MetricStream

FORTUNE 500 ENERGY ORGANIZATION BUILDS A STRONG GOVERNANCE, RISK AND COMPLIANCE FOUNDATION
Customer
The customer, headquartered in the USA, is one of the largest energy companies in the nation. It generates, manages, supplies and distributes energy for commercial, industrial and public sector organizations, as well as residential communities. The company is also a leading advocate for clean, environmentally sustainable energy sources such as solar power and nuclear energy.

CASE STUDY

Overview
Today, the energy industry is under tremendous pressure to comply with myriad regulations including FERC, NERC, NRC, NIST, OSHA and EPA. These regulations are continuously evolving, thereby requiring companies to build a sustainable compliance management program. No longer can compliance be a one-time event, but an ongoing effort. In addition, robust strategies for risk, audit, compliance, ethics and legal management are critical for protection against failures in corporate governance, operational and financial inefficiencies. Apart from that, strategies for safeguarding the companys assets, reputation, and ultimately, the interest of shareholders also needs to be devised. However, most of these risk and compliance strategies are managed through isolated, manual processes and systems. This raises project costs, duplicates efforts across the enterprise, and deflects resources away from key business initiatives. An integrated GRC approach will help in achieving sustainable compliance by facilitating the efficient use of risk information in strategic decision-making, ensuring the usage of consistent terminologies and methodologies across departments, establishing a risk-focused corporate culture, providing a comprehensive view of the organizations overall risk profile, and delivering assurance to executive directors and senior management on the effectiveness of internal controls and frameworks. The MetricStream customer places utmost importance on integrated regulatory compliance and risk management. To streamline risk and compliance across its multiple businesses and thousands of employees and contractors, the energy major rapidly transitioned from a siloed, operational structure to an integrated, holistic GRC model. It established a centralized platform where all GRC initiatives and information were unified, managed, shared across business units, and leveraged for better decision making. It also improved GRC management efficiencies, lowered risks, ironed out discrepancies quickly and ensured enterprise-wide compliance with regulations at every step of the way.

Benefits
Automation of risk and compliance workflows: Automated workflows on the MetricStream integrated platform free the energy provider from the extensive use of spreadsheets and other manual tools. MetricStream Solution also enhances IT risk management and business continuity by automating risk assessment workflows for applications, infrastructure, disaster recovery and cyber security. This dramatically increases efficiency, shortens completion periods, reduces coordination efforts, and diminishes errors and possibilities of duplicate efforts. The overall level of compliance across the enterprise has gone up significantly, while costs have come down. Greater transparency: MetricStream Solution helps consolidate various data including risks, controls, tests and issues into a central library. This information is stored according to business unit, process, function and department. The latest information is made available across the organization, increasing visibility for the management to assess risk and control activities, utilize existing sets of controls, avoid duplication of assessments, and decide whether to enhance controls or accept current risk levels. Centralized, sustainable risk management: MetricStream GRC platform provides a centralized framework for risk management, thus eliminating the need for multiple systems and lowering maintenance costs. It has enabled the company to eliminate five redundant risk systems, over 300 spreadsheets and over 10 content management sites. These tools have been replaced with MetricStreams standardized risk libraries, consistent risk terminologies, and a common framework for risk aggregation and control monitoring.

