The evolution of GRC software – part 3
Chris Hamblin, Editor, London, 29 November 2017
In this question-and-answer discussion, Compliance Matters talks to French Caldwell, the chief evangelist at MetricStream, about the fourth and fifth generations of governance, risk and compliance (GRC) software.
French Caldwell: Fourth generation is where some of the vendors (including us) are. We are now going back and saying we also need it to be more intuitive, more user-friendly, you shouldn’t have to learn it. If you’re going to make an aeroplane reservation online, you don’t have to learn how to use that application to do it. It’s the same thing with these GRC tools. If you’re an auditor and you go into the audit management application you shouldn’t have to learn how to use it. It shouldn’t look like a clunky ERP-type application. It should be something intuitive to you as to how to use it as an auditor. That’s where this concept of user-centric design [comes in]. Also [it should be] ubiquitous and pervasive in the Cloud, you know? I shouldn’t have to worry about how this point this with my own IT organisation, particularly for a lot of your readers. They don’t have huge IT organisations. They might have billions and billions under management, but it’s a relatively small...it’s not Goldman Sachs.
Compliance Matters: On the subject of the Cloud, before we go on, in the days before cloud storage, regulators would come into the office and say right, let’s see your information now, and you’d be able to show it to them straight away.
French Caldwell: Right.
Compliance Matters: Can you do that with the Cloud as well?
French Caldwell: You can, absolutely. You can pull up the data and the advantage of having some of these solutions is that you can generate the reporting for the regulators very quickly as well. Some organisations will even...you know, for standard requests/demands that are coming from regulators they’ll have an interface for the regulator and ask the regulator to go in and have that data immediately. And you can control that.
Compliance Matters: You can allow the regulator to interrogate the firm’s own databases?
French Caldwell: To a certain extent. If you’re getting the same standard requests from the regulator all the time, they’re coming in every other week and saying show me this, show me this, and it’s the same kind of thing all the time, why not just build it. You can put in the link right here. You don’t show them everything – you can just give them access to that type of information that they’re typically asking for.
The advantages of Cloud technology are that you’re always staying up-to-date. Typically, the applications are updated. You don’t have to wait till your own IT department is ready, although many people in financial service organisations are required to test the applications, so if you have an upgrade to an application, even for a Cloud-based application, it has to be tested before you can roll it out and use it. The regulators essentially require that. But still, the Cloud vendor is maintaining those updates and improvements for you rather than you having to wait until your IT department has the resources to do that right. MetricStream’s a Cloud vendor. There are quite a number of them out there now.
Compliance Matters: OK, so that’s fourth generation and it’s right here now!
Fifth generation
French Caldwell: Yeah. Fifth generation is not here now. Many of the vendors are still on third generation, where they’re not very user-friendly. That whole idea of millennial user-centric design has not permeated yet. The fifth generation is where you begin to incorporate some of the AI and machine learning, you begin to get automated.
Right now, let’s say I have a control failure. I may or may not get some type of automated alert. My team might identify my control failure when they go round and do an audit, but regardless it’s got to be logged, it goes into an issue tracking system, I’ll have to assign some tasks for people to go off and fix the control, update our policy, validate that it still meets the rules and regulations and so on. But if I can do automated orchestration, as we call it, or if the machine says ‘here is what you need to do,’ that’ll help.
Compliance Matters: Just as long as people are prepared to be pushed around by a program?
French Caldwell: Well, they are. Did you drive here? If so, you might have used Google Maps. It tells you when to turn, when to make a left or go right, when you’ve arrived…
Compliance Matters: This is being done in compliance IT now?
French Caldwell: No. I would say that there are some experiments being done by some organisations but it’s not happening. The automated orchestration is not happening yet in GRC tools. There are some IT security tools where you’ll have some security problem and it’ll go and remediate things, at least to a certain extent by...perhaps if you have a vulnerability on a given server it’ll shut down that server and traffic gets re-routed to another server. Or you have evidence of someone trying to get inappropriate access to a server and the machine will automatically raise the levels of security, which may degrade performance temporarily but it will ensure that you’re secure, and then you can go back and close the vulnerability.
