Governance, Risk and Compliance- Energy Industry by metricstream2000


More Info
									                                                            CASE STUDY
MetricStream                                                FORTUNE 500 ENERGY ORGANIZATION BUILDS A STRONG
                                                            GOVERNANCE, RISK AND COMPLIANCE FOUNDATION
                                                            The customer, headquartered in the USA, is one of the largest energy companies in the nation. It
                                                            generates, manages, supplies and distributes energy for commercial, industrial and public sector
                                                            organizations, as well as residential communities. The company is also a leading advocate for clean,
                                                            environmentally sustainable energy sources such as solar power and nuclear energy.

                                                            Today, the energy industry is under tremendous pressure to comply with myriad regulations including
                                                            FERC, NERC, NRC, NIST, OSHA and EPA. These regulations are continuously evolving, thereby requir-
                                                            ing companies to build a sustainable compliance management program. No longer can compliance be
                                                            a one-time event, but an ongoing effort.

                                                            In addition, robust strategies for risk, audit, compliance, ethics and legal management are critical for
                                                            protection against failures in corporate governance, operational and financial inefficiencies. Apart
                                                            from that, strategies for safeguarding the company’s assets, reputation, and ultimately, the interest
Benefits                                                    of shareholders also needs to be devised. However, most of these risk and compliance strategies are
                                                            managed through isolated, manual processes and systems. This raises project costs, duplicates ef-
Automation of risk and compliance workflows:                forts across the enterprise, and deflects resources away from key business initiatives.
Automated workflows on the MetricStream inte-
grated platform free the energy provider from the           An integrated GRC approach will help in achieving sustainable compliance by facilitating the efficient
extensive use of spreadsheets and other manual              use of risk information in strategic decision-making, ensuring the usage of consistent terminologies
tools. MetricStream Solution also enhances IT risk
                                                            and methodologies across departments, establishing a risk-focused corporate culture, providing a
management and business continuity by automat-
ing risk assessment workflows for applications,             comprehensive view of the organization’s overall risk profile, and delivering assurance to executive
infrastructure, disaster recovery and cyber security.       directors and senior management on the effectiveness of internal controls and frameworks.
This dramatically increases efficiency, shortens
completion periods, reduces coordination efforts, and       The MetricStream customer places utmost importance on integrated regulatory compliance and risk
diminishes errors and possibilities of duplicate efforts.   management. To streamline risk and compliance across its multiple businesses and thousands of
The overall level of compliance across the enterprise       employees and contractors, the energy major rapidly transitioned from a siloed, operational structure
has gone up significantly, while costs have come
                                                            to an integrated, holistic GRC model. It established a centralized platform where all GRC initiatives
                                                            and information were unified, managed, shared across business units, and leveraged for better deci-
                                                            sion making. It also improved GRC management efficiencies, lowered risks, ironed out discrepancies
Greater transparency: MetricStream Solution helps
                                                            quickly and ensured enterprise-wide compliance with regulations at every step of the way.
consolidate various data including risks, controls,
tests and issues into a central library. This informa-
tion is stored according to business unit, process,
function and department. The latest information is          Challenges
made available across the organization, increasing          Lack of common terminology for risk and controls: Each department in the company used their
visibility for the management to assess risk and con-
trol activities, utilize existing sets of controls, avoid
                                                            own terminology and processes to define and assess risks and controls. They lacked common risk
duplication of assessments, and decide whether to           standards, definitions and rating methodologies to provide a centralized perspective of risk. As a
enhance controls or accept current risk levels.             result, risk evaluation across the enterprise was not always consistent. This, in turn, hindered data
                                                            aggregation and reporting to senior management.
Centralized, sustainable risk management:
MetricStream GRC platform provides a centralized            Ad hoc compliance initiatives: The company is subject to multiple compliance requirements,
framework for risk management, thus eliminating the         including SOX, NERC, FERC and other Legal and Regulatory mandates. Compliance with each of these
need for multiple systems and lowering maintenance          regulations was managed separately by each department. There was no common platform unify-
costs. It has enabled the company to eliminate five
redundant risk systems, over 300 spreadsheets and
                                                            ing these requirements, linking them with the appropriate controls, or enabling sharing of controls.
over 10 content management sites. These tools have          Consequently, controls and other related efforts were unnecessarily duplicated across the enterprise.
been replaced with MetricStream’s standardized              Visibility into enterprise-wide compliance management processes was also poor.
risk libraries, consistent risk terminologies, and a
common framework for risk aggregation and control           Difficulty in enterprise-wide auditing: The lack of an integrated audit management system made au-
monitoring.                                                 diting a laborious, resource-intensive and time-consuming process. Internal auditors found it challeng-
                                                            ing to aggregate isolated audit data from various departments and businesses across the enterprise.
                                                            Compounding the challenge was the lack of integration between Audit, Risk and Compliance programs
                                                            which hindered the adoption of a risk-based approach to auditing. And given the massive size of the
                                                            organization, it was difficult to estimate the resources, time and effort necessary to plan and execute

