TRENDS AND PREDICTIONS 2018


FOREWORD

As GRC professionals, our mission is to protect corporate integrity, preserve brands and reputations, and provide actionable regulatory and risk intelligence to drive exceptional business performance. Executing that mission, we spend much of the time looking inward at risk assessments, control tests, audit results, remediation of issues, and compliance with the policies that are intended to instantiate good governance. Since our duty as GRC professionals is to manage the impact of uncertainty on business goals and objectives, all of our GRC data must be evaluated in the context of those business goals and objectives.

With markets and the global economy advancing, on the whole, it appears that we are doing a pretty good job. Yet, 2018 marks the tenth anniversary of the last time that uncertainty grew so out of control that it threatened a meltdown of the global economy; 2008 to 2009 was the longest recession in modern history. Does it make anyone anxious that we have been so long without even a global hiccup? The average time between recessions is about six and a half years. Yet, there doesn’t appear to be one on the horizon. Even as central bankers back out of their bond holdings and raise rates, market volatility is so flat that investors that were hedging on the prospect of a downturn are redirecting those funds to growth investments. In other words, everyone appears to be assuming that uncertainty is less than they supposed.

However, all of us in the risk business know better. The question we all should be asking is: “Where is that uncertainty thing hiding?” Even though the indicators show low volatility and high growth, that in itself is so weird and unprecedented that we should be suspicious. We could round up the usual suspects – a potential housing bubble, foolhardy investments in the latest technology craze, geopolitical tensions, trade disputes, and the fraying of regional and global institutions – they are all out there, but, and I’m sure many experts will dispute this assertion, none of them at this moment appear to be teetering so far out of control that they can’t be reined back in.

So, I predict that on a global scale we will muddle on quite well through 2018 just like we did in 2017, and the global economy will keep growing, housing in big cities will get even more expensive, the latest tech bubble won’t do us much harm even if it does burst, we’ll make a hash out of trade agreements and their institutions, but not too bad of one, and we’ll fumble on through our nasty geopolitical issues without starting a big war. But where is that uncertainty thing hiding? I wish I knew, but I know it is out there.

Now, with that prognostication out of the way, let’s turn to our annual MetricStream predictions. My colleagues have some great ones this year. Our chairman, Gunjan Sinha, predicts that the customer will become the new regulator; COO, Gaurav Kapoor, says that technology is going to help make our jobs as GRC professionals simpler, more efficient, and tuned to business performance; CTO, Dr. Vidya Phalke, and Marketing Director, Vibhav Agarwal, envision innovations in the cloud; former CEO and current board member, Shellye Archambeau, and SVP, Brenda Boultwood, foresee human augmentation; VP, Yo Delmar, has dire warnings on cyber threats; VP, Sonal Sinha, warns of the growing challenges of managing the third-party risks of the business ecosystem; and I myself offer some near-term cautions on the impact of the EU General Data Protection Regulation. Please read on for predictions from these experts and others.

- French Caldwell, Chief Evangelist, MetricStream

TOP 10 TRENDS AND PREDICTIONS

The Customer = The New Regulator

Consumers will expect companies to follow standards higher than those dictated by regulators, and companies will have to pay attention. They will have to consider the risks associated with what their customers feel, think, and believe, right at the center of their GRC programs.

GRC Drives Business Performance

GRC professionals are being given a seat at the strategy table and the revenue generating side. Decision-makers are relying on them to interpret risk profiles and data, and provide intelligence on how to increase revenue and sales.

The Cloud is the Future

The GRC Cloud will use a multi-instance approach, moving away from the traditional multi-tenant architecture in which data is co-mingled. It will enable customers to fire up various GRC app instances in near real time.

Business Resilience: The #1 Priority of the Board and C-Suite

To thrive in the digital age, organizations will focus on strengthening their ability to fight cyber-attacks with the help of sound risk intelligence, business continuity strategies, technology partnerships, and consistent risk taxonomies.

Simplicity and Efficiency Are In

People want simple, intuitive GRC apps on their smart phones, available to them anywhere and anytime. They want rationalized controls, greater efficiency, and reports that are customized to their roles and responsibilities.

