
The Client: Fortune 100 Consumer Goods Company

The client found it increasingly impractical to manually assess risks across thousands of third parties worldwide. MetricStream’s solution offered them a way to automate third-party risk assessments for optimal efficiency. It also delivered complete, near real-time visibility into third-party risks across the globe, enabling the client to make informed sourcing decisions.


After a comprehensive evaluation of multiple third-party risk management solution providers, MetricStream was chosen by the client based on the strength of their offering, as well as their reputation as a GRC market leader.

MetricStream delivered a centralized solution that scales across the client’s global enterprise, integrating all third-party risk assessment and onboarding processes in a centralized system for complete transparency and visibility. The solution also links risk assessment processes with strategic decision-making for better third-party governance.

Today, anyone with an organizational ID can access the system and create a new third party, instead of waiting for a select group of managers to do it. The solution processes each third-party request and triggers a systematic workflow of screening and risk assessments to determine whether or not the third party should be onboarded.

Adding further efficiency, the solution automates third-party risk assessments and qualification. It also enables any third party from across the globe to fill in their risk assessment surveys directly in the system, thereby saving the client the time and effort of manually distributing surveys and collecting responses.

Below are the detailed capabilities of MetricStream’s Third-Party Risk Management Solution:

Empowering users across the enterprise to search and add new third parties on their own
The MetricStream solution consolidates all global third-party data in a single, centralized database. Tens of thousands of employees from multiple countries worldwide can log into this database, and search for a particular third party with the help of intuitive search and reference tools. If the third party does not exist in the database, users can independently create a requirement for a new third party.

Automating third-party screening
When a new requirement is created, the solution presents a simple, lean form to the user to capture basic data about the suggested third party. Based on the user's responses, the solution automatically screens the third party against parameters such as the country in which it operates and the category and type of services it will provide to the client. It then applies its rule set to calculate which risk assessments and surveys need to be performed on the selected third party. Third parties that don't pass the screening process are flagged. For instance, if a third party is located in a country where trade sanctions have been imposed, the solution disqualifies it from further assessments and also sends an email notification to the client's legal team.

Streamlining third-party risk assessments and qualification
Based on the results of the screening process, the solution categorizes the third party into a particular risk area and determines the type of risk assessment surveys that need to be administered to it. For instance, if it finds that the third party is located in a country with a high corruption index, the solution automatically administers an anti-bribery survey. The selected third party receives an automatic email notification with instructions and log-in details, which it can use to access the MetricStream solution and respond to the risk surveys.

The solution also provides the flexibility for third parties to download their surveys as spreadsheets, and send them to sub-contractors and other fourth parties to fill in the required information. This data can later be uploaded into the system.

There are three primary surveys issued to third parties:

  • Anti-bribery survey - This survey helps assess the risk that a third party might bribe a client employee, thereby violating laws such as the FCPA and the UK Bribery Act. The survey is divided into three layers:
    • Anti-bribery certification
    • Anti-bribery remediation
    • D&B risk indicator, i.e. integration with Dun & Bradstreet (D&B) databases to validate the information provided by the selected third party. D&B analyzes the data and provides a color-coded report indicating the risk of doing business with the third party. This data is automatically integrated into the MetricStream solution.
  • Privacy survey - This survey helps assess the third-party risks associated with information privacy. There are two levels to the survey. Level A has a basic set of privacy questions. Based on the responses, the solution determines if the Level B survey needs to be administered or not. For instance, if the Level A survey finds that a third party is sharing personal customer information with sub-contractors, the solution automatically rates the third party as high risk, and issues the Level B survey to them to gather more risk data.
  • Information security survey - This survey helps evaluate if third parties pose significant data security risks to the client. Again, there are two survey levels. If a company does not pass the Level A survey, then the solution administers a Standard Information Gathering (SIG) survey to assess their information security risks further.

Depending on the responses to these surveys, the client decides whether or not to qualify the selected third party.
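As an added illustration (not MetricStream's or the client's code), the screening and tiered-survey routing described in the preceding sections can be modelled as a small rules engine; the country lists, category names, survey identifiers and the assumption that every candidate receives the Level A information security survey are constructed placeholders, not the page's data.

```python
"""Illustrative third-party screening and survey routing.
All rule tables below are constructed placeholders (not real sanctions,
corruption-index or client data)."""
from dataclasses import dataclass, field

SANCTIONED_COUNTRIES = {"Sanctioned-A", "Sanctioned-B"}      # constructed
HIGH_CORRUPTION_COUNTRIES = {"HighCPI-X", "HighCPI-Y"}        # constructed
DATA_HANDLING_CATEGORIES = {"IT services", "Marketing"}       # constructed


@dataclass
class ThirdParty:
    name: str
    country: str
    category: str


@dataclass
class ScreeningResult:
    disqualified: bool = False
    notify: list = field(default_factory=list)    # teams to alert by email
    surveys: list = field(default_factory=list)   # Level A surveys to issue


def screen(tp: ThirdParty) -> ScreeningResult:
    """Decide whether a requested third party proceeds and which surveys apply."""
    result = ScreeningResult()
    if tp.country in SANCTIONED_COUNTRIES:
        # Sanctions hit: stop further assessment and alert the legal team.
        result.disqualified = True
        result.notify.append("legal")
        return result
    result.surveys.append("infosec-A")            # assumed baseline for everyone
    if tp.country in HIGH_CORRUPTION_COUNTRIES:
        result.surveys.append("anti-bribery")     # high corruption index
    if tp.category in DATA_HANDLING_CATEGORIES:
        result.surveys.append("privacy-A")        # service may touch personal data
    return result


def route_follow_ups(responses: dict) -> dict:
    """Escalate Level A answers to Level B / SIG; return the rating and follow-ups."""
    follow_ups, rating = [], "standard"
    if responses.get("privacy-A", {}).get("shares_personal_data_with_subcontractors"):
        rating = "high"                           # auto-rate high, issue Level B
        follow_ups.append("privacy-B")
    if responses.get("infosec-A", {}).get("passed") is False:
        follow_ups.append("SIG")                  # failed Level A -> SIG survey
    return {"rating": rating, "follow_ups": follow_ups}
```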

Delivering multi-language support
Given that the client's third parties are spread across multiple countries with different language requirements, the MetricStream solution provides multi-language support. Third parties accessing the solution can choose from six languages to fill in their surveys: English, Chinese, Spanish, Arabic, Russian, and Vietnamese. All survey questions are displayed in the selected language.

MetricStream will continue to work with the client towards providing support for up to 14 languages.

The Challenge

The client has a massive network of third parties worldwide, including suppliers, contractors, and consultants. Every month, multiple new third parties are added to this network to meet the client’s growing business requirements. Yet, each third party introduces multiple risks, including bribery risks, product safety risks, and information security risks - all of which directly impact the client’s reputation and credibility.

To keep these risks in control, the client thoroughly assesses each third party before and after they are onboarded into the organization. Yet, over time, these assessments became increasingly complex and cumbersome. Whenever there was a request for a new third party, it had to be routed through a few select managers in the organization. They were the only ones with access to the third-party database, and therefore they bore the entire responsibility of tracking thousands of third parties and assessing the associated risks.

Adding to the challenge, each risk assessment was performed manually. Therefore, it took up considerable time and effort, and slowed down the onboarding process.

Meanwhile, if the management team wanted visibility into the status of third-party risks and onboarding, they had to send out a request, and wait for reports to be manually generated. This again took time, and delayed decision-making processes.

It quickly became evident that the existing approach to third-party risk assessments and onboarding was neither practical nor viable. With more third parties came more risks that needed to be assessed as quickly and efficiently as possible. So, the client began looking for a new solution to automate and accelerate their risk assessments.

Why MetricStream

The client chose MetricStream for the following reasons:

Market leadership: MetricStream GRC solutions are widely used across the retail and consumer goods industry.

Scalability: Thousands of employees and third parties from across the global enterprise can access the MetricStream solution over a web-based interface.

Automation: The solution replaces cumbersome manual tasks with swift, automated workflows.

Extensibility: In the future, the client can extend the solution to other GRC areas such as third-party compliance management, third-party audits, and social compliance.

Benefits

  • Third-party risk assessments have become faster and more efficient
    The solution has automated the entire process of screening third parties, categorizing them based on risk, and then conducting risk assessments. The client has thus saved significant time and can focus their efforts on more critical activities such as third-party risk mitigation.
  • Managers have better visibility into third-party risks
    All risk assessment survey data, responses, results, and scores are consolidated in a central database where they can be easily tracked and analyzed. Users can quickly generate multiple risk reports to support sourcing decisions. In addition, graphical dashboards can be leveraged to gain near real-time visibility into the status of risk assessment processes.
  • It is easier to create and onboard new third parties
    No longer do employees have to route their new third-party requests through a cumbersome process of review and approvals. All they need to do is enter their requests into the MetricStream solution with a few basic third-party details. The solution takes care of the rest.
  • Third-party communication and coordination has improved
    Through the MetricStream solution, third parties can automatically receive risk assessments and surveys, fill them in or route them to their sub-contractors, and then upload the data back into the system for review, all in their preferred language. Automated alerts help ensure that the process is completed in a timely manner.