
Overview

MetricStream's industry-leading ConnectedGRC platform enables organizations to Thrive on Risk by providing visibility and control across your organization. Only MetricStream combines deep domain expertise across GRC focus areas, with our in-depth product lines and a flexible SaaS-based integrated risk platform that equips you to make quick, consistent decisions across business units. With product flexibility, scalability and diversity in risk management tools, MetricStream's product suite can be used for a particular use-case and scaled up as requirements increase, to meet all your risk management requirements. Pricing and configuration options range to support mid-sized organizations to global enterprises.
ConnectedGRC Products:
- BusinessGRC: Enterprise & Operational Risk, Business Continuity Management, Regulatory Compliance, Internal Audit, Third Party Risk, Risk Quantification. Empowers risk leaders across business units to automate the processes associated with identifying, managing and converting risk into a strategic advantage.
- CyberGRC: IT & Cyber Compliance, IT & Cyber Policy, IT & Cyber Risk, IT Vendor Risk, Cyber Risk Quantification, AI & Mobile. Manage IT & Cyber risks across the entire spectrum. Risk Assessments with pre-packaged risk scoring algorithms allow you to quickly build Risk Heat Maps and obtain quantified risk ratings. An advanced GRC library allows you to quickly support IT audits such as ISO 27001, NIST, SOC 2 and many more. Integrations with AWS Audit Manager and several industry-leading vulnerability scanners, ITSM solutions and content libraries enable a single, consolidated and intelligent view of risks across the entire organization*.
*CyberGRC Workshop - for a limited time AWS Customers can take advantage of a 'fee waived' CyberGRC Workshop facilitated by MetricStream subject matter experts. Ensure you are building a high-value, sustainable cyber risk management program. What you get: You'll leave with a path to optimize your cyber risk management program, rationalize spend while reducing risk.
Highlights
- Ready to Use from Day 1 with pre-packaged frameworks and embedded AI-powered recommendations
- Fast Time to Value - 2 to 4 weeks to roll out and adopt
- Easy Expansion - Grows with you as you expand your business
Details
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Pricing
| Dimension | Description | Cost/36 months |
|---|---|---|
| CyberGRC - Prime | IT Risk Assessments, Reporting, Scoring and Centralized Management | $180,000.00 |
| ESGRC - Prime | Environmental and Social Governance Solution | $180,000.00 |
| CyberGRC Workshop | Fee Waived interactive workshop on optimizing your cyber risk program | $1.00 |
Vendor refund policy
Refund Policy is not applicable
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Support
Vendor support
For additional support, please contact MetricStream Support by email or ticket at support@metricstream.com.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
- FedRAMP
- GDPR
- HIPAA
- ISO/IEC 27001
- PCI DSS
- SOC 2 Type 2
Standard contract
Customer reviews
Automation has streamlined audits and reduced effort but templates and analytics still need improvement
What is our primary use case?
My main use case for MetricStream is the automation of the IT audit process, governance, risk, and compliance. I was working for a specific third-party client who was implementing MetricStream, and I was contracted to be the administrator of it. As an administrator, I started setting up the MetricStream process by entering the controls: I started by entering the business process, followed by the financial controls, and then the supporting IT general controls. For each of these controls, I would identify the point of contact, the process owners, and other relevant parties so that they would be responsible for sign-off on the controls. I configured the setup such that if an analyst or an IT audit GRC analyst sends the control evidence, and the sign-off is pending from the control owner, the control owner would receive a notification indicating that, as part of the audit period, the sign-off has to occur. I also configured dashboards in MetricStream for the specific status of the IT audit, which mostly concerned SOX 404 IT general controls testing.
What is most valuable?
One major thing about MetricStream is its alerting, which was much better than the tool called Resolver GRC, where it not only provided dashboards or the status of the audits, but I could also attach evidence. In that way, evidence is not lost in emails for the audit; it is entirely within the tool.
The best features that MetricStream offers for the automation of audits include the alerting system and the ability to attach evidence. These two things are what I found to be among the best.
