Case Study

A Leading South African Financial Services Group Embarks On Digitized GRC Journey To Strengthen Combined Assurance Framework With MetricStream

A South African financial services giant embarked on the journey to streamline its GRC processes to do away with its existing manual, siloed, and inefficient approach. The lack of a single GRC framework and common taxonomy, along with disparate systems and processes, resulted in duplication of efforts and redundancies. The company identified the need to revamp its ways of work and implement a technology solution to ensure harmonization and consistency in GRC methodology

The financial services group selected MetricStream to provide an integrated and enterprise-wide GRC solution. With the implementation of MetricStream Enterprise GRC, built on the MetricStream Platform and running on the Amazon Web Services (AWS) Cloud, it has successfully standardized GRC taxonomy across the enterprise, harmonized its ways of work, automated its combined assurance framework, and gained a holistic view of key operational and compliance risks.

The Need to Go digital

Prior to MetricStream, the company had too many manual and scattered processes, disparate teams, and no enforcement of risk management processes and standardization. In addition, the lack of common GRC nomenclature and unified framework led to different interpretations of risks by different business units.

This, along with the lack of collaboration and coordination between different departments, made it difficult to give a consistent, one-version reporting to the board. This resulted in information overload—there were troves and troves of data. The situation was further exacerbated by the dependence on basic office productivity tools, such as Word and Excel, which adversely impacted its risk identification, reporting, assessment, and mitigation capabilities.

The company felt the need to coordinate various assurance activities focused on its key exposures. The objective was to reduce inefficiency in assurance activities as there were lots of silos between risk, compliance, and internal audit.

Another major challenge was regulatory fatigue. With its operations spanning multiple jurisdictions, the company is required to deal with a plethora of regulations. However, the lack of a cohesive approach led to redundancies and inefficiencies.

Therefore, it became critical for the company to have a unified, forward-looking approach to GRC. It implemented the MetricStream Enterprise GRC solution out-of-the-box in 2015 with support for GRC Libraries, Risk Management, and Issue Management. The deployment process was kicked off with Version 6.x that was implemented on-premise. Being a forward-looking company, it transitioned to the latest version of the MetricStream Platform running on the AWS Cloud.

Common Taxonomy That Led to Single a Source of Truth

With MetricStream, the company has successfully standardized GRC taxonomy and framework, thereby facilitating a common understanding of issues related to risk, compliance, and audit and harmonizing the ways of work. In addition, the resulting synchronized risk reporting and measurement activities helped eliminate duplication of efforts and enabled risk and compliance teams to provide a single source of truth to the key stakeholders.


  • Fragmented systems and processes with no common GRC taxonomy
  • No single source of truth
  • Dependence on manual tools and technologies
  • Silos between risk, compliance, and internal audit; duplication of efforts
  • Limited visibility into risk and compliance posture
  • Excessive and inconsistent reporting

Business Value Realized

  • Common GRC taxonomy and single source of truth
  • Enhanced visibility into risks and risk relationships
  • Better reporting capabilities
  • Built confidence with regulators
  • Improved assurance processes
  • Enhanced speed and agility

Understanding Correlation Between Risks

Previously, the financial services company was focusing on delivering in-depth analysis of individual risk types—operational risk, and compliance risk, credit risk, market risk, insurance risk among others—without considering the correlations between these various types of risk. With the help of MetricStream, it now has a centralized risk repository that provides a comprehensive view of different risk types and their interdependencies. This has also improved its understanding of risk velocity and its vulnerability to the risks, thereby enabling the senior management and board to be cognizant of the changing risk profile and devising appropriate risk mitigation and remediation strategy.

Balanced Reporting

The company engages in a lot of information reporting activities. However, previously the key information was often lost in reams and reams of pages. In its analysis of how people spend their time, the company found that its employees were spending about 8 months out of 12 months just doing reporting. This was highly inefficient as the process involved collating information, putting them in Excel and Word, and redistributing them to 5 or 10 or 15 different teams that asked for the same information but maybe in different formats or different levels of information and depth.

Through MetricStream, the company was able to find the right balance between too much and too little reporting. The risk aggregation enabled it to create multiple versions of the same report within minutes matching the diverse needs of various business units. This approach helped eliminate the noise and provide the top management with relevant information on key issues in real-time to support effective and quick decision-making

Combined Assurance Framework

One of the primary goals of the company for undertaking this initiative was to automate its combined assurance processes. It was seeking to benefit from an effective and efficient combined assurance operation through its operating model supported by its GRC platform.

The MetricStream solution enabled various assurance groups to come together on a single platform to collaborate and share risk intelligence with each other and with other lines of business. The centralized approach simplified identifying key risk areas with streamlined Audit Issues and Action Tracking processes. This facilitated structured and risk-based assurance processes, enabling the company to perform all assurance activities in an efficient and integrated manner. The company can now efficiently determine what level of assurance is required depending on the risk appetite, who will provide the assurance (the three lines of defense), and the type of assurance that will be provided.

Meeting Regulatory Expectations

From a compliance and risk perspective, the company needs to comply with several international and local regulations including Solvency Assessment & Management (SAM), the equivalent for Solvency II, King III, and others. With MetricStream, it is now able to manage a wide range of compliance requirements in an effective and integrated manner. This not only helped to reduce the time spent on interacting and explaining to regulators but also demonstrate that the company has a consistent approach to handling risk, compliance, and audit activities, thereby fostering confidence with regulators.

Staying on Top of Regulatory Updates

MetricStream enabled seamless content integration with Sentinel, allowing the company to stay abreast of all regulatory updates in an efficient manner. With timely feeds, the company now has a faster response time to regulatory changes and a proactive approach in ensuring compliance.

Survey Management

The solution’s survey management capability has enabled the company to efficiently manage surveys for compliance risk and control assessments and more. By streamlining the flow of information and records, and document attestations and representations at appropriate stages, the company is better positioned to foster accountability.


Overall, MetricStream helped the South African behemoth to establish a common risk language and unified GRC framework and gain deeper visibility into various risks and risk relationships. Coordination and collaboration between different departments and a balanced reporting approach provided a single source of truth. The company was also able to strengthen its combined assurance framework and build confidence with regulators. By digitizing GRC processes, it benefited from enhanced speed and agility, saved time and effort by eliminating redundancies, and can now better focus on its core business. In addition, running on the AWS Cloud delivered scalability and security. MetricStream continues to be the company’s trusted partner in their GRC maturity journey.


Ready to get started?

Speak to our experts Let’s talk