Interconnectedness of Risk

Markets, economies, and business networks have become so deeply interconnected that a single risk event can cause widespread disruption.

The GDPR Penalty Blast-off

By mid-2019, the first €1 million or greater penalty under the General Data Protection Regulation (GDPR) will be levied.

Business Continuity in the Supply Chain

Third-party management will increasingly be integrated with business continuity measures to ensure that the organization is well-prepared to bounce back swiftly from a third-party risk incident.

Big Impact Breaches with Broader Ramifications

Breaches will continue to grow larger, and impact groups of facilities or upstream internet service providers that cover a wide geographical area. These incidents could take down a number of services.

GRC – The Backbone of a System of Intelligence

GRC is about building a true system of intelligence that can harvest critical insights from huge volumes of data – insights that can be leveraged not just by GRC professionals, but also by executives, CEOs, and boards.

GRC: TRENDS AND PREDICTIONS

Gunjan Sinha, Chairman | Gaurav Kapoor, COO

THE POWER OF NOW

Gunjan: In a world of Instagram, Facebook, and Snapchat, companies and businesses are increasingly demanding instant value - not after multiple quarters or long deployment cycles. GRC professionals will need to find ways of meeting this need – be it through real-time reporting of risks, or through mobile audits that can be conducted anytime, anywhere.

SIMPLICITY AND EFFICIENCY ARE IN

Gaurav: The advent of a younger workforce and technologies such as the cloud and mobility have led to the consumerization of software. People want simple and contextual apps on their smart phones – even in their GRC activities. They also want more efficiency. An energy company experienced a 90% reduction in the time taken to manage compliance activities. A bank reduced the number of their controls by 8,000, thereby re-routing hundreds of employees to revenue generating activities. All these benefits were gained with better GRC efficiency.

Personalization is another emerging trend. Executives want GRC insights that are customized to their roles and responsibilities instead of generic reports or analytics. Companies need to be able to implement tools and technologies that can meet these requirements.

GRC DRIVES BUSINESS PERFORMANCE

Gaurav: Traditionally, GRC was about assurance, controls, and compliance. But today, that is changing. GRC professionals are being given a seat at the company strategy table and the revenue generating side. Decision-makers need them to interpret risk profiles and data, and provide intelligence on how to increase revenue and sales. Soon, operating controls will not only help mitigate operational risks, but also enable faster go-to-market opportunities. Similarly, vendor risk management won’t just be about calculating vendor risks, but also about tying those metrics to vendor performance and chargebacks. The emphasis, more and more, will be on linking GRC to business performance.

INTEGRATED GRC DELIVERS RESULTS

Gaurav: For years, GRC programs were largely unstructured, fragmented, and lacking in flexibility and accountability. However, in OCEG’s 2017 GRC Maturity Survey, 72% of organizations report some level of GRC integration and standardization. Of them, 89% indicated that integration provided benefits that met or exceeded expectations. These organizations demonstrated significantly increased confidence in GRC activities, mapping risks and controls, and identifying changing threats and requirements in a dynamic environment. More than 20% of respondents in a November 2017 MetricStream webinar poll reported that an integrated approach to GRC helped them provide better confidence to the board and senior management on internal readiness.

CARRYING THE TORCH

Gaurav: Today, there is a growing awareness that if enterprises want to retain their license to operate, and achieve their business objectives, while following regulations and managing risks, they need to have various risk management and compliance groups in place – ranging from the board risk and audit committees, to ethics and governance teams, safety and security teams, and compliance units. Under audit, there may be divisions for internal audit, operational audit, and supplier audit. Compliance, in turn, might be divided into regulatory compliance, corporate compliance, legal compliance, and case management. Essentially, GRC needs to touch almost every part of the organization. It needs to be at the heart of corporate culture.

GRC PARTNERSHIPS MATTER

Gaurav: As the world becomes more complex, enterprises need a range of GRC skills and capabilities that may not all be present with a single provider or a single business function. Some skills may lie with a consulting firm, others with a data or content firm, and still others with a technology platform provider or system integrator. Going forward, the emphasis will be on how we can bring more of these companies and their capabilities together in a single, comprehensive GRC community – one that fosters open and transparent communication, and enables people to learn from each other’s best practices and mistakes.

