As one of the world’s largest cloud computing enterprises with operations across the globe, the company is subject to a range of IT regulations. These regulations vary from one region to the next and are constantly changing or being updated. Needless to say, compliance management is often a Herculean effort.
Meanwhile, with a wide range of internal and external risks, the company is required to implement a comprehensive enterprise risk management framework to identify, mitigate, and monitor the risks in a timely manner. To reinforce risk management and regulatory compliance, periodic internal audits are key. And to enhance compliance, as well as to highlight potential risks, policies need to be defined and mapped to specific regulations, risks, and controls. Meeting these demands isn’t easy.
How do you create a standard baseline across different compliance frameworks? How do you conduct multi-dimensional risk assessments based on various qualitative and quantitative parameters? How do you manage a growing number of annual certifications and audits? How do you streamline the creation and communication of policies? The answer, to a large extent, lies in one’s approach to GRC. Over the years, traditional GRC methods and processes at the company had failed to offer stakeholders the risk visibility and efficiency they were looking for. They needed to standardize risk and control frameworks, and to provide assurance to customers that they were conforming to all compliance requirements.
To do that, they needed a single and unified GRC platform that would help them rationalize compliance controls, streamline audit activities, improve risk visibility, and simplify policy management.
Being a global, cloud-based enterprise, the company manages more than 5,000 compliance requirements across 20 different programs globally. These requirements range from FFIEC regulations to the FedRAMP program, as well as HIPAA, HITRUST, and mandates from the DoD. The company also has to ensure that their global employees, numbering in the tens of thousands, have attested to IT security policies.
These policies, in turn, are aligned to more than 70 IT standards. Added to that are an extensive number of IT certifications and audits that have to be managed throughout the year. In the past, the company had used homegrown techniques and spreadsheets to manage IT compliance, policies, audits, and risks. Their processes and controls were neither scalable nor integrated and, thus, costly. The lack of a common risk taxonomy as well as a standard compliance framework and control testing process further complicated governance and compliance.
To strengthen digital innovation, the company’s strategy was to acquire new businesses aligned with its own strategic initiatives. This approach, while profitable, increased the number of regulations that the company had to comply with. Change management processes were largely manual and therefore time-consuming, resource-intensive, complex, and costly.
Meanwhile, teams that managed IT compliance, audits, security, engineering, and sales were unable to effectively collaborate and align compliance requirements with the company’s business objectives. Silos were rampant, and that, in turn, delayed the process of collecting and analyzing IT compliance data for executive-level reporting. All of these factors slowed down decision-making.
To overcome these challenges, the company began assessing various governance, risk, and compliance (GRC) solutions in the market. They eventually selected the MetricStream Enterprise GRC Solution to help them manage a wide range of regulatory requirements and risks, while strengthening collaboration and coordination across teams.
• Adhere to a growing volume of IT regulations
• Track policy attestation
• Accelerate audit cycles and reduce audit costs
• Conduct advanced risk assessments
• Ensure control attestation compliance
• Improved IT compliance maturity and sustainability
• Reduced the cycle time needed to create and align policies with regulatory requirements
• Standardized the audit execution methodology
• Enabled transparent quarterly control certifications and attestations
• Improved risk visibility with a single view of the top risks across the first and second lines of defense
MetricStream’s M7 Integrated Risk Platform – intelligent by design, as implemented for the company, includes capabilities for IT compliance management, enterprise risk management, audit management, policy management, and SOX compliance management. The product has enabled the company to automate their IT compliance management workflows, while consolidating compliance data in a centralized repository.
A common control framework, maintained by the product, makes it easy to manage and monitor compliance requirements. Pre-defined, real-time reports and user-specific dashboards offer executive management the visibility they need to track the company’s overall compliance profile. The product also integrates with a leading third-party HR tool named Workday to pull user-specific information on the company’s permanent employees, business partners, and a select set of consultants and auditors.
The company now has a flexible system to streamline and automate workflows across the policy and document management lifecycle. Policies can be mapped to the company’s compliance regulations and controls, while policy attestations and exceptions can be tracked efficiently. Graphical reports and dashboards increase the transparency of the entire policy and document management process.
The MetricStream product facilitates a systematic and structured approach to audit activities, ranging from audit planning, scheduling, and scoping, to issue remediation and reporting. A centralized repository stores all audit findings and artifacts. Rich operational and management reporting capabilities strengthen risk-awareness, enabling senior stakeholders in the company to make better and faster decisions.
Using the product, the company has implemented an organized and efficient approach to enterprise risk management. The tool supports industry-standard risk assessment methodologies and standards while delivering a real-time view of risks across the organization. Risk owners can conduct simple or advanced assessments using multiple factors and advanced risk scoring methodologies across business units, regions, and products. Users gain a holistic view of risk management programs and metrics through role-based reports and dashboards.
The product has given the company an enterprise-wide internal control management platform to support SOX compliance workflows, including risk assessment planning and scheduling, as well as control testing and assessments. Compliance dashboards and risk heat maps deliver enterprise-wide visibility into financial control management and compliance processes.