The Client: A Leading Wholesale Cooperative Bank
Hundreds of financial institutions depend on the bank as a stable source of funding through all economic cycles. Given this enormous responsibility, the bank is committed to ensuring that its risks and compliance requirements are effectively managed, monitored and mitigated. The risk management team assesses and monitors risks regularly, while the audit team oversees audit processes, control self-assessments and testing of control requirements for SOX compliance.
Previously, most risk, compliance and audit initiatives were conducted using paper-based spreadsheets, where a lot of time and effort was spent in recording and updating data, as well as preparing reports. Compounding the challenge, multiple independent systems and processes were used to handle various risk, compliance and audit activities. Therefore, it was difficult for teams to collaborate on and coordinate these activities across the enterprise.
Given these limitations, the bank felt the need to improve the operational efficiency of risk, compliance and audit processes, and establish a more integrated, collaborative pattern of functioning.
To overcome the above challenges, the bank wanted to replace its existing risk, compliance and audit management systems with an integrated framework that would enhance coordination across the bank, automate complex and time-consuming processes, and save resources and costs.
After considering several vendors, the bank picked MetricStream to address its various needs. The selection was based on MetricStream’s leadership in the GRC space, as well as its superior capabilities and its flexible, single platform approach.
For the bank, MetricStream implemented a comprehensive solution for risk, compliance and audit management, built on its GRC platform, and designed to scale across the enterprise.
Risk Management: The MetricStream solution enables the bank’s risk managers to efficiently manage, monitor and mitigate risks across a wide variety of processes and functions, including Information Technology, Investments and Mortgage Assets, Liquidity and Balance Sheet Management, Community Investments, Non-Credit Services, and Strategy, Governance and Goals.
The solution helps assess risks across the organization based on configurable methodologies and algorithms. It provides a clear, centralized view into the organization’s risk profile with comprehensive qualitative risk information such as the number of risks, risk rating and comparison with previous risk scores. This enables managers to prioritize their response strategies for optimal risk-reward outcomes.
The solution also provides a centralized library of all risks and controls along with their assessments, KRIs, KPIs and other important risk metrics, which can be leveraged to track the status of risk management and check if a particular control was tested. Executive dashboards provide enterprise-wide visibility into the risk management process and use risk heat maps to highlight issues that need to be addressed.
Risk managers can also track risk profiles, control ownership, assessment plans and other important data on graphical charts that display real-time information. The ability to drill down provides an easy way to access the data at finer levels of detail.
Internal Audit Management: The MetricStream solution enables the bank to streamline the complete internal audit lifecycle - beginning with risk assessments and audit planning, and extending through audit execution, fieldwork, data collection, review and approval of findings, and development of audit reports and recommendations.
The solution is used by 12 auditors at the bank to schedule internal audits periodically or on an ad hoc basis, and link them to the compliance and risk management processes. They can also leverage the solution’s powerful tools such as shared calendars, auditor time sheets, budget tracking and assignment tracking to efficiently plan and allocate resources to various projects. Automated alerts keep the process on track, and ensure that deadlines are adhered to.
During the audit itself, the solution enables the bank’s auditors to record qualitative and quantitative findings alongside the checklist of evaluation criteria. The status of the audit can be tracked and measured against milestones to ensure timely execution. In addition, the solution supports multiple simultaneous audit tasks, collaborative reviews and fieldwork approvals to improve productivity and collaboration.
SOX Compliance Management: Using the MetricStream solution, the bank’s auditors can structure a logical compliance and controls hierarchy, including processes, sub-processes, objectives, risks, controls and control activities. The solution also provides capabilities to capture all the processes, associated financial accounts and financial statements for a business unit. Risks and controls are identified with appropriate linkages, while associated policies and procedure documents can be attached for reference.
Auditors can design tests and evaluations to assess controls, assign tasks to employees based on roles and responsibilities, and schedule assessments based on controls and risk types. The system supports assessments based on predefined checklists, and has a mechanism for scoring, tabulating and reporting results. It also supports continuous control monitoring to ensure that controls around trading information are operating effectively.
