GRC and Access Governance better together

GRC and Access Governance

As organizations continue to accelerate digital transformation for increased competitive advantage and efficiency in today’s ambiguous and volatile world, businesses are struggling to keep pace with increased scrutiny from regulators, customer demands, and complexity from cloud and hybrid IT environments.

Whilst some risks decrease, others increase with digitization and there is a need for today’s dynamic enterprises to converge Identity Access Governance and GRC controls. This helps organizations strengthen their security posture and mitigate cyber threats whilst driving compliance and acting with integrity.

Join our thought leaders from CoreStream and SafePaaS as they discuss why GRC and Identity Access Governance need to work together to safeguard your organization from internal and external threats as well as protect you from increased audit scrutiny and allow you to achieve business objectives.


TRANSCRIPT

Emma: Hello, everybody and welcome to today's session, “Why GRC and Access Governance are the Digital Enterprise’s Perfect Partners.”

My name's Emma, and I'm here on the marketing team here at SafePaaS and I'm delighted to be joined by industry experts, Paul Cadwallader, and Adil Khan. Before we get started, a few housekeeping items. So this session will be recorded. All attendees are on mute. And if anybody has any questions, feel free to pop those in the control panel and we'll get to those at the end of the session. So, before we dive in, Paul, do you want to briefly introduce yourself?

Paul: Thank you very much. So, Paul Cadwallader, I'm Head of Business Development at CoreStream, but I've got more than around 20 plus years of experience in the GRC space, having been a former big four partner here in the UK.

Emma: Great, and we are still waiting for Adil to join but hopefully, he'll join soon. So in the meantime, this is the agenda we'll be following today. Just to get on the same page we'll be talking about, What is GRC? What is Access Governance? The challenges businesses are currently facing, drivers, best practices, and benefits. So, Paul, over to you.

Paul: Wonderful, thank you very much. So let's look at the definition. So I'm going to cover GRC. GRC is much wider than people often think; when people hear GRC alongside access governance, they think segregation of duties, or a particular software vendor because they have modules called GRC. It's actually all aspects of an organization. So if we think about governance, it's the setup and the processes to help reliably achieve objectives in an organization. And then from a risk management point of view, it's about addressing uncertainty. We actually look at ISO 31000. It defines risk as the effect of uncertainty on objectives. So, good risk management is about achieving those objectives, optimizing those risk-taking elements, and creating value, and so that's very much all about identification and management of uncertainty. Then compliance, the C of GRC, acting with integrity. That's about adhering to the regulations, but also anything in channels such as policy and any commitments. Or obligations could be contractual.

And so all of those things come together to help an organization act with integrity. GRC covers everything in the organization, all the way from the whole top group parts, all the way through the entities, the processes, the assets, and it covers all the kinds of objectives such as strategic and departmental process-level objectives as well. So, it is much bigger than people often think when they hear GRC. Adil, from your point of view, how do you define access governance?

Adil: Yes. Thanks, Paul, for defining the high-level governance risk and compliance. When I think of access governance and what our customers are looking for, more specifically, I think of the, basically, the process through which you monitor and control access to enterprise systems in your, your company and your organization.

So, who has what access, how did they get it, when, all of that information about access has become really important as our customers have moved to a digital platform, whether it be an ERP system, a CRM, HCM, all of these systems, on-premise, cloud, hybrid environment. Access governance has become a key top-of-mind opportunity and a challenge for our customers. Because we're accessing information about how we work, how we process, and how we execute our processes through the system, digital platforms. So, it's become really important to have the right level of access for the right individuals. And that's not just important for compliance, which is where a lot of these things started. For example, Sarbanes-Oxley here in the US. But it's also important for cybersecurity and cyber threats that we're facing at a very increasing and rapid level. So that's where access governance comes in. To me, it's a subdomain of the overall GRC, and that's why I think the two topics fit together very nicely.

It's not the same thing as Access Management. Access Management is more about just basically your typical identity management. Or Active Directory, where you put someone in the network when they start at your organization, you give them some privileges, and they've got access. There have been access management systems around for a long time. Where SafePaaS comes in is to take that system that you're using today for managing access and apply policies to that in such a way that you can control the risk in granting access and privileges at a very granular level to your identities and the users that use those identities.

