MetricStream FORTUNE 500 ENERGY ORGANIZATION BUILDS A STRONG
GOVERNANCE, RISK AND COMPLIANCE FOUNDATION
The customer, headquartered in the USA, is one of the largest energy companies in the nation. It
generates, manages, supplies and distributes energy for commercial, industrial and public sector
organizations, as well as residential communities. The company is also a leading advocate for clean,
environmentally sustainable energy sources such as solar power and nuclear energy.
Today, the energy industry is under tremendous pressure to comply with myriad regulations including FERC, NERC, NRC, NIST, OSHA and EPA. These regulations are continuously evolving, thereby requiring companies to build a sustainable compliance management program. Compliance can no longer be a one-time event; it must be an ongoing effort.

In addition, robust strategies for risk, audit, compliance, ethics and legal management are critical for protection against failures in corporate governance and against operational and financial inefficiencies. Apart from that, strategies for safeguarding the company’s assets, reputation and, ultimately, the interest of shareholders also need to be devised. However, most of these risk and compliance strategies are managed through isolated, manual processes and systems. This raises project costs, duplicates efforts across the enterprise, and deflects resources away from key business initiatives.

An integrated GRC approach will help in achieving sustainable compliance by facilitating the efficient use of risk information in strategic decision-making, ensuring the usage of consistent terminologies and methodologies across departments, establishing a risk-focused corporate culture, providing a comprehensive view of the organization’s overall risk profile, and delivering assurance to executive directors and senior management on the effectiveness of internal controls and frameworks.

The MetricStream customer places utmost importance on integrated regulatory compliance and risk management. To streamline risk and compliance across its multiple businesses and thousands of employees and contractors, the energy major rapidly transitioned from a siloed, operational structure to an integrated, holistic GRC model. It established a centralized platform where all GRC initiatives and information were unified, managed, shared across business units, and leveraged for better decision making. It also improved GRC management efficiencies, lowered risks, ironed out discrepancies quickly and ensured enterprise-wide compliance with regulations at every step of the way.

Challenges

Lack of common terminology for risk and controls: Each department in the company used its own terminology and processes to define and assess risks and controls. They lacked common risk standards, definitions and rating methodologies to provide a centralized perspective of risk. As a result, risk evaluation across the enterprise was not always consistent. This, in turn, hindered data aggregation and reporting to senior management.

Ad hoc compliance initiatives: The company is subject to multiple compliance requirements, including SOX, NERC, FERC and other legal and regulatory mandates. Compliance with each of these regulations was managed separately by each department. There was no common platform unifying these requirements, linking them with the appropriate controls, or enabling sharing of controls. Consequently, controls and other related efforts were unnecessarily duplicated across the enterprise. Visibility into enterprise-wide compliance management processes was also poor.

Difficulty in enterprise-wide auditing: The lack of an integrated audit management system made auditing a laborious, resource-intensive and time-consuming process. Internal auditors found it challenging to aggregate isolated audit data from various departments and businesses across the enterprise. Compounding the challenge was the lack of integration between Audit, Risk and Compliance programs, which hindered the adoption of a risk-based approach to auditing. And given the massive size of the organization, it was difficult to estimate the resources, time and effort necessary to plan and execute

Siloed systems: Over the years, each department acquired its own set of point solutions for its own individual requirements. The result was hundreds of isolated solutions that made it increasingly difficult to track the enterprise-wide GRC status at any given time. Operational risks, vulnerabilities and mitigations were tracked on one system, financial and SOX risks and controls on another, and audits on a third. The compliance team managed its own set of applications, as did the risk team. This siloed approach hampered visibility into risks and controls, and their relation to business processes. It also resulted in inconsistent standards and redundancy of risk and compliance management efforts, not to mention duplicate costs.