                                                            Siloed systems: Over the years, each department acquired their own set of point solutions for their
                                                            own individual requirements. The result was hundreds of isolated solutions that made it increasingly
                                                            difficult to track the enterprise-wide GRC status at any given time. Operational risks, vulnerabilities
                                                           and mitigations were tracked on one system, Financial, SOX risks and controls on another, and audits
                                                           on a third. The compliance team managed its own set of applications, as did the risk team. This siloed
                                                           approach hampered visibility into risks and controls, and their relation to business processes. It also
                                                           resulted in inconsistent standards, and redundancy of risk and compliance management efforts, not to
                                                           mention duplicate costs.

                                                           Usage of custom-built, in-house applications: Hundreds of spreadsheets, and email-based ap-
                                                           plications were used to track and monitor compliance, as well as to assess risks and controls within
                                                           departments. These tools required a large amount of co-ordination and effort, and involved laborious
                                                           processes. There was also the risk of manual errors and reduced efficiency. Personnel working on
                                                           these tools required a lot of time to complete tasks.

                                                           Insufficient reporting capabilities: The lack of unified reporting resulted in managers and board
                                                           members, as well as various teams, having difficulty in getting the required information quickly in the
                                                           desired format. It was also challenging to merge large sets of data on processes, risks and controls at
                                                           various levels of granularity to provide value-added information to various stakeholders.

Benefits                                                   Solution
                                                           The company was determined that its GRC program would not be merely about demonstrating compli-
Improved risk control: MetricStream Solution               ance to regulators. It wanted to establish a world-class corporate governance process, and a compli-
supports the implementation of a unified rating            ance and risk framework built on the principles of proactivity, integration and communication. Such a
methodology to measure and document risk impacts           framework would not only ensure sustainable compliance with various regulations, but it would also
categorized by seven risk types – Liquidity, Market,
                                                           provide excellent insights for better decision making.
Credit, Operational, Environmental, Business, Stra-
tegic and Reputational. The advanced capabilities of
MetricStream Solution enable the company to identify       To achieve this goal, the company created a top-down approach to risk and compliance management,
and assess risk. Using the risk assessment data, the       which enabled it to focus on those risks and controls that had the greatest impact on company profit-
organization will be able to determine if controls are     ability. It also established a strong communication and education program for employees, encouraging
adequate, or if risks can be accepted. The solution        them to be more responsible and accountable for risk management. In addition, an effective communi-
also enables the company to discover incidents and         cation plan was created for GRC-involved committees, as well as the Management and Board.
issues on time, resolve them quickly and efficiently
manage loss event data.
                                                           The company’s goal was to create a proper governance structure and processes, integrate risk
Creation of a strong risk culture: MetricStream So-        management into strategic decision-making, ensure continuous compliance, and harmonize GRC
lution helps the company establish an enterprise-wide      processes across the enterprise. To that end, it was looking for an integrated GRC solution that could
risk-focused culture through a top-down and bottom-        streamline, standardize, automate and unify all GRC programs, while improving cost-savings and
up approach to risk identification and management. It      efficiencies.
also helps educate individuals on understanding risks,
and taking the responsibility to maintain them at ac-
                                                           The company conducted a detailed analysis of industry options and selected MetricStream as the
ceptable levels. Being built on a centralized platform,
the solution enables the company to identify risks         preferred GRC solutions provider. The basis of the selection was MetricStream’s integrated single
in any area, and map them back to each business            platform, broad range of solutions, and its industry track record of hugely successful implementations
process. It also delivers risk assessment results in       in global Energy & Utility companies.
real-time, enabling managers to plan reviews for the
completeness of risk identification, and the efficacy of   MetricStream delivered a comprehensive set of solutions on a common platform, including enterprise
plans to enhance controls or accept risks.                 risk management, legal and regulatory compliance, NERC and SOX compliance, business continuity
Decreased costs of regulatory compliance: With
                                                           management, issue management and remediation, and policy/document management.
automated and streamlined compliance activities,
quality time and resources can be focused on high          MetricStream Platform is future proof, and can be easily extended to meet the future GRC require-
risk areas for more productive work. The single plat-      ments of the company, such as managing new compliance regulations, risks and audits. The Metric-
form solution for all the GRC needs of the company         Stream Application Studio enables the Internal IT team and users to create additional GRC applica-
has lowered the costs of regulatory compliance.            tions, and deploy them on the same platform without expending much time and effort. Users do not
                                                           have to undergo additional training, as the usability of the tools is very similar to previous applications.

