The Client: A Large Electric Utility
The electric utilities industry is undergoing changes as a result of environmental mandates, the global availability of energy, and the cost of supply and infrastructure. The economics of delivering energy tend to depend on capacity rather than average usage. Electric utilities are undergoing transformations as they respond to regulatory changes, demand fluctuations, new technologies, price volatility, and fierce competition.
The energy industry generates a large amount of pollution, including toxic gases. Complying with environmental mandates and government regulations to minimize pollution forms a large part of the industry's responsibilities.
The nature of the business gives rise to a strong dependence on computer networks and technology, exposing the industry to cyber crimes. A lack of appropriate risk and compliance management frameworks and techniques can lead to huge losses, legal consequences, and heavy penalties from national and regional regulators. The truth is that risk and compliance impact all business functions of organizations in this sector at the operational and strategic level.
In response to these circumstances, the company was looking to adopt an integrated and scalable approach to manage its risks, and to cope with the complex regulatory landscape.
The company needed an integrated system with a highly flexible and scalable Governance, Risk, and Compliance (GRC) platform architecture for managing enterprise-wide risk and compliance programs, and supporting its complex control requirements and regulatory obligations.
After a detailed survey of various options, the company selected MetricStream as the solution provider for this requirement. The basis of the selection was the MetricStream solution’s functional and technical capabilities to fulfill the company’s complex requirements.
MetricStream delivered an integrated GRC management solution with comprehensive modules to manage IT and financial controls.
MetricStream’s integrated GRC solution: The solution is a comprehensive, Web-based application deployed on MetricStream GRC Platform, and designed to manage a vast amount of regulatory information. The solution provides a common framework and an integrated approach to manage all the GRC requirements of the organization.
MetricStream’s platform supports the company’s organizational model across all business units and departments, as well as their mapping to different roles and reporting relationships. The portal views are based on the user’s profile and organizational mapping. The architecture allows for handling transitions and organizational changes such as acquisitions, divestitures, mergers, and spin-offs.
The MetricStream solution provides highly granular, multi-level security and access control with support for hierarchy-based organizational models and organization and role pairings. Access controls can be set at the feature level, application level, and data level.
Compliance management: The MetricStream solution provides a centralized repository to maintain legislation, regulations, company policies, and standards across the organization. The staff across the organization can easily access standard compliance policies such as internal policies and procedures, law and regulation changes, HIPAA, HR standards, data security, NEI 04-04, and NERC with appropriate role-based access rights.
Multiple compliance requirements can be defined and maintained in the solution. The company is able to manage various jurisdiction mandates and regulations using the platform. The solution also provides comprehensive details on the impact of non-conformance in the form of a detailed non-compliance report (also known as a deficiency report).
Using the solution, compliance officers are able to map the company’s compliance requirements to the business hierarchy of functions, processes, risks, controls, and tests.
The MetricStream solution helps the compliance staff create compliance-related tasks (known as actions) and assign them to individual owners. These owners are responsible for completing the task within the defined dates. In case of a failure, an automatic escalation is triggered and sent to the relevant personnel via email for further action.
The solution allows the staff to include appropriate external links, attach relevant documentation, and provide compliance-related alerts. Tools and reports are included to monitor the overall health and status of the compliance program.
The MetricStream solution also maintains a central library for process and controls around regulations. Any update to this central library automatically ensures that other references throughout the system are also updated. A detailed audit trail helps track every modification.
Risk management: The MetricStream solution provides a centralized risk framework to document and manage all risks faced by the company. It supports risk assessment and computations based on configurable methodologies and algorithms, thereby outlining the complete risk profile of the company. Based on this data, risk managers are able to prioritize their response strategies for optimal risk/reward outcomes.
The MetricStream solution supports a workflow-based approach to core risk management activities such as risk identification, risk classification and documentation, risk assessment, control testing, KRI scoring, updating of risk definitions and risk profiles, and risk mitigation.
Using the solution, risk managers are able to rank individual risks according to their significance, and obtain other information such as risk likelihood and impact to calculate the risk score. Advanced reporting capabilities allow for aggregation of risks across the company. Risk managers can also use risk calculators to identify and rank the significant risks to achieving strategic objectives and opportunities. The solution includes reporting capabilities such as dashboards and analytical tools, heat maps, scorecards, and drill-down reports.
The company’s objectives and associated risks can be identified and defined within the solution. Risk managers are able to closely track risk metrics such as risk scores (inherent as well as residual), aggregated and individual gains and losses, potential gains, investment in resources, actual gains, returns on investment, potential liability, cost of mitigation, actual cost, number of risks, controls, high priority incidents, and the status of events.
Risk management efforts are integrated with the compliance and regulatory initiatives of the company. Every process involved in a compliance initiative can be mapped to the associated risk.
GRC functional integration: Through a comprehensive data model, the solution offers the company a transparent and holistic view of all GRC-related activities across the enterprise. The company now has a central repository for all governance, risk, and compliance programs.
