GRC/IRM: Full Flow

Excellent initiative!

You will record it and post it later right?

E

Thanks Eric! The link should work , if not will share a new one...

In just over 1 hour I managed to convert most of the UI facing GRC Indicator activities to Flow Designer and replaced the daily scheduled job for executing all indicators.

Main query I have on Before business rules, and not sure those can be resolved with FD just yet, so they will get parked.

Next session to work through the business rules , table by table 🙂

Fantastic stuff!

Part 2: Going Live in 15 mins... https://youtu.be/TCIhvIeVhLE

Findings / musings: Converting Business Rules to Flow Designer... 

Before, Delete operations are not available as triggers in Flows... 

> Workarounds: Trigger in BR, and call sub-flow ?

Previous object is not available?

>  Workarounds: If necessary, trigger from BR and pass in explicitly ?

When building actions from BR embedded script with no return value

> Suggest: create a return/output anyway? might be useful debug / future connectivity between flows/actions

Convert a business rule to a Flow Designer action in 10 mins: 

Part 3: Issues - going live in ~5 mins: https://youtu.be/Orp7SchU9vg

Live in 8 mins, sorry should have shared the link sooner: https://youtu.be/A1SzMtIiw_k 

Few more findings...

Seems we cannot un-publish an action once published

Handling of input/outputs as arrays or objects seems like it is expected/required to be hardcoded structure 😕 

API Methods which are called from a BEFORE business rule will not have an update() within the script, so - for example - Control Test does not set the Issue field... 

How Attestation Issues and Indicator Issues work

Part 5 https://youtu.be/uB4Cg_XBh9o LIVE NOW

Big learnings today. 

Definitely should include sub-flows wherever an action is being called.

How to set up sub-flow outputs.

Before migrating public methods, should focus on the actual call - as not all public methods are being called directly from an endpoint (BR, UI Action, etc) and could be called from another API...  validate first, and probably change direction and convert BRs first, not API methods. My supposition that all public API methods should be converted to actions is fundamentally flawed... 

BEFORE business rules cannot be converted to Flow Designer, due to dependencies on the 'current' object either by dot-walking or field value processing. 

What is the reason for changing the functionality to Flow Designer if the functionalities are already OOB?

Hey Sanjiv, good question 🙂

Mostly... For fun, but primarily investigative purposes!

Whenever we talk about Flow Designer the question about what should and shouldn't be built in flow designer is mooted, and some of this uncertainty is underpinned by not knowing what can and can't be built in flow designer... 

When considering application design, I saw it pretty clearly that public API methods should be built as actions in flow designer, but that supposition has been clarified in the latest episode. 

For GRC, which I know pretty well, functionality is moving into Flow Designer (see PER V10.1), so this series is a stress test of Flow Designer; as well as a deep dive into how GRC actually works under the bonnet... You will get to see the various APIs and how they are triggered/from where, and start to better visualise how GRC actually works.. 

My starting point is an existing application that already works, so it should be a pretty fair test.

Please, let me know what you think... 

I will also try and outline some of the pros and cons, but one major PRO , is the ability to debug and visualise the execution of particular flows/subflows/actions - regardless of where they are being called from... Sys Logs become secondary... 

Thats good to know

Live now : https://youtu.be/kQYVpU8byGk 

Hi Phil,

Thank you for sharing information.

Live at 2100 GMT: https://youtu.be/3Txm1pYB9ls Part 7: GRCUtils 

Not sure how far we will get, due to the scale of this - but a very exciting part of the application which mostly runs ASYNC, so perfect candidate for Flow Designer... (he says...) 

Going Live: https://youtu.be/IkS9azOLpRg

Just to let you know I have wound this project up with the Finale in Quebec, where I share my findings:

It is ~3 hours long so maybe I should clip out the intro... thanks to everyone who has followed along; maybe a more concise summary is required!

Spoilers: I did not manage to convert the entire suite of GRC, and stopped around the 12 hr mark. Learned lots along the way... tried to share them 🙂 

Subscribe to the channel for more related content, mostly unscheduled/ad-hoc live streams: PhilGoesDeep - YouTube

@Phil Swann @Eric Feron -- why is the Indicator PASS/FAIL result left up to the System Owner? We want the SCA to PASS or FAIL the Indicator. I think creating a Flow will be the best way to do this. Has anyone modified the Indicator Task Form/Result to something else? Any suggestions are welcome! Thank you in advance. 

@Marriam We have a process where owner/delegates submits the evidence and then it goes to Compliance Manager. 

The compliance manager has option to approve or reject or mark the task as failed.

The owner and delegates also has option to mark the task as failed, if they dont have the evidence for that cycle. That saves some time for the compliance manager.

Marking the task failed, creates an issue for the owner and they need to fix the issue so that the issue doesnt occur again.

@SanjivMeher what is that process? can you share more details? TYSM! 

@Marriam We mostly use the out of box functionality. 

A task is created from indicator task and assigned to control owner.

Email is sent to control owner at the end of the day with all the tasks created.

We have created few UI actions, such as Submit for Review and Failed.

When owner wants to submit evidence for review, they attach the evidence and click submit for review.

Email sent to compliance manager that owner has submitted evidence for review. And indicator task state moves to Review.

Failed closes the task with result as failed which creates an issue for the owner and mark the control as non-compliant.

Compliance manager has two options, Approve, Reject, Failed. Approve moves the task to closure and Reject moves the task back to Open state. Failed closes the task with result as Failed and creates an issue and mark task as non-compliant

@SanjivMeher thank you so much! So you're not using Flow designer to achieve this?

No. Unless you have to automate evidence collection. We use flow designer to automatically collect evidence for control owners. They just certify and submit the evidence for review.

 I am trying to use OOB functionality... As you know in Authorization packages we can assign a SCA to that particular package; we are trying to assign the Indicator Task to the specific SCA but facing challenges achieving this. Can't identify the relationship between Authorization Package and Indicator Task... do you have any suggestions to accomplish this or is that not possible? The other solution proposed is to create an Assignment Group and have the SCAs assign tasks to themselves-but that is not ideal because each mont there may be up to 200 tasks, that is why we're trying to use an auto-assign feature. TYIA!