MetricStream releases new M7 Platform with ‘robust’ GRC apps

From MetricStream

MetricStream CEO Shellye Archambeau

MetricStream – the governance, risk, and compliance (GRC) apps and solutions provider – says its new M7 platform includes applications for risk, compliance, audit, IT security, third party management, and other functions upon which GRC professionals rely.

With M7, MetricStream says it is providing fourth-generation GRC technology the industry has so far lacked. The M7 platform and apps are designed to help companies preserve their corporate integrity, protect their brand, and drive exceptional business performance through GRC that is simple, pervasive, and delivered in the cloud, the company said.

M7 focuses on enabling high performers through an “engaging user experience, high degree of configurability, enhanced mobility and layering, sophisticated reporting and analytics, and a future-ready architecture,” MetricStream said in announcing the release.
“M7 enables high performing organizations by making GRC simple, intuitive, and more deeply embedded across the enterprise and extended ecosystem,” said MetricStream CEO Shellye Archambeau. “M7 gives our customers real-time intelligence that they need to anticipate risk, and balance opportunities effectively.”

Here are the M7 highlights:

For risk management professionals

The MetricStream Enterprise Risk Management app enables organizations to manage a wide range of risks and related activities in a systematic and integrated manner. Through the app, users can identify, assess, monitor, and mitigate enterprise risks effectively.

Powerful analytics and reporting capabilities, paired with detailed graphical dashboards and charts, offer comprehensive and real-time visibility into risks, enabling stakeholders to make informed decisions. This app is often deployed with the Operational Risk Management, Business Continuity Management, and Internal Audit Management apps.

For regulatory and corporate compliance pros

The MetricStream Regulatory Engagement Management app streamlines and automates the process of managing various regulatory engagements, including examinations, meetings, and requests for information from regulators.

In tandem with the Compliance Management app, the Regulatory Engagement Management app simplifies engagement creation and task management, and captures all regulatory engagement data in a central repository.

Powerful dashboards and reports provide real-time insights, enabling stakeholders to make informed decisions that strengthen the organization’s relationships with regulators.

For audit management professionals

The MetricStream Internal Audit Management app helps organizations plan, manage, and track internal audits with ease and efficiency.

The app streamlines audit planning and scheduling, audit execution, review and analysis of audit findings, creation of the final audit report, and follow-up activities.

Through an intelligent, risk-based approach to internal auditing, the app helps prioritize audit tasks and resources based on the areas of highest risk.

For an enterprise audit management solution, the Internal Audit Management app is often deployed with the Compliance Management and Operational Audit Management apps.

For IT security professionals

The MetricStream IT Risk Management app empowers organizations to adopt a focused and business-driven approach when managing and mitigating their IT risks.

The app streamlines IT risk identification, IT risk assessments, and risk treatment. It also provides sophisticated analytics and reports that transform raw risk data into actionable IT risk intelligence, providing clear visibility into the top risks, and improving decision-making.

This app is often deployed with the IT Compliance Management and Threat and Vulnerability Management apps for an integrated IT GRC solution.

The MetricStream Threat and Vulnerability Management app strengthens IT security by proactively aggregating and correlating threats and vulnerabilities across information assets. The app integrates with multiple end-point IT security and infrastructure management tools and security intelligence feeds to identify and prioritize the risk exposure for IT assets, and streamline the remediation process.

Third party management

The MetricStream Issue Management app facilitates a systematic and integrated approach towards managing governance, risk, and compliance issues.

The app provides a single system for enterprise-wide issue management initiatives, thereby strengthening compliance and risk management, while reducing the associated costs.

Through an integrated approach, the app facilitates cross-functional coordination and collaboration on issue management, and helps align these processes centrally with corporate governance and reporting objectives. Issue Management is a critical component of any GRC solution.

Survey Management app

The MetricStream Survey Management app enables a structured and automated process to manage surveys for systems compliance, process compliance, risk assessments, HR policy awareness, legal attestations, etc.

The app fosters accountability by streamlining the flow of information and records, and documenting attestations and representations at appropriate stages.

Moreover, the reporting engine built on the MetricStream GRC Platform aggregates survey data, and enables exploration and evaluation of survey findings at the enterprise level.

