Compliance reimagined

How do you redesign a product that was 10 years in the making in under 6 months? A cross-functional squad on a mission to rethink traditional compliance, attract new clients, and ensure a successful migration.

Time: September 2022 - October 2023

Company: RiskOptics (formerly Reciprocity)

Location: USA - Slovenia (remote)

My role: As the sole UX designer within the Squad, a cross-functional team comprising the Front-end Lead, Backend Lead, and Product Manager, I was responsible for shaping the overall experience of the compliance module. I collaborated with the design team and reported to the UX Director to make sure my work aligned with the overall design patterns.

Situation

RiskOptics, formerly known as Reciprocity, launched on a mission to completely rewrite and redesign its product ZenGRC. A new strategy was created following the initial explorations and a change in the leadership team. The focus was on making compliance continuous while linking it to the company's business assets to create a comprehensive company risk posture. We wanted to attract new clients and ensure the smooth migration of existing clients to the new platform.

My responsibilities included leading the design process for the compliance component, which was one of the three main modules alongside risk and vendor. I also contributed to platform-wide design patterns and a cohesive design system.

Given the scope of the project, which spanned year(s), we started by mapping out the traditional user journey during the audit process. Once we had this in place, we created a task-oriented flow to capture the main actions required to complete an audit from start to finish.

Traditional approach to compliance

Our approach to compliance

We used the user journey as a guide to identify the smaller features and components required. Our team's approach was to first define the essential larger features, then work on the smaller ones and continuously improve as we progressed. Since we had to deliver the minimum viable product (MVP) in less than six months, it was critical to determine what to prioritize and what to exclude.

The pieces that form the coherent system

When we were designing the compliance piece, we had to consider the entire system. Compliance is the foundation; however, compliance alone cannot provide the complete picture. Therefore, we had to contemplate every data point we collected and figure out how it fits into the bigger picture and how we can obtain the necessary data from the compliance workflow. We aimed to create a product that works as a coherent machine, even though the pieces were designed separately. This applies not only to product design but also to UI design. I collaborated with design teammates to ensure that we used coherent UX patterns, created new design system components, and improved the visual language.

The full system with compliance, risk and vendor functionalities

The process

We approached the problem utilizing a combination of processes, with our most important guiding principles being iterative design and LeanUX. I also used the double diamond approach in my design process, as it ensures that I don't get stuck on the first solution and instead encourages me to explore multiple solutions and validate them.

PROBLEM VALIDATION

Interviews

We were aware of the main objectives, but we needed to gain a deeper understanding of the problems at hand. To do this, I interviewed our internal GRC experts who had previously been our users. Through these interviews, I sought to understand the traditional compliance approach, their experience with clients, and the challenges they faced. Unfortunately, I was unable to speak directly to our clients due to internal CS limitations, so I had to gather as much information as possible from other sources.

Gathering data

I always try to gather data whenever possible. Fortunately, we already had a lot of data available from ZenGRC. I worked together with our BI analyst to gather data using Heap and Segment. The reports were then created using Sisense. Our focus was on specific behaviors, such as identifying which Compliance features are used the most and how many frameworks each client uses.

User personas

We had already defined user personas from years of working on the product, but since we wanted to expand our market to smaller teams and one-man compliance teams, we needed to understand new types of users. During the process, we realized that the size of the team does not necessarily correlate with their maturity level. Therefore, we created personas based on both the size of the team and their level of maturity.

Journey map & tasks to be done

Next on the list was a journey map. We needed a full picture that would guide us when building the product. Our first step was to map out the traditional user journey in a compliance audit based on our conversations with GRC experts. We needed to understand the tasks involved and how users typically completed them before we could add our improved journey with a continuous compliance approach.

Journey map of the system

CONVERGING ON A PROBLEM

We had to make a lot of important decisions quickly, and determining which problems to address wasn't easy. Although we knew that we needed to address them all eventually, prioritizing them was crucial to ensure that we could deliver value quickly. We focused on delivering an MVP and grouped features into categories based on their importance: essential, sales-oriented, and optional. We made decisions as a team, but the final decision rested with the product manager and product leadership.

Let’s look into one of the problems we were solving with an iterative process.

The problem

How do you connect control implementations with the requirement?

As part of a compliance management system, I worked on a project to establish a mapping system. Usually, requirements are met with controls, but in this case, we had a more complex scenario where controls formed the backbone of the mapping, but business objects needed to be connected to the requirements to satisfy them. When we started the project, I was given the information architecture and the goal of enabling different types of users. Our first priority was to address the needs of less experienced users. 

The primary challenge lies in allowing users to satisfy a requirement by creating multiple “implementations” and seamlessly connecting different types of business objects within a single “implementation.” Additionally, users needed the ability to generate multiple implementations, each featuring various types of business objects. Moreover, the solution needed to encompass the ability to spontaneously create new business objects in cases where the needed one is missing.

Back to Research

My first step was going back to the research. I made sure to gain a deeper understanding of the problem at hand and the users' goals. To achieve this, I interviewed several experts, including the Director of Product, Lead Architect, and GRC professionals. Through these interviews, I not only sought to understand the desired outcomes of our users but also the objectives of our system and business.

