Case Study

A Government Department Fortifies GRC Culture by Integrating IT Risk and Compliance Management

Being a public service department, the organization is committed to delivering a wealth of benefits to millions of customers. Earlier however, these services were hampered by weak security and resilience programs, inadequate risk transparency, and insufficient oversight over risk and compliance management. As a result, the organization began looking for a way to optimize risk awareness and response in their enterprise, so that they would be able to deliver safer, better quality services to their customers and communities.

To achieve this objective, the organization needed to develop a strong GRC culture aligned with their specific business objectives — a culture that would enable them to deliver better governance, while strengthening their security and risk management programs, improving their understanding of GRC roles and responsibilities, and interlinking GRC processes based on their business requirements.

Taking Stock

Before embarking on their GRC journey, the organization first approached the Open Compliance & Ethics Group (OCEG) to build a deeper understanding of the GRC space.

They also identified the GRC resources that were already available in their enterprise, including a dedicated risk management function with defined roles and responsibilities, as well as a security and governance framework.

The problem was that these groups and programs operated in silos, which weren’t conducive to a cohesive GRC culture. What the organization needed was a system or solution that would bring together all relevant stakeholders, frameworks, and processes into a common GRC journey. After evaluating various GRC solutions in the market, the organization chose MetricStream for IT and Cyber risk management and IT and Cyber compliance management. With these tools, business, IT, and security teams were gradually able to gain a common view of risks across the enterprise.

Improved IT and Cyber Risk Management Maturity

Today, MetricStream’s product for IT and Cyber risk management has helped the organization streamline the identification, analysis, and mitigation of IT and Cyber risks. The product cuts across enterprise silos, integrating IT and Cyber risk data in a common system for comprehensive risk visibility across the three lines of defense.

The product also simplifies the complete IT and Cyber risk management lifecycle, comprising risk documentation, assessments, and control management, as well as issue detection and resolution.

This systematic and holistic approach has enabled the organization to treat IT and Cyber risks as business risks that have a direct impact on performance and strategy. Additionally, advanced analytics and dashboards help stakeholders transform raw risk data into actionable business intelligence for quicker and better decision-making.

  • Build a strong GRC culture across the enterprise
  • Deliver a real-time view of IT and Cyber compliance risks and of IT and Cyber compliance

Business Value Realized

  • Enhanced consistency of IT and Cyber risk management workflows across business units and divisions
  • Enabled a real-time view of IT and Cyber risks through aggregated risk reports and dashboards
  • Improved visibility into IT and Cyber compliance
  • Reinforced business resilience with a strong GRC culture

Increased Visibility Into IT and Cyber Compliance Risks

MetricStream IT and Cyber Compliance Management has given the organization a centralized system to manage and track compliance with a wide range of IT and Cyber regulations and standards. It enables a structured, standardized process to conduct and schedule IT and Cyber control tests based on pre-defined criteria and checklists. Through a federated approach to IT and Cyber compliance management, users gain detailed insights into IT and Cyber compliance processes across various business units and functional departments.

A flexible, comprehensive reporting and dashboard engine offers a holistic and real-time view of IT and Cyber compliance risks. As a result, top management is better able to anticipate risks with accurate information on their potential business impact.

Integrated Approach to GRC – the Road Ahead

The organization now plans to extend their GRC foundation, and accelerate their GRC journey by implementing MetricStream products for threat and vulnerability management, as well as business continuity management. These products will enable the organization to effectively secure their business critical information technology assets, while minimizing the impact of business disruptions.
