MetricStream GRC summit highlights issues facing enterprises

By John L. Guerra

GRC & Fraud Software Journal

Gaurav Kapoor, COO MetricStream

MetricStream’s 2018 GRC Summit in Baltimore brought together governance, risk, compliance and regulatory leaders from various industries and market segments. The three-day summit covered the biggest issues facing GRC practitioners in banking, real estate, health care, and other business sectors.

Gaurav Kapoor, chief operating officer for MetricStream, spoke with GRC & Fraud Software Journal about the summit.

“We created a GRC summit where we could gain feedback from thought leaders and practitioners in the room,” Kapoor said. “It was intensive, with some 500 people representing 300 small to large companies representing a number of different industries – the main takeaway is that we’re all on the same journey.”

To set the stage for discussion, MetricStream announced its new tagline: “Perform with Integrity.”

“That mirrors the desire that companies have to raise performance while maintaining integrity in several aspects of the GRC model.”

According to Kapoor, companies both large and small worry about maintaining not only the integrity of their data, but their company’s integrity in the eyes of their customers who too often find they can’t trust companies to protect their personal data. Top executives at Uber, Facebook, Wells Fargo, and other companies have been summoned before Congressional hearings to answer for misuse of customer data.

“For the last two years, there have been huge breaches of trust when it comes to high-performing companies and major banks,” he said. “Companies are ensuring their GRC platforms are built for performance and integrity, and that’s in addition to preventing bribery, money laundering and other ethical problems. For the companies at our summit, maintaining the trust of their customers topped the list.”

The largest companies at the MetricStream summit said they designed GRC systems that would control ethical standards, prevent data breaches and enable them to report problems quickly to customers when they occur, Kapoor said.

“A large retailer in Sweden said their primary GRC strategy is to align systems that build trust with customers,” Kapoor said. “If there is a breach, how do we deal with customers? How do you write GRC to reflect ‘Tone at the Top?’ When your platform lets you document what kind of policies you need or have in place, you can accomplish these controls.”

At one point, the moderator asked attendees to stand and then sit back down when the moderator named their chief concern.

“At change and change management, most sat down,” Kapoor said. “Companies have been faced with so much change that they are looking for the ability to adapt quickly to concerns and write it into GRC applications. For instance, crypto is an issue nobody knows how to handle. Companies are exposed to more risk like that because things are a lot more digital.”

Top 3 predictions for 2018 – a year of change

By French Caldwell

MetricStream Chief Evangelist

French Caldwell, MetricStream

In what is becoming an annual event, MetricStream’s chief evangelist, French Caldwell, provides GRC & Fraud Software Journal readers with predictions for the upcoming year.

Prediction 1:

Data controllers and others face surge in complaints

In 2018, large data controllers, data processors, and privacy authorities will be found to be unprepared for a surge in requests and complaints by data subjects. The new EU GDPR expands the rights of EU citizens with several new rules, including the right to rectification, right to erasure, the right to object, and the right to restrict processing.

Privacy advocate groups will launch campaigns that drive large numbers of EU citizens to test these new rights. Many companies and government organizations will find they are vastly under-prepared to manage the large volume of requests and complaints.

Furthermore, many privacy authorities will not be prepared to manage the large number of complaints they receive. To prepare, data controllers should have robust case management processes in place, and they should assure their third-party data processors do as well.

Likewise, privacy authorities should evaluate their complaint management processes and ensure they are ready for a large surge.

Prediction 2:

The first €1 million or more penalty under GDPR

In the event of a data breach, the new EU GDPR regulation provides for large penalties, up to 4 percent of revenues or €20 million, whichever is larger. With the number of large data breaches growing, it’s just a matter of time before a large breach occurs.

Typically, a new regulation brings a period of adjustment in which regulators work through enforcement priorities; in the case of GDPR, however, European privacy authorities are under a very public spotlight.

The first few companies or government agencies with a large data breach will set the standard for enforcement – especially if they delay reporting it.

While Europe has had many fewer reported data breaches than the U.S., that could change with the mandatory requirement in GDPR to report breaches within 72 hours of becoming aware of them.