NEW FRONTIERS FOR GRC

Gunjan: As companies expand their vendor network to stay focused on profitability and core competencies, they will face multiple GRC challenges. How can you manage an increasing global network and ecosystem of suppliers, vendors, and partners? How do you mitigate vendor risk before it impacts the business? GRC practitioners will have to address these questions, as they ensure that their efforts cover not just the enterprise, but also the wider third-party network. The days of believing that GRC resides within the four walls of the organization are over.

TECHNOLOGY AND INTELLIGENCE: TRENDS AND PREDICTIONS

Gunjan Sinha, Chairman | French Caldwell, Chief Evangelist | Brenda Boultwood, SVP, Industry Solutions

GRC - THE BACKBONE OF A SYSTEM OF INTELLIGENCE

Gunjan: GRC is no longer only about apps or workflows or checklists. It’s about building a true system of intelligence that can harvest critical insights from huge volumes of data. This curated intelligence will not only be meant for GRC professionals, but also for executives, CEOs, and boardrooms. Soon, we might be able to automatically group thousands of suppliers based on specific data points, and then, in those groups, zero in on those suppliers that pose the highest risk. In fact, just as enterprise resource planning (ERP) became the backbone of the system of transactions, and customer relationship management (CRM) became the backbone of the system of customer engagement, GRC will become the backbone of a system of intelligence.

THE PROMISE OF AI

Gunjan: What we may have considered science fiction is already happening! Artificial intelligence (AI) is changing the world as we know it, and GRC will be impacted too. Entire pizzas are being made using AI, and you can have personalized robotic chefs in your own kitchen, thanks to companies like Moley Robotics. Meanwhile, in health care, exciting advances are being made in predictive intelligence tools to diagnose and manage new diseases even before their symptoms are detected. I would not be surprised if future generations of GRC software have natively built AI algorithms that could perhaps discover risk automatically, or anticipate compliance behaviors and patterns based on machine learning. Many GRC tools are already incorporating capabilities such as predictive modeling, mind maps, and advanced visualization. But these are just baby steps. GRC teams and solution providers will need to collaborate, and collectively find ways of making AI a real asset in GRC.

Nearly 60% of organizations agree that regtech has improved their ability to handle anti-money laundering (AML), know your customer (KYC), and sanctions requirements. More than half are likely to increase regtech investments in the next 3-5 years.

- Dow Jones and SWIFT Global Anti-Money Laundering Survey Results 2017

REGTECH - THE PRIME FOCUS OF GRC INNOVATION

French: Just as biotech and fintech are driving innovation in the life sciences and financial services industries respectively, regulatory technology (regtech) will drive R&D investments among major GRC technology providers. The obvious leaders in innovation are AI technologies with their ability to extract new risk and cyber threat intelligence from large volumes of unstructured and structured data. However, other focus areas are also emerging. Soon, Alexa-like chatbots will allow GRC technology users to swiftly navigate applications, build reports, and uncover the relationships between risks and other data objects such as controls, performance indicators, processes, and assets. Hybrid human-machine scoring of third-party risks, including cybersecurity and financial risks, will enhance third-party onboarding and governance programs. Facial recognition will provide a new way to control data access and separation of duties. To gain a competitive advantage, GRC vendors will increase their investments in regtech, both organically and through acquisitions.

AUGMENTING HUMAN DECISION-MAKING

Brenda: Disruptive innovations in technology will strengthen risk management programs, and augment human decision-making with forward-looking risk insights. Cognitive and algorithmic risk intelligence (“what happened and why”) will give way to anticipatory and assistive risk intelligence (“what is likely to happen and what has to be done”). Aided and unaided machine learning will create business rules that drive intelligence. Advances in natural language processing will enable organizations to intuitively explore and analyze risk data on compliance, people, processes, applications, assets, and business continuity. These tools will intelligently connect to multiple data sources and databases, pulling together information, and extracting the insights needed by companies to make swift, risk-aware decisions.