Some of that automated orchestration is happening in the IT security world, but it’s not happening yet for GRC applications. Right now we’re so very dependent on humans, which means it takes a while to say all right, here’s the policy that needs to be followed...we have a control failure, it’s due to a policy that was not being addressed and it turns out our people weren’t sure that monitoring was controlled. There’s always monitoring and we didn’t pick it up earlier, so we need to update the policy. We need to improve the monitoring. We need to train the employees on their need to report to the regulator and all of these things have to be mainly initiated and in future perhaps the machine will fix what it can and then even direct the humans to go and do this, this and this. Even short of that, with automated orchestration you can still have machines that use machine learning to learn from humans what a control failure is and then improve your automated detection and control. This doesn’t happen yet.
The big backlash
You also have the risk of things getting very intrusive. If a lot of my control failures are due to human error, then you have to monitor the humans.
Compliance Matters: That goes without saying! It’s bound to happen.
French Caldwell: That’s right, but there’s a very big backlash. Then how do I do that and still meet the privacy rules and regulations?
Compliance Matters: I think we gave up our right to not be Big Brotherish on 9/11.
French Caldwell: Yeah. Big Brother definitely is...people in the US are still very sensitive to that.
Compliance Matters: So are lots of people.
French Caldwell: Well, over here in Europe quite often people are very sensitive to Big Brother being the corporation. It’s less sensitive in the US. Monitoring of employees in Europe, particularly in Germany, is a big no-no under the EU’s...charter? What do you call it?
Compliance Matters: It’s the European Convention on Human Rights. Winston Churchill had a hand in it. It’s got nothing to do with the EU. It’s older than the EU.
French Caldwell: It’s enforced by the European Court of Justice quite often. They have had a couple of judgments like the right to be forgotten.
Compliance Matters: So that’s where it came from and now it’s in the GDPR.
French Caldwell: Right. So in Europe there are much greater restrictions than in the US on the monitoring of employees. In the US, basically, if you are using an employer-provided computer and email system and you’re accessing social media, it’s all monitored. That’s not the case in the EU. Some countries are stricter on it than others – in Germany it’s very strict – but, on the other hand, there are other rules and regulations that require you to monitor what your people are doing, particularly in wealth management when you have mis-selling rules, right?
Compliance Matters: Absolutely. What they do on social media is of great consequence to compliance officers.
French Caldwell: What I see in the future is you taking all of the social media data, emails, phone calls, any type of access, monitoring everything that employees do and building up a personal profile, just like Google and Facebook who have behavioural profiles of everybody.
I remember in 2010, just about every time the CEO of Google got up on stage he’d go: “We know what you’re looking at, we kinda know what you’re doing, and we’re pretty close to knowing what you think.”
Compliance Matters: I would have thought that what you’re thinking would be higher up the list than the other two!
French Caldwell: Well that’s where they obviously want to go! And they want to control everything because they want the advertising. If they can make you click on something, they get money. Anyway, in the fifth generation of GRC I think we’ll see AI doing things like learning how to detect controls failing, but scarier I think will be the sixth and seventh generation where they’re monitoring what people are actually trying to do and what they’re actually thinking.
Compliance Matters: AI’s still pretty dumb at the moment, isn’t it?
French Caldwell: It is in general. It’s getting smarter all the time. If you look at Google, they’re always improving their algorithms. You’re interacting with AI every time you use it. You’re interacting with AI even when you don’t know you are. You’re carrying around location detection on your smartphone and enabling all of these apps on it, so someone who really wants to know could know that you and I are actually in the same place. They might be able to surmise, even before you publish this article, that you and I were probably talking to each other. They know that I like to talk to the press, and they know that you happen to be press. They could know that!
* French Caldwell was talking to Compliance Matters on the sidelines of MetricStream’s recent GRC summit in London.