
Governance, Risk and Compliance (GRC) Framework

A growing regulatory environment, higher business complexity and an increased focus on accountability have led enterprises to pursue a broad range of governance, risk and compliance initiatives across the organization. However, these initiatives are uncoordinated in an era when risks are interdependent and controls are shared. As a result, these initiatives get planned and managed in silos, which potentially increases the overall business risk for the organization. In addition, parallel compliance and risk initiatives lead to duplication of effort and cause costs to spiral out of control. A Governance, Risk and Compliance process, through control definition, enforcement and monitoring, can coordinate and integrate these initiatives.

The span of a Governance, Risk and Compliance process includes three elements:

  • Governance is the oversight role and the process by which companies manage and mitigate business risks
  • Risk management enables an organization to evaluate all relevant business and regulatory risks and controls and monitor mitigation actions in a structured manner
  • Compliance ensures that an organization has the processes and internal controls to meet the requirements imposed by governmental bodies, regulators, industry mandates or internal policies

Governance: With an increase in activism among shareholders and increased scrutiny from regulatory bodies, corporate boards and executive teams are more focused on governance-related issues than ever before. The governance process within an organization includes elements such as the definition and communication of corporate controls and key policies, enterprise risk management, regulatory and compliance management and oversight (e.g., ethics and options policy compliance as well as overall oversight of regulatory issues), and the evaluation of business performance through balanced scorecards, risk scorecards and operational dashboards. A governance process integrates all these elements into a coherent process to drive corporate governance.

Risk Management: With the recent jump in regulatory mandates and increasingly activist shareholders, many organizations have become sensitized to identifying and managing areas of risk in their business, whether financial, operational, IT, brand or reputation-related risk. These risks are no longer considered the sole responsibility of specialists - executives and boards demand visibility into exposure and status so they can effectively manage the organization’s long-term strategies. As a result, companies are looking to systemically identify, measure, prioritize and respond to all types of risk in the business, and then manage any exposure accordingly. A risk management process provides companies of all sizes in all geographies with a strategic orientation and a formal process to identify, measure and manage risk.

Compliance: An initiative to comply with a regulation typically begins as a project, as companies race to meet deadlines to comply with that regulation. These projects consume significant resources, as meeting the deadline becomes the most important objective. However, compliance is not a one-time event - organizations realize that they need to make it a repeatable process, so that they can continue to sustain compliance with that regulation at a lower cost than for the first deadline. When an organization is dealing with multiple regulations at the same time, a streamlined process for managing compliance with each of these initiatives is critical; otherwise costs can spiral out of control and the risk of non-compliance increases. The compliance process enables organizations to make compliance repeatable and hence sustain it on an ongoing basis at a lower cost.

Figure: Governance, Risk and Compliance Process

Benefits of Taking an Integrated GRC Approach
Many organizations find themselves managing their governance, risk and compliance initiatives in silos - each initiative managed separately even if reporting needs overlap. Even though each of these initiatives individually follows the governance, risk and compliance process outlined above, when software solutions were deployed to enable these processes, the selections were made in a very tactical manner, without thought for a broader set of requirements. As a result, organizations have ended up with dozens of such systems to manage individual governance, risk and compliance initiatives, each operating in its own silo.

The majority of Fortune 1000 organizations find themselves in this situation today. However, they are quickly finding that as multiple risk and compliance initiatives become more intertwined from regulatory and organizational perspectives, multiple systems cause confusion due to duplicative and contradictory processes and documentation. In addition, the redundancy of work, as well as the sheer expense of maintaining multiple point software solutions, causes the cost of compliance to spiral out of control.

By taking an integrated GRC process approach and deploying a single system to manage the multiple governance, risk and compliance initiatives across the organization, the issues listed above can be easily addressed. Such an approach can:

  • Have a dramatic positive impact on organizational effectiveness by providing a clear, unambiguous process and a single point of reference for the organization
  • Eliminate all redundant work in various initiatives
  • Eliminate duplicative software, hardware, training and rollout costs as multiple governance, risk and compliance initiatives can be managed with one software solution
  • Provide a “single version of the truth” available to employees, management, auditors and regulatory bodies

According to a recent note from Gartner, “For Sarbanes-Oxley, we put the burden on a global Bank at about 0.2 percent to 0.4 percent on EBITDA. So if the Securities and Exchange Commission is one of 370 regulators for a global bank - to approach each regulatory program individually would eat up all the profits. Lots of companies have separate compliance programs for every regulatory regime. As regulatory regimes proliferate, a comprehensive compliance program keeps regulations from depressing earnings”. An integrated GRC approach enables an organization to integrate and streamline these individual compliance initiatives, so it can significantly reduce the cost of compliance.

It is critical that a GRC solution be able to address a wide range of compliance and risk management initiatives, so that an organization can leverage GRC to deploy a consistent framework across the organization for compliance and risk management. Many vendors window-dress their point solution by relabeling it as a GRC solution or adding support for a few additional regulations to claim a multi-regulatory label.

Figure: GRC Dashboard and Scorecard

GRC Solution Framework and Key Capabilities
In order to articulate what makes a solution a GRC solution, we must first lay out a GRC solution framework. This framework identifies a comprehensive set of capabilities of a GRC solution and provides a benchmark to evaluate any solution against it and assess if it is a GRC solution or a point solution.

Capabilities of a GRC solution include:

  • Governance
    • Enterprise risk management and assessment
    • Board compliance capabilities such as options policy compliance, ethics and policy compliance, etc.
    • Business performance reporting such as balanced scorecards, risk scorecards, operational controls dashboards, etc.
    • Policy management, documentation and communication
  • Risk Management
    • Risk assessment
    • Risk analysis and prioritization
    • Root cause analysis of issues and mitigation
    • Risk analytics and trend analysis
  • Compliance
    • Flexible controls hierarchy
    • Assessments and audits
    • Issue tracking and remediation
    • Analytics
  • Support for complex organization models with ability to rollup at various organizational levels, while retaining the ability to cost-effectively deploy the solution within a department to enable a tactical compliance or risk initiative
  • Ability to support multiple regulations - corporate initiatives (SOX, risk management, ethics, policy compliance, etc.) as well as operational compliance initiatives (cGMP, HACCP, ISO 9000, etc.). It is critical that a GRC solution can support a large number of governance and risk management initiatives within a company. A wrong choice would force the organization to revert to supporting multiple point solutions.
  • Integrated document management capability

Examples of Multiple Initiatives Managed Using a GRC Solution
This section provides examples of how an integrated GRC solution manages multiple Governance, Risk and Compliance business initiatives at companies around the globe:

  • A large technology company recently decided to streamline SOX compliance and bring the responsibility for assessment and remediation of controls back to process owners. This effort would free up dedicated corporate resources and consultants, resulting in significant cost reduction. However, the ability to shift responsibility successfully, while ensuring the initiative did not miss a beat, hinged on continuing to provide visibility and control to the SOX program manager. In addition, they expected to take a risk-based approach to rationalize the number of controls being tested and streamline their change management process. The company decided to implement a GRC solution to sustain SOX compliance at lower cost. In addition, their plan was to ensure that when SOX streamlining was completed, they would use the platform to target other compliance initiatives.
  • A pharmaceutical company was growing fast and realized that the complexity of their operations would increase the risk of non-compliance with FDA cGMP regulations if they continued to use spreadsheets, paper and email to manage the manufacturing process. They realized that a GRC solution would provide strict change control on SOP documents, track process deviations and non-conformance across the two plants, identify appropriate corrective actions through a cross-functional team and ensure that remediation took place. Once the cGMP implementation was completed, the company wanted to extend the GRC solution to other aspects of their operations, including systematically reducing their development risks and accelerating New Drug Application (NDA) approval cycles by capturing and tracking potential safety issues, assessing risks and implementing corrective actions, and identifying potential quality issues using trending and data analytics. In addition, they wanted to use the GRC solution to automate the pharmacovigilance processes to record, investigate and report cases as per the adverse event reporting guidelines mandated by the FDA and other international regulatory bodies.
  • The board of a large semiconductor company directed the head of internal audit to identify risks in their current stock options program and ensure that there were adequate controls in place to prevent backdating. In addition, the board also wanted to ensure that the newly approved charter of ethics was not violated by any of the operations of the company. The head of internal audit decided to use a GRC solution as the system of record to manage the two initiatives because he wanted to make sure that a systematic process was in place to perform risk assessment, test and report on compliance with the internal charter of ethics, recommend additional controls and ensure that such controls were implemented. He knew that the spreadsheet- and email-based approach was not going to make risk assessment and remediation systematic and sustainable.
  • A large manufacturer generated about 25% of their revenue from exports to Europe, the Middle East and Africa. In light of recent political events, increased global terrorism and the USA Patriot Act of 2001, the company wanted to protect its brand and ensure that it had a repeatable process for OFAC compliance, so that all export orders pass through restricted party screening and end-use screening. In addition, they were concerned about any unknown holes in their customer-facing processes across their global operations that could potentially violate the regulations. As a result, they decided to undertake a risk assessment initiative, identify issues and then put an annual compliance assessment process in place. The scale and cross-functional scope of this global assessment process ruled out spreadsheets and email as the underlying framework. The company decided to use a GRC solution as the framework for their OFAC risk management and OFAC compliance initiatives.
  • A footwear company needed to ensure that it was in compliance with ISO 9000 quality standards so it could continue to be a preferred supplier to a large key customer. After an internal audit, they realized that they were in danger of missing the certification, creating a huge business risk for the company. The executive team decided to put a focused initiative around ISO 9000 compliance. In order to sustain compliance on an ongoing basis, they realized that the cross-functional teams across global operations needed to work very closely together. Hence, they decided to use GRC software as an enabler for the initiative - the solution would ensure all relevant documentation across the company was under change control and provide mechanisms for audits, tracking issues, identifying corrective actions and remediation. Once implemented, they wanted to leverage the GRC solution for their SOX and operational risk management initiatives.

MetricStream is a market leader in Enterprise-wide GRC and Quality Management Solutions for global corporations. MetricStream enterprise solutions are used by leading corporations in diverse industries such as Automotive, Food, Pharmaceuticals, Manufacturing and Electronics to manage their quality processes, regulatory and industry-mandated compliance and corporate governance initiatives. In addition, MetricStream’s ComplianceOnline.com portal is used by over a million compliance professionals worldwide to improve their work productivity and for professional growth.

MetricStream delivers the most comprehensive mapping of the GRC framework within the industry with the following unique capabilities:

  • Rich corporate governance capabilities
    • Enterprise risk management framework
    • Risk, compliance and governance scorecards and dashboards
    • End-to-end compliance process for stock option policies, internal policies, etc.
    • Central repository of all corporate policies, change management and mechanism for communication
  • Comprehensive risk management features including
    • Documentation of all risks in a central repository through integrated document management
    • Risk identification from surveys and events and categorization
    • Risk assessment and calculation
    • Risk prioritization using heat maps
    • Remediation workflow
  • Extensive multi-regulatory compliance capabilities
    MetricStream offers the most extensive support for multi-regulatory compliance in the industry today that includes enterprise/corporate compliance initiatives such as SOX, ethics policy compliance, stock options grant, etc. as well as a wide range of operational compliance initiatives such as FDA, cGMP, ISO 9000, HACCP, FERC, etc. Key compliance capabilities of the MetricStream solution include:
    • Support for multiple compliance frameworks such as COSO and COBIT
    • Ability to create a comprehensive risk based controls framework
    • Comprehensive controls testing capabilities such as inspections, audits, manual and automated assessments
    • Flexible scheduling of testing of controls
    • Rich workflow for remediation, certification and disclosure
  • Integrated ComplianceOnline.com capabilities
    • Industry framework content
    • Process, risk and controls content
    • Integrated framework for enterprise 2.0 collaboration
  • Integrated document management solution
  • Scalable and enterprise-class platform
    • User-defined workflow with email or portal-based notifications
    • Role based security
    • Single sign-on
    • Flexible framework to integrate with external systems either using standards such as WSDL/SOAP or with an integrated tool that needs no programming
    • Integrated graphical development tool for configurations and enhancements
    • Integrated reporting engine
    • Electronic signatures
    • Offline access to the application with automatic synchronization when connected to the network

Summary
A growing regulatory environment, higher business complexity and an increased focus on accountability have led enterprises to pursue risk and compliance initiatives across the organization. However, these initiatives are uncoordinated in an era when risks are interdependent and controls are shared, leading to gross inefficiency, duplication of effort and a siloed view of the world. GRC systems, through control definition, enforcement and monitoring, can coordinate and integrate these initiatives and address the above-mentioned issues. MetricStream provides the most comprehensive GRC solution in the industry today.

A comprehensive set of GRC capabilities, support for a very broad set of compliance initiatives ranging from ethics and options compliance to SOX and internal audit to cGMP and ISO 9000, supplemented with rich industry content from ComplianceOnline.com and all built on an enterprise-class platform, make MetricStream the most compelling GRC solution in the industry today. For additional information, visit us at: www.metricstream.com

MetricStream Solution

Governance

  • Centralize all policy documentation in a repository
  • Role-based access control to documentation
  • Support for policy change management through check-in, check-out, review workflow and notification
  • Balanced scorecards
  • Risk scorecards
  • Operational dashboards
  • Options policy compliance
  • Certifications

Risk Management

  • Risk scope
    • Identify assets and processes included in an assessment
    • Select controls included in the scope
  • Risk assessment
    • Automate risk assessment workflow
    • Capture near misses and other events
    • Ensure completeness of data collected
    • Tabulate assessments
  • Risk calculation and prioritization
    • Calculate and aggregate risk
    • Risk heat maps for visual representation
  • Risk remediation
    • Root cause analysis
    • Remediation workflow
  • Reporting and disclosure
    • Status, dashboards, scorecards

Compliance

  • Scope
    • Control hierarchy: processes/risks/controls
    • Assets
  • Testing
    • Test effectiveness of controls
    • Manual
    • Automatic
    • Multiple scheduling techniques
    • Reporting of results including highlighting issues
  • Certification and disclosure
  • Remediation
    • Issue prioritization
    • Root cause analysis
    • Remediation workflow
  • Reporting
    • Status, scorecards, dashboards
    • Alerts
  • Support for complex organization models with ability to rollup at various organizational levels, while retaining the ability to cost-effectively deploy the solution within a department to enable a tactical compliance or risk initiative
  • Ability to support multiple regulations - corporate initiatives (SOX, Risk Management, Ethics Policy Compliance, etc.) as well as operational compliance initiatives (FDA, cGMP, HACCP, ISO 9000, etc.).
    • It is critical that a GRC solution can support a large number of Governance and Risk management initiatives within a company. A wrong choice would force the organization to revert to having to support multiple point solutions.
  • Integrated document management capability
  • The solution should be built on a platform infrastructure that includes capabilities such as:
    • Ability to define a flexible workflow with email or portal based notifications
    • Role based security and access control with integration to directories such as LDAP for single sign-on
    • Ability to integrate with external systems including a web services API framework via XML interfaces based on industry standards such as WSDL and SOAP
    • Ability to easily configure the software using graphical development tools
    • Built-in reporting engine for powerful reports and executive dashboards with drill down capability.
    • Ability to define new reports
    • Electronic signatures support to meet FDA 21 CFR Part 11 compliance as well as data encryption algorithms
    • Offline access to the application with automatic synchronization when connected to the network

Appendix B: How MetricStream Addresses Various GRC Initiatives
In this section, we discuss how MetricStream supports the various GRC initiatives within the industry, whether they are enterprise GRC initiatives or operational GRC initiatives.

Corporate/Enterprise GRC initiatives:
MetricStream addresses a number of corporate/enterprise GRC initiatives. These initiatives have activities that cut across multiple departments and are hence managed at the corporate level. Examples include:

Sarbanes-Oxley Act
The Sarbanes-Oxley Act (SOX) mandates a stricter governance model and tighter internal controls for public companies. While companies in year 1 of compliance pursued an open-checkbook, project-oriented approach to SOX compliance, the majority of them are now focused on sustaining SOX compliance at significantly reduced cost by streamlining their SOX compliance process.

They are beginning to shift responsibility for documentation and testing to the process owners, while keeping overall ownership of Sarbanes-Oxley compliance with the internal audit group. As a result, SOX compliance will become a part of the process owner's daily job and not a separate project with its own team of internal employees and external consultants. However, it is difficult for the internal audit manager to transfer responsibility to process owners without clear visibility into project status, issues and activities at all times. In addition, before this transfer of responsibility, the entire process of scheduling, testing and remediation needs to be automated, so the internal audit manager can ensure repeatability over time and across business units. Finally, strict change control needs to be implemented so that processes, controls and their associated documentation stay in sync once they become integrated with daily operational processes, and so that the year 1 investment in documentation can continue to be leveraged.

MetricStream enables companies to address the above issues and significantly reduce their cost of Sarbanes-Oxley Section 404 (SOX 404) compliance. Using the MetricStream SOX solution, companies can design, assess and improve internal controls under the COSO framework, monitor their compliance processes at any level of detail and easily provide evidence to external auditors that an internal control was tested to the satisfaction of the internal audit group. Its document control capabilities provide a central repository with comprehensive change control. The SOX compliance solution also provides greater control and clear visibility into issues, status and plans for all stakeholders.

Company Ethics/FCPA
In light of recent corporate scandals, most boards have adopted strict corporate ethics compliance policies. A large number of companies have created the role of Chief Ethics Officer to ensure that they are embedding ethics into the corporate culture and developing and implementing improvements in internal control procedures to mitigate identified corporate ethics program risks. In addition, US companies are required to comply with the Foreign Corrupt Practices Act (FCPA) and have to demonstrate that they have internal controls and processes for such compliance.

MetricStream enables organizations to continually audit their internal controls and communication processes to identify risks, validate compliance with corporate ethics policies and ensure that they have a mechanism to identify gaps and deficiencies and remedy them in a timely manner.

Stock Options Grant
In light of recent stock option backdating scandals, organizations are reviewing their option granting procedures to identify areas of exposure from past practices and to improve practices for the future. Incorrect practices in option grants can result in the organization taking incorrect tax deductions, which may require revising prior tax returns and subject the company to IRS penalties. In addition, if the compensation expense is not recorded or is under-recorded, historical financial results may need restating. Such practices can expose companies to shareholder class actions or pension plan lawsuits, which may lead to fines and civil and criminal penalties. Officers and directors may be sued in derivative lawsuits for breaching their fiduciary duties in connection with the granting, improper reporting and other treatment of backdated options. Depending on the facts and circumstances, company indemnification and D&O insurance may not cover such liability.

New rules applicable to SEC reporting companies governing executive compensation disclosure went into effect on December 15, 2006. Required disclosures will include the grant date of options, the fair market value on the grant date, the closing market price and the strike price of an option on the grant date if the latter is lower, the date the committee or board took action to grant the option (if different from the grant date), and a description of the methodology for determining the option price if it varies from the closing market price on the grant date.

MetricStream enables organizations to continually audit their stock grant processes and assess internal controls to identify risks and validate compliance with SEC requirements as well as board compensation committee policies. In addition, MetricStream can ensure that companies have a repeatable mechanism to document gaps and deficiencies in their process and remedy them in a timely manner.

Consumer Privacy
Companies operating in specific industries or geographies where they keep consumer information need to comply with regulations such as GLBA (Gramm-Leach-Bliley Act), HIPAA (Health Insurance Portability and Accountability Act of 1996), SB 1386 (the California Security Breach Information Act), the EU Data Protection Directive, PCI DSS (Payment Card Industry Data Security Standard), etc. These regulations and mandates aim to ensure that companies provide increased protection for the consumer information in their databases. As a result, companies have developed internal controls and policies to ensure compliance with these regulations. Non-compliance can lead to significant fines and penalties and, in extreme cases, even revocation of a business license.

MetricStream enables organizations to continually audit their internal controls and processes to identify risks, validate compliance with regulations and ensure that they have a mechanism to identify gaps and deficiencies and remedy them in a timely manner.

BSA/Patriot Act
The BSA (Bank Secrecy Act), initially designed for anti-money laundering, established requirements for recordkeeping and reporting by private individuals, banks and other financial institutions to help identify the source, volume and movement of currency and other monetary instruments transported or transmitted into or out of the United States or deposited in financial institutions. BSA requirements were significantly updated by the USA Patriot Act of 2001.

BSA compliance is critical due to the reputational, regulatory, legal and financial risk exposure a financial institution faces for being involved in money laundering schemes or willfully violating the BSA statute. Civil money penalties and regulatory enforcement actions may be imposed for noncompliance with money laundering regulations, which can endanger capital and earnings. Furthermore, banks may be criminally prosecuted for willful violations of money laundering statutes, which could ultimately lead to termination of FDIC insurance.

MetricStream enables financial institutions to continually audit their processes for filing CTR/CMIR/FBAR forms, identifying suspicious transactions and filing SAR forms, as well as assess internal controls to identify risks and validate compliance with BSA requirements. In addition, MetricStream can enable them to have a repeatable mechanism to document issues and gaps in their process and remedy them in a timely manner.

Enterprise Risk Management (ERM)
Risk within an enterprise can come from various sources, including mergers/acquisitions requiring extensive integration in a business unit, new regulations that may be subject to varying interpretation, or entry of a company into a new market with substantial exposure and return. By implementing an enterprise risk management (ERM) framework, organizations can reduce the likelihood of unexpected disruptive business events in their environment. As a result, they can increase their operating margins, reduce earnings volatility, enhance process efficiency, improve regulatory compliance and optimize cash flow reserves.

MetricStream enables organizations to identify, assess, quantify, monitor and manage their enterprise risk in an integrated manner. It brings together all risk management related data - a reusable library of risks and their corresponding controls and assessments; results from individual assessments; key risk indicators; events such as losses and near-misses; issues and remediation plans - in a single solution. Its workflow capabilities streamline the risk assessment process. Once risk has been assessed, it enables organizations to prioritize using risk heat maps and make strategic decisions on risk response.

Operational/Functional GRC initiatives:
In addition, MetricStream addresses a number of departmental/operational GRC initiatives. Within these initiatives, the activities are primarily owned and managed within a specific department or function. Examples include:

ISO 9000/TS 16949/Quality Management
Many organizations are deploying industry-standard quality management methodologies based on ISO 9000 or related specifications developed for specific industries, such as TS 16949 for the automotive industry and ISO 13485 for the medical device industry. These standards bring organizational focus to customer satisfaction and continuous improvement and take a process-centric approach to quality management and assurance.

MetricStream offers the industry's most advanced and comprehensive suite of solutions to support ISO 9000 compliance. It tracks events as they move from one stage to the next, even across departments and groups, to ensure a closed-loop quality management process. For instance, a document change can initiate a training request, and CAPAs triggered by audit findings are tied to the audit.

The solution enables organizations to maintain a centralized repository of process documentation, SOPs, batch records, regulatory filings and quality reports with change control capabilities. It provides capabilities to efficiently plan, schedule and conduct audits (such as supplier audits or quality audits), allows audit findings to be reviewed and analyzed by a team, enables initiation of follow-up activities such as corrective/preventive actions when needed and provides the ability to monitor the entire process. In addition, the solution supports flexible product inspections. Once issues are identified, it tracks them and enables triggering CAPAs, performing root cause analysis and assigning follow-up actions while effectively tracking and routing cases from initiation to closure. Finally, it provides complete visibility into the quality system database with comprehensive reports and dashboards as well as event-based notification.

    FDA cGXP/ISO 13485/21CFR Part 11
    Companies in pharmaceutical, biotechnology or medical devices industries are constantly pushing the boundary of innovation to develop new products. In addition, the industry is constantly being challenged to meet the rising standards of quality and to comply with rigorous regulatory requirements.

    Traditionally, homegrown systems, stand-alone applications, or even manual paper-based systems have been used to manage quality at the departmental level. Such point solutions fail to address systemic quality problems because they lack a broad enterprise reach. In addition, such point solutions cannot scale well, significantly raising the cost of compliance and increasing the risk of non-compliance with the FDA's GXP regulations.

    MetricStream solutions are widely used in the life science industry to support key processes and requirements for 21 CFR Part 11, Part 210-211, Part 820 / QSR, Part 606 and ICH Q7A compliance in:

    • Pre-Market Stage: Enabling customers to reduce their development risks and accelerate approval cycles by enabling them to capture and track potential safety issues, assess risks and implement corrective actions and identify potential quality issues by using trending and data analytics.
    • Manufacturing: Reducing cGMP non-compliance risks by creating a transparent environment for proactively identifying, tracking and resolving quality issues.
    • Post-Market Surveillance: Automating pharmacovigilance processes to record, investigate and report cases as per the adverse event reporting guidelines mandated by the FDA and other international regulatory bodies.

    The solution enables organizations to maintain a centralized repository of process documentation, SOPs, batch records, regulatory filings and quality reports with change control capabilities. The solution tracks non-conformances and deviations and enables triggering CAPAs, performing root cause analysis and assigning follow-up actions, while effectively tracking and routing cases from initiation to closure. Finally, it provides complete visibility into the quality system database with comprehensive reports and dashboards as well as event-based notification.

    HACCP/ISO22000 Compliance
    Mandates by the FDA and the USDA such as HACCP procedures and ISO 22000-based food safety management systems are the basis for many compliance and quality programs in the food and beverage industry. Improperly trained employees, substandard products or poor service can cost millions of dollars a year in lost sales for the business and leave the door open to more severe consequences.

    MetricStream provides end-to-end HACCP & ISO 22000 compliance software solutions to support safety and quality compliance programs in the food and beverage industry. It enables foodservice companies to capture, route, correct, prevent and analyze system-wide issues between their organization and their trading partners. Unlike records in spreadsheets, paper-based procedures and email-based processes, MetricStream HACCP & ISO 22000 business solutions give companies the ability to collaborate with their partners, provide a real-time view into quality data and enable issue tracking for a closed-loop compliance process. By unifying all compliance and quality data into one central repository, food and beverage companies can leverage robust reporting, dashboard and alert capabilities to easily identify trends, overdue actions and other performance metrics while maintaining detailed scorecards against Key Performance Indicators (KPIs).

    IT Audit and Compliance
    In most companies, key operational processes are managed by Information Technology systems. An IT organization with well-defined internal controls enables companies to identify and manage their IT-related risks. The ability to manage and contain such risks is critical to ensuring compliance with regulations and mandates such as the Sarbanes-Oxley Act (SOx), the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA).

    Most organizations regularly test the internal controls within their IT organization to ensure secure and continuous operation of their entire information systems infrastructure. Such controls, typically derived from COBIT control processes, reduce IT-related risks and form the basis for good IT governance. The IT audit and compliance process is inherently complex, as it involves multiple internal and external stakeholders. Existing audit infrastructures have evolved from the bottom up, and organizations lack a single system of record, preventing top-down visibility and control.

    MetricStream provides a comprehensive solution for IT Audit and Compliance. Designed to support the COBIT framework, the solution ensures sustained compliance of IT controls at significantly lower costs. It enables organizations to define the controls they want to test, maintain a repository of tests, perform assessments, identify issues and drive the remediation process. It also enables multiple stakeholders to have visibility and control over the entire IT Audit process and provides a single system of record for IT audits.

    Internal Audit
    Most companies run operations in accordance with government regulations, industry mandates and corporate governance standards. As a result, they are required to conduct regular audits to ensure compliance. With increasing business complexity and the rising number and types of audits companies need to conduct, audit managers are realizing that point solutions and spreadsheet-based systems are not suited to managing audit programs.

    Challenges being faced include data inconsistency due to varying practices across regions and business units, poor analytics due to lack of visibility and access to information, and productivity loss due to manual processes for information routing and communication. These issues increase the risk of noncompliance as the system does not guide users based on regulatory requirements and cannot enforce a process for audits, corrective actions and investigations. Even if companies are compliant, it is difficult to provide evidence of compliance from an audit standpoint.

    The MetricStream solution provides the building blocks for streamlining the audit management process in organizations. It provides the flexibility to support any type of audit, simple or complex, internal or external, for any regulation or function. It enables centralized control of audit resources and planning to support auditing as a corporate function. It provides comprehensive scheduling, assessment and tabulation capabilities. Powerful reporting and analytics on audit data are made easily accessible. Advanced capabilities such as built-in workflows, email-based notifications and alerts, risk assessment methodologies and offline functionality for conducting audits at remote field sites allow organizations to implement industry best practices for efficient audit execution.

    OFAC
    Since the USA Patriot Act of 2001 was signed, exporters have been under a greater level of scrutiny regarding global trade practices than ever before. They must have a repeatable process for ensuring compliance with two key requirements:

    • Restricted party screening: Automated screening of all parties involved in an export transaction against numerous lists of restricted or denied parties defined by the country of export’s control lists, such as BIS Denied Parties, OFAC Specially Designated Nationals, Japanese Proliferation Concerns and UN Sanctions List, among many others. Restricted lists include banks, service providers, customers and end users. These lists change on a daily or weekly basis, putting a significant strain on the compliance process.
    • End-use screening: Restrictions on the end use of sold goods, to prevent a commercial product from being used for military purposes by the end user without the knowledge of the exporter.

    Most exporters find themselves challenged to ensure 100% compliance with trade regulations, leading to potential fines, penalties and jail sentences, as well as loss of ability to export goods.
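    Restricted-party screening as the first requirement above describes it, as an added example that is not MetricStream's code: every party in a transaction is normalized and matched against list snapshots, and each hit records which list version it was screened against, since the lists change daily or weekly. The list names, list entries, the transaction and the 0.85 similarity threshold are all constructed assumptions, not real OFAC, BIS or UN data.

```python
"""Restricted-party screening of one export transaction (added example).

The list snapshots, transaction parties and threshold below are constructed
for illustration; none of this is MetricStream code or real sanctions data.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
import re
import unicodedata

# Constructed list snapshots keyed by (list name, version date) so that every
# screening decision can be traced to the exact list revision it used.
RESTRICTED_LISTS = {
    ("EXAMPLE-SDN", "2024-01-15"): ["Acme Trading Co., Ltd.", "Nordwind Bank AG"],
    ("EXAMPLE-DPL", "2024-01-12"): ["Zephyr Precision Components"],
}

# Corporate suffixes carry no identifying information and defeat exact matching.
_SUFFIXES = {"co", "ltd", "limited", "inc", "ag", "gmbh", "llc", "corp", "corporation"}


def normalize(name: str) -> str:
    """Fold case and accents, drop punctuation and corporate suffixes."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9 ]", " ", ascii_name.casefold()).split()
    return " ".join(t for t in tokens if t not in _SUFFIXES)


@dataclass(frozen=True)
class Hit:
    party_role: str
    party_name: str
    list_name: str
    list_version: str
    matched_entry: str
    score: float


def screen_party(role, name, lists=RESTRICTED_LISTS, threshold=0.85):
    """Return every list entry whose normalized form is similar to the party name.

    The threshold is a tuning choice: too high misses transliteration variants
    and typos, too low floods reviewers with false positives.
    """
    norm = normalize(name)
    hits = []
    for (list_name, version), entries in lists.items():
        for entry in entries:
            score = SequenceMatcher(None, norm, normalize(entry)).ratio()
            if score >= threshold:
                hits.append(Hit(role, name, list_name, version, entry, round(score, 3)))
    return hits


def screen_transaction(parties, lists=RESTRICTED_LISTS, threshold=0.85):
    """Screen every party of a transaction (customer, bank, forwarder, end user)."""
    hits = []
    for role, name in parties.items():
        hits.extend(screen_party(role, name, lists, threshold))
    return hits


# Constructed transaction: an exact match, a suffix-only variant, a clean
# party, and a one-letter misspelling that exact matching would miss.
SAMPLE_TRANSACTION = {
    "customer": "ACME TRADING CO LTD",
    "bank": "Nordwind Bank",
    "freight_forwarder": "Blue Harbor Logistics",
    "end_user": "Zephyr Precision Componets",
}
```

    Any hit blocks the transaction for manual review; the recorded list version is what an auditor later checks against the list revision in force on the shipment date.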

    MetricStream enables organizations to continually audit their internal export processes and test internal controls to validate sustainable compliance and ensure that they have a mechanism to identify gaps and deficiencies in their process and remedy them.

    eDiscovery
    The litigation and discovery environment is changing very quickly due to benchmarks like Zubulake and use of electronic discovery as a routine element of most matters. Based on the emerging Zubulake V and Delaware standards for preservation and production, organizations must have a repeatable process for communicating and ensuring legal holds, to prevent disposal of relevant electronic data. Non-compliance creates a huge financial exposure due to the risk of significant fines and penalties. In addition, organizations must ensure that the corporate retention policies are defined, communicated and being followed.

    MetricStream enables organizations to continually audit their internal retention processes and test internal controls to evaluate sustainable compliance with corporate retention policies, validate that they have a repeatable process for ensuring legal holds and make certain that they have a mechanism to identify gaps and deficiencies in their process and remedy them in a timely manner.

    Operational Risk Management (ORM)
    Operational risk can come from various sources, including mergers/acquisitions requiring extensive integration in a business unit, new regulations that may be subject to varying interpretation, or entry of a company into a new market with substantial exposure and return. By implementing a risk management framework, organizations can reduce the likelihood of unexpected disruptive business events in their environment. As a result, they can increase their operating margins, reduce earnings volatility, enhance process efficiency, improve regulatory compliance and optimize cash flow reserves. It is a challenge to engage a cross-functional team in an ORM initiative that is enabled only by email and spreadsheets.

    MetricStream's solution integrates all risk management-related data - a reusable library of risks and their corresponding controls and assessments, results from individual assessments, key risk indicators, events such as losses and near-misses, issues and remediation plans - in a single solution. It leverages best-practices content to help define the scope of processes and sub-processes for which risk management needs to be performed, and to help develop control and test libraries. Its workflow capabilities streamline the risk assessment process. Once risk has been assessed, it enables organizations to prioritize using risk heat maps and make strategic decisions on risk response. The same workflows enable organizations to easily track issues and drive their remediation process to ensure risk mitigation. In addition, the feedback loop enables organizations to develop new controls to lower the likelihood of recurrence of near-misses and unplanned events.

    FERC
    The California energy crisis, the Enron meltdown, and the fitful development of competitive wholesale power markets spurred Federal Energy Regulatory Commission (FERC), the agency that regulates the interstate transmission of natural gas, oil and electricity, to action in recent years to strengthen its policing of regulatory compliance, primarily through its Office of Enforcement. FERC has devoted significant resources to market oversight, regulatory and reliability auditing and investigation. Energy companies that fail to adopt effective, comprehensive regulatory compliance programs do so at their peril. Improper trading activities in the electricity and natural gas markets have triggered investigations and prosecutions that have resulted in criminal convictions and fines.

    MetricStream enables energy companies to continually audit their internal controls and processes to identify risks of non-compliance, validate compliance with FERC regulations and ensure that they have a mechanism to identify gaps and deficiencies and remedy them in a timely manner.

    Environmental Health & Safety (EH&S)
    Workplace safety is emerging as one of the key risk management and regulatory compliance areas. As a result of this trend, traditional workplace environmental health and safety compliance systems, which were designed as point solutions at the plant level, are giving way to enterprise-wide safety management systems. Such systems need to comply with the OSHA 29 CFR regulations and support the OHSAS 18001 framework, while providing enterprise-wide visibility into incidents and trends, corrective actions and process metrics.

    To streamline Environmental Health & Safety (EH&S) programs and support compliance with various federal, state and local reporting requirements, companies are looking at ways to automate environmental health and safety related processes. MetricStream’s environmental health and safety software solution enables organizations to effectively comply with regulatory mandates around EH&S by automating their procedures to discover and document safety issues as well as to track, manage, and close corrective actions.

    Key capabilities of the MetricStream solution include the ability to capture and report incidents, provide information on hazardous materials, initiate and implement containment, corrective and preventive actions, and run powerful reporting and analytics by a variety of parameters such as incident, plant and division. Executive dashboards provide real-time visibility into key process indicators, and email-based alerts and notifications ensure a prompt response.

    Others
    MetricStream GRC solutions can enable companies to streamline compliance with other regulations, such as those of the FAA and EPA, internal initiatives such as retail audits or supplier quality audits, as well as industry mandates such as TREAD and Basel II.

    Best practices content and training from ComplianceOnline.com
    It is simply not enough to have an enterprise solution that enables an organization to keep a central document repository of all relevant process documentation, drive audits, inspections or assessments, track non-conformances and manage the corrective action and remediation process.

    There are two other key components needed for a solid and repeatable GRC initiative:

    • A library of Best Practices Content, so an organization does not have to create everything from scratch
    • Ongoing training for all stakeholders, so that they are better educated on the regulations and how to address them, which significantly reduces the risk of non-compliance.

    MetricStream addresses this issue head-on with its popular ComplianceOnline.com portal, which is integrated with its enterprise solutions. Key capabilities include:

    • Comprehensive research on regulations, best practices, articles, news and thought leadership on compliance, aggregated from some of the best sources on compliance worldwide, including regulatory bodies, publications, corporations, experts and practicing professionals. ComplianceOnline.com contains thousands of relevant documents covering a broad set of compliance issues, including Governance, Ethics, Risk, FDA, Sarbanes-Oxley, Food Safety, Environmental, FERC/Energy, Quality, ISO 9000, SEC and SOX.
    • Online web-based training on hundreds of specific topics for regulatory professionals worldwide, delivered by industry experts in their specific domains. The training is offered both live and on-demand. Regular alerts provide time-sensitive regulatory, industry and market updates to subscribers.
    • An aggregated library of over 20,000 compliance products available through its commerce channel. These products include standards, checklists, templates and e-books written and published by industry experts to promote best practices in compliance. For example, ComplianceOnline.com recently added the entire ISO standards repository in digital format via a partnership with the American National Standards Institute (ANSI), the sole U.S. representative of the International Organization for Standardization (ISO).
    • A vibrant online community of thousands of professionals who interact with each other, asking questions and seeking advice on complex regulatory interpretations on hundreds of different topics in the areas of governance, risk, compliance and quality.
    • A highly sophisticated vertical search engine built on a proprietary taxonomy specific to governance, risk and compliance, so that users can get to the relevant information they want quickly. Every piece of content, training, community discussion and product offered on the site is indexed for fast and relevant retrieval.