Risk management had always been fundamental to the company’s governance practices. But as the scope, complexity, and interconnectedness of risks grew, the limitations of existing risk management processes became evident. For instance, risk assessments—although clearly defined—weren’t always consistent across business units. Nor were they linked to risks and objectives at the corporate level. This hampered risk visibility.
Meanwhile, the process of compiling risk registers and reports was becoming more laborious and resource-intensive since most of the data was scattered across spreadsheets and presentations. To top things off, risk mitigation actions weren’t always formally defined and tracked, making it difficult for the organization to ascertain its true risk posture.
Internal auditors and second-line assurance functions had their own set of challenges. Legacy tools were slowing down efficiency and limiting the adoption of agile-based audit methodologies. Processes like audit planning, resource allocation, and reporting had to be managed manually through spreadsheets. Even action management with auditees was coordinated manually via emails. This left little time for auditors to do anything else. At a larger level, regulations across the UK and globally were becoming more rigorous. Cost pressures in the company were also escalating. All these challenges prompted the company to upgrade to a more robust tool for risk, compliance, and audit management.
MetricStream emerged as the solution of choice. With the MetricStream Platform and products, the company was able to strengthen risk visibility, preparedness, and response. Audit and compliance efficiency also improved, enabling teams to provide assurance faster and more effectively. Furthermore, running on the AWS Cloud delivered scalability and security.
Today, frontline teams are using MetricStream to efficiently plan, schedule, and perform over 100 risk assessments. The platform has standardized assessments across business units, so that risks can be communicated and reported in a more consistent manner. It has also reduced the cycle time and costs of risk management processes by streamlining and automating workflows.
Intelligent risk libraries provide a common integrated risk taxonomy that makes it easy for users to understand how various risks are connected to each other, as well as to assets, business units, objectives, and other elements.
Tailored heat maps and risk registers give front-line leaders a real-time view of the risks, issues, and status of mitigation actions in their business units. This helps them stay on top of things, and proactively address both risks and opportunities as they arise.
Today, the platform is used by almost 400 people in the company. Its easy-to-use features and intuitive interfaces have simplified adoption even among infrequent front-line risk assessors and action owners.
Faster, more consistent risk processes thanks to workflow automation and standardization
A holistic view of risks at both the business unit level and corporate level
Streamlined audit cycles aligned with agile methodologies
More informed decision-making with real-time risk and audit intelligence
MetricStream enables the internal audit team to apply an agile methodology across the various types of audits, including standard audits, project risk reviews, functional assurance reviews (evaluation of second-line maturity and effectiveness), and financial control assurance reviews.
The entire audit lifecycle—right from audit planning and resource management, to workpaper management and reporting—is managed in a single, unified system instead of multiple spreadsheets. Workflow automation has accelerated auditing and saved resources. Assurance teams have more time to explore audit findings, uncover valuable intelligence, and guide leadership teams on how to best improve the organization’s risk and compliance posture.
Any issues that are found during the audit or assurance process are systematically investigated and remediated on the MetricStream Platform. Through the platform, assurance teams can directly collaborate with issue owners to define action plans and track them right up to closure. They can also swiftly pull together data on audit findings and actions to generate draft and final audit reports.
With MetricStream, risk findings are automatically consolidated and rolled up from the business unit level to the corporate level, giving stakeholders a unified, 360-degree view of the top risks. Internal audits and compliance assurance reviews are also linked to risk findings to provide richer intelligence.
Through interactive dashboards and reports, leadership teams can slice and dice the data to identify key areas of concern. They can also understand the dependencies between risks, business objectives, and mitigation strategies. Predictive risk metrics deliver forward-looking risk visibility to proactively anticipate and prevent adverse risk incidents.
With these capabilities, the company is able to make stronger and quicker decisions that build business resilience. They can also foster confidence with customers and regulators by demonstrating a strong risk governance and assurance program.