Insights on governance, risk, and compliance

Loading…
Abhishek GR
Abhishek GR

Through the GRC Lens: 2018 — A Year in Review

A litany of disruptions and corporate scandals in 2018 showed that while making profits, organizations will be held responsible for their actions in an increasing shift towards more ethical business practices Last year did not turn out to be great for businesses: there were mounting data privacy concerns around the globe; cyberattacks continued to hobble cities and disrupt business operations in the US; and Brexit uncertainty left UK industries worried. Meanwhile, shocking bank and corporate scandals sparked renewed regulatory interest in Europe, India, and Japan. Amidst these larger issues, several new laws and regulations came into effect, adding to the complexity of an already challenging business landscape. With so much that happened over the past year, here are some of the events and stories that stood out: 1. Marriott’s Colossal Data Breach The hotel chain’s disclosure of a massive data breach in November, which revealed the personal details of hundreds of millions of guests, saw the company’s stock price plummet by 5.6%. The security incident, reportedly perpetrated by state-sponsored Chinese hackers, made its way onto the list of the largest ever data breaches in history, coming second only to Yahoo’s 2013 incident where the personal information of 3 billion users […]
Aruna Mary Zachariah
Aruna Mary Zachariah

GRC Isn’t Just about the Mitigation of Risk, but about the Preservation of Trust

8 Key Takeaways from the GRC Summit 2018 – London The GRC Summit on Nov 12-13, 2018 provided a forum for business and government leaders from around the world to discuss, debate, and learn about the latest trends and best practices in GRC. Based on the theme “Preserve. Protect. Perform,” the summit featured a range of inspiring keynotes, expert talks, customer success stories, and panel discussions on topical issues such as Brexit, cyber resilience, corporate integrity, and culture. Key Takeaways The biggest driver of cyber risk? The emergence of a commodity market in hacking A decade ago, if you wanted to hack into someone’s system, or even conduct a simple denial of service attack, you had to be reasonably skilled. Today, you can simply buy a tool—or better still, a managed service to do it for you at a very limited cost. This rapid rise of a commodity market in hacking has made it easier than ever for criminals, disgruntled employees, nation states, and other malicious actors to attack organizations and nations where it hurts most. For more insights, watch this fascinating keynote by Robert Hannigan, Former Director of the UK’s Government Communications Headquarters (GCHQ). GRC isn’t just about the […]
Abhishek GR
Abhishek GR

Through the GRC Lens: November

Marriott’s massive data breach, Nissan chairman Carlos Ghosn’s arrest, and the CEO exit of Walmart’s India acquisition — here’s a round-up of November’s top GRC news headlines.  Marriott Discloses One of the Biggest Data Breaches in History November saw yet another data breach. This time, it was the hospitality industry that fell victim to hackers — The Wall Street Journal reported that a data breach at one of Marriott International’s M&A ventures, Starwood properties, may have exposed the personal details of up to 500 million guests. The colossal breach — second only to Yahoo’s 2013 incident that saw the personal information of three billion users stolen — included sensitive details such as passport numbers and payment-card numbers in addition to addresses and travel details, reported the Journal. In an investigative report from the Journal, security experts weighed in on the data breach  saying that Marriott could have done more to investigate a 2015 incident to find hackers that lurked in their systems. Unsurprisingly, Marriott will face scrutiny from regulators around the world. A fine in Europe may be likely with the European Union’s tough new data protection law, GDPR. Nissan’s Chairman Carlos Ghosn Is Arrested in Japan for Under-reporting His […]
Abhishek GR
Abhishek GR

Through the GRC Lens: October

Google’s failure to disclose a data breach, California’s tough new laws on corporate governance and net neutrality, and Silicon Valley’s #MeToo — here’s a round-up of October’s top GRC news headlines. Google Fails to Disclose a Data Breach At the height of Facebook’s Cambridge Analytica scandal, when the social media giant faced widespread backlash for its misuse of personal data, another Silicon Valley giant found that it had inadvertently exposed the private data of hundreds of thousands of users through its relatively lesser known social network. Fearing that the disclosure of such a breach would immediately invoke comparisons to Facebook’s disastrous liaison with Cambridge Analytica, and prompt scrutiny from regulators, the tech giant instead chose to quietly fix the issue. But things didn’t quite go as planned: a damning report by The Wall Street Journal in October revealed that a software glitch in Google’s social network, Google+, gave developers access to the personal data of nearly half a million users, including full names, email addresses, birth dates, gender, profile photos, places lived, occupation, and relationship status. The report also mentions an internal memo from Google which talked about the possible repercussions that the company would face if the breach was […]
Abhishek GR
Abhishek GR

Through the GRC Lens: September

Facebook’s largest ever data breach, Britain’s unending Brexit woes, and Europe’s $200 billion bank scandal — here’s a round up of last month’s top GRC news headlines. Facebook in Trouble Yet Again Facebook announced in September a major data breach affecting 50 million users. The breach was the biggest ever of its kind in the company’s 14-year history and reportedly allowed hackers to use people’s account as their own, permitting them to post and read private messages of users. It was also the first time that the social media giant disclosed a major data breach since the European Union’s (EU’s) strict new data protection law, GDPR, came into effect. The Guardian reported that Facebook could face up to a $1.6 billion fine if it is found guilty of violating GDPR. Facebook said that it had logged out 90 million users from their accounts as a precautionary measure, invalidating the “access tokens” which was used by hackers to bypass the social network’s existing security measures. The hack also raised questions about the security of the company’s single sign-on feature, Facebook Login, which allowed users to access other apps and websites through their Facebook credentials. While Facebook said that it had found […]
Abhishek GR
Abhishek GR

Through the GRC Lens: August

Privacy concerns around smart home speakers, the tech industry’s continuing woes, and corporate activism on significant issues — last month’s top headlines in the GRC space point to a growing range of governance and risk challenges The Problem with Smart Home Speakers The latest trend of using smart speakers such as Google Home and Amazon Echo can expose users to hackers who target unsecured devices to listen in on private conversations. The Telegraph reported in August that a doctored Echo speaker can be used to gain access to other Echo devices, offering criminals the opportunity to not only spy on conversations, but also take over the device. Privacy concerns around always-listening digital assistants have persisted. And as more and more devices are connected to the internet—some with little, if any security—the problem is bound to grow. In an interview with TechRepublic, Caleb Barlow, IBM Security Vice President said that there were more connected devices than people on the planet, and that we have to shift our thinking now about how we manage the security of iOT devices. It remains to be seen how the tech giants address these privacy and security concerns as they seek to innovate in their product […]
Abhishek GR
Abhishek GR

The Rise of Ethical Tech and Social Media, and the Reputational Risks of Ignoring This Cultural Zeitgeist

Today, growing advances in tech and wide-spread social media reach has given us greater conveniences and powerful platforms to voice our opinions. However, these highly engaging devices and services, and the cutting-edge tech that support them, also have their flip side — they are addictive, bring in unknown risks, and in a hyperconnected world, have increasing influence on public opinion. Not surprisingly, a new cultural movement is taking shape to combat tech addiction and ensure that social media platforms and tech are used ethically. What are the implications of this cultural zeitgeist, and can organizations afford to sit on the fence on divisive issues for the sake of popularity and profit? We explore. The Growing Emphasis on Ethics Facebook’s fake-news and data-privacy scandals highlighted the real-world influence that social media platforms wield in state affairs. The scandals sparked a public outcry about the company’s ethics, eventually leading to a Congressional hearing, and more recently, to the single biggest loss in stock market history as the social media giant admitted that the scandals were beginning to hurt its business. While the US was reeling under the revelation that its election results may have been influenced through Facebook, the European Union (EU) […]
Vidya Phalke
Vidya Phalke

GRC as a Guardrail for Nurturing Corporate Culture and Integrity

As we witness some of the key news headlines in recent years – the Volkswagen emissions scandal, the Wells Fargo account fraud and the Uber crisis – to name some that are top of mind, I wonder what role technology could have played; not just to address the issues, but also to prevent such situations from occurring in the first place. I’ve sometimes been told these are ‘corporate culture’ issues and ‘technology’ cannot do much at all. However, I disagree. The foundation for culture is laid out in the core values and tenets of a company. When a company is small – these messages can be easily communicated by verbal and non-verbal methods – and if issues surface, they can be handled quickly. However, as a company scales and grows, a lot of that shorthand needs to start getting codified into the way the business operates. The natural place for this codification is in its vision, mission, policies, training, controls, compliance, and risk management practices – in other words, the essence of GRC (governance, risk, and compliance) thinking. It is by using these essential components, and by constantly refreshing them, that one creates a sustainable machinery to help preserve the […]
Abhishek GR
Abhishek GR

Uber’s Big Win and The Curious Case of Silicon Valley’s Corporate Culture

June 2018 offered startling lessons in governance and compliance Silicon Valley has of late faced an important concern – increased scrutiny from regulators over its business practices. This June, some of the Valley’s tech giants, including Uber, Google, and Intel faced questions around their ethics and principles which revealed interesting aspects of Silicon Valley’s corporate culture. Uber’s culture seems to be changing under new CEO, Dara Khosrowshahi. In less than a year, Dara has orchestrated a remarkable turnaround at the company: settling a prolonged and messy lawsuit with Waymo, winning back Uber’s operating license in London, and doubling down on ethics to rein in its combative culture. With leadership lessons aplenty, how successful will he be in his efforts to take Uber down a different road? Only time will tell. For Google, however, the emphasis on ethics and integrity came from a different source. Caving into pressure from employee activism, Google decided not to renew its contract with the Pentagon, and its CEO, Sundar Pichai, outlined the principles governing the company’s development of artificial intelligence on Google’s official blog. While the news of Brian Krzanich’s departure from Intel made little difference to the company’s stock value, the larger implications remained: […]
Aruna Mary Zachariah
Aruna Mary Zachariah

GRC for Generation Z

There’s a new first line of defense in the workplace. Gen Z is entering the workforce in droves, and will soon make up almost a quarter of the global working population. They will be the ones at the frontlines of the enterprise, managing risks every day in their business transactions, decisions, and interactions with customers. In some respects, Gen Z-ers are similar to their predecessors, the Millennials. But they also come with distinctive values, attitudes, and of course, risks that GRC teams would do well to be aware of, if they want to effectively harness the potential of this new demographic in building well-governed, risk-aware enterprises. Gen Z Is Highly Tech-Savvy Gen Z employees are the first truly digital natives. To them, smart phones aren’t just devices, but a way of life. In fact, the majority of Gen Z now communicates more digitally than in person. They expect information to be delivered instantly, visually, and in bite-sized chunks. They’re also big on personalized digital experiences and apps that can predict and provide what they need. Engaging this new demographic in GRC might require a rethink of existing GRC tools and processes. Are spreadsheets the way forward for a mobile-first generation? […]
Ryan Rodriguez-Wiggins
Ryan Rodriguez-Wiggins

“Why Excel is just not good enough” – Part 1

I was on a call the other week with the Enterprise Risk Manager of a relatively sizable multi-national corporation (over 20,000 employees across a few hundred locations on nearly every continent), and she said something that got me thinking. She said, “For us, right now – Excel is good enough.” I responded by saying that “I understood,” we discussed a few other topics on the call and hung up. It wasn’t until afterwards that I realized how much her view about Excel took me aback. As an enterprise software sales professional, I believe in companies moving to automation. But the reason the statement took me aback was because I realized that this might be a common mindset across many people and firms.  How many other people think, “Excel is good enough”? A Senior Manager on my team, Mark Winey, was also on the call. After the meeting we spoke, and he reminded me that one of my first roles was in Operational Risk Reporting and Monitoring (R&M), so I should be able to understand their perspective. I began to reflect on this. Earlier in my career, my team had built out the firm’s first op risk and control R&M function […]
Abhishek GR
Abhishek GR

How GDPR Is Shaping Tomorrow’s World

Trending in GRC News Stories: GDPR What do the following events have in common – WhatsApp updating its minimum age of use in Europe, Facebook asking you to review how you are targeted with ads, and Google restructuring its cash-cow ad business? It’s General Data Protection Regulation (GDPR) – the European Union’s (EU’s) landmark data privacy regulation. GDPR gives EU citizens multiple digital data rights, perhaps the most important one being the right to be forgotten. But today, our every search, click, and swipe leaves an online trail through web caches and cookies. There are millions of smartphone apps that gather the personal information of users every day. And tech giants collect massive amounts of data on consumers which they monetize through their ad business. In this digital data-driven age, the task of anonymizing the information of users can not only be challenging for companies, but also costly. GDPR is slated to come into effect on May 25th, leaving Europe-based companies, as well as those in other countries that handle the data of EU citizens, scrambling to get their data protection measures and controls in order. Companies that mishandle data, and fail to comply with GDPR run the risk of […]
Abhishek GR
Abhishek GR

Cryptocurrencies and Blockchain Technology: Is This the Synergy That Will Re-shape the Future of the Financial World?

