
StratexPoint is one of the most comprehensive and effective Enterprise Governance, Risk and Compliance (GRC) solutions on the market today. Many of our customers are constantly impressed with how increasingly valuable their investment in StratexPoint is, especially with the influx of new regulatory rules encompassing the industry. As our customers mature their approach, build out their GRC frameworks and continuously look for productivity improvements, and as regulatory demands increase, many are utilising the extensive range of the solution’s capabilities more and more.

However, there are some capabilities that are not widely used, often because they were developed in conjunction with a specific customer’s needs. These capabilities can now be used across our customers’ StratexPoint frameworks to provide further reassurance of effective strategy execution within appetite in line with the new regulations.

In a series of three posts, we will outline three little-known but high-value capabilities within StratexPoint which you, our customers, may not be utilising to their fullest potential. We will also describe scenarios in which they can be used. These capabilities are:

1) Stratex Bridge

2) Stratex Timebox

3) Stratex Benchmarking

Part 1: Stratex Bridge

Stratex Bridge is a utility within StratexPoint that enables the solution to summarise indicator, risk exposure and control effectiveness information from one instance of StratexPoint and transfer the summarised information to another instance of StratexPoint.

This capability was developed in conjunction with a large defence contractor who deployed StratexPoint to underpin their cyber risk transformation program. They used StratexPoint to help them identify and document all the information assets they had within their business. They then completed an initial risk assessment to identify critical and non-critical information assets, followed by the application of a risk and controls framework to the critical information assets. This framework included the business outcomes that the information asset was aligned to, such as objectives, processes, initiatives, risks, controls, actions, issues, and of course, indicators. Indicators included Key Performance Indicators (KPIs) to measure the business outcomes, Key Risk Indicators (KRIs) to measure changes in risk levels and Key Control Indicators (KCIs) to measure changes in control effectiveness levels.

One of the challenges related to this project was reporting risk exposure, control effectiveness, action and issue status, and indicator trends and status to senior management. The challenge was that, of the 11,000+ information assets defined, over 80% of the critical assets were deemed ‘secret’, and the majority of senior management were not cleared to know the details of those assets. However, as a PLC, the company is obliged under company law and corporate governance regulation to have its senior management determine the firm’s willingness to take risk, i.e. its risk appetite, and to monitor and manage the firm’s exposure to risk in line with that appetite.

So, the challenge was to give senior management a way of setting risk appetite and monitoring exposures at a summary level, by business unit and information asset, without being given the full asset details, in line with the security measures in place.

The solution was the Stratex Bridge. This utility is designed to be used in a situation where there are two separate instances of StratexPoint which need to exchange information. In this case, there was an instance of StratexPoint deployed on both the secure and non-secure SharePoint environments.

Stratex Bridge was originally designed to extract summary-level risk exposure, control effectiveness, action and issue status, and indicator status information. Through a bi-directional FTP transfer, the summary information from the secure instance was loaded into the non-secure instance of StratexPoint, and the summary information from the non-secure instance was loaded into the secure instance. The information is summarised on each side so that no identifying information moves between instances; there is therefore no way for senior management in the non-secure environment to see information at the asset level, and vice versa.
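As an added illustration, not StratexPoint code or the vendor's method, the following Python shows the summarisation step described above: asset-level records are rolled up per business unit, business units with too few assets to aggregate safely are suppressed (a hypothetical threshold; the page does not state how Stratex Bridge handles small groups), and the resulting export is checked for leaked asset identifiers before it would be transferred. The record fields, the threshold and the sample data are all assumptions.

```python
"""Summary-level export with small-group suppression and an identifier-leak check.

Added example; not StratexPoint code. Field names, the MIN_GROUP threshold and
the sample records are assumptions constructed for illustration."""
import json
from collections import defaultdict
from statistics import mean

MIN_GROUP = 3  # hypothetical: refuse to summarise a unit with fewer assets than this


def rec(asset_id, business_unit, risk_exposure, control_effectiveness):
    """Build one asset-level record (scores assumed on a 1-5 scale)."""
    return {"asset_id": asset_id, "business_unit": business_unit,
            "risk_exposure": risk_exposure, "control_effectiveness": control_effectiveness}


# Constructed sample data, not from any real deployment.
ASSETS = [
    rec("A-001", "Avionics", 4, 2), rec("A-002", "Avionics", 5, 3), rec("A-003", "Avionics", 2, 4),
    rec("N-001", "Naval", 5, 1),  # a unit with a single asset: a summary would identify it
    rec("C-001", "Corporate IT", 1, 4), rec("C-002", "Corporate IT", 2, 4),
    rec("C-003", "Corporate IT", 3, 3), rec("C-004", "Corporate IT", 2, 5),
]


def summarise(records, min_group=MIN_GROUP):
    """Roll asset-level records up to per-business-unit figures, suppressing small groups."""
    groups = defaultdict(list)
    for r in records:
        groups[r["business_unit"]].append(r)
    summary = {}
    for unit, rows in groups.items():
        if len(rows) < min_group:
            summary[unit] = {"suppressed": True}  # no count, no scores: nothing to infer from
            continue
        summary[unit] = {
            "suppressed": False,
            "asset_count": len(rows),
            "avg_risk_exposure": round(mean(r["risk_exposure"] for r in rows), 2),
            "avg_control_effectiveness": round(mean(r["control_effectiveness"] for r in rows), 2),
            "high_exposure_share": round(sum(r["risk_exposure"] >= 4 for r in rows) / len(rows), 2),
        }
    return summary


def leaked_identifiers(summary, records):
    """Return any asset identifiers that appear in the serialised export (expected: none)."""
    blob = json.dumps(summary)
    return sorted({r["asset_id"] for r in records if r["asset_id"] in blob})
```

The leak check is the gate a transfer job would run before handing the file to the FTP step; a non-empty result means the export is not summary-level and must not leave the secure side.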

The main benefit of this approach is that management in both the secure and non-secure environments have a complete picture of the performance of the business at every level, and are able to understand risk appetite and risk exposures across the business (as well as spot trends, etc.) without breaching any security clearances. Both environments hold a complete picture of the business, even if only at a summary level, and of course a drill-down to more detail is available where the appropriate security clearance is held.

This project was, and continues to be, a major success and played a large part in our customer moving from a situation where Ministry of Defence contracts worth millions were at risk, to a situation where our customer used their newly found cyber risk management capabilities in sales pitches to secure additional defence contracts.

So how else could this capability be deployed?

Two use cases come immediately to mind.

1) For firms which currently have, or are in the process of implementing, different board and governance structures for parts of their business, e.g. where a bank has implemented the UK Government’s ring fence for its retail banking business, Stratex Bridge would enable both the main board and the retail banking board to have a complete picture of the group without having access to sensitive information on either side. This could be an effective way of demonstrating the separation of the retail bank within the group, while enabling the main board to fulfil its obligations under UK company law and corporate governance regulation. It would also provide both boards with the information they need, as well as the ability to demonstrate that the information was available to them when making decisions, something that must be taken into account under the impending Senior Managers Regime (SMR).

2) Stratex Bridge also allows firms to seamlessly exchange data between themselves and their outsource partner in instances when firms have outsourced key business processes. In such situations, key performance management, operational risk management and conduct risk management information can be automatically extracted from the outsource provider’s environment and loaded at a summary level into the firm’s environment. Equally, compliance monitoring and quality assurance information can be extracted from the firm’s environment and loaded into the outsource provider’s environment. Using Stratex Bridge alongside the Relationships and Compliance Monitoring capabilities within StratexPoint would enable an open, transparent and productive relationship to emerge between the firm and its outsource partners.

As firms increase collaborations across their supply and demand chains, and as regulatory pressures increase, there will be multiple scenarios where the Stratex Bridge can be used to automate the exchange of summary level enterprise performance, governance and enterprise risk, operational risk, and conduct risk and compliance information securely and seamlessly between parties.

Our next blog explains the capability of Stratex Timebox, which delivers significant, crucial value for firms and individuals included in the Senior Managers Regime (SMR).

If you would like to discuss the capabilities of Stratex Bridge in more detail, do not hesitate to get in touch!