CASE STUDY
MetricStream

A MAJOR ENERGY COMPANY EMBRACES A HOLISTIC, STRATEGIC APPROACH TO RISK MANAGEMENT

Customer: one of the world's largest energy organizations

Benefits

Elimination of redundant systems and activities
With MetricStream's centralized platform, the energy company has eliminated five redundant risk systems, over 300 complex spreadsheets, and over 10 content management sites. As a result, costs and resources have been saved.

Mitigated threat of silos
Across business units, MetricStream has streamlined risk and compliance workflows including SOX 404 testing, risk management, legal regulatory compliance, NERC compliance, Enterprise Risk Management, disaster recovery, corporate audits and IT infrastructure. Training process efficiencies have also been improved by tracking training statuses through the common GRC system rather than through separate initiatives.

Unification of risks
The MetricStream solution has helped the company establish a unified rating scale to measure the probability and severity of risks across the enterprise. This enables managers to prioritize risks more sharply, and to determine which ones need more concentrated mitigation plans, as well as regular monitoring.

Standardized risk-control self-assessments
The MetricStream solution enables the company to create a common risk vocabulary and evaluation criteria. As a result, risk-control assessments and monitoring can be standardized and streamlined across business units. In turn, the evaluation and reporting of risks can be improved. Managers can confidently decide whether to enhance controls or accept risk levels as they are.

Seamless collaboration and information sharing
The MetricStream solution breaks down organizational barriers by providing a single point of reference to share information and coordinate risk management processes. The centralized information repository enables policies, risk and control assessments and other critical information to be accessed quickly and safely. It also establishes a single version of the facts which, in turn, improves transparency and helps embed a strong risk culture across the enterprise. Moreover, it equips management with the right information to make deliberate strategic decisions at any time.

Customer

The customer is one of the largest energy companies in the United States. It is home to a diverse mix of businesses that generate, supply and manage energy products and services for a broad spectrum of customers nationwide.

Overview

Risks are not new to the energy industry. Most companies have strategies in place to cope with cyber-attacks, natural disasters, downgrades in credit ratings and other risks. However, recent events, such as the financial crisis, have called the adequacy and effectiveness of these strategies into question. Risks are only becoming more complex and interdependent. At the same time, networks are expanding, making it more difficult to manage enterprise-wide risks. Added pressure comes in the form of intense regulatory scrutiny, as well as the demand for renewable energy sources.

In light of such developments, the energy company's goal was to foster a culture of proactive risk management across its employees and contractors. The company also wanted to make risk assessments an integral part of management decision-making.

The key to achieving this goal was an integrated risk and control management framework. It would help break down individual silos, establish common risk management processes, and improve visibility and transparency into these processes. At the same time, it would allow business and functional areas to independently manage and monitor their own risks and controls. However, this goal was hindered by a number of organizational challenges:

Challenges

Multiple risk and control terminologies
Each department in the company had its own risk and control terminologies. There were no common risk standards, definitions and risk rating methodologies. In addition, risks were classified based on business units rather than corporate impact. This resulted in inconsistent risk evaluation, as well as data discrepancies. Moreover, it was difficult for management to gain a clear understanding of the impact of risks and controls, as well as the status of risk mitigation across the enterprise.

Redundant risk management activities
The company employed multiple independent systems to manage its risks. Enterprise risks were managed on one system, SOX risks and controls on another, and SOX control testing on a third. The lack of collaboration between these systems resulted in the duplication of controls and risk mitigation activities which, in turn, increased costs.

Manual inefficiencies
The company used multiple complex spreadsheets, email channels and content management sites to record its assessments of risks and controls. The task of manually entering details and updates on these systems proved laborious and time-consuming. In addition, the process was vulnerable to errors and subsequent data discrepancies.

Insufficient visibility into reports
The lack of a unified reporting system resulted in the production of multiple risk management reports from each business unit. Consolidating these reports into actionable strategy at the enterprise level was both complex and time-consuming. It required merging large sets of data at various levels of granularity to provide value-added information. Gaining quick access to the desired reports in the desired format was often not possible.

