Challenge

With tens of thousands of employees, nine product lines, and five operating subsidiaries, American Family Insurance was facing challenges monitoring IT risks across the entire organization. IT risk management and governance information was decentralized and managed in stand-alone applications or Microsoft Office documents, leading to increased time to collect metrics data, conflicting data with no source of record, and limited visibility to related content.

American Family Insurance was looking to standardize their Information Security programs across their operating companies to minimize the impact of external factors that were causing change and disruption to current systems and processes.

Each of the five operating companies used different tools for each of their Information Security-related processes, often standalone applications, or Microsoft Office applications like Excel and SharePoint. These companies were also operating independently and had different methodologies for managing risk information, which generated many inefficiencies and made it hard to monitor risks across American Family’s entire portfolio.

This decentralization was a major pain point, forcing leadership to pull data from multiple systems and applications, and normalize the data to properly report on risk and compliance metrics. This became a risk in and of itself—there was conflicting data because there wasn’t one true data source. American Family needed a clear vision to tie information together that came from a single platform.

These factors drove the company to look for a GRC solution. So, in 2020, American Family organized a cross-functional team to look at different solution alternatives available in the marketplace and to define how that solution would benefit the company. After establishing three value propositions to find the right GRC solution, American Family’s risk management team identified Onspring as the only solution that not only met these value propositions but also solved the company’s consolidation problem, tracking and managing any risk that could become a threat to the company.

The three value propositions were:

1. Reduce cost – American Family wanted to identify areas where technology overlapped, providing an opportunity to remove certain tools, as well as where technology was needed to deliver automation—eliminating the need for manual spreadsheets, duplicative functionality, and redundant data.
2. Consistent and streamlined business processes – Through the power of automation, American Family looked to improve efficiencies across business units by streamlining risk and governance workflows as well as information management.
3. Single source of truth – Consolidating tools across the operating companies into one platform was an important factor in giving American Family one defined source of record for data and reporting across the department. Not to mention it would specify one team in charge of managing the data, increasing the accuracy of the information and data being reported upward in the organization.

Solution

Once the value propositions were defined, the cross-functional team began identifying the top changes that Onspring could help American Family overcome. The team prioritized five areas of change. These—as well as how Onspring delivered value—are outlined below:

2 – Changes to organization and people

Understanding how organizational information aligned with the user data was a major challenge American Family needed to overcome. Working with the HR, data governance, and business continuity departments, Onspring’s formula reference fields allowed the company to identify hierarchical reporting and approval structures as well as define mapping rules for the organizational structure.

Secondly, the company leveraged their data relationships present in Onspring. This allowed American Family to easily build workflows for each individual, providing a clear map to any risks that might emerge.

These capabilities gave American Family the ability to create admin dashboards to monitor and manage user changes. For example, if someone moved into a new role, business leaders were able to identify a replacement quickly in order to mitigate any potential risk.

Without having immediate access to organizational hierarchy, that vacant role could go unnoticed for some time, leaving the organization susceptible to risk. By implementing Onspring, American Family was able to provide visibility to process owners to identify when an individual leaves the organization and what information needs to be assigned to a current employee (e.g., control owners, risk owners, policy owners, etc.).

3 – Changes to regulatory requirements and assessments

American Family adopted the Unified Compliance Framework (UCF) as a way to minimize the impact of regulatory changes. This framework is supported in Onspring.

As new versions of regulatory requirements and frameworks (e.g., PCI, NY DFS, NIST 800-53, etc.) are published, the team can leverage mapping to internal controls already completed in Onspring to save time and effort through:

• A data connector that allows the company to identify changes in regulations that apply to their organization, triggering the need for a regulatory review
• Consistent company control mapping to UCF common controls, regardless of authority document or framework version
• Efficiency gains from mapping once and using across many regulations, including internal control mapping, control evidence collection, and control testing results

4 – Changes to data sources, governance, and integrations

Identifying and relying on key datasets is a challenge in many organizations but crucial for an effective GRC platform. It’s important to ask questions such as: What if a source of record does not exist or is changing to a new application? What if data cleanup is underway or several competing spreadsheets are considered “the best” version of the data? Where do integrations add value?

Onspring’s integration capabilities were a strong benefit for American Family, as the company had many data sources. The company integrated its data in phases, starting with its organizational and people data from its HR system. By doing it this way, it minimized the ongoing manual administration of maintaining user and organizational information.

Secondly, American Family integrated its vendor and contract information, followed by business processes and business applications. Onspring’s Vendor Management solution and Business Continuity Solution were add-ons that helped integrate all American Family’s data sources. For application programming interface (API) integrations, the company:

• Focused on high-value data for consistent reporting across technology solutions
• Allocated time for developing, testing, updating, and troubleshooting
• Discussed any gray areas of overlap or gaps

They also began conducting data privacy assessments in Onspring, with data elements and data classification mapped to IT assets, which inform risk assessments. This data was previously limited in the Application Portfolio Management solution (outside of Onspring), so they now manage and report on it right in Onspring..

And finally, the team established a governance oversight committee to make decisions that impact multiple areas of data. It’s important to understand which source of record is used for each piece of data, who manages that information, and how that information is being updated. And as changes were being made to datasets in Onspring, Onspring’s change management process helped American Family see when changes took place and be notified of potential downstream impacts.

5 – Changes to the Onspring solution itself

The team knew that addressing the current climate of change in Onspring was important but so was accounting for future change. As Onspring usage and enhancement requests continued to grow and gain more value at American Family, the company needed to identify which methods provided agility and timely responses to user requests, while ensuring appropriate controls and governance maintained a stable environment.

Onspring gave American Family the ability to track and manage any changes to the solution itself. The company was implementing various Onspring solutions, so as it went through numerous test, build, and deployment phases over time, having this change management solution was extremely useful.

Using this function, American Family created documentations of the platform for two different perspectives: administrator and user.

For the administrative perspective, the company documented how Onspring’s solutions were being configured and how to package them for different environments. It also included troubleshooting tips.

Additionally, for the user perspective, the documentation included instructional content to help them use the solution. It explained how to submit requests, enhancements, and tasks within Onspring and showed the life cycle of making those changes as well.

Finally, through this process, the company identified opportunities for administrators to support the solutions their team is using more directly. This created a strong community of Onspring users and administrators throughout the implementation process and beyond.