MetricStream

MetricStream is a software vendor offering regulatory compliance, quality management and audit software solutions. The privately held company is headquartered in Palo Alto, California.

Official website: http://www.metricstream.com

Answers from a survey conducted in spring 2009:

1. How does your company define the term “GRC”?

We define GRC as a systematic approach to defining and managing internal policies and practices for governance, risk and compliance for delivering better business performance.

MetricStream was the first company that articulated the vision of a single platform to address a broad spectrum of GRC needs of an organization – including operational compliance in areas like quality, safety, environment, supplier performance and other industry mandates. Lately, customers, partners, analysts and the marketplace at large have recognized the convergence that MetricStream had envisioned. GRC as a category will continue to subsume a number of new areas such as Green-Tech, CSR, Disaster Management and Supplier Governance.

2. How do you see the relation between Enterprise Risk Management (ERM) and GRC? Are they synonyms?

ERM is a part of GRC. ERM focuses on risks and response. Risk scenarios across industries can range from strategic and enterprise risks to a growing range of industry-specific operational risk issues such as product quality and supply chain risks in the manufacturing industry, regulatory in the energy and utility industry, financial risks and loss events in banking, pharmacovigilance in the life sciences industry and safety risks in the foodservices industry.

GRC is about effective corporate governance and better performance and aims at maintaining high trust and confidence in the corporation. GRC programs will ensure effective communication and oversight of policies and procedures by ensuring adequate transparency with appropriate checks and balances. GRC is also about achieving set performance goals and objectives in line with the expectations of several stakeholders.

3. Please describe the software architecture of your company’s GRC portfolio. (What are the components? How do they interact? How closely are they integrated? Same data model? Same interface? Single application? …)

Our core GRC platform, the MetricStream Enterprise Compliance Platform (ECP), is built on J2EE architecture and provides core services that enable rapid development and deployment of scalable, web-based applications that drive enterprise process management for governance, risk, and compliance. All GRC applications built and deployed on the platform tightly integrate together to give the users and management a seamless environment which functions as a single system for managing GRC-related processes, issues and data. There are 9 patents held by MetricStream for different functionalities of its Platform.

MetricStream’s broad suites of web-based solutions are designed to enable customers to manage risk and compliance management processes and activities across a wide range of disciplines, including auditing, regulatory compliance, risk management, industry standards, quality programs and other corporate governance initiatives. The solutions enable real-time collaboration and information sharing across the organization and provide visibility into the risk management and compliance process. The MetricStream solution suite includes:

  • Audit Management
  • Operational Risk Management
  • Enterprise Risk Management
  • Regulatory Compliance Management
  • Corporate Governance and Ethics
  • Sarbanes Oxley Compliance
  • Financial Controls
  • IT Audits & Compliance
  • Corporate Social Responsibility
  • Policy and Procedure Management
  • Case and Issue Management
  • Training Management
  • Six Sigma
  • ISO 9000 Compliance
  • Quality Management
  • CAPA Management
  • Nonconformance Management
  • Supplier Quality Management

MetricStream uniquely combines software and content to deliver solutions with embedded best practices templates, access to compliance training programs, and integration of business processes with regulatory notifications and industry alerts.

All MetricStream applications are built on MetricStream’s Enterprise Compliance Platform, a robust and scalable infrastructure that provides core services and capabilities leveraged by each module. The platform provides key services such as business process modeling, workflow, configurable forms, collaboration, real-time exception tracking, email alerts and notifications, integration, reports, executive dashboards, business intelligence, analytics, and access control.

Customers can choose to deploy individual modules or a set of modules depending on their priorities and immediate needs. When deployed in combination, the modules tightly integrate together to give the users a seamless environment which functions as a single system for GRC related issues and data.

4. Are you trying to deliver a complete GRC solution covering all aspects of GRC, or are you focusing on certain aspects only? Which GRC capabilities are you delivering? e.g. audit management, risk assessment, risk reporting, access control…

MetricStream’s broad suites of web-based solutions are designed to enable customers to manage risk and compliance management processes and activities across a wide range of disciplines, including auditing, regulatory compliance, risk management, industry standards, quality programs and other corporate governance initiatives. The solutions enable real-time collaboration and information sharing across the organization and provide visibility into the risk management and compliance process. The MetricStream solution suite includes:

  • Audit Management
  • Operational Risk Management
  • Enterprise Risk Management
  • Regulatory Compliance Management
  • Corporate Governance and Ethics
  • Sarbanes Oxley Compliance
  • Financial Controls
  • IT Audits & Compliance
  • Corporate Social Responsibility
  • Policy and Procedure Management
  • Case and Issue Management
  • Training Management
  • Six Sigma
  • ISO 9000 Compliance
  • Quality Management
  • CAPA Management
  • Nonconformance Management
  • Supplier Quality Management

5. What is your GRC software’s unique selling point compared to competitor products? (Please explain why only your software can deliver this advantage.)