Blockchain needs no introduction. It has given rise to many benefits such as “keyless” signature systems and the ability to track thanksgiving turkeys from farm-to-table. But arguably, the most disruptive manifestation of blockchain technology is cryptocurrency. While the idea of having a digital currency that can be created by anyone, freely sourced, and unregulated by a central authority has been around since the 80s, it has failed for one reason or another — some due to regulatory crackdowns, and others due to the unavailability of a truly secure virtual mode of transaction, sans third parties. So, what’s different this time around and what does it mean for the future of the financial world? We’ve seen many technological disruptions succeed only when the time was right. Take Uber for example: A Silicon Valley company that has become synonymous with the service it offers — you no longer take a cab or a taxi, you take an Uber. But cars and drivers were around long before Uber even existed. So, what was the magic ingredient that made a service so seemingly simple and ubiquitous, worth over $72 billion today? It was the advent of the smartphone revolution and the penetration of high-speed internet on mobile devices. This […]
Abhishek GR
Abhishek GR

Growing Data Privacy Concerns, Continued Cyber-Attacks, and the Failure of Audits to Detect Frauds: Q1 of 2018 Ends on a Less-Than-Savory Note

With a major data privacy scandal involving Facebook, a crippling ransomware attack on the City of Atlanta in the US, and a $2 billion fraud at Punjab National Bank in India, we take a look at some of the biggest news stories that have dominated the GRC space in the first few months of 2018. The Data Privacy Conundrum: Facebook and Cambridge Analytica Mark Zuckerberg, Facebook’s CEO, recently testified before Congress on the alleged harvesting of personal data by Cambridge Analytica – a third-party data analytics firm – to influence the 2016 US elections. The scandal, which reports say involved the personal data of more than 70 million Americans, has led to a public outcry, prompted #deletefacebook, and shaved off over $80 billion from the company’s stock value since the incident was uncovered. The social media giant may also be at risk of hefty fines for possibly violating an FTC privacy deal. With public trust in Facebook diminishing, the company has had to postpone the launch of its smart speaker for a “better time.” Atlanta Cybersecurity Incident: Cyber-Attacks Continue to Grow More Potent After WannaCry and NotPetya last year, cyber-attacks have intensified – this time, it was the City of […]
French Caldwell
French Caldwell

The vicious cyclone of emerging risks – My big ‘aha!’ from OpRisk North America

The OpRisk North America conference was disrupted by an operational risk — a late season snow storm that has snarled transportation and complicated travel plans in the mid-Atlantic and Northeast, but most attendees and speakers chose to go forward, and I’m glad they did since conference has given me a big ‘aha’ on emerging risks. Cyber risks and cyber compliance.  In almost every session presenters and the audience have cyber risks as the dominant operational risks.  While for years, GRC experts have highlighted that with the increasing dependence of business models on digital technologies, cyber risks and cybersecurity strategies would become a critical element of strategic business planning.  Well, now those forecasts by experts have proven out, and chief risk officers are incorporating cyber risks into their risk management strategies. Cyber compliance is also emerging as a critical discipline of overall enterprise compliance management.  From a regulatory standpoint, with the emergence of digital business models, businesses are also grappling with increased oversight from regulators.  Almost all U.S. states have data breach notification laws.  The first state to regulate data breach reporting was California which requires notification of consumers for any breach that affects more than 500 customers.  Maryland requires notification […]
Aruna Mary Zachariah
Aruna Mary Zachariah

No More #Metoo: Ending Workplace Sexual Harassment

Are Policies and Training Programs the Answer? February 19 marked a year since Susan Fowler lifted the lid on sexual harassment at Uber, setting in motion a series of events that would reach a tipping point with the Harvey Weinstein exposé, and culminate in the #metoo and #timesup movements. Since then, thousands of women have come forward with their #metoo stories, revealing just how pervasive and ubiquitous the problem of sexual harassment really is. We often tend to think of harassers as lone wolves, acting of their own accord. But the fact that men like Harvey Weinstein were able to allegedly get away with their actions for decades points to a deep culture of complicity – one where sexual harassment is allowed to thrive because people around its epicenter choose to turn a blind eye to it, or fail to address it with the seriousness and urgency it deserves. That brings us to the question — how can we do a better job of preventing sexual harassment in our organizations? How do we create safer work environments where women and men are treated with dignity, and are unafraid to speak up when witnessing or being subject to inappropriate behaviors? For […]
Vibhav Agarwal
Vibhav Agarwal

Too Big to Fall? Cyberattacks Claim Some Surprising Victims in September

First it was Equifax with over 140 million accounts compromised. Then it was the SEC whose EDGAR public-company filing system was breached. Then came Deloitte who revealed that hackers may have accessed the sensitive details of several blue-chip clients. Apparently, no one is immune to a cyberattack any longer—not even the regulatory watchdog that’s been telling corporate America to get its cybersecurity act together. All three attacks are a stark reminder of how little it takes for cyber barriers to be breached. Look at Equifax, for instance. Here’s a company that, according to an investigative report in Bloomberg, had invested millions in state-of-the-art security measures, implemented anti-intrusion software, and established a dedicated team to patch vulnerabilities quickly. But then they failed to notice and fix a flaw in their backend software, leaving the door open for attackers to trigger one of the most staggering cyber heists in recent memory. Of course, the problems at Equifax run a lot deeper than a simple patch failure. Bloomberg provides a fascinating account of some of the events at Equifax that may have culminated in the data breach, including the departure of key security personnel from the company over the last few years. What […]
French Caldwell
French Caldwell

How IT Can Leverage AI to Prevent Major Cybersecurity Incidents

The need for artificial intelligence (AI) in IT governance, risk and compliance (GRC) is growing quickly.  As companies expand their digital footprints, cybersecurity vulnerabilities worsen due to an increased amount of data being produced from IT security monitoring and performance tools. At its recent Ignite 2017 conference, Microsoft revealed its plans for further incorporating artificial intelligence (AI) into its various offerings.  For example, the company is embedding AI in Excel to assist with automatic determination of different types of entries – Excel will be able to go beyond automatically differentiating between text and numbers to being able to identify the type of text utilized.  Since the program will be able to better identify types of text – for example, differentiating between objects, corporations and people – it also will be able to discover relationships within and between data sets. A recent report issued by MetricStream found that AI has already taken the step of improving the discovery of data relationships in governance, risk and compliance (GRC). For instance, if a risk assessor creates a link of a risk to a business objective, an auditor identifies a relation of a risk to a control, and an IT security manager identifies a […]
Gunjan Sinha
Gunjan Sinha

3 mega trends transforming governance, risk and compliance

What three mega-trends are shaping business actions and objectives, and how can they impact GRC professionals’ roles? In the 15 years since the term governance, risk and compliance (GRC) was coined, a lot has changed. Once managed as separate initiatives, the three processes are more entwined than ever and are playing a prominent role in helping organisations to achieve performance and growth. The business landscape is consistently evolving and businesses are becoming increasingly savvy in order to overcome new sets of risks and challenges. Of course, with increased risks come opportunities, and organisations are turning to GRC professionals to guide them. Not only are they being called upon to oversee compliance and rein in wild risk-taking, but they are expected to drive the business forward. These professionals are uniquely positioned to help businesses seize more opportunities by empowering them with the risk and regulatory intelligence they need to make better decisions. See also: Come together – a federated approach to GRC and risk management In short, it’s an exciting time to be in the GRC space. Here are three mega trends that GRC professionals need to keep in mind in order to continue driving high performance. Trend #1: Consumers are […]
French Caldwell
French Caldwell

Like Humpty Dumpty’s fall from the wall, a major data breach can crack a government

When governments suffer data leaks, the traditional fallout of breaches are combined with political scandal – the impact is multiplied and scrutiny magnified. Questions are asked around why information was withheld or, if announced soon after discovery, why it took so long to uncover. Just as a business suffers reputation damage after a breach, the Swedish Government faces a real struggle to regain citizens’ confidence.  So far two government ministers have been sacked, and the investigation into the handling of sensitive government data on its citizens and national security is expanding.  If at all possible, rebuilding trust will involve the removal of some high-profile ministers, and Anders Ygeman, the country’s home affairs minister, and Anna Johansson, the infrastructure minister, were the first to hand in their resignations. This and other recent third party breaches challenge the assumption that data is safer with service providers. Organizations often outsource IT functions as expert companies are seen to have better infrastructure and cybersecurity features. They have economies of scale as well as the economic incentive of ensuring that data remains secure – they lose business if it doesn’t. Yet, what appears to be lost on some organizations is that when you outsource or put […]
Richard Bistrong

Compliance Meaningfulness: Hard to Achieve, Easy to Destroy

In an article titled, What Makes Work Meaningful- Or Meaningless by Catherine Bailey and Adrian Madden (MIT Sloan Management Review, Summer 2016),  the authors focus upon what makes our work meaningful, with research conducted across multiple industries and responsibilities. While their findings are presented as relevant to the overall workforce, the compliance implications are significant and worthy of discussion. In sum, meaningful work, which can be “highly motivational, leading to improved performance, commitment and satisfaction” is not easily achieved, and tends to “be intensely personal and individual.” It is not derived entirely from the workplace experience, but is often a part of how employees “see their work and its wider contribution to society in ways that matter to them as individuals.” In other words, it’s related to how an individual views their work as part a greater contribution to society outside the workplace.  However, the opposite is not true- in that meaninglessness, which drives a sense of “futility” in the workplace, is almost entirely derived from the organization and the behavior of its leaders. So, what are the features of meaningful work? Common characteristics include: Self-Transcendent: Where employees experience their work as “mattering to others more than just to themselves.” In […]
Blog Admin
Blog Admin

GRC Summit 2017: GRC for High Performers

Year after year, the MetricStream GRC Summit grows bigger and better! This June 4th-7th, we assembled an incredible lineup of speakers at the Gaylord National Resort in the Washington DC area. These experts, along with industry analysts, and MetricStream customers, employees, partners, came together to empower decision-makers across industries with the right risk and regulatory intelligence to help them stay ahead of the competition. On the first day of the event, MetricStream CEO, Shellye Archambeau opened the summit by highlighting that in our increasingly disruptive world, organizations are looking for GRC champions – people that have the knowledge, skills, fortitude, and tools to drive the business forward. This was followed by an enlightening keynote by Gordon Smith, CEO of Chase Consumer & Community Banking, who highlighted and emphasized on keeping things SIMPLE and to look at everything through the customer point of view.                             The event also featured award-winning journalist and Managing Editor (US) of Financial Times, Gillian Tett who spoke about the need to break down silos by using data more effectively. We also heard from David Laufman, Chief, Counterintelligence and Export Control Section at U.S. […]
French Caldwell
French Caldwell

No, There Won’t Be New Rules On Cybersecurity – Until Someone Dies

Recently, I did an interview with Bloomberg Newsweek on the WannaCry ransomware attack that affected over 200,000 computers around the world.  The attack shutdown parts of the U.K. National Health Service leaving thousands of people without access to healthcare services, and resulted in Renault’s assembly lines being shut down in France among other things.  Newsweek picked up on my most sensational comment in the interview which was, “People have to die or lose lots of money before government steps in to regulate.” And that’s true – and has been true for over 100 years.  In the late 1800s, when railroad accidents were taking lives, the government finally interceded with safety rules.  When food poisoning became common with bad meat and processed foods in the early 1900s, the government stepped in.  With the Great Depression in the 1930s, government interceded with new rules on financial reporting. Loss of life and money are the primary rationale for new regulatory regimes, and over time those regimes grow and flourish. Whenever a major cyberattack happens, one the most common questions I’m asked by reporters is whether the government will institute new regulations.  In the U.S. and in most other democracies, the answer appears to […]
Vidya Phalke
Vidya Phalke

Mitigating Cyberattacks: The Prevention and Handling

Mitigating Cyberattacks New tools and technologies help companies in their drive to improve performance, cut costs and grow their businesses but as companies adopt cloud services in greater numbers and refine internal processes for development and operations, security considerations must be front and center. As companies rapidly adopt Cloud with a DevOps approach to rapid response to business they must revisit security plans to confirm they are still effective in preventing and handling cyberattacks, making adjustments where needed. In certain industry segments this situation becomes more acute with Internet of Things (IoT) due to the nature of how these are operated and traditionally secured. To succeed at this, companies need to create the right environment for a cybersecurity culture and utilize automation technologies to protect and preserve data, operations and applications. Cyberattacks are increasing in number and sophistication. For many security professionals and heads of business it is no longer a case of if something will happen, but when. In fact, according to Alert Logic and Crowd Research Partners, over half of cybersecurity professionals expect there to be successful cyberattacks on their organization in the next year. Consequently, a third intend to increase security spend on cloud infrastructure and over a quarter […]
Vibhav Agarwal
Vibhav Agarwal