So it's really about defining the security process and policies for your organization, and that's how we see access governance.

Emma: What are some of the challenges that businesses are facing today?

Adil: OK, great question. These are some examples of the challenges we're seeing from our customers. The first, the most important one is integration, because as I mentioned you have different systems today, and as we move to this digital platform, that, for the most part, is hybrid for the enterprise customers, not just one size fits all. Departments and teams are empowered to go buy the best tools and products, digital products on the platform that enable them to do their work more productively, more flexibly and in a more agile way. So, integration becomes the challenge or a barrier because now you have, for example, Okta or Azure where you're doing Identity Management. And then you're doing change requests, requesting your privileges through an ITSM system like ServiceNow. And then you're getting access to, let's say, Workday as your HCM system when you first start, that's where you're putting your timesheets or expenses. You're using tools like CRM because you're in a customer service business using Salesforce. So your account information is in Salesforce, and then your bills are being paid in Oracle or SAP, that's where you've got the back office. So, that challenge, what that means is that now you need some sort of a hub that can really define that identity and the privileges that user has access to across all these environments, and the way they request access and how it gets fulfilled, then provisioned and approved, all of that. That becomes a challenge. And so customers are struggling with that. They're doing it in spreadsheets and doing it offline, and many of the benefits of having a digital platform disappear.

If your users can get access to the right information, or on a least privileged basis. Because on one end, you're cutting down productivity and creating bottlenecks but on the other end if you open that up too much, you're inviting fraud and disclosure risks on your financial statements, ultimately, that impact your market value and your reputation. So that's kind of where we see the big challenge. And as we talk, I just mentioned, your dynamic workforce. So that's basically what the workforce is demanding from the companies and the IT Department says, “hey, we want the ability to work from anywhere.

We want the flexibility to work on different devices, and we want to be able to have an agile team where people change roles more frequently than they did in the old industrial world.” There are insider threats that we’ve talked about. So, that's a big reason why I mentioned previously compliance. These are the reasons, the drivers that Paul will talk more about that in a minute.

The other thing that's happening, some of the points at the bottom you can read on the screen yourself, that is important, is the complexity of your entitlements. So, because you're dealing with multiple security models in a typical digital platform, the hierarchies are different. And it's confusing security folks and our users because they're talking at different levels and talking past each other. So when I say that a role, let's say payables manager, is being assigned to someone, is that OK to assign that role or not? I mean, maybe it's OK, but maybe it's not. Maybe that role contains the information about creating suppliers and paying suppliers, so it is probably not OK from an SoD perspective. You don't want the same person to be doing both of those activities, but maybe it's OK from a security perspective, because they can't go and change the bank accounts. So, you really have to drill into these challenges and really talk to your customers to find where the challenges are. And then, the marketplace is demanding better security. So if you're doing business with your customers online, which many of us are, and our employees or staff are online, they're saying, we need our data protected. We need that information protected. We want to maintain the rights over that data. Just a couple of days ago, we heard about the billion dollar plus fine that Facebook is facing out of GDPR. So, customers are worried about, you know, where their data goes and how it's stored, and where it's stored, a lot more interest in that. And so, all of these problems are being addressed through the broader use cases around access governance. Change management is another area we've talked about, ITGC and STLC controls. I'll close with that by saying that IT management is spending more time and money and pulling their hair out on ensuring those ITGC, IT general controls, are effective.

Because when you give someone access, they can go and change your configuration, let's say in your ERP system, and let us say they changed the approval hierarchy or a bank account or payment terms. That could be just an effect. Could be just a silly error because they're new to a system, they're not trained yet, or it could be more for nefarious reasons or other problems within the process. So those are the kind of things that access governance helps you control. And we'll look at some examples later in the session.

Paul: For me, I mean I think Adil has really covered quite a lot of those things.