MetricStream’s platform-based architecture is a key technical differentiator as it enables us to provide a common technology infrastructure for meeting ERM needs, cross-industry mandates and regulations such as SOX, OSHA, EH&S, FCPA, and ISO standard as well as the industry focused regulatory guidelines from FDA, FERC, FAA, HACCP, OMB A-123, AML, Basel II and Data Retention laws. Key differentiating factors are:

  • Scalable Solution Architecture
  • Ease of Configurability and Flexibility
  • Integrated Solution Suite
  • Powerful Workflow and Collaboration
  • Simplicity and Ease of Use
  • Unparalleled Reporting and Analytics
  • ComplianceOnline.com Powered Content

Market differentiators that have been instrumental in competitive customer wins include:

  • MetricStream’s vision, corporate profile, thought leadership and market recognition that highlights aspects that make MetricStream a strong long-term partner for customers. This includes our involvement with and initiatives for Corporate Social Responsibility programs – both as a corporate philosophy as well as a part of our solution roadmap.
  • MetricStream’s global customer-base among Fortune 1000 companies where the deployments are large, complex and intricate.
  • MetricStream’s strategic partnerships and associations with organizations like NASDAQ-OMX, TATA Consultancy Services and Kleiner-Perkins.

6. What are the top five benefits your customers gain when deploying your GRC solution?

  • Increased shareholder value through better management of risk across the enterprise.
  • Rationalization of controls and risks across categories.
  • Lower cost of compliance through faster mitigation and remediation of ‘issues’ – focus on issues by impact and likelihood.
  • Better visibility and assessment of risk and control on compliance initiatives across the enterprise (or parts of the enterprise).
  • Lower fees for external auditors and consultants.

7. As a rule of thumb, which GRC applications and technologies would you centralise? (Where would you apply single, company-wide solutions?)

The entire GRC program has to be common and consistent across the enterprise. The three most important ‘keys to success’ for organizations as they develop their GRC program are:

  • Strategic understanding of GRC so that it’s treated like a process and not a ‘project’
  • Identify the Key Performance Indicators that affect their business and GRC programs
  • Holistic view and framework of organizational risks and compliance areas – and the strategy to address them in an integrated manner – recognize the head and the long-tail of risks and compliance issues
  • Centralized GRC strategy with decentralized execution (as needed) and ability for employees and the extended enterprise at all levels of the organization to participate

8. Which areas of your GRC portfolio are you especially trying to improve / further develop in the near future?

  • Extended risk management analytics to include extensive modeling capabilities, algorithms that can be embedded in all processes and applications deployed on the MetricStream platform
  • Enhance GRC Analytics to incorporate Balanced Scorecard based key performance indicators and report against strategic objectives and goals
  • Strategic Usability Framework of a user-centric design to improve the usability and to reduce the complexity of integrated GRC applications. This includes a number of portal enhancements, configurable gadgets, nifty widgets, etc., that allow users to interact with each other better and more easily

9. What is your company’s vision of an ideal GRC process / technology setup in the future? How does your vision differ from GRC process and technology landscapes in organizations today?

MetricStream sees the following major trends driving the GRC marketplace:

  • The recession, failure of governance especially in banks, increasing regulations globally, consolidation trends will accelerate the focus of large corporations on Risk Management, Governance, Compliance Management and ROI driven Quality Management.
  • Due to increasing inter-relations between different aspects of risk, the need for a ‘federated approach’ to GRC will also continue to be a critical need.
  • Larger corporations will want to deploy solutions that are capable of handling Risk Compliance Governance Performance Management on a single platform – though they may start in one area and extend over time.
  • Vendor applications put in place in 2001 – 2004 will continue to be re-evaluated by corporations – in spite of budget pressures and replaced with true EGRC platforms.
  • GRC as a category will continue to subsume a number of new areas such as Green-Tech, CSR, Disaster Management and Supplier Governance.
  • While customers have so far focused on application functionality, technology and architecture will start to play an increasing role as customers will start viewing GRC as an infrastructure.
  • From a vendor perspective, consolidation will continue in the space leading to more companies offering more holistic functionality.

10. What do you consider to be the key technologies employed in GRC in the future?

The technology architecture of the future will provide unique benefits to customers. While the traditional approach has been to build an application for a specific business process, the right approach is to first create the platform that provides the core services (like workflow, reporting, access controls, security, etc.) and then build applications on top of it. This delivers a high degree of customer usability and gives the benefit of leveraging a common and shared plumbing while delivering applications that have a well-integrated back-end as well as front-end. This approach is followed by MetricStream, with the platform focusing on advancing the technological capabilities while the business applications focus on how those capabilities can be leveraged for delivering superior business applications. Such an architecture lends itself very well to being partner-enabled and ensures easy integration and cross-functionality, which inspires confidence among all partners and customers.