Over the past decade, fraud has evolved to become more sophisticated and systemized. Thankfully, innovations in technology now enable businesses to better combat fraud. But there’s a catch. Modern technologies also present new opportunities to cyber criminals, making fraud harder to detect and easier to commit. This raises the question – is digitalization making fraud easy? Find out ‘Through the GRC lens’ – January 2020. _____________________________________________________________________________________ Frauds are on the rise Frauds are increasing every year at an alarming rate. The Federal Trade Commission received more than 3.2 million reports of fraud in 2019. The 2020 Global Identity and Fraud Report reported significant indications that business concerns around rising fraud persist, with nearly three in five businesses concurring that fraud has increased exponentially in the past 12 months. Along with this increase is sophistication, scammers are also beginning to get extremely creative with their attacks. We recently witnessed the first case of CEO voice fraud using AI. An energy company in Germany, was cheated into allowing unauthorized transactions by mimicking the voice of its real CEO, reproduced using an AI software based on ML, to mislead the head of a UK subsidiary to transfer $220,000. The company managed to […]
The Changing Winds of Compliance As compliance teams strive to manage new regulations and technological advancements, here are some of the trends and headlines that made compliance news in November and December. In the face of changing business models, as well as new risks and dynamic global ecosystems, compliance as a discipline is rapidly evolving. Stakeholders rely on compliance teams to not only protect their organizations against regulatory penalties and legal liabilities, but to also strengthen reputation and credibility with customers. As compliance officers seek to demonstrate and enhance the value delivered to their organizations, the following are some key considerations. New Regulations While 2020 began with a focus on data privacy, here are some updates on other areas of compliance that made the headlines: Data Privacy: This month, the CCPA came into effect giving customers more control over their data. However, in a study by Ethyca, only 12% of 85 respondents believed they had achieved an adequate state of compliance readiness for the emerging regulated privacy landscape.An article in Forbes suggested that “Rather than looking at CCPA compliance as a chore, look at it as an opportunity to innovate your business practices and seek ways to regain a first-party […]
Do the risks of AI outweigh the benefits? Advancements in technology, especially in artificial intelligence (AI), are transforming GRC, leading to analytics-driven business tools with an emphasis on tackling future risk scenarios. But we still don’t have enough control over AI to give it up. Here are the technological developments in October – through the GRC lens. The mainstreaming of artificial intelligence is radically transforming how organizations approach digital transformation. AI is set to dominate enterprise agendas by augmenting decisions. Yet, practical concerns persist. According to an article in Forbes, “…while people will increasingly become used to working alongside AIs, designing and deploying our own AI-based systems will remain an expensive proposition for most businesses.” Interestingly, recent global research by Oracle, highlighted how AI is changing the relationship between people and technology at work, stating that, “64% of people trust a robot more than their manager.” The need for AI is also accelerating inside the GRC ecosystem. According to research by Capgemini, 69% of organizations believe they will not be able to respond to security threats without AI. The Big Question While we have compelling arguments to prove that AI is a boon for the digital age – is it […]
Rethinking Cybersecurity in a Disruptive Age With an increasing number of attacks in the market, despite more sophisticated cybersecurity solutions, many cybersecurity reports and surveys highlight why organizations need to rethink their cyber strategy and what’s in store for the future. – Here is what the media headlined through the GRC lens in September. As attackers get more relentless with the volume and speed of their attacks, cybersecurity defense must safeguard all possible points of the attack surface. A recent survey of internal auditors published in City AM, found – cybersecurity, regulatory change, and digitalization to be the top three risks faced by businesses across Europe. The shortage of cybersecurity talent exacerbates the cybersecurity problem in a complicated enterprise environment. Increasing cybersecurity resources According to CISO Magazine, cybersecurity has emerged as a primary investment priority for financial firms in the United Kingdom. Reports from a survey conducted by Lloyds Bank states that cybercrimes have jumped to the fourth position from the eighth place since 2018. Banks in UK are increasing their budget allocation to enhance cybersecurity capabilities at their organization, Computer Business Review reported. In another survey conducted by Infosys, targeting 867 senior executives representing 847 firms from 12 industries, […]
How safe is safe? With more than 3800 incidents reported so far, 2019 is proving to be the record year for data breaches. Despite best efforts, best practices and increasing awareness, these incidents continue to occur at an alarming rate.. 2019: A record year for data breaches According to the 2019 Midyear QuickView Data Breach Report, by RiskBased Security, “The first six months of 2019 have seen more than 3,800 publicly disclosed breaches exposing an incredible 4.1 billion compromised records.” Healthcare services was the single highest affected industry with almost 32 million patient records compromised in the first half of 2019. The report stated that, “the majority of breaches reported this year had a moderate to low severity score.” Data breach frequency and severity are increasing at an alarming rate, but while the big ones make it to the headlines, the smaller ones lose most of the money. The Capital One Breach In one of the worst data breaches in history, a hacker gained access to more than 100 million credit cards accounts and applications. The breach that happened in phases across March and April this year, only came to light this month, when someone warned a Capital One security […]
An entire nation gets hacked, Marriott and British Airways come under the radar and suffer huge GDPR fines, and Microsoft claims to have warned over 10,000 users of hacks, in the past year. As data governance becomes imperative, data ethics is increasingly becoming a valuable business driver. – Here are trending media stories in July 2019. 5 million taxpayers in Bulgaria get hacked A hacker broke into Bulgaria’s largest Tax database and accessed records of 5 million tax-payers in the country. According to Business Insider, “This hack is the country’s biggest-ever data breach and the government is fining the NRA 20 million Euros.” The hacker looted customers of their personal and financial data that included retirement pension information, addresses, incomes, photographs, names and more. The hack happened in June this year but remained undetected until a message from a Russian email address was sent to Bulgarian news outlets claiming responsibility for the attack in July. BIA, Bulgarian Industrial Association, had warned about possible flaws in the tax agency’s data protection system a year ago. Stanislav Popdonchev, Deputy Head, BIA now demands that detailed information about the leak should be sent to every person and company affected. British Airways and Marriott […]
Now in its seventh year, the GRC Summit hosted by MetricStream is one of the biggest and most anticipated events for GRC practitioners around the world. This year, the summit was held on June 2-5 in Baltimore, Maryland, bringing together over 450 GRC and business leaders to talk about the latest trends and opportunities in GRC. It was an incredible four days of learning, discovery, and collaboration—topped off by an exclusive cruise, as well as a glittering awards ceremony. Here are some of the top highlights from the summit: Integrity Front and Center In keeping with the theme of the summit—”Perform with Integrity™”—many of the speakers pointed out that financial performance is no longer the sole indicator of success. Trust is what really drives business today, and integrity is what drives trust. MetricStream CEO, Mikael Hagstroem talked about building integrity by fostering a sense of compassion in the way we approach customers, the way we treat employees, and the way we shape the future of technology. “Successful performance—be it an individual level, an organizational level, or a global level—begins with a spark of passion that, when guided by integrity and compassion, helps us improve the human condition, and enable a […]
A few weeks ago, MetricStream was awarded “GRC Product of the Year” at the 2019 Risk Technology Awards hosted by Risk.net. It was a strong validation of MetricStream’s mission to help organizations “Perform with Integrity™”. Through our GRC platform and solutions, customers are able to effectively understand and manage the interconnectedness of their risk environment, while deriving actionable risk insights for business decisions. Why GRC Matters More Today Than Ever Before Over the past year, multiple financial services organizations have faced penalties and fines from regulators for facilitating money laundering, manipulating customer accounts, and mishandling security trading. Meanwhile, serious IT meltdowns and cybersecurity incidents have severely impacted brands and reputations. Added to that, operating markets and business models are continuously being disrupted. To stay ahead of these risks—both “known” and “unknown”—in an increasingly hyperconnected, fast-changing world, organizations need timely risk insights that can help them make swifter and better business decisions. They need to be aware of how a potential incident enhance their risk exposure. These objectives are best achieved with a strong governance, risk, and compliance (GRC) foundation. What Differentiates MetricStream’s GRC Offerings We believe that there are several factors that led to us winning GRC Product of the […]
Google runs into trouble yet again with regulators in the EU, the SEC accuses Volkswagen of carrying out “a massive fraud,” and the FTC launches an inquiry into the privacy practices of large internet service providers — see March 2019 through the GRC lens. Google Is Fined $1.7 Billion in the EU for Antitrust Violations Google ran into fresh trouble with European regulators over its unfair advertising rules and was fined $1.7 billion in March, bringing the total cost of penalties incurred by the search giant in the continent to over $9 billion. The latest enforcement action from the European Union (EU) relates to the unfair terms that the Silicon Valley titan imposed on companies that used its search bar on their websites in Europe, reported The New York Times. According to The Guardian, the terms of the Google contract stopped publishers from placing search ads from the tech giant’s competitors on their results pages, and forced them to reserve the most profitable spaces for Google’s own ads. The contract also required companies to seek a written approval before making changes to how rival ads were displayed. Volkswagen Is Accused of Large-Scale Fraud by the SEC The US Securities and Exchange […]
Silicon Valley giants face greater scrutiny from a new antitrust watchdog, UK companies under fresh pressure to include more women on their boards, and Europe uncovers deeper links in the Danske Bank money-laundering scandal — here’s February 2019 through the GRC lens. The FTC Sets Up a New Antitrust Task Force to Monitor Big Tech Under pressure from the public and politicians to rein in the unchecked power of tech titans, the Federal Trade Commission (FTC) announced in February that it was launching a new task force to investigate potential antitrust violations in the tech sector, signaling tougher regulations for Silicon Valley. “The role of technology in the economy and in our lives grows more important every day…it makes sense for us to closely examine technology markets to ensure consumers benefit from free and fair competition,” said FTC Chairman Joe Simons. According to The Wall Street Journal, the task force will have a broad mission that includes re-examining past mergers and potentially unwinding deals that are found to be anti-competitive. UK Investor Body to Apply a Red Alert to Companies That Lack Women on Their Boards In a move to bolster gender diversity in the boardroom, the Investment Association (IA), […]
We’re at a time when boards are under increasing pressure to stay in step with disruptions from technology and other forces that constantly threaten established business models. Can the millennial perspective help the board better understand the changing environment and create new opportunities for innovation and growth? We take a look. In the Boardroom The leadership consulting firm SpencerStuart says that “next-gen directors” are being appointed to boards around the world to bring in expertise in areas ranging from cybersecurity, AI (artificial intelligence), and machine learning, to digital transformation and social communication. Inevitably, experts in these disciplines are from a different generation than the majority of existing board members. Just as gender diversity in the boardroom encourages different viewpoints, and enables the board to have a broader view of the business, generational diversity can also give organizations an edge over traditional competitors. Starbucks took a bold step in this direction in 2011 when it appointed then 29-year-old Clara Shih, CEO of Hearsay Social, to its board. Other companies with younger board members include Coca Cola which has 37-year-old Caroline Tsay and Walmart with 37-year-old Steuart Walton. Why Root for Millennials? This tech-savvy demographic is filled with expert multi-taskers, able to digest […]
A Chinese tech giant faces criminal charges in the US, a major bank in India fires its CEO, and an embattled Silicon Valley titan beats Wall Street estimates — here’s January through the GRC lens. Huawei Faces Criminal Charges in the US Federal prosecutors unveiled a host of charges against Chinese telecom giant Huawei and its chief financial officer Meng Wanzhou in January. The prosecutors alleged that the company stole trade secrets, obstructed justice, and committed bank fraud in an effort to circumvent the sanctions against Iran. In one indictment, prosecutors accused Huawei and its top financial officer of misleading banks and US investigators about its relationship with a longstanding affiliate in Iran, Skycom. According to reports, Huawei falsely claimed that it had sold off its interest in Skycom when in fact it controlled the company. Huawei’s American subsidiary then destroyed evidence and moved witnesses with knowledge of Skycom from the US back to China. Another indictment by the prosecutors revolves around the theft of trade secrets related to a robotic device called “Tappy,” made by T-Mobile, according to The Wall Street Journal. The Wired reported that if Huawei is convicted of all charges, it faces problems bigger than just fines. […]
