CASE STUDY
MetricStream

FORTUNE 500 ENERGY ORGANIZATION BUILDS A STRONG GOVERNANCE, RISK AND COMPLIANCE FOUNDATION

Customer

The customer, headquartered in the USA, is one of the largest energy companies in the nation. It generates, manages, supplies and distributes energy for commercial, industrial and public sector organizations, as well as residential communities. The company is also a leading advocate for clean, environmentally sustainable energy sources such as solar power and nuclear energy.

Overview

Today, the energy industry is under tremendous pressure to comply with myriad regulations and standards, including those of FERC, NERC, NRC, NIST, OSHA and EPA. These requirements are continuously evolving, so companies must build a sustainable compliance management program: compliance can no longer be a one-time event, but must be an ongoing effort. In addition, robust strategies for risk, audit, compliance, ethics and legal management are critical for protection against failures in corporate governance and against operational and financial inefficiencies. Strategies for safeguarding the company's assets, reputation and, ultimately, the interests of shareholders also need to be devised. However, most of these risk and compliance strategies are managed through isolated, manual processes and systems. This raises project costs, duplicates efforts across the enterprise, and deflects resources away from key business initiatives.

An integrated GRC approach helps achieve sustainable compliance by facilitating the efficient use of risk information in strategic decision-making, ensuring consistent terminologies and methodologies across departments, establishing a risk-focused corporate culture, providing a comprehensive view of the organization's overall risk profile, and delivering assurance to executive directors and senior management on the effectiveness of internal controls and frameworks.

The MetricStream customer places utmost importance on integrated regulatory compliance and risk management. To streamline risk and compliance across its multiple businesses and thousands of employees and contractors, the energy major rapidly transitioned from a siloed, operational structure to an integrated, holistic GRC model. It established a centralized platform where all GRC initiatives and information were unified, managed, shared across business units, and leveraged for better decision making. It also improved GRC management efficiencies, lowered risks, ironed out discrepancies quickly, and ensured enterprise-wide compliance with regulations at every step of the way.

Challenges

Lack of common terminology for risk and controls: Each department in the company used its own terminology and processes to define and assess risks and controls. They lacked common risk standards, definitions and rating methodologies that would provide a centralized perspective of risk. As a result, risk evaluation across the enterprise was not always consistent. This, in turn, hindered data aggregation and reporting to senior management.

Ad hoc compliance initiatives: The company is subject to multiple compliance requirements, including SOX, NERC, FERC and other legal and regulatory mandates. Compliance with each of these regulations was managed separately by each department. There was no common platform unifying these requirements, linking them with the appropriate controls, or enabling the sharing of controls. Consequently, controls and other related efforts were unnecessarily duplicated across the enterprise. Visibility into enterprise-wide compliance management processes was also poor.

Difficulty in enterprise-wide auditing: The lack of an integrated audit management system made auditing a laborious, resource-intensive and time-consuming process. Internal auditors found it challenging to aggregate isolated audit data from various departments and businesses across the enterprise. Compounding the challenge was the lack of integration between the Audit, Risk and Compliance programs, which hindered the adoption of a risk-based approach to auditing. And given the massive size of the organization, it was difficult to estimate the resources, time and effort necessary to plan and execute audits.

Siloed systems: Over the years, each department acquired its own set of point solutions for its own individual requirements. The result was hundreds of isolated solutions that made it increasingly difficult to track the enterprise-wide GRC status at any given time. Operational risks, vulnerabilities and mitigations were tracked on one system; financial and SOX risks and controls on another; and audits on a third. The compliance team managed its own set of applications, as did the risk team. This siloed approach hampered visibility into risks and controls, and their relation to business processes. It also resulted in inconsistent standards and redundancy of risk and compliance management efforts, not to mention duplicate costs.

