Categories
Creativity and Compliance

Corporate Compliance & Ethics Week, Part 2-Talk Shows


Where does creativity fit into compliance? In more places than you think. Problem-solving, accountability, communication, and connection – they all take creativity. Join Tom Fox and Ronnie Feldman on Creativity and Compliance, part of the Compliance Podcast Network. In this episode Ronnie and Tom continue our five-part series on creative ideas you can use during the 2021 Corporate Compliance and Ethics Week.
In this Part 2, we discuss using talk shows to communicate about compliance. In this episode we consider how you can create a compliance and integrity themed Talk Show to help foster greater communications with your employee base. Tom and Ronnie both agree that Corporate Compliance and Ethics Week initiatives must be followed up throughout the year.
Some of the ideas include:

  • A talk show-hosted interview with the Ethics Officer and leadership.
  • A Letterman-type talk show complete with Top-10 lists and desk bits.
  • Using improv performance to emphasize your core values around integrity, compliance and ethics, and corporate culture.
  • You can do a show live or recorded, but remember to avoid a talking-head format.
  • Finally, it can be dialogues or monologues.

Resources:
Ronnie Feldman (LinkedIn)
Learnings & Entertainments (LinkedIn)
Ronnie Feldman (Twitter)
Learnings & Entertainments (Website)
60-Second Communication & Awareness Shorts – A variety of short, customizable, quick-hitter “commercials” including songs & jingles, video shorts, newsletter graphics & Gifs, and more. Promote integrity, compliance, the Code, the helpline and the E&C team as helpful advisors and coaches.
Workplace Tonight Show! Micro-learning – a library of 1-10-minute trainings and communications wrapped in the style of a late-night variety show, that explains corporate risk topics and why employees should care.
Custom Live & Digital Programing – We’ll develop programming that fits your culture and balances the seriousness of the subject matter with a more engaging delivery.

Categories
Innovation in Compliance

Data Cleansing and Relativity Trace with Jordan Domash, Part 1


 
Jordan Domash is Tom Fox’s guest on this week’s episode of the Innovation in Compliance Podcast. Jordan is the General Manager at Relativity, a company that makes software to help users organize their data. The platform is used by more than 180,000 people around the world to identify key issues. Jordan has been leading Relativity’s communications surveillance product for the past few years and has been in charge of the sale and development of the platform. He joins Tom in the first part of this two-part episode to talk about his role at Relativity, data cleansing, and how the Relativity Trace platform helps its customers.
 

 
The Importance of Data Cleansing
With the move to remote work, individuals have come to rely on different sources such as Slack and Microsoft Teams to communicate with one another. Jordan tells Tom that this has led to an explosion in the amount of data that needs to be actively monitored, and that there is a larger need for data cleansing. He shares how Relativity is tackling this issue. “We’ve spent a lot of energy on the past couple of years answering the problem of how can we sift through all that content, focus specifically on what’s risky, and what’s relevant to a compliance team with as little review as possible, and really focus on being efficient with our time and actually detecting risks that are important,” Jordan remarks.
 
Prevent Misconduct with Relativity Trace
Compliance regulators are very concerned with how companies are preventing misconduct before it occurs. Tom asks Jordan to explain how Relativity Trace can help businesses with this problem. “By having a really effective program, you are setting the expectation that this behavior is not being tolerated at your organization,” Jordan begins. Relativity gives organizations the tools necessary to take action as soon as an incident occurs instead of waiting months, or until there’s a formal investigation. Trace is implemented in a way that’s aligned to the specific organization using it. It starts with a code of conduct, and understanding the risks that are specific to that business. Trace gives compliance teams the ability to enforce that code of conduct, make sure that the risks to the organization are being monitored, and that any violations are being detected quickly.
 
Artificial Intelligence to Prevent Misconduct
Artificial Intelligence is used in three ways by Relativity Trace: to remove irrelevant content and junk, to pinpoint risk and misconduct, and to add context to alerts that have been generated. Relativity has technology that removes spam, industry search reports and content that isn’t generated by a person. It strips out all non-human generated text from the monitoring process so that compliance individuals can focus only on the content that is potentially risky. “We bring the three or four or five most relevant communications to that alert to the forefront so the compliance officer can really focus on what the system is saying is the most relevant,” Jordan tells Tom.
 
The Risk of Unstructured Data
Unstructured data, which has no hierarchy associated with it, makes up the majority of the data that lives in a company. It comes in many forms and poses a problem for professionals because it makes it hard to search across an entire system. This type of data requires a different set of technology. A lot of suspicious items may be hiding in unstructured data, and this poses a challenge to compliance officers. It will be hard for them to search for information on specific individuals if the majority of that information is hiding in the unstructured data. Organizations should be conscious of where unstructured data lives, and should have processes that can look for hidden risks and remediate them.
 
