A leading insurer with millions of customers was committed to effectively managing risks arising from new business models, digitalization, and cyber threats. With MetricStream products the company could enable an automated, consistent, and agile approach to governance, risk and compliance, while also gaining contextual risk intelligence to make better-informed decisions faster.

At the insurer’s organization, risk management is not just a second-line responsibility. The first line is also expected to identify risks, test controls, document issues, and attest to their understanding of policies.

Earlier, however, there was no consistency in the way risks and compliance were managed across the lines of the business. Each line used different processes, tools, and taxonomies. This resulted in a complex and siloed GRC environment with little visibility into and agreement on risks. Redundancies in GRC data and processes were quite common.

Legacy tools like spreadsheets only added to the challenge. With so many of these documents floating around the enterprise, it was difficult to get a consolidated and timely view of risks. The second line spent more time on manual administrative tasks like aggregating risk data from various spreadsheets, rather than functioning as advisors to the business.

Eager to overcome these challenges, the company chose MetricStream to provide an integrated risk platform that would not only automate and standardize GRC processes, but also improve visibility into risk and compliance across the enterprise.

Today, MetricStream supports a wide range of GRC activities, including regulatory engagement management, IT compliance and risk management, policy management, survey management, threat and vulnerability management, business continuity management, third-party management, issue management, and enterprise risk management.

The cloud-based implementation was out-of-the-box, leveraging embedded best practices to accelerate deployment timelines. MetricStream products are currently employed by over 50 power users, 200 light users for processes such as issue management, and up to 3,000 users for policy attestations.



With MetricStream, the insurer now has a single source of truth on GRC. The underlying libraries on the platform map regulations, products, services, processes, strategic imperatives, and objectives to risks, controls, and assets. This integrated data model enables stakeholders to proactively identify potential risks, as well as early warning signs of non-compliance.

The product also standardizes GRC processes and taxonomies. No more operational silos or inconsistencies. Everything is managed in a homogenous and harmonized manner. A common GRC language makes it simpler for teams to communicate and report risks. Meanwhile, standardized issue management processes allow stakeholders to quickly identify which issues are associated with which risks and organizations.



• Growing range of risks and regulations

• Inconsistent GRC processes and taxonomies across the lines of defense

• Limited visibility into and agreement on risks

• Cumbersome spreadsheet-based processes



Regulatory Engagement Management

IT and Cyber Risk Management

IT and Cyber Compliance Management

Third-Party Risk Management

Policy Management

Business Continuity Management

Survey Management

Enterprise Risk Management



• Better GRC consistency and coordination across the enterprise

• Improved communication through standardized risk and control taxonomies

• Faster responsiveness to risks and non-compliance with real-time risk visibility

• Better efficiency with automated GRC workflows

• More time for the second line to act as risk advisors, rather than risk administrators

• Swifter policy creation, review, and communication



MetricStream products engage all the lines of the business in GRC. With their intuitive tools, frontline teams can easily document risks, issues, and control test results, while also reviewing and attesting to their understanding of corporate policies.

The second line, in turn, spends less effort on administrative tasks because most workflows like data aggregation have been automated. The team can now devote more time and resources to analyzing risk findings, and uncovering valuable advice for the business and leadership team.

GRC collaboration across the lines has also grown stronger with MetricStream’s unifying Integrated Risk Platform – intelligent by design. Teams can swiftly exchange risk findings, and communicate issues, thus enhancing risk responsiveness.



MetricStream enables a risk-based approach to compliance, IT security, and business continuity. This has helped the insurer accelerate its digitalization strategy across business functions.

The product streamlines identification, assessment, and monitoring for a wide range of risks, including enterprise, IT security, and third-party risks. It also harmonizes business continuity planning, disaster tracking, and recovery action initiation and management. This allows the insurer to be better prepared for sudden risk events and crisis scenarios.

When it comes to compliance, the product reduces the time taken to create, review, and publish policies. It also simplifies the process of managing regulatory engagements, including examinations, meetings, and requests for information.

Stakeholders can proactively detect, respond to, and minimize IT risks with timely insights from the first and second lines. The product also strengthens compliance with IT regulations and standards through an integrated compliance framework and automated workflows.



With MetricStream, the insurer has an enterprise-wide view of GRC operations across the lines of the business. Powerful reports, dashboards, and analytics transform risk and compliance findings into actionable intelligence that helps stakeholders make informed business decisions. With real-time insights, they can effectively understand the risks ahead, capitalize on opportunities, and strengthen business performance.
