Introduction
We’re all standing on the precipice of tremendous change. The COVID-19 pandemic has impacted how we work and accelerated the pace of digital transformation by a decade or more. Not only are there myriad risks today – from heightened cyber risks in this digital-first and remote working environment to political risks from the highly unsettled geopolitical landscape, to the growing importance of Environmental, Social, and Governance (ESG) risks, and beyond – but they are also coming at us at incredible speed in this digitized world.
Exactly what’s next none of us knows – but by preparing and empowering ourselves and our teams, we can stay ahead of change and turn risks into opportunities. A proactive approach to getting our defense mechanism up and enhancing resilience is a must today to tackle the risks of tomorrow. At MetricStream, we help our customers “Power What’s Next.” Put simply, it means whatever’s around the corner, you have the capabilities to not only predict but also prevent or mitigate the unknown unknowns. So, what’s next for governance, risk, and compliance? Read on for the top trends – and power up your GRC for the future.
GRC: A Key Strategic Business Function
GRC, once a function that was managed independently from the rest of the business, is now a key strategic business function, driven by:
- Increasingly complex regulatory requirements, legal obligations, standards, and policies that, if not complied with, could cause significant reputational and financial loss
- The growing volume, variety, and velocity of risks that could hinder the achievement of strategic objectives
- Digital disruptions and new business models that introduce new risks while also amplifying the impact of existing risks
- An exponential increase in data volumes on security threats, risk, compliance, and issues that require quick analysis to draw out insights for decision-making
- Limitations of traditional GRC tools like spreadsheets that result in redundancies, overwhelming complexity, and insufficient risk visibility.
GRC Is Everyone’s Responsibility: Taking GRC to the Front Lines
Gone are the days when GRC responsibilities were relegated primarily to the second and third lines of the business. Today, the focus has shifted to the front line because it is there that risks are taken and best captured and where the consciousness around risk management and compliance needs to be pervasive.
Since the front line is closest to the risks, they are often better positioned than an intermediary risk function to anticipate and assess their own risks, while also managing their own compliance with regulations, laws, and policies.
Greater ownership of GRC by the front line helps organizations gain better control over risks and minimize both regulatory and reputational issues. It also reduces the need for costly and complex risk-monitoring processes.
Empowering the Front Line to Drive GRC
New generations of GRC solutions are increasingly being designed for frontline teams. These easy-to-use tools can be quickly adopted without extensive training or knowledge of GRC terminologies. The best of them combine technology and industry content with AI and analytics to make GRC an integral, almost seamless part of day-to-day business activities.
Think desk traders who receive automatic alerts on the policy and compliance implications of a financial trade in real time.
Think business travelers who, upon entering a new country, can instantly pull up all the required local policies and behavioral expectations on their GRC mobile app.
Think remote workers who are automatically notified with a cybersecurity checklist to keep them vigilant about security risks when working from home.
The key is to ensure that GRC is deeply ingrained into business processes – quickly and easily.
But GRC is ultimately a two-way street. As much as it is about enabling frontline users with tools to manage their risks and compliance, it’s also about harnessing intelligence from the front line of emerging risks and hidden areas of concern to facilitate proactive risk responses. We’re seeing the development of chatbots that can capture frontline observations of potential incidents, issues, and control weaknesses—all through a casual conversation with the business user in natural business language. These insights are then rolled up to the second and third lines of defense for deeper investigation and response.
The possibilities of GRC technology in the front line are numerous. And the easier these tools make it for business users to manage and report risks, the better the organization’s ability to accelerate risk-aware decisions.
ESG: A Movement Quickly Gaining Momentum in GRC
ESG (Environmental, Social, and Governance) concerns are becoming a top agenda item for every board of directors. Research reports from various global organizations, such as the National Aeronautics and Space Administration (NASA), the United Nations, the World Economic Forum (WEF), and others, continue to sound the alarm on the impact of climate change. In addition to climate risks, there is a growing call from consumers, regulators, and other stakeholders for diversity, inclusion, and equity in organizations.