The best defense for data controllers and processors will be strong data protection and cybersecurity programs that are well tested, documented, and ready for an audit by privacy authorities.

Prediction 3:

Regulatory technology primary driver for GRC

In 2018 and 2019, regulatory tech – which utilizes information technology to enhance regulatory processes – will emerge as the primary driver of technological innovation for the GRC market.

Just as biotech is driving innovation in the life sciences industry, and fintech is doing the same in finance, regulatory tech is starting to impact the research and development investments of major GRC providers.

Artificial intelligence and machine learning applied to both unstructured and structured data to discover new risk and threat insights are the obvious technical leaders of innovation, but not the only ones.

Alexa-like advanced chatbots will enable users to quickly navigate applications, create reports, and discover relationships between risks, controls, processes, performance, assets and other data objects.

Hybrid machine-human scoring of third party cybersecurity, financial, and sustainability risks will supplement onboarding and continuous monitoring programs.

Facial recognition will provide a new means of assurance for data access and separation of duties. To gain competitive advantage, GRC vendors will increase funding for regulatory tech initiatives both organically and through acquisitions.

Most organizations unaware when employees violate policy and rules

From MetricStream press release

French Caldwell, MetricStream

More than half of organizations (55 percent) can’t tell when their own employees violate company workplace rules and policies across the enterprise, according to a revealing survey by MetricStream.

The company, a developer of governance, risk, and compliance (GRC) apps and solutions, said the survey, “What Makes an Effective Policy Management Program?” paints a picture of how organizations create, manage, and communicate policies.

Other results from the survey:

While only about 1 in 4 organizations use policy management software, the benefits they enjoy are significant. Of these organizations:

  • 21 percent take less than a month to develop and publish a policy from scratch
  • 70 percent do not consider it challenging to author and distribute policies, or provide training
  • 60 percent encountered fewer than 50 policy violations in the last year

Policy management software eases policymaking

  • 80 percent of organizations using policy management software on a GRC platform take less than three months to author and publish policies, compared to only 55 percent of organizations using pure-play policy management software
  • 42 percent of organizations that require employees to attest to certain policies encountered fewer than 50 policy violations.
  • 59 percent of organizations that have mapped their policies to risks and compliance requirements do not consider it challenging to update policies as regulations evolve.
  • The majority of organizations that use standardized policy templates (62 percent) take less than a quarter to develop and roll out a new policy.

French Caldwell, Chief Evangelist at MetricStream, said the survey shows automation and consistency work.

“Our survey findings indicate that an integrated and consistent approach to policy management can yield significant benefits,” Caldwell said.

Many organizations have written policies, but much more is required to ensure that those policies are adhered to across the enterprise. To build a pervasive culture of ethics and risk-intelligent behavior, organizations must ensure that their policies are communicated effectively and updated regularly in line with regulatory and business changes. Moreover, policy compliance and violations must be tracked and addressed proactively.

“Those surveyed who have mapped policies to risk and compliance requirements, have integrated training into policy management programs,” Caldwell said, “or are using policy management software on a GRC platform are able to create and communicate policies faster, update them effectively, and minimize compliance violations.”

MetricStream releases new M7 Platform with ‘robust’ GRC apps

From MetricStream

MetricStream CEO Shellye Archambeau

MetricStream – the governance, risk, and compliance (GRC) apps and solutions provider – says its new M7 platform includes applications for risk, compliance, audit, IT security, third party management, and other functions upon which GRC professionals rely.

With M7, MetricStream says it is providing fourth-generation GRC technology the industry has so far lacked. The M7 platform and apps are designed to help companies preserve their corporate integrity, protect their brand, and drive exceptional business performance through GRC that is simple, pervasive, and delivered in the cloud, the company said.

M7 focuses on enabling high performers through an “engaging user experience, high degree of configurability, enhanced mobility and layering, sophisticated reporting and analytics, and a future-ready architecture,” MetricStream said in announcing the release.

