GRC platform of the year: MetricStream

Aggressive regulation has increased the importance of GRC in 2013. MetricStream’s platform has responded to a growing demand from customers who are keen to avoid the bite of regulatory watchdogs.


Increased regulatory pressure and ever-heavier regulatory fines have had a significant impact on the governance, risk and compliance (GRC) sector in recent years. Financial institutions are keen to avoid being next into the headlines, leading to more focus and higher spending on internal controls – and the same is even true in other sectors.

"It's pretty easy to spot news items where someone gets fined a significant dollar amount," says Vidyadhar Phalke, chief technology officer at MetricStream, Operational Risk & Regulation's winner of the best GRC platform in 2013.

Phalke adds that many non-financial sectors, such as medical and retail industries, are also starting to focus on GRC. "You need GRC programmes. It has started to become a basic requirement even for small companies; it's just the cost of doing business," he says.

Small companies have been able to take advantage of cloud technology and subscription models, which have made GRC programmes more cost-effective, says Phalke.

"In a subscription model you're not locked in. You don't have heavy capital expenses or staffing costs. It's just a managed service; you have a web-based framework which anybody can use."


In large companies, meanwhile, having a chief risk officer or a chief compliance officer has become a common phenomenon.

Regulatory pressure, however, is not the only reason for the increase in spending. Corporate social responsibility is another cause. Organisations are under pressure to manage reputational risk and show they can run their business effectively. Companies are also keen to track loss or near-loss incidents.

"Those incidents need to be tracked, they need to be risk rated and a system has to report them so you can start building a knowledge base within the company which you can reflect back on from time to time," says Phalke. Keeping track of the operational efficiency of a company also allows for internal costs to be kept down.

MetricStream's GRC platform has an underlying data model which consists of a centralised library of risks, regulations, assets, controls, processes, issues, actions, reports, and other GRC-related data objects. The data can be viewed by risk managers, audit managers, and business process owners. Reporting and analytics capabilities can be accessed in real-time. Users are able to access the platform offline, and are provided with email notifications.

Bringing a new customer in can be a challenge, Phalke says: many are upgrading their GRC procedures under pressure.

"Almost invariably in a lot of cases they need everything done yesterday. A big regulatory heavy hand has come in and they run the risk of getting significantly fined."

Customers also need to be clear about their needs. "Do I want to bolster my internal audits, or my operational risk or my compliance and policies?" Phalke asks. Enterprise software can take time to implement, and organisations are often under significant regulatory pressure to implement it within a specific time frame.

Fitting the MetricStream software to different jurisdictions involves changing the contents of the data library, a process that Phalke describes as "relatively simple".

"From the software and tool perspective it's still exactly the same," he says. "We just need to work out what the different varieties are and ensure that the data which goes into the application is different."

The software can aggregate data across an organisation's IT function, extending beyond the GRC area into core banking systems, enterprise resource planning, customer relationship management, asset management systems, and others. And a key focus for MetricStream is keeping up to date with an evolving online environment.

The platform already supports MetricStream applications on tablets and smartphones, and offers assistance with emerging risk profiles from social media interactions. The GRC implications of social media are increasingly important for MetricStream and its customers.

"There are tonnes of companies who monitor social media, but it needs to be put into intelligence which is actionable in the context of GRC," Phalke says. Companies may find themselves liable to fines if, for example, they have not sufficiently trained employees who use social media at work.

Looking forward, a further area of focus is the proliferation of mobile devices and cloud technology.

"The world's applications are moving on to the cloud. This presents a risk to companies which hasn't been managed well," says Phalke. "Even my company will have probably 40 applications in the cloud for various providers and sources, and just tracking and managing that risk is a problem. We know some banks that have around 40,000 cloud applications."

MetricStream also offers its own cloud platform, called Zaplet, which allows customers to build their own GRC applications.

"We don't want to be a platform that pretends to know everything and do everything in GRC," says Phalke. Customers can develop their own specialised GRC applications on top of the platform.

"We become the platform and reap the benefits there. It's a multi-prong approach to essentially take on the world over the next few years."
