
Compliance software for the new age: worldwide systems, localised problems

Chris Hamblin

Clearview Publishing

18 August 2014

What tribulations do globally active compliance IT companies have when kitting equally globally active financial firms out with the regulatory software that they need? Conventional wisdom tells us that business flows over borders with increasing ease, but how does that work in an area where rules are very country-specific and increasingly onerous? Piyush Pant, the vice president of strategic markets at the global IT firm of MetricStream, answers our questions.


We caught up with Piyush Pant at his offices in London. Before answering queries, he set the scene: “MetricStream deals with governance and compliance software. It's a GRC (integrated Governance, Risk and Compliance) market provider. We apply GRC software exclusively. Our HQ is in Silicon Valley. We have some of the largest financial institutions in the world. We cover risk-management and compliance.


“We don't do super-equivalence. We have to be close to what our customers are looking for. There's a range of projects. We have to adapt the right rules to fit their situation. We have a pipe – a source of content we call GRC Intelligence. We collect different content about rules, then we curate it and feed it into the software, and it's mapped onto internal workflows and 'due diligence' procedures.


“As regards imposing a global standard, it's not what most parties are looking for. That even goes for British firms that have to impose the 'super-equivalent' Bribery Act on the rest of the world. This is because these firms are trying to take small steps towards improving around multiple dimensions. Most companies are making a step-by-step journey. I'll give you an example of why. We saw in the past that it's not possible just to have a list of third parties you're dealing with. It sounds a simple task, but it's impossible. Their sourcing functions are often split up and so are many more of their components. So even this 'event' or disaster. The other one is caused by regulation. In the first model, when the home regulator calls for disclosures about all third-party relationships, that'll lead to a firm-wide compliance or GRC effort. Let us look at two more examples.

(i) We once provided software to a 'matrix' firm that had its headquarters in the UK, where it wanted to get a better view of its supplier base. This was the area of its business that was 'feeling the pain' the most. It had a sourcing function that was unable to cope with the volume. The first step it took was to ensure that it could accurately model and 'get on board' all third-party relationships.

(ii) Then there is the firm that manages this centrally. We helped a US firm that had to comply with demands from the OCC and the Commodity Futures Trading Commission for end-to-end visibility of supplier risk. In these cases there's a complete plan.


Q3: What do you mean by the term 'downstream supplier'?


A: Three or four years ago, the notion of the supplier stopped at pretty low levels. If someone supplied you with something, you were only interested in whether they were compliant. Now, for certain clients, we have multi-layering of suppliers. It could be supplier-to-supplier, or one supplier could have multiple business units across the globe. Take HP or IBM. There's a business unit that supplies hardware, software, business services and everything in between, but they're packaged up in all permutations and the arrangements vary country by country. So you can say that IBM is a . We can manage raw data in an SAP (Systems, Applications, Products) system. But we are also seeing that some of these solutions are being kept in the cloud. In those cases we do see a very heavily increased security assessment before the company goes down that route. We never get a look at their confidential information; we have no access to their data.