Once the value propositions were defined, the cross-functional team began identifying the top changes that Onspring could help American Family overcome. The team prioritized five areas of change. These—as well as how Onspring delivered value—are outlined below:
1 – Changes to processes, programs, and workflows
By using Onspring, American Family Insurance was able to set up its GRC instance in a clear, simple way. But planning for the instance was the first order of business. The team identified core priorities and key artifacts to ensure a successful implementation of Onspring and held discovery meetings with stakeholders to understand go-live expectations, basic requirements, dependencies, process workflows, and datasets.
Additionally, to stay on top of any potential process changes down the road, the team evaluated the maturity and stability of business processes, programs, and workflows. If the maturity was low, the team would focus on basic functionality and data relationships. If high, they would implement workflows, integrations, and advanced reporting.
The team also initially leveraged Onspring’s out-of-the-box configurations as much as possible. They knew that the Onspring solution was easy to adapt, refine, and enhance after its adoption.
To create accountability and transparency, American Family used Onspring process mapping to identify changes and track which applications supported which processes. This was an easy way for the team to know if a particular business process had changed and its impact. Onspring provided American Family with a solution that was far more scalable than what the company had been using previously.
2 – Changes to organization and people
Understanding how organizational information aligned with the user data was a major challenge American Family needed to overcome. Working with the HR, data governance, and business continuity departments, Onspring’s formula reference fields allowed the company to identify hierarchical reporting and approval structures as well as define mapping rules for the organizational structure.
Secondly, the company leveraged their data relationships present in Onspring. This allowed American Family to easily build workflows for each individual, providing a clear map to any risks that might emerge.
These capabilities gave American Family the ability to create admin dashboards to monitor and manage user changes. For example, if someone moved into a new role, business leaders were able to identify a replacement quickly in order to mitigate any potential risk.
Without having immediate access to organizational hierarchy, that vacant role could go unnoticed for some time, leaving the organization susceptible to risk. By implementing Onspring, American Family was able to provide visibility to process owners to identify when an individual leaves the organization and what information needs to be assigned to a current employee (e.g., control owners, risk owners, policy owners, etc.).
3 – Changes to regulatory requirements and assessments
American Family adopted the Unified Compliance Framework (UCF) as a way to minimize the impact of regulatory changes. This framework is supported in Onspring.
As new versions of regulatory requirements and frameworks (e.g., PCI, NY DFS, NIST 800-53, etc.) are published, the team can leverage mapping to internal controls already completed in Onspring to save time and effort through:
- A data connector that allows the company to identify changes in regulations that apply to their organization, triggering the need for a regulatory review
- Consistent company control mapping to UCF common controls, regardless of authority document or framework version
- Efficiency gains from mapping once and using across many regulations, including internal control mapping, control evidence collection, and control testing results