How Onspring Helped American Family Insurance Manage Organizational Change
An IT Risk & GRC Management Case Study
Organizational change is inevitable. That’s why it’s important to have the right tools in place to guide teams and organizations as they move through different business phases.
American Family Insurance, a U.S.-based insurance company in Madison, WI, with over 13,000 employees, recently faced a challenge to standardize numerous internal systems onto one security platform amidst quite a bit of organizational change. The company needed a tool that could manage and track potential risk and impact, which was impossible to accomplish properly with so many applications and technologies in use internally. After thoroughly reviewing many governance, risk, and compliance (GRC) solutions, the company found that Onspring’s solution was exactly what it needed, allowing it to quickly and easily implement a full-scale GRC solution to monitor potential risks.
With tens of thousands of employees, nine product lines, and five operating subsidiaries, American Family Insurance was facing challenges monitoring IT risks across the entire organization. IT risk management and governance information was decentralized and managed in stand-alone applications or Microsoft Office documents, leading to increased time to collect metrics data, conflicting data with no source of record, and limited visibility to related content.
American Family Insurance was looking to standardize their Information Security programs across their operating companies to minimize the impact of external factors that were causing change and disruption to current systems and processes.
Each of the five operating companies used different tools for each of their Information Security-related processes, often standalone applications, or Microsoft Office applications like Excel and SharePoint. These companies were also operating independently and had different methodologies for managing risk information, which generated many inefficiencies and made it hard to monitor risks across American Family’s entire portfolio.
This decentralization was a major pain point, forcing leadership to pull data from multiple systems and applications, and normalize the data to properly report on risk and compliance metrics. This became a risk in and of itself—there was conflicting data because there wasn’t one true data source. American Family needed a clear vision to tie information together that came from a single platform.
- Multiple systems and applications being used to manage Information Security activities across five operating companies
- Risk management completed manually in spreadsheets and Word documents
- Inefficient responses to regulatory changes
- Operating companies working in silos
- Source of record unclear for some GRC data elements
These factors drove the company to look for a GRC solution. So, in 2020, American Family organized a cross-functional team to look at different solution alternatives available in the marketplace and to define how that solution would benefit the company. After establishing three value propositions to find the right GRC solution, American Family’s risk management team identified Onspring as the only solution that not only met these value propositions but also solved the company’s consolidation problem, tracking and managing any risk that could become a threat to the company.
The three value propositions were:
- Reduce cost – American Family wanted to identify areas where technology overlapped, providing an opportunity to remove certain tools, as well as where technology was needed to deliver automation—eliminating the need for manual spreadsheets, duplicative functionality, and redundant data.
- Consistent and streamlined business processes – Through the power of automation, American Family looked to improve efficiencies across business units by streamlining risk and governance workflows as well as information management.
- Single source of truth – Consolidating tools across the operating companies into one platform was an important factor in giving American Family one defined source of record for data and reporting across the department. Not to mention it would specify one team in charge of managing the data, increasing the accuracy of the information and data being reported upward in the organization.
Once the value propositions were defined, the cross-functional team began identifying the top changes that Onspring could help American Family overcome. The team prioritized five areas of change. These—as well as how Onspring delivered value—are outlined below:
1 – Changes to processes, programs, and workflows
By using Onspring, American Family Insurance was able to set up its GRC instance in a clear, simple way. But planning for the instance was the first order of business. The team identified core priorities and key artifacts to ensure a successful implementation of Onspring and held discovery meetings with stakeholders to understand go-live expectations, basic requirements, dependencies, process workflows, and datasets.
Additionally, to stay on top of any potential process changes down the road, the team evaluated the maturity and stability of business processes, programs, and workflows. If the maturity was low, the team would focus on basic functionality and data relationships. If high, they would implement workflows, integrations, and advanced reporting.
The team also initially leveraged Onspring’s out-of-the-box configurations as much as possible. They knew that the Onspring solution was easy to adapt, refine, and enhance after its adoption.
To create accountability and transparency, American Family used Onspring process mapping to identify changes and track which applications supported which processes. This was an easy way for the team to know if a particular business process had changed and its impact. Onspring provided American Family with a solution that was far more scalable than what the company had been using previously.
2 – Changes to organization and people
Understanding how organizational information aligned with the user data was a major challenge American Family needed to overcome. Working with the HR, data governance, and business continuity departments, Onspring’s formula reference fields allowed the company to identify hierarchical reporting and approval structures as well as define mapping rules for the organizational structure.
Secondly, the company leveraged their data relationships present in Onspring. This allowed American Family to easily build workflows for each individual, providing a clear map to any risks that might emerge.
These capabilities gave American Family the ability to create admin dashboards to monitor and manage user changes. For example, if someone moved into a new role, business leaders were able to identify a replacement quickly in order to mitigate any potential risk.
Without having immediate access to organizational hierarchy, that vacant role could go unnoticed for some time, leaving the organization susceptible to risk. By implementing Onspring, American Family was able to provide visibility to process owners to identify when an individual leaves the organization and what information needs to be assigned to a current employee (e.g., control owners, risk owners, policy owners, etc.).
3 – Changes to regulatory requirements and assessments
American Family adopted the Unified Compliance Framework (UCF) as a way to minimize the impact of regulatory changes. This framework is supported in Onspring.
As new versions of regulatory requirements and frameworks (e.g., PCI, NY DFS, NIST 800-53, etc.) are published, the team can leverage mapping to internal controls already completed in Onspring to save time and effort through:
- A data connector that allows the company to identify changes in regulations that apply to their organization, triggering the need for a regulatory review
- Consistent company control mapping to UCF common controls, regardless of authority document or framework version
- Efficiency gains from mapping once and using across many regulations, including internal control mapping, control evidence collection, and control testing results
4 – Changes to data sources, governance, and integrations
Identifying and relying on key datasets is a challenge in many organizations but crucial for an effective GRC platform. It’s important to ask questions such as: What if a source of record does not exist or is changing to a new application? What if data cleanup is underway or several competing spreadsheets are considered “the best” version of the data? Where do integrations add value?
Onspring’s integration capabilities were a strong benefit for American Family, as the company had many data sources. The company integrated its data in phases, starting with its organizational and people data from its HR system. By doing it this way, it minimized the ongoing manual administration of maintaining user and organizational information.
Secondly, American Family integrated its vendor and contract information, followed by business processes and business applications. Onspring’s Vendor Management solution and Business Continuity Solution were add-ons that helped integrate all American Family’s data sources. For application programming interface (API) integrations, the company:
- Focused on high-value data for consistent reporting across technology solutions
- Allocated time for developing, testing, updating, and troubleshooting
- Discussed any gray areas of overlap or gaps
They also began conducting data privacy assessments in Onspring, with data elements and data classification mapped to IT assets, which inform risk assessments. This data was previously limited in the Application Portfolio Management solution (outside of Onspring), so they now manage and report on it right in Onspring.
And finally, the team established a governance oversight committee to make decisions that impact multiple areas of data. It’s important to understand which source of record is used for each piece of data, who manages that information, and how that information is being updated. And as changes were being made to datasets in Onspring, Onspring’s change management process helped American Family see when changes took place and be notified of potential downstream impacts.
5 – Changes to the Onspring solution itself
The team knew that addressing the current climate of change in Onspring was important but so was accounting for future change. As Onspring usage and enhancement requests continued to grow and gain more value at American Family, the company needed to identify which methods provided agility and timely responses to user requests, while ensuring appropriate controls and governance maintained a stable environment.
Onspring gave American Family the ability to track and manage any changes to the solution itself. The company was implementing various Onspring solutions, so as it went through numerous test, build, and deployment phases over time, having this change management solution was extremely useful.
Using this function, American Family created documentation of the platform from two different perspectives: administrator and user.
For the administrative perspective, the company documented how Onspring’s solutions were being configured and how to package them for different environments. It also included troubleshooting tips.
Additionally, for the user perspective, the documentation included instructional content to help them use the solution. It explained how to submit requests, enhancements, and tasks within Onspring and showed the life cycle of making those changes as well.
Finally, through this process, the company identified opportunities for administrators to support the solutions their team is using more directly. This created a strong community of Onspring users and administrators throughout the implementation process and beyond.
Over the full 15-month implementation process—including implementing Onspring’s GRC, Vendor Management, and Business Continuity solutions—the company experienced the following benefits from Onspring:
Applications consolidated or replaced by Onspring
Requests completed using Onspring
Business processes enabled through the platform
included in the original business case were successfully implemented
outside the original business case were also implemented to meet the needs of American Family’s organizational companies, users, and administrators
American Family Insurance’s GRC journey was so successful that it began receiving requests almost weekly from other organizational companies to implement Onspring for their business processes, to solve their challenges, and to help consolidate some of their tools and applications.
The company saw tremendous results with Onspring and is optimistic about its risk journey, seeing plenty of other opportunities, use cases, and business problems where Onspring can be brought in to increase efficiency and drive results.