Case Study

Fast-Growing Mid-Sized Financial Services Institution Unifies Risk Processes, and Harmonizes Risk Language across the Enterprise

The Client: A Leading Mid-sized Financial Services Institution



The client is a well-capitalized organization, poised for rapid growth. Yet, like many other mid-sized financial services institutions, the client faces the challenge of balancing numerous complex risks and regulatory compliance pressures with limited resources and lean IT infrastructure. Moreover, the organization’s operations are dispersed across multiple locations, making it difficult to harmonize risk taxonomies, or consolidate risk reports in a cohesive top-level risk view.

In deciding to upgrade their risk management infrastructure, the client chose MetricStream due to the company’s extensive track record in successfully enhancing risk management programs for multiple mid-sized financial services institutions. MetricStream implemented its risk management solution for the client, helping them integrate enterprise-wide risk management processes and data in a centralized, Web-based framework that has improved top-level risk visibility, and enhanced collaboration on risk-control self-assessments, risk mitigation, issue remediation, and risk reporting.

The solution integrates with a predefined risk and control library from RiskBusiness, a leading international risk advisory firm with proven experience in designing and delivering leading risk practices. RiskBusiness’ content has enabled the client to establish standardized and consistent risk taxonomies and Key Risk Indicators (KRIs) based on industry standards and best practices.

The solution was deployed within a matter of weeks due to the flexibility of the MetricStream GRC Cloud. MetricStream added further value by calling in its risk experts to closely guide the client in strengthening their risk management program based on industry best practices.


MetricStream Risk Management Solution has provided the client with a single, centralized system to identify and assess risks and controls, investigate and remediate any issues that arise, and roll up risk data from across business units and locations to support decision-making at the enterprise level. The solution also offers access to RiskBusiness’ pre-loaded risk library which has helped the client centralize and harmonize risk definitions across the enterprise.

Below are the capabilities of the MetricStream solution:

Risk-Control Self-Assessments (RCSAs)

The solution supports RCSAs at multiple levels of the client organization, including the corporate level, business unit level, and process level. These assessments, which are based on configurable methodologies and algorithms, provide a clear view into the client’s risks, enabling the risk management team to determine the most appropriate risk mitigation and control strategies.

The solution streamlines the entire RCSA lifecycle - right from planning and scheduling, to implementation, review and approval, and reporting. It also supports both quantitative and qualitative risk scoring based on various factors, including risk impact and likelihood. Users at various levels of the organization can independently assess their risks, leaving the solution to automatically consolidate and roll up the data for enterprise-level risk reporting and analysis. Meanwhile, powerful risk analytics coupled with graphical dashboards enable the client to closely track each stage of the RCSA in real time, and proactively spot recurring issues.

Centralized Risk Library

Through the MetricStream solution, the client can access the RiskBusiness taxonomy library (an online encyclopedia of standard operational risk classification structures) as well as a KRI library (a framework of 2,000 pre-defined operational risk indicators). MetricStream seamlessly mapped these libraries to the client organization’s hierarchy, structures, risk categories, and business functions/activities. The client has thus been able to standardize their risk language across departments, business units, and locations, and enhance their ability to report and interpret risk data.

Issue Management

Any issues that arise from risk assessments, audits, or other risk processes are routed by the MetricStream solution through a systematic process of investigation, root cause analysis, and remediation. Automatic notifications and alerts keep the process on track, helping the client ensure that each issue is closed in a timely manner. At every stage, the status of issue management action can be tracked in real time.

Risk Reporting

Powerful dashboards, charts, score cards, and heat maps in the MetricStream solution provide quick and real-time insights on risk management, while highlighting high-risk areas. The solution also provides flexible reporting capabilities that automatically consolidate risk data, and populate predefined reporting templates. Users can efficiently track risk profiles (at various levels of the organization), results of RCSAs, control ownership, issues, successes, failures, and trends. The ability to drill down helps the client view risk and control data at finer levels of detail.


