Growing regulatory environment, higher business complexity and increased focus on accountability have led enterprises to pursue a broad range of governance, risk and compliance initiatives across the organization. However, these initiatives are uncoordinated in an era when risks are interdependent and controls are shared. As a result, these initiatives get planned and managed in silos, which potentially increases the overall business risk for the organization. In addition, parallel compliance and risk initiatives lead to duplication of efforts and cause costs to spiral out of control. Governance, Risk, and Compliance process through control, definition, enforcement, and monitoring has the ability to coordinate and integrate these initiatives.
The span of a Governance, Risk and Compliance process includes three elements
Governance: With an increase in activism among shareholders and increased scrutiny from the regulatory bodies, corporate boards and executive teams are more focused on governance related issues than ever before. The governance process within n organization includes elements such as definition and communication of corporate control, key policies, enterprise risk management, regulatory and compliance management and oversight (e.g., compliance with ethics and options compliance as well as overall oversight of regulatory issues) and evaluating business performance through balanced scorecards, risk scorecards and operational dashboards. A governance process integrates all these elements into a coherent process to drive corporate governance.
Risk Management: With the recent jump in regulatory mandates and increasingly activist shareholders, many organizations have become sensitized to identifying and managing areas of risk in their business: whether it is financial, operational, IT, brand or reputation related risk. These risks are no longer considered the sole responsibility of specialists - executives and the boards demand visibility into exposure and status so they can effectively manage the organization’s long-term strategies. As a result, companies are looking to systemically identify, measure, prioritize and respond to all types of risk in the business, and then manage any exposure accordingly. A risk management process provides a strategic orientation for companies of all sizes in all geographies with a formal process to identify, measure and manage risk.
Compliance: An initiative to comply with a regulation typically begins as a project as companies race to meet deadlines to comply with that regulation. These projects consume significant resources as meeting the deadline becomes the most important objective. However, compliance is not a one-time event - organizations realize that they need to make it into a repeatable process, so that they can continue to sustain compliance with that regulation at a lower cost than for the first deadline. When an organization is dealing with multiple regulations at the same time, a streamlined process of managing compliance with each of these initiatives is critical, or else, costs can spiral out of control and the risk of non-compliance increases. The compliance process enables organizations to make compliance repeatable and hence enables them to sustain it on an ongoing basis at a lower cost.
Benefits of Taking an Integrated GRC Approach
Many organizations find themselves managing their governance, risk and compliance initiatives in silos - each initiative managed separately even if reporting needs overlap. Even though, each of these initiatives individually follow the governance, risk and compliance process outlined above, when they deployed software solutions to enable these processes, the selections were made in a very tactical manner, without a thought for a broader set of requirements. As a result, organizations have ended up with dozens of such systems to manage individual governance, risk and compliance initiatives, each operating in its own silo.
Majority of the Fortune 1000 organizations find themselves in this situation today. However, they are quickly finding that as the multiple risk and compliance initiatives become more intertwined from regulatory and organizational perspectives, multiple systems cause confusion due to duplicative and contradictory processes and documentation. In addition, the redundancy of work, as well as sheer expense of maintaining multiple point software solutions causes the cost of compliance to spiral out of control.
By taking an integrated GRC process approach and deploying a single system to manage the multiple governance, risk and compliance initiatives across the organization, the issues listed above can be easily addressed. Such an approach can :
According to a recent note from Gartner, “For Sarbanes-Oxley, we put the burden on a global Bank at about 0.2 percent to 0.4 percent on EBITDA. So if the Securities and Exchange Commission is one of 370 regulators for a global bank - to approach each regulatory program individually would eat up all the profits. Lots of companies have separate compliance programs for every regulatory regime. As regulatory regimes proliferate, a comprehensive compliance program keeps regulations from depressing earnings”. An integrated GRC approach enables an organization to integrate and streamline these individual compliance initiatives, so it can significantly reduce the cost of compliance.
