In the modern world, if anything is all-pervasive, it is risk. The everyday enterprise today accounts and strategizes for risk and compliance issues, and it follows that the appetite and market for risk management are thriving. MetricStream, a global connected GRC SaaS company, offers products and solutions to help the world thrive on risk.
In a freewheeling conversation with Dataquest, Bruce Dahlgren, global CEO of MetricStream, spoke about the GRC software company offering Integrated Risk Management (IRM) and Governance, Risk, and Compliance (GRC) solutions. And the first keyword he used is connected. “The data elements are connected and we bring it together for risk management and human connection. In the GRC world: the three important units are business, cyber and ESG,” he begins.
Dahlgren describes the typical risk management journey a customer passes through:
- Starts with Managing Risk: This includes reporting the risk and being compliant with regulations. [This is where most of the customers are in their risk management journey, according to Dahlgren.]
- The second phase is Embrace Risk: This includes educating to manage risk, using technology and capabilities to identify risks and manage them.
- The final phase is Thrive on Risk. The company uses Artificial Intelligence [MetricStream intelligence], which then becomes pervasive across the company as it works to become more strategic and uses risk quantification capabilities to make decisions.
Factors leading enterprises to embrace and thrive on risk:
Dahlgren explains that customers begin with the manage risk phase and are slowly moving into the embrace phase. The factors acting as a catalyst for enterprises moving towards embracing risk include the thrust into the hybrid work culture, transactions with new suppliers, and automation being introduced steadily into organizations, to name a few.
Enterprises want the company to be aware of the different risks. This is where MetricStream steps in with its assessments, workshops and discoveries to help them understand the solutions. Almost half of its customer base is from the banking sector, and it has now diversified, with demand to adopt risk management tech coming from healthcare, energy, telecom, etc.
BFSI risk quantification:
Starting in the 90s, financial services firms wanted to know what their market risk profile was. After the financial crisis, this evolved into credit risk, the risk profile of the trade. It then evolved into operational risk. “We think the same discipline is going to come to cyber risk,” says CTO, Prasad Sabbineni.
With regulations being finalized in the cybersecurity domain and advancements coming to it, there will be cyber risk quantification, and firms will be asked to set aside capital to address those cyber risks. Also, with frequent ransomware attacks, cyber insurance premiums have shot up, and companies want to control them. That means putting a cyber risk program in place and measuring it, explains Sabbineni.
Role of AI:
Gartner, in its IT risk management Magic Quadrant report, counts Market Understanding and Responsiveness among MetricStream’s strengths, stating, “MetricStream has consistently improved its roadmap in response to customer demand and feedback. Examples include the development of a configurable cyber risk quantification engine in the platform and continued investment in improving UX through use of chatbots and other AI/ML. Furthermore, MetricStream is committed to simplifying its pricing model.”
Sabbineni explains that the inputs to the AI models include the business units. Through qualitative measures, risk is measured in dollar terms. With the data captured [sometimes subjective and based on the intelligence of people], it is imperative to come up with the probability of cyber risk occurrence. “We implemented machine learning for the model to learn, from the past human behaviour, the probability of a cyber risk happening, assign a score to it. And in case of an event, determine the magnitude of the loss [also based on the human intelligence and experiences.]”
The model is trained with the knowledge of the organizations, now relying on multi-tenant collaborative learning-based models “where we anonymise the data of similar companies in an industry sector to bring the awareness,” states Sabbineni.
The road ahead:
The market for GRC is evolving, with digital companies and unicorns in the startup ecosystem now depending on brand reputation more than ever and not wanting to be caught on the wrong side of cyber risk mismanagement. “The GRC market is evolving and as Indian enterprises are operating in a global market and scale, they need to implement these programs to demonstrate to the world that they have the risk and compliance program and can implement standard GRC projects,” concludes Dahlgren.