ORTEC

How ORTEC powers global audit and IT and security risk management with OneTrust GRC

meeting of three colleagues from outside office building

ORTEC has a simple vision of leveraging data and mathematics to create value for businesses and society. Almost 40 years after their founding, ORTEC is the world’s leading supplier of mathematical optimization software and advanced analytics with 1,500 employees and offices in 13 countries around the globe. The company continues to optimize business processes for more than 1,200 leading companies, enabling them to make a significant contribution to a better world.

In 2018, in the midst of the European Union’s General Data Protection Regulation (GDPR) and earning their ISO 27001 certification, ORTEC made a bold decision in order to optimize their own business processes: stop using email and spreadsheets to manage global governance, risk and compliance (GRC). This transformation accelerated when ORTEC tapped OneTrust for IT and Security Risk Management and Audit Management.

Here’s a 360-degree view of how ORTEC used OneTrust to tackle regulatory gaps, engage their lines of business to keep risk data current, and take an automated approach audit management.

Addressing the multiple GRC challenges of today

The influx of technological advancements today is creating drastic change in the regulatory environment while posing significant challenges for global businesses. Specifically, businesses are required to comply with a host of different standards, frameworks, and regulations. As a result, identifying the overlap between initiatives and controls can be time-consuming and get lost across stakeholder interpretations and data management technologies.

"Businesses face a variety of challenges and restrictions based on the GRC frameworks they abide by. As such, it is essential to have a centralized way of monitoring and managing control efforts. GRC technology makes it easier for a business stay in control of these frameworks from a process standpoint. The technology highlights what risks the business needs to be aware of and offers controls to mitigate risk where possible."

 

Marcel Lodewijk, Data Protection Officer

Choosing OneTrust to accelerate and centralize GRC operations

ORTEC’s search for a GRC platform was driven by customer demand and the organization’s privacy and security department. It quickly became clear that ORTEC would need to implement some sort of tooling because spreadsheets would not be sufficient to identify overlaps between the two. Recognizing the alignment between their risk management and audit program for ISO 27001 as well as the detailed requirements for privacy regulations like the GDPR, ORTEC was looking for a single technology platform that could bridge the gap between the two initiatives.

ORTEC came across OneTrust when the Privacy, Security, and Governance company acquired DataGuidance, a global regulatory research software that helps build and maintain compliance programs. After talking to the OneTrust GRC team, ORTEC saw the opportunity to minimize overhead and increase efficiency and eventually implemented the technology.

Empowering a global team to support proactive risk management

With 1,500+ employees across the globe, ORTEC implemented OneTrust GRC’s IT and Security Risk Management (ITRM) platform to better engage the first line of business and keep risk data up-to-date while retaining business context.

How does a first line friendly approach work? We outline ORTEC’s ITRM workflow here:

  1. ORTEC’s security team nominates a business owner’s (BO) and assigns each one a risk assessment within the OneTrust GRC platform.
  2. Each assessment focuses on the domains that are part of the standards, frameworks, or regulations in question.
  3. For each domain, the BO helps identify availability, impact, and confidentiality details through a series of business process- oriented questions. Specifically, the BO is presented with a possible risk and has to reply by telling how likely it is that this risk poses a real threat and what impact would it be.
  4. Based on these responses, ORTEC’s assessment reviewer receives auto-populated risks and has the responsibility to adjust or flag additional risks where necessary.
  5. From there, a risk owner is automatically assigned and mitigating controls and measures are identified.
  6. As a result, all activities and documents go into a treatment plan for mitigation and monitoring. Once all risks are addresses, ORTEC can circle back and conduct an annual review of risks and processes.

"OneTrust GRC’s ITRM solution is straightforward and rather self-explanatory. One of the greatest benefits is that it enables our team to link controls and risk mitigation efforts for across standards, frameworks, or regulations, so we’re minimizing the amount of time and effort spent on risk management without compromising on disciplines."

 

Marcel Lodewijk, Data Protection Officer

Reimagining audit management with automation from OneTrust

OneTrust GRC’s Audit Management gives ORTEC the data access and context necessary to take a proactive, risk-based approach to auditing. The Audit Management solution assigns internal auditors and leverages OneTrust Athena AI and RPA technology to help ORTEC prioritize action and work towards executing previously manual tasks.

OneTrust enables ORTEC audit and risk management process and report all findings into the platform. The company can create risk management reports of these efforts for process owners as well as share these reports with external auditors to verify our GRC efforts.

ORTEC has also experienced an impressive return-on-investment (ROI) with OneTrust GRC’s Audit Management.

"OneTrust has changed the way ORTEC works with external auditors. Our conversations continue to highlight how easy it is to navigate the technology as well as how it provides a complete audit history as to what risks occur, how they are mitigated, and what it means for future risk levels."

 

Marcel Lodewijk, Data Protection Officer

A responsive solution from technology to teams

ORTEC’s ongoing experience working with the OneTrust’s support teams continues to thrive well into their implementation.

"If we ever have a suggestion or come across a bug with the OneTrust GRC technology, the support team is always available via the support desk or a quick ticket. OneTrust also follows up with us after the ticket is fulfilled to ensure we had a good experience. The entire organization really has a customer first attitude, and it shows."

 

Marcel Lodewijk, Data Protection Officer

A future proof GRC program

By leveraging OneTrust GRC, ORTEC is making IT and Security Risk Management and Audit Management a fundamental part of their business. Not only can the company evaluate and report on risk in
a more automated and efficient manner, but their first line business users are more engaged in risk management activities. Combined,
this elevates ORTEC’s position as a leader in the industry and further supports their mission of using data in a smart way to help businesses become more efficient, adaptive, effective and sustainable.

Moving forward, ORTEC plans to expand their use of OneTrust. With a growing customer base and an increasing set of privacy laws and security frameworks worldwide, ORTEC is evaluating OneTrust Vendorpedia to automate and streamline the vendor management lifecycle, from onboarding to risk mitigation and offboarding.

"A major goal over the coming years is empowering our business units and departments to get certified for relevant standards and frameworks. We are confident that OneTrust will help us do just that."

 

Marcel Lodewijk, Data Protection Officer


You may also like

Webinar

Third-Party Risk

Staying vigilant: 7 practical tips for ongoing third-party risk monitoring

In this webinar, we'll share seven practical tips for effective third-party risk monitoring, helping you to identify new risks and take timely action to protect your business.

August 02, 2023

Learn more

Webinar

Third-Party Risk

Automating third-party management workflows: 5 ways to drive alignment across teams

Join us as we explore how automating third-party management workflows streamlines processes, drives alignment across teams, and reduces reduntant work.

July 19, 2023

Learn more

Webinar

Third-Party Risk

Are your third parties a privacy compliance liability? 5 tips to reduce your exposure

Join our webinar and learn how to create an effective, privacy-focused third-party risk management (TPRM) program that streamlines recordkeeping and reduces your risk exposure.

July 05, 2023

Learn more