Resources
Jordan Domash | LinkedIn 
Relativity
 

Categories
Daily Compliance News

November 9, 2021 the Stupid Texts edition


In today’s edition of Daily Compliance News:

  • McDonald’s CEO in hot water over texts. (WSJ)
  • South African whistleblower flees country. (Yahoo News)
  • Corruption hurdle in climate change fight. (Yahoo News)
  • Rogers gets his company back. (Bloomberg)
Categories
Blog

Utilizing Machine Learning and AI in Your GRC Practice

I recently had the chance to visit with Andrew Robinson to discuss utilizing ML and AI in your GRC practice for a sponsored podcast. Robinson is the co-founder and Chief Information Security Officer at 6clicks. You can check out Robinson’s podcast episode here.
We began with the very basic proposition that many compliance professionals and others are scared by AI in the GRC space. Robinson believes it is based on the fear of the unknown, both to many inside and outside of GRC. Yet, increasingly GRC professionals see how AI and ML can be used within reg tech, technology companies, as well as in the compliance space to move forward through taking advantage of natural language processing. Robinson explained this is a component of ML that can help understand text. There is a lot of text in the world of compliance. When you can then overlay an AI component on all the standards, laws, and regulations any multi-national organization must follow, you begin to see the power of such a tool.
We next turned to dealing with compliance across multiple jurisdictions. For GRC professionals working internationally, Robinson said they must “maintain mappings or what you commonly call in the US ‘crosswalks of compliance’ frameworks.” He went on to explain these frameworks are “useful because it can allow a consultant to help a client understand how they might stack up against a particular standard.” Robinson provided the example that if an organization is already complying with ISO 27001, through these mappings, it might be able to give them an idea about what level of compliance they have through the lens of a different framework or standard that may be relevant, like the NIST Cybersecurity Framework.
Yet the 6clicks approach is much more than a regulatory approach. It is a business-centered approach which provides discrete business advantages. Indeed, this is one of the reasons I find the 6clicks approach so exciting, as it creates a business advantage by performing quality GRC. These tools increase efficiency and profitability. Robinson went further, noting that “we come out with a public estimate of 10 times saving in using machine learning to assist with building up GRC mapping.” That is some serious productivity savings and increase.
However, this productivity increase and potential cost saving does not remove the human element. This final concept is critical in moving forward. Robinson said, “I’m of the view that humans have a very important role to play. This role is supervising the machine learning models to make sure that what they are producing and the results that they are coming out with are accurate and reliable.” If GRC professionals are using spreadsheets and Word documents, they should come to terms with the fact that companies and clients no longer want spreadsheets and Word documents as a deliverable. GRC professionals and consultants need to start using similar tools and improving the way that they service their clients. Clients, both in-house and external, are starting to demand and look for this approach. Robinson noted, “the reality is that if you are doing anything else it will be seen as subpar, and no one wants to be delivering sort of subpar products. I look for a solution that can meet your customer expectations and help you deliver your services long into the future.”
We concluded by looking at GRC tools with ML and AI at a strategic level, at the senior executive level and even at the Board of Directors level. Robinson feels that management at this level “understands the benefits because they understand the problem.” Their goals are to simplify compliance while understanding risk exposure. From this point, management can move to create a risk-based solution. Robinson believes these are the types of “business problems that executives are dealing with on a daily basis. Having awareness of the machine learning model can help them navigate that complexity.” From where I sit, when you can take a tool that improves business process efficiency and use it to increase profitability through more effectual risk management, it is a win for everyone.
For more information on 6clicks, check out their website here.

Categories
Compliance Kitchen

Colonial Pipeline Hack Update


The State Department offers a large reward to bring those behind the Colonial Pipeline ransomware incident to account.  The Kitchen stopped by for more detail – tune in for a quick update.

