MetricStream

A LARGE COOPERATIVE BANK INTEGRATES GRC PROCESSES FOR SUPERIOR MANAGEMENT OF RISK, IT COMPLIANCE AND SOX PROGRAMS
The MetricStream GRC platform to streamline GRC programs across different business units of a leading cooperative bank

CASE STUDY

Customer
The customer is a cooperative bank that offers competitively priced financing, community development grants, and other banking services to help member financial institutions make affordable home mortgages and provide economic development credit to neighborhoods and communities. The banks members are commercial banks, credit unions, savings institutions, community development financial institutions (CDFIs) and insurance companies headquartered in the US. The bank raises funds in the global financial markets and distributes the proceeds to members and local communities.

Overview Benefits
Increased Transparency: The MetricStream solution provides powerful analytics and intelligent reporting capability with KRI charts to track each risk linked with its KRI have resulted in real-time visibility into risk, IT compliance and SOx management programs for the bank. The management of the bank has access to latest information and comprehensive picture of the risk and compliance profile of the organization with complete transparency. Improved Collaboration: The integrated approach to GRC and availability of a central system for risk management has introduced a spirit of collaboration in the bank. Various teams and process owners can work closely with each other using the integrated platform, the central risk library and the document repository. The integrated framework, workflows and email alert capability facilitate deeper collaboration leading to effective risk management. Real-Time Risk Intelligence: Quarterly and monthly trending analysis along with the ability to drill-down into each report and dashboard to see the underlying details enables risk managers and process owners at the bank to know the reality at every step and evaluate their progress on risk management programs. Automated alerts for events such as exceptions and failures eliminate any surprises and make the process predictable and well-planned. Harmonized Risk and Control Content across the Organization: Central library of risks, controls and KRI automation has made a significant positive impact on risk management capabilities of the bank. Tracking and evaluating risks has become automated, more systematic as well as accurate. The bank is able to implement recommendations and remediation plans quickly, ensuring risk levels are within the predefined thresholds. Reduced SOx Compliance Cost: Systematic, automated and workflow-driven process across the banks enterprise for SOx compliance with standardized design and assessment of internal controls, workflows, and monitoring has helped the bank to minimize its costs for SOx compliance.

The bank needed to automate and centralize its entire range of requirements for IT compliance, risk management and SOx management. The bank wanted to integrate its GRC processes on a central platform for foolproof management of the entire spectrum of its requirements. The bank was managing its GRC programs including risk, SOx and IT compliance using manual processes and stand-alone legacy systems. The bank needed a central repository that would allow it to enhance collaboration across business units, streamline content and increase transparency in its risk and compliance process. Success in this scenario was possible with a more evolved and matured integrated enterprise risk management program that would provide greater transparency and a consistent view of risk and compliance programs across the enterprise. This was necessary for more effective decision making and for improving performance across the board, as well as reducing the cost of regulatory compliance and reporting.

Challenges
Lack of collaboration across business units: Various departments at the bank managed IT compliance, operational risk and SOx in a siloed fashion, duplicating efforts while managing similar risks separately in the process. This compartmentalized approach to managing GRC resulted in excess effort, time and cost for the bank. The enterprise risk function was not aligned centrally with corporate governance and reporting, and the ownership and accountability for risk was not clearly defined. Impacted productivity: The bank managed its risk and compliance requirements using manual processes based on e-mails, phone calls and spreadsheets. This absence of an automated tool exposed the processes and the data involved to high security risks with no appropriate control on the accessibility of the information. Hence the bank was looking at a secure database reporting and transparency in the entire risk management process. Need to upgrade risk infrastructure and lack of technological advancement spelt the challenges the bank was facing. These issues were impacting the banks productivity levels. Higher cost of compliance: Managing the GRC activities in silos with no central repository for data was leading to inconsistencies, inability to automatically aggregate the information for analysis, repetitive efforts, inaccessible or hidden information, difficulty in accessing relevant documents, document management, and many such issues. These added up to result in increased compliance cost for the bank.

Solution
After assessing several leading GRC products in the industry based on a set of benchmarks, the bank selected MetricStream Solution as the most appropriate answer to its requirements because of MetricStreams integrated approach to GRC with a combination of out-of-the-box as well as configured solutions for both control and flexibility.

