How Risk Cloud®️ Unites Privacy and Security Teams Using One Collaborative Platform
Security and privacy management is a team sport. Download our ebook to learn how the right strategy and tools can help you unify security and…
The Root of the Compliance vs Security Paradox
Join us for a friendly debate on why compliance is so misunderstood and the critical role it plays…
We’ve all heard the argument that compliance doesn’t equate to security. It’s rooted in the fact that security leaders must go beyond “checking the compliance box” by broadly examining the risk surface and the various bad actors and threats we encounter. Regulations and frameworks just cannot keep up. So, no, just being compliant does not make a company secure. But here is where the paradox sets in, without compliance you also cannot be secure. This paradox is created because in discussions peers, pundits and others in the community do not discuss which type of compliance they are referring to when they discuss this topic. In compliance there are actually 3 types! Two little “c” and the BIG C. Here are the 3: Regulatory Compliance - really is just another risk as it relates to the potential of being fined for being non compliance Framework Compliance - This is part of the Big C compliance. Organizations select frameworks that help guide their compliance programs And finally the BIG C. The C in GRC, the organization’s entire compliance program Chris (Cpat) Patteson, Field Risk Officer at LogicGate, and Praj Prayag-Deb, Director, Information Risk & Internal Controls at Horizon Media, debated and discussed this “paradox” of compliance vs security, the importance of the BIG C, and why without Compliance you also cannot truly be secure. Tune in for tips on finding the right balance between compliance and security in your organization.Straight From a CISO: 4 Cyber Risk Priorities in 2023
Learn how to manage cyber risk during times of economic uncertainty.
Eliminate cyber risk blind spots in the new year. LogicGate’s Field Risk Officer and Risk Wrangler, Chris Patteson, and Former CISO at Malwarebytes and DLL Group, Laura Whitt-Winyard, shared guidance for staying focused on managing cyber risk during times of economic uncertainty. You'll Learn How To: Do more with less across risk management teams Identify and prioritize risks with the largest impact Start translating cyber risk impact into financial terms Brace your team for inevitable change in 2023Horizon Media: Spinning Up a Cyber Risk Program from Square One
As a company grows, so does its responsibility for keeping its customers’ data and assets safe and secure.…
14 Quarters at the Top: Risk Cloud Named a Leader on G2 for Winter 2023
Check Out the Winter 2023 Report
For the 14th quarter in a row, LogicGate Risk Cloud has been named a Leader in the GRC Platform category on G2. Risk Cloud is a no-code risk and compliance platform that scales and adapts to your changing business needs and regulatory requirements. With solutions for every risk and compliance use case in one integrated platform, you’ll have everything you need to build, evolve, and communicate a market-leading risk strategy. Here are some highlights from the report: 99% of users rated LogicGate Risk Cloud 4 out of 5 stars. 92% of users said they’d recommend LogicGate Risk Cloud to a peer. 95% of users said they think LogicGate Risk Cloud is headed in the right direction. 98% of users were satisfied with LogicGate’s quality of support. 98% said it was easy to do business with LogicGate. Check out the full report to see why we’ve been at the top of G2’s GRC leaderboard for three and a half years running.Connect, Optimize, and Scale Your Cyber Risk Management Program
Build a Centralized View of Assets, Risks & Cyber Controls
Cyber risk management is a team sport. Everyone, from the frontline employees to the CISO, has a responsibility to protect your organization’s data and assets. So, start doing more – with less – by building a centralized and connected cyber risk management program that streamlines, automates, and provides maximum visibility across the entire organization. Get a glimpse into the power of connected cyber risk management.Streamlining GRC Controls to Optimize Cybersecurity
Find out how to take a proactive, connected approach to your cybersecurity risk management processes.
Looking to level up your cybersecurity program? LogicGate’s GRC Content & Strategy Senior Associate, Elli Sullivan, and a panel of industry experts sat down to discuss how optimizing cybersecurity risk management processes enables leaders to determine what investments best reduce risk. Check out the recording to learn how to: Simplify GRC and security operations by reducing the number of controls your organization has to deal with Develop a set of controls baselined to the internal and external requirements that your organization needs to meet And more!Enriching Third-Party Risk Processes with Targeted Risk Intelligence
Find out how to incorporate targeted risk intelligence and enrich your Third-Party Risk Management program.
Looking to level up your TPRM program? LogicGate Relationship Manager, Ashley Reece, and a panel of industry experts sat down to discuss how targeted risk intelligence and automated data feeds can enable you to recognize and respond to risk sooner, and increase operational resilience. Check out the recording to learn how to: Identify and prioritize the gaps in your security posture Link data feeds to your TPRM platform and enable real-time visibility Automatically validate information provided in risk assessments And more!Control Your Cyber Risk Posture - Tips From LogicGate's Risk Wrangler
Close out Cybersecurity Awareness Month with actionable tips from LogicGate's Risk Wrangler, Chris "Cpat" Patteson. From prioritization to…
Close out Cybersecurity Awareness Month with actionable tips from LogicGate's Risk Wrangler, Chris "Cpat" Patteson. From prioritization to vendor risk management, Cpat addresses some of the biggest problems facing cyber risk professionals on a daily basis.Take Control of Your Cyber Risk Posture
Celebrate Cybersecurity Awareness Month by better protecting your company and yourself online! Check out LogicGate's cybersecurity resource hub.
With fall in the air and October officially being Cybersecurity Awareness Month 2022 (honestly, shouldn’t it be every month?), now is the perfect time to learn how to better protect your company and yourself online. With bad actors targeting companies of all sizes and sectors, you need resilient cyber defenses to stay ahead. LogicGate’s Cybersecurity Hub is the perfect place to find helpful blogs, podcasts, and more, focused on topics like: Negotiating cyber insurance rates SEC’s proposed cybersecurity disclosure framework Optimizing your cybersecurity program And other news and ideas on how to strengthen your organization’s cyber defenses!Risk Cloud® Platform Accessibility
Building a culture of risk starts with platform accessibility.
We're committed to helping every risk owner streamline, automate, and scale their governance, risk, and compliance programs with Risk Cloud. That's why we're on a mission to achieve WCAG 2.1 AA standards in the coming months.How Risk Cloud®️ Unites Privacy and Security Teams Using One Collaborative Platform
Security and privacy management is a team sport. Download our ebook to learn how the right strategy and…
Security and privacy management is a team sport. Download our ebook to learn how the right strategy and tools can help you unify security and privacy teams and build an integrated risk and compliance program.Risk Cloud Named Leader on the G2 Grid for 13 Consecutive Quarters
The Fall 2022 G2 Grid Has Been Released
We're excited to share that for 13 consecutive quarters, Risk Cloud® has been named a leader on the G2 Grid for GRC platforms. At LogicGate, we bring all the pieces of GRC together in one collaborative platform so that your whole team can see, interact with, adapt, and build upon as necessary. With Risk Cloud, you’ll stop working in silos, and start identifying gaps in your risk programs, creating links across the enterprise, and uncovering risks you didn’t even know existed. Here are some of the key takeaways from the report: 99% of users rated Risk Cloud 4 or 5 stars 98% of reviewers said they were satisfied with the quality of support offered for Risk Cloud 98% of reviewers said it was easy to do business with LogicGate 94% of users believe Risk Cloud is headed in the right direction 92% of users said they were likely to recommend Risk Cloud Find out why we’ve been a leader for over three years by viewing the full report.Cyber Risk & Controls Compliance Solution
Prioritize cyber risk mitigation and response with Risk Cloud’s® Cyber Risk & Controls Compliance Solution.
Prioritize cyber risk mitigation and response with Risk Cloud’s® Cyber Risk & Controls Compliance Solution. Risk Cloud helps you link cyber risk to business impact, so you can add context to any risk decision by reporting what matters most to your stakeholders.How Risk Cloud's Intuitive Interface Simplifies The Change Management Experience
During a fireside chat, Edwin Ng, Associate Vice President of Cyber Security at Hyatt, talks about his team's…
During a fireside chat, Edwin Ng, Associate Vice President of Cyber Security at Hyatt, talks about his team's experience of implementing Risk Cloud. Do you want to see this "intuitive interface" for yourself? Request a demo today!Panel Discussion: GRC Trends in Banking
Learn how to navigate the regulated landscape of banking through first-hand advice and stories from senior governance, risk,…
Panelists: Laura Buckley, SVP Tech Risk & Compliance at Cadence Bank Ron Fox, Chief Compliance Officer at United Community Bank Jake VanDaalwyk, SVP, Director of ERM and Corporate Risk Strategy at Associated Bank Moderated by Patti Struble, Customer Success Manager at LogicGate, the panelists share methodologies and tactics for maturing, scaling, and automating your bank’s governance, risk, and compliance (GRC) program. Watch now to learn about: Solving for new regulatory requirements resulting from growth and expansion Risk & compliance trends in banking How they plan to integrate, automate, and mature their banks’ GRC programsHow Texas Mutual Improved Their Third-Party Risk Management Experience
In this excerpt from the GRC & Me podcast, Stephen Crouch, Senior Financial Risk Analyst at Texas Mutual…
Preparing For The Unknown: How Hyatt’s Cybersecurity Team (successfully) Navigated COVID-19
Enjoy a casual discussion between LogicGate’s CEO, Matt Kunkel, and Hyatt’s Associate Vice President of Cybersecurity, Edwin Ng,…
Enjoy a casual discussion between LogicGate’s CEO, Matt Kunkel, and Hyatt’s Associate Vice President of Cybersecurity, Edwin Ng, about successfully navigating turbulent times with the help of a holistic risk management program. Watch now to learn: How Edwin’s team at Hyatt has modernized their approach to risk management How the Cybersecurity and GRC teams at Hyatt pivoted during the rise of COVID-19 implementing new precautions and strategies How their risk management programs helped them operate quickly and effectively during a time of unprecedented change How Hyatt’s GRC strategy prepares them for future changes and obstaclesFive Board Questions That Security and Risk Leaders Must Be Prepared to Answer
Your board has questions. Now, you have the answers.
“In 2019, Gartner® conducted its security and risk survey and found that four out of every five respondents noted that risk influences decisions at the board level”. It’s no surprise that board members have questions about your company’s risk posture, but how do you anticipate what they’ll ask? Gartner report, Five Board Questions That Security and Risk Leaders Must Be Prepared to Answer, gives you: Guidance on the types of risk and security questions commonly asked Recommendations on how to prepare responses (especially when those questions may not have a clear answer) Tips on how to clear up confusion and drive the discussion Download the report now to get started. Gartner, Five Board Questions That Security and Risk Leaders Must Be Prepared to Answer, Sam Olyaei, Jeffrey Wheatman,19 July 2019 GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.Equiniti's Journey to a Connected Risk Program
Learn more about their story and how they use Risk Cloud to grow and scale as changes arise,…
[Webinar] Optimizing Controls to Mitigate Cybersecurity Risks
In this webinar with LogicGate and ITGRC you will learn how to optimize your cybersecurity program using personnel…
Speakers: Colin Whittaker & Andrew Egoroff, ProcessUnity; Dirk Schrader, Netwrix; Henry Jiang, Diligent; and Ashley Arkfeld, LogicGate. No matter how mature a cybersecurity program is, there always remains room for improvement. Digital transformation continually expands the scope of IT processes, and organizations continue to grapple with resource, staffing, and skill challenges. On this webinar, we’ll address how to augment staff expertise and resources with automation and continuous control assessments, enabling IT auditors and risk managers to work smarter and: Enhance security architecture to improve how segmentation is structured or controls are designed Use technology to automate, reduce human error, and focus your team on more strategic areas Reduce the time you need to keep up with risk assessments and meet compliance goals Optimize SOC processes and simplify risk initiatives View WebinarTeaming Up to Solve Third-Party Risk: How to Plan When You Don’t Know What You Don’t Know
Vendor risks aren’t slowing down. You shouldn’t either. Learn how to manage your third parties better.
69% of Enterprise Risk Decision-Makers Reveal that Their Third-Party Risk Program is Manual. You know that third-party relationships play a crucial role in your business’s success. Every third-party relationship you have represents increased exposure for data and privacy risks. Managing this important information manually is not a risk worth taking. This eBook will help you discover a better, more efficient way to manage third-party relationships without exposing your organization to reputational and/or operational risks. Also… Tips on how to build a robust third-party risk management (TPRM) program that connects all the dots Advice on how to make risk a team sport within your organization Insight into what an interconnected risk program looks like and how to make that your realityRisk Cloud Named Leader on the G2 Grid for 3 Consecutive Years
The G2 Grid for Summer 2022 has been released, and Risk Cloud has been named a leader once…
We're excited to share that for the third year in a row, Risk Cloud® has been named a leader on the G2 Grid for GRC platforms. At LogicGate, we bring all the pieces of GRC together in one collaborative platform so that your whole team can see, interact with, adapt, and build upon as necessary. With Risk Cloud, you’ll stop working in silos, and start identifying gaps in your risk programs, creating links across the enterprise, and uncovering risks you didn’t even know existed. Here are some of the key takeaways from the report: 99% of users rated Risk Cloud 4 or 5 stars 98% of reviewers said they were satisfied with the quality of support offered for Risk Cloud 98% of reviewers said it was easy to do business with LogicGate 94% of users believe Risk Cloud is headed in the right direction 92% of users said they were likely to recommend Risk Cloud Find out why we’ve been a leader for three years by viewing the full report.SOC 2 Compliance: Attaining Audit Maturity at Amount
Amount was preparing to spin-off from an industry-leading digital lending company. This transition brought up some challenges, but…
LogicGate Named a “Strong Performer” in the Forrester Wave™
LogicGate was named a “Strong Performer” in the Forrester Wave™: Third-Party Risk Management Platforms, Q2 2022.
The Forrester Wave™ report for third-party risk management (TPRM) platforms was just released, and we’re loving the results! LogicGate’s Risk Cloud® was named a “Strong Performer,” earning the highest possible score in the questionnaire customization, planned enhancements, and customer community criteria. (Thank you Risk Cloud users!) According to the report, “the strong roadmap prioritizes continuous monitoring, risk contextualization, and prioritization features; and the vendor has one of the most straightforward and unambiguous pricing models.” (All good news for you!) Download the report to view Risk Cloud’s grid placement and full evaluation scores.Risk Cloud Documents™
Automate your documentation and reporting processes.
Tired of wasting time formatting reports? Generate custom-branded templates and reports in PDF, Word, Powerpoint, or Excel format in just a couple of clicks with Risk Cloud Documents.Risk & Reward: Women in GRC Roundtable
Listen to an intimate roundtable discussion with four trailblazing women in the GRC space. Celebrate the impacts and…
LogicGate is honored to showcase and celebrate four amazing trailblazers who are making an impact on the GRC industry! Join Szuyin Leow, LogicGate's VP of Customer Success & Services, as she cultivates an empowering conversation with inspiring anecdotes and actionable insights. Learn more about our panelists and get inspired! WATCH NOW About Szuyin: Szuyin is the Vice President of Customer Success & Services at LogicGate. In her role, she works with LogicGate’s customers and partners to operationalize their governance, risk, and compliance objectives to deliver meaningful results and value through the LogicGate Risk Cloud platform. Prior to LogicGate, she worked as a cybersecurity GRC consultant at PwC advising clients across multiple industries on their Information Technology and IT Security programs.Risk Cloud Named a Leader on the G2 Grid for Spring 2022
LogicGate’s Risk Cloud platform has been named a leader on the G2 Grid Spring 2022 report.
We’re excited to share that for the 11th consecutive quarter (that’s almost 3 years for those of you counting!) Risk Cloud® has been named a leader on the G2 Grid report. At LogicGate®, we know shelfware is never an option. This is why we partner with our customers to provide top-tier implementation and ongoing platform support. This ensures that our customers can roll out and scale their initiatives now and in the future. Here are some of the key takeaways from the report: 99% of users rated Risk Cloud 4 or 5 stars 98% of reviewers said it was easy to do business with LogicGate 98% of reviewers said they were satisfied with the quality of support offered for Risk Cloud 94% of users believe Risk Cloud is headed in the right direction 92% of reviewers said they were likely to recommend Risk Cloud View the full G2 Grid for Spring 2022 for GRC PlatformsHow to Make Your Work Life Exponentially Easier With a Holistic GRC Program
If you want your GRC engine to run smoothly, you need to look at systems holistically. Create a…
You're probably here because "GRC as usual" isn't really working for you and you're hoping there's a better way. We get it. And you've come to the right place. When we say holistic GRC we're talking about finding a program that helps your business operate at optimum speed and efficiency. Sounds pretty nice, right? Download our holistic GRC eBook to: Discover what holistic GRC looks like in action (with real-life examples) Learn how making risk management a “team sport” is better for everyone in the company Break down silos and streamline audits by incorporating them into your GRC program Don't have time to read the eBook? Don't worry, we created an audiobook version (included in the download), too! Download NowInternal Audit: Finding Efficiencies through Analytics
Learn how the internal audit team strengthened their data analytics capabilities and automated their internal audit process to…
Fine-Tune Your Audit Process. Cancel Audit Stress.
With the Right Platform, You’ll Love Conducting Audits. (Or at Least Dread Them a Little Less.)
We’re just gonna say it. Audits get a bad rap. Yes, they can be tedious, time-consuming, and may cause you to pull out your hair and grind your teeth. But that might be because your audit platform isn’t carrying its weight. Risk Cloud® helps you automate and streamline your audit processes, breaking down silos so you have all the documents, processes, and compliance regulations you need in one place. With this holistic GRC tool, you can customize processes, generate reports in one click, and perform due diligence with precision and speed. So relax your jaw, stop yanking out your hair, and check out our infographic to see audits in a whole new light.2021: A (WILD) Year In Review
You liked it. Watched it. Or tried it out. Take a look at our year-end roundup!
2021 was another wild ride. But together, we transformed the twists and turns into some exciting headways. Catch up on the can’t-miss products, hot resources, and customer wins in our year-in-review infographic. Get a snapshot of the big moments — plus, preview what’s in store for 2022.[Webinar] GRC 101: Aligning Compliance, Security, and Business Goals
In this webinar with LogicGate and ITGRC you will learn how to incorporate governance, risk, and compliance processes…
Speakers: Speakers: Emily Affinito, LogicGate, Allan Liska, Recorded Future, Jonathan Ehret, RiskRecon, and Todd Boehler, ProcessUnity Organizations today are tasked with meeting the challenges of the current business climate, one of which is managing GRC processes which are often siloed. GRC has a wide reach and impacts many departments across an organization, but when it is done right, benefits accrue. Organizations that integrate GRC processes and technology across departments can ensure the right people get the right information at the right times; that the right objectives are established; and that the right actions and controls are put in place to address uncertainty and act with integrity. On this panel discussion webinar we will address how to align GRC Processes with your business goals, including how to: Enhance your risk posture and reduce costs Implement consistent operational processes Assess and manage risk and controls across the enterprise Track and monitor strategic GRC performance Make GRC-informed decisions related to enterprise development, procurement, and investment View WebinarRisk Cloud Named a Leader for GRC Platforms on the G2 Grid for Winter 2022
LogicGate’s Risk Cloud platform has been named a leader on the G2 Grid Winter 2022 report.
We’re excited to announce that Risk Cloud(R) has been named a leader on the G2 Grid Winter 2022 report for the TENTH consecutive quarter! That's 2 and a half years for those counting! At LogicGate, we acknowledge every organization is different, and at a unique spot on their maturity level. This is why we created Risk Cloud, the most nimble and collaborative GRC solution out there that helps customers proactively manage their GRC needs—allowing them to turn risk into a strategic advantage. Here’s some key takeaways: 99% of users rated Risk Cloud 4 or 5 stars 98% of reviewers said it was easy to do business with LogicGate 97% of reviewers said they were satisfied with the quality of support offered for Risk Cloud 94% of users believe Risk Cloud is headed in the right direction 92% of reviewers said they were likely to recommend Risk Cloud View the full G2 Grid for Winter 2022 for GRC platforms.LogicGate Recognized in the Gartner® Market Guide for the Second Consecutive Year
LogicGate is one of 13 vendors to to be named a Representative Vendor in the November 2021 Gartner®…
We're sorry, this resource is no longer available. Check out the following resources instead: How to Make Your Work Life Exponentially Easier With a Holistic GRC Program What is Third-Party Risk? The Definitive Guide to Risk Quantification We’re thrilled to share that for the second consecutive year, we have been named a Representative Vendor in the November 2021 Gartner® Market Guide for Third-Party Risk Management Solutions for Compliance! We think this is pretty cool! The report found that, “The marketplace for compliance third party risk management (TPRM) solutions remains highly fragmented, leaving companies with as many options as compromises in their search for a best-fit foundational solution.” Which we interpret as: it’s hard to find a dependable TPRM solution that’s meeting the full needs of users. As one of 13 Representative Vendors included in the Market Guide, we believe we are recognized for achieving marketing visibility and traction and representing the collaborative work management market as a whole. DISCLAIMER: Gartner, Market Guide for Third-Party Risk Management Solutions for Compliance, 13 December 2021, Nicholas Sworek, Zack Hutto GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.Risk Quantification 101: Communicate Risk in Dollars and Cents
In this webinar, LogicGate and Protiviti will explore the fundamentals of risk quantification and highlight how the practice…
Speakers: Mark Tattersall, LogicGate, George Quinlan, Protiviti View Webinar You need a way to effectively communicate risk with key stakeholders. By converting risk into a common language that everyone in the organization can speak, dollars and cents, quantification puts risk into perspective and ensures it’s taken into account from the top down. Access the webinar and watch as Mark Tattersall, VP of Product Management at LogicGate, and George Quinlan, Risk Quantification expert from Protiviti, dive into the foundation of risk quantification and its ability to transform your risk program. On this webinar, you'll explore: - The shortcomings of past risk communication practices - How risk quantification works - Tips for introducing risk at your organizationRisk Cloud Quantify™
Translate risk into financial values.
Quantify and communicate risk in the language every stakeholder understands — money. Risk Cloud Quantify™️ enhances traditional quantification techniques with Monte Carlo simulations and supports the Open FAIR™️ Model. From cyber risk to enterprise risk, we’ll help you communicate risk with clarity and confidence.Risk Cloud Exchange™
All the Applications, integrations, and guidance you need to scale and mature your governance, risk, and compliance program.
Explore how you can level-up your risk management program with Risk Cloud Exchange.The Definitive Guide to Risk Quantification
Validate decisions, see into the future, and start presenting risk in a language your organization understands—money.
Risk can be a confusing topic, summarized in heatmaps with low, medium, and high as the most accurate indicators. While valuable to GRC pros, it’s only a small piece of the puzzle. And, more importantly, it’s decidedly not speaking the same language as the rest of the organization. Risk professionals can now claim their seat at the table with risk quantification. Learn the fundamentals of risk quantification, what to look for in a solution, and how you can set your organization apart. Download Now[Webinar] Strategies to Turn Risk Into an Opportunity for Business Growth
On this panel discussion webinar we will address some of the key steps your organization can take to…
Speakers from: LogicGate, ThreatConnect, Proofpoint, MetricStream A strong proactive risk management culture enables an organization to be more nimble, adaptable, and change-ready. On this panel discussion webinar we will address some of the key steps your organization can take to strengthen your risk management culture now and fuel business growth, including how to: Ask the right questions to accurately assess the risks and put plans and controls in place to mitigate them. Drive enterprise-wide accountability to break down silos. Give your employees appropriate training to enable them to take ownership of risks and identify and manage them more effectively. Develop communications plans for when events negatively affect perception of your organization. Leverage the opportunities that align to your strategic goals. View WebinarLogicGate Named “Strong Performer” in the Forrester Wave™
LogicGate has been recognized as a “strong performer” by Forrester Research in the Forrester Wave™ for Governance, Risk,…
We’re excited to share that LogicGate has been recognized as a “Strong Performer” in the Forrester Wave™ for Governance, Risk, And Compliance Platforms, Q3 2021. This marks our first time being evaluated in the GRC wave, and follows our inclusion on the G2 Fall 2021 Grid report as a leader for GRC platforms for the 9th consecutive quarter. According to the report, “LogicGate is a user-friendly, highly configurable tool that deploys quickly and allows users to build what they need to meet changing market and business requirements.” Download the report to find out why Forrester Research named LogicGate a “strong performer” and view our platform's grid placement and evaluation scores. Get the Full ReportRisk Cloud Named a Leader for GRC Platforms on the G2 Grid for Fall 2021
LogicGate’s Risk Cloud platform has been named the top GRC platform on the G2 Grid Fall 2021 report.
At LogicGate, we know that every organization is different. Which is why we created Risk Cloud, a flexible platform that helps customers proactively manage their GRC needs—allowing them to turn risk into a strategic advantage. 99% of reviewers said it was easy to do business with LogicGate 95% of reviewers rated Customer Support, Training & Learning, and Implementation as LogicGate’s highest-rated features 94% of reviewers think Risk Cloud is headed in the right direction 99% of users rated Risk Cloud 4 or 5 stars Download the ReportLogicGate® Receives Honorable Mention in 2021 Gartner® Magic Quadrant™ for IT Vendor Risk Management Tools
Get an unbiased overview of the IT Vendor Risk Management market in 2021 Gartner® Magic Quadrant™ for IT…
Read the full Gartner® Magic Quadrant™ report to learn: A third-party, unbiased evaluation of each vendor A uniform set of evaluation criteria — so you can easily compare IT Vendor Risk Management Tools Insight into the significant movements in this growing and dynamic market Gartner®, Magic Quadrant™ for IT Vendor Risk Management Tools, Joanne Spencer, Edward Weinstein, Luke Ellery 30 August 2021 We are thrilled to receive honorable mention in this report. Risk Cloud® is a cloud-based platform with a suite of risk management Applications that transforms the way businesses approach their governance, risk, and compliance programs. By combining expansive GRC content and expertise with a progressive and flexible platform, anyone can create a holistic and evolving market leading risk program. The Gartner® document is available upon request from LogicGate®. Gartner® does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner® research publications consist of the opinions of Gartner®’s research organization and should not be construed as statements of fact. Gartner® disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. Gartner® and Magic Quadrant™ are registered trademarks of Gartner®, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.Automate Your GRC Document Generation with Risk Cloud Documents
Are you spending hours manually creating your audit reports, policy documents, or incident management memos? With Risk Cloud…
Are you spending hours manually creating your audit reports, policy documents, or incident management memos? With Risk Cloud Documents, this process can be totally automated! Use our out-of-the-box document templates or build your own fully customized templates that match your organization's brand guidelines. Risk Cloud takes your selected data from multiple workflows and instantly merges it with your template, generating a customized report in seconds! This report can be exported in file formats like PDF, Word, PowerPoint, and Excel! No more copy-and-pasting information across systems to manually create documents. Spend time doing the work and let Risk Cloud create the reports. Save time, reduce risk, and create beautiful reports with Risk Cloud Documents.Roadblocks on the Path to Operational Resilience
Use this guide to help you navigate your path to operational resilience.
The path to operational resilience is not always easy, there may be roadblocks that present themselves, but according to the 190 respondents from LogicGate’s 2021 Risk Management Survey, risk leaders agree—achieving operational resilience is a must. Download our infographic to help you navigate your path to operational resilience: Download NowRisk Cloud Named a Leader for GRC Platforms on the G2 Grid for Summer 2021
LogicGate’s Risk Cloud platform has been named the top GRC platform on the G2 Grid Summer 2021 report.
Built by GRC professionals for GRC professionals, LogicGate continues to prioritize providing customers with a platform that helps them proactively manage their GRC needs—turning risk into a strategic advantage. 99% of users rated Risk Cloud 4 or 5 stars 95% of reviewers rated Customer Support, Training & Learning, and Implementation as LogicGate’s highest-rated features 94% of reviewers think Risk Cloud is headed in the right direction 99% of reviewers said it was easy to do business with LogicGate Download the ReportLogicGate and BankProv: Migrating to Risk Cloud for the Growing organization
As BankProv's business has grown, the company needed a proactive compliance management solution with more flexibility, active monitoring,…
6 Steps to Find the Right GRC Solution for Your Organization
Use these 6 steps to help you select the right GRC solution for your organization that fits in…
There's a lot that goes into finding the right GRC solution for your organization especially when you want to make sure it works well with your existing tech stack. Download our infographic and see our six steps to help you evaluate potential solutions and determine if they are the right fit for your organization: Download NowGRC Today: Risk Renaissance
Matt Kunkel, CEO & Co-founder of LogicGate, chats with Principal GRC Architect, Dustin Owens, about the recent Risk…
[Live Demo]: Meaningful Integrations to Enhance your GRC Program
Learn how LogicGate’s Risk Cloud solution and our Open API can be utilized to ingest data from outside…
Whether it’s bringing vulnerability data from active or passive scanners and relating it to your asset inventory, or tracking and initiating IT Tickets in other ticketing systems, Risk Cloud is perfectly positioned to automate your current manual processes. You'll walk away with a knowledge of Risk Cloud's most common integrations, as well as how to go about enabling them. LogicGate will also showcase our common native integration with Slack and the Risk Cloud platform. Come learn how the power of an open rest API with LogicGate’s Risk Cloud can further enhance the standardization and modernization of your Governance, Risk, and Compliance program. View WebinarGRC & Me Podcast: Exploring Risk Cloud Exchange | Season 3, Episode 1
Risk Cloud Exchange offers a central space with an expanding library of pre-built applications, regulations and integrations.
In this episode, Amrutha outlines how Risk Cloud Exchange can be used, as well as what led LogicGate to develop it. “What we wanted to create with the Risk Cloud Exchange was a central space where you could actually dive into the realm of what's possible using our technology,” she explains. On the content side, Emily describes how LogicGate incorporates stakeholder feedback to determine RCX content library priorities. One main goal is to offer resources and best practices that help customers stay ahead of industry trends. They discuss how customers can share feedback and make requests to help shape RCX content and technical functionality. Also covered: planned changes for RCX that will help customers visualize how a solution will work for them — before going live with it. HIGHLIGHTS 💻 Risk Cloud Exchange is a place where customers can independently discover and explore the content available to help and bolster GRC programs — regardless of maturity and knowledge level. 💻 Keeping up with the ever-changing needs of partners, customers and stakeholders is essential for a GRC program. RCX is constantly evolving based on stakeholder feedback. LogicGate analyzes feedback and feature requests to determine customer needs and the RCX content roadmap. 💻 Usability is key. It is critical that the RCX interface enables customers to actually find what they are looking for when they need it. Several things are already built into RCX to help customers find the most relevant solution for their use case, and there’s more on the horizon. 💻 “LogicGate is choosing to challenge the traditional GRC technology market by offering innovation and purpose-driven content, to allow its users to achieve positive business outcomes in regards to risk and governance, security, and compliance,” Megan notes.GRC & Me Podcast: Exploring Risk Cloud Exchange
After a short break, GRC Today is back with a special episode highlighting the Season 3 premiere of…
Listen to the full episode at podcast.logicgate.comHow Uphold Uses Risk Cloud's Slack Integration for Incident Management
Uphold identified LogicGate’s Risk Cloud platform as the all-encompassing platform they needed and has been able to leverage…
[Live Demo]: The Power of Reporting Insight & Data Visualization in LogicGate’s Risk Cloud
Whether it’s staying on top of a staff analyst’s upcoming deadline or displaying concise cost-saving metrics to an…
In this webinar, we’ll provide an overview of the reporting capabilities within LogicGate’s Risk Cloud. The objective of this session is twofold. First, we will showcase the intuitive report builder which empowers teams to build their own metrics and key performance indicators from the information captured in Risk Cloud. Then, we will highlight valuable reports and dashboards that are frequently used by LogicGate customers in quarterly board meetings. Learn how to glean reporting insights through connected applications. For example, let’s say two separate teams are managing Assets and Controls in the Risk Cloud platform. By establishing a connection between Assets & Controls, this allows for consolidated reports whereby control gaps or remediation plans can be prioritized by asset criticality. Control owners can efficiently coordinate a mitigation plan with the corresponding asset owner. View WebinarLife With a Modern GRC Solution
Risk leaders know their risk management solution is vital to their organizations, but many (almost 50%) say their…
We’re not here to tell you how important risk management is to your organization. You already know that. But if your GRC solution is unreliable and requires a lot of manual work, it can hold your organization back from being proactive and agile when assessing and navigating emerging risks. Fortunately, it’s possible to revitalize your risk management processes and see new opportunities open up around you. With a modern GRC approach and a trusted risk strategy partner, your organization can become nimble in the face of new challenges. Download our infographic to see what life can be like with and without a modern GRC solution: View The InforgraphicOperational Resilience: The New Paradigm for Risk
We asked 190 risk professionals what they’re concerned about, what they’re focusing on in 2021, and how they’re…
No matter the industry, no matter the company size, no matter the location—risk leaders were forced to quickly adjust to a massively evolving landscape in 2020. Did they adapt and keep up with the new challenges being thrown at them? How did they do it? And what are they doing differently now? We asked and 190 risk professionals answered. They shared with us what they’re concerned about, what they’re focusing on in 2021, and how they’re feeling about their risk programs. Download NowGRC Today Episode 4: "Health Days" vs "Sick Days"
On this episode of GRC Today, Matt talks about "Health Days" and why the LogicGate team added them…
On this episode of GRC Today, Matt talks about "Health Days" and why the LogicGate team added them to the employee benefits package. Matt also shares a personal story about how a recent Health Day helped him come back to work more focused. Do you want to join the LogicGate team? See what positions are open right now: https://www.logicgate.com/about-us/join-the-team/G2 Spring 2021 Grid Report for Top GRC Software
LogicGate’s Risk Cloud once again topped the G2 list of best GRC platforms on the Spring 2021 report.
With a focus on offering the best platform for businesses to proactively manage their GRC needs and establish a risk-aware culture, LogicGate prioritizes providing customers with the best possible experience. 99% of reviewers said it was easy to do business with LogicGate Risk Cloud 91% of reviewers said they would recommend Risk Cloud 93% of reviewers think Risk Cloud is headed in the right direction 98% of reviewers said they were satisfied with the quality of support offered for Risk Cloud Download the ReportGRC Today Episode 3: Using Information Security to Build Trust
In episode 3 of GRC Today, Matt speaks with LogicGate's own head of Information Security about how to…
Hear from LogicGate's own head of Information Security and learn: How to build trust with your customers and teams by being proactive The best way to clearly communicate your risk posture Risk is constant, but you can keep control by measuring and ranking your risksGRC Today Episode 2: How Core Values Shape Company Culture
In this episode of GRC Today, Matt Kunkel discusses the importance of core values, how they influence the…
When you talk about a company's "culture," you're really talking about their core values. In this episode of GRC Today, Matt discusses the importance of core values, how they influence the day-to-day operations at LogicGate, and shares some tips on how you can use core values to empower your employees. This web series, hosted by LogicGate co-founder and CEO Matt Kunkel, will discuss all things related to governance, risk, and compliance, as well as feature tips and takeaways from Matt on a variety of topics including leadership, company culture, and values.GRC Today Episode 1: GRC Trends in 2021
Welcome to GRC Today! In our series premiere, see Matt's predictions for key GRC trends he expects to see…
Introducing GRC Today, our biweekly web series hosted by LogicGate CEO Matt Kunkel. In our series premiere, hear the GRC Today origin story and get Matt's predictions for key GRC trends he expects to see in 2021. This web series, hosted by LogicGate co-founder and CEO Matt Kunkel, will discuss all things related to governance, risk, and compliance, as well as feature tips and takeaways from Matt on a variety of topics including leadership, company culture, and values.[Live Demo] Accelerate your IT Controls Management with LogicGate's Power Mappings
Speaker: Annmarie Rombalski, Senior Solutions Engineer at LogicGate Formally documented IT controls are more important than ever. Without them,…
Speaker: Annmarie Rombalski, Senior Solutions Engineer at LogicGate Formally documented IT controls are more important than ever. Without them, compliance teams are overworked and scrambling to gather information for various audits, and technical resources are repeatedly interrupted for evidence and compliance requirement artifacts. In this webinar, we will discuss the various levels in the journey to formalize policies and controls organizations may find themselves in, we will explore the differing needs from a Governance, Risk and Compliance tool as a result, and we will demonstrate how the LogicGate Risk Cloud can address those needs. We will also: Outline pain points you face with levels of organizational maturity in IT Controls Management and where you may fall within this spectrum Break down the silos between your departments with LogicGate’s power mappings that easily ties together your custom controls and map them across industry requirements, internal policies, risks, and more! Reduce redundancy by executing one control evaluation that satisfies many frameworks Real-time reports and dashboards for compliance coverage Demonstrate tactics and strategies to move your organization to the next level and enhance the efficiency and effectiveness of your IT Controls Management program View Webinar[Live Demo] Create Synergies Between Internal Audit and Risk Management Teams with LogicGate’s Risk Cloud
This webinar will focus on two Risk Cloud applications: Risk Management and Internal Audit.