THE CLOUD: TRENDS AND PREDICTIONS

Gunjan Sinha, Chairman | Dr. Vidya Phalke, CTO | Vibhav Agarwal, Director, Product Marketing

THE CLOUD IS THE FUTURE

Gunjan: The cloud will continue to change the economics of software across the board, including GRC. MetricStream has spent the last few years developing the next generation of GRC cloud infrastructure based on the latest technologies such as VMware and Docker, Amazon’s AWS, and the Google Cloud. The MetricStream GRC Cloud will use a multi-instance approach, moving away from the traditional multi-tenant architecture in which data is co-mingled. This means that customers will eventually be able to fire up various GRC app instances in near real time – whether it’s for internal audit, or enterprise risk management, or third-party management. Already, 80% of our customers are deploying their GRC apps on the cloud, and this trend will grow as more companies focus on lowering costs, and accelerating deployments.

HYBRID CLOUDS BECOME MAINSTREAM

Vidya: As organizations reach digital nirvana, and move their businesses onto the cloud, they will adopt hybrid cloud platforms as a way of “de-risking” their processes and applications against disruptions, and enabling rapid scaling. Some applications will be deployed on the private cloud, and others on the public cloud based on factors such as the business criticality, scalability, and responsiveness of the applications involved, as well as the level of sophistication and regulatory compliance demonstrated by the cloud service provider. A clear and specific cloud adoption strategy will be the cornerstone of the digital expansion objective.


MICRO DATA CENTERS AND NEW SECURITY PARADIGMS

Vidya: With more organizations adopting the cloud and the internet of things (IoT), organizational computing and its security paradigm will undergo another wave of metamorphosis. Propelling this change will be newer cloud architecture schemes such as micro data centers that will make it easier for companies to meet localized business and regulatory requirements. However, new risk and compliance related issues will emerge out of this change, driven by cybersecurity and data privacy concerns, business service level agreements, and regulatory pressures.

UPSURGE IN DATA PRIVACY REQUIREMENTS

Vibhav: New regulations such as the EU’s General Data Protection Regulation (GDPR) will amplify the number of data privacy requirements in the cloud. Organizations will be expected to go around their facilities and servers with a magnifying glass to identify the full scale of customer data storage and exposure. 2018-19 will see a major increase in software and other enabling systems to manage data discovery, data flow, and data access in a compliant manner. Organizations will also need to put customers at the center of their processes around data management, access control, and cybersecurity practices -- something that has been lacking till date.

REAL-TIME DUE DILIGENCE OF CLOUD SERVICE PROVIDERS

Vibhav: As hybrid clouds and micro data centers enable organizations to shift between cloud service providers, IT teams will adopt a more real-time and continuous approach to due diligence. They will increase their monitoring of cloud service providers to strengthen compliance with expanding cybersecurity regulations and internal policies. In addition, IT teams will look for standardized compliance frameworks such as the Federal Risk and Authorization Management Program (FedRAMP) to be part of their evaluation and management of cloud service providers.

35% of large-sized enterprises cited the cloud as having the most potential to disrupt IT risk management programs in the next three years.

- MetricStream Research IT Risk Management Survey

CYBERSECURITY: TRENDS AND PREDICTIONS

Yo Delmar, VP, GRC

BUSINESS RESILIENCE: THE #1 PRIORITY OF THE BOARD AND C-SUITE

To thrive in the digital age, organizations will be squarely focused on enhancing their ability to fight cyber-attacks with the help of sound risk intelligence and business continuity strategies. Technology partnerships will be formed to strengthen defenses and responses across the technology and cyber landscape. These partnerships, in turn, will require new industry standards to govern the exchange of structured or unstructured information, as well as the integration of systems. We will also see a common language emerge to support risk intelligence. While IT, security, and cyber processes operate at machine speed, they will increasingly be integrated into the operational risk fabric of the organization through workflows, alerts, and analytics. As this happens—as security and cyber processes are aligned with operational risk management, business resilience, incident management, and crisis management processes—organizations will build a sustainable, common risk taxonomy. This standardized nomenclature will support a meaningful dialogue around risk, and drive high-value analytics that, when acted upon, reduce risk.

BIG IMPACT BREACHES, BIG CONSEQUENCES

The Yahoo, Equifax, and Uber breaches impacted a large number of people, and saw long delays prior to disclosure. Delays mean a higher chance of sensitive and private information being misused, as well as greater costs of remediation. In the case of Yahoo, the company’s valuation was affected by the news of their breach - this has boards concerned about when and how to disclose security incidents.

