MetricStream Reviews

My main use case for MetricStream is to design the GRC workflow. At PG&E, I leverage MetricStream GRC to support compliance with NERC, the North American Electric Reliability Corporation reliability standards, by designing and configuring the end-to-end compliance workflows. I collaborate with compliance subject matter experts, auditors, and other business stakeholders to translate the NERC standards and requirements into structured controls, assessments, and evidence collection processes, issue management workflows, and remediation tracking within MetricStream. I map regulatory obligations to control activities, configure the approval workflows, automate compliance attestations and notifications, and establish traceability between standards, controls, risks, findings, and corrective action plans. By doing this, it enables centralized compliance monitoring, improves audit readiness, reduces manual tracking efforts, and provides leadership with real-time visibility into compliance status across multiple NERC standards.

This solution streamlines compliance operations, reduces manual effort by approximately thirty-five percent, improves audit preparedness, and provides real-time reporting and dashboards for compliance leadership overseeing programs impacting about twenty-three thousand plus employees at PG&E. Overall, this was the specific use case I have used MetricStream for.

The top MetricStream features that I found most valuable are control and compliance mapping, workflow automation, issue and corrective action management, and the evidence management repository. Control and compliance mapping was one of the most powerful features for NERC compliance as we can map NERC standards and requirements directly to controls, risks, evidence, and corrective actions, creating end-to-end traceability. During audits, it is very easy to demonstrate which controls satisfy specific regulatory obligations.

Workflow automation allowed us to automate approval workflows, evidence collection requests, compliance attestations, and issue remediation activities, significantly reducing manual follow-ups and email-based tracking. The issue and corrective action management feature provides a structured process for tracking issues, assigning owners, monitoring due dates, and validating remediation activities. The evidence management repository creates a centralized location to manage everything from documents to reports, screenshots, and audit artifacts, creating a single source of truth.

Other helpful features include the dashboard and executive reporting, as well as risk control regulation relationships. These were the features I found most valuable in MetricStream.

Since I have used MetricStream for the last three years, one of the top improvements that comes to my mind is enhanced user experience and UX/UI. I believe that while MetricStream is highly configurable, some workflows can feel really complex for occasional users or first-time users, and I do not find the existing UI/UX experience very intuitive. A more intuitive interface with simplified navigation and role-based dashboards could reduce training time and improve user adoption for both first-time and occasional users.

Additionally, MetricStream could include advanced analytics and AI capabilities. More AI-driven insights using predictive risk analysis and intelligent recommendations could help organizations identify compliance gaps before they become audit findings. Furthermore, simplified configuration and integration could be beneficial; configuring workflows, forms, and integrations currently requires a lot of specialized expertise. Low-code or no-code enhancements and easier integration with enterprise systems such as SharePoint, ServiceNow, SAP, or Azure DevOps could reduce implementation effort and operational time.

The reporting needs enhancement, perhaps by including role-based reporting and simplifying the dashboard, which currently has too much information and can overwhelm first-time or occasional users. It would be better to show only what is necessary or introduce configurations to display what each user wants to see on their dashboard.

MetricStream could definitely improve its accuracy and reliability of output. It could provide more curated, personalized recommendations instead of generic suggestions. Additionally, MetricStream could develop recommendations that align with role-based dashboards instead of providing uniform recommendations across the board.

I have been using MetricStream for three years.

MetricStream's performance is reliable for daily compliance operations, reporting, and workflow executions. For large data loads and complex reports, it is important to maintain responsiveness and user experience, but overall, MetricStream performs well in managing large volumes of data.

MetricStream demonstrates strong scalability by supporting enterprise compliance programs with large volumes of regulatory requirements, controls, assessments, evidence records, and user activity. It effectively supports thousands of users and compliance NERC compliance workflows. Proper configuration, data management, and performance monitoring are important to maintain efficiency as usage grows.

The customer support is great. They assist with all initial questions and if any glitches occur, they are prompt in helping us understand how to configure things. Additionally, when needed, they help set up additional training to walk us through demos of each module to help us make the best use of MetricStream for our organization's needs.

