Governance Risk and Compliance Coordinator at HUB International
Real User
Top 10
2024-10-11T16:10:00Z
Oct 11, 2024
I wish there were more customization options, particularly within the privacy rights automation module. More customization on the backend would allow for adjusting specific category labels tailored to our objectives. While they allow for some customization and adding of different categories, some predetermined categories are not modifiable.
Information Security Officer at a financial services firm with 11-50 employees
Real User
Top 10
2024-10-09T13:34:00Z
Oct 9, 2024
There could be enhancements related to AI. Any improvements AI could provide to make the automation process more efficient would be beneficial. Additionally, machine learning could be included to better assess vendor security posture.
Cyber Security Consultant at a tech services company with 51-200 employees
Real User
Top 20
2024-05-31T15:14:22Z
May 31, 2024
The platform was not built in a way that allowed multinational entities to use it seamlessly. You could only create one organization. So you create the organization, and then you need to create countries. Suppose a bank had affiliates in Ghana and Kenya. We couldn't use the solution to ensure that a person in Kenya would only have access to things related to Kenya. We had to improvise to do it, but it was quite obvious that the architecture was not designed for multinational companies like the bank I worked for, which had affiliates in 35 countries. Another issue I had with the tool was regarding the controls. Suppose you have to audit an organization in the risk assessment against ISO 27001 or some other regulation. In some instances, the solution won't have the copyright or the license for a particular regulation. Even though you see ISO 27001 in the tool, you, as an entity, are supposed to buy those controls into the platform. That made things difficult for us because now we needed to launch another request for a quotation or another RFT to get those regulations bought into the platform.
Compliance Analyst at a computer software company with 1,001-5,000 employees
Real User
Top 20
2024-04-25T15:27:00Z
Apr 25, 2024
There are several areas for improvement. One is the integration capability. Connecting various DSAR systems can be time-consuming if a single integration takes months to complete. This integration challenge becomes more pronounced as data volumes grow and spread across different systems. One potential solution could be dedicating resources to support integration efforts, preferably individuals familiar with the OneTrust platform and the systems it needs to integrate. This approach could streamline the integration process and mitigate potential missteps, even for non-technical personnel.
We encounter difficulties creating multiple platforms or interfaces and manual processes for changing certain settings. Additionally, they could work on the issue related to a controller release in the development environment.
Group Head of Risk at a retailer with 1,001-5,000 employees
Real User
Top 10
2023-03-27T05:14:35Z
Mar 27, 2023
Speaking about the room for improvement in the solution, I mainly feel that it is not a GRC tool. So, I think that it is more of an IT risk management tool. Basically, it's very good at IT business management. It's not a good tool for governance risk and compliance beyond IT risk management. If you want to use it for business, financial, reputational, health and safety risks, or any other type of risk relevant to your industry or your organization, it's not ideal, and you probably have to get a different system. In short, it does risk management better than most generic GRP tools. However, most of the good GRC tools that are business focused also do IT risk management well enough, which is why OneTrust GRC is not a good enough solution by itself. In future releases, the solution should work over its ability to manage business risks by incorporating something like an enterprise risk management module.
Senior Enterprise Risk Manager at a retailer with 10,001+ employees
Real User
Top 10
2023-02-13T20:29:43Z
Feb 13, 2023
The product itself, and perhaps most importantly, is not truly designed to fit the way people and users do their work. There are limitations to customized workflow automation, and they need to increase both the available automation and the customized workflow.
Governance, Risk Management & Compliance, Director IT at Tangoe
Real User
2022-08-22T20:46:03Z
Aug 22, 2022
OneTrust GRC's workflows aren't automated and need to be manually driven. Its audit and compliance also aren't very flexible, and the integration between its different modules isn't 100% and needs to be improved.
Manager, Information Security Risk at a university with 1,001-5,000 employees
Real User
2021-05-28T18:09:00Z
May 28, 2021
They could improve by offering free help. A solution, a lot of times, is not just the use of the solution. For example, it is the overall engagement, how well do they support the system, what is their SLA, and how long their response time is to an issue. It would be beneficial if they had some type of professional services where they offer the first five hours of professional services a year for free. That would be a substantial benefit rather than having to buy professional services or professional services packages.
For the Vendor Risk Module I see only minor functionality improvements needed. Many are already being addressed and OneTrust is very responsive to customer feedback and suggestions. The Vendor Risk dashboard has seen a lot of improvement and is now interactive. Release frequency is three to four weeks.
OneTrust is the largest and most widely used technology platform to operationalize privacy, security and third-party risk management. More than 2,500 customers, both big and small and across 100 countries, use OneTrust to demonstrate compliance with privacy regulations including the GDPR, California Consumer Privacy Act, Brazil LGPD, and hundreds of the world's privacy laws. OneTrust's size and scale allows it to offer the easiest-to-use and most affordable solution for implementing use...
The product is not that easy to set up. It is also not easy to get used to the naming convention. It requires in-depth training.