Previously, the company had a largely traditional and fragmented approach to governance, risk, and compliance processes across the enterprise. The lack of common risk language and a centralized library of regulatory requirements, processes, risks, controls, and assets led to a lot of inconsistencies and inefficiencies.
The reliance of the second line teams on basic office productivity software such as spreadsheets for control assessments without a centralized database further added to the challenge. This, along with the lack of insightful reporting and charts, made it difficult for the second line or executives to identify risks, control failures, regulatory compliance profile, or issues in an effective manner.
Furthermore, there was a lack of automation of repetitive tasks in operational risk, IT risk, IT compliance, and policy management. The company was also using a wide variety of manual processes and siloed systems across its five affiliates in Canada, the United Kingdom, and Ireland. This resulted in a lack of consolidated view into risk and compliance and hampered the ability of the risk teams to provide actionable information to the senior management and board.
Faced with these challenges, the company decided to renew its GRC approach to make the processes more streamlined, structured, and automated. Its GRC team selected MetricStream to support its Enterprise GRC program. The company chose MetricStream for its ability to deliver on the promise of real-time reporting and monitoring, increased speed in processing, and powerful dashboard metrics.
The implementation kicked off in late 2017. The company planned a phased rollout across multiple business functions, beginning in March 2019 with Policy and Document Management, Operational Risk Management in March 2020, and Regulatory Change Management in Q4 2020. Phase 1 saw the rapid deployment of these products out-of-the-box.
Prior to MetricStream, there was a lack of standardized GRC taxonomy across the enterprise and its affiliates, which led to an inconsistent understanding of GRC-related issues by various business units. With the implementation, the company now has a common GRC language supported by a centralized library that maps regulations, risks and processes, controls, and assets. This has empowered the GRC team to effectively gauge the company’s overall GRC posture and better understand risk relationships, risk impact, the effectiveness of controls, and more.
The integrated solution delivers a unified view of the top risks across the first and second lines of defense. The company now has a single source of truth that provides real-time and in-depth visibility into various types of risk, controls, and processes. It can now efficiently identify and assess operational risks, while also evaluating IT compliance and controls, monitoring new regulations, and remediating information security threats. This, along with interactive executive dashboards, heat maps, and advanced data visualization of key metrics, has enabled the company to optimize its decision-making process.
Common GRC taxonomy
with centralized library
Increased visibility into risks with end-to-end accountability
Increased speed and agility in risk identification and mitigation, regulatory management, control testing, and more
Streamlined policy and document management
Confidence with regulators
MetricStream Regulatory Change Management has simplified the process of ensuring regulatory compliance to a great extent by providing a common framework to manage and monitor a range of financial and IT regulations and standards. Automated and timely regulatory alerts allow the executives to stay on top of regulatory updates. The product also helps to assess the impact of the regulatory change and triggers the appropriate action plan, thereby enabling the company to proactively mitigate regulatory risks and optimize regulatory compliance.
In addition, embedded business intelligence and advanced reporting capabilities have helped the company to improve visibility into regulatory relationships, processes, risks, and controls across its five affiliates. Real-time risk, resilience, and compliance status and analytics have also helped to boost trust with regulators.
The implementation has also helped the company streamline the creation and communication of organizational policies. In addition, a centralized policy portal has greatly simplified the process of storing and accessing the latest policies. MetricStream Policy and Document Management maps policies to regulations, risks, and controls, which helps provide assurance to the senior management that the company is compliant with regulatory requirements.
MetricStream’s issue management capability enables the company to adopt a structured and integrated approach to manage various risk and compliance issues across the enterprise and its affiliates. This unified approach for enterprise-wide issue and remediation management initiatives has helped the company enhance the effectiveness of assurance programs.
With Phase 1 of implementation now complete, Phase 2 will see the implementation of Internal Audit Management, IT Compliance Management, and IT Risk Management, planned for 2022.
With MetricStream, the insurance giant is now achieving efficiencies in policy life cycle management, distribution, and attestation, and has enhanced the speed, agility, and scalability of risk identification and mitigation, regulatory management, control testing, and other process areas. Overall, MetricStream has been the company’s trusted partner in their GRC digitization journey and has helped them improve the maturity of their GRC framework.