Advice Group Pty Ltd, has now made it clear that the failure to manage cyber risk is a breach of financial services obligations. This has led to the Australian Securities and Investments Commission (ASIC) publishing a guidance note on the critical cyber risk measures that AFSL holders are now expected to have in place.
Climate-Related Risks, Sustainability, and Greenwashing Make ESG Headlines
The importance of assessing risks from climate change, environment, and social equity continues to create a lot of conversation. The top highlights include:
- The European Financial Reporting Advisory Group (EFRAG) has published the first draft of its sustainability standards for public consultation. The final standards are scheduled to be sent to the European Union's executive European Commission by November 2022 for adoption. This will be a significant as business will be required to disclose information on how ESG risks impact their business and their externalities.
- The climate-related risks of 12,000 supplier sites has been studied in a joint project by supply-chain-mapping company Resilinc and the University of Maryland’s Supply Chain Management Center and Earth Systems Science Interdisciplinary Center. The study reported that 93% of the supplier sites in China and Taiwan were experiencing increases in climate variability.
- The Taskforce on Nature-related Financial Disclosures (TNFD), which consists of corporates, financial institutions and service providers backed by the UN, released a prototype framework, which closely mirrors TCFD. This aims to help public and private companies with assessing and communicating the financial risks of nature loss.
- A new report by the Financial Stability Board (FSB) has been published. This aims to assist supervisory and regulatory authorities as they devise approaches to monitor, manage and mitigate risks arising from climate change.
To be noted is the new survey report by Deloitte, which reports findings on how climate, sustainability, and social equity are now important considerations when it comes to shaping infrastructure plans. Also, various global regulators are aiming to bring new reforms to tackle greenwashing and promote greater transparency in environmental, social, and governance investments.
Thrive on Risk with MetricStream
MetricStream empowers organizations to drive a connected GRC program. Leverage ConnectedGRC, and our BusinessGRC, CyberGRC, and ESGRC product lines, to better identify, assess, manage, and mitigate strategic risks, operational and enterprise risks, IT and cyber risks, third-party risks, compliance risks, and ESG risks.
Interested to learn more? Request a demo now.
Jump to Topic
Related Resources
Blogs
Test Automation at MetricStream - Efficient, Scalable, and Fast
- GRC
- 28 April 22
4 min read
Introduction
“Winners don’t do different things. Winners do things differently” is a popular quote that perfectly demonstrates MetricStream’s test automation strategy.
Today, test automation is increasingly being preferred over manual testing since it increases efficiency in the software development process while enabling more robust products to be built. Additional benefits include higher test coverage, faster feedback cycle, improved accuracy, elimination of human error, with business advantages of reduced expenses and faster time to market.
However, the general trend being applied for test automation in the industry comes with its own set of challenges. This is where MetricStream has followed a different approach—one that is more efficient, scalable, and fast.
This blog examines the problems associated with the traditional approach followed by the industry and dives deep into MetricStream’s unique approach and the advantages it brings.
Why the Traditional Approach to Test Automation Does Not Work?
The general approach in IT industry is to have test automation led by the QA team. In the QA team one/multiple QA engineers write and maintain the automation script. However, this approach comes with several challenges including:
- The automation effort gets compromised and takes a lower priority. QA teams are required to focus on automation along with the testing. If there are delays in the deliverables or more bugs identified during testing, it takes multiple iterations for the QA team to test and certify the feature.
- A lot of effort is required for the maintenance of the script when there are changes in the features. This is because QA teams usually write automation scripts for each UI screen (form/report) and also tend to write multiple scripts for each use case within the same screen.
- The automation needs to be updated and maintained along with the features. This leads to QA teams to investing more effort in scripting/coding instead of their core competency. i.e. coming up with various scenarios in the testing of a feature.
- Standardization of the common libraries and programming techniques become difficult. The challenge is amplified when many teams are writing code for their specific Platform / Product feature.
- Short deadlines for configuration and UAT cannot be met. The teams implementing the product have very short deadlines for configuration and UAT. QA teams will not be able to plan for a separate automation cycle due to the short timelines.