We follow the training guide provided by MetricStream, and we are able to integrate it easily with our systems and data sources, although we did encounter some initial bottlenecks, which we resolved and moved forward.

In my organization, we have a MetricStream onboarding training that I took. Once I completed that, I gained a good understanding of how MetricStream works and started using it to build and design all the GRC workflows.

MetricStream delivers measurable return on investment by reducing manual compliance activities, improving audit readiness, and streamlining evidence management. At PG&E, we observe approximately a thirty-five percent reduction in manual effort due to workflow automation and centralized documentation, which leads to faster evidence retrieval, improved remediation tracking, and better visibility into compliance status. Therefore, I see a positive and substantial return on investment.

I did not handle the pricing, setup cost, and licensing aspects of MetricStream, as that was managed by another team at PG&E overseeing all applications. I was involved once MetricStream was deployed and started building the GRC workflows, so I do not have any experience with pricing, setup costs, and licensing.

Before selecting MetricStream, we evaluated other GRC platforms such as ServiceNow GRC, Archer, and SAP GRC based on scalability, compliance capabilities, workflow flexibility, and integration. I think MetricStream is a stable platform for managing enterprise compliance, supporting NERC standard requirements, audit, evidence management, and regulatory workflows reliably at PG&E.

My advice to others looking into using MetricStream is to clearly define compliance processes, data structures, and user roles before implementing it. Investing time in workflow design, stakeholder alignment, and user training is crucial to maximize adoption. Organizations should also focus on integration strategies, reporting needs, and continuous optimization to ensure MetricStream delivers long-term value for their GRC programs. I would rate this product a seven out of ten.

My main use case for MetricStream is the automation of the IT audit process, governance, risk, and compliance. I was working for a specific third-party client who was implementing MetricStream, and I was contracted to be the administrator of it. As an administrator, I started setting up MetricStream process by entering the controls and started by entering the business process, followed by the financial controls, and then the supporting IT general controls. For each of these controls, I would identify the point of contact, the process owners, and other relevant parties so that they would be responsible for sign-off on the controls. I configured the setup such that if an analyst or an IT audit GRC analyst sends the control evidence, and if the sign-off is pending from the control owner, the control owner would receive a notification indicating that as part of the audit period, the sign-off has to occur. I also configured dashboards in MetricStream for the specific status of the IT audit, which mostly concerned SOX 404 IT general controls testing.

One major thing about MetricStream is its alerting, which was much better than the tool called Resolver GRC, where it not only provided dashboards or the status of the audits, but I could also attach evidences. In that way, evidences are not lost in emails for the audit; they are entirely within the tool.

The best features that MetricStream offers for the automation of audits include the alerting system and the ability to attach evidence. These two things are what I found to be among the best.

The evidence attaching system, in the absence of it, would have required sending the evidence in an email, which would result in a file sitting on the desktop. However, with the evidence attaching system, the file is now within the tool, so it is on the cloud. This way, one never faces issues if someone loses their laptop or if data corruption occurs; you still have access to the evidence of the audit period. It is not dependent on any person anymore. It is very easy to track back on the status of the audit since the application is in the cloud, and all the data is not shared via email, making it much more secure. The alerting system keeps the auditors informed about when an audit is pending, what the timeline is, so they understand their responsibility and are able to efficiently respond.

For our client, MetricStream made the audits incredibly efficient. In real time, I could provide the status of the audit to stakeholders, indicating which controls had deviations, which control was pending, and who it was pending on. It helps in bringing responsibility and ownership to a person, making it much more efficient and faster to conduct audits and understand audit status. Instead of having to hold status calls, with MetricStream, you could just log on, look at the dashboard, and understand where you are in meeting your targets.

There were definitely fewer daily status meetings required after implementing MetricStream; only a weekly status meeting was needed, which involved a walkthrough of the dashboard and what had been done. Overall, the audit time became much more efficient because it was now a nine to five process without last-minute sign-offs at midnight or one day before the audit.

