A Major Energy Company Embraces a Holistic, Strategic Approach to Risk Management
The customer is one of the largest energy companies in the United States. It is home to a diverse mix of businesses that generate, supply and manage energy products and services for a broad spectrum of customers nationwide.
The Client: A Major Energy Company
Risks are not new to the energy industry. Most companies have strategies in place to cope with cyber-attacks, natural disasters, downgrades in credit ratings and other risks. However, recent events, such as the financial crisis, have called into question the adequacy and effectiveness of these strategies. Risks are only becoming more complex and interdependent. At the same time, networks are expanding, making it more difficult to manage enterprise-wide risks. Added pressure comes in the form of intense regulatory scrutiny, as well as the demand for renewable energy sources.
In light of such developments, the energy company’s goal was to foster a culture of proactive risk management across its employees and contractors. The company also wanted to make risk assessments an integral part of management decision-making.
The key to achieving this goal was an integrated risk and control management framework. It would help break down individual silos, establish common risk management processes, and improve visibility and transparency into these processes. At the same time, it would allow business and functional areas to independently manage and monitor their own risks and controls. However, this goal was hindered by a number of organizational challenges, described below.
To achieve its goal of an integrated risk management model, the company drew up an extensive business plan beginning with the creation of a governance structure. This structure was to be based on a top-down and bottom-up approach to risk management. At the top, a risk committee would set the tone, and at the bottom, employees would be educated and motivated to assess and mitigate risks. Information would seamlessly flow up and down this channel, enabling the creation of a strong risk culture.
Roles and responsibilities were identified for various stakeholders in the new risk management model. For instance, the Board of Directors would identify the risk appetite, while the business units would populate the risk register with regular risk and control self-assessments.
The foundation of this new risk management model would be an integrated GRC system. The system had to enable enterprise-wide collaboration, eliminate redundancies and improve transparency into risk management processes.
After considering several solution vendors, the company selected MetricStream. The selection was based on MetricStream’s advanced single platform approach to risk management, as well as its successful track record in the energy industry. MetricStream also impressed with the flexibility of its platform to scale up to address future GRC requirements.
For the purpose of this study, Enterprise Risk Management will be the focus.
Enterprise Risk Management
The MetricStream Enterprise Risk Management Solution helps the company identify, assess, quantify, monitor and manage its enterprise risks in an integrated manner. The solution is built on a single web-based platform that extends across the company’s departments, units, suppliers, branches and locations. It consolidates risks and controls, identifying concentrations and interdependencies. As a result, the company is able to streamline risk management workflows and establish a closed-loop risk management process across the enterprise.
The MetricStream solution also integrates enterprise-wide risk assessments, the results of which can be leveraged by multiple business units and functions, including the Risk, SOX, Corporate, Audit, Environmental, IT and Business Continuity departments. This collaborative pattern of functioning helps the company break down operational silos and eliminate redundancies.
The solution also enables risk and control assignments to be independently managed downstream, while simultaneously rolling information back upstream to provide enterprise-wide visibility for managers. Both top-down and bottom-up risk identification and management are supported. Thus, while risk identification may occur in any area, each identified risk is automatically mapped back to the business process it affects.
Issues that arise during risk or control tracking are automatically routed to an issue management module. Here, a systematic mechanism of investigation and remediation is set off by the underlying workflow and collaboration engine. Simultaneously, automatic alerts and notifications are sent to the appropriate personnel for investigation and remedial action.
Central risk repository
MetricStream provides a centralized library and framework to collate all risks, controls, key risk indicators, key performance indicators, regulations, policies and other vital information. A common risk register brings together all risk management data including risk description, severity, impact, consequences, risk ratings, mitigation plans and related emerging issues.
Data is made available to all of the company’s business functions, and can be shared or aggregated to enable more informed decision making. Communication is improved, while risk vocabularies and evaluation criteria are standardized.
MetricStream’s information repository is equipped with an easy archival and search capability which enables users to quickly check whether a risk-related issue was resolved, or whether a specific control was tested. This way, process repetition can be avoided, and data consistency maintained across the enterprise.
Risk Control Self-Assessments (RCSA)
The MetricStream solution supports a repeatable RCSA process in which each business unit identifies the risks impacting its processes and assigns probability and impact estimates to them. The risk assessments are based on configurable methodologies and algorithms which provide an in-depth view of the organization’s risk profile, enabling managers to prioritize their risk mitigation plans for optimal returns.
Once risk self-assessments are completed, the MetricStream solution aggregates the risk data for control effectiveness monitoring and management reporting. At every stage, risks are linked with the appropriate mitigating controls, processes and policies. This simplifies information sharing and enables risk managers to monitor controls more effectively. Controls are defined and assessed against predefined criteria and checklists which support the scoring, tabulating and reporting of results.
With the MetricStream solution, the energy company can track risk metrics, loss events and near misses, along with their root causes, owners and remediation plans. The company can also monitor risk thresholds through Key Risk Indicators (KRIs), which trigger automatic notifications whenever a threshold is breached. Executive dashboards provide further visibility into the risk analysis, highlighting the severity and likelihood of risks along with their current positioning.
The MetricStream solution categorizes risks on various levels and presents them through detailed risk heat maps which can be accessed globally. These heat maps and related graphical charts display real-time information, and can be drilled down to view the data at finer levels of detail.
Operational risks, corporate risks and other high level risks are highlighted depending on their impact on various functions and processes. This data then rolls up to the centralized core library and can be used to create standard as well as customized reports for risk management activities across the enterprise.
The reports offer risk metrics broken down by a variety of parameters, such as process, business unit or status. They also offer regular trend analyses which enable risk managers to stay updated on the progress of risk management programs. Automated alerts, provided for exceptions and failures, eliminate unpredictable events and stabilize risk management processes.
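As an added illustration, not MetricStream’s code and not taken from the case study, the following Python model shows the RCSA roll-up described above: business units rate each risk on a common probability and impact scale, scores roll up into an enterprise view per unit, risks lacking a linked control or rated high are flagged for a mitigation plan, and KRIs that exceed their thresholds surface for notification. The 1-5 scale, the band thresholds, the KRI names and the sample register are all assumptions.

```python
from dataclasses import dataclass, field

# Unified 1-5 rating scale for probability and impact and the heat-map bands are
# assumptions; the case study does not state the company's actual scale.
SCALE = range(1, 6)

@dataclass
class Risk:
    rid: str
    unit: str                       # business unit that self-assessed the risk
    probability: int                # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)  # linked mitigating controls

    def score(self) -> int:
        """Probability x impact on the common scale; off-scale ratings are rejected."""
        if self.probability not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.rid}: ratings must be on the 1-5 scale")
        return self.probability * self.impact

def rating(score: int) -> str:
    """Bucket a score into a heat-map band."""
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

def rollup_by_unit(register):
    """Enterprise roll-up: the band of the worst risk self-assessed in each unit."""
    worst = {}
    for r in register:
        worst[r.unit] = max(worst.get(r.unit, 0), r.score())
    return {unit: rating(s) for unit, s in worst.items()}

def needs_mitigation_plan(register):
    """Risks that are rated high or have no mitigating control linked to them."""
    return [r.rid for r in register if rating(r.score()) == "high" or not r.controls]

def kri_breaches(kri_values, thresholds):
    """KRIs whose current value exceeds its threshold, i.e. those that would alert."""
    return sorted(k for k, v in kri_values.items() if v > thresholds[k])

# Constructed sample data, not from the case study
REGISTER = [
    Risk("R1", "Generation", 4, 5, ["Redundant fuel supply"]),
    Risk("R2", "Trading", 2, 4),
    Risk("R3", "IT", 3, 3, ["Monthly patch cycle"]),
    Risk("R4", "IT", 2, 5, ["Role-based access", "MFA"]),
]
KRI_THRESHOLDS = {"unpatched_critical_systems": 10, "days_since_dr_test": 180}
KRI_VALUES = {"unpatched_critical_systems": 12, "days_since_dr_test": 90}
```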
Why the company selected MetricStream
MetricStream’s solution provides a unified approach and an integrated solution to meet strategic objectives, as well as risk and compliance requirements.
MetricStream Solution provides a centralized library to hold policies, certifications, risk and control assessments and all other documentation for easy review and reference.
MetricStream Solution demonstrated the ability to handle the company’s specific requirements for an ERM framework, risk terminology, consistency, ranking methodology and more.
MetricStream Solution ensures the security of electronic records, and provides time-stamped audit trails, role-based access controls, electronic signatures and password management.
MetricStream has the ability to support large leading organizations and meet their IT requirements in the areas of integration, configurability, scalability and security.
MetricStream offers a broad set of solutions on a Web-based platform with capabilities to map its offering to all governance, risk, compliance, and quality processes within the company.
Organizational challenges
Multiple risk and control terminologies: Each department in the company had its own risk and control terminologies. There were no common risk standards, definitions and risk rating methodologies. In addition, risks were classified based on business units rather than corporate impact. This resulted in inconsistent risk evaluation, as well as data discrepancies. Moreover, it was difficult for management to gain a clear understanding of the impact of risks and controls, as well as the status of risk mitigation across the enterprise.
Redundant risk management activities: The company employed multiple independent systems to manage its risks. Enterprise risks were managed on one system, SOX risks and controls on another, and SOX control testing on a third. The lack of collaboration between these systems resulted in the duplication of controls and risk mitigation activities which, in turn, increased costs.
Manual inefficiencies: The company used multiple complex spreadsheets, email channels and content management sites to record its assessments of risks and controls. The task of manually entering details and updates on these systems proved laborious and time-consuming. In addition, the process was vulnerable to errors and subsequent data discrepancies.
Insufficient visibility into reports: The lack of a unified reporting system resulted in the production of multiple risk management reports from each business unit. Consolidating these reports into actionable strategy at the enterprise level was both complex and time-consuming. It required merging large sets of data at various levels of granularity to provide value-added information. Gaining quick access to the desired reports in the desired format was often not possible.
Change management threat: As the company migrated to an integrated risk management model, the threat of disruptions to business stability and sustainability was ever-present. Information could be lost, processes slowed down, and procedural or human errors incurred. What was required was collaboration and coordination across departments, units and organizations. This was possible only through a centralized technology framework.
Elimination of redundant systems and activities:
With MetricStream’s centralized platform, the energy company has eliminated five redundant risk systems, over 300 complex spreadsheets, and over 10 content management sites. As a result, costs and resources have been saved.
Mitigated threat of silos:
Across business units, MetricStream has streamlined risk and compliance workflows including SOX 404 testing, risk management, legal regulatory compliance, NERC compliance, Enterprise Risk Management, disaster recovery, corporate audits and IT infrastructure. Training process efficiencies have also been improved by tracking training statuses through the common GRC system rather than through separate initiatives.
Unification of risks:
The MetricStream solution has helped the company establish a unified rating scale to measure the probability and severity of risks across the enterprise. This enables managers to prioritize risks more sharply, and determine which ones need more concentrated mitigation plans, as well as regular monitoring.
Standardized risk-control self-assessments:
MetricStream Solution enables the company to create a common risk vocabulary and evaluation criteria. As a result, risk-control assessments and monitoring can be standardized and streamlined across business units. In turn, the evaluation and reporting of risks can be improved. Managers can confidently decide whether to enhance controls or accept risk levels as they are.
Seamless collaboration and information sharing:
The MetricStream solution breaks down organizational barriers by providing a single point of reference to share information and coordinate risk management processes. The centralized information repository enables policies, risk and control assessments and other critical information to be accessed quickly and safely. It also establishes a single version of the facts which, in turn, improves transparency and helps embed a strong risk culture across the enterprise. Moreover, it equips management with the right information to make deliberate strategic decisions at any time.
The MetricStream ERM Solution has enabled the company to automate end-to-end workflows such as risk identification, monitoring and issue remediation. As a result, the need for manual, paper-based processes has been eliminated, and the time and effort required for various risk-related activities have been reduced. The risk of manual errors has also been minimized.