Previously, the bank didn’t have clear GRC processes and workflows to manage risk and compliance initiatives. Neither did they have a common risk taxonomy. Foundational GRC elements, including risks, regulations, controls, processes, assets, and organizations were not clearly documented.
Determined to close these gaps, the bank adopted a streamlined and integrated approach to GRC, enabled by the MetricStream GRC Platform and integrated solution. The solution was rolled out in a phased manner, beginning with business continuity management, followed by operational risk management, compliance management, policy management, and internal audit.
With capabilities for BCM, ORM, compliance management, policy management, and audit management, the fully integrated GRC solution has allowed the bank to build a best-in-class GRC program that offers management teams timely visibility into risk and compliance.
Before the MetricStream solution, the bank’s readiness for business continuity management (BCM) had already been fairly high because they had an established business impact analysis (BIA) process, as well as an existing inventory of critical processes and clearly defined workflows.
The MetricStream solution took their approach further by automating BCM processes, while also amplifying their business value. For instance, earlier, the bank had qualitative methods to evaluate their recovery time objective (RTO), but now with the MetricStream solution, they have a clear scientific process to determine their RTO.
The solution’s crisis management functionality provides powerful support for users to declare, report, and follow a crisis to closure. It also provides capabilities for emergency mass notifications, enabling the bank to communicate effectively before, during, and after a crisis.
The solution supports more than 1,000 business-critical processes, while also enabling the bank to clearly identify the critical assets related to those processes.
Improved the bank’s understanding of risk through qualitative and quantitative risk assessments, control self-assessments, and KRIs
Enhanced audit efficiency through risk-based audit planning, execution, and reporting
Strengthened visibility into enterprise-wide risks and compliance
Enabled continuous monitoring of compliance and key risks
Though the bank previously had an inventory of risks and controls, they didn’t have well-defined workflows for operational risk management (ORM). That has changed with the MetricStream solution. Today, the bank can integrate and align their operational risks, while also following a streamlined, consistent process to identify and mitigate these risks.
The solution supports a common risk taxonomy, as well as standardized processes for control testing, risk monitoring, mitigation, and reporting. The result is a strong risk culture characterized by improved transparency and accountability for risk across the three lines of defense.
Earlier, the bank’s compliance function would simply identify the different areas of compliance, leaving the business units to self-attest to their level of compliance. Today, with the MetricStream solution, the bank performs a more comprehensive and objective compliance assessment to measure the level of compliance.
The solution allows the bank to map areas of compliance to risks and controls, so that they can effectively understand and manage their compliance universe. It also supports compliance test planning and execution.
While the bank previously had an existing inventory of compliance policies, the MetricStream solution has enabled these policies to be systematically and consistently managed across business units and divisions. The solution’s integrated data model makes it easy for compliance teams to understand the impact of regulations on policies, while also mapping them to the associated risks and controls, so that the bank can then take steps to be audit-ready.
The MetricStream solution enables the bank to create a risk-based annual audit plan that accommodates different audits across the organization. Audits can be scheduled periodically or on an ad-hoc basis for internal departments, processes, and projects.
Based on the master audit plan, the scheduler can select a team of auditors, and assign the audit responsibility with a due date. Auditors, in turn, can define checklists, track tasks, record findings and observations, and confirm the audit assignment as well as the completion of the audit. Thereafter, audit reports can be created and presented to the audit committee and the board.
With the solution’s centralized issue and action tracking capability, the bank spends less time remediating issues and planning actions.