Survey Management is a critical component of any GRC solution requiring the collection of intelligence across the enterprise and business partners, and can be integrated with other apps including Compliance Management, Risk Management, and Third Party Management.

Susan Palm: Companies can use GRC to adapt to Dodd-Frank changes

By John L. Guerra

Editor, GRC & Fraud Software Journal

Susan Palm, senior vice president, Industry Solutions, MetricStream

Susan Palm, senior vice president of Industry Solutions for MetricStream, talks about the impact repealing Dodd-Frank will have on mergers and acquisitions, the operational risk firms will face, and how GRC technology can help alleviate the resulting risks.

MetricStream continues to ramp up its investment in mSIG user groups in response to the volatility of change coming out of the White House.


Q: How will this investment help customers to address the volatility?

Susan Palm: MetricStream’s clients represent both the largest and smallest financial services firms. These clients are examined by the FDIC, OCC, and Federal Reserve. The regulators sometimes publicly share examples of best practices for generating a strong risk culture, for managing third party vendors, conducting effective control tests, etc. The mSIGs act as a forum for banks to discuss their own best practices and experiences and learn from each other.

Clients find the user group forums particularly useful to share information regarding adherence to laws and regulations and the use of technology to create efficiencies and good data analytics.

Q: How will changes in Dodd-Frank or a total repeal of the law impact mergers and acquisitions?

Susan Palm: There are certain dollar thresholds for increased regulatory scrutiny. For example, banks under $10 billion in assets have one type of examination schedule. Banks greater than $10 billion in assets have a more rigorous schedule of examinations, and banks greater than $50 billion have an even greater level of regulatory oversight and examination.

This has created a barrier for banks to merge if their new combined asset size puts them into a different examination category.


Q: How can GRC technology, especially M7, help companies to remain compliant and address risk in view of sweeping change?

Susan Palm: One feature of M7 enables companies to leverage mobile phones and tablet technologies in addition to traditional PC technology to deliver policy, standards and procedures to staff.

As the laws change, banks need to update their policies and procedures appropriately. Ensuring that policy and procedure changes are completed — and delivered to staff when and how they want to consume this information — will now be faster and easier with M7.

Q: What are a few best practices for firms to prepare for continued changes in regulation from the White House?

Susan Palm: Firms should implement GRC technology solutions that integrate with strong law and regulation content providers, so that changes in laws and regulations can be quickly consumed and analyzed.

Stay vigilant and get involved in user group forums, such as RMA, ABA, with MetricStream. For smaller banks that don’t have sizable legal and compliance teams, participation in these user forums enables them to learn from the bigger banks’ experiences and leverage the investments made by larger banks with greater resources.


Q & A with French Caldwell, chief evangelist at MetricStream

French Caldwell

Q: How are companies failing to protect business continuity in their platform integration?

A: One of the biggest challenges we found in a recent MetricStream research survey is that companies aren’t looking at the impact of third parties on their business continuity planning. We found that over 50 percent include third-party risk management in their enterprise risk management, IT risk management, and compliance programs, but just 36 percent included third-party risk management as part of their BCM program.

On the other hand, survey respondents ranked “disruption” due to third parties as one of their chief concerns. Considering that companies are so dependent on extended supply chains, IT service contractors, and cloud solutions, this concern over disruption is warranted. Yet, there appears to be this disconnect between the BCM organization and third party risk managers.

Three areas of concern

Q: What are three places where companies can improve their vendor risk management – ensuring vendors aren’t harming one’s company?

A: First, just creating a single source of truth for vendor profiles is a good start. You really can’t do vendor risk management if you don’t know who your vendors are. Often we see companies start a VRM program in response to a regulatory requirement, but then they realize, wow, now I know who my vendors are.

Second, it’s important to risk tier vendors. Most companies who get serious on VRM will create three risk tiers. The high risk vendors, which may just be 1 to 5% of vendors, then medium risk, maybe 10-20%, and then the low risk or tactical vendors. This is important to do, since it’s just impossible to do the same high degree of due diligence and continuous monitoring on all your vendors – especially for companies who have tens of thousands of them.