Usage of custom-built, in-house applications: Hundreds of spreadsheets and email-based applications were used to track and monitor compliance, as well as to assess risks and controls within departments. These tools required a large amount of coordination and effort, and involved laborious processes. There was also the risk of manual errors and reduced efficiency. Personnel working with these tools required a lot of time to complete tasks.

Insufficient reporting capabilities: The lack of unified reporting meant that managers and board members, as well as various teams, had difficulty getting the required information quickly in the desired format. It was also challenging to merge large sets of data on processes, risks and controls at various levels of granularity to provide value-added information to the various stakeholders.

Solution

The company was determined that its GRC program would not be merely about demonstrating compliance to regulators. It wanted to establish a world-class corporate governance process, and a compliance and risk framework built on the principles of proactivity, integration and communication. Such a framework would not only ensure sustainable compliance with various regulations, but would also provide excellent insights for better decision making.

To achieve this goal, the company created a top-down approach to risk and compliance management, which enabled it to focus on those risks and controls that had the greatest impact on company profitability. It also established a strong communication and education program for employees, encouraging them to be more responsible and accountable for risk management. In addition, an effective communication plan was created for the GRC-involved committees, as well as for Management and the Board.

The company's goal was to create a proper governance structure and processes, integrate risk management into strategic decision-making, ensure continuous compliance, and harmonize GRC processes across the enterprise. To that end, it was looking for an integrated GRC solution that could streamline, standardize, automate and unify all GRC programs, while improving cost savings and efficiency.

The company conducted a detailed analysis of industry options and selected MetricStream as its preferred GRC solutions provider. The basis of the selection was MetricStream's integrated single platform, broad range of solutions, and industry track record of highly successful implementations in global Energy & Utility companies.

MetricStream delivered a comprehensive set of solutions on a common platform, including enterprise risk management, legal and regulatory compliance, NERC and SOX compliance, business continuity management, issue management and remediation, and policy/document management.

MetricStream Platform is future proof, and can be easily extended to meet the future GRC requirements of the company, such as managing new compliance regulations, risks and audits. The MetricStream Application Studio enables the internal IT team and users to create additional GRC applications, and deploy them on the same platform without expending much time and effort. Users do not have to undergo additional training, as the usability of the tools is very similar to that of the previous applications.

MetricStream Integrated GRC Platform: MetricStream Solutions are based on the MetricStream GRC Platform, a comprehensive Web-based application that enables end-to-end process automation and visibility, collaboration between various groups, centralized libraries and an integrated approach to GRC. The platform supports the customer's organizational model across all business units and departments, as well as their mapping to different roles and reporting relationships. Users have role-based portal access with options for initiating actions, responding to events, managing and assigning tasks, and viewing reports and dashboards. The system also triggers email-based notifications and alerts to the appropriate personnel to notify them of various events and requirements.

MetricStream Enterprise Risk Management: The MetricStream Enterprise Risk Management (ERM) Solution helps the energy provider identify, assess, quantify, monitor and manage risks from across the enterprise in an integrated manner. Data is consolidated in a reusable library comprising risks, corresponding controls, assessments, results, key risk indicators, events such as losses and near-misses, issues and remediation plans. Risks are highlighted depending on their impact or bearing on various functions and processes. This data then rolls up to senior management, and is used to create standard as well as customized reports for identifying risks to business performance, operational efficiency and compliance across the enterprise.

Industry best practices embedded in the solution help the company define the scope of processes and sub-processes for risk management and the development of control and test libraries. MetricStream has enabled the company's RCSA methodology, which supports a repeatable risk-control self-assessment. It enables each business unit to identify and manage risks and controls independently. At the same time, it collates the information for managers to gain visibility into the risk management status across the enterprise. For instance, self-identified control deficiencies may not be penalized, and risk ratings can be based on residual risk levels. The solution also supports top-down and bottom-up risk identification and management. Across processes, risk and control data are linked, enabling easy sharing of information.

Compliance management & tracking: MetricStream offers the industry's most advanced and comprehensive Integrated Compliance and Issue Management solution. It equips the energy company with the technology and best practices to ensure continuous compliance with various regulatory requirements, while lowering the associated costs. The solution is pre-loaded with all NERC, FERC and Regional Reliability standards and requirements. This centralized repository of information enables users to quickly search for and access information. It also helps managers structure the information in an organized hierarchy, beginning with each compliance regulation and moving down to its respective requirements, standards and controls. This well-laid-out framework improves the efficiency of searching for controls and coordinating control-based activities enterprise-wide. The underlying data model is architected to accommodate many-to-many modeling requirements, as well as to navigate multiple dimensions via navigation trees.

Any changes in regulations such as FERC and NERC prompt the system to automatically send out update alerts, and to import new requirements and content from regulatory websites. The respective users are alerted with details of any non-compliance that has emerged because of new regulations or changes to existing ones. Version control capabilities are provided to manage changes efficiently; for example, the company can monitor the progress of its NERC CIP version migration from V2 to V3 to V4. Managers are free to configure compliance workflows to suit their management of regulatory requirements and controls, as well as various processes such as report creation, feedback approval and assimilation, and version control. An integrated Issue Management module captures all violation issues and monitors remediation plans.

SOX compliance: MetricStream enables the company to significantly reduce its cost of Sarbanes-Oxley (SOX) compliance. Managers are able to leverage the COSO and COBIT frameworks; design, assess and improve internal controls; and monitor compliance processes at any level of detail. The solution follows a top-down risk-assessment approach which simplifies workflows, quickly highlights areas that require attention, and improves transparency into financial risks. It allows process owners to test and manage controls on their own, while collating data across the enterprise for auditors to gain top-level visibility into the status of SOX compliance. Any issues that arise are immediately routed to the MetricStream Issue Management module for investigation and remediation. Automated alerts keep the process on track and ensure that each issue is resolved and closed.

Multiple procedures for surveys and certifications, which affirm the strength of internal controls and adherence to policies, are supported within the solution. It harmonizes all control frameworks into a centralized library, enabling users across SOX, Regulatory and Reliability/NERC compliance to share controls and the results of control assessments. This prevents duplication of assessments, especially with regard to IT controls, and hence improves cost-effectiveness and efficiency.

Ethics & Legal Compliance: The MetricStream Compliance Solution is leveraged by the Legal, Ethics and Compliance teams to efficiently streamline compliance management, and to establish a proactive and ongoing process of compliance. The Ethics & Compliance team uses the MetricStream solution for the creation and distribution of online compliance surveys to thousands of employees, who certify that they are complying with specific standards. The results are automatically collected and stored in a central repository for easy access and retrieval by top managers.

Audit management: The MetricStream Solution will be extended to help the company adopt a risk-based approach to Corporate and Environmental audit management. The solution will enable efficient collaboration, planning, scheduling and auditing, while allowing audit findings to be reviewed, shared and analyzed by a team. A robust analytics and reporting capability with graphical dashboards will track each audit from initiation to closure, giving managers real-time visibility.

The solution will facilitate audit and risk information sharing among peers and audit stakeholders. It will also enable the company to efficiently manage resources, track budgets, configure audit profiles, plan audits, record audit milestones and re-scope audits. It contains innovative capabilities to improve auditor performance by conducting multiple audit tasks simultaneously, collaborating on reviews, getting fieldwork approvals and delegating tasks.

Benefits

Automation of risk and compliance workflows: Automated workflows on the MetricStream integrated platform free the energy provider from the extensive use of spreadsheets and other manual tools. The MetricStream Solution also enhances IT risk management and business continuity by automating risk assessment workflows for applications, infrastructure, disaster recovery and cyber security. This dramatically increases efficiency, shortens completion periods, reduces coordination efforts, and diminishes errors and the possibility of duplicate efforts. The overall level of compliance across the enterprise has gone up significantly, while costs have come down.