Rising global concerns over the concentration of power in the hands of Silicon Valley giants do not seem to have dimmed the tech hub’s ambitions. But with the problems now growing too big to ignore, are regulators gaining momentum? Silicon Valley’s New Offering While Silicon Valley’s leading tech companies may have had many differences in the past, they have always agreed on one thing: tech is a force for good. And making the world more open, connected, and accessible can make it a better and more prosperous place. From driverless cars to smart homes — tech today is everywhere, with the potential to grow even further. But making the world easier for us to navigate digitally or otherwise, and giving us the ability to connect to masses around the world in an instant, comes at a cost. Earlier, we were sold a snazzy gizmo, urged to sign up with the hottest social media channel, or use an app that would make our lives easier. But lately, we’ve become aware of the fact that one of Silicon Valley’s newest offerings isn’t just a device, a popular social media channel, or an app. It is you and I — our data. […]
A litany of disruptions and corporate scandals in 2018 showed that while making profits, organizations will be held responsible for their actions in an increasing shift towards more ethical business practices Last year did not turn out to be great for businesses: there were mounting data privacy concerns around the globe; cyberattacks continued to hobble cities and disrupt business operations in the US; and Brexit uncertainty left UK industries worried. Meanwhile, shocking bank and corporate scandals sparked renewed regulatory interest in Europe, India, and Japan. Amidst these larger issues, several new laws and regulations came into effect, adding to the complexity of an already challenging business landscape. With so much that happened over the past year, here are some of the events and stories that stood out: 1. Marriott’s Colossal Data Breach The hotel chain’s disclosure of a massive data breach in November, which revealed the personal details of hundreds of millions of guests, saw the company’s stock price plummet by 5.6%. The security incident, reportedly perpetrated by state-sponsored Chinese hackers, made its way onto the list of the largest ever data breaches in history, coming second only to Yahoo’s 2013 incident where the personal information of 3 billion users […]
8 Key Takeaways from the GRC Summit 2018 – London The GRC Summit on Nov 12-13, 2018 provided a forum for business and government leaders from around the world to discuss, debate, and learn about the latest trends and best practices in GRC. Based on the theme “Preserve. Protect. Perform,” the summit featured a range of inspiring keynotes, expert talks, customer success stories, and panel discussions on topical issues such as Brexit, cyber resilience, corporate integrity, and culture. Key Takeaways The biggest driver of cyber risk? The emergence of a commodity market in hacking A decade ago, if you wanted to hack into someone’s system, or even conduct a simple denial of service attack, you had to be reasonably skilled. Today, you can simply buy a tool—or better still, a managed service to do it for you at a very limited cost. This rapid rise of a commodity market in hacking has made it easier than ever for criminals, disgruntled employees, nation states, and other malicious actors to attack organizations and nations where it hurts most. For more insights, watch this fascinating keynote by Robert Hannigan, Former Director of the UK’s Government Communications Headquarters (GCHQ). GRC isn’t just about the […]
Marriott’s massive data breach, Nissan chairman Carlos Ghosn’s arrest, and the CEO exit of Walmart’s India acquisition — here’s a round-up of November’s top GRC news headlines. Marriott Discloses One of the Biggest Data Breaches in History November saw yet another data breach. This time, it was the hospitality industry that fell victim to hackers — The Wall Street Journal reported that a data breach at one of Marriott International’s M&A ventures, Starwood properties, may have exposed the personal details of up to 500 million guests. The colossal breach — second only to Yahoo’s 2013 incident that saw the personal information of three billion users stolen — included sensitive details such as passport numbers and payment-card numbers in addition to addresses and travel details, reported the Journal. In an investigative report from the Journal, security experts weighed in on the data breach saying that Marriott could have done more to investigate a 2015 incident to find hackers that lurked in their systems. Unsurprisingly, Marriott will face scrutiny from regulators around the world. A fine in Europe may be likely with the European Union’s tough new data protection law, GDPR. Nissan’s Chairman Carlos Ghosn Is Arrested in Japan for Under-reporting His […]
Google’s failure to disclose a data breach, California’s tough new laws on corporate governance and net neutrality, and Silicon Valley’s #MeToo — here’s a round-up of October’s top GRC news headlines. Google Fails to Disclose a Data Breach At the height of Facebook’s Cambridge Analytica scandal, when the social media giant faced widespread backlash for its misuse of personal data, another Silicon Valley giant found that it had inadvertently exposed the private data of hundreds of thousands of users through its relatively lesser known social network. Fearing that the disclosure of such a breach would immediately invoke comparisons to Facebook’s disastrous liaison with Cambridge Analytica, and prompt scrutiny from regulators, the tech giant instead chose to quietly fix the issue. But things didn’t quite go as planned: a damning report by The Wall Street Journal in October revealed that a software glitch in Google’s social network, Google+, gave developers access to the personal data of nearly half a million users, including full names, email addresses, birth dates, gender, profile photos, places lived, occupation, and relationship status. The report also mentions an internal memo from Google which talked about the possible repercussions that the company would face if the breach was […]
Facebook’s largest ever data breach, Britain’s unending Brexit woes, and Europe’s $200 billion bank scandal — here’s a round up of last month’s top GRC news headlines. Facebook in Trouble Yet Again Facebook announced in September a major data breach affecting 50 million users. The breach was the biggest ever of its kind in the company’s 14-year history and reportedly allowed hackers to use people’s account as their own, permitting them to post and read private messages of users. It was also the first time that the social media giant disclosed a major data breach since the European Union’s (EU’s) strict new data protection law, GDPR, came into effect. The Guardian reported that Facebook could face up to a $1.6 billion fine if it is found guilty of violating GDPR. Facebook said that it had logged out 90 million users from their accounts as a precautionary measure, invalidating the “access tokens” which was used by hackers to bypass the social network’s existing security measures. The hack also raised questions about the security of the company’s single sign-on feature, Facebook Login, which allowed users to access other apps and websites through their Facebook credentials. While Facebook said that it had found […]
Privacy concerns around smart home speakers, the tech industry’s continuing woes, and corporate activism on significant issues — last month’s top headlines in the GRC space point to a growing range of governance and risk challenges The Problem with Smart Home Speakers The latest trend of using smart speakers such as Google Home and Amazon Echo can expose users to hackers who target unsecured devices to listen in on private conversations. The Telegraph reported in August that a doctored Echo speaker can be used to gain access to other Echo devices, offering criminals the opportunity to not only spy on conversations, but also take over the device. Privacy concerns around always-listening digital assistants have persisted. And as more and more devices are connected to the internet—some with little, if any security—the problem is bound to grow. In an interview with TechRepublic, Caleb Barlow, IBM Security Vice President said that there were more connected devices than people on the planet, and that we have to shift our thinking now about how we manage the security of iOT devices. It remains to be seen how the tech giants address these privacy and security concerns as they seek to innovate in their product […]
Today, growing advances in tech and wide-spread social media reach has given us greater conveniences and powerful platforms to voice our opinions. However, these highly engaging devices and services, and the cutting-edge tech that support them, also have their flip side — they are addictive, bring in unknown risks, and in a hyperconnected world, have increasing influence on public opinion. Not surprisingly, a new cultural movement is taking shape to combat tech addiction and ensure that social media platforms and tech are used ethically. What are the implications of this cultural zeitgeist, and can organizations afford to sit on the fence on divisive issues for the sake of popularity and profit? We explore. The Growing Emphasis on Ethics Facebook’s fake-news and data-privacy scandals highlighted the real-world influence that social media platforms wield in state affairs. The scandals sparked a public outcry about the company’s ethics, eventually leading to a Congressional hearing, and more recently, to the single biggest loss in stock market history as the social media giant admitted that the scandals were beginning to hurt its business. While the US was reeling under the revelation that its election results may have been influenced through Facebook, the European Union (EU) […]
As we witness some of the key news headlines in recent years – the Volkswagen emissions scandal, the Wells Fargo account fraud and the Uber crisis – to name some that are top of mind, I wonder what role technology could have played; not just to address the issues, but also to prevent such situations from occurring in the first place. I’ve sometimes been told these are ‘corporate culture’ issues and ‘technology’ cannot do much at all. However, I disagree. The foundation for culture is laid out in the core values and tenets of a company. When a company is small – these messages can be easily communicated by verbal and non-verbal methods – and if issues surface, they can be handled quickly. However, as a company scales and grows, a lot of that shorthand needs to start getting codified into the way the business operates. The natural place for this codification is in its vision, mission, policies, training, controls, compliance, and risk management practices – in other words, the essence of GRC (governance, risk, and compliance) thinking. It is by using these essential components, and by constantly refreshing them, that one creates a sustainable machinery to help preserve the […]
June 2018 offered startling lessons in governance and compliance Silicon Valley has of late faced an important concern – increased scrutiny from regulators over its business practices. This June, some of the Valley’s tech giants, including Uber, Google, and Intel faced questions around their ethics and principles which revealed interesting aspects of Silicon Valley’s corporate culture. Uber’s culture seems to be changing under new CEO, Dara Khosrowshahi. In less than a year, Dara has orchestrated a remarkable turnaround at the company: settling a prolonged and messy lawsuit with Waymo, winning back Uber’s operating license in London, and doubling down on ethics to rein in its combative culture. With leadership lessons aplenty, how successful will he be in his efforts to take Uber down a different road? Only time will tell. For Google, however, the emphasis on ethics and integrity came from a different source. Caving into pressure from employee activism, Google decided not to renew its contract with the Pentagon, and its CEO, Sundar Pichai, outlined the principles governing the company’s development of artificial intelligence on Google’s official blog. While the news of Brian Krzanich’s departure from Intel made little difference to the company’s stock value, the larger implications remained: […]
There’s a new first line of defense in the workplace. Gen Z is entering the workforce in droves, and will soon make up almost a quarter of the global working population. They will be the ones at the frontlines of the enterprise, managing risks every day in their business transactions, decisions, and interactions with customers. In some respects, Gen Z-ers are similar to their predecessors, the Millennials. But they also come with distinctive values, attitudes, and of course, risks that GRC teams would do well to be aware of, if they want to effectively harness the potential of this new demographic in building well-governed, risk-aware enterprises. Gen Z Is Highly Tech-Savvy Gen Z employees are the first truly digital natives. To them, smart phones aren’t just devices, but a way of life. In fact, the majority of Gen Z now communicates more digitally than in person. They expect information to be delivered instantly, visually, and in bite-sized chunks. They’re also big on personalized digital experiences and apps that can predict and provide what they need. Engaging this new demographic in GRC might require a rethink of existing GRC tools and processes. Are spreadsheets the way forward for a mobile-first generation? […]
I was on a call the other week with the Enterprise Risk Manager of a relatively sizable multi-national corporation (over 20,000 employees across a few hundred locations on nearly every continent), and she said something that got me thinking. She said, “For us, right now – Excel is good enough.” I responded by saying that “I understood,” we discussed a few other topics on the call and hung up. It wasn’t until afterwards that I realized how much her view about Excel took me aback. As an enterprise software sales professional, I believe in companies moving to automation. But the reason the statement took me aback was because I realized that this might be a common mindset across many people and firms. How many other people think, “Excel is good enough”? A Senior Manager on my team, Mark Winey, was also on the call. After the meeting we spoke, and he reminded me that one of my first roles was in Operational Risk Reporting and Monitoring (R&M), so I should be able to understand their perspective. I began to reflect on this. Earlier in my career, my team had built out the firm’s first op risk and control R&M function […]
Trending in GRC News Stories: GDPR What do the following events have in common – WhatsApp updating its minimum age of use in Europe, Facebook asking you to review how you are targeted with ads, and Google restructuring its cash-cow ad business? It’s General Data Protection Regulation (GDPR) – the European Union’s (EU’s) landmark data privacy regulation. GDPR gives EU citizens multiple digital data rights, perhaps the most important one being the right to be forgotten. But today, our every search, click, and swipe leaves an online trail through web caches and cookies. There are millions of smartphone apps that gather the personal information of users every day. And tech giants collect massive amounts of data on consumers which they monetize through their ad business. In this digital data-driven age, the task of anonymizing the information of users can not only be challenging for companies, but also costly. GDPR is slated to come into effect on May 25th, leaving Europe-based companies, as well as those in other countries that handle the data of EU citizens, scrambling to get their data protection measures and controls in order. Companies that mishandle data, and fail to comply with GDPR run the risk of […]