Third, as I mentioned, including third party risk management as part of the business continuity planning is important. BCM planners need to identify those vendors that could have the highest disruptive impact, and ensure they include them as part of their business impact analysis.

Falling short with cybersecurity

Q: Is cybersecurity attainable? Where are companies falling short with enterprise risk management programs?

A: Most CISOs are really not confident that their enterprises are safe from a cyberattack. And that concern is justified. Financial services organizations are the most prepared, and yet in a recent MetricStream Research survey, we found that 37% of financial services organizations had faced over 10 cyberattacks in the previous year; 15% had faced 100 or more. That’s astounding.

As far as enterprise risk management, there is some good news. Most enterprises now consider cybersecurity an important element of enterprise risk management – more than 90 percent of the respondents to our survey of financial services organizations. We have also found that 59 percent of all enterprises include third-party risk management within their enterprise risk management program. Furthermore, according to MetricStream Research, the top two business drivers for investment in integrated GRC, are improving overall risk oversight (71 percent) and new business initiatives that are introducing new risks and regulations (58 percent). These results indicate that executives expect GRC not just to support better compliance, but also to contribute to an overall understanding of risks and their impacts on the business. Over the last 10 years, GRC has evolved from a tactical compliance investment to a strategic business investment.

Q: Innovations to MetricStream’s M7 GRC Platform?

A: With the M7 Platform and Apps, MetricStream is the first GRC solution provider to bring consumer-like IT to GRC professionals. With user-centric design, we have shifted GRC software from being organization-centric to being people-centric. Why is this important? First, if you’re a GRC professional – an auditor, risk manager, compliance manager, or IT security professional, you spend much of your working day in front of a screen.

Difficult-to-navigate enterprise software with cluttered screens and rows and rows of input forms is not going to drive the greatest productivity for the business. Engaged employees deliver more value to their teams and their organizations – so by designing our new M7 GRC platform and apps to be user-centric, we are engaging the users. And not only is it more engaging and personalized, it is more easily configured to adapt to the users’ needs, it can be accessed through any device, freeing the user from their desk, and it provides exceptional analytics that provide better insights from the wealth of data in the app.

Secondly, if you’re not a GRC professional, but need occasional access to a GRC app, you shouldn’t have to learn how to use it – it should be intuitive and self-learning. In M7, we’ve done this through a consumer look and feel, and explanatory learning tiles that appear when you hover over items on the screen.

And, taking this even further, why should most employees have to access the GRC app at all? MetricStream’s M7 architecture enables what we call layering – we layer GRC into Salesforce for instance, so that a sales person doesn’t need to go to the GRC app to acknowledge policies for instance.

The bottom line is that by designing engaging user-centric GRC software, we make GRC professionals more productive, and for other employees, we don’t make them learn a whole new app, when all they may need to do is acknowledge a policy or access a report.


MetricStream launches M7 GRC platform

From MetricStream press release

MetricStream, a developer of governance, risk, and compliance (GRC) apps and solutions, has launched its new M7 GRC platform.

According to Vasant Balasubramanian, MetricStream’s senior vice president of product management, M7 is designed as a simple, pervasive and cloud-based approach to drive exceptional business performance through GRC.

  • User Experience that is intuitive, engaging, and personalized for the end user, helping to simplify and strengthen GRC adoption across the organization through technology
  • Configurability that delivers GRC how you need it, allowing the organization to tailor GRC to its unique reporting, workflow, and content requirements; scale up to support new users; and extend the platform to add more apps and solutions as GRC requirements evolve
  • Mobility and Layering that lets organizations embed GRC into their day-to-day activities, decisions, business critical apps, and devices such as phones, tablets, laptops, and TVs.
  • Reporting and Analytics for better insights and better decision-making through a range of powerful visualizations, analytics, and reporting capabilities
  • Architecture that is faster, leaner, and “ready for the future”, with the flexibility to manage GRC on-premise or in the private and secure GRC cloud.

MetricStream’s GRC platform is used by more than 350 organizations worldwide, including large global banks, mid-sized banks, investment banks, insurance firms, asset management companies, federal financial agencies, and clearing corporations, the company says.