Speaker: Sam Pranckus, Solutions Engineer at LogicGate In this webinar, we will focus on two of our applications - Risk Management and Internal Audit - and demonstrate how teams can share information to streamline their annual planning and ongoing assessment processes. We will discuss the benefits of collaboration between Audit and Risk teams, and the rationale behind integrating various aspects of each program. The objective of this course is to highlight areas where Audit and Risk teams can share information, which will eliminate redundancies and harmonize the 3 Lines of Defense. We will start with the fundamental building blocks of an Enterprise Risk Management (ERM) and Internal Audit programs. We will then focus on potential “connection points” to provide Internal Audit insight into ERM assessment scores and vice versa. Audit and Risk teams can leverage the relationships between various data points to make informed decisions, and influence the strategic outlook for the organization. We will also demonstrate: Risk Cloud’s Application marketplace which consists of “best practice” templates for a wide range of use cases Risk Owners ability to leverage Internal Audit testing results to mitigate Inherent Risk levels to an acceptable Residual Risk. The rationale behind this feature is that, as the Audit team conducts potentially hundreds of tests over a period of time, the results from audit fieldwork can help the Risk owner understand how well the Control environment is actually operating and factor this into their evaluations Internal Audit teams can utilize Risk assessment scores to prioritize upcoming audit activity and build a Risk-based Annual Plan Connection points between various data objects such as processes, risks, controls, policies, and Strategic Objectives - so that Internal audit coverage is aligned to critical risks that potentially prevent your organization from meeting Strategic Objectives Flexible Risk Assessment methodology to accommodate your team’s preferred methodology whether it is a standard Impact X Likelihood or more complex methodologies that factor in Velocity, Speed to Mitigate, Controls Effectiveness, etc. Prioritization of upcoming Audit Activity from an Audit Manager standpoint, the Risk Cloud’s scoring methodology dictates the audit frequency and gives management a holistic view of all auditable entities, including date of last audit and date of next planned audit View Webinar[Live Demo] Automate Your Regulatory Library, Get Granular with Obligations & Close Compliance Gaps with Risk Cloud
Keeping up with the ever-shifting regulatory tides feels increasingly impossible as regulations continue to change with more frequency,…
Speaker: Marc Van de Ven, Senior Solutions Engineer at LogicGate When you take compliance tasks off of spreadsheets and email, you can start to realize the benefits of centralization and automation. In this webinar, we’ll explore key components of any regulatory compliance program, and we’ll discuss how LogicGate’s Risk Cloud can help you prevent compliance tasks from slipping through the cracks. We’ll also discuss: The various components of a regulatory compliance program: We’ll review different components to a regulatory compliance program and how we provide a scalable platform to support you as as your organization grows & matures How to filter out regulatory white noise & define obligations to streamline compliance Add-on components: Discuss other ‘components’ that you can gradually add to your program as needed, based on when you are ready from a maturity perspective. Components can include: Compliance Risk Assessments, Regulatory Change Management & Horizon Scanning. Downstream effects: Review how to link policies & controls to get immediate insights into impacted policies and work that needs to be performed Reporting: Preview the reporting capabilities and Risk Cloud’s reporting capabilities help internal teams stay on track with internal due dates, and easily provide key compliance information to external auditors & regulators. View Webinar[Live Demo] Third Party Risk Management: Breaking down silos between your procurement and info security teams
In this webinar, we'll focus on Third Party Risk Management applications in Risk Cloud and dive into best…
We'll demonstrate how teams can streamline their vendor onboarding and ongoing due diligence assessment processes by breaking down silos between procurement and info security teams while mitigating risk. We'll also discuss the ability to leverage out of the box industry-standard questionnaires into your assessment processes, as well as the ability to digitize and automate your existing questionnaires, resulting in quicker response rates and automatic risk tiering of your vendors. View the webinar here: View Webinar2020 Year in Review
Check out LogicGate's most popular resources from 2020!
Join LogicGate in revisiting your favorite podcast, blog, success story, and more from this year, and see how Risk Cloud users transformed their risk management programs with the 2020 LogicGate Risk Cloud Year in Review Infographic. Download NowG2 Winter 2021 Grid Report for Top GRC Software
LogicGate’s Risk Cloud once again topped the G2 list of best GRC platforms, placing first on the Winter…
With a focus on offering the best platform for businesses to proactively manage their GRC needs and establish a risk-aware culture, LogicGate prioritizes providing customers with the best possible experience. 99% of reviewers said it was easy to do business with LogicGate Risk Cloud 91% of reviewers said they would recommend Risk Cloud 95% of reviewers think Risk Cloud is headed in the right direction 98% of reviewers said they were satisfied with the quality of support offered for Risk Cloud Download the ReportRegulatory Compliance: Effectively Managing Your Regulatory Obligations Register
Struggling to understand what your organization needs to comply with? Wasting too much time and resources scraping through…
Wasting too much time and resources scraping through regulations and building your obligation register? You’re not alone. Firms spend hundreds of hours mining regulations to understand what they need to comply with. They then have to repeat this process with every new change in regulation. The more products/services/regulators you have or the more regions you operate in, the more complex this becomes. Speakers: Brian Clark, Founder and CEO, Ascent ; Marc van de Ven, Senior Solutions Engineer, LogicGate Moderator: Dominick Campagna, Director, Solutions Engineering & Sales Enablement, LogicGate Description: In this webinar, we’ll walk you through regulatory compliance insights and best practices to save you time and resources. We’ll discuss why it’s more effective to start at the line level of regulation and determine your obligations from the bottom up, and we’ll walk you through how to set up a sustainable and repeatable process to do so. We’ll also walk you through the benefits of automation and how to decide on what you can and should automate. There are many different ways to look at the “compliance tech stack,” and we’ll discuss the most effective strategies. Learning Objectives: Understand the difference between “top down” and “bottom up” approach to understanding what requirements apply to you Evidencing compliance — how to evidence that you’ve been in compliance, especially during a pandemic when the labor force is spread out Rising Board concerns - how to balance budget with increasing compliance costs (how do you balance in-house staff, outsourcing, and technology?) Setting up a repeatable process around your compliance program to manage change & downstream impactAutomated Integrations for Third-Party Risk Management with ITGRC
In this webinar with LogicGate and ITGRC you will learn how to strengthen your third-party risk management process…
Speakers: Emily Affinito, LogicGate, Allan Liska, Recorded Future, Jonathan Ehret, RiskRecon, and Todd Boehler, ProcessUnity High-Profile Data Breaches have placed a spotlight on the risk of cyber security breaches with vendors and subcontractors, expanding the need to have greater rigor in third-party risk management and ongoing risk assessments. By integrating third-party risk management systems with other enterprise systems, external data sources, and analysis and reporting applications, and organization can deliver significant benefits and centralize processes into a single, automated platform that standardizes workflows and reduces manual effort. On this CPE accredited webinar our panel of experts will address how to strengthen your third-party risk management process for improved efficiency and effectiveness, and get more from your platform investment through automated integrations with a broader digital ecosystem. Attendees will learn: - How integrations with external data sources accelerate the assessment process and improve security, financial, and reputation risk reviews, - Where to connect to internal systems — ERP, GRC, CRM, Contracts, and more — throughout the third-party management lifecycle, - The pros and cons of various integration methods and how to make a best-fit choice, - How to strengthen and streamline your third-party risk management efforts.GRC & Me Podcast: Is GRC a Subset of Cybersecurity?
Is GRC a Subset of Cybersecurity, or is it the other way around? In this episode of GRC…
Now the principal and partner at Agile GRC Solutions, Scott Jordan puts it simply on this episode of GRC & Me: “I’ve seen a few things in the market.” Specifically, he’s watched as companies large and small have become more vulnerable to ransomware and other types of cyberattacks. While assessing the damage, he’s spotted a few common mistakes, which he calls “security landmines.” GRC tools like LogicGate are powerful and necessary, but they work best when the humans wielding them are doing their due diligence. That’s where Scott and his experience come in. That is if he can resist the tempting job offer from his eight-year-old daughter...LogicGate and Ziff Davis: From Legacy System to Intuitive Internal Audit
Find out why the LogicGate Risk Cloud was the right choice for Ziff Davis' Internal Audit initiatives
Fall 2020: Top Rated GRC Platforms on G2
Risk Cloud is the #1 highest rated GRC Platform on the Fall 2020 G2 Grid Report. See how…
The LogicGate Risk Cloud topped this quarters G2 list of best GRC platforms with the highest overall satisfaction ratings, and was designated as a "Leader" in the GRC software space. Risk Cloud's strong performance was bolstered by high scores across all categories: 98% of users gave Risk Cloud 4 or 5 stars 94% of users believe Risk Cloud is headed in the right direction 91% of users said they would recommend Risk Cloud 98% of users believed LogicGate has great quality of support Get the Full Report!GRC & Me Podcast: Adapt to Change with Flexible Data Models
Legacy technology’s grasp on GRC processes is slowly loosening. As LogicGate’s Director of Customer Success Szuyin Leow explains,…
A former cybersecurity consultant, Szuyin now helps LogicGate’s customers leverage the flexible data model that powers the risk cloud platform the company is recognized for. Adaptability is key across any industry, and that’s what this model specializes in, even in a climate with many unknowns. In this episode of GRC & Me with host Megan Phee, Szuyin explains that compared to rigid data models, flexible ones let organizations “slot things in where they're needed” when external changes force a shift within data structures and new requirements must be implemented. Still, the grass isn’t always greener. Too much design and customization can pose an obstacle for organizations building out their data structures, but Szuyin and her team encourage them to follow LogicGate’s best practices. Can you guess how flexible data models benefit industries outside of GRC? That’s what the LogicGate Risk Cloud IRL competition will reveal.Webinar: Executive Tips to Modernize Your Compliance Program with ITGRC
Join LogicGate, ITGRC, and a panel of experts in exploring the current compliance landscape and challenges facing today's…
Speakers: Kevin Jacobson, LogicGate; Chase Hinson, OneTrust; Todd Boehler, ProcessUnity, Jason Rohlf, Onspring Under the weight of new and changing regulations around the world, many organizations struggle to achieve compliance. They often lack a holistic view of their compliance profile and face increasing challenges due to digital transformation. Chief Compliance Officers who take a top-down approach are often met with resistance, but a successful program requires management to actively participate, not just sign off. Organizations can no longer afford to apply check-the-box approaches to compliance. Executive management must take a variety of actions to demonstrate leadership and commitment to the company’s compliance management program. On this webinar our panel of experts will discuss the current compliance landscape and challenges facing today's organizations, and they will address best practices to modernize your compliance program, including how to: - Use a risk-based approach to meet regulatory demands. - Employ digital transformation in the management of compliance obligations. - Understand the impacts of regulatory changes and minimize resource-intensive manual processes. - Get buy-in from other departments and create a working group of stakeholders to develop and improve your compliance program.GRC & Me Podcast: Return to Work with Confidence (and avoid GRC Pitfalls)
In this episode of GRC & Me, Priyam Shah discusses how the PwC x LogicGate Risk Cloud™️ relationship…
Because PwC resolves complex GRC issues across various industries, Priyam says its collaboration with LogicGate was natural to support the facilitation of the “return to work” program PwC created as a part of its pandemic response. In this episode of GRC & Me with host Megan Phee, Priyam discusses how the PwC x LogicGate Risk Cloud™️ relationship helped organizations bring their workforce back to the office by providing the necessary controls and processes. She also shares thoughts about what to consider as you discover the right tools and solutions for your programs as well as rising trends in the GRC landscape. Then Megan and Priyam discuss common pitfalls faced by companies along with different points of the GRC journey. When it comes to your governance structure, what do you think is preventing you from seeing the value you need? (Hint: Enabling all your programs at once!)LogicGate Named in 2020 Gartner Magic Quadrant for IT Vendor Risk Management Tools
Get an unbiased overview of the IT Vendor Risk Management market in Gartner’s 2020 Magic Quadrant for IT…
Read the full Gartner Magic Quadrant report to learn: A third-party, unbiased evaluation of each vendor A uniform set of evaluation criteria – so you can easily compare IT Vendor Risk Management Tools Insight into the significant movements in this growing and dynamic market Gartner, Magic Quadrant for IT Vendor Risk Management Tools, Joanne Spencer, Edward Weinstein, 24 August 2020 This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from LogicGate. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.GRC & Me Podcast: A Conversation on Risk Language
Asureti co-founder and Practice Director, Melissa Ryan, discusses the importance of language when talking about risk.
Since she’s worked with people across business operations, the multi-faceted data protection expert has seen firsthand how a common language can bridge gaps between departments, allowing for truly valuable and meaningful conversations. That technical jargon flying across your teams? It actually pulls your organization further apart. Melissa uses a risk rating matrix, for example, to better facilitate communications with clients. These tools — or points of reference like taxonomies — contribute immeasurable value when they are defined through a shared language and then used across the business. “We find that leaders who are leveraging these common definitions, these standard rating, and translation tools, and incorporating them into a GRC technology are truly finding enhanced value,” explains Melissa. Here’s the key: Make sure the underlying structure, calculations, and design of the common language of your tools and technology are consistent. Ready to learn how to connect the dots between the teams in your risk organization?Proactive Risk Management: Transform Your Risk Strategy
In this infographic we share the benefits of transforming your risk strategy from reactive to proactive, and what…
Click here to download the PDF version.GRC & Me Podcast: Agility 2020 Highlights
In this weeks episode of GRC & Me, we revisit some highlights from LogicGate's first-ever user conference, Agility…
Couldn’t make it? Tune in to this special episode of GRC & Me with host Megan Phee for highlights from the engaging conference that featured a line-up of notable hosts, including LogicGate’s all-star leadership team: CEO Matt Kunkel, VP of Product Management Mark Tattersall and CFO Kevin Jacobson. Through riveting presentations, the leaders addressed the current state of the GRC space, where it’s going and how the LogicGate Risk Cloud™ can build a new path forward. Listen as Matt discusses the importance of enterprise risk management in the emergence of the risk cloud, as Mark explains how vital customer feedback is during product development, and as Kevin shares his journey with the risk cloud to more effective vendor management. While next year’s plans develop, ponder this: What do you want to learn at LogicGate’s 2021 user conference to sufficiently strengthen your organization’s risk protocols in an evolving and post-pandemic environment?Top 4 Takeaways from Agility 2020
Whether you attended every session or didn’t attend, we wanted to share the top 4 biggest takeaways that…
Click here to download the PDF version.GRC & Me Podcast: Transformative Risk Management
In this weeks GRC & Me episode, we discuss the concept of transformative risk management.
Why? Because risk management is no longer done by standalone entities. Like herd immunity, transformative risk management introduces the idea that if one organization in the risk ecosystem is weak (or strong!), everyone else is, too. One band; one sound. Enter Jannie Wentzel, a partner and principal consultant at Cential, who authored a whitepaper about the emerging tools and technologies that are transforming risk management today. Together, Jannie and David assert that transformative risk management’s emphasis on data will provide leaders the confidence to base critical decisions and drive valuable business solutions for each participant in a risk ecosystem. With host Megan Phee, these GRC experts posture that risk leaders will soon shift their understanding of compliance-focused risk management and GRC as a whole. Could this be the Next Big Thing of risk?GRC & Me Podcast: What is The Risk Cloud™?
In this weeks GRC & Me episode we answer the question: How can The LogicGate Risk Cloud enable…
Historically, the old-school GRC software space aimed to operationalize regulatory risk and compliance and security programs in two ways: 1) Using technology platforms with rigid data models and 2) Using point solutions — that don’t integrate well with other applications — to solve specific use cases, third-party risk and more. In Matt and Jon’s opinion, that’s why The Risk Cloud™ represents a departure from what we know about GRC. In this episode of GRC & Me, tune in to hear how these visionaries have disrupted the GRC industry with The LogicGate Risk Cloud, a platform that presents a solution and has the flexibility to reimagine what risk is entirely. With host Megan Phee, they discuss The Risk Cloud’s extensibility at length, especially what it enables companies (and risk managers!) to do. After listening, ask yourself this: How can The LogicGate Risk Cloud enable effective risk operation for you?G2 Summer 2020 Grid Report for Top GRC Software
LogicGate named a top GRC Software Solutions on the G2 Grid for Summer 2020.
One of just a few GRC Solutions to be designated a market “Leader,” The LogicGate Risk Cloud's strong overall performance was bolstered by high scores across all categories: 94% of users believe LogicGate is headed in the right direction 80% of users said they would recommend Risk Cloud 98% of users believed we have great quality of supportGRC & Me Podcast: How LogicGate Uses The LogicGate Risk Cloud
A simple question — “why?” — jumpstarted Heath Anderson’s journey with governance, risk, and compliance (GRC). Today, he’s…
GRC & Me Podcast: How LogicGate Uses The LogicGate Risk Cloud
For his first-ever podcast appearance, Heath Anderson, LogicGate's Information Security Manager, joins an episode of GRC & Me…
The LogicGate Risk Cloud is essential for Heath, and not just because he was able to adjust his program to accommodate society’s new normal — it automates Control Management activities and even revealed how he and his team could improve their third party risk management return on investment (ROI) metrics. Plus, can you guess the neat hobby that gets his creative juices flowing?GRC & Me Podcast: Cyber Risk as a Business Risk
In the Season 2 premiere of GRC & Me, Megan is talking to John Mumford, Chief Risk Officer…
Agility 2020 - LogicGate's Virtual User Summit
Join LogicGate customers and other industry analysts as they host exploratory sessions about the current state of the…
Join LogicGate customers and other industry analysts as they host exploratory sessions about the current state of the GRC space, where it’s going, and how LogicGate is building a new way forward.LogicGate's Origin Story
Hear from our three co-founders (Matt Kunkel, Jon Siegler and Dan Campbell) talk about LogicGate's humble beginnings, what…
Hear from our three co-founders (Matt Kunkel, Jon Siegler and Dan Campbell) talk about LogicGate's humble beginnings, what sparked the idea of a flexible, easy-to-use GRC platform and the company's rapid growth.A Rock 'N' Roll Company Culture
LogicGate's Chief Revenue Officer, Karry Kleeman, speaks candidly about why he starts a rock band at every company…
Watch the video above to learn more about LogicGate's Chief Revenue Officer, Karry Kleeman, and the LogicGate culture as a whole!The Risk Cloud: Your Guide to the Future of GRC
We see a future where risk professionals not only predict and manage risk with confidence, but proactively turn…
In our guide, The Risk Cloud™: The Next Frontier in GRC, you’ll find out how and why businesses must evolve to a new world of risk that requires leaders to adopt governance, risk and compliance solutions that empower their teams to make better decisions, generate more revenue, and enable smarter risks. You’ll learn: How risk professionals can earn and keep the attention of the C-suite and their revenue-driving counterparts The best way to design a program agile enough to stay a step ahead of the next threat to your assets Why housing all of your risk data in one interconnected system is critical to success (yes, it’s possible!) The potential of saving hundreds of thousand of dollars by automating repetitive tasks and freeing your team up to do more strategic work How important it is that the technology you choose balances out-of-the-box capabilities with the flexibility to adapt to your business’s unique needsRisk as a Team Sport: Taking a Cross Functional Approach to Risk Management
Learn how taking a cross-functional approach to risk management will drive success for your business.
Duration: 60 minutes Panelist: LogicGate: Matt Kunkel GRC 20/20: Michael Rasmussen In this webinar we: Outline the critical risk-related business issues that different organizations face (macroeconomic, strategic, operational) Explain the importance of cross-functionality and the necessary roles/positions that play into successful risk management Present tactics organizations can use to develop standard policies, measurement methodologies and risk frameworks that can be leveraged cross-functionally, throughout the organizationPowering Through a Pandemic: How to Create an Effective Response Plan in the Midst of a Crisis
In this webinar, we’ll cover strategies and techniques executives can use to respond swiftly to a crisis, focus…
Duration: 60 minutes Panelist: Moderator: Megan Brown Templar Shield: Nic Friedman LogicGate: Szuyin Leow Description: When COVID-19 made landfall in the United States, it brought economic turmoil unlike the country has ever experienced. All of a sudden, business professionals were forced to confront the prospect of managing their companies in a less certain economic climate. In this webinar, we’ll cover strategies and techniques executives can use to respond swiftly to a crisis, focus on their mission, and helm their companies through a downturn.GRC & Me Podcast: How Does a Risk Management Company Handle the COVID-19 Pandemic?
In this special episode of GRC & Me, Megan sits down with LogicGate CEO Matt Kunkel and CMO…
G2 Spring 2020 Grid Report for Top GRC Software
LogicGate named a top GRC Software Solutions on the G2 Grid for Spring 2020.
One of just a few GRC Solutions to be designated a market “Leader,” LogicGate’s strong overall performance was bolstered by high scores across all categories: 93% of users believe LogicGate is headed in the right direction 89% of users said they would recommend LogicGate LogicGate also appeared on the Spring 2020 Momentum Grid—its second-straight appearance. LogicGate earned a Momentum score of 92%—the highest on the Grid and well above the Grid average of 53%. LogicGate outpaced the competition in other categories as well: 100% Review Growth (vs. 60% average) 91% Employee Growth (vs. 38% average) 93% Social Growth (vs. 42% average) 86% Web Growth (vs. 48% average)[Video] Incident Management with Risk Cloud
LogicGate offers one central entry point for all reported incidents. Incidents across the organization and across geographies have…
The Risk Cloud™️ offers one central entry point for all reported incidents. Incidents across the organization and across geographies have a solitary, automated process to manage reported incidents and related activities. Video Transcript: At many companies, incidents just cause confusion. When they occur, managers are left asking: Who owns it? Was it closed? What should we prioritize? What’s even going on? It’s easy to see why. Usually it’s because the incident was submitted through e-mail or some other unsystematic way, leaving managers with no easy way to view all reported incidents in one spot—let alone the assets and controls they’re linked to. All of the tracking, linking, and resolution activities simply can’t be properly captured without a solid system. Imagine these issues at scale! If managing one incident is hard, managing incidents across divisions and geographies is a nightmare. Here’s a typical scenario. A data breach gets logged The dev team just closes it out, not giving it much thought. Little did they know, the breach is tied to data privacy regulations and reporting needs. If these aren’t followed up upon, they can cause problems such as major fines down the road—all because they didn’t communicate the incident to the right people, at the right time. Don’t let this happen to your company. Before your incidents lead to more...incidents...look to LogicGate. LogicGate offers one central entry point for all reported incidents. Incidents across the organization and across geographies have a solitary process to manage reported incidents and related activities, including the ability to prioritize them by severity rating. Incidents get automatically routed to different groups for action based on what is being reported. From the platform, incidents can be linked to other processes such as regulatory reviews, policies and procedures, vendors, and audits. In one report, you can see how all your incidents are tied to all of your compliance programs. You’ll also be able to put the right process in place so your incidents are resolved according to your company’s service level agreements. Use the conditional workflow builder to route incidents to the appropriate parties, set up notifications, and meet those SLAs. Incidents can be escalated to different roles and groups. Required fields in the LogicGate form builder ensures you capture the information you need. With your process configured, resolution activities and responsible parties can be easily reported on. Productivity reporting helps you identify bottlenecks within your process, so you can allocate time, training, and resources effectively. With standardized incident metrics at your fingertips, you’ll have the vision and understanding to make the right decisions at a large scale. Stop tracking incidents in different places, with different methods, and through different people. Put an incident plan in place. Make better decisions. Look to LogicGate.Risk Cloud® Integrations
Integrate and optimize your risk and compliance program with 100s of integration capabilities insides Risk Cloud
Unlock the full power of your tech stack and gain better visibility into business risk with native and custom integrations from LogicGate Risk Cloud. We’ll help you bring all of your governance, risk, and compliance processes into one, connected ecosystem so you can save time and maximize value from your tech investments.Automating GRC To Increase Business Value with ITGRC
GRC is neither a project nor a technology, but a corporate objective for improving governance through more-effective compliance…
Speakers: Matt Kunkel, LogicGate, James Rice, Greenlight Technologies, and Allan Liska, Recorded Future To address this challenge, many businesses are opting for an automated GRC (eGRC) solution, which aims to resolve the challenges associated with scattered and disconnected operational security processes through the centralization of data, alignment of processes and workflows, and clear enterprise-level visibility with trend and analysis metrics and reporting. The benefits of Automating GRC are substantial when businesses have a mature GRC program in place. Attend this expert CPE webinar to gain insights on: Understanding the GRC Business Drivers. Defining Your GRC Strategy. Developing a GRC Roadmap that is aligned with the Mission, Value, and Strategic Agenda of Your Business. Getting Leadership Support and Enabling Cross-Departmental Collaboration.Risk Cloud® Platform Features
All the functionality you need. No coding necessary.
Risk Cloud is an agile GRC process and workflow automation platform that combines powerful functionality with an intuitive design to transform mission-critical governance, risk management, and compliance activities. The platform includes a robust array of features that help users get the most out of their GRC programs. Learn about all of the features that come packaged with Risk Cloud.G2 Winter 2020 Grid Report for Top GRC Platforms
LogicGate is the highest ranked GRC software and leader on the Winter 2020 G2 Grid Report.
One of just a few GRC Solutions to be designated a market “Leader,” LogicGate’s strong overall performance was bolstered by high scores across all categories: 96% of users rated LogicGate 4 or 5 stars 97% of users believe our product is headed in the right direction 91% of users said they would recommend LogicGate Winter 2020 also saw LogicGate make its debut on the G2 Momentum Grid. LogicGate earned a Momentum score of 92%—the highest on the Grid and well above the Grid average of 53%. LogicGate outpaced the competition in other categories as well: 100% Review Growth (vs. 60% average) 91% Employee Growth (vs. 38% average) 93% Social Growth (vs. 42% average) 86% Web Growth (vs. 48% average)GRC & Me Podcast: Emily Heath on Why The GRC World Needs An Overhaul
For our season finale, Megan welcomes Emily Heath, Chief Trust & Security Officer at DocuSign. Emily discusses exciting…
EPISODE NOTES Top 3 Quotes “Trust really is ‘security, compliance, and privacy’—it's the three-legged stool.” “The ‘compliance’ is a byproduct [of risk], ‘governance’ is the way you operate, but how you truly define ‘risk’ is where the focus is.” “Sensitive data being pushed around an organization through e-mails and spreadsheets—that kind of model is not sustainable.” Resources: Connect with Emily on LinkedIn Connect with Emily on Twitter DocuSignLogicGate's 2020 Research -ERM and the Modern Organization
What do CEOs think about enterprise risk management (ERM)? And how do they view the ERM efforts of…
In LogicGate's 2020 research report, Enterprise Risk and the Modern Organization: A View from the Top, we explore how modern ERM programs operate—from tactics and personnel to its place in the company’s broader strategy. We also dive into the shortcomings that these CEOs see in their programs—now and in the future.GRC & Me: Karry Kleeman on "The Value of SaaS in GRC"
Karry Kleeman, Chief Revenue Officer at LogicGate, has 30+ years of leadership experience in enterprise software. In this…
window.addEventListener("message", function(message){if(message.origin === "https://grcandme.com" ) { if( message.data.event) { if(message.data.event === "castedSizeUpdate") { var casted_episode_player = document.getElementById('casted-embed-' + message.data.payload.slug); if(casted_episode_player) { casted_episode_player.height = message.data.payload.height;}}}}}, false) EPISODE NOTES Top 3 Quotes "There's a number of players providing solutions, but only a small number of true winners that will emerge to set this new standard for usability and effectiveness combined with affordability." "Risk and compliance needs change so fast that the technology has to be flexible enough to keep up." "The market is wide open for a company to set the pace for the rest of the pack and for the industry." Resources: Connect with Karry on LinkedIn Connect with Karry on Twitter Transcript: Karry Kleeman: There's a number of players providing solutions, but only a small number of true winners that will emerge to set this new standard for usability and effectiveness, combined with affordability. It's really a great time to be in GRC. Host Megan Phee: Hi, I'm Megan Phee, and this is GRC & Me, where we interview industry thought leaders in governance, risk and compliance on hot topics, industry-specific challenges, trends and more. Learn about your methods, solutions and outlook in this space. My guest today is Karry Kleeman, Chief Revenue Officer at LogicGate. Karry has over 30 years of experience in global enterprise software sales, and today Karry and I talk about the value of a software as a service delivery model for GRC, what's exciting about GRC today, and we end with a discussion on how he fosters a positive culture by starting a rock band at every company he joins, whereby he assures that he won't be quitting his day job anytime soon. And now my conversation with Karry. Thank you, Karry, for joining us today on another episode of GRC & Me. KK: Thanks, Megan. Great to be here. MP: So let's start off. Will you share with the listeners a little bit more about your sales background? KK: Yeah, for sure. I started my career in sales during my college years, and my primary motivation was to defray some of the costs. That's code language for I needed money. At first I sold advertising time for a media company, and then I hit pay dirt when I joined IBM while I was still in college. I was a lead generation specialist and I also sold IBM's lower end product line, things like personal computers and PC-related products. I really enjoyed that. I found out I was pretty good at it, and it helped me get through college, get my degree, and get ready for the journey. The experience working at IBM not only set the tone for a career in sales, but it cemented the kind of job I wanted, which was a sales job with a technology company. MP: So is that background, is that what led you eventually to SpringCM, which is now DocuSign? KK: Yeah, for sure. I had a great experience prior to that with a start-up company that moved from zero in revenue to about a hundred million dollars in revenue, and went through fast growth, to IPO, to global expansion, and I got to be a part of all of those phases. And then you fast forward the tape a few more years than I care to admit to, and just prior to joining the LogicGate team here, about a year ago, I was on the executive team at Chicago based start-up called SpringCM, which is now a DocuSign company. As the Chief Revenue Officer for SpringCM, I was part of the team that led the acquisition of SpringCM by DocuSign after growing the company's revenue pretty dramatically and building a global footprint of about 675 customers and 190 employees. MP: Fantastic. Now I know you worked at SpringCM, which is now DocuSign, on that contract management, the buy-side contract management, and also vendor management. Was that your first foray into this GRC type of experience? Is that what led you to kind of be interested in moving into a company that serves as more of that GRC market? KK: We were adjacent to governance risk and compliance through this contract management and vendor management use case. It opened my eyes a little bit to the challenges and the opportunities to operationalize not only contract management and vendor management, but things that were going on around risk in doing business with third parties and procurement kinds of applications. And in fact, during the interview process here at LogicGate, I was able to talk to a couple of customers that were really, really adept in understanding the difference between coming at the buy-side contract management and procurement side of the house from a GRC perspective versus a contract management perspective. Certainly opened my eyes. MP: So Karry, you've enjoyed particular success in the software as a service space. Tell us a little bit more about the emergence of software as a service, as a business model, in your lifetime, and how you originally got involved with it. KK: Yeah, cool. Software as a service has grown rapidly. Something like 80% of all applications for businesses will be SaaS in a year or so. It's really pretty amazing when you think about it. There are some great SaaS companies to be admired and great examples to be followed. In fact, there's no shortage of ambition here at LogicGate. We believe that we will disrupt the GRC space by providing the simplest and most effective SaaS platform that can help companies undertake certain measures, because the regulations say that they should, and if the rules aren't followed, there could be fines and penalties and reputational harm. And on the positive side, good compliance just manifestly means good business. And SaaS has been able to overtake so many industries so quickly, because like the overall subscription economy that we live in, it provides a reduced time to utility or benefit, far lower costs, a pay-as-you-go model, and rapid iteration on changes, updates and improvements in the process and in the technology. MP: So Karry, why is GRC a perfect fit for a software as a service delivery model? And most importantly, what is it about that software as a service delivery model that's allowing start-ups like LogicGate to really make headway? KK: Well first of all, Megan, I think the real winners here are customers, those who are making investments in managing risk and compliance. Risk and compliance needs change so fast that the technology has to be flexible enough to keep up. People and processes change. And before companies like LogicGate, routine change orders required trained personnel and complicated adjustments, and it affects the company's ability to be innovative and responsive, makes them too slow or even unresponsive. The giants in this market didn't really grow up in a SaaS business model. They were what is referred to as an on-premise or on-prem model with kind of a late nineties code base. And those legacy GR players have done really very little to do the things in their product and in their business model to provide adaptability and an excellent customer experience. We've got an opportunity to change that here at LogicGate and in the governance risk and compliance market. MP: Great. What else would you say, Karry, is exciting about risk and compliance, or GRC, today? KK: Yeah, the market is really wide open for a company to set the pace for the rest of the pack and for the industry. It's a very fragmented competitive landscape with a few, as I said earlier, large expensive solution providers that have been widely panned by customers as rigid and too costly. So that presents really the perfect conditions for disruption, sort of the perfect storm. Customers demand a simpler user experience. They demand almost a point solution implementation curve, and a lot closer to a point solution price than a really monolithic system at a really expensive price. MP: I think you're right on. I think the market is demanding more of these GRC providers. LogicGate is fitting into a sweet spot there that is really carving out a path that hasn't been there before. Where else do you see the market going in the future? KK: I think the need for GRC is only getting stronger. There's a number of players providing solutions, but only a small number of true winners in the current sort of group of companies in our space, including LogicGate, that will emerge to set this new standard for usability and effectiveness, combined with affordability. It's really a great time to be in GRC. MP: Awesome. And finally, if you are following us on LinkedIn, you might've seen a post that Karry had, a little bit about an element that he does to instill a positive culture at every company that he goes to. And really it was an article on LinkedIn talking about how he starts a rock band, and he has started one at LogicGate. So we'd love to talk a little bit more about that. Tell us why you do this at every company you go to and what does it mean to you? KK: Yeah, thanks for asking me that question. I love this question. The short story here is why not? I like to find something fun and unique to do in the context of the work environment, and I love music and pop culture, as do so many others. And I'm really just trying to create an opportunity for my coworkers to express themselves in a different way, and to kind of bring their full selves to work. It ends up being a lot of fun to do these kinds of things. And although our band, which is called Logic and the Goats, has the ability to be pretty good, we're not going to be quitting our day jobs, I promise you. MP: Absolutely awesome. Well, thank you so much, Karry, for joining us on another episode of GRC & Me. KK: Great to be here. Thanks.Controls Mapping is Hot. It's Also Difficult.