Blockchain needs no introduction. It has given rise to many benefits such as “keyless” signature systems and the ability to track thanksgiving turkeys from farm-to-table. But arguably, the most disruptive manifestation of blockchain technology is cryptocurrency. While the idea of having a digital currency that can be created by anyone, freely sourced, and unregulated by a central authority has been around since the 80s, it has failed for one reason or another — some due to regulatory crackdowns, and others due to the unavailability of a truly secure virtual mode of transaction, sans third parties. So, what’s different this time around and what does it mean for the future of the financial world? We’ve seen many technological disruptions succeed only when the time was right. Take Uber for example: A Silicon Valley company that has become synonymous with the service it offers — you no longer take a cab or a taxi, you take an Uber. But cars and drivers were around long before Uber even existed. So, what was the magic ingredient that made a service so seemingly simple and ubiquitous, worth over $72 billion today? It was the advent of the smartphone revolution and the penetration of high-speed internet on mobile devices. This […]
With a major data privacy scandal involving Facebook, a crippling ransomware attack on the City of Atlanta in the US, and a $2 billion fraud at Punjab National Bank in India, we take a look at some of the biggest news stories that have dominated the GRC space in the first few months of 2018. The Data Privacy Conundrum: Facebook and Cambridge Analytica Mark Zuckerberg, Facebook’s CEO, recently testified before Congress on the alleged harvesting of personal data by Cambridge Analytica – a third-party data analytics firm – to influence the 2016 US elections. The scandal, which reports say involved the personal data of more than 70 million Americans, has led to a public outcry, prompted #deletefacebook, and shaved off over $80 billion from the company’s stock value since the incident was uncovered. The social media giant may also be at risk of hefty fines for possibly violating an FTC privacy deal. With public trust in Facebook diminishing, the company has had to postpone the launch of its smart speaker for a “better time.” Atlanta Cybersecurity Incident: Cyber-Attacks Continue to Grow More Potent After WannaCry and NotPetya last year, cyber-attacks have intensified – this time, it was the City of […]
The OpRisk North America conference was disrupted by an operational risk — a late season snow storm that has snarled transportation and complicated travel plans in the mid-Atlantic and Northeast, but most attendees and speakers chose to go forward, and I’m glad they did since conference has given me a big ‘aha’ on emerging risks. Cyber risks and cyber compliance. In almost every session presenters and the audience have cyber risks as the dominant operational risks. While for years, GRC experts have highlighted that with the increasing dependence of business models on digital technologies, cyber risks and cybersecurity strategies would become a critical element of strategic business planning. Well, now those forecasts by experts have proven out, and chief risk officers are incorporating cyber risks into their risk management strategies. Cyber compliance is also emerging as a critical discipline of overall enterprise compliance management. From a regulatory standpoint, with the emergence of digital business models, businesses are also grappling with increased oversight from regulators. Almost all U.S. states have data breach notification laws. The first state to regulate data breach reporting was California which requires notification of consumers for any breach that affects more than 500 customers. Maryland requires notification […]
Are Policies and Training Programs the Answer? February 19 marked a year since Susan Fowler lifted the lid on sexual harassment at Uber, setting in motion a series of events that would reach a tipping point with the Harvey Weinstein exposé, and culminate in the #metoo and #timesup movements. Since then, thousands of women have come forward with their #metoo stories, revealing just how pervasive and ubiquitous the problem of sexual harassment really is. We often tend to think of harassers as lone wolves, acting of their own accord. But the fact that men like Harvey Weinstein were able to allegedly get away with their actions for decades points to a deep culture of complicity – one where sexual harassment is allowed to thrive because people around its epicenter choose to turn a blind eye to it, or fail to address it with the seriousness and urgency it deserves. That brings us to the question — how can we do a better job of preventing sexual harassment in our organizations? How do we create safer work environments where women and men are treated with dignity, and are unafraid to speak up when witnessing or being subject to inappropriate behaviors? For […]
First it was Equifax with over 140 million accounts compromised. Then it was the SEC whose EDGAR public-company filing system was breached. Then came Deloitte who revealed that hackers may have accessed the sensitive details of several blue-chip clients. Apparently, no one is immune to a cyberattack any longer—not even the regulatory watchdog that’s been telling corporate America to get its cybersecurity act together. All three attacks are a stark reminder of how little it takes for cyber barriers to be breached. Look at Equifax, for instance. Here’s a company that, according to an investigative report in Bloomberg, had invested millions in state-of-the-art security measures, implemented anti-intrusion software, and established a dedicated team to patch vulnerabilities quickly. But then they failed to notice and fix a flaw in their backend software, leaving the door open for attackers to trigger one of the most staggering cyber heists in recent memory. Of course, the problems at Equifax run a lot deeper than a simple patch failure. Bloomberg provides a fascinating account of some of the events at Equifax that may have culminated in the data breach, including the departure of key security personnel from the company over the last few years. What […]
The need for artificial intelligence (AI) in IT governance, risk and compliance (GRC) is growing quickly. As companies expand their digital footprints, cybersecurity vulnerabilities worsen due to an increased amount of data being produced from IT security monitoring and performance tools. At its recent Ignite 2017 conference, Microsoft revealed its plans for further incorporating artificial intelligence (AI) into its various offerings. For example, the company is embedding AI in Excel to assist with automatic determination of different types of entries – Excel will be able to go beyond automatically differentiating between text and numbers to being able to identify the type of text utilized. Since the program will be able to better identify types of text – for example, differentiating between objects, corporations and people – it also will be able to discover relationships within and between data sets. A recent report issued by MetricStream found that AI has already taken the step of improving the discovery of data relationships in governance, risk and compliance (GRC). For instance, if a risk assessor creates a link of a risk to a business objective, an auditor identifies a relation of a risk to a control, and an IT security manager identifies a […]
What three mega-trends are shaping business actions and objectives, and how can they impact GRC professionals’ roles? In the 15 years since the term governance, risk and compliance (GRC) was coined, a lot has changed. Once managed as separate initiatives, the three processes are more entwined than ever and are playing a prominent role in helping organisations to achieve performance and growth. The business landscape is consistently evolving and businesses are becoming increasingly savvy in order to overcome new sets of risks and challenges. Of course, with increased risks come opportunities, and organisations are turning to GRC professionals to guide them. Not only are they being called upon to oversee compliance and rein in wild risk-taking, but they are expected to drive the business forward. These professionals are uniquely positioned to help businesses seize more opportunities by empowering them with the risk and regulatory intelligence they need to make better decisions. See also: Come together – a federated approach to GRC and risk management In short, it’s an exciting time to be in the GRC space. Here are three mega trends that GRC professionals need to keep in mind in order to continue driving high performance. Trend #1: Consumers are […]
When governments suffer data leaks, the traditional fallout of breaches are combined with political scandal – the impact is multiplied and scrutiny magnified. Questions are asked around why information was withheld or, if announced soon after discovery, why it took so long to uncover. Just as a business suffers reputation damage after a breach, the Swedish Government faces a real struggle to regain citizens’ confidence. So far two government ministers have been sacked, and the investigation into the handling of sensitive government data on its citizens and national security is expanding. If at all possible, rebuilding trust will involve the removal of some high-profile ministers, and Anders Ygeman, the country’s home affairs minister, and Anna Johansson, the infrastructure minister, were the first to hand in their resignations. This and other recent third party breaches challenge the assumption that data is safer with service providers. Organizations often outsource IT functions as expert companies are seen to have better infrastructure and cybersecurity features. They have economies of scale as well as the economic incentive of ensuring that data remains secure – they lose business if it doesn’t. Yet, what appears to be lost on some organizations is that when you outsource or put […]
In an article titled, What Makes Work Meaningful- Or Meaningless by Catherine Bailey and Adrian Madden (MIT Sloan Management Review, Summer 2016), the authors focus upon what makes our work meaningful, with research conducted across multiple industries and responsibilities. While their findings are presented as relevant to the overall workforce, the compliance implications are significant and worthy of discussion. In sum, meaningful work, which can be “highly motivational, leading to improved performance, commitment and satisfaction” is not easily achieved, and tends to “be intensely personal and individual.” It is not derived entirely from the workplace experience, but is often a part of how employees “see their work and its wider contribution to society in ways that matter to them as individuals.” In other words, it’s related to how an individual views their work as part a greater contribution to society outside the workplace. However, the opposite is not true- in that meaninglessness, which drives a sense of “futility” in the workplace, is almost entirely derived from the organization and the behavior of its leaders. So, what are the features of meaningful work? Common characteristics include: Self-Transcendent: Where employees experience their work as “mattering to others more than just to themselves.” In […]
Year after year, the MetricStream GRC Summit grows bigger and better! This June 4th-7th, we assembled an incredible lineup of speakers at the Gaylord National Resort in the Washington DC area. These experts, along with industry analysts, and MetricStream customers, employees, partners, came together to empower decision-makers across industries with the right risk and regulatory intelligence to help them stay ahead of the competition. On the first day of the event, MetricStream CEO, Shellye Archambeau opened the summit by highlighting that in our increasingly disruptive world, organizations are looking for GRC champions – people that have the knowledge, skills, fortitude, and tools to drive the business forward. This was followed by an enlightening keynote by Gordon Smith, CEO of Chase Consumer & Community Banking, who highlighted and emphasized on keeping things SIMPLE and to look at everything through the customer point of view. The event also featured award-winning journalist and Managing Editor (US) of Financial Times, Gillian Tett who spoke about the need to break down silos by using data more effectively. We also heard from David Laufman, Chief, Counterintelligence and Export Control Section at U.S. […]
Recently, I did an interview with Bloomberg Newsweek on the WannaCry ransomware attack that affected over 200,000 computers around the world. The attack shutdown parts of the U.K. National Health Service leaving thousands of people without access to healthcare services, and resulted in Renault’s assembly lines being shut down in France among other things. Newsweek picked up on my most sensational comment in the interview which was, “People have to die or lose lots of money before government steps in to regulate.” And that’s true – and has been true for over 100 years. In the late 1800s, when railroad accidents were taking lives, the government finally interceded with safety rules. When food poisoning became common with bad meat and processed foods in the early 1900s, the government stepped in. With the Great Depression in the 1930s, government interceded with new rules on financial reporting. Loss of life and money are the primary rationale for new regulatory regimes, and over time those regimes grow and flourish. Whenever a major cyberattack happens, one the most common questions I’m asked by reporters is whether the government will institute new regulations. In the U.S. and in most other democracies, the answer appears to […]
Mitigating Cyberattacks New tools and technologies help companies in their drive to improve performance, cut costs and grow their businesses but as companies adopt cloud services in greater numbers and refine internal processes for development and operations, security considerations must be front and center. As companies rapidly adopt Cloud with a DevOps approach to rapid response to business they must revisit security plans to confirm they are still effective in preventing and handling cyberattacks, making adjustments where needed. In certain industry segments this situation becomes more acute with Internet of Things (IoT) due to the nature of how these are operated and traditionally secured. To succeed at this, companies need to create the right environment for a cybersecurity culture and utilize automation technologies to protect and preserve data, operations and applications. Cyberattacks are increasing in number and sophistication. For many security professionals and heads of business it is no longer a case of if something will happen, but when. In fact, according to Alert Logic and Crowd Research Partners, over half of cybersecurity professionals expect there to be successful cyberattacks on their organization in the next year. Consequently, a third intend to increase security spend on cloud infrastructure and over a quarter […]