“M7 enables high performing organizations by making GRC simple, intuitive, and more deeply embedded across the enterprise and extended ecosystem,” said MetricStream CEO Shellye Archambeau. “M7 gives our customers real-time intelligence that they need to anticipate risk, and balance opportunities effectively.”

Here are the M7 highlights:

For risk management professionals

The MetricStream Enterprise Risk Management app enables organizations to manage a wide range of risks and related activities in a systematic and integrated manner. Through the app, users can identify, assess, monitor, and mitigate enterprise risks effectively.

Powerful analytics and reporting capabilities, paired with detailed graphical dashboards and charts, offer comprehensive and real-time visibility into risks, enabling stakeholders to make informed decisions. This app is often deployed with the Operational Risk Management, Business Continuity Management, and Internal Audit Management apps.

For regulatory and corporate compliance pros

The MetricStream Regulatory Engagement Management app streamlines and automates the process of managing various regulatory engagements, including examinations, meetings, and requests for information from regulators.

In tandem with the Compliance Management app, the Regulatory Engagement Management app simplifies engagement creation and task management, and captures all regulatory engagement data in a central repository.

Powerful dashboards and reports provide real-time insights, enabling stakeholders to make informed decisions that strengthen the organization’s relationships with regulators.

For audit management professionals

The MetricStream Internal Audit Management app helps organizations plan, manage, and track internal audits with ease and efficiency.

The app streamlines audit planning and scheduling, audit execution, review and analysis of audit findings, creation of the final audit report, and follow-up activities.

Through an intelligent, risk-based approach to internal auditing, the app helps prioritize audit tasks and resources based on the areas of highest risk.

For an enterprise audit management solution, the Internal Audit Management App is often deployed with the Compliance Management and Operational Audit Management apps.

For IT security professionals

The MetricStream IT Risk Management app empowers organizations to adopt a focused and business-driven approach when managing and mitigating their IT risks.

The app streamlines IT risk identification, IT risk assessments, and risk treatment. It also provides sophisticated analytics and reports that transform raw risk data into actionable IT risk intelligence, providing clear visibility into the top risks, and improving decision-making.

This app is often deployed with the IT Compliance Management and Threat and Vulnerability Management apps for an integrated IT GRC solution.

The MetricStream Threat and Vulnerability Management app strengthens IT security by proactively aggregating and correlating threats and vulnerabilities across information assets. The app integrates with multiple end-point IT security and infrastructure management tools and security intelligence feeds to identify and prioritize the risk exposure for IT assets, and streamline the remediation process.

Third party management 

The MetricStream Issue Management app facilitates a systematic and integrated approach towards managing governance, risk, and compliance issues.

The app provides a single system for enterprise-wide issue management initiatives, thereby strengthening compliance and risk management, while reducing the associated costs.

Through an integrated approach, the app facilitates cross-functional coordination and collaboration on issue management, and helps align these processes centrally with corporate governance and reporting objectives. Issue Management is a critical component of any GRC solution.

Survey Management app

The MetricStream Survey Management app enables a structured and automated process to manage surveys for systems compliance, process compliance, risk assessments, HR policy awareness, legal attestations, etc.

The app fosters accountability by streamlining the flow of information and records, and documenting attestations and representations at appropriate stages.

Moreover, the reporting engine built on the MetricStream GRC Platform aggregates survey data, and enables exploration and evaluation of survey findings at the enterprise level.

Survey Management is a critical component of any GRC solution requiring the collection of intelligence across the enterprise and business partners, and can be integrated with other apps including Compliance Management, Risk Management, and Third Party Management.


Susan Palm: Companies can use GRC to adapt to Dodd-Frank changes

By John L. Guerra

Editor, GRC & Fraud Software Journal

Susan Palm, senior vice president, Industry Solutions, MetricStream

Susan Palm, senior vice president of Industry Solutions for MetricStream, talks about the impact repealing Dodd-Frank will have on mergers and acquisitions, the operational risk firms will face, and how GRC technology can help alleviate the resulting risks.

MetricStream continues to ramp up its investment in mSIG user groups in response to the volatility of change coming out of the White House.

Q: How will this investment help customers to address the volatility?