In the absence of the evidence attaching system, the evidence would have had to be sent in an email, which would result in a file sitting on a desktop. However, with the evidence attaching system, the file is now within the tool, so it is in the cloud. This way, one never faces issues if someone loses their laptop or if data corruption occurs; you still have access to the evidence for the audit period. It is not dependent on any person anymore. It is very easy to track back on the status of the audit since the application is in the cloud, and none of the data is shared via email, making it much more secure. The alerting system keeps the auditors informed about when an audit is pending and what the timeline is, so they understand their responsibility and are able to respond efficiently.
For our client, MetricStream made the audits incredibly efficient. In real time, I could provide the status of the audit to stakeholders, indicating which controls had deviations, which control was pending, and who it was pending on. It helps in bringing responsibility and ownership to a person, making it much more efficient and faster to conduct audits and understand audit status. Instead of having to hold status calls, with MetricStream, you could just log on, look at the dashboard, and understand where you are in meeting your targets.
There were definitely fewer daily status meetings required after implementing MetricStream; only a weekly status meeting was needed, which involved a walkthrough of the dashboard and what had been done. Overall, the audit time became much more efficient because it was now a nine to five process without last-minute sign-offs at midnight or one day before the audit.
What needs improvement?
MetricStream at that point did not have a template, and I had to build the entire SOX 404 IT general controls testing framework myself. It depended on how knowledgeable the person using it was. If pre-built templates existed for the latest ISO 27000, ISO 4200, or NIST 853 frameworks, that would be far more helpful.
If MetricStream could provide certifications that the public could learn about MetricStream rather than only offering them to partners, that would be beneficial.
For how long have I used the solution?
I have been working in my current field for almost ten years, more than a decade of experience.
What do I think about the stability of the solution?
MetricStream is stable; I never faced any major errors or outages.
What do I think about the scalability of the solution?
MetricStream was pretty scalable, and I was able to deploy it across multiple business processes and integrate it.
How are customer service and support?
Customer support was very quick to respond anytime I needed assistance. I would rate the customer support about eight out of ten.
Which solution did I use previously and why did I switch?
I was previously using Resolver GRC and switched because Resolver GRC did not have all the advanced capabilities that MetricStream had, including advanced features.
What was our ROI?
I definitely saw a return on investment; a lower audit headcount was required, which saved us money and time on audits. Overall, it helped us because I reduced the headcount and used MetricStream instead, and the number of hours I needed was lower, with no overtime required.
What's my experience with pricing, setup cost, and licensing?
My experience with the pricing, setup cost, and licensing was that it was reasonable.
What other advice do I have?
Overall, the API integrations of MetricStream were very good, and I did not face any issues, so it was good.
I did not face any major challenges when customizing MetricStream to fit my organization's needs. The only point was that pre-built templates were absent, which led to a little bit of a learning curve. The good news was that I could customize it very well, so overall, the customization experience was good.
The reporting capabilities of MetricStream were amazing. The dashboards that I created for audits and the reports produced were very good. However, overall, the product did not have analytical capabilities at that time.
The user interface and user experience of MetricStream were intuitive and easy to use.
When I worked with MetricStream, the AI capabilities did not exist because I used MetricStream from 2011 to 2013, during which it did not have any artificial intelligence capabilities.
At the time I worked on MetricStream, AI capabilities were not in place, so I could not provide details about its accuracy and reliability of output.
In the era of different GRC tools available, my advice is that MetricStream is much more reliable because it has been around for a long time and has provided good support to everyone requiring it since the old days. Therefore, it is a reliable tool. I would rate this review overall a seven out of ten.
Centralized compliance workflows have improved audit readiness but still need better UX and analytics
What is our primary use case?
My main use case for MetricStream is to design the GRC workflow. At PG&E, I leverage MetricStream GRC to support compliance with NERC, the North American Electric Reliability Corporation reliability standards, by designing and configuring the end-to-end compliance workflows. I collaborate with compliance subject matter experts, auditors, and other business stakeholders to translate the NERC standards and requirements into structured controls, assessments, and evidence collection processes, issue management workflows, and remediation tracking within MetricStream. I map regulatory obligations to control activities, configure the approval workflows, automate compliance attestations and notifications, and establish traceability between standards, controls, risks, findings, and corrective action plans. By doing this, it enables centralized compliance monitoring, improves audit readiness, reduces manual tracking efforts, and provides leadership with real-time visibility into compliance status across multiple NERC standards.
