Project Description

An ERM case study from financial services

Overwhelmed by the volume of manual effort required to manage global oversight of their enterprise risk management program, the Head of Information Security sought to increase operational efficiency while decreasing risk exposure. By applying process automation to their workflows and driving insights from custom real-time reports, this global enterprise took its risk management program to the next level.

20%

increase in employee efficiencies

Profile

Company: 2nd largest money transfer business

Industry: Financial Services

Reach200 countries (20% of global money transfers)

Solutions: Governance Risk & Compliance Suite

Challenge

This enterprise risk management team of six was looking to consolidate the disparate tools and storage facilities in use to manage SOX, SOC1 and PCI compliance, IT risk management and remediation, vendor risk assessments, internal and external audits, security awareness training, plus federal, state and international regulatory exams. Without a way to connect data in real-time, it was impossible to keep tabs on the current status of compliance initiatives and third-party risk.

750

SOX data requests

180

unique vendor risk assessments

120

business continuity plans

90

PCI tests

7

distinct management tools
(Word, PowerPoint, Excel, PDF, Access, email, ServiceNow)

5

separate data storage facilities
(SharePoint, intranet, vendor portals, MS Access DB, ServiceNow)

Solution

Using the Onspring Governance, Risk & Compliance Suite, the team consolidated all data collection and record-keeping, added automated surveys for vendor risk assessments, and created real-time visibility of compliance initiatives using dynamic dashboards with the ability to drill into details.

Vendor Management Icon Onspring Blue Solid

Automating vendor risk assessments

Out of 180 vendors, 120 were assessed annually and the other 60 were assessed every other year based on their risk tier. Managing the volume, timing and accuracy was a tedious and inefficient process at best. Once a risk assessment was initiated, information was stored in any number of stages on file shares in at least 180 sub-folders. The team relied on Microsoft Access to track and manage the assessment schedule, vendor tiering, all reporting—even executive board reports had to come from Microsoft Access.

To streamline the management of annual survey assessments, service records were created in Onspring with a workflow that scheduled and deployed vendor surveys via email to external and internal recipients. 

Survey responses automatically fed back into Onspring to document:

  • Contracts
  • Vendor Findings
  • Vendor risk linked to the risk register
  • SLA tracking

With this workflow design, all vendors were added to an automated schedule and now receive an email with a survey link. Once surveys are completed, answers and any supporting documents, like required SOC1 or PCI AOC reports, are documented directly into Onspring.

No more chasing loose files. No need for 180 sub-folders.

Findings are also auto-generated in Onspring based on survey responses, which saves valuable time. For example, if a vendor answers, “No, we do not have a vulnerability policy,” that finding is automatically entered and visible for analysis.

No need for manual entry.

Report-Export-Options-in-Onspring

Creating real-time compliance visibility

Whereas surveys provided critical data input for vendor risk management, this enterprise risk management team also was in urgent need of effortless and up-to-date reporting.

“Real-time status monitoring? We had none. We had to pull reports out of MS Access or look at individual spreadsheets. Any sort of consolidated reporting and metrics aggregation was coming from multiple sources. Sometimes that took days.”

Dynamic dashboards were created in Onspring to display vendor profiles, services and findings areas, plus heat maps for risk, life cycle funnels, and charts to highlight overdue and upcoming assessments.

From the new vendor survey approach, the team could now slice survey data into any number of ways to monitor status in real-time. Additionally, assessment activity, vendor findings and high-level integrations fed into each vendor profile, which automatically ran data variables such as:

  • Aggregate contract dollar sums
  • Vendor tier
  • Risk score

There was no need to run separate analytics for each of these items anymore. 

Reporting capabilities advanced workflow transparency as well. By adding a vendor operations dashboard, vendor analysts could log in to quickly gauge workload based on each real-time reporting, such as addressing compliance issues (previously mapped from PCI controls to vendor assessments), plus:

  • Findings & tasks
  • Downward trending
  • Contract details
  • Review schedules
  • Outstanding surveys
  • Vendors with key risks
Scaling Enterprise Risk Management without Doubling Your Team

Result

A truly comprehensive governance, risk and compliance program built to serve current and future needs of this enterprise.

Centralized repository housing:

  • SOX/SOC1/PCI controls
  • Testing inventory & evidence
  • Enterprise risk
  • Business continuity plan
  • Vendor risk assessments

Automated workflows:

  • Controls testing
  • Vendor risk assessments

Aggregated data with:

  • Status visualization
  • Drill-down capabilities

Download this case study

Regulation Solutions for NIST NERC CMMC GDPR by Onspring
Analytics Creates Better Decision Making