Risk IT Case Study: MetLife Enhances Risk Management 


About the Enterprise

MetLife, Inc. (www.metlife.com) is a leading provider of insurance and other financial services to millions of individual and institutional customers throughout the United States. Outside of the US, MetLife companies have direct insurance operations in Asia, Latin America and Europe.

Situation and Benefits

MetLife has robust operational risk management programs and is focused on continually enhancing them to provide the highest level of protection. Operational risk management has never been more important than in today’s environment, and as an industry leader, MetLife considers averting risk to its clients, stakeholders and reputation to be paramount. While every business is exposed to some level of risk, it is MetLife’s attention to and successful management of those risks that sets it apart from the others. Establishing IT risk management processes and embedding them into the business has allowed MetLife to reduce operational losses, prioritize investments effectively, react to business changes with confidence, and concentrate resources on the highest-risk areas.

MetLife seeks to continually enhance its IT risk management processes to keep pace with leading practices, the dynamic regulatory environment and the ever-changing technology environment. Many MetLife IT risk professionals participate in a variety of research groups and professional organizations, including ISACA, to remain current on industry best practices and other companies’ risk management protocols. To this end, when ISACA released its draft Risk IT Framework, MetLife IT risk professionals reviewed and compared the framework with MetLife’s IT risk management practices to locate improvement opportunities to enhance its risk management programs. Given the widespread adoption of the COBIT framework, MetLife professionals anticipated and prepared for the Risk IT Framework to become a globally accepted source of best practices.

When the final version was published, MetLife’s IT risk professionals quickly leveraged the document to create a MetLife-specific IT Risk Management Framework. While ISACA’s version was easily understood and digested by risk professionals, MetLife customized a framework that used internal terminology, summarized certain areas, and expanded on others to ensure the document could be easily understood and used globally across the enterprise. The tailored version enables management to understand, consider and communicate all aspects of managing IT risk consistently across the global enterprise and better connect them to business operational risk activities.

MetLife’s IT Risk Management Framework is not intended to be a policy or procedure, but rather a description of what processes and activities management should strive to mature in accordance with existing company policies. Similar to the ISACA Risk IT Framework, the MetLife IT Risk Management Framework is composed of three domains: risk governance, risk evaluation and risk response. It provides details on the processes and associated activities required to meet the objectives of these three domains, including who is responsible, accountable, consulted and informed (RACI) on each of these activities, as well as potential metrics that can be used to monitor risk management activities and the state of compliance with risk management policies and standards.

Once the MetLife IT Risk Management Framework was drafted, IT risk professionals, in coordination with Internal Audit, performed a process maturity analysis to identify the processes and activities on which they wanted to focus continuous improvement efforts (see attached template). The IT Risk and Compliance Group then prioritized the focus areas and created a three-year continuous improvement road map, primarily focused on converging the activities of MetLife’s various risk functions to reduce assessment fatigue within IT and the business lines while increasing process efficiency and effectiveness. Progress against the road map is overseen by the leaders of the Operational Risk Management, Internal Audit, and IT Risk and Compliance functions. Finally, the framework was presented at a high level (see figure below) to the Audit Committee and senior IT leadership to add momentum to the continuous improvement efforts.

Plans for the Future

The IT Risk and Compliance Group at MetLife plans to use the MetLife IT Risk Management Framework to perform a process maturity analysis on an annual basis, updating its continuous improvement road map based on the results of the analysis, regulatory requirements, available resources and management’s desired process maturity.