Case Study

Leading Oil and Gas Company Integrates Multiple Risk, Audit, and Compliance Processes to Drive Global Expansion

The Client: Leading Oil and Gas Company


Oil and gas companies operate in a highly sensitive and vulnerable environment. Climate change, price volatility, dangerously-situated reserves, oil rig explosions, fires, gas leaks, and IT security threats are just some of the inherent risks which, if not managed properly, can have serious economic, environmental, health, safety, and security consequences.

As companies expand their global operations and publicly list their subsidiaries in multiple countries, they have to ensure compliance with country-specific regulations. Compliance regulations are growing more numerous and complex, and are affecting oil and gas companies both operationally and strategically. One-time compliance projects that focus only on meeting statutory deadlines are no longer adequate. Repeatability and sustainability in compliance management are critical. In turn, ongoing auditing is essential to ensure the effectiveness of both compliance and risk management.

Over decades, the client had developed and matured a robust corporate governance framework with rigorous processes for audits, control assessments, and risk management. However, as the company expanded its operations, it faced the challenge of adapting its GRC processes to new locations and businesses. The limitations of the existing GRC systems were brought to light: isolated GRC initiatives, manual processes, and spreadsheets proved to be neither effective nor efficient in managing numerous risks and compliance regulations.

As a result, the company began looking for an integrated solution that could provide a single point of reference for enterprise-wide risk management, internal audit, and regulatory compliance. The solution had to enable a consistent process to identify, assess, mitigate, and document the company’s compliance and risk programs, cover all its businesses and major locations, identify trends proactively, and track the implementation of mitigating action plans.

The solution was also required to enable compliance with a vast number of federal and state regulations across the company’s operations, interface with existing IT infrastructure, and eliminate inefficiencies and redundancies. Moreover, as business processes evolved, the solution was expected to demonstrate the flexibility to support future business needs.


To overcome the challenges confronting its GRC operations, the company decided to implement an integrated GRC framework that would serve as the nucleus of the corporate governance ecosystem, coordinating all governance, risk, and compliance activities throughout the enterprise.

This system would be able to support a federated approach to GRC, and thus increase the effectiveness of internal auditing, as well as compliance and risk management. It would also enable the company to align its GRC initiatives centrally with corporate governance and reporting, while distributing them to lines of business to assign ownership, execution, and accountability.

After considering several top GRC solution vendors, the company chose MetricStream. The selection was based on the successful implementation of MetricStream GRC solutions in leading corporations across the world, as well as the scalability and flexibility of the MetricStream GRC Platform to adapt to future GRC demands. Each of the specific solutions was equally sophisticated and provided a close fit for the company’s requirements. The company was also impressed with MetricStream’s responsiveness, as well as the comprehensiveness of its solution proposal.

MetricStream provided the client with an integrated GRC platform and industry-specific solutions for Compliance Management, Risk Management, Internal Audit, Policy Management, Reporting, and Issue Management.

Compliance Management

The MetricStream Compliance Management Solution provides a centralized framework and an integrated approach to help the client confidently comply with external regulations and standards such as NI 52-109 and ISO 27001/27002, as well as regional mandates specific to Latin American countries. The solution tracks compliance with internal policies and procedures, and automatically imports changes and new requirements in internal policies to ensure ongoing compliance.

Using the solution, the client is able to define and maintain a centralized structure of the overall compliance and control hierarchy, beginning with each regulation, and extending down to each function (e.g. Finance, Transport), the associated processes, risks, and controls. This organized framework helps streamline compliance activities, make quick associations between controls and regulations, and simplify the tracking of control-based activities across the enterprise.

Controls can be defined in both English and Spanish, and maintained along with their assessments and risk-related information in a centralized library. Equipped with an easy search capability, the library enables compliance managers and internal audit groups to quickly provide evidence that a specific compliance requirement is being met, and that controls are in place to ensure ongoing compliance.

The solution also provides access to other embedded information such as best practices and COSO and COBIT frameworks to help compliance managers define targeted and relevant controls. Assessments to determine the effectiveness of the controls are supported based on predefined criteria and checklists with a mechanism for scoring, tabulating, and reporting the results.

The solution enables control assessment plans to be designed and assigned based on roles and responsibilities, as well as the type of compliance requirement and associated risk. It also automates the verification of compliance controls in business processes to provide reasonable confidence that business activities are conducted in accordance with the policies, procedures, and processes defined by the corporation, best practices, and applicable regulations.

Risk Management

The MetricStream Risk Management Solution provides methodologies and tools to help the client identify, categorize, prioritize, assess, manage, monitor, and mitigate the complete spectrum of risks, including financial, environmental, compliance, and operational risks. The solution ensures that the organization’s risks and controls are well documented and appropriately assessed, and that remedial actions are tracked to closure. Moreover, it provides the capability to ensure that standardized risk management practices are embedded across the entire value chain.

The solution links risks and controls with policies and procedures, enabling the company to streamline risk management workflows and establish a closed-loop risk management process across the enterprise. The solution also enables Risk-Control Self-Assessments (RCSAs) to be conducted at the business unit level based on configurable methodologies and algorithms. Simultaneously, the information is rolled up to provide visibility to top management at the enterprise level. Both top-down and bottom-up risk identification and management are supported: while risk identification may occur in any area, each risk is automatically mapped back to the relevant business process.

The solution supports risk ranking and categorization, enabling risk managers to decide which risks, controls, and audits need maximum attention and focus. Advanced risk heat maps help monitor the risks and determine if thresholds are being breached. The solution also enables Key Risk Indicators (KRIs) to be defined and monitored on a regular basis, to ensure that the company’s risk-taking activities do not exceed its risk appetite.

The solution brings together all operational risk data in a centralized repository (RCSAs, automated alerts, data feeds, risk libraries, risk analytics, KRIs, loss events, risk heat maps, trend charts, and compliance dashboards) to provide increased enterprise-wide transparency into the risk management process, and to highlight issues that need remedial action.

Audit Management

The MetricStream Internal Audit Management Solution provides a comprehensive framework to help the client continuously monitor and validate its business transactions, and identify fraudulent activities or vulnerabilities in the company’s business processes. The solution can be extended across a wide range of audits, including operational audits, IT audits, and quality audits.

Used by over 100 users across the company, the solution streamlines the complete audit lifecycle beginning with risk assessments, and extending through audit planning and scheduling, field data collection, the development of audit reports, and the review and implementation of audit recommendations.

The solution provides a useful resource management tool to efficiently and cost-effectively allocate the required resources, select audit teams, assign responsibilities and draw up an audit calendar. Audits can be scheduled periodically or triggered on an ad-hoc basis, with automatic alerts and event-based notifications keeping the process on track, and ensuring the timely completion of tasks.

The solution enables auditors to create an audit program with a well-defined scope and objective linked to compliance and risk management processes. It also enables them to organize audits in a logical structure and hierarchy with detailed audit templates, evaluation criteria, checklists, workpapers, and tasks. Documents and files in any format, such as Word documents or spreadsheets, can be attached at any stage of the audit as supporting evidence. All attachments are centrally stored, enabling users participating in the audit to access and view them at any time.

During the audit, the solution provides a framework to record qualitative or quantitative findings along with detailed observations and recommendations in predefined formats. A unique offline Briefcase allows auditors to enter audit findings in notebook computers or handheld devices at remote field sites without access to the corporate network, and synchronize the data with the central repository when they can access the network.

The solution provides built-in workflows for routing audit findings for review, and initiating remedial action as well as follow-up audits. In addition, graphical dashboards enable audit managers to track the status of the audit, and measure its progress against milestones to ensure timely execution.

Policy and Procedure Management

The MetricStream solution provides a single, centralized repository for the client to efficiently manage and store its policies and procedures. The documents are organized based on various templates and classification criteria, with automatic or user-defined numbering schemes.

The solution allows multiple users across departments and functions to access and work on policy development simultaneously. It also provides tight integration between the policies and procedures repository and the compliance, risk, and control framework. This includes dynamic links and references between the two as well as change controls and audit trails.

Complete visibility is provided into the policy and procedure system with easy status tracking. Graphical executive dashboards and flexible reports with drill-down capabilities provide statistics and data by a variety of parameters such as policy types, status, usage summaries, and average review times.

Reporting

The MetricStream platform provides powerful built-in reporting engines and role-based dashboards, enabling managers to proactively track GRC metrics and indices, as well as the status of various GRC processes. These reports and dashboards provide graphical results with drill-down capabilities to view data at finer levels of detail. They enable both comprehensive aggregate reporting as well as individual status tracking in real time.

Since all the data is stored as “structured data” (stored in separate fields with common values), it can easily be reported and tracked across multiple sources, allowing trending by compliance, issues, business units, root cause, and other factors.

The process of reporting is simplified as the system automatically generates mandatory reports in formats and layouts desired by the regional regulatory agencies. The reports are generated in standard file types, and can be further worked on before being submitted to the agency.

