Case Study

Non-Profit Taps MetricStream to Establish Centralized GRC System with Over 3,000 Users

A government non-profit, which provides financial support to students, was facing some major challenges in the area of risk and compliance, stemming from manual and antiquated systems that led to both business process and privacy issues. The lack of an integrated approach, common governance, risk, and compliance (GRC) taxonomy, and harmonized processes resulted in limited visibility into overall risk and compliance posture. All these factors hampered effective decision-making.

To overcome these challenges, the organization started to look for a solution that could automate its manual GRC processes. It implemented MetricStream product built on the proven MetricStream Platform while running on the AWS cloud to achieve this goal. With MetricStream, the organization now has a centralized and automated GRC system used by 3,000 users who now speak a common risk language and share information in a streamlined manner.

The Antiquated and the Obsolete 

Prior to MetricStream, the organization faced a number of challenges due to its fragmented risk and compliance processes and dependency on manual and antiquated systems such as spreadsheets.

As various teams were working in silos, it resulted in multiple versions of the truth. The lack of a structured approach and automation made it difficult to segregate data. This, along with the lack of a standardized GRC nomenclature, led to a lot of inconsistency and incoherence in risk and compliance data. As such, the teams were spending a lot of time and effort collating the same data for multiple reporting purposes rather than analyzing it for risk intelligence.

All these factors led to a lot of redundancies and inefficiencies, impeding the organization’s visibility into risk and compliance posture and effective decision-making.

Embarking on the GRC Automation Journey 

The organization chose MetricStream to consolidate its GRC processes onto a single unified platform and embarked on its GRC automation journey in 2019. It implemented MetricStream’s Enterprise Risk Management, IT Compliance, Policy and Document Management, and Case and Incident Management products.

The products were deployed in a phased approach with multiple go-lives. The implementation process not only focused on product deployment but also helped the organization reevaluate their processes for each of their business use cases as they transitioned into the platform. With the implementation, the organization benefited from the resulting integrated GRC approach, which improved visibility into various risk and compliance processes, highlighted the relationships between them, reduced manual effort, and enhanced overall risk awareness.

Centralized Database and Single Version of Truth

With different business units using their own spreadsheets for risk and compliance data, there were multiple versions of truth and a lot of duplication of effort. With MetricStream, the organization has consolidated all GRC processes onto an integrated platform and established a centralized risk repository. This integrated and centralized approach has resulted in a single version of the truth with improved visibility into risk relationships – risks are now mapped on a many-to-many basis to controls, functions, processes, and more. This has also simplified and structured data collation and analysis.



Streamlined Incident Management 

MetricStream Case and Incident Management has significantly improved the organization’s visibility and understanding of the number of incidents and breach details. It has also simplified the process to raise observations and incidents which help to strengthen student privacy, while improving compliance and lowering risk.

Standardized GRC Taxonomy 

The previous lack of common GRC taxonomy resulted in different understanding and interpretations of risk, compliance, and related issues by various teams and business units. MetricStream helped the organization establish a common integrated GRC taxonomy. As a result, a common risk language is now spoken by various teams which has facilitated a consistent understanding of risks across the organization, thereby improving communication and information sharing.


  • Lack of common GRC taxonomy
  • Siloed risk and compliance processes
  • Reliance on manual and antiquated tools, such as spreadsheets
  • Poor visibility into organizational risk and compliance posture
  • No single source of truth

Business Value Realized


Common risk language and taxonomy


Centralized GRC system facilitating information sharing


Single version of the truth with over 3,000 users


Improved visibility and understanding on the number of incidents and breach details


Ability to easily raise observations and incidents, which strengthens student privacy while improving compliance and lowering risk


Improved information and analytics driving better decision making


Full Traceability and Audit Tracking

MetricStream has helped the non-profit standardize GRC frameworks and ways of working across the organization. It can now set up the GRC tool to support segregation of duties to control and manage data access. The implementation has facilitated real-time reporting with full traceability and audit tracking for all GRC processes.

Improved Efficiency with Automation

The implementation of MetricStream products and the resulting automated and standardized workflow for risk management, governance, compliance, and assurance processes have helped the organization to reduce manual effort and save the time spent on administrative activities. This, along with the centralized risk repository, has improved data quality and integrity, empowering teams to leverage analytical tools to turn it into actionable intelligence and make informed business decisions.

Overall, MetricStream has enabled the organization to advance on the GRC maturity journey with standardized processes and framework, automated workflow, and improved information sharing.

“Today we have a centralized GRC system, shared information, and a common language providing a single version of the truth with all 3,000 users on the system. We’ve finished the initial implementation program and we continue to onboard further use cases and mature the current implementation as we understand it further.”                                                                                                                                                 
Information Security Governance & Compliance Manager – Assurance Services at the organization.

Related Stories

Case Study

Leading Sports Footwear and Apparel Company Automates IT and Cyber Risk and Compliance

Case Study

Major Insurance Company Uses a Holistic Approach to Engage All Lines of the Business in GRC

Case Study

Leading UK Financial Institution Improves Risk Visibility With Single Source of Truth for Operational Risk Management and Compliance

Ready to get started?

Speak to our experts