Categories
Coffee and Regs

CCOs & ESG – Preparing Now for What’s Next

Categories
Compliance Kitchen

Colonial Pipeline Hack Update


The State Department is offering a large reward to bring those behind the Colonial Pipeline ransomware incident to account. The Kitchen stopped by for more detail – tune in for a quick update.

Categories
Blog

Managing a Multi-Entity GRC Architecture with 6clicks Hub and Spoke

I recently visited with Joe Schorr about managing a multi-entity GRC architecture with the 6clicks hub and spoke model for a sponsored podcast series. You can check out Joe’s podcast here. Joe is the VP and Global Head of Strategic Partnerships & Alliances at 6clicks. He handles global channels, which encompass service provider partners, technology partners and the traditional channel resale role. We turned to the ‘hub and spoke’ model which 6clicks advocates. He said that 6clicks pioneered the evolution from a multi-tenant or federated GRC architecture to a hub and spoke model. The difference is that a multi-tenant or federated approach is seen as much more vertical, up and down the chain. But the hub and spoke is “just like with airline travel, back in the old days of networking, where we had hubs, routers and switches and the computers all hooked to a hub.”
Schorr went on to explain, “in our model, we’re using what we call center of excellence, think of it as the headquarters or the hub or the terminal in an airport. And they have the different wings go out to the different entities.” The architecture can “pull different types of data and analytics from those entities, or those folks are out there bringing them back into the center of excellence.” Additionally, “the center of excellence by the same token can have a lot of centralized benefits like templates and controls which they are able to push out at the same time to all these different entities.” Schorr believes it is “the holy grail of what people have been looking for; to control from a central location really complex information that requires a ton of data flowing both ways.”
Moreover, the hub and spoke approach facilitates a GRC conversation with a wide variety of people. This could include compliance professionals, lawyers, other non-technical folks at the C-suite or executive level, certainly the Board level, and everywhere in between. It helps to define everyone’s role in the GRC and broader risk management process. Schorr said, “That’s the beauty of it because you can craft it. For instance, in a Private Equity company with multiple portfolio companies, there is much sensitive information and not everybody in every portfolio company needs to see what’s going on in every other portfolio company. This approach allows an organization to segregate all that data yet allows you the freedom to utilize the information you want to, as access control is built into the architecture.”
We continued with the example of the private equity firm with multiple portfolio companies, which are sometimes in the same industry, but sometimes not. There is always a wide variety of data and disparate sources of data that you have to pull in. This disparate data has to be collected in a manner that can be utilized by the private equity firm, the corporate office, or whatever the hub might be. At the same time, the stakeholders, corporate subsidiaries or portfolio companies at the end of the spoke might need that data to make tactical if not strategic decisions. Next, overlay reporting to senior management and then a Board of Directors, all in a changing regulatory environment. This hub and spoke architecture can be an incredibly powerful way to collect and utilize data. Schorr explained, “if you are hired to do a risk assessment against 200 portfolio companies, you have a massive set of risk data in all kinds of different things. You have collected data; you have interviews, you have done vulnerability scanning, you’ve done risk assessments, third party risk assessments, vendor assessments, everything you could possibly imagine. That is all rolled up and collected somewhere and a bunch of smart people look at it and we’re all trying to grade it and do things manually and push it around. And at the end of the day, just like you said, this is really important.”
This approach allows you to prepare a Board level or C-suite report. You can also create a functional management report for middle management, as that level is usually the one which must read this, decipher it and then push it out. Schorr said, “there is also a bottom layer which a report needs to go out to. It’s almost a raw data level report that goes out to the people in the field or the people at those portfolio companies who are responsible for fixing things.” The hub and spoke approach to 6clicks GRC architecture allows you to work on all of those levels.
For more information on 6clicks, check out their website here.

Categories
The Ethics Movement

Corporate Compliance and Ethics Week Celebration-Philip Winterburn on Passion Around Data-Based Decision Making in Compliance


In this special podcast series sponsored by Convercent by One Trust, we celebrate Corporate Compliance and Ethics Week 2021. Over this podcast series, I will visit with Convercent by One Trust employees on why they are so passionate about driving ethics to the heart of business. In this first episode, I visit with Philip Winterburn, Chief Strategy Officer at Convercent by One Trust. His passion is bringing the rigor of data analytics to compliance and helping compliance officers make data-based decisions. Join the Convercent Converge community. It is the single best resource for information on all things ethics and compliance related. There are discussion threads, Q & A on specific topics and resources available to the compliance professional. Best of all, it is free. Check out the Convercent Converge community by clicking here.

Categories
Innovation in Compliance

Series Spotlight: Revolutionizing GRC with 6clicks: Part 1 – Managing a Multi-Entity GRC Architecture with 6clicks Hub and Spoke


Welcome to this special podcast series, Series Spotlight: Revolutionizing GRC with 6clicks, sponsored by 6clicks. This week I visit with Joe Schorr, Vice President (VP) of Global Channel Sales; Andrew Robinson, co-founder and Chief Information Security Officer; Stephen Walter, head of Marketing; Dr. Heather Buker, Chief Technology Officer; and Ant Stevens, co-founder and Chief Executive Officer. Over the series, we will break down the 6clicks Hub and Spoke approach, utilizing Artificial Intelligence (AI) and Machine Learning in governance, risk and compliance (GRC), curating and maintaining robust GRC content, producing audit-ready reports, and look at what’s next for 6clicks down the road. In Part 1, I am joined by Joe Schorr on Managing a Multi-Entity GRC Architecture with 6clicks Hub and Spoke.
Join us tomorrow when we take up utilizing machine learning and AI in your GRC practice with Andrew Robinson, 6clicks co-founder and Chief Information Security Officer.
For more information on 6clicks, check out their website here.

Categories
The Ethics Experts

Episode 095 – Joseph Murphy

In this episode of The Ethics Experts, Nick welcomes Joseph Murphy, senior advisor at Compliance Strategists and director of public policy at SCCE, to the show.

Categories
Creativity and Compliance

Corporate Compliance & Ethics Week, Part 1-Introduction


Where does creativity fit into compliance? In more places than you think. Problem-solving, accountability, communication, and connection – they all take creativity. Join Tom Fox and Ronnie Feldman on Creativity and Compliance, part of the Compliance Podcast Network. With this episode Ronnie and Tom begin a five-part series on creative ideas you can use during the 2021 Corporate Compliance and Ethics Week.
In this Part 1, we discuss what we will communicate in the series. In our first Siskel and Ebert Point/Counter-Point, Ronnie comes in smoking on what he thinks about Corporate Compliance and Ethics Week, and Tom takes a more lawyerly, measured approach. Tom and Ronnie both agree that Corporate Compliance and Ethics Week initiatives should only be seen as a starting point and must be followed up throughout the year.
Some of the ideas include:
  • You should promote your compliance program and its resources.
  • Endeavor to be welcoming, positive and approachable.
  • Demonstrate how compliance integrates and embeds into the business.
  • Any initiatives you begin must be followed up throughout the year.
Resources:
Ronnie Feldman (LinkedIn)
Learnings & Entertainments (LinkedIn)
Ronnie Feldman (Twitter)
Learnings & Entertainments (Website)
60-Second Communication & Awareness Shorts – A variety of short, customizable, quick-hitter “commercials” including songs & jingles, video shorts, newsletter graphics & Gifs, and more. Promote integrity, compliance, the Code, the helpline and the E&C team as helpful advisors and coaches.
Workplace Tonight Show! Micro-learning – a library of 1-10 minute trainings and communications wrapped in the style of a late-night variety show that explains corporate risk topics and why employees should care.
Custom Live & Digital Programming – We’ll develop programming that fits your culture and balances the seriousness of the subject matter with a more engaging delivery.

Categories
The ESG Report

ESG and Compliance- Reporting and Monitoring


Tom Fox believes that the compliance department is best positioned to lead the ESG function, and in this solo episode, he continues to explain why. He focuses on reporting and ongoing monitoring which, he says, should lead to continuous improvement.
ESG Reporting
At first glance, ESG reporting may seem outside the scope of the compliance professional; if you look deeper, however, you realize that it is a large part of what they do every day. Compliance understands and leads the process of detailed documentation in order to satisfy regulatory requirements. The problem for ESG is that there are no universally accepted reporting standards. Regulatory bodies around the world, particularly in the EU, have started to come out with ESG reporting frameworks, so the process is evolving. Compliance professionals should keep abreast of these developments. Tom comments that many companies are already doing ESG reporting in some form, as evidenced by their corporate reports, which include ESG information. This matters, he says, because “companies with good ESG practices have lower cost of capital, better operational performance, and better share price.” These companies are also more attractive to investors and potential employees.
ESG Reporting for Compliance Professionals
What should compliance professionals think about with regard to ESG reporting? Tom lists 6 key areas, including:

  • understand what your company is already doing on sustainability;
  • carry out an assessment of stakeholder ESG behaviors;
  • don’t disregard sustainability as simply a cost, but see it as a way to make you a better company.

The efforts you make as a company to operate sustainably impact the wider community, and your reports are a way to have those efforts acknowledged. “The bottom line is that much of the work done by compliance can be used as a basis for your ESG reporting,” Tom reminds listeners. “Verifiable ESG reporting …allows stakeholders to compare performance and make meaningful decisions. Transparency is critical to the process. …This transparency and its reporting enables shareholders and stakeholders to gain a clearer picture of companies’ direction and progression.” He shares some additional ways companies can improve their ESG reporting, including integrating ESG data and an ESG mindset into everyday business operations.
ESG Monitoring
You can’t manage what you don’t measure, Tom points out. Shareholders, investors, and stakeholders want to confirm that a proper plan is in effect to monitor ESG KPIs. Companies that take ESG seriously must have a central management committee. “The key is a standardized approach to ESG data collection and monitoring; this is because, without standardization leading to consistent reporting practices across an organization, it can be challenging to understand and compare performance progress towards targets,” he explains. Your framework must include quantitative and qualitative metrics. He gives some examples of ESG metrics, including those set by the World Economic Forum. These ideas are nothing new to compliance professionals, he remarks; another reason why they are best suited to lead the ESG function.
Resources
Tom Fox email
FCPA Compliance and Ethics blog

Categories
FCPA Compliance Report

Mike DeBernardis on Q3 Compliance and Enforcement Highlights


In this episode of the FCPA Compliance Report, I am thrilled to welcome back fan favorite Mike DeBernardis, partner at Hughes Hubbard. Mike is back for our quarterly FCPA and compliance review, and in this episode we look at highlights from Q3 2021. Highlights of this podcast include:

  1. FCPA Enforcement Actions-WPP and Credit Suisse. What are the key lessons learned?
  2. What does it mean to extend a DPA?
  3. Pandora Papers-how do you think this will drive the move for greater transparency around trusts and other opaque corporate forms?
  4. SEC
     a. Increased enforcement and admissions of liability in settlement documents.
     b. ESG reporting requirements-what does this mean for corporations?
     c. Increased scrutiny for both crypto and SPACs.
  5. National Security Directive coming out in December.
  6. Hughes Hubbard annual FCPA alert.

Resources

Mike DeBernardis on Hughes Hubbard website.


Categories
Daily Compliance News

November 8, 2021, the Leading with Love edition


In today’s edition of Daily Compliance News:

  • Trying to fix PG&E. (WSJ)
  • New SEC whistleblower chief. (WSJ)
  • Return of Willard? (WaPo)
  • Environmental hero or legal outlaw? (NYT)