As one of the leading and best-known global sports footwear and apparel brands, the company has a deep commitment to governance, risk, and compliance (GRC). It identified the need to digitize its IT Risk and Compliance management to streamline the processes, eliminate manual and repetitive tasks, and enhance overall efficiency and business resilience. The previous outdated approach and lack of a centralized database limited the company’s visibility into risks and the effectiveness of controls.
To meet its Cyber GRC needs, the company tapped MetricStream’s IT and Cyber Risk and IT and Cyber Compliance Management products running on Amazon Web Services (AWS) cloud. With the implementation, it now has a single source of truth for its risks and controls and has successfully automated and streamlined its Cyber GRC processes— enhancing visibility into its IT and cyber risk and compliance profiles, accelerating the processing of risk and compliance assessments and issues for remediation, and improving overall speed, agility and scalability.
Legacy Approach and Related Challenges
Previously, the company did not have well-defined business processes and workflows. It largely depended on manual processes and had no recourse to repetitive tasks in IT and cyber risk and compliance. Strengthening IT risk and security was a particular priority due to the COVID-19 pandemic which resulted in amplified online access.
The company, which has around 59,000 employees from over 100 countries, lacked a centralized GRC database which not only limited the visibility into IT and cyber risk and compliance profiles across the enterprise but also how risks and controls were mapped to business units, processes, and assets.
It also used error-prone manual processes and tools, such as spreadsheets for control maturity assessments. The challenges were further exacerbated due to the lack of insightful reporting and charts to identify such controls. The company also depended on inefficient manual approval cycles.
To address and overcome these challenges, the company deployed MetricStream CyberGRC products on AWS cloud including IT and Cyber Risk and IT and Cyber Compliance. With MetricStream, it now has a centralized repository of critical assets and processes in place and has digitally transformed its Cyber GRC system, making it faster, more agile, and scalable.
Aligned Business Processes and Workflows
Implementing MetricStream CyberGRC products provided an opportunity for the company to align key business processes and workflows—particularly chalking out a unified framework for business processes, risks, and controls. This standardized approach allowed it to cut across organizational silos, automate repetitive tasks in IT and cyber risk and compliance, and eliminate duplication of efforts, thereby significantly improving overall efficiency.
Centralized Repository and Improved IT and Cyber Risk and Compliance Visibility
With MetricStream, the company now has a centralized inventory of critical processes and assets as well as a full linkage of all risk, controls, and checklists. This integrated model enhanced transparency by providing a single source of truth, improved IT and cyber risk and compliance visibility, synchronized controls, and provided a holistic and real-time view of the state of IT GRC to key stakeholders, enabling the company to make faster and well-informed decisions and enhance business resilience.
Challenge
- Lack of well-defined business processes and workflow, limiting visibility into IT and cyber risk and compliance posture
- No centralized database
- Dependency on manual processes for control maturity assessments
- Inefficient approach to IT and cyber risk and compliance management
Business Value Realized
- Accelerated processing of IT and cyber risk and compliance assessments and issues for remediation
- Real-time risk reporting and monitoring, enhanced speed, agility, and scalability of IT GRC processes
- Centralized repository of critical assets and processes
- Automation of repetitive tasks in IT and cyber risk and compliance
Enhanced Control Maturity Assessments
The company previously struggled with conducting quarterly control maturity assessments for advanced and baseline controls due to high dependency on manual processes, which required significant time, effort, and resources. Manual approval cycles and the lack of a centralized compliance database further added to the problem.
The sportswear giant implemented MetricStream IT and Cyber Compliance with additional configurations and extensions such as Control Maturity Evaluation workflow. This enabled it to not only consolidate compliance data in a centralized database, enabling comprehensive and real-time visibility, but also automate and streamline IT and cyber compliance management workflows. The company was able to enhance the speed of conducting IT and cyber compliance risk assessments as well as simplify the process of scheduling and conducting automated IT control tests.
Improved IT and Cyber Risk and Compliance Management Capabilities
The implementation also improved the company’s visibility and measurement capabilities into key risks by linking KRIs and enhanced speed, agility, and scalability of Cyber GRC processes based on industry best practices. It also helped the company accelerate the processing of risk and compliance assessments and issues for remediation. In addition, real-time risk reporting and monitoring along with powerful dashboard metrics significantly improved IT and cyber risk management capabilities.