RANSOMWARE CYBER-ATTACKS “WanaCrypt0r 2.0” or “WannaCry,” an unprecedented global ransomware cyber-attack recently hit over 200,000 banking institutions, hospitals, government agencies, and other organizations across more than 150 countries. The ransomware encrypted user data, and demanded a payment in bitcoins to unlock the data. The companies that were hit included Telefonica – Spain’s largest telecom provider, more than 16 hospitals in England’s National Health Service (NHS), US package delivery company – FedEx, and many other high profile targets. Across the world, cyber-attacks are on the rise. CSO magazine cited the FBI as saying that $209 million had been collected in ransomware payments in the first quarter of 2016 alone. These attacks illustrate how unprepared most organizations are to counter the growing menace of cyber threats. Many large organizations still use unsupported or older versions of software, encounter significant delays in patching vulnerabilities, and perform fewer automated backups, thereby putting themselves at grave risk. As the scale and impact of cyber-attacks grow, it is imperative for CIOs, CISOs, and other business leaders to diligently address basic areas of cybersecurity to avoid disruptions in their critical business operations. KEEPING CYBER THREATS IN CHECK Detecting covert cyber threats lurking in enterprise networks, and orchestrating […]
Third parties have become an integral part of any business operation. However, the threats and issues arising from third-party engagements require enterprises to gain an in-depth understanding of their entire global third-party ecosystem. Failing to curb third-party risks can lead to severe reputational damage and loss of stakeholder and customer trust, but assessing third parties can be resource intensive. On the other hand, establishing a robust and automated program to continuously monitor and assess third parties enables organizations to detect and alleviate risks stemming from non-compliance, unethical practices, financial risks including supplier bankruptcy or business disruption, exposure to Tier 2 suppliers, legal issues, and access to confidential data. By leveraging leading financial health analytics providers for a deep analysis of the financial viability of third parties, and by adopting robust technology, organizations can simplify the process of third-party risk management and catch early signs of risk exposure. Recently, MetricStream hosted a webinar on the topic, where experts James H. Gellert, Chairman & CEO at RapidRatings, and Swapnil Srivastav, Manager, Marketing at MetricStream, provided some key insights into the best practices that can help organizations effectively identify and mitigate third-party risks. In the course of the webinar, several interesting audience questions […]
In early February this year, the fraud section of the U.S. Department of Justice (DoJ) released a new document with specific guidelines on how they will evaluate corporate compliance programs in organizations going forward. The DoJ clearly specifies in the document that they will look at corporate compliance programs in their entirety and not just at the reporting or investigations part. With a spate of new regulations coming up, organizations are striving to improve their compliance program. Many are moving up the compliance maturity curve and keeping pace with the rapid regulatory developments happening around them. However, multiple reporting requirements, myriad reporting authorities and structures, and stricter regulations continue to challenge compliance teams, putting pressure on them to develop effective and better ways to address an ever more complex regulatory and business environment. In a recent MetricStream webinar titled “Streamlining Compliance Case Management: Challenges and Best Practices,” Eric Morehead, Principal Consultant, Morehead Compliance Consulting, LLC, provided valuable insights into the challenges organizations face when managing and investigating ethics and compliance cases, how to improve the efficiency of case management programs, and how to track the effectiveness of compliance programs by leveraging technology. One of the biggest compliance challenges organizations face […]
The solidity of banks and financial institutions was tested in the financial crisis of 2003 and 2008. The best of banks were shown to have poor governance frameworks, overlooked internal controls and had a lack of adequate monitoring of loss exposures. Although the core reason of the crisis was liquidity risk and credit risk, a strong catalyst to the whole downfall was operational risk management, particularly in the banking system. Many banks paid the price for overruling risk management, designing products without adequate risk reviews, paying insufficient attention to legal risks and making poor disclosures to investors. The crisis highlighted a clear message – Operational risk needs to be made an important part of a bank’s risk management framework. Hence Operational Risk Management (ORM) frameworks are constantly evolving in banks and financial institutions due to changing market conditions, new regulatory requirements, dynamic business environment, and technological advancements. It has become imperative to address the operational risks at an enterprise level, which are closely aligned to the business objectives of the organization. But, before someone decides to invest their time and effort in implementing operational risk frameworks, it will be good to understand the following key aspects How to Identify and […]
I recently read an article in the Winter 2017 MIT Sloan Management Review, Mastering the Market Intelligence Challenge (Chari, Luce & Thukral). In this work, the authors address how “many multinationals simply import their domestic models into emerging markets.” And whilst this work is directed towards those who deal with market intelligence in emerging markets, the conclusions drawn are equally applicable to those who face compliance challenges in such frontier regions. If you review the article and substitute ‘due-diligence’ for ‘market intelligence,’ it reads like a compliance thought piece. So I ask, can both compliance and market leaders share resources and data when it comes to due diligence and market information, as to allow for a more collaborative approach? The authors state that “for developed-market companies, winning consumers in these new high-growth markets requires a radical change in mindset, capabilities, and allocation of resources.” I would add that such ‘radical changes’ are also applicable to compliance leaders and teams who face the challenges of addressing business development in emerging markets, where commercial opportunities and corruption risk are often intertwined. A few of the issues which might de-rail market intelligence or a compliance program in emerging markets might be: Grouping. Very […]
Crowdsourced information from internal and external sources can enrich insight generated by governance, risk and compliance (GRC) teams to help companies mitigate risk and perform better in challenging environments. The public and collaborative nature of unstructured shared data sources (such as social media) can bring issues of interest to light faster than they may show up in formal reporting. This gives companies the benefit of being able to act quicker than they may otherwise be able to do, provided they can harness and interrogate the data to extract usable intelligence. Crowdsourcing is probably most associated with funding, software testing and development. However, the collective pooling of inputs that it represents can equally apply to information and data sharing. It has the potential to add significantly to the view companies have of external risks, internal weaknesses and possible points of non-compliance. When it comes to gathering risk information and stimulating ideas around corporate governance and control, companies can be limited by the finite resources of their GRC teams — but only if they allow themselves to be. In fact, they not only have at their disposal the significantly larger pool of minds inside their entire organization but also an entire community […]
Managing Cybersecurity Risks A number of trends contribute to today’s reality in which businesses can no longer treat cybersecurity as an afterthought. These include a rapid increase in the number of internet connected devices, an increased dependency on third party applications, self-provisioning as a result of bring-your-own-device and public cloud. Add to these, unprecedented levels of smart phone and mobile device adoption and we can see that the cybersecurity ‘attack surface’ has increased massively. According to MetricStream’s, ‘The State of Cyber Security in the Financial Services Industry’ report, around 66 percent of financial services institutions have faced at least one cyber-attack in the last 12 months. The cost of this, which can be catastrophic, can include regulatory penalties, eroded share prices, a loss of customer confidence and reputational damage. It can even result in a complete shutdown of the business.” It is clear therefore, that organizations need to constantly evolve their security strategies and tactics to safeguard data, systems and operations against ever-evolving security risks. In today’s cloud era, an effective strategy should leverage industry-standard cybersecurity frameworks and unified threat management systems. A sole reliance on traditional approaches and tools, such as firewalls and security solutions, may now leave networks […]
Organizations face mounting pressure to improve operational efficiency, and drive business performance and profitability. Volatile economies, evolving regulatory frameworks, and threat agents that penetrate sophisticated detection tools demand more stringent measures. However, many organizations still rely on traditional and manual processes to manage risks, monitor fraudulent transactions, and investigate incidents that have the potential to cause irreparable reputational damage and financial loss. Forward-looking enterprises have started reimagining their processes, ridding their system of guesswork and instinct in favor of more robust analytics tools, monitoring processes, and metrics. Buffeted by diverse and complex challenges, many organizations are turning their attention to predictive analytics [1] to foresee future trends (often by processing petabytes of existing data), as well as to deal with the business issues at hand. Such systematic analysis and interpretation of data helps organizations maximize productivity, reduce wasted efforts, deal with uncertainties (e.g., product failure)[2], and drive profits.[3] These new approaches have the potential to give enterprises a firmer grip on their fast-growing big data. Big data analytics and predictive models have entered a period of significant technological maturity, becoming more powerful in terms of data aggregation and analysis,[4] and more widely available than ever before. Simply put, it’s about proactively managing risk. […]
Third-party intermediates such as distributors, resellers, agents, service providers, or business consultants are contracted to rapidly create a presence in or access to new or emerging markets. They can work as the first foothold in opening a commercial presence, both domestic and internationally. Also, they can provide insights of the local business environment and their relationships as a business partners. While third parties are retained to operate on the organization´s behalf, their business activities are not always as transparent or controllable. It increases the exposure to bribery and corruption risks. Intermediaries include not only those used in the sales channel, but also as part of a business operations and strategy. A third-party due diligence program (KY3P) allows reducing the risk of improper payments and fraud. In addition, regulations such as the FCPA and the UK anti-bribery act, settlement agreements, enforcement actions, ISO standards and best practices, require a third-party due diligence program as part of the corporate ethics and compliance program. The following components are part of an effective program: Risk-Based Approach: the first step in the program is to perform a risk assessment of third parties, usually classified into low, medium and high. These risk tiers define how deep […]
Though the term “Quality” has been an intrinsic part of our business landscape for ages, we still tend to take it for granted – at least until we encounter a disruption in usual business. This is because of a misconception that investing in anything to make quality better is an avoidable cost and we can do away with it. But what we fail to understand is that if there is a failure due to poor quality, the cost incurred is way more in magnitude – putting everything you would have earned over time, at stake. Now, the questions which arise are – Will Cost of Poor Quality (CoPQ) really matter to me or my organization? Which components are key to minimize the CoPQ? Are there any metrics or strategies that can be adopted to keep the CoPQ in control? All these questions and more, make it difficult for organizations to qualify the metrics and measure them. Research claims, for many organizations quality-related costs go as high as 15 to 20 percent of their sales revenue, with some even going up to 40 percent of total operations. Ideally, for a company to thrive, the cost of poor quality should be 10 […]
New risks are emerging every day in the realm of Cybersecurity, and many organizations are moving quickly to address these risks: developing documentation, procedures, and processes. However, this is often without regard for Cybersecurity best practices. To ensure sustainability, organizations must develop cyber policies, plans, and procedures and put effective controls in place. If these controls are already in place, they should be evaluated frequently to ensure that they address these emerging risks. It is essential for every organization to review and update their security procedures and policies in order to prepare for emerging business and IT risks. Having a standard and consistent monitoring and incident response program is becoming more and more critical, as attacks occur more often and more viciously, targeting organizations across sizes and industries. In addition, the organizations need to constantly upgrade their security awareness and training programs to educate the employees and other stakeholders about new technology advances and techniques and tools available to prevent cyber attacks. Digital enterprises today need to tailor standard cyber risk methodologies, based on best practices, such as ISO 27005 to fit their organization. In the event of an attack, to ensure that critical business processes aren’t brought to a […]
Improving Enterprise Cloud In today’s dynamic environment, enterprises are striving to gain a competitive edge, reduce maintenance overhead, manage economies of scale, and minimize capital costs. Over the last few years, there has been an increase in the adoption rate of cloud technology. In order to attain the benefits of flexibility and rapid up and down-scaling as needs dictate, enterprises will continue to transition their IT Operations towards the cloud on a rapid basis. As plans are drawn up for the year ahead, take note of these tips for improving cloud success in the enterprise. Cloud Challenges As businesses move their IT operations to the cloud, there is decreasing visibility and insight into cloud asset security amidst increasing cyber threats and compliance with ever-evolving regulations. There have been several innovations to help customers address these concerns head-on. For example, MetricStream’s IT-GRC Solution integrated with Google Cloud Platform (GCP), provides customers with an end-to-end solution that enables them to scope, plan, and achieve cloud asset security, transparency, governance and compliance. Innovations and partnerships such as this proactively address various cloud-related challenges, and help companies realize greater benefits across their infrastructure, IT strategy and business deliverables. Let’s delve further into some key […]