It is critical that a GRC solution must be able to address a wide range of compliance and risk management initiatives so that an organization can leverage GRC to deploy a consistent framework across the organization for compliance and risk management. Many vendors window dress their point solution by re-labeling it as a GRC solution or adding support for a few additional regulations to claim multi-regulatory label.
GRC Solution Framework and Key Capabilities
In order to articulate what makes a solution a GRC solution, we must first lay out a GRC solution framework. This framework identifies a comprehensive set of capabilities of a GRC solution and provides a benchmark to evaluate any solution against it and assess if it is a GRC solution or a point solution.
Capabilities of the GRC solution includes:
Examples of Multiple Initiatives Managed Using a GRC Solution
The section provides examples of how an integrated GRC solution manages the multiple Governance, Risk and compliance business initiatives at companies around the globe:
MetricStream is a market leader in Enterprise-wide GRC and Quality Management Solutions for global corporations. MetricStream enterprise solutions are used by leading corporations in diverse industries such as Automotive, Food, Pharmaceuticals, Manufacturing and Electronics to manage their quality processes, regulatory and industry-mandated compliance and corporate governance initiatives. In addition MetricStream’s ComplianceOnline.com portal is used by over a million compliance professionals worldwide to improve their work productivity and for professional growth.
MetricStream delivers the most comprehensive mapping of the GRC framework within the industry with the following unique capabilities:
Growing regulatory environment, higher business complexity and increased focus on accountability has led enterprise to pursue risk and compliance initiatives across the organization. However, these initiatives are uncoordinated in an era when risks are interdependent and controls are shared, leading to gross inefficiency, duplication of efforts and a silo view of the world. GRC systems through control, definition, enforcement, and monitoring have the ability to coordinate and integrate these initiatives and address the above mentioned issues. MetricStream provides the most comprehensive GRC solution in the industry today.
With a comprehensive set of GRC capabilities, support for a very broad set of compliance initiatives ranging from ethics and options compliance to SOX or internal audit to cGMP or ISO 9000, supplemented with rich industry content from ComplianceOnline.com - all built on an enterprise class platform make MetricStream the most compelling GRC solution in the industry today. For additional information, visit us at: www.metricstream.com
Appendix B: How MetricStream Addresses Various GRC Initiatives
In this section, we will discuss how MetricStream supports the various GRC initiatives within the industry - whether they are enterprise GRC initiatives or operational GRC initiatives.
Corporate/Enterprise GRC initiatives:
MetricStream addresses a number of corporate/enterprise GRC initiatives. These initiatives have activities that cut across multiple departments and are hence managed at the corporate level. Examples include:
Sarbanes-Oxley Act (SOX) mandates a stricter governance model and tighter internal controls for public companies. While companies in year 1 of the compliance pursued an open checkbook approach to SOX compliance with a project-oriented approach, majority of them are now focused on sustaining SOX compliance at significantly reduced costs by streamlining their SOX compliance process.
They are beginning to shift responsibilities for documentation and testing to the process owners, while keeping the overall ownership of Sarbanes-Oxley compliance still with the internal audit group. As a result, SOX compliance will become a part of the process owner's daily job and not a separate project with its own team of internal employees and external consultants. However, it is difficult for internal audit manager to transfer responsibility to process owners without having clear visibility into the project status, issues and activities at all times. In addition, before this transfer of responsibility, the entire process of scheduling, testing and remediation needs to be automated, so the internal audit manager can ensure repeatability over time and across business units. In addition, strict change control needs to be implemented for processes and controls and associated documentation to stay in sync (once it becomes integrated with daily operational processes), so that the investments in year 1 in documentation can continue to be leveraged.
MetricStream enables companies to address the above issues to significantly reduce their cost of Sarbanes-Oxley Section 404 (SOX 404) compliance. Using MetricStream SOX solution, companies can design, assess and improve internal controls under the COSO framework, monitor their compliance processes at any level of detail and easily provide evidence to the external auditors that an internal control was tested to the satisfaction of the internal audit group. Its document control capabilities provide a central repository with comprehensive change control capabilities. The SOX compliance solution also provides greater control and clear visibility into issues, status and plans to all stakeholders.