Watch this webinar to hear from Gary Elens, Tom Cornelius, and Megan Phee Brown on how controls mapping…
Unfortunately Controls Mapping is harder than it sounds. In this webinar, we’ll take a closer look at what’s driving the interest in this new compliance frontier, and offer some recommendations for getting there yourself. You’ll hear from Tom Cornelius, Senior Partner at Compliance Forge, as well as Gary Elens, Director of Customer Success at LogicGate. Megan Phee Brown, LogicGate’s Head of Strategic Alliances, will serve as our moderator for the session. Webinar Learning Objectives Discuss an overview of controls and controls mapping Understand the drivers behind the recent interest Understand reasons why it’s harder than it sounds Discuss recommendations for how to adopt controls mapping Discuss cautionary tales and what to watch for Moderator: Megan Phee Brown, Head of Strategic Alliances, LogicGate Speakers: Tom Cornelius, Senior Partner, Compliance Forge Gary Elens, Director of Customer Success, LogicGate[Video] Compliance Management with Risk Cloud
With LogicGate's Compliance Management solution, you'll keep your team in sync, on top of tasks, and ahead of…
With The Risk Cloud™️ Compliance Management solution, you'll keep your team in sync, on top of tasks, and ahead of deadlines. Video Transcript: Compliance tasks have a funny habit of slipping through the cracks. Do the following sound like your company? Compliance duties are spread throughout your business, and come due at different times of the year Employees don’t have a central place where they can keep track of all their requirements, status updates, and owners—if they know who is responsible for them in the first place. You fear missing a compliance deadline because it will impact the business and your job Deadlines become fire drills: owners chase people through email, phone, smoke signal—whatever it takes to get their sign-off. With LogicGate, you can escape the compliance confusion spiral and your fear of missing a deadline. The platform pulls all compliance tasks into one central system. Task owners can set automatic email reminders and task notifications based on predetermined frequencies, so assigned stakeholders are kept in the loop and held accountable. All parties understand task statuses, from the time they’re generated to the time they’re completed. Within the LogicGate Reporting Suite, managers can take a step back and check on the overall status of the compliance program. Here, they’ll get the big-picture snapshot of tasks, organized by status, owner, and when they are due. From automated notifications to monthly reports, LogicGate puts you in the cockpit of your compliance program. Request a demo today.GRC & Me Podcast: Jack Tanselle on "Pursuing Sustainable and Continually Improving Programs"
On today's episode, Megan chats with Jack Tanselle. Jack is the Managing Director at Deloitte and even though…
EPISODE NOTES Top 3 Quotes "Risk assessment is not the same thing as conducting an assessment of your compliance program." "The risk assessment is not designed to be an audit of every activity your company is doing; it’s designed to scan across the breadth of what your company is doing." "The skill-set needs are changing." Resources: Connect with Jack on LinkedIn Connect with Jack on Twitter Connect with Deloitte on LinkedIn Deloitte US Deloitte UK Navigant Consulting Huron Consulting KPMG LogicGate Matt Kunkel LinkedIn Transcript: Jack Tanselle: The auditing and the monitoring, if you're doing those consistently, make it nearly impossible for your program to become stagnant, because they all provide output that show you new observations of where you can get better. Host Megan Phee: Hi, I'm Megan Phee and this is GRC and Me where we interview industry thought leaders in governance, risk and compliance on hot topics, industry specific challenges, trends and more to learn about their methods, solutions and outlook in this space. On today's episode, my guest is Jack Tanzel. Jack has spent over 15 years in consulting working previously at Eli Lilly and Company and most recently Deloitte. He helps organizations develop strategies to drive results. On today's episode with Jack, we'll discuss how he works with clients today, how you can adopt continuous improvement in your programs and this concept of RAMP. R-A-M-P, what it is and what it means for organizations. Lastly, we'll have an interesting story about Jack's hidden talent, songwriting and performing. Now, here's my conversation with Jack. MP: Thank you, Jack, for joining us today on another episode of GRC and Me. JT: Thanks for having me. MP: All right, so we want to get started and I'd love to learn a little bit about what led you to risk and compliance as a career path. JT: It was not a preplanned journey. I went to a work at Eli Lilly and Company after getting my MBA at Northwestern in the late '90s. I spent seven years in the marketing organization at Lilly, which is how I got into risk and compliances. I did a lot of marketing and strategy work for Lilly. I was hired by a large consulting firm away from Lilly in the mid-2000s with the idea of doing more marketing strategies at work, but on of the very first projects that came to me, came through our forensics practice where the question was a global manufacturer has an R&D organization that doesn't know how much it's paying its healthcare professionals annually for a variety of services that health care professionals provide manufacturers. There was no one in the group that had had any experience conducting advisory boards or any other types of services. I had just come from an experience where that was all I was doing. It was a little bit of serendipity perhaps. Nine months later, I got a call from a conference organizer asking if I would speak on what we now think of as transparency reporting and tracking and aggregate spend. I found that a little odd at the moment, but realize that I had gotten into a project that was part of an early wave of an issue for the industry and there weren't that many people that had been involved in projects prior to me getting involved in that one that had had a lot of experience helping a company through that situation. That very project is what flipped me from coming at it from the marketing and strategy angle to that of addressing risk and compliance issues for these clients. That project led to another one led to another one, and over the course of several years I ended up gaining a tremendous amount of experience helping chief compliance officers in their teams and other risk and assurance functions around a lot of things having to do with the risk that comes with interactions with healthcare professionals, sales and marketing activities, medical affairs activities and those sorts of things. MP: Thanks for sharing that. I know you're also a friend of LogicGate. You know the LogicGate founders pretty well. How did you come to cross paths with them? JT: So the LogicGate founders spent some of their time at Navigant consulting and so did I. Your CEO Matt Kunkel and I worked together pretty diligently on a couple of different projects including one that in fact I think was a precursor to him and the others getting the ideas that that formulated later that to become LogicGate. we worked together on what was to be a workflow automation around the operations of a compliance department while at Navigant together. MP: Awesome, fantastic. And so you mentioned, you know, you're helping customers in the healthcare industry, but I know you work with Life Science's clients today. You help them with the concept called RAMP. Can you describe what RAMP is and how does it benefit clients today? JT: I think RAMP is, as far as I know, exclusive to life sciences. It might even be exclusive as an acronym in the context I know it to pharmaceutical companies. Probably a decade ago, one of the large pharmaceutical companies had a corporate integrity agreement with the US government and their risk assessment program had the acronym of RAMP, risk assessment and mitigation planning, because corporate integrity agreements are one of the things that many in the compliance world, whether you're working in house or for a consultant or for a law firm, corporate integrity agreements are one of the benchmarks of the types of things you would go look for to say, "What are the leading requirements? What are the leading trends? What's the government expecting?" Along with say the the OIG work plan, other guidance documents that get published. Corporate integrity agreements are a key document, so always check the new ones that come out. Because of the prominence of this company and the prominence of corporate integrity agreements at the time and the fact that they were the first one to have the risk assessment be included in their corporate integrity agreement, the acronym of ramp generally caught on with life sciences and again, a specialty pharmaceutical companies. It's risk assessment and mitigation planning. It's designed to not only be about the risk assessment, but perhaps more importantly to be about the mitigation planning and the implementation and the idea of what more often than not becomes an annual cycle of let's assess the risk, let's identify some places to go, put some resources to mitigate those risks and let's see if we can't close the loop on that mitigation action and then have those actions perhaps serve as inputs to the next year's risk assessment, so you create sort of a virtuous cycle of activity MP: In addition to RAMP, do you recommend companies adopt continuous improvement within their compliance programs? JT: I do think RAMP is a backbone, I mean any risk assessment program, whether you call it RAMP or something else. When the OIG first came out with their guidance for manufacturers on the seven elements of an effective compliance program, risk assessment was not explicitly listed and yet it is implied and many people often refer to it as the eighth element. It is a backbone or a foundational piece of any effective and sustainable program. One of the reasons for that is if it's a scheduled activity, again, probably on an annual basis, maybe it's monthly, maybe it's quarterly, but whatever your cycle is, it creates a dynamic for your program that makes it almost impossible for your program to become stagnant, which is what you're looking for. What are the things that can keep our program from becoming stagnant? Risk assessment is one of them. Oftentimes some of the major activities that come out of the mitigation planning of RAMP are the auditing and monitoring exercises. The risk assessment is not designed to be an audit of every activity your company is doing. It's designed to scan across the breadth of what your company is doing and to repeatedly and continually assign maybe a score or some other way of weighing or ranking where do we carry the greatest risk and where do we want to put resources to dive deeper into some of those places where we either one, already know we have a control gap that needs to be fixed or two, we're not quite sure what's driving that risk. We're not quite sure how well controlled we are with that area. We need to conduct an audit, we need to do more monitoring. Those things, the auditing and the monitoring are also activities that make it nearly impossible if you're doing those consistently and you're moving around on the different activities or companies conducting make it nearly impossible for your program to become stagnant because they all provide output that show you new observations of where you can get better. And so if you're conducting good risk assessment and you're following up with audits and monitoring as well as the investigations that should naturally be happening through your hotline and other ways of people reporting potential noncompliant behavior, those are all dynamic activities. While you've got your other elements around policies and procedures, training and communication that shouldn't be stagnant either, they have a much greater chance of growing stagnant if you're not conducting these other activities that have a chance to point out specific places for improvement. I would really hang on the idea that the RAMP program or whatever your company might call it, as well as the auditing and monitoring. The typically comes with it are the real critical dynamic pieces that keep a program getting better and better all the time. MP: All right, thanks Jack. Are there any other examples of types of things companies could use or do to pursue continuous improvement? JT: One other that comes to mind is the idea of assessing the compliance program as a whole. The previous examples we were talking about with risk assessment and auditing and monitoring, those are day to day activities that the compliance program, the compliance department should be conducting every day. Those activities can organically help you understand where the program can get better. But every so many years, two, three, four years, it is worthwhile to have someone else take a look at your program and come in and maybe give an assessment as well as conducting your own surveys with people in your organization, whether it's from the outside or from other people outside your department, getting other people to provide input to you on where the program is or isn't working. It's not part of the natural day to day elements. Risk assessment is not the same thing as conducting an assessment of your compliance program. All of those things can contribute to keeping your program dynamic, identifying risks or areas for improvement. When you add it all up collectively and done routinely, they contribute to a sustainable and effective program as much as anything. MP: All right, Jack, how do you see things changing in risk and compliance in the near future and then also in the medium to longterm future? JT: I think the leveraging of technology and automation to drive more efficient work and better decision making is already happening, but I think it will continue to gain a momentum within the life sciences world. I know within ... While I don't work in financial services or some other industries, I know that in the banking world and other financial services companies, leveraging analytics has become a critical part of reducing risk and mitigating against risk. I think that pharmaceutical and life sciences companies are working through individual use cases where they've identified an opportunity to automate a workflow, whether that's an inline business workflow or a workflow to help monitor something or to create better use of data that's already available to them to improve their analytics. What I see on a routine basis is many companies have their own distinct use case or two where they've leveraged or found an opportunity to further modernize their program. I think that's going to continue in an individual use case by use case example for many of these companies. What I think is still to come is for companies to realize the holistic possibilities of strategic automation or modernization of not only the compliance department but all of the assurance functions that share both common workflow as well as use of the same data. For instance, an internal audit function conducts audits. A compliance function conducts audits. A litigation department may also conduct investigations, but that have the same steps in their workflow as the internal audit and the compliance department. There are workflows out there, and I know there are workflows in the LogicGate tool, that feed that concept. And so instead of functionally thinking about your budget as a compliance department or an internal audit department or litigation department, the company as a whole, realizing we have common workflow here, that one platform can help us. There's an of scale through that spend that these three functions as an example could benefit from that spend versus just one function. The same is true with analyzing how much money is being spent on certain healthcare professionals. Those types of questions are applicable to not only the three functions I just mentioned, but to many in the business who want to do that. And so I think life sciences companies are working through a natural maturation cycle, if you will. We're still in the early days of figuring out how one use case can lead to a second use case can eventually get us to a strategic vision of how we can apply many use cases on technology platforms that will allow for that type of flexibility. I think if you don't do that, you're going to be held accountable by government regulators and government officials who have oversight responsibility. Eventually it'll be an expectation that you've invested in technology to improve workflow for better controls in flight and to be able to find data and find certain points of risk faster and better as a natural part of running your business. MP: In working with customers, those that have been able to gain support and adapt technology to help them achieve those type of goals, what do you think they did well to get that support or what allowed them to be able to take that step forward? JT: I think, one of the things that comes to mind to that question is that we've seen a number of companies identified that the skillset needs are changing. People who have a law background or an operations background or a finance background who have all been and will continue to be positive contributors to a compliance effort, they may not have an analytics background, they may not understand the technical aspects of what it means to understand where different data sources lie and how to grab that data, how to aggregate that data and then turn that into analytical tools and understand what may come from that. I think there's a skillset and certain companies that we work with have hired people into their compliance departments who are data scientists. I know that several clients we work with have former IT professionals now working in the compliance department where instead of going to ask IT if and how we can do this, they start by having this person maybe do some things for them, again, in that individual use case perspective, create some sort of machine learning tool that allows us to go through a particular use case one of the people in the department may have identified. That's really helping move through that maturation cycle of seeing a particular use case pay off only accelerates everyone involved realizing where else can we do this. MP: We've talked a lot today about your background and the RAMP process and how you work with clients today, but we've also learned that you have another talent, which is that you are a talented singer. We'd love to learn a little bit more about the origin of that talent as well as your origin of risk and compliance. JT: Oh boy. I had no idea we were going to go here. Yes, so music was a big deal in my house as a kid. My grandmother on my mom's side loved to play the piano and sing. My mom, my aunt and uncles on that side of the family were all not shy about singing. My sister's a really good singer and older than me. She started singing in church. I thought, "Well I can get up there and do that too." I started singing at a pretty young age at our church, performed throughout middle school and high school and variety shows and musicals. Even at Northwestern, at the Kellogg school, we did a skit every year. During my second year, I helped write a few songs and perform. I wrote a song to a the Bee Gees' tragedy and turned it into strategy and was one of the Bee Gees, and we went out and made fools of ourselves, but had a really good time. Most recently in my professional life at a previous firm, we were at at an event and one Matt Kunkel and I were on the same team. We were all, each team was assigned to do something, singing to a song and create a parody. How Matt knew this, I don't know. He then turned to the rest of our team and said, "Jack will be our lead singer. We all can just stand behind them and back up." I couldn't believe it that he had outed me like that. It was Heard it Through the Grapevine. We had to come up with some way of pitching a new client on a service by changing Heard it Through the Grapevine. We had to rewrite the lyrics. MP: Right, fantastic. JT: Everybody told me when I was done that I was in the lead, because they were scoring this. The last team knew that one of the administrative assistants in the DC office had just finished performing on The Voice. They called her. They brought her over. They gave her their song as a total ringer. I had no chance at that point. When she got up there and started singing and I was like, "Oh, boy." In my little amateur world with some of these other people that tried to get up there, I might have had a chance, but when she started singing, I'm like, "Okay." MP: Oh shoot. JT: We all had a great time with it. Great lady. She was great at singing, and so we had a riot. MP: That's really funny. JT: Yeah, so thanks for that embarrassing moment. MP: Uh-huh (affirmative), no problem. JT: I appreciate you. MP: Well, you know we at LogicGate, we have an in house band called Logic and the Goats. JT: Oh wow. MP: If you ever want to make your professional comeback, you are welcome to join us. JT: I think I'd rather stay in the audience and watch them. MP: That sounds good. Well, thanks again Jack for your time today. Thanks for joining us. This is Megan Phee with another episode of GRC and Me.Assessing the Costs and Benefits of ERM: An Inquisition
Every project must be analyzed from both cost and benefit perspectives, and building a technology-enabled ERM program is…
This eBook offers clarity by prescribing not a precise method for calculations, but rather the right questions executives need to ask before embarking on the project. Download the eBook and learn how to: Articulate a strategy for your ERM program Bring the right stakeholders to the table Understand the non-monetary costs and benefits of an ERM program Sell the program to board members and executives Understand how The Risk Cloud™️ can power your long-term strategy Much more[Video] Questions to Ask Your GRC Software Provider
Are you asking the right questions of your GRC vendor? You should be demanding the features and benefits…
Are you asking the right questions of your GRC vendor? You should demand the features and benefits that will make your program and people as effective as they can be—today, and well into the future. Video Transcript: Are you asking the right questions of your GRC vendor? You should be demanding the features and benefits that will make your program and people as effective as they can be. Let’s look at some examples. With LogicGate, you can start with our industry-standard best practice templates. You can then configure them with our visual workflow builder to align with your company’s unique process, complete with custom fields and assigned user roles. But the power of LogicGate doesn’t end there. Say you start with your control audit process against SOC2 and ISO 27002 requirements. With LogicGate, these automatically map together through the Secure Controls Framework. No manual mapping required. Now let’s fast forward a few months. Let’s say you’re getting close to signing a large contract with the government. Your organization needs to meet NIST 800-53 requirements to demonstrate FISMA compliance in order to move forward with the contract. Now what? You’ll want to link that framework to SOC2 and ISO 27002 to accelerate this process. With LogicGate, you can easily add these frameworks to your program and report on your compliance coverage. It’s also no sweat to change and adjust your existing data structure over time. This means you can start with the data structure you have, and look to the future with confidence knowing you’ll be able to add to and customize your program as it evolves. The same goes every time your team needs to add in a new application. What happens when you need to find the different activities associated with each framework, such as a control evaluation, risk, exception, or policy? With most GRC vendors, you might need to work backward through ISO, SOC2, and the Secure Controls Framework just to find an item. That’s a lot of extra clicking. Why not go straight to it? With LogicGate, you can. In the LogicGate platform, you can start anywhere within your data structure and find the information that it’s linked to. For example, you can go directly to a SOC2 or ISO requirement and see every activity or asset that’s associated with it, such as a policy, exception, risk, system, internal control, or evidence you have gathered. No more endless clicking through various record hierarchies just to get to the information you need. Are you asking whether your GRC vendor can do these things? If so, are you asking how much it will cost? What about how long it will take? How easy is it to actually perform them? With LogicGate, you get a flexible platform that’s ready to grow and adapt with your program—whatever the future holds.GRC & Me Podcast: Dominic Vogel on "The Journey of Cyber Security"
Dominic Vogel, Chief Security Strategist at Cyber SC, joins Megan to discuss how small businesses can use basic…
EPISODE NOTES Top 3 Quotes “I'm a firm believer that cyber security is very much a journey.” “Do the basics and do them well—that's a strong foundation.” “Doing security from a sustainable point of view is trying to develop the right people, the right processes and technologies, which would allow for cyber resilience against whatever the threat landscape might be.” Resources: Cyber SC Connect with Dominic on LinkedIn Connect with Dominic on Twitter Cyber SC Facebook Cyber SC Twitter Cyber SC YouTube Channel Episode Transcript DOMINIC VOGEL: It's very interesting to see cybersecurity tied to a very clear business driver, which up until recently was just not the case and it's definitely seen as being a core need for why security is so important. HOST MEGAN PHEE: Hi, I'm Megan Phee and this is GRC & Me where we interview industry thought leaders in governance, risk and compliance on hot topics, industry specific challenges, trends, and more to learn about your methods, solutions and outlook in this space. Today our guest is Dominic Vogel. Dominic is a chief security strategist at cyber se and today's episode, Dominic will share advice for small to mid sized businesses on their journey to cybersecurity. We'll discuss global trends and security issues that you is in Canada and lastly we'll talk about how he leveraged his comedy to bring light to an often dry topic. All right, Dominic, thank you so much for joining us today on another episode of GRC & Me. DV: Thank you for having me, Megan. MP: Great. Well let's get started. We'd love to learn a little bit more about your background. How did you come to be in the position that you are today? DV: Yeah, I always love sharing my career narrative. Uh, I'm definitely one for oversharing. All the [inaudible] I've always wanted to be in cybersecurity and I've been very fortunate. I've only done that my entire professional career. Uh, I remember entering first year of university, I knew I wanted to do cybersecurity and I was very fortunate enough to get an entry level job when I graduated, uh, with a liberal organization as a security and men just running their McAfee endpoint suite. It was just a fantastic way to start my career. And I like to say that I, I serve my corporate time. I served about 10 years in various corporate roles, mainly in the credit union system here in Canada. My last corporate role, I was in charge of a cyber security team. And then one day I realized that I no longer enjoyed the corporate world. And I believe it was about four years ago this past summer. And when I went out on my own and formed cyber SC, which is my consulting company and something which I've just been, uh, lovingly growing over the past four years, serving the small and midsize businesses. MP: Oh, fantastic. That's a really interesting journey. You could take your experience from the corporate world and bring it now to this and SMB market. So that's great. So since you help startups and the SMBs with their cyber security, you probably see organizations wrestle with these challenges at every step of growth and maturity. So in your experience, what is the right time to incorporate cyber security into their strategic planning and how can start ups or smaller organizations lay the foundation? DV: Yeah, that's $1 million question there, Megan. It's that point. When do you start? And we've worked with organizations and stripes as small as three people. I'm a firm believer that it's never too early to start doing cyber security, right? Even if it's just a matter of using multifactor authentication for whatever systems a three person startup is leveraging. That to me is still being able to put out some foundational building blocks. So it's never too early. But when we're talking about that broader strategy in terms of what type of cyber security controls, governance or start up you're looking at, I truly believe that the sooner you do that and the earlier you do that, it'll save a ton of money and pain down the road. A favorite story of mine is actually a one of my earliest clients. They were I when I joined them, I believe they were a 20 person company. Very early on they realized that they wanted to do security well and they see what, tell us what we're not doing and tell us what we need to do and we're going to be aggressive with that because we know that down the road we want to make sure that we're in a good space when it comes to cybersecurity. So we went through the CIS top 20 security controls at the time that was very malleable for a startup and you'll go in through the different security journey with them when they became a 50 person company than a 75 person company. And then one day they were a 200 person company and the security aspects that they tackle it was very different. That's why we always say security is a journey. It very much more with the organization and it was fulfilling at the end of my time with that organization because they got so large that I said, you need an in house CIS, so, and they were shocked by that. They said, we've never had a consultant say you no longer need us. I'm a firm believer in understanding that cyber security is very much a journey and that regardless of where you are in that journey, you do need to plan for cybersecurity. It's just what it looks like is very different depending on where you are. MP: Yeah, and so for small businesses, when they're on that journey and they're just starting out, how can they remain mindful of budget concerns as they're starting to develop a cybersecurity program in your opinion? DV: For sure. I'm a firm believer in being able to at least do the basics and do them well. And then even just choosing a framework, I'm a big fan of using the the CIS top 20 critical controls and even for a, when I start off with a lot of these startups or smaller organizations rather than even fully saying on all 20 let's break that down into the most critical, the top six and that's covering items like asset management, vulnerability management, controlled administrative privileges, having a sufficient logging and monitoring. Those are all foundational building blocks and where a business and organization is able to do those basics and do them really, really well. That's that strong foundation and without that other security technologies like SIM or next generation firewall or what have you, all those tools and platforms to be truly effective, they need a very firmly rooted foundation and that's where being able to sort of break down those controls into the most critical ones tend to really resonate with small and midsize businesses. MP: I'm glad you had talked about the CIS controls. I actually just learned about this personally within the last week. I've been familiar with NIST and ISO, but I wasn't really familiar with the CIS controls set. And after I dug into this 20 core controls and learned, yeah, how it is a really great entry point to understanding, you know, where do you need to address areas within your business and then eventually you can map those to NIST or ISO or other requirements that you have. So I'm glad you mentioned that. Yeah, I think that's a great tactical and practical way for folks to begin their journey, um, into cybersecurity. So other than scale, how do you think small businesses when it comes to cybersecurity, how do you think differs from the corporate or the enterprise needs? DV: Yeah, yeah, it's definitely a different beast. I think it's both on the needs where it's different, but also with the firm, the resources are the resource restraints where it's very different as well. With a lot of these smaller midsize businesses, it varies so much in terms of what type of it team they have. Some of them will have just one it guy or girl who handles everything or there may maybe two or three people, others there'll be no internal it team whatsoever. There's fully outsource relying on an it managed service provider. So there's a lot of different wants is there in terms of who's ultimately, at least on the it side, we'll be able to help from that implementation point of view for the, for a lot of the security controls when we're talking about the needs, I definitely see that the needs, especially with the small midsize businesses being acutely tied to the uh, broader vendor risk management movement, we're seeing with larger organizations and more in the enterprise realm as we're seeing larger organizations and enterprises really clamped down on their supply chain that's really affecting the small and midsize businesses. I'm really seeing that as being one of the main motivators for doing cybersecurity well. We've had diamonds, I would say more than 50% of our clients reach out to us based on the fact that they are struggling with a lot of these vendor questionnaires or vendor risk management that the companies that they're trying to supply their tools, platform or services to, they're clamping down on them and they're not sure how to answer those questions and they don't want to lose out on these contracts. So it's very interesting to see cybersecurity being tied to a very clear business driver, which up until recently was just not the case. And I'm definitely seen as being a core need for why security is so important. MP: Yeah, I think that's a really interesting point. You mentioned this trend here on the implications on vendors and even folks having to think about the way that they manage vendor management internally and there is a lot of trends and security and compliance that are global in nature simply because business as we know has very few borders. But that being said, would you be able to share a little bit about security issues that you see in Canada and how they differ from anywhere else in the world? DV: I would say a lot of the, uh, at least from the user perspective in terms of fishing business, email compromise, there's been a huge uptick in that type of activity in Canada. The Canadian businesses, they definitely were not in the cross hairs in prior years, but I would say within the past couple of years, stuff like ransomware, business, email compromise, and these are all things which were relatively low from the [inaudible] perspective. But there's been a huge uptake. And I think one stat I read recently that can, is a in the top three in terms of countries that get hit by those types of attacks. So it's interesting to see that threat profile change so quickly. I would say the other core difference in terms of the underlying cyber risk is that there's a different privacy landscape in Canada compared to the U S I'd say the Canadian privacy landscape is rapidly changing and it's certainly closer to the GDPR in the EU. And also we're seeing that in the States as well. With California, the privacy landscape has been rapidly changing and that's very much affecting how cyber security is approached with Canadian businesses. MP: Thank you for sharing that. And you know you're kind of a self appointed chief security strategist, which I love. So what would you say are things that are top of mind for you as a chief security strategist? What keeps you up at night? DV: A lot of what keeps me up is worrying about my clients and then our clients in terms of being able to really understand that the fact that more so than at any point in my career, the threat landscape is just changing just so rapidly and trying to keep up with the threats, with the risks and what are the right technologies. Are we using the right tools or platforms? It's a very, very confusing time at this point in history for even for the most seasoned cyber security professional. It's very much that unknown piece that keeps me up. Just trying to figure out are we doing enough? It's a question which is becoming increasingly more difficult for me to answer. For me, one of the saving graces I truly believe is the advancement in a lot of these frameworks. Michael, I mentioned CIS. Another big one which I'm very eager to learn more about is fair framework, which really focuses on being able to quantify cybersecurity risk and really attach key business metrics to why cybersecurity investment is warranted. Being able to have those types of more business level discussions rather than focusing around qualitative risks or qualitative metrics. That adds a lot of comfort to the levels of discussions that we're having with our clients. So that's part of what's helping me sleep a bit better at night as well. MP: Good. That's good. Great. Well thanks for sharing that. And I know Dominic, in our conversations before, you've talked about this term sustainable security. So can you talk a little bit about what that means and how can companies attain that? DV: That's the term and I can't take full credit for it. I did see it somewhere about three years ago, but I don't remember where I saw it. So I'll take partial credit. I suppose for it, but we're very much at this point in history and what the whole notion of any endeavor it needs to be sustainable. To me, doing security from a sustainable point of view is trying to develop the right people, the right processes and technologies, very much acting in a very strong symbiotic fashion, which would allow for a greater cyber resilience against whatever the threat landscape might be. To me, unsustainable security is trying to solve the security problem or paradox I suppose by just trying to put in random technologies without any rhyme or reason and just trying to find the problem with various technologies that's not sustainable that might help you in the long run, but without a very cohesive governance and risk based approach to how you tackle cybersecurity. And like I said, laying out that from a people process and technologies point of view, that is the way to do things from a sustained fashion, not just choosing technologies haphazardly. And unfortunately we see a lot of security professionals who do that. So that to me is the difference between sustainable versus unsustainable security. MP: All right, Dominic. Well, thank you for that guidance. And lastly, as you heard in my introduction of you today, we learned that you're also a comedian, so tell us more about that. How did you get into comedy and do you ever use your comedy in the business cybersecurity world? DV: Yeah, call me is something which is, which is core to my personality and ever since I was a little kid, that's all I ever wanted it to be. Jay Leno, Dave Letterman, those were my heroes and I like to brand myself as being a no cyber comedian just because it helps with it from a dialogue perspective with non technical people, cybersecurity is a very dry subject. Even on a good day, I'm someone who's been doing this my entire career and I still have a tough time reading my way through various white papers and listening to people giving the same old boring advice. I very much tried to inject the comedy and flair in my talks when I do you have any presentations? When I'm meeting potential clients, when I'm dealing with my existing clients, that's how you end up with really engaging dialogue. I'm a firm believer in comedy and it's power to lead a systemic change. And in the field like cybersecurity, where sometimes you need to make advances in leaps and bounds, you need a very core and important fueled to to make that happen. And to me, comedy is that fuel to make incredible change happen. MP: Awesome. I love that, Dominic. Well, thank you for sharing more about your advice, how you work with customers today, and then your personal experience of leveraging comedy in the cybersecurity space. Megan, thank you again so much. This was an absolute blast. Awesome. All right. Thank you listeners for joining us on another show. Until next time, this is Megan Phee with GRC & Me.Team Select and LogicGate: Managing Change
Find out why LogicGate was just the tool Team Select Home Care needed to achieve its Compliance goals.
