MetricStream Risk Management Solution v6.0
Strengths: Strong mapping for complex organizational models.
Weaknesses: On the high end of the price scale; documentation.
Verdict: Great high-end, fully integrated offering.
MetricStream Risk Management Solution enables organizations to identify, assess, quantify, monitor and manage their enterprise, operational and IT risks through an assessment-driven offering. MetricStream provides an integrated and flexible framework for documenting and assessing risks, defining controls, managing assessments and audits, identifying issues and implementing recommendations and remediation plans. The tool is part of the full MetricStream GRC offering. We reviewed the policy management and risk management components.
The tool is available as on-premise software or as a hosted solution. There is support for moving from a hosted solution to an in-house platform. MetricStream Solutions are deployed as an N-tier web-based application architecture and built on standards, such as J2EE and XML. The application layer runs on Oracle.
The user interface is web-based and done well. It delivers a large amount of information in an easy-to-navigate, non-cluttered and well-organized format. There are built-in productivity and collaboration tools and a pleasing geo-mapping tool for visualizing one's enterprise. There are plenty of templates available for policies, risk, controls, assessments and issue management, all built around the COSO and ISO 31000 frameworks. One can create links among regulations, policies, risks, controls and organizations. This process takes complex relationships and makes correlating simple. Another solid outcome of this is an interconnection map that delivers a great graphical representation of all the above.
The tool is assessment-driven. Once created, the assessments are assigned via email to chosen parties. There are embedded links that will take them to their respective parts in the questionnaire. One answers specific questions and uploads any evidence required. Uploaded files are tracked to the individual question and available for any of the controls it supports. The modules are all fully integrated. The risk and control assessments integrate with the loss management engine. One can keep an up-to-date profile using continuous risk assessments for vulnerabilities, threats and external data feeds, and tie it all together using key performance and risk indicators.
There is an integrated issue-management module that tracks actions and remediations. We could not tell from the documentation if there was an integrated ticketing system for assigning work, but the product does have great integration capabilities to other third-party solutions.
The Policy Management Solution provides a flexible framework to streamline the creation and management of corporate policies to facilitate accountability and foster communication. The solution enables companies to adopt an electronic and automated approach to the development, maintenance and communication of policies and procedures across the enterprise. The annual support and maintenance cost is 20 percent for eight-hours-a-day/five-days-a-week, 25 percent for 24/5 and 35 percent for 24/7. By automating the entire risk management process through collaborative workflows and a common data model, the solution provides timely, actionable information.