Case Study

Major Insurance Company Uses a Holistic Approach to Engage All Lines of the Business in GRC

A leading insurer with millions of customers was committed to effectively managing risks arising from new business models, digitalization, and cyber threats. With MetricStream products the company could enable an automated, consistent, and agile approach to governance, risk and compliance, while also gaining contextual risk intelligence to make better-informed decisions faster.

Bringing ‘Agile’ Into GRC

At the insurer’s organization, risk management is not just a second-line responsibility. The first line is also expected to identify risks, test controls, document issues, and attest to their understanding of policies.

Earlier, however, there was no consistency in the way risks and compliance were managed across the lines of the business. Each line used different processes, tools, and taxonomies. This resulted in a complex and siloed GRC environment with little visibility into and agreement on risks. Redundancies in GRC data and processes were quite common.

Legacy tools like spreadsheets only added to the challenge. With so many of these documents floating around the enterprise, it was difficult to get a consolidated and timely view of risks. The second line spent more time on manual administrative tasks like aggregating risk data from various spreadsheets, rather than functioning as advisors to the business.

Eager to overcome these challenges, the company chose MetricStream to provide an integrated risk platform that would not only automate and standardize GRC processes, but also improve visibility into risk and compliance across the enterprise.

Today, MetricStream supports a wide range of GRC activities, including regulatory engagement management, IT compliance and risk management, policy management, survey management, threat and vulnerability management, business continuity management, third-party management, issue management, and enterprise risk management.

The cloud-based implementation was out-of-the-box, leveraging embedded best practices to accelerate deployment timelines. MetricStream products are currently employed by over 50 power users, 200 light users for processes such as issue management, and up to 3,000 users for policy attestations.

Faster Risk Identification Through an Integrated Approach

With MetricStream, the insurer now has a single source of truth on GRC. The underlying libraries on the platform map regulations, products, services, processes, strategic imperatives, and objectives to risks, controls, and assets. This integrated data model enables stakeholders to proactively identify potential risks, as well as early warning signs of non-compliance.

The product also standardizes GRC processes and taxonomies. No more operational silos or inconsistencies. Everything is managed in a homogeneous and harmonized manner. A common GRC language makes it simpler for teams to communicate and report risks. Meanwhile, standardized issue management processes allow stakeholders to quickly identify which issues are associated with which risks and organizations.



  • Growing range of risks and regulations
  • Inconsistent GRC processes and taxonomies across the lines of defense
  • Limited visibility into and agreement on risks
  • Cumbersome spreadsheet-based processes

Business Value Realized


  • Better GRC consistency and coordination across the enterprise
  • Improved communication through standardized risk and control taxonomies
  • Faster responsiveness to risks and non-compliance with real-time risk visibility
  • Better efficiency with automated GRC workflows
  • More time for the second line to act as risk advisors, rather than risk administrators
  • Swifter policy creation, review, and communication


Stronger Collaboration Across the Lines of the Business

MetricStream products engage all the lines of the business in GRC. With their intuitive tools, frontline teams can easily document risks, issues, and control test results, while also reviewing and attesting to their understanding of corporate policies.

The second line, in turn, spends less effort on administrative tasks because most workflows like data aggregation have been automated. The team can now devote more time and resources to analyzing risk findings, and uncovering valuable advice for the business and leadership team.

GRC collaboration across the lines has also grown stronger with MetricStream’s unifying Integrated Risk Platform – intelligent by design. Teams can swiftly exchange risk findings, and communicate issues, thus enhancing risk responsiveness.

Improved Risk Management and Compliance

MetricStream enables a risk-based approach to compliance, IT security, and business continuity. This has helped the insurer accelerate its digitalization strategy across business functions.

The product streamlines identification, assessment, and monitoring for a wide range of risks, including enterprise, IT security, and third-party risks. It also harmonizes business continuity planning, disaster tracking, and recovery action initiation and management. This allows the insurer to be better prepared for sudden risk events and crisis scenarios.

When it comes to compliance, the product reduces the time taken to create, review, and publish policies. It also simplifies the process of managing regulatory engagements, including examinations, meetings, and requests for information.

Stakeholders can proactively detect, respond to, and minimize IT risks with timely insights from the first and second lines. The product also strengthens compliance with IT regulations and standards through an integrated compliance framework and automated workflows.

Greater Risk Awareness

With MetricStream, the insurer has an enterprise-wide view of GRC operations across the lines of the business. Powerful reports, dashboards, and analytics transform risk and compliance findings into actionable intelligence that helps stakeholders make informed business decisions. With real-time insights, they can effectively understand the risks ahead, capitalize on opportunities, and strengthen business performance.
