Home to thousands of employees and millions of customers, the bank is one of the largest financial institutions in Canada. They are also one of the most highly regulated—and therefore, subject to various compliance risks that directly impact their credibility and performance. Earlier, these risks were handled in a siloed manner with little if any collaboration across the three lines of defense. Seeking to change this pattern, and manage compliance more “strategically,” the bank embarked on a GRC journey with MetricStream.
They invested in an integrated compliance management system that would enable them to efficiently combine compliance data from across the enterprise, while delivering an aggregated view of compliance risks to support decision-making.
The legacy technology that the bank used to support their compliance control testing and efficiency management processes had reached its end of life. Rather than simply replacing the tool with a new system, the bank wanted to adopt a more strategic approach to compliance.
For years, they had conducted compliance risk assessments in a largely ad hoc and fragmented manner, i.e., using various formats, rating scales, and schedules. But soon, they began looking for a more consistent, integrated approach – one that would offer them a holistic view of compliance risks across the organization. They were keen to streamline risk and compliance assessments and, over time, strengthen risk transparency. They also wanted to do away with manual data-gathering processes, and instead focus on the analytical component of compliance, i.e., drawing out meaningful insights from data.
Building a new compliance program meant that the bank had to have their basics in place. For instance, risk and process taxonomies needed to be standardized. However, given that there were 60,000 organizational units running into 17 levels, it was a huge challenge to map each unit to the corresponding processes, risks, and controls. Before selecting a tool to support their compliance efforts, the bank wanted to understand their readiness and preparedness for an integrated compliance program.
They knew that technology was only one piece of the puzzle, and that without people and processes in place, compliance challenges would persist, no matter how sophisticated the technology was. Therefore, the bank’s first step in transforming their compliance program was to establish the foundational elements, or backbone, of the program that would drive their ability to integrate information. They were keen to establish a clear structure, while gaining consensus upfront from all key stakeholders on the basic ingredients of the program, such as the types of processes, organizations, risks, regulations, and controls that needed to be included. The relationships between these elements also needed to be mapped. Added to that, the compliance technology had to be extensible, i.e., able to cater to future GRC use cases such as internal audit and business continuity management. With these factors in mind, the bank chose to embark on a GRC journey with MetricStream.

• Lack of an aggregated view of compliance risks across the organization
• Inordinate amount of time spent on compiling risk and compliance data for reporting
• Difficulties in drawing out valuable insights from risk and compliance data

• Compliance management
• Regulatory change management

• Holistic, timely view of compliance risks to drive decision-making
• Less manual effort, increased efficiency in compliance management
• Improved credibility with senior stakeholders and regulators
Using the MetricStream GRC Platform as a foundation, the bank implemented solutions for compliance management and regulatory change management. Today, the bank has an efficient and standardized compliance program with an integrated view of risks across the organization. This new approach has strengthened the bank’s credibility with senior stakeholders and regulators.
Using the MetricStream compliance management solution, the bank has enabled a whole new approach to compliance – right from the way they document regulations, manage risks and controls, and assess compliance risks, to the way they create and execute test plans, track compliance issues, and record results.
Accepting all these changes was initially a challenge for end users such as control testers. But once they understood the rationale behind the changes, as well as the resulting benefits, they quickly came on board. The way a control test is documented today provides far more insight than before into the quality of testing. With control rationalization, redundancies in testing have been eliminated. Meanwhile, compliance risk assessments have been streamlined for improved efficiency.
Stakeholders now have an aggregated view of risks across the enterprise. Using several graphical dashboards, they can easily check the status of the compliance program and readiness at each level of the organization. They can also compare assessment results across different tests. Prior to using the MetricStream solution, the bank had a dedicated resource only for compliance reporting, but today, that resource can be better utilized in other compliance processes.
With the MetricStream solution, the bank can effectively aggregate and monitor compliance risks at the enterprise level
Using the MetricStream solution for regulatory change management, the bank’s compliance team can track regulatory updates faster and more efficiently than before. Whenever a new compliance requirement arises, it is documented as an RGT (Requirement Group Topic) and tagged to a process, risk, control, or other GRC foundational element.
The impact of a new or updated regulation on internal processes is calculated through a risk assessment of both inherent and residual risks. Based on the resulting score, the compliance team can determine whether or not action must be taken to contain the impact of the regulatory change. Several dashboards enable the team to closely track the organization’s regulatory change management status, regulatory developments, tasks, and issues.
The MetricStream compliance management solution enables a comprehensive approach to the process of defining key performance and risk indicators. It also provides a powerful framework to evaluate compliance controls, processes, and risks.
Using the solution, the bank can define key indicators for selected risks (KRIs), controls (KCIs), and performance objectives (KPIs). These indicators are measured against set thresholds to identify potential threats that need to be mitigated proactively. If a threshold is breached, alerts and notifications are automatically sent to the relevant personnel. Through dashboards, users can gauge the performance of key metrics, and analyze risk trends over a period of time to assess breach patterns.
The MetricStream GRC platform can be used to address multiple current and future GRC use cases across numerous business groups in the organization