Explore the right questions to ask before buying a Cyber Governance, Risk & Compliance solution.
Learn More
Learn about the EU’s Digital Operational Resilience Act (DORA) and how you can prepare for it.
Learn More
Robert Taylor from LSEG shares his experience on implementing an integrated GRC program with MetricStream
Learn More
Download this report to explore why cyber risk is rising in significance as a business risk.
Learn More
Gurjeev Sanghera from Shell explains why they chose MetricStream to advance on the GRC journey
Learn More
The Client: One of the largest financial groups in Northern Europe
Overview
Unable to automatically aggregate operational risk data from 150+ banks across the organization, the client found it difficult to get timely visibility into their overall risk and loss profile. MetricStream provided a centralized, cloud-based operational risk management solution that scales across the client’s organizational siloes, integrating and rolling up risk data in real time, and thereby strengthening operational risk transparency. This, in turn, has helped the client enhance decision-making, as well as compliance with Basel II.
Solution
After considering various solution providers, the client chose MetricStream to deliver a comprehensive operational risk management solution deployed over the MetricStream GRC Cloud. The solution enables the client to manage operational risks, controls, and losses in an integrated and streamlined manner. It also automatically aggregates and rolls up ORM data to provide a comprehensive, top-level view of risks. With multi-lingual support capabilities, the solution can easily be used by native speakers of Finnish, Swedish, and English.
Since the solution was deployed over the private MetricStream GRC Cloud, it has helped the client realize faster time-tovalue, while also providing the benefits of reliability, scalability, and high security.
Below are the capabilities of the solution that are enabling and supporting the client:
Risk Assessments: Using the solution, the client is able to streamline inherent and residual risk assessments, and capture all the risk results in a central repository. During each risk assessment, authorized users have the flexibility to add or delete risks, and view previous risk assessment ratings. The solution also supports a unique risk scoring logic which takes into consideration risk likelihood, as well as Euro impact and reputational impact, to calculate the overall risk value. This has enabled the client to gain a better, more contextual understanding of their risks. Once the risk assessments are completed, the solution provides comprehensive reports on the risk profile of the organization.
Central Risk Library: Previously, the client’s risk data was scattered across legacy systems. But with the MetricStream solution, the company has a centralized risk library to consolidate and map operational risks, controls, losses, processes, and other data elements. This integrated approach has improved the client’s risk visibility, and helped them establish a more consistent risk taxonomy across the organization.
Compliance Management: The solution enables a systematic and consistent approach to control selfassessments, as well as control testing and monitoring, thereby allowing the client to effectively evaluate the effectiveness of their controls in mitigating operational risks. The solution also supports both planned and ad hoc compliance reviews. Graphical reports and dashboards provide a snapshot of compliance selfassessments and tests, and highlight issues that need to be addressed on priority.
Loss Management: The MetricStream solution offers the client a central system to capture loss data at various organizational levels, and roll it up to the corporate level as an overall loss profile. The solution consolidates data from various loss events, and enables users to map this data to risks, processes, controls, and other data entities for enriched loss analysis and reporting. It also enables a streamlined process for loss evaluation, investigation, and tracking, as well as a complete root-cause analysis that drives the client to take the most appropriate remedial actions.
Powerful dashboards allow the client to track losses across multiple dimensions from quarter to quarter, and year to year, so that they can spot trends and recurring problems, and resolve them swiftly. In addition, the solution automatically maps loss events to the associated risks, and aligns them to Basel II risk categories to facilitate consistent compliance.
To combat loss events due to unreported fraud or other unethical activities, the solution provides an intuitive, centralized system for whistle-blowers across the organization to log a loss or risk event, anonymously. It captures essential details of the loss, supports review and analysis, and facilitates a consistent process to investigate the loss event, leading to corrective and preventive action.
Issue Management: Any issues that arise from the client’s risk assessments, control testing, or even audits are routed by the solution through a systematic process of investigation, root cause analysis, and remediation. Advanced dashboards help track the status of the issue in real time, while automated alerts keep the process on track, and help ensure that the issue is resolved in a timely manner.
Multi-Lingual Support: Given that the client is based in Northern Europe, the solution provides dynamic MultiLingual Support (MLS) capabilities for Finnish, Swedish, and English speaking users. Based on Java i18n standards and Oracle-supported UTF8 encodings, the solution’s MLS capabilities enable information such as forms, labels, reports, and alerts to be converted into the local users’ preferred language, thereby making it easy for them to view and understand the risk data.
Risk Reporting: The solution generates a range of reports and dashboards that enable the client to track operational risks, losses, controls, issues, and associated processes in real time. These reports roll up operational risk data at various organizational levels, and also provide drill-down capabilities to view the data at finer levels of detail. Powerful tools help users slice and dice through the risk data to identify critical risk patterns and trends.
The Challenge
As a European financial services company, the client was subject to Basel II regulations, and had implemented multiple processes to assess and manage operational risks and losses. However, they had one major challenge – how to efficiently aggregate risk data from across the organization, and roll it up, so that the management team could get a clear view of the company’s operational risk profile.
Compounding the issue, there were more than 150 banks under the organization - each with their own risk data that had to be consolidated to provide a cohesive risk picture. Existing legacy systems did not have the capability to unify risk information. Therefore, most risk details, losses, and control status reports ended up scattered across the organization. Without timely, in-depth visibility into this data, the management team found it difficult to make risk-informed business decisions.
The other challenge was that loss events and risk data had to be mapped to Basel II risk categories to manage compliance. This process was performed manually, and therefore ended up being time-consuming and resource-intensive. Therefore, the client began looking for a new operational risk management system that would not only automate risk management workflows, but also provide a single, global platform to bring together risk management processes and data, and enable real-time, integrated risk reporting. The new system also had to support the client’s language requirements for Finnish, Swedish, and English.
Benefits
- Better Risk Integration
Instead of a siloed and fragmented approach to operational risk management, the client now has a single, unified solution that cuts across organizational and geographic siloes, and integrates risk data in one system for complete transparency. The solution is used by approximately 600 users across locations, and can be scaled up in the future to accommodate more users. - Greater Visibility into Risks and Losses
Earlier the client had to manually aggregate risks and loss events for reporting. But with the MetricStream solution, they now have real-time, in-depth visibility into various risks, controls, and losses – not just at the business unit level, but also at the corporate level. - Support for Whistleblowers
The solution strengthens operational risk management by making it easy for whistleblowers to log a loss event such as fraud, while maintaining user anonymity and data confidentiality. The solution also enables the organization to proactively investigate and resolve the loss event, and take steps to ensure that the event doesn’t recur. - More Efficient and Consistent Risk Workflows
Disjoint and manual risk processes have been replaced with highly streamlined and automated workflows. This has helped the client simplify risk management, and save time and costs. Intuitive and user-friendly interfaces make it easy for users to navigate processes, while secure access controls ensure that only authorized users view the necessary data. - Stronger Compliance with Basel II
By automatically mapping loss events to key risks and Basel II categories, the solution enables the client to improve regulatory reporting. Users also gain a real-time view of compliance risks, control assessments, control test results, and issues which drive them to strengthen compliance.