Being a large consulting and IT services major, the company managed 10,000 accounts and 60,000 projects across the world, each of which came with a different set of risks. Measuring the impact of all those risks on strategic performance goals was no easy feat. It required the company to first assess the risks associated with each project, and then map those risks to performance objectives across sales, delivery, business-enabling functions (e.g. HR, quality), and geographical operations. Those performance objectives, in turn, had to be mapped to strategic goals.
Sounds simple enough. However, each project owner tended to assess their risks in a manual, siloed manner. This, in turn, led to redundancies and delays in reporting. By the time risk data was rolled up to the CRO and other executives, they didn’t have enough time to implement corrective actions, resulting in dissatisfied customers. Moreover, since there was no common data model or framework to link risk impact to performance objectives, the CRO found it difficult to determine which risks needed immediate attention.
Meanwhile, as part of effective project governance, more than 60,000 audits had to be performed, including project audits, functional audits, IT audits, and vendor audits. The company did a good job of capturing audit findings, but other key details such as audit plans, objectives, scope, resources, and corrective actions were maintained in silos by individual team managers.
There was no way to link findings from various types of audits within a project or between projects. Nor was there a way to tie the audit findings back to risks. As a result, the CRO and other stakeholders didn’t have sufficient visibility into risks and their potential impact on strategic goals. Without this data, their efforts to strengthen business performance were limited. That’s when the company turned to MetricStream.
MetricStream implemented an integrated GRC solution for the company with capabilities for enterprise risk management, audit management, and SOX compliance management. Using MetricStream, the company has been able to align strategic and performance goals to risk management in compliance with COSO’s ERM framework.
The product enables project owners to identify risks, map them to the performance objectives of various business functions, and finally, link them to the company’s strategic goals. Thus, at a glance, stakeholders can determine how a customer satisfaction risk or delivery-related risk can potentially impact performance, revenue, and costs.
The product also streamlines risk and control assessments, injecting a fresh level of efficiency into these processes. Users can capture risk likelihood, qualitative and quantitative impact, ratings, and scores, as well as the effectiveness of the corresponding controls. This information is neatly aggregated and rolled up to the CRO and other stakeholders who can then slice and dice the data from various perspectives. The result is a truly comprehensive picture of risk which enables the executive team and board to make confident decisions that drive revenue, performance, and growth.
Project owners identify risks related to staffing, project scope, quality, contracts, relationships, customer budgets, infrastructure, etc.
Better predictability of performance and revenue in projects, accounts, and business units
among investors, analysts, customers, and the board regarding the company’s readiness to handle
Improved ability to build a case for risk management, and make informed decisions based on hard facts and metrics
The MetricStream product enables the company to manage different types of audits at the project and account level in a unified manner. It supports the complete audit lifecycle, ranging from audit planning and resource management to audit execution and reporting. Findings from various audits can be combined and correlated, enabling auditors to draw out meaningful risk insights at multiple organizational levels. These insights can be used to strengthen project governance and track progress towards project goals.
Audits can be prioritized based on various parameters like team size, billing potential, customer complaints history, productivity, and quality.
The product has enabled the company to streamline SOX workflows, including financial scoping, control testing, issue management, and reporting. This puts the SOX team in a better position to regulate the effectiveness of controls over financial reporting and governance.
The company now has complete visibility into which strategic performance goals and objectives are at risk, and which business units and projects will be impacted. This is in stark contrast to their earlier methodology of managing risks and audits at the project level without linking them to organizational goals.
Findings from audits can now be integrated with ERM to provide better oversight of risk. Similarly, ERM findings can be reused by audit, thereby minimizing redundancies and inconsistencies. This holistic approach has enabled the company to respond to risks and opportunities more proactively, manage business performance effectively, and strengthen confidence in the business’s ability to deal with potential risks.