This integrated approach has helped the company identify all gaps in its GRC-related programs, and track them to closure. This is achieved through the issue and action planning functionality of the solution.
Issues and exceptions related to risk and compliance are integrated with the issue management and remediation management modules of the solution. Once issues are identified and documented, a systematic mechanism of investigation and remediation is triggered by the underlying workflow and collaboration engine.
The solution sends out automatic alerts and notifications to appropriate personnel for task assignments, investigation, and remedial action. Exception cases remain open until the action plan is carried out and the results are verified for effectiveness. Managers can track the status of issues as they automatically move from one stage to the next, based on the company’s compliance management procedures.
IT governance: The MetricStream solution enables the company to implement IT security processes as per the guidelines of the National Institute of Standards and Technology (NIST).
With the organization’s hierarchy model extended to include products and processes, IT managers at the company can define different kinds of IT processes and related IT assets. They can also assess the significance and vulnerability of the IT assets through the risk assessment module of the solution. The solution captures all the details of the assets along with the risk rating. This is based on the Control Objectives for Information and Related Technology (COBIT) and Committee of Sponsoring Organizations (COSO) frameworks embedded in the system.
The solution allows the IT staff to capture IT loss incidents. These losses are further linked to KRIs and risks. Appropriate issues are created and tracked to prevent future losses.
The MetricStream solution provides comprehensive IT governance reporting capabilities, including real-time IT risk and compliance status dashboards, and trend reports that use KRIs to send out alerts before risk thresholds are exceeded. Standard audit reports for all major IT laws and compliance requirements are included, along with custom reports on IT governance for internal audits and management.
Financial control management: The MetricStream solution supports risk assessments based on the guidelines of the Public Company Accounting Oversight Board (PCAOB). The framework captures significant financial reporting elements, as well as financial statement risks within these elements. The attributes of entity level and transaction level controls to address these risks are also captured.
As part of the assessment cycle, the finance managers at the company are able to obtain details such as the nature, extent, and timing of evidence required to complete the assessment of in-scope controls. The MetricStream solution supports testing of in-scope controls for certification. Control testing procedures, testing templates, and descriptions are stored centrally, and sent to testers. The results of tests as identified by testers are sent to the appropriate personnel for approvals before controls are certified.
The MetricStream solution integrates financial control management with audit management procedures. The integrated platform allows workpapers to be rolled back to the risk assessment team as part of control testing procedures. Schedulers at the company can schedule periodic audits around the financial control management process. The process can also be added as an ad-hoc audit.
The system can be evaluated by internal auditors or third-party external auditors completely independently of the risk assessment team. The results of such assessments can be viewed separately through reports and dashboards.
The solution enables periodic and ad-hoc scheduling of assessments, integrated with email. The flexibility of the solution allows the finance managers to include and exclude various organizational units or accounts during the assessment.
The MetricStream solution provides a customizable workflow around monthly/quarterly questionnaires. The list of questions is made available to the process owner for certification/approval.
The solution generates alerts and notifications to inform appropriate personnel about an increase in the likelihood of a material misstatement, or an increase in significant financial statement elements. Finance managers can set an appropriate threshold in the system for such events.
Using the solution, finance managers can identify and certify financial statement account assertions. They can capture all the processes, associated financial accounts, and financial statement assertions for every business unit.
Increasing complexity of the regulatory environment: With the rising number of “green” environmental standards and rigorous regulatory requirements such as the Energy Policy (EP) Act, North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) 002-009, Federal Energy Regulatory Commission (FERC) mandates, Sarbanes-Oxley (SOX), and state regulations, the company is under constant pressure to effectively identify the regulations associated with its business and IT functions, and to impose stringent compliance oversight and reporting requirements. The company’s operations demand compliance with such regulations and guidelines, spanning business functions such as financial control, IT governance, and risk management.
Mounting risks in virtual security: Operating in the highly sensitive and vulnerable environment of the energy supply industry, the company faced risks associated with cyber security and reliability. This demanded actions to increase risk-adjusted returns, improve strategic judgment, and avoid extraordinary losses due to lawsuits, fines, operational failures, thefts, or negligence.
Need to consolidate risk and compliance requirements: Exposed to various hazards of the business, the company was looking at consolidating enterprise risk and compliance requirements at the corporate level, interpreting various laws, mandates, and guidance for specific processes, and compiling a synchronized set of IT controls, control activities, and tests.
The company selected MetricStream for this engagement based on the following merits:
MetricStream offers a complete solution suite with full support for all GRC processes on a single, integrated platform.
The MetricStream solution includes powerful reporting capabilities with executive dashboards, heat maps, customized reports, analytics, and trend analyses.
MetricStream’s Web-based architecture and user-friendly interface allow the solution to be quickly adopted and integrated in operations.
The MetricStream solution contains embedded best practices. Moreover, its out-of-the-box nature allows it to be used without any elaborate infrastructure changes.
The MetricStream solution provides the maturity and flexibility to map to the specific requirements of the company, and adapt to changing business processes.