Metricstream: Enabling Businesses To Thrive On Risk

Metricstream is a global Connected GRC SaaS company providing industry-leading software products and solutions to help the world thrive on risk. The firm sits at the nexus of three large, rapidly growing markets: Governance, Risk and Compliance (GRC) Solutions, Cyber Solutions and ESG Data Solutions.

The company recently launched its latest product, focused on accelerating GRC program performance. This includes a faster, safer, easier, and more personalized Connected GRC experience. Silicon India interviewed Shankar Bhaskaran, Managing Director, MetricStream India, to understand how the company's software products, core services and integrated platform are helping organizations turn business risk into a strategic advantage.

Can you tell us a bit about Metricstream?
Founded in 1999 in the United States, Metricstream began with its mission to solve the problem of 'Risk' in 2004. Led by Gunjan Sinha, a visionary, entrepreneur, and business leader, the company coined the 'GRC' acronym for Governance, Risk and Compliance in 2008 by working with analysts, and launched into that space in with its initial GRC customers. 2008 was also the year Lehman collapsed, Bear Stearns fell, and the mortgage crisis created one of the biggest financial depressions in modern history. That was when the first wave of GRC took effect. The world recognized the need for GRC, the marketplace for GRC was drafted, and a slew of financial regulations like Dodd Frank, FINRA, and SEC took on a greater meaning for financial institutions and banks to take GRC seriously.

Metricstream's office in India was set up in 2004 at Bangalore. It houses over 1,300 employees including R&D, sales, delivery, support, HR, finance and administration. Our R&D team in Bangalore built the industry's first cloud-based GRC solutions.

Please give us an overview of your products/solutions.
Metricstream's Integrated Risk Management platform is a set of components that bring together various domains through a federated data model. Interconnected GRC objects with our app studio, low-code/no-code configurations based on code generations, AI-embedded workflows, and assessments, are available on the platform.

Instead of fearing risk, we empower business leaders to thrive on it. Metricstream's technology enables decision-makers to accelerate their organization's growth through risk-aware decisions.

With our ConnectedGRC solutions, organizations can pursue an integrated approach that ensures collaboration between risk, compliance, audit, cybersecurity, and sustainability teams.

This highly collaborative approach enables businesses to better identify, assess, manage, and mitigate business risks. These include strategic risks, operational and enterprise risks, IT and cyber risks, third-party risks, compliance risks, and environmental, social, and governance (ESG) risks. Designed with advanced analytics and AI capabilities at its core, Metricstream's products and solutions deliver GRC best practices to meet the evolving needs of today's dynamic enterprises.

ConnectedGRC is powered by Metricstream Intelligence which includes embedded best practices, deep domain capabilities, artificial intelligence (AI) powered real-time insights, and risk quantification capabilities.

Designed to address the primary challenges for today's GRC professionals, ConnectedGRC offers three distinct product lines: BusinessGRC, CyberGRC, and ESGRC.
• BusinessGRC: This enables a connected view of risk to collaborate seamlessly across Risk, Compliance, and Audit teams. Decision makers can harness combined insights into a strategic advantage for business growth, competitive edge, and brand differentiation.
• CyberGRC: This allows real-time visibility and quantified risk insights across IT, Cyber, and Vendor risk, helping risk professionals prioritize their cyber investments, and policies. It helps in safeguarding the organization with active cyber risk management.
• ESGRC: Organizations can enable a simplified approach towards collecting and reporting on all industry and organizational Environmental, Social, and Governance requirements. This helps risk professionals meet all ESG data, disclosure, and framework requirements and enhance customer, investor, and public brand perceptions.

These solutions are available for organizations to purchase in three preconfigured packages (Prime, Premium, and Enterprise) that offer simple pricing, flexibility, and scalability organizations require as their GRC programs diversify and grow.

Governance, Risk management and Compliance (GRC) are foundational to maintaining business continuity and building resilience. Could you elaborate on how Metricstream is enabling businesses to implement a successful GRC strategy?
Our connected world has opened a wide range of opportunities for businesses to thrive. It has accelerated digitization and enabled the extension of the enterprise. But it has also ushered in an era of diverse, multi-dimensional risks for businesses. Cyber threats are growing faster than ever. Added to this is the rapidly changing regulatory landscape. Businesses are required to operate with purpose, driven by consumers, investors, and regulators taking an increased interest in the environmental, social, and governance (ESG) metrics of an organization.

As organizations seek new ways to build resilience, a connected governance, risk, and compliance (GRC) strategy is clearly the way forward. And this is exactly the approach that we have taken with our software solutions. Our products and solutions are equipped with features, capabilities, and product-specific innovations to our BusinessGRC, CyberGRC, and ESGRC product lines. They are aimed to help businesses thrive on risk in our increasingly volatile world.

For instance, our GRC products enable advanced risk quantification and simulation for Enterprise and Operational Risk Management (ERM and ORM). They can use our products to trigger Monte Carlo simulations, a computerized mathematical technique that allows people to quantitatively account for risk in forecasting and decision making. Using this they can generate a range-based estimate and predict the probability of different outcomes for Annual Loss Expectancy.

We enable organizations to assess financial risk while conducting onboarding due diligence for vendors and third-party suppliers. Our software for cloud environments is useful for tracking controls, creating reports, collecting evidence, and sending out automated alerts to relevant stakeholders. It enables Continuous Control Monitoring that helps in operationalizing the overall cyber risk management effort. The software also automatically captures data on a broad range of metrics required for ESG financial risk disclosures and simplifies its management in a centralized portal.