GRC & Me Podcast: Rafael Moscatel on the “Olympics of Privacy”
Rafael Moscatel, managing director at CAPP, joins GRC & Me to discuss how his background in law and…
EPISODE NOTES Top 3 Quotes “The more that you can show your customers that you're being a good steward with their data, the more they're likely to trust you. And from a reputational standpoint and a branding standpoint, that's always one of the best benefits and one of the reasons that consumers will choose one product or service over the other.” “And I think if you look carefully, the CCPA is quite a blessing. It helps reduce expenses and monetize the information life cycle because you have a better understanding of what's under the hood in your company.” “...you know there's not one silver bullet when it comes to preparing data for an information governance strategy, IG is essentially a multidisciplinary type of approach.” Resources: Connect with Rafael on LinkedIn Connect with Rafael on Twitter Rafael’s Website The Little Girl With the Big Voice Episode Transcript RAFAEL MOSCATEL: The more that you can show your customer that you're being a good steward with their data, the more they're likely to trust you, and from a reputational standpoint and a branding standpoint, that's always one of the best benefits and one of the reasons a consumer will choose one product or service over the other. HOST MEGAN PHEE: Hi. I'm Megan Phee and this is GRC & Me where we interview industry thought leaders in governance, risk, and compliance on hot topics, industry-specific challenges, trends, and more. Learn about your methods, solutions and outlook in this space. Our guest today is an author, privacy expert, filmmaker, and he's the managing director of Compliance and Privacy Partners, Rafael Moscatel. During our episode today we will talk about his journey within privacy roles working at organizations such as Farmers Insurance and Paramount Pictures over the last 20 years. We'll discuss this article Seven Ways to Repair Data in the Age of Privacy and Information Governance. Raphael says it best. "Content may still be King, but now the rights to some of it belong to the people." Thank you, Rafael, for joining us today on another episode of GRC & Me. RM: Thanks, Megan. Thanks for having me. MP: Of course. Let's start off. I would love to hear a little bit more about your experience. I know your background at law firms, you worked at Farmer's Insurance, you spent some time at Paramount Pictures, and now you're doing your own thing. I'd love to hear a little bit more about your experience, and as you walk through your journey of your background, you also had shared with me the other day a really interesting story about this concept of the Olympics of privacy, and I know our listeners would love to hear about that story. So would you be so kind just to share your background and then a little bit more about that Olympics of privacy event, what it was, and what it meant to you? RM: Yeah, I'd love to. I began very early on working for law firms and consulting companies, specifically in employee benefits law firms, and that was around 1996 when HIPAA first came out, which was a kind of an omnibus bill around privacy and protection of data and which had some guidance on technology as well. It was really fascinating to me and it was something that I immediately gravitated towards because I've always seen myself as a type of a liaison between technology, which is one of my passions, and law and compliance. So I settled in there for a little while, and at some point the office of the general council at Paramount Pictures heard about me and they offered me a position working at the Melrose studio doing compliance and records management and information governance for them, so I stepped in to fill in on their data classification policy, their email retention policies, and their privacy policies. It's a multinational conglomerate, so they're always going through mergers and acquisitions, and so a lot of policy work that was being done and folding in some of the sister companies into the greater governance plan for Viacom's. I worked closely with that group, and then I got this great opportunity at Farmer's Insurance where I was for the last few years before I started my own company. I began working there originally under the, I believe it was the business improvement group or the project management group, and very quickly we realized that this was something that needed to, this program that I was tasked with, needed probably to be under a compliance arm, so we quickly realigned and restructured that group under that compliance discipline. We started moving forward on a roadmap which would essentially define our information governance policy, and I stayed there for quite awhile right up until the point the California Consumer Privacy Act came into effect. Then I, something very interesting happened in my life. I was invited by a colleague of mine in Brussels to what he called the Olympics of Privacy. I thought that that was kind of a branding gimmick for the organization, and so my wife and I decided to make a trip out of it. She'd wanted to see Paris for her whole life and I said, "Well, we'll just hop over there after Brussels." But little did I know that he had kind of made that up and there was really no Olympics of Privacy. There was of course a conference, a significant conference that ended up being a really watershed moment in privacy policy worldwide, but I got on the plane and I headed out there, and as I was heading out there, I tweeted, "I'm heading to the Olympics of Privacy," assuming that that's what everybody was calling it. I sat down in the hemisphere, which is what the European Union parliament building is called. There's two different hemispheres or parliamentary bodies, I believe. You sit down there and Giovanni Brunelli, who actually just passed a couple of weeks ago, gave this stirring speech about privacy and he kind of looked out across this kind of very disciplined group of compliance people, and also Tim Cook was there, Tim Berners-Lee who invented the Internet, so to speak, and when he concluded his speech, he looked out and I almost felt like he looked directly at me and he said, "And now let the Olympics of Privacy begin." It turned out that the IDCC or the privacy commissioner's group had actually picked up my tweet when I was flying over there and circulated amongst its members, so it was kind of serendipitous that it ended up being part of the opening keynote for this 40th conference. But it was quite an event and it's something that kind of put me on the path that I am right now with my company Compliance and Privacy Partners. MP: That's fantastic. What an amazing moment that must've been, just sitting there and hearing him say that. You just mentioned it was kind of a watershed moment for those in compliance and privacy. Why do you think it was? RM: Well, the reason I say that is because the conference came about a year and a half after the GDPR law, the General Data Protection Requirement went into effect. Tim cook actually spoke at the same conference. Tim Berners-Lee was there, the King of Spain and it was essentially the launching of this very powerful law, which we see constant headlines. I think the Wall Street Journal ran an article just yesterday on privacy. It seems like it's always in the news, and this was in some ways kind of the kickoff or the message that Giovanni and the rest of the data commissioners were sending to the world, to say that we need better policy around privacy and it begins now. That really was the big event, and I think having all the commissioners from the 28-member use states and so many international people there, it really solidified this message, which is now being discussed all over the world from Asia to right here in California where they've passed a pretty comprehensive consumer privacy law. MP: Speaking of that, as a resident of California, you're ... and a privacy expert, you're familiar with CCPA, and the other day you were sharing with me, Rafael, a story about your experience interacting with the State of California and their records retention process. I think when we as consumers or at the organization level, we see and read about CCPA and we're thinking about the implications to us as professionals, as business owners, as well as consumers. It's sometimes nebulous to think about the implications to us as individuals. Would you be able to share your experience? I think it really gives context to the legislation not only as CCPA, but the statewide legislation and broader privacy legislations and why they're vital to consumers and not business detractors. RM: I mean, privacy by nature is personal and it's really served to drive home the point about information governance and data security and all of these tangential type of issues because people have personal connections with privacy. It's something that brings out areas of our lives that really hit home. When we're talking kind of about these existential issues with records or data governance, they're important, but how does it really affect me? I do have a personal connection with the State of California. I believe it's now sixth or seventh largest economy in the world, but even when I was born back in 1977, it was a very large bureaucracy. I was a late discovery adoptee, which means that I didn't learn until very late in life, until I was about 30 that I had been adopted, and it was only a testament to the discipline and best practices of the State of California and their social services department that I was able to learn about my own adoption. I had actually written a letter kind of on the fly to the State of California and I had ... didn't know where I was adopted from it, but I was living in California, so I thought I'd give it a try. I sent this note to Sacramento, I believe, and then just like that scene from Back to the Future where Doc gets the letter 150 years later after? Well, anyway, I received a manila envelope, and in this manila envelope were 30 or 40 different records collected from various different medical groups and social services groups around the time of my adoption describing everything from the condition of my mother when she gave me up to medical issues pertaining to my birth. It was just eye opening, and I thought it was so remarkable, Megan, because if but not for the best practices and privacy standards of the State of California, I would not be able to learn so much about my own history, which of course helps me now that I have children because I can pass that information on to them. But if you think about it, it's really fascinating that this file or this set of files collected sat somewhere protected for 30-odd years, and the rules in place and the policies in place were effective enough to actually produce that document all of those years later. So I really have an appreciation for records management and the handling of governance and a lot of the policies behind what makes a process like that possible and stable, and so that's kind of, that was my own personal experience with records. MP: Is that what led you to do what you do now with the consulting practice that you lead? RM: Yeah. Well, I mean, it certainly did, and I've also like many people had other experiences related to my own privacy, the privacy now of my family, but that was certainly a big event for me about 10 years ago. Again, I had worked with the HIPAA law for some time and also doing related compliance work before that, so it crystallized around the time of the 40th annual conference that I went to in Brussels and definitely was a watershed moment in my own life. MP: Thank you for sharing that. I hear about this regulation and legislation, but when you put a personal story to it, we understand why this legislation exists and why organizations need to take it seriously and need to follow the best practices to ensure secure records retention processes. RM: The California Consumer Privacy Act in some ways is really an extension of those best practices, and here you see California leading the way in developing those protocols, really recognizing very early on that consumer data is very critical. I mean, 20 years ago it was health data and that's still important, but also today and with the cybersecurity issues we have, the data breaches, the ransomware, financial information is now becoming paramount, and that financial information and consumer information is really a key to allowing criminals to exploit other avenues, and not just that, for corporations to abuse personal privacy. But when I look at the CCPA, I like to look at the opportunity of it and I think if you look carefully, the CCPA is quite a blessing. I mean, it doesn't need to be a burdensome requirement on corporations. First, it helps reduce expenses and monetize the information life cycle because you have a better understanding of what's under the hood in your company. Second, it presents opportunities for better governance to avoid those fines and also litigation exposure, and you see, especially with information governance teams coming into address CCPA or kickoff and run the CCPA projects, there's a focus kind of not just on checking the boxes on compliance, but taking another lap around the litigation exposure that you have when you don't properly manage those records and retain them properly. And then finally, as you were mentioning earlier, it's really fosters that trust and enhances the customer experience because the more that you can show your customer that you're being a good steward with their data, the more they're likely to trust you, and from a reputational standpoint and a branding standpoint, that's always one of the best benefits and one of the reasons a consumer will choose one product or service over the other. MP: Thanks, Rafael. I think that's a great point. When you look at the CCPA, what is your opinion of it? RM: We're looking at a January 1st kickoff of this law and it's going to look back 12 months. It's pretty comprehensive. I think the challenges are going to be in terms of how companies adapt to them, and I think it's very vague in terms of guidance that we have right now. If you are the type of company that is making over 25 million in revenue or meeting some of these other requirements, you're looking at a significant investment in a project to overhaul your data landscape, and so although it does seem like the law is clear cut, what's not clear for many companies is how to execute on a plan to reach compliance. I think as we go into the next year we'll get additional guidance from the attorney general on exactly what companies need to do, but you're familiar with compliance and if we look at organizations like the Department of Insurance, sometimes it takes years for this type of stuff to be worked out. It may be in some cases there's a little overkill on some of the projects, and in other areas companies may not be doing enough, so we'll really have to see what the state attorney general does in terms of the enforcement actions, and I think that that will ultimately guide companies in tweaking their existing programs. I also don't think a lot of companies have jumped on board yet and they're waiting for some enforcement to take place, so there's probably a second and a third wave of enforcement, but overall I do think it's a good comprehensive first step. I think your listeners would really be interested in seeing how this legislation took shape. It originally began as a ballot measure, and quickly the social media companies and big data companies got in because they feared that it would be a little bit too restrictive. That article I mentioned in the Wall Street Journal actually just spoke about how they're actually running ads on social media trying to tamper down the law itself now because they're concerned about its impact on business and marketing. MP: Hmm. That's interesting. I have another question for you in regards to CCPA. We've been talking a little bit more about how it applies to policy management, but you mentioned to me the other day it does have implications to vendor risk management. Can you share with the listeners why that may be? RM: Yes. It's interesting you bring that up because we're living in a cloud-based world now, so the data isn't just on premise. In many cases it's in the cloud or in a variation in the hybrid cloud, and that has serious implications for the CCPA because under the CCPA you're not just obligated to take care of and provide data from your own systems, but those that are managed for you, including software as a service and repositories like Box that are kept offsite. So from that standpoint, third party vendor risk is critical and it has to start being baked into the overall compliance process. That means you need to identify vendors and service providers that are impacted by the CCPA. If that personal data does exist with those vendors, you need to be able to perform a contractual review to validate compliance based on those requirements, and you need to document your approach to all of these contracts versus attestation, which is another approach, another avenue that certain companies are taking in making their service providers attest to certain quality control measures that they've taken for their data. But beyond that, you have to establish plans to engage those vendors for contractual changes because these laws are going to continue to get modified and change. You need to establish a controlled and timeline for the completion of attestation questionnaires, which you may provide to them. All of those processes and controls related to your third party vendors are critical again because they collect that data, so companies need to be mindful of what's outside their walls as well as what's within them. MP: We're going to switch gears because I know you recently wrote an article in a publication regarding best practices for privacy and policy management. Would you be able to share a few of those tips with us today? RM: I've been looking through this actually because the more I think about it, there's not one silver bullet when it comes to preparing data for an information governance strategy. IG is essentially a multidisciplinary type of approach where you're essentially gathering the best minds around your organization to make decisions about data that are not in a vacuum so that they'll be longstanding and support longterm strategy. But even if you check all the boxes on CCPA, Megan, it's still not going to prepare you for the overall needs that you'll still be subject to for so many of the other laws, including HIPAA and Sarbanes-Oxley and so many, so I put together a list of initiatives where you can have some quick wins. I would say definitely learn how to automate your records retention schedules. There are thousands of records subject to thousands of different statutes and regulations. It's not enough to get a cookie cutter or a templated retention schedule. Really need to look into what types of records you have and then see how best you can automate that with research that feeds into you and tells you if the laws have changed rather than periodically making those reviews, which can be quite cumbersome and expensive, especially if you're hiring outside counsel. The second tip I would mention is I call it covering your assets, but really it's getting ahold of your enterprise architecture landscape, and in many cases, companies already have a lot of these resources at their fingertips so it's a matter of getting the right people in the room, in this case, taking your retention or records management people and introducing them to your enterprise architects and your IT groups so that you can really get on the same page around retention and assets and know how to protect the paper as well as the digital information. There's a lot of great tools out there now that can be leveraged for both of these cases, especially with CCPA or GDPR. It's not enough to know where this information is. You need to know how it flows upstream and downstream in particular when you're deleting data that may have unintended consequences on some of the systems that you're working with. That's that second piece. I also would say that companies need to be careful and methodical around their legal holds because as they're destroying or cleaning up data, they could run afoul of litigation or court orders and then end up with an adverse inference ruling or an accusation of spoliation, and that can of course lead to terrible reputational damage. Then there's some other tips, too. You can find them in the article. One being activating file analysis tools. Companies just don't realize they're just junking up their environments and their shared drives and their SharePoint and their Boxes and their Dropboxes with a whole lot of material that doesn't need to be there, but it's almost impossible to tackle it with a manual effort. There's amazing tools out there right now that do the file analysis for you, and while you're getting rid of the junk, you can also identify personally identifiable information or other vulnerabilities. Just kind of taken all together, it's more of a holistic way of looking at the data in your organization and making a commitment to really having a more holistic and healthy approach to the stewardship there. And then finally, the best practices piece in terms of policy. I mean, policy management is the backbone of good information keeping, record keeping, and records management. It's policy that ultimately governs and guides all the practices that our companies do in which they will ultimately be judged and regulated on. The regulators almost always go immediately to the policy to see if the company is putting its best foot forward in executing on what it says, and so I think good policy management systems are critical to that effort. MP: Thanks, Rafael. Where can the listeners read more about not only this article for data preparation and a new regulatory climate, but also, I know you have a book called Tomorrow's Jobs Today, which is advice and insights from thought leaders around a variety of things including privacy. Where could folks learn more about this? RM: Folks can come straight to my website, which is just my name, rafaelmoscatel.com. There's links to a lot of this content and my company Compliance and Privacy Partners, as well as the book, which comes out next year in probably January or February, which is a set of interviews actually with thought leaders in privacy and policy, Internet of Things, AI, and those types of subjects. If they visit that, they'll definitely be able to find all the links to the resources I mentioned. MP: Fantastic. Along with a passion for privacy and compliance, you have another interesting interest, which is filmmaking. I could be stepping out of turns here but Rafael, were you a theater kid growing up? Did you participate in front of the camera before you took an act into filmmaking? RM: I had a couple little dalliances with that prior to one film that I made a last a few years ago. My father was close with an actor many years ago. His name was Michael Landon, and so I ended up being a child actor for a very, very brief time on Little House on the Prairie. After that, some years later when I learned about all of this adoption, I discovered that my biological parents were entertainers. The only problem was with that was my grandmother never received an obituary, and so I felt very strongly that she should have some type of honor or memorial. So my wife and I set out to make a film about her. At the time I was working for Paramount Pictures, and the VP of intellectual property there told me I had to proceed very carefully because there was so much copyrighted material, it would be difficult to make a story about our life. RM: So he connected me with Stanford's Internet Society and I received a grant from them to do all of the legal and fair use work, which made this film possible, which I made, which was called The Little Girl with the Big Voice. It's the story of a radio star from the 1930s and '40s who kind of hit it really big and then drifted into obscurity as the years went on and kind of exactly how that happened. That was my foray into that, and I ... it was kind of fun because I got to use my knowledge of archives and records management to kind of support the film. MP: Where could the listeners check it out? RM: It'll be on iTunes likely this Christmas as well as YouTube, Vimeo, and probably in a hotel room somewhere. MP: Well, fantastic. Rafael Moscatel, thank you so much for joining us today on GRC & Me. RM: It was a pleasure, Megan. Thank you for having me. MP: And thank you all for listening today. If you're interested in learning more about how LogicGate can operationalize your GRC and privacy program, visit our site at logicgate.com. And until next time, this is Megan Phee with GRC & Me.G2 Fall 2019 Grid Report for Top GRC Platforms
LogicGate is the highest ranked GRC software and leader on the Fall G2 Grid Report.
100% of users rated LogicGate 4 or 5 stars 100% of users believe our product is headed in the right direction 99% of users were satisfied with the quality of support #1 in speed to value with a 8-month ROI—the fastest on the grid 93% of users said they would recommend LogicGateGRC & Me Podcast: Bryan Graf on Cybersecurity as a Positive Business Driver
Bryan Graf, Senior VP at Abacode, joins GRC & Me to discuss cybersecurity. With more than 12 years…
EPISODE NOTES Top 3 Quotes “Ultimately, you wouldn't go through any of these assessments unless it's driving business.” “You don't want to be more secure just so you can be more secure, it's got to be a part of your overall business plan.” “You have to start looking at this as a positive business driver instead of something that is just a line item that costs money at the end of the year.” Resources: Connect with Bryan on LinkedIn Abacode Cybersecurity Website Abacode Cybersecurity LinkedIn Abacode Cybersecurity Twitter Abacode Cybersecurity Facebook Tampa Bay Dalmatian Rescue Show Transcript BRYAN GRAF: Everyone understands that there's security risks and there are bad actors out there trying to get the data, but they have no idea even where to start. "Do I start with endpoint protection? Do I start with SIEM and ESOC? Do I start with a risk assessment, a penetration test?" You need all of these, but what order do you do them in? HOST MEGAN PHEE: Hi. I'm Megan Phee, and this is GRC & Me, where we interview industry thought leaders in governance, risk, and compliance on hot topics, industry-specific challenges, trends and more. Learn about your methods, solutions, and outlook in the space. We have a very special guest with us today. His name is Bryan Graff, and he's a senior vice president of Abacode Cyber Security. Welcome, Bryan. Thanks for joining us. BG: Thank you for having me, Megan. MP: All right. So today, we're going to talk all about cybersecurity. But more importantly, I want to just know more about your journey. So if we could just start off by giving us a little background about yourself. So, how did you get to where you are now? BG: I started off my career at KPMG in IT audit, helping organizations get through Sarbanes-Oxley assessments. IT audit was still relatively new at that point. It was kind of tacked on as a component of financial statement audits. And after Enron and WorldCom, the federal government put more regulations on publicly traded companies that not only required them to shore up their financial statements and assure that those numbers were correct, but also that the systems that information was hosted on also had security mechanisms to make sure that overall the financial statements were correct. So from that organizations, then quickly realized that, "Well, a lot of my data is not on my systems, it's on a third-party system." So audits had to be completed on third-party systems so that publicly traded organizations could then sign off saying that my data is secure, whether it's on my system or not. So from that, SAS 70s were born out, which were control assessments over organizations that are third-parties with access to financial data. That expanded into nonfinancial data, which is where SOC 1 and SOC 2 came from. So for nine years, I spent my time doing assessments and then managing and building divisions to do assessments for SOC 1, HIPAA, ISO 27001, PCI. Our firm grew into pretty much every type of third-party assessment you could do. After those nine years, we started to realize... or I started to realize that these companies that were requesting these audits were not ready for these audits. They were being requested to go through these assessments by their customers, but they would get the list of requirements and they were nowhere near ready. So I kind of switched from doing the assessments, I say, "Going the prosecution to the defense," and I helped the organizations get through that audit and put in their GRC programs. Now, I was just doing policy and procedure, and I was documentation and compliance. I was approached by Abacode a little over a year ago because they had kind of the same roadmap where they wanted GRC as a component or really driving all of their services. So I took my knowledge of GRC and helped them build packages so that an organization going through a SOC 2 or an ISO 27001 for the first time, that has very little in terms of security and compliance maturity, instead of having to pick 10 or 11 different security services that they may need to pass an audit, now they're just purchasing SOC 2 readiness assistance, ISO 271 readiness assistance. So that's how I landed here at Abacode, basically infusing security into GRC because that's the driving force of organizations implementing security services. MP: Yeah. Great. As you've seen client security needs evolving over time and over the last few years, what trends are you witnessing today in regards to cybersecurity? BG: Well, the attacks are getting more and more sophisticated. It's no longer just a 15-year-old in the basement trying to hack into your system just to see if they can. These are state-sponsored organizations. These are large criminal organizations that use a variety of techniques to get into your systems, steal your data, and get credentials to your systems. So now, we see coordinated attacks where an office will be broken into, a laptop will be stolen, a phishing campaign will begin. All this is coordinated. It's not just one person doing this. So if the attack is on multiple fronts, you have to have a robust security and compliance program in place that already has some mechanisms in, already can predict, and prevent, and detect cybersecurity attacks. MP: Great. Bryan, in working together, I've heard you talk to your clients about different compliance standards from that GRC perspective. So, how can a company understand and identify which standards apply to its own situation? BG: The easiest way to determine is what are your customers asking for? So your customers will bring you requests for, "I need you to have a SOC 2 assessment." Or, "I need you to be ISO 27001 compliant." If you've never heard of those before, and there's a pretty easy way to determine what standards apply to you. If you have a publicly-facing web application and you are hosting customer data, if you bring in, if you transfer, or process, or store customer data, you more than likely need a SOC 2. If you are going to be doing business in Europe or anywhere outside of the U.S., basically, at some point, an enterprise customer's going to ask you for ISO 27001. If you are dealing with healthcare data in any way, more than likely you are under HIPAA regulation. If you store, process, or transmit credit card data, you are subject to PCI. So it really depends on the industry you're in, the data that you process, store, and transmit, and whether you are acting as a third party for another organization. If you're B2B, you're more than likely under a lot more regulation than B2C. If you are a government vendor, you're probably under even more regulatory compliance requirements, but it really depends on the industry you're in and the data that you're dealing with. MP: Mm-hmm (affirmative). Working here at LogicGate, I often hear customers want to comply with FedRAMP and we hear that often, whether they're seeking to be FedRAMP approved. Could you share with our listeners kind of the Reader's Digest version of what is FedRAMP? What does it mean for organizations? That would be great. BG: Sure. So FedRAMP is a program started by the federal government to streamline the process of approving a service for a federal agency to use, an internet service or a web application. So if you were a government agency and you want to use a payroll application, well you can't just sign up for any payroll application. That data needs to be protected in accordance with FISMA. So if you are using a third party or if you're a federal agency and you're using a private business application, you have to ensure that that application has the same safeguards as your internal government systems and networks. So FedRAMP was a way for an organization to go through an assessment at one time and then they could sell their services to any federal agency. So prior to that, if you had a payroll service and you got approved by the EPA, you would have to go through a separate process to get approved by the FBI or whatever other agency there was. So that made things almost impossible for anything other than the largest enterprise organizations because it's a very intense process to get approved by federal agency to sell your services, especially if you're housing their data. So FedRAMP was an attempt to streamline that. I would say by streamline, I'm doing air quotes right now. It still is by far the most intense, arduous assessment process there is out there. If you think you want to go through FedRAMP, you are probably not ready for FedRAMP. FedRAMP requires intimate knowledge of NIST 800-53 of the FedRAMP and process, the agency procurement process. It's not like any other assessment out there. Most audits are just a test. A proctor comes to your office, and they asked you questions. They ask for evidence. You pass, you get your report. FedRAMP is not like that. There are multiple stages. You need an agency sponsor. If you do not have a sponsor, you have to go through what's called the PMO route, meaning the FedRAMP PMO office itself and a trio of agencies will review your security package and make sure that it complies with all FedRAMP standards before you are given what's called an authority to operate, meaning that you are now allowed to sell to federal agencies. It's usually an 18-month process, and I've seen articles stating that the average cost by the time the organization has done is usually about $1.5 million. So I've joked several times that I talk companies out of FedRAMP as much as I talk companies into FedRAMP. Because it is a substantial investment and if you don't already have an agency sponsor on the other side waiting to buy your service, you're taking a very large gamble by going through this process. So I would definitely do your research, talk to 3PAOs. A 3POA is a third-party assessor organization that has been approved by the FedRAMP program to do the assessments. I started one of the first FedRAMP 3PAOs over at Schellman back in 2015, but you really want to make sure that, A, you have the business and you have the internal commitment from management and the budget to go through FedRAMP. Because it's going to fundamentally transform the way you do business. MP: Well, that was great. I was just going to ask you before they go down this journey, what should customers be doing internally before they seek outside counsel? So you mentioned make sure that the budget's allocated, stakeholder involvement, anything else that you think that folks should do to get their house in order before they go down this journey? BG: Well, if you've never been through any type of assessment before, you definitely don't want FedRAMP to be your first type of assessment. If you're required to undergo FedRAMP by an agency that you're already servicing, more than likely you're under some other sort of B2B compliance requirement, be it SOC 2 for some of your other customers. So I would at least look other avenues in terms of, "What can we do in terms of compliance to drive business before undergoing FedRAMP?" Because it's basically like skipping kindergarten, high school, college, and going straight to surgery medical boards. It is the absolute hardest test you could possibly take. So you probably want some practice first, and there's probably other things you can do first. Because ultimately, you wouldn't go through any of these assessments unless it's driving business. Security is a great driver for compliance, but really you don't want to be more secure just so you can be more secure. It's got to be a part of your overall business plan. This has to be a positive driver and FedRAMP can be that, but you have to be in the right position for that to be the case. You already have to have relationships with the program managers over in these federal agencies. Have you talked to them? Are they willing to sign a letter? Are they willing to officially sponsor you? Are they willing to sign an agreement or even a purchase order with the stipulation that you will undergo FedRAMP in the next few years? There are ways around... not around, but there are ways to navigate the assessment process to do it in an intelligent manner. You have to engage the agency. You have to understand why you are doing this and whether it's worth it. MP: Great. So how do you help in your role today at Abacode? How do you help customers navigate this? So once they've identified the standards that they need to implement or they understand FedRAMP is a journey that they need or want to take within their organization, how do you help them with that? Do you help them in the beginning to do that research, or where would you say you are value for customers in the market is today? BG: Well, we would want to do a pre-assessment first, and make sure that you have even the lowest baseline of security mechanisms in place, and that it's possible for you to put in the additional mechanisms to make sure that you comply with the NIST 800-53 control requirements to pass FedRAMP. So that initial pre-assessment is vital because you don't want to start down this path and realize, "Oh, I can't put in this patch, or I can't implement this encryption protocol because of the way my system is built." So either you build a completely different system or you just wasted that last three months before you got to that control that now you cannot implement. I do want to say that FedRAMP, it is a baseline of controls. That means you do not need every single control in the moderate baseline in place. You do have to document why a certain control isn't in place. Maybe it's not applicable to specific system or your service. Maybe you have a compensated control. So just because you can't do something NIST 800-53 is telling you to doesn't mean you can't go through FedRAMP, but if you hit three, or four, or five of those, then you have to start taking a step back and thinking, "Okay, do I want to completely overhaul my infrastructure or is this maybe something I maybe shouldn't be doing at this point?" So that pre-assessment is the first step. You definitely need someone who has gone through this process before. I'm going to keep harping on it, but it's not just implementing security mechanisms, and policies, and procedures. It's a complete process. It's a procurement process. It is a relationship process between the agency and between the FedRAMP PMO. There's a lot of back and forth. Government agencies can throw you curveballs. To have someone that's been through that process before is completely vital. You will hit speed bumps, and you will find yourself in very uncomfortable situations. And then you'll be so deep into the process, it'll be hard for you to turn around if you don't have somebody that's been through this process several times before. There aren't very many of them because there's only been a few, maybe 200 and something organizations that have even gone through FedRAMP. So the number of personnel that have successfully seen an organization through this process is still a very low. MP: Yeah. You hear it often, but I think those numbers kind of bring it home to think, "Is this important now in the journey of a customer's experience or in a company's organization's experience?" I love that you mentioned, Bryan, don't go at it alone. So make sure that you have a plan in place, you have resources to support you, resources who have done it before. So thank you for sharing that with us. We talked through what a company should be mindful of in regards to cybersecurity at trends and evolutions over time. We've talked through compliance standards, ways to identify what's applicable for your business, and then we talked a little bit about that journey of FedRAMP, and what to be aware of before you go down that path, and how to successfully navigate the waters. So, Bryan, anything else that you'd like to share with our listeners today in regards to GRC best practices or cybersecurity trends? BG: I would definitely look at GRC as a part of the way you do business instead of something you tack on at the end because somebody asked you to or because it's a part of the audit. Once you start to understand the GRC process, it definitely helps in terms of implementing IT security and IT operations. As you grow as a business, these decisions become harder and harder and they multiply exponentially in terms of, "Okay, now you have to expand. Are you going to the cloud, or are you staying on-prem? Are you virtualizing? Which SIEM service are you going to use? What endpoint protection are you going to use?" All of these questions, they're going to pop up whether you have a program to handle them or not. If you are just dealing with them as they come along, you're definitely going to make mistakes and implement security mechanisms that don't work with your other security mechanisms. And you're just trying to keep your system going at that point. To have management commitment to that, "Okay, we're going to sit down at the executive level every quarter or every six months and say, 'Okay, where are we at? Where are our biggest security and operational risks? Where do we need to focus our attention?'" That's always the start of a proactive and effective GRC program, which eventually will affect your business in a positive way because your customers will eventually be asking for this way if they haven't already. If it's already there, then that's a market differentiator. You have to start looking at this as a positive business driver instead of something that is just a line item that just cost money at the end of the year. If you do it that way, then yeah, that's all it's going to be. But if you use it to your advantage... Your competitors are still struggling with this. So if you're the first one to stop struggling with it, you look a lot better than them. MP: Great. Thank you, Bryan. So thank you so much for your time with us today. I have one last question. We know that you are a cybersecurity expert. You're a GRC guru. You've been a really great tactical resource on the call today with our listeners or on the podcast today. But we also know you're an avid dog lover, so we'd love to talk a little bit about your work with dogs. I know from working with you, you foster dogs from time to time, but tell us a little bit about that. Like, what led you to have that passion, and how do you work with dogs today? BG: Sure. So I work with an organization called the Dalmatian Rescue of Tampa Bay. I don't know why it's called that. It's not specific to Dalmatians at all. But we take in dogs from high kill shelters and place them with foster homes basically just to get them out of the shelters, to give them time to get adopted. So there is an epidemic in a few different states to where there just aren't enough, especially in rural areas, there are just more animals than there are shelters and kennels. So we have a lot of volunteers that will drive and fly dogs from Georgia and from other states all the way down to Florida. We have a network of basically foster homes that we place dogs in. So I'm just a foster parent, so I just take dog every month or so. I have the easiest job. My volunteering is basically I let a dog crash on my couch for a few weeks. MP: That's great. BG: So the organization is great. They put the dogs up on the adoption websites like Petfinder and Adopt a Pet. It's been great. I think I've had my 11th dog fostered and adopted about a month ago. I'll be getting another one, probably the next three weeks, trying to figure out my travel schedule so that that works out. If you are interested in it, I had a few reservations when I was first starting. I was like, "Well, what's going to happen if the dog never gets adopted or if I get attached?" It's easier than you think. I think I got to say it's probably the easiest community to serve as you could possibly do. MP: You're providing a whole nother level of security. Right? BG: Right. Yes. MP: Yeah. Fantastic. Well, Bryan, thank you so much for your time today. Keep up the great work on the cybersecurity and GRC front, and thanks for your work with dogs.[Video] Controls Management with Risk Cloud
LogicGate’s software provides full visibility of your controls in one responsive toolkit.