We live in a time when doctors no longer have to rely on costly and unwieldy medical imaging devices to diagnose illnesses. A simple “visual stethoscope” would help them see deep into the human body more easily than ever, thereby accelerating both diagnosis and therapy. Meanwhile, if you’re a chronically ill patient, you no longer have to make repeated, costly visits to the hospital. Say hello to Molly — an innovative, friendly, virtual nurse who can check up on you, monitor your vitals and provide follow-up care — all through your smart phone. Speaking of smartphones, the future of banking is here. You can now use your mobile device to do just about all your banking on the go — from opening an account to tracking your spending to freezing and unfreezing your credit cards, and more. You can even have your own automated financial adviser provide advice on where and how to invest your savings smartly, at a fraction of the cost charged by traditional banks. Butterfly Network, Sense.ly, Monzo, and Betterment are the companies that are making each of these scenarios a reality, respectively. They’re transforming the way we think about healthcare and financial services. And they’re doing that through a range […]
Until recently, missions to put humans into space were government-owned programs, funded by public coffers and the tax dollars of citizens. However, the recent proposal from Elon Musk for colonizing Mars highlights the role of the private sector and tycoon visionaries in the future of space. Much is made, and rightly so, of John F. Kennedy’s challenge in 1961 to send humans to the moon, and in just eight years, NASA accomplished that goal. It was a government funded and government led effort, though of course private sector contractors provided much of the expertise. Musk’s Mars proposal though is one in which the private sector plays a leadership role. And it’s a much more audacious goal–technologically and culturally. Not only does Musk see humankind reaching Mars, but also he sees us staying there in a colony that grows to a city of as many as a million people. Musk is challenging national space policy, which has opened up to private sector entrepreneurship for near-earth orbit, but effectively has fenced off the moon, Mars and beyond with timid goals for NASA to return humans to the moon by 2025 and for humans to orbit Mars by 2030. The role that tycoons […]
The business complexities of today demand new resources, new investments, new ideas, and new innovative technology solutions that can integrate and automate various programs and processes, as the risk landscape and associated methodologies to manage them have undergone enormous changes. Organizations are increasingly seeking better, more proactive ways to understand and manage key areas such as risk management, compliance issues, audits, security, and business continuity programs. For most, the biggest challenge lies in truly breaking down “GRC silos” – to bring data, people, and departments together into a single source of truth. Doing this can help organizations cultivate a more collaborative, integrated, and risk-intelligent culture, and drive effective decision-making at the corporate level. The effectiveness of governance, risk management, and compliance hinges on data. Being able to gather, analyze, and communicate information with the right stakeholders, in the right format, at the right time is critical. Leading, forward-thinking organizations are responding by creating an infrastructure within the organization and across its extended supplier ecosystem that leverages data in a meaningful way to support governance, risk, and compliance programs and decision-making. The vast and growing volume of unstructured and structured data today provides limitless opportunities to improve risk intelligence, support compliance, […]
No matter the workplace, data security is often a top concern for management professionals. Security breaches can end up threatening the livelihood of employees and entire companies alike, depending on how severe they are. There are solutions available to many common professional data security problems. However, understanding the surrounding statistics is often the first step. To learn more about data security in the workplace, checkout this infographic compiled by the University of Alabama at Birmingham’s Online Master of Science in Management Information Systems program. Employees and General Information Security Over eighty percent of companies say that their biggest security threat is end user carelessness. Seventy five percent of companies also believe that employee negligence is their greatest security threat. Three percent of all United States full time employees admitted to using the same collection of passwords for their online needs. A third of this percentage even admitted to using less than five different passwords to access anywhere between twenty five to fifty websites, some of which were business and professional locations. Over thirty three percent of US companies do not have a security plan for internal security risks, which means personal responsibility is the largest deterrent in a vast majority […]
Introduction: The world of unicorns has changed over the last year – and the public markets, especially in the technology sector, seem to have taken a special dislike (some perhaps just for the short term) of overpriced valuations, slower than expected growth rates, widening negative EBITDAs, and far and wide reaching geopolitical impacts. Naturally, that impact flows to the private markets, and especially onto these “unicorns” where private clearing-houses are seeing a spike in sellers, investment firms are writing down the values, and talk of profitability and rational growth is increasingly heightened. Irrespective, most of the 150 or so ‘unicorns’ are highly successful, disruptive and ubiquitous. Background and Context: A few years ago, start-up unicorns were a rare sighting in the technology scene. Reaching the billion-dollar valuation mark was reserved only for the top echelon of industry disruptors, so much so that not even Google or Amazon, as privately held companies, reached that valuation ($1 billion or more). Today, however, unicorns have become ubiquitous, and they touch many parts of our personal and professional lives. From reading front-page headlines, to online apps and tools, to innovative transportation solutions, unicorns are all around us. According to CB Insights, there are currently […]
The following blog post was originally posted in the Richard Bistrong Front-Line Anti-Bribery Blog at www.richardbistrong.com and is reposted with his permission. I recently had the opportunity to travel to Chicago for my first SCCE Compliance and Ethics Institute (CEI), and attended a session “Keeping Compliance Simple,” which was led by Ricardo Pellafone, CEO, The Broadcat (www.thebroadcat.com) and John Partridge of Gibson Dunn. It was an engaging session, and it gave me an opportunity to reflect on their work in the context of some recent corporate engagements. What first caught my attention was when Ricardo started the session by sharing that a compliance training program needs to address “the tasks at hand” to those on the front-lines of business. Does that sound obvious? Well, when we look at the complex challenges facing compliance and commercial teams, it might not be. Thus, I think we should heed to Ricardo and John’s reminder that an engaging compliance program is one that’s calibrated to help people execute with what they have been charted to do. Big and small. In other words, as Ricardo well states, “give people something they can look at while they are doing their job.” I think that’s excellent thought leadership […]
Cloud adoption continues to grow, which is evident from the fact that annual 2016 revenues for cloud vendors were “within touching distance” of $150 billion. Gartner also predicts that, a corporate ‘no-cloud’ policy will be as rare by 2020 as a ‘no-Internet’ policy is today. However, a ‘’cloud-ready’ security and compliance program is the need of the hour, to manage the risks and the complexities due to cloud adoption. This will enable organizations to face cloud challenges which, according to RightScale’s 2016 State of the Cloud Report include compliance with regulations, a lack of resources and expertise, governance and control and security. Although a challenge mainstay, confidence in cloud security is nonetheless rising; SkyHigh Networks points out that 65 percent of IT leaders think the cloud is as secure, or more secure, than on-premises software. To maximize the benefits of cloud deployments while mitigating the risks, companies need to prioritize a cohesive approach to governance, risk management and compliance (GRC). A cloud governance framework can automate cloud security, risk, and compliance workflows, enable stakeholder reporting and visibility, and ensure best practices and standards for cloud compliance. With that in mind, here are five recommendations for ensuring a proper governance, risk […]
The 3D printing market is growing at an average of 35% CAGR, and is set to quadruple to $12.5 Billion by 2018 from $3Billion in 2013 (Wohler Associates 2014 report), however at the same time, organizations have to face heavy penalties and loss diminished by brand and reputation due to risks associated with 3D Printing. For instance, mishandling of patient information through 3D Printed software and associated violations of HIPAA compliance has already resulted in $9Million in fines for US-based companies in the last one year alone. Consumers around the world are converging to newer technologies that allows customization and immediate product deliveries. Just as e-commerce companies have done for consumers, will 3D Printing do the same for organizations? The 3D Printing industry emerged in the 1980’s, then known as Additive Manufacturing for product developments and rapid prototyping. With new technologies in design and faster printers available, the trend has quickly shifted to mass production. General Electric, as a part of the LEAP project, started to mass produce close to 25,000 aircraft fuel nozzles using 3D Print technologies. Similarly, USPS has partnered with 3D Print Service providers and are planning to purchase printers onsite in order to deliver packages, printed […]
Basel IV will certainly have operational impacts on the day-to-day governance and risk management of financial institutions – but it also stands to have a wider impact on the competitive banking market. These effects could include industry consolidation and a change in banking portfolios, which could eventually lead to a reduction in choice for their customers. On the one hand, Basel IV will instigate a higher level of financial disclosure, meaning that customers will have more information to help them make choices. However, on the other hand, customers may discover that providers have shrunk their portfolios to mitigate the capital impact of the changes, leaving fewer options open to them. Basel IV forms part of the arsenal deployed to protect economies from the risk of another financial crisis. A large part of its impact will be on capital requirements, with a projected average increase of an eye-popping 40 percent. While the mandate on capital requirements is intended to create a stronger banking system overall, such a leap clearly represents a sea change for individual banks. At the same time, the revised method of calculating capital requirements is designed to bring standardization and consistency to the industry. Measuring Up The capital […]
2017 promises significant shifts in retailer tactics as they embrace more intimate conversations, leveraging the power of digital devices, analytics and channels. Walking the fine line between becoming a trusted advisor, to intrusion and perceived (or actual) privacy violations, will become as much of a science as it is an art in today’s world. Here’s a look at the top five trends that will impact the retail industry in 2017. 1. Beyond Mobile Payments: Enhancing The Personal Shopping Conversation Retailers will provide innovative mobile apps to enhance customer experience, going beyond simple payments to establishing a virtual, real-time, personal shopping conversation — for example, notifying sales associates of a drive-through pickup or return. Retailers will equip associates with mobile devices to reach out to in-store customers, track real-time shopping behaviors and send curated offers while blurring the line between online and in-store shopping. 2. Predicting The Path To Purchase And Preference: Blurring The Line Between Online And In-Store And Satisfaction Based On Actual Use Omnichannel will reach beyond purchase into actual use as retailers unify online, offline and Internet of Things analytics to understand the 360-degree view of an individual’s needs and behavior and gain insight into preferences. Correlation analysis […]
Organisations of all sizes are facing growing pressure to improve performance. They’re expected to drive efficiency, sales and profits, while cutting costs and upholding corporate integrity. The challenge is made more complex by the growing plethora of risks that are constantly reshaping the business landscape. For example, there’s the political risk caused by Trump and Brexit, the ever-changing register of regulations, the growing frequency and sophistication of cyberattacks, social media and the opportunity it gives the public to lobby, third-party risk, IT risk and natural disasters – that’s just a few. These factors have traditionally been managed as separate silos; owned by isolated departments that have little contact with each other, report to different individuals in upper management and simply focus on the risks that fall under their ‘remit’. Yet, as risks become more intertwined, the various processes and documents used to manage them often contradict one another, resulting in further business risk, duplication of work, and spiraling costs. As such, businesses are increasingly seeing the value of managing everything under one umbrella. Governance, risk and compliance (GRC) provides a single centralised processes and empowers organisations to more easily control and manage internal and external factors that may impact the […]
Many startups have a great product that’s viable, marketable, and ripe with potential. But if that was the only indicator of success, then nine out of 10 startups wouldn’t fail. The annals of startup history wouldn’t be littered with instances of companies like Friendster or Color that had fantastic products, but eventually sank. The truth is that startups often go bankrupt for reasons that extend beyond the viability of their products. Many of them fall prey to missteps that ultimately dry up their cash flow, and cause the company to fold. So what are some of these pitfalls to avoid? Failures in Compliance Theranos, one of the most promising Silicon Valley startups, is now struggling to stay afloat after regulators revoked its license to operate a lab in California because of unsafe practices. Meanwhile, Zenefits, once valued at a staggering $4.5 billion, was recently embroiled in a highly public scandal for skirting state insurance training, licensing, and certification requirements. Both companies with tremendous potential – both brought down by their neglect of compliance, among other things. For years, startups have been so focused on hyper-growth, rapid scalability, innovation, and revenue, that many of them have overlooked compliance. But with regulators […]