Susan Palm: MetricStream’s clients represent both the largest and smallest financial services firms. These clients are examined by the FDIC, OCC, and Federal Reserve. The regulators sometimes publicly share examples of best practices for generating a strong risk culture, for managing third party vendors, conducting effective control tests etc. The mSIGs act as a forum for banks to discuss their own best practices and experiences and learn from each other.

Clients find the user group forums particularly useful to share information regarding adherence to laws and regulations and the use of technology to create efficiencies and good data analytics.

Q: How will changes in Dodd-Frank or a total repeal of the law impact mergers and acquisitions?

Susan Palm: There are certain dollar thresholds for increased regulatory scrutiny. For example, banks under $10 billion in assets have one type of examination schedule. Banks greater than $10 billion in assets have a more rigorous schedule of examinations, and banks greater than $50 billion have an even greater level of regulatory oversight and examination.

This has created a barrier for banks to merge if their new combined asset size puts them into a different examination category.

Q: How can GRC technology, especially M7, help companies to remain compliant and address risk in view of sweeping change?

Susan Palm: One feature of M7 enables companies to leverage mobile phones and tablet technologies in addition to traditional PC technology to deliver policy, standards and procedures to staff.

As the laws change, banks need to update their policies and procedures appropriately. Ensuring that policy and procedure changes are completed — and delivered to staff when and how they want to consume this information — will now be faster and easier with M7.

Q: What are a few best practices for firms to prepare for continued changes in regulation from the White House?

Susan Palm: Firms should implement GRC technology solutions that integrate with strong law and regulation content providers, so that changes in laws and regulations can be quickly consumed and analyzed.

Stay vigilant and get involved in user group forums, such as RMA and ABA, with MetricStream. For smaller banks that don’t have sizable legal and compliance teams, participation in these user forums enables them to learn from the bigger banks’ experiences and leverage the investments made by larger banks with greater resources.

Q & A with French Caldwell, chief evangelist at MetricStream

French Caldwell

Q: How are companies failing to protect business continuity in their platform integration?

A: One of the biggest challenges we found in a recent MetricStream research survey is that companies aren’t looking at the impact of third parties on their business continuity planning. We found that over 50 percent include third-party risk management in their enterprise risk management, IT risk management, and compliance programs, but just 36 percent included third-party risk management as part of their BCM program.

On the other hand, survey respondents ranked “disruption” due to third parties as one of their chief concerns. Considering that companies are so dependent on extended supply chains, IT service contractors, and cloud solutions, this concern over disruption is warranted. Yet there appears to be a disconnect between the BCM organization and third-party risk managers.

Three areas of concern

Q: What are three places where companies can improve their vendor risk management – ensuring vendors aren’t harming one’s company?

A: First, just creating a single source of truth for vendor profiles is a good start. You really can’t do vendor risk management if you don’t know who your vendors are. Often we see companies start a VRM program in response to a regulatory requirement, but then they realize, wow, now I know who my vendors are.

Second, it’s important to risk tier vendors. Most companies who get serious on VRM will create three risk tiers. The high risk vendors, which may just be 1 to 5% of vendors, then medium risk, maybe 10-20%, and then the low risk or tactical vendors. This is important to do, since it’s just impossible to do the same high degree of due diligence and continuous monitoring on all your vendors – especially for companies who have tens of thousands of them.

Third, as I mentioned, including third party risk management as part of the business continuity planning is important. BCM planners need to identify those vendors that could have the highest disruptive impact, and ensure they include them as part of their business impact analysis.

Falling short with cybersecurity

Q: Is cybersecurity attainable? Where are companies falling short with enterprise risk management programs?

A: Most CISOs are really not confident that their enterprises are safe from a cyberattack. And that concern is justified. Financial services organizations are the most prepared, and yet in a recent MetricStream Research survey, we found that 37% of financial services organizations had faced over 10 cyberattacks in the previous year; 15% had faced 100 or more. That’s astounding.