The Risk Cloud™️ platform provides full visibility of your controls in one responsive toolkit. Video Transcript: Do your company’s risks, controls, and control assessments live in one place? Or do you have to search for them every time you need them? Does it vacuum up valuable time and energy that could be better spent elsewhere? LogicGate’s Controls Management Solution gives your Risk and Control Owners a break from the disorganized mess of spreadsheets, email, and documents. With LogicGate, they’ll be working from one central hub, where they’ll work from industry standard control frameworks or your internally developed control sets. They won’t have to leave LogicGate to manage control activities. Your team will monitor controls assessments, gather evidence, and much more, right in the platform. They’ll seamlessly collaborate and share information, such as tracking findings or triggering automatic emails when an assessment is kicked off. When the right people are notified of updates in the moment, they’ll always be working with the correct, most current information. No more emailing back-and-forth or duplicating work. Since the entire program lives in one place, owners can easily monitor assessment performance over time. They’ll be able to measure control effectiveness and find deficiencies in order to make sure the right work is being done on schedule. If control gaps are found, they can initiate corrective action workflows to ensure steps are taken to address the deficiencies. Your tasks, questionnaires, and reminder notifications, all customized to match your unique process and keep owners accountable. It’s time to take control over your controls. Request a demo today.GRC & Me Podcast: Donata Kalnenaite Talks CCPA
In today's episode, Donata Kalnenaite joins GRC & Me to share her expertise concerning the California Consumer Privacy…
EPISODE NOTES Top 3 Takeaways Consumers are demanding transparency. As a company, you need to be clear about what's happening with their personal information. You need a full understanding of who you’re sharing information with. You don't want to be held liable for a vendor who misused data. Resources: Termageddon Connect with Termageddon on Twitter Connect with Termageddon on Facebook Connect with Donata on LinkedIn US Federal Privacy Law Tracker GDPR CCPA Show Transcript [Host Megan Phee] Hi, I'm Megan Phee. And this is GRC & Me, where we interview industry thought leaders in governance, risk, and compliance on hot topics, industry specific challenges, trends and more. Learn about their methods, solutions, and outlook in the space. On today's episode of GRC & Me, I have a very special guest. She's the president of Termageddon. More than that though, she's experienced corporate and data privacy attorney. Donata is a Certified Information Privacy Professional, and she has a background working with Illinois State Bar Association in customers to help them create policies to keep their business protected. So Donata has a really interesting background of why she became a lawyer. She came from an immigrant family. Her father came to the United states from Lithuania when he was in his late 20s, and she came to the US when she was 12. Her father did not speak English and he was getting married. So he asked Donata to come to a meeting with his lawyer to translate. She'd never met a lawyer before, so she asked a lot of questions about how he got into law, more about his profession, his education. She says that she wishes she could remember the name of that attorney who inspired her, but his openness to answer questions and to speak with someone so young about his profession. And it really inspired her to go to college to study law and now become a practicing attorney. So Donata, thank you so much for joining us today. [Donata Kalnenaite]: Hi Megan. Thank you so much for having me. I'm very excited to talk about this stuff today. [MP]: All right, so let's get into this. So based on your experience, we're excited to hear from you what's been going on with the regulations, whether it's GDPR to CCPA. So I'd love to begin today on a high level, what is the purpose of CCPA? [DK]: Yeah, so it kind of at least in my opinion, it has a couple of different purposes. So the main purpose would be to further Californian's right to privacy by giving them a way to control their personal information and by giving them certain rights. So the legislature found that Californians were very interested in protecting and safeguarding their privacy. That kind of goes through the rest of the country as well. But since it's Californian legislature, that's what they're focusing on. So they were interested in keeping pace with technology developments and the privacy implications of those developments and to protect Californian consumers from unauthorized disclosure of personal information and the loss of privacy. So one of the things that I thought was very interesting with the CCPA is that the legislators and the people who actually wrote it, named the Cambridge Analytica scandal. And that's kind of really what I think spurred all of these legislative changes right now, not just in California, but in other states as well, is the whole Cambridge Analytica thing. [MP]: And regards to CCPA, do you know how long the bill had been in the works and who or what was behind its support? [DK]: Yeah, so it really wasn't in the works for very long, right? When you think about GDPR and some of the other laws, they were in the works for years to come to an agreement, but California kind of did it a little bit differently. So in 2018, there was a real estate developer who spearheaded an effort to include a new privacy law, the Consumer Right to Privacy Act of 2018 and it was added on the November 2018 valid because there were so many people that were interested in it. So Californian legislature, they didn't really like the Consumer Right to Privacy Act of 2018 there's a lot of rights that consumers got with that Act. It was very ... Some people would say that it was very unfriendly to businesses. So basically what they did is they negotiated past the CCPA instead it exchange for an agreement to drop the Consumer Right to Privacy Act from the ballot. So it really wasn't on the ballot for long, it passed on June 28th so it was in the works for approximately three weeks. [MP]: Wow. [DK]: Yeah. Now those three weeks there's a lot going on, and they had to draft the whole thing and everything like that. And some people are arguing that because it was such a short amount of time, the law itself is a little bit confusing. So there's drafting errors, there's spelling errors, those things that are not clarified is very broad. And it's unclear whether or not the legislature actually intended it to be that way, or whether or not those were drafting errors that were caused by the short timeline of this bill. So a lot of the people who support this bill are obviously privacy activists, consumers, there are some legislatures. So Ed Chow, who's a member of the California State Assembly and Robert Hertzberg, who's a state senator were the main legislatures behind the law. [MP]: That is really interesting, and you mentioned it because it was drafted in a broad context. So I think some folks, whether it's businesses or consumers, their question is, who does this apply to? So could you just share, to whom do you think the CCPA regulations apply to? [DK]: Yeah, so it applies for any for-profit legal entities, so like LLC, corporation, partnership that collects consumers' personal information, that does business in California and then needs one of three different kind of factors. So if they have a no gross revenue above $25 million, if they annually by receiver share the personal information of 50,000 or more consumers, households or devices, or if they derive 50% or more of their annual revenues from selling the personal information of consumers and consumers are defined as California residents. So it seems like it would apply mostly to really large businesses or businesses that deal in a lot of data on a frequent basis or businesses that sell personal information. [MP]: And so you mentioned the consumers are defined as California residents. So how does the CCPA affect those consumers today? [DK]: Yeah, so the CCPA provides certain rights to consumers or California residents. The rights are knowing what personal information is being collected about them. To having proper and clear disclosures in like privacy policies and things like that, know whether that personal information is sold or disclosed, and to who California consumers have the right to say no to the sale of their personal information. They have the right to access their personal information and then they also have the right to equal service and price, even if they exercise their privacy rights. So you can't discriminate against somebody because they asked you not to sell their information. [MP]: Okay. Yeah. So it sounds really similar to GDPR legislation and the requirements there. So what would you say are the fundamental differences between CCPA from GDPR? [DK]: So the laws are ... They're pretty similar. GDPR was created to protect the fundamental rights and freedoms of people and the right to the protection of personal data, which is very similar to CCPA, but the GDPR was also created to provide a single set of rules that apply to every country in the EU to reduce confusion over different regulations. And that's obviously not the case in the United states or what the CCPA kind of follows just Californians and it doesn't prescribe a larger set of rules for the whole country. But there's a couple other larger differences in that. So the CCPA has a limitation on how it applies to you in terms of revenue or sale of personal data or collection of personal data. GDPR is a lot broader in application than the CCPA. GDPR also does not include a specific right to opt out as sale of personal data and CCPA does. But under GDPR you could probably get a similar fact by exercising other rights such as the right to restrict processing. GDPR also includes the right to have your data transferred to another data processor as CCPA only requires businesses to provide access to their data. I think that's actually a very interesting concept because I've been reading a lot about people saying if you have the right to data portability, that would mean that you could actually leave services that abuse your rights. So you could take all the data that Facebook has on you and you could have them transferred onto another social networking platform and then you could have Facebook delete that data that they had on you and you could effectively easily move to another service which I think is interesting. [MP]: Yeah, that really is. [DK]: Yeah. And the CCPA does not include a right to correct data that is incorrect and GDPR does have that. CCPA does not include the right to restrict processing except for the sale of data, and GDPR does include such a right. So I think what the CCPA, it's kind of a lot more narrow in terms of what you can prohibit a business from doing with your data. CCPA does not have the right to object to automated decision making and GDPR does have that. And then the approach to calculating fines and penalties are different between the two laws. So the CCPA is a lot more clear cut about exactly what penalty applies in what context. And GDPR is a lot more broad, there's a lot more room for decision making in terms of what kind of a fine should apply to this business. [MP]: And now when it comes to penalty provisions, what types of penalty provisions would you say the CCPA holds today? [DK]: Penalties under CCPA are $2,500 per violation and 7,500 per intentional violation. So it's kind of interesting that there is a set number that's applied to the loss of your data or to the misuse of your data. Now the CCPA also provides a private right of action for anyone whose data has been breached as a result of poor security practices. But it does not have a private right of action for just data abuses, which is also a very hot topic right now to talk about private right of action. And some states have proposed laws that have a private right of action, but a lot of business interests are fighting against that. So it'd be interesting to see if a law does pass with a private right of action and then what enforcement of that looks like and how quickly data privacy lawyers or corporate lawyers kind of start suing under that. [MP]: So what do you think in practicality, what would be the top three to five things a company might want to do today to ensure compliance? [DK]: One of the most important things, and maybe we won't count this as one of the three, is to actually start thinking about this stuff. So the law goes into effect January 1st, but enforcement starts on July 1st, 2020. And that seems like a very far away kind of, but it really isn't preparation should be started now because it does take a long time to do all of this. But I think the first thing people should do is make sure they're providing clear and adequate disclosures as to what information they collect, who they share that information with, and what they do with that information. So transparency is very important to consumers right now and you want to make sure that you're clear about what's happening to personal information because if you're not clear, then there's room for interpretation and people can misunderstand, and then get upset about things that are happening that you might have disclosed but not disclosed as clearly. Or if you don't have any kind of privacy policy or any kind of communication about what you do with private information that can actually lead to sales slow downs and things like that and people will not actually purchasing products or services from you because they see that you don't really care about that. And there's something that they do actually really care about now, which is a huge shift. And I think you should make sure that you have a full and complete understanding of who you share information with. So you have to disclose who you share information with. So you do have to make sure that you're not sharing information with somebody who is using that information questionably or has had a track record of privacy violations. So understanding the practices of each vendor that you use, compiling risk assessments and making sure that your contracts adequately cover those risks is something that I would say would be extremely important because you don't want to be held liable for a vendor who misuse data because if you didn't vet them properly, if you didn't do the right risk assessments, or continuously to them that's something that can fall back on you. And then also preparing for data subject requests. So make sure that your IT infrastructure is set up correctly so that you're able to access the full amount of data provided to you by a person and then you can easily provide that person with access to their data. There's something that GDPR covers as well, and I know that some companies that dry runs before the effective date of GDPR, so basically someone in your team at a random date, random time sends you like a fake data subject request and your team has to respond to that subject request promptly and accurately and kind of during a dry run exercise to that, I think would be really helpful for businesses because they can see where they're failing, they can see which staff need more training, they can see if they need additional software that they can use and things like that. So that's something that I would definitely recommend as well. [MP]: That's great Donata, and those are really good tactical tips, I think that people could start doing now to be prepared for that. So that's great. Thanks for sharing that with our listeners. And now when I came to the EU regulators to really impose GDPR, we'll say punishment, it took a while. So do you think it'll take the same amount of time for US regulators and the CCPA for action to be applied? Do you think action will be swifter for their punishment or their fines to be affecting the companies that are outside of compliance? [DK]: So it really kind of depends right on what the public opinion is at the time. I know with GDPR it took a while to actually find companies and then do all of that. But on day one of GDPR there's actually a lot of complaints filed, and you can tell that was public opinion things change, right? So if the public opinion on data abuses is what it is now, I would say that the attorney general is going to have to act swiftly in terms of bringing enforcement. So there's a lot more interest of consumers in terms of protection their data right now. So it is possible that people would be submitting requests early on, which means that infringements are going to happen early on and then the attorney general is going to have to force a law early on as well. So that kind of goes back to your previous question as well. I think companies should be ready to receive and answer data subject requests on July 1st or actually January 1st because that's when it goes into effect. So I really would say that public opinion is what it is right now, it's very against data abuses, it's very against the collection and sale of private information. So I really hope that this is not a law that's going to be sitting on a shelf and collecting dust. But considering the current data and privacy climate, I would say that, that would be unlikely that it's just going to sit there and nobody's going to enforce it for a while. I would say that enforcement is likely early on. [MP]: Yeah, that's really interesting. I would hope so too. Now do you think that the CCPA is a bellwether for broader federal regulations to come? This is just the beginning of a wave of future regulations, I know there's been talks of SB 220 and NYPA, what do you think? Is this a trend that'll be happening? [DK]: Yeah, so a lot of states are copying CCPA in their proposed laws. So there's actually, I believe it's 10 states right now that have their own proposed bills on the books that are being considered. I do think that a lot of states will go that way. I think in terms of the federal government, federal regulators, they're taking notice as well. So some of the proposed federal laws cited the need for a blanket regulation concern in privacy. They cited California passing CCPA, they've cited other states proposing their own bills or passing their own privacy laws, and they're kind of moving towards the idea that we need a general federal law that applies to all states and possibly preempts the laws of the other states as well. And there's also the industry interests that are kind of rebelling against the CCPA because they believe it's really harsh towards the industry and really restrictive and will stifle innovation, which I'm not sure how much I'd buy that arguments. So they're pressuring the legislature to pass a more industry friendly bill, whether that be on a state level or a federal level, which I think would be interesting. I just read an article the other day saying how federal regulators are working through recess to try to come up with some kind of federal privacy law, which I think is really interesting. I mean, you'd never see them working through a recess for anything, so kind of really shows just how much the public cares about this and how much the public is pressuring them and how much industry interests are pressuring them as well. [MP]: Yeah, that's really interesting. Are there any other trends that you predict that we will see at either at the consumer level or at the organization level? [DK]: Yeah, so I think there's the overall trend is state laws versus federal laws, what is going to be the law of the land? Is each business going to have to somehow cobble up compliance considering 50 states privacy laws or is there going to be a federal law that kind of blankets all of that? There's a very clear trend towards a disclosure and notice requirements. There's a trend away from the sale of data, I think that's something that people are especially upset about is the sale of their data for profit, not for actual need and a lot of the laws and the bills that are being proposed named the sale of data very specifically as something that a consumer should have the right to opt out of. And the trend towards accountability and responsibility and towards giving personal data some value, there used to be ... There's still kind of is that way, the saying that your personal data has no value to you unless it was breached. You can't collect damages on a privacy breach unless it was used to steal your identity, unless there was actual damages. And there's a lot of cases that site that with actual damages in terms of identity theft and things like that, we're saying that people can't get compensation if their data is just breached and not used by anyone for something bad. So I think we're moving away from that, we're moving more towards your data has value regardless if it's stolen, regardless if something bad is done with it. So I think that's interesting. And I think very interesting thing that I've been seeing is the provision of rights that would normally apply to the consumers above all states and applying those rights to all consumers. So when you run a website, it's kind of difficult to parse out who's from California, who's moved there, who's moved away from there, and then some residents of let's say Illinois, might not be very happy about residents from California in getting all these privacy brides from a business, but then the residents from Illinois don't get it. So there are some websites that I've seen that parse out the rights by Californian consumers, or they have a separate policy for Californian consumers. But I've also seen policies that kind of group all consumers together and just give them all the rights regardless of where they're located. And I think that's very interesting as well. And I think that'll increase if there are more states that pass privacy laws, because it'll be really hard to parse out who's from where. And then also it would be very long privacy policy if you're kind of giving different rights to people who live in different states. [MP]: Right. [DK]: So I think that's something that'll be very interesting to watch. [MP]: Yeah, I agree. And how folks stay proactive in the face of some of these changing legislations. So [DK]: would you share with us, how do you work with organizations today with Termageddon? [DK]: Yeah, so I'm the president of Termageddon and we generate privacy policies, terms of service and user license agreements and disclaimers. So our policies actually update automatically when the laws change. So when the CCPA comes out, we'll be pushing an update to all policies and basically people don't have to do anything else, maybe answer a question or two, and their stand in terms of compliance for their privacy policy. And the way we work is basically you just sign up for an account, you answer a few questions. So for example, what information do you collect on your website? Who do you share it with? And then our system populates an embed code, which is then put on your website. And that basically shows your policies and allows us to automatically update them whenever the laws change. So we're a technology company, but I'm the one who actually wrote all the policy questions and the text and I'm the one who keeps up to date with all the laws and tracks them and all of that. So that's been a really interesting job lately. A couple of years ago, there really wasn't anything going on. I mean you had GDPR, but that was pretty much it. And now like I have a privacy law tracker on a state and federal level, and that's on our website too, which lists all the laws and everything, and then it's a lot. [MP]: I can imagine. I can imagine and share with us, what was the origin of creating your company? What led you to say there should be a technology offering for folks to have policies that are updated and what was the impetus behind beginning Termageddon? [DK]: So before I began Termageddon, I was in private practice and I worked at a software development shop a long time before that. And I kind of fell in love with the tech world and became really interested in it. And then I met my fiance who used to own a web development agency as well and we were just sitting one night over dinner and I used to write privacy policies for clients all the time. And he would have clients asked him what to do for a privacy policy, but they'll say, “I can't afford $1,000 to get this written for me.” And we were just kind of chatting over dinner and kind of saw the need for that. I saw a lot of generators that would charge you extra if you wanted to put your policy on your mobile website, or charge you extra if you wanted to do limited liability. And I'm like, "Well this isn't fair." And he saw a lot of generators that were kind of getting some free money from web agencies and for referring their clients. It's like, "Well that's not fair either." So we kind of just combined the two and it just happened. [MP]: Awesome. That's fantastic. And I know you today with the Illinois State Bar Association, you speak and kind of hold courses on this type of topic, whether it's GDPR or educating other attorneys on the importance of privacy and what privacy policies should contain. Tell us a little bit about, why you do that and what you believe the value to be and should other state associations be doing this as well? [DK]: Yeah, so a lot of attorneys focus on their area, right? So if you're a medical malpractice attorney, you're going to focus on medical malpractice. If you're a corporate attorney, you're going to focus on the law on forming LLCs or corporations. A lot of attorneys that I've spoken to actually don't even think about privacy or data or privacy policies and don't know that they actually need one, which I think is interesting. Right? But at the same turn, like I wouldn't know what a medical malpractice lawsuit looks like. As an attorney you kind of have to know what you're good at and then leave the rest to the rest because that's just the way the law works. There's too much to know and too much to understand. So I decided to do a course on GDPR for lawyers because that's something that a lot of lawyers had questions about and their clients had questions about them too and a lot of times you'll ask your corporate lawyer about technology questions or privacy policies even though that's not kind of their area of focus. And we held a course with the ISBA and actually the ISBA actually just created a Privacy in Technology Law Group, which I joined, which I think is really interesting. But I think that other groups like the American Bar Association and places like that should consider holding courses on things like privacy because it's something that's very, very important right now. And not just from a legal perspective, from a personal perspective too. Mean people are always losing their privacy rights now and getting their information infringed upon and breached and all of that. And that's something that's a very important topic in the legal community. I do hope to see more courses like that and more people get involved and be interested in this kind of stuff. [MP]: Okay, great. So Donata, I thank you so much for taking some time to explain to us a little bit about CCPA, the origin of it, the direction of where legislations might be going. In summary, I have some takeaways just from our discussion today. You'd mentioned to the listeners, one preparation should be started now, I think that's great tactical advice. You mentioned to prepare for those data privacy subject requests today, it'll allow you to see gaps in your IT infrastructure, your process challenges, to make sure that you're responding to those requests in a timely manner. So I think that was really helpful. So do you have any other tactical advice that you would recommend or any other takeaways that you'd share with the listeners today? [DK]: Actually, I have a clear understanding about how it impacts you on whether or not it impacts you. I mean, it's very easy to say, “Okay, $25 million, I'm not making that amount of revenue, or I'm not collecting the data of that many people.” But if you really actually look at what you collect, you might be surprised. So really make sure that it doesn't apply to you and make the conscious decision with that. And don't just say, “Oh, well, I'm just small potatoes, and it's not a big deal." [MP]: Yeah. I think that's an excellent point. All right, well wonderful thank you so much for sharing your expertise and your experience with CCPA. Until next time, this is [MP]: Phee with GRC & Me.Controls Compliance Solution
Automate and Scale Your Controls Compliance Program
Avoid control redundancy, automate tedious workflows, and improve program efficiency by dynamically linking risks, controls, evaluations, and evidence in one platform. Risk Cloud® includes dozens of industry-standard frameworks to help you build a connected and automated control management program that scales.GRC & Me Podcast: Neil Watkins and the Concept of Defensibility
In today's episode, Neil Watkins, co-founder and Chief Operating Officer of Asureti, shares his views on the necessity…
EPISODE NOTES Top 3 Takeaways Defensibility is the ultimate concept that everybody drives to—whether they say it out loud or not. In the security landscape we see today, there are many opportunities for improvement. Even when I employ all of my resources, even when I put my best foot forward out there, failures can occur in my ability to protect data. Resources Asureti Website Connect with Neil on LinkedIn Show Transcript [Host Megan Phee]: All right, Neil. Thank you for joining us on today's podcast of GRC & Me. So let's first off tell me more about Asureti. [Neil Watkins]: Sure. Asureti is a company focused on SRCP. In fact, we built Asureti because in the marketplace, we couldn't find anybody who uniquely covered all those concepts. We found many companies who actually proclaimed they could do GRC, which is just typical governance, risk, and compliance. So we've developed a concept called manage assurance. So we do it in an advisory role, an operational role, but we basically provide our services who either can't, don't want to, can't afford to insource it, or simply just want the output from it. [MP]: And in your introduction, you mentioned the acronym SRCP. So can you share what is that, and how does it differ from traditional concepts within GRC? [NW]: Sure. For many years, the GRC has been simply governance, risk, and compliance. We found that through our practices, there were many missing components to that framework going forward. Security, risk, compliance, and privacy are the four acronyms used to make SRCP. So the inclusion of the security practices, which had been long since isolated, but overseen by compliance functions and directly feed to risk, were still allowed to live in a silo to operate a little bit freely from that process. So we believe its inclusion into the acronym and to the practices was key. And as we continue to move forward into the future it has to be included as a forefront thought leader, and a process of which must be adopted to these organizations. I want you to think about like in a military concept, where they have the concept of what's called sectors of fire. So in other words, each person had a unique landscape, but they also overlapped at the same time. And that's the same concept of that, where everybody would look out into their landscape, cover their area of visibility, but no one concept covered them all. Well the SRCP concept creates that horizontal layer that allows the practices to operate efficiently, in concert with one another, both taking in the feeds and the inputs, and providing the feedback from their own skillsets, and operate in a much more effective way for organizations if they employ them in that manner. [MP]: And do you find that organizations have a solid strategy around the principles of GRC today? [NW]: It's ironic that both in public and private companies, the answer to that wants to be yes. But in the landscape that we see out there today, there are many opportunities for improvement. So when it all kind of starts down with the mandate of operational governance, we find that many don't employ that in an effective manner, or sometimes often at all. So when it comes down to how does a policy read, or is it even a policy, we find companies sometimes don't even want to use the word policy, because it specifically gives some organizational, cultural affect to their people, that they have to behave in a certain manner. So they find it to be too restrictive in a business environment, that has to be adaptive, free-thinking, fast, and growing at a rapid rate. So policies in that framework seem to be restrictive. So there seems to be a hesitance out there, even though it kind of makes sense for them to exist. Because that governance framework is what companies use to rely on how they operate. Each individual looking at the horizon, operating independently, can come back to that common set of rules and say, “Am I doing my job effectively? Am I doing it within the guidelines provided?” Sometimes, “Am I doing it safely?” Some of those questions are answered by that governance structure. But ironically, sometimes it still doesn't exist. But without that cornerstone and that mandate, the programs around data protection, or the security, risk, compliance, and privacy that I spoke about earlier, are ineffective or non-existent as a result. Because even though individual departments will run around, trying in good faith to execute their skill craft on behalf of the organization, the lack of mandate prevents some of its growth and effectiveness as a result. Well when it comes to certain things like this, the organization has to employ legal regulatory oversight. Risk, compliance, privacy, operations, executive management, and the security team have to function to provide adequate protection. Without the governance establishing that requirement, it often doesn't get done. [MP]: And so you talked a lot about the landscape that an organization should have. So, what are the functions, or organizational pieces that need to be in place in order to achieve this? [NW]: Sure. When I talked about it just a moment ago, and I briefly overlaid them really quick is, you have the legal department. The legal department is key for understanding regulatory requirements, interpretation of commercial effect, in other words the contracts you sign that say you have to do certain things, and the understanding of any kind of mandate the organization must find. The risk organization, whether it's formal or informal, is the process of identifying what risks to the strategy of an organization exist. And the reason we talk about all of these in a concerted fashion is, they all feed into an element of risk to the operation. So it can be risk to revenue, risk to growth in a strategy, risk to strategic enablement, risk to the existence of an organization if absolutely done right. And the other one, the cornerstone of that is a compliance function. I know compliance has a kind of a mixed feel for it within an organization about what it is. But it really is the entity who's responsible for making sure that what we are supposed to do is being done, and being done within an acceptable level according to what we said we were going to do, or with what a regulatory framework says you must do. And of course, you have the privacy group on its rise to the organization now, because people, individuals and their data are becoming more aware of where it lives and what's being done with it, and they want to make sure that there's an element of control and adequate protection. Operations of an organization in its generic form, those are the ones out there trying to execute the strategy, tactically employing these things, moving information along. They are a cornerstone to this as well, because it's not unheard of for them to move at the speed of business, and sometimes forego their requirements for adequate protection or compliance and everything else, because the most cornerstone of their job is to enable the speed of the business, and the growth of whatever their strategy is. And of course, technology and security teams, where they're a last part of that. So technology drives how the mission is done in most companies. So they are strategic to that, and the security team is the one who's wake up every day in a vigilant fashion, to find ways to use technology to make sure that what we said we were going to do, what we need to do, and of course at its cornerstone, what they feel compelled must happen, gets done in a unique way. So those cornerstones are legal, risk, compliance, privacy, operations, executive management, technology and security teams. Listen to the complexity and number of participants in a simple design of adequate data protection. Sure. Good enough is the concept that I use to describe what we should aspire to do. There are many people out there that believe it's all a nuisance and a drag on operational expense to an organization. I will do this with the minimum amount of effort and spend necessary, because I must focus on driving my company's strategy, profitability, or non-profitability if that is the case. The other out there think in a lot of ways, that they must do it to the best of their ability at all times, every day. And that is what you want to employ culturally, but the reality of all that is, if you do everything with the most expensive, most time-consuming, most focus, it will be an effective program until somebody simply undermines a common principle. We see this happen all the time in the headlines, where somebody will spend millions of dollars on a security function. And yet they're breached and people are wondering, how did that happen? Well that just kind of shows you the adversary's willfulness, their discipline to approach, and everything else in some of those cases. So here you are, the operational leader of the organization says, “I spent millions of dollars and it still happened.” How does that occur? Well, it occurs because perfection was never the goal. But to understand where the threats may be, to prepare for adequacy on that, to look at it and understand the risks of it, and to continuously prepare to harden that response really is the goal from that perspective, that leads to that good enough principle. And in the end, it is the combination of an organization's risk appetite, risk understanding, landscape, financial wherewithal, and operational constraints that will create good enough. [MP]: All right. Thanks for sharing that. And you, you've also mentioned in discussions kind of this concept of defensibility. So can you share, what does that mean for organizations in practice? And what should they be thinking about, whether it's in terms of preparedness or potential consequences to their organization? [NW]: Sure. Defensibility's kind of the ultimate concept that everybody drives to, whether they say it out loud or not. You have to think about anything that you're going to defend the decisions that you made. So that is kind of the root of defensibility. Did we do it, did we do it right, and did we do it adequate will always be the question, either as an assessment factor, or as after-effect of something unfortunate happening, a business disruption, a loss of data or key information. Again, it doesn't take much to grab from a headline that you look out there and see massive amounts of data were lost in the most simplistic of ways. And then at the time, the organization tries to go back like we do so many times, and recreate why it happened. And then they find that it's a simple failure of things. In the world of this complexity, and when I talked about all these things working in a concerted fashion, something like that is always bound to happen. It doesn't make it excusable, but it makes it a realistic approach to all of that. So the defensibility is the idea around some key components that I'm going to spell out, that prepares an organization should it go through this, to say these key things. So even when I employ all of my resources, even when I put my best foot forward out there, failures can occur in my ability to protect data. The speed of business drives it, change and evolution drives it, all kind of things. But if I'm looking at it from as a core component, I have the governance in place, I have the right assignments and I have the right team engaged, that's kind of the first pillar of all of that. But when you asked about the landscape out there, I would argue that still companies struggle with that, because they don't understand the importance of it. And you hear the cliché of, well nothing bad has every happened before. Well nothing bad happens until it does, and that this kind of opportunity and this kind of approach prepares you for that moment should it ever occur. And quite frankly, even if it doesn't, there are some things out there that say you really must do this. And it was ironic that the Department of Justice had released some recent documentation over these things, and it's really ironic that they talk about the effects of a disciplined operating compliance program. And I'll read the three things that they talk about. It says, "Is the program well designed? Is it applied effectively? And does it work in practice?" The concept of defensibility covers all of those. With good governance and strategy that you have around these programs, overlaying it with a horizontal function that allows them to be seen uniquely, and then steps of defensibility I measured out a moment ago, would uniquely answer all of those questions, as is part of the normal operations. [MP]: That's wonderful. Well, thank you. So Neil. You shared with us some really great concepts there, around SRCP, the landscape organizations should be mindful of, the concepts of defensibility. Anything else that you'd like to share with our listeners? [NW]: Yep. The last part is, all of this seems to be very daunting, large, and effective. And as a result, most people don't even start. They use that as the barrier to their success, or the fear of their success in that regard. My encouragement is, find technology enablers, like LogiGate out there, that are quick and effective to market to help you create that horizontal overlay and visibility into what's happening, and to monitor and engage at a very cultural level the willingness of it, the importance of it, the training to do so. And of course, the continuous assessment of are we doing it well against it? Because again, these things constantly change, but I hear more times than not, the barrier to this is either culture, speed of business, or the right technology enablers. Because it is so broad, those things can cause people to not start. Don't let that be the problem in all of this. One person, one department can make significant impact to all of these requirements if they simply just take it in a very pragmatic, risk-based, stepped approach. [MP]: Fantastic. Well thank you Neil, for sharing your insights and your thoughts with us today. We appreciate it, and stay tuned for another episode of GRC & Me.From Ad Hoc to Agile: Chart a Course for Enterprise Risk Management Maturity
Watch this webinar to hear from Michael Rasmussen and Szuyin Leow on charting a course for Enterprise Risk…
Enterprise Risk continues its rapid climb upwards on boardroom agendas, and it shows zero signs of slowing down. You might even be searching right now for ways to measure risk management at your own company, and how it supports—or runs counter to—the organization’s overall strategy. In this webinar, our panel of experts will help bring the intricate, interconnected, and fast-evolving picture of Enterprise Risk into focus. They’ll talk about what the concepts of program maturity and agility really mean, and offer some practical advice on how to make sure they’re given the proper consideration by your company’s leadership. You’ll hear from: Michael Rasmussen, GRC Pundit and founder of GRC2020.com Szuyin Leow, Director of Customer Success at LogicGate Mary Beth Mathias (moderator), Customer Success Manager at LogicGate Duration: 60 minutes Moderator: Mary Beth Mathias Panel: Michael Rasmussen, Szuyin LeowGRC & Me Podcast: Introducing Megan
In this short episode we’ll introduce you to our new host, Megan Phee. We are excited to have…
EPISODE NOTES Show Highlights: [00:22] A new taste of the podcast [00:26] Meet our new host [00:55] What to expect moving forward Resources: Connect with Megan on LinkedIn Connect with Megan on Twitter Connect with Megan on LogicGate Show Transcript HOST MEGAN PHEE: Hi, there, my name is Megan Phee and this is a quick special announcement for GRC and Me. If you are tuning in for the first time, welcome. And if you're already a dedicated listener, well the podcast may sound a little different, because I'll be your new host. So, in some ways this hosting gig is a perfect blend between my background and education and my current job of head of strategic alliances at LogicGate. I studied broadcast journalism back in school and I've always been fascinated by the field. However, my career led me down the path to risk and compliance, and I'm guessing many of you have taken a winding path to your own roles within risk and compliance. But I couldn't be more excited to bring the two together and I can't wait to see where this podcast takes us. In most ways, the podcast will remain the same. Our goal is still to consist of interviews with thought leaders in GRC. Discussing everything from methodologies and frameworks to hot-topics and cultural nuances. So, with that mission in mind, we will look to share stories and lessons that rarely get discussed or celebrated, helping you to drive change. So think of this podcast is a dynamic medium for discussing pertinent topics, shaping your increasingly important responsibility and complicated endeavors. So, please continue to tune in each episode to learn why GRC is so critical to the future of any organization, where the industry has been, where it's going. So, until next time, this is Megan Phee, with GRC and Me.[Video] Policy & Procedure Management with Risk Cloud
LogicGate's Policy Management Software gives you the power to automate routine compliance activities. It's like having a personal…
The Risk Cloud™️ for Policy Management gives you the power to automate routine compliance activities. It's like having a personal assistant to help manage your mission-critical risks. Video Transcript: Every company has standard Policies and Procedures, but often they cause something else: PROBLEMS. Policies are important, of course. They keep the company on the right track—but managing these rules is usually easier said than done. Why is this? For one, employees may not all be working from the same policy information. Second, the policy drafting, review, and approval steps may not be standardized across functions—creating a patchwork of inconsistent guidelines. Then once policies are established, they’re scattered in difficult-to-find places, leaving employees in the lurch when they need them the most. It doesn’t have to be this way. LogicGate’s Policy and Procedure management platform pulls your company’s polici into one central platform. Employees only access the most current policy versions that will be used across all business units and processes. When policies are updated, they’re updated everywhere—so your Regulatory, Controls, Compliance, and Risk teams all have their eyes on the right information. Creating new policies begins with a standard, streamlined workflow, from initial drafting to final approvals. Quickly add employee attestation steps to make sure the right people are in-the-know. Create custom tags and unique field captures using our drag-and-drop form builder, so your end users can quickly access and complete their work. You can set also automatic reminders to ensure policies get reviewed on a periodic basis. That’s LogicGate’s Policy and Procedure Management Platform. Request a demo today.GRC & Me Podcast: Alexei Sidorenko - The Most Controversial Risk Thought Leader
Today, we are excited to have Alexei Sidorenko calling in from Spain to discuss industry-specific risk methodologies. Alexei…
