Prior to MetricStream, the organization faced a number of challenges due to its fragmented risk and compliance processes and dependency on manual and antiquated systems such as spreadsheets.
Because the various teams were working in silos, multiple versions of the truth emerged. The lack of a structured approach and of automation made it difficult to segregate data. This, together with the absence of a standardized GRC nomenclature, led to considerable inconsistency and incoherence in risk and compliance data. As a result, the teams spent much of their time and effort collating the same data for multiple reporting purposes rather than analyzing it for risk intelligence.
All these factors led to a lot of redundancies and inefficiencies, impeding the organization’s visibility into risk and compliance posture and effective decision-making.
The organization chose MetricStream to consolidate its GRC processes onto a single unified platform and embarked on its GRC automation journey in 2019. It implemented MetricStream’s Enterprise Risk Management, IT Compliance, Policy and Document Management, and Case and Incident Management products.
The products were deployed in a phased approach with multiple go-lives. The implementation process not only focused on product deployment but also helped the organization reevaluate its processes for each business use case as it transitioned onto the platform. With the implementation, the organization benefited from the resulting integrated GRC approach, which improved visibility into various risk and compliance processes, highlighted the relationships between them, reduced manual effort, and enhanced overall risk awareness.
With different business units using their own spreadsheets for risk and compliance data, there were multiple versions of truth and a lot of duplication of effort. With MetricStream, the organization has consolidated all GRC processes onto an integrated platform and established a centralized risk repository. This integrated and centralized approach has resulted in a single version of the truth with improved visibility into risk relationships – risks are now mapped on a many-to-many basis to controls, functions, processes, and more. This has also simplified and structured data collation and analysis.
MetricStream Case and Incident Management has significantly improved the organization’s visibility into and understanding of the number of incidents and the details of breaches. It has also simplified the process for raising observations and incidents, which helps to strengthen student privacy while improving compliance and lowering risk.
The previous lack of a common GRC taxonomy resulted in differing understandings and interpretations of risk, compliance, and related issues across teams and business units. MetricStream helped the organization establish a common, integrated GRC taxonomy. As a result, the various teams now speak a common risk language, which has facilitated a consistent understanding of risks across the organization and thereby improved communication and information sharing.
Common risk language and taxonomy
Centralized GRC system facilitating information sharing
Single version of the truth with over 3,000 users
Improved visibility into and understanding of the number of incidents and breach details
Ability to easily raise observations and incidents, which strengthens student privacy while improving compliance and lowering risk
Improved information and analytics driving better decision making
MetricStream has helped the non-profit standardize GRC frameworks and ways of working across the organization. It can now set up the GRC tool to support segregation of duties to control and manage data access. The implementation has facilitated real-time reporting with full traceability and audit tracking for all GRC processes.
The implementation of MetricStream products, and the resulting automated and standardized workflows for risk management, governance, compliance, and assurance processes, have helped the organization reduce manual effort and cut the time spent on administrative activities. This, along with the centralized risk repository, has improved data quality and integrity, empowering teams to use analytical tools to turn that data into actionable intelligence and make informed business decisions.
Overall, MetricStream has enabled the organization to advance on its GRC maturity journey with standardized processes and frameworks, automated workflows, and improved information sharing.
“Today we have a centralized GRC system, shared information, and a common language providing a single version of the truth with all 3,000 users on the system. We’ve finished the initial implementation program and we continue to onboard further use cases and mature the current implementation as we understand it further.”
Information Security Governance & Compliance Manager – Assurance Services at the organization.