Categories
Innovation in Compliance

Innovation in Compliance: Paige Hanson and Brandon Woolf on Compliance as a Service and Affordable GRC Software for SMBs

Innovation comes in many forms, and compliance professionals need to not only be ready for it but also embrace it. Curious about Compliance as a Service and AI integration? Well, this episode is for you, as I have Paige Hanson and Brandon Woolf, co-founders of SecureLabs, discuss not only how AI technology can revolutionize compliance but also how the use of AI systems in Compliance as a Service is set to revolutionize the regulatory landscape.

Paige Hanson and Brandon Woolf are seasoned cybersecurity professionals. Hanson’s perspective, shaped by her role in developing a national training program for law enforcement and co-founding SecureLabs, emphasizes the importance of integrating security and compliance within organizations to foster a security-first culture and facilitate cross-departmental communication. She envisions a future where advanced AI systems enhance security environments and advocate for auditable processes for small to medium-sized enterprises.

Woolf, with his background in diverse cybersecurity roles, advocates for the integration of security and compliance within an organization. He highlights the importance of having a wide range of frameworks available to cater to the diverse needs of different industries and clients and sees a growing trend, especially for SMBs, in compliance as a service due to increasing security threats.

Key Highlights:

  • SecureLabs: Affordable GRC Software for SMB Compliance
  • Enhancing Organizational Culture Through Security Integration
  • Cybersecurity Compliance Benefits through Auditable Processes
  • Compliance Audits: Minimizing Fines Through Documentation
  • AI-driven Compliance Solutions for Enhanced Security

Resources:

Paige Hanson on LinkedIn 

Brandon Woolf on LinkedIn

securelabs.ai

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Innovation in Compliance

Innovation in Compliance – Matt Kunkel and Nick Kathmann on Dynamic GRC Systems with AI-driven Controls

Innovation comes in many forms, and compliance professionals must be ready for and embrace it. Today, I visited with Matt Kunkel, CEO of LogicGate, and Nick Kathmann, CISO at LogicGate, to consider how a dynamic GRC can help drive efficiency, compliance, and profitability.

With a background in business analysis and self-taught coding, Kunkel identified a need for a more comprehensive and user-friendly approach to governance, risk, and compliance (GRC) solutions, leading to the creation of Logic Gate. The platform was designed to meet businesses’ evolving needs without requiring constant developer intervention, utilizing a flexible data model and advanced graph database technology for superior efficiency.

Kathmann, with over 20 years of experience in security and compliance, stresses the importance of industry expertise in delivering effective solutions, focusing on ensuring the platform meets the highest security standards and adapts to changing business requirements seamlessly. Kunkel and Kathmann’s perspectives highlight the crucial role of innovative technology in simplifying GRC processes and addressing the complex regulatory, risk, and compliance needs of organizations.

Key Highlights:

  • Adaptive Logic Gate Platform for GRC
  • Harnessing Data for Strategic Compliance Oversight
  • Real-time Risk Optimization for Business Growth
  • Cyber Risk Alignment Between CISO and CEO
  • Executive Level Engagement for Cybersecurity Strategy
  • Tailoring Risk Communication to Stakeholder Priorities
  • Dynamic GRC Systems with AI-driven Controls

Resources:

Matt Kunkel on LinkedIn 

Nick Kathmann on LinkedIn 

LogicGate

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
FCPA Compliance Report

FCPA Compliance Report – Ryan Lougheed on Teamwork and Communication: Lessons from Esports and GRC

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom Fox welcomes Ryan Lougheed, Director, of Product Management at Onspring.

Ryan Lougheed has over twelve years of experience in the Governance, Risk, and Compliance (GRC) field, currently serving as the director of a platform at Onspring, a SaaS GRC platform and business process automation platform. Drawing from his background in esports, Lougheed believes that teamwork and communication are crucial in both the GRC space and the world of esports. He emphasizes the importance of effective and efficient communication, especially in high-stress situations, and believes that these skills can be carried over to a compliance-focused career.

In the context of esports, Lougheed explains that communication is vital in a team of five players and that professional esports organizations provide resources such as physical trainers and sports psychologists to support their players’ communication skills. He also notes that the esports industry is evolving, with larger companies creating brands around individual streamers and organizations acting as agents to help grow the streaming culture. Join Tom Fox and Ryan Lougheed on this episode of the FCPA Compliance Report podcast to delve deeper into the importance of teamwork and communication in GRC.

 Key Highlights

  • GRC Collaboration and Communication
  • Streamlining compliance with Onspring’s centralized platform
  • Streamlining Communication in High-Stress Compliance Situations
  • Leveraging Esports Skills for GRC Success

Resources

Ryan Lougheed on LinkedIn

Onspring

Tom Fox

Instagram

Facebook

YouTube

Twitter

Categories
Innovation in Compliance

Third-Party Management: A risk-based approach – Part 4: Adam Bailey on Reporting

Welcome to a special 5-part podcast series sponsored by Diligent. Over this series, we will consider a risk-based approach to third-party risk management. Over this series, I will visit with Michael Parker, the Director of Advisory and Consulting Services; Stephanie Font, Director of the Optimizations Group; Kairi Isse, Managed Services Group Manager; Adam Bailey, Senior Vice President, Product Management and Alexander Cotoia, from the Volkov Law Group. In this Part 4, I visit with Adam Bailey to look at the role of the Board in risk, audit, compliance, and ESG and the reporting from executive teams and GRC practitioners to take risks and seize chances.