EPISODE NOTES Top 3 Takeaways Risk Management is not really a profession. It's a competency that should be part of most (if not all) degree programs. Most organizations have been disillusioned with the astrology version of risk management. Sometimes, even a little quantification improves the quality of decision-making significantly Show Highlights [01:17] Alex shares what the Risk Academy provides [03:02] How Alex got into risk [05:13] Alex's "controversial" blog [08:04] Methodologies, strategies, importance [13:52] What forces Alex to be controversial [16:16] Brilliant idea of dumbing it down [17:42] Approaching risk quantification [20:37] The real question: how complex can we go? [23:29] How and when organizations should approach quantification [26:00] An unrealistic fairytale based on averages [29:03] Cultural difference in risk management approach [30:00] Alex's predictions in the coming years [34:17] Final nuggets of wisdom Resources RISK-ACADEMY Connect with Alex on LinkedIn Connect with Alex on Twitter Prospect Theory: An Analysis of Decision Under Risk by Daniel Kahneman and Amos Tversky Judgment under Uncertainty: Heuristics and Biases by Daniel Kahneman and Amos Tversky Foundations of Behavioral and Experimental Economics by Daniel Kahneman and Vernon Smith How to Measure Anything: Finding the Value of ‘Intangibles’ in Business Probability Management Conference Monte Carlo Simulation Moneyball The Flaw of Averages: Why We Underestimate Risk in the Face of Uncertainty by Sam L. Savage Show Transcript ALEXEI SIDORENKO: Risk managers, if they are willing, have the most amazing tools at their disposal to really change how organizations land, forecast, budget, and make decisions. HOST KELLEY SPAKOWSKI: Hi, I'm Kelley Spakowski and this is GRC and Me, a podcast where I interview industry thought leaders in governance, risk, and compliance on hot topics, industry specific challenges, trends, and more to learn about their methods and solutions and outlook in the space. Today, I have with me Alex Sidorenko calling in from Catalonia, Spain. Alex is an expert in risk with over 14 years of risk management experience in private equity, sovereign funds, investment authorities, and venture capital firms across Australia, Russia, Oman, Poland and Kazakhstan. In 2014, Alex was named the risk manager of the year by the Russian Risk Management Association. Alex is currently director of Risk-Academy. Alex, welcome. Would you like to explain to us a little bit more about what the Risk-Academy provides? AS: Hi, Kelley. Thank you so much for having me. It's a great pleasure to speak to your audience. KS: Thank you. AS: Risk-Academy is a fun story. It started many years ago when I was still head of risk of one of the biggest venture capital funds in Russia, and I had this internal weird desire to share everything I do. So I created an online portal in Russian at the time, which shared all the templates, the methodologies, video recordings from the conferences, master class, so basically everything I did outside of my job. And that kind of continued as I later moved as the head of risk of one of the biggest sovereign funds in Russian. So the Risk-Academy continued and it's now the biggest risk management brand in the Russian speaking world. But about three years ago, I moved most of my IP in English and now Risk-Academy is the place where I write a lot of articles, where I do a lot of videos and I provide a lot of training sessions for either risk managers or the decision makers that want to apply risk tools to better make investment, or strategic, or operational budget decisions. So Risk-Academy, essentially, is the place to learn about risk management, but also, a consulting house that does a lot of work when clients request for it. KS: Close Wonderful. And I understand you have podcast episodes as well. AS: I do. I do. I think, as of as of today, I have like 300 plus articles, 400 plus videos, three books and something like to a hundred different podcast episodes. KS: Wonderful. What a great resource. Okay. How did you get into risk? AS: That's, I guess, a pretty typical student story. As many people in their early twenties, I had no idea what I wanted to do. So my dad was doing a PhD in chemical engineering at one of the best universities in Australia at the time. And he said, "My university has just started this new and exciting degree in risk management. Why don't you try it?" And just like any young student, I said, "Dad, I don't care, so I'll do it." And I signed up for this degree and it was- KS: That's great. AS: ... very hilarious because later, once we finished, we were the first ever undergraduate intake for the risk management degree. So we were the first ever bachelor's of risk management in the country in Australia. And it was kind of like, finally, because the university canceled that degree a few years later. So we were the guinea pigs in a failed experiment and I think the experiment failed because risk management is not really a profession. It's a competency that should be part of most degrees if not all the degrees at university. So it was it wasn't exciting start of the career realizing that you [inaudible 00:04:15] and the market doesn't really appreciate you being there. KS: Yeah, that's fascinating. And this was in Australia you said at Monash? AS: Good. Monash University. Yeah. And it's by pure chance that I have a second degree in statistics because I was so good at statistics. The faculty for statistics and econometrics kept sending me letters. Do a second degree in statistics. Do second degree in statistics. So I kept ignoring them for a year and then on the second year I, again, got really good marks for stats and I decided to do a second degree in statistics. I mean, thank God. Who knew risk management is actually about math as much as it is about everything else. KS: Yeah, I was going to say those really go hand in hand so I'm sure that serves you quite well. AS: Absolutely. KS: So one of the things that I really like about the content that you put out there, especially your blog, is that you claim to be the most controversial risk blog. What makes it controversial and why is that your goal? AS: That's a really good question and I mean I can't really say I have thought about it a lot. I think somebody said that it was controversial and somebody on Linkedin kept calling me controversial Alex or something. So I just kind of [inaudible 00:05:25] said, "Fine, I'll go with it." It wasn't necessarily the intention, but I guess the general observation ... I mean now in the age of social media, we, all of us, we can track engagements, we can track a lot of statistics on how certain messages get better or worse received by the audience. And I've been saying pretty much exactly the same thing for the last maybe 10 or 12 years. And the first seven years out of that last 10 have been pretty uneventful. I've been saying exactly the same message, but it just really wasn't widespread. It wasn't received as well. And I think when I kind of got sick of it and I started challenging and questioning some of the norms or some of the accepted practices in risk management and exposing some of the silly things that we do as risk professionals, still do, then I immediately ... It was really a no brainer. The engagement skyrocketed compared to your average mile, the friends [inaudible 00:06:29] everyone [inaudible 00:06:29] nice position. In the age we live now, I don't know why that happening, but it just makes perfect economic sense to do it, to be more controversial than not. I received dozens of messages every day saying whether they like or don't like something. Most people are still pretty shy so they send personal messages instead of just commenting under the article. And for every one message that I get from people who hate the format or the form in which I communicate and they find it insulting or they find it too controversial or too difficult to absorb, for every one person who dislikes the approach I take, I get like 10 or more people saying, "Thank you. Finally, we heard the messaging. It will help us get the message across. So even in that regard, even though a small ... and it's, it's by far the minority, small percentage of people very much dislike the way I present information. Majority of the people find this helpful. So again, even in this regard it works and everybody who claims it would have been so much better if I chose a much milder form of communication, that's actually not true. I mean, I've tried different formats and statistically speaking, this is by far the most engaging one. I guess in 2019, it's nice to be controversial. That's all I can say. KS: I agree with you. I like it. I think that risk and compliance right now is really ripe for some disruption and challenging status quo. So I think it's great and I just was curious, so thank you. Something else that I really like about your approach and I agree with and I want to really highlight on GRC and Me is that you encourage using risk for strategy. So what methodology do you recommend? How is it applied to strategy and then why is that important? AS: Yep. It's kind of funny. I was just writing another article on that topic just before we got our call. If we ask how old is risk management, people usually will divide into two kinds of camps. One will say risk management is ancient because that's what people did when they were building pyramids. And then the kind of camp, people would say risk management is relatively new. In the 70s and 80s, that's when the whole concept of GRC and ERM became more prominent. Well, in reality, I mean both of those groups are wrong because the modern day practice or theory of risk management and the science behind mismanagement, really started in kind of in 16th and 17th century when some of the mathematicians starting to quantify uncertainty and using mathematics to help them make decisions about future. These are strategic decisions, better investment decisions, better operational decisions. It doesn't really matter that much. The whole idea of using mathematics to make sense of uncertainty, which is highly complex, unpredictable by definition, is about 16th, 17th century. And we've kind of, we've lived with that science of risk management and then it was first called probability theory. Then, in the early 20th century, it kind of developed and evolved into decision science, and by the 1970s, some of the psychologists kind of jumped on board and we had neuroeconomics developed on top of it. So in probability theory with decision science, with neuroeconomics of risks, psychology. All of that kinds of merge and by 1970s, we had what was a pretty solid foundation for risk management. But then in the 80s, a miracle happened because I guess that's what usually happens when something is very interesting but highly complex. Somebody hijacked it and really decided to dumb it down to make it, I guess appealing and relevant for the majority of the people. It's like astronomy existed for so long, but that was too complex and it was highly mathematical to comprehend. So somebody came up with astrology. Astrology is basically your fairytale ... I mean, fairytale. It's not real science. It's basically BS and that's what most of the modern day risk management theories are. They're basically astrology of proper decision science. And so what I've been supposedly controversial about in my articles and in my work, I'm trying to bring the risk community back to almost like 1970s saying, "Well, we've had all the good tools and we had all the science behind proper risk based decision making for ages and we don't really have to recreate the wheel and the existence of the new artificial intelligence or cyber risks doesn't really change much. I mean the math is still the same." All I've been trying to do is say, "Well, if you want to make a strategic decision or an investment decision, or a budget decision for that [inaudible 00:11:49] , well we actually have all the methodologies we need to do that and if we want to make a choice between different strategic alternatives, so decision trees are still as powerful as they ever were. In fact, decision trees still drive a large portion of artificial intelligence algorithms out there together with neural networks. Both tools are old. And so for strategy, integrating risk management that the strategy just, it makes perfect sense, but it's not unique or new in any way. I mean this is what risk management was always about in 15th century, in 16th century, in 17th century, 18th century, 19th and 20th. I think it's unreasonable for us in the 21st century to consider it somehow an innovation. But to integrate into strategic planning, we still use decision trees, which are old. We still use scenarios and simulations. And simulations, the multicolor engine for a algorithm for stimulating the possible future outcomes has been developed in '45, '46 so that's what, 75, almost, years old and as powerful as it was when it was developed to create the atom bomb or nuclear weapons. So I obviously think risk management is important, not just in strategy but in any kind of decision making because it just makes so much sense to do risk analysis, not once a quarter as we're used to doing it once a year, once every six months, but actually do the risk analysis before an important decision is being made by the management or the investment committee or whoever or as personally in life. And the good news is, we have all the tools necessary to conduct risk analysis before making decisions. KS: That's the old, if it ain't broke, don't fix it, methodology. AS: Well, kind of, which is weird because I mean I'd love to see risk management associations and risk consulting powerhouses come up with better ways to apply those existing tools. But that's not unfortunately what they do, which kind of forces me to be controversial. That's not what they do. They recreate the wheel instead and ironically, they don't give us better tools. They actually give us tools that are significantly worse. And, again, we know for a fact that the methodologies that are commonplace in risk management right now, for example, using heat maps for trying to multiply likelihood by consequence and getting like a risk level. We know for a fact that those methodologies provide much poorer results. They're much less accurate than any of the like 70 year old tools, which is bizarre. KS: Yeah. Do you think it's the human element that is breaking down the mathematics of it? AS: It's difficult to say. I think it's more the kind of the entrepreneurship spirit because whoever's made this popular and the Douglas Hubbard is, in his book ... He's publishing he another book on risk management very time soon, which I'm really looking forward to. But in his book, he actually went on a quest to find the patient zero, find that person who hijack risk management and turned it into astrology. KS: I want to read that too. AS: Yeah, I know. Isn't it exciting. It's amazing. Somebody seriously hijacked risk mismanagement in 1980s and turns it into literally astrology. Your average risk management report is no different from a horoscope. It's just as accurate and it's just as dangerous to use for any kind of proper decision making. So on one sense, it's horrible that this happened, but then on the other sense you can kind of understand how entrepreneurship and making money is that carrot that's dangling in front of the people because decision science, and math, and cognitive biases, and risk perception, it's hard. It's difficult. That's why they have whole departments in Pentagon. And that's why CIA spends millions on researching this. It's actually really difficult. And somebody had a brilliant idea, why didn't I dumb it down for everyone? Well, I'm going to lose all of the important information and it will become a horoscope, but I'll be able to sell millions of copies and that's literally ... I mean, astrology, if you think about it, it's hugely popular. I mean, people are making ridiculous amount of money on horoscopes and everything else. So from a commercial point of view, makes total sense. From an ethical point of view, very questionable practice. KS: Sure. Now I'm curious, what's your astrological sign? AS: Aries. KS: Aries. AS: I think because when I was born, I was Aries, but remember how they moved the whole thing- KS: Oh yeah. AS: ... years back. KS: That was not accurate. That was disproven. But to your point, it's all hokey, fakery anyway. AS: Exactly. KS: But now the controversial title makes sense because Aries is the bull, so. AS: Yeah, I guess. KS: Okay. So something that I keep hearing a lot lately and it's not a new methodology, but it's just really coming full circle now I think is risk quantification. It's been really hot. So why do you think that is and when should it be considered and then how do you recommend organizations approach risk quantification? AS: Yeah, which is fascinating because risk quantification can literally mean like a million different things. From very simplistic scoring methodology, saying, "Look outside. If the sky is blue, then it's going to be a good day," to like a complex Monte Carlo simulation model that runs like 10,000 scenarios, trying to figure out what the possible range of outcomes is, so highly broad, complex. The good news is that almost everything we do is some form of quantification, and over the last 50 years a number of scientists have done a lot of research trying to figure out, trying to answer the age old question who's better, a human or an algorithm. And unless something new comes up in the near future ... at the last conference, the portability management conference in U.S. ... I think it was again Douglas Hubbard who was sharing the stats, but there was approximately 150 studies in different fields of life conducted to determine who's better human intuition or some sort of algorithm, some sort of quantification, even the most basic quantification. And out of the 150 ... I mean, I may be wrong. It could be 130 and it doesn't matter. You get the volume of research. It's been extensive. And out of the 150, two studies have shown that human intuition is similar or slightly better than an algorithm and everything else. So 148 showed that actually using some sort of algorithm is much better than relying on our intuition. If we look at the situation from that perspective ... and all your listeners, you're more than welcome to disprove that. Run your own study, prove us otherwise, but until then we have to rely on ... And it's a large population of scientists that tried to answer that question and the study covers all different fields: agriculture, pharmacy, engineering, oil and gas, governments. It's like it's a very broad spectrum of study. So from that perspective, it's a no brainer. You have to quantify everything if it's a big enough decision. If it's significant enough and it's not trivial, if it's going to cost reputation or money, then quantification is definitely the way to go because the alternative to quantification is to not use anything and rely on your intuition, which is a pretty dangerous bet, it seems, based on the research I conducted as of as of now. So quantifying is kind of the only way it seems. The real question is how complex can we go? How complex do we need to go? And here again, there are different schools of thought. For example, the school of thought by Daniel Kahneman and Thomas [inaudible 00:20:47], Vernon Smith, all the oldest researchers in cognitive biases and human risk perception and risk psychology say that because we are inherently irrational in our decision making, because we fall into so many different cognitive biases, because the quality of our decision making depends on how much glucose or sugar we have in our blood, whether we are tired or not of whether we're happy or not, what colors we're wearing, because we're so highly influenced by all these many different random factors, we really have to apply proper [inaudible 00:21:25] that quantitative tools to help us make decisions. And then of course there's the school of thought by [inaudible 00:21:32] who says that no model can really be predictive of the future because the future is highly complex and the [inaudible 00:21:40] are hidden from our comprehension that we have to use the models, but we also have to have downside protection no matter what. So basically those schools of thought still say we have to apply some sort of tools. And the good news is sometimes even a little quantification improves the quality of decision making significantly. We don't actually have to run highly complex Monte Carlo simulation to make a better decision. Sometimes even adding a little bit of analysis to our decision making ... I mean sometimes even extrapolating the future. Sometimes creating a scoring model based on a number of the factual, observable items can significantly improve the decision making. And Douglas Hubbard has an amazing book called How to Quantify or How to Measure Anything. He argues that sometimes three observations is enough to improve decision making, not to make the decision making perfect, which is not our objective but to improve our decision making compared to just intuitive thinking. [inaudible 00:22:51] with quantification has actually been hot since 15th century but now kind of everybody's finally getting the hang of it because I think part of it is that most organizations have been disillusioned with that astrology version of risk management with DRM style discussions, realizing that having a heat map of your strategic risks doesn't actually change how you budget or make multi-billion dollar [inaudible 00:23:19]. We've had all the tools to help us make better decisions. So how do I recommend organizations approach with quantification and when should it be considered? I think it's the first point to realize is that quantitative risk analysis tools is actually like a whole spectrum of tools starting from very simple decision trees, which you could draw on a napkin to scoring methodologies, which again are relatively simple two scenario analysis, which is super basic to more complex simulation models, which are slightly more complicated. But if the price is high enough, if the reputational damage is significant enough, then running a simulation, even though it's complicated it's not a deal breaker. It's not that difficult. It takes maybe an extra day to run the simulation and maybe like an extra week to find all the necessary assumptions and verify assumptions and actually create the model. I think a week to like a multi-million dollar decision or a multi-billion dollar decision is literally the least of the troubles that you have. KS: Right, exactly. Thank you. I think that's really insightful. Even just considering three objective opinions is better than one or two. I think that's really helpful information for the audience. It kind of reminds me too of ... Did you ever see that movie Moneyball, was about Billy Bean and how he uses saber metric analysis on- AS: Yeah. exactly. KS: ...Baseball players scouting? Yeah. AS: Yeah, he- KS: It's a little bit like that. AS: Absolutely. I mean he was the first in the industry, in the sport industry. He used very simple math to significantly improved decision making. KS: Yeah, that's fascinating. AS: Which is essentially what risk management is all about. I mean whatever industry we are working on, we can use some of the basic risk management tools that we have and significantly improve the quality of decision making that executives have. I mean this is just mind blowing stuff and it's mind blowing because this theory has been proved by the Danish mathematician in 1906. It's called Jensen's inequality. This is groundbreaking because most executives still have no idea and this is how business operates, ignoring that finding. Can you just imagine this is not 110 ... 1906 so 110 years ago a mathematician proved that when you build your business plans, or budgets, or investment proposals, or literally anything else, or production forecasts or anything, well, sales forecast, when you build anything in business based on single point estimates, especially if those single point estimates are what people call most likely or averages, you're pretty much guaranteed to have an unrealistic result. This is how everyone does it in business right now. He took this idea and made it very popular in his book Law of Averages, which is amazing, but he's basically saying if your company is planning, and budgeting, and forecast using averages, which is what every single company on the planet does, things you signed off on that budget or that business plan or that strategy, you're pretty much guaranteed to have an unrealistic target because you've just taken out all of the uncertainty out of the equation and you've created this unrealistic fairytale. And so of course whenever we're working with our clients ... we're the training producers for some of the biggest corporations in Russian speaking countries. Whenever we talk to them we're saying, "Well we've had since the dawn of time, since the 16th century, we had the solution." What's the alternative to planning and budgeting and forecasting with single points estimates? Well, of course we can do that with ranges. We have the techniques to create business plans with ranges that will give you distributions with single point forecast. Basically what they're saying is that the way business planning is happening right now in 99.9% of companies in the world, pretty much guarantees rational results because it ignores risk and we actually have the solutions. We've had it for at least 70 years to overcome that, to improve our planning, which is fascinating. I think risk managers, if they are willing, have the most amazing tools at their disposal to really change how organizations plan, forecast, budget, and make decisions. KS: Yeah. Fascinating. And I totally agree. So this is actually a really good segue because I'm curious about, you have such worldly experience in risk management and I have to think that just based off of our conversation even so far, you mentioned how our humanity kind of plays a role in our gut decision making and we've got dopamine firing, influencing our decisions. So what differences do you see in risk management globally? Culturally, are we really different across the different countries in terms of how we approach risk management? AS: That's a very good question. The short answer is I'm sure we are different, but because most of the people on the planet are so fundamentally wrong in their approach to risk and uncertainty in general, that our cultural differences are insignificant compared to our methodological differences, so I can kind of put it that way. We're so inherently ignorant of uncertainty and risk when we make decisions in the workplace that some countries are slightly worse. Some countries are slightly better at it, but we are kind off by a mile and plus/minus hundred meters is not the real problem per se. KS: My next question, since we've been talking about predictive analysis, what are you predicting for the next couple of years in the risk management space? AS: I sincerely hope that the messages that myself and many other risk managers have been pushing for years will become more mainstream. I hope that we will switch from having conversation about risk and the risk levels to having conversations about uncertainty affecting objectives, or decisions, or forecast of budgets and we will actually finally find that magic pill, which by the way, I have a sense that I think I might have found it recently, finding that magic pill to sell the idea of thinking in ranges and scenarios and simulation the futures of the executives. I just think it's so ironic that before making any kinds of decision any kind of big decision, the CEO would call his tax advisor. He would call his legal team. He would call his finance team to first figure out what the potential problems are, and then run some sort of scenarios to figure out what's the best approach. I mean, most executives do that as a given. No one would make a decision without first consulting at least somebody in finance, tax or legal team. And yet, almost no one calls the risk manager for the same advice because I think we've not done well in selling our tools, our expertise as being able to add and make sense of uncertainty in the future decision making. Fingers crossed, I've only been saying exactly the same thing for the last seven years. Fingers crossed, business plans of the future will not have a single target. It will not just say we want revenues of 100 million. It will say we want revenues from 80 to 105 million and this is the kind of the probability of achieving our objectives. We will actually stop talking about relative things when we talk about the future and we will appreciate that uncertainty has a huge impact on the future and we will be honest with our shareholders and government regulators about the effect that uncertainty has on objectives. I mean, I was amazed when I was still the head of risk of one of the big sovereign funds in the country. I was amazed my CEO had the courage to take the Ministry of Finance the calculations that we've done and he's shown that ... We build this strategy until like 2020. This was quite a few years back and that strategy basically said that there was a 30% chance that the strategy will not work. And in fact, if it doesn't work, we may lose quite a lot of money and this is how much money we will lose with 90% confidence interval. I thought it was just amazing. I've never seen anything like that when the companies were honest with the government and the regulators and the public about the level of risk they're taking and how that risk, if it happens may affect the bottom line. I sincerely hope this is the future that we are moving towards. KS: I hope so too and I think we're right there. I think we're at that tipping point just because I feel like a lot of organizations are taking another look at risk and really wanting to change and improve their programs. They're starting to invest in the tools and technology that they need to set their programs up for success, which I think is a really good starting point. You have to have a foundation of gathering that data to be able to do anything smart with it. So I think we're on that precipice. So I'm hopeful with you as well. AS: Absolutely. KS: Well, this was really eyeopening and sort of a brief little history on risk, so thank you for that. I'm going to say you are refreshing and very reasonable, not controversial at all. AS: That's what I've been saying all this time. I mean, I personally don't think I'm controversial. All I'm saying is wake up. The things that we're trying to do for the last 30 years don't work as well as we want. Maybe the problem is not that executives aren't listening. Maybe executives are actually very clever that they're not listening to some of the nonsense that we're trying to sell them. And why don't we go back to the drawing board and use some of the tools that the engineers, scientists, doctors have been using to make decisions under uncertainty for the last century. KS: I agree. Get back to the basics. All right, well, Alex, that rounds out our conversation. I really appreciate you coming on GRC and Me. I think this was great information for our audience, so thank you for that and I wish you the best of luck with the academy. I'm going to be tuning into your content as well, so thank you. AS: It's a pleasure. Thanks Kelley.GRC & Me Podcast: Terri Sands - Risk and Compliance in Finance
In this episode, Kelley talks with Terri Sands, founder of Secura Risk Management. Terri shares her thoughts on…
EPISODE NOTES Top 3 Takeaways It's tough to keep up without good technology Transparency between parties is difficult in the financial industry A single point of failure can also be a single point of fraud Show Highlights: [02:50] Risk management challenges for smaller financial institutions [07:13] The significant irony in financial institutions [09:01] What Terri brings to the table [10:50] Creating a culture of risk awareness [12:24] Reactive planning versus strategy planning [14:25] The shift Terri has seen [15:32] The unfortunate indicator [16:45] Terri's opinion on banks reducing their operational costs [19:43] One challenging area in heavily-regulated organizations [21:37] What works and what doesn't for acquired financial institutions [25:03] More tips for acquiring financial institutions [26:49] Guilty by association [27:59] Wrapping up with the most shocking fraud story Resources: Secura Risk Management Website Connect with Terri on LinkedIn Connect with Terri on Twitter Ozark Show Episode Transcript HOST KELLEY SPAKOWSKI: I'm going to get us started with a quick tip. Today is actually around data privacy, it's actually two tips to get you started. First, learn about your data sources. Find out where and how long it is being stored and how it's being used. Then, develop a consent policy to process personal data and acquire consent from customers. TERRI SANDS: It's calm water if your strategizing, and you're doing different things like that to plan, rather than to be reactive and wait for an external auditor or even worse, a regulator, tell you that you are inefficient, or you have this reputational risk because you did not know that you were dealing in a world of spreadsheets, and because you were so busy there, you missed the big thing that caused a data breach, or reputational damage. KS: Hi, I'm Kelley Spakowski, and this is GRC and Me. A podcast where I interview industry thought leaders in governance, risk, and compliance on hot topics, industry specific challenges, trends, and more, to learn about their methods, solutions, and outlook in the space. Here with me today, to discuss risk and compliance in finance is Terri Sands, founder of Secure Risk Management. Secure is a boutique consulting firm, and membership organization that works closely with financial institutions, many of them small banks and credit unions to safely change with growing technology and regulatory requirements. So, thank you for joining me, Terri. I really appreciate you being here. TS: Thank you for having me. KS: We actually met at one of your membership forums. It was awesome. You hosted it in Lake Oconee, am I saying that right? TS: Absolutely. KS: Lake Oconee, Georgia. It was awesome, at a really nice Ritz on a lake there, very quiet. I can't wait to go back. While I was there, I just, I instantly knew I wanted to have you join me on GRC and Me, because you have such a great pulse on the day-to-day challenges in community banking, as well as, the big picture priorities, so you're really able to build a solution approach that is both top-down and bottom-up that drives meaningful change. So, I'm really excited to chat with you about some of your insights in banking. TS: Thank you. KS: So, Terri, you are training many regulatory agencies on payments risk, anti-money laundering practices, enterprise risk and fraud mitigation. What challenges do smaller financial institutions have in their risk management programs? TS: Well, there's a few. The transparency between parties is tough with financial institutions. You have the first, second, and third lines of defense, and because of old habits, there might be a siloed area here, and a siloed area here. Senior management or executive management may not have the transparency that they think they have, so you may have different lines of businesses doing duplicate processes, duplicate workflows, or doing things that do not make sense, but because they're so siloed it's tough. And certainly technology, and what you guys offer, kind of bring that together. The other thing is, it's difficult to keep up with all the regulatory requirements with few people. I work with a lot of smaller financial institutions, but I also see this in good sized financial institutions, where you have like, one person. One person is the BSA Officer, they're also the IT Security Officer, and then they head up Deposit Operations, and Electronic Banking. And so, you have that dynamic where one person is trying to do everything without technology. A lot of times without good technology. And then they're over the first line of defense employees that are trying to keep up with all the regulatory requirements. And so, if you think about some of these regulatory requirements, whether it's regulation E, or whatever regulatory requirement it is, you've got all these deadlines. You've got 10 days, 45 days. If you're trying to keep up with policies or procedures, you update them annually, who owns it, where your risk assessment here. So, it's really tough, and so, without good technology it's really hard, and especially in the world in which we live today with all the fraud that happens. The fraudsters are trying to get to the financial institutions, because they hold the assets. They're holding the money. Then you have that dynamic. So, it's tough to keep up with everything without good technology. And the struggles that we see are data. The inability, or unwillingness to use data to predict future strategies. So, data is another one, and probably the last thing that we see most of, and probably the number one challenge is the usage of spreadsheets, and other inefficiencies. It's kind of using a spreadsheet to enter information, which is tedious. So, financial institutions, they find themselves in these precarious situations with understanding how they have so much risk, "Where did all this risk come from?" Because it's basically, they're spending more time on preparing the data than monitoring and evaluating, and really managing the risks. It's this habit forming spreadsheet world, Kelley, that's when I actually approached LogicGate. I did the demo because I was a big fan of it, because it's simple, it's not overwhelming, and it truly is user-friendly. And the ability for risk management to be better managed through rules based technology is a plus, because it's really hard with all the things that you have to do to also have to prepare to monitor, prepare to do these things. So, technology adds that layer of support. It's like having a virtual employee. So, I like LogicGate, is truly a great resource for smaller financial institutions. KS: Yeah, I appreciate that. One of the things that I thought was really interesting is, a lot of the folks I met at your forum who are performing these functions at these banks and credit unions, this is just one element of their job. They're wearing so many different hats. So, I can't imagine, if I had to go to a spreadsheet to aggregate or manipulate this data, or gather it, that would be totally on the bottom of my list of things to do. TS: Right, exactly. KS: At the end of the day, because that's just not the fun work. It's really tedious, so I hear you, and I agree. In your opinion, is it difficult for these financial institutions to become efficient when there are so many fintech companies to choose from now? TS: Here's the thing, and I talk to so many financial institutions about this, it's overwhelming. I put myself in their shoes, and you've got to think about all the technology companies that are approaching financial institutions, "We can do this for this, and we can do this for this." So, you've got that coupled with the fact that, kind of going back to one of the challenges is, that's not my only job. Sometimes, I've seen with financial institutions, that they're so busy with inefficiencies, they don't have time to be efficient. So, the irony here is significant. Unfortunately, some financial institutions learn of significant inefficiencies through regulatory scrutiny. Sometimes it's the reactive piece of them. They wait, because they think everything is fine, until a regulator comes along, and whether it's a consent order, or almost a consent order, or a super bad audit, they're basically finding themselves having to deficient staffing models. Or, they have good people who simply leave because the environment is so overwhelmingly inefficient that they can't continue in that type of environment. Truly, the problem solver is education, things like this. And also, it's calm water if you're strategizing, and you're doing different things like that to plan, rather than to be reactive and wait for an external auditor, or even worse, a regulator, tell you that you are inefficient, or you have this reputational risk because you did not know that you were dealing a world of spreadsheets, and because you were so busy there you missed the big thing that caused a data breach, or other reputational damage. It's really bringing fintech companies, and that's what we love doing, is bringing fintech companies that make sense, to financial institutions. And especially with us, we deal with a lot of smaller financial institutions, but bringing that good technology to a financial institution to say, "This will solve your problem," and that's what I love doing so much. And then when you put really good technology into a financial institution, and they start working it, it's just like, "Why didn't we do this sooner?" Because then, that's when you learn the regulation. When you have the technology helping you keep up and do the enterprise risk management, and do all that, that's when people learn the content. So, it's always really interesting with this, but again, that's the challenge, and quite frankly, the other thing is asking the question, who at the financial institution is going to ask the question, "What takes you the longest to do? What is the most difficult part about managing risk today, and how can I help you do that job better?" Senior management, and I'm seeing a lot of this over the past year, where senior management is really taking a deeper dive into that first line of defense. The people who are doing the work every day and saying, "Okay, what can we do to help you out?" Unless you have that environment, then you're going to be dealing with spreadsheets, and you're forcing yourself into a reactive mode. But the challenges, in terms of fintech companies, is trying to fit what you need with what's out there. And so, that's a big challenge. KS: Yeah. This is across the board. I see this really not just in finance, but in a lot of different industries, that environment that you spoke of. What we're calling it is, creating a culture of risk awareness. You can't do that if you don't have visibility into these areas, and I don't know if this is something that you are noticing in finance as well, but in other industries these different areas, or workstreams if you will, the data is siloed. So, you've got a group of people that are managing compliance related things, another group managing policy and procedure, maybe another team that is responsible for risk management and mitigation, and then you've IT, and there could be different departments that have their own way of measuring and mitigating risk. So, everything is managed separately, and the data is siloed in spreadsheets. So to actually get accountability and visibility across those data points that really tree up into an overall risk strategy for the organization, they just can't do it. We're seeing a shift in other industries to get that more proactive approach, and actually, realize that, "Hey, we can use risk data as a strategy for the organization," to create new business opportunities. Things like identifying a merger acquisition strategy, or gaining a certification, or rolling out privacy as a part of their service level to customers, and actually using these as new business opportunities, and a strategy for a competitive edge. Is this something that you're seeing banks and financial institutions moving towards? TS: It's interesting, in the past year and a half, probably, I have seen a shift in more strategy. I'm happily seeing the steady increase really focusing on strategy planning with financial institutions and companies, rather than reactive planning. Because reactive planning is just not as fun. Reactive planning, it's all about time. You're already in trouble at that point, whether you've had a big fraud event, or regulatory consent, or something even more significant. So, just talking to CEOs and CFOs, and really all types of employees within those financial institutions, it does seem like financial institutions are taking more of a proactive approach to their risk management strategy, and listening to the people who are in the best position to tell them what they need. And so, they're really using risk management as a strategy. The thing that I think, which is great is that, financial institutions, used to, you started with risk management, and then you worked down, so a lot of financial institutions would say, "No, we can't bank that client. No, we can't have that product," but if you have a true blue, enterprise risk management program, where you have technology, like obviously LogicGate, helping you out, you can start with the customer first and say, "We want to bank that customer," Or, "We want to offer that product or service," and then you can work from the customer. Not start with risk management, because the customer is going to be the point from which you're going to say, "What do you need, and what do we need to do?" And so, if you have the technology and the transparency, and every level knows what's going on, you have such a competitive advantage over other financial institutions and companies, because everything is transparent. And then you've got everybody working together. I've also seen a shift, and again, I think this goes hand-in-hand with the technology is, if you have the technology to be able to open all the doors, it's like go into a financial institution and opening all the doors to all of these departments and saying, "Everybody, come into the lobby, and let's all talk." To me, that is truly enterprise risk management, where everybody is collectively agreeing on something, risk management can be managed a lot easier, and you can talk about strategies and technology efficiencies, enterprise risk management. And it's always been my experience that if you do this as a team with good technology, and you listen to everyone's thoughts, it is truly a success. Unfortunately, I see financial institutions still today, work on spreadsheets. To your point, Kelley, you've got somebody working in compliance on their stuff, and you've got the sales folks over here selling it, and fighting back and forth with risk management and compliance people. That is, to me, it's always been the indicator that you do not have an enterprise risk management program with good technology to be able to help you. I've been into financial institutions that they say they have this enterprise risk management program, but it really isn't. They're dealing with spreadsheets, and it's really siloed risk management. So, you really need good technology, and the ability to see, you've got to see the blue sky, because if you're surrounding yourself with spreadsheets, you're trying to manage policies, and vendor management, and risk assessments with spreadsheets, you are truly, and it doesn't matter what size you are, you are truly, in today's environment, with all of the external threats, you're setting yourself up for failure. It's not a sustainable risk management program. KS: Yeah. I think at it's best, you're just behind. You're lacking. But at it's worse, it could be really catastrophic. It could result in something that cripples the business. TS: Right. KS: Yeah, I think that's a great point. You mentioned efficiency. Something we see, financial institutions are wanting to reduce operating costs. In your opinion, what do you see, in terms of banks reducing their operational costs more effectively, competing in the financial industry? TS: This is kind of a hot potato topic these days. It's interesting. You might hear, financial institutions really talking about, "Hey, we want to reduce those operating costs," but then you walk into a room, into the same, you may walk into the operations center, and you're surrounded by stacks of paper. People around you looking like they're about to cry because they don't know what to do with these stacks of paper. But I am happy to say that, like I said, over the past year and a half, there does seem like a lot of financial institutions, and the smaller ones too, we work with financial institutions that are 50 million in assets, but they operate so efficiently and effectively, we've got some financial institutions who have virtual employees. And basically, there is technology that is really running manual reports, doing different things, helping the operational folks. And while the operational folks are really focusing on things like fraud prevention, risk management, compliance management. So, you're seeing a shift in the doers, like I'm sitting there, and I am either typing out something, a spreadsheet, an Excel spreadsheet, I'm dying in the world of Excel, or I am writing all of these things. Instead of that, you're seeing an uptick of people really focusing on risk management. In risk management, you don't have to be typing on a spreadsheet to say that you're doing risk management. Risk management is about monitoring, evaluation data, keeping up with things, understanding things, communicating out to the business line so that they can go sell and do those things. The last thing you want to do is make risk management this dreadful thing that takes way too long to do. Then you've lost your competitive edge to be able to go sell. So, I do think people are looking at operating costs simply because, it is negatively impacting that front line to be able to go sell, and bring in deposits. If I am a sales person, and I'm spending half of my time doing operational risk management functions, half of the time I'm not selling, I'm not bring in deposits. So, that is where that becomes a crippling process. So I think reducing operational costs has a lot to do with the inefficiencies on the front line and on the sales side, because they're doing all of this stuff that they should not have to do. KS: 100%. You know, I'm going to go off on a brief tangent here, but your statement about the stacks of paper making people cry just reminded me of something. I'm speaking with a bank currently, and they are looking at incident management solutions. They are doing the right thing. They are being proactive. They want to streamline this, and one of the things that she asked me, and I think this is also one of the areas of challenge for these types of heavily regulated organizations is, it's like, they're chasing their tale constantly. One of the things she asked me is, "Can we import all of our historical incident cases into your technology?" My answer was yes, but then I was like, "Well, let's dig into this. How much history are we talking? How many cases?" "Hundreds of thousands. We've got a regulatory requirement that, for one of the departments, it requires us to keep the entire history, the lifetime of incidents. So, it's like, more than 10 years of incidents." And I thought, "Oh my God. When are you ever going to reference an incident that happened more than a decade ago?" TS: Right. KS: They are just like, in a sea of non-useful data at that point. TS: Exactly. KS: It's not that we can't meet that need, but I just [inaudible 00:20:42] in that moment, because there is this kind of, I don't know if it's a chicken and egg analogy, but how can we move forward if we are held back by historical data that we can't efficiently manage? TS: Agree. KS: So I thought that was interesting. TS: Yes. KS: So my task to her was, "Hey, go back and challenge your legal team, and find out what you really need to keep, and let me know if it's seven years, five years, three ideal," because less is more in an instance like that. TS: That's exactly right. KS: Do you see anything significant in the risk management space through financial institution merger and acquisitions? We're seeing that this is a trend. It's been a trend for a bit now, but it's definitely going to increase through 2019 and 2020. Specifically, what do you think works, and what do you think doesn't work when financial institutions merge, or get acquired? TS: There's a couple of things. The first thing that I see, financial institutions, if you sit on the sidelines and you watch financial institutions, the acquirer and the one being acquired. I see sometimes it's, the acquirer comes in and just swoops it up and they're not listening. It's who's got the best in show technology? Sometimes it's on both sides. The advice that I would give to an acquiring financial institution is pay attention to all, do an inventory of technology, and see what works best with what the smaller financial institution has, because maybe they have a best in show thing on their side, and maybe you have a best in show technology on your side. So one is, listen to each other, because I think that's important. The other thing I think, if you were an acquiring financial institution, you don't just wake up and become an acquiring financial institution. Most of the time, you're in business to do that. So, a lot of the audits that I've done over the past several years in financial institutions who are acquiring other, they're in the business. They do that. Historically, they do that. They find themselves in an incredibly risky position because their program may not be sustainable for where they are in the moment. And so, when they take over another financial institution, it only gets worse. I talked to several financial institutions. They're either hitting the billion dollar mark, or they go to the three billion dollar mark, or even more significantly, the 10 billion dollar mark, and I will say, "You're dealing in spreadsheets. This monitoring system that you have here was not even made to monitor what you're monitoring." Or, "Your technology is antiquated." Or more so than anything, "There's way too many manual processes." And then you've got layers of people trying to manage to those spreadsheets. So, for financial institutions who are in that business, who are acquiring, they have got to get an enterprise risk management program, because they will find themselves, as you get bigger in asset size, regulatory audits get worse. They just do. They get more intense. And so, the regulators, which they should, because you're responsible for more consumers. You've got more commercial clients, you've got more opportunity for fraud. There's more opportunity for AML risk, regulatory consent risk, it's important that these acquirers get with the program, and make sure that they have a sustainable program for years to come. They need to plan on not just today, because if you acquire a financial institution that's even 200 million in assets, and you're 10 billion in assets, it's still a 200 million dollar organization that you're going to pull in, and 200 million even, pulling into a financial institution that is managing risk to spreadsheets and inefficiencies, is not good. And so, that's unsustainable for even today. So, I think that what I see is, financial institutions acquiring financial institutions, and I've talked to many, and especially over the past six months, is really, what do we need to do to get into a new program that we're growing in. Acquiring financial institutions know their strategic plan. It's not a secret to them. They know what they want to do. So, if you know what that plan is, you're going to work to a three or five year plan. Your enterprise risk management needs to be with a three or five year plan, whatever. But if you're just dealing in the moment, every day is going to be a new day to you, you're just playing with time. And it's just a matter of time before something happens again. And like I have on my website, it takes one regulatory consent order, one thing that can cause you reputational damage, that you would never, ever be able to acquire a financial institution again. So, it's basically being in a sustainable enterprise risk management environment, surrounding yourself with good people, and technology that really works for you. Not that you have this technology in the middle of you that doesn't work. Sometimes I see financial institutions who have enterprise risk management technology, and they don't use it because it's bad, so they do all these workarounds around it, and they let it sit there, and pay for it. The technology is sitting there not being used, so you're working three times as hard for technology, which is completely ironic. So, I think the sustainability of risk management programs, especially for acquiring banks, is significant, and it's something that is on the regulatory radar. When I do training for regulators we, all the time, talk about acquisitions and mergers, because those financial institutions are at risk more than other financial institutions. KS: Yeah. Absolutely. It's funny, too, we have such a crazy environment right now, just in business, but personally, with guilt by association. Just in this whole M&A between financial institutions, just got me thinking, too. My mom always used to say, growing up, "Treat others how you would like to be treated." If you have a good business practice, and process in place for these procedures, you're going to attract other organizations that have those good practices and strategies in place, too. And you want to be doing business with somebody who is doing business that way, because if they've got something hiding in the closet, you are going to be guilty by association. TS: Right, exactly. I think that this is kind of a thing that financial institutions who acquire other financial institutions need to be paying close attention to. KS: 100%. Well, to round out our episode, I know you have rolled up your sleeves, and dealt with a lot of fraud cases. I'm just curious, what is the most shocking fraud story? TS: Several years ago I was doing an audit of a bank, and I came across something that didn't make sense, and I went to the person and asked her, "Can you help explain?" And she was babbling on. Whatever she said did not make sense, and she kept babbling on, babbling on, babbling on. Interesting enough, during that audit, it was the first time that I'd ever caught fraud actually performing an audit. And so, she was responsible for everything. And talk about spreadsheets, kind of bringing this around, she had a stack of papers and spreadsheets, and all of this other stuff, and she was the go-to person for the president of the bank. She was the go-to person for everyone. It was difficult because they fired her. They went through the whole thing. It was pretty significant. The interesting thing, it's like, you have to pay attention to your surround. The interesting thing is that, here's a person who made like, 30 thousand dollars a year. She was responsible for everything, making 30 thousand dollars a year, and she was driving like, a brand new Jaguar. It was some crazy expensive car. So, every single day, they came into work, she pulls in the front with her brand new Jaguar. She goes on vacations. She did all this extravagant stuff, and even when she was not there, she had her backup do the fraud. So, the backup was doing the fraud, so she had organized fraud within the financial institution, and because they were so inefficient, she made things so layered and inefficient, she was able to get by with the fraud. And because everything was so siloed, she was able to get by with that. And I think that was probably the wildest thing, because every day was a new day. No one put things together. No one. So, it was kind of like, all the things we talk about, data, working in silos, one person trying to do everything. That was the point in time when I thought, "You know what?" It was my first opening, grand opening, to fraud mitigation, because it was a lesson to me, and I was just doing the audit. This happens even today, and this was 15 years ago. So, think about the significance of fraud today, and think about your surrounding yourself, so if you're working in silos, and doing all that, you are opening yourself up even more today, than like, 15 years ago. So, this stuff still happens. She was working her own organization in the bank. That was wild. It was just wild. KS: That is wild. So, a single point of failure can also be a single point of fraud, is what you're saying. TS: A single point of fraud, exactly. KS: I'm a big fan of the Ozark show, and it reminds me of that, all the paper shuffling- TS: Absolutely. Exactly. KS: That's crazy. Well, thank you so much for joining me on GRC and Me. I hope you'll come back for another episode. We just scratched the surface today on hot topics in this industry, and we'd love to have you back, and maybe we can feature a key study, something that we've done together. TS: Perfect. Thank you so much for having me.Risk Cloud® Onboarding
Launch your program quickly with step-by-step guidance from our expert Implementation team.
Risk Cloud® Reporting
Share connected risk insights within the business context.
Risk Cloud's built-in reporting and dashboards aggregate qualitative and quantitative risk data across every business unit so you can share insights and prioritize resource allocation across your environment.Risk Cloud® Differentiators
Learn why leaders like you choose Risk Cloud.
With so many governance, risk, and compliance solutions out there, choosing the best platform for your needs can feel overwhelming. Learn how Risk Cloud's flexibility, scalability, and ease of use separates us from the rest of the pack.G2 Summer 2019 Grid Report for Top GRC Platforms
Download the G2 Summer 2019 Grid Report to learn more about LogicGate and the other top GRC platforms.