THE THREAT OF NATION-STATE CYBER WARFARE

In 2017, nation-state “hacktivism” that uses social media to influence elections, entered public consciousness. It was a new twist on cyber war. We also saw telecom outages in large geographic areas, as if test runs were being executed to orchestrate the crippling of internet services in an enemy’s territory.

SIMPLE RANSOMWARE BECOMES HIGHLY DISRUPTIVE

In 2017, large segments of industries were forced to revert to manual processes after ransomware exploited known and easily fixed vulnerabilities using widely accessible commodity tools. The incidents were a wake-up call for organizations, prompting them to invest in basic security hygiene across their people, processes, and technology.

MORE BREACHES, BROADER RAMIFICATIONS

Breaches will continue to grow larger, and disclosures more delayed, especially in cases that might affect the valuations of companies that are being acquired or spun out. Large-scale breaches will also impact groups of facilities or upstream internet service providers that cover a wide geographical area. These incidents could take down a number of services.

THE DARK SIDE OF IOT

As driverless cars and other IoT and biometric technologies continue to proliferate, we will witness the first wave of security failures that bring life or death consequences. Manufacturers will be held to high standards of security, and will be required to ensure that their products are not vulnerable to security threats. Prescriptive standards will be adopted e.g. requiring that connected devices like smart TVs come hardened with strong and unique security settings that cannot be easily hacked. Broader regulations will be slow to follow the debate on how much technology should drive our lives.

The top four IT threats and risks that organizations have faced in the last two years are:

1. Malware infections
2. Security breaches
3. Compliance violations and regulatory actions
4. Account phishing

- MetricStream Research IT Risk Management Survey 2017


BACKLASH AGAINST CYBER SOCIAL ENGINEERING

We will see activists rallying to challenge how social platforms like Google, Facebook, and Twitter can shape our views, and influence public opinion in a form of predictive programming. Groups will organize to fight back for higher veracity tests on content and greater control over what information is served up and when.

INCREASING REGULATIONS FOR PRIVACY AND IOT DEVICES

We can expect to see more cybersecurity regulations around basic practices such as adopting unique passwords made up of random numbers for IoT devices. Industry standards and product regulations will be drafted, discussed, and adopted to help enforce these practices, and to prevent IoT abuse. Utilities, transportation, and health services will also witness increasing privacy and cybersecurity regulations. We’re already seeing the start of it with the EU GDPR. The year 2018 will see little tolerance for organizations that fail to comply with this new mandate and other privacy regulations.

NEXT GENERATION SECURITY TOOLS

AI and machine learning will become more mainstream in combating the increasingly complex threat surface and the growing incidence of attacks that now exploit multiple vectors simultaneously. By triggering orchestrated responses at machine speed, cyber teams will be able to fortify their defense strategies at each line of defense and the overall kill chain.

COMPLIANCE, CULTURE, AND ETHICS: TRENDS AND PREDICTIONS

Gunjan Sinha, Chairman | Shellye Archambeau, Former CEO and Current Board Member | Brenda Boultwood, SVP, Industry Solutions | John Palmiero, SVP, EMEA

THE CUSTOMER = THE NEW REGULATOR

Gunjan: With the increasing adoption of social media, the voice of the customer will grow louder than ever. Consumers will expect companies to follow standards higher than those dictated by regulators. We saw it happen at United Airlines when a video of a passenger being mistreated on a flight went viral, resulting in the #BoycottUnited campaign. We saw it happen when thousands of customers deleted the Uber app because they disagreed with the company’s practices. That’s the power of the collective voice of the customer. And companies will have to pay attention. They will have to consider the risks associated with what their customers feel, think, and believe, right at the center of their GRC programs. The more they put the customer first, the more value they will gain, and the better prepared they will be to meet the highest customer standards.

CULTURE IS CRITICAL

Shellye: Culture has come to the fore in the wake of multiple sexual harassment allegations, fraud, and accounting scandals at top corporate companies. It is no longer enough to have a few policies on paper. Companies have to walk the talk. They have to listen more, and talk less. Perhaps things at Wells Fargo might have been different if executives had listened to their employees, and understood the pressures they were under to meet sales targets. The point is that it’s important to build a work environment based on openness, as well as integrity, risk awareness, and accountability. Culture needs to be treated with the same importance as a company’s core products or services.