As far as enterprise risk management, there is some good news. Most enterprises now consider cybersecurity an important element of enterprise risk management – more than 90 percent of the respondents to our survey of financial services organizations. We have also found that 59 percent of all enterprises include third-party risk management within their enterprise risk management program. Furthermore, according to MetricStream Research, the top two business drivers for investment in integrated GRC are improving overall risk oversight (71 percent) and new business initiatives that are introducing new risks and regulations (58 percent). These results indicate that executives expect GRC not just to support better compliance, but also to contribute to an overall understanding of risks and their impacts on the business. Over the last 10 years, GRC has evolved from a tactical compliance investment to a strategic business investment.

Innovations to MetricStream’s M7 GRC Platform?

A: With the M7 Platform and Apps, MetricStream is the first GRC solution provider to bring consumer-like IT to GRC professionals. With user-centric design, we have shifted GRC software from being organization-centric to being people-centric. Why is this important? First, if you’re a GRC professional – an auditor, risk manager, compliance manager, or IT security professional, you spend much of your working day in front of a screen.

Difficult-to-navigate enterprise software with cluttered screens and rows and rows of input forms is not going to drive the greatest productivity for the business. Engaged employees deliver more value to their teams and their organizations – so by designing our new M7 GRC platform and apps to be user-centric, we are engaging the users. And not only is it more engaging and personalized, it is more easily configured to adapt to the users’ needs, it can be accessed through any device, freeing the user from their desk, and it provides exceptional analytics that provide better insights from the wealth of data in the app.

Secondly, if you’re not a GRC professional, but need occasional access to a GRC app, you shouldn’t have to learn how to use it – it should be intuitive and self-learning. In M7, we’ve done this through a consumer look and feel, and explanatory learning tiles that appear when you hover over items on the screen.

And, taking this even further, why should most employees have to access the GRC app at all? MetricStream’s M7 architecture enables what we call layering – we layer GRC into Salesforce for instance, so that a sales person doesn’t need to go to the GRC app to acknowledge policies for instance.

The bottom line is that by designing engaging user-centric GRC software, we make GRC professionals more productive, and for other employees, we don’t make them learn a whole new app, when all they may need to do is acknowledge a policy or access a report.

Can government be trusted with a company’s proprietary information?

By French Caldwell, chief evangelist, MetricStream

Special to GRC & Fraud Software Journal

French Caldwell

I thought the 2015 Office of Personnel Management breach was bad, but the recent National Security Agency hack was even more devastating.

In June 2015, OPM discovered that the background investigation records of current, former, and prospective Federal employees and contractors had been stolen, including the Social Security Numbers of 21.5 million individuals.

Worse, the stolen data included information on 1.8 million non-applicants, primarily spouses or co-habitants of applicants. Add to that 5.6 million stolen fingerprints in the hands of financial criminals and you can say goodbye to many Americans’ security.

In recent weeks the United States has found itself in a cyber Cold War, a real-world “Hunt for Red October” in which American intelligence personnel skilled in cyber warfare and counter-cyber attacks troll for signs of enemy intrusion in government computer networks.

Bizarre new world

The bizarreness of it all became apparent in the presidential race, when hackers believed to be Russian broke into Democratic National Committee databases, making it a central point of contention between the Republican and Democratic presidential candidates.

Then the U.S. government warned that foreign hackers might even attempt to muddle voting results displayed in digital election records come November.

Then came perhaps the most serious breach of U.S. government networks thus far: hackers in late August stole cyber warfare tools and hacking software designed and owned by the National Security Agency. The secrecy of the NSA’s cyber weapons is essential to their effectiveness.

Though foreign hacking isn’t the same as a nuclear submarine threatening America’s coastlines, the NSA hack means America’s entire library of hacking tools has probably fallen into the hands of our adversaries. What network can be safe?

Enemies selling NSA hack tools

Then last week, a group calling itself the “ShadowBrokers” announced an auction for what it claimed were “cyber weapons” made by the NSA.

As of now, all other national security agencies, including Britain’s Government Communications Headquarters, should be deemed vulnerable. If the NSA has been hacked, the chances are that GCHQ, too, has become a victim, along with the NSA’s other fellow Five Eyes members – the intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States.

