Quantivate’s Vice President of Enterprise Risk Management Services, William “Bill” Hord, was recently interviewed at DRJ Fall 2018, Disaster Recovery Journal’s annual conference. He spoke with Alex Fullick, host of the podcast Preparing for the Unexpected, about how organizations can integrate their risk management activities.
Read some highlights from his interview below.
Alex: So what does Quantivate do, and what do you do as the VP of Enterprise Risk Management Services?
Bill: Well, in a nutshell, Quantivate provides a comprehensive, integrated solution for governance, risk, and compliance. It’s a software suite that provides a systematic approach to defining and managing GRC initiatives.
Our solution really allows organizations to align their risk management, their business continuity, their vendor management, IT, and so on, with corporate strategy. We have seven modules that integrate together and share various data points across risk management as a whole.
As for me, I oversee the enterprise risk management services, and we work with all of our clients to assist them in either building out risk management programs or maturing their existing risk management programs, regardless of whether that’s from an enterprise perspective, business continuity, vendor management, or another area.
Alex: So let’s say I’m the BCP/DR [business continuity plan / disaster recovery] guy. How do I use this tool?
Bill: The way you use this tool is it allows you to do your BIAs, your business impact analysis, and then create your plans across the various processes. You’re able to leverage all of your dependencies and document those dependencies and then be able to create your plans from that and develop your RTOs [recovery time objectives], RPOs [recovery point objectives], things of that nature.
The notifications that are built inside of the system are probably one of the bigger features. When you talk about managing business continuity across an enterprise, a lot of times people say, “I don’t have time to babysit.” So the system allows you to set up broadcasts and notifications that not only allow you to see what’s going on and what needs to be done, but also provides that gentle reminder to your subject matter experts that we need some data.
Alex: Before we came on air, you mentioned that other areas can use this tool. Let’s say I’m an IT professional working in information security. How do they leverage that? How do [different departments or business units] end up walking towards the same end goal and not just using everything in a silo?
Bill: That’s a great question, because we see that quite a bit. When we go in and do some analysis [for customers], we look at: “What is your GRC solution today?” Because it’s not that folks don’t have it; the issue becomes that [their solutions] are very siloed in nature in a lot of cases.
So Quantivate has what’s called shared attributes — think of it as a data element, whether that is a vendor’s information, or information that’s coming from a dependency related to business continuity, or a control inside of IT. Any place that that information is applicable in terms of those other disciplines — vendor management, business continuity, enterprise risk — any place that those are utilized, it’s updated in real time.
So say, for example, you’ve got your vendor management folks, and they’re constantly doing due diligence on the vendors: they’re adding new vendors; they’re removing vendors; they’re even changing technical contact information around those vendors. Well, that information also is (or should be) leveraged inside of business continuity in some instances, because vendors are dependencies inside of business continuity.
Sometimes it happens in that siloed environment that the vendor management team adds a vendor or changes some technical contact information, and they don’t necessarily remember to tell the folks in business continuity…
Alex: It’s not sometimes, let me tell you!
Bill: Exactly, so by having a relational database across all of our modules, if you’re utilizing vendor management and business continuity and you make that update, what’s going to happen in real time is where a shared attribute is being utilized in business continuity, it is then instantly going to be updated [in vendor management] and notifications sent out.
Therefore, you don’t have to worry about duplication of data; you don’t have errors from people typing in the phone number or name wrong or whatever the case may be — that data stays in sync, and it happens in a real time environment.