Case Study

Leading Financial Services Company Strengthens Compliance with OCC’s Vendor Risk Management Guidelines

The Client: A publicly-traded financial services company serving retail investors through multiple branches across North America



The client needed a vendor risk management system that would enable and support compliance with OCC guidelines. MetricStream’s solution was the ideal fit as it offered the flexibility to assess vendor risks based on a “3-pillar” approach which had been validated by the OCC. The solution also streamlined and automated vendor risk management processes, as well as vendor due diligence, information management, issue management, and reporting.


The client drew up a comprehensive plan for Vendor Risk Management (VRM) which was then ratified with the OCC. To effectively implement the plan, the client needed a robust VRM solution. After an evaluation of multiple solution providers, MetricStream was selected due to their integrated approach to VRM, as well as their ability to facilitate compliance with the OCC guidelines. 

The MetricStream solution was deployed over MetricStream’s highly secure, private GRC Cloud. Today, the cloud-based solution is helping the client consistently identify, evaluate, track, and report risks across more than 200 vendors. Built on a centralized and scalable platform, the solution provides a single point of reference to manage vendor risks, maintain vendor information, conduct due diligence, remediate issues, and generate reports for analysis and decision-making. The solution has also automated vendor governance and risk management workflows for optimal efficiency. 

Below are the specific capabilities of the solution that are helping the client:

A common vendor database 
The MetricStream solution provides a central, Web-based repository to document and maintain information on all the client’s 200+ vendors. Authorized users from anywhere across the enterprise can log into the solution at any time, and view or search the vendor data. Pre-configured data upload templates have simplified the process of gathering vendor information, and feeding it into the solution. 

Central risk library
The solution maintains a centralized library of all vendor risks, including business continuity risks, contract risks, country risks, credit risks, customer complaints risks, IT risks, information security risks, insurance risks, and performance quality compliance risks. Each vendor is mapped to its associated risks, so that at a glance the client can immediately understand the vendor’s risk profile, including risk severity and impact, consequences, risk score, mitigation plan, and associated issues.

Vendor selection and due diligence
Every time a new vendor is required, the MetricStream solution streamlines the process of vendor selection and due diligence. It also helps users decide which due diligence process and which risks apply to which vendors. Robust survey management tools and templates make it easy for users to create and send out surveys to internal business teams, assessing the need for a new vendor. Another set of surveys and checklists is sent to the vendor to evaluate their risks. Based on their responses, a risk score is assigned to the vendor. All risk assessments and computations are automated through the solution’s configurable algorithms, which calculate vendor risk impact, likelihood, and other factors.

Ongoing vendor risk assessments
All existing vendors listed in the MetricStream solution are classified based on their “criticality” to the client organization. The most critical vendors are automatically prioritized for periodic risk assessments. In compliance with OCC guidelines, the solution facilitates vendor risk assessments based on three broad pillars: (1) the vendor’s financial condition, (2) the strength of the vendor’s control environment, and (3) the quality of the vendor’s service and support. All vendor risk assessments and risk reports are built around these pillars to help ensure compliance with the OCC guidelines.

Issue Management
After a risk assessment is completed, any issues identified are routed for investigation, root cause analysis, and corrective action. Intuitive tabs in the MetricStream solution make it easy to log a risk issue, create an action plan, and track its implementation by the vendor. The solution enables a systematic, closed-loop approach to the entire issue management process to help ensure that nothing slips through the cracks, and that the risk issue is mitigated in a timely manner. 

Vendor risk reporting
A powerful reporting engine in the MetricStream solution automatically consolidates risk data from across the vendor network, and populates risk reports, helping the client analyze and compare vendor risks and issues at the enterprise level. Drill-down capabilities provide access to data at finer levels of detail. Additional tools such as risk heat maps, executive dashboards, and risk analytics further strengthen reporting. Users get all the data they need at their fingertips to proactively track vendor risk metrics, analyze trends, and make informed decisions. The solution also gives vendors access to track their risk reports and associated metrics.


In October 2013, the Office of the Comptroller of the Currency (OCC) issued a series of guidelines around risk management and oversight of third-party relationships. The regulatory body called for all banks and financial services companies to implement an effective third-party risk management process with appropriate measures for due diligence and third-party selection, contract negotiation, ongoing monitoring, documentation, reporting, and other phases.

To ensure compliance with these guidelines, the client chose to enhance their vendor governance and risk assessment processes. Yet the scale of this endeavor was substantial, given that there were over 200 different vendors ranging from service providers and outside counsel to courier services, consultants, strategic outsourced partners, and external auditors. Each of these vendors came with different risks, be it business continuity risk, credit risk, information security risk, or country risk. The client had to understand which risks were relevant to which vendor, and then assess and monitor these risks on a regular basis to ensure that they didn’t spiral out of control.

Legacy systems at the client organization were not sufficiently equipped to meet these requirements. Often, the client had to assess vendor risks manually, an approach that was neither efficient nor cost-effective. Faced with these limitations, the client began to look for a new solution that would strengthen vendor governance and risk management in compliance with the OCC guidelines.

Why MetricStream?

The client chose MetricStream for the following reasons:

  • MetricStream’s integrated solution can be used to manage all vendor governance and risk management requirements in one cohesive framework
  • The same underlying platform can be extended in the future to manage other related processes such as vendor compliance and vendor audits
  • The solution can be implemented in line with OCC guidelines
  • MetricStream solutions are being used in some of the largest and most reputed financial services organizations in the world


  • A single system to manage risks across the entire vendor network
    The MetricStream VRM solution is used by up to 300 users across the enterprise to manage the risks associated with more than 200 vendors. The solution provides a “one-stop-shop” to not only assess vendor risks, but also manage vendor information, conduct due diligence, remediate issues, and manage risk reporting. Users can access all the vendor data they need in one place, instead of sifting through multiple documents or emails.
  • Greater consistency in risk information
    The solution has helped standardize vendor risk data across the client’s departments and functions. This has made it easy for users to compare, consolidate, and analyze data.
  • Compliance with OCC guidelines
    Through the solution’s “3-pillar” approach to risk assessments, the client can successfully assess, manage, mitigate, and report vendor risks in compliance with OCC guidelines.
  • Improved risk management efficiency
    Since all risk assessments, due diligence, and issue management workflows have been streamlined and automated, the client has saved significant time and effort. They now have the freedom to focus on more important tasks such as vendor risk analysis.
  • Faster time to value, lower total cost of ownership
    The solution was deployed over MetricStream’s GRC Cloud, a highly secure, private cloud environment, which helped the client start using the solution quickly and lower IT maintenance costs.
