How Autodesk Moved from Siloed to Integrated IT Risk and Compliance Processes

At MetricStream’s flagship event, GRC Summit, Clyde Tsai, GRC Lead at Autodesk, shared how MetricStream has helped them implement an integrated framework for IT risk and compliance management programs. Autodesk is a leading provider of software products to architecture, engineering, construction, product design, manufacturing, media, and entertainment industries.

Here are the key takeaways from Clyde’s session at the summit.

Why MetricStream?

Clyde: One of the very special things about Autodesk teaming up with MetricStream is that we're trying to get FedRAMP compliant. We are in the midst of getting the authority to operate in FedRAMP – it is the ability to sell to the federal government. It’s a huge audit and continuous process. That was actually our main driver for choosing MetricStream.

Apart from that, we're also doing compliance for a range of frameworks. We’re trying to infuse more of a culture of risk-aware decision-making. We have a small risk team and we’re trying to do as many risk assessments as we can. Automation really helps us with that.

The Journey So Far

Clyde: We’re two years into it. Specifically, the products – IT and Cyber Risk Management, IT and Cyber Compliance Management, and Policy and Document Management. All of our initial use cases are security use cases – security compliance, security risk, FedRAMP compliance, and security policies.

Key Challenges and Learnings

Clyde: We have this challenge with silos – we have security, privacy, internal audit, ERM, IT, and legal. The challenge that I see here is understanding and being informed when something is happening in any of these areas that affects me as a GRC implementation person. To address this challenge, we are just learning how to do interdisciplinary working groups.

An example of this is our initiative to put together an information asset inventory, which is a requirement for ISO and other frameworks. This information asset inventory includes all organizational databases, EC2s, containers, and much more. To do it right, one should collect this data from other systems. But the challenge is determining the authoritative sources of truth and what the systems are, what data is in them, and then normalizing them if they're coming from multiple systems.

In such a situation, one should piggyback on other data consolidation efforts. And that's one thing that I've learned while putting together these interdisciplinary groups. I am communicating with these groups, and they have similar initiatives going on. So, I can put my requirements in there as they might have bigger teams for doing these things.

Another challenge is that we have some processes that are mature and some that are immature. MetricStream has a lot of these workflows already as out-of-the-box workflows. Therefore, you have an opportunity to just use that as your process and have the perfect alignment between your technology and your process, which is rare to have.

Business Value and Realized Benefits

Clyde: Regarding business value that we have realized:

  • We now have a one-stop shop for product owners and other leaders on SOC2 and ISO compliance. We plan to do a lot of other frameworks, like SOX, which we have to comply with.
  • We have a single source of truth risk register for Autodesk at least from the security perspective.
  • Regarding security risk assessments, we are in the process of getting those onboarded on MetricStream.
  • We have implemented an integrated framework and process for integrating all risk data.
  • We have a huge requirement around FedRAMP, which requires us to report to our sponsoring federal agency every month, such as how we are doing against vulnerabilities, etc. We have achieved complete automation around FedRAMP Plan of Action and Milestones (POAM) tracking:
    • Generation of monthly POAM Report to sponsoring agency
    • Issues tracking for open vulnerabilities
    • Parity checks to ensure more than 90% of assets are scanned

Going forward, our priorities include end-to-end compliance testing, integrated control framework, automated evidence collection, and security policy management lifecycle.
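The POAM automation Clyde lists above (the parity check that more than 90% of assets were scanned, tracking of open vulnerabilities, and the monthly report to the sponsoring agency) and the multi-source asset inventory normalization he describes under Key Challenges both reduce to a small amount of logic once the authoritative sources are decided. The following is an added example, not Autodesk's or MetricStream's code: every asset record, scanner result and finding in it is constructed, the field names are assumptions, and the 30/90/180-day remediation windows used to derive POA&M due dates are an assumed policy, not something the session states.

```python
# Added example (not Autodesk's or MetricStream's code): normalize an asset
# inventory drawn from several systems, run the ">90% of assets scanned"
# parity check, and build POA&M items for open vulnerabilities.
# All records below are constructed; remediation windows are assumptions.
from datetime import date, timedelta

COVERAGE_THRESHOLD = 0.90          # parity check: more than 90% of assets scanned
# Assumed remediation windows (days from discovery) used to derive POA&M due dates.
REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}
REPORT_DATE = date(2024, 6, 1)     # constructed "as of" date for the monthly report

# Constructed feeds from two systems that both claim to know the asset estate.
CLOUD_INVENTORY = [
    {"id": "web-01.corp.example", "type": "ec2", "owner": "platform"},
    {"id": "db-01.corp.example", "type": "rds", "owner": "data"},
    {"id": "WEB-02", "type": "ec2", "owner": "platform"},
    {"id": "worker-01", "type": "container", "owner": "platform"},
]
CMDB_EXPORT = [
    {"id": "web-01", "type": "server", "owner": "platform", "env": "prod"},
    {"id": "db-01", "type": "database", "owner": "data", "env": "prod"},
    {"id": "Legacy-App", "type": "server", "owner": "finance", "env": "prod"},
]
# Constructed scanner output: hosts the scanner actually assessed this month.
SCANNED_HOSTS = ["web-01.corp.example", "db-01", "web-02", "worker-01"]
# Constructed scanner findings.
FINDINGS = [
    {"id": "F-1", "asset": "web-01", "severity": "High", "discovered": date(2024, 4, 15), "status": "open"},
    {"id": "F-2", "asset": "db-01", "severity": "Moderate", "discovered": date(2024, 5, 1), "status": "open"},
    {"id": "F-3", "asset": "web-02", "severity": "Low", "discovered": date(2024, 1, 1), "status": "closed"},
]


def normalize_id(raw):
    """Canonical asset key: lowercase, trimmed, domain suffix dropped."""
    return raw.strip().lower().split(".")[0]


def build_inventory(*sources):
    """Merge (name, records) feeds into one inventory keyed by canonical id.

    The first feed listed is treated as authoritative: later feeds may add
    assets and fill in missing fields but never overwrite a populated one.
    """
    inventory = {}
    for source_name, records in sources:
        for rec in records:
            entry = inventory.setdefault(normalize_id(rec["id"]), {"sources": []})
            entry["sources"].append(source_name)
            for field, value in rec.items():
                if field != "id" and field not in entry:
                    entry[field] = value
    return inventory


def coverage_check(inventory, scanned_hosts, threshold=COVERAGE_THRESHOLD):
    """Parity check between the inventory and what the scanner covered."""
    scanned = {normalize_id(h) for h in scanned_hosts}
    unscanned = sorted(k for k in inventory if k not in scanned)
    ratio = (len(inventory) - len(unscanned)) / len(inventory) if inventory else 0.0
    return {"ratio": ratio, "passes": ratio > threshold, "unscanned": unscanned}


def build_poam(findings, as_of):
    """One POA&M line per open finding, with its due date derived from severity."""
    items = []
    for f in findings:
        if f["status"] != "open":
            continue
        due = f["discovered"] + timedelta(days=REMEDIATION_DAYS[f["severity"].lower()])
        items.append({
            "finding": f["id"],
            "asset": normalize_id(f["asset"]),
            "severity": f["severity"].lower(),
            "due": due,
            "overdue": as_of > due,
        })
    return sorted(items, key=lambda i: i["due"])


def monthly_report(as_of=REPORT_DATE):
    """Summary block of the kind a monthly POA&M report to the sponsor would carry."""
    inventory = build_inventory(("cloud", CLOUD_INVENTORY), ("cmdb", CMDB_EXPORT))
    coverage = coverage_check(inventory, SCANNED_HOSTS)
    poam = build_poam(FINDINGS, as_of)
    return {
        "as_of": as_of.isoformat(),
        "assets": len(inventory),
        "scan_coverage": round(coverage["ratio"], 3),
        "coverage_passes": coverage["passes"],
        "unscanned": coverage["unscanned"],
        "open_items": len(poam),
        "overdue_items": sum(i["overdue"] for i in poam),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(monthly_report(), indent=2))
```

With the constructed data the parity check fails (4 of 5 assets scanned, 80%) because the CMDB knows about a legacy host the cloud feed does not, which is exactly the kind of gap a consolidated inventory surfaces and a single-source one hides; the report also flags the high-severity finding as overdue. Ordering the feeds so the most authoritative one comes first is the design decision that matters most here, since it decides which system wins when two records disagree about the same asset.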

Join us in our upcoming GRC Summit 2024 in Baltimore on June 17-18 to explore other real-world GRC implementation stories.


Shampa Mani, Assistant Manager – Marketing

Shampa Mani, Assistant Manager - Marketing, at MetricStream, has over 7 years of experience in content writing and editing. Prior to joining MetricStream, she worked in the news and media industry, covering news on fintech, blockchain technology, and digital currencies. Academically, she has an MBA in Business Economics and an MA in Economics. In her free time, she loves to cook, read, and delve into the world of UFOs and extraterrestrials.