Case Study

Achieving Real-Time Risk and Compliance at Scale: A European Bancassurance Group’s Connected GRC Journey with MetricStream

A leading bancassurance group headquartered in Central Europe offers banking, insurance, and asset management services under one Group umbrella — a complexity that demands not just coordination, but true convergence. For several years, the Group had been running its governance, risk, and compliance (GRC) program on a heavily customized legacy system. Over time, the system became difficult to maintain and no longer met the organization’s needs, creating friction across teams and increasing the risk of failure.

The Group made a bold decision: to bring their entire risk ecosystem onto the MetricStream platform, supporting all three lines of defense with a single, unified vision — one that could bridge banking, insurance, and asset management in a way the legacy system simply could not. The initial deployment covered Operational Risk Management, Compliance Management, Internal Audit Management, and Operational Resilience. Since then, the Group has expanded its program to include Cyber Risk and Compliance, Business Continuity Management, Policy and Document Management, and Regulatory Change Management — bringing together the full suite of MetricStream’s Connected GRC platform across up to 42,000 licensed users.

Having successfully rolled out multiple MetricStream products across the Group, every line of business now speaks a common language of risk. MetricStream’s single-platform vision has become the backbone of its GRC transformation, enabling collaboration, alignment, and confident action — backed by regulator-ready reporting. With MetricStream’s robust GRC context and data model firmly in place, the Group is now exploring MetricStream’s AI-first capabilities, unlocking efficiencies and delivering meaningful, outcome-driven insights to every user across their organization.

"From day one, our guiding principle has been simple: no customizations. We wanted market-standard capabilities we could maintain and scale. MetricStream helped us stay true to that. But it gave us something even more powerful — a single platform where risk, compliance, audit, cyber, and continuity all connect. We no longer piece together information from disparate systems to understand where we stand. That unified visibility has transformed how we make decisions."
— GRC Leader, Leading European Bancassurance Group

Challenges

  • Legacy system required heavy customizations, making it difficult to maintain and scale
  • Fragmented GRC processes across different teams with no consistent framework
  • Manual approach to cyber risk and compliance management
  • No unified view of third-party risk, cyber risk, and operational compliance
  • Compliance with European Central Bank (ECB) regulatory requirements

Business Value Realized

  • Replaced a complex legacy system with a scalable, future-ready platform
  • Unified risk management across the enterprise, spanning risk, compliance, audit, cyber, and resilience
  • Automated compliance processes to reduce manual effort and improve efficiency
  • Strengthened business continuity capabilities through a more integrated, enterprise-wide approach
  • Enabled continuous program expansion to support evolving governance and regulatory needs
  • Scaled adoption across the organization with up to 42,000 users onboarded
  • Established a single source of truth with unified workflows and risk-control visibility
  • Improved collaboration and decision-making with real-time, risk-informed insights
  • Accelerated delivery and execution through incremental rollout and cross-team alignment

Why MetricStream 

The group ran a competitive evaluation before committing to a new platform. After an extensive proof of concept and product demonstrations, MetricStream was selected over several other vendors, with the decision coming down to two things: depth of capability in banking and financial services, and the confidence that the platform could be adopted as-is, without the customization trap the group had fallen into before.

MetricStream’s alignment with ECB regulatory requirements gave the group confidence that the platform could support its compliance obligations from day one.

Building a Connected GRC Program

The initial deployment brought Operational Risk Management, Compliance Management, Internal Audit Management, and Operational Resilience onto a single platform, replacing fragmented, siloed approaches with a common framework across the bank’s core risk and compliance function.

Teams that had previously worked in isolation now operate from the same system and the same data. Risk information is captured consistently and linked to controls, policies, and regulatory obligations, giving the group a clearer and more connected picture of its risk and compliance position. Findings from internal audits feed into the same repository, so issues and remediation activities are tracked in one place rather than managed separately across functions.

On the resilience side, the group has mapped its critical business services, identified the dependencies that underpin them, and assessed the risks associated with potential disruptions. This has moved continuity and resilience planning from a reactive exercise to a structured, ongoing process — one that is now connected to the bank’s broader risk program rather than sitting apart from it.

Expanding the Program for Maximum Benefits 

Following the success of the initial deployment, the group expanded its MetricStream program across additional risk domains, including Cyber Risk and Compliance, Business Continuity Management, Regulatory Change Management, and Policy and Document Management — ultimately bringing together the full suite of Connected GRC capabilities under a single, integrated platform.

The expansion addressed some of the bank’s most pressing operational gaps. Cyber risk and IT compliance had previously been managed manually. Moving these onto MetricStream gave the group automated workflows, controls mapped directly to regulatory requirements, and a single view of cyber risk alongside its operational and compliance risks.

Business continuity planning had been managed on a separate platform, creating a disconnect between continuity activities and the rest of the risk program. Consolidating onto MetricStream closed that gap, linking business continuity directly to operational risk and resilience in a way that had not been possible before.

Policy management presented a different kind of challenge. With a large number of entities and a high volume of documentation to manage, the group needed a structured way to take policies through their full lifecycle — from drafting and review through to approval, communication, attestation, and retirement. By making policy management a connected part of the broader GRC program, the group ensured that policies stayed aligned with its controls and regulatory obligations.

Regulatory Change Management addressed the bank’s need to stay on top of a demanding and evolving regulatory landscape. With oversight from the European Central Bank and a complex operating environment, the group needed a systematic way to track regulatory developments and turn them into timely actions. Now the group has reduced the risk of compliance gaps by ensuring that new regulatory requirements are identified, assessed, and acted on before they become an issue.

Together, these additions unified the bank’s entire risk and compliance program on a single integrated platform available to up to 42,000 licensed users across the organization.

Looking Ahead

With a comprehensive GRC program now in place, the group is beginning to explore how AI can drive greater efficiency across its risk and compliance function. Initial conversations have taken place between MetricStream and the bank’s AI team, with a focus on identifying practical use cases, from automating routine tasks to surfacing insights from the large volumes of risk and compliance data the group generates.

With a strong partnership in place, a clear product roadmap, and growing interest in AI capabilities for its Connected GRC program, this engagement represents a compelling example of how a large, regulated institution can successfully transform its approach to risk and compliance management.