Categories
Blog

Managing a Multi-Entity GRC Architecture with 6clicks Hub and Spoke

I recently visited with Joe Schorr about managing a multi-entity GRC architecture with 6clicks hub and spoke for a sponsored podcast series. You can check out Joe’s podcast here. Joe is the VP and Global Head of Strategic Partnerships & Alliances at 6clicks. He handles global channels, which encompasses service provider partners and technology partners and the traditional channel resale role. We turned to the ‘hub and spoke’ model which 6clicks advocates. He said that 6clicks pioneered the evolution from a multi-tenant or federated approach of GRC architecture to a hub and spoke model. The difference is that a multi-tenant or federated approach is seen as much more vertical, or up and down the chain. But the hub and spoke is “just like with airline travel, back in the old days of networking, where we had hubs, routers and switches and the computers all hooked to a hub.”
Schorr went on to explain, “in our model, we’re using what we call center of excellence, think of it as the headquarters or the hub or the terminal and an airport. And they have the different wings go out to the different entities.” The architecture can “pull different types of data and analytics from those entities, or those folks are out there bringing them back into the center of excellence.” Additionally, “the center of excellence by the same token can have a lot of centralized benefits like templates and controls which they are able to push that out at the same time to all these different entities.” Schorr believes it is “the holy grail of what people have been looking for; to control from a central location really complex information that require a ton of data flowing both ways.”
Moreover, the hub and spoke approach facilitates a GRC conversation with a wide variety of people. This could include compliance professionals, lawyers, other non-technical folks at the C-suite or executive level and certainly in the Board level and everywhere in between. It helps to define everyone’s role in the GRC and broader risk management process. Schorr said, “That’s beauty of it because you can craft it. For instance, in a Private Equity company with multiple portfolio companies, there is much sensitive information and, not everybody in every portfolio company needs to see what’s going on in every other portfolio company. This approach allows an organization to segregate all that data yet allows you the freedom to utilize the information you want to as access control is built into the architecture.”
We continued on the example of the private equity firm with multiple portfolio companies, which are sometimes in the same industry, but sometimes not. There is always a wide variety of data and disparate sources of data that you have to pull in. This disparate data has to be collected, in a manner that can be utilized by the private equity firm, the corporate office, whatever the hub might be. However, the stakeholders, corporate subsidiaries or portfolio companies at the end of the spoke might need that data to make tactical if not strategic decisions. Next, overlay reporting to senior management and then a Board of Directors, all in a changing regulatory environment. This hub and spoke architecture can be an incredibly powerful way to collect and utilize data. Schorr explained, “if you are hired to do a risk assessment against 200 portfolio companies, you have a massive set of risk data in all kinds of different things. You have collected data; you have interviews, you have done vulnerability scanning, you’ve done risk assessments, third party risk assessments, vendor assessments, everything you could possibly imagine. That is all rolled up collected somewhere and a bunch of smart people look at it and we’re all trying to grade it and do things manually and push it around. And at the end of the day, just like you said, this is really important.”
This approach allows you to prepare a Board-level and C-suite report. You can also create a functional management report for middle management, as that level is usually the one which must read this and decipher it and then push it out. Schorr said, “there is also a bottom layer which a report needs to go out to. It’s almost a raw data level report that goes out to the people in the field or the people at those portfolio companies who are responsible for fixing things.” The hub and spoke approach to 6clicks GRC architecture allows you to work on those levels.
For more information on 6clicks, check out their website here.

Categories
The Ethics Movement

Corporate Compliance and Ethics Week Celebration-Philip Winterburn on Passion Around Data-Based Decision Making in Compliance


In this special podcast series sponsored by Convercent by One Trust, we celebrate Corporate Compliance and Ethics Week 2021. Over this podcast series, I will visit with Convercent by One Trust employees on why they are so passionate about driving ethics to the heart of business. In this first episode, I visit with Philip Winterburn, Chief Strategy Officer at Convercent by One Trust. His passion is around bringing the rigor of data analytics to compliance and helping compliance officers to make data-based decisions. Join the Convercent Converge community. It is the single best resource for information on all things ethics and compliance related. There are discussion threads, Q & A on specific topics and resources available to the compliance professional. Best of all, it is all free. Check out the Convercent Converge community by clicking here.

Categories
Innovation in Compliance

Series Spotlight: Revolutionizing GRC with 6clicks: Part 1 – Managing a Multi-Entity GRC Architecture with 6clicks Hub and Spoke


Welcome to this special podcast series, Series Spotlight: Revolutionizing GRC with 6clicks, sponsored by 6clicks. This week I visit with Joe Schorr, Vice President (VP) of Global Channel Sales, Andrew Robinson, co-founder and Chief Information Security Officer, Stephen Walter, head of Marketing, Dr. Heather Buker, Chief Technology Officer, and Ant Stevens, co-founder and Chief Executive Officer. Over the series, we will break down the 6clicks Hub and Spoke approach, utilizing Artificial Intelligence (AI) and Machine Learning in governance, risk and compliance (GRC), curating and maintaining robust GRC content, producing audit-ready reports, and look at what’s next for 6clicks down the road. In Part 1, I am joined by Joe Schorr on Managing a Multi-Entity GRC Architecture with 6clicks Hub and Spoke.
Schorr handles global channels, which encompasses service provider partners and technology partners and the traditional channel resale role. We turned to the ‘hub and spoke’ model which 6clicks advocates. He said that 6clicks pioneered the evolution from a multi-tenant or federated approach of GRC architecture to a hub and spoke model. The difference is that a multi-tenant or federated approach is seen as much more vertical, or up and down the chain. But the hub and spoke is “just like with airline travel, back in the old days of networking, where we had hubs, routers and switches and the computers all hooked to a hub.”
Join us tomorrow where we take up utilizing machine learning and AI in your GRC practice with Andrew Robinson, 6clicks co-founder and Chief Information and Security Officer.
For more information on 6clicks, check out their website here.
 

