Irina Kotorova on women in SaaS and the future of the GRC industry

The COO reveals what matters in her field and why underrepresentation can be an opportunity

Table of contents
  1. GRC’s relevance for modern companies
  2. The challenges of “Women in SaaS” and diversity at Zazoon
  3. How Irina Kotorova is shaping Zazoon’s development
  4. Zazoon’s development and strategy for the future
  5. Tech Trends and GRC Regulations in Harmony

Irina Kotorova is Chief Operating Officer (COO) at Zazoon. Before transitioning to the SaaS and GRC sector, she gained experience in critical infrastructures such as hydropower engineering, among others. In our interview, the COO talks about her journey into the tech industry, the importance of GRC for modern businesses, and how Zazoon uses artificial intelligence to keep companies agile and compliant.

Key Takeaways
  • Irina Kotorova, COO at Zazoon, transitioned from critical infrastructure to the SaaS and GRC sector, emphasizing the importance of sustainable and reliable processes in regulated environments.
  • Kotorova advocates for diversity in the male-dominated tech industry, bringing empathy and a systematic approach to Zazoon's team dynamics and decision-making.
  • As COO, her key focus areas include process scalability for growth, expansion into new markets (UK, Scandinavia, Middle East), and seamless integration of GRC into customers' daily operations.
  • Zazoon leverages cloud technology and automation to enhance GRC while ensuring compliance, and plans to integrate AI features like chatbots for policy analysis and regulatory monitoring to further support clients.

GRC’s relevance for modern companies

What led you to your current role as a COO in a SaaS and GRC company?

Irina Kotorova: Before transitioning to the SaaS and GRC sector, I worked in critical infrastructure, specifically in the field of hydropower engineering. There, I was involved in project management and the integration of security and compliance processes in large-scale engineering systems worldwide.

This experience gave me a clear understanding of how important it is to build sustainable, verifiable, and reliable processes in an environment with increased responsibility and strict regulatory frameworks. I joined Zazoon with the goal of strengthening operational resilience and scaling the GRC platform. Today, I am responsible for processes, strategic development, customer success, and international market expansion.

For everyone who isn't quite sure what "GRC" actually means – how would you explain what Zazoon does, and why it's important for modern businesses?

Irina Kotorova: GRC stands for Governance, Risk and Compliance. It sounds formal, but in practice it is what helps companies not only survive but also grow sustainably in today's environment.

The team and I are working to make GRC accessible, understandable and effective, especially for organisations that utilise lots of manual controls or that are still working with spreadsheets and sharepoints.

Our platform is a GRC SaaS solution that combines management of internal policies and procedures, control of compliance (e.g., with ISO 27001 or DORA), risk assessment and analysis, including third party risk, automation of control: who, when, and what needs to be done – and whether it has been done – and much more. We offer all this in a single tool. The system is flexible, modular and easy to use.

Why is this important? Because today's companies cannot afford chaos in management. There are too many regulatory requirements, risks, cyber threats, and expectations from customers and investors. It is impossible to keep track of all this in your head or in a spreadsheet. And mistakes – whether data leaks, unrecorded risks, or outdated security policies – have real consequences: fines, reputational damage, and financial losses. We help our customers create a transparent, manageable and compliant management system without overburdening them with unnecessary bureaucracy.

The challenges of “Women in SaaS” and diversity at Zazoon

You're working in a particularly male-dominated corner of the SaaS and tech industry. What first attracted you to this field – and what has made you stay?

Irina Kotorova: Yes, it's true – the technology sector, and especially software development, has historically been quite male-dominated. But that never deterred me. Quite the opposite: I see the value I can bring. In addition to a systematic approach and focus on results, I bring a touch of empathy and a female perspective to the team – something that is often overlooked in technological environments. This helps to balance decision-making, create healthier team dynamics and build partnerships based not only on logic but also on empathy.

I was also attracted by the opportunity to solve complex, systemic problems: how to build transparent management, how to reduce risks, and how to comply with requirements without stifling business with bureaucracy. I love order, structure and real results, and in GRC and SaaS, that's at the heart of everything. And perhaps another factor is internal drive. Being ‘different,’ seeing that your approach works, and at the same time paving your way in an industry where you are not expected at first … and then people start listening to you.

Were there specific moments when you strongly felt that “Women in SaaS” is still more of an exception than a norm? What advice would you give to women facing similar challenges today?