Automation at MetricStream- A Unique and Efficient Approach with AutoMetric
The automation approach followed at MetricStream efficiently addresses all of the above problems. By developing an inhouse tool/product AutoMetric, MetricStream ensures the test automation needs of the entire organization are catered to. At MetricStream, a separate team of highly skilled developers build the tool and support QA teams to run/adopt the automation. This allows QA teams to focus more on test scenarios than worrying about writing automation tests.
Here’s a quick glimpse into automation at MetricStream:
- MetricStream Products are built on top of the MetricStream Platform using AppStudio, a Rapid Application Development (RAD) IDE.
- AppStudio allows the creation of various objects like Forms, Reports, Charts etc., in a standard fashion.
- Details about object fields, their rendering order, and type of the fields are stored in the platform as metadata during the design of various objects.
- The automation tool, AutoMetric, generates a “testdata” sheet for each object (Form/Report etc,) based on the metadata stored. This is a blank data sheet with only metadata information about the objects. The tool uses Page Object Model (POM) design pattern.
- QA team populates the “testdata” sheet by providing the test data associated with an object.
- QA team also populates the “testdata” sheet with predefined keywords for operations to be performed (click, set, verify).
- AutoMetric picks the “testdata” sheet as input, validates the associated data, generates the automation steps, runs the automation tests, and publishes the report.
Why the MetricStream Test Automation Approach is Better?
MetricStream’s test automation approach is better than the traditional approach for multiple reasons. Listed below are a few benefits:
- Reduced time in running System Integration tests: Using the tool has helped achieve a 500% improvement in execution time of System Integration tests, as compared to the traditional approach.
- Increased ROI: The AutoMetric tool is built with a holistic approach that caters to the automation needs of both the Product Development and Implementation teams. This essentially translates into automation being achieved with lesser effort as compared to the traditional approach, providing a far better ROI.
- More reliable automation runs: Since the tool is developed using a Page Object model, the code is modularized and more maintainable. Hence the automation runs are more reliable.
- Ability for QA teams to focus on core competencies: QA teams can focus more on exploring test scenarios instead of worrying about writing automation scripts and maintenance of those scripts.
MetricStream AutoMetric: Powering What’s Next in GRC
Test automation enables not just the saving of time and money but more importantly the delivering of higher quality products. At MetricStream, our unique and efficient approach to test automation ensures robust BusinessGRC, CyberGRC, and ESGRC products that empower your organization to effectively address and stay ahead of evolving business and market needs.
Jump to Topic
Related Resources
Blogs
Be Resilient, I Whispered to My Car
- GRC
- 05 April 22
4 min read
Where There is no Resilience, There are no Results
It’s that time again. I have to give my car in for service and I am adamant that it will be a routine check. There is nothing wrong. The engine roars, there are no warning lights, and the effortless drive in recent times has been particularly smooth.
Still, in the back of my mind, I have this niggling thought that they will find something that needs changing, replacing, or updating.
I know I should not be thinking like this, after all, it’s for my benefit. A car has many parts that need to work in tandem. If there is no battery, your car will not start, if there is no alternator your battery won’t charge, and if there is no petrol, you are not going anywhere. The resilience of a car which comprises of 30,000 parts – is incredible!
Now here is the dichotomy. Similar to cars, organizations need to demonstrate resilience, and work in tandem with other departments, technology, and processes to ensure their critical business operations continue when faced with adverse risk events.
In a recent webinar, I interviewed an ex-Chief Risk Officer and our SVP of Product to decode ‘resilience’ and ‘cyber’. Two pressing words that are shaping boardroom discussions and encouraging regulators to act fast.
Watch the Webinar: Strengthening Resilience with Effective Cyber and Enterprise Risk Management in 2022
Some of the questions that I posed to my panelists include:
- How should organizations manage cyber risk in line with their Enterprise Risk Management?
- What is the difference between Operational Risk and Operational Resilience?
- What is the impact of cyber risk on an organization’s resilience?
- What is the importance of real-time intelligence to be agile?
- How do you use technology to build resilience?
Operational resilience is a firm’s ability to prevent, detect, respond to, recover, and learn from operational disruptions that may impact the delivery of important business functions and services.
Organizations need to think beyond traditional risk management programs and start focusing on strengthening operational resilience. This requires a better understanding of the overall risk profile and appetite through risk quantification, the agility to quickly adapt to the evolving risk landscape, and the ability to minimize the impact of any risk event, recover quickly, and ensure continued business operations in the aftermath of the event.