This solution streamlines compliance operations, reduces manual effort by approximately thirty-five percent, improves audit preparedness, and provides real-time reporting and dashboards for compliance leadership overseeing programs impacting about twenty-three thousand plus employees at PG&E. Overall, this was the specific use case I have used MetricStream for.
What is most valuable?
The top MetricStream features that I found most valuable are control and compliance mapping, workflow automation, issue and corrective action management, and the evidence management repository. Control and compliance mapping was one of the most powerful features for NERC compliance as we can map NERC standards and requirements directly to controls, risks, evidence, and corrective actions, creating end-to-end traceability. During audits, it is very easy to demonstrate which controls satisfy specific regulatory obligations.
Workflow automation allowed us to automate approval workflows, evidence collection requests, compliance attestations, and issue remediation activities, significantly reducing manual follow-ups and email-based tracking. The issue and corrective action management feature provides a structured process for tracking issues, assigning owners, monitoring due dates, and validating remediation activities. The evidence management repository creates a centralized location to manage everything from documents to reports, screenshots, and audit artifacts, creating a single source of truth.
Other helpful features include the dashboard and executive reporting, as well as risk control regulation relationships. These were the features I found most valuable in MetricStream.
What needs improvement?
Since I have used MetricStream for the last three years, one of the top improvements that comes to my mind is enhanced user experience and UX/UI. I believe that while MetricStream is highly configurable, some workflows can feel really complex for occasional users or first-time users, and I do not find the existing UI/UX experience very intuitive. A more intuitive interface with simplified navigation and role-based dashboards could reduce training time and improve user adoption for both first-time and occasional users.
Additionally, MetricStream could include advanced analytics and AI capabilities. More AI-driven insights using predictive risk analysis and intelligent recommendations could help organizations identify compliance gaps before they become audit findings. Furthermore, simplified configuration and integration could be beneficial; configuring workflows, forms, and integrations currently requires a lot of specialized expertise. Low-code or no-code enhancements and easier integration with enterprise systems such as SharePoint, ServiceNow, SAP, or Azure DevOps could reduce implementation effort and operational time.
The reporting needs enhancement, perhaps by including role-based reporting and simplifying the dashboard, which currently has too much information and can overwhelm first-time or occasional users. It would be better to show only what is necessary or introduce configurations to display what each user wants to see on their dashboard.
MetricStream could definitely improve its accuracy and reliability of output. It could provide more curated, personalized recommendations instead of generic suggestions. Additionally, MetricStream could develop recommendations that align with role-based dashboards instead of providing uniform recommendations across the board.
For how long have I used the solution?
I have been using MetricStream for three years.
What do I think about the stability of the solution?
MetricStream's performance is reliable for daily compliance operations, reporting, and workflow executions. For large data loads and complex reports, it is important to maintain responsiveness and user experience, but overall, MetricStream performs well in managing large volumes of data.
What do I think about the scalability of the solution?
MetricStream demonstrates strong scalability by supporting enterprise compliance programs with large volumes of regulatory requirements, controls, assessments, evidence records, and user activity. It effectively supports thousands of users and NERC compliance workflows. Proper configuration, data management, and performance monitoring are important to maintain efficiency as usage grows.
How are customer service and support?
The customer support is great. They assist with all initial questions and if any glitches occur, they are prompt in helping us understand how to configure things. Additionally, when needed, they help set up additional training to walk us through demos of each module to help us make the best use of MetricStream for our organization's needs.
How was the initial setup?
We follow the training guide provided by MetricStream, and we are able to integrate it easily with our systems and data sources, although we did encounter some initial bottlenecks, which we resolved and moved forward.
What about the implementation team?
In my organization, we have a MetricStream onboarding training that I took. Once I completed that, I gained a good understanding of how MetricStream works and started using it to build and design all the GRC workflows.
What was our ROI?
MetricStream delivers measurable return on investment by reducing manual compliance activities, improving audit readiness, and streamlining evidence management. At PG&E, we observe approximately a thirty-five percent reduction in manual effort due to workflow automation and centralized documentation, which leads to faster evidence retrieval, improved remediation tracking, and better visibility into compliance status. Therefore, I see a positive and substantial return on investment.
What's my experience with pricing, setup cost, and licensing?
