Discover how MetricStream enabled Bank of Tanzania to establish a long-term GRC program that touches all dimensions of the organization and drives significant efficiencies while reducing risk. In the process the bank became one of the pioneers in the region to implement a large-scale GRC project.
Financial services organizations face complex, multi-faceted risk environments. Exponential growth and change in regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, disruptive technology, legacy technology, and business data encumber financial services organizations of all sizes. Managing complexity, keeping change in sync, and keeping risk managed in this context is a significant challenge for boards, executives, and governance, risk management, and compliance (GRC) professionals throughout the business.
The modern financial services organization is:
The components of governance, risk management, and compliance fail when managed in isolation. The decentralized, disconnected, and distributed systems of the past catch the financial services organization off guard to risk and expose the organization. The complexity of the business and the intricacy and interconnectedness of GRC data require that the financial services organization take an integrated approach to GRC. Dissociated data, systems, and processes leave the organization with fragments of truth that fail to show the big picture of performance, risk, and compliance across the enterprise. This is the problem: financial services organizations are so dynamic and changing, and so knee-deep in risk and compliance checkboxes and remediation, that they cannot devote sufficient resources to the ‘change’ agenda. This is complicated by the exponential effect of risk on the business.
Managing GRC activities in disconnected silos leads the financial services organization to inevitable failure. Reactive, document-centric and manual processes for GRC fail to actively manage risk in the context of business strategy and performance, and leave the organization blind to intricate relationships of risk across the organization. Siloed GRC initiatives never see the big picture and fail to put GRC in the context of business strategy, objectives and performance, resulting in complexity, redundancy, and failure. The organization is not thinking about how GRC processes and controls can be designed to meet a range of risk and compliance needs. An ad hoc approach to GRC results in poor visibility across the organization and its control environment, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches risk in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about risk and understand its impact on the organization.
A nonintegrated approach to GRC impacts business performance and how it is managed and executed, resulting in:
The Bottom Line: The Governance, Risk Management, and Compliance architecture is about the interactions and relationships of cause and effect across the various platforms supporting the business. As a result, it fails when risk issues are addressed as a system of parts rather than as a collective whole. A complete situational and holistic awareness of GRC is required across all operations, processes, relationships, systems, transactions, and data in order to see the bigger picture of risk and its cascading impact on organizational performance and strategy.
The Bank of Tanzania is the central bank of the United Republic of Tanzania and is responsible for issuing the national currency, the Tanzanian shilling. The bank is governed by a Board of Directors headed by its Governor, who is assisted by three deputy governors for Administration, Economic and Financial Policies, and Financial Stability.
For years, the bank had a fragmented, manual, siloed, document- and spreadsheet-based approach to managing risk, compliance, audit, policies, and issues. This approach led to inconsistencies in risk data which, in turn, made it difficult to analyze risks at the enterprise level. The variety of siloed repositories, spreadsheets, and unassociated databases made it impossible to aggregate data at the enterprise level to drive risk-based decisions.
The bank struggled with the lack of a formal risk management process. Business units were managing their risks in an informal approach. It was difficult to calculate the exact cost for risk management in terms of time, money, and other resources. Overall, the bank was incurring high costs on compliance and audit follow-ups as well as costs on contract initiation. It was taking the bank around four weeks to review contract documents, around three weeks to respond to audit findings and issues, and around three weeks to perform risk assessments and reporting.
The lack of an integrated GRC framework made it impossible to model and map complex organizational hierarchies and structures, with every department and business line working in silos. The absence of collaboration and communication channels made it challenging for teams to work together. With GRC information trapped in scattered documents and databases, it was not possible to integrate with existing enterprise and third-party systems to pull and push the data needed to manage GRC. This resulted in a lack of visibility into the enterprise risk and compliance management process.
Silos of GRC processes were as follows:
With the Bank of Tanzania constantly facing challenges with this approach, and in order to stay relevant in a highly dynamic banking environment, the bank decided to adopt a federated approach to managing its GRC operations. After evaluating several GRC solutions, it decided to go with MetricStream’s enterprise GRC platform to build a strong risk culture and enhance its brand and reputation. After the successful implementation of MetricStream’s Integrated GRC solution, the bank has become one of the pioneers in the region to implement a large-scale GRC project.
The bank’s goal was to implement an integrated GRC program to automate its day-to-day GRC-related activities. The project objective was to automate manual GRC activities across the bank in a more efficient, streamlined, and integrated manner and to ensure that the bank would adopt a paperless approach to executing all of its GRC activities.
