Case Study

Leading Sovereign Wealth Fund’s Risk, Audit, and Issue Management Processes Now Run On MetricStream

One of the largest sovereign wealth funds in the world was facing a number of challenges with its manual and non-standardized approach to risk, audit, and compliance management. This included inconsistent and error-prone reporting, limited visibility into risk and audit insights, inefficient and delayed processes, and more. 

To overcome these challenges, the organization sought a solution that provided a single platform with a gold source of data that could be relied upon to make decisions using insights on risks, controls, audits, policies, and importantly, issues and action plans. It chose MetricStream’s BusinessGRC product line to improve Operational Risk, Internal Audit, Policy Management, and SOX Compliance Management programs. The implementation has empowered the organization to make more agile, risk-informed decisions by leveraging built-in reports, dashboards, and risk heat maps that enhance risk visibility.

The Need for Overhaul

Prior to MetricStream, the investment institution was managing risk and audit across multiple departments largely with spreadsheets, which are manual, time-consuming, and error-prone. Management had neither an integrated view of its risks nor actionable and timely audit intelligence, which hampered decision-making.

As a rapidly growing and dynamic organization with archaic processes, any hierarchy changes required tedious manual intervention from the audit and risk teams. The lack of an integrated workflow, together with non-standard control testing processes across functions, led to errors in reporting; reports were inconsistent and took much longer to generate through a manual process. Consolidating these reports not only took time but also hindered complete visibility into areas of concern, resulting in delayed and ineffective business decisions.

The organization chose MetricStream to help it establish a single integrated platform for managing risk, audit, and compliance functions while providing independence and flexibility to each team to configure workflows relevant to them. MetricStream’s federated data model ensured data consistency across business functions and aided in aggregated reporting. The implementation has enabled the organization to make more confident, risk-aware decisions with timely and data-driven insights. They also have a consolidated single source of issues and action management for efficient issue resolution.

Getting Started

The organization embarked on its GRC journey with MetricStream in 2020. Phase 1 involved the implementation of Operational Risk, Policy and Document, and SOX Compliance Management, while Internal Audit was deployed in Phase 2. The organization has recently been upgraded to the latest product release and moved from on-premises to cloud-hosted services (AWS, Bahrain).

Gold Source of Data

The organization was managing risk, audit, and compliance activities across multiple departments through a manual and siloed approach. Disparate and non-standardized workflows and data led to multiple versions of the truth, making it difficult to aggregate and analyze consistent data at the enterprise level. One of the organization's key objectives in embarking on the GRC transformation journey was to standardize its GRC program on a single platform.

With MetricStream, the investment institution now has a gold source of data with a centralized repository that enables it to map risks on a many-to-many basis to controls, functions, processes, and more. This essentially means that while each business unit or department can perform their own risk assessments, the results can be rolled up and aggregated at the enterprise level, providing the top management with a single, consolidated view of risks. The implementation has helped the organization to transform raw data into actionable insights, thereby enhancing visibility into risk relationships and providing audit intelligence.


  • Manual and siloed risk and audit processes with limited visibility
  • Non-standard control testing process resulting in reporting errors
  • Inconsistent reports and no single source of truth
  • Delayed and inefficient processes

Business Value Realized


  • Single source of truth
  • Comprehensive visibility into top risks
  • Greater efficiency with automated and streamlined assurance processes
  • Improved management of issues and actions


Risk-Based Internal Audit

Previously, the organization had complex and manual internal audit processes, which made providing timely audit intelligence a daunting task. With MetricStream Internal Audit Management, the internal audit team can plan and schedule audits by identifying auditable entities based on their risk ratings and manage audit workpapers and findings in a systematic manner. The product has also established structured processes for generating audit reports. Intuitive dashboards provide real-time access to audit intelligence for efficient decision-making.

Streamlined Issue and Action Management

MetricStream helped the organization replace its manual approach to issue and action management with a more automated and systematic approach. Consolidating all issues and actions into a single source has helped enhance the efficiency of the resolution process. The product has improved the transparency of the processes with clear accountabilities, as users can now track the status of issues and actions end-to-end at any given point in time.

Simplified SOX Compliance Processes

MetricStream SOX Compliance Management has helped the organization ensure compliance with SOX by establishing a centralized framework that ties together risk and control data management across financial processes. It now has systematic workflows for planning and scheduling risk assessments, control testing, documentation, and SOX certifications. Real-time reporting and comprehensive dashboards with drill-down capabilities further strengthen visibility into compliance processes.

Effective Policy Management

With MetricStream Policy and Document Management, the organization now has a centralized repository to create, store, and access all the organizational policies. It has established well-defined processes to effectively create and communicate policies and associated changes. Furthermore, the product has helped map policies to regulations, risks, and controls, thereby enabling the organization to strengthen compliance and quickly identify areas of concern.

Overall, MetricStream BusinessGRC has empowered the state-owned fund to advance on the GRC maturity curve with better risk visibility, improved assurance, and robust compliance processes. It has enabled the organization to overcome the shortcomings of manual processes and make data-driven and risk-aware decisions.