                                                           MetricStream Integrated GRC Platform: MetricStream Solutions are based on MetricStream GRC
                                                           Platform - a Web-based comprehensive application that enables end-to-end process automation and
                                                           visibility, collaboration between various groups, centralized libraries and an integrated approach to
                                                           GRC. The platform supports the customer’s organizational model across all business units and depart-
                                                           ments, as well as their mapping to different roles and reporting relationships.

                                                           Users have role-based portal access with options for initiating actions, responding to events, manag-
                                                           ing and assigning tasks, and viewing reports and dashboards. The system also triggers email-based
                                                           notifications and alerts to appropriate personnel to notify them of various events and requirements.
                                                           Enterprise Risk Management: MetricStream Enterprise Risk Management (ERM) Solution helps the
Benefits                                                   energy provider identify, assess, quantify, monitor and manage risks from across the enterprise in an
                                                           integrated manner.
Enhanced training: MetricStream Solution contains a
robust compliance training management system that
                                                           Data is consolidated in a reusable library comprising risks, corresponding controls, assessments,
manages registration, remote participation, feedback
and course material. Employees are able to respond         results, key risk indicators, events such as losses and near-misses, issues and remediation plans.
directly to training through the system. Therefore,        Risks are highlighted depending on their impact or bearing on various functions and processes. This
compliance coordinators can easily track and report        data then rolls up to senior management, and is used to create standard as well as customized reports
on the status of employee training, without resorting      for identifying risks to business performance, operational efficiency and non-compliance across the
to manual tracking measures.                               enterprise.
Enhanced Audit Management: MetricStream
                                                           Industry best practices embedded in the solution help the company define the scope of processes and
Audit Management Solution will strengthen the
organization’s audit processes by streamlining audit       sub-processes for risk management and the development of control and test libraries. MetricStream
planning, scheduling and execution, and improving          has enabled the company’s RCSA methodology that supports a repeatable risk-control self-assess-
the efficiency of resource management and document         ment. It enables each business unit to identify and manage risks and controls independently. At the
management. The company can rely on audits to              same time, it collates the information together for managers to gain visibility into the risk manage-
embed a strong risk culture across the enterprise.         ment status across the enterprise.
For instance, self-identified control deficiencies may
not be penalized, and risk ratings can be based on
residual risk levels.
                                                           The solution also supports top-down and bottom-up risk identification and management. Across
                                                           processes, risk and control data are linked, enabling easy sharing of information.
Strengthened SOX 404 compliance: MetricStream
Solution helps the company create a comprehensive
database of financial controls. It also consolidates
financial reporting risks for SOX 404 testing, partially
automates the scoping of risk assessment, facilitates
and certifies control testing and evaluation, simpli-
fies issue management and streamlines workflow
management. Consequently, the company can ensure
consistent SOX compliance.

                                                           Compliance management & tracking: MetricStream offers the industry’s most advanced and
                                                           comprehensive Integrated Compliance and Issue Management solution. It equips the energy company
                                                           with the technology and best practices to ensure continuous compliance with various regulatory
                                                           requirements, while lowering the associated costs.

                                                           The solution is pre-loaded with all NERC, FERC and Regional Reliability standards and requirements.
                                                           This centralized repository of information enables users to quickly search for and access informa-
                                                           tion. It also helps managers structure the information in an organized hierarchy, beginning with each
                                                           compliance regulation, and moving down to their respective requirements, standards and controls.
                                                           This well-laid out framework helps improve the efficiency of searching for controls, and coordinating
                                                           control-based activities, enterprise wide. The underlying data model is architected to accommodate
                                                           many-to-many modeling requirements, as well as to navigate multiple dimensions via navigation
                                                           Any changes in regulations such as FERC and NERC prompt the system to automatically send out
                                                           update alerts, and import new requirements and content from regulatory websites. The respective
                                                           users are alerted with details of non-compliance that have emerged because of new regulations or in
                                                           changes to existing ones. Version control capabilities are provided to manage changes efficiently. In
                                                           fact, the company can monitor the progress of NERC-CIP version migration from V2 to V3 to V4.

