Embarking on a Journey: From a Traditional Approach to a Single, Connected GRC System
In the past, the bank had used various, disparate, and sub-optimal legacy systems for risk management and business continuity. These systems gave rise to multiple silos of information that were often challenging to reconcile or integrate. The problem was amplified by the sheer number of geographically diversified teams working across multiple regulatory jurisdictions. Each team had their own risk processes, taxonomies, and systems which lacked the ability to adapt to dynamic risk management requirements. Moreover, the systems captured only 60% of risk assessment information, limiting the organization’s ability to develop sufficient risk thresholds and controls. Over time, it became increasingly difficult for the bank to aggregate key risk information from across businesses and geographies. The insights that flowed up to decision-makers were often delayed, thus reducing the effectiveness of business continuity and risk management.
In response, the bank began to develop a strategic vision of implementing a single, connected GRC system. They wanted to replace their fragmented, legacy infrastructure with a modern integrated approach to risk and compliance management solution. They needed a solution that facilitated the improved quality and effective cadence of data from the front line and deliver improved efficiency via an easy-to-use UI, which further led to the rapid adoption of the solution.
In short, the bank’s core focus was to enable integrated risk management by simplifying processes to improve user adoption and in turn, improve data quality. To support and enable these efforts, the bank chose to deploy MetricStream’s BusinessGRC. Today, 85,000 employees in 70 countries operating in 1200 branches are using the MetricStream Platform—directly impacting 100+ million customers in wealth management, banking, and insurance.
Global Bank Enhances Business Decision-making with MetricStream BusinessGRC
As a leading multi-national financial services company, the bank is expected to adhere to multiple regulatory obligations, while keeping possible disruptions and risks in check. These risks range from operational and IT risks, to mis-selling, regulatory, reputational, business disruption, fraud, and geographic risks – all of which need to be identified and effectively mitigated across the enterprise. Previous approaches to risk management and business continuity management were largely siloed and, thereby, difficult to scale or sustain.
Due to the vast geographic spread of the organization—the bank operates in 70 countries—a solution that enabled them to make risk-informed, agile decisions, across all lines of defense was required. Their goal was to integrate multiple risk initiatives so as to gain ‘a single source of truth.’ This required a solution that strengthened risk management and business resilience, while enhancing speed and agility in risk mitigation and business continuity. The solution needed to ensure that risk data is efficiently gathered, consolidated into common taxonomies, ranked, analyzed, formatted into reports, and then rolled up to the management team to support decision-making—all as swiftly and systematically as possible.
Aligning Risk and Policy Management for Better Governance
To strengthen their policies around risk management while also adhering to the Prudential Regulation Authority (PRA) guidelines, the refreshed Operational Risk Type Framework (ORTF) Policy and Standards, and the expectations set by the Group Internal Audit, the bank wanted to adopt a consistent, group-wide approach to policy and procedure management. With MetricStream’s BusinessGRC, the bank gained a structure and framework to link policies to the corresponding areas of compliance, risks, and controls for each business unit and process. The product’s standardized policy workflows and integrated data model enable end users to quickly understand how policies impact risk processes, controls, and regulations. Policy-related feedback from users is captured. With these capabilities, the bank has been able to strengthen overall governance, as well as the adoption of internal and regulatory guidelines.
With MetricStream’s BusinessGRC, the bank has adopted a standardized, enterprise-wide approach to policy and procedure management in compliance with the refreshed ORTF Policy and Standards, and to meet the expectations of its Group Internal Audit & PRA guidelines.
Challenges
- Multiple silos and legacy systems
- Fragmented visibility into key risk data
- Difficulty in proactively identifying and reporting key risks and issues
- Tracking and mitigating risks across a complex and geographically dispersed enterprise
- Need to simplify processes and increase user adoption, and by doing so, improve data quality
Business Value Realized
Enhanced preparedness for adverse macroeconomic
risks and systemic shocks
Continuous monitoring and strengthened visibility into org-wide risks
Improved employee accountability and understanding of risk
Optimized organizational structure with MDOS
Mitigated risks with integrated risk and control libraries
Streamlining Operational Risk Management
Operational Risk Management function is an important business function within the bank with multiple stakeholders, and key to a connected GRC system. With the MetricStream solution, deployed with modules for Libraries, Risk and Control Self-Assessment, Loss Management, Issues & Actions, and Reports, the bank was able to streamline operational management by shortening the cycle time and costs of risk assessments which led to improved overall efficiency
Optimizing Organizational Structure With MDOS
The bank being a global entity, has multiple layers of hierarchy across business units, functions, and geographical locations. However, the existing solution supported a Single Dimensional Organization Structure (SDOS) which made it inefficient as it was unable to support the complex organizational model of the bank. MetricStream enabled the shift from SDOS to Multi-Dimensional Organization Structure (MDOS) on the MetricStream Platform. This has not only helped the bank to recreate their organizational hierarchy but also enabled risk aggregation at any level of the organization giving clear visibility into risk exposures at multiple levels.
Effectively Managing Control Deficiencies
The bank had approximately 5000 controls and had outsourced the testing to different businesses which was leading to duplication of controls and efforts. With the MetricStream Centralized Risk and Control Library, the bank is now able to systematically plan and execute control tests that has led to the effective identification of any gaps and deficiencies. This made the entire exercise more efficient by reducing the time, cost, and resources alotted for control testing activity.
Building Resilience With Business Continuity Management
The bank wanted to ensure that business continuity planning was an essential part of their Group Operational Risk (GOR) strategy to ensure uninterrupted operations in the event of a crisis and respond and recover faster. With MetricStream Business Continuity Management, the bank has strengthened business resilience with a coordinated and agile strategy for recovery. Qualitative and quantitative assessments of business continuity risks impacting key processes and assets help the bank gain a comprehensive view of risks across geographies and business units.