GRC 20/20 Research awarded MetricStream and Sterling Bank its 2013 GRC Value award in the Enterprise GRC category. MetricStream Enterprise GRC Solution Suite allowed Sterling Bank to transition from using hundreds of spreadsheets created every year to complete audits, credit reviews and risk assessments in addition to hundreds of other documents compiled to report on findings and risk summaries. Today’s system is a single-source GRC solution that integrates governance, risk and compliance functions and brings strong scores from regulators.
Sterling successfully used MetricStream’s single-source GRC solution suite, which consolidates various GRC functions, including enterprise risk management, internal audit, issue management, policy management, business-line risk assessment, regulatory compliance self-assessments and internal asset review, into one enterprisewide view. Benefits received in the short term (within one year) of implementation included:
- Automated end-to-end GRC workflow, eliminating the need for cumbersome spreadsheets, saving time and costs and minimizing error
- Ability to perform detailed risk self-assessments, define and assess controls, track loss incidents along with root causes and ownership, and quickly resolve any issues that arise
- Established a single risk framework and nomenclature within the GRC system, and a single source of truth
- Strong risk management grade from regulators
- Better board reporting and focus on the risks that matter
- Risk management is now 1 of the top-line corporate goals, raising awareness about its value
A long-term GRC vision
Among Sterling Bank’s long-term goals for the product is to push risk management down to the first line of defense, to ensure issues are identified as early as possible. This top-to-bottom approach should also involve the board of directors and actively engage them in GRC issues.
The MetricStream solution will be used for active monitoring of audit processes, risks and incidents, and ensure compliance with regulations such as SOX, GLBA, FDIC and FFIEC by all business units — and not just by the efforts of the risk and compliance staff. The solution provides a single and unified view into actionable business intelligence, active responses to risk and facilitates corresponding changes to strategy, all of which provides the bank with a competitive edge.
Risk, compliance, audit and policy in one enterprisewide view
Before MetricStream Enterprise GRC solutions was implemented, the various GRC initiatives at Sterling Bank — risk, compliance, audit, policy, etc. — were managed as separate programs, and as a result, due dates for issues could be missed and when reorganizations occurred, issues could fall between the cracks. A number of standalone software applications and point solutions catered to these individual programs and functions. There were serious challenges in ownership and transparency, which resulted from a prior inability to aggregate GRC data from across the enterprise in real time, and leverage this information to drive risk-based decisions and business strategy.
Sterling Bank used several data sources and manual processes that were labor intensive. GRC functions were spread across multiple unrelated departments. Consolidating all GRC programs and processes into a single platform enables the organization and every employee to work more collaboratively and more efficiently, while reducing costs and eliminating redundant activities.
MetricStream GRC solutions foster communication, collaboration and information sharing between business units and corporate functions. The bank can ensure ownership and transparency while aggregating GRC data from across the enterprise in real time, and leverage this information to drive risk-based decisions and business strategy.
A change in GRC culture
Sterling’s fraud risk assessment process previously contained over 300 different risks, many of them applicable to only one department. By rationalizing these risks for population into the MetricStream GRC solution, Sterling was able to eliminate and consolidate fraud risks into 70 risk categories companywide. This library of risks, controls, processes, assets, issues, regulations, products, policies and objectives enhances Sterling Bank’s risk management capabilities. Business managers have real-time access to the status of audit and exam issues rather than waiting to receive a periodic spreadsheet.
The GRC program facilitates a reduced-touch approach to GRC; business units no longer have to generate as many as eight risk assessments a year, since the GRC program provides multiple automated risk assessments in a single session. The following efficiency improvements have also been realized by the new approach, supported by MetricStream GRC solutions:
- Automated end-to-end GRC workflows eliminate the need for hundreds of documents and spreadsheets, saving time and costs and minimizing errors.
- Provides a single-source-of-truth for risk information with a universal risk taxonomy and nomenclature.
- Has served as a catalyst for establishing a sustainable risk culture across the enterprise.
- Promotes tracking and trending data for management committee and board reporting.
- Ability to isolate changes in self-assessment testing for immediate action.
- Risk is now embedded within decision making processes, and coordinated across business units.
- Empowering individuals and committees to be accountable in owning and/or escalating existing and emerging risks to management.
To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients