From constraint to control: how CoreStream GRC transformed risk management at Pool Re

About Pool Re

Pool Re is the UK’s largest terrorism reinsurer, trusted by over 150 insurers and globally recognized as the leading experts in terrorism risk financing. Their mission is to provide financial protection against the risk of terrorism and, in so doing, enhance the resilience of the UK economy.

Established: 1993

Industry: Healthcare

Cover: £2.2 trillion of UK based assets

Paid out claims: £1.25 billion (adjusted for inflation)

Serve: 85% of the UK terrorism property insurance market

Challenge

A legacy risk management system that hindered, rather than helped, and led to the use of the spreadsheet safety net

When Helio Correa joined Pool Re as Head of Risk, he inherited a legacy risk management system that was falling far short of expectations. While the company had invested in a risk management tool, its functionality wasn’t fit for purpose, and adoption across the business was minimal. Instead of enabling effective risk management, the system became a barrier, slow, outdated, and cumbersome to use. 

Limited adoption and poor user experience

“The business was not using it as expected,” Helio explains. “They would log in maybe every 3 months unless they had to raise a risk event, and even then, we had to explain how to complete simple tasks.”

This lack of engagement undermined risk management efforts, as critical data remained siloed or out of date. It also led to significant support time needed from the Pool Re Risk team to continuously chase and then help employees navigate the system. 

Cumbersome reporting and data limitations  

Beyond usability issues, the platform lacked robust data analytics and reporting capabilities. Extracting meaningful insights required extensive manual effort, forcing the team to revert to Excel spreadsheets to bridge the gap.

“If I needed to create a report for the board, I had to export the data to Excel, clean it, build formulas, pivot tables, and manually generate charts. Sometimes we even had to go back and forth between Excel and the tool to make corrections,” Helio explains. “It was incredibly time-consuming and manual.” 

This inefficiency meant that what should have been a streamlined reporting process turned into a 3 week ordeal each quarter, consuming valuable time that could have been spent on strategic risk management. 

Rigid risk management system, slow response times 

Another major drawback was the tool’s inflexibility. Making even minor modifications, such as adding data fields or generating a new report, required raising a service request and waiting for an extended period, for the changes to be implemented. This lack of agility led to workarounds, with the team maintaining supplementary spreadsheets and performing tasks manually, defeating the purpose of having a dedicated risk management solution in the first place.  

Limited accessibility and control for risk owners  

The tool also restricted access for risk and control owners, further impeding efficiency.

“They couldn’t update descriptions, link controls, or attach actions. Even making simple changes like updating impact and likelihood required unnecessary bottlenecks,” Helio explains.

This meant the risk management team had to act as intermediaries for every minor adjustment, adding to the administrative burden.  

The search

An opportunity for change: the road to the right GRC solution

Defining the requirements

When Pool Re set out to find a new risk management solution, they approached the process with a clear but not overly complex set of requirements. They understood the importance of a system that was both flexible and efficient. However, as Helio discovered, finding a platform that could deliver on their needs was more challenging than expected. 

“We had what I thought were mostly basic requirements, but I was surprised how I couldn’t really find a tool that would give us everything we wanted initially,” Helio explained. 

The selection process

To ensure they found the right solution, Pool Re began with a list of approximately 20 different GRC providers. After initial discussions, they narrowed this down to 5 candidates that were taken through a formal procurement process, including in-depth demos and assessments.

“We developed a requirement document, and the companies had some time to provide written responses before we selected them for a demo,” Helio detailed. 

The process was rigorous, taking approximately 3 months in total. One key element was ensuring that each provider could demonstrate how their platform would handle Pool Re’s specific risk and control management processes. This included assessing how well the system would handle capabilities that had been major pain points with their previous tool, including: 

• Risk management reporting 

• Risk appetite 

• Risk event tracking 

• Policy attestation  

• Linking controls and actions 

CoreStream GRC stood out from the beginning for its streamlined thoughtful approach.

“From the very beginning, talking to your team, they were very accommodating and patient in explaining the capabilities of the tool. The platform was very visual, very easy to use, and very flexible. That was the biggest requirement for us,” Helio recalled. 

Discovering CoreStream GRC

Pool Re developed a structured evaluation process, breaking down their requirements into must-haves and nice-to-haves, and CoreStream GRC not only met but exceeded their expectations. 

“CoreStream GRC met all of our must-haves. The feedback was that it was one of the most robust responses we received.” Helio concluded.

Implementation

Kick-off: A collaborative approach, Pool Re and CoreStream GRC’s successful implementation  

The implementation process began with a focus on ensuring that CoreStream GRC’s solution was tailored to Pool Re’s specific requirements. Helio explained that the initial phase involved working closely with the CoreStream GRC team to understand their existing workflows and ensure the new tool would fit seamlessly with their processes. Helio emphasized the importance of working closely with the implementation team to refine the design:

“We were able to just then refine, review and refine,” Helio said.

This iterative approach via UAT instances allowed the Pool Re team to compare the new system with the previous one, ensuring they didn’t miss any important workflows and that the new tool was future-proof. 