Issue Management

For issues arising from control assessments, auditing processes, or any similar event, the MetricStream Issue Management Solution triggers a seamless and streamlined process for issue investigation, management, and remediation. The solution supports automatic alerts and notifications to the appropriate personnel for investigative and remediation task assignments. Each issue remains open until the action plan has been carried out and the results have been verified for effectiveness. Managers can track the status of issues as they automatically move from one stage to the next based on the company’s risk management procedures.

Challenges

Lack of integration: The company relied on disparate and isolated processes and tools to manage its GRC programs. This hindered collaboration, coordination, and information-sharing across the enterprise. It also resulted in redundant and duplicate activities which wasted valuable time and resources.

Tedious manual processes: The company employed spreadsheets and Word documents to maintain records. It also used PowerPoint presentations to present findings, and a separate email application to assign tasks and facilitate communication. Each of these applications had to be managed manually, consuming extensive time, effort, and manpower on basic tasks such as recording findings, organizing data, and preparing reports.

Limited transparency: To effectively protect itself against risk, and ensure compliance with the complete range of regulations, the company needed to adopt a proactive approach to GRC management. This was limited by the lack of real-time visibility into GRC processes and metrics. Managers had to rely on manual spreadsheets and siloed systems which did not provide a consolidated view of GRC initiatives across the enterprise. Without the right information at the right time, they found it increasingly difficult to make actionable decisions regarding risk and compliance management.

Lack of scalability: As the company grew and expanded its operations, its existing GRC systems were unable to seamlessly scale up. Meanwhile, risks were growing more numerous, and compliance regulations more complex. However, the company’s infrastructure did not have the flexibility to evolve in response to these growing requirements.

Why the Company Selected MetricStream

Integrated GRC solution suite with powerful workflow and collaboration functionalities
MetricStream’s integrated, Web-based platform is designed to address end-to-end GRC requirements through a unified and systematic approach. The platform provides a powerful workflow and collaboration engine to manage and support GRC processes based on industry best practices. It also controls the routing of information, and facilitates collaboration among key stakeholders.

Rich and scalable capabilities
The MetricStream platform provides a robust and scalable infrastructure with powerful capabilities such as configurable forms, real-time exception tracking, email alerts and notifications, integration, reports, executive dashboards, business intelligence, and analytics. The solution provides the flexibility to seamlessly adapt to future GRC and regulatory requirements.

Ease of use
MetricStream solutions ship with out-of-the-box functionalities based on industry standards and best practices. As these functionalities are already predefined, the solutions can be implemented quickly. MetricStream also provides tools to configure and model the solutions exactly as per the client’s business processes and environment. Intuitive and easy-to-use interfaces in the solutions minimize the learning curve, and ensure quick adoption.

Market leadership
MetricStream solutions have been successfully deployed in leading global corporations, including oil and gas companies. Each of the solutions is equipped with sophisticated capabilities that are fully able to meet the client’s functional and technical requirements.

Benefits

  • Elimination of redundancies:
    The MetricStream solution provides a single point of reference for managing multiple GRC initiatives across the enterprise. Thus, the client can eliminate all redundant work, and duplicate tools and training sessions, while supporting multiple levels of reporting. The company can also minimize the risk of contradictory information flows, as the MetricStream solution provides a single version of the truth to all employees, management, auditors, and regulatory bodies.
  • Accelerated GRC processes:
    The MetricStream platform eliminates the need for cumbersome manual processes by automating end-to-end workflows. This frees up valuable time, resources, and effort for more valuable activities. The platform also streamlines various GRC processes, simplifying overall GRC management and improving its efficiency.
  • Enhanced collaboration:
    The MetricStream solution transcends organizational silos, and enables seamless collaboration and coordination across business units, functions, and geographies. It facilitates quicker and simpler information sharing, and enables cross-border teams to work together efficiently to manage complex GRC processes.
  • Consistent compliance and risk management:
    The solution enables the client to establish predictable, continuous, and sustainable risk and compliance management processes, eliminating any deviations or errors. The solution also facilitates accountability by enabling process owners to take direct responsibility for managing risks and controls. The flexibility of the platform ensures that it can be seamlessly adapted to suit future GRC requirements.
  • Greater transparency:
    Dashboards and reports provide in-depth and real-time insights into critical GRC metrics and indices, as well as the status of various GRC processes across the enterprise. This information proves extremely valuable for GRC managers and top management to make strategic risk, compliance, and business decisions quickly and confidently. It also helps them decide which initiatives can provide optimal risk/reward outcomes, and which ones need to be monitored more closely.
  • Increased shareholder value:
    With the MetricStream solution, the client is able to implement a robust and sound corporate governance framework which, in turn, enhances brand value and reputation. The solution helps the company reduce compliance costs, and utilize resources more effectively while improving business performance.
