Case Study

Major Reinsurance Company Integrates Global Risk and Compliance Processes in a Centralized Framework

As an international organization with operations across countries, the client is required to comply with a number of global/local regulations, ranging from the Financial Services Authority (FSA) filing requirements in London, to the Insurance Companies Ordinance in Hong Kong. They also have to deal with a wide range of risks, broadly classified as group risks, reinsurance risks, operational risks, market risks, credit risks, and liquidity risks.

Managing these risks and regulatory compliance requirements using traditional tools such as spreadsheet-based checklists was becoming increasingly cumbersome, time-consuming, and unsustainable for the client. They needed a way to make their global risk and compliance processes more efficient and streamlined, as well as transparent.

After considering several risk and compliance solution providers, the client zeroed in on MetricStream. They liked MetricStream’s comprehensive solution functionalities, graphical reports and dashboards, workflow tracking tools, and the ability to balance global and local compliance requirements. More importantly, MetricStream offered them a way to implement a single, cohesive risk and compliance management system across their global enterprise.

Since it has been implemented, MetricStream Enterprise Risk and Compliance Management Solution has helped the client streamline and automate their risk and compliance workflows across the globe. Over 110 users leverage the solution to efficiently identify their risks, perform risk-control-self-assessments, establish risk mitigation measures, track their KRIs, and strengthen risk reporting.

The solution also supports compliance testing, survey management, and issue and action plan management, enabling the client to strengthen compliance and credibility with regulators.

The Solution

MetricStream Enterprise Risk and Compliance Management Solution has enabled the client to implement a systematic and automated approach to risk assessments and scoring, compliance assessments and controls testing, and issue and corrective action management. The solution has helped create a tightly mapped structure of the client’s global risks (parent-child), corresponding risk assessments, ratings, controls, evidence of control effectiveness, KRIs, and other key risk data for enhanced transparency. A common repository stores all global risk and compliance documentation and evidence, while powerful reports and dashboards enable consolidated risk and compliance reporting.
Below are the capabilities of the solution that are being leveraged by the client:

Risk Library

Through the MetricStream solution, the client has created a comprehensive, centralized library of all their enterprise risks, controls, and related processes. Risks have been defined in a hierarchical manner with clear parent-child relationships. In addition, each risk is mapped to the appropriate controls and business processes. Therefore, at one glance, stakeholders can view the risks distributed across the organization, the controls used to mitigate these risks, control type (prevent/detect), risk and control owners, associated KRIs, and other key data.

Risk Assessments and Scoring

The solution enables the client to define, plan, perform, and manage their enterprise and operational risk assessments from three perspectives: org-risk, process-risk, and org-process-risk. Each risk - be it operational risk, market risk, or credit risk - is assessed and rated based on its frequency and severity. Therefore, a risk which receives a frequency rating of 1 is rare, while a risk that is graded at 6 is highly likely to occur. Similarly, a risk that receives a severity rating of 1 is likely to have a minimal impact, while a risk rated at 6 is likely to be catastrophic. Color-coded charts support the risk rating process by highlighting high-risk areas.

Based on the risk scores, the MetricStream solution helps define controls, and then assess their effectiveness. Given that all risk and control data is integrated together, the client can easily view inherent and residual risk scores, the controls used to mitigate these risks, and evidence of control effectiveness.

Compliance

The MetricStream solution provides a common, collaborative framework to manage compliance with the full range of global and local regulations. All business processes in the scope of compliance, along with the associated risks and controls, policies and procedures, regulatory requirements, and filing schedules are linked together in a comprehensive compliance and control hierarchy. This framework has enabled the client to structure and streamline their compliance processes so as to avoid duplication of effort.

Using the solution, the client can efficiently plan, implement, document, and manage compliance tests and surveys either periodically, or based on compliance schedules and associated risks. The solution supports assessments based on comprehensive checklists, and provides tools to score, tabulate, and report the results. Since all assessments are stored in a central repository, the client can easily search through the data to provide evidence to external regulators that controls are in place to ensure compliance.

Issue Management

All issues that arise during the risk assessment or compliance testing process are routed by the solution through a systematic process of investigation and corrective action. Users can initiate an issue, review and implement the appropriate action plan, and see it through to closure. Each issue is assigned a unique case ID so that it can be tracked in real time as it moves from one stage to the next. Automated alerts help notify the appropriate personnel to follow up on each issue, and trigger escalations if deadlines are not met.

Reporting

The MetricStream solution provides a range of graphical dashboards, reports, risk heat maps, and other charts which are vital for the client to track their risk profiles, control ownership, assessment plans, issues, corrective action and other key data. These reports can be accessed globally, and display real-time information.

The solution also provides a compliance certification dashboard with an in-depth view of regulatory certification and reporting tasks, due dates, requirements, and the progress of compliance. These tools enable the client to consistently track if all organizational branches and offices are complying with the applicable laws and regulations.

The client has the flexibility to create, edit, and manage a variety of standardized, configurable, ad hoc, and scheduled reports. Reporting workflows are automated, helping the client save considerable time and effort. In addition, a Reports Wizard allows users to develop their own reports without any programming.

Challenge

Prior to implementing MetricStream’s solution, the client faced a number of challenges:

  • Complex risk and compliance processes that were managed using cumbersome spreadsheet-based tools.
  • Significant time and effort spent on manually preparing risk reports, and routing risk and control information for review and approval.
  • Difficulties in tracking compliance with multiple regulatory and filing requirements that varied from one country to the next (e.g. Section 334 and 335 of the Companies Ordinance in Hong Kong, China Insurance Regulatory Commission mandates, FSA requirements).
  • Insufficient visibility into risks and controls across the parent organization and its subsidiaries.

Benefits

  • A single system to manage global risk and compliance processes.
  • Greater visibility into areas of risk.
  • Standardized risk and control taxonomies.
  • Enhanced tracking of regulatory compliance.
  • Increased risk and compliance efficiency.

Why Was MetricStream Selected?

The client chose MetricStream because:

  • The MetricStream solution comes pre-built with powerful risk and compliance capabilities that are based on industry best practices, and can be adapted out-of-the-box to meet organizational requirements.
  • The solution’s integrated approach enables organizations to implement a unified, cohesive risk and compliance program across the global enterprise.
  • MetricStream’s powerful reporting and dashboards tools offer in-depth and real-time visibility into critical risk and compliance metrics, so that organizations can respond in a timely manner.
  • Regulatory compliance requirements and processes can be tracked from the solution’s single point of reference.
  • The MetricStream solution was competitively priced.