In the UK, the Financial Conduct Authority, Bank of England, and Prudential Financial Authority are working toward this and implementing regulations and guidelines. In the EU, draft legislation Digital Operational Resilience Act (DORA) has been published, and in Germany, the IDW PS 340 n.F. has been revised.
In the U.S, the Federal Bank regulatory agencies released a paper outlining sound practices for large banks to help them enhance operational resilience and several main financial authorities in the APAC region are stepping up their resilience practices.
How MetricStream Operational Resilience Benefits You?
MetricStream has a clear solution to help you build Operational Resilience, enabling you to:
- View and manage interconnected risks across the organization with a single view of all critical processes and associated key risks
- Leverage proactive risk management with forward-looking risk visibility using predictive risk metrics and indicators that help anticipate and prevent adverse risk incidents
- Stay ahead of threats and vulnerabilities with early warning notifications and proactive remediation mechanisms
- Manage business disruptions and ensure continuity of operations with an accurate picture of third parties and their risk impact on the business
- Support agility and risk-based decision-making by leveraging a single view of the top risks faced by the organization across the first and second lines of defense, through the use of real-time actionable insights.
- Reduce losses and be prepared for adverse risk events through proactive control structures and analytics, and be able to take mitigating actions on failed controls
- Strengthen confidence with regulators and executive management by establishing a strong risk data governance and issue reporting framework with clear lines of accountability
MetricStream’s ConnectedGRC is designed to help you improve resilience and agility through an integrated approach to compliance and risk management that enables you better define, manage, and channel risk to your advantage. Our CyberGRC product line proactively and intelligently manages cyber risk by enabling users to view and aggregate cyber risk data from across the enterprise, including third and fourth-party vendors. Organizations are empowered to build cyber resilience by using the actionable business intelligence to make data-driven decisions.
You can learn more or book a demo here.
In my next blog, I will be discussing ESG and what this means to risk owners and governance structures—which makes me think, for my next service should I be driving an electric car?
Stay safe.
This blog is part of the Instagram of Risk Blog Series, authored by Suneel Sahi, VP, Product Marketing at MetricStream, which captures discussions and insights trending in the risk community.
Check out Suneel’s other ‘Instagram of Risk’ ’blogs:
If You Think Compliance is Expensive, Then Try Non-Compliance
An Ounce of Prevention is Worth a Pound of Cure
Don’t Aim To Be Perfect, Aim To Be Anti-Fragile
Jump to Topic
Related Resources
Blogs
Beyond Buzz Words - What’s New in the World of Risk, Resilience, and ESG?
- GRC
- 23 March 22
4 min read
Introduction
The last two years have been nothing short of a roller coaster. We stepped into 2022 with a lot of uncertainty around the COVID-19 pandemic as newer variants and sudden outbreaks in various pockets around the globe continue to keep optimistic sentiment in check. Added to these are the uncertainties surrounding geopolitical tensions that upended global stock markets, heightened cyber threats, and worsened supply chain woes. Businesses, still coming to terms with the post-pandemic era, are now wary of what’s next. As the first quarter of 2022 is coming to a close, let’s find out what made it to the headlines, through the Governance, Risk and Compliance (GRC) lens.
Top Risks for 2022
According to the World Economic Forum Global Risks Perception Survey (GRPS) 2021-2022, the three most potentially severe risks over the next 10 years are all related to environmental factors – namely, climate action failure, followed by extreme weather, and biodiversity. With regards to the “scars of COVID-19”, the WEF observes, ‘“Social cohesion erosion”, “livelihood crises” and “mental health deterioration” are three of the five risks that have deteriorated the most globally through the crisis, according to the GRPS. These three risks—and the pandemic itself (“infectious diseases”)—are also seen as being among the most imminent threats to the world.’
In its Risk Management Predictions for 2022, the Global Association of Risk Professionals (GARP) said that interest rate risk, regulatory changes, supply chain disruptions, credit risk, and human capital risk are the top areas of concern for risk professionals this year.