At the top of the page, he talked about kind of the siloed organization, almost, because business functions these days find it easy to adopt Cloud technologies, SaaS-based solutions, go out and buy them. And so that's a real challenge and a headache for those wanting to provide the governance of access to the company's data. That's definitely one of the big challenges in the space. Plus, also, from my point of view, I often see some of the more operational dimensions, the access management aspects, so the access governance aspects, move quicker than the overall governance and policy of the organization. And so you get a disconnect, a dislocation, between what the overall governance says, from an organizational budget of who can do what where, and reality, because access governance evolves quicker, because of having to respond to today's drivers. So coming together, it's definitely a big challenge for organizations, to then help manage that risk and demonstrate compliance with expectations of customers, regulators, auditors. All of those are driving those demands. And that's a big challenge for organizations with all those aspects going on.

Emma:  What are some of the drivers then, Paul?

Paul: So, today, what I would see is the digital transformation. There are so many organizations transforming their business models, their operating models, to be able to respond to the changing demand in the marketplace for their organizations. Everything moves online, kind of adoption in terms of people moving everything from, typically, an on-premise kind of capability through to the cloud. That aspect means it's an opportunity to re-engineer the fabric of the organization, the structure, the processes of how everything works. So that's a big driver for getting access governance integrated with understanding the ongoing risks and threats to an organization. Particularly as nearly every organization now will have cyber risk in one form or another in its top 10 risks, almost every single one, and any adoption of approaches such as zero trust means that you really do need a handle on access governance to be able to deliver on that and the management of that risk. So I think that's a driver alongside, because organizational executives have got far more focus on this than ever before and they're starting to understand the inter-connected play of risks to business. If you manage those, you get successful outcomes as a business. If you don't, it can create reputational damage, it can create regulatory pain for you, customers, auditors, and the like. If you don't manage some of these risks, and because systems, technology and protection of that nature become so critical to organizations, access governance is critical.

Adil mentioned it as a challenge, but it's also a driver as well - this move to hybrid environments where some people will be more in the office or at home, and it will be flex and fluid, and particularly as extended enterprises continue. So what I mean by that is where you rely on organizations outside of your own business to deliver part of your services or products. That hybrid environment of the extended enterprise, because you've got outside parties accessing your data and your systems, is another big driver with what's going on. Then if we think about regulations, increasingly there are more regulations coming out around not only managing your own business but that of your supply chain. Naturally that started much more in the ESG space and more in the kind of worker welfare, modern slavery, increasingly the environmental dimension around your supply chain. But if we think about ESG, a good portion of some of those elements are about personal privacy. And so there are aspects of regulations, and supply chain, and everything else that are going to start to increase and bring access governance and security-related topics into those aspects. Those drivers are making organizations think, in a much more joined-up, collaborative way, about how to respond to what's going on in the market. The challenge we've highlighted in the past and still today is that silo-based approach of acquiring systems, managing things, and so forth. And so, the more holistic, framework-type, collaborative thinking is definitely a driver, and also a key to success in terms of bringing access governance together into wider GRC and management.

Adil, I don’t know if you've got any additional thoughts on drivers out there that you're seeing as well.

Adil: Yeah, I mean, the more I'm hearing from the customers that are focused on the access issues. So I think inefficiencies are another driver. I just wanted to elaborate on that. There are a number of inefficiencies, or bottlenecks, that our customers are reporting to us when they come to us with these problems of compliance and governance and so forth. And as I mentioned briefly in the previous slide, it's really around having this fragmentation of an access governance process. They're doing it, because they're good companies, and that's why they talk to us, because they want to improve on something they're already doing, but it distracts them from their day jobs. To put it very simply.

I mean, we're all on a mission to do something for the market, for our customers, grow, take care of our employees, but this piece really bogs you down, and there's an audit fatigue that we hear from our customers. Sometimes that also accelerates into a finding in an audit, let's say, which is a significant deficiency or even a material weakness, and that basically is a debt or a sentence for a company because you have to spend unlimited amounts of time and resources to resolve those issues and make sure they don't reoccur. And trying to do that in spreadsheets and standard reports out of these systems is literally a fool's error. So you have to find ways to get out there. So that's a very practical driver that we hear from the IT folks in organizations, audit folks, internal audit folks in your organizations, where they're doing the best they can, but unfortunately, it's not good enough, given the complexity of their enterprise, and it's time to move back to their day jobs and cut the cost of this shadow work that goes on from team to team across the enterprise, that really bogs down people in the audit area. Many times, they are not the audit experts. Most IT people haven't gone and taken deep audit and risk management classes, or studied, or worked in that field. So you feel like you're just being pinged for things you don't fully understand why you're doing. It makes you lose focus. So I think giving them a system that orchestrates all that helps them go back to the jobs that they were initially hired for, so we're seeing that as a big driver as well.

