Before MetricStream, the company was missing an integrated GRC approach that could be scaled across the three lines of defense. Its processes for managing risks, issues, and action plans were largely manual and prone to errors and other inefficiencies.
Furthermore, the firm was expanding its third-party ecosystem – onboarding ~10 new vendors per month and expecting to grow to 1,000+ vendors within the next few years. However, the lack of a single repository of third-party profiles and related risk information resulted in the unavailability of timely third-party risk intelligence and delayed decision-making and actions.
To overcome these challenges, the company sought a GRC tool that could help it gain operational efficiencies and demonstrate increasing maturity within its GRC program. It chose MetricStream for its flexible, cloud-based products. MetricStream’s Operational Risk Management and Third-Party Risk Management products enabled it to strengthen, shorten, and automate workflows and processes for managing risks, issues, and action plans.
The company used MetricStream to scale out an integrated GRC program across the three lines of defense. The implementation strengthened collaboration between executives and risk managers, who were able to shorten cycle time and decrease costs for performing risk assessments.
In its use of MetricStream, the firm focused on configuring its data libraries on the MetricStream Platform including organization, risks, regulatory requirements, processes, products, and controls, which were appropriately mapped to each other at the right level, providing a backbone structure for its analytics framework. The detailed data libraries support extensive out-of-the-box reporting and heatmaps and allow the company to roll up and aggregate risks based on organizational and other risk factors.
Improved risk visibility and foresight
Reduced cycle time for risk assessments and supplier management tasks
Improved collaboration across GRC program stakeholders and operational efficiencies
Ability to scale the GRC program as per business needs
With MetricStream products, the company can establish a top-down, risk-driven view across the three lines of defense and document the mapping of risks to business objectives to enable risk-aware corporate strategic planning. Risks have been appropriately aligned with processes, policies, and controls to provide the right level of detail, accountability, and analytics. The company can leverage this data for strong, executive-level reports and visualizations.
The company has been able to strengthen collaboration between executives and risk managers, reduce cycle time, and decrease the costs associated with risk assessments. Switching from manual processes for managing risks, action plans, and issues to automated workflows has allowed the organization to demonstrate GRC maturity with better agility and responsiveness.
With the implementation, the company is able to maintain a line of sight into existing and emerging risks, including those from third-party vendors. This ensures that business performance is not at stake due to supplier performance or non-conformance to policies, procedures, and regulations.
MetricStream Third-Party Risk Management enables the company to leverage KPIs, which provide more context to vendor scores. It has improved visibility into third-party risks with quick risk assessments and automated workflows. The company is better equipped to swiftly move ahead in its journey with faster vendor onboarding, enhanced visibility into vendor risk scores, and streamlined vendor lifecycle management from onboarding to termination.
The company is going through a period of exponential growth, and the MetricStream implementation has allowed it to effectively scale its GRC program accordingly. MetricStream products have been successfully rolled out and are used by GRC program stakeholders, including risk managers, executive leaders, and others. The improvements in cycle time for risk assessments and supplier management tasks helped the team to effectively manage and expand the GRC Program. It has been able to drive operational efficiencies by establishing a strong risk program that delivers forward-looking risk visibility to reduce risk exposure and losses and improve capital allocation.
The company has also identified new business functions and areas to be included in the GRC Program. It is considering use cases to expand the MetricStream product suite to include the IT & Cyber Risk Management product within MetricStream’s CyberGRC.