Case Study

Oil and Gas Giant Strengthens Stakeholder Trust with a Holistic Approach to Assurance

A leading multinational energy company, with tens of thousands of employees, wanted to replace its manual and siloed risk, audit, SOX, compliance, and policy management processes with a streamlined and automated approach. The objective was to build a more integrated and strategic approach to risk, compliance, and assurance processes by bringing them on a common platform, facilitating easy and immediate access to real-time information.

With MetricStream BusinessGRC products, the company was able to achieve this goal and manage its risk, compliance, and assurance requirements in a more holistic manner across 4,000+ users. The cloud-based platform automates these processes, improving the speed and efficiency of decision-making. Following the initial implementation of MetricStream Internal Audit and SOX Compliance products, the company implemented Enterprise Risk Management, Regulatory Change Management, Policy and Document Management, and Compliance Management products to strengthen collaboration across the enterprise.

Fixing the Cracks

Over the years, the company’s risk, compliance, and assurance processes had become increasingly siloed. Audit, SOX, risk, compliance, and policy-related data were scattered across systems, making it difficult for teams to track key risks, such as trading, financial, sanctions, Environment, Health, and Safety (EHS), and other issues. Without a unifying platform, they couldn’t effectively coordinate and collaborate on assurance findings.

Redundancies in control data and testing efforts weren’t uncommon. What’s more, the alignment between audit and compliance taxonomies was limited. This hampered efforts at comparing findings and identifying risks.

Outdated systems and manual processes only added to the challenges, making the processes time-consuming business functions. The company needed to revamp its systems and enable a more cohesive approach to assurance—one that would help them cut across audit, risk, controls, and compliance silos to gain a consolidated view of risks across business units and geographies.

Setting It Up

MetricStream emerged as the preferred choice to meet these requirements. The MetricStream Platform provided a centralized foundation to integrate GRC processes and strengthen risk visibility. Built on the platform were the MetricStream Internal Audit, SOX Compliance, Enterprise Risk, Regulatory Compliance, Regulatory Change, and Policy and Document Management products, which together helped the company streamline and automate workflows and enhance overall efficiency and resilience.

The products were implemented out-of-the-box with some minor changes as requested by the customer to best fit their requirements. The company has a dedicated business unit that leverages Compliance Management, Regulatory Change Management, Policy and Document Management, and Enterprise Risk Management, while another part of the business is using Internal Audit and SOX Compliance products. It uses surveys for inherent and residual risk assessments.

With the implementation, the company has successfully completed over 300 risk assessments with results aggregated through automation. It has also considerably cut down on the efforts by consolidating metrics across 3,000 controls.


  • Outdated assurance systems and manual processes
  • Low visibility into risks
  • Siloed systems which limited collaboration between audit and compliance functions
  • Inconsistent risk and compliance taxonomies

Business Value Realized

  • A real-time and holistic view of risks across audit and compliance functions
  • Improved efficiency with automated assurance processes
  • Better coordination and communication through a common system
  • Smarter risk reporting and communication with standardized taxonomies

Single Source of Truth on Risk

MetricStream offers the company a unified view of risk, internal audit, SOX, compliance, and internal controls across the enterprise. The platform maps risks to compliance requirements, internal controls, control tests, assessments, processes, and other data elements in a single framework. This gives users a holistic and contextual view of risk.

The platform also standardizes risk, compliance, and control taxonomies, making risk reporting and communication much more consistent. Teams across assurance functions now have a common system to exchange data, and collaborate on risk findings. No more duplication of effort or information. Everything is clearly mapped and streamlined in the MetricStream Platform for optimal efficiency.

Streamlined Risk Assessments and Controls Testing

The company undertakes a Compliance Enterprise Risk Assessment (ERA) at least annually or more frequently in case of a material change to its risk profile and/or changes in compliance laws and regulations. Prior to implementing the MetricStream Enterprise Risk and Compliance products, it was tracking its risks manually.

The use of MetricStream advanced technologies equipped the company to take an innovative and streamlined approach to managing risk and controls assessments from start to finish. It now has a consistent global process for compliance controls, controls testing, risks, assurance, monitoring, regulatory changes, policies, and key metrics monitoring. The company can now efficiently manage compliance controls testing process from planning to recording test execution results, house the risk taxonomy and controls library, and track issues and action plans.

Simplified Regulatory Change Tracking

For the first time, the company has the ability to map regulatory obligations to policy, risks, and controls. MetricStream provides a simplified front-end form to capture and track all compliance policies and relevant regulatory changes through the tool, enabling the company to effectively de-risk regulatory challenges.

Effective Policy Management

With MetricStream, the company now has a centralized repository to store and access the latest policies. It has helped streamline and simplify the creation and communication of organizational policies. In addition, mapping policies to regulations, risks, and controls have significantly strengthened compliance while highlighting potential risks.

Enhanced Agility in Internal Auditing

MetricStream Internal Audit Management is helping the company improve its audit productivity, while also identifying and responding to risks faster. Auditors can create dynamic audit plans, assign tasks, record their findings, and attach supporting evidence all in one system.

The product supports a risk-based approach to auditing, enabling teams to prioritize and direct audit resources to the areas of highest risk. Since auditing has been integrated with SOX compliance, teams across both functions can effectively coordinate control testing activities to minimize redundancies.

MetricStream also strengthens visibility into audit findings, helping the audit team deliver valued, trusted advice to the board and leadership.

Improved Confidence in SOX Compliance

MetricStream SOX Compliance Management helps the company simplify compliance monitoring by unifying risk and control data management across financial processes. The product simplifies control testing, documentation, and certifications with systematic workflows. It also helps rationalize controls, thus reducing compliance efforts and costs. Real-time reporting enables teams to deliver swift assurance around SOX compliance, strengthening stakeholder confidence.

Streamlined Regulatory Compliance Management

The company has to ensure compliance with a plethora of regulations across jurisdictions, including those from the European Banking Authority, the U.S. Securities and Exchange Commission (SEC), and others. MetricStream Compliance Management has helped the company strengthen compliance by proactively identifying regulatory changes and assessing their impact on the business. Using the product, it can not only track the regulatory changes but also manually test the impact and ascertain how it needs to be implemented. Furthermore, the company is also better equipped to manage internal controls as well as identify issues and track them to closure.

Better Insights to Drive Performance

To conclude, powerful analytics, reports, and dashboards in MetricStream give the company in-depth visibility into risks, internal audit results, SOX compliance findings, regulatory changes, and internal controls. Decision-makers can leverage rich visualizations of the data to understand the top risks, issues, and opportunities. They can also slice and dice the information from various angles to compare findings across risk, internal audit, compliance, and more. The result is a strategic view of the company’s overall governance, risk and compliance (GRC) posture that enables leadership teams to make better-informed decisions.


Ready to get started?

Speak to our experts Let’s talk