Emma: Great insight and what about some of the use cases to unify GRC and IGA access governance Paul?

Paul: I'll kick that one off. I've alluded to a couple of them already, but I'll just unpack those a little bit more. So, say, for example, a reference side, that being, often, one of the key risks organizations face. And then we have a multitude of things organizations will do in response to that. There'll be employee training. I imagine everybody on this webinar will have received training of some kind around it; the human in the middle is often the point of failure in the cyber dimension. Organizations will be performing vulnerability assessments and various things across that perimeter and on the systems which they use. But there's this notion of zero trust as a key pillar to a successful cyber program. And so lock everybody out and give what they need to perform their job role is absolutely a key use case around how organizations are starting to respond to that risk. It's one of the key controls, one of the key mitigations to that risk in terms of bringing through those aspects from managing cyber risk. Managing access is a key dimension. So the integrated play, as things start to come together between your mitigating response to those strategic risks, will obviously be multi-faceted, but access governance is a key growth area in terms of organizations using those controls and technologies like SafePaaS that are able to manage these aspects.

The other one I've already referred to is that extended enterprise, the outsource capability, or whatever you want to call it, in terms of organizations outside of your boundary walls, however you want to view it, having access to your systems to perform things on your behalf. That could be because you've outsourced the function, or it can be because your business model needs distributors, you have franchisees, or wholly different business models. That data within your systems and that information is key; increasingly, organizations' success is built on the data they hold about that business, about their customers, and so forth, and therefore you need to be able to trust the third parties, but also manage what they have access to. Again, a policy-based access governance approach to managing that access from an external party point of view is that active approach, alongside all the other techniques you would do to monitor ongoing risk around these third parties, and that they're complying with the relevant laws and regulations on your behalf, and so forth. As well as managing their access.

And another one for me that I've personally experienced in some of the work I've done in my career is working with organizations where they've set up joint ventures. And those joint ventures can have a multitude of external parties involved in them. And often, employees of those kind of shareholders that come together into the JV. And now, in certain circumstances, those organizations. So, for example, if we think about oil and gas companies coming together into JVs to be able to then explore and extract oil and gas. Though each is getting relevant volume shares, paying different royalties and different elements, there'll be commercially and competitively sensitive information flows happening all the time in the joint ventures. Those employees at those little companies, gas companies, are really running the JV, and so I've seen access governance be used in a really proactive way to firewall off secondees from each of the companies in the JV from seeing information related to another member of that JV, and it's a critical component in managing the risk and the regulatory requirements from an antitrust point of view around information flow, particularly commercially sensitive information. So, to me, access governance is becoming a more critical tool in the management of risks and in the compliance with regulatory obligations. And sometimes non-obvious ones, because they are not directly related to IT or information security, can be things like antitrust. The technology there from the likes of SafePaaS is absolutely critical in helping achieve that risk management approach and compliance with these regulations. Adil, what about yourself, any kind of use cases or case studies?

Adil: Yeah, great insight, Paul. So I will take maybe a step more towards the segregation of duties, which is where I think GRC and IGA meet for many of our customers. Our customers have documented good risk and controls in GRC products like the one you have, Paul. So they'll go in and they'll put in the risk control matrix and they'll put in things around reconciliation, things around… So, if you think about it from a process risk, controls perspective. So you have a record to report process. You have a procure to pay process, etc… And so you will put in, highlight all your risks. You will put in the controls that mitigate that risk. And then you have some kind of a program to ensure that those risks are continuously mitigated through management certification and attestation, independent controls testing, and so forth. So that's been in place. It's a mature process, been in place, certainly it's been automated. Next is, you know, OK, so I've got all these controls that we believe our company follows, but how do I test them? And segregation of duties is one of those use cases where the two meet really nicely. So I'll just pick on that example. So you may have a control saying that we don't allow people that enter journals to post journals, or create a supplier to pay suppliers. These may be the high-level policies in your GRC module, and now you'll want to be able to unify that with your IGA policies, which means that, to have true governance across the enterprise, as Paul was saying earlier, access governance is becoming more important. So now, you want to basically enforce those controls to ensure that your controls are effective, and they're operating effectively, just like they're designed. And so, it's one thing to design a control, it's another to verify the operating effectiveness of it. And to do that, SafePaaS will take that information from the GRC platform and generate the SoD policies that I just talked about.