Collaboration and customization: ensuring fit for the future

A key element of the successful implementation was the constant back-and-forth between Pool Re’s team and CoreStream GRC’s experts. According to Helio, the CoreStream GRC implementation team, not only listened attentively but also offered insightful advice and alternative solutions. They were transparent about potential challenges and risks, which helped Pool Re make informed decisions. 

“It wasn’t just about listening and then doing the configurations in isolation,” Helio noted. “There was a lot of back and forth, and having someone (CoreStream GRC’s Head of Client Design) who truly understands risk management and compliance was very helpful.” 

Helio specifically appreciated the way CoreStream GRC’s team was able to adapt to Pool Re’s niche requirements. For example, they managed to accommodate a unique risk assessment framework that was critical for Pool Re.

“There is no one in the industry which does that, but they were able to accommodate that very easily,” Helio mentioned. 

Meeting the deadline: a timely delivery 

The project timeline was a key concern for Pool Re, particularly since they had a hard date to meet as the contract of their existing tool was coming to an end, and so the team worked tirelessly to meet the deadline. Completing the custom implementation from beginning to end in 8 weeks.  

Helio shared, “In fact, we went live with a soft launch a week before!” This proactive approach allowed the Pool Re risk team to test the tool and gather feedback before the official launch, ensuring a smooth transition. Weekly meetings and ongoing engagement between Pool Re and CoreStream GRC were crucial in fine-tuning the design and ensuring the tool would be ready on time.  

“There were a few things we missed in the initial requirement, but the team was very accommodating, very patient. Sometimes we go into crisis mode, but they’ve taken it very nicely, and we are very happy with the final outcome.” 

A successful launch and positive feedback 

The successful launch of the system was met with positive feedback from the Pool Re team. Helio expressed his satisfaction with the final product, particularly with how well the customizations were executed.

“Everyone is very happy with the tool,” he said. The risk-on-a-page feature, initially considered a challenge by other vendors, was successfully implemented, offering a more streamlined way to assess and manage risks.” 

Solution 

From frustration to efficiency: Pool Re found the perfect GRC solution in CoreStream GRC 

The risk management solution that Pool Re implemented included a range of functionalities designed to enhance efficiency, flexibility, and data visibility. Key features included: 

• Intuitive user interface – A simple, easy-to-use system that allowed non-risk professionals within the business to engage with risk processes without extensive training. 

“If you need to engage the business to get stuff done in the system, then it has to be simple to use because they won’t be working on the tool on a daily basis like we are. So it has to be quite intuitive, very easy to use.” – Helio Correa 

• Flexible configuration – The ability to make system changes in-house without needing to submit requests to vendors, reducing delays and improving efficiency. For more complex changes, having a flexible tool that the support team can adapt quickly, and resolve the request promptly.  

• Advanced data analytics & reporting – Powerful dashboard capabilities that allowed users to quickly visualize risk data, filter key insights, and generate reports at the click of a button, ready for meetings and wider reports.  

• Automated risk tracking & management – A structured approach to tracking risk events, policy attestations, and controls, reducing reliance on manual processes, email chases and tracking on spreadsheets.  

• Seamless data export & integration – Easy extraction of risk data into Excel or PowerPoint, streamlining quarterly risk reporting: “On a quarterly basis, I would say I’m probably saving a week or more just by having less data manipulation, fewer workarounds, and getting the data I need in a consistent format. For the ExCo, I don’t think I need to produce any reports anymore. They get everything they need from the dashboards. That alone saves us a lot of time because of CoreStream GRC.”  

• Executive dashboard for senior leaders – A high-level view tailored for executives, enabling them to monitor department-wide risks and take action proactively. 

• Alignment with IT Security & ESG Values – CoreStream GRC met Pool Re’s stringent IT security and ESG requirements, ensuring robust data protection, compliance, and ethical best practices. CoreStream GRC’s commitment to high standards of governance and responsible technology use positioned them as a true partner, fully aligned with Pool Re’s core values and operational commitments. 

By adopting CoreStream, Pool Re has not only streamlined its risk management but also unlocked new opportunities to enhance its overall risk strategy:

“I’ve now got the time for more assessments, more assurance reviews, more deep dives, more engagement with the business. Improving quality.” 

Looking ahead: expanding the GRC platform for future needs 

With the system now in place, Pool Re is already expanding its use beyond risk management, demonstrating its trust in CoreStream GRC as a long-term solution. The combination of a powerful platform and a highly responsive team has left Pool Re confident in its ability to adapt and grow with CoreStream GRC into the future.  

Reflecting on the move from Pool Re’s previous tool, Helio didn’t hold back in his praise for CoreStream GRC:

“The previous tool didn’t meet my expectations. From day one, I felt the need for change. But with CoreStream? Very happy, very happy.” 

Unlock the Full Potential of GRC with CoreStream 

Pool Re’s successful implementation of CoreStream GRC’s Risk Management solution showcases the power of a flexible, intuitive, and analytically rich platform, backed by a responsive and knowledgeable team. CoreStream GRC has become a trusted partner in their journey toward a more efficient and future-proof solution. 

If you’re looking for a GRC platform that truly works for you, just as it has for Pool Re, contact us today to discover how CoreStream can support your organization’s needs.