I have some general questions about scalability and user experience as we here at Convatec (www.convatec.com) consider adopting Eramba, and Esteban has kindly assented to my asking these questions directly from the community.
- Has anyone successfully implemented Eramba on a global scale for a 10K+ employee organisation and, if so, have you found this easily scalable?
- We are developing our own automated controls monitoring capability, so I am really interested to hear from anyone who has experience using the Eramba API to import control statuses directly into Eramba - if you have done this, what was your experience?
- We have multiple accountability models within our organisation, which makes having a single organisational hierarchy/taxonomy problematic. I’d be interested to hear from you if you have had similar challenges and how you solved them.
As I am new to the community, a little about me: I am CISO for Convatec and have, amongst many other experiences, a background in the development of GRC systems, having worked with the team that developed Archer, and having also developed what was to be an Open Source system as a branch from Tiki/CMS (Company lawyers, that’s all I’ll say). I was excited to learn about Eramba and have so far been impressed by the vision behind the system.
We have experience implementing eramba in large and medium-sized organizations. Regarding your questions:
- Although we have implemented eramba in large companies, we have rarely exceeded 500 users, so the problem with eramba is affordable. The keys to our success are:
  - As a good practice, before starting this type of project, we usually undertake a project to create a Unified Control Framework, minimizing the number of controls and users, with a common methodology.
  - Implement LDAP and a good **access management**/profile configuration, taking into account a light/basic profile that will be automatically assigned to new users. In our experience, 90-95% of users are light users who only need to contribute to the “tasks” that you assign to them (i.e. provide evidence, review a risk/control/policy…)
  - Always think about usability for this kind of user; the application must be self-training for them. You can do it through notifications, explaining well what they have to do and where they have to click, and inserting direct links to the place where they have to perform their activities.
  - For 2nd line/supervisors, create some reports and filters where they can quickly monitor the activities performed by the others.
We have also implemented automated controls within eramba (also using our own technology that is linked to the eramba API). Basically we use control issues, which are filled with the basic information found by the rule, the link to the control, a deadline, the person responsible for taking action/providing an action plan, and an attached Excel file with the detail of the transactions that are causing the issue. In the end, what we are implementing is a Continuous Control Monitoring model.
In order to solve the multiple models problem, you have different options:
a) Acquire one instance of eramba for each methodology/part of our organization and connect the eramba instances with each other. To be honest, with the low cost of eramba, this should not be a problem for a large organization.
b) (Our recommendation) Use the Compliance module of eramba in order to load the different methodologies/taxonomies and use Compliance Mapping in order to establish the link between them.
I hope that our experience helps you and encourages you to definitely join this amazing community. Please let us know if you need anything else.
Thanks for your quick response. I’d be interested to understand the geographical scope of your implementation (one country?)
We have implemented Eramba for several clients with different approaches.
- Single country/business unit
- Multiple countries/business units managed by a single global team
- Multiple countries/business units managed by local teams
Nobody else? I’d be particularly happy to hear from end-users living with this, as well as consultants who implement it on behalf of clients.
Good morning Jorge,
One final question: if you have experience in implementing for clients, would you be available to present your approach to my stakeholder here at Convatec?
Sure, I will send you my contact details by private message.
Also, we are implementing eramba internally (for Deloitte Spain), so we are becoming end-users as well. We will have different business units/entities working together in the same application.