MetricStream’s Boultwood: GRC programs take courage

By John L. Guerra

Editor, GRC & Fraud Software Journal

We asked Brenda Boultwood, senior vice president of industry solutions at MetricStream, to list lessons learned from the past year and to provide us with some predictions for 2017.

Herein are her thoughts:

Lessons learned/major trends for 2017

  • GRC implementations have not become easier. Full business case achievement requires governance, and an agreed data model, data migration and sun-setting of legacy systems.
  • GRC program sponsorship takes courage and the willingness to accept political risk to the CXO's career. The CXO GRC program sponsor's success depends not only on the downstream vendor and IT support, but also on CEO support as the change program is carried out.
  • More sophisticated analytical techniques are being overwhelmed by the need to get the basics of data integrity right (e.g., BCBS 239, Basel SMA approach).

What’s ahead for 2017

  • We’ll see more focus across Financial Institutions on data aggregation and reporting, inspired by Basel Committee on Banking Supervision’s 239. Focus on a data model that works across all risk and compliance functions, including Trusted Platform Module, IT Risk, etc.
  • Cost cutting across banks will become more severe.
  • Compliance and risk spending will continue, but at a more measured rate, except at institutions with a regulator mandate. Without the regulator mandate, a company’s organizational siloes find it easier to opt for the point solution and not worry about data aggregation.

This stems from the fact that GRC mandates rarely come from the organization’s CEO. Top line and growth targets have taken top priority. Risk and compliance change agents in large organizations atop management teams continue to be rare.