In light of recent corporate scandals, most boards have adopted strict corporate ethics compliance policies. A large number of companies have created roles of Chief Ethics Officer to ensure that they are embedding ethics into the corporate culture and developing and implementing improvements in internal control procedures to mitigate identified corporate ethics program risks. In addition, US companies are required to comply with Foreign Corrupt Practices Act (FCPA) and have to demonstrate that they have internal controls and processes for such compliance.
MetricStream enables organizations to continually audit their internal controls and communication processes to identify risks, validate compliance with corporate ethics policies and ensure that they have a mechanism to identify gaps and deficiencies and remedy them in a timely manner.
Stock Options Grant
In light of recent Stock Options backdating scandals, organizations are reviewing their option granting procedures to identify areas of exposure from past practices and to improve practices for the future. Incorrect practices in option grants can result in the organization taking incorrect tax deductions which may lead to requirements to revise prior tax returns and subject the company to IRS penalties. In addition if the compensation expense is not recorded or under recorded, then the historical financial results may need restating. Due to such practices, companies could face shareholder class action or pension plan lawsuits and may lead to fines, civil and criminal penalties. Officers and directors may be sued in derivative lawsuits for breaching their fiduciary duties in connection with the granting and improper reporting and other treatment of backdated options. Depending on the facts and circumstances, company indemnification and D&O insurance may not cover such liability.
New rules applicable to SEC reporting companies governing executive compensation disclosure went into effect on December 15, 2006. Required disclosures will include the grant date of options, fair market value on the grant date, the closing market price and the strike price of an option on the grant date if the latter is lower, the date the committee or board took action to grant the option (if different from the grant date), and a description of the methodology for determining the option price if it varies from the closing market price on the grant date.
MetricStream enables organizations to continually audit their stock grant processes and assess internal controls to identify risks and validate compliance with SEC requirements as well as the board compensation committee policies. In addition, MetricStream can ensure that companies have a repeatable mechanism to document gaps and deficiencies in their process and remedy them in a timely manner.
Companies operating in specific industries or geographies where they keep consumer information need to comply with regulations such as GLBA (Gramm-Leach-Bliley Act), HIPAA (Health Insurance Portability and Accountbility Act of 1996), SB 1386 (the California Security Breach Information Act), EU Data Protection Directive, PCI DSS (Payment Card Industry Data security Act) etc. These regulations and mandates aim to ensure that companies are providing increased protection to consumer information in their company databases. As a result, companies have developed internal controls and policies to ensure compliance with these regulations. Non-compliance can lead to significant fines and penalties and even revocation of business license in extreme cases.
MetricStream enables organizations to continually audit their internal controls and processes to identify risks, validate compliance with regulations and ensure that they have a mechanism to identify gaps and deficiencies to remedy them in a timely manner.
BSA (Bank Secrecy Act), initially designed for Anti-Money Laundering, established requirements for recordkeeping and reporting by private individuals, banks, and other financial institutions to help identify the source, volume, and movement of currency and other monetary instruments transported or transmitted into or out of the United States or deposited in financial institutions. BSA requirements were significantly updated due to the USA Patriot Act of 2001.
BSA compliance is critical due to the reputational, regulatory, legal and financial risk exposure to the financial institution for being involved in money laundering schemes or willfully violating the BSA statute. Civil money penalties and regulatory enforcement actions may be imposed for noncompliance with money laundering regulations which can endanger capital and earnings. Furthermore, banks may be criminally prosecuted for willful violations of money laundering statutes, which could ultimately lead to termination of FDIC insurance.
MetricStream enables financial institutions to continually audit their processes for filing of CTR/CMIR/FBAR forms, identification of suspicious transactions and filing a SAR form etc., as well as assess internal controls to identify risks and validate compliance with BSA requirements. In addition, MetricStream can enable them to have a repeatable mechanism to document issues and gaps in their process and remedy them in a timely manner.
