It is well known in the community that we find “Templates” (policies, controls, risks, mappings, etc.) pretty useless, and even more so now with AI. We see more and more of our customers using ChatGPT and asking this sort of question:
If we could add to that question, “please format this so I can import it to eramba”, that would be very nice for people starting in the GRC space (and even for those that claim 150 years of experience).
Templates don’t work because everyone does things differently, but they do work when you would like to know “what questions need answers to determine if we have a solution for a particular problem”.
It would be interesting if these questions could be automatically embedded in eramba. For the time being we are busy with the new UI, but I do see some of this taking place next year.
Have you guys seen real implementation on this sort of space?
Hi,
I have seen TPRM solutions leveraging AI in three ways:
- The business uploads all its approved policies and standards, and the AI TPRM platform generates an adaptive questionnaire to use for supplier assessments. It is done in a “copilot” manner, so you can amend and tweak before you make your questionnaire final.
- When a request is sent to the supplier to fill out the questionnaire, the supplier is given the option to upload their information security documents (SoA, policies, standards, procedures, etc.), and the AI pulls out the pertinent information and pre-populates the questionnaire, again in “copilot” mode, allowing the supplier to review all answers before submitting.
- The AI evaluates the answers provided by the supplier against the baseline created with the initial questionnaire creation and business profile, and automatically assesses the risks with a suggestion on whether this is above or below tolerance.
The clear benefit is the sheer time reduction in completing a questionnaire, meaning it is more likely to be done in a timely manner and with a bit more accuracy (assuming the supplier’s uploaded documents were accurate in the first place).
Not sure if I totally follow the ask/question, but we build a lot of our assessments through Claude’s innate knowledge of Eramba coupled with proprietary information from our risk program and supplemental documents. It was very effective at turning them into (mostly) compatible assessment templates to ask about a variety of risk scenarios/observations.
If there were a “community library” it could be useful, but it requires a lot of resources to maintain and carries limited value as a raw CSV (i.e. it is more valuable as a database to reference) or as some elemental object that could be used to generate risks, threats, etc. with relevant tags/metadata.