Ransomware Cyber-Attacks: Best Practices and Preventive Measures

RANSOMWARE CYBER-ATTACKS “WanaCrypt0r 2.0” or “WannaCry,” an unprecedented global ransomware cyber-attack recently hit over 200,000 banking institutions, hospitals, government agencies, and other organizations across more than 150 countries. The ransomware encrypted user data, and demanded a payment in bitcoins to unlock the data. The companies that were hit included Telefonica – Spain’s largest telecom provider, more than 16 hospitals in England’s National Health Service (NHS), US package delivery company – FedEx, and many other high profile targets. Across the world, cyber-attacks are on the rise. CSO magazine cited the FBI as saying that $209 million had been collected in ransomware payments in the first quarter of 2016 alone. These attacks illustrate how unprepared most organizations are to counter the growing menace of cyber threats. Many large organizations still use unsupported or older versions of software, encounter significant delays in patching vulnerabilities, and perform fewer automated backups, thereby putting themselves at grave risk. As the scale and impact of cyber-attacks grow, it is imperative for CIOs, CISOs, and other business leaders to diligently address basic areas of cybersecurity to avoid disruptions in their critical business operations. KEEPING CYBER THREATS IN CHECK Detecting covert cyber threats lurking in enterprise networks, and orchestrating […]
Swapnil Srivastav
Swapnil Srivastav

Uncover and Mitigate Third-Party Risks

Third parties have become an integral part of any business operation. However, the threats and issues arising from third-party engagements require enterprises to gain an in-depth understanding of their entire global third-party ecosystem. Failing to curb third-party risks can lead to severe reputational damage and loss of stakeholder and customer trust, but assessing third parties can be resource intensive. On the other hand, establishing a robust and automated program to continuously monitor and assess third parties enables organizations to detect and alleviate risks stemming from non-compliance, unethical practices, financial risks including supplier bankruptcy or business disruption, exposure to Tier 2 suppliers, legal issues, and access to confidential data. By leveraging leading financial health analytics providers for a deep analysis of the financial viability of third parties, and by adopting robust technology, organizations can simplify the process of third-party risk management and catch early signs of risk exposure. Recently, MetricStream hosted a webinar on the topic, where experts James H. Gellert, Chairman & CEO at RapidRatings, and Swapnil Srivastav, Manager, Marketing at MetricStream, provided some key insights into the best practices that can help organizations effectively identify and mitigate third-party risks. In the course of the webinar, several interesting audience questions […]
Shua Saaqib

Streamlining Compliance Case Management

In early February this year, the fraud section of the U.S. Department of Justice (DoJ) released a new document with specific guidelines on how they will evaluate corporate compliance programs in organizations going forward. The DoJ clearly specifies in the document that they will look at corporate compliance programs in their entirety and not just at the reporting or investigations part. With a spate of new regulations coming up, organizations are striving to improve their compliance program. Many are moving up the compliance maturity curve and keeping pace with the rapid regulatory developments happening around them. However, multiple reporting requirements, myriad reporting authorities and structures, and stricter regulations continue to challenge compliance teams, putting pressure on them to develop effective and better ways to address an ever more complex regulatory and business environment. In a recent MetricStream webinar titled “Streamlining Compliance Case Management: Challenges and Best Practices,” Eric Morehead, Principal Consultant, Morehead Compliance Consulting, LLC, provided valuable insights into the challenges organizations face when managing and investigating ethics and compliance cases, how to improve the efficiency of case management programs, and how to track the effectiveness of compliance programs by leveraging technology. One of the biggest compliance challenges organizations face […]
Blog Admin
Blog Admin

Eluding Operational Risk Failures in Banks

The solidity of banks and financial institutions was tested in the financial crisis of 2003 and 2008. The best of banks were shown to have poor governance frameworks, overlooked internal controls and had a lack of adequate monitoring of loss exposures. Although the core reason of the crisis was liquidity risk and credit risk, a strong catalyst to the whole downfall was operational risk management, particularly in the banking system. Many banks paid the price for overruling risk management, designing products without adequate risk reviews, paying insufficient attention to legal risks and making poor disclosures to investors. The crisis highlighted a clear message – Operational risk needs to be made an important part of a bank’s risk management framework. Hence Operational Risk Management (ORM) frameworks are constantly evolving in banks and financial institutions due to changing market conditions, new regulatory requirements, dynamic business environment, and technological advancements. It has become imperative to address the operational risks at an enterprise level, which are closely aligned to the business objectives of the organization. But, before someone decides to invest their time and effort in implementing operational risk frameworks, it will be good to understand the following key aspects How to Identify and […]
Richard Bistrong

Can Marketing and Compliance Share a Playbook?

I recently read an article in the Winter 2017 MIT Sloan Management Review, Mastering the Market Intelligence Challenge (Chari, Luce & Thukral). In this work, the authors address how “many multinationals simply import their domestic models into emerging markets.” And whilst this work is directed towards those who deal with market intelligence in emerging markets, the conclusions drawn are equally applicable to those who face compliance challenges in such frontier regions. If you review the article and substitute ‘due-diligence’ for ‘market intelligence,’ it reads like a compliance thought piece. So I ask, can both compliance and market leaders share resources and data when it comes to due diligence and market information, as to allow for a more collaborative approach? The authors state that “for developed-market companies, winning consumers in these new high-growth markets requires a radical change in mindset, capabilities, and allocation of resources.” I would add that such ‘radical changes’ are also applicable to compliance leaders and teams who face the challenges of addressing business development in emerging markets,  where commercial opportunities and corruption risk are often intertwined. A few of the issues which might de-rail market intelligence or a compliance program in emerging markets might be: Grouping.  Very […]
Gaurav Kapoor
Gaurav Kapoor

Crowdsourcing: Enriching Corporate Data for Risk Management

Crowdsourced information from internal and external sources can enrich insight generated by governance, risk and compliance (GRC) teams to help companies mitigate risk and perform better in challenging environments. The public and collaborative nature of unstructured shared data sources (such as social media) can bring issues of interest to light faster than they may show up in formal reporting. This gives companies the benefit of being able to act quicker than they may otherwise be able to do, provided they can harness and interrogate the data to extract usable intelligence. Crowdsourcing is probably most associated with funding, software testing and development. However, the collective pooling of inputs that it represents can equally apply to information and data sharing. It has the potential to add significantly to the view companies have of external risks, internal weaknesses and possible points of non-compliance. When it comes to gathering risk information and stimulating ideas around corporate governance and control, companies can be limited by the finite resources of their GRC teams — but only if they allow themselves to be. In fact, they not only have at their disposal the significantly larger pool of minds inside their entire organization but also an entire community […]
Vibhav Agarwal
Vibhav Agarwal

Principles of an Effective Cybersecurity Strategy

Managing Cybersecurity Risks A number of trends contribute to today’s reality in which businesses can no longer treat cybersecurity as an afterthought. These include a rapid increase in the number of internet connected devices, an increased dependency on third party applications, self-provisioning as a result of bring-your-own-device and public cloud. Add to these, unprecedented levels of smart phone and mobile device adoption and we can see that the cybersecurity ‘attack surface’ has increased massively. According to MetricStream’s, ‘The State of Cyber Security in the Financial Services Industry’ report, around 66 percent of financial services institutions have faced at least one cyber-attack in the last 12 months. The cost of this, which can be catastrophic, can include regulatory penalties, eroded share prices, a loss of customer confidence and reputational damage. It can even result in a complete shutdown of the business.” It is clear therefore, that organizations need to constantly evolve their security strategies and tactics to safeguard data, systems and operations against ever-evolving security risks. In today’s cloud era, an effective strategy should leverage industry-standard cybersecurity frameworks and unified threat management systems. A sole reliance on traditional approaches and tools, such as firewalls and security solutions, may now leave networks […]
Nanda Ramanujam
Nanda Ramanujam

Are You Ready for the Predictive Analytics Revolution?

Organizations face mounting pressure to improve operational efficiency, and drive business performance and profitability. Volatile economies, evolving regulatory frameworks, and threat agents that penetrate sophisticated detection tools demand more stringent measures. However, many organizations still rely on traditional and manual processes to manage risks, monitor fraudulent transactions, and investigate incidents that have the potential to cause irreparable reputational damage and financial loss. Forward-looking enterprises have started reimagining their processes, ridding their system of guesswork and instinct in favor of more robust analytics tools, monitoring processes, and metrics. Buffeted by diverse and complex challenges, many organizations are turning their attention to predictive analytics [1] to foresee future trends (often by processing petabytes of existing data), as well as to deal with the business issues at hand. Such systematic analysis and interpretation of data helps organizations maximize productivity, reduce wasted efforts, deal with uncertainties (e.g., product failure)[2], and drive profits.[3] These new approaches have the potential to give enterprises a firmer grip on their fast-growing big data. Big data analytics and predictive models have entered a period of significant technological maturity, becoming more powerful in terms of data aggregation and analysis,[4] and more widely available than ever before. Simply put, it’s about proactively managing risk. […]
Hernan Huwyler
Hernan Huwyler

Components Of An Effective Third-Party Due Diligence Program

Third-party intermediates such as distributors, resellers, agents, service providers, or business consultants are contracted to rapidly create a presence in or access to new or emerging markets. They can work as the first foothold in opening a commercial presence, both domestic and internationally. Also, they can provide insights of the local business environment and their relationships as a business partners. While third parties are retained to operate on the organization´s behalf, their business activities are not always as transparent or controllable. It increases the exposure to bribery and corruption risks. Intermediaries include not only those used in the sales channel, but also as part of a business operations and strategy. A third-party due diligence program (KY3P) allows reducing the risk of improper payments and fraud. In addition, regulations such as the FCPA and the UK anti-bribery act, settlement agreements, enforcement actions, ISO standards and best practices, require a third-party due diligence program as part of the corporate ethics and compliance program. The following components are part of an effective program: Risk-Based Approach: the first step in the program is to perform a risk assessment of third parties, usually classified into low, medium and high. These risk tiers define how deep […]
Pallavi Singh
Pallavi Singh

Effective Ways to Reduce Cost of Poor Quality

Though the term “Quality” has been an intrinsic part of our business landscape for ages, we still tend to take it for granted – at least until we encounter a disruption in usual business. This is because of a  misconception that investing in anything to make quality better is an avoidable cost and we can do away with it. But what we fail to understand is that if there is a failure due to poor quality, the cost incurred is way more in magnitude – putting everything you would have earned over time, at stake. Now, the questions which arise are – Will Cost of Poor Quality (CoPQ) really matter to me or my organization? Which components are key to minimize the CoPQ? Are there any metrics or strategies that can be adopted to keep the CoPQ in control? All these questions and more, make it difficult for organizations to qualify the metrics and measure them. Research claims, for many organizations quality-related costs go as high as 15 to 20 percent of their sales revenue, with some even going up to 40 percent of total operations. Ideally, for a company to thrive, the cost of poor quality should be 10 […]
Vibhav Agarwal
Vibhav Agarwal

What Is Important? Cyber and Continuity Risk

New risks are emerging every day in the realm of Cybersecurity, and many organizations are moving quickly to address these risks: developing documentation, procedures, and processes. However, this is often without regard for Cybersecurity best practices. To ensure sustainability, organizations must develop cyber policies, plans, and procedures and put effective controls in place. If these controls are already in place, they should be evaluated frequently to ensure that they address these emerging risks. It is essential for every organization to review and update their security procedures and policies in order to prepare for emerging business and IT risks. Having a standard and consistent monitoring and incident response program is becoming more and more critical, as attacks occur more often and more viciously, targeting organizations across sizes and industries. In addition, the organizations need to constantly upgrade their security awareness and training programs to educate the employees and other stakeholders about new technology advances and techniques and tools available to prevent cyber attacks. Digital enterprises today need to tailor standard cyber risk methodologies, based on best practices, such as ISO 27005 to fit their organization. In the event of an attack, to ensure that critical business processes aren’t brought to a […]
Vidya Phalke
Vidya Phalke

