Heading into 2020, no one could have predicted how a then-mysterious new coronavirus would cripple global business, as it is now. The last time a global crisis struck with such force, it was a man-made event – when the subprime mortgage crisis in 2008 caused the worst recession in U.S. history since the Great Depression. As a coincidence, that same year in September – just one month before Lehman Brothers filed for bankruptcy – MetricStream launched its governance, risk and compliance (GRC) solutions.
GRC was just being established then in response to banks’ needs for GRC systems to deal with the uncertain times, uncharted territories and the Unknown Unknowns. Banks were facing a huge number of new regulations such as Dodd-Frank and needed insight into their financial systems. How do you deal with issues across the globe, put into place compliance controls, apply them effectively and measure risk management – those were the needs of the hour. GRC software was created in response to the needs of large financial institutions, and then expanded to verticals across the globe.
Years earlier, the 9/11 terrorist attacks in New York had inspired me to launch MetricStream, as for the first time, I recognized that risk does “happen”. Crises like 9/11 and the 2008 financial crisis have indeed been defining moments for all of us.
Fast forward to 2020. Hundreds of thousands of people globally are confirmed to have COVID-19, caused by the novel coronavirus. While this crisis feels daunting and affects human lives more directly than the ’08 financial crisis, we believe we have gained lasting business insights in the last decade to show how GRC principles apply to tackle Unknown Unknowns across widely volatile settings. Today, we apply all that we’ve learned over the last 12 years and bring that to solve the challenges the world faces in dealing with the COVID-19-impaired world.
MetricStream is ready to help!
MetricStream’s suite of applications provides a company’s leadership and board a clear and timely view into risks across the entire organization. Issues can be logged globally, and systemic resolutions can be achieved through virtual and remote collaboration. Third-party supplier risk can be tracked, and timely remedial actions can be taken to minimize any disruption caused. In addition, work from home (WFH) policies create challenges for stronger IT compliance, which can also be monitored. With the right controls in place, businesses can remain resilient, even when offices shut down, suppliers are functioning on reduced capacity and employees are in remote locations. IT systems may be going through unprecedented remote access and usage, creating high threat levels and vulnerabilities for fresh cybersecurity issues. Accurate business impact assessments, mass notifications and solid business continuity management are what’s needed.
Every company needs a regimented, compliant framework that allows them to nimbly and globally orchestrate the systems of GRC, whether they be unwritten social contracts – think goodwill and reputation – or written contracts with suppliers, regulators, customers and partners. Large companies are extremely complex and senior management needs to know how everything is interconnected, so if something goes really wrong, they’ll know how to triage effectively.
As we look back (and also ahead), the financial crisis gave way to 11 years of solid growth by companies that not only survived but thrived. Today, in this current COVID-19 crisis world, GRC is even more important as workplaces go virtual, the threat of cyber risks steadily increases and globalization forces companies to deal with regulations across continents. Simply put, businesses need GRC in this new reality.
Be prepared – 4 dimensions for risk fitness
As part of a strong risk governance program, it makes sense for any company to review their key risks on a quarterly basis. Below are four dimensions to maintain risk fitness.
· Operational Risk – This includes a company’s people, including third parties who sometimes form the nucleus to support key business operations. The role of technology to automate functions that rely on people becomes paramount when people get isolated.
· Financial Risk – Financial risk increases when companies have trouble, for example, obtaining financing or when revenues and margins drop. Supply chain problems also may disrupt distribution and production, impacting sales. This, in turn, can cause missed revenue targets, a lack of clarity to provide forward looking guidance and facility closures.
· Reputation Risk – Opportunities to excel are also evident in any crisis – bringing forth a chance to show how you responded better than competitors. On the other hand, lack of leadership creates mistrust and confusion. If the firm can’t handle the crisis, can they handle my business?
· Strategic Risk – Are you prepared to pivot? Companies need a full understanding of how the risks associated with all aspects of their business are interrelated. A company’s ability to quickly triangulate key personnel risk, business resumption risk and operational risks will separate it from the pack and help it meet its business objectives.
Every company needs to prepare and invest for future events as there will always be another crisis – natural or man-made. Preparedness, in part, helps eliminate panic. The good news is that there is, and will be, growth beyond the crisis.
My heart and thoughts are with all the people affected by this unprecedented event. We especially appreciate the critical work healthcare workers and communities are doing on the front lines in fighting coronavirus.
Please feel free to reach out to me with your own stories and comments.
I will be happy to discuss your ideas and approaches on how we can together make the world less risky, more compliant and better governed. Now is the time for strong GRC-led leadership and solutions, not for retrenching back into fear and reactive execution.
We will live through COVID-19 and come out stronger with more innovation and better risk preparedness if we work together to address the needs as a GRC industry.