Change management threat
As the company migrated to an integrated risk management model, the threat of disruptions to business stability and sustainability was ever-present. Information could be lost, processes slowed down, and procedural or human errors incurred. What was required was collaboration and coordination across departments, units and organizations. This was possible only through a centralized technology framework.

Solution

To achieve its goal of an integrated risk management model, the company drew up an extensive business plan beginning with the creation of a governance structure. This structure was to be based on a top-down and bottom-up approach to risk management. At the top, a risk committee would set the tone, and at the bottom, employees would be educated and motivated to assess and mitigate risks. Information would flow seamlessly up and down this channel, enabling the creation of a strong risk culture. Roles and responsibilities were identified for the various stakeholders in the new risk management model. For instance, the Board of Directors would identify the risk appetite, while the business units would populate the risk register with regular risk and control self-assessments.

The foundation of this new risk management model would be an integrated GRC system. The system had to enable enterprise-wide collaboration, eliminate redundancies and improve transparency into risk management processes.

After considering several solution vendors, the company selected MetricStream. The selection was based on MetricStream's advanced single-platform approach to risk management, as well as its successful track record in the energy industry. MetricStream also impressed with the flexibility of its platform to scale up to address future GRC requirements.

The company purchased the MetricStream Integrated GRC platform with solutions for Enterprise Risk Management, Corporate Compliance Management, Corporate Audit Management, Issue Management and Policy/Document Management.

For the purpose of this study, Enterprise Risk Management will be the focus.

Risk Framework and Risk Definitions

Liquidity (Corporate Funding; Collateral Requirements; Contingency Funding): Ability to generate or obtain sufficient cash, in a timely manner, to meet demands as they arise (expected and unexpected).

Market (Market Factor Sensitivity; Volume Risk; Market Liquidity; Investment Performance): Potential loss arising from adverse movements in external market variables.

Credit (Settlement Risk; Counterparty Performance; Supply Chain): Risk of loss inherent in business segments, resulting from counterparty failure, decreased creditworthiness, and poor performance.

Operational (People; Process; Financial Reporting; System; External): Risk of loss from inadequate or failed internal processes, people, financial reporting, systems, or external events.

Environmental (Law Changes; Non-Compliance; Environmental Impacts; Environmental Positioning): Risk of loss and associated harm due to the company's interaction with the environment.

Business & Strategic (Industry Changes; Demand Changes; Competition; Political Risk): Risk of unsuccessful performance due to potential threats, actions, or events adversely affecting the organization's ability to achieve its objectives.

Reputational (Unethical Behavior; Crisis Management; Association Risk): Potential negative publicity regarding business practices, regardless of validity.

Automation
The MetricStream ERM Solution has enabled the company to automate end-to-end workflows such as risk identification, monitoring and issue remediation. As a result, the need for manual, paper-based processes has been eliminated, and the time and effort required for various risk-related activities has been reduced. The risk of manual errors has also been minimized.

Enterprise Risk Management

The MetricStream Enterprise Risk Management Solution helps the company identify, assess, quantify, monitor and manage its enterprise risks in an integrated manner. The solution is built on a single web-based platform that extends across the company's departments, units, suppliers, branches and locations. It consolidates risks and controls, identifying concentrations and interdependencies. As a result, the company is able to streamline risk management workflows and establish a closed-loop risk management process across the enterprise.

The MetricStream solution also integrates enterprise-wide risk assessments, the results of which can be leveraged by multiple business units and functions including the Risk, SOX, Corporate, Audit, Environmental, IT and Business Continuity departments. This collaborative pattern of functioning helps the company break down operational silos and eliminate redundancies.

The solution also enables risk and control assignments to be independently managed downstream, while simultaneously rolling information back upstream to provide enterprise-wide visibility for managers. Top-down and bottom-up risk identification and management are supported. Therefore, while risk identification may occur in any area, it is automatically mapped back to each business process.

Issues that arise during risk or control tracking are automatically routed to an issue management module. Here, a systematic mechanism of investigation and remediation is set off by the underlying workflow and collaboration engine. Simultaneously, automatic alerts and notifications are sent to the appropriate personnel for investigation and remedial action.