5 Tips For Improving Enterprise Cloud Success In 2017

Improving Enterprise Cloud In today’s dynamic environment, enterprises are striving to gain a competitive edge, reduce maintenance overhead, manage economies of scale, and minimize capital costs. Over the last few years, there has been an increase in the adoption rate of cloud technology. In order to attain the benefits of flexibility and rapid up and down-scaling as needs dictate, enterprises will continue to transition their IT Operations towards the cloud on a rapid basis. As plans are drawn up for the year ahead, take note of these tips for improving cloud success in the enterprise. Cloud Challenges As businesses move their IT operations to the cloud, there is decreasing visibility and insight into cloud asset security amidst increasing cyber threats and compliance with ever-evolving regulations. There have been several innovations to help customers address these concerns head-on. For example, MetricStream’s IT-GRC Solution integrated with Google Cloud Platform (GCP), provides customers with an end-to-end solution that enables them to scope, plan, and achieve cloud asset security, transparency, governance and compliance. Innovations and partnerships such as this proactively address various cloud-related challenges, and help companies realize greater benefits across their infrastructure, IT strategy and business deliverables. Let’s delve further into some key […]
Shellye Archambeau
Shellye Archambeau

4 Ways Startups Can Harness Innovation and Disruption

We live in a time when doctors no longer have to rely on costly and unwieldy medical imaging devices to diagnose illnesses. A simple “visual stethoscope” would help them see deep into the human body more easily than ever, thereby accelerating both diagnosis and therapy. Meanwhile, if you’re a chronically ill patient, you no longer have to make repeated, costly visits to the hospital. Say hello to Molly — an innovative, friendly, virtual nurse who can check up on you, monitor your vitals and provide follow-up care — all through your smart phone. Speaking of smartphones, the future of banking is here. You can now use your mobile device to do just about all your banking on the go — from opening an account to tracking your spending to freezing and unfreezing your credit cards, and more. You can even have your own automated financial adviser provide advice on where and how to invest your savings smartly, at a fraction of the cost charged by traditional banks. Butterfly Network, Sense.ly, Monzo, and Betterment are the companies that are making each of these scenarios a reality, respectively. They’re transforming the way we think about healthcare and financial services. And they’re doing that through a range […]
French Caldwell
French Caldwell

Making Way For The Space Tycoons

Until recently, missions to put humans into space were government-owned programs, funded by public coffers and the tax dollars of citizens. However, the recent proposal from Elon Musk for colonizing Mars highlights the role of the private sector and tycoon visionaries in the future of space. Much is made, and rightly so, of John F. Kennedy’s challenge in 1961 to send humans to the moon, and in just eight years, NASA accomplished that goal. It was a government funded and government led effort, though of course private sector contractors provided much of the expertise. Musk’s Mars proposal though is one in which the private sector plays a leadership role. And it’s a much more audacious goal–technologically and culturally. Not only does Musk see humankind reaching Mars, but also he sees us staying there in a colony that grows to a city of as many as a million people. Musk is challenging national space policy, which has opened up to private sector entrepreneurship for near-earth orbit, but effectively has fenced off the moon, Mars and beyond with timid goals for NASA to return humans to the moon by 2025 and for humans to orbit Mars by 2030. The role that tycoons […]
Nanda Ramanujam
Nanda Ramanujam

Establishing a Big Data-Driven GRC Culture

The business complexities of today demand new resources, new investments, new ideas, and new innovative technology solutions that can integrate and automate various programs and processes, as the risk landscape and associated methodologies to manage them have undergone enormous changes. Organizations are increasingly seeking better, more proactive ways to understand and manage key areas such as risk management, compliance issues, audits, security, and business continuity programs. For most, the biggest challenge lies in truly breaking down “GRC silos” – to bring data, people, and departments together into a single source of truth. Doing this can help organizations cultivate a more collaborative, integrated, and risk-intelligent culture, and drive effective decision-making at the corporate level. The effectiveness of governance, risk management, and compliance hinges on data. Being able to gather, analyze, and communicate information with the right stakeholders, in the right format, at the right time is critical. Leading, forward-thinking organizations are responding by creating an infrastructure within the organization and across its extended supplier ecosystem that leverages data in a meaningful way to support governance, risk, and compliance programs and decision-making. The vast and growing volume of unstructured and structured data today provides limitless opportunities to improve risk intelligence, support compliance, […]
Mike McBride
Mike McBride

Promoting Data Security in the Workplace

No matter the workplace, data security is often a top concern for management professionals. Security breaches can end up threatening the livelihood of employees and entire companies alike, depending on how severe they are. There are solutions available to many common professional data security problems. However, understanding the surrounding statistics is often the first step. To learn more about data security in the workplace, checkout this infographic compiled by the University of Alabama at Birmingham’s Online Master of Science in Management Information Systems program. Employees and General Information Security Over eighty percent of companies say that their biggest security threat is end user carelessness. Seventy five percent of companies also believe that employee negligence is their greatest security threat. Three percent of all United States full time employees admitted to using the same collection of passwords for their online needs. A third of this percentage even admitted to using less than five different passwords to access anywhere between twenty five to fifty websites, some of which were business and professional locations. Over thirty three percent of US companies do not have a security plan for internal security risks, which means personal responsibility is the largest deterrent in a vast majority […]
Gaurav Kapoor
Gaurav Kapoor

To the Aspiring Unicorns of the Future

Introduction: The world of unicorns has changed over the last year – and the public markets, especially in the technology sector, seem to have taken a special dislike (some perhaps just for the short term) of overpriced valuations, slower than expected growth rates, widening negative EBITDAs, and far and wide reaching geopolitical impacts. Naturally, that impact flows to the private markets, and especially onto these “unicorns” where private clearing-houses are seeing a spike in sellers, investment firms are writing down the values, and talk of profitability and rational growth is increasingly heightened. Irrespective, most of the 150 or so ‘unicorns’ are highly successful, disruptive and ubiquitous. Background and Context: A few years ago, start-up unicorns were a rare sighting in the technology scene. Reaching the billion-dollar valuation mark was reserved only for the top echelon of industry disruptors, so much so that not even Google or Amazon, as privately held companies, reached that valuation ($1 billion or more). Today, however, unicorns have become ubiquitous, and they touch many parts of our personal and professional lives. From reading front-page headlines, to online apps and tools, to innovative transportation solutions, unicorns are all around us. According to CB Insights, there are currently […]
Richard Bistrong

Gearing Compliance to the Tasks at Hand

The following blog post was originally posted in the Richard Bistrong Front-Line Anti-Bribery Blog at www.richardbistrong.com and is reposted with his permission. I recently had the opportunity to travel to Chicago for my first SCCE Compliance and Ethics Institute (CEI), and attended a session  “Keeping Compliance Simple,” which was led by Ricardo Pellafone, CEO, The Broadcat (www.thebroadcat.com) and John Partridge of Gibson Dunn.  It was an engaging session, and it gave me an opportunity to reflect on their work in the context of some recent corporate engagements. What first caught my attention was when Ricardo started the session by sharing that a compliance training program needs to address “the tasks at hand” to those on the front-lines of business. Does that sound obvious? Well, when we look at the complex challenges facing compliance and commercial teams, it might not be. Thus, I think we should heed to Ricardo and John’s reminder that an engaging compliance program is one that’s calibrated to help people execute with what they have been charted to do. Big and small. In other words, as Ricardo well states, “give people something they can look at while they are doing their job.” I think that’s excellent thought leadership […]
Vibhav Agarwal
Vibhav Agarwal

5 Recommendations For Effective Governance, Risk And Compliance Management

Cloud adoption continues to grow, which is evident from the fact that annual 2016 revenues for cloud vendors were “within touching distance” of $150 billion. Gartner also predicts that, a corporate ‘no-cloud’ policy will be as rare by 2020 as a ‘no-Internet’ policy is today. However, a ‘’cloud-ready’ security and compliance program is the need of the hour, to manage the risks and the complexities due to cloud adoption. This will enable organizations to face cloud challenges which, according to RightScale’s 2016 State of the Cloud Report include compliance with regulations, a lack of resources and expertise, governance and control and security. Although a challenge mainstay, confidence in cloud security is nonetheless rising; SkyHigh Networks points out that 65 percent of IT leaders think the cloud is as secure, or more secure, than on-premises software. To maximize the benefits of cloud deployments while mitigating the risks, companies need to prioritize a cohesive approach to governance, risk management and compliance (GRC). A cloud governance framework can automate cloud security, risk, and compliance workflows, enable stakeholder reporting and visibility, and ensure best practices and standards for cloud compliance. With that in mind, here are five recommendations for ensuring a proper governance, risk […]
Vishal Patel

3D Printing – Boon or Bane

 The 3D printing market is growing at an average of 35% CAGR, and is set to quadruple to $12.5 Billion by 2018 from $3Billion in 2013 (Wohler Associates 2014 report), however at the same time, organizations have to face heavy penalties and loss diminished by brand and reputation due to risks associated with 3D Printing. For instance, mishandling of patient information through 3D Printed software and associated violations of HIPAA compliance has already resulted in $9Million in fines for US-based companies in the last one year alone. Consumers around the world are converging to newer technologies that allows customization and immediate product deliveries. Just as e-commerce companies have done for consumers, will 3D Printing do the same for organizations? The 3D Printing industry emerged in the 1980’s, then known as Additive Manufacturing for product developments and rapid prototyping. With new technologies in design and faster printers available, the trend has quickly shifted to mass production. General Electric, as a part of the LEAP project, started to mass produce close to 25,000 aircraft fuel nozzles using 3D Print technologies. Similarly, USPS has partnered with 3D Print Service providers and are planning to purchase printers onsite in order to deliver packages, printed […]
Brenda Boultwood
Brenda Boultwood

Basel IV: The Next Step for Capital Requirements

Basel IV will certainly have operational impacts on the day-to-day governance and risk management of financial institutions – but it also stands to have a wider impact on the competitive banking market. These effects could include industry consolidation and a change in banking portfolios, which could eventually lead to a reduction in choice for their customers. On the one hand, Basel IV will instigate a higher level of financial disclosure, meaning that customers will have more information to help them make choices. However, on the other hand, customers may discover that providers have shrunk their portfolios to mitigate the capital impact of the changes, leaving fewer options open to them. Basel IV forms part of the arsenal deployed to protect economies from the risk of another financial crisis. A large part of its impact will be on capital requirements, with a projected average increase of an eye-popping 40 percent. While the mandate on capital requirements is intended to create a stronger banking system overall, such a leap clearly represents a sea change for individual banks. At the same time, the revised method of calculating capital requirements is designed to bring standardization and consistency to the industry. Measuring Up The capital […]
Yo Delmar
Yo Delmar

Walking The Line Between Personalization And Privacy

2017 promises significant shifts in retailer tactics as they embrace more intimate conversations, leveraging the power of digital devices, analytics and channels. Walking the fine line between becoming a trusted advisor, to intrusion and perceived (or actual) privacy violations, will become as much of a science as it is an art in today’s world. Here’s a look at the top five trends that will impact the retail industry in 2017. 1. Beyond Mobile Payments: Enhancing The Personal Shopping Conversation Retailers will provide innovative mobile apps to enhance customer experience, going beyond simple payments to establishing a virtual, real-time, personal shopping conversation — for example, notifying sales associates of a drive-through pickup or return.  Retailers will equip associates with mobile devices to reach out to in-store customers, track real-time shopping behaviors and send curated offers while blurring the line between online and in-store shopping. 2. Predicting The Path To Purchase And Preference: Blurring The Line Between Online And In-Store And Satisfaction Based On Actual Use Omnichannel will reach beyond purchase into actual use as retailers unify online, offline and Internet of Things analytics to understand the 360-degree view of an individual’s needs and behavior and gain insight into preferences. Correlation analysis […]
Piyush Pant

The Rise of Artificial Intelligence in Governance, Risk and Compliance

Organisations of all sizes are facing growing pressure to improve performance. They’re expected to drive efficiency, sales and profits, while cutting costs and upholding corporate integrity. The challenge is made more complex by the growing plethora of risks that are constantly reshaping the business landscape. For example, there’s the political risk caused by Trump and Brexit, the ever-changing register of regulations, the growing frequency and sophistication of cyberattacks, social media and the opportunity it gives the public to lobby, third-party risk, IT risk and natural disasters – that’s just a few. These factors have traditionally been managed as separate silos; owned by isolated departments that have little contact with each other, report to different individuals in upper management and simply focus on the risks that fall under their ‘remit’. Yet, as risks become more intertwined, the various processes and documents used to manage them often contradict one another, resulting in further business risk, duplication of work, and spiraling costs. As such, businesses are increasingly seeing the value of managing everything under one umbrella. Governance, risk and compliance (GRC) provides a single centralised processes and empowers organisations to more easily control and manage internal and external factors that may impact the […]
Shellye Archambeau
Shellye Archambeau

What Is Causing Startups to Go Bankrupt?

