The Client: Fortune 100 Health Care Company


The client used multiple disparate spreadsheets to assess and mitigate the supply chain risks associated with their products and manufacturing/distribution sites. This approach was cumbersome and time-consuming, and limited overall visibility into risk. With MetricStream’s solution, the client was able to consolidate all risk processes and data in a single, scalable system that provided real-time risk visibility. They were also able to automate the risk assessment process for maximum efficiency.

The client chose MetricStream to replace their manual risk assessment processes with a more efficient, automated, and integrated approach. MetricStream Supply Chain Risk Assessment Solution provides a central, Web-based framework to consolidate and map together all supply chain risk assessment data, processes, products, sites, and owners. The solution streamlines and automates the supply chain risk assessment lifecycle – ranging from pre-work and risk planning, to sourcing of risks, exposure quantification, mapping, and issue management. This systematic and integrated approach simplifies risk assessments, improves risk transparency and accountability, and strengthens risk reporting and decision-making.

Below are the key highlights of the solution:

Centralized Risk Library: The solution captures and maps together all risks, products, sites, and risk assessments in a common library. This inter-mapping between various data elements has not only improved risk transparency, but also enhanced the efficiency of risk assessments. Instead of manually identifying which risk assessment is associated with which product or site, users have all the information they need at their fingertips. As soon as they trigger a particular risk assessment, the solution pulls up all the required data at one go, including the type of assessment, and the products and sites that need to be assessed. So all that the user needs to do is go in and assess those risks.

Product and Site Categorization: Before a risk assessment, all products are categorized into three types based on various factors. Similarly, all sites in which the products are manufactured are classified into three tiers. Depending on the product type or site tier, risk assessments and schedules are prioritized.

The MetricStream solution has completely automated this process of categorizing products and sites, thereby making it easier and more efficient for the SCRM group to determine which entities and risks need to be assessed on priority. The solution also links all risks to the associated site type (e.g. internal manufacturing unit, third-party distribution center), and risk assessment type (product risk assessment, site risk assessment, or joint risk assessment). This way, when a user triggers an assessment for a particular risk, the system tells them exactly which assessment should be conducted, and in which site.

In the next phase of implementation, the solution will further automate the risk assessments. After the first assessment is conducted, the solution will have the intelligence to automatically replicate the same assessment the next time. It will determine which products or sites need to be assessed based on their respective type or tier. This way, users do not have to spend time in planning and scoping their risk assessments.

Joint Risk Assessment: In some cases, the company conducts joint risk assessments for those sites that manufacture only one product or component. Both the product and the site are assessed at the same time to optimize efficiency. The MetricStream solution provides the intelligence to identify all the risks associated with each product and site, so that both assessments can be done together at one shot.

Determination of Sources of Risk: A week before the risk assessment, the MetricStream solution provides a form for users to initiate their groundwork for the assessment. The solution then routes this data to the SCRM group to determine the sources of risk. During this stage, users assess all the risks based on their impact and likelihood, as well as the preparedness of the organization to deal with these risks. The solution automatically scores these risks, and ranks them as high, medium, or low based on inbuilt methodologies and algorithms. The risk assessor then flags those risks that need to be assessed further, and the solution automatically moves them to the next level.

Exposure Quantification: In this stage of risk assessments, high-ranked risks are analyzed in greater detail. The MetricStream solution provides a 3x9 grid to assess the risks based on impact, likelihood, and preparedness, wherein each of these parameters is further sub-divided into cost, quality and compliance, and demand. Essentially, there are nine parameters which tell the user whether a risk should be ranked as high, medium, or low. The solution automatically scores these risks, and helps flag and route the critical ones for the last level of assessments.

Risk Mitigation Plan Map: In this phase, the MetricStream solution helps create a risk mitigation plan for the critical risks, and automatically routes it to the sector leads who are responsible for the product or site which these risks are associated with. These leads are expected to implement the risk mitigation plan, and bring down the risk score. The solution helps in tracking this process by maintaining a comprehensive map detailing the risks, scores, and mitigation plans. Every quarter, it enables the risk scores to be updated, and helps determine if further efforts are required to mitigate the risks.