Exploring different solutions for the problem

The main challenge we faced was not in the process of connecting but rather in defining the business object. To simplify the solution, we categorized business objects into four groups. After that, I started exploring the design of the mapping system itself. I created wireframes to explore mapping options, which made it easier to present to others and receive feedback.

Exploration of multiple options

Narrowing down to the MVP solution

After designing multiple options, I validated the logic with GRC experts and focused on content and results to align with GRC guidelines. Then, I validated with engineers, product directors, and PM.

SOLUTION #1
Full screen with “multiple-add” process 

Our first solution was a Wizard, which enables the user to choose the type of business assets from 4 options: People, Services, Processes, or Policies. Subsequently, the user can either choose from a list or add a new one directly. Multiple groups of implementations can be selected simultaneously. This feature enables the user to fulfill any requirement with as many business objects as they need at once. I decided to opt for a full-screen solution to allow the user to focus on the task at hand without any distractions. I created wireframes for the entire process and developed a prototype to test it.

Internal testing with a prototype

After completing the prototype design, I conducted an internal validation to gauge user understanding of the flow and their ability to navigate the design successfully. I also performed a heuristic evaluation with the design team and UX director.

When we got positive feedback, we moved to the next stage… As we were following Lean UX principles and needed to show results quickly, we did not perform extensive user testing but rather moved on to building the first version.

So... we built the MVP

We developed the MVP using logic and simple designs, utilizing existing components.

After the feature had been living in the wild for a while, we got feedback (especially from sales) that it was too complicated and hard to understand, so we simplified it further.

SOLUTION #2
Single add

In order to simplify and limit user interaction while maintaining the system's robust functionality, we made changes to the implementation process. We removed the option to import multiple implementations at once and replaced it with a quick and simple "Add Implementation" button. When clicked, this button prompts a dropdown menu that allows users to select the type of implementation they want to add. After selecting the desired type, a list of existing business objects of that type is presented to the user, enabling them to easily locate the relevant object. If the necessary business object is not present in the list, there is a dedicated button for creating a new one of the selected type. 

However, even though we acted on the sales request, we recognized that some expert users may require more expedited actions, so we also planned for an advanced feature: an import CSV function. That would allow expert users to import bulk data, bypassing the step-by-step process designed for less experienced users.

Moving on to designing high-fidelity UI

During the UI design phase, my focus was on the visual aspects of the design, such as presenting information in a clear and navigable way. I concentrated on two main points - action hierarchy and accessible information. Since there were multiple actions that the user could take, we ensured that there was a clear visual hierarchy, displaying the actions where and when they were needed. In terms of accessible information, we carefully structured the information, paying attention to what was vital and what could be pushed down. It is important to note the entry point screen for adding control implementations. This screen required a balance between displaying a lot of information and maintaining a clear hierarchy of actions.

The result

The main objective of the second iteration was to boost the sales team's confidence in giving demos. We consider it a success that the sales team expressed genuine satisfaction and confidence in promoting the feature. The simplicity and clarity of the feature made it easier for them to deliver more effective demos, which ultimately contributed to a noticeable improvement in the conversion rate.

While the numerical data supported the positive sentiments, it is difficult to attribute the observed outcomes solely to the features introduced in this case study as several features were introduced simultaneously during this period.

We received positive feedback from our sales team, but as expected, more experienced users began expressing a desire for a faster and more advanced method of managing multiple implementations. We had already considered this issue, so we created a separate initiative to address it.

*For confidentiality reasons, some numbers may be omitted or obstructed and names changed to ensure anonymity.

Learnings

🤚 Insist on user testing
Speed is a crucial factor in Lean UX, and because of that, there may be a lack of user testing. However, I have realized that even if the leadership is initially hesitant to validate with users, there are ways to obtain validation quickly. By conducting quick “unofficial” user testing, I can gain better insights and confidence for my decisions while not holding back the engineering process.

⚡️ Quick iterations = better results
Quick iterations are crucial for achieving better results in any project or task. Instead of trying to perfect every aspect of the project from the start, it is more effective to iterate often. This approach allows you to learn from each iteration and continuously improve your work.

🚧 Design is never really done
Design is an ongoing process that never truly ends. There is always more work to be done, but limited time to do it. Therefore, we had to prioritize the most important aspects that brought the highest value to our users and leave some pieces undefined for the time being. For instance, we ensured that our design system remained flexible, allowing us to revisit it in the future.

✅ Collaboration is key to success
Especially when in a remote environment, it is vital to communicate often and involve all the stakeholders early.

Building a platform

Over the course of this year-long project, I led the design of compliance features from their inception to approximately 80% completion. This progress was significant, shifting from a state where sales were hindered by feature limitations to a point where only minor enhancements were needed. I designed various features, including compliance program setup, automated evidence collection, manual evidence submission, navigation patterns, dashboard, comments, and asset editing. Below, I included a few more snapshots of the work I was doing.

High-level dashboard

Tables are underrated
Launchpad for compliance