Many startups have a great product that’s viable, marketable, and ripe with potential. But if that was the only indicator of success, then nine out of 10 startups wouldn’t fail. The annals of startup history wouldn’t be littered with instances of companies like Friendster or Color that had fantastic products, but eventually sank. The truth is that startups often go bankrupt for reasons that extend beyond the viability of their products. Many of them fall prey to missteps that ultimately dry up their cash flow, and cause the company to fold. So what are some of these pitfalls to avoid? Failures in Compliance Theranos, one of the most promising Silicon Valley startups, is now struggling to stay afloat after regulators revoked its license to operate a lab in California because of unsafe practices. Meanwhile, Zenefits, once valued at a staggering $4.5 billion, was recently embroiled in a highly public scandal for skirting state insurance training, licensing, and certification requirements. Both companies with tremendous potential – both brought down by their neglect of compliance, among other things. For years, startups have been so focused on hyper-growth, rapid scalability, innovation, and revenue, that many of them have overlooked compliance. But with regulators […]
Gunjan Sinha
Gunjan Sinha

The Power of Intelligence

As you read this, data volumes across the world are exploding at an unprecedented rate. Facebook Messenger and WhatsApp alone process 60 billion messages a day. Instagram has over 500 million active users per month who share more than 95 million photos and videos every day. And that’s just social media. McKinsey predicts that by 2020, as many as 30 billion smart devices will be connected. Can you imagine the amount of data that that will produce? What’s truly exciting is that we now have the technology to dig deep into these massive treasure troves of data, and draw out meaningful connections and insights that will allow us to make better, faster decisions. We’re finally beginning to make the shift from collecting data to connecting data. Emerging technologies such as natural language processing, machine learning, and artificial intelligence have catapulted us into a new era of human intelligence supplemented and enhanced by data science. In this exciting new world, the individuals and organizations who are able to truly harness the power of data – those who can turn it into timely insights to drive performance, decrease risks, and pursue opportunities – those will be the innovators, the survivors, and success […]
Gaurav Kapoor
Gaurav Kapoor

Governance at the C-Level: The Evolution of the CRO and Other Factors Driving Risk Management

Organizations continually adapt as markets, operating environments and demands change. Business roles, responsibilities and management structures have shifted in the face of today’s mobile, social, global and networked world. To keep pace with this change, responsibility for governance, risk management and compliance (GRC) has moved up the hierarchy and, appreciating its significance in driving business performance, C-level executives (aka CXOs) are working to embed a GRC ethos into the business fabric. A robust GRC program seeks to mitigate and manage many significant risk and compliance issues. These include product recalls; compliance failures and fines; corporate scandals; uncertainty around social, economic and political turmoil; and cybersecurity breaches. The latter, in particular, has been a mainstay in our newspaper headlines — and that’s not surprising when you consider that 66 percent of organizations have faced at least one cybersecurity attack in the past 12 months. Organization-Wide Reorganization C-level roles are evolving and responsibilities in the organization are also being realigned. For example, compliance used to report to the chief legal officer (CLO), whereas it is now under the auspices of the chief risk officer (CRO) at some banks. This is a step forward. Not so long ago, GRC activities were often managed […]
Shellye Archambeau
Shellye Archambeau

Balancing Risks and Opportunities: The Board’s Perspective

People start a business for many reasons. Some do it out of sheer passion, while others do it to create wealth and economic growth. Yet, underlying it all is a willingness to take risks. Entrepreneurs and established companies make risky decisions every day in the hope that those risks will translate into better opportunities, better performance, and greater profitability. However, as we all know, too much or too little risk can be a bad thing. So, how do you find the middle ground? How do you effectively balance risks and rewards for optimal success? In this regard, I believe a lot of great advice can come from your board of directors. Many startups choose not to establish a board of directors until a few years down the line. However, I’ve found that the startups that grow the fastest are often those that built a good board of directors as soon as they started their business. Having a board helps you keep your eye consistently on the strategic aspects of your business which, in turn, helps you attract investors and customers. What’s more, a board, being responsible for corporate governance, plays a major role in ensuring that your risk management program […]
Pallavi Singh
Pallavi Singh

Risk-based Thinking: Does it Really Matter for Quality?

“Risk-based thinking”, as an approach, have left organizations torn between whether this approach really matters and makes a difference to the business or whether their risks are addressed the way it should be. With the revision of ISO 9001:2015, this confusion spread like a wild fire. Stringent compliance requirements and timelines have instigated a sense of responsibility and action, as it is a clearly bounded methodological approach that distributes risk across the full scope of an integrated business function. There have been proven instances to state that organizations who have adopted risk assessment approach through the length and breadth of their processes have been more risk-proof, than those who focused only at an organizational level. In an era of rapid innovation and transformation, risk-based thinking can not only serve as a remedy to poor quality but also define the future of an organization. To gain a clear understanding of risks from both internal and external issues, it is ideal to adopt a systematic approach towards aggregating all the risks in a centralized location. This will enable organizations to have a close view of all the prevalent risks across functions, identify the acceptable and unacceptable risks, and adequately plan next steps […]
Gunjan Sinha
Gunjan Sinha

The Incredible Opportunity for India

In the last half century, India’s economy has been on a rollercoaster ride, with the turning point of economic liberalization taking off in 1991, and now 25 years later, India again stands at the top of the ride, slowly but surely continuing to climb up the next massive hill. As India propels forward, at times, the changes are imperceptible to the untrained eye. According to Arvind Panagariya, former Director and Chief Economist at the Asian Development Bank, “India’s reforms have been piecemeal and incremental, giving the casual observer the impression that nothing has been happening. If one takes the totality of reforms over the last decade, however, the change is unmistakable.” Echoing Mr. Panagariya, India’s vigor and influence on the international economy has been, and continues to be, sorely underestimated. According to the World Economic Forum, as of November 2015, India accounted for 10 percent of the world’s increase in economic activity. Due in large part to the policies put in place by Prime Minister Narendra Modi, India now ranks 55th out of 140 measured economies, which is a 16-spot jump after five years of decline. However, the country still faces systemic challenges that must be addressed so that it […]
Brenda Boultwood
Brenda Boultwood

How to Manage the Complexities of Evolving Business Risk

All businesses today must acknowledge the state of the market in which they are operating and the ways it has evolved to breed risk. Truly, today’s business climate is volatile, uncertain, complex and ambiguous. Technology has unquestionably empowered companies to innovate quickly. However, new challenges have arisen as a result. Years ago, the cable industry had no legitimate competition, yet services like Netflix have gained rapid momentum and are now used in 40% of households with TV and broadband internet. With the potential for external and internal risks to arise at an accelerated pace –alongside the risk of “left-field disruptions”— organizations are experimenting with new approaches to foster innovation, obtain a sustaining leadership position and mitigate new risks. However, they still must be careful, because so much is at stake with each business decision made. (An experimental offering can, for example, cause irreparable harm to your business.) As such, it’s time to re-evaluate how your organization operates with respect to balancing risk and opportunity. It is important to note that no company is immune to the volatile and fluctuating market today. Even on the most successful end of an industry’s spectrum, we are seeing a pattern in which the lifespans […]
Vidya Phalke
Vidya Phalke

Cloud-based GRC Intelligence Supports Better Business Performance

All businesses need a strategy and processes for governance, risk and compliance (GRC). Many still view GRC activity as a burdensome ‘must-do,’ approaching it reactively and managing it with non-specialized tools. GRC is a necessary business endeavor but it can be elevated from a cost drain to a value-add activity. By integrating GRC holistically throughout the organization, and by minimizing manual and duplicative processes through the use of cloud-based tools, firms can benefit from actionable business intelligence and support rapid and informed decision-making. Companies are questioning whether their GRC can be managed more efficiently because there is an increasing number and range of regulatory mandates and risk concerns that demand action. As problems arise, and multiple regulatory and compliance issues need to be addressed, but manual approaches to the day to day practice of GRC can swamp organizations through a constant need to monitor information sources for changes. The planning and implementation of changes often takes place as and when the demands arise. Where GRC management and implementation occurs within business silos there is duplication of effort and inefficient cost control. There is also limited capability for knowledge sharing and learning across the organization. Businesses need to tap into a […]
French Caldwell
French Caldwell

The Spirit and Experience of GRC Summit

A customer asked a few weeks ago what were the best GRC conferences to attend.  Of course our own GRC Summit came immediately to mind, but I wanted to give an objective answer, so I shared my thoughts on several very good conferences.  There’s GARP, but it’s mostly for risk managers, and the same goes for OpRisk and RMA.  There are the Gartner Security and Risk Management summits, but they are mostly for Chief Information Security Officers.  SANS, ISF, and several other organizations also run events for security professionals.  There are the IIA events, but they are for auditors, and the ISACA events are for IT auditors.  Several organizations run events for compliance officers – Compliance Week and the Society for Corporate Compliance and Ethics.  All good, but each focused on just a single GRC discipline. So as I went through the list, I realized that while there are conferences for auditors, risk managers, IT security professionals, compliance managers, and IT administrators of GRC solutions, there really is just one real GRC Summit, and that is MetricStream’s.  No other conference truly integrates attendees from multiple GRC disciplines.  We bring together chief risk officers, chief audit executive, chief compliance officers, chief […]
Sonal Sinha
Sonal Sinha

Pharmaceutical Recalls: A Risk and Compliance Roadmap for Manufacturers

The three aspects a manufacturer must swiftly address in the instance of a pharmaceutical recall. All manufacturers and distributors wish to avoid having to recall a product. Through governance, risk and compliance tools, and processes they aim to safeguard product quality and standards. This takes not only attention to detail and precision within the company’s own business operations, but also with those of its suppliers and third parties, as well as effective monitoring and assessments across the whole supply chain. However, plans do have to be made around handling a product recall should one need to happen. With increasing regulatory demands and complex international supply chains, effectively managing a pharmaceutical recall takes a coordination effort of many responsibilities. Among the many aspects a manufacturer has to get right is the identification of key decision makers, a clear understanding of roles and responsibilities, and a robust communications strategy. The damage to company brand and reputation can be severe for those that get it wrong. 1. Decision Makers The Food and Drug Administration (FDA) is responsible for protecting human health by ensuring the safety of pharmaceutical products. They can request or order a product recall when it becomes aware of a problem; […]
Brenda Boultwood
Brenda Boultwood

The Brexit Risk Impact

This summer’s UK vote to leave the European Union (EU) threw the political world into a state of turmoil, not just in the UK and the EU but around the globe. The fallout from Brexit has been political, economic and social, despite the consequences being as yet not fully understood. What is known is that the resulting uncertainty sparked a fall in the value of the pound and foreign exchange rate volatility. Both spell risk for the global public and private sector. The impact on risk professionals is real and far-reaching. They have had to broaden the scope of their scenario planning and face the prospect of change to come in the already evolving regulatory landscape. It was often said in the immediate aftermath of the vote that, whatever changes were going to occur as a result of Britain’s exit, it would be uncertainty that would cause the most disruption. It was true then and it’s still true now. The markets hate uncertainty and 2016 has given economies around the world plenty to feel uncertain about. Aside from the Brexit, there has also been significant change in the UK government; a US presidential election; and increasingly polarized national governments. Despite […]
Sonal Sinha
Sonal Sinha

Three-Stage Regulatory Compliance in Food Manufacturing

To safeguard quality and standards, food manufacturing and distribution is highly regulated. To be fully compliant, companies need insight into their complete supply chain — end-to-end from base ingredients to finished product —  and they must be prepared to act in the event of a contaminated or compromised product that jeopardizes customer health. This demands detailed and precise planning, execution, monitoring and assessment. Disconnected, manual governance, risk and compliance (GRC) tools and processes can be inefficient for the job. The regulatory landscape in the food industry is increasingly complex, particularly for global manufacturers and distributors. Companies have to comply with all local, national and regional regulatory agencies relevant to their business. This means keeping up with evolving regulations and ever-changing circumstances. Guidelines and mandates must be interpreted, acted upon and compliance tracked. The impact on businesses is far-reaching across manufacturing, handling and food distribution. Three-Stage Compliance GRC is central to business operations in all industries; in food manufacturing and distribution it must be integral to the way companies work. Robust management, quality inspection and corrective action is of paramount importance. Companies that automate and streamline activities through supply chain traceability and GRC systems will be quicker to react and take […]
Vibhav Agarwal
Vibhav Agarwal