“There is a broader purpose for companies now. Going forward, they not only have to deliver profit, but they also have to deliver purpose, they have to deliver value to stakeholders that includes societies and communities in which they serve. Environment, social governance, racial justice, social justice—a lot of these topics are new to corporations, and CEOs and boardrooms are demanding that as part of their GRC initiative.” - Gunjan Sinha, Executive Chairman, MetricStream
To become future-ready, organizations today need to think beyond financial statements and profits, and work towards becoming a purpose-driven entity that strives for global sustainability and enables global communities to thrive.
By empowering the first line of defense, using ethical datasets that are privacy-preserving and risk-aware, and leveraging socially-aware AI, organizations can create true GRC systems and programs that can deal with the risks from a full 360-degree perspective.
It is now necessary to discuss how ESG functions can be effectively and efficiently managed via three key factors: technology, culture, and the right ‘tone at the top’.
Driving a Pervasive ESG Strategy
Boards need to assess their readiness to adapt to the rapidly changing business requirements. An effective and agile ESG performance framework can help the board look at the total impact of a company’s ESG strategy and operations. Equipped with real-time and accurate data, the board and C-suite can have a far better understanding of the company’s ESG performance. The board needs to ascertain that senior management and the C-suite are systematically monitoring ESG performance, looking for ways to turn governance, risk, and compliance into a competitive advantage, and regularly reporting to the board on the status of ESG performance.
When risk management and compliance are looked at as a competitive advantage rather than a check-the-box activity: that’s when companies can harness risk to drive growth, stay in alignment with sustainability processes, deliver on social impact commitments, and build trust and a positive relationship with customers, employees, investors, partners, suppliers, and other key stakeholders.
Delivering the Right Tone From the Top
Boards are facing strong scrutiny from regulatory bodies, shareholders, and other key stakeholders. This scrutiny requires the board of directors to demonstrate leadership in developing a strong culture of GRC throughout their corporations. They can only accomplish this by establishing governance principles, commanding strong compliance oversight, and developing acceptable risk postures.
Boards are responsible for creating and overseeing company policies. This isn’t a one-and-done activity. Policy management requires organizing and archiving documents so that boards can review them in relation to mandates, business objectives, risks, and controls. Policies also need to be available to employees and business partners, as necessary. GRC solutions make accessing policy documents easy and efficient.
GRC solutions automate compliance management functions such as workflow, controls and associated risks, surveys, self-assessments, reporting, testing, and remediation. This includes financial reporting to regulatory authorities and compliance with industry regulations.
GRC solutions help organizations adapt more readily to rapidly evolving market and governance changes, especially regarding business disruptions, such as:
What’s Next: Better Business Performance
There is no question the pandemic has been brutal. But it has also compelled organizations to adapt quickly, innovate, and build resilience. Underlying it is the awareness that to succeed in a post-COVID-19 era, we will need to stay one step ahead of risks. COVID-19 may have been a novel disruption, but it certainly won’t be the last. We’re already looking at the threat of a recession, ongoing cyber attacks, and catastrophic natural disasters.
How can businesses thrive and catalyze performance in this risky world? Here are a few key steps.
Develop a Peripheral View of Risks
No longer will organizations focus only on the most obvious risks. They will also incorporate a “peripheral” view of risk data by paying more attention to non-traditional risk factors such as biological hazards, climate change, and geopolitics. At the center of these efforts will be the GRC hub -- a central, cloud-based console of risk intelligence. The hub will integrate data from numerous internal and external sources to offer organizations a truly 360-degree, real-time picture of their risks for better decision-making.
Build an Anti-fragile Business
Organizations will emerge from this crisis in different ways. Some will focus on building resilience, while others will find a way to become anti-fragile. The resilient business resists shocks but stays the same. However, the anti-fragile business gets better. To build anti-fragility, organizations will need to break down risk silos, so that they can understand how various risks impact and influence each other. They will also need strong business continuity plans to be prepared. We can’t always predict every risk, but we can be ready to ride it out.
Gear Up for High-velocity Risks
With risks hitting organizations faster than ever, leadership teams need real-time, forward-looking risk intelligence rather than retrospective information. “Predict to prevent” will be the new mantra, as business leaders leverage AI and other emerging technologies to anticipate and mitigate emerging risks proactively. This can help businesses stay one step ahead of risks.
