I recently visited with Joe Schorr about the managing a multi-entity GRC architecture with 6clicks hub and spoke for a sponsored podcast series. You can check out Joe’s podcast here. Joe is the VP and Global Head of Strategic Partnerships & Alliances at 6clicks. He handles global channels, which encompasses service provider partners and technology partners and the traditional channel resale role. We turned to the ‘hub and spoke’ model which 6clicks advocates. He said that 6clicks pioneered the evolution from a multi-tenant or federated approach of GRC architecture to hub and spoke model. The difference is that in a multi-tenant or federated approach it is seen as much more vertical or up and down the chain. But the hub and spoke is “just like with airline travel, back in the old days of networking, where we had hubs, routers and switches and the computers all hooked to a hub.”
Schorr went to explain, “in our model, we’re using what we call center of excellence, think of it as the headquarters or the hub or the terminal and an airport. And they have the different wings go out to the different entities.” The architecture can “pull different types of data and analytics from those entities, or those folks are out there bringing them back into the center of excellence.” Additionally, “the center of excellence by the same token can have a lot of centralized benefits like templates and controls which they are able to push that out at the same time to all these different entities.” Schorr believes it is “the holy grail of what people have been looking for; to control from a central location really complex information that require a ton of data flowing both ways.”
Moreover, the hub and spoke approach facilitates a GRC conversation with a wide variety of people. This could include compliance professionals, lawyers, other non-technical folks at the C-suite or executive level and certainly in the Board level and everywhere in between. It helps to define everyone’s role in the GRC and broader risk management process. Schorr said, “That’s beauty of it because you can craft it. For instance, in a Private Equity company with multiple portfolio companies, there is much sensitive information and, not everybody in every portfolio company needs to see what’s going on in every other portfolio company. This approach allows an organization to segregate all that data yet allows you the freedom to utilize the information you want to as access control is built into the architecture.”
We continued on the example of the private equity firm with multiple portfolio companies, which are sometimes in the same industry, but sometimes not. There is always a wide variety of data and disparate sources of data that you have to pull in. This disparate data has to be collected, in a manner that can be utilized by the private equity firm, the corporate office, whatever the hub might be. However, the stakeholders, corporate subsidiaries or portfolio companies at the end of the spoke might need that data to make tactical if not strategic decisions. Next, overlay reporting to senior management and then a Board of Directors, all in a changing regulatory environment. This hub and spoke architecture can be an incredibly powerful way to collect and utilize data. Schorr explained, “if you are hired to do a risk assessment against 200 portfolio companies, you have a massive set of risk data in all kinds of different things. You have collected data; you have interviews, you have done vulnerability scanning, you’ve done risk assessments, third party risk assessments, vendor assessments, everything you could possibly imagine. That is all rolled up collected somewhere and a bunch of smart people look at it and we’re all trying to grade it and do things manually and push it around. And at the end of the day, just like you said, this is really important.”
This approach allows you to prepare a Board level C-suite report. You can also create a functional management report for middle management as that level is usually the one which must read this and decipher it and then push it out. Schorr said, “there is also a bottom layer which a report needs to go out to. It’s almost a raw data level report that goes out to the people in the field or the people at those portfolio companies who are responsible for fixing things” the hub and spoke approach to 6clicks GRC architecture allows you to work on those levels.
For more information on 6clicks, check out their website here.
[View source.]