The majority of organizations (55%) are unaware of policy compliance violations that might have occurred in their enterprises.

- MetricStream Research Policy Management Survey 2017

RE-THINKING COMPLIANCE

Brenda: Regulatory compliance and financial crime compliance groups are beginning to see budget reductions, even while expectations remain that their jobs will be done well – managing the inventory of requirements, dealing with changes in these requirements at a citation level, assessing risks, handling policies and procedures, performing compliance control assurance, managing regulatory engagements, and centralizing issue and action management. For many groups, the solution to the compliance efficiency challenge has been workflow automation. However, teams are also realizing that they need a data model to drive data aggregation, group-wide compliance analytics, and collaboration. The benefits of better data models and better automation include improved reporting, compliance control rationalization, and greater accountability.

LOCAL REGULATIONS, GLOBAL IMPACT

Brenda: Brexit may see the UK leaving the EU, but issues of extraterritorial jurisdiction remain. Similarly, GDPR may be an EU regulation, but its impact is global since it applies to all data processors and controllers across countries that process the data of EU citizens. The US Congress is already considering “GDPR-like” data privacy legislation that will apply to the data of all US citizens globally. The bottom-line is that regulatory and legislative requirements, including their reach and penalties, are crossing geographical boundaries. A while ago, Taiwan’s Mega Bank was fined by New York’s financial regulator for anti-money laundering violations. This trend is likely to continue, and risk professionals will need to take note.

INTEGRITY: THE NEW COMPETITIVE DIFFERENTIATOR

John: The speed at which customer loyalties can change is forcing businesses to become more introspective, and look at their internal processes and governance practices. Consumers are choosing to buy from brands that demonstrate ethical behavior. Therefore, businesses must take it upon themselves to define and implement standards of ethics and integrity, and ensure that these standards are complied with throughout the enterprise. We will soon see a hugely disruptive internet-based company come unstuck because of consumer sentiment. For a long time, the company may have been able to act outside the boundary of regulations, banking on the massive support of customers who relied on the company for its convenient services. However, as more instances of unethical behavior at the company come to light – be it unvetted employees or hidden data breaches – that customer support is rapidly dwindling.

GDPR: TRENDS AND PREDICTIONS

French Caldwell, Chief Evangelist

THE APPROACHING TSUNAMI OF PRIVACY COMPLAINTS AND REQUESTS

GDPR gives EU citizens several new rights, including the right to rectification, the right to be forgotten, the right to restrict processing, and the right to object. As a growing number of EU citizens begin to execute these rights, organizations and government agencies, as well as data protection authorities, will find themselves largely unprepared to deal with the massive volume of complaints and requests that come their way. To avoid this hurdle, data controllers would do well to ensure that their organizations, as well as those of their third parties, implement effective case management processes. Similarly, data protection authorities should assess their complaint management systems and processes to ensure that they are capable of handling large surges.

THE GDPR PENALTY BLAST-OFF

By mid-2019, the first €1 million or greater penalty under GDPR will be levied. Usually, a new regulation comes with a period of adjustment where regulators decide on their enforcement priorities. However, with GDPR, data protection authorities are in a very public spotlight. Their reaction and response to the first few data breaches that occur will set the precedent for future enforcements – especially if there is a delay in the reporting of these breaches. Compared to the US, Europe has historically reported fewer data breaches, but that could change with the GDPR’s mandate on companies to report breaches within 72 hours of becoming aware of them. For data controllers and processors, the best defense is to implement robust data protection programs that are well planned and documented, well-tested, and audit-ready.

80% of firms will not fully comply with GDPR.