Gartner identified poor and inadequate talent strategy – recruiting and retaining talent – as the top emerging risk for organizations. The research and consulting firm said that the constant turnover can lead to multiple organizational disruptions, including degradation of workplace culture, loss of institutional knowledge, and more.
Cyber risk continues to be a top concern for organizations across industries. A number of government and security agencies have recently issued regulatory guidance to help organizations boost their cybersecurity measures. For a deeper dive, read our blog, Boost Cyber Resilience – Here’s What Cybersecurity Agencies are Recommending.”
Earlier this month, Gartner listed the top seven security and risk management trends for this year. This includes attack surface expansion, digital supply chain risk, identity threat detection and response, distributing decisions, beyond awareness, vendor consolidation, and cybersecurity mesh.
Discover the top GRC trends of 2022. Download 8 Key Trends Powering 2022 and Beyond.
Growing Focus on Agility and Resilience
Strengthening business resilience has become a key focus area for organizations, particularly in the post-pandemic world. Local regulators too are issuing guidance and framework requirements to ensure that organizations have the necessary measures in place to continue critical business operations when faced with any risk event.
Earlier this month, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released new guidance on “Enabling Organizational Agility in an Age of Speed and Disruption.” The guidance underscores how organizations can succeed by becoming “more anticipatory, agile, and adaptable.”
In the UK, the Prudential Regulatory Authority’s (PRA) new rules – SS1/21 and SS2/21 – on operational resilience, third party risk management, and outsourcing will come into force on 31 March 2022. Announcing its 2022 priorities for international banks active in the UK, the Prudential Regulation Authority (PRA) said that firms must have identified and mapped their important business services, set impact tolerances, and initiated a scenario testing program by 31 March 2022.
The ESG Conversation
Environmental, social, and governance (ESG) factors have become a talking point for regulators and businesses alike.
On March 21, the U.S. SEC was scheduled to vote on proposed rule amendments that would require SEC-registered companies to disclose certain climate-related information. The regulator said that the proposed disclosures are “similar to those that many companies already provide based on broadly accepted disclosure frameworks, such as the Task Force on Climate-Related Financial Disclosures and the Greenhouse Gas Protocol.”
In January, the European Banking Authority (EBA) published the final draft implementing technical standards (ITS) on Pillar 3 disclosures on ESG risks. By setting mandatory and consistent disclosure requirements, the EBA ESG Pillar 3 package will help institutions to address the shortcomings of their current ESG disclosures and will also help establish best practices at an international level, the EBA said.
Last month, the European Commission (EC) adopted a proposal for a directive on corporate sustainability due diligence. The new rules set out due diligence obligations for companies to identify, prevent, end or mitigate adverse impacts of their activities on human rights and on the environment.
Are you Building an Enterprise ESG Program? Here's How Technology Can Help You Succeed
Looking Ahead
The risk and regulatory landscape continue to evolve at an unprecedented pace. Nobody can be sure about what’s in store for GRC professionals over the next three quarters. Organizations can, however, enhance their risk visibility and foresight and become future-ready by leveraging connected, agile, and tech-driven GRC solutions. To request a personalized demo, click here.
Jump to Topic
Related Resources
Blogs
Banks Have Passed the ‘Test of Resilience’. But What’s Next in GRC for Banking and Financial Services in North America
- GRC
- 11 January 22
3 min read
Introduction
After the 2008 financial crisis, the COVID-19 pandemic emerged as the most recent ‘test of resilience’ for the banking and financial services (BFS) industry. Thanks to the stringent regulations, the nature of its business, and relevance in the economy, the industry at large has demonstrated resilience towards the many risks that emerged out of the pandemic. Whether it was implementing and supporting employees to work remotely or quickly scaling existing technology systems to serve customers bound by social distancing mandates—BFS companies with robust risk management practices were able to pass the test and bounce back.
Now, as we move forward, regulators and key industry players are shifting their focus on operational resilience in order to respond and not react during future crises. The Deloitte Centre for Financial Services Global Outlook Survey 2020, found that many banks are currently pursuing different initiatives to build efficiency. 47% of banks in North America have decided to implement technology as part of the different actions planned over the next 6-12 months.
BFS Companies in North America Face New GRC challenges
Since the COVID-19 outbreak, the sudden onset of remote and hybrid working models, accelerated digitization efforts, growing adoption of cloud computing, and increased dependence on third-party providers have initiated a new set of GRC challenges.