Before implementing the MetricStream solution, the client encountered the following challenges:

  • Limited resources: Since the risk management team consisted of just two people, the Chief Risk Officer (CRO) and the Enterprise Risk Management (ERM) manager, it became increasingly difficult to manage and track all risk-related processes and data, especially as operations scaled up.
  • Siloed risk management: The client had operations across various locations, and each office used its own independent systems and processes to assess risks. It was challenging to consolidate and monitor these risks at the enterprise level without a centralized system.
  • Increasing regulatory pressure: Being in the highly regulated financial services industry, the client has to comply with a number of regulatory requirements from authorities such as the Consumer Financial Protection Bureau (CFPB) and Office of the Comptroller of the Currency (OCC). Meeting these requirements efficiently called for a more advanced risk management system.
  • Manual limitations: Most risk management processes such as risk scoring were managed manually using paper-based documents and spreadsheets. This approach was time-consuming and inefficient, besides being prone to the risk of human error.
  • Need to standardize and harmonize risk taxonomies: As part of their risk program upgrade, the client wanted to synchronize risk and control definitions and relationships across the organization. Yet without a set of guidelines, they would have to painstakingly research and create their own risk taxonomies.

Why MetricStream Was Selected

The client chose MetricStream for the following reasons:

  • MetricStream brings to the table a track record and industry expertise that spans both large and mid-sized financial services organizations - its solutions are being leveraged by some of the biggest and best-known firms, as well as leading mid-sized companies in the financial services industry.
  • The MetricStream solution integrates with the comprehensive and industry-leading RiskBusiness risk library.
  • Not only does MetricStream provide advanced solutions, but it also guides organizations in building a formal and robust ERM program based on industry best practices.
  • The MetricStream solution is flexible (can be mapped to each organization’s unique structures and requirements), as well as sustainable.
  • The underlying GRC platform is extensible, so that other MetricStream solutions can be seamlessly integrated - the client is already keen to implement MetricStream solutions for Operational Risk Management (ORM), compliance management, and audit management.


  • A single system to manage disparate risk processes
    The MetricStream solution provides a single point of reference for the client to streamline and consolidate the entire range of risk management processes across 22 users located in different business units and locations. This integrated approach has improved risk process coordination, information-sharing, and risk visibility.
  • Harmonized risk content
    The RiskBusiness library embedded in the MetricStream solution has helped the client develop a common and consistent risk taxonomy. Therefore, despite the variations in risk assessment processes and methodologies across business units, all the risk data is reported using the same risk vocabulary. This makes it easier for the risk management team to analyze risk data at the enterprise level, and identify areas of concern or opportunity.
  • Improved risk visibility and maturity
    The MetricStream solution seamlessly rolls up risk assessment data from across the enterprise to the top-level risk management team, thereby providing a complete understanding of organizational risk. The solution also supports quick recognition of potential high risk or medium risk areas, so that the appropriate response can be determined proactively and effectively. As a result, the client can manage risk on par with the best in the industry, and strengthen regulatory compliance, despite having fewer resources than their larger industry counterparts.
  • Accelerated and efficient risk processes
    Risk process automation, enabled by the MetricStream solution, has alleviated the risk management team’s burden of administrative tasks such as notifying users about risk assessment schedules, or populating risk reports with findings. Since these processes are automated, the risk management team is free to concentrate on more important activities such as risk analysis and mitigation.
  • Better preparedness for regulatory examinations
    By enabling a structured and consistent approach to risk management, the MetricStream solution has helped the client be better prepared for regulatory examinations and oversight. Moreover, since all risk related data is stored in a centralized repository, the client can quickly and easily respond to regulatory requests for information, and show evidence of the effectiveness of their risk management processes.
  • Quick time-to-value
    The solution was deployed over MetricStream GRC Cloud - a cutting-edge private cloud infrastructure with robust security - which has enabled the client to realize faster time to value, as well as increased agility and low total cost of ownership.