Challenges
Lack of common terminology for risk and controls: Each department in the company used their own terminology and processes to define and assess risks and controls. They lacked common risk standards, definitions and rating methodologies to provide a centralized perspective of risk. As a result, risk evaluation across the enterprise was not always consistent. This, in turn, hindered data aggregation and reporting to senior management. Ad hoc compliance initiatives: The company is subject to multiple compliance requirements, including SOX, NERC, FERC and other Legal and Regulatory mandates. Compliance with each of these regulations was managed separately by each department. There was no common platform unifying these requirements, linking them with the appropriate controls, or enabling sharing of controls. Consequently, controls and other related efforts were unnecessarily duplicated across the enterprise. Visibility into enterprise-wide compliance management processes was also poor. Difficulty in enterprise-wide auditing: The lack of an integrated audit management system made auditing a laborious, resource-intensive and time-consuming process. Internal auditors found it challenging to aggregate isolated audit data from various departments and businesses across the enterprise. Compounding the challenge was the lack of integration between Audit, Risk and Compliance programs which hindered the adoption of a risk-based approach to auditing. And given the massive size of the organization, it was difficult to estimate the resources, time and effort necessary to plan and execute audits. Siloed systems: Over the years, each department acquired their own set of point solutions for their own individual requirements. The result was hundreds of isolated solutions that made it increasingly difficult to track the enterprise-wide GRC status at any given time. Operational risks, vulnerabilities

MetricStream
and mitigations were tracked on one system, Financial, SOX risks and controls on another, and audits on a third. The compliance team managed its own set of applications, as did the risk team. This siloed approach hampered visibility into risks and controls, and their relation to business processes. It also resulted in inconsistent standards, and redundancy of risk and compliance management efforts, not to mention duplicate costs. Usage of custom-built, in-house applications: Hundreds of spreadsheets, and email-based applications were used to track and monitor compliance, as well as to assess risks and controls within departments. These tools required a large amount of co-ordination and effort, and involved laborious processes. There was also the risk of manual errors and reduced efficiency. Personnel working on these tools required a lot of time to complete tasks. Insufficient reporting capabilities: The lack of unified reporting resulted in managers and board members, as well as various teams, having difficulty in getting the required information quickly in the desired format. It was also challenging to merge large sets of data on processes, risks and controls at various levels of granularity to provide value-added information to various stakeholders.

Benefits
Improved risk control: MetricStream Solution supports the implementation of a unified rating methodology to measure and document risk impacts categorized by seven risk types Liquidity, Market, Credit, Operational, Environmental, Business, Strategic and Reputational. The advanced capabilities of MetricStream Solution enable the company to identify and assess risk. Using the risk assessment data, the organization will be able to determine if controls are adequate, or if risks can be accepted. The solution also enables the company to discover incidents and issues on time, resolve them quickly and efficiently manage loss event data. Creation of a strong risk culture: MetricStream Solution helps the company establish an enterprise-wide risk-focused culture through a top-down and bottomup approach to risk identification and management. It also helps educate individuals on understanding risks, and taking the responsibility to maintain them at acceptable levels. Being built on a centralized platform, the solution enables the company to identify risks in any area, and map them back to each business process. It also delivers risk assessment results in real-time, enabling managers to plan reviews for the completeness of risk identification, and the efficacy of plans to enhance controls or accept risks. Decreased costs of regulatory compliance: With automated and streamlined compliance activities, quality time and resources can be focused on high risk areas for more productive work. The single platform solution for all the GRC needs of the company has lowered the costs of regulatory compliance.

