To overcome the challenges confronting its GRC operations, the company decided to implement an integrated GRC framework that would serve as the nucleus of its corporate governance ecosystem, coordinating all governance, risk, and compliance activities throughout the enterprise.
This system would be able to support a federated approach to GRC, and thus increase the effectiveness of internal auditing, as well as compliance and risk management. It would also enable the company to align its GRC initiatives centrally with corporate governance and reporting, while distributing them to lines of business to assign ownership, execution, and accountability.
After considering several top GRC solution vendors, the company chose MetricStream. The selection was based on the successful implementation of MetricStream GRC solutions in leading corporations across the world, as well as the scalability and flexibility of the MetricStream GRC Platform to adapt to future GRC demands. Each of the specific solutions was equally sophisticated, and provided a perfect fit for the company’s requirements. The company was also impressed with MetricStream’s responsiveness, as well as the comprehensiveness of its solution proposal.
MetricStream provided the client an integrated GRC platform with industry specific solutions for Compliance Management, Risk Management, Internal Audit, Policy Management, Reporting, and Issue Management.
MetricStream Compliance Management Solution provides a centralized framework and an integrated approach to help the client confidently comply with external regulations and standards such as NI 52109 and ISO27001/27002, as well as regional mandates specific to Latin American countries. The solution tracks compliance with internal policies and procedures, and automatically imports changes and new requirements in internal policies to ensure ongoing compliance.
Using the solution, the client is able to define and maintain a centralized structure of the overall compliance and control hierarchy, beginning with each regulation, and extending down to each function (e.g. Finance, Transport), the associated processes, risks, and controls. This organized framework helps streamline compliance activities, make quick associations between controls and regulations, and simplify the tracking of control-based activities across the enterprise.
Controls can be defined in both English and Spanish, and maintained along with their assessments and risk-related information in a centralized library. Equipped with an easy search capability, the library enables compliance managers and internal audit groups to quickly and easily provide evidence that a specific compliance requirement is being met, and that controls are in place to ensure ongoing compliance.
The solution also provides access to other embedded information such as best practices and COSO and COBIT frameworks to help compliance managers define targeted and relevant controls. Assessments to determine the effectiveness of the controls are supported based on predefined criteria and checklists with a mechanism for scoring, tabulating, and reporting the results.
The solution enables control assessment plans to be designed and assigned based on roles and responsibilities, as well as the type of compliance requirement and associated risk. It also automates the verification of compliance controls in business processes to provide reasonable confidence that business activities are conducted in accordance with the policies, procedures, and processes defined by the corporation, best practices, and applicable regulations.
MetricStream Risk Management Solution provides methodologies and tools to help the client identify, categorize, prioritize, assess, manage, monitor, and mitigate the complete spectrum of risks including financial, environmental, compliance, and operational risks. The solution ensures that the organization’s risks and controls are well documented and appropriately assessed, and that remedial actions are tracked to closure. Moreover, it provides the capability to ensure that standardized risk management practices are embedded across the entire value chain.
The solution links risks and controls with policies and procedures, enabling the company to streamline risk management workflows and establish a closed-loop risk management process across the enterprise. The solution also enables Risk-Control Self Assessments (RCSAs) to be conducted at the business unit level based on configurable methodologies and algorithms. Simultaneously, the information is rolled up to provide visibility to top management at the enterprise level. Both top-down and bottom-up risk identification and management are supported, so while risk identification may occur in any area, it is automatically mapped back to each business process.
The solution supports risk ranking and categorization, enabling risk managers to decide which risks, controls, and audits need maximum attention and focus. Advanced risk heat maps help monitor the risks and determine if thresholds are being breached. The solution also enables Key Risk Indicators (KRIs) to be defined and monitored on a regular basis, to ensure that the company’s risk-taking activities do not exceed its risk appetite.
The solution brings together all operational risk data in a centralized repository (RCSAs, automated alerts, data feeds, risk libraries, risk analytics, KRIs, loss events, risk heat maps, trend charts, and compliance dashboards) to provide increased enterprise-wide transparency into the risk management process, and highlight issues that need remedial action.
MetricStream Internal Audit Management Solution provides a comprehensive framework to help the client continuously monitor and validate its business transactions, and identify fraudulent activities or vulnerabilities in the company’s business processes. The solution can be extended across a wide range of audits, including operational audits, IT audits, and quality audits.
Used by over 100 users across the company, the solution streamlines the complete audit lifecycle beginning with risk assessments, and extending through audit planning and scheduling, field data collection, the development of audit reports, and the review and implementation of audit recommendations.
The solution provides a useful resource management tool to efficiently and cost-effectively allocate the required resources, select audit teams, assign responsibilities and draw up an audit calendar. Audits can be scheduled periodically or triggered on an ad-hoc basis, with automatic alerts and event-based notifications keeping the process on track, and ensuring the timely completion of tasks.
The solution enables auditors to create an audit program with a well-defined scope and objective linked to compliance and risk management processes. It also enables them to organize audits in a logical structure and hierarchy with detailed audit templates, evaluation criteria, checklists, workpapers, and tasks. Documents and files in any format, such as Word documents or spreadsheets, can be attached at any stage of the audit as supporting evidence. All attachments are centrally stored, enabling users participating in the audit to access and view them at any time.
During the audit, the solution provides a framework to record qualitative or quantitative findings along with detailed observations and recommendations in predefined formats. A unique offline Briefcase allows auditors to enter audit findings on notebook computers or handheld devices at remote field sites without access to the corporate network, and to synchronize the data with the central repository once they regain network access.
The solution provides built-in workflows for routing audit findings for review, and initiating remedial action as well as follow-up audits. In addition, graphical dashboards enable audit managers to track the status of the audit, and measure its progress against milestones to ensure timely execution.
Policy and Procedure Management
The MetricStream solution provides a single, centralized repository for the client to efficiently manage and store its policies and procedures. The documents are organized based on various templates and classification criteria with automatic or user defined numbering schemes.
The solution allows multiple users across departments and functions to access and work on policy development simultaneously. It also provides tight integration between the policies and procedures repository and the compliance, risk, and control framework. This includes dynamic links and references between the two as well as change controls and audit trails.
Complete visibility is provided into the policy and procedure system with easy status tracking. Graphical executive dashboards and flexible reports with drill-down capabilities provide statistics and data by a variety of parameters such as policy types, status, usage summaries, and average review times.
The MetricStream platform provides powerful built-in reporting engines and role-based dashboards, enabling managers to proactively track GRC metrics and indices, as well as the status of various GRC processes. These reports and dashboards provide graphical results with drill-down capabilities to view data at finer levels of detail. They enable both comprehensive aggregate reporting as well as individual status tracking in real time.
Since all the data is stored as structured data (discrete fields with common values), it can easily be reported and tracked across multiple sources, allowing trending by compliance, issues, business units, root cause, and other factors.
The process of reporting is simplified as the system automatically generates mandatory reports in formats and layouts desired by the regional regulatory agencies. The reports are generated in standard file types, and can be further worked on before being submitted to the agency.
For issues arising from control assessments, auditing processes, or any such event, the MetricStream Issue Management Solution triggers a seamless and streamlined process for issue investigation, management, and remediation. The solution supports the triggering of automatic alerts and notifications to appropriate personnel for investigative and remediation task assignments. An issue remains open until the action plan is carried out and the results are verified for effectiveness. Managers can track the status of issues as they automatically move from one stage to the next based on the company’s risk management procedures.