Risk and Compliance Management: Differences, Similarities, and How to Integrate Them
We often hear risk and compliance management bundled together as a single discipline. While it’s true that risk…
Transcript:
Jack Tanselle: The auditing and the monitoring, if you're doing those consistently, make it nearly impossible for your program to become stagnant, because they all provide output that show you new observations of where you can get better.
Host Megan Phee: Hi, I'm Megan Phee and this is GRC and Me where we interview industry thought leaders in governance, risk and compliance on hot topics, industry-specific challenges, trends and more to learn about their methods, solutions and outlook in this space. On today's episode, my guest is Jack Tanselle. Jack has spent over 15 years in consulting working previously at Eli Lilly and Company and most recently Deloitte. He helps organizations develop strategies to drive results. On today's episode with Jack, we'll discuss how he works with clients today, how you can adopt continuous improvement in your programs and this concept of RAMP. R-A-M-P, what it is and what it means for organizations. Lastly, we'll have an interesting story about Jack's hidden talent, songwriting and performing. Now, here's my conversation with Jack.
MP: Thank you, Jack, for joining us today on another episode of GRC and Me.
JT: Thanks for having me.
MP: All right, so we want to get started and I'd love to learn a little bit about what led you to risk and compliance as a career path.
JT: It was not a preplanned journey. I went to work at Eli Lilly and Company after getting my MBA at Northwestern in the late '90s. I spent seven years in the marketing organization at Lilly, which is how I got into risk and compliance. I did a lot of marketing and strategy work for Lilly. I was hired by a large consulting firm away from Lilly in the mid-2000s with the idea of doing more marketing strategies at work, but one of the very first projects that came to me came through our forensics practice where the question was a global manufacturer has an R&D organization that doesn't know how much it's paying its healthcare professionals annually for a variety of services that health care professionals provide manufacturers. There was no one in the group that had had any experience conducting advisory boards or any other types of services. I had just come from an experience where that was all I was doing. It was a little bit of serendipity perhaps. Nine months later, I got a call from a conference organizer asking if I would speak on what we now think of as transparency reporting and tracking and aggregate spend. I found that a little odd at the moment, but realized that I had gotten into a project that was part of an early wave of an issue for the industry and there weren't that many people that had been involved in projects prior to me getting involved in that one that had had a lot of experience helping a company through that situation. That very project is what flipped me from coming at it from the marketing and strategy angle to that of addressing risk and compliance issues for these clients.
That project led to another one led to another one, and over the course of several years I ended up gaining a tremendous amount of experience helping chief compliance officers in their teams and other risk and assurance functions around a lot of things having to do with the risk that comes with interactions with healthcare professionals, sales and marketing activities, medical affairs activities and those sorts of things.
MP: Thanks for sharing that. I know you're also a friend of LogicGate. You know the LogicGate founders pretty well. How did you come to cross paths with them?
JT: So the LogicGate founders spent some of their time at Navigant Consulting and so did I. Your CEO Matt Kunkel and I worked together pretty diligently on a couple of different projects including one that in fact I think was a precursor to him and the others getting the ideas that formulated later to become LogicGate. We worked together on what was to be a workflow automation around the operations of a compliance department while at Navigant together.
MP: Awesome, fantastic. And so you mentioned, you know, you're helping customers in the healthcare industry, but I know you work with life sciences clients today. You help them with the concept called RAMP. Can you describe what RAMP is and how does it benefit clients today?
JT: I think RAMP is, as far as I know, exclusive to life sciences. It might even be exclusive as an acronym in the context I know it to pharmaceutical companies. Probably a decade ago, one of the large pharmaceutical companies had a corporate integrity agreement with the US government and their risk assessment program had the acronym of RAMP, risk assessment and mitigation planning, because corporate integrity agreements are one of the things that many in the compliance world, whether you're working in house or for a consultant or for a law firm, corporate integrity agreements are one of the benchmarks of the types of things you would go look for to say, "What are the leading requirements? What are the leading trends? What's the government expecting?" Along with say the OIG work plan, other guidance documents that get published. Corporate integrity agreements are a key document, so always check the new ones that come out.
Because of the prominence of this company and the prominence of corporate integrity agreements at the time and the fact that they were the first one to have the risk assessment be included in their corporate integrity agreement, the acronym of RAMP generally caught on with life sciences and again, especially pharmaceutical companies. It's risk assessment and mitigation planning. It's designed to not only be about the risk assessment, but perhaps more importantly to be about the mitigation planning and the implementation and the idea of what more often than not becomes an annual cycle of let's assess the risk, let's identify some places to go, put some resources to mitigate those risks and let's see if we can't close the loop on that mitigation action and then have those actions perhaps serve as inputs to the next year's risk assessment, so you create sort of a virtuous cycle of activity.
MP: In addition to RAMP, do you recommend companies adopt continuous improvement within their compliance programs?
JT: I do think RAMP is a backbone, I mean any risk assessment program, whether you call it RAMP or something else. When the OIG first came out with their guidance for manufacturers on the seven elements of an effective compliance program, risk assessment was not explicitly listed and yet it is implied and many people often refer to it as the eighth element. It is a backbone or a foundational piece of any effective and sustainable program. One of the reasons for that is if it's a scheduled activity, again, probably on an annual basis, maybe it's monthly, maybe it's quarterly, but whatever your cycle is, it creates a dynamic for your program that makes it almost impossible for your program to become stagnant, which is what you're looking for. What are the things that can keep our program from becoming stagnant? Risk assessment is one of them.
Oftentimes some of the major activities that come out of the mitigation planning of RAMP are the auditing and monitoring exercises. The risk assessment is not designed to be an audit of every activity your company is doing. It's designed to scan across the breadth of what your company is doing and to repeatedly and continually assign maybe a score or some other way of weighing or ranking where do we carry the greatest risk and where do we want to put resources to dive deeper into some of those places where we either one, already know we have a control gap that needs to be fixed or two, we're not quite sure what's driving that risk. We're not quite sure how well controlled we are with that area. We need to conduct an audit, we need to do more monitoring.
Those things, the auditing and the monitoring, are also activities that, if you're doing those consistently and you're moving around on the different activities your company's conducting, make it nearly impossible for your program to become stagnant because they all provide output that show you new observations of where you can get better. And so if you're conducting good risk assessment and you're following up with audits and monitoring as well as the investigations that should naturally be happening through your hotline and other ways of people reporting potential noncompliant behavior, those are all dynamic activities. While you've got your other elements around policies and procedures, training and communication that shouldn't be stagnant either, they have a much greater chance of growing stagnant if you're not conducting these other activities that have a chance to point out specific places for improvement. I would really hang on the idea that the RAMP program or whatever your company might call it, as well as the auditing and monitoring that typically comes with it, are the real critical dynamic pieces that keep a program getting better and better all the time.
MP: All right, thanks Jack. Are there any other examples of types of things companies could use or do to pursue continuous improvement?
JT: One other that comes to mind is the idea of assessing the compliance program as a whole. The previous examples we were talking about with risk assessment and auditing and monitoring, those are day to day activities that the compliance program, the compliance department should be conducting every day. Those activities can organically help you understand where the program can get better. But every so many years, two, three, four years, it is worthwhile to have someone else take a look at your program and come in and maybe give an assessment as well as conducting your own surveys with people in your organization, whether it's from the outside or from other people outside your department, getting other people to provide input to you on where the program is or isn't working. It's not part of the natural day to day elements. Risk assessment is not the same thing as conducting an assessment of your compliance program. All of those things can contribute to keeping your program dynamic, identifying risks or areas for improvement. When you add it all up collectively and done routinely, they contribute to a sustainable and effective program as much as anything.
MP: All right, Jack, how do you see things changing in risk and compliance in the near future and then also in the medium to long-term future?
JT: I think the leveraging of technology and automation to drive more efficient work and better decision making is already happening, but I think it will continue to gain momentum within the life sciences world. I know within ... While I don't work in financial services or some other industries, I know that in the banking world and other financial services companies, leveraging analytics has become a critical part of reducing risk and mitigating against risk. I think that pharmaceutical and life sciences companies are working through individual use cases where they've identified an opportunity to automate a workflow, whether that's an inline business workflow or a workflow to help monitor something or to create better use of data that's already available to them to improve their analytics. What I see on a routine basis is many companies have their own distinct use case or two where they've leveraged or found an opportunity to further modernize their program. I think that's going to continue in an individual use case by use case example for many of these companies.
What I think is still to come is for companies to realize the holistic possibilities of strategic automation or modernization of not only the compliance department but all of the assurance functions that share both common workflow as well as use of the same data. For instance, an internal audit function conducts audits. A compliance function conducts audits. A litigation department may also conduct investigations, but that have the same steps in their workflow as the internal audit and the compliance department. There are workflows out there, and I know there are workflows in the LogicGate tool, that feed that concept. And so instead of functionally thinking about your budget as a compliance department or an internal audit department or litigation department, the company as a whole, realizing we have common workflow here, that one platform can help us. There's an economy of scale through that spend that these three functions as an example could benefit from that spend versus just one function. The same is true with analyzing how much money is being spent on certain healthcare professionals.
Those types of questions are applicable to not only the three functions I just mentioned, but to many in the business who want to do that. And so I think life sciences companies are working through a natural maturation cycle, if you will. We're still in the early days of figuring out how one use case can lead to a second use case can eventually get us to a strategic vision of how we can apply many use cases on technology platforms that will allow for that type of flexibility. I think if you don't do that, you're going to be held accountable by government regulators and government officials who have oversight responsibility. Eventually it'll be an expectation that you've invested in technology to improve workflow for better controls in flight and to be able to find data and find certain points of risk faster and better as a natural part of running your business.
MP: In working with customers, those that have been able to gain support and adapt technology to help them achieve those type of goals, what do you think they did well to get that support or what allowed them to be able to take that step forward?
JT: I think, one of the things that comes to mind to that question is that we've seen a number of companies identified that the skillset needs are changing. People who have a law background or an operations background or a finance background who have all been and will continue to be positive contributors to a compliance effort, they may not have an analytics background, they may not understand the technical aspects of what it means to understand where different data sources lie and how to grab that data, how to aggregate that data and then turn that into analytical tools and understand what may come from that. I think there's a skillset and certain companies that we work with have hired people into their compliance departments who are data scientists. I know that several clients we work with have former IT professionals now working in the compliance department where instead of going to ask IT if and how we can do this, they start by having this person maybe do some things for them, again, in that individual use case perspective, create some sort of machine learning tool that allows us to go through a particular use case one of the people in the department may have identified. That's really helping move through that maturation cycle of seeing a particular use case pay off only accelerates everyone involved realizing where else can we do this.
MP: We've talked a lot today about your background and the RAMP process and how you work with clients today, but we've also learned that you have another talent, which is that you are a talented singer. We'd love to learn a little bit more about the origin of that talent as well as your origin of risk and compliance.
JT: Oh boy. I had no idea we were going to go here. Yes, so music was a big deal in my house as a kid. My grandmother on my mom's side loved to play the piano and sing. My mom, my aunt and uncles on that side of the family were all not shy about singing. My sister's a really good singer and older than me. She started singing in church. I thought, "Well I can get up there and do that too." I started singing at a pretty young age at our church, performed throughout middle school and high school and variety shows and musicals. Even at Northwestern, at the Kellogg school, we did a skit every year. During my second year, I helped write a few songs and perform. I wrote a song to the Bee Gees' Tragedy and turned it into Strategy and was one of the Bee Gees, and we went out and made fools of ourselves, but had a really good time.
Most recently in my professional life at a previous firm, we were at an event and one Matt Kunkel and I were on the same team. We were all, each team was assigned to do something, singing to a song and create a parody. How Matt knew this, I don't know. He then turned to the rest of our team and said, "Jack will be our lead singer. We all can just stand behind them and back up." I couldn't believe it that he had outed me like that. It was Heard it Through the Grapevine. We had to come up with some way of pitching a new client on a service by changing Heard it Through the Grapevine. We had to rewrite the lyrics.
MP: Right, fantastic.
JT: Everybody told me when I was done that I was in the lead, because they were scoring this. The last team knew that one of the administrative assistants in the DC office had just finished performing on The Voice. They called her. They brought her over. They gave her their song as a total ringer. I had no chance at that point. When she got up there and started singing and I was like, "Oh, boy." In my little amateur world with some of these other people that tried to get up there, I might have had a chance, but when she started singing, I'm like, "Okay."
MP: Oh shoot.
JT: We all had a great time with it. Great lady. She was great at singing, and so we had a riot.
MP: That's really funny.
JT: Yeah, so thanks for that embarrassing moment.
MP: Uh-huh (affirmative), no problem.
JT: I appreciate you.
MP: Well, you know we at LogicGate, we have an in-house band called Logic and the Goats.
JT: Oh wow.
MP: If you ever want to make your professional comeback, you are welcome to join us.
JT: I think I'd rather stay in the audience and watch them.
MP: That sounds good. Well, thanks again Jack for your time today. Thanks for joining us. This is Megan Phee with another episode of GRC and Me.