Drata
Enterprise Risk Management
Research / User Testing / UX / Design
Drata quickly established itself in the Governance, Risk, and Compliance industry, but was at risk of becoming a victim of its own success. It had grown by exclusively serving small and medium businesses. The time had come to move upmarket and begin capturing enterprise prospects.
This required transforming the ad hoc Risk Management tool into a cohesive, scalable, and flexible product. As one of six team members, I led research, design, and ideation to define, validate, and deliver artifacts that would enable a robust enterprise-level solution.
Discovery
No formal user research had ever been done for Risk Management. It was a product built entirely on assumptions, and we urgently needed to get to know our users.
I began interviewing customers at companies of all sizes. These interviews were supplemented with interviews of the customer support and sales teams. I also combed through our archive of recorded customer calls, using deep keyword searches within the call transcripts. Findings were synthesized, tagged, and made available to product teams across the company.
Wireframes and low-fidelity designs were produced as research was conducted and I began incorporating usability and desirability studies into the process.
Multi-register dashboard desirability studies
Multi-register dashboards were tested early, using pre-existing designs as jumping-off points to minimize the time spent designing. These were created alongside risk register design candidates as part of the whole testing suite. Ultimately, they were seen as secondary to the enterprise risk management effort, since we needed to ensure a solid foundation first, and were scheduled for later development.
Research Methods
Card sorting
Remote moderated testing
Concept testing
Diary studies
User interviews
Desirability studies
Key Findings
Our customers were using Excel as a workaround for the missing features and rigidity of our product.
Every organization’s approach to risk management was unique. There was no significant overlap.
Being able to use multiple registers at once was the gold-standard ask of enterprise customers.
Legacy code was a major hindrance, as the original product wasn’t built on an actual table component.
Proposed Approach
By forgoing larger, flashier enterprise features and building a proper, robust table component, we enable our users to engage effectively with the product in the way they and their organization’s data require. Removing pain points in the short term allows us to build a foundation that will serve us in the long term.
Additionally, the component is contributed back to the design system and used in a multitude of other products, which alleviates numerous app-wide pain points.
The MVP
The deployed table solved several immediate problems for users. They could now sort, choose which columns and data points to show or hide, freeze columns so they could scroll across large quantities of data while retaining critical context, and save views based on workflow or role.
Post-deployment user sentiment was overwhelmingly positive across SMB segments. Enterprise customers, while still voicing their desire for features like mixed-register dashboards and register nesting, found the flexibility and scalability capable of meeting their sophisticated workflows.
Pinned filters allowed us to make better use of the horizontal space, echoing the Excel experience that users had indicated they preferred. Table rows were cleaned up and standards defined for the variety of data that might be present. Everything was designed with responsive fallbacks for smaller viewports.
A toggle in the filters section also allowed users to anchor the filters within the page if constant visibility was preferred. Table settings, triggered by the icon in the upper right, opened a modal. Data points, information density, and other quality-of-life settings are located here.
An empty state that accommodated all possible personas was designed. Each avenue for beginning the risk assessment process was laid out, with an additional path to Drata's help articles. While there were plans for conditional empty states delivered based on organization size or industry, I designed a static catch-all for MVP purposes.
Each risk is supported by a multitude of Control objects, which function as criteria and evidence that the organization has taken steps to mitigate the risk. These are seen in the register images as the "DCF-123" pills below the risk titles. With the introduction of enterprise risk scaling, I designed a way for people administering controls to see where each one was being used, access the register(s) it appeared in, and take action directly if they had the permissions to do so.
Post-script
The component was immediately made available in Drata’s component library and leveraged for numerous other products within their software suite. Because of the work done upfront, the effort required to meet the needs of other teams was minimized, which encouraged rapid iteration across the organization.
Additional Delivered Projects
Role Based Access Control
Designed a full RBAC system for Drata’s software. The solution had to accommodate small, ten-person organizations and scale to enterprise levels. It accounted for workspaces, divisions, and custom roles with granular permissions.
Residual Risk Scoring
Led research and design of the Residual Risk feature. The solution enabled users to assign a calculated score after mitigating factors and evidence had been supplied during the assessment. These scores fed into their analytics dashboard, also designed as part of this effort, and into their risk posture status.
Onboarding Wizard
Designed an end-to-end solution aimed at easing onboarding pains for SMBs. It allowed users to establish relevant areas of concern in their register, gather risks pertinent to their organization’s operations, and get a head start on scoring.