5 Simple Tips To Make Strong And Robust Business Continuity Plans

Business Continuity Plans Today’s organizations need comprehensive and robust business continuity planning for swift and effective action in case of a disaster or crisis. As the trade and supply chain have gone global, businesses today expect crisis response to be in seconds, not in hours, to ensure that the ripple impact is minimized. As organizations go digital, an IT failure can cripple the whole supply chain and business operations, causing extreme losses within hours and requiring countless hours to recover from the them. Plans to mitigate IT failures are also affected by the complexity of today’s IT infrastructure. As applications and systems are added based on business and market requirements, newer technologies and infrastructure pose new challenges. Most businesses leverage cloud based platforms for their enterprise needs at least partially. The cloud helps businesses minimize costs and maximize efficiency; made for speed and convenience, it can scale up and down as needs demand and bring flexibility to business operations. However, the added overhead of managing cloud data centers, planning and performing test exercises across multiple locations and vendors as well as managing a crisis recovery, requires that organizations pay critical attention to their cloud solutions in combination with legacy infrastructure. […]
Shellye Archambeau
Shellye Archambeau

The Five Major Tech Trends of 2016

As we draw closer to the end of 2016, it is important that we take a moment to look back and reflect on all of the ways technology has inspired us, and transformed the way we live and do work. As technology becomes more pervasive in our lives, we increasingly look for simple but secure, as well as consistent and engaging experiences, regardless of the device we’re using. To augment and overcome physical distance, we are starting to use drones, virtual reality, and driverless cars. “Cognitive computing,” artificial intelligence, machine learning, and advanced data analytics are evolving companies’ understanding of their customers in game-changing ways. Meanwhile, biometrics has stepped out of the realm of sci-fi and into the mainstream, playing an important role in the fight against cybercrime. Here are the top five ways technology has impacted us this year. 1. The Device-Agnostic Customer Experience Back in 2013, Google reported that 90 percent of multiple device owners switch between screens to complete tasks, using an average of three different combinations every day. Today, the “device mesh,” as Gartner describes it, has rapidly expanded to include a wide range of end points such as mobile devices, wearables, consumer electronics, and automotive […]
Vibhor Mittal
Vibhor Mittal

King IV Report For Corporate Governance: What It May Mean For Your Organisation

The fourth edition of the KING report builds on the best practices and principles in corporate governance in South Africa. The draft report was published in Mar 2016 and post the comments phase, the report was finally launched at the Sandton Covention Center in Johannesburg on 1 Nov 2016. The last edition of the report – King III was launched in 2009 post the financial crisis, and since then the global environment has changed significantly due to climate change, geo-political issues, population growth, and above all, rapid technological developments. Therefore, good corporate governance has become vital for sustainable value creation not only in South Africa, but also in the global context. This is also the primary objective for King IV where promotion of good corporate governance in business is going to benefit an organization in terms of developing an ethical culture, enhance performance and value creation, help the governing bodies or regulators to exercise effective control, and help build confidence in an organization which will in turn strengthen its reputation. King IV will also look to broaden the scope of application of good corporate governance by making it accessible and suitable for organizations of various sizes, resources and complexity. The […]
Yo Delmar
Yo Delmar

GRC Programs: Building the Business Case for Value

Governance, risk and compliance (GRC) management is becoming increasingly integrated across a wide and expanding set of use cases — moving beyond traditional risk management and into regulatory compliance, audit, third-party management, ethics and compliance, privacy, quality management, environmental health and safety, cybersecurity, business resilience and more. In OCEGs’ 2015 GRC Maturity Survey, over 50 percent of organizations surveyed stated they are executing on an integrated GRC vision and over 80 percent claim that benefits realized have met or exceeded their expectations. The core promise of a GRC program that integrates needs across all stakeholders is better business performance – a prerequisite for survival in today’s highly competitive world. As a result, leaders across the enterprise are asking for help in setting the vision, plotting the course and implementing integrated programs that deliver real value to all organizational units. While many organizations have seen benefits from their GRC investments, building the case for business value is fundamental in getting commitment to put a high-value, sustainable GRC program in place. Experience shows us that those organizations that manage GRC as an integrated program — involving people, processes and technologies — are more successful in delivering value to their organizations than those […]
Sonal Sinha
Sonal Sinha

Tackling Procurement Challenges in the Supply Chain

Globalization and regulation, coupled with inadequate investment in compliance programs and third-party risk management programs, are making the proactive identification and resolution of risks posed by suppliers a challenging task. Companies that don’t face up to the challenge run the risk of non-compliant products in their supply chain, and can face serious brand and reputational damage as a result. The key is to accept that supplier management changed; a new and more effective approach is needed, and technology can help with that. Companies are responsible for managing their brand and reputation, and hence, are ultimately accountable for ensuring risks are identified and accepted, or mitigated within their end-to-end supply chain. In addition to being a good corporate citizen, multiple regulations require conformance with supplier management standards. Meanwhile, corporate social responsibility carries a moral intolerance for unsuitable working conditions and inadequate pay, wherever it may occur along the supply chain. Companies cannot plead ignorance or exemption if any dereliction of duty occurs outside their four walls when it is part of their supply chain. Instead, they must ensure complete compliance across all suppliers, not only to meet regulatory requirements, but also to preserve the integrity of their own business and protect […]
Pallavi Singh
Pallavi Singh

How Estimating ROI for Adopting Technology Can Help Streamline Supplier Quality

Organizations have certain expectations and apprehensions when adopting a technology solution for suppliers. When it comes to automating a process, in terms of its usability, its benefits, and of course, returns in lieu of the investments made, it is common to see tensions rising high within your organization. However, such a solution would not only streamline the organization’s supplier quality across product lines, geographies, and industries, but would also elevate it to achieve a sustainable business environment. To keep a lid on the anxiety and making sure that all boxes are checked during this process, there are a few things that you can keep in mind. Firstly, you need to understand that the list of features/ functionalities can be exhaustive, of which you would have to segregate the set of “must have” from “desirable” features. Based on these categories, you need to identify the most appropriate and flexible software platform that would meet your expectations. To maintain a cordial relationship with your global partners and to build a sustainable base of business operations, with metrics and parameters around quality and compliance, it is vital for you to have a clear view of your organization’s overall goals and objectives. In today’s […]
Vidya Phalke
Vidya Phalke

Ensuring Resilient Cyber Safeguards in Cloud Applications

Assessing Cloud Application Vendors from a Security Perspective Enterprises of all structures and sizes across the globe have been adopting cloud for all needs – for computing, storage, databases, to hosting business applications. They are also proactively addressing cyber-security needs – both as dictated by internal Info-Sec controls, as well as those coming from external regulatory mandates. For enterprises looking out for new cloud applications, I think one needs to look deeper and go beyond ‘checking the box’, which is typically done by looking at Compliance Standards around SOC2 controls, PCI-DSS, HIPAA, etc. This deeper insight can be gathered by looking at few key areas as follows: Underlying cloud infrastructure approach – Is it multi-tenant or multi-instance? I believe a multi-instance strategy that ensures there is no co-mingling of data across customers in the back end provides a sounds foundation for security because of the physical segregation that it leads to. There are other benefits in terms of performance and SLAs, as well. Encryption with key management should rest with the enterprise and not the cloud provider. This capability provides the necessary foundation for ensuring that you and the enterprise can decide where and how to provide encryption, and align it to your business needs. This will help […]
Sanjeev Jain
Sanjeev Jain

How Welspun’s Supply Chain Spun Out of Control

One in every five towels sold in the U.S. is reportedly made by Indian company Welspun, which is now in the thick of a storm for allegedly selling fake Egyptian cotton sheets to Target Corp. and other retailers. Target, which has not disclosed when it began investigating the Mumbai-headquartered company, or what caused it to scrutinize the sheets imported from the Indian manufacturer, said it was terminating all ties with Welspun, which also supplies major American retailers Bed, Bath and Beyond, Walmart, J.C. Penney, Macy’s, Costco, and Home Depot. Target pulled Welspun manufactured items from all its stores, and so did Walmart. Other retailers are also investigating Welspun’s cotton certification. Target has also decided to refund all its customers that bought the sheets sold under the Fieldcrest brand. The retailer said that about 750,000 sheets and pillowcases sold as Egyptian cotton were made using a different type of cotton and were sold for as much as $75 a piece. Welspun’s other customers said they have started or would start their own investigations to see whether or not the textiles contain Egyptian cotton. “After an extensive investigation, we recently confirmed that Welspun substituted another type of non-Egyptian cotton when producing these […]
Shellye Archambeau
Shellye Archambeau

What Startups Can Do About Cyber Attacks

A cybersecurity report by Ponemon Institute, in association with Keeper Security, found that in the 12 months leading up to June 2016, 55 percent of small and medium-sized businesses (SMBs) experienced a cyber attack, while 50 percent encountered data breaches involving customer and employee information. These statistics belie the common notion that cybercriminals attack only big businesses. In truth, SMBs and startups are often easier targets, as their defenses tend to be weaker. Limited financial resources make it challenging for these companies to invest in sophisticated security mechanisms or full-fledged IT departments – a fact that hackers and cyber attackers use to their full advantage. Today, all it takes is one security breach to bring down a company’s brand and reputation. For startups, who depend so much on word-of-mouth recommendations, the impact of a breach could be fatal. Despite this risk, many startups continue to be woefully underprepared. According to the Ponemon Institute survey mentioned earlier, only 14 percent of SMBs rate their ability to mitigate cyber risks, vulnerabilities, and attacks as highly effective. At a time when authorities such as the World Economic Forum are citing cyber attacks as one of the top global risks, both in terms of […]
Sonia Sharma
Sonia Sharma

The Disruptive Mosquito

About a month ago, my sister announced that she had been diagnosed with dengue. This happened soon after she had visited me in Bangalore. As I rushed to catch the first flight to be with her in Mumbai, I couldn’t but wonder at how a tiny insect like the mosquito could continue to strike down the human species with new and debilitating viruses each time. Zika, dengue, chikungunya – different names, different continents – all with one common factor – a certain mosquito. And this, after most of the world has rid itself of malaria! To me, these mosquito borne virus strains and the like are the new “left-field disruptions” – situations that catch you off guard and shake up the rhythm of your existence. I mean, who would have thought that dengue and chikungunya would continue to afflict city dwellers, regardless of the neighborhood they lived in? Who would have thought that yet another mosquito-borne disease, zika, would rear its ugly head, and spread across the world with such alarming speed and intensity? Who would have predicted, a few years ago, that this same disease would be one of the biggest disruptors in the run-up to the Rio Olympics, […]
Gunjan Sinha
Gunjan Sinha

The New Reality of Risk

2016 has been a year of significant change; a year in which a sky full of hobbyist drones has become the norm; a year that has witnessed a new breed of terrorism that has shaken the world’s strongest governments; a year in which corporate governance scandals splash time and time again across the front-page news. We continue to see a significant increase in the frequency of unpredictable external threats, and organizations are weathering the aftermath from incidents of corruption and non-compliance scandals. Even if we managed to learn from these developments quickly, today’s age of social media, with its fast-paced aggregation and reporting of facts and experiences, makes it feel like we are always playing catch-up. It is only by stepping back to view this New Reality in its entirety, that the business and leadership learnings become clear.   The Three Top Concerns for Leaders Around the World There are three key trends that are capturing the attention of CEOs and government leaders, and fundamentally changing the way we live and do business – the introduction of left field disruptions, the risks and opportunities of global business ecosystems, and the rise of the digital universe. Left field Disruption In a […]
Mallikarjun Kandkuru
Mallikarjun Kandkuru

Product Support and Covey’s second quadrant

Here is Stephen Covey’s famous time management grid again. It is a great tool that can be used to explain how to manage your time (but, of course), how to plan your career, how to prioritize requirements in your products, and many more. As always, the most exciting quadrant is the second one – “Not Urgent & Important”. This is where the coolest ideas are, the ones that can improve products, improve customer satisfaction, and even increase revenue, but they are also the ones that move to the back burner due to more urgent matters.   Given that most product support teams (the single point of contact for customers for technical and functional queries on live solutions) work 365X24X7, the amount of work they have in Quadrant I – “Urgent & Important”– can be mind boggling; that is the biggest deterrent to their giving the necessary focus to Quadrant II. A great product support organization works around this challenge and sets quantifiable targets to their employees for their deliverables in Quadrant II. What then does the second quadrant hold for product support? Here are my top three: Provide actionable feedback to product management This is by far the most important […]
Swapnil Srivastav
Swapnil Srivastav