Usage of custom-built, in-house applications: Hundreds of spreadsheets and email-based applications were used to track and monitor compliance, as well as to assess risks and controls within departments. These tools required a large amount of coordination and effort, and involved laborious processes. There was also the risk of manual errors and reduced efficiency. Personnel working on these tools required a lot of time to complete tasks.

Insufficient reporting capabilities: The lack of unified reporting resulted in managers and board members, as well as various teams, having difficulty in getting the required information quickly in the desired format. It was also challenging to merge large sets of data on processes, risks and controls at various levels of granularity to provide value-added information to various stakeholders.

The company was determined that its GRC program would not be merely about demonstrating compliance to regulators. It wanted to establish a world-class corporate governance process, and a compliance and risk framework built on the principles of proactivity, integration and communication. Such a framework would not only ensure sustainable compliance with various regulations, but would also provide excellent insights for better decision making.

To achieve this goal, the company created a top-down approach to risk and compliance management, which enabled it to focus on those risks and controls that had the greatest impact on company profitability. It also established a strong communication and education program for employees, encouraging them to be more responsible and accountable for risk management. In addition, an effective communication plan was created for GRC-involved committees, as well as the Management and Board.

The company’s goal was to create a proper governance structure and processes, integrate risk management into strategic decision-making, ensure continuous compliance, and harmonize GRC processes across the enterprise. To that end, it was looking for an integrated GRC solution that could streamline, standardize, automate and unify all GRC programs, while improving cost savings and efficiencies.

The company conducted a detailed analysis of industry options and selected MetricStream as the preferred GRC solutions provider. The basis of the selection was MetricStream’s integrated single platform, broad range of solutions, and its industry track record of hugely successful implementations in global Energy & Utility companies.

MetricStream delivered a comprehensive set of solutions on a common platform, including enterprise risk management, legal and regulatory compliance, NERC and SOX compliance, business continuity management, issue management and remediation, and policy/document management.

MetricStream Platform is future-proof, and can be easily extended to meet the future GRC requirements of the company, such as managing new compliance regulations, risks and audits. The MetricStream Application Studio enables the internal IT team and users to create additional GRC applications, and deploy them on the same platform without expending much time and effort. Users do not have to undergo additional training, as the usability of the tools is very similar to previous applications.

MetricStream Integrated GRC Platform: MetricStream Solutions are based on MetricStream GRC Platform, a Web-based comprehensive application that enables end-to-end process automation and visibility, collaboration between various groups, centralized libraries and an integrated approach to GRC. The platform supports the customer’s organizational model across all business units and departments, as well as their mapping to different roles and reporting relationships.

Users have role-based portal access with options for initiating actions, responding to events, managing and assigning tasks, and viewing reports and dashboards. The system also triggers email-based notifications and alerts to appropriate personnel to notify them of various events and requirements.

Enterprise Risk Management: MetricStream Enterprise Risk Management (ERM) Solution helps the energy provider identify, assess, quantify, monitor and manage risks from across the enterprise in an

Data is consolidated in a reusable library comprising risks, corresponding controls, assessments, results, key risk indicators, events such as losses and near-misses, issues and remediation plans. Risks are highlighted depending on their impact or bearing on various functions and processes. This data then rolls up to senior management, and is used to create standard as well as customized reports for identifying risks to business performance, operational efficiency and non-compliance across the enterprise.

Industry best practices embedded in the solution help the company define the scope of processes and sub-processes for risk management and the development of control and test libraries. MetricStream has enabled the company’s RCSA methodology, which supports a repeatable risk-control self-assessment. It enables each business unit to identify and manage risks and controls independently. At the same time, it collates the information for managers to gain visibility into the risk management status across the enterprise.

The solution also supports top-down and bottom-up risk identification and management. Across processes, risk and control data are linked, enabling easy sharing of information.

Compliance management & tracking: MetricStream offers the industry’s most advanced and comprehensive Integrated Compliance and Issue Management solution. It equips the energy company with the technology and best practices to ensure continuous compliance with various regulatory requirements, while lowering the associated costs.

