“Gone are the Days of Rigid Lines of Defense”

Key Insights and Trends from the MetricStream GRC Summit 2018

MetricStream’s 2018 Summit in Baltimore saw several hundred business executives, government leaders, GRC practitioners and industry analysts gather to talk GDPR, strategies and solutions for building better governed, more compliant organizations and more. Gaurav Kapoor, MetricStream’s Chief Operating Officer, shines a spotlight on some of the event’s key takeaways.

From June 3-6, several hundred business executives, government leaders, GRC practitioners, and industry analysts gathered at the GRC Summit 2018 in Baltimore to put forward strategies and solutions toward building better governed, more risk-aware and compliant organizations. We were privileged to listen to some of the best minds in business and government as they discussed how enterprises can effectively preserve their corporate integrity, protect their reputations and drive exceptional performance through GRC.

Here are some of the key trends and takeaways from the summit:

GRC as a Business Performance Driver

One of the recurring themes at the event was the shift in GRC from assurance function to business performance enabler. Advanced analytics and automation have enabled GRC professionals to play a more strategic role as partners to the business, empowering management teams and boards with critical intelligence to guide decision-making.

GRC is also increasingly being linked to top-line performance. For instance, companies are beginning to negotiate with their suppliers and vendors based on quality, risk and performance scores derived from their third-party governance programs.

On the cost side, there’s a big move toward optimizing business spend by rationalizing GRC programs across the lines of defense. Redundancies are being eliminated as the third line starts to leverage more of what is being done by compliance and risk functions, as well as the first line.

“We’re All in This Together:” Breaking Down Barriers Between the Lines of Defense

GRC doesn’t just happen in the second or third lines of defense – it really takes place at the first line, because that’s where the risk is, noted a CXO panel[1] at the summit. But even as risk responsibilities and ownership are pushed down to the front lines, there needs to be greater collaboration and dialogue across all the lines of defense.

Gone are the days of “checkers checking the checkers checking the checkers.” With greater audit fatigue and more lines of defense emerging, organizations must build a sense of partnership and cooperation where risk, compliance and assurance functions, as well as business units, work together toward creating common taxonomies, addressing key risks and issues and essentially moving away from a tick-box mentality toward one that is focused on the larger picture of business performance. That is key to creating a successful GRC program.

Turning GRC into a Profit Center through AI

While there has been a certain amount of trepidation around artificial intelligence (AI), many of the speakers at the summit argued for AI’s potential in amplifying the value of GRC functions and perhaps even turning these entities into profit centers.

Renee Murphy, Principal Analyst at Forrester Research, used the example of internal audit as she talked about how AI has the potential to alleviate audit paperwork by automatically pulling together and validating data from various systems of record (e.g., firewalls logs). Internal auditors are arguably the people in the organization who know the most about the company, she noted. With AI, they can really begin lending themselves to more strategic conversations, rather than spending most of their time manually gathering evidence.

Janardhan Cadambi, EVP of Transformation, Risk and Operations (LFI) at MasterCard, took the conversation further as he talked about how AI’s value can be understood in terms of “the 3Ds:” the ability to process huge volumes of data in a dynamic manner to make informed, practical decisions. The 3Ds, in turn, are achieved with the help of the 3Is: information processing, intelligence and insights. Together, they lead to the 3Ps: enabling organizations to preserve the integrity of their data across transactions, protect against cybersecurity and other data-related risks and, finally, find new ways of strengthening performance and customer satisfaction.

Avoiding the Normalization of Deviance

Keynote speaker Maj. Gen. Charles Bolden, Jr., Retired United States Marine Corps Major General and Former NASA Administrator and Astronaut, brought up the risk of “the normalization of deviance” – noticing that something in the enterprise isn’t quite right, but overlooking it because it hasn’t caused any trouble yet.

Over the last year, we’ve seen what happens when deviance is normalized – when a violation of sexual harassment policies is overlooked, or when a critical IT vulnerability isn’t patched on time. What starts off as a small issue can quickly snowball into a catastrophic problem with financial and reputational consequences. Building a comprehensive culture of risk awareness, accountability and mitigation will be key to keeping these issues in check.

GDPR: Technology Can Make a Big Difference to Compliance

At the summit, MetricStream released the findings to its latest survey report, GDPR: Are Enterprises Ready to Protect Personal Data? The majority of the respondents (55 percent) reported that they did not expect to make the May 25 GDPR compliance deadline. What’s more, less than 40 percent of the respondents indicated that their enterprises were prepared or fully prepared to manage complaints or inquiries around complex GDPR data subject rights such as the right to erasure, the right to restrict processing and the right to data portability.

Technology, however, appears to make a difference to compliance success. Fifty-three percent of the respondents who had implemented GRC solutions reported that they would be GDPR compliant by the May 25 deadline. Moreover, 70 percent of the respondents using GRC solutions indicated being either confident or highly confident that their data protection program would stand up to legal scrutiny by regulators and courts.

Better Cybersecurity through Better Collaboration and Consolidation

Many participants and speakers at the summit talked about cybersecurity risk as their number one business risk. Compounding the challenge are a growing cyberattack surface, rapidly evolving cyber threats and inconsistencies in cyber risk reporting and communication.

Having said that, significant progress is being made toward overcoming these challenges. Mark Kneidinger, Director of Cybersecurity & Communication, Federal Resilience at the Department of Homeland Security (DHS), talked about how federal agencies are reducing their attack surface by consolidating networks and using shared services. Risks are being communicated more effectively to management teams using common risk taxonomies developed with the help of the NIST cybersecurity framework. And finally, through greater collaboration and exchange of data between federal agencies as well as the private sector, there is better awareness and readiness for emerging risks and threats.

Performing with Integrity

MetricStream CEO Mikael Hagstroem talked extensively about trust and integrity being the bedrock of business success, particularly in a digital world without secrets. Everything organizations do today is under continuous scrutiny, not just from regulators and stakeholders, but also from a larger, hyperconnected society where people have tremendous computing and communication power at their fingertips.

In this world, businesses are judged and measured not only against financial metrics, but also — and perhaps more so — against how effectively they are able to meet social expectations of corporate behavior. As they rise to meet this demand, the role of GRC will be to not only manage known risks or monitor compliance with regulations, but also help organizations cultivate a culture of trust and integrity as the foundation on which they build satisfied clients, engaged workforces and successful brands.

To know more about the GRC Summit, visit https://www.grc-summit.com/us/2018/

[1] The CXO panel featured John Beeler, EVP, Chief Compliance Officer, Salesforce, Doug Watt, Chief Audit Executive, Fannie Mae, Eileen Fahey, Chief Risk Officer, Fitch Ratings, Steve Rampado, Partner, Deloitte & Touche LLP. Moderated by Gaurav Kapoor, COO, MetricStream