I did not handle the pricing, setup cost, and licensing aspects of MetricStream, as that was managed by another team at PG&E overseeing all applications. I was involved once MetricStream was deployed and started building the GRC workflows, so I do not have any experience with pricing, setup costs, and licensing.
Which other solutions did I evaluate?
Before selecting MetricStream, we evaluated other GRC platforms such as ServiceNow GRC, Archer, and SAP GRC based on scalability, compliance capabilities, workflow flexibility, and integration. I think MetricStream is a stable platform for managing enterprise compliance, supporting NERC standard requirements, audit, evidence management, and regulatory workflows reliably at PG&E.
What other advice do I have?
My advice to others looking into using MetricStream is to clearly define compliance processes, data structures, and user roles before implementing it. Investing time in workflow design, stakeholder alignment, and user training is crucial to maximize adoption. Organizations should also focus on integration strategies, reporting needs, and continuous optimization to ensure MetricStream delivers long-term value for their GRC programs. I would rate this product a seven out of ten.
Centralized risk libraries have streamlined audits and now highlight clunky workflows and upgrades
What is our primary use case?
My main use case for MetricStream is for audit and risk management.
What is most valuable?
We utilize MetricStream for audit and risk management by developing risk dashboarding and risk library development, standardizing libraries across enterprise organizations where risk management, corporate audit, and other business units can all utilize the same system of record and libraries.
MetricStream's shared system works well across all business units by standardizing similar risks and controls that exist across multiple business units. For instance, IT risk management and information security risk management have overlapping risks and controls, but we standardize them into one centralized risk and control.
The best features MetricStream offers take into consideration all the elements of a full governance, risk, and compliance system from both risk management to corporate audit, being able to develop applications within the solution that meet our needs, having a degree of full customization, as well as reporting, utilizing Infolets and Info Centers to establish reports that may not typically be out of the box and are definitely value-added.
MetricStream's customization and reporting have helped my work significantly. Compared to other systems, we have had the ability to essentially write SQL code that allows us to develop a report in real time that gives us insight into various different KPIs or KRIs leveraged across the organization. In comparison to other systems where you might be limited on what you can develop a separate report on, most of the fields and data captured within MetricStream have been reportable.
A favorite aspect I have regarding MetricStream is a love-hate relationship. The record level security sometimes backfires in terms of configuration, but usually it is relatively easy to work around.
MetricStream has positively impacted my organization by reducing silos across the organization. Having a centralized risk library maintained by risk management allows the corporate audit team to shave time off annual planning and enables more audit work to be done by ensuring validity of risks and controls in the system to support audit testing.
Since implementing MetricStream, audit teams have shaved about two weeks off of annual planning across various teams, allowing audit departments of about 140 auditors across maybe 10 teams to squeeze in 10 extra audits, one audit per each team, if not additional testing.
What needs improvement?
MetricStream can be improved in several areas. Sometimes the overall flow of the application can seem a bit clunky, based on feedback from clients.
From my understanding and what I have heard from developers within MetricStream during my deeper use of the application, the application seems to have been developed within silos, and the interaction of certain applications internally could definitely be improved in terms of the overall coding that exists between applications within the solution.
The only improvement I suggest for MetricStream is to gather a collaborative think tank from several of the largest clients and compile feedback to prioritize suggested enhancements from multiple organizations.
For how long have I used the solution?
I have been using MetricStream for a combined total of about six years.
What do I think about the stability of the solution?
MetricStream is mostly stable.
What do I think about the scalability of the solution?
MetricStream's scalability is adaptable, though the biggest issue I have encountered with clients has been around upgrades that require re-implementing customizations to the out-of-box solutions after significant upgrades.
How are customer service and support?
Customer support from MetricStream has been great. We had to engage with senior management from time to time, but they were responsive and quick in working through our issues.
Which solution did I use previously and why did I switch?
Before MetricStream, we used Archer, Ideagen, and Thomson Reuters Paisley. We switched because MetricStream was much more robust.
What was our ROI?
I have not seen specific metrics on return on investment with MetricStream, outside of reducing silos and allowing time savings off of annual planning.
What's my experience with pricing, setup cost, and licensing?
In terms of pricing, setup cost, and licensing for MetricStream, we did run into issues with insufficient licensing, but the ability to acquire new licenses was relatively quick and effortless.
