Prior to MetricStream, the company had too many manual and scattered processes, disparate teams, and no enforcement of risk management processes and standardization. In addition, the lack of common GRC nomenclature and unified framework led to different interpretations of risks by different business units.
This, along with the lack of collaboration and coordination between different departments, made it difficult to give consistent, one-version reporting to the board. This resulted in information overload—there were troves and troves of data. The situation was further exacerbated by the dependence on basic office productivity tools, such as Word and Excel, which adversely impacted its risk identification, reporting, assessment, and mitigation capabilities.
The company felt the need to coordinate various assurance activities focused on its key exposures. The objective was to reduce inefficiency in assurance activities as there were lots of silos between risk, compliance, and internal audit.
Another major challenge was regulatory fatigue. With its operations spanning multiple jurisdictions, the company is required to deal with a plethora of regulations. However, the lack of a cohesive approach led to redundancies and inefficiencies.
Therefore, it became critical for the company to have a unified, forward-looking approach to GRC. It implemented the MetricStream Enterprise GRC solution out-of-the-box in 2015 with support for GRC Libraries, Risk Management, and Issue Management. The deployment process was kicked off with Version 6.x that was implemented on-premise. Being a forward-looking company, it transitioned to the latest version of the MetricStream Platform running on the AWS Cloud.
With MetricStream, the company has successfully standardized GRC taxonomy and framework, thereby facilitating a common understanding of issues related to risk, compliance, and audit and harmonizing the ways of work. In addition, the resulting synchronized risk reporting and measurement activities helped eliminate duplication of efforts and enabled risk and compliance teams to provide a single source of truth to the key stakeholders.
Common GRC taxonomy and single source of truth
Enhanced visibility into risks and risk relationships
Better reporting capabilities
Built confidence with regulators
Improved assurance processes
Enhanced speed and agility
Previously, the financial services company was focusing on delivering in-depth analysis of individual risk types—operational risk, compliance risk, credit risk, market risk, and insurance risk, among others—without considering the correlations between these various types of risk. With the help of MetricStream, it now has a centralized risk repository that provides a comprehensive view of different risk types and their interdependencies. This has also improved its understanding of risk velocity and its vulnerability to the risks, thereby enabling the senior management and board to be cognizant of the changing risk profile and to devise appropriate risk mitigation and remediation strategies.
The company engages in a lot of information reporting activities. However, previously the key information was often lost in reams and reams of pages. In its analysis of how people spend their time, the company found that its employees were spending about 8 months out of 12 months just doing reporting. This was highly inefficient as the process involved collating information, putting it in Excel and Word, and redistributing it to 5 or 10 or 15 different teams that asked for the same information but maybe in different formats or different levels of information and depth.
Through MetricStream, the company was able to find the right balance between too much and too little reporting. The risk aggregation enabled it to create multiple versions of the same report within minutes, matching the diverse needs of various business units. This approach helped eliminate the noise and provide the top management with relevant information on key issues in real time to support effective and quick decision-making.
One of the primary goals of the company for undertaking this initiative was to automate its combined assurance processes. It was seeking to benefit from an effective and efficient combined assurance operation through its operating model supported by its GRC platform.
The MetricStream solution enabled various assurance groups to come together on a single platform to collaborate and share risk intelligence with each other and with other lines of business. The centralized approach simplified identifying key risk areas with streamlined Audit Issues and Action Tracking processes. This facilitated structured and risk-based assurance processes, enabling the company to perform all assurance activities in an efficient and integrated manner. The company can now efficiently determine what level of assurance is required depending on the risk appetite, who will provide the assurance (the three lines of defense), and the type of assurance that will be provided.
From a compliance and risk perspective, the company needs to comply with several international and local regulations including Solvency Assessment & Management (SAM), the equivalent for Solvency II, King III, and others. With MetricStream, it is now able to manage a wide range of compliance requirements in an effective and integrated manner. This not only helped to reduce the time spent on interacting with and explaining to regulators but also demonstrated that the company has a consistent approach to handling risk, compliance, and audit activities, thereby fostering confidence with regulators.
MetricStream enabled seamless content integration with Sentinel, allowing the company to stay abreast of all regulatory updates in an efficient manner. With timely feeds, the company now has a faster response time to regulatory changes and a proactive approach in ensuring compliance.
The solution’s survey management capability has enabled the company to efficiently manage surveys for compliance risk and control assessments and more. By streamlining the flow of information and records, and document attestations and representations at appropriate stages, the company is better positioned to foster accountability.
Overall, MetricStream helped the South African behemoth to establish a common risk language and unified GRC framework and gain deeper visibility into various risks and risk relationships. Coordination and collaboration between different departments and a balanced reporting approach provided a single source of truth. The company was also able to strengthen its combined assurance framework and build confidence with regulators. By digitizing GRC processes, it benefited from enhanced speed and agility, saved time and effort by eliminating redundancies, and can now better focus on its core business. In addition, running on the AWS Cloud delivered scalability and security. MetricStream continues to be the company’s trusted partner in its GRC maturity journey.