Solution
The company was determined that its GRC program would not be merely about demonstrating compliance to regulators. It wanted to establish a world-class corporate governance process, and a compliance and risk framework built on the principles of proactivity, integration and communication. Such a framework would not only ensure sustainable compliance with various regulations, but it would also provide excellent insights for better decision making. To achieve this goal, the company created a top-down approach to risk and compliance management, which enabled it to focus on those risks and controls that had the greatest impact on company profitability. It also established a strong communication and education program for employees, encouraging them to be more responsible and accountable for risk management. In addition, an effective communication plan was created for GRC-involved committees, as well as the Management and Board. The companys goal was to create a proper governance structure and processes, integrate risk management into strategic decision-making, ensure continuous compliance, and harmonize GRC processes across the enterprise. To that end, it was looking for an integrated GRC solution that could streamline, standardize, automate and unify all GRC programs, while improving cost-savings and efficiencies. The company conducted a detailed analysis of industry options and selected MetricStream as the preferred GRC solutions provider. The basis of the selection was MetricStreams integrated single platform, broad range of solutions, and its industry track record of hugely successful implementations in global Energy & Utility companies. MetricStream delivered a comprehensive set of solutions on a common platform, including enterprise risk management, legal and regulatory compliance, NERC and SOX compliance, business continuity management, issue management and remediation, and policy/document management. MetricStream Platform is future proof, and can be easily extended to meet the future GRC requirements of the company, such as managing new compliance regulations, risks and audits. The MetricStream Application Studio enables the Internal IT team and users to create additional GRC applications, and deploy them on the same platform without expending much time and effort. Users do not have to undergo additional training, as the usability of the tools is very similar to previous applications. MetricStream Integrated GRC Platform: MetricStream Solutions are based on MetricStream GRC Platform - a Web-based comprehensive application that enables end-to-end process automation and visibility, collaboration between various groups, centralized libraries and an integrated approach to GRC. The platform supports the customers organizational model across all business units and departments, as well as their mapping to different roles and reporting relationships. Users have role-based portal access with options for initiating actions, responding to events, managing and assigning tasks, and viewing reports and dashboards. The system also triggers email-based notifications and alerts to appropriate personnel to notify them of various events and requirements.

MetricStream
Benefits
Enhanced training: MetricStream Solution contains a robust compliance training management system that manages registration, remote participation, feedback and course material. Employees are able to respond directly to training through the system. Therefore, compliance coordinators can easily track and report on the status of employee training, without resorting to manual tracking measures. Enhanced Audit Management: MetricStream Audit Management Solution will strengthen the organizations audit processes by streamlining audit planning, scheduling and execution, and improving the efficiency of resource management and document management. The company can rely on audits to embed a strong risk culture across the enterprise. For instance, self-identified control deficiencies may not be penalized, and risk ratings can be based on residual risk levels. Strengthened SOX 404 compliance: MetricStream Solution helps the company create a comprehensive database of financial controls. It also consolidates financial reporting risks for SOX 404 testing, partially automates the scoping of risk assessment, facilitates and certifies control testing and evaluation, simplifies issue management and streamlines workflow management. Consequently, the company can ensure consistent SOX compliance.

Enterprise Risk Management: MetricStream Enterprise Risk Management (ERM) Solution helps the energy provider identify, assess, quantify, monitor and manage risks from across the enterprise in an integrated manner. Data is consolidated in a reusable library comprising risks, corresponding controls, assessments, results, key risk indicators, events such as losses and near-misses, issues and remediation plans. Risks are highlighted depending on their impact or bearing on various functions and processes. This data then rolls up to senior management, and is used to create standard as well as customized reports for identifying risks to business performance, operational efficiency and non-compliance across the enterprise. Industry best practices embedded in the solution help the company define the scope of processes and sub-processes for risk management and the development of control and test libraries. MetricStream has enabled the companys RCSA methodology that supports a repeatable risk-control self-assessment. It enables each business unit to identify and manage risks and controls independently. At the same time, it collates the information together for managers to gain visibility into the risk management status across the enterprise. The solution also supports top-down and bottom-up risk identification and management. Across processes, risk and control data are linked, enabling easy sharing of information.

Compliance management & tracking: MetricStream offers the industrys most advanced and comprehensive Integrated Compliance and Issue Management solution. It equips the energy company with the technology and best practices to ensure continuous compliance with various regulatory requirements, while lowering the associated costs. The solution is pre-loaded with all NERC, FERC and Regional Reliability standards and requirements. This centralized repository of information enables users to quickly search for and access information. It also helps managers structure the information in an organized hierarchy, beginning with each compliance regulation, and moving down to their respective requirements, standards and controls. This well-laid out framework helps improve the efficiency of searching for controls, and coordinating control-based activities, enterprise wide. The underlying data model is architected to accommodate many-to-many modeling requirements, as well as to navigate multiple dimensions via navigation trees.