With the MetricStream solution, auditors can identify controls as manual or automated, and track the design status, process ownership, assessment plans and other factors on graphical charts with drill-down features. Thereby, they can create a streamlined and transparent view of their control data, simplifying the processes of verification and control.
Issue Management: Issues identified during the audit or compliance process are automatically routed by the solution through a systematic process of investigation and resolution. The solution assigns a unique issue number to each issue, categorizes it, and captures detailed information on it so that the bank’s auditors can closely track the status of the issue as it moves from one stage to the next. The solution also supports correlation with past data to analyze the issue and determine the appropriate course of action.
Automatic alerts are triggered to the appropriate bank personnel for investigating the issue, identifying the root cause, and determining the immediate remedial action to contain the impact of the issue. The investigation is driven by collaborative workflows that ensure responsiveness by assigning investigative tasks to an individual or a team with due dates based on severity level.
Once a corrective action or remediation is initiated, the issues remain open till the action plan is carried out, and results are verified for effectiveness. Graphical dashboards enable the bank to track the status of the issue as it automatically moves from one stage to the next based on organizational procedures.
Reporting: With the MetricStream solution, the bank can automate the generation of multiple reports - both preconfigured standard reports and ad hoc reports. These reports provide a consolidated view of metrics by a variety of parameters such as process, business units and status. They also provide quarterly and monthly trending analyses along with the ability to drill down into each report and see the underlying details.
The process of reporting is simplified as the system automatically generates mandatory reports in formats and layouts prescribed by the regulatory bodies. The reports are generated in standard file types such as MS Word and can be further worked on before being submitted.
Complex and extensive compliance and audit requirements: The bank had a small, specialized audit team to manage compliance and audit activities. But given the number of regulatory requirements, the team found it increasingly complex to continually monitor all the controls across the organization, identify high risk areas, ensure that audits were conducted at regular intervals, and investigate and resolve issues quickly.
High costs, limited efficiency: The bank relied on manual processes and paper-based spreadsheets to conduct risk assessments, test controls, and prepare reports. This often resulted in excessive paperwork, unwieldy documents and extensive email and paper trails. The risk of errors in data entry and calculation was ever-present. Moreover, a lot of time, effort and resources had to be spent on manually managing each risk, compliance and audit activity.
Limited ability to track the status of risk, compliance or audit management: Like any other major financial institution, the bank was confronted with multiple ever-changing risks and regulatory requirements. Yet managing them proactively was difficult because of the lack of real-time visibility into risk, compliance and audit processes. Management was unable to get a clear picture of the overall risk status of the bank at a given time, or the number of outstanding issues across the enterprise. They had to rely on manual reports which took a lot of time to prepare.
Operational redundancies, lack of coordination: Given the size of the organization, most risk assessments, audits and control-based activities were conducted in isolated silos. There was little or no interaction among various departments and business units on how each activity was performed. This led to redundancies and duplication of efforts at various points across the bank. In the process, costs, effort and time were unnecessarily used up.
MetricStream is a reputed leader in the GRC space with some of the largest companies in the financial services industry as its clients.
The MetricStream solution provides an extensive range of innovative and advanced capabilities such as a risk-control library, automated report creation tools, resource management tools, preloaded control tests, powerful dashboards and automatic alerts that proved to be the best fit for the bank’s unique needs.
The MetricStream solution provides a unique blend of content and technology that enables a holistic approach to risk, compliance and audit management.
The MetricStream solution is built on a single platform that integrates risk, compliance and audit processes across the enterprise in a single, centralized framework, thus enhancing visibility into processes, eliminating duplicate activities, and enhancing operational efficiency.
The MetricStream solution is flexible, scalable and extendible to other areas of GRC such as policy management, Dodd-Frank compliance management, Basel III compliance management, regulatory exam management and IT GRC management.