How to Mitigate Risk Exposure from Vendor Relationships

Outsourcing business activities to a vendor does not include outsourcing the risk and compliance responsibilities. Relying heavily on vendors, with low or limited visibility into the vendor networks, exposes organizations to high risks. Therefore, understanding and managing vendor risks is crucial to maintain sustainable businesses. With a strong Vendor Risk Management (VRM) program companies can anticipate inherent risks rather than simply reacting to adverse situations and incidents after they occur. In many organizations, VRM programs are largely traditional. The focus is on managing vendor risk only when selecting a vendor or finalizing a vendor contract. However, for VRM to be truly effective, there is a need for continuous vendor monitoring which helps organizations be well-prepared for unexpected eventualities. That being said, it can be quite a challenging task to define and adopt an efficient VRM program, as multiple factors need to be considered, including dependency on the vendor, the location and financial stability of the vendor, as well as the scope of the vendor relationship. This is where technology can help by significantly automating and simplifying vendor risk assessments. Companies are increasingly focusing on strengthening VRM through best practices such as: Effective vendor selection process Streamlined due diligence and continued […]
Nanda Ramanujam
Nanda Ramanujam

Governance, Risk, Compliance and the Big Data Advantage

According to a leading IT firm research nearly 90 percent of the data in the world has been produced in just the last two years. Though a bit of a buzz phrase these days, big data is as important as the internet itself to many businesses today, for a number of reasons. The simplest explanation of how big data benefits businesses is this: It provides the insights needed to make more confident decisions, take faster actions, improve operational efficiencies, minimize risks, and reduce spending. The sudden emergence of the whole phenomenon around the data explosion has been the result of the pervasive use of mobile devices and the large volumes of data generated from web based purchases, mobile activities, and social media interactions. As the massive volume of data and computing platforms continues to proliferate, the absence of thorough reassessments and thinking around information processing paradigms of the past will leave today’s enterprises ill-prepared to deal with this new (IT) normal. Enterprises have to realize the obvious fact that big data is an immensely powerful concept, and information is a strong business asset. Managing large volumes of homogenous data is something that organizations of all kinds can benefit from; spanning […]
French Caldwell
French Caldwell

How to Cross-Sell Compliance to Your Sales Managers

The story of Wells Fargo’s cross-selling compliance failure, reminds me of the huge fine that HSBC received in 2012 for mis-selling— over $3 billion.  Wells Fargo’s $185 million fine for poor cross-selling practices pales in comparison – but still “ouch!”  Even worse and more costly could be the reputation damage — Wells Fargo styles itself as the big bank that has that small town feel. According to reports, Wells Fargo had identified violations of its cross-selling policies for years — for instance, issuing credit cards without fully informing customers — and significant remedial actions, sometimes even with mass firings of offenders.  The tone at the top seems to have been pretty clear and supportive of compliance.  Yet on the other hand, failing to meet sales quotas could also result in a firing — as it should. At most companies, we find that employees are rewarded for meeting goals that are tied to business goals — with performance indicators focused on production, growth, and sales.  There is no reward for not breaking the rules.  “Hey, John — thanks for not doing anything illegal this quarter — here’s an extra $2,000” — nope, that doesn’t happen. Give Managers the GRC Tools They Need The […]
Nanda Ramanujam
Nanda Ramanujam

GRC And Social Media: Strategy For Success

Social media remains one of the most talked about and used phenomena in this new age digital world. Today’s tech-savvy organizations are on the constant look out for the latest social technologies that can help them gain a competitive advantage over their peers. The rise of popular social networking sites like Facebook, LinkedIn, and Twitter in the workplace has provided a big boost to the broader social media movement. In fact, an increasing number of organizations are harnessing the power of social media platforms and applications for both internal and external communications. Organizations, large and small alike, are leveraging powerful social media capabilities to share updates, curate content, and promote and showcase their products and services, as well as communicate with employees, media, partners, and their broader ecosystems. According to the 2014 Social Media Marketing Industry Report, a significant 92% of marketers indicate that social media is important for their business, up from 86% in 2013. Nearly 89% of marketers want to know the most effective social tactics and the best ways to engage their audience with social media. While a corporate presence on social media has become imperative for all organizations, it can also be a double-edged sword. It offers […]
French Caldwell
French Caldwell

Brexit — Time Is On Our Side

In the first few days following the Brexit vote in the U.K., I heard many pundits refer to the decision to leave as a “black swan” event, but it was nothing of the sort.  A black swan is a risk that is highly unlikely but has high impact if it does manifest itself.  By the very fact that the referendum was happening, the potential that the UK would pull out of the EU was not a highly unlikely event.  Still, it did catch people by surprise when the vote was to leave the EU, but for companies who were directly affected, prudent leadership would have begun planning for a potential leave vote ever since the referendum was announced. However, the break-up is such a complicated endeavor, even prudent planners are struggling with the implications.  Fortunately, time is on their side.  Despite some impolitic calls in Europe for the UK to get out quickly, it is in no one’s interest for a messy divorce, and cooler heads are already starting to prevail. So, with time on our side, what should GRC leaders do?  First, it’s worth focusing on the “known knowns.”  What do you know today about factors of Brexit that […]
Vibhor Mittal
Vibhor Mittal

The Third Wave Of Technology Transformation For Banking And Financial Services

Banking and Financial Services industry is undergoing a strategic shift with the advent of disruptive technologies such as Fintech, Blockchain, and IoT which are challenging the established technology based banking models. This may be the third wave of technology transformation to reshape the modern financial institutions around the world, the first two being ‘computerization’, which moved the banking operations from paper based to software based, and the second being ‘internet/mobile banking’ which radically changed the way banks delivered their services to the customers. However, with the arrival of each technological shift have come new challenges, and this trend is not likely to change much in near future. Cybersecurity has become one of the biggest concerns for the organizations across the globe. Regulators are also continuously altering the existing regulatory landscape in the larger interest of the consumers and the economy as a whole. In the course of this blog series, I will take you through some of these disruptions in the banking and financial services industry, and how adopting a mature Governance, Risk and Compliance (GRC) based approach may be the way forward. My first blog will talk about the changing regulatory landscape and five steps that you may want to […]
Warren Bell
Warren Bell

Welcome!

Welcome to the initial entry of this blog!  In subsequent posts, I’ll discuss competitive trends I’m observing in the GRC market along with other issues that will affect GRC vendors. Earlier in my career, I had the opportunity to work in the CRM industry and saw directly how that market grew, matured and eventually consolidated.  In many ways, today’s GRC market is similar (buyers still learning what GRC means to them, no dominant market player, little M & A activity to date) to how the CRM market appeared in the early 2000’s. Thanks for joining and I’m looking forward to speaking with you. Warren
Vinaya Honavalli
Vinaya Honavalli

So, Where’s My IT-Risk (Or Threat) Library?

We need a good information security risk and threat library. Rather than build one from scratch (and most internet searches do not yield meaningful results), we were wondering if MetricStream offers standard content for such a library. That’s a question we’re frequently asked when we get a Customer up and running with MetricStream’s IT-Risk Management App. It’s an excellent question for sure because Customers, especially in the Governance, Risk, and Compliance space, require preloaded (and expert/industry-grade) content that can get them up and running on day one. The content ask is straightforward when it comes to in-depth content from authority documents (individual citations or sections and sub-sections), control statements, or even policy templates. Citations from an authority document wouldn’t change across Customers and control statements too are uniform especially if you leverage upon a harmonized control framework. Information security risk content (threats, vulnerabilities, and risks) is, however, in a league of its own – perhaps in the league of extraordinary content. Prima facie, it’s pretty easy to be misled into believing that information security risks applicable for my business are exactly the same as those applicable for your business because, hey, come on, we’re both using information technology right? In […]
Vibhor Mittal
Vibhor Mittal

5 Steps To Stay Ahead Of Regulatory Change

Banking and Financial Services Institutions across the globe are struggling to keep pace with regulatory change, and, quite often, grappling with the sheer volume and the complexity of these updates can be a laborious, up-hill battle. According to a survey by MetricStream which polled the responses of 123 compliance professionals across North America & Europe, 19% of the respondents reported taking up to a year to implement regulatory changes1. Considering the magnitude of change that financial institutions have to deal with, this may no longer be affordable. It may have been possible to keep a track of regulatory updates using standard manual approaches during the pre-financial meltdown era, but as regulators continue to usher in more reforms in this age of rapidly evolving and disruptive financial technologies — including Fintech, IoT, and Crypto currencies — standard models are proving to be ineffective. Yet, the survey shows that 48% of the organizations surveyed are still using office productivity software (Excel spreadsheets) to track regulatory changes. The need of the hour is to develop a robust and technologically reinforced regulatory change management framework to help manage the next wave of regulatory reforms. A “wait-and-watch” approach is no longer sustainable, and organizations would […]
Nanda Ramanujam
Nanda Ramanujam

Corporate Growth Engines: Driving Sustainable Strategic Advantage

Growth must sustain profitability and profitability must sustain growth. In today’s highly competitive and rapidly changing business & economic environment, core competence and capability principles have become mainstay concepts of corporate strategic thinking landscape. They lend themselves well to high-level strategic analysis, but their limited focus and static character do not inherently provide either an application roadmap to develop a competence/capability or, given the existence of a core competence, a framework to achieve active market superiority. The concept of corporate growth engine, a further development of core competence and capability, unifies and extends several existing strategy paradigms, and spans all three phases of the corporate strategy process – analysis, planning and execution. Its characteristics can be used by the management team with the desire to actively drive to sustainable strategic advantage as a blueprint for implementation. Some empirical evidence points at significant benefits for both well and poorly run corporations. Driving profitable corporate growth presents challenges even during times of economic prosperity. This is especially true for companies that have experienced market success and are already sizable. The bigger the base of the sales, the harder it is to grow it meaningfully without deviating from the original value proposition. Yet, […]
Rituparna Bhattacharjee
Rituparna Bhattacharjee

Future Of Manufacturing: Taking The Right Risks To Fuel Performance

The year 2015 saw leading manufacturers and automotive companies being pulled up for various regulatory compliance violations around emission mandates, GMP deviations, recall procedures, and safety. With non-compliance penalties becoming more aggressive, the industry is under tremendous pressure to comply with regulations, standards, and procedures from a wide range of government and industry bodies. To add to this, new innovations, wider market opportunities, and fierce competition have made it extremely difficult for manufacturers to stay compliant and manage their changing risk landscape. Global operations and the dependency on hundreds and thousands of partners and suppliers add to existing risks and challenges involved in ensuring compliance with regulations, standards, and procedures. This complication multiplies when subsidiaries come into play as they bring in new governance challenges. Parent companies are under pressure to have standardized processes and programs, ensure local adaptation at subsidiary levels, and make sure that there is appropriate information roll up and aggregation. Ineffective oversight can result in governance failures, whichpose reputational, regulatory, and financial risks. As product lifecycles get shorter and role of IoT increases, organizations will need their operations to sustain them through the future. These new developments will bring in its wake new and previously unidentified […]
Shellye Archambeau
Shellye Archambeau

My Best Advice For Aspiring Entrepreneurs And Tech Startups

What an incredible time to be a tech startup! The opportunities out there are just tremendous. Digital payments, wearable technology, mobile healthcare, virtual reality and gamification, predictive analytics, and green tech—these are just a few of the startup areas that are expected to be big this year, according to venture capitalists and industry experts. “Full stack startups” and “dis-intermediation” are the new buzzwords, as companies like Uber and Airbnb revolutionize the way business is done, and demonstrate how it is possible to cut out the middlemen. Meanwhile, the “Internet of Things” is taking the world by storm, opening up new doors for entrepreneurs and organizations to develop software that can connect products and devices to the Web.Education technology is also gaining more traction, creating new opportunities to improve education and learning experiences, and teach people new skills through the use of technology. If you’re an aspiring tech entrepreneur, now is a great time to take the plunge. But before you do, here are a few  pieces of advice, observations, and lessons learned from my own career and current role as CEO of MetricStream. Your Team Matters Most Many investors will tell you they invest in teams first, and that the […]
Sam Mukherjee
Sam Mukherjee

“Digital disruption” isn’t an overnight phenomenon. It started with Google

The term “digital disruption” has been over-hyped, overused and taken out of context during these past few months. Every new mobile app that gets created in Silicon Valley have been compared with the likes of Uber, Airbnb and most surprisingly, Amazon. Don’t get me wrong, I am not a naysayer predicting doomsday for the new wave of tech innovation where personalization and localization seems to have become an obsession. Anyways who can predict the future, unless you’re Toffler or Taleb. But then “digital disruption” is not an overnight phenomenon. Google started it. The most valuable brand in the world, Apple is doing it in more ways than one and the recent rise of companies like Uber and Airbnb proves that it is here to stay. I googled “What is digital disruption?” and in a tiny box at the top of the search results, it offers sage advice and I quote verbatim, “Digital disruption refers to changes enabled by digital technologies that occur at a pace and magnitude that disrupt established ways of value creation, social interactions, doing business and more generally our thinking. Digital Disruption can be seen as both a threat and an opportunity.” Recently, I was in San Francisco […]
Shellye Archambeau
Shellye Archambeau