Greater transparency: The MetricStream Solution helps consolidate various data, including risks, controls, tests and issues, into a central library. This information is stored according to business unit, process, function and department. The latest information is made available across the organization, increasing visibility for management to assess risk and control activities, utilize existing sets of controls, avoid duplication of assessments, and decide whether to enhance controls or accept current risk levels.

Centralized, sustainable risk management: The MetricStream GRC platform provides a centralized framework for risk management, thus eliminating the need for multiple systems and lowering maintenance costs. It has enabled the company to eliminate five redundant risk systems, over 300 spreadsheets and over 10 content management sites. These tools have been replaced with MetricStream's standardized risk libraries, consistent risk terminologies, and a common framework for risk aggregation and control monitoring.

Improved risk control: The MetricStream Solution supports the implementation of a unified rating methodology to measure and document risk impacts, categorized by risk type (Liquidity, Market, Credit, Operational, Environmental, Business, Strategic and Reputational). The advanced capabilities of the MetricStream Solution enable the company to identify and assess risk. Using the risk assessment data, the organization will be able to determine whether controls are adequate, or whether risks can be accepted. The solution also enables the company to discover incidents and issues on time, resolve them quickly, and efficiently manage loss event data.

Creation of a strong risk culture: The MetricStream Solution helps the company establish an enterprise-wide risk-focused culture through a top-down and bottom-up approach to risk identification and management. It also helps educate individuals on understanding risks, and on taking the responsibility to maintain them at acceptable levels. Being built on a centralized platform, the solution enables the company to identify risks in any area and map them back to each business process. It also delivers risk assessment results in real time, enabling managers to plan reviews of the completeness of risk identification and of the efficacy of plans to enhance controls or accept risks.

Decreased costs of regulatory compliance: With automated and streamlined compliance activities, quality time and resources can be focused on high-risk areas for more productive work. The single-platform solution for all the GRC needs of the company has lowered the costs of regulatory compliance.

Enhanced training: The MetricStream Solution contains a robust compliance training management system that manages registration, remote participation, feedback and course material. Employees are able to respond directly to training through the system. Therefore, compliance coordinators can easily track and report on the status of employee training, without resorting to manual tracking measures.

Enhanced Audit Management: The MetricStream Audit Management Solution will strengthen the organization's audit processes by streamlining audit planning, scheduling and execution, and by improving the efficiency of resource management and document management. The company can rely on audits to embed a strong risk culture across the enterprise.

Strengthened SOX 404 compliance: The MetricStream Solution helps the company create a comprehensive database of financial controls. It also consolidates financial reporting risks for SOX 404 testing, partially automates the scoping of risk assessment, facilitates and certifies control testing and evaluation, simplifies issue management, and streamlines workflow management. Consequently, the company can ensure consistent SOX compliance.

Why MetricStream

MetricStream's solution provides a unified approach and an integrated solution to meet strategic objectives, as well as regulatory and compliance requirements.

The MetricStream Platform and its various solutions could easily replace the existing solutions for ERM, compliance and audits.

The MetricStream Solution provides a centralized library to hold policies, certifications, risk and control assessments, compliance requirements and all other documentation for easy review and reference.

The MetricStream Solution demonstrated the ability to handle the customer's specific requirements for an ERM framework, risk terminology, consistency, ranking methodology and more.

The MetricStream Solution ensures the security of electronic records, and provides time-stamped audit trails, role-based access controls, electronic signatures and password management.

MetricStream has the ability to support large leading organizations, and to meet their IT requirements in the areas of integration, configurability, scalability and security.

MetricStream offers a broad set of solutions on a Web-based platform, with capabilities to map its offering to all governance, risk, compliance and quality processes within the company.

MetricStream's solution provides key services such as workflows, configurable forms, collaboration, real-time exception tracking, email alerts and notifications, integration, reports, executive dashboards, business intelligence, analytics, and secure access control.

For more information, visit www.metricstream.com
Copyright 2011. All Rights Reserved.