Prior to implementation of the project, MetricStream and the bank conducted a joint project risk analysis, producing a project risk register with mitigation strategies. This was a tool that helped all project stakeholders track risks and manage them in a timely manner. The risks were regularly reviewed in technical and steering meetings that discussed progress, analyzed challenges, and decided how to resolve them. With this approach the team managed to implement the project and meet all objectives within the preset time, with the expected quality, and within budget.
Right at the start of the engagement, the project teams from MetricStream and the bank worked closely and carefully to map out the requirements of the project in detail. The teams meticulously listed the requirements and mapped them to MetricStream’s App capabilities. This ensured that all requirements were met by the MetricStream Apps with minimal customization, resulting in Phase I of the project being completed in a record time of six months. To increase the speed of the implementation and to reduce multiple back-and-forth interactions, MetricStream consultants were present on the client’s premises, which helped the team minimize telephone- and internet-based communication and increase face-to-face interaction.
The suite of MetricStream apps implemented in a single MetricStream solution included:
The short-term benefits the bank achieved in the first year of implementation were:
The projected ongoing long-term benefits for the bank over three to five years are:
GRC is an integrated capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].1 Successful GRC strategies deliver the ability to effectively mitigate risk, meet requirements, satisfy auditors, achieve human and financial efficiency, and meet the demands of a changing business environment. GRC solutions should produce stronger processes that use accurate and reliable information. This enables a better-performing, less costly, and more flexible business environment.
GRC 20/20 measures the value of GRC initiatives around the elements of efficiency, effectiveness, and agility. Organizations looking to achieve GRC value will find that the results are:
GRC 20/20 has evaluated and verified the implementation of MetricStream at the Bank of Tanzania and confirms that this implementation has achieved measurable value across the elements of GRC efficiency, effectiveness, and agility. In this context, GRC 20/20 has recognized MetricStream and the Bank of Tanzania with a 2016 GRC Value Award in the domain of Enterprise GRC.
Using MetricStream, the Bank of Tanzania has been able to identify both quantitative (hard, objective facts and figures) and qualitative (soft, subjective opinions and experience) measures of value as they pertain to the human and financial efficiencies from which it has benefited. These include:
Using MetricStream, the bank has identified both quantitative and qualitative measures of value as they pertain to the effectiveness of enterprise GRC from which it has benefited. These include:
Using MetricStream, the bank has identified both quantitative and qualitative measures of value as they pertain to the agility of enterprise GRC from which it has benefited. These include:
The greatest strength of this case study is the building of a successful integrated GRC framework across the Bank of Tanzania, which acts as the nucleus for the variety of risk, compliance, audit, policy, issue, and business continuity management processes. These were previously managed in silos and as separate programs, creating inefficiencies across the organization. This implementation of MetricStream has increased situational awareness of GRC within the bank, enabled employees to engage in GRC, and is the backbone of the creation of a risk-aware culture across the bank. An integrated GRC approach with MetricStream’s GRC platform enables the bank to establish long-term GRC oversight that touches all dimensions of the organization and drives significant efficiencies while reducing risk. The bank now has in place a robust infrastructure to address GRC issues in a collaborative and efficient manner, integrated with the overall business objectives of the organization.
After the successful implementation of MetricStream’s Integrated GRC solution, the bank has become one of the pioneers in the region to implement a large-scale GRC project. This has underscored the bank’s responsibility towards all its stakeholders and has set an example for other banks and companies in the region to start building GRC programs in their own organizations.
GRC 20/20 Research, LLC (GRC 20/20) provides clarity of insight into governance, risk management, and compliance (GRC) solutions and strategies through objective market research, benchmarking, training, and analysis. We provide objective insight into GRC market dynamics, technology trends, the competitive landscape, market sizing, expenditure priorities, and mergers and acquisitions. GRC 20/20 advises the entire ecosystem of GRC solution buyers, professional service firms, and solution providers. Our research clarity is delivered through analysts with real-world expertise, independence, creativity, and objectivity, who understand GRC challenges and how to solve them practically and not just theoretically. Our clients include Fortune 1000 companies, major professional service firms, and the breadth of GRC solution providers.
GRC 20/20 research reports are written by analysts with hands-on experience selecting and implementing GRC solutions. GRC 20/20 evaluates all GRC solution providers using consistent and objective criteria, regardless of whether or not they are a GRC 20/20 client. The findings and analysis in GRC 20/20 research reports reflect analyst experience, opinions, and research into market trends, participants, expenditure patterns, and best practices. Research facts and representations are verified with client references to validate their accuracy. GRC solution providers are given the opportunity to correct factual errors, but cannot influence GRC 20/20 opinion.