The Client: Global Investment Management
In today’s uncertain and highly regulated economic environment, investment management firms are under a lot of pressure to demonstrate stronger risk and audit management practices. Regulators are looking to see if firms have an effective risk governance framework in place, with well-defined processes for the three lines of defense, i.e., the business, the risk management function, and internal audit.
The client organization was committed to effective risk management and auditing - yet they were limited by cumbersome spreadsheets and manual processes. Employees inevitably spent a substantial amount of time filling in spreadsheets with details of risk assessments, audits, or issues. This often delayed reporting, and made it difficult to track risks, audits, and other metrics in a timely manner.
MetricStream enabled the client to introduce a high degree of automation and consistency, accelerating risk and audit processes, and helping stakeholders make decisions faster and with greater accuracy. MetricStream also improved process transparency by integrating the people, processes, and technology involved in risk and audit management into one common framework. The MetricStream solution, which is used by 20 people across the enterprise, was deployed over the MetricStream GRC Cloud, helping the client realize faster time-to-value without compromising on security and reliability.
The risk and audit teams use separate MetricStream applications integrated in a common solution. The risk team uses the solution to systematically assess the inherent risks in the enterprise, implement controls, measure residual risk, and monitor risk activities. Meanwhile, the audit team leverages the solution to plan and schedule audits on business processes, define and manage auditor timesheets, record audit findings, manage audit recommendations, generate audit reports, and track and remediate audit issues.
The MetricStream solution has helped the client streamline and automate their risk and audit management processes for greater efficiency and time-savings. Built on a scalable GRC platform, the solution extends across organizational siloes, providing a single, centralized framework to manage risk and audit activities, processes, and data.
Although the risk and audit teams have separate applications for their processes and requirements, these applications are integrated on a common platform, so that visibility at the enterprise level is not compromised - stakeholders can track the organization’s risk profile and audit activities in real time from one system.
The MetricStream solution provides the following capabilities:
Enterprise Risk Management (ERM)
Through the solution, the client has enabled a streamlined and integrated approach to the entire process of identifying, assessing, managing, mitigating, monitoring, and reporting enterprise risks. The solution helps manage 100+ enterprise risks ranging from market, liquidity, and capital risk, to operational and reputation risk, to third-party risk.
Through the solution, risk managers have built a centralized risk library that consolidates all risk data, including risk description, severity and impact, consequences, and mitigation plans. Each risk is mapped to the associated processes, categories, scenarios, assets, and entities for complete transparency.
The solution also supports risk assessment planning, scheduling, and execution, as well as review and approval of findings. Users can conduct either periodic or ad hoc risk assessments, and trigger automated updates for risk owners, assessors, and approvers.
Risk managers use the solution to evaluate the organization’s inherent and residual risks based on multiple qualitative and quantitative factors. All risk assessments are driven by in-built, configurable methodologies and algorithms that help automatically calculate each risk’s likelihood, severity, impact, and other characteristics. Based on this data, users can identify each risk as a threat or opportunity, and trigger the appropriate risk response - be it risk mitigation, acceptance, avoidance, sharing, or ignoring.
Based on the risks identified, the solution enables the client to define the appropriate controls to address those risks. It also supports control assessments based on pre-defined criteria and checklists, and provides a mechanism to score, tabulate, and report the results.
At every stage, powerful risk heat maps, dashboards, and reports provide complete, real-time visibility into the ERM process, enabling risk managers to keep a close watch on the progress of risk management programs, learn lessons, detect changes, and identify emerging risks.
Internal Audit Management
The MetricStream solution enables and supports the process of planning and conducting audits on 69 business processes, ranging from RPS reporting, fee calculations, and investment compliance, to brokerage oversight, asset management, and equity trading. The solution is used to conduct 250-300 audits every year.
Based on the risks in the business processes, the audit team leverages the solution to develop a systematic internal audit plan with detailed checklists, evaluation criteria, and tasks. The solution provides a number of advanced capabilities to strengthen audit planning, including an audit advisor, audit pool manager, budget manager, audit milestone tracker, distribution lists, and shared calendars.
Each audit can be scheduled either periodically or on an ad hoc basis. As soon as an audit is initiated, automatic notifications are sent out to the relevant auditor with the assigned tasks and responsibilities. Auditors can use the solution to record their qualitative and quantitative findings, along with detailed observations and recommendations.
The solution also offers a unique time-sheet management capability that captures the time spent in each internal audit activity. This enables the audit team to better track the progress of each audit, measure it against pre-defined milestones, and accordingly plan and utilize their audit resources.
A unique offline audit briefcase enables auditors to record their findings at sites where there is no network connectivity. They can enter their data as usual on their systems, and later synchronize it with the central audit database when network connectivity is restored.
Any audit issues that arise are routed by the solution through a systematic process of documentation, investigation, and remediation. Each issue can be correlated with past data for quick analysis. In addition, a web-based interface makes it easy to communicate and facilitate teamwork on issue management and exception cases across business departments. Automatic alerts and notifications keep the process on track by reminding the relevant personnel to trigger the required investigations and remedial actions.
Throughout the entire audit and issue management process, the MetricStream solution provides complete visibility into the status of various tasks. Graphical executive dashboards with drill-down capabilities provide audit statistics by a variety of parameters such as audited process, schedule, audit results, and issues identified.
Based on the client’s needs, MetricStream has configured the solution to upload closed legacy audits. Specialized templates have been built to consolidate audit data and integrate it into a central archive. Thus, at the click of a button, the solution can provide users with complete historical and real-time access to all internal audit data and history.
Before implementing the MetricStream solution, the client encountered the following challenges:
Time-consuming risk management processes: Risk managers had to manually sift through numerous spreadsheets to consolidate risk assessment results, prepare reports, and understand the organization’s enterprise risk profile.
Lack of consistency in risk language: The client did not have a uniform library of risk and control terms, concepts, and methodologies. This often resulted in discrepancies, making it difficult to study, analyze, and communicate risk data.
Insufficient visibility into audit activities: There was no way to track audit efforts at the enterprise level in real time. As a result, the audit team was not able to effectively measure the time taken for audit activities, or to identify gaps and areas of concern in a timely manner.
Delays in issue management: All audit issues were managed manually. Since this took a lot of time and effort, it was not easy to track the status of audit issues at an enterprise level.
The client chose MetricStream for the following reasons:
MetricStream has an impressive track record in GRC solution deployments for not only large financial services institutions, but also mid-market firms that are looking for lean solutions with a lower total-cost-of-ownership. The client could manage risk and audit processes on two separate applications, while still integrating data on a common platform for complete top-level visibility.
MetricStream solutions offered the flexibility to meet the client’s unique needs (e.g. uploading closed legacy audits).
The MetricStream platform can be extended to manage other GRC areas such as operational risk management, regulatory compliance, or policy management.
The MetricStream solution could be quickly and cost-effectively deployed over the state-of-the-art MetricStream GRC Cloud.