Enhancing Access Requests with Risk Detection
A key outcome was the discovery of two core personas: People Managers and Risk Owners. Created a tailored workflow that serves both use cases; simplified the explanation of risk information to help users take confident, informed mitigation actions.
Project Outcomes
Discovered a new Risk Owner persona. Addressed the issue of users multitasking. Further prioritized and simplified users' tasks.
Successfully launched the 2021 Release by adopting Risk Criticality and Presentation Ecosystem across other security products.
Helped support over 8 major clients (including Shell, BP, and more), impacting 1000+ primary users. Resolved 10+ customer tickets and improved NPS score by 30%.
Problem
How to Incorporate Risk content into the Request Review flow?
Previously, the Request Review flow was designed without risk considerations. However, with risk now enabled in our system, the review process has become a critical touchpoint for presenting and explaining risks to users. By providing relevant risk information within the flow, users can make informed decisions on whether to approve or reject access requests.
Original Design
The original design did not include risk information. The new requirement is to incorporate risk details to provide approvers with better context, enabling them to make informed risk-based decisions.

Understand User Story
The project focuses on Approvers, who are responsible for reviewing employee requests. Approvers are typically people managers overseeing their employees' access requests. The review process begins when Approvers receive a notification or locate a request number in their pending list. It concludes when they take appropriate action—either approving or rejecting each access request.

User Testing Results
Conducted a moderated usability test with six participants from two clients. Organized affinity notes from their feedback and gathered key insights for improvements.


Challenges
The primary challenge lies in balancing technical complexity with business simplicity.

Discovered...
This group has limited knowledge of risk and may not prioritize it. Their primary focus is reviewing requests based on whether an employee’s role should have access.
This group is responsible for setting up risk rules, reviewing risks, and ensuring security compliance within the company.
Ideation
Created two workflow designs and hand-sketched corresponding pages, then discussed them with the team:
- Flow A – Designed for People Managers, focusing on straightforward request reviews based on employee roles.
- Flow B – Tailored for Risk Owners, incorporating detailed risk analysis and resolution steps.

Final Design
Addressed the challenges by designing distinct experiences for both People Managers and Risk Specialists:
- Waterfall Experience – Streamlined for People Managers, allowing them to review requests without needing to dive into risk details.
- Full Risk Page – Dedicated for Risk Specialists, providing in-depth risk information for thorough analysis and decision-making.
