Q: How are companies failing to protect business continuity in their platform integration?
A: One of the biggest challenges we found in a recent MetricStream research survey is that companies aren’t looking at the impact of third parties on their business continuity planning. We found that over 50 percent include third-party risk management in their enterprise risk management, IT risk management, and compliance programs, but just 36 percent included third-party risk management as part of their BCM program.
On the other hand, survey respondents ranked “disruption” due to third parties as one of their chief concerns. Considering that companies are so dependent on extended supply chains, IT service contractors, and cloud solutions, this concern over disruption is warranted. Yet, there appears to be this disconnect between the BCM organization and third-party risk managers.
Three areas of concern
Q: What are three places where companies can improve their vendor risk management – ensuring vendors aren’t harming one’s company?
A: First, just creating a single source of truth for vendor profiles is a good start. You really can’t do vendor risk management if you don’t know who your vendors are. Often we see companies start a VRM program in response to a regulatory requirement, but then they realize, wow, now I know who my vendors are.
Second, it’s important to risk-tier vendors. Most companies who get serious about VRM will create three risk tiers: the high-risk vendors, which may be just 1 to 5% of vendors; then medium risk, maybe 10-20%; and then the low-risk or tactical vendors. This is important to do, since it’s just impossible to do the same high degree of due diligence and continuous monitoring on all your vendors – especially for companies who have tens of thousands of them.
Third, as I mentioned, including third-party risk management as part of the business continuity planning is important. BCM planners need to identify those vendors that could have the highest disruptive impact, and ensure they include them as part of their business impact analysis.
Falling short with cybersecurity
Q: Is cybersecurity attainable? Where are companies falling short with enterprise risk management programs?
A: Most CISOs are really not confident that their enterprises are safe from a cyberattack. And that concern is justified. Financial services organizations are the most prepared, and yet in a recent MetricStream Research survey, we found that 37% of financial services organizations had faced over 10 cyberattacks in the previous year; 15% had faced 100 or more. That’s astounding.
As far as enterprise risk management, there is some good news. Most enterprises now consider cybersecurity an important element of enterprise risk management – more than 90 percent of the respondents to our survey of financial services organizations. We have also found that 59 percent of all enterprises include third-party risk management within their enterprise risk management program. Furthermore, according to MetricStream Research, the top two business drivers for investment in integrated GRC are improving overall risk oversight (71 percent) and new business initiatives that are introducing new risks and regulations (58 percent). These results indicate that executives expect GRC not just to support better compliance, but also to contribute to an overall understanding of risks and their impacts on the business. Over the last 10 years, GRC has evolved from a tactical compliance investment to a strategic business investment.
Q: Innovations to MetricStream’s M7 GRC Platform?
A: With the M7 Platform and Apps, MetricStream is the first GRC solution provider to bring consumer-like IT to GRC professionals. With user-centric design, we have shifted GRC software from being organization-centric to being people-centric. Why is this important? First, if you’re a GRC professional – an auditor, risk manager, compliance manager, or IT security professional – you spend much of your working day in front of a screen.
Difficult-to-navigate enterprise software with cluttered screens and rows and rows of input forms is not going to drive the greatest productivity for the business. Engaged employees deliver more value to their teams and their organizations – so by designing our new M7 GRC platform and apps to be user-centric, we are engaging the users. And not only is it more engaging and personalized, it is more easily configured to adapt to the users’ needs, it can be accessed through any device, freeing the user from their desk, and it provides exceptional analytics that provide better insights from the wealth of data in the app.
Secondly, if you’re not a GRC professional, but need occasional access to a GRC app, you shouldn’t have to learn how to use it – it should be intuitive and self-learning. In M7, we’ve done this through a consumer look and feel, and explanatory learning tiles that appear when you hover over items on the screen.
And, taking this even further, why should most employees have to access the GRC app at all? MetricStream’s M7 architecture enables what we call layering – we layer GRC into Salesforce, for instance, so that a salesperson doesn’t need to go to the GRC app to acknowledge policies.
The bottom line is that by designing engaging user-centric GRC software, we make GRC professionals more productive, and for other employees, we don’t make them learn a whole new app when all they may need to do is acknowledge a policy or access a report.