MetricStream at that point did not have a template, and I had to build the entire SOX 404 IT general controls testing framework myself. It depended on how knowledgeable the person using it was. If pre-built templates existed for the latest ISO 27000, ISO 4200, or NIST 853 frameworks, that would be far more helpful.

If MetricStream could provide certifications that the public could learn about MetricStream rather than only offering them to partners, that would be beneficial.

I have been working in my current field for almost ten years, more than a decade of experience.

MetricStream is stable; I never faced any major errors or outages.

MetricStream was pretty scalable, and I was able to deploy it across multiple business processes and integrate it.

Customer support was very quick to respond anytime I needed assistance. I would rate the customer support about eight out of ten.

I was previously using Resolver GRC and switched because Resolver GRC did not have all the advanced capabilities that MetricStream had, including advanced features.

I definitely saw a return on investment; there was a lesser number of audit headcount required, which saved us money and time on audits. Overall, it helped us because I reduced the number of headcount and used MetricStream instead, and the number of hours I needed was less, with no overtime required.

My experience with the pricing, setup cost, and licensing was that it was reasonable.

I only evaluated Archer at that time, but I preferred MetricStream over Archer.

Overall, the API integrations of MetricStream were very good, and I did not face any issues, so it was good.

I did not face any major challenges when customizing MetricStream to fit my organization's needs. The only point was that pre-built templates were absent, which led to a little bit of a learning curve. The good news was that I could customize it very well, so overall, the customization experience was good.

The reporting capabilities of MetricStream were amazing. The dashboards that I created for audits and the reports produced were very good. However, overall, the product did not have analytical capabilities at that time.

The user interface and user experience of MetricStream were intuitive and easy to use.

When I worked with MetricStream, the AI capabilities did not exist because I used MetricStream from 2011 to 2013, during which it did not have any artificial intelligence capabilities.

At the time I worked on MetricStream, AI capabilities were not in place, so I could not provide details about its accuracy and reliability of output.

In the era of different GRC tools available, my advice is that MetricStream is much more reliable because it has been around for a long time and has provided good support to everyone requiring it since the old days. Therefore, it is a reliable tool. I would rate this review overall a seven out of ten.

My main use case for MetricStream is for audit and risk management.

We utilize MetricStream for audit and risk management by developing risk dashboarding and risk library development, standardizing libraries across enterprise organizations where risk management, corporate audit, and other business units can all utilize the same system of record and libraries.

MetricStream's shared system works well across all business units by standardizing similar risks and controls that exist across multiple business units. For instance, IT risk management and information security risk management have overlapping risks and controls, but we standardize them into one centralized risk and control.

The best features MetricStream offers take into consideration all the elements of a full governance, risk, and compliance system from both risk management to corporate audit, being able to develop applications within the solution that meet our needs, having a degree of full customization, as well as reporting, utilizing Infolets and Info Centers to establish reports that may not typically be out of the box and are definitely value-added.

MetricStream's customization and reporting have helped my work significantly. Compared to other systems, we have had the ability to essentially write SQL code that allows us to develop a report in real time that gives us insight into various different KPIs or KRIs leveraged across the organization. In comparison to other systems where you might be limited on what you can develop a separate report on, most of the fields and data captured within MetricStream have been reportable.

A favorite aspect I have regarding MetricStream is a love-hate relationship. The record level security sometimes backfires in terms of configuration, but usually it is relatively easy to work around.

MetricStream has positively impacted my organization by reducing silos across the organization. Having a centralized risk library maintained by risk management allows the corporate audit team to shave time off annual planning and enables more audit work to be done by ensuring validity of risks and controls in the system to support audit testing.

Since implementing MetricStream, audit teams have shaved about two weeks off of annual planning across various teams, allowing audit departments of about 140 auditors across maybe 10 teams to squeeze in 10 extra audits, one audit per each team, if not additional testing.

MetricStream can be improved in several areas. Sometimes the overall flow of the application can seem a bit clunky, based on feedback from clients.

