Case Study

Leading Credit Asset Management Firm Transforms and Scales GRC Program with MetricStream

A leading credit asset management firm wanted to move up the GRC maturity curve and address the inefficiencies resulting from a fragmented approach, siloed third-party database, and manual processes. It sought a GRC solution that offers flexibility and agility to tackle its risk challenges while enabling it to move forward on its GRC journey.

The company selected MetricStream to transform and streamline GRC processes in 2017. With MetricStream’s BusinessGRC products – Operational Risk Management, Third-Party Risk Management, and Business Continuity Management implementation, the goal was to proactively identify and remediate potential sources of operational risk, automate and improve supplier onboarding and risk management, and ensure business continuity.

The Need for Transformation

Before MetricStream, the company was missing an integrated GRC approach that could be scaled across the three lines of defense. Its processes for managing risks, issues, and action plans were largely manual, which were prone to errors and other inefficiencies.

Furthermore, the firm was expanding its third-party ecosystem – onboarding ~10 new vendors per month and expecting to grow to 1,000+ vendors within the next few years. However, the lack of a single repository of third-party profiles and related risk information resulted in the unavailability of timely third-party risk intelligence and delayed decision-making and actions.

To overcome these challenges, the company sought a GRC tool that could help it gain operational efficien-cies and demonstrate increasing maturity within its GRC program. It chose MetricStream for its flexible, cloud-based products. MetricStream’s Operational Risk Management and Third-Party Risk Management products enabled it to strengthen, shorten, and automate workflows and processes for managing risks, issues, and action plans.

The company used MetricStream to scale out an integrated GRC program across the three lines of defense. The implementation strengthened collabo-ration between executives and risk managers who were able to shorten cycle time and decrease costs for performing risk assessments.

Setting It Up

In its use of MetricStream, the firm focused on configuring its data libraries on the MetricStream Platform including organization, risks, regulatory requirements, processes, products, and controls, which were appropriately mapped to each other at the right level, providing a backbone structure for its analytics framework. The detailed data libraries support extensive out-of-the-box reporting and heatmaps and allow the company to roll up and aggregate risks based on organizational and other risk factors.


  • Dependency on fragmented and manual approach 
  • Unavailability of timely third-party risk intelligence due to siloed database 
  • Scaling GRC program based on evolving business requirements

Business Value Realized

  • Improved risk visibility and foresight
  • Reduced cycle time for risk assessments and supplier management tasks
  • Improved collaboration across GRC program stakeholders and operational efficiencies
  • Ability to scale the GRC program as per business needs

Integrated Risk Management

With MetricStream products, the company establish a top-down, risk-driven view across the three lines of defense and document mapping of risks to business objectives to enable risk-aware corporate strategic planning. Risks have been appropriately aligned with processes, policies, and controls to provide the right level of detail, accountability, and analytics. The company can leverage this data for strong, executive-level reports and visualizations.

Operational Efficiencies

The company has been able to strengthen collaboration between executives and risk managers, reduce cycle time, and decrease the costs associated with risk assessments. Switching from manual processes for managing risks, action plans, and issues to automated workflows has allowed the organization to demonstrate GRC maturity with better agility and responsiveness.

Improved Line of Sight

With the implementation, the company is able to maintain a line of sight into existing and emerging risks, including those from third-party vendors. This ensures that business performance is not at stake due to supplier performance or non-conformance to policies, procedures, and regulations.

Better Third-Party Risk Management

MetricStream Third-Party Risk Management enables the company to leverage KPIs which provides more context to vendor scores. It has improved visibility into third-party risks with quick risk assessments and automated workflows. The company is better equipped to swiftly move ahead in its journey with faster vendor onboarding, enhanced visibility into vendor risk scores, and streamlined vendor lifecycle management from onboarding to termination.

To Sum It Up

The company is growing through a period of exponential growth and MetricStream implementation has allowed it to effectively scale its GRC program accordingly. MetricStream products have been successfully rolled out and are used by GRC program stakeholders, including risk managers, executive leaders, and others. The improvements in cycle time for risk assessments and supplier management tasks helped the team to effectively manage and expand the GRC Program. It has been able to drive operational efficiencies by establishing a strong risk program that delivers forward-looking risk visibility to reduce risk exposure and losses and improve capital allocation. 

The company has also identified new business functions and areas to be included in the GRC Program. It is considering use cases to expand the MetricStream product suite to include the IT & Cyber Risk Management product within MetricStream’s CyberGRC.


Ready to get started?

Speak to our experts Let’s talk