As you read this, data volumes across the world are exploding at an unprecedented rate. Facebook Messenger and WhatsApp alone process 60 billion messages a day. Instagram has over 500 million active users per month who share more than 95 million photos and videos every day. And that’s just social media. McKinsey predicts that by 2020, as many as 30 billion smart devices will be connected. Can you imagine the amount of data that that will produce? What’s truly exciting is that we now have the technology to dig deep into these massive treasure troves of data, and draw out meaningful connections and insights that will allow us to make better, faster decisions. We’re finally beginning to make the shift from collecting data to connecting data. Emerging technologies such as natural language processing, machine learning, and artificial intelligence have catapulted us into a new era of human intelligence supplemented and enhanced by data science. In this exciting new world, the individuals and organizations who are able to truly harness the power of data – those who can turn it into timely insights to drive performance, decrease risks, and pursue opportunities – those will be the innovators, the survivors, and success […]
Organizations continually adapt as markets, operating environments and demands change. Business roles, responsibilities and management structures have shifted in the face of today’s mobile, social, global and networked world. To keep pace with this change, responsibility for governance, risk management and compliance (GRC) has moved up the hierarchy and, appreciating its significance in driving business performance, C-level executives (aka CXOs) are working to embed a GRC ethos into the business fabric. A robust GRC program seeks to mitigate and manage many significant risk and compliance issues. These include product recalls; compliance failures and fines; corporate scandals; uncertainty around social, economic and political turmoil; and cybersecurity breaches. The latter, in particular, has been a mainstay in our newspaper headlines — and that’s not surprising when you consider that 66 percent of organizations have faced at least one cybersecurity attack in the past 12 months. Organization-Wide Reorganization C-level roles are evolving and responsibilities in the organization are also being realigned. For example, compliance used to report to the chief legal officer (CLO), whereas it is now under the auspices of the chief risk officer (CRO) at some banks. This is a step forward. Not so long ago, GRC activities were often managed […]
People start a business for many reasons. Some do it out of sheer passion, while others do it to create wealth and economic growth. Yet, underlying it all is a willingness to take risks. Entrepreneurs and established companies make risky decisions every day in the hope that those risks will translate into better opportunities, better performance, and greater profitability. However, as we all know, too much or too little risk can be a bad thing. So, how do you find the middle ground? How do you effectively balance risks and rewards for optimal success? In this regard, I believe a lot of great advice can come from your board of directors. Many startups choose not to establish a board of directors until a few years down the line. However, I’ve found that the startups that grow the fastest are often those that built a good board of directors as soon as they started their business. Having a board helps you keep your eye consistently on the strategic aspects of your business which, in turn, helps you attract investors and customers. What’s more, a board, being responsible for corporate governance, plays a major role in ensuring that your risk management program […]
“Risk-based thinking”, as an approach, have left organizations torn between whether this approach really matters and makes a difference to the business or whether their risks are addressed the way it should be. With the revision of ISO 9001:2015, this confusion spread like a wild fire. Stringent compliance requirements and timelines have instigated a sense of responsibility and action, as it is a clearly bounded methodological approach that distributes risk across the full scope of an integrated business function. There have been proven instances to state that organizations who have adopted risk assessment approach through the length and breadth of their processes have been more risk-proof, than those who focused only at an organizational level. In an era of rapid innovation and transformation, risk-based thinking can not only serve as a remedy to poor quality but also define the future of an organization. To gain a clear understanding of risks from both internal and external issues, it is ideal to adopt a systematic approach towards aggregating all the risks in a centralized location. This will enable organizations to have a close view of all the prevalent risks across functions, identify the acceptable and unacceptable risks, and adequately plan next steps […]
In the last half century, India’s economy has been on a rollercoaster ride, with the turning point of economic liberalization taking off in 1991, and now 25 years later, India again stands at the top of the ride, slowly but surely continuing to climb up the next massive hill. As India propels forward, at times, the changes are imperceptible to the untrained eye. According to Arvind Panagariya, former Director and Chief Economist at the Asian Development Bank, “India’s reforms have been piecemeal and incremental, giving the casual observer the impression that nothing has been happening. If one takes the totality of reforms over the last decade, however, the change is unmistakable.” Echoing Mr. Panagariya, India’s vigor and influence on the international economy has been, and continues to be, sorely underestimated. According to the World Economic Forum, as of November 2015, India accounted for 10 percent of the world’s increase in economic activity. Due in large part to the policies put in place by Prime Minister Narendra Modi, India now ranks 55th out of 140 measured economies, which is a 16-spot jump after five years of decline. However, the country still faces systemic challenges that must be addressed so that it […]
All businesses today must acknowledge the state of the market in which they are operating and the ways it has evolved to breed risk. Truly, today’s business climate is volatile, uncertain, complex and ambiguous. Technology has unquestionably empowered companies to innovate quickly. However, new challenges have arisen as a result. Years ago, the cable industry had no legitimate competition, yet services like Netflix have gained rapid momentum and are now used in 40% of households with TV and broadband internet. With the potential for external and internal risks to arise at an accelerated pace –alongside the risk of “left-field disruptions”— organizations are experimenting with new approaches to foster innovation, obtain a sustaining leadership position and mitigate new risks. However, they still must be careful, because so much is at stake with each business decision made. (An experimental offering can, for example, cause irreparable harm to your business.) As such, it’s time to re-evaluate how your organization operates with respect to balancing risk and opportunity. It is important to note that no company is immune to the volatile and fluctuating market today. Even on the most successful end of an industry’s spectrum, we are seeing a pattern in which the lifespans […]
All businesses need a strategy and processes for governance, risk and compliance (GRC). Many still view GRC activity as a burdensome ‘must-do,’ approaching it reactively and managing it with non-specialized tools. GRC is a necessary business endeavor but it can be elevated from a cost drain to a value-add activity. By integrating GRC holistically throughout the organization, and by minimizing manual and duplicative processes through the use of cloud-based tools, firms can benefit from actionable business intelligence and support rapid and informed decision-making. Companies are questioning whether their GRC can be managed more efficiently because there is an increasing number and range of regulatory mandates and risk concerns that demand action. As problems arise, and multiple regulatory and compliance issues need to be addressed, but manual approaches to the day to day practice of GRC can swamp organizations through a constant need to monitor information sources for changes. The planning and implementation of changes often takes place as and when the demands arise. Where GRC management and implementation occurs within business silos there is duplication of effort and inefficient cost control. There is also limited capability for knowledge sharing and learning across the organization. Businesses need to tap into a […]
A customer asked a few weeks ago what were the best GRC conferences to attend. Of course our own GRC Summit came immediately to mind, but I wanted to give an objective answer, so I shared my thoughts on several very good conferences. There’s GARP, but it’s mostly for risk managers, and the same goes for OpRisk and RMA. There are the Gartner Security and Risk Management summits, but they are mostly for Chief Information Security Officers. SANS, ISF, and several other organizations also run events for security professionals. There are the IIA events, but they are for auditors, and the ISACA events are for IT auditors. Several organizations run events for compliance officers – Compliance Week and the Society for Corporate Compliance and Ethics. All good, but each focused on just a single GRC discipline. So as I went through the list, I realized that while there are conferences for auditors, risk managers, IT security professionals, compliance managers, and IT administrators of GRC solutions, there really is just one real GRC Summit, and that is MetricStream’s. No other conference truly integrates attendees from multiple GRC disciplines. We bring together chief risk officers, chief audit executive, chief compliance officers, chief […]
The three aspects a manufacturer must swiftly address in the instance of a pharmaceutical recall. All manufacturers and distributors wish to avoid having to recall a product. Through governance, risk and compliance tools, and processes they aim to safeguard product quality and standards. This takes not only attention to detail and precision within the company’s own business operations, but also with those of its suppliers and third parties, as well as effective monitoring and assessments across the whole supply chain. However, plans do have to be made around handling a product recall should one need to happen. With increasing regulatory demands and complex international supply chains, effectively managing a pharmaceutical recall takes a coordination effort of many responsibilities. Among the many aspects a manufacturer has to get right is the identification of key decision makers, a clear understanding of roles and responsibilities, and a robust communications strategy. The damage to company brand and reputation can be severe for those that get it wrong. 1. Decision Makers The Food and Drug Administration (FDA) is responsible for protecting human health by ensuring the safety of pharmaceutical products. They can request or order a product recall when it becomes aware of a problem; […]
This summer’s UK vote to leave the European Union (EU) threw the political world into a state of turmoil, not just in the UK and the EU but around the globe. The fallout from Brexit has been political, economic and social, despite the consequences being as yet not fully understood. What is known is that the resulting uncertainty sparked a fall in the value of the pound and foreign exchange rate volatility. Both spell risk for the global public and private sector. The impact on risk professionals is real and far-reaching. They have had to broaden the scope of their scenario planning and face the prospect of change to come in the already evolving regulatory landscape. It was often said in the immediate aftermath of the vote that, whatever changes were going to occur as a result of Britain’s exit, it would be uncertainty that would cause the most disruption. It was true then and it’s still true now. The markets hate uncertainty and 2016 has given economies around the world plenty to feel uncertain about. Aside from the Brexit, there has also been significant change in the UK government; a US presidential election; and increasingly polarized national governments. Despite […]
To safeguard quality and standards, food manufacturing and distribution is highly regulated. To be fully compliant, companies need insight into their complete supply chain — end-to-end from base ingredients to finished product — and they must be prepared to act in the event of a contaminated or compromised product that jeopardizes customer health. This demands detailed and precise planning, execution, monitoring and assessment. Disconnected, manual governance, risk and compliance (GRC) tools and processes can be inefficient for the job. The regulatory landscape in the food industry is increasingly complex, particularly for global manufacturers and distributors. Companies have to comply with all local, national and regional regulatory agencies relevant to their business. This means keeping up with evolving regulations and ever-changing circumstances. Guidelines and mandates must be interpreted, acted upon and compliance tracked. The impact on businesses is far-reaching across manufacturing, handling and food distribution. Three-Stage Compliance GRC is central to business operations in all industries; in food manufacturing and distribution it must be integral to the way companies work. Robust management, quality inspection and corrective action is of paramount importance. Companies that automate and streamline activities through supply chain traceability and GRC systems will be quicker to react and take […]
Business Continuity Plans Today’s organizations need comprehensive and robust business continuity planning for swift and effective action in case of a disaster or crisis. As the trade and supply chain have gone global, businesses today expect crisis response to be in seconds, not in hours, to ensure that the ripple impact is minimized. As organizations go digital, an IT failure can cripple the whole supply chain and business operations, causing extreme losses within hours and requiring countless hours to recover from the them. Plans to mitigate IT failures are also affected by the complexity of today’s IT infrastructure. As applications and systems are added based on business and market requirements, newer technologies and infrastructure pose new challenges. Most businesses leverage cloud based platforms for their enterprise needs at least partially. The cloud helps businesses minimize costs and maximize efficiency; made for speed and convenience, it can scale up and down as needs demand and bring flexibility to business operations. However, the added overhead of managing cloud data centers, planning and performing test exercises across multiple locations and vendors as well as managing a crisis recovery, requires that organizations pay critical attention to their cloud solutions in combination with legacy infrastructure. […]
As we draw closer to the end of 2016, it is important that we take a moment to look back and reflect on all of the ways technology has inspired us, and transformed the way we live and do work. As technology becomes more pervasive in our lives, we increasingly look for simple but secure, as well as consistent and engaging experiences, regardless of the device we’re using. To augment and overcome physical distance, we are starting to use drones, virtual reality, and driverless cars. “Cognitive computing,” artificial intelligence, machine learning, and advanced data analytics are evolving companies’ understanding of their customers in game-changing ways. Meanwhile, biometrics has stepped out of the realm of sci-fi and into the mainstream, playing an important role in the fight against cybercrime. Here are the top five ways technology has impacted us this year. 1. The Device-Agnostic Customer Experience Back in 2013, Google reported that 90 percent of multiple device owners switch between screens to complete tasks, using an average of three different combinations every day. Today, the “device mesh,” as Gartner describes it, has rapidly expanded to include a wide range of end points such as mobile devices, wearables, consumer electronics, and automotive […]
