Solution
Why a Manual and Siloed Approach to GRC Didn’t Work :Being a global, cloud-based enterprise, the company manages more than 5,000 compliance requirements across 20 different programs globally. These requirements range from FFIEC regulations, to the FedRAMP program, as well as HIPAA, HITRUST, and mandates from the DoD.1
The company also has to ensure that their global employees, numbering in the tens of thousands, have attested to IT security policies. These policies, in turn, are aligned to more than 70 IT standards. Added to that are an extensive number of IT certifications and audits that have to be managed throughout the year.
In the past, the company had used homegrown techniques and spreadsheets to manage IT compliance, policies, audits, and risks. Their processes and controls were neither scalable nor integrated and, thus, costly. The lack of a common risk taxonomy as well as a standard compliance framework and control testing process further complicated governance and compliance.
To strengthen digital innovation, the company’s strategy was to acquire new businesses aligned with its own strategic initiatives. This approach, while profitable, increased the number of regulations that the company had to comply with. Change management processes were largely manual and therefore time-consuming, resource-intensive, complex, and costly.
Meanwhile, teams that managed IT compliance, audits, security, engineering, and sales were unable to effectively collaborate and align compliance requirements with the company’s business objectives. Siloes were rampant, and that, in turn, delayed the process of collecting and analyzing IT compliance data for executive-level reporting. All of these factors slowed down decision-making.
To overcome these challenges, the company began assessing various governance, risk, and compliance (GRC) solutions in the market. They eventually selected the MetricStream Enterprise GRC Solution to help them manage a wide range of regulatory requirements and risks, while strengthening collaboration and coordination across teams.
Reducing Compliance Costs, Strengthening Compliance Intelligence : MetricStream’s integrated GRC solution for the company includes capabilities for IT compliance management, enterprise risk management, audit management, policy management, and SOX compliance management.
The solution has enabled the company to automate their IT compliance management workflows, while consolidating compliance data in a centralized repository. A common control framework, maintained by the solution, makes it easy to manage and monitor compliance requirements. Pre-defined, real-time reports and user-specific dashboards offer executive management the visibility they need to track the company’s overall compliance profile.
The solution also integrates with a leading thirdparty HR tool named Workday to pull user-specific information on the company’s permanent employees, business partners, and a select set of consultants and auditors.
Minimizing Policy Management Redundancies and Inefficiencies : The company now has a flexible system to streamline and automate workflows across the policy and document management lifecycle. Policies can be mapped to the company’s compliance regulations and controls, while policy attestations and exceptions can be tracked efficiently. Graphical reports and dashboards increase the transparency of the entire policy and document management process.
Using the solution, the company has been able to harmonize controls across multiple IT standards and compliance requirements – specifically, 300 controls across more than 5,000 IT compliance requirements which, in turn, has enabled a 90% consolidation in effort.
Streamlining Audit Management : The MetricStream solution facilitates a systematic and structured approach to audit activities, ranging from audit planning, scheduling, and scoping, to issue remediation and reporting. A centralized repository stores all audit findings and artifacts. Rich operational and management reporting capabilities strengthen risk-awareness, enabling senior stakeholders in the company to make better and faster decisions.
Improving Visibility into Enterprise Risks : Using the solution, the company has implemented an organized and efficient approach to enterprise risk management. The tool supports industrystandard risk assessment methodologies and standards, while delivering a real-time view of risks across the organization. Risk owners can conduct simple or advanced assessments using multiple factors and advanced risk scoring methodologies across business units, regions, and products. Users gain a holistic view of risk management programs and metrics through role-based reports and dashboards.
Optimizing SOX Compliance : The solution has given the company an enterprise- wide internal control management platform to support SOX compliance workflows, including risk assessment planning and scheduling, as well as control testing and assessments. Compliance dashboards and risk heat maps deliver enterprise-wide visibility into financial control management and compliance processes.
1FFIEC - Federal Financial Institutions Examination Council; FedRAMP - Federal Risk and Authorization Management Program; HIPAA - Health Insurance Portability and Accountability Act; HITRUST - Health Information Trust Alliance; DoD – Department of Defense
Challenges
- Adhere to a growing volume of IT regulations
- Track policy attestation
- Accelerate audit cycles, and reduce audit costs
- Conduct advanced risk assessments
- Ensure control attestation compliance