One of the World’s Largest Insurance and Reinsurance Providers Streamlines and Integrates Their IT GRC Program
The Client: Leading property and casualty insurer with operations in multiple countries.
With IT GRC data scattered across multiple organizational systems, the client struggled with a lack of sufficient visibility into their IT GRC program, as well as data redundancies, and spiraling costs. The MetricStream IT GRC Solution enabled them to integrate their IT GRC processes in a single system, while also streamlining and automating workflows. The result was a stronger IT GRC program with better efficiency and better data visibility.
After evaluating multiple IT GRC solution providers, the client chose MetricStream to provide a single, integrated solution that would help them manage a range of IT GRC needs, including security, policy management, IT risk and IT control frameworks, compliance assessments, continuous monitoring, certifications, and reporting.
Using the MetricStream Solution, the client has been able to streamline, automate, and standardize their IT GRC processes and controls, thereby improving productivity, and saving both costs and time. The Solution scales across the enterprise, integrating fragmented IT GRC activities and data in a single point of reference. This holistic approach facilitates efficient utilization of IT resources, and minimizes redundancies in effort. It also helps ensure that the company’s resources are focused on the IT risk and compliance issues that have the most urgency and potentially, the greatest impact on the business.
Below are the key capabilities of the IT GRC Solution that are benefiting the client:
Centralized IT GRC Information Repository
The MetricStream Solution offers a central repository to maintain all IT risk and control assessments, as well as IT controls, standards, policies, and documents. The underlying flexible data model helps in mapping these data entities together in a many-to-many fashion. Integrated across the enterprise, the web-based repository makes it easy for users across locations to quickly browse, locate, and compare IT GRC information through intuitive data search and access tools.
Mapping of IT Compliance and Controls
The Solution enables the client to define and maintain a centralized, highly mapped structure of their IT compliance and control hierarchy, including IT assets and processes, associated risks, controls to mitigate the risks, and programs to assess the controls. The Solution also links associated policies, procedures, reporting requirements, and regulatory filing templates and schedules. This flexible relational data model enables the client to better understand the relationships between various IT GRC data elements and the way they all tie together to impact the business.
Integration with Unified Compliance Framework
The Solution integrates with the Unified Compliance Framework (UCF) – a comprehensive library that maps more than 9,000 IT control statements to more than 1,200 regulations, standards, and frameworks, including PCI DSS, COBIT, and SOX. Through the UCF integration, the client has been able to harmonize IT controls, minimize redundancies, and simplify compliance with regulations and standards.
The UCF content Includes: 9,300+ Control Statements, Audit Guidelines, Citations, Configurable Items (CIs), Policy Statement Content, Research Sites List, Authority Documents List, Metrics, Roles Definitions, Monitored Events, and Compliance Document Templates.
Control Surveys and Self-Assessments
The Solution facilitates a systematic and consistent approach to IT control surveys and self-assessments. Users can easily create survey questionnaires using the intuitive forms and workflows in the Solution. The surveys are then distributed to the relevant personnel with the help of automated alerts and notifications sent out by the Solution. Once the respondents fill in the survey, the data is routed by the Solution for review and approval.
Certifications and Issue Tracking
Through the MetricStream Solution, certification and sub-certification tasks can be triggered to various control owners. Users can select multiple controls while setting up the certification plans. During the certification process, compliance managers can view the tasks and test results across the enterprise in real time. They can also track all open and outstanding control issues, as well as planned corrective actions.
The MetricStream Solution is equipped with powerful dashboards, heat maps, and scorecards which provide a comprehensive, real-time view of the client’s IT GRC program. Drill-down capabilities enable the client to view data at finer levels of detail, and identify areas of concern and opportunity. The Solution also generates IT compliance and risk status reports for multiple regulations and frameworks at the departmental level, business division level, and organizational level.
Faced with an increasing range of IT regulations, legislations, and partner mandates, the client realized that they needed a new approach to IT GRC. Without a single, unified IT GRC system, they couldn’t address the full gamut of IT compliance and risk needs in an integrated and cost-effective manner.
Most of their data around IT compliance, assets, risks, controls, and policies was scattered across various systems, inboxes, and devices. Not only did this fragmented approach make it difficult for users to find and locate the information they needed, but it also created additional costs and complexities in terms of managing multiple disparate systems.
The other challenge resulting from these data siloes was that content such as IT controls ended up being duplicated across multiple business functions, creating confusion and inefficiencies. Often, users would find so many versions of the same document that they weren’t able to identify which one was most recent.
Adding to the challenge, multiple company mergers and acquisitions resulted in a maze of disparate and disconnected IT systems. Managing IT GRC requirements across this ecosystem became increasingly complex and time-consuming, especially because most IT GRC processes were performed in a highly manual and siloed manner.
A Stronger, More Integrated IT GRC Program
The MetricStream Solution has replaced various, siloed IT compliance and control systems with a single, integrated solution to manage and track multiple IT GRC processes. The Solution aligns IT GRC with the client’s overall GRC program, facilitating a holistic approach that benefits the bank, as well as its customers and stakeholders. In addition, the Solution enables the company to effectively manage IT assets by proactively aggregating and correlating threats and vulnerabilities from across information sources.
Improved Efficiency through Automation
By streamlining and automating multiple IT GRC workflows, the Solution accelerates IT control assessments, issue management, and other IT GRC processes. It also helps the client save time, enhance efficiency, and divert valuable resources to more critical processes.
Control Harmonization, Minimization of Redundancies
The Solution leverages MongoDB-based connectors to upload content from the UCF framework. By integrating with UCF data, the client has been able harmonize IT controls across the enterprise, and thereby minimize duplication of control data and other inefficiencies.
Built on the MetricStream GRC Platform, the Solution provides a single toolset to manage an extensive range of IT GRC requirements. It acts as the nucleus of the IT GRC program, cutting across organizational siloes, and allowing stakeholders to easily collaborate and share data.
The MetricStream Solution rolls up IT GRC data in real time, enabling stakeholders to slice and dice the data based on various parameters, and derive the risk intelligence needed to make informed decisions. The Solution also helps ensure the security of information through time-stamped audit trails, role-based access controls, electronic signatures, and robust password management.