Issue Management: All high risks that are shortlisted in the map phase are treated as risk issues. The MetricStream solution routes each of these issues through a systematic process of investigation, analysis, and remediation. Each issue is marked with a unique ID so that it can be easily tracked as it moves from one stage to the next. Automated alerts and notifications help keep the process on track, and make sure that the responsible personnel remediate the issues within the stipulated timelines.

Reporting: The MetricStream solution provides the ability to automatically capture and roll up risk assessment data, and populate risk reports. This automated approach saves time and effort. Coupled with powerful graphical dashboards, the reports provide close to real-time information on the risk assessments conducted, critical risk areas identified, and the impact of these risks on the company’s revenue. Armed with this risk intelligence, the management team is well-positioned to make informed and proactive business decisions.

Analytics: In the next phase of implementation, the MetricStream solution will provide complete and real-time visibility into all the key risks that have been assessed, along with their impact and mitigation plans. It will also track the effectiveness of mitigation strategies based on how well the risk score is coming down. In addition, based on the risk assessment results, the solution will automatically suggest areas of improvement and preventive actions, so that the management team can decide on the best course of action in a timely manner.


The client has a large global supply chain that supports various stages of product manufacturing, processing, and distribution. To effectively manage and mitigate risks in this network, the client established a Supply Chain Risk Management (SCRM) group which is responsible for assessing the risks associated with all products, as well as the sites in which they are manufactured, stored, and distributed locally or globally. Multiple risk factors are evaluated, including glitches in manufacturing processes, labor shortages at manufacturing sites, socio-economic and political issues in the country of production, and even the distance from the manufacturing unit to the loading trucks.

The biggest challenge lies in the scale and scope of these risk assessments. There are hundreds of products, as well as manufacturing and distribution sites, each with varying levels of risk. Every year, the SCRM group has to prioritize these products and sites based on specific parameters, conduct three separate levels of risk assessment on each short-listed entity, report the results, recommend and implement a mitigation plan, and monitor the risk scores to see if they are decreasing.

Previously, most of these processes were conducted manually - a range of spreadsheets would be used to record, manage, and track risk assessment data. Yet this approach became increasingly time-consuming, and would often lead to duplication of data across spreadsheets. More importantly, it resulted in a deluge of data scattered across documents which, in turn, complicated risk reporting. If a report had to be prepared, users had to manually sift through various spreadsheets, find and consolidate the required data, normalize and clean this data, and then upload it into reporting frameworks to be sent to the management team. This was a laborious process, and would inevitably lead to delays in identifying and mitigating risk issues.

Why MetricStream?

The client chose MetricStream for the following reasons:

  • Leading healthcare and pharmaceutical companies across the world choose MetricStream to power their risk and compliance programs
  • MetricStream has consistently been ranked by analysts and industry experts as a leader in the Governance, Risk, and Compliance (GRC) field
  • The MetricStream Supply Chain Risk Management Solution provides a common, scalable framework to manage risks in an integrated and transparent manner
  • The solution is packed with cutting-edge risk reporting capabilities that provide real-time business intelligence
  • The solution can be completely configured to meet the client’s specific requirements


  • A single source of truth for all risk assessment data:
    All risk data is normalized and captured in a single, central framework. Therefore, at the click of a button, users get a 360-degree view of all the risk intelligence associated with a product or site. Being web-based, the solution can be accessed globally. It is used by the SCRM team to record and manage risk assessment data across more than 150 global sites.
  • Quicker reporting, improved decision-making:
    Since all the required risk information is available at their fingertips, the management team can immediately determine the impact of a product on revenue, the associated risks, and the steps that are being taken or need to be taken to mitigate those risks.
  • Enhanced risk assessment efficiency:
    The solution is almost completely automated. For instance, at the click of a button, it tells the user what products and sites need to be assessed, what their categorization is, which risks have been removed/added, and other key data. It also automates risk reporting. Thus, users can spend more of their time and effort on important tasks (e.g. risk analysis), and less on paperwork.

