Case Study

Vendor Risk Management: From Start to Finish in 12 Weeks with MetricStream GRC Cloud

The Client: Zurich Insurance Company Ltd (UK)


In 2013, the UK sourcing team of Zurich Insurance was given a tough mandate - find and implement a Vendor Risk Management (VRM) solution across 500+ vendors in just three months! It was a tight deadline - yet, the urgency was warranted, as there were multiple vendor-related challenges that had to be addressed quickly. VRM processes had become increasingly complex, manual, and labor intensive. In the absence of an effective VRM system, most critical vendor information was managed on spreadsheets.

Adding to the challenge, the sourcing team had developed a “toolkit” of vendor policies and procedures, which hadn’t been uniformly adopted across the organization’s sourcing and procurement functions. 

The sourcing team began looking for a VRM solution that could be quickly implemented out-of-the-box, without any customization. The solution needed to be scalable with end-to-end functionalities for VRM, as well as self-service tools that would enable vendors to upload data on their own. 

The implementation timelines were challenging, and the demands were tough. Yet the sourcing team was determined to make it work.


How Technology Has Helped

The MetricStream VRM Solution has simplified and strengthened VRM processes across Zurich Insurance’s UK operations. The solution was rolled out over MetricStream GRC Cloud, and as a result, it went live within a few weeks, despite the large scale and scope of the implementation. 

Today, the solution is enabling and supporting the following processes at Zurich Insurance:

  • Vendor and contract information management - All vendor-related data is consolidated in a single database, making it easy to track any vendor in any location. In addition, all vendor documents, including templates, business continuity plans, and exit plans are maintained centrally for easy search and reference.
  • Due diligence - When a new vendor has to be selected, the solution streamlines the entire due diligence lifecycle.
  • Information security risk assessments - At the click of a button, the solution provides complete visibility into the security assessments across all vendors, so that Zurich Insurance can respond in a timely manner.
  • Assurance testing - The solution enables a risk-based approach to vendor assurance testing. At any time, users can check which vendors have good or bad assurance and performance scores. They can also track vendor KPIs and SLAs, and make sourcing decisions accordingly.
  • Issue management - If any vendor risk issues arise, the solution helps investigate and resolve them before they spiral out of control.
  • Workflow automation - Every day, users can view their VRM schedule, and identify outstanding tasks, upcoming tasks, and high-priority tasks. Sourcing executives also have a better view of their team’s schedules.

Best Practice

Through the course of their VRM project, Zurich Insurance identified several best practices:

  • Know what you want - Define your requirements clearly. Keep them simple and straightforward. Don’t add new requirements later to the scope of the project. Identify what you want at the beginning, prioritize it, and lock it down.
  • Develop a robust project structure - Create a project plan and structure with clearly-defined timelines. Nominate a good project manager to oversee the implementation.
  • Trust your vendors - Do your homework, and find a vendor that you can rely on. Then trust them to do what they do best. Invest in building a solid partnership with the vendor. Also, learn from them - take their suggestions and feedback.
  • Engage with stakeholders - Have regular conversations with stakeholders about the progress of the project. If there are problems, discuss them openly and honestly, so that an authentic solution can be found.

The Road Ahead

Zurich Insurance and MetricStream will continue their partnership by rolling out the MetricStream solution across the global organization. 

The teams are also working on implementing vendor self-service capabilities which will simplify vendor assessments and assurance processes by enabling vendors to upload their own data. 

In the future, the solution will be extended to include more capabilities such as vendor contract management and integration with vendor payment systems.


Developing a strategy, engaging with key stakeholders
The team defined a 3-year strategy for vendor risk management. The first year, in which they had defined vendor processes, policies, and procedures, had already passed. Year two was about finding the right VRM solution and embedding it within the organization. The focus of year three was on extending the solution to new areas of the business. 

This strategy was laid out with clearly-defined timelines. The sourcing team then set up a structure of how to engage with key stakeholders at each stage of the VRM project in order to keep them informed. The team also implemented good governance and control processes around their VRM strategy to ensure that everything went as planned.

Choosing a VRM solution provider
Zurich Insurance spent a significant amount of time researching and evaluating VRM solution providers to find the right fit for their organization. MetricStream was selected based on their market leadership, solution functionalities, potential for continuous partnership, and compatibility. Moreover, MetricStream had the capability to roll out the VRM solution quickly over their secure and scalable cloud offering. 

Onboarding MetricStream was the next challenge. Typically, Zurich Insurance conducts extensive due diligence, review, and approval processes before partnering with external third parties, which can take several months. However, in this particular instance, as the deadlines were short, due diligence and onboarding processes had to be accelerated. So, the sourcing team began to proactively collaborate with multiple executives in the organization, bringing alive the VRM strategy for them, and helping them understand the urgency of the implementation. As a result, it was possible to expedite the onboarding process with MetricStream to ensure they could meet the VRM implementation deadline.

Building an implementation plan
The UK sourcing team from Zurich Insurance spent two days with the MetricStream team, explaining their vendor processes, as well as their VRM solution requirements, ensuring the team had a clear set of requirements. This approach ensured everybody knew what needed to be done and by when, which helped deliver a smooth implementation from start to finish. 

Ensuring continuous reporting
Throughout the implementation process, Zurich Insurance kept communicating with the MetricStream team, discussing the project requirements, and making sure that both teams were aligned and understood what was needed. This continuous communication and collaboration was a major success factor in the project - it helped ensure that everyone was interpreting the implementation requirements in the same way. 

Creating pilot programs
Together, the sourcing team and MetricStream built a number of VRM pilots that enabled them to see what the end result would look like, and determine whether or not that worked for the company. On occasions when things didn’t quite go according to plan, the teams would go back to the drawing board, and discuss what needed to be changed. Whilst the whole process took some time, it was very useful in ensuring the right functionality was delivered and that the rollout was smooth. 

Combining training and testing
Most companies test a solution first, and then train their users on it. Yet Zurich Insurance chose to do both simultaneously, given the short timelines of their project. The approach worked well for them - users would get trained on the MetricStream solution, and then go into the system, get comfortable with the tools, identify any bugs, and make sure that they were fixed.


  • Better control over vendor risks
    All vendor governance information and risk data are consolidated in a central location. Therefore, users have the visibility to quickly identify risk issues, and resolve them in a timely manner.
  • Simplified vendor governance
    The solution automates vendor governance processes, thereby saving time, effort, and resources. It also helps in efficiently planning and scheduling various vendor governance tasks and assignments.
  • Greater scalability
    The MetricStream solution is scalable – it can be extended beyond the UK sourcing team, and used across Zurich Insurance to achieve a greater level of consistency in VRM processes.
  • 20% reduction in FTE
    Within just 12 weeks, the MetricStream solution helped Zurich Insurance realize 20% efficiency savings in VRM.