There’s Never Been a Better Time for Female Tech Entrepreneurs

When I was a young girl, I knew that I wanted to run my own business someday. In fact, I would end up leading almost every club or team that I got involved in at school. However, by the time I actually began my career, I was well aware that the odds were not entirely in my favor due to my gender and ethnicity. I didn’t let that get in the way, though, and worked hard to prove myself. Today, I am proud to be the CEO of MetricStream, a leading technology company that I helped build from the ground up. That being said, I know how daunting it is to be a woman, and especially a female entrepreneur in the field of technology, where the lack of gender diversity is a serious cause for concern. Silicon Valley Bank’s recent “U.S. Startup Outlook 2016” report found that 66 percent of startups have no women on their boards, and 46 percent have no women in executive positions. However, about a quarter of respondents (26 percent) said that they have programs in place to increase the number of women in leadership roles. And therein lies the good news – things are slowly […]
Shellye Archambeau
Shellye Archambeau

“Innovation” in a Competitive Startup Economy

Seventy-three percent of U.S. adults  agree that we’re living in an age of significant innovation. Indeed, the pace at which new products and services are being developed is truly incredible. In 2014 alone, the U.S. Patent and Trademark Office (USPTO) granted a record 300,678 utility patents – the most issued in a single year, ever. Meanwhile, 81 percent of executives from across 213 companies globally have reported that innovation is an “important” or “critically important” factor in achieving their organizational objectives. This is an encouraging sign. In fact, looking across Silicon Valley and beyond, I see many companies setting up innovation labs and appointing Chief Innovation Officers, often with the goal of developing new technology breakthroughs and disrupting the status quo. However, with so many new businesses emerging every year, each aspiring to be the “most innovative,” or the next “disruptive force,” what does the term “innovation” mean anymore? Is it just about creating a new product or service? Or is it more than that? Putting “Value” Back into “Innovation” Opinion pieces like this one published in the Harvard Business Review and this one carried by Virgin put a bright spotlight on the idea that terms like “innovation” and “disruption” have become so overused that they either feel empty, […]
Gunjan Sinha
Gunjan Sinha

What Tomorrow’s Leading Enterprises Are Doing Today

Technology today has become synonymous with both innovation and disruption. And with incredible technological innovation and disruption brings new risks — but also new opportunities to advance and transform our organizations, societies, and economies. We live in a big data world, where supply chains are global, services are being digitized, and an increasing number of smart devices are being connected to each-other, to “things” and to the Internet in new and exciting ways. Naturally, all of the change around us calls into question the “traditional” way of doing business. It also raises important questions about how leaders can ensure that they keep pace with, and stay one step ahead by having the right information at the right time to make the right decisions that protect the financial and reputational well-being of the organization. Businesses of all ages and sizes should stop and reflect now on their organizational culture, their operating structure, and their talent, all in the name of creating the modern, leading and enduring enterprises of the future. Culture Looking out across Silicon Valley, technology plays a critical and enabling role in supporting collaboration, which creates fertile ground for innovation and ground-breaking advancement. In today’s mobile, global, social, and […]
Rituparna Bhattacharjee
Rituparna Bhattacharjee

5 Ways to Strengthen Your Third-Party Management Program

For one of the world’s biggest automotive manufacturers, the year 2016 started off on a less than promising note when the company, which produces millions of cars every year, was forced to halt vehicle production for a week after an explosion at a supplier site resulted in a shortage of components. The incident was a timely reminder of just how much companies have come to rely on their third parties, and how significantly a single supply chain disruption can affect a company’s performance. As organizations grapple with these and other third-party risks such as data breaches and contract risks, as well as multiple third-party related regulations, a robust third-party management program can make all the difference. With that in mind, here are five best practices to take your third-party management program to the next level: Effectively Assess and Monitor Third-Party Risks Third-party risks can have a direct impact on company profits and brand value. It is imperative, therefore, to identify these risks in a timely manner, and implement the appropriate controls and control testing processes. Also, establish contracts and policies that outline the roles and responsibilities of all parties in risk mitigation. If there are any fourth parties involved, make […]
Sam Mukherjee
Sam Mukherjee

Should Apple fight a court order to unencrypt iPhones? #unlockiPhone

There is a lot more than what meets the eye in Tim Cook’s spirited fight against the FBI and US DOJ’s demands to create a back-door for iPhones. Don’t hold your breath for this riveting saga to come to any real conclusion for at least a few more weeks. While the FBI has made a specific request: that Apple help hack the iPhone, owned by the San Bernardino Department of Health and used by one of the terrorists responsible for killing fourteen people on December 2, 2015, leading tech CEO’s like Mark Zuckerberg and Sundar Pichai have rallied behind Tim Cook and his fears around user privacy for millions of iPhone users if this technology fell into the wrong hands. Bill Gates who was earlier reported to be supporting FBI in this case, came out strongly clarifying his views that a more “nuanced” approach needs to be taken here and that Congress and the courts must help strike an appropriate balance between security and privacy. Gates was quoted in an interview on Bloomberg saying, “I do believe there are sets of safeguards where the government shouldn’t have to be completely blind, but striking that balance — clearly the government has taken information […]
Shellye Archambeau
Shellye Archambeau

3 Key Workplace Policies that Startups Can’t Afford to Ignore

Most startups are focused on getting their business off the ground. As a result, they usually delay policy development until a later date. But here’s why it’s important to draft and implement certain policies right at the start of your business: policies pre-empt and prevent misunderstandings between employees and employers about obligations and behavior at the workplace. More importantly, they help protect a business against lawsuits and employee disputes which could otherwise wipe out a startup before it has had a chance to take off. Here are a few key policies that startups would do well to focus on: 1. Paid Time-Off (PTO) Many startups provide a consolidated bank of vacation days and sick days that employees can draw from. Other startups offer an unlimited time-off system. Whatever your approach, remember that a time-off system is only as effective as the policy surrounding it. In one of the companies I worked for, a PTO policy wasn’t implemented until the business was ten years old. By then, significant expenses resulting from accrued vacation had built up. So, even though the PTO policy was eventually established, a number of people were immediately out of compliance since they had accrued more time off than […]
Nanda Ramanujam
Nanda Ramanujam

Why Does Great User Experience Matter?

As our industry’s technologies and methodologies advance and mature at an unprecedented and rapid pace, Web applications become progressively more complex. As such, creating a great User Experience (UX) in today’s world can be considered a fine art form. User experience determines how an individual feels when interacting with a system, which can be website, a web application, or desktop software. In modern contexts, UX is generally denoted by some form of human-computer interaction (HCI) and includes factors such as usability, accessibility, performance, navigation, aesthetics, utility, ergonomics, and overall human interaction. But UX is not exactly the same thing as usability, although they are related. UX is the experience, emotion, intuition and connection a user feels when using a website or software application. Usability is more about the effectiveness of the software design and the extent to how user-friendly it is. Usability is a key component of overall user experience. UX – The Official Definition. According to ISO 9241-210, UX is the “overall experience, in general or specifics, a user, customer, or audience member has with a product, service, or an event. In the Usability field, this experience is usually defined in terms of ease-of-use. However, the experience encompasses more than […]

Join our community and become a contributor

Loading…

I am responsible for leading MetricStream’s overall strategy and execution. I currently serve on the Board of Directors of several Silicon Valley companies, and was appointed in 2010 to the Board of the US-India Science and Technology Research Endowment Fund by the US State Department to promote entrepreneurship and innovation. Additionally, I have been the Chairman of CFHI.org, which brings transformative healthcare education to under-served communities.  Over the course of my career, I have spent over 20 years in various entrepreneurial, board, and executive positions building innovative businesses. I was the Co-Founder and President of WhoWhere? Inc., a leading Internet directory services company that was acquired by Lycos in 1998, as well as eGain, an online customer service company which I built from inception to post NASDAQ IPO. I obtained my BS and MS degrees in Computer Science from the Indian Institute of Technology, New Delhi, and UC Santa Cruz, respectively. I also hold an MS in Industrial Engineering and Engineering Management from Stanford University. 

I am a seasoned technology management professional with over 15 years of software industry experience with 10 years in architecting, developing and delivering reliable and scalable Enterprise Class Web applications and messaging services for Audit, Governance, Risk and Compliance management, and Learning Management Systems. I have had extensive experience in establishing effective technology strategies, delivering critical projects on-time and on-budget, demonstrating a track record of creating and implementing enterprise governance models, creating technology roadmaps, and aligning business corporate objectives and technology initiatives to tangible solutions within the GRC domain.I have a progressive experience in all facets of Software Application Development and demonstrated ability to lead cross-organizational technology and product development projects including solution architecture, requirements management, project planning, statement of work creation, execution management, risk management, budget management, vendor management and an ability to build and manage effective customer relationships.

I am a seasoned technology executive with MetricStream, focused on strategy, corporate governance, risk management and regulatory compliance and work with Fortune 500 companies to provide advisory services, manage technology implementations and expand existing relationships.  I have been a  speaker on information technology and GRC-related topics and have  presented at events organized by Deloitte, FTI, Forrester, Intertek, Bureau Veritas, UL, AAFA, FDRA, USFIA, ComplianceWeek, among others. Prior to MetricStream, I worked with Oracle, JP Morgan Chase and Trisys in the fields of Corporate Finance, Investment Banking and Equity Analysis respectively. I have completed Executive Programs in Business, Economics and Management from HBX/ Harvard Business School and SDA Bocconi, a Graduate Program in Information Systems Management from the National Institute of Information Technology and hold a Bachelor of Commerce from the University of Calcutta. In 2015, I founded Young Tech Professionals, the world's leading organization to bring together young individuals working across Technology and related areas. I volunteer and serve in leadership positions at local non-profit organizations and I am a sports enthusiast. Read my articles here: https://www.linkedin.com/today/author/samxm.  

Shellye Archambeau is the CEO of MetricStream and under her leadership, MetricStream has grown into a recognized global market leader recognized for growth and innovation. Shellye has proven global business expertise combined with a passion for public policy.  She is a member of the board of directors for the Silicon Valley Leadership Group, a nationally recognized organization focused on fostering a cooperative effort between business and government officials to address major public policy issues. Shellye was recently appointed to the Board of Directors of Nordstrom, Inc. She also serves on the board of directors of Verizon Communications Inc. Shellye has led initiatives and Washington DC delegations to address regulatory compliance issues, and to improve governance. She also pens a column on leadership and entrepreneurship for Xconomy, and is frequently quoted in top tier media publications, including the Wall Street Journal, New York Times, Compliance Week, and Silicon Valley Business Journal. Previously, she served on the Board of Directors and the Audit and Technology committees for Arbitron, Inc., a media research company.  Shellye is a much sought-after speaker who has presented on GRC issues to Fortune 500 corporations, members of Congress, and various associations, including the IIA, ISACA, and NASDAQ. In…

I have worked extensively on a variety of global and regional brands ranging from technology companies such as Yahoo! India, IBM Global Business Services, Intuit and IDA Singapore to luxury lifestyle brands such as Rolex, Chopard, Mercedes-Benz and Cartier and other brands such as METRO Cash & Carry, Lavazza and Biocon.My Middle East experience also provided me the opportunity to work in the oil and gas sector on brands such as Shell, BP, Oman Gas and Petroleum Development Oman. Other brands handled include BAE Systems, AkzoNobel, Biocon and Al Ahlia Insurance ( a member of the RSA group).More recently, I have helped clients migrate to social media platforms and worked closely with social media teams on content generation and follower engagement. I currently head the Marketing Communication team at MetricStream.

As a Product Management Expert with over 14-years of professional experience, I help Enterprises take business opportunities from an idea stage to commercial success. Right from implementing the world’s first wireless credit/debit card point-of-sale payment solution (in New Zealand and subsequently in Thailand and Malaysia) to being a recognized Leader year-on-year in Gartner’s Magic Quadrant for IT-Governance, Risk, and Compliance (IT-GRC) solutions I have successfully leveraged upon my business, technology, and product management acumen to overcome multiple business challenges across geographies by influencing, negotiating, and nudging key stakeholders (both internal and external) towards key business outcomes and success.

Back to Top