                                                           Managers are free to configure compliance workflows to suit their management of regulatory require-
                                                           ments and controls, as well as various processes such as report creation, feedback approval and as-
                                                           similation, and version control. An integrated Issue Management module captures all violation issues
                                                           and monitors remediation plans.

                                                           SOX compliance: MetricStream enables the company to significantly reduce its cost of Sarbanes-
                                                           Oxley (SOX) compliance. Managers are able to leverage COSO and COBIT frameworks, design, assess
                                                           and improve internal controls, and monitor compliance processes at any level of detail.

                                                           The solution follows a top-down risk-assessment approach which simplifies workflows, quickly high-
                                                           lights areas that require attention, and improves transparency into financial risks. It allows process
Why MetricStream                                           owners to test and manage controls on their own, while collating data across the enterprise for audi-
                                                           tors to gain top-level visibility into the status of SOX compliance. Any issues that arise are immedi-
MetricStream’s solution provides a unified ap-             ately routed to MetricStream Issue Management module for immediate investigation and remediation.
proach and an integrated solution to meet strategic
objectives, as well as regulatory and compliance
                                                           Automated alerts keep the process on track and ensure that each issue is resolved and closed.
                                                           Multiple procedures for surveys and certifications, which affirm the strength of internal controls and
                                                           adherence to policies, are supported within the solution. It harmonizes all control frameworks into a
MetricStream Platform and its various solutions could
easily replace existing solutions for ERM, compliance      centralized library, enabling users across SOX, Regulatory and Reliability / NERC compliance to share
and audits.                                                controls and results of control assessments. This prevents duplication of assessments - especially
                                                           with regard to IT controls – and hence improves cost-effectiveness and efficiency.
MetricStream Solution provides a centralized library
to hold policies, certifications, risk and control as-     Ethics & Legal Compliance: MetricStream Compliance Solution is leveraged by the Legal, Ethics
sessments, compliance requirements and all other           and Compliance teams to efficiently streamline compliance management, and establish a proactive
documentation for easy review and reference.               and ongoing process of compliance. The Ethics & Compliance team uses MetricStream solution for
                                                           the creation and distribution of online compliance surveys for thousands of employees to certify that
MetricStream Solution demonstrated the ability to          they’re complying with specific standards. The results are automatically collected and stored in a
handle the customer’s specific requirements for an
                                                           central repository for easy access and retrieval by top managers.
ERM framework, risk terminology, consistency, rank-
ing methodology and more.
                                                           Audit management: MetricStream Solution will be extended to help the company adopt a risk-based
MetricStream Solution ensures security of electronic       approach to Corporate and Environmental audit management. The solution will enable efficient col-
records, and provides time-stamped audit trails,           laboration, planning, scheduling and auditing, while allowing audit findings to be reviewed, shared and
role-based access controls, electronic signatures and      analyzed by a team. A robust analytics and reporting capability with graphical dashboards will track
password management.                                       each audit from initiation to closure, giving managers real-time visibility.
MetricStream has the ability to support large leading
organizations, and meet their IT requirements in the       The solution will facilitate audit and risk information sharing among peers and audit stakeholders. It
areas of integration, configurability, scalability and     will also enable the company to efficiently manage resources, track budgets, configure audit profiles,
security.                                                  plan audits, record audit milestones and re-scope audits. It contains innovative capabilities to improve
                                                           auditor performance by conducting multiple audit tasks simultaneously, collaborating on reviews, get-
MetricStream offers a broad set of solutions on a          ting fieldwork approvals and delegating tasks.
Web-based platform with capabilities to map its of-
fering to all governance, risk, compliance, and quality
processes within the company.

MetricStream’s solution provides key services such
as workflows, configurable forms, collaboration,
real-time exception tracking, email alerts and notifica-
tions, integration, reports, executive dashboards,
business intelligence, analytics, and secure access

For more information, visit

Copyright 2011. All Rights Reserved.

To top