The solution is pre-loaded with all NERC, FERC and Regional Reliability standards and requirements. This centralized repository of information enables users to quickly search for and access information. It also helps managers structure the information in an organized hierarchy, beginning with each compliance regulation, and moving down to their respective requirements, standards and controls. This well-laid-out framework helps improve the efficiency of searching for controls and coordinating control-based activities enterprise-wide. The underlying data model is architected to accommodate many-to-many modeling requirements, as well as to navigate multiple dimensions via navigation

Any changes in regulations such as FERC and NERC prompt the system to automatically send out update alerts, and import new requirements and content from regulatory websites. The respective users are alerted with details of non-compliance that have emerged because of new regulations or changes to existing ones. Version control capabilities are provided to manage changes efficiently. In fact, the company can monitor the progress of NERC-CIP version migration from V2 to V3 to V4.

Managers are free to configure compliance workflows to suit their management of regulatory requirements and controls, as well as various processes such as report creation, feedback approval and assimilation, and version control. An integrated Issue Management module captures all violation issues and monitors remediation plans.

SOX compliance: MetricStream enables the company to significantly reduce its cost of Sarbanes-Oxley (SOX) compliance. Managers are able to leverage COSO and COBIT frameworks, design, assess and improve internal controls, and monitor compliance processes at any level of detail.

The solution follows a top-down risk-assessment approach which simplifies workflows, quickly highlights areas that require attention, and improves transparency into financial risks. It allows process owners to test and manage controls on their own, while collating data across the enterprise for auditors to gain top-level visibility into the status of SOX compliance. Any issues that arise are immediately routed to the MetricStream Issue Management module for investigation and remediation. Automated alerts keep the process on track and ensure that each issue is resolved and closed.

Multiple procedures for surveys and certifications, which affirm the strength of internal controls and adherence to policies, are supported within the solution. It harmonizes all control frameworks into a centralized library, enabling users across SOX, Regulatory and Reliability / NERC compliance to share controls and results of control assessments. This prevents duplication of assessments, especially with regard to IT controls, and hence improves cost-effectiveness and efficiency.

Ethics & Legal Compliance: MetricStream Compliance Solution is leveraged by the Legal, Ethics and Compliance teams to efficiently streamline compliance management, and establish a proactive and ongoing process of compliance. The Ethics & Compliance team uses MetricStream solution for the creation and distribution of online compliance surveys for thousands of employees to certify that they are complying with specific standards. The results are automatically collected and stored in a central repository for easy access and retrieval by top managers.

Audit management: MetricStream Solution will be extended to help the company adopt a risk-based approach to Corporate and Environmental audit management. The solution will enable efficient collaboration, planning, scheduling and auditing, while allowing audit findings to be reviewed, shared and analyzed by a team. A robust analytics and reporting capability with graphical dashboards will track each audit from initiation to closure, giving managers real-time visibility.

The solution will facilitate audit and risk information sharing among peers and audit stakeholders. It will also enable the company to efficiently manage resources, track budgets, configure audit profiles, plan audits, record audit milestones and re-scope audits. It contains innovative capabilities to improve auditor performance by conducting multiple audit tasks simultaneously, collaborating on reviews, getting fieldwork approvals and delegating tasks.

Benefits

Automation of risk and compliance workflows: Automated workflows on the MetricStream integrated platform free the energy provider from the extensive use of spreadsheets and other manual tools. MetricStream Solution also enhances IT risk management and business continuity by automating risk assessment workflows for applications, infrastructure, disaster recovery and cyber security. This dramatically increases efficiency, shortens completion periods, reduces coordination efforts, and diminishes errors and possibilities of duplicate efforts. The overall level of compliance across the enterprise has gone up significantly, while costs have come

Greater transparency: MetricStream Solution helps consolidate various data including risks, controls, tests and issues into a central library. This information is stored according to business unit, process, function and department. The latest information is made available across the organization, increasing visibility for the management to assess risk and control activities, utilize existing sets of controls, avoid duplication of assessments, and decide whether to enhance controls or accept current risk levels.