MetricStream
Any changes in regulations such as FERC and NERC prompt the system to automatically send out update alerts, and import new requirements and content from regulatory websites. The respective users are alerted with details of non-compliance that have emerged because of new regulations or in changes to existing ones. Version control capabilities are provided to manage changes efficiently. In fact, the company can monitor the progress of NERC-CIP version migration from V2 to V3 to V4. Managers are free to configure compliance workflows to suit their management of regulatory requirements and controls, as well as various processes such as report creation, feedback approval and assimilation, and version control. An integrated Issue Management module captures all violation issues and monitors remediation plans. SOX compliance: MetricStream enables the company to significantly reduce its cost of SarbanesOxley (SOX) compliance. Managers are able to leverage COSO and COBIT frameworks, design, assess and improve internal controls, and monitor compliance processes at any level of detail. The solution follows a top-down risk-assessment approach which simplifies workflows, quickly highlights areas that require attention, and improves transparency into financial risks. It allows process owners to test and manage controls on their own, while collating data across the enterprise for auditors to gain top-level visibility into the status of SOX compliance. Any issues that arise are immediately routed to MetricStream Issue Management module for immediate investigation and remediation. Automated alerts keep the process on track and ensure that each issue is resolved and closed. Multiple procedures for surveys and certifications, which affirm the strength of internal controls and adherence to policies, are supported within the solution. It harmonizes all control frameworks into a centralized library, enabling users across SOX, Regulatory and Reliability / NERC compliance to share controls and results of control assessments. This prevents duplication of assessments - especially with regard to IT controls and hence improves cost-effectiveness and efficiency. Ethics & Legal Compliance: MetricStream Compliance Solution is leveraged by the Legal, Ethics and Compliance teams to efficiently streamline compliance management, and establish a proactive and ongoing process of compliance. The Ethics & Compliance team uses MetricStream solution for the creation and distribution of online compliance surveys for thousands of employees to certify that theyre complying with specific standards. The results are automatically collected and stored in a central repository for easy access and retrieval by top managers. Audit management: MetricStream Solution will be extended to help the company adopt a risk-based approach to Corporate and Environmental audit management. The solution will enable efficient collaboration, planning, scheduling and auditing, while allowing audit findings to be reviewed, shared and analyzed by a team. A robust analytics and reporting capability with graphical dashboards will track each audit from initiation to closure, giving managers real-time visibility. The solution will facilitate audit and risk information sharing among peers and audit stakeholders. It will also enable the company to efficiently manage resources, track budgets, configure audit profiles, plan audits, record audit milestones and re-scope audits. It contains innovative capabilities to improve auditor performance by conducting multiple audit tasks simultaneously, collaborating on reviews, getting fieldwork approvals and delegating tasks.

Why MetricStream
MetricStreams solution provides a unified approach and an integrated solution to meet strategic objectives, as well as regulatory and compliance requirements. MetricStream Platform and its various solutions could easily replace existing solutions for ERM, compliance and audits. MetricStream Solution provides a centralized library to hold policies, certifications, risk and control assessments, compliance requirements and all other documentation for easy review and reference. MetricStream Solution demonstrated the ability to handle the customers specific requirements for an ERM framework, risk terminology, consistency, ranking methodology and more. MetricStream Solution ensures security of electronic records, and provides time-stamped audit trails, role-based access controls, electronic signatures and password management. MetricStream has the ability to support large leading organizations, and meet their IT requirements in the areas of integration, configurability, scalability and security. MetricStream offers a broad set of solutions on a Web-based platform with capabilities to map its offering to all governance, risk, compliance, and quality processes within the company. MetricStreams solution provides key services such as workflows, configurable forms, collaboration, real-time exception tracking, email alerts and notifications, integration, reports, executive dashboards, business intelligence, analytics, and secure access control.

For more information, visit www.metricstream.com Copyright 2011. All Rights Reserved.