An ERM case study from financial services
Overwhelmed by the volume of manual effort required to manage global oversight of their enterprise risk management program, the Head of Information Security sought to increase operational efficiency while decreasing risk exposure. By applying process automation to their workflows and driving insights from custom real-time reports, this global enterprise took its risk management program to the next level.
Headline result: increase in employee efficiencies (figure not preserved in this copy)
This enterprise risk management team of six was looking to consolidate the disparate tools and storage facilities in use to manage SOX, SOC1 and PCI compliance, IT risk management and remediation, vendor risk assessments, internal and external audits, security awareness training, plus federal, state and international regulatory exams. Without a way to connect data in real-time, it was impossible to keep tabs on the current status of compliance initiatives and third-party risk.
Program snapshot (figures not preserved in this copy): SOX data requests; unique vendor risk assessments; business continuity plans; distinct management tools (Word, PowerPoint, Excel, PDF, Access, email, ServiceNow); separate data storage facilities (SharePoint, intranet, vendor portals, MS Access DB, ServiceNow).
Using the Onspring Governance, Risk & Compliance Suite, the team consolidated all data collection and record-keeping, added automated surveys for vendor risk assessments, and created real-time visibility of compliance initiatives using dynamic dashboards with the ability to drill into details.
Automating vendor risk assessments
Out of 180 vendors, 120 were assessed annually and the other 60 were assessed every other year based on their risk tier. Managing the volume, timing and accuracy was a tedious and inefficient process at best. Once a risk assessment was initiated, information was stored in any number of stages on file shares in at least 180 sub-folders. The team relied on Microsoft Access to track and manage the assessment schedule, vendor tiering, all reporting—even executive board reports had to come from Microsoft Access.
To streamline the management of annual survey assessments, service records were created in Onspring with a workflow that scheduled and deployed vendor surveys via email to external and internal recipients.
Survey responses automatically fed back into Onspring to document:
- Vendor Findings
- Vendor risk linked to the risk register
- SLA tracking
With this workflow design, all vendors were added to an automated schedule and now receive an email with a survey link. Once surveys are completed, answers and any supporting documents, like required SOC1 or PCI AOC reports, are documented directly into Onspring.
No more chasing loose files. No need for 180 sub-folders.
Findings are also auto-generated in Onspring based on survey responses, which saves valuable time. For example, if a vendor answers, “No, we do not have a vulnerability policy,” that finding is automatically entered and visible for analysis.
No need for manual entry.
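As an added illustration (not Onspring code or anything from the case study), the tier-based schedule and the auto-generated findings described above can be modelled in a few lines. The cadence per tier (tier 1 annual, tier 2 every other year), the question ids and the finding texts are assumptions constructed for the example.

```python
"""Added illustration of the vendor-assessment workflow; tiers, question ids
and finding texts are constructed, not taken from the product."""
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed cadence by risk tier: tier 1 assessed annually, tier 2 every other year.
CADENCE_DAYS = {1: 365, 2: 730}

# Constructed survey questions: a "No" answer to any of these becomes a finding.
FINDING_RULES = {
    "vuln_policy": "Vendor has no vulnerability management policy",
    "soc1_report": "Vendor could not supply a current SOC1 report",
    "pci_aoc": "Vendor could not supply a PCI Attestation of Compliance",
}

@dataclass
class Vendor:
    name: str
    tier: int
    last_assessed: date
    findings: list = field(default_factory=list)

def next_due(vendor: Vendor) -> date:
    """Next assessment date according to the vendor's risk tier."""
    return vendor.last_assessed + timedelta(days=CADENCE_DAYS[vendor.tier])

def due_for_survey(vendors, today: date) -> list:
    """Names of vendors whose survey should be sent on or before today."""
    return [v.name for v in vendors if next_due(v) <= today]

def record_responses(vendor: Vendor, answers: dict) -> list:
    """Turn 'No' answers into findings on the vendor record and return the new ones.
    A word-boundary match keeps 'Not applicable' from being read as 'No'."""
    new = [FINDING_RULES[q] for q, a in answers.items()
           if q in FINDING_RULES and re.match(r"\s*no\b", a, re.IGNORECASE)]
    vendor.findings.extend(new)
    return new
```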
Creating real-time compliance visibility
While surveys provided the critical data input for vendor risk management, the enterprise risk management team also urgently needed effortless, up-to-date reporting.
“Real-time status monitoring? We had none. We had to pull reports out of MS Access or look at individual spreadsheets. Any sort of consolidated reporting and metrics aggregation was coming from multiple sources. Sometimes that took days.”
Dynamic dashboards were created in Onspring to display vendor profiles, services and findings areas, plus heat maps for risk, life cycle funnels, and charts to highlight overdue and upcoming assessments.
With the new vendor survey approach, the team could slice survey data any number of ways to monitor status in real time. Additionally, assessment activity, vendor findings and high-level integrations fed into each vendor profile, which automatically computed values such as:
- Aggregate contract dollar sums
- Vendor tier
- Risk score
There was no need to run separate analytics for each of these items anymore.
Reporting capabilities advanced workflow transparency as well. With a vendor operations dashboard, vendor analysts could log in and quickly gauge their workload from real-time reports, such as open compliance issues (previously mapped from PCI controls to vendor assessments), plus:
- Findings & tasks
- Downward trending
- Contract details
- Review schedules
- Outstanding surveys
- Vendors with key risks
A truly comprehensive governance, risk and compliance program built to serve current and future needs of this enterprise.