Drata
Enterprise Risk Management
Research / User Testing / Prototyping / Design / UAT
Drata quickly established itself in the Governance, Risk, and Compliance (GRC) industry, but the time had come to move upmarket from SMB organizations and capture enterprise prospects.
This required transforming their primitive Risk Management product into a cohesive and scalable solution. As the designer on a team of six, I led research, ideation, and design of the robust, enterprise-level MVP and the post-launch iterations.
Discovery
The Risk Management product had been built entirely on assumptions. No formal user research had ever been done. I desperately needed to get to know our users.
I began interviewing customers at companies of all sizes. The customer support and sales teams were interviewed as well, and I dug through our archive of recorded customer calls. Findings were synthesized, tagged, and published for product teams across the company to use.
Wireframes, journey maps, and low-fidelity designs incorporating my findings were created as the research effort continued.
Research Methods
Card sorting
Remote moderated testing
Concept testing
Diary studies
Semi-structured user interviews
Usability testing
Key Findings
Customers supplemented their workflows with Excel to work around missing functionality and the product’s rigidity.
Every organization’s risk management methodology was unique; there was no significant overlap or shared standard at all.
Using multiple registers to manage idiosyncratic risk programs was the biggest ask among enterprise customers.
Legacy code was our biggest hindrance, as the original product was built à la carte with no reusable components whatsoever.
Proposed Approach
Through extensive customer research and close collaboration with cross-functional partners, we identified where the product was falling short and what users actually needed to move their work forward. Rather than prioritizing large features, we made a deliberate decision to invest our efforts in a solid foundation. Building a robust, full-featured table component addressed critical pain points immediately by giving users control over their data, including freezing and hiding columns, sorting, and custom views based on user role. It created a standardized, agile experience for Drata as a whole and gave the GRC team a foundation on which we were able to scope post-launch releases.
These components now serve the needs of multiple products across the organization. This upfront investment continues to pay dividends with each subsequent iteration of the risk management product.
The MVP
The delivered table components solved several immediate problems for users. They could now sort, choose which columns/data points to show and hide, freeze columns to allow for scrolling across large quantities of data while still retaining critical context, and save views based on workflow or role.
Post-deployment user sentiment was overwhelmingly positive across SMB segments. Enterprise customers, while still voicing their desire for things like mixed-register dashboards and register nesting, found the flexibility and scalability sufficient for their sophisticated workflows.
Pinned filters allowed us to make better use of horizontal space, echoing the Excel experience that users had indicated they preferred. Table rows were cleaned up and standards defined for the variety of data that might be present. Everything was designed with responsive fallbacks for smaller viewports.
A toggle in the filters section allowed users to anchor the filters within the page as well if constant visibility was preferred. Table settings triggered by the icon in the upper right opened a modal. Data points, information density, and other quality of life settings are located here.
An empty state that accommodated all possible personas was designed. Each avenue for beginning the risk assessment process was laid out with an additional path to Drata's help articles. While there were plans for conditional empty states that were delivered based on organization size or industry, I designed a static catch-all for MVP purposes.
Each risk is supported by a multitude of Controls objects which function as criteria and evidence that the organization has taken steps to mitigate the risks. These are seen in the register images as the "DCF-123" pills below the risk titles. With the introduction of enterprise risk scaling, I designed a way that people administering controls could see where each one was being used, have access to the register(s) it appeared in, and take action directly if they had permissions to do so.
Multi-register dashboard desirability studies
While the updated risk library and risk register were first priority, new multi-register dashboards concepts were also tested. Being able to demonstrate a holistic picture of the product’s trajectory to leadership was essential. Post-launch feedback was critical, but having research-backed starting points would continue to aid our efforts to deliver a sophisticated product.
Additional Deployed Projects at Drata
Role Based Access Control
Designed a full RBAC system for Drata’s software. The solution had to accommodate small, ten-person organizations and scale to enterprise levels. It accounted for things like workspaces, divisions, and custom roles with granular permissions.
Residual Risk Scoring
Led research and design of the Residual Risk feature. The solution enabled users to assign a calculated score after mitigating factors and evidence had been supplied during the assessment. These scores were factored into the analytics dashboard, which was also designed as part of this effort, and into the overall risk posture status.
Onboarding Wizard
Designed an end-to-end solution aimed at easing onboarding pains for SMB users of the risk product. It allowed users to establish relevant areas of concern in their register, gather risks pertinent to their organization’s operations, and get a head start on scoring.