Key concerns that BFS companies in North America will need to prepare for include the:
- Expanding cyber threat landscape, owing to large-scale migration to remote work, digital interconnectedness of BFS organizations, cloud concentration, and over-dependency on a single service provider for critical services.
- Growing complexity of the extended ecosystem, due to the increased dependency on vendors such as payment gateways, core banking systems, trading applications, business consultants and contractors, service providers, and other vendors for day-to-day operations and services.
- Increasing regulatory pressure, due to the need for BFS companies to comply with a growing number of regulations and standards including Basel III’s risk-weighted capital requirements, the Bank Secrecy Act, Dodd-Frank Act, Foreign Corrupt Practices Act (FCPA), as well as those mandated by the Federal Financial Institutions Examination Council (FFIEC), the Federal Reserve Board, the Securities and Exchange Commission (SEC)), and many others.
- Emerging and constantly evolving risks, augmented by the fast-changing business landscape with geopolitical power shifts, growing instances of natural calamities, pandemic-driven global economic slowdown, and strategic risks brought on by growing digitization and disruption by FinTech startups.
Read More: What’s Next in GRC for Banking and Financial Services Industry in the Americas
Powering What’s Next in GRC—The Key to Strengthening Operational Resilience
As BFS industry leaders decide on key strategies to strengthen resilience, it is important to note that building resilience should go beyond the traditional approach to risk management. A new approach should include:
- Accurate understanding of the overall risk profile and appetite through risk quantification
- Adequate agility to quickly adapt to the evolving risk landscape
- Amplified ability to minimize the impact of any risk event, recover quickly, and ensure continued business operations in the aftermath
Risk is inherent to any business and if organizations are looking to achieve resilience, they need to build a better response strategy by taking all aspects of GRC into consideration. Since the end goal of implementing a GRC program is to stay resilient when faced with any disruption or risk event, it is vital for BFS companies to be empowered by ‘what’s next’. For BFS companies looking to achieve operational resilience, they will need to consider integrated GRC programs, advanced technologies such as AI/ML, risk quantification & analytics, continuous monitoring, and more.
True to the popular saying, “with crisis comes opportunity”, is the post-pandemic era which offers the perfect opportunity for BFS companies to relook, realign, and reimagine their GRC frameworks for long-term resilience.
Download the eBook to read more about the GRC challenges faced by BFS companies in North America and how you can stay ahead by leveraging what’s next in GRC.
Request a demo to learn more about how the MetricStream Operational Risk Management software can enable you to streamline your operational risk management function—empowering your organization to make risk-intelligent, real-time business decisions while improving business performance and reducing losses.
Jump to Topic
Related Resources
Blogs
MetricStream’s Colorado Software Release is Out. 6 Innovations to Watch Out For
- GRC
- 15 December 21
5 min read
Introduction
Businesses operating in the new normal are facing a new set of challenges. Periodic disruptions to supply chain systems, increasing complexity in the regulatory landscape, the need to develop and sustain hybrid working models, and dealing with higher attrition rates, are just some of the many challenges that organizations are having to find long-term solutions for.
Another significant challenge is the intensification of cyber threats. Cyber risk ranked as one of the top risks in the World Economic Forum’s Global Risk Report 2021. Accelerated technological adoption in the wake of the COVID-19 pandemic has resulted in organizations facing novel cyber vulnerabilities on one hand with a rapidly expanding threat landscape on the other hand. This has resulted in a considerable urgency to address cyber risk, with most organizations elevating it to a strategic business issue.
We’re Listening at MetricStream
As businesses seek new solutions to effectively mitigate and manage risk, we at MetricStream are listening and taking note. Colorado, our latest software release builds upon previous releases with exciting new features, capabilities, and innovations— all driven by our customers and market trends.
Built to help organizations simplify how they manage, measure, and mitigate risk, MetricStream’s Colorado release leverages MetricStream’s deep domain GRC expertise and MetricStream Intelligence – a new ground-breaking analytics and AI-engine and framework – to equip your enterprise with new and simpler ways to assess and aggregate risks.
