Case Study

Global SaaS Provider Reinforces IT Compliance and Policy Management


As one of the world’s largest cloud computing enterprises with operations across the globe, the company is subject to a range of IT regulations. These regulations vary from one region to the next and are constantly changing or being updated. Needless to say, compliance management is often a Herculean effort.

Meanwhile, with a wide range of internal and external risks, the company is required to implement a comprehensive enterprise risk management framework to identify, mitigate, and monitor the risks in a timely manner. To reinforce risk management and regulatory compliance, periodic internal audits are key. And to enhance compliance, as well as to highlight potential risks, policies need to be defined and mapped to specific regulations, risks, and controls.

Meeting these demands isn’t easy. How do you create a standard baseline across different compliance frameworks? How do you conduct multi-dimensional risk assessments based on various qualitative and quantitative parameters? How do you manage a growing number of annual certifications and audits? How do you streamline the creation and communication of policies?

The answer, to a large extent, lies in one’s approach to GRC. Over the years, traditional GRC methods and processes at the company had failed to offer stakeholders the risk visibility and efficiency they were looking for. They needed to standardize risk and control frameworks, and to provide assurance to customers that they were conforming to all compliance requirements. To do that, they needed a single and unified GRC platform that would help them rationalize compliance controls, streamline audit activities, improve risk visibility, and simplify policy management.


Why a Manual and Siloed Approach to GRC Didn’t Work :Being a global, cloud-based enterprise, the company manages more than 5,000 compliance requirements across 20 different programs globally. These requirements range from FFIEC regulations, to the FedRAMP program, as well as HIPAA, HITRUST, and mandates from the DoD.1

The company also has to ensure that their global employees, numbering in the tens of thousands, have attested to IT security policies. These policies, in turn, are aligned to more than 70 IT standards. Added to that are an extensive number of IT certifications and audits that have to be managed throughout the year.

In the past, the company had used homegrown techniques and spreadsheets to manage IT compliance, policies, audits, and risks. Their processes and controls were neither scalable nor integrated and, thus, costly. The lack of a common risk taxonomy as well as a standard compliance framework and control testing process further complicated governance and compliance.

To strengthen digital innovation, the company’s strategy was to acquire new businesses aligned with its own strategic initiatives. This approach, while profitable, increased the number of regulations that the company had to comply with. Change management processes were largely manual and therefore time-consuming, resource-intensive, complex, and costly.

Meanwhile, teams that managed IT compliance, audits, security, engineering, and sales were unable to effectively collaborate and align compliance requirements with the company’s business objectives. Siloes were rampant, and that, in turn, delayed the process of collecting and analyzing IT compliance data for executive-level reporting. All of these factors slowed down decision-making.

To overcome these challenges, the company began assessing various governance, risk, and compliance (GRC) solutions in the market. They eventually selected the MetricStream Enterprise GRC Solution to help them manage a wide range of regulatory requirements and risks, while strengthening collaboration and coordination across teams.

Reducing Compliance Costs, Strengthening Compliance Intelligence : MetricStream’s integrated GRC solution for the company includes capabilities for IT compliance management, enterprise risk management, audit management, policy management, and SOX compliance management.

The solution has enabled the company to automate their IT compliance management workflows, while consolidating compliance data in a centralized repository. A common control framework, maintained by the solution, makes it easy to manage and monitor compliance requirements. Pre-defined, real-time reports and user-specific dashboards offer executive management the visibility they need to track the company’s overall compliance profile.

The solution also integrates with a leading thirdparty HR tool named Workday to pull user-specific information on the company’s permanent employees, business partners, and a select set of consultants and auditors.

Minimizing Policy Management Redundancies and Inefficiencies : The company now has a flexible system to streamline and automate workflows across the policy and document management lifecycle. Policies can be mapped to the company’s compliance regulations and controls, while policy attestations and exceptions can be tracked efficiently. Graphical reports and dashboards increase the transparency of the entire policy and document management process.

Using the solution, the company has been able to harmonize controls across multiple IT standards and compliance requirements – specifically, 300 controls across more than 5,000 IT compliance requirements which, in turn, has enabled a 90% consolidation in effort.

Streamlining Audit Management : The MetricStream solution facilitates a systematic and structured approach to audit activities, ranging from audit planning, scheduling, and scoping, to issue remediation and reporting. A centralized repository stores all audit findings and artifacts. Rich operational and management reporting capabilities strengthen risk-awareness, enabling senior stakeholders in the company to make better and faster decisions.

Improving Visibility into Enterprise Risks : Using the solution, the company has implemented an organized and efficient approach to enterprise risk management. The tool supports industrystandard risk assessment methodologies and standards, while delivering a real-time view of risks across the organization. Risk owners can conduct simple or advanced assessments using multiple factors and advanced risk scoring methodologies across business units, regions, and products. Users gain a holistic view of risk management programs and metrics through role-based reports and dashboards.

Optimizing SOX Compliance : The solution has given the company an enterprise- wide internal control management platform to support SOX compliance workflows, including risk assessment planning and scheduling, as well as control testing and assessments. Compliance dashboards and risk heat maps deliver enterprise-wide visibility into financial control management and compliance processes.

1FFIEC - Federal Financial Institutions Examination Council; FedRAMP - Federal Risk and Authorization Management Program; HIPAA - Health Insurance Portability and Accountability Act; HITRUST - Health Information Trust Alliance; DoD – Department of Defense


  • Adhere to a growing volume of IT regulations 
  • Track policy attestation 
  • Accelerate audit cycles, and reduce audit costs 
  • Conduct advanced risk assessments 
  • Ensure control attestation compliance

Ready to get started?

Speak to our experts Let’s talk