- Forrester Predictions 2018: A Year of Reckoning

RISK MANAGEMENT: TRENDS AND PREDICTIONS

Shellye Archambeau, Former CEO and Current Board Member | Gaurav Kapoor, COO | Brenda Boultwood, SVP, Industry Solutions

DISRUPTION AND UNCERTAINTY

Shellye: The world is grappling with increasing cybercrime, terrorism, extreme climate events, geopolitical shocks, and more. Within business as well, fundamental disruptions are taking place. No longer is success based merely on a company’s experience, size, or scale. Completely new market entrants like Uber or Airbnb are sweeping away the larger, more established competitors. That is the reality of the digital age. Every day, there are disruptive technologies emerging, more attractive cost models, and more engaging products and services. Companies will need to find ways of riding this wave of disruption and uncertainty, rather than being pulled under.

INTERCONNECTEDNESS OF RISK

Gaurav: Our markets, economies, and business networks have become so deeply interconnected that a single risk event can cause widespread disruption. We saw it with the Equifax data breach, Brexit, the migrant crisis, and various political upheavals that had implications that extended far beyond local boundaries. Risks themselves are becoming more interconnected; the World Economic Forum’s report on the top risks of 2017 emphasized how deep the links are between risks such as unemployment and social instability. Similarly, companies are realizing that compliance risks aren’t just compliance risks alone, but are also linked to reputational risks, strategic risks, and financial risks. Understanding these interconnections will be crucial to building risk maturity.

BALANCING HINDSIGHT WITH FORESIGHT

Shellye: Often, companies don’t see the risks and threats coming because they spend so much time looking in the rear-view mirror at what happened, instead of scanning the road ahead. That’s not going to work anymore. The risks and threats, as well as the opportunities, are increasing and evolving swiftly. If companies want to stay ahead, they will need to anticipate what’s coming, and make faster decisions. The way to do that is with data. When companies have the right data, the right risk intelligence at the right time, they can make faster, better decisions that drive exceptional business performance.

SHIFT IN RISK RESPONSIBILITIES

Brenda: In the past, internal auditors may have been called upon to help the second line of defense identify risks, particularly when resources were scarce. However, that is fast changing – as it should. Internal audit’s role, as an independent and objective assurance provider, is not to uncover or assess risks. They may certainly report risks that the management, board, or risk function might have overlooked. They may even champion the cause of risk management in the organization. But ultimately, the responsibility for risk and control environments falls to the first line of defense.

THE FIRST LINE TAKES THE LEAD

Brenda: As the risk takers of the organization, the first line is best positioned to own, understand, and manage the risks they take. Therefore, companies will increasingly push risk management down to the frontlines as they seek to move from a traditionally reactive and defensive risk management program to one that is proactive and agile. Meanwhile, the second line of defense will take on a more advisory and strategic role, defining and implementing risk management frameworks, and collaborating with the first line to challenge and strengthen risk-based decisions.

OPERATIONAL RISK MANAGEMENT IN THE SPOTLIGHT

Brenda: In the wake of recent cyberattacks, third-party data breaches, and money laundering incidents, operational risk management (ORM) has received renewed attention. Today, it functions almost as a microcosm of enterprise risk management (ERM) – one that seeks a broad view of operational risks across multiple risk types, including vendor risks, compliance risks, IT asset risks, fraud risks, and disruption risks. ORM specialists will need to find ways of bringing all these risks together in an integrated framework, and then applying analytics and data mining techniques to draw out the risk intelligence required by the business for its operational decisions.

63% of organizations report that shifting more risk management responsibilities to the first line has made their companies better at anticipating and mitigating risk events.

- PwC’s Risk in Review 2017

BACK TO THE BASICS FOR RISK DATA MODELS

Brenda: To strengthen compliance with BCBS 239, organizations will increasingly bring together the elements of their risk universe into a “single source of truth” which can then be mapped to the business universe, the compliance universe, and the audit universe. By building this tightly-knit, flexible, and centralized information model, stakeholders will have a clear picture of organizational risks, as well as the impact of these risks on each other and on business objectives, audits, compliance processes, and other elements. These insights, in turn, will enable the organization to react to the mushrooming of fire-drills around compliance with ease and discipline.

THE IMPACT OF THE LOWEST COMMON GRC DENOMINATOR

Brenda: Across an industry, reputations can be tarnished by one bad actor. Within a company as well, governance can be hampered by a single functional area that is unable to execute initiatives, and manage risks. In both cases, it is the lowest common denominator that grabs the headlines and casts doubt on others. When this is the case, it can also be true within a company that executives are hunkered down in their silos, producing data in their "stovepipes," and lauded for their local perspective on risk and initiative completion. However, this may not be a sustainable approach. CEOs need robust analytics across each business and functional group. They need strong data with consistent quality that can then be mined to identify emerging issues.