Which other solutions did I evaluate?
Before choosing MetricStream, we did evaluate other options depending on the client. We chose Archer for one installation and Thomson Reuters for another implementation.
What other advice do I have?
My advice for others looking into using MetricStream is to ensure collective representation from all business units that will be clients of the application across the organization. For example, in a bank, make sure you have audit, risk management, and other departments involved. I would rate this review a 7.
Limited customization has forced reliance on support but has provided structured audit dashboards
What is our primary use case?
My main use case for MetricStream was that I was a developer and I prepared templates for a client while also testing the UI platform for the client.
I can give a specific example of a template I prepared for a client. We had a task about what the client wanted, about the solution, about governance, about the tech template, and about SOX compliance. After we had some points, I created forms. It was basically something similar to Microsoft Forms. I prepared templates within MetricStream and took these blocks to create components together, something resembling Lego parts.
When I was a developer, this was a quite narrow template, and it consisted mostly of pieces from a constructor. I created one large form for the client. However, the main issue is that if a client needs something larger or more custom, there are no tools to change these blocks. Instead, I need to create a task for the developer team. Additionally, my customer team from MetricStream is located in India. A significant issue is with technical support because for the first month, they do not have any time and they do not want to change anything. Basically, I only have access to the UI and do not have access to the code base. However, for developers preparing solutions for clients who need to make a change in the code base, it would be much easier to change our own code rather than wait two or three months.
What is most valuable?
The best features MetricStream offers are the nice dashboards. However, I believe that the same system could be built much cheaper. With the help of one Python developer and one data engineer, it could be created more easily. To me, it appears to be mostly a marketing-driven product, functioning basically as a better package for something similar to Microsoft Forms.
Regarding features, I think it was nice when I knew what was needed, and when a client had seen the issue beforehand. MetricStream is something like an all-in-one solution where I do not need to write scripts or conduct audits. However, it may be a cheaper option when an audit is not necessary, such as a Microsoft audit or governance audit. It might be cheaper for two or three months, but when deeper research on a company is needed, it is not suitable. Essentially, it is an audit platform with a nice dashboard.
MetricStream has positively impacted my organization because we sell it in Europe. However, I implemented it at a couple of companies and I do not see any positive impact. For the client, they can see a nice platform with a friendly UI and a dashboard. For a developer, there is basically no added value because all these things can be obtained from scripts. Scripts can be written easily and are a really cheap alternative. I do not see any reason to buy MetricStream for a couple of thousand euros per month when scripts can be written with internal audit, cyber risk audit, or policy searching capabilities. Essentially, it is a business version of Grafana.
A specific example of how a client benefited from using MetricStream is that it is better for usability. If a client needs to check risk inside a cloud environment or internal environment, they have a nice dashboard with compliance status, open issues, and key risk information. If the management part is implemented, there is also a nice dashboard with compliance status ranging from zero to 100, control test requests and results, and a nice dashboard from the forms.
What needs improvement?
MetricStream can be improved in the area of developers. There are two parts of developers: those who prepare solutions for clients and those from India who support the application. The support part is terrible, rating about one out of ten. The support quality needs significant improvement.
For how long have I used the solution?
I have been using MetricStream for one to one and a half years.
What do I think about the stability of the solution?
MetricStream is stable, but if there is an issue, it will be complicated to resolve with the support team.
What do I think about the scalability of the solution?
The scalability of MetricStream is basically easy. I can create many forms, but there is a cost associated with it.
How are customer service and support?
The customer support of MetricStream is terrible.
Which solution did I use previously and why did I switch?
Before MetricStream, we used Databricks and scripts for audit checks and our cybersecurity implementation. However, the business decided to switch to MetricStream and started selling MetricStream to other clients. I do not think it was a good solution because after a couple of months or years, we came back to manual checks.
How was the initial setup?
I did not purchase MetricStream through the AWS Marketplace.
What about the implementation team?
My company had a business relationship with the vendor other than being a customer because I was a reseller at my old company. Currently, I do not use MetricStream in my current job.
What was our ROI?
I have not seen a return on investment.
What other advice do I have?
The advice I would give to others looking into using MetricStream is to not use MetricStream. I would rate this recommendation a four out of ten.