Case Study

MetricStream Helps Leading Stock Exchange and Financial Information Company Unify Operational Risk and Resilience Framework

One of the world’s oldest stock exchanges, and a leading global financial markets infrastructure and data provider, wanted to consolidate its operational risk and resilience framework across its three major businesses under one program. It sought a software solution that could break down silos and improve communication, collaboration, process efficiency, and reporting across the group, and ultimately deliver resilient services to its customers.

The firm chose MetricStream to integrate its risk and resilience framework and transform its governance, risk, and compliance (GRC) program. MetricStream BusinessGRC software provides a single point of reference across multiple functions for managing risks, compliance, and key metrics. Real-time reporting, analytics, and intelligence help the firm accelerate decision-making and pursue opportunities while sustaining integrity.

"Our risk function should be able to better support sustainable business growth. To help deliver on that vision over the course of this year, we've been working with MetricStream to deliver an integrated GRC program across multiple business units and all three lines of defense." 
- Head of Enterprise Risk at the firm.

Getting Started With the GRC Journey

Previously, each of the organization’s three business groups had its own approach and program for managing operational risks, controls, regulatory requirements, policies, and third parties, relying on manual processes and with no common taxonomy. This produced redundancies and organizational silos, which hindered effective collaboration, communication, and reporting, and made it difficult to gain a holistic view of the firm’s risk and compliance posture.

The organization embarked on a GRC transformation journey to integrate these disparate programs (risk, compliance, and internal audit) and to link resilience to risk under one consistent framework. A key driver for change was the need to break down silos, consolidate teams, and align working practices. The initiative was also aligned with the company’s strategic move to the cloud.

The firm selected MetricStream to help implement a comprehensive GRC solution encompassing multiple functions and business groups, driving standardizations. It implemented MetricStream’s BusinessGRC products, including Operational Risk Management, Operational Resilience Management, Compliance Management, Policy and Document Management, Regulatory Engagement Management, Business Continuity Management, SOX Compliance, and Third-Party Risk Management.

Common GRC Taxonomy and Centralized Risk Repository

A key focus area of the GRC implementation was ensuring that the organization had robust data: collected centrally, accessible to the relevant stakeholders, and actually used in business decision-making.

With MetricStream, the organization has successfully established a standardized GRC taxonomy across the groups. This has helped bring together data from risk, compliance, and internal audit functions across groups. 

Today, the firm has a centralized repository of organization units, processes, and regulations with full linkages of all risks, controls, and checklists on MetricStream, which serves as a single source of truth for multiple stakeholders across business groups, functions, and departments. This has been instrumental in enabling the firm to break down organizational silos, both in terms of framework and approach, and making sure everyone is looking at a consistent set of data, speaking the same risk language, and having a consistent understanding of risks and issues.

Objectives

  • Standardize risk and control frameworks across the three groups
  • Manage risk holistically and link it to business decisions
  • Link resilience to risk with one consistent framework
  • Break down silos and bring program processes under a single integrated group
  • Improve communication, collaboration, efficiency, and reporting across the group
  • Demonstrate stronger risk management and governance to regulators
  • Deliver resilient services to customers

Business Value Realized

  • Single point of reference across multiple functions to efficiently manage risks, compliance, and key metrics
  • Improved business processes, enhanced operational efficiencies, and reduced operational issues
  • Real-time reporting, analytics, and intelligence help accelerate decision-making
  • Increased visibility and measurement into key compliance risks by mapping regulations, business processes, controls, and compliance requirements with policies
  • Consistent, coherent, and unified approach to operational risk and resilience

Unified Operational Risk and Resilience Framework

“Resilience” was one of the primary outcomes the organization wanted to achieve: making sure that it was providing resilient services to its customers. It wanted a unified approach spanning both operational risk and operational resilience processes. This involved the following steps:

  • Step 1: Understanding Business Services
    What services are being offered to customers that should be resilient? How to identify the important business services? What are the recovery time and recovery point objectives for those services?
  • Step 2: Understanding the Dependencies
    How are the important business services supported by technology, facilities, third parties, people, and the data that underpins them?
  • Step 3: Assessing the Risks
    Assessing the risk to each important business service if a technology asset fails, a supplier is unavailable, or the underlying data is missing: what is the impact, and how likely is it?
  • Step 4: Stress Testing and Scenario Planning
    Running scenarios and stress tests for important business services to identify any gaps that need to be addressed and/or enhance processes for effective risk mitigation.
  • Step 5: Self-Assessment
    Report the learnings and actionable insights to relevant stakeholders, including the board, to help the organization become more resilient, and understand how to improve the robustness of its services offered to customers.
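The following is an added example, not MetricStream's or the firm's code, showing how steps 1 to 4 fit together as a data model and a scenario check: important business services with an impact tolerance (their RTO), a dependency map across technology, facilities, third parties, people and data, and a single-failure scenario that projects each service's outage along the dependency chain and flags where it exceeds tolerance. All service names, dependencies and recovery times are constructed for illustration.

```python
# Added example (not MetricStream's or the firm's code): a minimal model of
# steps 1-4 above. Services, dependencies and recovery figures are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    """Something an important business service relies on (step 2)."""
    name: str
    kind: str                 # technology, facility, third_party, people, data
    recovery_hours: float     # time to restore it once everything it needs is back
    needs: tuple = ()         # names of other dependencies it relies on


@dataclass(frozen=True)
class BusinessService:
    """A customer-facing service with an impact tolerance (step 1)."""
    name: str
    important: bool
    tolerance_hours: float    # maximum tolerable outage (the service's RTO)
    needs: tuple = ()         # direct dependencies


# Constructed sample data for a hypothetical exchange; not real assets.
DEPENDENCIES = {d.name: d for d in [
    Dependency("dc-east", "facility", recovery_hours=12.0),
    Dependency("core-db", "technology", recovery_hours=4.0, needs=("dc-east",)),
    Dependency("matching-engine", "technology", recovery_hours=2.0, needs=("core-db",)),
    Dependency("price-history", "data", recovery_hours=6.0, needs=("core-db",)),
    Dependency("market-data-vendor", "third_party", recovery_hours=8.0),
    Dependency("ops-staff", "people", recovery_hours=1.0),
]}

SERVICES = [
    BusinessService("Trade matching", True, tolerance_hours=2.0,
                    needs=("matching-engine", "ops-staff")),
    BusinessService("Market data publication", True, tolerance_hours=4.0,
                    needs=("market-data-vendor", "price-history")),
    BusinessService("Marketing website", False, tolerance_hours=48.0,
                    needs=("dc-east",)),
]


def unavailable_after(failed, deps=DEPENDENCIES):
    """Every dependency that is down when `failed` fails: the item itself plus
    everything that transitively needs it (reverse closure over `needs`)."""
    down = {failed}
    changed = True
    while changed:
        changed = False
        for d in deps.values():
            if d.name not in down and any(n in down for n in d.needs):
                down.add(d.name)
                changed = True
    return down


def restore_hours(name, down, deps=DEPENDENCIES):
    """Hours until `name` is back: its prerequisites that are down must be
    restored first (critical path), then it needs its own recovery time."""
    if name not in down:
        return 0.0
    d = deps[name]
    prereq = max((restore_hours(n, down, deps) for n in d.needs if n in down),
                 default=0.0)
    return prereq + d.recovery_hours


def run_scenario(failed, services=SERVICES, deps=DEPENDENCIES):
    """Steps 3/4: fail one dependency and report, for each important service it
    hits, the projected outage against the service's impact tolerance."""
    down = unavailable_after(failed, deps)
    findings = []
    for s in services:
        hit = [n for n in s.needs if n in down]
        if not s.important or not hit:
            continue
        outage = max(restore_hours(n, down, deps) for n in hit)
        findings.append({
            "service": s.name, "failed": failed, "via": hit,
            "outage_hours": outage, "tolerance_hours": s.tolerance_hours,
            "breach": outage > s.tolerance_hours,
        })
    return findings


def single_points_of_failure(services=SERVICES, deps=DEPENDENCIES):
    """Run the single-failure scenario for every dependency and return those
    whose loss would breach at least one important service's tolerance, mapped
    to the affected services: the gap list that step 4 asks for."""
    gaps = {}
    for name in deps:
        breached = [f["service"] for f in run_scenario(name, services, deps) if f["breach"]]
        if breached:
            gaps[name] = breached
    return gaps


if __name__ == "__main__":
    for f in run_scenario("dc-east"):
        print(f"{f['service']}: down {f['outage_hours']:.0f}h via {f['via']}, "
              f"tolerance {f['tolerance_hours']:.0f}h, "
              f"{'BREACH' if f['breach'] else 'ok'}")
    print("Single points of failure:", single_points_of_failure())
```

In the constructed data, losing the data centre takes the core database, the matching engine and the price-history store down with it, so a single facility failure breaches both important services even though neither depends on the facility directly. That indirect exposure is exactly what the dependency mapping in step 2 is meant to surface; the loss of operations staff, by contrast, stays within tolerance. Real programs would extend the model with recovery point objectives, substitutes for each dependency, and multi-failure scenarios.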

With the implementation, the organization has embedded its operational risk and resilience framework in a single system, which has established a centralized repository of all risk-related activities, reduced manual work, and improved reporting. MetricStream Operational Resilience Management has enabled the firm to improve business processes, reduce operational issues, cut costs, and make its services more resilient.

Business Continuity Planning

The firm’s Business Continuity Management team had come under scrutiny for its reliance on a combination of manual processes and legacy systems amid a growing number of global threats. With MetricStream, the organization ran stress testing and scenario planning exercises from a business continuity perspective, which helped identify the interdependencies between third parties, cyber, operational risk, and other areas, and understand their impact on the organization. Understanding this interconnectedness enabled the firm to improve its processes and establish a more holistic, integrated approach to business continuity planning.

Regulatory Compliance

One of the key goals of the firm’s GRC transformation initiative was to ensure full compliance with regulatory mandates. The organization sought to scale up the compliance team and demonstrate stronger governance and risk management to regulators. MetricStream helped the organization streamline and automate its compliance management processes, improving visibility into key compliance risks by connecting regulations, business processes, controls, policies, and compliance requirements.

Policy and Document Management

MetricStream helped the organization replace its manual, time-consuming policy and document workflows with streamlined, well-defined processes for creating, managing, and communicating organizational policies. All policies and documents are now maintained in a centralized policy portal, which has simplified the management of policy attestations and exceptions. The NLP-powered search in MetricStream Policy and Document Management lets the organization quickly search thousands of enterprise-wide policies and documents to find the information it needs.

SOX Compliance

For several years, the firm’s global SOX team had built workarounds and internal systems to manage the global SOX program. Over time, these became difficult to maintain and enhance.

With MetricStream SOX Compliance Management, the organization has a centralized compliance framework for SOX in place along with streamlined processes for risk assessments, control testing, and issue remediation.

Conclusion

Through the GRC transformation journey, the organization learned that implementing a technology solution is only one part of the effort: getting full value from it depends on a firm-wide risk-aware culture, ensuring the relevant data gets into the system, engaging key stakeholders early, and communicating project objectives and business impact changes transparently. MetricStream has been a trusted partner in bridging the gap between the software tool and the firm’s business requirements, enabling it to achieve its goals of unifying its operational risk and resilience framework, driving process efficiencies, and gaining actionable insights for better-informed decision-making.