From my understanding and what I have heard from developers within MetricStream during my deeper use of the application, the application seems to have been developed within silos, and the interaction of certain applications internally could definitely be improved in terms of the overall coding that exists between applications within the solution.

The only improvement I suggest for MetricStream is to gather a collaborative think tank from several of the largest clients and compile feedback to prioritize suggested enhancements from multiple organizations.

I have been using MetricStream for a combined total of about six years.

MetricStream is mostly stable.

MetricStream's scalability is adaptable, though the biggest issue I have encountered with clients has been around upgrades that require re-implementing customizations to the out-of-box solutions after significant upgrades.

Customer support from MetricStream has been great. We had to engage with senior management from time to time, but they were responsive and quick in working through our issues.

Before MetricStream, we used Archer, Ideagen, and Thomson Reuters Paisley. We switched because MetricStream was much more robust.

I have not seen specific metrics on return on investment with MetricStream, outside of reducing silos and allowing time savings off of annual planning.

In terms of pricing, setup cost, and licensing for MetricStream, we did run into issues with insufficient licensing, but the ability to acquire new licenses was relatively quick and effortless.

Before choosing MetricStream, we did evaluate other options depending on the client. We chose Archer for one installation and Thomson Reuters for another implementation.

My advice for others looking into using MetricStream is to ensure collective representation from all business units that will be clients of the application across the organization. For example, in a bank, make sure you have audit, risk management, and other departments involved. I would rate this review a 7.

My main use case for MetricStream was that I was a developer and I prepared templates for a client while also testing the UI platform for the client.

I can give a specific example of a template I prepared for a client. We had a task about what the client wanted, about the solution, about governance, about the tech template, and about SOX compliance. After we had some points, I created forms. It was basically something similar to Microsoft Forms. I prepared templates within MetricStream and took these blocks to create components together, something resembling Lego parts.

When I was a developer, this was a quite narrow template, and it consisted mostly of pieces from a constructor. I created one large form for the client. However, the main issue is that if a client needs something larger or more custom, there are no tools to change these blocks. Instead, I need to create a task for the developer team. Additionally, my customer team from MetricStream is located in India. A significant issue is with technical support because for the first month, they do not have any time and they do not want to change anything. Basically, I only have access to the UI and do not have access to the code base. However, for developers preparing solutions for clients who need to make a change in the code base, it would be much easier to change our own code rather than wait two or three months.

The best features MetricStream offers are the nice dashboards. However, I believe that the same system could be built much cheaper. With the help of one Python developer and one data engineer, it could be created more easily. To me, it appears to be mostly a marketing-driven product, functioning basically as a better package for something similar to Microsoft Forms.

Regarding features, I think it was nice when I knew what was needed, and when a client had seen the issue beforehand. MetricStream is something like an all-in-one solution where I do not need to write scripts or conduct audits. However, it may be a cheaper option when an audit is not necessary, such as a Microsoft audit or governance audit. It might be cheaper for two or three months, but when deeper research on a company is needed, it is not suitable. Essentially, it is an audit platform with a nice dashboard.

MetricStream has positively impacted my organization because we sell it in Europe. However, I implemented it at a couple of companies and I do not see any positive impact. For the client, they can see a nice platform with a friendly UI and a dashboard. For a developer, there is basically no added value because all these things can be obtained from scripts. Scripts can be written easily and are a really cheap alternative. I do not see any reason to buy MetricStream for a couple of thousand euros per month when scripts can be written with internal audit, cyber risk audit, or policy searching capabilities. Essentially, it is a business version of Grafana.

A specific example of how a client benefited from using MetricStream is that it is better for usability. If a client needs to check risk inside a cloud environment or internal environment, they have a nice dashboard with compliance status, open issues, and key risk information. If the management part is implemented, there is also a nice dashboard with compliance status ranging from zero to 100, control test requests and results, and a nice dashboard from the forms.

MetricStream can be improved in the area of developers. There are two parts of developers: those who prepare solutions for clients and those from India who support the application. The support part is terrible, rating about one out of ten. The support quality needs significant improvement.

