Rippling Automated Compliance

Rippling's mission is to "free smart people to work on hard problems." Rippling Automated Compliance exemplifies that in every way by helping companies automate the compliance process and get SOC 2 compliant quickly.

The Automated Compliance team was founded in 2022 and I joined the effort in February 2023 as the second product designer. I worked on small improvements as well as 0-1 features across the entire product, including app integration, policies, and control remediation actions.

For this case study, I will focus on how I approached redesigning how a user remediates a failing control so that they can be SOC 2 compliant.

Target users
Startup founders
Enterprise compliance leads

Team
1 product designer
1 user researcher
2 software engineers

My role
Product design including research, interaction design, visual design and prototyping

Fig1 - New design for remediation guide

The context

Controls are security measures that an organization puts into place to satisfy SOC 2 requirements. An example would be a control to monitor employee handbook attestation. The job of the organization is to ensure this control is implemented effectively and that all employees attest to this document. The control fails as long as there are employees who have not attested to the document.

How might we empower users to remediate issues without customer support?

The problem with the design today is that it isn’t immediately clear to users which actions they should take to remediate a failing control.

These actions live in different places: a CTA in the remediation guide, a CTA in the top right corner of the grid, and a CTA at item level for dismissing. Additionally, there are several scenarios that the current UI doesn’t support, such as: What happens when a remediation action doesn’t apply to certain items? What is the status of the previous remediation action?

Fig2 - Current design in production
Fig3 - User feedback from usability research

Designing for novice vs. expert

Rippling serves a wide range of customers, from startup founders who have no prior knowledge of SOC 2 to compliance leads who crave a powerful tool. The team prioritizes designing for startup founders: by delivering on the strategy of default simplicity and powerful optional configuration, we can bias the defaults of our product to the busy startup founder while still meeting the needs of the compliance lead.

The design objective is to build a product that is both:
1. Extremely simple/clear to use for first-time users who care about getting a SOC 2 report ASAP
2. Powerful enough to support complex configuration and customization for power users as they dig deeper

Free smart people to work on hard problems

The team conducted usability research on the current build, and through that research we identified 2 goals to support our users and exemplify Rippling's mission:
1. Automate as much as possible by integrating tightly with Rippling's ecosystem
2. Give users clear action items by progressively disclosing remediation actions based on severity and previous actions

Fig4 - Current remediation flow vs. Proposed update

Proposed updates

The current remediation flow requires the user to log in to Rippling, navigate to the Automated Compliance app, navigate to the Controls tab, select the failing control, then remediate issues. The feedback was that the navigation is cumbersome and complicated. People also don't want to be logging in to Rippling every day to view the status of their controls.

My proposed update is to deliver the status of users' controls right into their inbox and only show the controls that are assigned to them. That way, users would know how they are progressing every day with remediating failing controls and can dive right into the control detail from the email.

Fig5 - Low-fidelity wireframes of various approaches

Shipped work

Even though the original scope of the project was to improve the UI for the remediation guide, I found opportunities to improve the remediation flow more holistically.

This project required tight collaboration with engineers to ensure the product provides appropriate remediation actions at each stage of the remediation process, instead of overwhelming users with all available actions and putting the decision-making on users.

Fig6 - SOC 2 daily digest email

Minimize time spent on task with daily digest email

Based on usability research, I identified an opportunity to shorten the flow to remediate a control by delivering a status update right into the user's inbox.

Fig7 - Redesigned remediation guide on control detail page

Simplify by progressively disclosing remediation actions

The new design for the remediation guide summarizes the problem with the control and provides a clear next step for the user.

Fig8 - Remediation progress once user selects a remediation action
Fig9 - Progressively disclose remediation actions based on severity and status of previous actions
Fig10 - Detailed view of items that need remediation so power users have more control over the actions they want to take

Reflection & next steps

This project is currently in development. The next step for this project is to monitor its efficiency by gathering user feedback and continuing to iterate.