Learn how MetricStream’s third-party management (TPM) solution gave the company a comprehensive framework to manage risks from the extended enterprise, ranging from fraud and data security risks to business continuity, bribery, and corruption risks.
As one of the world’s largest payment technology providers with links to merchants, customers, and banks across geographies, the company has a highly complex operational ecosystem. Not only do they have to collaborate with traditional third-party agents like retailers, franchises, and banks, but they also have to deal with a rapidly growing digital ecosystem of data storage owners, processors, digital wallet operators, payment facilitators, and others. Meanwhile, many third-party agents, including banks, come with their own merchants and vendors (fourth parties).
To keep this entire ecosystem running smoothly, the company needs to have comprehensive controls in place, as well as a holistic view of risks – be it data privacy risks, geopolitical risks, or regulatory risks. Data fraud is a particularly important concern that has pushed the company to find more effective ways of identifying and responding to the risks in the extended enterprise.
Why Traditional Approaches Failed to Work: For years, the company’s third- and fourth-party risk management processes were manual and informal. Each vendor was subject to multiple types of risk assessments from various risk stakeholders looking to evaluate internal and external fraud, information security, compliance with the Payment Card Industry Data Security Standard (PCI DSS), business continuity, data governance and privacy, anti-bribery and anti-corruption, anti-money laundering (AML), and sanctions violations.
A single vendor assessment usually took about 45 to 60 days. That, in turn, delayed risk reporting, and left the organization vulnerable to a range of issues with significant financial and reputational impact. Overall, there were more than 300,000 parties in the extended enterprise that needed to be assessed. However, in the absence of a well-defined risk management strategy, these assessments became increasingly challenging and time-consuming. Many of them were managed through emails, making it nearly impossible for the company to track responses, collate data, and generate risk insights.
In other words, it was simply not sustainable to continue using manual tools and processes. That led the company to approach MetricStream for an automated solution to help them enhance the way they identified, assessed, and monitored their third- and fourth-party risks.
Improved Third-Party Data Consolidation and Consistency: MetricStream’s solution for third-party management has helped the company establish a comprehensive risk assessment framework for the extended enterprise. It integrates with the company’s home-grown systems to gather information on existing and new third and fourth parties, including corporates, service providers, merchants, and other institutions. All this data is maintained in a single, comprehensive repository that can be accessed by various risk stakeholders. The approach has helped improve data consistency, while reducing redundancies.
Enhanced Agility and Risk-Based Decision-Making: The solution enables the company to automatically segment vendors based on critical parameters such as service type, volume of transactions, access to personally identifiable information (PII), and exposure to fraud and money laundering. Each entity is then categorized based on the level of risk exposure and impact. In this way, about 75% of third and fourth parties have been categorized as “low maintenance,” 10% - 20% as “moderate maintenance,” and 1% - 3% as “high maintenance.” Based on this hierarchy, the company can efficiently prioritize their risk assessments, and make informed decisions about their extended enterprise.
Simpler Risk Assessments and Monitoring: From the results of the segmentation process, the company can define the appropriate level of due diligence, as well as the type of risk assessment required for each third party. For low-risk third parties, the solution helps in monitoring negative news and regulatory issues associated with these firms. It also tracks whether risk levels are moving from low to medium.
For medium and high-risk third parties, the solution triggers risk assessments, and helps determine if appropriate controls have been established. For those third parties that can have a catastrophic impact on the organization, the solution enables both risk assessments and onsite audits. Using iPads, assessors can verify and validate the claims made by the third party at the time of the assessment.
Through the solution, the company can efficiently evaluate multiple third- and fourth-party risks, ranging from fraud and data security related risks to business continuity and bribery/corruption risks.
Automated alerts and notifications help the company communicate with and track responses from all entities across the extended enterprise. Meanwhile, an intuitive interface gives third parties access to their assessments and helps ensure a quicker response time.
More Timely Risk Insights: Based on the assessment findings, the solution generates reports that provide deep insights into the risk exposure of the extended enterprise. In-built risk heat maps help in categorizing vendors according to their risk likelihood and impact. With this data, the company can take quick, appropriate mitigation action. They can also keep various stakeholders informed about the status of third-party risk profiles, while escalating relevant cases.