Organizations are striving to effectively manage the full spectrum of internal and external risks, ranging from strategic risk and operational risk, to legal risk, IT risk, and financial risk. Brand and reputation risks have also become critical in today’s digital age, particularly with the increase in social media interactions and cybersecurity threats.
Risk data plays a pivotal role in strategy and decision-making for the organization as a whole, as well as each business unit. Therefore, it is important to manage risks in a streamlined and consistent manner. It is also critical to foster an enterprise-wide culture of risk awareness where all business units, vendors, and partners take ownership for managing and reducing risk exposure in their respective operations. To achieve these objectives, organizations are increasingly choosing to implement a robust enterprise risk management (ERM) program.Download Fact Sheet
MetricStream Enterprise Risk Management App
The MetricStream Enterprise Risk Management App is one of the most advanced and comprehensive ERM technologies in the industry. Organizations across the world use the app to manage a wide range of risks and related activities in a systematic and integrated manner.
The app enables you to identify, assess, monitor, and manage enterprise risks effectively. It facilitates multi-perspective risk assessments based on different qualitative and quantitative factors. It also helps evaluate, rate, and score inherent and residual risks based on a configurable scoring logic and risk matrix.
Through the app, you can set up key indicators (for risks, controls, and performance), enable risk monitoring, and integrate issue management - all in a single system. Powerful analytics and reporting capabilities, paired with detailed graphical dashboards, heat maps, and charts, offer comprehensive and real-time visibility into risks, enabling you to make informed decisions.
The app is certified for conformance with global accessibility standards and best practices as defined by WCAG 2.1 Level AA and Section 508.
Why MetricStream Enterprise Risk Management App
Supports Multiple Risk Frameworks
Supports various risk and control frameworks such as COSO, COBIT, and ISO, giving you the flexibility to choose the right framework to suit your organization’s requirements
Links Risks to Performance
Helps correlate enterprise risk metrics to performance goals and strategic initiatives (E.g. enables conduct risks to be assessed or tracked via KPIs, and linked to incentives)
Facilitates Consistent and Streamlined Risk Management Processes
Standardizes risk management processes across the enterprise by providing a central, uniform repository of risk data, as well as implementing a systematic and closed-loop process for risk assessments; includes capabilities for ad hoc risk assessments, configurable risk scoring, and inclusion of qualitative and quantitative risk assessment factors
Provides a Consolidated Risk View
Aggregates and consolidates risk scores and ratings into reports based on different parameters, thereby providing visibility into risks across the enterprise; offers the flexibility to manage various critical or emerging risks, including IT risks and cybersecurity risks
Supports Informed Decision-Making
Delivers timely and insightful risk reports with an in-depth view of risks, considering the established risk tolerance levels
Enables Proactive and Effective Risk Mitigation
Provides integrated functionalities for control assessment, issue management, and risk analysis; helps identify and address gaps, areas of concern, emerging risks, as well as opportunities in a quick and effective manner
Integrates with Other GRC Processes
Integrates the risk management program with other assurance processes such as compliance management, policy management, and audit management, thereby enabling a cohesive approach to GRC
M7 Platform Highlights
Engaging and Personalized User Experience
Makes risk management processes context-sensitive and personalized for each user; facilitates an intuitive and engaging user experience
Supports app configurations and extensions in an upgrade-safe and scalable manner through the MetricStream AppStudio configuration framework; helps the organization adapt to change quickly
Mobility and Layering
Provides a responsive interface that allows risk management processes to be managed across devices; leverages REST API integration framework to layer risk management processes over heterogeneous IT systems and business critical infrastructure
Reporting and Analytics
Delivers powerful visualization tools and analytics to manage and monitor risk trends, data relationships, and actions in real time across the extended enterprise
Lean and Robust Architecture
Is built on a lean, modern, scalable, and extensible architecture that enables the global digital enterprises of today to seamlessly scale up and support new users, while also adding new apps and solutions to meet changing organizational needs
Process and Risk Repository
Centralized Risk Library
Structure a logical enterprise risk hierarchy, including objectives, processes, associated risks, and controls. Establish relationships between these data entities, and attach associated policies and procedure documents for reference.
Standardize risk data across business units through the central risk library which can be accessed securely from anywhere in the organization. Maintain all risk details such as risk description, category, hierarchy, ownership, and validity in a common risk register, and map this data to business units, processes, and mitigating controls.
Gain the flexibility to categorize risks, and define parent-child risk relationships. Create a risk and control matrix that can be assigned to processes, sub-processes, and locations, using best-practice forms, templates, and workflows. Set up risk assessment questionnaires and risk scoring algorithms, as well as different risk assessment perspectives to manage variations across multiple groups. Also, specify department specific controls or process specific controls defaulted during a risk assessment.
Risk Assessment and Analysis
Define Assessment Plan and Schedules
Leverage robust tools to plan, schedule, and perform risk assessments. Define several risk assessments within a single plan, and assign them to assessors, owners, and other risk stakeholders. Schedule one-time or recurring risk assessments. Additionally, set up ongoing assessments, re-assign tasks, and trigger mass updates for risk owners, assessors, and approvers.
Enable both a top-down and bottom-up approach to risk assessments. Evaluate inherent and residual risks quantitatively, as well as qualitatively. Measure and score risks from different perspectives (e.g. per business unit or process). Define your own factors for assessments along with the logic used, and specify how the overall control environment rating should be calculated.
