A Day in the Life of a Risk and Compliance Manager at Google
Aditya's role as a Risk & Compliance Manager at Google covers "risk assessments from start to finish," including designing mitigation plans. A significant project involved overhauling access management systems to balance ease of access with robust security protocols. He also developed incident management processes for responding to and preventing security breaches, including postmortem reports for leadership.
Risk Assessment, Access Management, Incident Management, Project Management, Cross-functional Collaboration
Advizer Information
Name: Aditya Ravikumar
Job Title: Risk & Compliance Manager
Company: Google
Undergrad: UC Irvine, 2014
Grad Programs: UCLA Anderson, MBA (in progress)
Majors: Economics
Industries: Technology
Job Functions: Legal
Traits: None Applicable
Video Highlights
1. Working on risk assessments from start to finish, including defining the scope, engaging stakeholders, developing scoring methodologies, and creating mitigation plans.
2. Overhauling access management systems to improve the efficiency and security of data access for employees, collaborating with various teams like security and engineering.
3. Designing and implementing incident management processes to effectively respond to security breaches and other incidents, conducting thorough investigations, developing mitigation plans, and preparing post-mortem reports for leadership.
Transcript
What does a day in the life of a risk manager look like?
I would say that the title "risk manager" can be quite generic. It ultimately depends on the function you're working within.
For my most recent role as a risk manager within the HR department, there were a couple of key responsibilities. I was in charge of all risk assessments from start to finish. This included deciding on the scope of the assessment and engaging the appropriate people from both the supplier management and supplier sides.
My responsibilities also involved communicating what we were looking for and what we needed from them. I was also responsible for putting all of that information together, developing the scoring methodology, and creating mitigation plans for identified risks.
Other responsibilities included supporting various initiatives and programs. One significant project was overhauling our entire access management system. Managing who has access to which systems and data, and provisioning that access, can be challenging, especially in a large company.
I worked with various teams, including security and engineering, to design a system for granting employees access to sensitive data. This allowed for access to be limited to specific employee subsets or for set periods.
The goal was to create a sophisticated way to manage access without delaying the process. We aimed for employees to gain necessary access within a few days, not months, while ensuring they weren't given access to unnecessary information.
Additionally, I was involved in incident management, which included developing an effective process for triaging incidents like security breaches. If a breach occurred, we would be responsible for responding and working with vendors to resolve it.
This involved ensuring the breach or leak was stopped and remedial actions were put in place to prevent recurrence. We designed a process for responding to incidents based on their severity, from initial triage to assigning personnel for investigation.
The process included developing a mitigation plan and preparing a postmortem report for leadership. This report would detail what happened, how it happened, the actions taken, and plans to prevent future occurrences. This provides a good overview of the basic responsibilities.
