SITUATION & BUSINESS CHALLENGE
The governance, risk management and compliance (GRC) team within a major division at a global technology company was finding it difficult to categorize, track and see through to completion thousands of GRC-related issues, some very critical in nature.
The team was undermanned and under-resourced to mitigate an ever-growing pipeline of issues related to privacy standards, internal and external audits, business continuity, and a variety of security risks. Workers tasked to solve these problems found it difficult to convince higher-level managers to prioritize these matters atop the mountain of daily issues they already faced.
A significant challenge for the team was the rudimentary issue tracking/reporting solution then in use. The outdated solution had insufficient reporting capabilities and was difficult for workers to master, sometimes resulting in duplicated entries and other errors.
Short-handed and in need of fresh resources and ideas, the team began to look externally for assistance. Whoever came on board would need to quickly learn to navigate the complexity of the company’s communication structure. Knowing when to push and when to defer to stakeholders would require experienced, self-organizing resources with the right know-how and agility to learn quickly on the job.
From prior engagements within the division, GRC saw AIM Consulting as a trusted partner with a proven track record of delivering solid and effective resources and turned to AIM’s Cloud & Operations practice for help.
AIM delivered a team of five consultants to the GRC team in the initial stages of the project. After onboarding and getting up to speed with the company’s processes and technologies, they began to decipher how to engage with different stakeholders and groups within the division. Despite the steep learning curve, AIM soon gained a foothold within the team and division and established trust and strong rapport with stakeholders.
As the relationship evolved, AIM resources grew more familiar with the GRC team’s tools and practices, including the outdated issue tracking/reporting solution. Over time, AIM’s creative thinking and ingenuity sparked enhancements in automation, reporting and additional tools. AIM developed and continues to evolve a solution that leverages Visual Studio Team Services to query the GRC team’s and other teams’ SQL databases, pulling information into robust PowerBI dashboards that provide numerous capabilities to stakeholders, including:
- Real-time insight into the health of the issue pipeline, assignments, and issues in need of further visibility and attention.
- The ability to determine at a glance what issues to focus on, and the state and size of issue pipelines for determining the best methods and avenues toward resolution.
- The length of time it takes to resolve issues, according to severity, and the number of issues successfully resolved over chosen periods of time.
- The capability to showcase the overall GRC effort and easily report team and issue health to their superiors.
Additionally, AIM created custom reports on demand, leveraging its extensive PowerBI skillset, developed through its partnership with Microsoft Corporation in PowerBI and other technologies.
With every success, the AIM team grew to work more independently in a managed-services scenario within the GRC team, handling an increasing number of issues on its own while also working more with internal audit teams. The maturation enabled a stunning reduction in the number of external issues needing resolution, from 30% to around 5%.
The AIM team interacted with hundreds of the company’s employees across many divisions for issue resolution, tracking and managing each issue to completion. This included categorizing and tracking each issue, determining which team at the company needs to own it, getting that team to accept responsibility to resolve it in the necessary timeframe, and mitigating the issue until full resolution. AIM negotiated to whatever level necessary to get teams to address the issues.
Among the wide variety of issues handled on a regular basis are the following:
- Risk — in the areas of operations, information security, technology, and more.
- Compliance — regulatory measures such as SOX, GDPR and others; and legal, quality, and organizational compliance.
- Business continuity — disaster recovery and failover, ensuring mitigation plans are in place for certain types and lengths of outages.
- Security — for example, ensuring that traffic between the client and its customers is encrypted where required, and that the communication channels carrying it are adequately secured.
The client has embraced an agile philosophy enterprise-wide, even within non-development functional groups such as GRC teams. With the client’s expectation for this GRC team to adhere to agile methodology, AIM became an even stronger partner choice because of its extensive agile knowledge and experience.
As the project matured, the client requested more mid-tier and higher-level AIM resources, showing the strong level of trust in the partnership and level of service AIM delivered.
The client is thrilled with the engagement, having received much more value than anticipated in terms of AIM’s self-organization, ingenuity, agile competence, and PowerBI and other technical expertise. The GRC team now has a trusted set of processes and dashboards that help it manage an ever-growing set of complex issues around compliance, security, risk and business continuity.
Because of a client requirement not to have vendor workers assigned to a project for more than 18 consecutive months, AIM has replaced its team members with equally skilled resources on a continual basis with no interruption of consistency or expertise.
The team and solution continue to evolve, enhancing efficiencies for the GRC team, and other groups at the company are now reaching out to AIM to help enhance their own GRC solutions.