Here are some of our highlights from the report: 100% of users rated LogicGate 4 or 5 stars 100% of users believe our product is headed in the right direction 98% of users were satisfied with the quality of support #1 in speed to value with a 7-month ROI—the fastest on the grid 94% of users said they would recommend LogicGateGRC & Me Podcast: Matt Kunkel - Starting LogicGate
CEO Matt Kunkel shares his journey launching and leading LogicGate—a company helping organizations of all sizes bring unprecedented…
EPISODE NOTES Top 3 Takeaways: There's a big need in the marketplace for a technology that’s flexible and dynamic, yet easy to use from an end-business-user perspective. “I took an educated bet that the market was right for a disruptive perspective.” “Everyone is somewhere between ought-to-buy and needs-to-buy a GRC platform.” Resources: LogicGate Website Connect with Matt on LinkedIn Connect with Matt on Twitter Navigant Group Dodd-Frank Ruling GDPR California Consumer Privacy Act Episode Transcript HOST KELLEY SPAKOWSKI: Hi, I'm Kelley Spakowski, and this is GRC and Me, a podcast where I interview industry thought leaders in governance, risk and compliance on hot topics, industry-specific challenges, trends, and more, to learn about their methods, solutions, and outlook in the space. This is the LogicGate story which as it turns out starts with conquering risk, and then taking on a personal risk, right? MATT KUNKEL: It does. KS: And I've got Matt Kunkel with me here. He's our CEO of LogicGate. MK: Thanks for having me Kelley. KS: Thank you for joining. I'm really excited to capture this story about how the committee got started. But, I want to take a back step and understand your background, and what led you to getting the company started. And, funnily enough, we actually attended an event together, the Secure Risk Management Forum in Georgia two weeks ago, and you even mentioned a little bot more of your background that I hadn't heard before, which was you actually had your hands in a couple of projects related to the Lehman Brothers fallout, as well as the Bernie Madoff Scandal, as well. So, I want to hear about that too, because that's incredible. KS: You were born in 82 right? MK: I was. [inaudible 00:01:49] me here. KS: Well, I was too. But, I think that's really incredible considering your background and how young you are, and where you're at. So, tell me more about your involvement in those projects, and then take me to the JP Morgan Chase Project. MK: Sure. Was a Midwest guy, grew up in Ann Arbor, Michigan, but ended up getting out and went to school in Indiana, and was a finance, economics major there, and through school found my way to Chicago, working for a management consulting firm called FTI. And, this is in the early to mid 2000s. And back in those days you needed to know how to code a little bit to really get on the big fun investigations, and one of the partners that FTI landed a job with the Bernie Madoff investigation, and really we needed part of FTIs responsibility and doing all fictitious profit analysis around that so to say. "Hey we need to sue [inaudible 00:02:46] for a couple of billion and give it back to these mom and pops." I really helped coded out the solution that did a lot of that fictitious profit analysis. And then very soon after that, Lehman brothers went bankrupt, and we, myself and my team coded a big part of the solution that unwound a vast majority of the Lehman's transactions on the debtor side. That's really where I cut my teeth in application development, and using technology to solve problems. And from there moved over to another consulting firm, called Navigant Consulting. At Navigant started up their custom app dev group, and really what we did is we built very large-scale, Fortune-100 companies, GRC program's, governance risk and compliance programs, partnering in conjunction with the folks in our financial services practice, in our energy practice, and in our healthcare practice. One of the bigger jobs that we did was to help J.P. Morgan Chase specifically, their mortgage bank, get out of a consent order with the OCC, which is the Offices of Currency Controller, and a big consent order against them. Basically, what was happening is within mortgage there is tens of thousands of regulations that they have to follow from the federal level, but also the state and local jurisdictions that they are doing business in. KS: And this was a result of the that new, the Dodd Frank ruling? MK: Correct. This is part of what came out of Dodd Frank. It was just really more transparency and more, "Hey here are rules and regulations that specifically mortgage companies, banks in general, specifically mortgage banks, need to follow to make sure that we don't get ourselves into situations like the financial crisis again." And, it was just a laundry list of these regulations. And, the government comes in and says, "Okay, Chase tell me how you're compliant with line 12,852 of this huge Code of Conduct, and what policies do you have in place? What procedures you have in place? What system controls you have in place to get compliance with this?" Frankly, there's just so many in there. There's just such a big spiderweb because one regulation could relate to many different business units that Chase has in there. And, those business units could be using different policies, procedures, system controls to follow that. So, there is a huge spiderweb effect that happened, and really just ultimately Chase couldn't provide the visibility and transparency, let alone to their Executive Board, but more importantly to the regulators that they were doing this. KS: And that web that you mentioned, what was that constructed of at J.P. Morgan at the time? MK: Affectionately, what we call duct tape and bubblegum, which is spreadsheets, emails, file shares, a hodgepodge of really Microsoft Office products that they were trying to cobble this web together with. They had failed their consent order twice previously. Then we came in, and really partnered with our folks in our financial services group that gave the subject matter expertise around the specific policies, and controls that needed to be put in place. In my team, we built the technology to really take all those regulations, break them out into sub-components, have a mechanism to assign those sub-components out to specific business units that they apply to, then had a mechanism to do what we call an assessment to say what policy, procedure, system control we have in place. There wasn't anything in place. We had a gap. Maybe if there was something in place, but it wasn't up to date, we have a partial gap. And then what is the process by which we get compliant, right? And those recall findings. We've findings off of that, and then we created action plans, and action items to get those gaps remediated. And, most of the time that was getting policies and procedures up-to-date. Sometimes implementing system controls in place, or sometimes just saying, "Hey, we know that we have a potential gap here, and we're okay with that from Chase's perspective because of XYZ," and that typically was Executive sign off [inaudible 00:06:54] that. KS: Tell me about the Executives you worked with at J.P. Morgan. Who let this project, and just give me a little bit of background on- MK: Yeah, it was from the top. Jamie Diamond was signing off on the ultimate invoices that we were sending Chase. There's a guy by the name of Kevin Water, who is the CEO Chase's mortgage bank at the time. And then there is another fellow by the name of Roland Hargrove, he was the head od special projects for Chase, and he ultimately headed up this project. We work very closely with them at Chase. KS: It's incredible. And how long was this project? MK: Frankly, I think its still probably going on. We started it may be in 2014-15 timeframe, somewhere in there. Part of the reason I think Chase ultimately went with Navigant is, we said, "Hey, we can get you our technologies stood up and running in a very short time period." And they, I think, had realized after failing two consent orders that they needed some technology to actually operationalize the program, and keep the program of regulatory compliance evergreen. They put some resources in stock behind, "Okay, Navigant can actually give us a subject matter expertise, but they have this technology group that can actually execute and build us out. What we need from a technology perspective in a very short order." KS: Got it. And, that was you and how many other people? MK: A small army of people involved in that. Many, many, many developers, many business analysts from our requirements gathering perspective, and many subject matter experts that relates to financial regulatory compliance. KS: Okay. And you guys were holed up in? MK: We're in lovely Jacksonville, Florida for the most of the time. It's great. Great weather. Great to get out of Chicago during the cold winter months, and and hang out there. But, definitely spent some time in New York at the corporate headquarters, and then in Columbus, Ohio which is where a lot of their writing team is, their policy writing team. So, we spent some time there as we were building outcome of the next evolution in phase of their platform which was the old policy and procedure management module application that bolted onto the upfront assessments. KS: Awesome. So when was the, "Aha" like, light-bulb moment for you during this process? MK: Yeah. I was just sitting down, and talking to the Chase Executives, and they were saying, "Love the platform that you've created, [God 00:09:33] helped get us out of this consent order. We feel really good about that. But, there's just these constant change orders coming in for the platform, and frankly it's always gonna happen. And, the business is moving so fast, the regulatory landscape is moving so fast that we're always reliant on you at Navigant. And frankly, that's costing us a lot of money. We would like the platform that our Chase employees in the regulatory and compliance group to be able to make the updates ourself, and make our business analyst make the same updates our dev team is making." And that was kind of the light bulb moment for me. That was the one where I was like, "Well, if we could do that, I really think that there is a big need in the marketplace for a technology that is that flexible in that dynamic yet that easy to use from a end business user perspective, and in an administrator of a platform like that that have no technical acumen whatsoever. Excel is where they live their lives. But, if they can make enterprise grade technology, I think you have something in the marketplace. So, spent some time talking with my two co-founders, John and Dan. Dan was on the technical team at Navigant, and John was on the customer success implementation team. And, really looked at many different solutions that we'd created over this time period, and just came up with a thesis that, it doesn't matter if you're doing a third party risk assessment, or controls assessment, or policy management, or enterprise risk management, or incident tracking, or you need to be NIST compliant, SOCK compliant, ISO compliant, HIPAA compliant. Ultimately, at the end of the day, really what the technology is doing is just a process. We're just logically moving work inside and outside an organization. We're routing that work on a sophisticated rules engine, depending on how the business users are answering and providing data to us. We're automating things that happen on recurring time frequencies in their. And then we're providing some really nice visual appealing analytics, and reporting to get the insights out of that. And that's what we ultimately came up with LogicGate, and being able to use the consulting experience to create and pre-populate that templates so folks have a starting spot. But, then I'll empower them really. And, that's kind of our why is is really digital empowerment, and being able to empower business users in the organization to use very easy enterprise grade technology to transform their organization, and transform their lives too. We really thought that we had something there. KS: That's incredible. So, where were you at personally, when this light bulb moment happened? And, how did you pull the trigger, and decide to leave your comfortable position, and take a huge risk of starting a technology firm? MK: Yep. Practically speaking I was in Jacksonville, Florida in a car with one my co-founders John thinking about this, and bouncing these ideas off of each other, and then we looped in Dan to the conversation. But non-practically, I was in a great spot. I was very quickly ascending at Navigant, and running a very large P&L, and had built out a practice. I spent a lot of time doing that, and a lot of energy doing that, and I got myself into a pretty cushy spot. But, really just saw that there was a huge, huge need in the marketplace for this. And frankly, took a bet, a very educated bet that the market wasn't very big, the market was ripe for a disruption perspective, because most of the technology is quite outdated, and quite antiquated, that a very new, modern, built on new and modern technology, and something called a graph database would would really take off. And, I think we've in a very short period of time kind of validated that thesis. And. now are just working on building them, and scaling the team, and getting more brand awareness around what were doing, and a lot of training and education to customers that GRC can be fairly easy to implement in organizations. Obviously change is always hard. But, if you make the technology very easy to understand for the business user in the first line of defense, that's a big part of it. I think we've got a lot of solid adoption from very large brand names down to very in a 50% mom and pops that need to be PCI compliant, or NIST compliant, or HIPAA compliant in there, and working on the [inaudible 00:14:06]. KS: Absolutely. Well obviously I'm on board. So, really glad that you decided to take the leap, and take the personal risk, and start the company. I think one of the things that is most interesting to me is the fact that this solution, this platform that you built is so applicable, no matter the size of the organization. It's an issue that is relevant to really small startup companies, and really big companies just like J.P. Morgan Chase. MK: Yeah, totally. Our CRO has a saying that everyone is somewhere between ought to buy and means to buy a GRC platform in there, and obviously LogicGate is the one that he thinks is most applicable to that. But, it is. I think ultimately more and more risk and compliance issues are being brought to light. And, there's just obviously with data issues like GDPR, and the California Consumer Privacy Act, and in all the things that are happening with Facebook. Frankly, I just think there's more transparency that the Board and Executives want, and the people to provide that transparency in organizations are the risk and compliance groups in there. So, there's a lot of tailwinds that we have at our back, and more and more cloud saas providers need to be SOCK compliant. And, so how did they do that in a very easy, effective, efficient manner, right? And, technology is really an enabler to help them do that. And that's really what we are. Ultimately at the end of the day we are subject matter experts on risk and compliance. We hire all of our customer success folks come from big consulting firms where they have already done many, many, many GRC implementations, and are subject matter experts on SOCK requirements, and NIST compliance, and PCI compliance, and how to put together an enterprise risk management program. We're just using LogicGate as the vehicle from a technology perspective to make that much more effective, efficient, easier. But, ultimately I look at the company as risk and compliance subject matter experts with a technology wrapper around it. KS: Absolutely. So, we have a mascot at this company. It's the goat. Some people think that stands for greatest of all time, but that's not actually how the goat came to be. Can you give me some insight into how the goat came to be? MK: It's true. Although, I would like to say that we hopefully empower our customers to be the greatest of all time with LogicGate, and that is what the goat now stands for. The origin origin of the goat though was Dan, our CTO, he actually coded out the entire MVP of the platform by himself. Extremely, extremely bright person. I mean honestly, I've never worked with a dev that's so intelligent. And, for whatever reason with what came into his mind every time the application boots up, he did some ASCII art, which is basically art in ones and zeros, and it is a giant picture of a goat in there. And, we're going through a program, and one of the teams next to us saw the boot up script, and they're like, "Oh my God! What is that?" And he goes like, "Oh, that's a goat." And he goes, "You guys are the goats." So, we happily took that name on, and it's kind of just evolved as the company mascot now. But, I have now evolved that into, we empower clients to be the greatest of all time. KS: Love it. I love the goat, and we really do take the goat to heart on the team. I think we passed out goats at the RSA conference. MK: We did. They were huge hit. We passed that about 500 little stuffed goats that everyone very much enjoyed. KS: That's great. So we're building a goat community, and hoping that you join us. So, just to round things out here, what's next? What do you envision for user community, for the platform, and for the company? MK: Yeah. You know I think the ultimate vision is we want to be the number one player in the GRC market. And the way to do that is to make our customers and clients hyper successful by using our platform right is, how do we honestly advance our customers career, and the champions in those organizations that are using our platform? And, if by using our platform that evolves their career, and that gets them the higher points that they want to, ultimately I think we're going to win, right? And, it's always just a customer centric view and focus that we have at the organization. And then everything else of where the company wants to get you in the heights that we can get to, I think that that is 100% achievable with the size of the market, and the fact that there is no real clear cut player in the GRC space, or IRM space right now. So, everything is focused on the customer. We take care of the customer, ultimately they're gonna take care of us, and ultimately LogicGate's going to be a huge success. KS: Awesome. Thank you so much for joining me. On my next podcast episode I'm actually talking with Terry [inaudible 00:19:15] from Secure Risk Management. We're going to be focusing in on trends in small banking and what they're experiencing, and risk and compliance. So, this was great, great story and background in our experience in that space specifically. MK: Awesome. Can't wait to tune in to listen to that. KS: Great. Thank you. MK: Thank you.Enterprise Risk Management Solution
Learn More About Enterprise Risk Management With Risk Cloud®
Get complete visibility into your organization’s assets, risks, and controls with Risk Cloud’s Enterprise Risk Management Solution. It centralizes and automates every aspect of your Enterprise Risk Management program, so you can get a holistic view of your risk environment, identify areas for improvement, and unlock insights into your future risk landscape.Automating Your Third-Party Risk Management Program
Register to get up-to-date on successfully implementing an automated third-party risk management program.
Many corporations haven’t adopted automation in their third-party risk management programs. The lack of automation can be traced to a few core reasons. Disparate systems, out-of-date data, and inconsistent policies can all stifle a company’s ability to modernize its third-party risk management program—and companies often suffer from more than one of these. When applied effectively, automation can not only help prevent these roadblocks, it can also drive the efficiencies procurement and compliance leaders are looking for. Join this CPE-accredited panel webinar as our expert panel address some key steps to automating third-party risk management, including how to: Manage an up-to-date vendor master to create one source of truth across the entire corporation Leverage automation and machine learning to standardize data governance Drive efficiencies and reduces costs, while ensuring the highest accuracy in your third-party risk management programGRC & Me Podcast: All Things Implementation with LogicGate's Szuyin Leow
Looking for a GRC tool but not sure where to start? Szuyin Leow is here to help! She’s a…
EPISODE NOTES Top 3 Takeaways: Focus on critical items first and make sure you have people and processes in place beforehand. If technology is flexible, you can continue to scale and grow and change your processes over time. Start simple, drive value in one place, and then build that over time. Resources: LogicGate Connect with Szuyin on LinkedIn Read up on Szuyin’s Work on Medium Episode Transcript HOST KELLEY SPAKOWSKI: Hi, I'm Kelley Spakowski and this is GRC & Me, a podcast where I interview industry thought leaders in governance, risk and compliance on hot topics, industry specific challenges, trends and more, to learn about their methods, solutions and outlet in the space. I have Szuyin Leow with me, or Meow as we like to say, because she is a cat lover. A cat lover by night, but by day, she loves helping clients in onboarding and implementation of risk and compliance projects. Welcome Szuyin. SZUYIN LEOW: Thank you. Happy to be here. KS: Thanks for joining me. So I wanted to have you on an episode to tackle the topic of implementation, because it's a big part of a project like this and certainly an area of challenge and pitfalls and I want to help inform my audience about what they need to consider and also help them avoid some of those common pitfalls. So, I'm really excited to have you on and I want to understand first and foremost your background in consulting and why you got started. SL: Sure. Yeah. So, before joining LogicGate, I worked at PWC and was a cybersecurity and privacy consultant, and in that role I worked with a lot of customers in various industries and worked with them on helping them to develop and operationalize their cybersecurity programs. So, that ranged from actually performing some cybersecurity assessments myself to writing policies and procedures to helping more of the C level develop their cyber security programs and strategies. And throughout all of that work, really a common theme I found was that there were challenges in terms of collaboration across teams. There were challenges in terms of really getting to operationalize and automate processes and have centralized views into data. And then when I found out about LogicGate and some of the other technology solutions that were available, really opened my eyes to the opportunities in technology beyond just spreadsheets. That's what got me excited about working for a company where we could really help to build and implement solutions in a more powerful way. KS: Awesome. So when clients first come to you for an implementation, what are the common challenges about getting started? Because one of the things that I find during the evaluation phase is clients commonly, they don't know where or when to get started. Timing and maturity are both things that they're considering. A lot of times prospects will tell me, "Well we haven't quite figured out how we want our framework or method to look, or we don't even have a risk register started," for example. What do you recommend to clients in that situation and where and when should they get started? SL: Yeah, it can be really overwhelming. There is so much to consider in the world of governance, risk and compliance, so definitely can relate to what those customers are facing. In terms of getting started though, there are some key things to keep in mind. First of all, if you are going to invest in a technology solution, you want to make sure that technology is actually going to be implemented successfully, right? So, one of the big things we've found is you can buy as much technology as you want, but that technology is only going to work if you have the people and the processes in place to actually support that technology. And as someone who works at a technology company, maybe there are some people who wouldn't want me to say that, but it's so, so true. So definitely when implementing a GRC solution, you'll want to make sure that, first of all, you have the right stakeholders at the table to provide input on what that technology should include and how it should work. Then you're also going to want to make sure that you have the right processes developed and defined to support that technology. So, definitely getting alignment on those process requirements before you start to even get your hands into a tool I think is the number one thing that I would recommend. Another thing is when customers come to the table often for a GRC solution, they are looking for the full package, right? They want a fully working GRC platform, and if they could have that yesterday, they would want that. While that would be amazing, it's just not realistic. So, a lot of technology solutions out there do have templates available that you can use, but oftentimes you're going to need to have some sort of customization built into the tool, because not every single organization is unique and so your business is going to have its own unique requirements that you need to build into that technology. And that can be a challenging process when you have multiple people involved. And so another thing we found is by focusing on one module or use case first rather than trying to build a full GRC platform all at once and trying to boil that ocean, you can instead focus on one that you think is going to be super valuable and critical to your organization, roll that out first. Give value to your end users so that first process initially, help them buy into that technology solution through that first process, and then get them involved to help roll out the rest of your GRC platform going forward. Both of those things I think are super important in terms of focusing on a critical item first and also making sure you have the people and process in place beforehand. Another thing I would mention is oftentimes customers will get super excited when they see what they can do in a technology solution and that's super empowering and that's great, but sometimes that can lead to customers wanting to try and make whatever they're building initially perfect and they are going to try and almost make it too complex or robust on the first go. And so another thing that I would definitely encourage any person who's implementing a new technology solution to embrace is the concept of keep it simple and less is more, because that will often help that technology to be easier for end users to actually adopt and also just keep it easier for admin users to manage going forward. And certainly if that technology is flexible, you can continue to scale and grow and change your processes over time. KS: Yeah, I think that's a good point. I think it's also something to consider when you're looking and evaluating software. When you are looking at something that is really complex with lots of bells and whistles and that's trying to boil the ocean for you, is that really going to be a good fit? And is that something that you can adopt and get value out of? It might not be. SL: Definitely. KS: Yeah, I like that simple start and driving value in one place and then building that over time. So, in your opinion, is it difficult for small and mid-sized companies to ditch the, we like to call it duct tape and bubblegum, but spreadsheets and email and implement a software solution, and what's holding them back or keeping them in that status quo space? SL: Sure. One of the biggest challenges for small and mid-sized companies is often that risk and compliance teams in those companies could be a one person show or maybe a two or three person show. And because it's a small team that's managing all of these responsibilities, those people are juggling a lot. And for them to throw into the mix, the thought of implementing a brand new technology, that can sometimes be too much to handle and ... KS: Daunting. SL: The scope. Totally. In the scope of all of their other day to day activities. And so I think that's often the biggest challenge, is getting over that fear that by implementing a technology, you're going to lose out on time in other places. Now, that may be true, but what you have to look at is the light at the end of the tunnel, which is by investing that time and implementing the technology that should ultimately, if that technology is good, that should save you so much more time after that technology has been stood up. So, that's one of the things I think that technology providers can look at is showing users how that technology is going to change the way they work and change their effectiveness and their jobs. So, that's definitely one piece. Once you get over that hump, I think there's obviously still some more change management pieces that come into play. It's hard to get people to change their habits and learn something new. So, another thing is if that technology that you found is user friendly and really intuitive to use, obviously that's going to make it easier for these owners of GRC programs to be more willing to invest in that technology and buy into it. KS: Yeah, I totally agree. No pain, no gain, right? SL: Exactly. Yes. KS: But you take into consideration when you're building out an implementation schedule that people have day to day jobs, so ... SL: Absolutely. KS: That's all a part of it as well. Don't bite off more than you can chew and take the time to be thoughtful in how you schedule the implementation activities. So with risk and compliance programs trying to support constant change, how can they be more strategic and proactive, and how can they avoid essentially chasing their tail on these regulatory changes, business changes, as that can be driven by external factors? SL: Yeah, absolutely. I think you hit the nail on the head there that oftentimes we don't have control over those changes. They are so often driven by external factors with changing regulations, changing standards. So I think it's first of all being aware of that and understanding that and then making sure that as an organization you're prepared for that. So again, it comes down to your people and processes, making sure that you have a process defined to handle those changes, and once you've defined that process, making sure that that is clearly communicated across the organization to the appropriate individuals so that they can respond in the right manner. This is something that ideally your GRC technology will be able to support you with as well. We've worked with many customers to help them put together workflows to keep track of these changes and notify the right individuals. So, that's part of developing that process and that program. If you can automate that in your technology too, even better. I think another piece of it is just being aware of trends in the industry to help you be proactive. A great example would be GDPR was all the talk last year when that finally went live, and for smart individuals here in the U.S. Who maybe didn't have to comply with GDPR, because they don't have any EU citizen data. They probably realized that that trend happening over in Europe was eventually going to come here to the states and we're already seeing that with California and CCPA. So, just being aware of where the industry is going and what some of those changes are that might affect your programs and your requirements can help you get a head start on moving your program in the right direction. KS: Right. So, my next question is implementations are risk-taking endeavor in and of themselves. How can companies prepare for and ensure a successful go live and how do they avoid losing that momentum post implementation? SL: Great question. Yeah, so one of the things that I would definitely recommend, really anytime you're making an investment, but especially in terms of implementing technology, is making sure that from day one you have thought about how you're going to measure and communicate your success with that solution. So, that's thinking about what are your objectives and goals in terms of implementing this technology and what metrics are we going to use as an organization to prove that we've actually met those goals and objectives. This is something that we try to work with all of our customers to do in terms of being a implementation provider, because not only is that going to help our customers realize the value of the technology that they're pouring so much time and effort into, but also helps us as implementers to see, okay we've checked the box on these requirements that our customer has asked us to fulfill and we are able to see that we are actually driving value at the company through what we've built and configured. So definitely communicating about those metrics and putting processes into place to collect that data and then report on it later, I think is super critical. One thing to think about in terms of defining metrics and objectives is making sure that you are covering all of the different audiences involved in your implementation. So that includes the end users who every day are going to be working within that technology. If you are working with external partners, like vendors for any sort of third party risk management, getting feedback and input from them, and of course thinking more high level in terms of managers and approvers, directors and sea level, and your board in terms of what high level insights they're looking for from all of your data. So, one of the things we've definitely found with customers is they might not think about these metrics when they're first looking for a technology solution. They start to think about them, obviously once they've gone live and they've built a process, but by that point, it can be hard to make sure ... If you haven't been thinking about metrics beforehand, it can be hard to make sure that your process has actually been built to capture that data appropriately. So, by thinking about it from the very beginning, that can, one help you just stay focused on your target, but also two, make sure that you're building your program and your process and your technology in the way to actually support those metrics. Once you've actually gotten those metrics, I think the other big thing is in terms of communicating the results to those different audiences that we talked about, making sure that you are using those numbers and that data in a way that's going to engage and empower those users and those different stakeholders, especially at the end user level. By having them engaged in that conversation around success and objectives early on, you're going to get so much more buy in from them and really empower them to feel like they are impacting that process and driving change in a meaningful way. And I think that's true both within your risk organization or compliance organization, but also across the business. So, any other stakeholders that you are asking for in terms of action or data that they're providing you, making them feel like they are a meaningful part of the process for sure. KS: Great. When you talk about metrics at a high level, it's things like time spent, cost, right? SL: Definitely. KS: And also resources, like how many resources are involved in executing on this one thing? And what's the cost of those resources? I mean, these processes are involving high level resources, and when they're bogged down by this administrative work, it's really not a good use of that resources time. SL: Definitely. KS: So, those are some high level areas. Anything else that you would recommend they look at for a high level metric? SL: Yeah, I think one thing I'd expand on with the example you just gave, which is a great example, is people will think about time savings as one of the metrics they want to capture, but oftentimes they might not think about it one step further, which is now that you've saved that time, what are those employees that are having that time saved, what are they able to do now with their extra time? And oftentimes you'll find that the efficiencies gained in maybe some of that administrative work they were doing previously, they are now able to spend on some much more valuable, meaningful work that's contributing to your business objectives overall. There are plenty of other things you can look at in terms of metrics. In the GRC space, obviously one of the things we look at is risk levels, and not only necessarily looking at how are we able to overall drive down this risk score for XYZ risk, but also being able to bubble that up to a more holistic perspective across your organization. And you could that down by departments, by geography, by products, by services. So, thinking about the different lenses from which you want to view all these data points is important as well. KS: Yeah, that's interesting. I'm going to go off on a brief tangent, but just today I had a call with somebody who wants to implement the fair risk methodology, which actually quantifies risk and also quantifies the cost of mitigating that risk. And they ... SL: Absolutely. KS: Want to use that to actually go and lobby for budget for things, because they're able to say, "Hey, yeah, it's going to cost us this much to make a change to mitigate, but the risk potentially could cost this much," and kind of use that as a way for getting buy in on budget, which I thought was really interesting. SL: Yes. I think that that is definitely a trend we're seeing as well, being able to use these metrics. Anytime you can put a dollar value on the table, that's going to be more impactful, right? KS: Exactly. SL: But yeah, being able to use the metrics to drive business making decisions and in cases like that, especially when you can put a dollar value on, here's the potential impact that this risk could have, but also when you've then tied to that risk to maybe high level business drivers that your company is working on, or high level objectives and they can see from that objective level, well this objective could be impacted by this risk and this risk has number of dollars associated with it in terms of impact. But then this objective could also be impacted by two other risks that also have dollar values associated with them. And then they can bring all of that together and see the total dollar value of impact that could potentially occur on that objective. And then compare that with the potential dollar value of mitigations you can put in place. I totally agree that, I mean that's so much more data in terms of being able to make smart business decisions on what risk are we going to accept versus what are we going to address proactively? KS: Awesome. So, what trends are you seeing and what solutions are making the biggest impact? SL: Sure. Right now in terms of what our customers are asking us most for, in terms of implementing their GRC solutions, I think there are, we kind of have our big three right now, which is enterprise risk management, of course. Third party risk is huge. A lot of people are looking at ways to get a better handle around the vendors and suppliers that they're working with and what type of risks they might be introducing to their ecosystem. And then the third one is controls management or controls assessments. Those are the top three use cases or modules that we're seeing are being asked for the most. And I would say also have the biggest impact. One thing to point out about those three use cases is all of them have tie ins across the board, across your GRC platform, right? So, from the enterprise risk management perspective, a lot of times those enterprise risks are tied to controls or policies. And so having a platform where you can manage both your enterprise risk management solution and your policy and procedure management solution, and then tie those together and see the relationships between them, so critical. Same thing for third party risk. You'll often want to be able to see your third party risk assessments in the same solution where you're managing procurement and contracting of those vendors, and link those to IT risks or enterprise risks that you're tracking in your GRC program. So, definitely that points, I think too, another big trend to just overall, which is getting a place where you can centralize your data and get a holistic view into risk across your entire organization. In those three that we just mentioned, there are so many different teams across an organization that impact all of those different use cases, compliance teams, risk teams, IT security teams. There are so many people that work together to get that overall GRC program to run. And one of the biggest challenges that companies often face is they don't have a solution that allows those teams to really seamlessly work together and collaborate. So, one of the biggest things that technology solutions can bring is that centralized repository where teams can make decisions together and really see those relationships across their different business units. KS: Yeah, I would agree with that. And I think that vendor risk management being one of the key areas that's a hot priority right now is it relates back to that, making the case for the dollar impact, because vendor management is enabling you to do business with other vendors, which is helping grow your business. So, I think that's indication as to why that's one of the hot areas. SL: Definitely. Yeah. And in general, I think that whole concept of using risk to inform your business making decisions just ties into the overall trend of trying to be more proactive and strategic with the information we're getting from our risk programs and making sure that from the very beginning we are tying our risks to business strategies and objectives. And when we do that, we are, as we alluded to earlier, able to make GRC something that is cared about at the board level and make it just a much more meaningful conversation topic. KS: Yeah. Changing it from a dark rain cloud above your head to actually something that is meaningful and easier and exciting to discuss, because you're able to see ahead and take action and make a change that's positive for the business is key. SL: Definitely. KS: Yeah. Well thank you so much for joining me on this episode of GRC & Me. I hope to have you back, because there's so much more to discuss. I think we just scratched the surface. But implementation is definitely a major area of concern when clients are looking at these projects, and I'm really glad that you came on and kind of shared some of your techniques and advice for that process and I think it was really, really helpful. SL: Well, very happy to be here. Thank you Kelley. KS: Thank you.[Video] Third-Party Risk Management Solution
Learn More About Third-Party Risk Management With Risk Cloud®
Risk Cloud makes it easy to assess and report third-party risks from one automated platform. It centralizes and connects all your vendor information, controls, audits, and documentation – so you can efficiently assess third-party risks and implement strategies to improve your risk posture.GRC & Me Podcast: Matt Kunkel on the Key Benefits of a Flexible Data Model
On the show today we have Matt Kunkel, CEO of LogicGate, a leading GRC process automation platform. Matt…
EPISODE NOTES Top 3 Takeaways A data model is the underlying architecture that underpins any GRC program. We live in a world that is constantly moving, changing, and evolving. That’s why flexibility in business systems is key. Flexibility means being able to put a program in place on day one, without a final vision of where it’s going—it can change and adapt to changing requirements along the way. Resources: LogicGate Website Connect with Matt on LinkedIn Connect with Matt on Twitter Episode Transcript HOST KELLEY SPAKOWSKI: Hi, I'm Kelly Spakowski and this is GRC & Me, a podcast where I interview industry thought leaders in governance, risk and compliance, on hot topics, industry specific challenges, trends and more to learn about their methods, solutions, and outlooks in the space. Today I have with me Matt Kunkel, CEO of LogicGate, to discuss flexible data models. MATT KUNKEL: Hi, Kelly. Thanks for having me. KS: Thanks for joining. I want to understand your background. I know you have a lot of experience in risk and compliance projects, specifically in the financial market sector. Tell me a little bit more about your background and how you got started. MK: Yeah. So I spent probably the last 13 years in the consulting space developing risk and compliance applications for very large organizations like JP Morgan Chase and developed their regulatory change management application, and then their policy management application, things for Sanofi Aventis, which is a very large pharmaceutical company developing their enterprisers' management, applications, things for Facebook. The list goes on and on. MK: And really just, we were doing custom application development which means you needed a custom data model for each specific application that we were creating in the space. KS: Very interesting. And I understand you were a part of some pretty high profile projects, things related to some regulatory requirements. Can you tell me more about those projects? MK: Yeah. So, we, the big one I think that you're speaking to is at JPMorgan Chase and getting them out of a OCC consent order, and really what that revolved around was, they had all of these mortgage banking regulations, so about 30,000 plus federal, state and local mortgage banking regulations, and then what the office of currency control wanted to know is, how is Chase compliant with those? What policy procedure system control do they have in place? What is the evidence that they can provide that they do have this in place? And if they don't have any evidence, how do we actually get that evidence in place and remediate that. Right? And you can think about that. That's a big data model. We've got structures of the regulations and then those regulations ties to the different business units that they're associated with, it could be one or many. Those tie to the different assets that they're using to provide evidence for. That could be a large amount that are more policies and controls, but it could be a system control. That then tied to an assessment of, yes, we are compliant, no, we're not compliant, maybe we have a partially compliant, we have a gap. That then tied to a whole system of, if there was a gap, how do we remediate that gap or sign off on that gap? So, all of those things in tandem combined, that makes up a data model, in the background, and in the foreground who have a nice little application that provides the data up to you nicely and moves things along in the process and makes sure that the end business users get the data that they need in a timely manner. KS: Right. And that is a perfect segue. So, with this, obviously, flexible data model is really key. And now that you're in the GRC solution provider space I think you really understand that in your innovating here. So, why are data models so important to an effective GRC program? MK: A data model really is the... and it's not just the GRC program, it's any program. A data model is the underlying architecture that pins the program that we are providing in here and that we're delivering up. I think specifically when you're talking about the flexibility of the data model, where that comes into play and why that's important, is because of many different reasons. The change that happens in the organization and rapidly, rapidly changing. Two is because nothing in the organization is permanent, so if you start with something down the road you might not know where you want to go and you need the flexibility of putting something in place day one, but not having the final vision of where it's going, and you can have the flexibility to morph along the way. And three, is it presents different approaches. And maybe, for example, one business unit wants to do something one way with their processes and their procedures and another business unit wants to do something in a totally different way. That's not saying one's better than the other, it's just how the organize their business and do their business. But then, having that roll up to a larger holistic view in there. That's really kind of what having that flexible data model allows organizations to do. And if you have a traditional data model, it is a upfront, we define the processes and the programs and the protocols and how we want our systems to work. And then we've defined that. And then we build that and implement that and put that into place. The problem with that is that it's just not realistic. We don't live in a world that is static. We live in a world that is constantly moving and constantly changing and constantly evolving. The business landscape evolves, the regulatory landscape evolves in here, we get into new lines of business. And specifically, as it relates to risk and compliance, they're put in place to monitor the business, and provide transparency to the executive team and the board on how the business is performing, as it relates to regulatory, risk and compliance matters. And if the business is moving, they have to move ... KS: Mm-hmm (affirmative) MK: ... and if they have to move, the technology that they're using to operationalize their business has to move. And if you have a nonflexible data model in there, a framework data model, that means that change is just dramatically stunted, and you can't make efficient change in the manners in which you want to. And that means, time and also cost. KS: Yep. On one of the issues you touched on is that lack of vision. I hear it so commonly from risk and compliance professionals. Well, we don't know what we don't know yet. So, I think that this is a really interesting way to allow for that. It's okay, you don't have to know because the data is going to move with you. MK: A great point on that is, I was talking to Asiso and he gave me just an amazing, amazing kind of analogy about this. And he said, "Listen, I look for someone on my team for a job that I need to fill today. But really, what I'm ultimately hiring 'em for, is down the road, what I believe they can do and be within the organization. Right. I don't know what that is, I don't know what that's going to be yet. But I'm hiring them for where they can grow into." He said. When we evaluate software, that's what we're looking for as well. Right. We're looking for a piece of technology that can meet the need that we need today, whether it's third party risk management, or IT risk, or policy management, or controls management, or employee attestation. But ultimately what we want is a technology that is flexible enough and nimble enough, that can morph with us at the organization changes and evolves down the road. KS: Right. And not only that, but support different types of maturity levels and complexity, too. MK: A hundred percent. KS: Awesome. The flexible data model, you kinda already touched on this, but I want to dig in a little bit to understand how it's really different from other data models. Can you elaborate on the key differences... MK: Yeah so traditional, kind of relational, data model, that's like a sequel or an oracle, kinda those are the big, two traditional data bases behind these models. They're just frameworked, right? And what we do is when we, and actually the development methodology is called waterfall. So you define all of your business requirements up front. You get a bunch of stakeholders in the room. You identify, kind of, you know what are the requirements in here. What are the business processes that need to be supported? How do we scope all that out? What are the data we need to display and collect? And we create tables, and those tables link together and you create a framework data model. And then, probably within the last, I'll call it, I don't know, decade or so, six and ... probably really an earnest, the last four, to five, to six years, different data base technologies come out. No sequel. Neo4j is the one that we use, and is the one that I think is a big player in the market. It's a lot of what the social networking sites are built on top of. And what that allows you to do is create relationships with different entities and these really tables that can very easily be linked together on the fly, real time, without having to define the architecture upfront and knowing exactly what you want to build, upfront, in here. KS: Very interesting. So, why would somebody choose this model over another? And what are the key benefits? MK: Yeah, I think, there's a couple reasons, right? And I think some of them we've hit on. One is if they are a hyper growth company, that doesn't know where they're going to be 12-18 months down the road. And they want to start now, right so they can get something up and running. But it allows them the flexibility to as their organization morphs and evolves, and as their programs, the risk and compliance programs morphs and evolves, very easily able to update the technology on that. That's one. I think, two is, we talked about this a little it, it allows for different approaches, right? We don't have to have one framework data model, we can have multiple data models running on the same, kind of platform that focus on our IT risk management group, and then maybe how marketing is doing their risk management can be wildly different, yet still roll up to kind of the holistic enterprise view in there. And then lastly, I think it's, just change is happening so rapidly these days, right? Businesses are moving and evolving so fast, and so is the regulatory landscape, that it allows organizations to not be pigeonholed to one frameworked environment. And then if they want to change it in six months, you know, that's another six months to get up and running, right? You can very easily be able to change the underlying architecture. And then, ultimately, I think different organizations are doing things in different ways. KS: Mm-hmm (affirmative). Do you think that's why some of the old ways of doing things ad hoc in Excel and email, and whatnot, different drives and different documents, do you think that's maybe why that's persisted. Because change is happening so rapidly that some technology can't keep up with it? MK: Oh, for sure. I mean, I think that's a big part of it, right? And I think another big part of it is they see themselves and say, "Hey, this is where we are today." Right? "And we're using spreadsheets and emails and we'd love to use the technology, but it's going to take a big lift to get how we do things today into the model that this piece of technology is built around." Right? This frameworked model, in there. A lot of time and a lot of cost in that. And with a flexible data model, it is a much dramatically smaller lift to take, "Hey! This is what we're doing today and these spreadsheets and emails and file shares and Microsoft Office kind of product, and get that into a very robust, enterprised technology that gives you the audit ability, that gives you the automation, that gives you the efficiencies in there as these larger tools, but it allows them to wrap exactly how they are doing something around their process with the technology. The technology just wraps right around that. KS: So valuable. Why do you think the data model flexibility is important to the future of organizations? And how do you see this innovating how we do business? MK: Yeah, well, I just think the big thing is the rate of change within the world, right, and in organizations specifically. You know, it's exponential. That is something that I don't think anyone would disagree that is going to slow down in any way. So as we are changing from a society and organizations faster, and faster, and faster, the technology that we are using to operationalize, frankly, our lives and how we do our work, needs to adjust and move and change faster, and faster, and faster. And if you're built on very nimble, flexible technology and date models, you're able to do that. KS: How do you think this is going to influence industries? Not just companies, I think that value is pretty clear, but how do you think this will change industries and how we're doing business? MK: Yeah, it's a good question. I think, kinda, the jury is still out on that one. And we'll see over time from an industry perspective. But, ultimately what it will allow us to do is get to places from a peer industry perspective faster... KS: Mm-hmm (affirmative). MK: ...then we have gotten there ever before, right? Just, it's a trickle down effect. If the companies are moving faster because they can morph and change and evolve, and adjust faster to market trends and other factors out there, then just industries as a whole are going to bolster up and be able to move faster. KS: What innovation is developing from the flexible data model? MK: Yeah, so the data models that, I mean, the big ones that are out there are kind of the no sequels of the world, then you know, 4Js of the world, but I think there's a lot of innovations that are trending from these flexible data models. And what folks in organizations are able to do with them, and frankly it's the applications internally that they're able to create in a very short time period. It's almost creating, what I'll call citizen developers... KS: Mm-hmm (affirmative). MK: ...meaning that analysts, folks with no real technical in coding experience, can actually build out applications to enhance and make their business lives more effective and efficient. And then really change, that will allow organizations to kinda change the trajectory and how they're going and their growth patterns and what they can provide to their consumers and their customers. KS: I think that's such an interesting point. You know, and I think that actually speaks to how it's changing the way we do business. If you think about the past, there was a really had line between IT and the business units. And IT really controlled all of the technology and ownership of that technology. And really, things are changing. And users are way more technically savvy. They're leaning in. They want more ownership over their business solutions. And so I think that this is making that kind of tech more accessible to them. And spreading that technological resource across the company a little more evenly, too. Which I think is giving the business side more agility and strategy over technology and data. MK: One hundred percent. I couldn't agree with you more. KS: What if advice to you have to organizations who want to move towards this model? MK: I would say, move and move fast. And the reason why is you can always change it later, right? That's the beauty of the flexible data model is that you get up and running with something and then inevitably, as your business morphs and changes, or evolves or if it just wasn't initially thought out in the way that it practically works, it's very easy to change going forward. So, move and move fast. KS: That's a great point. And you've helped companies move from an old model to this flexible data model. MK: Mm-hmm (affirmative). KS: What obstacles did they have? And were they just perceived obstacles and how did you help them overcome that? MK: Yeah, I think the biggest obstacle, again, moving from whether it's the Microsoft Office Suite and spreadsheets and emails or a legacy plot form on to something new, is just change management and then option. And getting that rolled out within the organization and making sure that the appropriate buy in from stakeholders are there. But from a technical perspective, there's not really a lot of large obstacles when moving from, you know, spreadsheets, emails, file shares, to a flexible data model, or from a legacy technology system into a flexible data model as well. KS: Fantastic. Well, this was really interesting conversation. I think that the flexible data model is super exciting. I think if you're in risk and compliance, really any function, you should be thinking about this and demanding it of your business solutions. Because it's going to allow you to be much more agile. So thank you so much, Matt, for joining me on this episode to talk about flexible data models. I'm sure I'll have you back on to talk about other things. We can even do a deeper dive on this. But this is a really great start and thanks again. MK: Great, thanks for having me, Kelley.GRC & Me Podcast: The Why Episode
What if you could hang out with GRC experts, ask them about their favorite methodologies, tools, and tips,…
Just like the billion-dollar GRC industry it covers, GRC & Me helps companies achieve their revenue goals while managing risk and compliance issues with integrity. This podcast is perfect for you if: You’re in a role concerned with corporate governance, risk management, or compliance (GRC) You want to protect your company and your brand, or… You simply love GRC like Kelley does! Tune in every month to learn from GRC experts and thought leaders, catch up on industry-shaping news, and better understand the decisions that drive results in your company. Connect with Kelley on LinkedIn. Episode Transcript KELLY SPAKOWSKI Hi, I'm Kelly Spakowski and this is GRC and Me. This is our very first episode. So if you're tuning in, thank you and welcome. I'm glad you found me. Why am I starting a podcast? Well, I work in risk and compliance and I want to bring a voice to professionals in GRC. GRC stands for governance, risk, and compliance and encapsulates many different processes that help assure organizations reliably achieved objectives, addresses, uncertainty, and acts with integrity. This podcast is a safe space for knowledge share on pertinent topics, shaping this increasingly important responsibility and complicated endeavor. So if you're in a role that requires risk awareness, if you're concerned with mitigation, if you're a chief of something, if you have a GRC title. Maybe you love compliance, and I know there's folk that do, or maybe you simply just love your company and you want to protect its brand at all costs, tune in and please join me. Avoiding risks tends to be a thankless job and only the big catastrophes get the headlines. But really it's the day to day mitigating work, the small corrections that avoid the iceberg. And that's what I want to discuss. I will be interviewing thought leaders in GRC discussing everything from hot topics, methodologies, frameworks, cultural nuances, you name it. I want to hear from you. My goal is to enable those in risk and compliance to be business enablers and an ally to revenue growth. With that mission in mind, we will look to share stories and lessons that rarely get discussed or celebrated in the goal of making an impact on your ability to drive change and also support a positive trajectory for not just your company, but your career. In my next episode, I'll be meeting with Matt Kunkel, CEO of Logic Gate. Definitely tune in and I can't wait to share. Thanks so much.GRC & Me Podcast: Michael Rasmussen, the Father of GRC
In today's episode, GRC2020.com founder Michael Rasmussen joins us to discuss agile solutions and all things GRC. He…
EPISODE NOTES Top 3 Takeaways It’s important to first establish what your company is trying to accomplish with its GRC program. Frameworks are like the human body; you've got multiple systems involved. All those come together to help form a GRC program. In light of data breaches, consumers are picking up on privacy. They're demanding better practices with their personal data. Resources: Connect with Michael on LinkedIn Connect with Michael on Twitter GRC 20/20 GDPR California Consumer Privacy Act Ten Thousand Commandments The Competitive Enterprise Institute Episode Transcript Michael Rasmussen: At the end of the day, GRC is something organizations do, it's not something they buy. I get frustrated when an organization comes in and tells me; We just bought GRC, now come and tell us how to do GRC. That's putting the cart before the horse. What are you trying to accomplish? And from there, can we establish what technology's going to help us accomplish that? Kelley Spakowski: Hi. I'm Kelley Spakowski, and this is GRC And Me, a podcast where I interview industry thought leaders in governance, risk, and compliance on hot topics, industry-specific challenges, trends, and more to learn about their methods, solutions, and outlook in this phase. Today we have Michael Rasmussen with us to talk about all things GRC in general. Really excited to have him here. He is known as the father of GRC. Michael, welcome. MR: It's a pleasure to be here. KS: I'm super excited to have you on because you are the father of GRC. Can you give me a little bit more about how that came to be, and how you got involved in this industry? MR: Well, I... there's a dichotomy because there's a what GRC is, but then, there's also how I came to formulate GRC, because GRC is much broader than technology. But, as far as the GRC acronym, back in February 2002, I was working at Forester Research, and it's been seven years at Forester now, 12 years on my own. But, in 2002 on a cold snowy day in the Chicago office of Forester, I just got done with a briefing on a solution that can map risk and controls, and policies, and I; Wow! This is great. MR: When I was an IT Security Consultant in the Chicago [inaudible 00:01:43] markets, I was looking for something just like this. And so then, there's a whole market for this. And so, what do we call it? And at that point, you know, I thought; Well, it has a governance aspect, of, you know, understanding what our objectives are, and the risks to those objectives, and compliance obligations, and so, labeled it GRC, thus creating the GRC market. MR: Now, what's important to understand is, GRC's more than technology. In fact, every organization does GRC today, whether they call it GRC, ERM, IRM, XYZ, ABC. Everybody's got some approach to GRC, whether they use the acronym or not. You're not going to find an organization that says; We don't govern the organization, we can care less about risk or compliance. Every organization has, you know, some approach to Governance, Risk Management, and Compliance. MR: And so, to me, what's important to understand is that, while there's a market for GRC technology, at the end of the day, GRC is something the organization's do, it's not something they buy. I get frustrated all the time when, you know, like an insurance company called me in and said; We just bought GRC, now come and tell us how to do GRC. That's like putting the cart before the horse. KS: Right. MR: It's like, you're doing GRC already today, in some aspect. What are you trying to achieve? What are you trying to improve? How do you want to make things more efficient, effective, and agile? And then, let's talk about how to improve that, because there's some foundation of Governance, Risk Management, and Compliance, whether it's reactive firefighting through more structured and integrated, every organization's doing it in some way right now. KS: Yeah. That's interesting. So, when they say, help me do GRC, do think they're actually referring to; How do I operationalize this? Because, traditionally, we've just had, you know, Becky or one, you know, one person that actually own GRC for the organization. MR: Well, the challenge is, we've had multiple owners of GRC. And, it reminds me of the Winchester Mystery House in San Jose, California, the sprawling mansion that was built in the 1800s. It cost 5.5 million dollars to build in the 1800s. That's one expensive house today when you're calculate inflation. It had, it was built over 38 years, and had about 140 different builders. At the end of the day, it doesn't make a lot of sense. MR: It's got 10 thousand windows. It's got doors that open to walls, 20 foot drops of staircases that go up and down to nowhere. Skylights are in floors instead of ceilings. That's most organizations' GRC programs today. Over the last 38 years, they had to have 140 different builders of GRC in different departments doing their own little thing and manual processes or point solutions, without thinking big picture of how this should be designed. MR: The Winchester Mystery House had no design, no blueprint, no architect, but had 147 different builders. You know, that's exactly where organizations are at with GRC in a lot of cases, is they've had all these different builders without stepping back and saying; How can we design this? KS: I love that analogy. I like that return on investment too. I think I'll run with that. That's a good Segway to, you know, talking about how GRC is really moving from a nice to have, into a priority for a lot of organizations. What do you see going on there? Why do you think that's happening? MR: A lot of it is coming from multi-faceted environments. There's a lot of regulatory change, changing laws, rules, regulations, enforcement actions. It's not just the regulation itself, but, it can be the enforcement of that regulation. You know, global financial services firms are doing a 216 regulatory change events every business day, coming from 905 regulators around the world. That's just one aspect. We're not even talking healthcare and all these other industries. So, lots of regulatory change. There's lots of risk change, changing geopolitical risks all around us. Changing economic risks. Changing technology risks, and society, industry demands. But, at the same time, the business itself is changing. You have changing strategy and processes, changing employees, people moving from one department to another. And people that enter and exit the organization. Third-party risks of changing vendors and suppliers, and outsourcers, and service providers, and contractors, and consultants, and temporary workers where half of our insiders are no longer employees, but they're third parties. MR: And then, the whole area of mergers and acquisitions, and how that impacts and organization. The challenge there, in answering your question, is, you have to keep all that change in sync. Now, I can devote a ton of experts to be knowledgeable about regulatory change, but that doesn't make me compliant. As the business changes, I'm out of compliance. I've got to keep the business change in sync with the risk change, in sync with the regulatory change. And, that's the challenge. KS: Mm-hmm (affirmative). Yeah, great point. So, what we've found is, a lot of organizations, who are looking, or maybe are kicking the tires with solutions to support GRC, and a change, really, in GRC. They, up until this point, have been essentially keeping the lights on. Why is that not a fit anymore? And, I think you've kind of just said it, because all of these moving pieces are not in sync. But, can you elaborate more on why an organization should really ditch the spreadsheets, and email, and have a strategy around GRC? MR: Partly, to answer that, first off, it's because organizations are distributed, dynamic, and disrupted. You know, we've distributed operations across third-party relationships, around the world, and all these different interactions and transactions. And, it's very dynamic and distributed. And, it's dynamic in constantly changing, and it's just referencing on regulatory change, risk change, and business change, which leads constant disruption as well. In that context where you're trying to manage things, the lot of manual processes things slip through the cracks. Things get missed and overlooked. And then, we get into hot waters. I was talking to one bank, in which, you know, they went to more of a technology approach for defensible GRC. Because, the Federal Reserve had come in and said; You're not going to pass your next regulatory exam if you continue to manage GRC in documents, and spreadsheets, and emails. We want to see a complete record, auto trail, a system of record. What was assessed? What day and time? Who assessed it? Then somebody came back a week later, or two weeks later to try to paint the rosy picture to get the organization out of trouble, or, you know, bypass the regulator. They want to see that day and timestamp of that complete auto trail and history of all those different interactions on the assessments, and controls, and policies. Documents, spreadsheets, and emails don't get you that system of record and auto trail that the regulators and auditors are starting to look for. On top of that, you know, it's around efficiency, effectiveness, and agility. How can I make my processes for related to GRC more efficient? Time saved. Dollar saved. More effective being accurate, complete, thorough, as well as agile and responsive to a dynamic business environment. You know, one organization I was talking to is spending 200 FTE hours building an interview report for the Board of Directors and Compliance. Now it takes them less than a minute. But, if it takes you 200 FTE hours to build a report, you're certainly not agile. KS: Yeah. MR: And, if you're trying to find transient patterns and see that where things are going wrong, and if you're doing that once a year, and it takes you 200 hours to build that report, things are slipping through the cracks, and big issues are going unnoticed, if you don't have that at your fingertips. That's an issue. That's a challenge in organizations. We need that visibility. And, documents, spreadsheets, and emails don't get us there. They don't allow us for that ongoing monitoring, and instant understanding of what's going on in the environment, and being able to identify key risk indicators and trends that can be monitored on a minute by minute, second by second basis. KS: Great point. So, for the organizations who are now realizing; Okay, we're ready to take on GRC, they're past this point. And, they're looking at how they can be more strategic in a GRC strategy. There's a lot of different frameworks out there. How do they decide what framework is the best fit? And then, how do they actually take a technology, operationalize it, and then build a strategy around that? MR: Great question. There are a lot of frameworks. And, frameworks are like the human body. You look at the human body, you got multiple systems involved. You've got the skeletal system, the muscular system, the nervous system, the respiratory system, the digestive system. You know, that's like frameworks. There's frameworks that can model the different parts of, like, the body of different components of it. You know, you got risk frameworks. You got compliance frameworks, and audit frameworks. And so, all those come together to help our former GRC program. There's no one framework or standard out there that is a perfect fit for every organization. And so, it's about taking these frameworks, and applying them to your organization, modifying them, so that it makes sense for your organization. And, like the human body has different systems, we might bring together different frameworks to build and compose that. Now, the sort of uber framework to sort of manage all this, that I like is, the OCEG GRC Capability Model. Now, I helped contribute to that, so, I've got an interest in that. But, you know, when we built version one around version three of the GRC Capability Model, now, we've looked over a hundred different, you know, frameworks and things out there from Australia, New Zealand, 4360 was the management standard, which became ISO 31000. MR: Did the ISO 27000 standard, ISO 9000. COSO ERM, COSO Internal Control, COBIT. You name it, we looked at a lot of different frameworks and standards. So, what if some of the common Governance, Risk, and Compliance processes and activities across all these frameworks? And from there, we came up with all these components and elements, and each component to be able to manage that. The existing version three includes the learn, where we understand the environment. The internal and external context, stakeholders and culture of the organization from the align, where we identify risk, we... and compliance, and obligations. And, we assess that. And, we define activities. And, from there, we move into perform, and where we document controls. We have new policies, communication and training programs, and hotlines, and incentives for reporting issues. And to be able to manage that process. And then, we monitor where we provide audited insurance and validation of the program. But, it... to me, the GRC capability models are the good uber framework to encompass all of them. But, really, it provides integration. But, I describe the juice and capability models being really a Rosetta Stone of frameworks that sort of provides some of the common 80% commonality between different frameworks. But, the other frameworks are still needed. It's just sort of more of a translation stone. KS: That makes total sense. So, do the decisions need to be made on the framework and the methodology before the technology? What do you recommend there? Because, I think a lot of organizations really struggle. They say; Well, we haven't quite decided how we want to run our program. We don't know what methodology is a best fit. We haven't decided on a framework. So, we're just not ready for technology. Do you agree with that? And, what's your advice there? MR: It depends. KS: Okay. MR: There's always, you know, little factors and things that can influence that. KS: Yeah. MR: To me, I mean, we can talk about an enterprise GRC type strategy, or multiple departments are coming together to cohesively look in how we approach this. Or, we could talk about, you know, very specific department needs, which are easier to get our hands around. If we don't have that enterprise GRC strategy in place, how can I solve department problems? And, what type of solution can I pick out there from a technology perspective that can, not only solve my department problems, but could eventually be leveraged for other needs across other departments as well? Because, if all I'm looking at is my department, I might pick something that couldn't be leveraged with other departments, and might limit me in the future. And so, looking at what could possibly happens is important. Now, obviously, the best point of reference is, being able to understand, and will be able to build that collaboration across departments so that you can select the right framework and technology to fit that. Ultimately, it's good to understand what framework you're going to have, so the technology can be adapted to it. As I mentioned earlier, I get frustrated when an organization comes in and tells me; We just bought GRC, now come and tell us how to do GRC. That's putting the cart before the horse. What are you trying to accomplish? And, from there, can we establish what technology's going to help us accomplish that? And, what frameworks? KS: Great advice. What trends are you seeing, and what do you think those trends indicate? That's a pretty broad question, but, I'm ready for the broad answer! MR: Well, there's growing regulatory concerns across industries. And, changes in enforcement actions, and increased enforcement on that. A lot of geopolitical unrest, and understanding, you know; What's happening in the world right now with different, you know, political regimes, and changes, and shifts, and different trajectories of different countries and things like that? And, what does that mean to a dynamic and distributed business environment that goes around the world? You talk about Brexit and United Kingdom and things. Or, import and exports, and sanctions, or whatever it might be that, there's a lot of things influencing that. There's a lot of shifts and things internally on greater responsibilities and oversight. Compliance is a function that's maturing rapidly in organizations where it used to buried in the legal department. Now, corporate compliance, more and more is reporting outside of legal, in its own entity in the organization. We're seeing trends there. Internal audits being challenged to be able to do more than just traditional internal controls, or financial reporting-type audits, where we see more and more IT audits over years, but now, operational audits, out in business operations, and even third-party audits. There's a lot of different parts of the organization that are very dynamic in shifting and changing right now. KS: Awesome. What success metric should be priorities for GRC teams? When they're implementing GRC technology, what recommendations do you have for achieving those outcomes? MR: I break it down to those three areas of value; efficiency, effectiveness, and agility. The efficiency metric is; time saved, money saved. You know, before, you know, it was taking me this much time and effort, and cost me this much money to do things related to GRC. Now, I've reduced it to this figure. Effectiveness, you know, how more accurate, complete, thorough, reliable is our GRC related information? How timely is it? That also ties into the third element, the agility. How can we keep up with the changing and dynamic regulatory and risk environment, and business environment, and stay current with the changing business? On top of that, agility is also the ability to be responsive. How can we quickly identify issues and resolve them before they become bigger issues? KS: I love that. The effectiveness piece, do you think that's hardest one for people to get their finger on, because maybe they don't have those data points, even, you know, if they're starting a GRC program from scratch? MR: Effectiveness can be challenging. But, I find that a lot of organizations is the efficiency piece. That, they just haven't measured the actual human capital cost of GRC in their organization. As I mentioned the one organization that was spending 200 FTE hours, after they really dug into it to build one report for the Board of Directors. There's multiple reports. That was just one report on an annual basis for the Board of Directors and Compliance. 200 FTE hours, and it now takes them less than a minute. You can build out a value proposition from there. You know, a firm I was just talking to is spending, you know, their competitor spends six FTEs managing their third-party relationships and suppliers. What they spend, this organization, was one FTE, you know, because they have an automated process. You know, six employees, and you calculate full-time equivalent benefits and salaries, and things out there against one employee with the technology that can enable that. Same amount of suppliers, two different companies. Different contrasts. KS: That's huge. So, those are huge numbers. It comes full circle back to that Winchester House analogy and all the time and resources spent on that. You have people that own little bits of it. And so, the work is really spread around and kind of lost in the scenes. That's interesting. So, in a recent GRC 20/20 piece, you contrasted agile GRC solutions with legacy players. How do you define agile, and what do you think is behind the emergence? MR: Great question. The emergence is, technology that's evolved. I've been monitoring this GRC market since 2002. So, we're in 2019, that's, you know, 17 years now. Technology is not the same today as it was in 2002. KS: No way! MR: We have a lot of different technology. And so, some of these legacy [inaudible 00:17:35], they cost a lot of money to implement. I was doing an analysis of the different ROPs I've interacted on, and found that, those that Gardner enforced are put up in the upper right, in the leader's quadrant of the wave and magic quadrant. They typically have a ratio of every dollar you spend on software license, like subscription license, you're spending three to five dollars in implementation and build out. That's expensive. And, those that are outside that, is more of a ratio of .5 to 1.5. And so, I'm not talking management consulting. I'm just talking about configuration and build out of the platform. You know, technology's changed significantly, and the more established, you know, legacy of being with players are very costly to implement and own in the organization. And, organizations are starting to catch up on that, and understand that there's more agile technology available in the market. The way I define agile GRC technologies, one is the user-interface. How intuitive is it to use? How willing and engaging is it, not only for the second lane of defense, the risk and compliance and security officers and managers? As well as the third line and the auto professionals. But, also the frontline employees, the first line of defense. How easy is it for them to use and read policies, go through training, take assessments, report issues and things? You know, so, when an element of agile as a usability intuitiveness. Another piece of agility is the ability of the solution to be easily configured and adapt to the organization without custom coding that breaks on upgrades, or takes six months to make a change with, you know, a certified expert that costs 130 thousand dollars a year to make that change. You know, how agile is the solution itself to be adapted to the organization rapidly? And then, scalability of it too, is important. You know, can the solution scale with me and help me through mergers and acquisitions as the business evolves and changes? That becomes important. KS: Yeah. The adoption to the business, I think, is huge, which I think gets lost in conversation a little bit. The ability to bring the business users who are actually close to the needs and the requirements, regulatory business and otherwise, bringing them closer to the technology, and actually giving them control over how that's configured, I think is huge, rather than passing it off to an IT resource who might not necessarily know the nuisances of the needs of the business. It reduces a lot of friction there. What are the differentiating factors among GRC solutions that will establish industry leadership positions versus ones that won't? MR: First and foremost, to me, today in this agile market that we need, is the total cost of ownership. What is the cost, not only to acquire the solution, but to actually implement, and own, and maintain the solution? There is a LinkedIn post out there from last August that compared, you know, the implementation. I'm not going to name names here. But, of one of the major GRC BMS platforms that Gardner loves a lot, to the lyrics to the song, Hotel California. That, basically, you're trapped and can't get out. You know, they said, after spending 500 thousand dollars in software licensing, and two million dollars in implementation, three years later, they're just getting some basic functionality working. That's not agile. I mean, today's technology for GRC needs to be rapidly implemented and molded to the organization to be able to bring value and return to the organization. To me, that's critical. KS: Yeah, the evolving piece, I think is, you hit it on the nose. I hear that very commonly. People are very committing to a piece of a technology because they feel as though they're locked in to that, you know, initial configuration at that point, which agile solutions are now really unlocking that for people, so, really great point. Do you foresee massive data breaches to continue? And, if so, how will they shape the future of GRC? MR: Data breaches are definitely going to continue. It's just the complexity of the world that we live in. I mean, you go back a couple years ago to the Target breach, one of the largest credit card breaches in history. The doorway into that was an HVAC vendor. The heating and air conditioning had a connection with the Target Network and Environmental Monitoring. And, a hacker broke in. The heating and air conditioning vendor was able to compromise point-of-sales systems across Targets. That's the interconnectedness. Now, the heating and air conditioning vendor is not a traditionally team vendor. But, they're being connected to the network, and were given access. It could be anybody, a supplier, vendor, outsourcer, service provider. Our risks are multiplying with a lot of these third-party relationships. And, over half of data breaches are not with traditional employees, but they're with third-party relationships now. And now, we have a concern with the Internet of things that the next major breach can come from the microwave in the break room that's connected to the Internet. KS: Right. Exactly! Medical devices, multi-function devices often get overlooked. These are all new things that are being folded into the risk profiles. MR: Yep. KS: So, yes. That's fascinating. And, I agree with you. I don't think it's going to slow down. I think it will just increase. How do you expect the regulatory landscape in the U.S. to evolve in the coming years, and especially in light of GDPR and key California Privacy Consumer Act? MR: That's a loaded question! That can get into political ideology and things too, and... KS: We don't need to go into politics, but, yeah! MR: Yeah! But, one thing that happens year over year with whatever administration it is, is regulations and things grow. I mean, one of my favorite annual reads is the 10000 Commandments that comes out of the Competitive Enterprise Institute from Kolkata Institute on that, you know, just that the actual impacting cost of regulation at the U.S. Federal Government, not even talking about State and Local governments. There's a lot that happens in changes. Now, California tends to be a trendsetter. So, what happens in California, other states pick up upon, and then eventually, it might get implemented in Federal regulation, because organizations say; Oh, but I they didn't want regulation before. So, you... now you got to do something, because now we have, you know, 48 of the 50 states doing something here in different ways. We need consistency. And so, you know, when you look at mandatory disclosure laws that came out, you know, a decade ago. California started that. And then, within two years, it was like 48 states had similar laws. You know, now, with California's Consumer Protection Act, which, you know, is very GDPR-like, from the EUGDPR-type regulation, you're going to see other states pick up on that too. And, at some point, organizations are going to say; This is a mess. Because, the government's got to step up and have over sweeping regulation on this so it's consistent. KS: Yeah. Absolutely. And, I think consumers are really picking up on privacy, and they're starting to dial into that, and you know, start to question some of the companies that they do business with. They want to know about their data. They want to know, is it being protected? They want to know how it's being used, because of all the, you know, the exposure that have happened through breaches like Target, and you know, what's going on with Facebook and other social media platforms. Privacy is top of mind. So, whether it's coming via regulation, it's certainly coming from consumers that are demanding better practices with their personal data. MR: Yeah. KS: Thank you so much for joining me on GRC And Me. It's been a great podcast. Your expertise in this phase because of the complexity is just really, really great to have on, and I know my audience will really appreciate it. So, thank you so much for joining me, and I hope you'll join me again. MR: Certainly will. Thank you.Third-Party Risk: Driving Cross-Functional Alignment Across the Vendor Lifecycle
Catch up on modern frameworks and methodologies for managing your network of third-party vendors and suppliers.
In recent years, companies have increasingly come to rely on networks of third-party vendors to help them compete. These vendor relationships are not only more numerous, but more sensitive information is being shared across them as well—bringing a host of oversight concerns including lack of control, cybersecurity threats, and risks to reputation. In this eBook we'll introduce some methods for managing the relevant parties and keeping third-party risks in check. Topics include: Tools and technologies Methodologies and frameworks Risk assessments Security by Design principles Much moreWebinar: Third Party Risk & Driving Cross-Functional Alignment Across the Vendor Lifecycle
Join our panel of experts for an informative discussion on the subject of Third Party Risk Management, from…
LogicGate Senior Customer Success Manager Szuyin Leow moderates a webinar on the topic of Third Party Risk Management, and how to drive cross-functional alignment across the vendor lifecycle. Szuyin was joined by panelists Melissa Ryan and John Madick, Practice Directors at Asureti, a LogicGate partner. During the discussion, the trio of experts covered a wide array of topics pertaining to Third Party Risk Management, including: Third party risk assessments Industry trends Driving cross-functional alignment Consequences of poor third party managementLogicGate and Intradiem: Promoting Trust
Intradiem needed help with a number of its GRC processes, from ISO and SOC2 controls to Business Continuity…
G2 Fall 2019 Grid Report for Top GRC Platforms
Download the G2 Fall 2019 Grid Report to learn more about LogicGate and the other top GRC platforms.
Here are some of our highlights from the report: 100% of users rated LogicGate 4 or 5 stars 100% of users believe our product is headed in the right direction 99% of users were satisfied with the quality of support 7 month ROI payback period on average - the lowest on the top performer list 91% of users said they would recommend LogicGateA Guide to Enabling and Protecting Your Business with Smarter Infosec Strategies in 2020 and Beyond
Learn the four pillars of a sound IT Security program—and why they're so important to your company's mission.
In many companies, Information Security is thought of as something like asset protection—hardly related to the core business activities that contribute to the company's bottom line. In this eBook, we'll explain why this way of thinking is incorrect. Today IT Security is a critical piece of every company's revenue-driving activities—and those that don't recognize it as such could be putting their futures in jeopardy. Download our free eBook and learn how to: Transform compliance into a business driver Shorten the IT audit process Implement a robust Risk Acceptance program Build out an Incident Response plan Perform actionable gap analyses Much moreCritical Actions to Survive a Data Breach in 2019 & Beyond
Today’s organizations face a cybersecurity landscape more difficult to navigate than ever before.
In this webinar you will learn the critical actions for responding to a data breach, security analytics for incident detection and response, determining the extent of damage once a breach is detected, steps to contain affected systems, and much more.Regulatory Compliance Solution
Comply With Constantly Changing Regulatory Requirements and Pass Your Next Exam or Audit
Stay compliant with relevant regulations, automate tedious workflows, and avoid fines with Risk Cloud®’s Regulatory Compliance Solution. Risk Cloud dynamically links regulations, obligations, assessments, exams, and findings in one platform and integrates with regulatory content providers to uncover compliance gaps.Internal Audit Solution
Shorten Time to Audit With a Connected View of Controls, Risks, and Evidence
Identify issues and correct compliance gaps before they are discovered by external auditors. With Risk Cloud®, you can perform due diligence with precision and speed, efficiently collect evidence, and report what matters most to your stakeholders.Environmental, Social, and Governance (ESG) Solution
Use Risk Cloud to measure, track, and report on your company’s ESG goals and initiatives — all in…
Measure, track, and report on Environmental, Social, and Governance (ESG) initiatives to show stakeholders progress and results. Risk Cloud’s ESG Solution improves visibility of ESG-related risks, assesses the impact of your ESG initiatives, and tracks performance across the seven key areas outlined in ISO 26000 to evaluate your program’s effectiveness over time.Applications
Connect, scale, and automate your risk and compliance programs with purpose-built Applications aligned to industry frameworks.
Risk Cloud is home to a complete suite of flexible Applications that transform the way you manage your governance, risk, and compliance programs. Applications address distinct use cases based on widely adopted standards and critical control frameworks, so you can get your GRC program up and running in no time.Operational Resiliency Solution
Build Operational Resilience and Recover From Business Disruption
Plan for and recover from disruptive events faster by centralizing business continuity and response planning in a single, easy-to-use platform. With out-of-the-box workflows and checklists, Risk Cloud® helps you identify and track critical functions, systems, and disruptions from one location.Policy Management Solution
Learn how the LogicGate platform can improve your policy management program.
From drafting, reviewing, and approving policies to tracking employee attestations, Risk Cloud® helps you streamline and automate every aspect of your policy management program. Quickly identify and correct compliance gaps as they emerge and remediate policy violations year-round.How to Build Organizational Support for ERM
Gain support from your entire organization for an enterprise-wide ERM program that can change your risk culture.
The demands placed on risk managers have significantly increased over the past five years. One new responsibility involves becoming the champion for risk-management processes within the organization—not always an easy sell. Download our free ebook and learn how to: Build a business case for ERM technology Create a culture of risk in your organization Use technology to facilitate buy-in for your ERM program5 Practical Steps to Scale Your Vendor Risk Management Program
Listen as GRC experts discuss the practical steps you need to scale your vendor risk management program.
In this webinar, our panelists offer actionable advice on a wide array of VRM topics, such as gaining executive buy-in, conducting due diligence, leveraging automation, and protecting against vendor breaches. You'll hear from: Todd Boehler Scott Schneider Jake Olcott LogicGate's Matt KunkelManaging Third Party Risk in the Age of GDPR
Third-party relationships can add an extra layer of complexity to your GDPR compliance strategies.
Since the EU's adoption of GDPR, there has been a growing focus on third parties that process or store personal data on behalf of another company. In this webinar, we identify best practices for managing third-party relationships with respect to GDPR and how to operationalize your manual processes to ensure compliance. You will learn how to incorporate GDPR requirements into your existing policies and procedures, how to gain visibility into the personal data that leaves your organization, and several other tactics to ensure your organization stays GDPR compliant.[Video] LogicGate: Building the Future of GRC Automation
LogicGate can help your organization reduce risk and ultimately improve operational efficiencies.
The Risk Cloud™️: Building the Future of GRC Automation In this video, you will learn how The Risk Cloud™️ can help your organization reduce risk and ultimately improve operational efficiencies. Leave the spreadsheets, emails, and file shares behind by moving to a robust enterprise-grade solution without the costs or implementation time of legacy GRC software.GDPR Compliance
Learn how GDPR could affect your company—as well as how to manage its many compliance requirements—by reading LogicGate's…
GDPR changed the way all multinational companies deal with EU personal data. In this eBook you will receive an introduction to the eight articles of GDPR and how they affect the storage, protection, and usage of personal data. You will also learn the importance of GDPR Compliance and how it can impact organizations across many industries, as well as how to implement and automate GDPR compliance processes.Third-Party Risk Management Solution
Identify, Assess, and Quantify Third-Party Risks With Risk Cloud
Efficiently assess third-party risks, implement strategies to improve your risk posture, and onboard vendors faster. Risk Cloud’s Third-Party Risk Management Solution centralizes and connects all your vendor controls, audits, and due diligence in one secure, collaborative platform.Risk Cloud® Platform Overview
Build a connected risk and compliance program that scales and adapts to your evolving business needs.
The Risk Cloud™️ can help build a repeatable process for managing the full scope of your GRC processes, including IT Security Risk, Third-Party Risk, Regulatory Compliance, and more. Find out how to operationalize your compliance program by reading our Platform Brochure.Enterprise Risk Management Solution
Risk Cloud puts you at the center of all Enterprise Risk Management processes so you can identify, assess,…
Quickly assess and take action on the biggest risks facing your organization with a connected view of risks and controls. From automations and integrations to dashboards and analytics, Risk Cloud®’s Enterprise Risk Management Solution includes everything you need to assess, communicate, and strategically mitigate enterprise risk.Data Privacy Solution
Streamline and automate data privacy tasks without hassles — all in one place.
Mitigate compliance gaps and quickly implement process changes by streamlining and automating your data privacy program. From data subject access and consumer rights requests to data processing activity management and impact assessments, Risk Cloud® has you covered.Sorry, no results found.
