In response to a constantly changing regulatory landscape, including mandatory Sarbanes-Oxley Act (SOx) compliance, the Company needed to adopt technology and achieve higher performance faster.
This gave rise to the Company’s strong focus on a common governance, risk and compliance (GRC) platform to integrate audit, compliance and risk management functions across the enterprise. A risk management initiative was started with the objective of streamlining its risk management processes and gaining clear visibility into risks, consistency across the enterprise, and effective control.
Over the past several years the Company had implemented a number of point solutions for risk management, compliance assessments, and audit management. As part of the Company’s redefined focus on GRC, the management and its executive sponsors were committed to implementing a single, integrated solution for these disciplines.
The Company needed to consolidate various risk, compliance and audit processes on an integrated, enterprise-wide architecture, facilitating regulatory compliance and Operational Risk Management (ORM).
The Company conducted an in-depth analysis of the compliance and risk solutions available and short-listed the best-in-the-industry solutions. At the end of a detailed analysis of alternatives and three exhaustive rounds of elimination, MetricStream emerged as the preferred solution provider. MetricStream’s robust and flexible technology framework, the sophistication of the solution in handling the Company’s requirements, and its wide-ranging relevant industry experience contributed to the selection.
MetricStream provided the Company with a comprehensive compliance, risk and audit management solution based on the MetricStream GRC Platform, with modules configured to map to the Company’s specific risk requirements in four risk disciplines: audit management, compliance management, operational risk management and SOx management.
MetricStream GRC solution: The MetricStream GRC solution provides end-to-end workflow automation across the Company’s business units and departments, supporting the Company’s organizational model across business units as well as its mapping to different risk management roles and reporting relationships.
Users have role-based portal access, with the options required for initiating actions, responding to events, managing and assigning tasks, and viewing reports and dashboards limited to their roles.
The system triggers email-based notifications and alerts to the appropriate personnel to notify them of various events and requirements. The MetricStream Briefcase option allows staff to use the application and work offline.
The system includes unique capabilities such as visual tools, frameworks, workflows, forms, reports, dashboards, heat maps to facilitate information sharing and visibility.
Operational loss management: Losses are given a rating and are assigned to roles along with access rights. The application triggers an automated notification of losses to the relevant personnel when the due date approaches. The solution includes a loss event form template which can be assigned to end users and inserted into a system-managed workflow process. Detailed user information is automatically recorded within the loss event form, including the name of the user completing the form, the date and time of completion, and the line of business (LOB) of the user. LOB personnel can provide all the relevant data related to the loss and link events to a control, subject to approvals and workflow rules.
The application supports linking actual losses to loss tolerances/appetites. General ledger (GL) transactions from the current month and prior months can be loaded into the application for review and decision-making. LOB personnel can select a GL transaction and designate it as an operational loss, and can link GL transactions to a single event.
GL data about the transaction, such as amount, GL date, account, company, cost center number, and the LOB and sub-LOB of the event, is pre-populated in the loss event form and can also be captured in real-time or batch mode from other applications.
Losses are linked to the second and third hierarchy levels of Basel business lines. The application can import quarterly revenues from an external system and link them to Basel business lines to support reporting.
Risk control self-assessment: Based on the organizational role mapping, LOB personnel at the Company are able to access the application. All risks are stored in the application with appropriate quantitative ratings and with the ability to tag certain risks as ‘key’. Multiple user attributes can be defined for a risk. MetricStream offers flexibility to create, change and configure workflows; unlimited user-defined fields for various attributes of any data type (for example, drop-downs, value lists, date, text, pick-list); and unlimited user-defined forms for various activities based on predefined templates and layouts.
The MetricStream platform records all data modifications within the system, including user and system data. Any data field change results in an auditable record of who made it, when, the old value and the new value. Data is never deleted from the database, so a full and complete audit trail is always available.
The solution supports ‘lock down’ of inherent risk through an appropriate workflow and approval process. An assessment object can be delegated to another user for assessment, and loss estimations are captured as part of the risk definition.
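The field-level audit trail described above (who changed what, when, old and new value, nothing ever deleted) is easy to state and easy to get wrong. The following is an added example, not MetricStream code and not the Company's configuration: a small append-only change log in Python that records every field change, treats deletion as a status change, rebuilds a record as it looked at any point in time, and hash-chains the entries so that any edit to an old row is detectable. The record id, user names and timestamps are constructed placeholders; the hash chain is an addition beyond what the case study states, included because an audit trail that can be silently rewritten is not a complete one.

```python
import dataclasses
from dataclasses import dataclass
from datetime import datetime, timezone
from hashlib import sha256
from typing import Any, Dict, List, Optional

# Order in which entry fields are hashed; prev_hash links each entry to the one before it.
_HASHED = ("seq", "record_id", "field_name", "old_value", "new_value",
           "changed_by", "changed_at", "prev_hash")
_GENESIS = "0" * 64


def _digest(fields: Dict[str, Any]) -> str:
    payload = "|".join(str(fields[k]) for k in _HASHED)
    return sha256(payload.encode()).hexdigest()


@dataclass(frozen=True)
class AuditEntry:
    """One immutable change record: who changed which field, when, from what to what."""
    seq: int
    record_id: str
    field_name: str
    old_value: Any
    new_value: Any
    changed_by: str
    changed_at: datetime
    prev_hash: str
    entry_hash: str


class AuditTrail:
    """Append-only change log. Rows are never removed; retirement is just another change."""

    def __init__(self) -> None:
        self._entries: List[AuditEntry] = []
        self._current: Dict[str, Dict[str, Any]] = {}

    def set_field(self, record_id: str, field_name: str, new_value: Any,
                  changed_by: str, at: Optional[datetime] = None) -> AuditEntry:
        at = at or datetime.now(timezone.utc)
        fields = dict(
            seq=len(self._entries) + 1,
            record_id=record_id,
            field_name=field_name,
            old_value=self._current.get(record_id, {}).get(field_name),
            new_value=new_value,
            changed_by=changed_by,
            changed_at=at,
            prev_hash=self._entries[-1].entry_hash if self._entries else _GENESIS,
        )
        entry = AuditEntry(**fields, entry_hash=_digest(fields))
        self._entries.append(entry)
        self._current.setdefault(record_id, {})[field_name] = new_value
        return entry

    def retire(self, record_id: str, changed_by: str, at: Optional[datetime] = None) -> AuditEntry:
        """A 'delete' is recorded as a status change so the record and its history survive."""
        return self.set_field(record_id, "status", "retired", changed_by, at)

    def history(self, record_id: str) -> List[AuditEntry]:
        return [e for e in self._entries if e.record_id == record_id]

    def state_at(self, record_id: str, when: datetime) -> Dict[str, Any]:
        """Rebuild the record as it looked at `when` by replaying its changes in order."""
        state: Dict[str, Any] = {}
        for e in self._entries:
            if e.record_id == record_id and e.changed_at <= when:
                state[e.field_name] = e.new_value
        return state

    def verify(self) -> bool:
        """Recompute every hash; an edited, removed or reordered entry breaks the chain."""
        prev = _GENESIS
        for i, e in enumerate(self._entries, start=1):
            if e.seq != i or e.prev_hash != prev:
                return False
            if _digest({k: getattr(e, k) for k in _HASHED}) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def demo() -> Dict[str, Any]:
    """Constructed sample: one risk record edited by two users, then retired."""
    t0 = datetime(2024, 1, 5, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2024, 2, 1, 14, 30, tzinfo=timezone.utc)
    t2 = datetime(2024, 3, 15, 8, 0, tzinfo=timezone.utc)
    trail = AuditTrail()
    trail.set_field("RISK-0007", "rating", "medium", "alice", t0)   # placeholder ids/users
    trail.set_field("RISK-0007", "owner", "treasury-ops", "alice", t0)
    trail.set_field("RISK-0007", "rating", "high", "bob", t1)
    trail.retire("RISK-0007", "bob", t2)
    result = {
        "changes": len(trail.history("RISK-0007")),
        "state_at_t0": trail.state_at("RISK-0007", t0),
        "state_at_t1": trail.state_at("RISK-0007", t1),
        "who_raised_rating": trail.history("RISK-0007")[2].changed_by,
        "chain_ok": trail.verify(),
    }
    # Simulate someone rewriting an old row directly in storage (constructed tampering).
    trail._entries[2] = dataclasses.replace(trail._entries[2], new_value="low")
    result["chain_ok_after_tamper"] = trail.verify()
    return result
```

Running `demo()` shows four change records for the sample risk, the rating reconstructed as "medium" at the first timestamp and "high" at the second, a valid chain, and a broken chain once one stored row is altered. In a real deployment the same checks would run against the database's change-history table rather than an in-memory list, and the latest chain hash would be anchored somewhere the application's own database administrators cannot rewrite.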
The solution captures control characteristics, such as type, significance, and frequency of testing and provides a common library of controls across the organization that can be cross-referenced to organization policies, procedures, and pertinent regulatory requirements.
The solution can associate tests or assessments with one or more controls as well as assess the operational effectiveness of controls. The solution automatically distributes assessments to multiple groups or individuals, followed by email notifications and alerts on scheduled dates.
The solution also includes the ability to sign off on risk and control assessments, which closes the assessment process and prevents further edits, thereby enforcing accountability. The solution generates periodic reports to highlight the status of the assessment.
The solution allows files of any format to be attached at any stage of the process. Risk acceptance can be recorded, monitored and reported based on a user-defined frequency. A centralized repository of issues and action plans focused on risk, controls and compliance is maintained.
The action plans can be of any type and can be related to any issue (including risk mitigation). An issue is closed only when all the related action plans are 100% completed.
Key risk indicator (KRI) analysis: Based on the organizational role mapping, LOB personnel at the Company are able to store KRIs and perform trend analysis on them. The solution facilitates tracking risk metrics and thresholds. Data can be added manually or through automatic data inputs from internal as well as external data sources. The solution includes a flexible dashboard to define and monitor internal and external KRIs and to monitor risk values against threshold values. Automated alerts and notifications are triggered to the relevant personnel when risk thresholds are crossed.
Depending on organizational needs, the assessment frequency of individual KRIs can be daily, monthly, quarterly or annual. Users can define multi-level (up to five) quantitative thresholds for the management of KRIs. User-defined attributes can be modified, retired or inactivated with an audit trail.
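The KRI mechanics described in the two paragraphs above (a quantitative indicator with up to five ascending thresholds, an assessment frequency, trend analysis, and an alert to the responsible role when a threshold is crossed) are shown below as an added Python example. It is not MetricStream code and not the Company's configuration; the KRI name, the threshold values, the owner role and the six monthly observations are constructed sample data. The example goes slightly beyond the text in one respect: it alerts only when the indicator moves up to a higher level, so a KRI that stays above the same threshold month after month does not page the same person every period.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

MAX_LEVELS = 5  # the case study allows up to five quantitative thresholds per KRI
FREQUENCIES = ("daily", "monthly", "quarterly", "annual")


def validate_thresholds(thresholds: Sequence[float]) -> Optional[str]:
    """Return an error message for an unusable threshold ladder, or None if it is fine."""
    if not 1 <= len(thresholds) <= MAX_LEVELS:
        return f"expected 1 to {MAX_LEVELS} thresholds, got {len(thresholds)}"
    if any(b <= a for a, b in zip(thresholds, thresholds[1:])):
        return "thresholds must be strictly ascending"
    return None


@dataclass(frozen=True)
class KRI:
    name: str
    frequency: str                  # how often a new observation is expected
    thresholds: Tuple[float, ...]   # ascending; reaching thresholds[i] means level i+1
    owner_role: str                 # role that receives the alert

    def __post_init__(self) -> None:
        if self.frequency not in FREQUENCIES:
            raise ValueError(f"unknown frequency {self.frequency!r}")
        problem = validate_thresholds(self.thresholds)
        if problem:
            raise ValueError(problem)

    def level(self, value: float) -> int:
        """0 = within appetite; k = the value has reached the k-th threshold."""
        return sum(1 for t in self.thresholds if value >= t)


@dataclass(frozen=True)
class Alert:
    kri: str
    period: str
    value: float
    from_level: int
    to_level: int
    notify: str


def evaluate(kri: KRI, observations: Sequence[Tuple[str, float]]) -> List[Alert]:
    """Alert whenever the KRI moves up a level; moving down just resets the baseline."""
    alerts: List[Alert] = []
    prev = 0
    for period, value in observations:
        lvl = kri.level(value)
        if lvl > prev:
            alerts.append(Alert(kri.name, period, value, prev, lvl, kri.owner_role))
        prev = lvl
    return alerts


def trend_slope(observations: Sequence[Tuple[str, float]]) -> float:
    """Least-squares slope of the values against their position; > 0 means worsening."""
    ys = [v for _, v in observations]
    n = len(ys)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(ys) / n
    sxy = sum((i - mean_x) * (y - mean_y) for i, y in enumerate(ys))
    sxx = sum((i - mean_x) ** 2 for i in range(n))
    return sxy / sxx


# Constructed sample: a monthly KRI with a three-level ladder and six months of data.
SAMPLE_KRI = KRI("failed-reconciliations", "monthly", (5, 10, 20), "ops-risk-manager")
SAMPLE_OBSERVATIONS = [
    ("2024-01", 3), ("2024-02", 6), ("2024-03", 8),
    ("2024-04", 12), ("2024-05", 4), ("2024-06", 21),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_KRI, SAMPLE_OBSERVATIONS):
        print(f"{a.period}: {a.kri}={a.value} level {a.from_level}->{a.to_level}, notify {a.notify}")
    print(f"trend slope: {trend_slope(SAMPLE_OBSERVATIONS):.2f}")
```

On the sample data the indicator crosses into level 1 in February, level 2 in April, drops back inside appetite in May and jumps straight to level 3 in June, so three alerts go to the owner role; the positive slope from `trend_slope` is the kind of figure the trend dashboard would plot. Rejecting a sixth threshold or a non-ascending ladder at construction time is the check that keeps a misconfigured KRI from silently never alerting.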
The solution supports assessment status management and allows files of any format to be attached at any stage of the process.
Scenario analysis: The application allows the Company to capture scenario exposure estimates based on the buckets approach and store them for historical analysis. User-defined attributes can be modified, retired or inactivated, and a complete audit trail is always available. The precise capture parameters and reports have been configured based on the specific requirements of the Company.
Capital modeling: The solution allows the Company to configure and generate a frequency curve according to the specified loss model. The system integrates securely with the Company’s existing software and tools, which run the algorithm for generating the curve.
The system provides some out-of-the-box algorithms and can be configured to create multiple severity distribution modeling curves. The system can set up any number of parameters and incorporate correlation matrices into capital requirements for each risk factor or at an aggregated level.
Using the solution, the Company can define and maintain a centralized structure for the overall compliance and control hierarchy, including processes and assets in scope, risks for those processes and assets, controls to address the risks, and mechanisms to assess the controls. It includes associated policies and procedures, reporting requirements, and filing templates and schedules for various regulations.
The Company can design assessment plans to evaluate and ensure the effectiveness of the controls and assign these based on roles and responsibilities. Assessment plans can also be scheduled periodically or triggered based on the Company’s compliance requirements and associated risk.
The system implements rigorous change control to ensure that processes and their documentation always stay in sync, and also provides integrated audit trails and change history reports. The solution supports quantitative rating at the requirement level as well as comprehensive reporting at multiple hierarchy levels.
Audit management: The MetricStream solution allows the auditors at the Company to create an audit program with a well-defined objective and scope tied to risk, compliance and quality management processes and cycles. Auditors can organize an audit in a logical structure and hierarchy with detailed audit templates and work orders. Evaluation and pass/fail criteria, checklists and tasks that need to be performed for executing the audit can also be defined.
The solution supports creation of a risk-based audit plan based on the risk rating of related risks and processes. Audits can be scheduled periodically or triggered on an ad-hoc basis for internal departments, specific products and processes. Based on the master audit calendar, a team of auditors can be selected and assigned the audit responsibility with a due date. Automatic notifications are sent to the auditor as well as to the entity to be audited.
The application sends an automatic alert to issue the audit announcement letter based on the audit schedule as soon as the audit project is created. The letter is generated from predefined templates in MS Word format and contains all the information about the audit. Audit/assessment milestone dates are captured, including kickoff, draft report, final report, closing meeting, and audit closure.
The audit project status changes automatically based on the workflow rules and can be changed manually with appropriate approvals. The system provides a number of reports and dashboards to view project status. Audit managers can track the status of the audit and measure progress against milestones to ensure timely execution. Time tracking capability captures the time spent on auditing for optimal resource utilization.
The solution supports work paper management and allows auditors to index and store supporting documents, findings and analysis results for each audit program engaged under the audit plan. The system allows auditors to attach supporting documents in various electronic file formats during the audit program, such as reference information, user manuals, transaction reports and meeting minutes reviewed by the auditor. All attachments are centrally stored, and users participating in the audit workflow can access and view them at any time. The solution allows ownership to be transferred based on approvals and business rules.
The audit assignment report can be generated with comprehensive information, including working lists outlining all audits sorted by multiple criteria, such as their risk weight or the predefined frequency. The reports provide a drill-down view of audit projects by a variety of parameters, such as audited entities, audit schedule and calendar, finding reports, and the corrective and remediation actions triggered.
The solution provides an offline capability that allows auditors to enter audit findings on notebook computers or handheld devices at remote field sites without access to the corporate network, and to synchronize the data with the central repository when they regain network access.
Sharper focus on risk
Improved risk avoidance
Increased organizational accountability
Significant cost reduction and better resource management
Insufficient visibility and inconsistency: The management of the Company needed clear enterprise-wide visibility into the control systems, risk metrics and compliance information that would help it efficiently oversee the audit, compliance and risk management functions at the organizational level.
The Company followed four different risk processes across organizational functions, based on four different applications, increasing complexity as well as maintenance, training requirements and costs.
Disorganized risk management: Risk assessment processes were resource-consuming and repetitive. They did not provide an adequate amount of information or efficient tracking of risk management. Undue effort and time was spent on completing day-to-day risk processes while effective assessment and analysis of risk was lacking. This had resulted in disproportionate risk management: certain risks had not been identified while certain other risks were excessively managed.
Restricted reporting and analytical capabilities: The audit group at the Company was spending excessive time and effort to compile audit reports and generate numerous other reports required to track status as well as to analyze trends.
The legacy applications were not able to capture all the data necessary for risk analysis. Key areas such as controls were maintained in documents, which prevented analysis.
Stand-alone solutions and reporting silos: The Company was using a set of non-integrated departmental solutions, each focusing on a specific process or risk department, resulting in reporting silos. Reporting across disciplines and any reuse of audit or assessment information between systems required manual compilation of data across solutions to produce the operational and management reports. This became more challenging as each group defined its own definitions and metrics for risks, controls and the other entities it managed.
Compliance with regulatory requirements: Several new regulations mandate a stricter governance model and tighter controls. The Company was facing a challenge executing all critical operational controls for regulatory compliance, assessing the effectiveness of these controls, and subjecting the assessment report to the scrutiny of independent auditors.
The Company selected MetricStream for this engagement based on the following capabilities:
MetricStream has the ability to meet the complex IT requirements of the Company in the areas of integration, scalability and security.