So, you can't pay the supplier if you create a supplier, change credit limits on customers if you are sending them orders, because you can cause rev rec issues. So, and then there's sensitive access that kind of goes in the same category in that use case, on the top second box there. And that's basically, who can access employee data, who can access customer credit cards. Those kinds of sensitive information, supplier bank accounts. So that kind of goes hand in hand. So, now you've got all these policies, but now you want to ensure that these policies are always effective, because digital platforms are super fast and things can happen in minutes, seconds, and therefore fraud can happen fast. Errors can happen quicker. So, what we do with the policies with IGA that SafePaaS has is we basically prevent that from happening. So, whether it's somebody requesting access to conflicting entitlements or sensitive access to something they shouldn't have access to see the data, or they are just performing their process, they are executing a process and they can do conflicting transactions like creating suppliers and paying suppliers. So we catch that, we prevent that from happening. We detect that, obviously make sure, in the first place, you don't have roles assigned to users that can perform that. Then where we come together and become unified is where sometimes you'll have a situation like, I'm thinking of one of our clients that has small distribution centers all over the world, they are in the chemical industry, and they have small offices, but they have the same people doing shipping and receiving, which generally is a problem. It is against their policies, but they're not going to go hire, double their workforce just to control that. So those are the examples where you have circumstances or business constraints where you need to rely on compensating controls.

So in this example, for this customer, the way they compensate for that risk of the same person shipping and receiving the merchandise, these chemicals which are very pricey, is that they do an inventory on a perpetual basis. They also have other inventory controls that are confidential, I won't get into the details, but all these inventory controls are in place, but these inventory controls are actually in their GRC platform. So now, for us to say that we're going to grant access to someone in the Netherlands so they can ship and receive out of the warehouse, we want to tie that back to the compensating control that's sitting in that unified platform, on the GRC platform, because that control needs to be tested and verified on a periodic basis, to give the confidence and trust to management that the compensating control is effective. So now you have a challenge if you don't have a unified platform, because now you've got to, you know, go back to the offline world, which is full of errors and mistakes and time-consuming and all the usual problems. So by unifying these platforms, what you can now do is take the risk and control information from the GRC platform, plug that into the compensating control in your access governance platform. And so, the two systems are truly unified, and you reduce that, you can break down the silos. So, security doing this piece, and IT doing that piece, finance doing the other piece, compliance doing it. So, you break down those silos, and that's where you get efficiencies, that's where you get to remove the bottlenecks. You get to optimize your business, and you become more and more of a proactive GRC organization, move that up the maturity level. In most companies it's not unified, they're still at the early stages, and informal stages or reactive stage, which is where you find a problem and then you go fix it. That's costly, because then you've got a reputation risk, depending on the size of the problem.

You've got management challenges, you've got auditor findings, many other problems, not to mention distraction from your day jobs. So by unifying the two platforms you can really integrate the controls framework that you build in your GRC software with the access controls, policies that are actively monitoring your user activities in that digital platform on which your business runs today. So that's kind of a big one that I'm close to.

Emma: Excellent. And how about the benefits? What are the top benefits for a unified approach to GRC and access governance?

Paul: I mean, from my perspective, first of all, it's about driving standardization and driving automation and efficiency. So, in days gone by, and certainly in many organizations, stuff will be done manually in terms of a process to manage and continuously review. It may also be done, if you are an organization with multiple locations, in a way that is not standardized. And so, driving efficiency, which is to me the number one aspect, around not only the access governance but the whole process in terms of making sure things are efficient. But actually, how that then feeds through into the wider risk landscape and conformance reporting that will flow up an organization. Access governance is one part of the control to managing the overall flow of information around: what are the risks we have as an organization? And how well are we managing them within that governance aspect? So, achieving objectives as an organization; an objective is not just strategic, it could be ensuring we get things made and delivered to our customers on time.

