Skip to content

Case study · GRC platform · 2026

Easycompliance Risk management

Rebuilding the risk lifecycle of an enterprise GRC platform — turning a set of disconnected tables into one connected system where every risk ties to its controls, assets, indicators and evidence.

Role
Product Designer & Team Lead
Team
4 designers · 4 devs · 1 PM · 1 QA
Timeline
8 months
Platform
Web App
Easycompliance — the connected risk register and risk-detail views of the GRC platform

01

Overview

Project info

Easycompliance is a GRC platform (governance, risk & compliance) used by enterprises in regulated industries. Risk Management is its core module — where teams identify, score, treat and monitor risk across the business. I led design for a ground-up redesign of the module, owning both the hands-on work and the design direction for a cross-functional team of four designers.

−58% Time to log & assess a new risk (22 → 9 min)
88% Risks mapped to controls & assets (from 31%)
−44% Time to assemble audit evidence

02

The challenge

The legacy module was a stack of disconnected tables. A risk lived in isolation from the controls, assets and indicators that gave it meaning — so assessors re-entered the same data, audit prep was manual, and leadership had no trustworthy view of residual risk.

Fragmentation
Risks, controls, assets and issues lived in separate lists with no link between them.
Data trust
Scores were entered by hand and couldn’t be traced to evidence; no single source of truth.
Scale & roles
Analysts, risk owners and auditors shared one dense interface, and the data set was growing fast.

03

The before

What the module looked like before the redesign — disconnected tables, no shared context.

Legacy risk register — a flat list with no residual score, alerts or treatment
Risk Register — a flat list. No residual score, alerts or treatment.
Legacy risk detail — no tabs, no score, no linked controls
Risk detail — no tabs, no score, no linked controls.
Legacy catalog — assets with no mapping to risks
Catalog — assets with no mapping to risks.
Legacy issues — a bare list with no priority or remediation
Issues — a bare list with no priority or remediation.

04

Approach

  1. Research

    Phase 01 · research Discovery

    Interviewed risk managers, internal auditors and CISOs, and shadowed live assessments. Mapped the end-to-end risk lifecycle and found the same data re-keyed up to four times.

  2. Information architecture

    Phase 02 · information architecture Structure

    objects linked to a single risk

    Re-modelled the risk as a hub, not a row: a single risk now connects Controls, Assets, Key Indicators, Issues, Exceptions and Tasks. Introduced the Catalog (assets, processes, threats, vulnerabilities) and reusable Risk Libraries.

  3. Systems & leadership

    Phase 03 · systems & leadership Scale

    As team lead, I set the direction for four designers and built a shared component system (data tables, filters, bulk import, scoring) so four engineers shipped consistently and design review stopped being a bottleneck.

  4. Prototyping & validation

    Phase 04 · prototyping & validation Proof

    Tested the risk-detail tabs and scoring with real assessors; iterated until logging and linking a risk felt fast and trustworthy.

A risk only means something in context — so we designed the risk as a hub, not a row.

05

The solution

Connected risk detail

One risk, six linked views (Profile, Tasks, Key Indicators, Issues, Exceptions) with a live residual score, owners and alerts in the header. Context travels with the risk.

Connected risk detail — six linked views with a live residual score, owners and alerts
Connected risk detail — final screen.

A register that reasons

Residual score, treatment method and live alerts (escalate, active exception, treatment in progress) surface in the list, with one-click export to XLS/PDF for audit.

Risk register with residual scores, treatment methods, live alerts and export
A register that reasons — final screen.

Catalog with mapping

Assets, processes, threats and vulnerabilities, each mappable to risks — so coverage is visible, not assumed.

Catalog of assets, processes, threats and vulnerabilities mapped to risks
Catalog with mapping — final screen.

Reusable risk templates

Reusable risk templates standardise language and scoring, and cut new-risk creation from minutes to seconds.

Risk Libraries — reusable risk templates that standardise language and scoring
Reusable risk templates — final screen.

06

Results

−58% Time to log & assess a new risk (22 → 9 min)
31 → 88% Risks mapped to ≥1 control or asset (link coverage)
−44% Time to assemble audit evidence (~3 → ~1.5 days)
61 → 80% Risk reviews completed on time
49 Reusable risk templates (used in ~70% of new risks)
−40% New-analyst time to first assessment

Within two quarters, risk work shifted from data entry to decision-making. Assessors trusted the numbers, auditors found evidence in clicks instead of emails, and leadership finally read residual risk from one place — the connected register became the system of record for the business.

07

Reflection

Leading both the pixels and the team taught me to design the system, not just the screen. The biggest unlock wasn’t a feature — it was the data model behind it. If I ran it again, I’d bring engineering into the IA phase even earlier; the hub model only worked because we agreed on it before a single screen was built.

Awareness10 — the security awareness platform dashboard

Next case

Awareness10 / Security awareness training

Continue

08

Let’s Connect

Looking for a designer who can bring clarity to complex products and improve business outcomes? Let’s connect.

Download CV