Enterprise Risk Management (ERM)
Risk within an enterprise can come from various sources including mergers/acquisitions requiring extensive integration in a business unit, new regulations that may be subject to varying interpretation or entry of a company into a new market with substantial exposure and return. By implementing an enterprise risk management (ERM) framework, organizations can reduce the likelihood of unexpected disruptive business events in their environment. As a result, they can increase their operating margins, reduce earnings volatility, enhance process efficiency, improve regulatory compliance and optimize cash flow reserves.
MetricStream enables organizations to identify, assess, quantify, monitor and manage their enterprise risk in an integrated manner. It brings together all risk management related data - a reusable library of risks and their corresponding controls and assessments; results from individual assessments; key risk indicators; events such as losses and near-misses; issues and remediation plans - in a single solution. Its workflow capabilities streamline the risk assessment process. Once risk has been assessed, it enables organizations to prioritize using risk heat maps and make strategic decisions on risk response.
Operational/Functional GRC initiatives:
In addition, MetricStream addresses a number of departmental/operational GRC initiatives. Within these initiatives, the activities are primarily owned and managed within a specific department or function. Examples include:
ISO 9000/TS 16949/Quality Management
Many organizations are deploying industry standard quality management methodologies based on ISO 9000 or related specifications developed for specific industries such as TS 16949 for the automotives industry and ISO 13485 for the medical device industry. These standards bring the organizational focus on customer satisfaction and continuous improvement and take a process-centric approach towards quality management and assurance.
MetricStream offers industry's most advanced and comprehensive suite of solutions to support ISO 9000 compliance. It tracks events as they move from one stage to the next, even across departments and groups, to ensure a closed loop quality management process. For instance, a document change can initiate a training request and CAPAs triggered as a result of audit findings are tied to the audit.
The solution enables organizations to maintain a centralized repository of process documentation, SOPs, batch records, regulatory filing, and quality reports with change control capabilities. It provides capabilities to efficiently plan, schedule and conduct audits (such as supplier audits or quality audits), allows audit findings to be reviewed and analyzed by a team, enables initiation of follow-up activities such as corrective/preventive actions when needed and provides the ability to monitor the entire process. In addition, the solution supports flexible product inspections. Once issues are identified, it tracks them and enables triggering CAPAs, performing root cause analysis, assigning follow up actions while effectively tracking and routing cases from initiation to closure. Finally, it provides complete visibility into quality system database with comprehensive reports and dashboards as well as event-based notification.
FDA cGXP/ISO 13485/21CFR Part 11
Companies in pharmaceutical, biotechnology or medical devices industries are constantly pushing the boundary of innovation to develop new products. In addition, the industry is constantly being challenged to meet the rising standards of quality and to comply with rigorous regulatory requirements.
Traditionally, homegrown systems, stand-alone applications, or even manual paper-based system have been used to manage quality at departmental level. Such point-solutions fail to address systemic quality problems because they lack a broad enterprise reach. In addition, such point solutions cannot scale well significantly raising the cost of compliance and increasing the risk of non-compliance with FDA's GXP regulations.
MetricStream solutions are widely being used in the life science industry for supporting key processes and requirements for 21 CFR Part 11, Part 210-211, Part 820 / QSR, Part 606, ICH Q7A compliance for:
The solution enables organizations to maintain a centralized repository of process documentation, SOPs, batch records, regulatory filing and quality reports with change control capabilities. The solution tracks non-conformance and deviations and enables triggering CAPAs, performing root cause analysis, assigning follow up actions while effectively tracking and routing cases from initiation to closure. Finally, it provides complete visibility into quality system database with comprehensive reports and dashboards as well as event-based notification.
Mandates by the FDA and the USDA such as HACCP procedures and ISO 22000-based food safety management systems are the basis for many compliance and quality programs in the food and beverage industry. Improperly trained employees, substandard products or poor service can cost millions of dollars a year in lost sales for the business and leave the door open to more severe consequences.