All of these things are inter-connected, and so that aspect around bringing it all together in an efficient way, so the access governance feeding into the GRC framework, tooling, and then up through the 3 layers of an organization, is absolutely key to reducing timing, reporting, reducing the amount of time it takes to manage risk and resilience and compliance. I think, as well, driving effectiveness, as Adil has spoken about already, I'm talking about fewer things slipping through the gaps to improve effectiveness, but also the audit trail of who did what and when, that defensible system record. So that supports your ability to demonstrate compliance, act with integrity, as well as then managing the risks but having that auditable capability. So when, as Adil says, the regulators come in, you can demonstrate the holistic management of risk, of which access governance is one of the key components.

Also, if we think about, kind of, agility, and the third pillar here, from my perspective, and we talked about this earlier on in the challenges. Organizations are becoming very fluid, in terms of people continually changing roles to meet the needs of the businesses as people rotate. But also, the demands of the younger generation of workers wanting to have that constant challenge and move around an organization. As well as organizations having much more flexible models, and maybe less traditional ways of working. And the ability to have agility through policy and structure, rather than rules, in access governance is key to managing that risk.

So, particularly as businesses re-organize to pivot to ever-changing demands, the need to have agility through the technological capability of the integration between GRC and access governance is critical to me. Adil, from your point of view, what other benefits have you been seeing out there as these worlds kind of merge?

Adil: Paul, thanks for covering the benefits. I can maybe just add a few examples that might be relevant to customers I've been in the trenches with for many, many years. And talk to them about what they get out of it. So just kind of talking through it like almost like a case study of some examples that I see.

The benefits are wide-ranging. I think these are great four categories to think of it this way. We're going to talk a lot about efficiency. I think that's been the theme today on this webinar. And that's probably the number one, as we obviously called it out here. And so, if you go in and get rid of bottlenecks, I mean, governance still is very much a fragmented process in most, even mature, organizations because it's siloed. So, I think by unifying these key areas of your governance, which is, how do you mitigate risk? How do you stay compliant with regulations and so forth, and then, how do your internal controls work, you can provide that in governance.

So, because it's scattered throughout the organization, it tends to be reactive and also siloed, which means that some controls are over-tested, and some are missed completely. That's how you end up with audit fatigue and findings. So what I see from our customers is that they're making the decision to integrate all of their GRC activities, including access governance, into a single platform to drop those barriers and become more proactive.

And I can tell you an example on the West Coast. I worked with a client recently that basically was deploying a new ERP system in the cloud. And they were doing these things in many different systems. So they had IDM systems. They had some home-grown survey-like tools where they could, you know, ask their management to review the controls. They had some point solutions for doing audit. So, the internal audit had its own set of tools to be able to test the controls, using whatever methodology they have.

And so, they brought us in to look at access governance, and when we started looking at their segregation of duty controls or sensitive access controls, it became really clear to us that for us to really solve their problems, we had to unify the rest of these areas: the audit, the compliance, the finance, IT. And so we opened up a dialog with all of these key stakeholders. And essentially, what that led to is this vision of the need to combine all of these activities on the same platform. It's not easy, unless you've done it before, because you can end up with a lot of time wasted from senior executives. You know, so, for example, the questions we were getting were, well, the way we test a control from internal audit has to match with the way our external audit does.

Your randomizing methodology, your work paper, your sampling approach, all of that has to be aligned. So we really can't use the same system that compliance uses for doing SOX certification, and ITGC folks that were doing Access Governance said, "But we can't use any of those systems because..." You have to kind of start at a template level, a library-of-controls level. And then, kind of drill down into, OK, what are the common testing procedures we have, so that we have a common framework on how, when you say a control is operating effectively, it should be the same definition.

