Integrated Risk Management Solution

We are happy to say our compliance to incident reporting and tracking in the new software is now at 96%, previously in the first edition, it was 4%. Our  action tracking today is at 89% and previously it was I think 17%.

Before we had manual duplicated workflows but now it's automated and efficient. Before we had siloed GRC data- compliance has one set of data, risk has one, audit has one, BCP has one. Now it's a single GRC data repository with clear ownership of each data elements and strong data governance. Before risk was seen as the work of the risk function now risk is everyone's business.

Our first line is no longer coming to us to fill requests on an ad hoc basis. We are not having to drop everything to pull reports out of MetricStream for them. They can go straight into the Tableau server, pull the report they need and they are good to go.

Embarking on a GRC program was really about delivering value and making sure we are not spending resources unnecessarily. We also wanted to enable the different lines of defense to deliver on their individual accountability.

In terms of benefits of implementation, we've achieved everything we set out to. We have a single source of the truth. The GRC platform is seen by the CRO as the place where all of the risk and control data and loss event data in Nationwide is mastered. It is the central record, the only record that we use to report to the regulator.

We have now started to see commonality between different organization unit's risk assessment. We are starting to see maturities in how we are identifying issues in that process. We also have action plans for the next quarter and so forth.

Using risk information during the time of the crisis is vital. So if anything the spotlight on MetricStream and the data within it and our ability to adapt that information has been huge. We are using the current environment as a lever to make sure we are keeping information up to date.