Case Study

Malaysian Oil and Gas Giant Elevates Cyber Risk And Compliance Management Program Maturity With MetricStream

After the COVID-19 pandemic, a Malaysian oil and gas giant concentrated on improving three core areas – agility, resilience, and sustainability – underpinned by the key organizational objective of “value creation”. Toward this goal, it identified the need to build a resilient risk management program that provides critical control and decision-making insights.

The organization sought a solution for managing cyber risk, third-party risk, and compliance across the enterprise, including its affiliates worldwide, with a single view into the cyber risk and compliance posture of the entire group. It chose MetricStream because the vendor understood the program's requirements and mapped them to its CyberGRC products to deliver the intended outcomes. With the implementation, the company has automated and streamlined its cyber risk and compliance management processes, enhanced visibility into third parties, and improved its overall cyber maturity and resilience.

Need for Value Creation

In 2020, the organization experienced severe revenue pressures due to the COVID-19 pandemic and crude price volatility. After emerging from the crisis, it realized the need to reimagine its approach to risk management. ‘Value creation’ became a key strategy and an organizational objective with a core focus on agility, resilience, and sustainability. 

Along these lines, the organization decided to modernize its cyber risk and compliance management program, which it considers critical to its success and to a more sustainable future. Before MetricStream, the program was managed manually in Excel and Word, which was prone to manual error and data inconsistencies.

The organization chose MetricStream to level up its program and gain a single view into its third-party risk, cyber risk, and compliance posture for the entire group. The implementation was carried out in phases and focused on two groups within the organization – Group Legal and Group Cyber. Its objectives were to:

  • Migrate from a legacy system to an online, automated system for a consolidated view into third parties, cyber risks, and compliance posture 
  • Standardize risk nomenclature across 500 entities 
  • Build a resilient program providing critical control and decision-making insights

Business Value Realized

  • Streamlined processes for performing and documenting impact assessments of 5,000+ IT and OT assets
  • Automated assignment of more than 1,000 controls based on each asset's impact assessment score
  • Cyber Maturity Risk Assessment score improved from 2 to 3
  • Improved visibility into third parties

Implementation Phase 1: Group Legal

In Phase 1, MetricStream’s Third-Party Risk Management and Policy and Document Management products were rolled out to 20,000 users across Procurement, Group Risk, Finance, and other operational units under Group Legal.

Clear Visibility into Third Parties

Because the organization operates in 100 different countries, geopolitical risk has a major impact on its business. Many of its operations are joint ventures with sovereign governments, and a host government may have reservations about third-party vendors from certain countries. So, while the organization may already be working with a third-party vendor with a niche skillset on one project, that vendor might not be acceptable for another venture in a different country. This calls for an agile third-party vendor strategy.

With MetricStream Third-Party Risk Management, the organization now has well-defined processes for managing third-party information and carrying out due diligence, ongoing monitoring, and review activities. The product supports the organization’s agile vendor strategy by giving it clear visibility of all the vendors it works with, enabling it to prioritize and switch vendors efficiently.

Centralized Policy and Document Management 

With MetricStream, the organization has streamlined the management of its policies and documents, which are now stored in a centralized repository, providing quick and easy access. It has also established a systematic approach for managing the policies across their lifecycle – policy authoring, review, approval, attestation, communication, and retirement.

Implementation Phase 2: Group Cyber

One of the key goals of Group Cyber is to ensure that the 500+ entities within the group comply with the cyber governance framework. This is a daunting proposition, however, given the diverse set of businesses the organization deals with.

In Phase 2, the MetricStream IT and Cyber Risk and IT and Cyber Compliance products were rolled out to users in Group Cyber. As a result, the organization improved its Cyber Maturity Risk Assessment score from 2 to 3, which is expected to improve further with later phases of deployment. This is helping Group Cyber in its cyber risk insurance negotiations with insurers covering all 500+ entities.

Effective Business Impact Assessments 

While cyber teams at most organizations are responsible only for IT assets, Group Cyber at the oil and gas giant is also responsible for operational technology (OT) assets, including technology-based assets deployed in refineries, oil rigs, and similar sites. Before any IT or OT asset is made operational, i.e. deployed at its respective site, Group Cyber must assess its business impact and approve it.

MetricStream CyberGRC has automated and streamlined the process of performing and documenting impact assessments for 5,000+ IT and OT assets. It has also automated the assignment of more than 1,000 controls based on each asset’s impact assessment score. Group Cyber can now make better-informed go or no-go decisions on the deployment of these assets in a timely manner.

Streamlined Data Privacy Impact Assessments 

In the oil exploration business, the organization establishes joint ventures with the host nations where oil and gas reserves are found. For these joint ventures, data secrecy and data residency are key focus areas, and the entire IT strategy needs to be built around them. The Data Privacy Impact Assessment (DPIA) is a critical leg of this IT strategy: a DPIA is the process of identifying, assessing, and minimizing the risk stemming from the processing of personal data. MetricStream has helped the organization design its IT strategy in a manner that meets these requirements and streamlines the DPIA process.

To Sum It Up

With MetricStream, the organization has successfully modernized its cyber risk and compliance management program with automated workflows, centralized risk and control library, and streamlined risk and impact assessments. It has enhanced risk visibility and foresight across the enterprise, including its third-party ecosystem, and improved overall maturity and resilience.

