A government non-profit, which provides financial support to students, was facing some major challenges in the area of risk and compliance, stemming from manual and antiquated systems that led to both business process and privacy issues. The lack of an integrated approach, common governance, risk, and compliance (GRC) taxonomy, and harmonized processes resulted in limited visibility into its overall risk and compliance posture. All these factors hampered effective decision-making
To overcome these challenges, the organization started to look for a solution that could automate its manual GRC processes. It implemented MetricStream's ConnectedGRC products running on the AWS cloud to achieve this goal. With MetricStream, the organization now has a centralized and automated GRC system used by 3,000 employees who now speak a common risk language and share information in a streamlined manner.
The Antiquated and the Obsolete
Prior to MetricStream, the organization faced a number of challenges due to its fragmented risk and compliance processes and dependency on manual and antiquated systems such as spreadsheets. This resulted in a “reactive” approach to GRC that failed to provide information on a timely basis.
As various teams were working in silos, it resulted in multiple versions of the truth. The lack of a structured approach and automation made it difficult to segregate data. This, along with the lack of a standardized GRC nomenclature, led to a lot of inconsistency and incoherence in risk and compliance data. With the organization required to frequently provide information to regulatory bodies, the teams were spending a lot of time and effort collating the same data for multiple reporting purposes rather than analyzing it for risk intelligence.
All these factors led to a lot of redundancies and inefficiencies, impeding the organization’s visibility into risk and compliance posture and effective decision-making.
Embarking on the GRC Automation Journey
The organization chose MetricStream to consolidate its GRC processes onto a single unified platform and embarked on its GRC automation journey. It implemented MetricStream’s Enterprise Risk Management, IT and Cyber Compliance Management, and Policy and Document Management products.
As requested by the organization, the products were deployed in a phased approach with multiple go-lives, starting with the capturing organizational structure, processes, and roles, and mapping these to product workflows and roles. The implementation process not only focused on product deployment but also helped the organization reevaluate their processes for each of their business use cases as they transitioned into the platform. With the implementation, the organization benefited from the resulting integrated GRC approach, which improved visibility into various risk and compliance processes, highlighted the relationships between them, reduced manual effort, and enhanced overall risk awareness.
Centralized Database and Single Version of Truth
With different business units using their own spreadsheets for risk and compliance data, there were multiple versions of truth and a lot of duplication of effort. With MetricStream, the organization consolidated all GRC processes onto an integrated platform and established a centralized risk repository. MetricStream’s flexi data model allowed the organization to add additional levels in the product based on their organizational hierarchy and map all GRC elements, including an extensive set of libraries for risks, controls, processes, policies, and assets in a comprehensive manner. This integrated and flexible approach resulted in a single version of the truth with improved visibility into risk relationships – risks are now mapped on a many-to-many basis to controls, functions, processes, and more. This has also simplified and structured data collation and analysis.
Standardized GRC Taxonomy
The previous lack of common GRC taxonomy resulted in different interpretations of risk, compliance, and related issues by various teams and business units. MetricStream helped the organization establish a common integrated GRC taxonomy. As a result, a common risk language is now spoken by various teams which has facilitated a consistent understanding of risks across the organization, there by improving communication and information sharing
Simplified IT Compliance
A government non-profit, which provides financial support to students, was facing some major challenges in the area of risk and compliance, stemming from manual and antiquated systems that led to both business process and privacy issues. The lack of an integrated approach, common governance, risk, and compliance (GRC) taxonomy, and harmonized processes resulted in limited visibility into its overall risk and compliance posture. All these factors hampered effective decision-making
MetricStream enabled the company to easily perform data checks and control testing on all information assets and quickly identify and address any gaps or loopholes in their data processing activities. The product establishes a central structure of the overall IT and cyber compliance hierarchy, which simplifies monitoring and tracking various compliance management activities.
Full Traceability and Audit Tracking
MetricStream has helped the non-profit standardize GRC frameworks and ways of working across the organization. It can now set up the GRC tool to support segregation of duties to control and manage data access. The implementation has facilitated real-time reporting with full traceability and audit tracking for all GRC processes.
Well-Organized Policy Management
The organization has implemented MetricStream Policy and Document Management to efficiently create, post, and distribute policies, and ensure their enterprise-wide acceptance. The product maps policies to regulations, risks, controls, and processes, enabling the organization to quickly adapt to regulatory changes.
Improved Efficiency with Automation
The implementation of MetricStream ConnectedGRC products and the resulting automated and standardized workflow for risk management, governance, compliance, and assurance processes have helped the organization to reduce manual effort and save the time spent on administrative activities. This, along with the centralized risk repository, has improved data quality and integrity, empowering teams to leverage analytical tools to turn it into actionable intelligence and make informed business decisions.
Overall, MetricStream has enabled the organization to advance on the GRC maturity journey with standardized processes and framework, automated workflow, and improved information sharing.
“Today we have a centralized GRC system, shared information, and a common language providing a single version of the truth with all 3,000 users on the system. We’ve finished the initial implementation program and we continue to onboard further use cases and mature the current implementation as we understand it further.”
Information Security Governance & Compliance Manager – Assurance Services at the organization.