Given the urgent requirement for enterprises to effectively manage and mitigate IT and cyber risks, MetricStream’s Colorado release enables advanced cyber risk quantification. The software release also focusses on empowering you to effectively manage risks in the extended enterprise by deepening visibility into third and fourth-party risks. New AI-powered issue clustering capabilities, along with added intelligence, visibility, and an ongoing commitment to improving usability for an optimal user experience are other key highlights.
What’s New in Colorado Software Release
The MetricStream Colorado software release brings product enhancements to IT and Cyber Risk Management, Third-Party Risk Management, Risk Management, Regulatory Compliance, Audit, and the MetricStream Platform. Here are six innovations to make note of:
1. Advanced Cyber Risk Quantification and Simulation
Adding a dollar value to your cyber risk just got easier! The Colorado release now brings end-to-end capabilities to quantify risks in monetary terms using FAIR® and other models, as well as perform simulation and loss exposure analytics. Enterprises can now use hierarchical assessment factors, such as FAIR factors, that have parent-child relationships among themselves. This enables a response with probabilistic range-based estimates for factors – such as Min, Max, Most Likely, and confidence values -- resulting in a greater accuracy of input responses leading to dollar range-based estimates for Annual Loss Exposure. Monte Carlo simulations can also be run to predict the probability of different outcomes for the Annual Loss Expectancy.
2. Intuitive Risk Assessments
With Colorado, it now becomes both easier and quicker for you to assess risks—thanks to the newly introduced simple, intuitive risk assessment capabilities. The release brings simple, intuitive forms that make it easy for the lines of defense to perform a two-step assessment.
Risk Reporters can now perform preliminary risk assessments on-the-fly and the Risk Analysts and Managers can then furnish additional details and take appropriate actions. This new feature improves agility by simplifying risk identification and assessment while accelerating frontline adoption.
3. Streamlined Regulatory Change Impact and Compliance Risk Management
Here’s another highlight that makes it easier for your enterprise to ‘thrive on risk’! Enhancements in the Colorado release now make it easier to track what changes are required for policies, risks, and controls based on regulatory changes and perform compliance risk assessments. The Compliance Management product now supports an integrated Compliance Risk Assessment Framework, enabling a structured and systematic approach to manage organizational risks.
Your organization can now accurately understand risks and gain clear visibility into the top risks you face. With the Colorado release, the MetricStream Regulatory Change product has directly linked the GRC library objects to regulatory change and impact assessment. This makes it easier for your enterprise to assess the impact and update your policies and/or controls accordingly.
4. Expanded Visibility into Third-Party and Fourth-Party Risks
The extended enterprise is here to stay. Medium and large-scale industries now have vendors ranging anywhere between hundreds and thousands. This makes it difficult to gain complete visibility, which in turn increases the associated risk. With the Colorado software release, you can get an aggregated view of risk exposure across third and fourth parties since now associated fourth parties can be captured in the third-party profile. In addition, a new risk aggregation report provides visibility into the overall risk exposure – including these fourth parties and parents -- at the third-party level.
5. MetricStream Intelligence
Advanced technologies have enabled us to experience the future now. The Colorado software release empowers you to stay ahead by introducing MetricStream Intelligence—a flexible new analytics and AI platform that encompasses multiple calculation engines, AI/ML, and data science capabilities. The advanced analytical and AI engine enables multiple scoring models and data science tools, allowing the creation of any type of models and variables. MetricStream Cyber Risk Quantification is the first use case from MetricStream Intelligence, which will host and deliver multiple other scores, models, and AI-powered intelligence.
6. AI-Powered Issue and Action Management
Now enable your second line of defense to cluster issues for easy examination and insight. The AI-powered issue clustering capabilities, available with the Colorado release, uses AI/ML to ‘cluster’ issues, facilitating quick identification and action on insights – resulting in savings in time and effort as well as the strategic directing of resources.
Excited to know more about how the new features and functionalities in MetricStream’s Colorado software release can help you thrive on risk? Click here to read more.
Jump to Topic
Related Resources
Blogs
Transform Risk and Compliance Programs with MetricStream’s AI-Powered Insights and Recommendations
- Artificial Intelligence
- 01 December 21
3 min read
Introduction
As organizations look to harness the power of next-generation technologies and thrive in the era of the Fourth Industrial Revolution, the focus on data is now more critical than ever. It wouldn’t be wrong to say that it is data that runs the modern enterprise in today’s digitized world.
It’s often said that data is the new oil. However, data in itself cannot drive business value—it is only when it is transformed into actionable intelligence that it can enable effective decision-making.
That said, many organizations today lack common taxonomies and structured processes, resulting in unstructured data which is difficult to analyze. This is a major challenge for risk, audit, compliance, and IT & cyber teams as they end up spending most of their time going through this data rather than analyzing it for making strategic business decisions.
Streamlining the processes and workflow and automating them with the right set of tools and technologies is an absolute must for unlocking the true potential of data. By leveraging artificial intelligence (AI), organizations can quickly get insights, identify patterns, avoid duplicate effort, apply the right actions, and better focus on decision-making that helps the business.
Bringing AI to GRC
Organizations today operate in a complex and unsettled business environment with amplified digital interconnectedness of people, processes, systems, and organizations, rapidly evolving risk and regulatory landscape, geopolitical uncertainty, and more. Furthermore, recent risk events, such as the pandemic, have underscored the importance of a future-ready GRC framework as organizations had an extremely short window of time to act.
Here, AI can be a gamechanger. It can empower organizations to break free from the clutches of siloed operations and facilitate integration and harmonization. Most importantly, it can drastically improve the speed at which risk, audit, compliance, and IT & cyber teams can locate relevant data and information, thereby expediting quick and fact-based decision-making.
MetricStream’s AI-Powered Insights and Recommendations
AI is an integral component of the MetricStream Platform, deployed and operationalized using cloud-first practices, and can be used to build any model or automate any GRC use case. MetricStream currently offers pre-built AI-powered recommendations to transform and automate GRC processes. It automatically provides key recommendations to users based on the historical patterns, so that organizations can further improve user experience and drive intelligent business decisions.
Here are some of the areas where we are bringing AI capabilities:
Issue & Action Management: MetricStream uses the core strength of AI by leveraging semantic analytics with natural language processing that can be used to identify patterns in issues and actions that can originate from any program – be it enterprise and operational risk, compliance, audit, third-party, or IT & cybersecurity. MetricStream’s AI-powered issue and action management provides recommendations to categorize issues based on their semantic similarity and automatically recommends duplicate issues and best possible action plans based on historical trends and business context.
Smart Policy Search: MetricStream’s AI-powered smart policy search simplifies the task of searching for policies using a natural language processing (NLP) based semantic search. It improves search accuracy by understanding the searcher’s intent through contextual meaning.
Observations Triage: As organizations are increasingly enabling the frontline to capture observations, they will have to manage a large number of observations. With such a high volume of observations being reported, the triage process becomes tedious. MetricStream AI-powered recommendation automatically provides recommendations to classify observations as a case, incident, issue, or loss event. This enhances the efficiency of the triage team.
Risk Scoring of Third Parties: As part of risk assessments, third parties must periodically submit detailed SOC2 and SOC3 reports as evidence of robust compliance and controls in their infrastructure and security. MetricStream AI-powered recommendations for third-party risk can automatically extract content from SOC2 and SOC3 reports, compute, and risk rank the third parties based on the number and type of anomalies in the report.
To learn more about MetricStream’s AI capabilities, click here.
Jump to Topic
Related Resources
Blogs
Driving Forces Behind ESG
- GRC
- 16 November 21
4 min read
The Driving Forces of ESG
ESG – these are the most frequently spoken letters in boardrooms across the globe. From sustainable investing to emerging regulations, it is a burning topic for board directors, c-suite executives, and finance professional. Some see ESG as an evolutionary journey to become a better corporate citizen. Others see it as the brave new world of sustainable investing. This article will discuss some of the key challenges faced by risk and compliance leaders embracing the task of building corporate ESG programs. The road ahead for these pioneers is both exciting and murky. Building an ESG program is not a quick fix. It is tempting to sweep ESG under sustainability or environmental management. Others might simply categorize it as part of GRC. While both are correct, ESG is a delicate topic and requires more than just a one-size-fit-all solution. To understand ESG from the risk and compliance perspective, it is worth digging a level down to understand what the key driving forces are.
In just less than two years, the world witnessed major catalysts fueling the unprecedented acceleration of ESG. Growing concerns about lasting environmental effects. Widespread socioeconomic and human rights issues. Demand for greater corporate transparency. ESG carries material impacts and possesses the ability to influence the future of an organization. In 2020 alone, the US ESG ETF market saw a 318% year-over-year increase. Prior to 2019 or global COVID-19 pandemic, ESG investing was just merely a niche market, experiencing relatively insignificant growth. It is reasonable to assume that a significant portion of global capital is now being relocated from “weak ESG” companies to “strong ESG” companies at an exponential rate never seen before.
So what does “strong ESG” mean?
The growth of ESG investing has given rise to yet another problem - Greenwashing. Companies making inaccurate claims about their environmental and social responsibility efforts. This is not necessarily intentional or a toxic corporate behavior. ESG disclosure is inherently a tricky exercise. It involves a great deal of effort, time, and money. On top of that, there are very few guidance on which disclosure frameworks to use and how to use them. To further complicate the matter, regulators around the globe are starting to zero in on greenwashing. For instance, the European Union regulators launched a new set of ESG regulations in early 2021. The Sustainable Finance Disclosure Regulation (SFDR) sets mandatory disclosure requirements for financial market participants and financial advisers operating in the EU. These organizations will be required to follow specific mandates on how and what to disclosure on an annual basis. Compliance reporting has never been straight forward. From Sarbanes Oxley to GDPR, compliance leader around the world have seen their fair share of ups and downs navigating these turbulent seas.
There is yet another angle to consider. From institutional to retail investors, ESG index score has become a popular metric when it comes to investment decisions. An ESG index score is essentially the grade point average or credit rating of a company’s ESG performance. These figures don’t lie and are quite accurate. For instance, MSCI is a one of the leading investment research firms offering an ESG index score on over 2,800 companies. These companies are being assessed on thousands of ESG related data points and ranked against their peers. Investors leverage this research to understand the current state and potential long-term risk implications of companies. Index scores from different firms are typically used in conjunction for a broader perspective. This is an important consideration for the risk and compliance leaders managing ESG. Understanding the metrics and frameworks behind these index scores can not only help a company’s ESG ranking, but more importantly, keep risks under control and become a more sustainable company overall. These index scores should not be looked at as cheat-sheets for better ESG ranking. But rather guidelines to better corporate citizenship.
Global ESG assets are projected to exceed $53 trillion by 2025, more than a third of the projected total assets under management worldwide. ESG is expanding and by no means plateauing. These investment trends and regulatory changes are just the early stages. ESG investment products will continue to become more complex. Regulators will increase their focus on this matter. From the 2007-08 financial crisis to the COVID-19 global pandemic, and many challenges before; the answer is not a simple one-size-fit all solution. But a constant battle of wits and strength.
Learn more about MetricStream’s ESGRC product. Download the product overview to discover how MetricStream’s ESGRC product can get you started on your ESG journey.
Watch the video to gain a deeper insight into how MetricStream’s ESGRC product can help your organization take the next step in your ESG journey.
Jump to Topic
We settled in for another topical roundtable discussion, where the thoughts and real-life examples of how technology is an enabler in the GRC space were deliberated. In some instances, the dialogue went back and forth. One example of this was that the concern organizations face with risk was not always a technology one, but more of a transformational project that the organization needed to resolve. Accompanying this, was the remark that there are inconsistencies in risk terminologies across the industries, which fuels part of the problem. It was also surprising (to me) to learn that there were still so many organizations using spreadsheets to manage their risk. This was their default way to identify, monitor, and track risks, even though they knew it was not sustainable, efficient, or scalable.
And finally, concluding the week in Zurich, we had another full house with an engaging group that deliberated on how they can start a community of risk or as was suggested, the “Instagram of risk”. There were discussions around risk culture, accountability, accurate data, and mindset. Some customers admitted that it was quite possible to get lost in the data and what they require is speed, agility, and most of all simplicity. A comment was made that you could spend all your time managing documents and not the risk. Another referenced that as change management sits in all departments including HR and legal it can be a challenge to bring it all together for larger organizations. Crypto also made it in the discussion, with a notable mention that new risks have no historical data to base it on.