The Client: A Leading Cooperative Bank


Today, information technology lies at the very heart of banking operations. From customer relationship management, to clearing and settlements, to fund transfers, IT has enabled banks to efficiently meet the demands of a growing customer base. Yet the associated risks are high. IT security issues such as network vulnerabilities, blended threats, advanced persistent threats, sophisticated malwares and electronic rogue trading are only growing more widespread and complex.

These risks can have a cascading effect on an institution such as the customer’s which supports a number of other financial institutions. Compounding the challenge are the myriad IT regulatory norms that are only becoming more complex, extensive and demanding. In this high pressure scenario, an integrated, automated approach offers a way to effectively address IT risk and compliance requirements, while protecting stakeholders, customers and profits.

As a customer-focused organization, the bank already had robust systems and processes in place to effectively address IT risks and compliance requirements. But as the IT-GRC landscape grew more complex, and regulations and risks grew more intertwined, the bank felt the need to replace its manual, ad hoc systems with an integrated, streamlined and automated framework.

Download the Case Study


Considering the drawbacks of its existing IT-GRC processes, the bank wanted a centralized system that could integrate, streamline and automate the complete spectrum of IT-GRC processes across the enterprise. The system was also required to integrate with other GRC initiatives, and form a cohesive, federated framework that could adapt and scale up to future GRC requirements.

After considering several solution providers, the bank selected MetricStream solutions for their integrated, rich and flexible capabilities that were the right fit for the bank’s requirements. The bank also valued MetricStream’s deep domain expertise in the banking industry, compared to other vendors.

MetricStream provided the bank a comprehensive solution for IT-GRC, Policy Management, Risk Management and SOX Compliance. Integrated on MetricStream GRC Platform, the solution provides a centralized framework to simplify GRC management and align it with the bank’s core business strategy.

MetricStream IT-GRC solution was rolled out in a record time of four weeks. The bank has already started seeing benefits from the following modules.

IT Policy Management: MetricStream Policy Management Solution provides a centralized repository for all IT policies, and streamlines the development, maintenance and communication of these policies across the enterprise.

The solution also enables the bank to integrate the IT policy and procedure repository, and the IT compliance, risk and control framework. At each section and sub-section of the policy, risks and controls can be linked.

To help the bank’s employees become more aware of IT policies, MetricStream Solution provides powerful capabilities for implementing policy training. It ensures that training requirements are fully met and recorded from an IT compliance policy standpoint. It also provides employees with easy access to a variety of training programs, guidance documents, policies, procedures, regulations and standards.

IT Risk Management: MetricStream has provided the bank a centralized IT risk management solution to streamline and automate end-to-end risk management processes and workflows, from risk identification, assessment and scoring, to risk mitigation and reporting.

The solution helps create a centralized repository of IT risks and controls which are mapped to business risks and compliance requirements to provide a complete context. Configurable risk scoring methodologies and flexible what-if analyses help assess IT risks, and prioritize responses for optimal risk/reward outcomes. A library of risk assessment questions enables surveys and questionnaires to be created for periodic risk reviews, fraud assessments and compliance.

Using the solution, the bank can design and implement controls based on the embedded COBIT framework. The solution links risks, controls and policies for a better understanding of their relationship and optimal monitoring.

Predefined or customized risk reports, heat maps and dashboards provide in-depth insights into the bank’s IT risk profile and Key Risk Indicators, highlighting issues that need to be addressed. Automated alerts for events such as exceptions and failures eliminate any surprises, and make the IT compliance processes predictable.

IT Compliance Management: MetricStream IT Compliance Management Solution enables the bank to maintain a centralized framework of the overall IT compliance and control hierarchy, including processes and assets, associated risks, policies and procedures, mitigating controls, risk-control assessments and reporting requirements.

A comprehensive library of regulations and standards mapped to standardized controls helps the bank manage IT compliance complexities by choosing the most appropriate control. Control assessments can be scheduled periodically or on an ad hoc basis. They can be carried out based on predefined criteria and checklists, with a mechanism for scoring, tabulating and reporting results. Self-assessments and surveys can also be managed in a consistent, reliable and predictable manner.

The system ensures accountability by enabling self-assessments to be carried out independently at an individual level, while rolling up the information to the executive level to be viewed, approved and certified for compliance.

A centralized repository of all control assessments with an easy search capability ensures that IT audit groups can provide evidence of compliance to external auditors.

IT Audit management: MetricStream IT Audit Management Solution streamlines and automates the bank’s complete IT audit lifecycle, from audit planning and scheduling, to audit implementation, to review of results and reporting. Automatic notifications keep the process on track, and help ensure that audits are completed within schedule.

The system supports risk-based IT auditing, enabling the bank to prioritize its audits for maximum efficiency and efficacy. It integrates with third-party tools to gather risk and vulnerability information of various IT systems, which can then be used to prioritize risks and plan audits.

The solution also helps delegate responsibilities, and assigns resources for optimal efficiency. With built-in workflows, it enables the bank’s auditors to record both qualitative and quantitative findings. These findings are then automatically routed for review and subsequent action. Built-in workflows enable remediation actions to be initiated, or follow-up audits to be scheduled. At every stage, dashboards and flexible reports provide visibility into the audit process with statistics, audit data, histories and remediation action triggered.

