Challenge: Aggressive Board Mandate Triggers Lofty Company Goal
Companies are often cautioned against rolling out new large-scale programs all at the same time. Pushback from the status quo, steep learning curves, and lack of adoption have killed many programs with grand visions.
When an Alaska-based telecom was given a mandate by its board to create a broad-reaching governance, risk and compliance (GRC) program managing everything from audit and compliance to third-party risk and business continuity, success was not assured. The telecom provider faced a number of challenges, including a staffing shortage, customer demands, a dynamic regulatory environment and the off-the-grid nature of Alaska. It relied on spreadsheets, email and tribal knowledge for a patchwork compliance program, and lacked a comprehensive view of its real risk areas. To make it even more challenging, the board requested that the new GRC program be up and running in 18 months.
Solution: NAVEX Global’s Advanced GRC Platform, Lockpath
To build a security compliance program, the telecom company hired a seasoned CISO with experience building similar programs. The company then formed a GRC team to integrate the entire GRC ecosystem at once. It was an aggressive strategy that ran counter to the standard practice of building out one practice area before expanding outward.
For the new GRC team to be successful, the telecom company needed a technology solution that could handle data documentation and act as a collaboration tool to support the new ecosystem.
They chose Lockpath, NAVEX Global's GRC platform, which is designed for integrated risk management. Lockpath delivered on the company's needs; namely, a collaborative tool with automation and functionality specific to the company's use cases. Once data is in Lockpath, it becomes actionable information that is then reported to business units to help them take action or make an informed decision.
The GRC team was able to take a lifecycle approach to security compliance. It started with a controls framework design that led to a current state assessment, followed by risk prioritization, remediation and reporting, with ongoing maintenance and, when necessary, updates to the framework. Lockpath supports every stage of this lifecycle.
Saving Hours & Dollars Running a GRC Program
Using Lockpath, the telecom company's GRC team created a custom control framework to comply with various regulations and standards, including HIPAA, PCI DSS, SOX, ISO 27001 and NIST SP 800-53. They tracked progress within Lockpath, reporting remediation efforts back to the business units to aid decision-making regarding security compliance.
The telecom company relied on Lockpath not just for security compliance and documentation but also for audit, operational risk, business continuity, third-party risk and physical security. Physical security is a particular challenge for a company with offices in remote Alaskan villages, where wildlife encounters are a real possibility.
Using Lockpath, the company reduced costs related to audit findings management by 80%. Managing risk exceptions and audits was streamlined, even though the exception process contains multiple approval workflows. Audits became so efficient that a single internal auditor was able to conduct several audits, offering more comprehensive results without adding headcount.
The GRC team also relied on Lockpath to manage its business continuity program's business impact analysis (BIA) for various adverse events. Lockpath’s real-time data access saved each department an average of 200 hours by preparing their BIAs in the system. Prior to Lockpath, each department would take weeks to gather records and supporting data for the company's business continuity plan.
Results: A Snapshot View At The 18-Month Mark
Over the course of 18 months, the telecom company used Lockpath to implement the following programs: records and information management, business continuity, security compliance, audit, enterprise third-party risk management, policy lifecycle management and SOC 2.
The company accomplished all this within budget and on schedule, resulting in hundreds of hours and thousands of dollars saved. The future also looks promising with plans to grow and mature all programs, plus a new goal to achieve ISO certification.