The fourth edition of the KING report builds on the best practices and principles in corporate governance in South Africa. The draft report was published in Mar 2016 and post the comments phase, the report was finally launched at the Sandton Covention Center in Johannesburg on 1 Nov 2016. The last edition of the report – King III was launched in 2009 post the financial crisis, and since then the global environment has changed significantly due to climate change, geo-political issues, population growth, and above all, rapid technological developments. Therefore, good corporate governance has become vital for sustainable value creation not only in South Africa, but also in the global context. This is also the primary objective for King IV where promotion of good corporate governance in business is going to benefit an organization in terms of developing an ethical culture, enhance performance and value creation, help the governing bodies or regulators to exercise effective control, and help build confidence in an organization which will in turn strengthen its reputation. King IV will also look to broaden the scope of application of good corporate governance by making it accessible and suitable for organizations of various sizes, resources and complexity. The […]
Governance, risk and compliance (GRC) management is becoming increasingly integrated across a wide and expanding set of use cases — moving beyond traditional risk management and into regulatory compliance, audit, third-party management, ethics and compliance, privacy, quality management, environmental health and safety, cybersecurity, business resilience and more. In OCEGs’ 2015 GRC Maturity Survey, over 50 percent of organizations surveyed stated they are executing on an integrated GRC vision and over 80 percent claim that benefits realized have met or exceeded their expectations. The core promise of a GRC program that integrates needs across all stakeholders is better business performance – a prerequisite for survival in today’s highly competitive world. As a result, leaders across the enterprise are asking for help in setting the vision, plotting the course and implementing integrated programs that deliver real value to all organizational units. While many organizations have seen benefits from their GRC investments, building the case for business value is fundamental in getting commitment to put a high-value, sustainable GRC program in place. Experience shows us that those organizations that manage GRC as an integrated program — involving people, processes and technologies — are more successful in delivering value to their organizations than those […]
Globalization and regulation, coupled with inadequate investment in compliance programs and third-party risk management programs, are making the proactive identification and resolution of risks posed by suppliers a challenging task. Companies that don’t face up to the challenge run the risk of non-compliant products in their supply chain, and can face serious brand and reputational damage as a result. The key is to accept that supplier management changed; a new and more effective approach is needed, and technology can help with that. Companies are responsible for managing their brand and reputation, and hence, are ultimately accountable for ensuring risks are identified and accepted, or mitigated within their end-to-end supply chain. In addition to being a good corporate citizen, multiple regulations require conformance with supplier management standards. Meanwhile, corporate social responsibility carries a moral intolerance for unsuitable working conditions and inadequate pay, wherever it may occur along the supply chain. Companies cannot plead ignorance or exemption if any dereliction of duty occurs outside their four walls when it is part of their supply chain. Instead, they must ensure complete compliance across all suppliers, not only to meet regulatory requirements, but also to preserve the integrity of their own business and protect […]
Organizations have certain expectations and apprehensions when adopting a technology solution for suppliers. When it comes to automating a process, in terms of its usability, its benefits, and of course, returns in lieu of the investments made, it is common to see tensions rising high within your organization. However, such a solution would not only streamline the organization’s supplier quality across product lines, geographies, and industries, but would also elevate it to achieve a sustainable business environment. To keep a lid on the anxiety and making sure that all boxes are checked during this process, there are a few things that you can keep in mind. Firstly, you need to understand that the list of features/ functionalities can be exhaustive, of which you would have to segregate the set of “must have” from “desirable” features. Based on these categories, you need to identify the most appropriate and flexible software platform that would meet your expectations. To maintain a cordial relationship with your global partners and to build a sustainable base of business operations, with metrics and parameters around quality and compliance, it is vital for you to have a clear view of your organization’s overall goals and objectives. In today’s […]
Assessing Cloud Application Vendors from a Security Perspective Enterprises of all structures and sizes across the globe have been adopting cloud for all needs – for computing, storage, databases, to hosting business applications. They are also proactively addressing cyber-security needs – both as dictated by internal Info-Sec controls, as well as those coming from external regulatory mandates. For enterprises looking out for new cloud applications, I think one needs to look deeper and go beyond ‘checking the box’, which is typically done by looking at Compliance Standards around SOC2 controls, PCI-DSS, HIPAA, etc. This deeper insight can be gathered by looking at few key areas as follows: Underlying cloud infrastructure approach – Is it multi-tenant or multi-instance? I believe a multi-instance strategy that ensures there is no co-mingling of data across customers in the back end provides a sounds foundation for security because of the physical segregation that it leads to. There are other benefits in terms of performance and SLAs, as well. Encryption with key management should rest with the enterprise and not the cloud provider. This capability provides the necessary foundation for ensuring that you and the enterprise can decide where and how to provide encryption, and align it to your business needs. This will help […]
One in every five towels sold in the U.S. is reportedly made by Indian company Welspun, which is now in the thick of a storm for allegedly selling fake Egyptian cotton sheets to Target Corp. and other retailers. Target, which has not disclosed when it began investigating the Mumbai-headquartered company, or what caused it to scrutinize the sheets imported from the Indian manufacturer, said it was terminating all ties with Welspun, which also supplies major American retailers Bed, Bath and Beyond, Walmart, J.C. Penney, Macy’s, Costco, and Home Depot. Target pulled Welspun manufactured items from all its stores, and so did Walmart. Other retailers are also investigating Welspun’s cotton certification. Target has also decided to refund all its customers that bought the sheets sold under the Fieldcrest brand. The retailer said that about 750,000 sheets and pillowcases sold as Egyptian cotton were made using a different type of cotton and were sold for as much as $75 a piece. Welspun’s other customers said they have started or would start their own investigations to see whether or not the textiles contain Egyptian cotton. “After an extensive investigation, we recently confirmed that Welspun substituted another type of non-Egyptian cotton when producing these […]
A cybersecurity report by Ponemon Institute, in association with Keeper Security, found that in the 12 months leading up to June 2016, 55 percent of small and medium-sized businesses (SMBs) experienced a cyber attack, while 50 percent encountered data breaches involving customer and employee information. These statistics belie the common notion that cybercriminals attack only big businesses. In truth, SMBs and startups are often easier targets, as their defenses tend to be weaker. Limited financial resources make it challenging for these companies to invest in sophisticated security mechanisms or full-fledged IT departments – a fact that hackers and cyber attackers use to their full advantage. Today, all it takes is one security breach to bring down a company’s brand and reputation. For startups, who depend so much on word-of-mouth recommendations, the impact of a breach could be fatal. Despite this risk, many startups continue to be woefully underprepared. According to the Ponemon Institute survey mentioned earlier, only 14 percent of SMBs rate their ability to mitigate cyber risks, vulnerabilities, and attacks as highly effective. At a time when authorities such as the World Economic Forum are citing cyber attacks as one of the top global risks, both in terms of […]
About a month ago, my sister announced that she had been diagnosed with dengue. This happened soon after she had visited me in Bangalore. As I rushed to catch the first flight to be with her in Mumbai, I couldn’t but wonder at how a tiny insect like the mosquito could continue to strike down the human species with new and debilitating viruses each time. Zika, dengue, chikungunya – different names, different continents – all with one common factor – a certain mosquito. And this, after most of the world has rid itself of malaria! To me, these mosquito borne virus strains and the like are the new “left-field disruptions” – situations that catch you off guard and shake up the rhythm of your existence. I mean, who would have thought that dengue and chikungunya would continue to afflict city dwellers, regardless of the neighborhood they lived in? Who would have thought that yet another mosquito-borne disease, zika, would rear its ugly head, and spread across the world with such alarming speed and intensity? Who would have predicted, a few years ago, that this same disease would be one of the biggest disruptors in the run-up to the Rio Olympics, […]
2016 has been a year of significant change; a year in which a sky full of hobbyist drones has become the norm; a year that has witnessed a new breed of terrorism that has shaken the world’s strongest governments; a year in which corporate governance scandals splash time and time again across the front-page news. We continue to see a significant increase in the frequency of unpredictable external threats, and organizations are weathering the aftermath from incidents of corruption and non-compliance scandals. Even if we managed to learn from these developments quickly, today’s age of social media, with its fast-paced aggregation and reporting of facts and experiences, makes it feel like we are always playing catch-up. It is only by stepping back to view this New Reality in its entirety, that the business and leadership learnings become clear. The Three Top Concerns for Leaders Around the World There are three key trends that are capturing the attention of CEOs and government leaders, and fundamentally changing the way we live and do business – the introduction of left field disruptions, the risks and opportunities of global business ecosystems, and the rise of the digital universe. Left field Disruption In a […]
Here is Stephen Covey’s famous time management grid again. It is a great tool that can be used to explain how to manage your time (but, of course), how to plan your career, how to prioritize requirements in your products, and many more. As always, the most exciting quadrant is the second one – “Not Urgent & Important”. This is where the coolest ideas are, the ones that can improve products, improve customer satisfaction, and even increase revenue, but they are also the ones that move to the back burner due to more urgent matters. Given that most product support teams (the single point of contact for customers for technical and functional queries on live solutions) work 365X24X7, the amount of work they have in Quadrant I – “Urgent & Important”– can be mind boggling; that is the biggest deterrent to their giving the necessary focus to Quadrant II. A great product support organization works around this challenge and sets quantifiable targets to their employees for their deliverables in Quadrant II. What then does the second quadrant hold for product support? Here are my top three: Provide actionable feedback to product management This is by far the most important […]
Outsourcing business activities to a vendor does not include outsourcing the risk and compliance responsibilities. Relying heavily on vendors, with low or limited visibility into the vendor networks, exposes organizations to high risks. Therefore, understanding and managing vendor risks is crucial to maintain sustainable businesses. With a strong Vendor Risk Management (VRM) program companies can anticipate inherent risks rather than simply reacting to adverse situations and incidents after they occur. In many organizations, VRM programs are largely traditional. The focus is on managing vendor risk only when selecting a vendor or finalizing a vendor contract. However, for VRM to be truly effective, there is a need for continuous vendor monitoring which helps organizations be well-prepared for unexpected eventualities. That being said, it can be quite a challenging task to define and adopt an efficient VRM program, as multiple factors need to be considered, including dependency on the vendor, the location and financial stability of the vendor, as well as the scope of the vendor relationship. This is where technology can help by significantly automating and simplifying vendor risk assessments. Companies are increasingly focusing on strengthening VRM through best practices such as: Effective vendor selection process Streamlined due diligence and continued […]
According to a leading IT firm research nearly 90 percent of the data in the world has been produced in just the last two years. Though a bit of a buzz phrase these days, big data is as important as the internet itself to many businesses today, for a number of reasons. The simplest explanation of how big data benefits businesses is this: It provides the insights needed to make more confident decisions, take faster actions, improve operational efficiencies, minimize risks, and reduce spending. The sudden emergence of the whole phenomenon around the data explosion has been the result of the pervasive use of mobile devices and the large volumes of data generated from web based purchases, mobile activities, and social media interactions. As the massive volume of data and computing platforms continues to proliferate, the absence of thorough reassessments and thinking around information processing paradigms of the past will leave today’s enterprises ill-prepared to deal with this new (IT) normal. Enterprises have to realize the obvious fact that big data is an immensely powerful concept, and information is a strong business asset. Managing large volumes of homogenous data is something that organizations of all kinds can benefit from; spanning […]