MetricStream provides end-to-end HACCP & ISO 22000 compliance software solutions to support safety and quality compliance programs in the food and beverage industry. It enables foodservice companies to capture, route, correct, prevent and analyze system-wide issues between their organization and their trading partners. Unlike records in spreadsheets, paper-based procedures and email-based processes, MetricStream HACCP & ISO 22000 business solutions give companies the ability to collaborate with their partners, provide a real-time view into quality data and enables issue-tracking for a closed-loop compliance process. By unifying all compliance and quality data into one central repository, food and beverage companies can leverage robust reporting, dashboard and alert capabilities to easily identify trends, overdue actions and other performance metrics while maintaining detailed scorecards against Key Performance Indicators (KPIs).
IT Audit and Compliance
In most companies, key operational processes are managed by Information Technology systems. An IT organization, with well defined internal controls, enables companies to identify and manage their IT related risks. Ability to manage and contain such risks is critical to ensuring compliance with regulations and mandates such as Sarbanes-Oxley Act (SOx), Gramm-Leach Bliley Act (GLBA), and Health Insurance Portability and Accountability Act (HIPAA).
Most organizations regularly test the internal controls within their IT organization to ensure secure and continuous operation of their entire information systems infrastructure. Such controls, typically derived from COBIT control processes, reduce IT related risks and form the basis for good IT governance. The IT Auditing and Compliance process is inherently complex as it involves multiple internal and external stakeholders. Existing audit infrastructures have evolved from the bottom up and organizations lack a single system of record preventing top down visibility and control.
MetricStream provides a comprehensive solution for IT Audit and Compliance. Designed to support the COBIT framework, the solution ensures sustained compliance of IT controls at significantly lower costs. It enables organizations to define the controls they want to test, maintain a repository of tests, perform assessments, identify issues and drive the remediation process. It also enables multiple stakeholders to have visibility and control over the entire IT Audit process and provides a single system of record for IT audits.
Most companies run operations in accordance with government regulations, industry mandates and corporate governance standards. As a result, they are required to conduct regular audits to ensure compliance. With increasing business complexity and the rising number and types of audits companies need to conduct, audit managers are realizing that point-solutions and spreadsheet based systems are not suited for managing audit programs.
Challenges being faced include data inconsistency due to varying practices across regions and business units, poor analytics due to lack of visibility and access to information, and productivity loss due to manual processes for information routing and communication. These issues increase the risk of noncompliance as the system does not guide users based on regulatory requirements and cannot enforce a process for audits, corrective actions and investigations. Even if companies are compliant, it is difficult to provide evidence of compliance from an audit standpoint.
MetricStream solution provides the building blocks for streamlining audit management process in organizations. It provides the flexibility to support any type of audits, simple or complex, internal and external and for any regulation or function. It enables centralized control of audit resources and planning to support auditing as a corporate function. It provides comprehensive scheduling assessment and tabulation capabilities. Powerful reporting and analytics on audit data are made easily accessible. Advanced capabilities like built-in workflows, email based notifications and alerts, risk assessment methodologies and offline functionality for conducting audits at remote field sites allow organizations to implement the industry best practices for efficient audit execution.
Since the USA Patriot Act of 2001 was signed; exporters are under a greater level of scrutiny regarding global trade practices than ever before. They must have a repeatable process for ensuring compliance with the two key requirements:
Most exporters find themselves challenged to ensure 100% compliance with trade regulations, leading to potential fines, penalties and jail sentences, as well as loss of ability to export goods.
MetricStream enables organizations to continually audit their internal export processes and test internal controls to validate sustainable compliance and ensure that they have a mechanism to identify gaps and deficiencies in their process and remedy them.
The litigation and discovery environment is changing very quickly due to benchmarks like Zubulake and use of electronic discovery as a routine element of most matters. Based on the emerging Zubulake V and Delaware standards for preservation and production, organizations must have a repeatable process for communicating and ensuring legal holds, to prevent disposal of relevant electronic data. Non-compliance creates a huge financial exposure due to the risk of significant fines and penalties. In addition, organizations must ensure that the corporate retention policies are defined, communicated and being followed.
