GRC platform of the year: MetricStream

Increased regulatory pressure and ever-heavier regulatory fines have had a significant impact on the governance, risk and compliance (GRC) sector in recent years. Financial institutions are keen to avoid being next into the headlines, leading to more focus and higher spending on internal controls – and the same is even true in other sectors.

"It's pretty easy to spot news items where someone gets fined a significant dollar amount," says Vidyadhar Phalke, chief technology officer at MetricStream, Operational Risk & Regulation's winner of the best GRC platform in 2013.

Phalke adds that many non-financial sectors, such as medical and retail industries, are also starting to focus on GRC. "You need GRC programmes. It has started to become a basic requirement even for small companies; it's just the cost of doing business," he says.

Small companies have been able to take advantage of cloud technology and subscription models, which have made GRC programmes more cost-effective, says Phalke.

"In a subscription model you're not locked in. You don't have heavy capital expenses or staffing costs. It's just a managed service; you have a web-based framework which anybody can use."

You need GRC programmes. It has started to become a basic requirement even for small companies; it's just the cost of doing business

In large companies, meanwhile, having a chief risk officer or a chief compliance officer has become a common phenomenon.

Regulatory pressure, however, is not the only reason for the increase in spending. Corporate social responsibility is another cause. Organisations are under pressure to manage reputational risk and show they can run their business effectively. Companies are also keen to track loss or near-loss incidents.

"Those incidents need to be tracked, they need to be risk rated and a system has to report them so you can start building a knowledge base within the company which you can reflect back on from time to time," says Phalke. Keeping track of the operational efficiency of a company also allows for internal costs to be kept down.

MetricStream's GRC platform has an underlying data model which consists of a centralised library of risks, regulations, assets, controls, processes, issues, actions, reports, and other GRC-related data objects. The data can be viewed by risk managers, audit managers, and business process owners. Reporting and analytics capabilities can be accessed in real-time. Users are able to access the platform offline, and are provided with email notifications.

Bringing a new customer in can be a challenge, Phalke says: many are upgrading their GRC procedures under pressure.

"Almost invariably in a lot of cases they need everything done yesterday. A big regulatory heavy hand has come in and they run the risk of getting significantly fined."

Customers also need to be clear about their needs. "Do I want to bolster my internal audits, or my operational risk or my compliance and policies?" Phalke asks. Enterprise software can take time to implement, and organisations are often under significant regulatory pressure to implement it within a specific time frame.

Fitting the MetricStream software to different jurisdictions involves changing the contents of the data library, a process that Phalke describes as "relatively simple".

"From the software and tool perspective it's still exactly the same," he says. "We just need to work out what the different varieties are and ensure that the data which goes into the application is different."

The software can aggregate data across an organisation's IT function, extending beyond the GRC area into core banking systems, enterprise resource planning, customer relationship management, asset management systems, and others. And a key focus for MetricStream is keeping up to date with an evolving online environment.

The platform already supports MetricStream applications on tablets and smartphones, and offers assistance with emerging risk profiles from social media interactions. The GRC implications of social media are increasingly important for MetricStream and its customers.

"There are tonnes of companies who monitor social media, but it needs to be put into intelligence which is actionable in the context of GRC," Phalke says. Companies may find themselves liable to fines if, for example, they have not sufficiently trained employees who use social media at work.

Looking forward, a further area of focus is the proliferation of mobile devices and cloud technology.

"The world's applications are moving on to the cloud. This presents a risk to companies which hasn't been managed well," says Phalke. "Even my company will have probably 40 applications in the cloud for various providers and sources, and just tracking and managing that risk is a problem. We know some banks that have around 40,000 cloud applications."

MetricStream is itself offering its own cloud platform, called Zaplet, which allows customers to build their own GRC applications.

"We don't want to be a platform that pretends to know everything and do everything in GRC," says Phalke. Customers can develop their own specialised GRC applications on top of the platform.

"We become the platform and reap the benefits there. It's a multi-prong approach to essentially take on the world over the next few years."