Irina Kotorova: Yes, there have been moments when I felt a little bit that “Women in SaaS” might still be perceived as an exception. Whether it’s being the only woman in a technical meeting or one of just a handful at a company event – it’s noticeable. And whilst that visibility can sometimes feel isolating, it’s also a chance to stand out and shape the environment through presence and contribution.

The underrepresentation has many causes, some structural, some cultural, but that shouldn't stop anyone from entering the field. Personally, I’ve had mostly positive experiences. I’ve been met with respect, curiosity, and support far more often than with bias.

Portrait of Irina Kotorova, COO at Zazoon

"My advice to other women is not to ‘fit in’ but to create your own space. Don't be afraid to be structured and empathetic, analytical and gentle, if that's your style."

– Irina Kotorova, COO at Zazoon

You don't have to copy a ‘masculine’ tone to be heard, and you don’t need to and – dare I say – should not compete with men. Competence, confidence, and positivity are the three pillars. And if you are underestimated, don't try to convince with words; do it with actions. Surround yourself with open-minded, upbeat, and honest people. With the right people around you, you’ll not only thrive – you’ll help redefine what “normal” looks like in this space.

Zazoon’s committed to equality and diversity. What concrete steps is the company taking to ensure these values go beyond just words?

Irina Kotorova: Our team consists of people with a wide range of cultural backgrounds and experiences, but they all have one thing in common: they are professionals in their field, and at the same time incredibly kind, respectful, open people who are always a pleasure to communicate and work with.

What do we do specifically as a team to foster equality and diversity?

  1. First, we take a careful approach to hiring. We don't have a ‘cultural filter’ in the spirit of ‘we are looking for people who are like us.’ On the contrary, we look at who is still missing from the team and how a person will complement, rather than repeat, the existing dynamics.
  2. Second, we have a flat decision-making structure. Everyone has a voice, regardless of position, age, or experience. 
  3. Thirdly, we take a flexible approach to working conditions. We take into account parental responsibilities, mental health, and personal rhythms. This is not about leniency – it is about respect for the individual.

I am convinced that equality and diversity are not just ‘nice to have’ but a strategic advantage, especially in the global SaaS model. It makes us smarter, more flexible, and more resilient.

How Irina Kotorova is shaping Zazoon’s development

As COO, which professional and strategic topics are currently top of mind for you?

Irina Kotorova: I am currently concerned with three key areas:

1. Process scalability

We are growing, and we need customer onboarding, support, quality control, and compliance to remain stable as our volume increases. I focus on automation without losing flexibility, especially in areas related to performance monitoring, service level agreements, and repetitive operations.

2. Entering new markets

We are expanding our presence beyond DACH – our current priorities are the UK, Scandinavia, and the Middle East. This requires a review of our operating models, from partnership agreements to process localisation and adaptation of compliance modules to local regulations.

3. Integrating GRC into customers' daily practices

Our goal is not just to ‘deliver the product,’ but to make it truly work for the customer. This means simple integration with their existing systems, a clear structure of responsibility and a cycle of continuous improvement based on feedback. That is why I am actively involved in both product development and UX discussions.

"All of this requires a balance between control and trust, speed and stability. For me, operational efficiency is not about control for control's sake, but about ensuring that the entire system works as a single organism and does not hinder growth."

– Irina Kotorova, COO at Zazoon

Zazoon’s development and strategy for the future

Zazoon has been around for more than 20 years now. How has the company evolved since it was founded, and how do you stay ahead of the curve?

Irina Kotorova: 20 years is rare for a technology company in the GRC sector. We have come a long way from consulting expertise in IT reputation to a full-fledged SaaS product that now works with customers across Europe.

What helped us survive and grow:

  1. We weren't afraid to rethink our approaches. Where people used to work, we introduced automation. Where templates used to be lacking, we built a flexible architecture with standardised modules. We constantly monitored changes in regulations, technologies, and the mindset of our customers themselves – and adapted faster than the big players did.
  2. We remained independent. This allowed us to stay focused on long-term product quality rather than short-term metrics. We don't build ‘presentations for investors’ – we build a living, applicable tool for real people.
  3. We have always been close to our customers. This is not a marketing phrase – we personally delve into their pain points, analyse processes, and see what really works and what gets in the way. For us, being ahead is not about fashion but about relevance.

As a COO, Irina Kotorova is shaping the development of the software company Zazoon. Image: Zazoon

Which tech trends are currently most relevant for you, and how do you reconcile innovations like cloud technology, automation, and AI with strict GRC regulations?

