MetricStream in Amsterdam: a blog by Charles Nicholls
Charles Nicholls
Enterprise Governance Risk & Compliance | Solutions Specialist
I am delighted to have spent a wonderful three days in Amsterdam with our MetricStream customers, prospects and many industry experts, consultants and solutions providers.
On Tuesday we held a Peer-to-Peer Round Table session with cross-industry Operational Risk, Legal and Compliance experts from banking and aviation through to advanced medical suppliers.
Confidentiality was assured under Chatham House rules, so I will not quote specific comments and details here, but will simply summarise the key challenges and discussion points that were raised and discussed:
Compliance
· Challenges faced when dealing on a global basis across different jurisdictions
· Aligning and attempting to comply in a standard and consistent manner across the organization
· The need to strengthen internal co-operation and alignment to address these issues
· The need to use tools such as the MetricStream platform to map your policies and processes to these regulations and standards, and to drive this standard, unified approach
· Fragmentation and complexity of global management
· No such thing as zero tolerance for regulatory compliance, as in the real world there is always cost pressure versus full compliance
· Struggling with volume and complexity as to where to focus, given daily changing priorities
· The need to engage and align with regulators as appropriate to your industry
Culture
Following on from the discussion of international issues, challenges and management above, the attendees shared and reviewed the challenges around:
· The differing international and corporate cultures and the "human" element of silos and differences; as above, a fragmented view in the current state
· The potential for a different focus on Risk vs Compliance by region
· Differing and ever-changing assessments of Risk vs Likelihood
· Strong concern around human corruption and the protection of Intellectual Property rights
· The need to keep abreast of, and be agile with, ever-changing sanctions and geopolitical risks
Volume Overload
All attendees agreed with the challenge stated by one of our guests around the simple problem of dealing with ever-increasing volumes:
· An increasing number of internal controls to test
· Limited resources and budget
· Increasing standards and regulations
· The need to increase efficiency and standardization
· Consistency and transparency required in evaluation
· A need to remove the duplication of effort that persists
· Delivering and managing effective control execution across multiple divisions and silos of the organization
Aligning Goals and Costs: a Balancing Act
· The costs of managing the ever-increasing volume, weighed against investor pressure to reduce costs, yet also investor pressure for greater assurance and transparency
Operational Resilience and Data
As above:
· Multiple regulations and different jurisdictions with slightly different requirements
· Finding synergy across the Op Risk teams is seen as a challenge with Op Resilience
· Data integration challenges and alignment issues experienced
· Identifying the critical business processes, systems and assets across the entire organisation still presents challenges for some of our attendees
Third Party Risk and ESG
· Concern over gathering the right data
· Managing the quality of data
· Assessing the right cadence of testing and dealing with change
· What ESG data is being tracked, and how valid is it?
This was then followed by a workshop with Michael Rasmussen, "The Father of GRC", analyst and pundit, which further reviewed these topics and the "Human Factor":
The nested supply chain issues of 4th and 5th parties and their potential impacts;
The need for the human firewall: policies need to be detailed, adhered to and monitored, and we need to rely on more than just conduct.
The use of AI was reviewed and discussed, as indeed, in appropriate circumstances, were the risks of not using AI and Machine Learning technology.
Then on Wednesday and Thursday we moved to the #Risk Amsterdam event.
Not surprisingly, much the same topics seemed to be the subject of the presentations and conversations.
Though we were anticipating a significant focus and questions around the pending Digital Operational Resilience Act (DORA), most of our conversations focused on some of its component elements rather than full DORA compliance and requirements, as follows:
· Policy Management and aligning policies to regulations and controls
· Financial & SOX controls testing and certification
· IT and Cyber Risk: quantified Cyber Risk Assessments using FAIR
· Quantification and scenario testing in Operational Risk Management / Non-Financial Risk
· Bow-Tie analysis
· Risk and Loss Event treatment and reporting
· Managing impact assessments with assets and processes across the organisation
· Managing control frameworks, aligning to COBIT, ISO 27001 and NIST frameworks, and yet adding your own controls
· Integrating third-party content feeds into the GRC platform, including Dow Jones, BMC, Qualys, Bitsight, EcoVadis, FinRegE, Compliance.ai, Cube, RegRoom, Sustainalytics, OFAC and sanctions lists, among many others.
Then on Thursday afternoon I joined the panel moderated by Michael Rasmussen, with representatives from ABN Amro, Just Eat and Fiat Republic, to share our feedback on the topic "Risk Radar: Unveiling Critical Trends in Risk for 2024 and beyond".
The big topic was the impact of environmental risks such as the extreme European heat wave and forest fires, the Libyan floods and the Moroccan earthquakes, and the ability to be agile and manage the events usually judged low-likelihood but high-impact, which seem to be regarded as ever more "likely". This extends to the onward impact on supply chains, such as the Suez Canal blockage and brown-out power outages, and then to the encompassing geopolitical, market, economic and liquidity risks arising from the likes of the Ukraine-Russia war and other cold-war scenarios such as Taiwan and their potential impacts. The reputational loss and consequences of non-compliance on the Social element of ESG, with modern slavery, child labour and exploitation, and human rights violations outside Europe, were considered another major risk to manage and contend with.
IT & Cyber Risk was reflected upon and remains a very high threat. The focus extended to the requirements of DORA regarding the risk of, and the ability to recover quickly from, technology failures.
Again, the risks around AI were also discussed, along with the associated ethical concerns and the need to remove bias from algorithm-produced results, to derive fair and equitable solutions that do not infringe on human rights, diversity and inclusion.
The risks and benefits of AI, with deepfakes and criminal spoofing and phishing, and the importance of KYC and KYS along with AML, were fully reflected upon.
Regulatory Compliance Risks are also considered a never-ending and growing challenge that is not going away. This has a significant impact on the internal costs to manage and comply, with the risk of fines now being made more "personal", as in the UK through SMCR enforcement against individuals rather than just the corporate fines of the past, an approach now being reviewed by other global regulators.
The interconnectedness of these risks was reflected upon, and how all of these risks can fully impact the supply chain, not just of the third party but of the extended 4th and 5th parties.
On the panel we shared our views on the strategies to overcome these risks, which of course align with the goals of the MetricStream platform, to provide:
· Clear and transparent reporting
· Driving long-term sustainable goals and implementing the associated clear policies
· Driving fast, accurate data on emerging risks across the organization
· Using technology to assist predictive analytics and aid human decision-making
· Using technology to manage the vast data requirements and flow
· The need for consistent and standardized taxonomies of data against which to make decisions, or a "single source of truth"
· Conduct from the top, human awareness and training, and policy attestations that are frequently reviewed and updated
· Engaging with the regulators early and getting involved in the consultation process wherever possible
· Managing Risk vs Reward, and why ever more scenario analyses and appropriate quantification in the right areas are required to best determine your risk treatment or adoption
· Regular review of policy exceptions due to the changing environment
Needless to say, we on the panel ran out of time on these topics, but MetricStream, through our powerful, fully federated and scalable data model, is well placed to assist in improved efficiency, accuracy, alignment, consistency and transparency of residual risks, and in managing mitigating actions against a quagmire of external risks that are costly and challenging across all global markets.
While we at MetricStream certainly can't do everything, we can certainly help to drive consistency, efficiency and improved management of your company's Governance, Risk and Compliance through the connectedness and rich 360-degree views of those connections, driving faster and better-quality data and management of the resulting treatments and actions to give you the tools to thrive on risk.
A very good read! Much covered in such a short period and very relevant to today's focus of impact assurance measures and how we need to manage diverse key risk and compliance areas, thanks for sharing Charles.
Fantastic!