MetricStream
MetricStream provided the bank comprehensive solutions to manage overall risk and IT compliance - with capabilities for policy management, issue management and SOx compliance. Delivered on the MetricStream GRC platform, the solution provides automated, streamlined and centralized workflows, processes, IT as well as asset data, control testing and reporting requirements in these areas. Risk Management: The MetricStream Risk Management solution provides a centralized risk framework to manage all risks faced by the bank and capabilities to assess, analyze, and monitor these risks. The solution helps the bank in documenting and assessing risks, defining controls, and implementing recommendations and remediation plans. Using the solution, the bank can capture detailed information on risk, assign risks to appropriate risk owners, define risk categories and sub-categories and allocate risk to different units, divisions, products. Risk Documentation and Assessment: The solution supports comprehensive identification and documentation of banks risk and risk appetite. The risk assessment computations are based on configurable methodologies and algorithms giving the bank a clear view of its risk profile and enabling its managers to prioritize their response strategies for optimal risk/reward outcomes. The system integrates all operational risk management related data and processes in a central library of risks and their corresponding controls and assessments, results from individual assessments, key risk indicators, loss events (including near-misses), issues and remediation plans. Risk Metrics: The solution provides key risk indicators (KRIs) with capabilities for tracking risk scores and metrics. The solution includes predefined or expected risk scores and thresholds. The solution captures actual risk scores and compares them with the expected scores and determines deviation from the risk threshold in terms of the severity of the risk as critical/high/low. When thresholds are breached, automated notifications are triggered by the system to relevant personnel. It provides a KRI chart that indicates the performance of each KRI for a specific period. Risk Controls: Design and Assessment - Once the key risks are identified and prioritized, the solution leverages the flexible risk-control framework to enable the bank to define a set of controls that mitigate those risks to acceptable levels. The risk team at the bank can attach associated policies and procedure documents for reference. The team can schedule assessment plans to evaluate the effectiveness and the design of the controls as per the test plans documented. The solution provides comprehensive reports and dashboards to effectively analyze the control assessment results and evaluate residual risks. Risk Monitoring: Executive Dashboards provide the bank enterprise-wide visibility into the risk management process and highlight issues that need to be addressed in risk heat maps. The solution helps the risk team to track risk profiles, control ownership, assessment plans, remediation status on graphical charts that can be accessed globally and display real-time information. Ability to drill-down provides an easy way to access the data at finer levels of detail. In addition to pre-configured standard risk reports, the system supports configuration for ad-hoc or scheduled reports to view metrics by a variety of parameters such as by process, by business units, by status and more. IT Compliance Management: MetricStream Solution has provided a common compliance framework and an integrated approach to manage the entire pool of IT compliance requirements of the bank. Within this framework, regulatory requirements are documented systematically and evaluation is conducted for the internal controls that fulfil compliance mandates. IT controls are designed and operated in an organized manner with systematic responses to issues of non-compliance and deficiencies. Remediation of issues and corrective actions complete the loop. The solution includes COBIT framework for risk and control assessment and allows the bank to harmonize controls across multiple IT governance and regulatory compliance programs such as BASEL, AML, PCI DSS, SOx and others.

MetricStream
Why MetricStream
Technology Innovation: TheMetricStream solution is built and deployed on innovative MetricStream GRC Platform, a robust infrastructure that provides powerful capabilities and core services such as workflows, configurable forms, collaboration, real-time exception tracking, email alerts and notifications, integration, reports, executive dashboards, business intelligence, analytics, and secure access control. Simplified User Interface: The MetricStream solution has a role-based, easy-to-use interface minimizing the learning curve and ensuring quick adoption. The solutions have an intuitive structure and the navigation follows a natural flow as per the business rules. High-Degree of Flexibility: The MetricStream solution is shipped with out-of-the-box functionality based on industry standards and best practices. MetricStream also provides tools to configure and model the solution exactly as per an organizations business processes and environment. Application forms, fields, and workflows can be rapidly created and modified to match specific business processes, terminology, and rules without any programming or code change. Solution Extensibility: Deployed on a scalable platform infrastructure, the MetricStream solution can be extended to various areas of GRC seamlessly. The scalability can match the business growth of organizations effortlessly. Market Leadership: MetricStream is a market leader for Governance, Risk, Compliance (GRC) and Quality Management solutions, offers the industrys most advanced and comprehensive solution designed to help large organizations manage GRC related activities, data and processes. Thought Leadership: MetricStream has created one of the most visited compliance destinations on the web, ComplianceOnline.com. Compliance practitioners use ComplianceOnline to search for content, access latest thinking, innovative ideas and best practices. This portal is visited by hundreds of thousands of compliance professionals annually and has a member base of over 100,000 compliance professionals who receive value on a daily basis. The portal is fully integrated into MetricStreams application suite.

Configured to accommodate the banks specific requirements, the issue management module supports detection, recording, tracking, investigation, escalation, analysis, and closure of IT exceptions and instances of non-compliance with IT GRC for the banks IT Compliance team. MetricStream policy management module (document management system) provides a central repository to store and organize documents, policies, inventories, flow-charts, process documentations, standard operating procedures. These documents are used in IT GRC to link processes and controls. SOx Compliance Management: The MetricStream solution has automated the entire SOx compliance process for the bank. It helps the bank design, assess and improve internal controls under the COSO framework, monitor its SOx compliance processes at every level of detail and provide evidence to the external auditors that internal controls were tested to the satisfaction of the internal audit group. The solutions document control capabilities provide a central repository with audit trail and change control management. The solution supports procedures for surveys and certifications for affirming the strength of the internal controls and adherence to policies. This information rolls up to executive management who can review and certify overall risk and control assessment for the bank as per SOx 302 requirements.

For more information, visit www.metricstream.com Copyright 2011. All Rights Reserved.