The Client: A Leading Cooperative Bank
Today, information technology lies at the very heart of banking operations. From customer relationship management, to clearing and settlements, to fund transfers, IT has enabled banks to efficiently meet the demands of a growing customer base. Yet the associated risks are high. IT security issues such as network vulnerabilities, blended threats, advanced persistent threats, sophisticated malware and electronic rogue trading are only growing more widespread and complex.
These risks can have a cascading effect on an institution such as this customer, which supports a number of other financial institutions. Compounding the challenge are the myriad IT regulatory norms that are only becoming more complex, extensive and demanding. In this high-pressure scenario, an integrated, automated approach offers a way to effectively address IT risk and compliance requirements, while protecting stakeholders, customers and profits.
As a customer-focused organization, the bank already had robust systems and processes in place to effectively address IT risks and compliance requirements. But as the IT-GRC landscape grew more complex, and regulations and risks grew more intertwined, the bank felt the need to replace its manual, ad hoc systems with an integrated, streamlined and automated framework.
Considering the drawbacks of its existing IT-GRC processes, the bank wanted a centralized system that could integrate, streamline and automate the complete spectrum of IT-GRC processes across the enterprise. The system was also required to integrate with other GRC initiatives, and form a cohesive, federated framework that could adapt and scale up to future GRC requirements.
After considering several solution providers, the bank selected MetricStream solutions for their integrated, rich and flexible capabilities that were the right fit for the bank’s requirements. The bank also valued MetricStream’s deep domain expertise in the banking industry, compared to other vendors.
MetricStream provided the bank with a comprehensive solution for IT-GRC, Policy Management, Risk Management and SOX Compliance. Integrated on the MetricStream GRC Platform, the solution provides a centralized framework to simplify GRC management and align it with the bank’s core business strategy.
The MetricStream IT-GRC solution was rolled out in a record time of four weeks. The bank has already started seeing benefits from the following modules.
IT Policy Management: MetricStream Policy Management Solution provides a centralized repository for all IT policies, and streamlines the development, maintenance and communication of these policies across the enterprise.
The solution also enables the bank to integrate the IT policy and procedure repository, and the IT compliance, risk and control framework. At each section and sub-section of the policy, risks and controls can be linked.
To help the bank’s employees become more aware of IT policies, the MetricStream solution provides powerful capabilities for implementing policy training. It ensures that training requirements are fully met and recorded from an IT compliance policy standpoint. It also provides employees with easy access to a variety of training programs, guidance documents, policies, procedures, regulations and standards.
IT Risk Management: MetricStream has provided the bank with a centralized IT risk management solution to streamline and automate end-to-end risk management processes and workflows, from risk identification, assessment and scoring, to risk mitigation and reporting.
The solution helps create a centralized repository of IT risks and controls which are mapped to business risks and compliance requirements to provide a complete context. Configurable risk scoring methodologies and flexible what-if analyses help assess IT risks, and prioritize responses for optimal risk/reward outcomes. A library of risk assessment questions enables surveys and questionnaires to be created for periodic risk reviews, fraud assessments and compliance.
Using the solution, the bank can design and implement controls based on the embedded COBIT framework. The solution links risks, controls and policies for a better understanding of their relationship and optimal monitoring.
Predefined or customized risk reports, heat maps and dashboards provide in-depth insights into the bank’s IT risk profile and Key Risk Indicators, highlighting issues that need to be addressed. Automated alerts for events such as exceptions and failures eliminate any surprises, and make the IT compliance processes predictable.
IT Compliance Management: MetricStream IT Compliance Management Solution enables the bank to maintain a centralized framework of the overall IT compliance and control hierarchy, including processes and assets, associated risks, policies and procedures, mitigating controls, risk-control assessments and reporting requirements.
A comprehensive library of regulations and standards mapped to standardized controls helps the bank manage IT compliance complexities by choosing the most appropriate control. Control assessments can be scheduled periodically or on an ad hoc basis. They can be carried out based on predefined criteria and checklists, with a mechanism for scoring, tabulating and reporting results. Self-assessments and surveys can also be managed in a consistent, reliable and predictable manner.
The system ensures accountability by enabling self-assessments to be carried out independently at an individual level, while rolling up the information to the executive level to be viewed, approved and certified for compliance.
A centralized repository of all control assessments with an easy search capability ensures that IT audit groups can provide evidence of compliance to external auditors.
IT Audit Management: MetricStream IT Audit Management Solution streamlines and automates the bank’s complete IT audit lifecycle, from audit planning and scheduling, to audit implementation, to review of results and reporting. Automatic notifications keep the process on track, and help ensure that audits are completed within schedule.
The system supports risk-based IT auditing, enabling the bank to prioritize its audits for maximum efficiency and efficacy. It integrates with third-party tools to gather risk and vulnerability information of various IT systems, which can then be used to prioritize risks and plan audits.
The solution also helps delegate responsibilities, and assigns resources for optimal efficiency. With built-in workflows, it enables the bank’s auditors to record both qualitative and quantitative findings. These findings are then automatically routed for review and subsequent action. Built-in workflows enable remediation actions to be initiated, or follow-up audits to be scheduled. At every stage, dashboards and flexible reports provide visibility into the audit process with statistics, audit data, histories and the remediation actions triggered.
IT Issue Management: MetricStream IT Issue Management Solution integrates with existing Threat, Vulnerability, Configuration Compliance, Identity and Access Governance, and Security Information and Event Management systems to enable incidents and issues to be routed for further investigation or resolution.
The solution captures detailed information about the issue, categorizes it and supports correlation with past data for a quick analysis and decision on remedial action. It also routes the issue to the authorized personnel for review and analysis. Automatic alerts keep the process on track, and help ensure that the case is taken forward to closure.
Managers can track the status of each incident through graphical dashboards and reports with drill-down capabilities.