Our Solutions Have Helped Major Corporations
Through Integrated Compliance Approaches, Risk Management, and more
CASE STUDY: Global Oil and Energy Company
Integrated Compliance Approach
Our client, a global oil and energy company, had multiple compliance silos in place to provide assurance against internal and external technology requirements, including Sarbanes-Oxley, PCI DSS, technical security standards, project health checks and internal audit.
This led to a number of inefficiencies:
- Multiple testing of the same controls by different stakeholders
- Requirement for projects to engage with multiple risk and control teams to ensure projects were compliant
- Assurance activity heavily focused on a relatively small number of critical systems, with no assurance over the majority of the IT estate
2M Consultancy developed an integrated control framework, which enabled a clear linkage between the various internal and external control standards and regulations. We developed a custom solution to hold this framework and an interface between it and the client’s configuration management database, ensuring a view of compliance against an up-to-date list of IT systems.
2M Consultancy also developed a core set of controls, based on industry good practice such as ISO27001, to be applied as the minimum standard for all systems, regardless of criticality. Compliance with this core control set was measured via an ongoing self-assessment programme. We embedded checkpoints into the project management lifecycle to enable early identification of new systems that were in scope for regulations, and to ensure that project managers were provided with a clear view of the controls with which they needed to comply.
CASE STUDY: Global Payments Company
Our client, a global payments company, was reliant on Word- and Excel-based reporting and tracking to underpin their enterprise risk management process. Risks identified by internal audit and by projects were managed using similar manual processes. This resulted in a number of challenges:
- A disproportionate amount of time being spent on manually intensive risk reporting
- An inconsistent approach to the quality of risk documentation and risk ratings
- Because risks were maintained and updated by the risk team, the business did not take ownership of them
- Enterprise risk management, project risk management and audit treated as standalone processes with no overlap
We needed to automate their risk reporting and to ensure that the people responsible for acting on risks were kept informed.
2M Consultancy were initially engaged to develop an enhanced enterprise risk management framework and to roll it out using a tailored Archer solution.
This pilot led to a second phase of work to develop project risk management capability and audit management capability on Archer, and to integrate this content with the enterprise risk management solution.
The third phase of work has now started and will bring the client’s policies and regulations into Archer and enable them to be mapped against the risk framework. Regulatory and policy assurance work will also be captured in Archer, enabling a single view of risk and compliance across the organisation.