Meanwhile, continuous auditing and risk monitoring, enabled by robotic process automation, will make it easier to detect anomalies. Stress testing will be accelerated to help risk teams proactively define action plans and early risk indicators. With comprehensive, forward-looking risk intelligence, organizations can be better prepared to land on their feet despite disruptions.
Rethink Priorities Across Business Lines
The need for dynamic, real-time risk assessments has blurred the barriers between the lines of the business. Today, all the lines must work together swiftly to catalyze business performance. Leadership teams need to respond quickly to risks like a cyber attack or a global pandemic. Therefore, the second and third lines must become more automated. Meanwhile, the front line will take on a bigger role in identifying and assessing risks. Their insights will help business leaders stay updated on new emerging risks.
Focus on Profit with Purpose
Corporate leaders must extend the definition of corporate objectives beyond just profits. Going forward, a key differentiator for organizations will be how they position themselves with respect to the environment, diversity and inclusion, ethics, integrity, and global sustainability. It’s about time that organizations included metrics to measure their performance on these fronts and worked towards facilitating a harmonious and sustainable future – which is why ESG has accelerated so quickly.
Align Risk Management to Performance
Risk management will play a key role in driving and guiding business performance in the future. Decision-making processes will increasingly integrate a rigorous assessment of risks. Risk findings will also be aligned much more closely to resilience and strategic objectives, so that when the next global crisis comes—because it will—organizations will be better prepared to respond and pivot quickly.
This renewed focus on risk management will be especially important in dealing with changes in business models that we’re likely to see in a post-COVID world. Some companies may shift to a permanent remote working model. Others may replace physical customer interactions with virtual or self-service options.
Most will accelerate digital transformation, investing in AI, automation, and analytics. With these shifts will come new risks and regulations. To manage them effectively, companies will need strong risk and control foundations with streamlined workflows, consistent risk taxonomies, and integrated risk visibility. As risk management becomes more deeply embedded in business processes, it will enable a more nuanced, thoughtful, and sustainable approach to business growth.
Driving Success and Resilience
How MetricStream Helped an International Energy Services Company Improve Resilience with Faster, Better Visibility into Risks
An energy services giant, with millions of customers and tens of thousands of employees, was faced with a growing range of risks—including regulatory pressures, geopolitical shifts like Brexit, climate change, and potential cyberattacks. The company was keen to improve its risk preparedness by giving first-line leaders a more holistic view of their risks, while also automating risk aggregation at the corporate level.
The company chose MetricStream to achieve these goals. It implemented MetricStream products – Compliance Management, Enterprise Risk Management, and Internal Audit Management – built on the MetricStream Platform and running on the Amazon Web Services (AWS) Cloud. MetricStream products empowered stakeholders at both the business unit level and the corporate level with real-time intelligence on the top risks and issues, including the status of mitigation action. The company was also able to streamline and automate internal auditing and compliance assurance processes, thus enhancing operational efficiency.
With an integrated and tech-driven approach to GRC, organizations can:
- Gain real-time, high-quality risk insights to make intelligent business decisions faster
- Simplify compliance, and ensure that nothing falls through the cracks
- Integrate and map disparate GRC data points in a single source of truth to provide context, understand risk relationships, and respond proactively
- Strengthen reputation, resilience, and credibility by staying one step ahead of risks
- Streamline and automate GRC processes to close gaps, minimize redundancies, and reduce costs
How MetricStream Can Help
MetricStream empowers business users with simple solutions to intuitively identify, assess, and mitigate risks, while also strengthening compliance with regulations and standards. Our simple, purpose-built platform is proven with over a million global users. The platform is designed to serve integrated GRC use cases across industries and is infused with deep domain expertise, embedded content, rich context, integrated data, and explainable AI.
Our solutions automate and streamline GRC processes, while providing rich risk insights for decision-making. They also break down silos, enabling the front line to seamlessly collaborate and share information with the second and third lines of defense. Powerful observation management tools make it easy for the front line to capture and report irregularities or red flags, thus preventing risk events before they occur.
We empower customers to intuitively harness real-time risk intelligence across the extended enterprise – for what’s now, and what’s next.