Categories
Creativity and Compliance

Corporate Compliance & Ethics Week, Part 1-Introduction


Where does creativity fit into compliance? In more places than you think. Problem-solving, accountability, communication, and connection – they all take creativity. Join Tom Fox and Ronnie Feldman on Creativity and Compliance, part of the Compliance Podcast Network. With this episode Ronnie and Tom begin a five-part series on creative ideas you can use during the 2021 Corporate Compliance and Ethics Week.
In this Part 1, we discuss what we will communicate in the series. In our first Siskel and Ebert Point/Counter-Point, Ronnie comes in smoking on what he thinks about Corporate Compliance and Ethics Week and Tom has a more lawyerly, measured approach.  Tom and Ronnie both agree that Corporate Compliance and Ethics Week initiatives should only be seen as a starting point and must be followed up throughout the year.
Some of the ideas include:

  • You should promote your compliance program and its resources.
  • Endeavor to be welcoming and positive and approachable.
  • Demonstrate how compliance integrates and embeds into the business.
  • Any initiatives you begin must be followed up throughout the year.

Resources:
Ronnie Feldman (LinkedIn)
Learnings & Entertainments (LinkedIn)
Ronnie Feldman (Twitter)
Learnings & Entertainments (Website)
60-Second Communication & Awareness Shorts – A variety of short, customizable, quick-hitter “commercials” including songs & jingles, video shorts, newsletter graphics & Gifs, and more. Promote integrity, compliance, the Code, the helpline and the E&C team as helpful advisors and coaches.
Workplace Tonight Show! Micro-learning – a library of 1-10-minute trainings and communications wrapped in the style of a late-night variety show, that explains corporate risk topics and why employees should care.
Custom Live & Digital Programing – We’ll develop programming that fits your culture and balances the seriousness of the subject matter with a more engaging delivery.

Categories
The ESG Report

ESG and Compliance- Reporting and Monitoring


 
Tom Fox believes that the compliance department is best positioned to lead the ESG function, and in this solo episode, he continues to explain why. He focuses on reporting and ongoing monitoring which, he says, should lead to continuous improvement.
 

 
ESG Reporting
At first glance, ESG reporting may seem outside the scope of the compliance professional; if you look deeper, however, you’d realize that it’s a large part of what they do every day. Compliance understands and leads the process of detailed documentation in order to satisfy regulatory requirements. The problem for ESG is that there are no universally accepted reporting standards. Regulatory bodies around the world, particularly in the EU, have started to come out with ESG reporting frameworks, so the process is evolving. Compliance professionals should keep abreast of these developments. Tom comments that many companies are already doing ESG reporting in some form, as evidenced by their corporate reports which include ESG information. This matters, he says, because “companies with good ESG practices have lower cost of capital, better operational performance, and better share price.” These companies also are more attractive to investors and potential employees.
 
ESG Reporting for Compliance Professionals
What should compliance professionals think about with regard to ESG reporting? Tom lists 6 key areas, including:

  • understand what your company is already doing on sustainability;
  • carry out an assessment of stakeholder ESG behaviors;
  • don’t disregard sustainability as simply a cost, but see it as a way to make you a better company.

 
The efforts you make as a company to operate sustainably impact the wider community, and your reports are a way to have those efforts acknowledged. “The bottom line is that much of the work done by compliance can be used as a basis for your ESG reporting,” Tom reminds listeners. “Verifiable ESG reporting …allows stakeholders to compare performance and make meaningful decisions. Transparency is critical to the process. …This transparency and its reporting enables shareholders and stakeholders to gain a clearer picture of companies’ direction and progression.” He shares some additional ways companies can improve their ESG reporting, including integrating ESG data and mindset into everyday business operations.
 
ESG Monitoring
You can’t manage what you don’t measure, Tom points out. Shareholders, investors, and stakeholders want to confirm that a proper plan is in effect to monitor ESG KPIs. Companies that take ESG seriously must have a central management committee. “The key is a standardized approach to ESG data collection and monitoring; this is because, without standardization leading to consistent reporting practices across an organization, it can be challenging to understand and compare performance progress towards targets,” he explains. Your framework must include quantitative and qualitative metrics. He gives some examples of ESG metrics, including those set by the World Economic Forum. These ideas are nothing new to compliance professionals, he remarks; another reason why they are best suited to lead the ESG function. 
 
Resources
Tom Fox email
FCPA Compliance and Ethics blog