Forget the fact that many of the NSA files date back to 2013; there will be future ramifications. All national governments are pushing for increased collaboration with business, to tackle a very real cyber security threat, but incidents like this raise serious questions over the safety of co-operation.

Companies can’t trust government security

The 2016 Presidential Policy Directive on United States Cyber Incident Coordination calls for private companies that have suffered theft of customer data to share what has been stolen, along with other proprietary information, with the FBI and other federal government agencies investigating the crime.

But why shouldn’t private corporations and smaller businesses be worried that governments can’t protect their own information? Private businesses are understandably skeptical when it comes to sharing their proprietary information when partnering with government in the aftermath of data breaches.

Why should businesses trust the government to protect their secrets when they can’t protect their own?

The federal government needs to get its house in order first.

After all, how much sense does it make to put one’s proprietary data in a government safe for which the criminals already know the combination?

MetricStream: Companies falling behind in regulatory compliance

Regulatory compliance management (RCM) still isn’t a mature process despite its enterprise-wide impact, says French Caldwell, chief evangelist at MetricStream.

In fact, many companies even still rely on spreadsheets like Excel to manage regulatory compliance.

The company’s recent change management survey highlights the difficulty organizations and companies have keeping up with the multitude of legal requirements and rule changes.

According to the U.S. Congressional Research Service, the number of final rules from U.S. federal agencies alone ranges between 2,500 and 4,500 annually.

Caldwell says compliance teams must scan multiple sources to keep track of new or changed regulations, conduct business impact and risk assessments, implement relevant changes to policies, processes, systems, and controls, and finally, carry out the testing, monitoring, and audit processes to ensure that their enterprises are up to date.

The MetricStream survey analyzed existing processes at dozens of organizations, the number of employees dedicated to regulation compliance and the departments in charge of RCM at those organizations.

The results indicate that many businesses are still unaware of or are unable to invest in appropriate technology and tools.

The MetricStream survey found that most companies are dedicating a growing number of employees to the RCM process.

  • Mid-size enterprises (1,000 to 10,000 employees) have three to 10 people dedicated to RCM
  • Large enterprises (more than 10,000 employees) have at least 21 people on RCM

The survey also found that RCM maturity is low across enterprises.

  • Nearly half (48 percent) of organizations still rely on manual processes and basic office productivity software such as Excel spreadsheets to track regulatory changes
  • The next most common methods are knowledge management software (19.5 percent) and in-house development tools (17.9 percent), proving that high-tech tools are widely underutilized
  • The department most commonly tasked with managing and implementing RCM is compliance (61 percent), followed by legal (16 percent) and operations (7 percent)
  • Organizations rely on a number of sources to keep up-to-date with regulatory developments, the top being regulatory agencies’ press releases (84 percent) and then industry bodies and trade associations’ announcements (70 percent)

MetricStream launches M7 GRC platform

From MetricStream press release

MetricStream, a developer of governance, risk, and compliance (GRC) apps and solutions, has launched its new M7 GRC platform.

According to Vasant Balasubramanian, MetricStream’s senior vice president of product management, M7 is designed as a simple, pervasive and cloud-based approach to drive exceptional business performance through GRC.

  • User Experience that is intuitive, engaging, and personalized for the end user, helping to simplify and strengthen GRC adoption across the organization through technology
  • Configurability that delivers GRC how you need it, allowing the organization to tailor GRC to its unique reporting, workflow, and content requirements; scale up to support new users; and extend the platform to add more apps and solutions as GRC requirements evolve
  • Mobility and Layering that lets organizations embed GRC into their day-to-day activities, decisions, business-critical apps, and devices such as phones, tablets, laptops, and TVs
  • Reporting and Analytics for better insights and better decision-making through a range of powerful visualizations, analytics, and reporting capabilities
  • Architecture that is faster, leaner, and “ready for the future”, with the flexibility to manage GRC on-premise or in the private and secure GRC cloud

MetricStream’s GRC platform is used by more than 350 organizations worldwide, including large global banks, mid-sized banks, investment banks, insurance firms, asset management companies, federal financial agencies, and clearing corporations, the company says.