For years, the company used several systems and manual processes for risk management, compliance, and audits. Each risk group leveraged their own tools and process libraries which were not integrated across the enterprise. The lack of a common taxonomy and risk framework meant that multiple risk management resources with different skill-sets and knowledge had to be appointed to maintain and communicate risk data. This siloed approach resulted in unnecessarily high maintenance costs. Moreover, it complicated the process of collecting and analyzing data for board-level reporting – so much so, that there was often a 2-3 month delay in the data reported.
As a result, the management and other stakeholders didn’t receive the timely risk insights they needed to understand critical risk areas and their impact on business objectives. Without this data, stakeholders found it difficult to make risk-reward optimized decisions. That’s when they turned to MetricStream to enable an integrated approach to governance, risk, and compliance (GRC) which, in turn, would facilitate a more unified and timely view of risks.
MetricStream implemented a holistic GRC solution for the organization’s three lines of defense with capabilities for policy management, case management, audit management, and compliance management. The solution has since enabled teams to develop and use a common risk and control taxonomy linked to regulations, policies, audit programs, and other related metrics. Through this taxonomy, teams can easily identify, collate, and organize risk data, while understanding inherent risk relationships. They have also been able to rationalize controls, reduce testing processes, and enhance data quality.
With the solution’s unified risk assessment capability, the organization has been able to streamline and align risk and control assessments across audit and compliance functions. Users can leverage common risk and control assessment frameworks, methodologies, and classifications to not only improve risk visibility at the enterprise level, but to also provide an individual process-level perspective of risk across the lines of defense.
Unified risk assessments provide a single view of inherent and residual risk exposure at various levels of the organization.
Increased risk and compliance visibility and accountability; greater leadership- and board-level confidence in the organization’s risk management abilities
Improved risk management maturity and capabilities in the first line of defense
Better visibility into risks and issues throughout the enterprise
A more adaptable, effective, and agile approach to data governance
Instead of managing risk issues and incidents in silos, the company can now integrate them on a unified platform. Stakeholders have also been able to define a common methodology for issue management across business functions, groups, and locations. The result? Fewer redundancies and inconsistencies as well as effective mitigation planning.
The three lines of defense now work together to define and approve the issue management process – including process standards, issue definition, classification, severity level, and reporting processes. This collaborative approach enables consolidated reporting to the management team who can then respond to critical issues proactively and effectively.
The solution enables the organization to streamline the creation, communication, review, and approval of policies across functions. It stores policies and procedures centrally, while mapping them to regulations, risks, controls, and processes. This integrated framework makes it easy for the company to identify the impact of regulatory changes on policies, while highlighting potential risks and gaps.
The solution also enables the company to manage a wide range of compliance requirements in an integrated manner. Users can efficiently perform control assessments, and identify high-risk areas as well as non-compliance incidents for remediation.
Through the solution, the company has enabled a systematic, structured approach to audit processes and activities, including risk-based audit planning and scheduling, fieldwork, workpaper management, issue management, and reporting. Auditors can prioritize their tasks and resources based on the areas of highest risk. They can also gain real-time insights into audit findings.
Powerful dashboards and reports enable the teams to conduct a “so-what” analysis for deep risk insights that can then be sliced and diced from different perspectives, and reported to the risk committee.
The integrated solution gives first-line users high-quality risk data and reporting mechanisms to perform their day-to-day activities effectively. It has empowered them to easily manage and report an issue, incident, or risk, while taking timely and appropriate mitigating action which can then be reviewed by the second line. Essentially, the solution and its workflows connect all the lines of defense, thereby simplifying and accelerating the flow of risk information for quick analysis and decision-making.