IT Issue Management: MetricStream IT Issue Management Solution integrates with existing systems for Threat, Vulnerability, Configuration Compliance, Identity and Access Governance, Security Information and Event Management systems to enable incidents/issues to be routed for further investigation or resolution.

The solution captures detailed information about the issue, categorizes it and supports correlation with past data for a quick analysis and decision on remedial action. It also routes the issue to the authorized personnel for review and analysis. Automatic alerts keep the process on track, and help ensure that the case is taken forward to closure.

Managers can track the status of the incident through graphical dashboards and reports with drill-down capabilities.


Limited efficiency, highly prone to manual errors: The bank managed its IT risk and compliance requirements through manual paper-based processes. Spread sheets, emails and phones were used to record and store data, track trends, prepare reports and conduct the entire plethora of required IT GRC activities. This was neither an efficient nor simple approach. In fact, it required substantial time, resources and manpower, considering the size of data, and number of systems and controls that had to be analyzed and documented.

Need for more security: The bank, deeply committed to protecting the security and confidentiality of its data and processes, had implemented a number of security controls. But without a unified view of security threats and associated risks, the bank found it difficult to manage myriad vulnerabilities, and ensure timely remediation.

Siloed IT-GRC processes: Given the vast scope of GRC, the bank found it easier to manage risks, IT-GRC, SOX compliance and other related processes in separate silos. However, SOX compliance and IT-GRC in particular, share common controls regarding the privacy and security of information. The approach of managing them in separate initiatives resulted in redundant or duplicate controls and control assessments which, in turn, consumed costs and resources that could have been more profitably utilized elsewhere.

Lack of a central data repository: As the bank managed its various GRC programs in separate silos, there was no centralized repository to store enterprise-wide data. Each department would have its own pockets of data related to IT risk, audits or compliance. Therefore, it was complex and tiresome for IT-GRC personnel to locate the required control assessments, policies, guidelines, compliance data and other GRC related information.

Limited collaboration: Information technology is used across departments and business units. Therefore, managing the risks associated with them requires consistent and seamless collaboration. However, the lack of a centralized IT-GRC management system in the bank limited the collaboration between various enterprise entities.

Regulatory pressures: The bank is required to comply with a multitude of IT regulations including ISO 27002, PCI DSS, Basel III, SOX and NIST. Each of these regulations comes with a plethora of requirements. Creating, assessing and monitoring controls to comply with these requirements are complicated tasks, involving consistent attention, and tremendous resources, time and effort.

Why the company selected MetricStream?

Unified Framework: The MetricStream solution provides an integrated, automated and sustainable approach to IT-GRC.

Usability: The bank liked the easy and intuitive user interface which enabled them to perform tasks in simple steps.

Content support: The solution provides content support for most standards, policies and procedures harmonized with the desired compliance and regulatory framework.

Alignment with Business and IT: The solution provides the business intelligence required to inform IT strategy, and align IT-GRC with enterprise governance

Domain understanding: MetricStream is backed by a successful track record of supporting large banks in terms of integration, configurability, scalability and security

Scalability: MetricStream architecture can be extended to other areas of GRC, if required. The bank intends to scale this initiative in the coming years.


  • Improved IT-GRC management:
    MetricStream solution enables the bank to streamline and integrate multiple processes and systems, for a closed-loop, systematic and sustainable approach to IT-GRC. The solution also aligns IT-GRC with the bank’s overall GRC strategies for a cohesive, business-focused approach that benefits not only the bank, but its customers and stakeholders.
  • Process automation:
    MetricStream IT-GRC Solution automates end-to-end workflows, thereby enabling the bank to accelerate risk-control assessments, issue remediation and other critical GRC processes. More importantly, MetricStream’s automated capabilities enable the bank to save time, enhance efficiency, and divert valuable resources to other aspects of IT management.
  • Enhanced security:
    MetricStream solution is well-equipped to ensure the security of information through time-stamped audit trails, role-based access controls, electronic signatures and password management. Automated capabilities help eliminate the human error element.
  • Minimized redundancies, improved collaboration:
    MetricStream IT-GRC solutions are built on the MetricStream platform which extends across the enterprise, and enables the bank to manage all its GRC requirements from a single point of reference. The platform acts as the nucleus of the bank’s IT-GRC program, cutting across organizational silos for seamless collaboration between entities. It also integrates and streamlines end-to-end workflows, eliminating duplicate controls and redundant GRC activities.
  • Centralized information repository:
    MetricStream solution is equipped with a central repository for risks and control assessments, a library of controls and standards, and a policy/document management system. Integrated across the enterprise, this centralized framework of information provides easy access and search capabilities, and enables personnel to quickly locate and compare information for operational effectiveness.
  • Enhanced visibility:
    MetricStream solution is equipped with powerful dashboards, heat maps and scorecards which provide a complete, real-time view of the bank’s IT-GRC status. Drill-down capabilities enable the data to be viewed at finer levels of detail which, in turn, provide top management with the business intelligence required to make informed strategic decisions.

Get a demo Download RFP Template Pricing Contact