The story of Wells Fargo’s cross-selling compliance failure, reminds me of the huge fine that HSBC received in 2012 for mis-selling— over $3 billion. Wells Fargo’s $185 million fine for poor cross-selling practices pales in comparison – but still “ouch!” Even worse and more costly could be the reputation damage — Wells Fargo styles itself as the big bank that has that small town feel. According to reports, Wells Fargo had identified violations of its cross-selling policies for years — for instance, issuing credit cards without fully informing customers — and significant remedial actions, sometimes even with mass firings of offenders. The tone at the top seems to have been pretty clear and supportive of compliance. Yet on the other hand, failing to meet sales quotas could also result in a firing — as it should. At most companies, we find that employees are rewarded for meeting goals that are tied to business goals — with performance indicators focused on production, growth, and sales. There is no reward for not breaking the rules. “Hey, John — thanks for not doing anything illegal this quarter — here’s an extra $2,000” — nope, that doesn’t happen. Give Managers the GRC Tools They Need The […]
Social media remains one of the most talked about and used phenomena in this new age digital world. Today’s tech-savvy organizations are on the constant look out for the latest social technologies that can help them gain a competitive advantage over their peers. The rise of popular social networking sites like Facebook, LinkedIn, and Twitter in the workplace has provided a big boost to the broader social media movement. In fact, an increasing number of organizations are harnessing the power of social media platforms and applications for both internal and external communications. Organizations, large and small alike, are leveraging powerful social media capabilities to share updates, curate content, and promote and showcase their products and services, as well as communicate with employees, media, partners, and their broader ecosystems. According to the 2014 Social Media Marketing Industry Report, a significant 92% of marketers indicate that social media is important for their business, up from 86% in 2013. Nearly 89% of marketers want to know the most effective social tactics and the best ways to engage their audience with social media. While a corporate presence on social media has become imperative for all organizations, it can also be a double-edged sword. It offers […]
In the first few days following the Brexit vote in the U.K., I heard many pundits refer to the decision to leave as a “black swan” event, but it was nothing of the sort. A black swan is a risk that is highly unlikely but has high impact if it does manifest itself. By the very fact that the referendum was happening, the potential that the UK would pull out of the EU was not a highly unlikely event. Still, it did catch people by surprise when the vote was to leave the EU, but for companies who were directly affected, prudent leadership would have begun planning for a potential leave vote ever since the referendum was announced. However, the break-up is such a complicated endeavor, even prudent planners are struggling with the implications. Fortunately, time is on their side. Despite some impolitic calls in Europe for the UK to get out quickly, it is in no one’s interest for a messy divorce, and cooler heads are already starting to prevail. So, with time on our side, what should GRC leaders do? First, it’s worth focusing on the “known knowns.” What do you know today about factors of Brexit that […]
Banking and Financial Services industry is undergoing a strategic shift with the advent of disruptive technologies such as Fintech, Blockchain, and IoT which are challenging the established technology based banking models. This may be the third wave of technology transformation to reshape the modern financial institutions around the world, the first two being ‘computerization’, which moved the banking operations from paper based to software based, and the second being ‘internet/mobile banking’ which radically changed the way banks delivered their services to the customers. However, with the arrival of each technological shift have come new challenges, and this trend is not likely to change much in near future. Cybersecurity has become one of the biggest concerns for the organizations across the globe. Regulators are also continuously altering the existing regulatory landscape in the larger interest of the consumers and the economy as a whole. In the course of this blog series, I will take you through some of these disruptions in the banking and financial services industry, and how adopting a mature Governance, Risk and Compliance (GRC) based approach may be the way forward. My first blog will talk about the changing regulatory landscape and five steps that you may want to […]
Welcome to the initial entry of this blog! In subsequent posts, I’ll discuss competitive trends I’m observing in the GRC market along with other issues that will affect GRC vendors. Earlier in my career, I had the opportunity to work in the CRM industry and saw directly how that market grew, matured and eventually consolidated. In many ways, today’s GRC market is similar (buyers still learning what GRC means to them, no dominant market player, little M & A activity to date) to how the CRM market appeared in the early 2000’s. Thanks for joining and I’m looking forward to speaking with you. Warren
We need a good information security risk and threat library. Rather than build one from scratch (and most internet searches do not yield meaningful results), we were wondering if MetricStream offers standard content for such a library. That’s a question we’re frequently asked when we get a Customer up and running with MetricStream’s IT-Risk Management App. It’s an excellent question for sure because Customers, especially in the Governance, Risk, and Compliance space, require preloaded (and expert/industry-grade) content that can get them up and running on day one. The content ask is straightforward when it comes to in-depth content from authority documents (individual citations or sections and sub-sections), control statements, or even policy templates. Citations from an authority document wouldn’t change across Customers and control statements too are uniform especially if you leverage upon a harmonized control framework. Information security risk content (threats, vulnerabilities, and risks) is, however, in a league of its own – perhaps in the league of extraordinary content. Prima facie, it’s pretty easy to be misled into believing that information security risks applicable for my business are exactly the same as those applicable for your business because, hey, come on, we’re both using information technology right? In […]
Banking and Financial Services Institutions across the globe are struggling to keep pace with regulatory change, and, quite often, grappling with the sheer volume and the complexity of these updates can be a laborious, up-hill battle. According to a survey by MetricStream which polled the responses of 123 compliance professionals across North America & Europe, 19% of the respondents reported taking up to a year to implement regulatory changes1. Considering the magnitude of change that financial institutions have to deal with, this may no longer be affordable. It may have been possible to keep a track of regulatory updates using standard manual approaches during the pre-financial meltdown era, but as regulators continue to usher in more reforms in this age of rapidly evolving and disruptive financial technologies — including Fintech, IoT, and Crypto currencies — standard models are proving to be ineffective. Yet, the survey shows that 48% of the organizations surveyed are still using office productivity software (Excel spreadsheets) to track regulatory changes. The need of the hour is to develop a robust and technologically reinforced regulatory change management framework to help manage the next wave of regulatory reforms. A “wait-and-watch” approach is no longer sustainable, and organizations would […]
Growth must sustain profitability and profitability must sustain growth. In today’s highly competitive and rapidly changing business & economic environment, core competence and capability principles have become mainstay concepts of corporate strategic thinking landscape. They lend themselves well to high-level strategic analysis, but their limited focus and static character do not inherently provide either an application roadmap to develop a competence/capability or, given the existence of a core competence, a framework to achieve active market superiority. The concept of corporate growth engine, a further development of core competence and capability, unifies and extends several existing strategy paradigms, and spans all three phases of the corporate strategy process – analysis, planning and execution. Its characteristics can be used by the management team with the desire to actively drive to sustainable strategic advantage as a blueprint for implementation. Some empirical evidence points at significant benefits for both well and poorly run corporations. Driving profitable corporate growth presents challenges even during times of economic prosperity. This is especially true for companies that have experienced market success and are already sizable. The bigger the base of the sales, the harder it is to grow it meaningfully without deviating from the original value proposition. Yet, […]
The year 2015 saw leading manufacturers and automotive companies being pulled up for various regulatory compliance violations around emission mandates, GMP deviations, recall procedures, and safety. With non-compliance penalties becoming more aggressive, the industry is under tremendous pressure to comply with regulations, standards, and procedures from a wide range of government and industry bodies. To add to this, new innovations, wider market opportunities, and fierce competition have made it extremely difficult for manufacturers to stay compliant and manage their changing risk landscape. Global operations and the dependency on hundreds and thousands of partners and suppliers add to existing risks and challenges involved in ensuring compliance with regulations, standards, and procedures. This complication multiplies when subsidiaries come into play as they bring in new governance challenges. Parent companies are under pressure to have standardized processes and programs, ensure local adaptation at subsidiary levels, and make sure that there is appropriate information roll up and aggregation. Ineffective oversight can result in governance failures, whichpose reputational, regulatory, and financial risks. As product lifecycles get shorter and role of IoT increases, organizations will need their operations to sustain them through the future. These new developments will bring in its wake new and previously unidentified […]
What an incredible time to be a tech startup! The opportunities out there are just tremendous. Digital payments, wearable technology, mobile healthcare, virtual reality and gamification, predictive analytics, and green tech—these are just a few of the startup areas that are expected to be big this year, according to venture capitalists and industry experts. “Full stack startups” and “dis-intermediation” are the new buzzwords, as companies like Uber and Airbnb revolutionize the way business is done, and demonstrate how it is possible to cut out the middlemen. Meanwhile, the “Internet of Things” is taking the world by storm, opening up new doors for entrepreneurs and organizations to develop software that can connect products and devices to the Web.Education technology is also gaining more traction, creating new opportunities to improve education and learning experiences, and teach people new skills through the use of technology. If you’re an aspiring tech entrepreneur, now is a great time to take the plunge. But before you do, here are a few pieces of advice, observations, and lessons learned from my own career and current role as CEO of MetricStream. Your Team Matters Most Many investors will tell you they invest in teams first, and that the […]
The term “digital disruption” has been over-hyped, overused and taken out of context during these past few months. Every new mobile app that gets created in Silicon Valley have been compared with the likes of Uber, Airbnb and most surprisingly, Amazon. Don’t get me wrong, I am not a naysayer predicting doomsday for the new wave of tech innovation where personalization and localization seems to have become an obsession. Anyways who can predict the future, unless you’re Toffler or Taleb. But then “digital disruption” is not an overnight phenomenon. Google started it. The most valuable brand in the world, Apple is doing it in more ways than one and the recent rise of companies like Uber and Airbnb proves that it is here to stay. I googled “What is digital disruption?” and in a tiny box at the top of the search results, it offers sage advice and I quote verbatim, “Digital disruption refers to changes enabled by digital technologies that occur at a pace and magnitude that disrupt established ways of value creation, social interactions, doing business and more generally our thinking. Digital Disruption can be seen as both a threat and an opportunity.” Recently, I was in San Francisco […]
When I was a young girl, I knew that I wanted to run my own business someday. In fact, I would end up leading almost every club or team that I got involved in at school. However, by the time I actually began my career, I was well aware that the odds were not entirely in my favor due to my gender and ethnicity. I didn’t let that get in the way, though, and worked hard to prove myself. Today, I am proud to be the CEO of MetricStream, a leading technology company that I helped build from the ground up. That being said, I know how daunting it is to be a woman, and especially a female entrepreneur in the field of technology, where the lack of gender diversity is a serious cause for concern. Silicon Valley Bank’s recent “U.S. Startup Outlook 2016” report found that 66 percent of startups have no women on their boards, and 46 percent have no women in executive positions. However, about a quarter of respondents (26 percent) said that they have programs in place to increase the number of women in leadership roles. And therein lies the good news – things are slowly […]
Seventy-three percent of U.S. adults agree that we’re living in an age of significant innovation. Indeed, the pace at which new products and services are being developed is truly incredible. In 2014 alone, the U.S. Patent and Trademark Office (USPTO) granted a record 300,678 utility patents – the most issued in a single year, ever. Meanwhile, 81 percent of executives from across 213 companies globally have reported that innovation is an “important” or “critically important” factor in achieving their organizational objectives. This is an encouraging sign. In fact, looking across Silicon Valley and beyond, I see many companies setting up innovation labs and appointing Chief Innovation Officers, often with the goal of developing new technology breakthroughs and disrupting the status quo. However, with so many new businesses emerging every year, each aspiring to be the “most innovative,” or the next “disruptive force,” what does the term “innovation” mean anymore? Is it just about creating a new product or service? Or is it more than that? Putting “Value” Back into “Innovation” Opinion pieces like this one published in the Harvard Business Review and this one carried by Virgin put a bright spotlight on the idea that terms like “innovation” and “disruption” have become so overused that they either feel empty, […]