What should businesses know about ConnectedGRC?
An effective GRC program isn't built overnight and is essentially a journey that companies embark on. Many organizations are well ahead on their GRC journey, while others are just starting out. Irrespective of where organizations are in their GRC journey, they can use Connected GRC to pursue an integrated approach. Instead of operating in silos, they can seamlessly collaborate between risk, compliance, audit, cybersecurity, and sustainability teams. The benefits of having a ConnectedGRC approach are several. According to the OCEG survey:

• 60 percent of organizations responded that increased data privacy and cybersecurity regulations drove significant changes to their approach to GRC. The events of the past two years highlighted the need for better rapid response capability; close to 70 percent report new GRC challenges from having employees working remotely.

• 54 percent of organizations adapted to changes in regulatory and risk environment by adding more focus to risk management, while 41 percent focused more on compliance efforts.

• 33 percent of organizations say that siloed risk and compliance management is the greatest barrier to rapidly responding to risk.

• 70 percent of organizations that responded need more integrated processes and Connected GRC technologies to ensure GRC strategies perform well under stress.

Organizations can avoid risk of compliance violations, regulatory enforcement, reputational damage, and penalties. With Connected GRC they can build confidence with regulators and executive management, as well as with partners and customers, by establishing a strong data governance and reporting framework.

How is Metricstream helping companies transform risk into a strategic advantage? Kindly share a few success stories.
A leading multi-national financial services company was expected to adhere to multiple regulatory obligations, while keeping possible disruptions and risks in check. The risks ranged from operational and IT risks to misselling, regulatory, reputational, business disruption, fraud, and geographic risks, all of which need to be identified and effectively mitigated across the enterprise. Previous approaches to risk management and business continuity management were largely siloed and, thereby, difficult to scale or sustain. Metricstream helped the company in the following ways:

• It introduced a federated data model that enabled Single, Realtime Risk View for the company, groups & countries.

• Automated data collection and reporting: streamlined processes with faster turnaround.

• System driven ownership for clear accountability across all functions and processes.

• Increased speed and agility in issue remediation and prevention.

In another instance, one of the world's largest communication technology giants was justifiably concerned about potential security breaches. The company, which has tens of millions of customers and thousands of network points, records a whopping one billion plus threats per day. The CISO turned to us for a solution.

Today, Metricstream Cyber Risk Quantification is helping the company transform cyber risk data into a single risk score that's quantified in terms of dollar impact. These actionable insights have accelerated decision-making time by 60 percent. Cyber teams are better able to prioritize investments, while boards and leadership teams are able to provide stronger oversight of cybersecurity. This single cyber risk score is both credible and real-time, and the cyber risk taxonomy is mapped on the relationships between cyber risks, assets, business lines, covering the 100+ systems monitoring the security posture.

What's in the pipeline? (new products, innovative solutions?)
We recently launched our latest product, focused on accelerating GRC program performance. This includes a faster, safer, easier, and more personalized Connected GRC experience. The modernized, purpose-built low-code/no-code platform empowers customers to easily personalize and configure products to their unique needs. The new platform product release includes the following technology advancements, which are available now:

Faster, Safer, Easier Configurations: Administrators can access simple GRC domain-specific language which allows them to personalize and configure applications, create and change fields, reports, and templates. Low code/no code places control of individualized experiences into the hands of the customer while upskilling their teams.

Seamless Integration with Third-party Systems: 50+ GRC APIs to easily integrate Metricstream into other IT and third-party systems, simplifying data exchange.

Deliver GRC Insights in Minutes: Capture and connect data across Metricstream products and external systems, build contextual insights, and create customized reports with simple clicks using enhanced self-service reporting.

Streamlined Disclosure Reporting for ESG: ESGRC now includes preloaded reporting frameworks, formulas, and templates for data disclosures that align to TCFD, GRI, and SASB standards, as well as enhanced dashboards to deliver clarity and actionability on facility and supplier data.

Other innovations include automated regulatory intelligence that reduces risks and costs associated with regulatory change management, autonomous control testing and evidence gathering in AWS environments, and faster and easier first line access to operational risk assessments.

From an HR perspective, what is Metricstream doing to engage employees? (Elaborate on hiring, retention, best practices and so on.)
The best place to work is where employees can trust their organizations and have everything they need to succeed in their role. At Metricstream we have a people-first policy and a culture that encourages employees to work together as one team. Post COVID, we aim to create a sense of belonging with flexibility. We are hiring across all departments and even though most organizations are now opening up to work from office, we continue to provide flexibility to our employees with engaging on-site events that enhance our team building efforts. We always would like to have an environment where our employees can achieve optimum productivity.

Metricstream is dedicated to diversity, equity, and inclusion, always focusing on how employees can achieve their full potential within the organization and advance in their careers. We have several internal mentorship programmes for employee upskilling, to enhance employee competence and employee value proposition.

What are your future plans for Metricstream?
In the midst of volatile market conditions, the demand for GRC continues to accelerate with significantly higher emphasis on cyber, ESG, operational resiliency and compliance. Looking ahead, we will continue to focus on accelerating our innovation and GRC SaaS leadership, provide value to our global customer base, and deepen the partner ecosystem, while achieving balanced growth and profitability.