Bluegreen Vacations believes in the power of vacation. A leader in vacation ownership, the company’s 222,000+ owners and guests enjoy vacation experiences across a range of exciting destinations.

Business Challenge

Manual processes were hindering visibility and efficiency around SOC and SOX compliance, with the CIO and Chief Accounting Officer pushing for improved insight.

Solution

ZenGRC provides a single, automated system of record for all programs, going beyond compliance to improve risk management and internal audits.

With an enterprise-wide source of truth, Bluegreen has insights and analysis to simplify audit and compliance management with easy access to information and continuous monitoring.

Results

  • More SOC and SOX compliance efficiencies with less effort
  • At-a-glance GRC visibility for C-level executives
  • Broad internal usage — across IT, accounting and other LOBs
  • Quickly catch and remediate risk with real-time updates

Manual Processes Hinder Visibility — and Speed

“When I started at Bluegreen, we conducted our SOC and SOX audits with spreadsheets and emails, as is the norm at many organizations, We were getting the job done, but it was cumbersome, requiring ongoing exchanges with internal staff and auditors to ensure individuals had what was needed to move the audit towards completion.”

— William Haines, Director, IT Risk and Compliance with Bluegreen

Manual processes also impeded real-time visibility into audit progress. For example, the company’s SOX audit is run in multiple phases, each having upwards of 250 requests. Bluegreen’s CIO and the company’s Chief Accounting Officer wanted instant audit insight, with information at their fingertips about status and remaining outstanding tasks. In addition, the final 60 days of the audit period would be a mad rush to finalize items to meet the deadline, leading to the organization to seek out a trusted GRC solution to be done with spreadsheets for good.

A Cost-benefit Analysis

When conducting its search for a GRC solution, Bluegreen was focused on functionality, but also cost. Yes, features were key, but so was a fast and easy implementation without extravagant licensing fees, as the infosec team had to secure management buy-in to get the purchase approved.

“ZenGRC was simple, yet powerful, and it was clear after seeing just the first product demo that the solution could address what we were trying to get done — quickly and affordably, Then, the Reciprocity implementation team made it clear they understood our pain points and had people in place, including GRC experts, to get us deployed ASAP.”

Two Buyers Better Than One

To broaden the value of ZenGRC across Bluegreen, the IT group asked the mortgage department to also participate in the Reciprocity demo, recognizing the potential benefits the solution could bring to their mortgage-focused SOC audit.

“We wanted a business stakeholder to get on board with ZenGRC, so the purchase wasn’t purely IT-driven. And, no surprise, the mortgage department loved it, resulting in us becoming co-sponsors of the solution, which proved instrumental in getting us implemented.”

Enterprise Risk Management — an Added Bonus

Bluegreen’s solution requirements were initially focused on supporting its SOC and SOX audits. However, once ZenGRC was in place, the organization realized the same automation, visibility and efficiency benefits could help reduce its risk exposure — addressing vulnerabilities from a single application.

“Risk was not a criterion we were trying to solve, but when we started using ZenGRC, we saw an opportunity to broaden usage and reduce any lingering manual IT risk management processes. Today, we use the platform to help identify, track and remediate risks, and have fast visibility through reporting to see where we stand at any given time — and communicate that insight to management.”

Internal Audits Benefit, Too

But Bluegreen didn’t stop with compliance and risk. The organization is also using ZenGRC to support internal audits of its 100-plus enterprise applications, enhancing data privacy, particularly among newly onboarded SaaS solutions. In addition, while the mortgage department was an early user of ZenGRC for SOX, Bluegreen’s accounting group continued to use their own processes for the framework — a massive undertaking with more than 100 business process controls. When the organization decided to decommission the application used by accounting, the group was left looking for a new solution.

“Accounting started talking about the need for compliance software and we were quick to say, ‘Wait a minute, we have a solution in place and ready to go. And the beauty of it was that our internal auditors on the IT side, who are involved with SOX controls processes, had already been using ZenGRC for internal audits, resulting in an extremely fast transition”

Kudos from CIO — and Third-party Auditing Firm

The feedback from Bluegreen’s executive team has been fantastic, with the CIO maintaining up-to-date visibility into risk status, risk posture and which risk areas require the most attention. In addition, the company’s third-party SOX auditor, a regular user of ZenGRC, finds the platform intuitive and simple to use, driving efficiency for internal and external users.

“Knowing exactly where we are during the course of any audit, at any point in time, has been a game changer. The time and effort it took us to manage audits and compliance has easily been cut in half, replaced with newfound efficiency and a trusted GRC foundation that benefits our entire organization.”


ABOUT RECIPROCITY: Reciprocity powers the fastest, easiest and most prescriptive information security solutions through one simple yet powerful platform that efficiently organizes and intelligently optimizes infosec programs.

Reciprocity, ZenGRC and the Reciprocity logo are trademarks or registered trademarks of Reciprocity, Inc. in the United States and other countries. All other company and product names are the property of their respective owners.