 

Synovus Financial Corp.

Success Case (PDF)

IT GRC and beyond with Modulo Risk Manager™

Challenges
• Automate the IT GRC process to eliminate manual costs associated with risk assessments, consolidate IT GRC data into a common format, and automate workflow
• Communicate risk in a timely and consistent fashion with different information for different stakeholders
• Rationalize controls and create efficiencies around design, testing and reporting to meet increased regulatory scrutiny across all disciplines including HIPAA, PCI and SOX

Solution
Modulo Risk Manager enabled Synovus to achieve its governance, risk and compliance audit goals on time and on budget, and to do twice as much with the same resources. Synovus is also leveraging Modulo to mature its information risk process into an operational discipline, providing a more complete picture of the company's risk posture.

“Using an innovative approach to GRC with Modulo we have been able to streamline our risk assessments, reduce our control testing and expenses, and improve our communication of risk to various lines. This was necessary to understand the complex and dynamic dependencies of IT resources to support critical system availability and confidentiality. By implementing a GRC platform to define dependencies and control effectiveness we can better understand our risk profile and make important strategic decisions.”

Results
• Creating efficiencies and consistency by unifying silos of data into one automated governance, risk and compliance program
• Completed 40% more risk assessments without adding any additional resources
• Finished risk assessments two months ahead of schedule
• Do twice as much with the same resources
• Attained a complete picture of the company-wide risk posture for improved business decision making

Challenges
Faced with increased regulatory scrutiny across all disciplines and an exponentially more complex environment as a result of consolidation, Synovus was under pressure to complete more risk assessments. Additionally, Synovus was in the process of evolving its information risk practice into a broader, more mature operational risk discipline in order to get a complete picture of the organization's risk posture. This extensive GRC initiative spanned three core needs:
• Automate the IT GRC process to eliminate manual costs associated with risk assessments, consolidate IT GRC data into a common format, and automate workflow
• Communicate risk in a timely and consistent fashion with different information for different stakeholders
• Rationalize controls and create efficiencies around design, testing and reporting to meet increased regulatory scrutiny across all disciplines including HIPAA, PCI and SOX

Solution Overview
The Synovus information risk team had been closely watching the GRC industry for a while and was waiting for the right combination of technology advancements and the right vendor fit before choosing a solutions vendor. The team was looking for a GRC platform that could meet three key requirements:
• Ability to deploy rapidly
• Flexibility and compatibility with internal methodologies, such as vendor management and business continuity planning
• Good partnership with a vendor who understood their needs and that they could grow with in terms of future functionality

With Modulo Risk Manager, Synovus was able to realize these efficiencies and consistencies early on in the project, extend these benefits to other areas of the business, and better understand and communicate the overall business risk posture.

“Our team is better positioned to add value, establish meaningful relationships, influence drivers of behavior, and make the right decisions to manage risk effectively in the organization. I've learned that risk communication is one of the most critical services that we provide.”

Modulo Deployment Details
Synovus started the GRC process with an asset inventory of people, processes and technology – no small task for an organization with thousands of assets to manage. Because Modulo Risk Manager offers strong relationship mapping between business processes, system dependencies, and assets, the solution aligned very well with the Synovus approach and was quickly implemented. Synovus also evaluated the Modulo risk calculations against its own internal methodologies, and chose to adopt the Modulo risk analysis index based on Probability, Severity, Relevance (PSR) for each absent control. Next, Synovus identified and assessed the relevant controls in its environment and began the risk assessments, looking at risk at both an individual bank level and a corporate level. Synovus evaluated 60-70 business processes in just nine months and is now extending the Modulo solution to other methodologies including vendor management, incident response and business continuity planning.

Synovus also discovered unexpected benefits from the Modulo GRC approach, such as dashboard capabilities and drill down views into different risks and their underlying causes - even risk analysis on a blend of qualitative and quantitative controls and drill down from different perspectives.

Why Modulo?
Synovus evaluated several GRC vendors and determined that not only did Modulo meet their core criteria, but also that the company culture and partnership approach were a strategic benefit. Early on in the process, Synovus met with the Modulo executive team and gained invaluable insights into how to develop requirements and how to expand into initiatives related to operational risk, leveraging things like taxonomies around the products and the functions within the company and then aligning with risk and controls.

“Modulo 'gets it' in terms of understanding the challenges in risk management. They are a strategic partner to us and are extremely well trained and responsive. Modulo proves that it is easy to grow with an IT GRC platform into broader operational and enterprise risk approaches, rather than the other way around.”

Looking Ahead
The Synovus team expects to continually find new uses for the flexible Modulo Risk Manager platform that streamline and improve their security, risk and compliance management initiatives. From an IT risk perspective, Synovus will extend the program to tie company policies and industry controls (such as those for COBIT and SOX) to the Modulo framework controls for more efficient rationalization of controls. They also plan to integrate data from third-party vulnerability scanning systems into the model for a more complete picture of gaps and risks. From an operational risk perspective, they plan to record and report data losses due to process and technology failures or fraud to proactively identify exposures before they impact the business. Finally, with the transition to the next generation Modulo Risk Manager Web-based platform, they will be able to more easily customize and scale the product to meet the growing needs of the organization as well as to integrate it with other existing processes and technologies.

“Working with key partners like Modulo we have a unique opportunity to expand our management and communication capabilities into operational risk. By leveraging a common taxonomy of business process, products, controls and risk, we are much better positioned to manage risk more effectively.”

Customer
Synovus (NYSE: SNV) is a financial services company with more than $32 billion in assets based in Columbus, Georgia. Synovus Financial Corp.'s banking divisions provide commercial and retail banking, investment and mortgage services to customers in Georgia, Alabama, South Carolina, Florida and Tennessee.

Synovus recently consolidated its 350 independently chartered bank branches. With 6,700 employees and a heterogeneous environment spanning a variety of operating systems, servers and application platforms as well as legacy systems for each of the back-end core banking platforms, the infrastructure of the multi-bank model was complex. As a result of this consolidation as well as an increasing number of regulations to comply with – from PCI, HIPAA, FFIAC, OCC, SOX, GLBA, FFIEC, and SECISO to FDIC as well as other federal and state government requirements – the Synovus information risk team was responsible for completing twice the amount of audits with the same number of resources as well as streamlining its overall governance, risk and compliance program.


 