THIRD-PARTY MANAGEMENT: TRENDS AND PREDICTIONS

Sonal Sinha, VP, Industry Solutions

THE SILO PROBLEM

Too often, business lines, as well as departments such as sourcing, IT, and risk management, operate in silos, leading to a non-uniform and static view of third parties. The lack of a common taxonomy while onboarding third parties, conducting risk assessments, or monitoring third-party controls leads to an environment where the risks and information around these entities are relatively unknown.

PERFORMANCE TRACKING

Due to the sheer size and complexity of the supplier base, many organizations find it difficult to track third-party performance. While contracts contain service level agreements (SLAs), they at times do not have well-defined parameters for third-party evaluation and penalty clauses. As a result, the ability of organizations to measure supplier compliance and performance, and to hold suppliers accountable for issues and incidents, becomes limited.

ALIGNMENT WITH BUSINESS CONTINUITY MANAGEMENT

While companies may have well-defined processes to identify third-party risks, they often don’t have plans and systems in place to respond to and recover from a significant risk event such as a third-party data breach. The traditional method of conducting third-party assessments may provide insights into probable risks, but to be truly effective, it needs to be followed up with business continuity plans and measures which ensure that the organization is well-prepared to deal with and bounce back swiftly from a third-party risk event that does occur.

21% of organizations reported that their organizations faced risk exposure due to third parties in the last 18 months. Of those who shared financial impact data on the losses, 25% said that the loss impact was greater than $10 million.

- MetricStream Research Third-Party Risk Management Survey 2017

REGULATORY HURDLES

Third-party risk issues around sensitive areas such as data breaches, corruption, bribery, and misconduct are leading to increased regulatory oversight and fines. In the financial services sector alone, strict regulatory guidelines around third-party risk management and governance have been defined by authorities such as the Federal Financial Institutions Examination Council (FFIEC), the Office of the Comptroller of the Currency (OCC), the Financial Conduct Authority (FCA), the Monetary Authority of Singapore (MAS), the Australian Prudential Regulation Authority (APRA), and the Hong Kong Monetary Authority (HKMA), as well as New York’s new cybersecurity rules from the Department of Financial Services, the Foreign Corrupt Practices Act (FCPA), and the EU GDPR across various jurisdictions like the US, EU, Singapore, Australia, and Hong Kong.

RELIANCE ON CONTENT FEEDS

Organizations will increasingly seek timely risk insights on vendors in emerging technology areas such as cloud services. Many firms are looking to GRC tools to not only manage third-party onboarding, but also to monitor third-party risks based on the scores and data from multiple external content partners. These partners provide ratings on supply chain risks, financial risks, sustainability, cybersecurity, anti-corruption, and anti-bribery which can help organizations create a unified risk score for their third parties.

BRIDGING THE GAP

Effective supply chain management programs will be those that integrate the upstream and downstream supply chain, extending from suppliers, to internal operations, to logistics, and finally, customers. By linking these entities, organizations will be able to simplify data exchange, and improve visibility into their third-party ecosystem, thus enhancing their ability to identify and respond to third-party risk exposures.

CONTRIBUTORS

Shellye Archambeau, Former CEO and Current Board Member

Gaurav Kapoor, COO, MetricStream

Gunjan Sinha, Chairman, MetricStream

Brenda Boultwood, SVP, Industry Solutions, MetricStream

John Palmiero, SVP, EMEA, MetricStream

Yo Delmar, VP, GRC, MetricStream

Vibhav Agarwal, Director, Product Marketing, MetricStream

Sonal Sinha, VP, Industry Solutions, MetricStream

Dr. Vidya Phalke, CTO, MetricStream

French Caldwell, Chief Evangelist, MetricStream

CONTACT

© 2018 Copyright MetricStream. All Rights Reserved.

Email: [email protected] | +1-650-620-2955 | UK: +44-203-318-8554 | Australia: +61 2-8036-3130 | India: +91-(0)80-4049 6600