Centralized, sustainable risk management: MetricStream GRC platform provides a centralized framework for risk management, thus eliminating the need for multiple systems and lowering maintenance costs. It has enabled the company to eliminate five redundant risk systems, over 300 spreadsheets and over 10 content management sites. These tools have been replaced with MetricStream’s standardized risk libraries, consistent risk terminologies, and a common framework for risk aggregation and control monitoring.

Improved risk control: MetricStream Solution supports the implementation of a unified rating methodology to measure and document risk impacts categorized by seven risk types – Liquidity, Market, Credit, Operational, Environmental, Business, Strategic and Reputational. The advanced capabilities of MetricStream Solution enable the company to identify and assess risk. Using the risk assessment data, the organization will be able to determine if controls are adequate, or if risks can be accepted. The solution also enables the company to discover incidents and issues on time, resolve them quickly and efficiently manage loss event data.

Creation of a strong risk culture: MetricStream Solution helps the company establish an enterprise-wide risk-focused culture through a top-down and bottom-up approach to risk identification and management. It also helps educate individuals on understanding risks, and taking the responsibility to maintain them at acceptable levels. Being built on a centralized platform, the solution enables the company to identify risks in any area, and map them back to each business process. It also delivers risk assessment results in real time, enabling managers to plan reviews for the completeness of risk identification, and the efficacy of plans to enhance controls or accept risks.

Decreased costs of regulatory compliance: With automated and streamlined compliance activities, quality time and resources can be focused on high-risk areas for more productive work. The single-platform solution for all the GRC needs of the company has lowered the costs of regulatory compliance.

Enhanced training: MetricStream Solution contains a robust compliance training management system that manages registration, remote participation, feedback and course material. Employees are able to respond directly to training through the system. Therefore, compliance coordinators can easily track and report on the status of employee training, without resorting to manual tracking measures.

Enhanced Audit Management: MetricStream Audit Management Solution will strengthen the organization’s audit processes by streamlining audit planning, scheduling and execution, and improving the efficiency of resource management and document management. The company can rely on audits to embed a strong risk culture across the enterprise. For instance, self-identified control deficiencies may not be penalized, and risk ratings can be based on residual risk levels.

Strengthened SOX 404 compliance: MetricStream Solution helps the company create a comprehensive database of financial controls. It also consolidates financial reporting risks for SOX 404 testing, partially automates the scoping of risk assessment, facilitates and certifies control testing and evaluation, simplifies issue management and streamlines workflow management. Consequently, the company can ensure consistent SOX compliance.

Why MetricStream

MetricStream’s solution provides a unified approach and an integrated solution to meet strategic objectives, as well as regulatory and compliance

MetricStream Platform and its various solutions could easily replace existing solutions for ERM, compliance and audits.

MetricStream Solution provides a centralized library to hold policies, certifications, risk and control assessments, compliance requirements and all other documentation for easy review and reference.

MetricStream Solution demonstrated the ability to handle the customer’s specific requirements for an ERM framework, risk terminology, consistency, ranking methodology and more.

MetricStream Solution ensures security of electronic records, and provides time-stamped audit trails, role-based access controls, electronic signatures and password management.

MetricStream has the ability to support large leading organizations, and meet their IT requirements in the areas of integration, configurability, scalability and security.

MetricStream offers a broad set of solutions on a Web-based platform with capabilities to map its offering to all governance, risk, compliance, and quality processes within the company.

MetricStream’s solution provides key services such as workflows, configurable forms, collaboration, real-time exception tracking, email alerts and notifications, integration, reports, executive dashboards, business intelligence, analytics, and secure access.
Copyright 2011. All Rights Reserved.