Fixing the Cracks
Over the years, the company’s risk, compliance, and assurance processes had become increasingly siloed. Audit, SOX, risk, compliance, and policy-related data were scattered across systems, making it difficult for teams to track key risks, such as trading, financial, sanctions, Environment, Health, and Safety (EHS), and other issues. Without a unifying platform, they couldn’t effectively coordinate and collaborate on assurance findings.
Redundancies in control data and testing efforts weren’t uncommon. What’s more, the alignment between audit and compliance taxonomies was limited. This hampered efforts at comparing findings and identifying risks.
Outdated systems and manual processes only added to the challenges, making the processes time-consuming business functions. The company needed to revamp its systems and enable a more cohesive approach to assurance—one that would help them cut across audit, risk, controls, and compliance silos to gain a consolidated view of risks across business units and geographies.
Setting It Up
MetricStream emerged as the preferred choice to meet these requirements. The MetricStream Platform provided a centralized foundation to integrate GRC processes and strengthen risk visibility. Built on the platform were the MetricStream Internal Audit, SOX Compliance, Enterprise Risk, Regulatory Compliance, Regulatory Change, and Policy and Document Management products, which together helped the company streamline and automate workflows and enhance overall efficiency and resilience.
The products were implemented out-of-the-box with some minor changes as requested by the customer to best fit their requirements. The company has a dedicated business unit that leverages Compliance Management, Regulatory Change Management, Policy and Document Management, and Enterprise Risk Management, while another part of the business is using Internal Audit and SOX Compliance products. It uses surveys for inherent and residual risk assessments.
With the implementation, the company has successfully completed over 300 risk assessments with results aggregated through automation. It has also considerably cut down on the efforts by consolidating metrics across 3,000 controls.
Challenge
- Outdated assurance systems and manual processes
- Low visibility into risks
- Siloed systems which limited collaboration between audit and compliance functions
- Inconsistent risk and compliance taxonomies
Business Value Realized
A real-time and holistic view of risks across audit and compliance functions
Improved efficiency with automated assurance processes
Better coordination and communication through a common system
Smarter risk reporting and communication with standardized taxonomies
Single Source of Truth on Risk
MetricStream offers the company a unified view of risk, internal audit, SOX, compliance, and internal controls across the enterprise. The platform maps risks to compliance requirements, internal controls, control tests, assessments, processes, and other data elements in a single framework. This gives users a holistic and contextual view of risk.
The platform also standardizes risk, compliance, and control taxonomies, making risk reporting and communication much more consistent. Teams across assurance functions now have a common system to exchange data, and collaborate on risk findings. No more duplication of effort or information. Everything is clearly mapped and streamlined in the MetricStream Platform for optimal efficiency.
Streamlined Risk Assessments and Controls Testing
The company undertakes a Compliance Enterprise Risk Assessment (ERA) at least annually or more frequently in case of a material change to its risk profile and/or changes in compliance laws and regulations. Prior to implementing the MetricStream Enterprise Risk and Compliance products, it was tracking its risks manually.
The use of MetricStream advanced technologies equipped the company to take an innovative and streamlined approach to managing risk and controls assessments from start to finish. It now has a consistent global process for compliance controls, controls testing, risks, assurance, monitoring, regulatory changes, policies, and key metrics monitoring. The company can now efficiently manage compliance controls testing process from planning to recording test execution results, house the risk taxonomy and controls library, and track issues and action plans.
Simplified Regulatory Change Tracking
For the first time, the company has the ability to map regulatory obligations to policy, risks, and controls. MetricStream provides a simplified front-end form to capture and track all compliance policies and relevant regulatory changes through the tool, enabling the company to effectively de-risk regulatory challenges.
Effective Policy Management
With MetricStream, the company now has a centralized repository to store and access the latest policies. It has helped streamline and simplify the creation and communication of organizational policies. In addition, mapping policies to regulations, risks, and controls have significantly strengthened compliance while highlighting potential risks.
Enhanced Agility in Internal Auditing
MetricStream Internal Audit Management is helping the company improve its audit productivity, while also identifying and responding to risks faster. Auditors can create dynamic audit plans, assign tasks, record their findings, and attach supporting evidence all in one system.
The product supports a risk-based approach to auditing, enabling teams to prioritize and direct audit resources to the areas of highest risk. Since auditing has been integrated with SOX compliance, teams across both functions can effectively coordinate control testing activities to minimize redundancies.
MetricStream also strengthens visibility into audit findings, helping the audit team deliver valued, trusted advice to the board and leadership.
Improved Confidence in SOX Compliance
MetricStream SOX Compliance Management helps the company simplify compliance monitoring by unifying risk and control data management across financial processes. The product simplifies control testing, documentation, and certifications with systematic workflows. It also helps rationalize controls, thus reducing compliance efforts and costs. Real-time reporting enables teams to deliver swift assurance around SOX compliance, strengthening stakeholder confidence.
Streamlined Regulatory Compliance Management
The company has to ensure compliance with a plethora of regulations across jurisdictions, including those from the European Banking Authority, the U.S. Securities and Exchange Commission (SEC), and others. MetricStream Compliance Management has helped the company strengthen compliance by proactively identifying regulatory changes and assessing their impact on the business. Using the product, it can not only track the regulatory changes but also manually test the impact and ascertain how it needs to be implemented. Furthermore, the company is also better equipped to manage internal controls as well as identify issues and track them to closure.
Better Insights to Drive Performance
To conclude, powerful analytics, reports, and dashboards in MetricStream give the company in-depth visibility into risks, internal audit results, SOX compliance findings, regulatory changes, and internal controls. Decision-makers can leverage rich visualizations of the data to understand the top risks, issues, and opportunities. They can also slice and dice the information from various angles to compare findings across risk, internal audit, compliance, and more. The result is a strategic view of the company’s overall governance, risk and compliance (GRC) posture that enables leadership teams to make better-informed decisions.
Related Stories
Case Study
Major Insurance Company Uses a Holistic Approach to Engage All Lines of the Business in GRC
Case Study
U.S. Telco Giant Makes Cybersecurity Decisions 60% Faster by Quantifying the Dollar Impact of Cyber Risks
Case Study
Baptist Health Care Improves Audit Efficiency and Visibility With MetricStream
Subscribe for Latest Updates
Subscribe Now