The Client: A Leading Provider of Financial Guarantee Insurance Solutions and Services.



Financial guarantee insurers play a key role in reducing the credit risks that debt issuers encounter. Yet by acting as guarantors, these insurers face considerable risks themselves - be it credit risk, operational risk, or financial statement risk. It is crucial to the health and reputation of these firms to implement effective risk assessment and mitigation strategies, and to ensure that strategic decisions are informed by risk at every step.

As a mid-market but fast-growing financial guarantee insurer, the client wanted to scale up the breadth and depth of their risk management processes. The organization was also keen to strengthen SOX compliance monitoring, and integrate it with risk management.

To achieve these objectives, the client needed to implement a centralized framework for enterprise risk management and SOX compliance. They also had to automate risk and compliance processes, improve visibility into risks and controls at the enterprise level, and leverage advanced analytics to better anticipate and respond to emerging risks.

MetricStream has enabled them to meet these objectives through an integrated risk and compliance management solution, built on a common GRC platform, and supported by powerful risk reporting and analysis capabilities. These tools have given the client a robust framework to perform risk assessments, enhance SOX compliance, and track all risk-related issues across strategic, financial, and operational risk categories. The client has also been able to build a culture of risk awareness that permeates throughout the enterprise. The fact that the solutions could be deployed over MetricStream GRC Cloud has enabled the client to realize faster time-to-value at optimal costs.


After evaluating multiple vendors, the client decided that MetricStream would be best suited to meet their requirements for a comprehensive, integrated, and agile risk and SOX compliance management solution. Implemented on a common GRC platform, the solution extends across the client’s enterprise, consolidating all enterprise risk and SOX compliance data in a centralized framework for enhanced information-sharing and top-level risk visibility. The solution has also streamlined risk and SOX compliance processes, introducing a greater level of efficiency.

The capabilities of the MetricStream solution are described in greater detail below:

Enterprise Risk Management (ERM)
The MetricStream solution enables the client to manage a wide range of risk-related activities, from risk identification and documentation to risk-control self-assessments (RCSAs), risk mitigation, monitoring, and reporting, all in a single system. It also helps map all risks and controls to the associated processes, assets, and entities for complete transparency and accountability.

When it comes to RCSAs, the solution supports multi-dimensional risk assessments based on various qualitative and quantitative factors. It also enables inherent and residual risk scoring. These assessments and computations are driven by configurable methodologies and algorithms, and provide a comprehensive picture of risk impact and likelihood across the client’s enterprise.

All risks, controls, assessments, results, key risk indicators, issues, and other risk related data are brought together in a common repository for easy tracking and information-sharing.

Risk Reporting and Analytics
The MetricStream solution automatically consolidates risk assessment data from across departments, business units, and locations, and rolls it up to the top-level management teams, providing a comprehensive and in-depth picture of enterprise-wide risk profiles. This visibility enables stakeholders to make well-informed decisions on how to best respond to risk across various areas.

A range of powerful dashboards, heat maps, charts, and reports deliver quick and real-time insights into risk and control information, and provide drill-down capabilities to access data at finer levels of detail. The solution also helps the risk management team track the status and progress of risk assessment and mitigation processes at various levels of the organization, so that they can identify areas of concern.

In the near future, the client will be implementing MetricStream capabilities for scenario analysis and R analytics. These tools will help them automatically consolidate massive volumes of data from across the enterprise, model various risk scenarios, and glean risk insights, patterns, and trends to better anticipate and respond to risks.

SOX Compliance
The MetricStream solution enables the client to create and document internal controls, while also automating control testing. A comprehensive repository maintains all control and compliance information, so that the client can quickly and easily provide evidence to regulators and external auditors that a control was satisfactorily tested.

Using the solution, the client has implemented a systematic and closed-loop approach to SOX compliance surveys and certifications. All control assessment information is automatically rolled up to the top management for review and certification. Meanwhile, the compliance team can track the status of SOX compliance processes, as well as compliance issues and plans, all in real time and at any level of detail.

Issue Management
Any risk or SOX compliance related issues are automatically routed by the solution through a streamlined cycle of investigation, root cause analysis, and documentation. At every stage, the risk and compliance teams can track the status of the issue and progress of the remediation plan. Automatic alerts keep the process on track, and help ensure that the right people are addressing the issue in a timely manner.


Before upgrading their risk and compliance systems, the client faced the following challenges:

  • Insufficient collaboration on risk management activities: Effective coordination and communication on risk related processes are essential to avoiding redundancies, and minimizing issues and losses. Yet the client had multiple teams assessing and managing their risks and controls in separate silos. There was no common system to support collaboration and information sharing.
  • Manual inefficiencies: The client used paper-based tools and spreadsheets to document, assess, and report their risks. As a result, they ended up spending a lot of time filling in forms and reports, rather than analyzing and pre-empting risks. This was neither efficient nor sustainable.
  • High costs of SOX compliance monitoring: As the organization grew, it became more difficult to monitor and test SOX compliance controls using manual tools and processes. Compliance surveys and certifications were physically distributed, gathered, and consolidated -- an approach that was tedious and resource-intensive.
  • Lack of top-level visibility into risks and compliance: The client did not have a centralized system to track the full range of risks and issues in real time. Neither did they have a way to monitor the status and progress of SOX compliance programs at the enterprise level. This made it challenging for them to identify and resolve risk and compliance concerns in a timely manner.

Why MetricStream Was Selected

MetricStream solutions have been successfully used by leading mid-sized financial services institutions to manage multiple GRC programs

MetricStream offers the flexibility of deploying its solutions over MetricStream GRC Cloud - a state-of-the-art virtualized environment that is secure, scalable, and enables quick solution deployment

The MetricStream solution provides a rich range of advanced capabilities to drive optimal value from risk management and compliance activities

The MetricStream platform is extensible -- the client can add on MetricStream solutions for other GRC activities such as regulatory examination management, internal audits, and operational risk management.



  • Facilitates an enterprise-wide culture of risk awareness
    The MetricStream solution is used by 54 employees, i.e., over 80% of the client organization. It has helped the client embed risk assessment and mitigation practices across business activities at almost every level of the organization. This approach has positioned the client to create an increasingly better governed and risk-aware enterprise.
  • Improves visibility into risk and SOX compliance management
    The MetricStream solution is built on a scalable GRC platform that provides a common point of reference to manage and track the full range of risk related activities as well as SOX compliance. Graphical dashboards, reports, charts, and heat maps enable in-depth and real-time tracking of risk processes.
  • Standardizes risk processes and nomenclature
    While the client already had a comprehensive risk library, the MetricStream solution has enabled them to centralize and standardize the risk and control language across the enterprise. All risk data is integrated in a single repository that can be accessed from anywhere across the enterprise through a web-based interface.
  • Strengthens SOX compliance, reduces associated costs
    The MetricStream solution has introduced a new level of order and consistency in SOX compliance processes across the enterprise, minimizing redundancies. The solution has also automated SOX control testing, reducing compliance costs.