So, we had to do quite a bit of work to really get the same lingo or same nomenclature going in the organization. And once we did that, then the efficiency just became so obvious to everybody, because we took the nomenclature of five different groups within the enterprise and baselined them to a common reference point. And once that happens, then, when we talk about access controls and access governance, it's very clear where that maps back to for internal audit or compliance, for finance, for IT security, etc. And so the rest of the job becomes a lot easier. So that's just an example that I thought I'd share on efficiency.

That might be helpful. I'll pick maybe one more example, since we have a little bit of time, and then we'll open it up for questions.

So, one of the last points. I'll pick number four, active governance and integrity. I also had the opportunity to work with a top university on the West Coast that has one of the highest profiles of alumni that run companies like Google and Facebook and so forth. So what I found working with this university, which is, again, a completely different context than a public company in the US, is that they don't have a mandate.

They don't have a mandate like SOX or some other regulatory mandate, but universities, if you have worked with them, you know that they're pretty open-minded sort of places where controls are almost seen as against the grain. And they're very smart people at this place. So it was more of a cultural challenge for us, until the light bulb went on one day. We were getting a lot of pushback that, hey, we trust our people. I don't know why these auditors keep telling us we need to do things differently. And they tell us we have to have controls. Obviously, you have controls. So sometimes you also get that, right, a very informal approach, even though it's a very sophisticated, top-of-the-world university; they just don't pay a lot of attention to the controls the way an insurance company would, or a bank.

So what we did for them was really talking about, OK, we know you don't want to constantly look over the shoulder of your professors and department heads and your student population. But we also agreed that you want to be out of the papers. Because they were in the papers because somebody used a grant to buy a boat, and they ended up getting their brand tarnished, if you will. The people that grant money for universities are these endowments. These are documents that are very, very strict about where their money goes.

So they certainly didn't want to be in the paper about that. So what we came across was this idea of active governance. What that means is that we want you to go into your day job and invent the next Google, or whatever you guys want to do. But you want to have a system that actively monitors those policies and processes so you are not burdened with it. And that seemed to have resonated really well with the senior executives and the board. And so, what active governance basically means to this client, this university client, and now we do that for many other clients, is that we're going to enable, embed, the controls within the business processes themselves. We're not going to constantly look over people's shoulders. So it's slightly different than monitoring controls. Monitoring controls are like, OK, I'm going to monitor your thresholds; if you stay within the threshold, you're OK; if you go above the threshold, we're going to send an e-mail to you and your boss and everybody else and embarrass you. And that's not a culture for every company.

So embedded controls are where, within the process, let's say I just happen to have privileged access where I can go in, see supplier data and also pay a supplier, but I can't update a supplier. However, we changed some technology and suddenly that control is gone. In other words, the control is not working inside the ERP. That's where active control comes in. Because now the active control, the way we do it at SafePaaS, enables you to block that user from doing that activity that can cause a compliance issue, an audit finding, a financial problem, a disclosure, whatever that risk is, a security risk. So, active governance is the way this organization, this educational institution, uses that, to be able to do their business as usual. But they've got these guardrails, these active governance guardrails, which are active controls, essentially, that in the background are monitoring. But they're not just sending out, you know, messages to annoy people. They actually prevent the risks from occurring because these controls are preventive in nature. They're embedded in the system as a byproduct of this. So this was the big win, because they didn't want to create a huge audit department in each of their campuses. So they were able to use a tight audit team, a centralized team in the controller's office, and then they were able to use this active governance to really enable their key systems, what they consider their financial systems, cash management systems, and other business systems, with these kinds of controls where they could then tweak them and adjust them.

When it was time for audit, instead of auditing every transaction or just doing a sampling methodology like a three-way match, they're able to simply point to the active governance controls and say, "Look, we haven't had an incident; these three incidents came up and we were able to prevent them from happening." So, the benefit that they've seen from this solution by unifying GRC and active governance, or access governance, which is active in their environment, is that they have significantly reduced, no more than 50%, the time they were spending on remediation and issues, and they're still able to do their jobs and work on their real mission of building a great educational institution. So active governance is another huge benefit that I can share with you. Certainly a lot of stories around it and so forth, as well. But I think we have five minutes left, so I'll stop here.