The client evaluated multiple enterprise risk management solution providers, and ultimately selected MetricStream. Their choice was largely determined by the MetricStream Enterprise Risk Management Solution’s ability to automate and integrate risk analysis, as well as its flexibility to be configured to the client’s unique risk requirements.
Since its implementation, the MetricStream solution has significantly improved the efficiency and effectiveness of the client’s risk assessments, while also providing real-time visibility into risks, and enabling risk metrics to be defined and tracked against set thresholds. The solution is leveraged by core risk managers to assess risks across different entities and operating divisions on an annual basis. It simultaneously enables the core risk group to conduct fraud and project risk assessments. Any issues that arise are routed through a systematic process of investigation and remediation in the solution.
Below are the key capabilities of the solution that are supporting the client:
Central Risk Library
The solution enables the client to develop and maintain a logical and well-organized structure of their risk hierarchy in a central risk library. Here, key risks are mapped to the associated strategic objectives, as well as controls, processes, projects, operational divisions, and entities. All required details such as risk description and ownership are defined, while multiple levels of risk categorization and sub-categorization are supported. Fraud risks such as bribery or asset misappropriation are also consolidated in a central fraud universe for easy reference. This integrated framework enhances risk transparency and accountability. It also helps maintain a consistent risk taxonomy across the organization.
Risk Assessments and Scoring
The solution supports multiple types of risk assessments at the client organization, including entity-level risk assessments, operational division risk assessments, process risk assessments, project risk assessments, and fraud risk assessments. The entire assessment workflow is streamlined, from defining assessment plans and schedules, to performing the actual evaluation, recording findings and exceptions, and routing the data for reviews and approvals. This systematic approach minimizes redundancies, and helps ensure consistency in risk assessments at various levels of the enterprise.
The solution is used to assess, rate, and score both inherent and residual risks based on various qualitative and quantitative factors. The main measurement criteria, risk impact and vulnerability (likelihood), are each linked to multiple attributes to provide a more comprehensive understanding of risk. For instance, the risk impact category “compliance” is linked to fines, penalties, and lawsuits. Meanwhile, for fraud risk assessments, the solution provides the flexibility to support a different set of impact and vulnerability criteria.
Once the risks are scored and rated, the solution enables users to assess the associated controls based on their design and operating effectiveness. The controls are evaluated in a systematic manner, using configurable algorithms.
Advanced heat maps, including a fraud scenario heat map, deliver a bird’s-eye view of the top risk and control metrics, enabling the client to determine the appropriate response, be it to accept, mitigate, transfer, or ignore the risk.
Through the MetricStream solution, the client can create KRIs and tag them to the associated risks, along with clearly defined thresholds. If a threshold is breached, the solution automatically alerts the relevant personnel. It also provides the ability to measure the performance of key risk metrics.
All issues that arise during a risk assessment are routed through the MetricStream solution for investigation, action planning, and remediation. Issues can be prioritized based on impact, likelihood, or type. In addition, a unique reference number attached to each issue makes it easy for the client to monitor the status of the issue as it moves from one stage to the next. Automatic alerts keep the process on track, and help ensure that the issue is addressed in a timely manner.
Powerful dashboards, reports, and charts offer the client an integrated and in-depth view of risk at multiple levels of the organization. These reports are automatically populated with data, enabling the client to quickly access the required risk intelligence. Stakeholders can view KRI reports, a list of risks by criticality, risk summary reports, risk score trend dashboards, and more to get a clear understanding of the organization’s risk profile. They can also drill down to view the data at finer levels of detail.