Irina Kotorova: Given the specific nature of GRC, each of these technologies must not only be ‘new’ but also manageable, explainable, and compatible with regulatory frameworks. We work on cloud, which provides flexibility and scalability, but our architecture is designed to comply with data protection, access audit, and isolation control requirements.

We implement automation wherever it is possible to reduce routine tasks, such as auto-execution of control tasks, reminders, and reporting. This reduces the burden on users, but we always leave room for manual intervention where conscious decisions are required.

As for AI, we see it as an enhancement to expertise, not a replacement. For example, we are planning to implement an interactive AI chatbot to analyse policy texts, find a compliance gap, or summarise a document. Also, the plan is to integrate a regulatory monitoring mechanism powered by AI that would give users better compliance readiness: the tool will automatically scan regulatory websites and alert responsible users to any upcoming changes that are relevant to their organisation.

How do you approach product development and improvement at Zazoon? What matters most to you during that process?

Irina Kotorova: For me, product development is always about consistency, applicability and sustainability. I really focus on how processes work in a specific type of organisation: where the real pain points are, where there is a lack of transparency, where there is human risk.

Another important aspect is balance between flexibility and control. In GRC, you can't develop a one-size-fits-all solution. We build our product in a modular way so that each company can adapt the system to its regulatory requirements and internal roles, while maintaining the logic of control, approvals and traceability. It is important to me that each function is scalable, resistant to changes in standards and fits into the overall product strategy.

New EU directives, ESG reporting obligations, stricter data protection laws … how can companies remain agile and compliant in such a tightly regulated landscape?

Irina Kotorova: It is definitely a challenge. My answer is: only a systematic approach will work.

Companies that try to ‘patch up’ new requirements manually – with a spreadsheet, a new process, or a temporary consultant – will, sooner or later, run into chaos.

"What really works is a unified, living and centralised system with roles, checkpoints, automatic reminders, and connections between departments. This provides transparency and predictability."

– Irina Kotorova, COO at Zazoon

And, without automation, there will be no flexibility – only overload. The world is changing, and what was relevant a year ago may no longer be true today. Companies that build an adaptive management model respond more quickly to changes in legislation instead of ‘catching up’ with it.

What changing requirements do you see for GRC software in Switzerland, Germany and Europe, and how is Zazoon responding to them?

Irina Kotorova: We observe that compliance expectations across DACH and the EU are evolving from general documentation and oversight toward operationalised compliance. Regulatory requirements are becoming not only more detailed but also implementation-specific.

The clearest trend is a shift toward regulatory specificity and enforcement automation. In Germany, BaFin and IDW PS 980 emphasise systematised internal controls and real-time monitoring. The EU is pushing forward with NIS2, DORA, and CSRD, each demanding structured risk, continuity and sustainability controls. In Switzerland, FINMA is expanding requirements on IT risk and operational resilience, especially for supervised institutions.

"Another fundamental shift is the regulatory response to emerging technologies, especially AI. The EU AI Act and the new ISO/IEC 42001 standard for AI management systems are shaping how companies must assess, govern and document the use of AI across their operations. For businesses, this creates a dual imperative: adopting AI to stay competitive, while ensuring it is secure, explainable and legally compliant from day one."

– Irina Kotorova, COO at Zazoon

At Zazoon, we respond to these changes with several actions. For example, we are integrating AI into our compliance modules – not only to help clients adopt AI securely, but also to stay ahead of how regulators themselves are using it, such as BaFin’s AI-based supervision tools. This means our clients can expect earlier, more automated detection of compliance gaps.

And finally, looking ahead once more: where do you see the GRC industry going, and what’s next for Zazoon in the coming years?

Irina Kotorova: I am convinced that the GRC industry will become increasingly aligned with real business processes. We are moving away from the ‘report for the sake of reporting’ model and towards integrated, dynamic management, where risks, policies, controls and compliance are integrated into the company's daily operations.

What we can expect in the coming years:

  • Stricter regulatory requirements, especially in cybersecurity, ESG and supply chains
  • Growing demand for automation and predictive analytics 
  • A shift in focus from a ‘compliance tool’ to a platform for sustainable organisation management

For Zazoon, this is a window of opportunity. In the coming years, we will strengthen our international presence, expand our partner network and invest in AI features – but only where they make GRC more transparent and manageable.

Author
Chantal Seiter

Chantal is an editor at OMR Reviews. When she isn't hammering away at the keyboard, she goes café hopping or explores new cities, preferably both at once. Before joining OMR Reviews, the Kiel native at heart worked in creative agencies and as a freelancer. In 2022 she also completed further training as a fashion stylist.