MetricStream enables organizations to continually audit their internal retention processes and test internal controls to evaluate sustainable compliance with corporate retention policies, validate that they have a repeatable process for ensuring legal holds and make certain that they have a mechanism to identify gaps and deficiencies in their process and remedy them in a timely manner.
Operational Risk Management (ORM)
Operational risk can come from various sources including mergers/acquisitions requiring extensive integration in a business unit, new regulations that may be subject to varying interpretation or entry of a company into a new market with substantial exposure and return. By implementing a risk management framework, organizations can reduce the likelihood of unexpected disruptive business events in their environment. As a result, they can increase their operating margins, reduce earnings volatility, enhance process efficiency, improve regulatory compliance and optimize cash flow reserves. It is a challenge to engage a cross functional team in an ORM initiative that is enabled by email and spreadsheet.
MetricStream's solution integrates all risk management related data - a reusable library of risks and their corresponding controls and assessments, results from individual assessments, key risk indicators, events such as losses and near-misses, issues and remediation plans - in a single solution. It leverages best-practices content to help define the scope of processes and sub-processes for which risk management needs to be performed, and to help develop control and test libraries. Its workflow capabilities streamline the risk assessment process. Once risk has been assessed, it enables organizations to prioritize using risk heat maps and make strategic decisions on risk response. Its workflow-rich solution enables organizations to easily track issues and drive their remediation process to ensure risk mitigation. In addition, the feedback loop enables organizations to develop new controls to lower the likelihood of recurrence of near-misses and unplanned events.
The California energy crisis, the Enron meltdown, and the fitful development of competitive wholesale power markets spurred Federal Energy Regulatory Commission (FERC), the agency that regulates the interstate transmission of natural gas, oil and electricity, to action in recent years to strengthen its policing of regulatory compliance, primarily through its Office of Enforcement. FERC has devoted significant resources to market oversight, regulatory and reliability auditing and investigation. Energy companies that fail to adopt effective, comprehensive regulatory compliance programs do so at their peril. Improper trading activities in the electricity and natural gas markets have triggered investigations and prosecutions that have resulted in criminal convictions and fines.
MetricStream enables energy companies to continually audit their internal controls and processes to identify risks of non-compliance, validate compliance with FERC regulations and ensure that they have a mechanism to identify gaps and deficiencies and remedy them in a timely manner.
Environmental Health & Safety (EH&S)
Workplace safety is emerging as one of the key risk management and regulatory compliance areas. As a result of this trend, traditional workplace environmental health and safety compliance systems, which were designed to be point solutions at a plant level, are giving way to enterprise-wide safety management systems. Such systems need to comply with the OSHA 29 CFR regulations and support the OSHAS 18001 framework, while providing enterprise-wide visibility into incidents and trends, corrective actions and process metrics.
To streamline Environmental Health & Safety (EH&S) programs and support compliance with various federal, state and local reporting requirements, companies are looking at ways to automate environmental health and safety related processes. MetricStream’s environmental health and safety software solution enables organizations to effectively comply with regulatory mandates around EH&S by automating their procedures to discover and document safety issues as well as to track, manage, and close corrective actions.
Key capabilities of the MetricStream solution include the ability to capture and report incidents and provide information on hazardous material, initiate and implement containment, corrective and preventive actions and powerful reporting and analytics by a variety of parameters such as by incident, by plant and by division. Executive dashboards provide real-time visibility into key process indicators and email-based alerts and notifications ensure prompt response.
MetricStream GRC solutions can enable companies to streamline compliance with other regulations such as FAA and EPA, internal initiatives such as retail audits or supplier quality audits as well as industry mandates such as TREAD amd BASEL II.
Best practices content and training from ComplianceOnline.com
It is simply not enough to have an enterprise solution that enables an organization to have a central document repository of all relevant process documentation, drive audits inspections or assessments, track non-conformance and manage the corrective action and remediation process.
There are two other key components needed for a solid and repeatable GRC initiative:
MetricStream addresses this issue head-on with its popular ComplianceOnline.com portal, which is integrated with its enterprise solutions. Key capabilities include: