H&R Block Uses Quick Wins to Build a Long-term GRC Program
A Financial Services Case Study
H&R Block’s comprehensive GRC vision was comprised of 13 wide-ranging programs spanning all three verticals of Governance, Risk, and Compliance. These robust programs included training and awareness, vulnerability management, third-party risk, metrics, enterprise policies, and regulatory compliance.
Moving all 13 programs out of a legacy software system and into Onspring required a strategy that not only delivered quick implementations with immediate ROI but a long-term approach for enterprise-wide value.
H&R Block successfully launched their first program in Onspring within 30 days while building rapport across teams and creating continuous support from executives to sustain long-term success.
The comprehensive GRC team at H&R Block is actually comprised of 13 wide-ranging programs, spanning all three verticals of Governance, Risk, and Compliance.
For a long time, the functions performed within the GRC team were all being done in a vacuum, largely disconnected from the business and from each other. For example, the team wrote policies that lacked meaningful guidance and were not fully communicated across the business. Risk assessments lacked meaningful analysis, which meant findings were largely ignored, and every audit was a mad scramble to gather and submit evidence.
The GRC team started making significant progress addressing these core issues and wanted to use Onspring to supercharge their efforts and maximize limited team resources. Leaving a combination of spreadsheets and their legacy platform, the team estimated it would take approximately two years to tackle building all-new GRC programs and implementing each within Onspring using their current people and resources available.
Management was not willing to wait two years to get value out of the purchase, and the CISO was definitely not willing to wait two years to see results. The team knew they needed to break their long-term GRC strategy down into smaller, more manageable pieces, which is where it started to get more complex.
The H&R Block GRC team started by determining the impact of loading each individual GRC program into Onspring. Stack ranking each program meant they had to make hard decisions about what would provide significant impact immediately.
This determined their list of Big Wins: things that would make news across the organization because of the value created from improved functions for people. However, the impact was just one facet, as high-impact functions are usually the most complex and time-consuming to implement.
So the team evaluated the people and resources required to implement each program into Onspring, then stacked ranked by level of effort. This process provided the Quick-win Candidates: things you can deliver quickly (and usually with fewer waves than Big Wins) to generate buzz about the new platform and the value it brings right away.
Spotlight: Policy Management
Identified as a quick win, policy management became the first GRC element implemented in Onspring by the H&R Block GRC team.
The out-of-the-box Onspring policy management solution was used because of its fast implementation ability and also because it could be easily adjusted by the GRC team to fit a few nuanced needs.
- Dashboards & reports are already set up; the GRC team just needed to add data.
- Existing workflows are designed using best practices the team could follow.
- Easy editing by business admins meant the team maintained control over policy draft & approval processes.
- Avoided expending resources to gain buy-in from stakeholders whenever changes needed to be made.
- Any existing H&R Block process that was inefficient or ill-defined could be adjusted to match the best practices Onspring offers.
Policy management serves as a foundational block to an overall GRC program, so initiating Onspring implementation with this program set the long-term roll-out up for success.
The connected nature of policies within the larger GRC program meant H&R Block could now see if a control or policy section was orphaned. This enabled continuous visibility into which controls were supported by a policy and which policy sections were not enforced by a control. This also created a pseudo-gap analysis as they expanded the use of the Onspring platform.
Spotlight: Third-party Risk Management
The second program rolled out, third-party risk management, was the defining factor behind the Onspring launch at H&R Block because of its executive visibility, customization needs, and speed to launch requirements.
This new process managed end-to-end vendor management needs:
In the new process, once a new vendor intake form is completed, Onspring creates a supplier engagement record, while automatically making an initial determination whether a risk assessment is needed.
This allows the risk analyst to simply confirm the automated determination, removing much of the manual work.
If a risk assessment is needed, the analyst can automatically deliver the security questionnaire and documentation requests to the vendor based on the risk tier associated with that engagement.
Once the vendor returns the security questionnaire and any required security documentation it automatically populates back into Onspring. Automated notifications are sent to all stakeholders involved to alert them of its completion and the associated decision.
Two important, time-savers were created:
- Centralized risk assessment information (security questionnaire, documentation & communication)
- Initial security questionnaire scores and highlighted areas where the risk analyst needs to focus attention
Given that security questionnaires contain 100+ questions, this is a massive time saver and reduces the likelihood of human error from missing incorrect answers.
“The power of Onspring is its ability to create connective tissue between the three different verticals of governance, risk, and compliance.
Our ability to map controls to all of our regulations and policies allows us to pass any audit with the same control library, making auditing simpler and less time-consuming.
As we were reviewing Onspring, we saw just how simple it would be to manage and knew that simplicity, plus its power, was exactly what H&R Block needed.”
– Michael Meis, Cybersecurity leader