Hub & spoke architecture and expert guide

This article guides organizations through the Hub & spoke model, how to architect spokes to meet their needs, and best practices for deployment.

Topics covered in this article:

  1. What is Hub & Spoke?

    1.1    The problem

    1.2    The model and solution

    1.3    Typical use cases

  2. Benefits of Hub & Spoke
  3. Architecting Hub & Spoke for your organization

    3.1    Understanding the Hub vs. a Spoke

          3.1.1    Content Management 

          3.1.2    Data Management

          3.1.3    Reporting

    3.2    Architecture/use case examples

          3.2.1    Holding company with many subsidiaries

          3.2.2    Healthcare organization managing multiple hospitals

          3.2.3    Technology provider managing multiple ISO 27001 certifications across products 

          3.2.4    Managed service provider delivering across multiple clients and service lines

    3.3    How to define a Spoke to meet your needs

  4. Access management for Hub & Spoke

    4.1    Access management at the Hub

          4.1.1    Hub-level Role-Based Access Controls (RBAC)

          4.1.2    Controlling access to Spokes

    4.2    Access management at the Spokes

  5. Configuration and content lockdown

    5.1    Mandating configuration across all Spokes from the Hub

    5.2    Locking content at the Hub

  6. Scaling the Hub & Spoke model

    6.1    Leveraging Spoke Groups for Hierarchy Management

    6.2    Managing teams across geographies

  7. Digital resources for Hub & Spoke 6clicks customers
  8. FAQs

    8.1    Why would I choose Hub & Spoke over a Growth license?

    8.2    How does Hub & Spoke work for consultants, advisors, systems integrators, and managed service providers?

    8.3    Can you configure a Hub to connect to a Hub?

    8.4    Are there limitations to using Hailey in this model?

    8.5    How can I be sure data is segregated?

    8.6    In what case is a Spoke NOT required in the Hub & Spoke model?

    8.7    As a Spoke, am I limited to the content and configurations that are pushed into my environment from the Hub?

    8.8    How long does a typical Hub & Spoke deployment take?

    8.9    How many full-time employees would you recommend I need to manage a Hub & Spoke deployment?

    8.10    In the Hub & Spoke model, how would I employ a sandbox environment for non-production testing?

    8.11    How should I prepare for a Hub & Spoke implementation?

  9. Getting started on your Hub & Spoke journey

    9.1    6clicks contacts

    9.2    6clicks success plans

  10. Appendix A: List of out-of-the-box reports for Hubs and Spokes

    10.1    Hub level

    10.2    Spoke level

1   What is Hub & Spoke?

1.1   The problem

Michael Rasmussen, world-renowned GRC analyst and owner of GRC 20/20, published a solution briefing on the 6clicks Hub & Spoke model where he outlined the problems distributed organizations face today:

The world of business is distributed, dynamic, and disrupted. It is distributed and interconnected across a web of business relationships with stakeholders, clients, and third parties. It is dynamic as the business changes day by day. Processes change, employees change, relationships change, regulations and risks change, and objectives change. The ecosystem of business objectives, uncertainty/risk, and integrity is complex, and interconnected, and requires a holistic, contextual awareness of GRC – rather than a dissociated collection of processes and departments. Change in one area has cascading effects that impact the entire ecosystem.

The interconnectedness of risks and compliance requires 360° contextual awareness of integrated governance, risk management, and compliance (GRC) within a business and across businesses. Some organizations have an operating model that allows subsidiaries and divisions autonomy but still needs centralized consistency and reporting. Professional service firms also engage diverse organizations in a consistent framework and methodology and look to do benchmarking across clients. Across these various businesses, organizations need to see the intricate relationships of objectives, risks, obligations, commitments, and controls. It requires holistic visibility and intelligence of risk in the context of objectives. The complexity of business – combined with the intricacy and interconnectedness of risk and objectives – necessitates that the organization implements an integrated GRC management strategy, process, and architecture that can allow distributed and diversified businesses to work autonomously but provide some consistency in management and reporting.

In the end, organizations need to reliably achieve objectives, manage uncertainty, and act with integrity. This requires a 360° view of governance, risk management, and compliance within the organization and its relationships supported by an integrated information and technology architecture. Many organizations also require some level of autonomy within distributed businesses and operations while still providing centralized governance and reporting. This is also a need within professional service firms that manage a portfolio of clients in a GRC context. Organizations facing these challenges should look for technology that enables distributed and autonomous businesses to manage GRC in their context while still providing centralized governance, reporting, and benchmarking.

Read Michael Rasmussen's full perspective on the 6clicks Hub & Spoke model in this solution briefing.

1.2   The model and solution

The 6clicks Hub & Spoke architecture for centralized GRC practices was built for organizations running a distributed risk and compliance function across multiple teams or businesses. The 6clicks Hub & Spoke model provides customers with a flexible way to run GRC programs across multi-entity organizations and use cases. It allows organizations to centralize their risk and compliance functions while empowering and providing teams with the autonomy they need to succeed.  Think of it as multi-tenancy for the Enterprise or managed clients.

Hub & Spoke is the perfect solution for large businesses, multinationals, franchises, private equity firms, government agencies, and MSPs requiring a centralized risk and compliance function that spans multiple teams, departments, or businesses. With the Hub & Spoke model, organizations can quickly and easily define the hierarchical structure that works best for them, which includes parent-child relationships between entities.

The Hub makes it possible to define risk and compliance best-practice and content centrally, which is 'pushed down' to Spokes (teams, departments, or businesses) that utilize the full suite of 6clicks GRC modules for day-to-day activities. Consolidated reporting and analytics are rolled up at the Hub level, giving the organization comprehensive, aggregated reporting and insights across all Spokes.

Designed to grow with you, 6clicks Hub & Spoke provides both flexibility and control for organizations managing multiple, autonomous entities.

1.3    Typical use cases

Hub & Spoke is ideal for all organizations managing a risk and compliance function that oversees distributed teams, departments, or businesses, regardless of industry. For any distributed business that wants to enforce best practices, optimize and automate risk and compliance, and requires rolled-up reporting and analytics, 6clicks Hub & Spoke is perfect.

The Hub & Spoke model has broad application across various organizational types. Some typical use cases for the Hub & Spoke model are listed below.

  • Organizations that are managing GRC programs across:
      • Organizational divisions or subsidiaries
      • Geographical regions and/or jurisdictions
      • Portfolio companies and related, managing the due diligence of acquisition targets
      • Franchises
      • Healthcare networks
      • University systems
      • Local, state, or federal government departments
      • Distributed entities
      • Product lines
  • GRC service delivery to clients through consultants, advisors, systems integrators, or managed service providers (MSPs)
  • Managing risk registers across multiple product lines, business units, or teams
  • Managing an enterprise risk management program
  • Managing organizational entities whose risk and compliance needs are widely varied
  • Managing compliance regulations or certifications across multiple product lines, business units, or teams.
  • Reporting on GRC programs across hierarchical organizational structures
  • Managing sensitive projects and authorized personnel access across GRC programs

Of course, the Hub & Spoke architecture can be utilized in a multitude of ways. If you’re unsure if this model is right for you or would like to discuss your needs further, we’d be happy to help.

To chat about your specific GRC needs and organizational structure to help determine the best architecture design for your use case, contact us here.

2   Benefits of Hub & Spoke

The Hub & Spoke bidirectional data model allows for a truly holistic single-pane-of-glass view into a hierarchical GRC program. It helps to streamline, automate, and closely manage GRC programs. It also scales and grows with you, providing a flexible and cost-effective platform built to optimize and automate risk and compliance, regardless of your organization's size. Some of the primary value points are:

  1. Clear segregation between entities
    • Easily manage autonomous GRC programs across subsidiaries, depts, regions, franchises, private equity portfolio companies, service clients, healthcare networks, university systems, state municipalities, etc.
    • Each entity can operate largely autonomously, adopting functionality at its own pace.
    • Each team's data can be managed individually, including the team configuration, user access, and permissions.
  2. Ease of content management across a distributed business model
    • Content within the 6clicks library can be tailored and made available for each managed entity.
    • Entities can manage their custom content within their 6clicks instance in addition to the standardized content provided by the parent or Hub-level organization.
  3. Hub-level management capabilities
    • Users at the Hub level can create templated entities with assessment templates, policies, risks, projects, and incident response playbooks to enforce a standardized approach to GRC.
    • Users within the Hub team can access each entity's account as an advisor/manager.
    • The Hub can initiate risk reviews to get a quick snapshot of risks within the entities at a board or senior executive level.
  4. Cross-functional data visibility and roll-up reporting
    • Curate a single-pane-of-glass GRC landscape regardless of how many separate entities your organization is required to manage
    • Template reporting across entities to ensure real-time and holistic risk reporting
    • Reduce audit fatigue and alleviate the hassle of tracking down data across entities
    • Integrate bi-directionally with current systems and bring all GRC and Security data into one platform
    • Holistically manage your security and risk posture at the Hub, while entities mature at their own pace

In short, developing a holistic view of your organization's GRC program utilizing 6clicks creates immediate value and ROI for your organization.

3   Architecting Hub & Spoke for your organization

3.1   Understanding the Hub vs. a Spoke

The Hub provides a centralized 'parent' team, which oversees a number of 'child' teams called Spokes. Spokes typically represent a team, department, service line, business, or entity running a GRC program and require some level of separation and autonomy.

The Hub is where content, such as audits and assessments, control sets, and risk and issue libraries are created and global configurations defined. These are then 'pushed' down to Spokes, where daily GRC-related activities are undertaken. Team members at the Hub can drop down into Spokes they have access to, for supporting these activities. Additional team members can be added directly to Spokes, limiting their access to a single Spoke and providing flexible user access management options.

Moreover, Spoke templates can be defined at the Hub, which are 'shell' Spokes with pre-populated content. Spoke templates expedite Spoke provisioning and enablement, meaning you can spin up turn-key Spokes in seconds. You can also define Spoke hierarchies using Spoke groups, which provide a powerful and structured way to define, manage and report on and across your organizational hierarchy (example below).

It's important to note that, while the Hub & Spoke model promotes and enables a centralized approach to GRC, it still gives the autonomy to each entity to adopt GRC implementation at their own pace. Aspects such as user access, configurations, permissions, etc. can be managed for each entity individually. More on this below.

3.1.1   Content management

The Hub makes it possible to define risk and compliance best-practice and content centrally, which is 'pushed down' to Spokes (teams, departments, or businesses) that utilize the full suite of 6clicks GRC modules for day-to-day activities. A Hub can create and manage content (assessments, control sets, authorities, playbooks, and more) from the Hub and distribute to Spokes or use our content from the 6clicks Content Library.

For more information on pushing content to one or more Spokes, see this Knowledge Base (KB) article.

In addition to content managed and published by the Hub team, Spokes are empowered to create and manage their own content and templates as required. This ensures full flexibility for teams to manage their risk and compliance content needs – whether it is standardized/centralized from the Hub, or a bespoke framework need for a particular Spoke.

3.1.2   Data management

We must start by distinguishing between data and content:

In 6clicks nomenclature, Content is representative of the templates used throughout the platform, such as standards, laws, regulations, compliance frameworks, assessment templates, internal control sets, issue libraries, risk libraries, and projects/playbooks.

Data represents the tasks or actions created in a workflow using a template or piece of content, such as an assessment task, issue action, or risk treatment plan, for example.

While content can be managed and distributed from a Hub or within a Spoke, data is only managed within each Spoke. The Hub can access data at the Hub level for reporting purposes but does not manage data at the Hub level – data and task management activities are conducted from within a specific Spoke.

3.1.3   Reporting

In the Hub & Spoke model, organizations can aggregate reporting from across Spokes at the Hub level and use hierarchical Spoke groups to define an organizational structure for more flexible reporting, creating a single-pane-of-glass view across its GRC landscape. Consolidated reporting and analytics are rolled up to the Hub level, giving the organization comprehensive reporting and insights across all Spokes.

Hubs can also template dashboards at the Hub level and share them down to Spokes using Spoke templates. This would ensure that Hub-level users see the information and reports they require within their respective Spokes in a standardized manner. Of course, Spoke level users could create their own dashboards within their Spoke, given the right role permissions, separate from the Hub shared template.

Below are various reporting examples from the 6clicks platform for board and executive-level reporting for organizations in the Hub & Spoke model. It’s important to note that these are sample screenshots and not an exhaustive capture of all available out-of-the-box reporting options in 6clicks.

A full list of available out-of-the-box reports at the Hub and Spoke levels, respectively, is available at the end of this document. Additionally, organizations can slice and dice their GRC data and present it in a format that meets their specific needs using our self-service reporting options available in our business intelligence (BI) tool.

The screenshots below indicate a dashboard-style approach to reporting. However, 6clicks offers export to various formats (PDF, Excel, Word) for external delivery as well as options to build real-time PowerPoint presentations and Word document reports in the platform.

Create dashboards of pertinent program information at the Hub across multiple entities or at the Spoke level for entity-specific reporting needs:

Compare assessment results across Spokes for benchmarking:

Identify trends in your data using progress and trending charts:

Show control effectiveness and control testing results:

Track overall program tasks across one or more entities:

3.2   Architecture/use case examples

In each of the diagrams and use case examples below, the following color key can be used:

  • Navy blue = Represents the Hub tenant
  • Green = Represents a Spoke group or categorization of Spokes
  • Orange = Represents a separate spoke/autonomous GRC

3.2.1   Holding company with many subsidiaries

A holding company may own and operate hundreds of offices or subsidiaries across many countries or jurisdictions. This is especially true for organizations that grow through acquisition. For this use case, the 6clicks Hub & Spoke model enables such firms to manage each subsidiary, categorized in its respective region, autonomously and in a highly scalable manner (i.e. ability to handle the growth of multiple subsidiaries per year).

In the below architecture example, the Parent company is the Hub, and example subsidiaries A, B, and X are grouped Spokes under the US Region while subsidiaries C, D, and Y are grouped Spokes under the APAC region, and so on. The parent company can then publish down corporate policies, for example, to each subsidiary group to ensure adherence while empowering the subsidiaries to operate their GRC programs separately from one another and mature at their own pace otherwise. In this grouping model, the Parent company can also publish US-specific policies, for example, to all subsidiaries in the US region.

3.2.2   Healthcare organization managing multiple hospitals

With Hub & Spoke, a healthcare provider with multiple entities or divisions, either in various locations or all in one, can allocate a 'Super Administrator' with full view and access management. Essentially, each entity or division becomes a categorized 'Spoke' within the top view portfolio.

In this example, the Healthcare Headquarters operates as the Hub and has categorized its spokes by General Care, Emergency/Urgent Care, and Specialist Care with different locations and units within each operating as their own Spoke. Hospitals A, B, and X are in the General Care group, for example. This empowers each location to manage its assets, risks, and HIPAA compliance, for example, separately from one another while maintaining visibility at headquarters.

3.2.3   Technology provider managing multiple ISO 27001 certifications across product lines

The 6clicks Hub & Spoke model is key to allowing various business units to capture and manage their respective risk and compliance requirements while still meeting the organizational compliance requirements, and to reducing the number of tools and techniques used to document and manage each ISMS. In Hub & Spoke, 6clicks allows business units to autonomously maintain their specific business needs while allowing the organization to enforce compliance requirements from a global perspective, giving it a bird's-eye view of each business line's compliance levels.

In the depiction below, the Corporate Org is the Hub managing multiple products, each with its own ISO 27001 certification and ISMS needs. Product 1, Product 2, and Product 3 through Product X are individual Spokes in this architecture and the Corporate Org has not employed any Spoke grouping. In this example, the Corporate Org at the Hub level has visibility into the required corporate risks and overall compliance levels while leaving the management of each ISMS to the respective product line resources and teams.

3.2.4   Managed service provider delivering across multiple clients and service lines

In this example, the MSP offers three service lines: ISO 27001 readiness, Vendor Management as a Service, and vCISO services. The MSP can share its content with one or more clients based on what services have been contracted. The partner can create their proprietary vendor assessment template, for example, at the Hub level and share it with all the clients who contract Vendor Management aaS through the partner.

In this model, each client operates in their own Spoke with the partner delivering the contracted services. The Managed Service Provider is the Hub-level account. Client A, B, and X have all contracted ISO 27001 readiness services and thus have been categorized into the ISO 27001 Readiness Spoke group. Clients can also be grouped into one or more service lines based on their agreement with the partner. For example, while clients A and B have been grouped into ISO 27001 Readiness, they have also purchased vCISO services through the MSP. Therefore, you’ll see they are categorized under the “vCISO Services” Spoke group in the architecture example below.

For more customer success stories, including Hub & Spoke use cases, visit our website here.

3.3   How to define a spoke to meet your needs

As enterprises are exploring the Hub & Spoke model, we are often asked how Spokes are or should be defined for that organization. The Hub & Spoke model allows for a lot of flexibility in its architecture. We appreciate this can be intimidating at first. As such, we’ve included a few questions below to ponder when architecting the Hub & Spoke to meet your organization’s needs:

  • Do we have autonomous entities, like subsidiaries, today? This creates a natural definition for Spoke – each subsidiary can operate its respective GRC program in its own Spoke environment.
  • How do we manage risks today? Do we need to segregate our risk register between multiple teams, divisions, or products, for example, and ensure no cross-functional data visibility?
  • Are we managing multiple ISMS programs across various business units or subsidiaries?
  • How do we segregate data in our GRC program today? By team? Product? Use case? Something else?
  • Do we have teams with varying use cases or tools they’re using today that we want to integrate into one platform? Generally, in this case, it’s most useful for each team to have their own dedicated Spoke.

4   Access management

In the Hub & Spoke model, access control is multilayered to support granular requirements at both the Hub and Spoke levels. Organizations can control: 1) who has access to the Hub and what level of access, 2) who has access to multiple Spokes and what level of access in each, and 3) which team members have access to only one Spoke.

4.1   Access management at the Hub

4.1.1   Hub-level role-based access controls (RBAC)

We offer several roles OOB in 6clicks for managing access at the Hub level. These OOB roles are:

  • Administrator – All permissions granted to this user by default. This user can see all data and perform all functional actions across all modules within the Spoke.
  • Advisor – Nearly synonymous with Administrator level permissions with the exception of Spoke group management functions. Typically used for users at the Hub who will be managing multiple Spokes.
  • Contributor – This user role only has access to view the risk review functionality at the Hub.
  • Owner – Owners have access to view and manage risk reviews at the Hub but no other functionality.
  • User – This is the default role at the Hub level. The User role has access to create, edit, update and push all content types to Spokes and manage content library items. Effectively, this role has permissions to all Hub level data and functionality except the Administration panel (i.e. managing users, permissions, integrations, etc.)

In addition to the roles we offer OOB, organizations can create their own hub-level roles or modify the roles we provide. There are varying levels of permissions available at the Hub level to enable proper segregation of duties and least privilege. For a full list of available access control functions at the Hub level, see this KB article.

4.1.2   Controlling access to spokes

Core risk and compliance members interacting and engaging with entities across the organization have RBAC controlled role permissions. This means they can only see and access the teams they are working with directly. All this can be managed by the centralized Hub team.

It’s important to note that, just because a user has access to the Hub doesn’t mean that the same user has been granted permissions to Spokes in the environment. These are purposefully maintained separately to ensure granular and flexible access controls.

If your organization would benefit from all Hub-level users automatically gaining access to all Spokes, this can be enabled on a role-by-role basis at the Hub. To give a certain Hub role access to all Spokes, from the Hub, navigate to Administration > Roles > Click on a role > Edit > Check the “Access all spokes” box under General:

If turned on for a role, any user with that role assigned at the Hub level will automatically gain access to all Spokes in the environment with the role of 'Advisor'.

You can also enable this Spoke access option on a user-by-user basis from the Hub by navigating to Administration > Users > Choose a user > Edit > Check the “Access all spokes” box under General in the Permissions tab.

4.2   Access management at the Spokes

We offer several roles OOB in 6clicks for managing access at the Spoke level. These OOB roles are:

  • Administrator – All permissions granted to this user by default. This user can see all data and perform all functional actions across all modules within the Spoke.
  • Advisor – This is a Hub-level user who has been granted permissions to the Spoke. By default, this user adopts the same access levels as the Administrator role.
  • Contributor - This user role only has access to view the risk review functionality, complete risk reviews, and see risks in the register they’ve explicitly been granted access to via the access members list.
  • Owner – This role can manage, create, and view risk reviews and risks in the system. However, this permission does not grant access to all data. Users with this role can only access risks they have explicitly been granted permissions to on the access members list.
  • User - This is the default role at the Spoke level and automatically given to users that are added to the environment without a role specified. Similar to the Hub, this role has all available permissions and data visibility at the Spoke except Administration panel functions and risk workflow staging management.

In addition to the roles we offer OOB, organizations can create their own hub-level roles or modify the roles we provide. There are varying levels of permissions available at the Spoke level to enable proper segregation of duties and least privilege.

For a full list of available access control functions at the Spoke level, head here.
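For an access review, the rules in sections 4.1.2 and 4.2 can be modeled to see who effectively holds which role in which Spoke. The following is an added example, not 6clicks code and not based on any 6clicks API or export format; it runs over constructed sample data, and all class, field, user, and Spoke names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class HubRole:
    name: str
    access_all_spokes: bool = False  # "Access all spokes" box on the role


@dataclass
class HubUser:
    name: str
    role: str
    access_all_spokes: bool = False  # per-user "Access all spokes" box
    granted_spokes: set = field(default_factory=set)  # explicit Spoke grants


def effective_spoke_access(roles, hub_users, spokes, spoke_members):
    """Return {user: {spoke: (spoke_role, source)}} for users with Spoke access.

    Rules as described in the guide:
      * Hub access on its own grants no Spoke access.
      * "Access all spokes" (on the role or on the user) grants the
        'Advisor' role in every Spoke.
      * A Hub user granted access to a Spoke is an 'Advisor' there.
      * Users added directly to a Spoke hold the Spoke role they were given.
    """
    role_by_name = {r.name: r for r in roles}
    access = {}
    for user in hub_users:
        via_role = role_by_name[user.role].access_all_spokes
        if via_role or user.access_all_spokes:
            source = "hub-role flag" if via_role else "hub-user flag"
            per_spoke = {s: ("Advisor", source) for s in spokes}
        else:
            per_spoke = {s: ("Advisor", "explicit grant")
                         for s in spokes if s in user.granted_spokes}
        if per_spoke:
            access[user.name] = per_spoke
    for spoke, members in spoke_members.items():
        for name, role in members.items():
            access.setdefault(name, {}).setdefault(spoke, (role, "spoke member"))
    return access


def blanket_access_findings(roles, hub_users):
    """List (user, hub_role, source) for users who are Advisor in all Spokes.

    Advisor adopts Administrator-level access in a Spoke by default, so a
    Hub role with few Hub permissions can still carry broad Spoke access.
    """
    role_by_name = {r.name: r for r in roles}
    findings = []
    for user in hub_users:
        if role_by_name[user.role].access_all_spokes:
            findings.append((user.name, user.role, "hub-role flag"))
        elif user.access_all_spokes:
            findings.append((user.name, user.role, "hub-user flag"))
    return sorted(findings)


# Constructed sample environment (hypothetical names and settings).
ROLES = [
    HubRole("Administrator"),
    HubRole("Advisor", access_all_spokes=True),
    HubRole("Contributor"),
    HubRole("User"),
]
HUB_USERS = [
    HubUser("alice", "Advisor"),
    HubUser("bob", "Contributor", access_all_spokes=True),
    HubUser("carol", "User", granted_spokes={"Subsidiary A"}),
    HubUser("dave", "User"),
]
SPOKES = ["Subsidiary A", "Subsidiary B", "Subsidiary C"]
SPOKE_MEMBERS = {"Subsidiary B": {"erin": "Owner"}}

if __name__ == "__main__":
    access = effective_spoke_access(ROLES, HUB_USERS, SPOKES, SPOKE_MEMBERS)
    for user, grants in sorted(access.items()):
        for spoke, (role, source) in grants.items():
            print(f"{user:6} {spoke:13} {role:8} via {source}")
    for name, hub_role, source in blanket_access_findings(ROLES, HUB_USERS):
        print(f"REVIEW: {name} (Hub role {hub_role}) is Advisor in all Spokes ({source})")
```

In the sample data, "bob" holds only the Contributor role at the Hub but is an Advisor in every Spoke through the per-user option, which is the kind of mismatch a least-privilege review should surface.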

5   Config and content lockdown

5.1   Mandating configuration across all Spokes from the Hub

We understand the importance of process standardization across an organization. That’s why we enable organizations to define best practice workflows and custom fields at the Hub level and enforce them down at the Spoke level. This ensures that all Spokes in the environment are following the same risk methodology, for example.

For more information on mandating risk framework or methodology at the Hub across all Spokes, start with this KB article about field management and this KB article about risk workflows.

5.2   Locking content at the Hub

In many instances, a Hub-level administrator or partner may want to lock content to prevent editing by a Spoke before use to ensure standardization. To handle this use case, we introduced a content-locking option on templates created at the Hub. This is an optional feature and can be utilized on a template-by-template basis across assessment templates, control sets, project plans, and playbooks.

For example, Hub-level administrators can configure a proprietary assessment template to share across one or more Spokes. As a result, a Hub admin may want to lock the template for editing to ensure Spokes are using a standardized and mandated assessment approach. This is possible for various content template types at the Hub level. This means that if a locked template is downloaded in a Spoke environment, it cannot be modified by the entity before use. A locked piece of content can be identified by the lock icon at the Hub and Spoke levels. Example below for a locked assessment template:

For more information on locking a template, an assessment template in this example, head here.

6   Scaling the Hub & Spoke model

By design, the Hub & Spoke model is scalable both horizontally and vertically. This enables organizations to continue to adapt their 6clicks solution to a growing and changing organization.

6.1   Leveraging spoke groups for hierarchy management

Spoke groups allow you to organize Spokes into groups for categorization, better management, and organization. Groups can be set up to have parent-child relationships, giving you the flexibility to create your organizational structure or better organize clients. A Spoke can belong to one or more groups in this hierarchical model.

Using Spoke groups, organizations can filter Hub-level reporting based on groups, share content based on groups, and more. Below is a visual depiction of the Spoke group model in action.

See this section for example use cases that may need to leverage Spoke groups.

To learn more about how to manage your organization’s hierarchy needs with Spoke groups, head here.

6.2   Managing teams across geographies

For organizations with teams or entities in multiple geographies, we have a few options:

  • Create your Hub environment in the geography with the highest concentration of entities or the strictest data sovereignty rules and use Spoke groups to organize Spokes into their respective region(s); or
  • Create multiple Hub environments – one in each geography (see more information on reporting across Hubs here).

We service many large, multinational organizations with this need today using one of these two options. Either of these provides a viable solution for organizations operating globally. For more information on our current data center locations for hosting your 6clicks Hub & Spoke environment, head here. If you don’t see your preferred hosting location listed, please contact us.

7   Digital resources for Hub & Spoke 6clicks customers

For organizations getting started in a Hub & Spoke deployment, we recommend the following Expert Guides in addition to the various Knowledge Base articles linked throughout this guide:

8   FAQs

8.1   Why would I choose Hub & Spoke over a Growth license?

The 6clicks Growth license is perfect for small to medium-sized organizations with a team managing a single GRC program; think of it as single-tenancy. The Hub & Spoke license becomes the best option for organizations managing GRC programs across multiple teams but may be overkill for a smaller, flat organizational structure, whose needs would be better served with a Growth license.

8.2   How does Hub & Spoke work for consultants, advisors, systems integrators, and managed service providers?

While there is functionally no difference in the application of Hub & Spoke for Enterprise vs. Advisors, 6clicks offers a white-labeled Hub & Spoke environment that allows our partners to provision and manage all GRC-related client engagements and services centrally from a custom branded Hub, promoting their service offerings and intellectual property (IP).

Client teams (Spokes) can be created from templated teams designed for specific offerings, minimizing setup time. Advisors can then easily be granted access to client teams, and client users can be invited into their team at the right time, depending on the engagement. In this case, the same RBAC granularity is employed. Build customer stickiness and revenue share with us through the 6clicks partnership program.

8.3   Can you configure a Hub to connect to a Hub?

For organizations with complex organizational hierarchies, we recommend our Spoke group functionality. In most instances, this solves the Hub-to-Hub requirement.

For organizations operating across geographies, where data sovereignty requirements drive the need for multiple Hubs, we recommend looking into reporting options via an external BI tool, like Power BI or Tableau. Often, the Hub-to-Hub need relates mostly to a desire to report across multiple environments. Pulling data from 6clicks APIs into a single BI tool satisfies this multi-Hub reporting requirement well.

8.4   Are there limitations to using Hailey in this model?

For Enterprise deployments of Hub & Spoke, Hailey AI can be utilized to:

For Advisors leveraging Hub & Spoke for service delivery, please contact your 6clicks representative to explore which license options include the Hailey AI feature set for your clients.

8.5   How can I be sure data is segregated?

As previously noted in this guide, there are several access control layers in the Hub & Spoke model to prevent unwanted cross-pollination of data and configuration across Spokes. Each Spoke is treated as a separate tenant in the environment where access must be explicitly granted (at the Hub or Spoke level) and data explicitly created within a Spoke. There is no cross-sharing of data in this model between Spokes.

At 6clicks, security and building trust are in our DNA. For more information on our security program and the measures we take to ensure platform security, please visit our website here.

8.6   In what case is a Spoke NOT required in the Hub & Spoke model?

We do not recommend creating individual Spokes for entities that do not require GRC functionality. If you have entities that only respond to a routine corporate assessment, we recommend creating a dedicated Spoke in your Hub & Spoke model for this assessment cadence. Then, each entity can be treated as a “third party” within that Spoke and assessed on your required cadence. The value of this approach is the cost savings from avoiding the need for Spokes for a single use case, as well as the ease with which you can create, send, and manage multiple assessments.

The general rule of thumb is, if the entity doesn’t need to manage its risks, issues, incidents, policies, third parties, or another GRC use case distinct from the rest of the entities, we do not recommend a separate Spoke for that entity.

If you have questions about your specific use case and best practices, please contact your 6clicks representative. We’re happy to discuss our best-fit design recommendations for your organization.

8.7   As a Spoke, am I limited to the content and configurations that are pushed into my environment from the Hub?

This is the beauty of the Hub & Spoke model – while Hubs can push down content and configuration to the Spokes, Spokes also have the autonomy to build, create, and use their own content when required. Content and configuration do not have to originate from the Hub and Spokes are not limited to only the content provided by the Hub.

However, there may be times when a Hub mandates certain configuration or locks content for editing – in which case the Spoke must follow the configuration or content requirements as mandated by the Hub organization.

8.8   How long does a typical Hub & Spoke deployment take?

While this depends on the number of Spokes, stakeholders, and use cases, our clients enjoy a speedy deployment and implementation with 6clicks. As a reference point, we have a client who had 165 Spokes across three use cases implemented and in production in six weeks total. This included training exercises for administrators and advisor-level users. As a rule of thumb, Hub & Spoke deployments take weeks, not months.

Once you purchase your 6clicks Hub & Spoke license, we’ll get your environment stood up in no more than 5 business days. Once you have access to your environment, our Customer Success team will set up a kick-off meeting to establish your 30/60/90-day implementation plan. Depending on your preferred success plan, we will make sure you have the right level of expert guidance and support to suit your needs and meet your goals.

8.9   How many full-time employees would you recommend I need to manage a Hub & Spoke deployment?

As you’d imagine, the answer to this question is heavily dependent on several program-related factors. Such factors could include the number and complexity of Hub-mandated use cases, the volume and frequency of assessments, the cadence of policy reviews, whether third-party assessments and management are in scope, how many Spokes you are managing, whether your Spokes have their own administrators separate from Hub-level users or the Hub manages the entire program across all Spokes, etc.

In the example cited above (question 8.8), this organization started with 165 Spokes and has grown to 195 Spokes. The day-to-day support of the 6clicks platform involves delivering Spoke user training; administering a semi-annual risk assessment to each business unit (Spoke); conducting the corresponding review of responses and evidence (including back-and-forth Q&A); managing findings and risks created based on assessment results; ensuring that Dashboards are built, populated, and maintained with the relevant KRIs for board reporting; liaising with 6clicks technical resources; and staying current with newly released 6clicks functionality. The client accomplishes all these activities across 195 Spokes using one full-time employee (FTE).

8.10   In the Hub & Spoke model, how would I employ a sandbox environment for non-production testing?

Generally, organizations deploy a Spoke dedicated to sandbox testing in their production Hub environment. If your organization requires a full Hub & Spoke sandbox environment, please reach out to your 6clicks Account Executive regarding options for this deployment type.

8.11   How should I prepare for a Hub & Spoke implementation?

Ahead of your kick-off meeting, it’s most beneficial to identify and prepare the following information:

  • Identify key stakeholders and their roles in the implementation;
  • Identify and prioritize key use cases, content requirements, and data migration needs;
  • Gather any existing process documentation you wish to implement in 6clicks; and
  • Establish desired production go-live dates and reverse engineer your goals based on that date. In your kick-off call, we will help you establish your 30/60/90-day plan, but having your desired go-live date helps us determine the critical path to ensure you achieve that date.

Coming to your kick-off call with the above information and a few key business decisions made ensures a more expedited onboarding and implementation process. You can also peruse the Success Launchpad and Knowledge Base to begin familiarizing yourself with our digital resources and the 6clicks product.

9   Getting started on your Hub & Spoke journey

9.1   6clicks contacts

Have questions about the Hub & Spoke model that weren’t covered in this expert guide or want more information on licensing and pricing? Don’t hesitate to reach out to us today and we’ll be happy to assist.

If you have product functionality specific questions or feedback, please reach out to our customer support team.

9.2   6clicks success plans

Our goal is to ensure that our customers achieve the value in 6clicks they have come to expect. While the 6clicks AI-powered GRC solution provides software that’s smart, not complicated, we know a little extra support goes a long way. That’s why we provide two success plans for our clients to choose from to best fit their needs.

  • Standard success – Learn at your own pace with quick, self-guided resources at your fingertips. Take advantage of our experience built for the ultimate self-starter.
  • Premier success – Reach your goals faster with access to expert guidance tailored to your risk and compliance outcomes.

If you have questions regarding which success plan best suits your needs, please reach out to us or peruse the full list of success plan benefits here. We look forward to working with you on your 6clicks journey!

10   Appendix A: List of out-of-the-box reports

Below is a list of the out-of-the-box (OOB) reports available at the Hub and Spoke levels, respectively, as of June 2023. We are always improving our OOB reporting options, so you can count on these lists actively growing!

10.1   Hub level

| Report Name | Description |
|---|---|
| Assessment Results (QBA) - by Results | View the actual results of any question based assessments |
| Assessment Results (QBA) - by Risk | View the risk ratings of question based assessments that have risk ratings |
| Assessment Results (QBA) - by Weighting | View the weighted score of question based assessments that have a weighted score |
| Issue Actions | Issue action report |
| Issue Register | View a summary of all your issues in your issue registers |
| Issue Summary | View a high-level summary of issues in your spoke/client issue registers |
| Progress Report (QBA) - Assessment - Overall Progress | View the overall progress status of any question based assessment |
| Risk Matrix | View all your risks and related risk assessments in the risk matrix |
| Risk Register | View a summary of all your risks in your risk register |
| Risk Review | View the spoke/client risk review results of hub created risk reviews |
| Risk Treatment Plan Report | View a summary of all risk treatment plans linked to risks in your risk register |

10.2   Spoke level

| Report Name | Description |
|---|---|
| Assessment Results (QBA) - by Results (Bar Chart) | View the actual results of any question based assessments |
| Assessment Results (QBA) - by Risk (Bar Chart) | View the risk ratings of question based assessments that have risk ratings |
| Assessment Results (QBA) - by Risk (Radar) | View the min, median, and max values of your risk-rated assessment domains displayed on a radar chart |
| Assessment Results (QBA) - by Risk (Table) | View the risk ratings of question based assessments that have risk ratings displayed in a table |
| Assessment Results (QBA) - by Weighting (Bar Chart) | View the weighted score of question based assessments that have a weighted score |
| Assessment Results (QBA) - by Weighting (Radar) | View the min, median, and max values of your weighted assessment domains displayed on a radar chart |
| Assessment Results (QBA) - by Weighting (Table) | View the weightings of question based assessments that have weightings displayed in a table |
| Assessment Results (RBA) (Authorities/Provisions) | View the results of requirement based assessments created from authorities |
| Assessment Results (RBA) (Control Sets/Controls) | View the results of requirement based assessments created from control sets |
| Assessment Results (RBA) Authorities/Provisions (Chart) | View the results of requirement based assessments created from authorities in a chart |
| Assessment Results (RBA) Control Sets/Controls (Chart) | View the results of requirement based assessments created from control sets in a chart |
| Asset Register Report | View asset items in a table |
| Asset Register Report (Chart) | View asset items in a chart |
| Authority Summary Report | View the count of provisions in an authority by field |
| Authority to Control Set Mapping | View how provisions in an authority link to controls in control sets/policies |
| Control Performance | View the performance of your controls based on the status (Open/Closed) of linked responsibilities and related responsibility tasks |
| Control Set to Authority Mapping | View how controls in a control set link to provisions in authorities |
| Controls Register Report | View all controls and linked responsibility tasks in a table |
| Customer Register Report | View custom register items in a table |
| Customer Register Report (Chart) | View custom register items in a chart |
| Issue Actions | Issue Action Report |
| Issue Register | View a summary of all your issues in your issue registers |
| Issue Summary | View a high-level summary of issues in your spoke/client issue registers |
| Progress Report (QBA) - Assessment - Overall Progress | View the overall progress status of any question based assessment |
| Progress Report (QBA) - Assessment - Response Progress by Assignee | View the progress status of individual questions of any question based assessment by question assignee |
| Progress Report (QBA) - Assessment Template - Responding Team | View the progress status of any question based assessment created from an assessment template by responding team |
| Risk Matrix | View all your risks and related risk assessments in the risk matrix |
| Risk Matrix (Risk ID) | View all your risks and related risk assessments in the risk matrix with risk IDs displayed in cells |
| Risk Register | View a summary of all your risks in your risk register |
| Risk Treatment Plan Report | View a summary of all risk treatment plans linked to risks in your risk register |
| Task Register Report | A summary of risk treatment plan, issue action and control responsibility tasks |
| Task Register Report (Pie Chart) | A summary of risk treatment plan, issue action and control responsibility tasks depicted in a pie chart |
| Template Overview (QBA) - by Risk | View the risk ratings of all assessments created from assessment templates that have risk ratings |
| Template Overview (QBA) - by Weighting | View the weightings of all assessments created from assessment templates that have weightings |
| User, Group, and Role Audit Logs | Track changes to users, groups, and roles. Date/time is UTC +0 |
| Vulnerabilities - by Priority (Bar Chart) | A breakdown of vulnerabilities by priority across your assets |
| Vulnerabilities - by Severity (Bar Chart) | A breakdown of vulnerabilities by severity across your assets |