Evaluate each risk by responding to one or more factors (quantitative as well as qualitative). Document findings or issues, attach evidence, and route the data for review and approval. Ensure that assessment scores are combined to flow up into an overall risk score.
For each assessment, define and assign factors based on which the risks will be assessed. The factors can either be quantitative (where risks are assigned numeric scores) or qualitative (subjective responses). Further classify the quantitative factors as standard (without weights) and non-standard (with weights). The factors can also be flat or hierarchical in nature.
Add Risks and Controls on the Fly
Add new risks and associated controls (from the library or in an ad-hoc manner) during the assessment or approval stage. This approach helps in identifying new risks from the first line of defense, and building risk and control libraries. Define the level at which these ad hoc risks can be added. Once assessed, view the details of the added risks in the risk register report and heat map, as well as the overall roll-up score and rating. Also, delete risks or controls (either ad hoc or scoped as part of the plan) while performing an assessment.
Identifying Threats and Opportunities
During a risk assessment, classify each risk as either a threat or an opportunity along with a level (such as high, medium, and low). Thereafter, trigger the appropriate risk response - be it to mitigate, accept, avoid, transfer, share, or ignore the risk, aligning with your organization’s stated objectives.
Leverage advanced tools such as executive-level dashboards, reports, risk calculators, and heat maps (based on different risk matrices – 3x3, 3x4, or 10x10) to gain comprehensive visibility into the risk analysis process and data. Highlight key risk metrics, as well as the compliance status.
Risk Scoring and Aggregation
Define the logic for computing inherent and residual risk scores based on individual perspectives. Also, determine the factors (standard or non-standard) and sub-factors (max, average, sum, min) for risk scoring algorithms.
Through the app’s risk matrix configuration (RMC) feature, solve the variations in risk assessment methodologies. Aggregate risk scores across the risk hierarchy of organization, product, process, asset, objective, and geography. Then, roll up the risk scores based on averages, worst-case scenarios (maximum) or best-case scenarios (minimum) depending on the organizational need. Route them to the corporate level where they can be monitored against the corporate risk appetite.
Gain the option of defining or assigning weights to organizational levels (in terms of percentages or numerical values), and calculating risk scores based on these weights. Also, rate and rank risks based on the scores.
Control Design and Assessments
Once the key risks are identified and prioritized, define a set of key controls to mitigate those risks (leveraging industry frameworks such as COSO). Assess the overall environment based on multiple factors and a scoring methodology, both of which are configurable. Also, define control test plans or assessments (based on predefined criteria) in the form of surveys and questionnaires to determine the operational effectiveness of internal controls. Assign these tests or self-assessments to a chosen team or an individual member (as tester or assessor) along with details such as testing milestones, due dates, and task details. Enable multiple control level tests, including independent evaluations of control testing, as well as control scoring and reporting. Base the assessments and ratings on configurable attributes, including control strength. Override the overall effectiveness rating if desired. Capture and record non-compliance issues or control deficiencies, and incorporate them in the issue remediation process.
Key Metrics Monitoring
Define key indicators for selected risks (KRIs), controls (KCIs), and performance objectives (KPIs). Measure and track these metrics against set thresholds to identify potential threats which need to be mitigated proactively. If a threshold is breached, ensure that alerts and notifications are automatically sent to the relevant personnel. Through dashboards, gauge the performance of key metrics, and analyze risk trends over a period of time to assess breach patterns. Use the risk metrics for future risk assessments and control tests. Extend the KPIs to track the risk appetite, both at the business unit level and the organization level.
Monitoring and Reporting
Leverage powerful dashboards, reports, and heat maps to gain quick and real-time access to information on risk management across the enterprise. Through graphical charts, capture and track details on risk profiles, risk-control assessments, control ownership, status of remediation, successes, failures, and trends. Report risks based on various dimensions such as the number of open issues for the risk, KRI trends, mitigating controls, and the number of risks falling within each risk level. Drill down to access the risk and control data at finer levels of detail. In addition, choose from various statistical and trend analysis tools to closely monitor remedial action plans. Pull out a word document report, export the details, or print them for reporting, analysis, and presentations during stakeholder meetings.
Create multiple heat maps, and access all required details even on a mobile device by simply clicking on a cell in the heat map. Easily select or filter details to display on the heat map, including information on inherent risks, residual risks, individual risks, or just the number of risks. View the movement of risks from inherent to residual based on the effectiveness of controls. Also, provide annotations (capturing the justification behind the risk profile and mitigation plan), and share the heat map with other stakeholders.
Through every stage, ensure that risk managers are able to consistently keep a tab on the progress of risk management programs, learn lessons, detect changes, and identify emerging risks.
Issue and Action Management
Simplify the management of findings and issues arising from risk and control assessments. Once issues are identified, documented, and prioritized, trigger a systematic mechanism of investigation, action planning, and remediation through the app’s underlying workflow and collaboration engine. Prioritize issues based on rating, impact, likelihood, or type. Also, recommend action plans for the treatment of issues (such as modification of controls). Monitor the status of issues at every stage, along with the progress of the remediation process. Keep the process on track through automatic alerts which help appropriate personnel address the issue on time. Ensure that all exception issues remain open till the action plans have been carried out, and the results have been verified for effectiveness.