Central risk repository

MetricStream provides a centralized library and framework to collate all risks, controls, key risk indicators, key performance indicators, regulations, policies and other vital information. A common risk register brings together all risk management data including risk description, severity, impact, consequences, risk ratings, mitigation plans and related emerging issues. Data is made available to all of the company's business functions, and can be shared or aggregated to enable more informed decision making. Communication is improved, while risk vocabularies and evaluation criteria are standardized.

MetricStream's information repository is equipped with an easy archival and search capability which enables users to quickly check whether a risk-related issue was resolved, or whether a specific control was tested. This way, process repetition can be avoided, and data consistency maintained across the enterprise.

Risk Control Self-Assessments (RCSA)

The MetricStream solution supports a repeatable RCSA process in which each business unit identifies the risks impacting its processes, and assigns probability and impact estimates. The risk assessments are based on configurable methodologies and algorithms which provide an in-depth view of the organization's risk profile, enabling managers to prioritize their risk mitigation plans for optimal returns.

Once risk self-assessments are completed, the MetricStream Solution aggregates the risk data for control effectiveness monitoring and management reporting. At every stage, risks are linked with the appropriate mitigating controls, processes and policies. This simplifies information sharing and enables risk managers to monitor controls more effectively. Controls are defined and assessed based on predefined criteria and checklists which support the scoring, tabulating and reporting of results.

[Figure: MetricStream platform diagram. Labels: MetricStream; Libraries; Hierarchy; Processes; Metrics & Risks; Loss Data; Risk Controls Assessments; Retail; Wholesale; Business Continuity; Risk; Credit; Market; Legal; General Information; Operational; Human Resources; Technology; Business Processes; Corporate Security; Environmental; Regulatory Compliance; Corporate Audit; SOX; Finance.]

“MetricStream has played a critical role in our quest to build a proactive, fully integrated risk management framework. Their Enterprise Risk Management solution has seamlessly aligned with our strategic vision, as well as our systems, processes and units. It has broken down silos, streamlined risk processes and helped us build a more collaborative, efficient and sustainable risk management framework. We are delighted with the results, and look forward to extending the platform to other critical GRC areas,” said a spokesperson from the company.

With the MetricStream solution, the energy company can track risk metrics, loss events and near misses, along with their root causes and owners, as well as their remediation plans. The company can also monitor risk thresholds through Key Risk Indicators, which provide automatic notifications whenever these thresholds are breached. Executive dashboards provide further visibility into the risk analysis, highlighting the severity and likelihood of risks along with their current positioning.

Risk reporting

The MetricStream solution categorizes risks on various levels and presents them through detailed risk heat maps which can be accessed globally. These heat maps and related graphical charts display real-time information, and can be drilled down to view the data at finer levels of detail.

Operational risks, corporate risks and other high-level risks are highlighted depending on their impact on various functions and processes. This data then rolls up to the centralized core library and can be used to create standard as well as customized reports for risk management activities across the enterprise.

[Figure: Sample Top Risks heat map. Vertical axis, Probability: Rare, Remote, Moderate, Likely, Frequent. Horizontal axis, Impact: Insignificant, Minor, Significant, Major, Critical. Plotted risks: Liquidity, Market, Credit, Operational, Environmental, Business & Strategic, Reputational.]

The reports offer risk metrics by a variety of parameters, such as by process, business unit or status. They also offer regular trending analyses which enable risk managers to stay updated on the progress of risk management programs. Automated alerts, provided for exceptions and failures, eliminate unpredictable events and stabilize risk management processes.

Why MetricStream

MetricStream's solution provides a unified approach and an integrated solution to meet strategic objectives, as well as risk and compliance requirements.

The MetricStream Solution provides a centralized library to hold policies, certifications, risk and control assessments and all other documentation for easy review and reference.

The MetricStream Solution demonstrated the ability to handle the company's specific requirements for an ERM framework, risk terminology, consistency, ranking methodology and more.

The MetricStream Solution ensures the security of electronic records, and provides time-stamped audit trails, role-based access controls, electronic signatures and password management.

MetricStream has the ability to support large leading organizations and meet their IT requirements in the areas of integration, configurability, scalability and security.

MetricStream offers a broad set of solutions on a Web-based platform with capabilities to map its offering to all governance, risk, compliance, and quality processes within the company.

For more information, visit www.metricstream.com
Copyright 2011. All Rights Reserved.