I have been using MetricStream for one to one and a half years.

MetricStream is stable, but if there is an issue, it will be complicated to resolve with the support team.

The scalability of MetricStream is basically easy. I can create many forms, but there is a cost associated with it.

The customer support of MetricStream is terrible.

Before MetricStream, we used Databricks and scripts for audit checks and our cybersecurity implementation. However, the business decided to switch to MetricStream and started selling MetricStream to other clients. I do not think it was a good solution because after a couple of months or years, we came back to manual checks.

I did not purchase MetricStream through the AWS Marketplace.

My company had a business relationship with the vendor other than being a customer because I was a reseller at my old company. Currently, I do not use MetricStream in my current job.

I have not seen a return on investment.

The advice I would give to others looking into using MetricStream is to not use MetricStream. I would rate this recommendation a four out of ten.

We are system integrators. We propose solutions to the customers.

They have now reworked it. The interface is mobile-friendly and it is getting a good response from our customers. It's a very good feature that the product offers. It is also available as a cloud option, which is getting a lot of interest from customers who are looking into the GRCC.

It is very useful, especially in the solution platform.

It has good features and good functionality, and our customers feel there is a lot of merit in that.

I think that the portal is constantly improving. They do their own enhancements very often. They keep doing those enhancements from their site itself.

As we are system integrators, we rely on the customer's feedback. We have not had any customers complain or express any concerns with the product.

There can be some small updates done with the interface.

I would like to see out-of-the-box integration with more security, it would be helpful.

We have been working with MetricStream for more than four years.

It's a pretty stable product.

MetricStream is a scalable product, depending on the customer's needs.

I would say that our clients are medium-size companies. 

It is difficult to define them, and it depends on the vendor. 

If it is $100,000 or more it would be considered to be a large enterprise company, or if it's $50,000 it would be a medium-sized company.

If customers are faced with any challenges, the support team is really responsive and very fast to address any concerns.

They have a good technical support team that is based out of India. 

They do a fair job.

The integration is very easy and it is fast.

In regards to deployment, most are out of the box.

The pricing is reasonable.

They are flexible in terms of customers' needs. We have seen customers who have a smaller compliance team, and they have been able to support them as well as large enterprise and global customers.

We have aligned with MetricStream only. We will recommend it, but we have seen comparisons between MetricStream and RSA Archer from when we have come across those customers. We have been head to head in those comparisons.

My advice is to be sure to have your use cases very clear in what you want to achieve, be it risk management or just relations management. If it's an audit, you have to be very precise and clear as to what your needs are. Based on that only, you should be evaluating it, because it is all modularized. There are more than 15 or 16 modules of MetricStream solutions available. 

The customer has to be very clear as to which module they are interested in and what they want to implement.

I would rate MetricStream an eight out of ten.

Where we are using it is for enterprise risk management and operations risk management.

It allows us to have all the information in a single place and provide real-time indicators and information for our executives.

• Usability 
• Ease of configuration

We would like to have more dashboards and reports, such as geographical and trend reports in the next version. Also, an improvement in the mobile version would be helpful.

It is very stable. Performance is very good.

It scales very well. We are working very well with the solution.

The technical support is very good but sometimes we need to have local or Spanish language support. That is something that will be a challenge for them.

We were using some other solutions and the reason we switched was the scalability and performance of the solution and, in some cases, the ease of use.

The most important thing when selecting a vendor is that the product perform and work for the specific needs that we have. Being able to configure and to customize a solution to our needs is a very important factor. In addition, we look for support from the vendor or a local partner for doing the implementation. Finally, the price.

The initial setup was complex in terms of understanding the velocity of the solution and the platform. After that, the initial configuration was very well done, it was not so complicated.

I would rate it a nine out of 10 because it's a very good and scalable solution that can be configured to our needs. The only issue is in terms of support within the local language.

Evaluate it, do a proforma proof of concept before deciding. In this proof of concept be sure to test your use cases and evaluate how easy it is to configure a solution to handle your use cases.