Bailey has worked to help organizations better manage their risk by providing insight and clarity to boards of directors. He strived to enable executive teams and GRC practitioners to assess and manage strategic risks, ultimately connecting boards, practitioners, and executives together to innovate and drive growth. With the complexity of third-party relationships continuing to grow, companies need to adopt a continuous improvement approach to contend with unforeseen risks. A corporate compliance function is not just something nice to have, but a must and a Board needs clear and relevant data to make the best decisions. Organizations need to use the necessary tools to ensure that Boards have the visibility to manage their third parties and make informed decisions.


Key Highlights

1. A compliance function must support leaders through its reporting work.
2. Companies can effectively manage third-party risk with a risk-based approach and robust processes.
3. Connecting Board, senior executives, and practitioners together to enable organizations to take risks and innovate is critical.

Notable Quotes

  1. “The key to this effective risk management is truly the follow-up, the ongoing follow-up to ensure that all the controls are in place and, if needed, are changed.”
  2. “Continuous blanket monitoring of all third parties with every risk asset you can think of is just not feasible and probably wouldn’t deliver the outcomes that we need.”
  3. “We know that change is constant, regulators are looking for risk management policies and practices which continually improve and evolve over time.”
  4. “We need robust processes and systems in place to make sure that when you create your third-party profile, it’s screened against sanctions lists, embargo watch lists, et cetera, to provide the rich data that’s there.”

Resources

Adam Bailey on LinkedIn

Check out Diligent’s 3rd party products and services here.

Categories
Blog

Reprioritizing Your Third-Party Risk Management Program -Reporting

Today’s business landscape is becoming increasingly complex and globally interconnected, with the average business now working with over 100 third-party vendors. While this presents a wealth of opportunities, it also brings a range of challenges for boards and GRC professionals alike when it comes to third-party risk management. I recently visited with Diligent’s Senior Vice President of Products, Adam Bailey on how to tackle these challenges and leverage third-party risk management to identify opportunities and equip boards to take risks, innovate and drive things forward. Here are the steps you need to follow to also get clarity, insight, innovation.:

  1. Understand the role of the board in oversight and provide clarity on third-party risk management.
  2. Board review Codes of Conduct.
  3. Continuous improvement view of risk management.
  4. Utilize real-time data to react to changing times.
  5. Ensure commitment to shared values and ethical cultures.

 1.Understand the role of the Board in oversight

Understanding the role of the Board in oversight and providing clarity on third-party risk management is an essential step in any risk management strategy. Obviously, the Caremark Doctrine is the leading authority which Boards must follow. But more than simply oversight to  meet a legal requirement, businesses should see the business opportunity by creating a business process which connects employees, compliance professionals, executives, and boards together in a seamless process. This connection enables a culture of continuous improvement that starts at board level and cascades down through the structures of the business. This allows two-way communication between boards and compliance professionals, so that boards can clearly communicate their risk management strategy and expectations. 

  1. Board review of Codes of Conduct

A key role for any Board is to review and refresh if needed your organization’s Code of Conduct on a regular basis. When it comes to third-party risk management this is needed to  ensure that the third parties are following the company’s established guidelines. A Board should understand the importance of third-party risk management and how to fulfill their role of oversight. There should be an enterprise-wide single source of data for every Board to ensure effective governance, risk and compliance. Boards should also be provided with dashboards to allow for continuous monitoring of third-party relationships and to provide real-time information and data to enable businesses to react to changing times. Ultimately, companies need to show that their Board is making a good faith effort to address risks by having due diligence processes in place and effective plans to monitor those processes.

  1. Continuous improvement view of risk management

A key role for any Board is to implement a continual improvement view of risk management. This shifts an organization’s focus from a one-time due diligence approach to ongoing, rigorous due diligence designed to identify risk areas and set benchmarks for improvement. This allows a Board to have a clear view of the risks involved and make informed decisions. A two-way dialogue is also important, with data flowing up to the board and actions cascading back down to the compliance team. 

  1. Utilize real-time data to react to changing times

There is probably no more important task for a Board in 2023 than responding to changing times. Obviously Covid-19 is still in front of mind, but the change political, geographic, economic and even climate changes are moving much more quickly now. For a Board to provide effective oversight, it must have access to real-time data to react to changing times. This is both from a regulatory perspective and a business/reputational perspective. All internal stakeholders should be connected with enterprise-wide single source of all nonfinancial data required for effective governance, risk, and compliance. The platform also provides real-time information and data so Boards can quickly react to changing times. Furthermore, the platform adds relevancy and context to the risk data which helps Boards make informed decisions based on the potential upside and downside of taking on certain risks.

  1. Ensure commitment to ethical values and ethical cultures

It really all does start at the top and Boards must ensure commitment to ethical values and ethical cultures. Boards should mandate that companies adopt a continual improvement view and embrace not just one and done due diligence, but ongoing monitoring and continuous improvement. Boards should mandate that organization enforce their commitment to ethical values, ethical cultures, and honest business practices. When it comes to third parties, Boards must understand the risk each third-party poses and to consider the business in question and the sort of inherent nature of the dealings with that third-party. Having a robust platform also provides real-time information and data throughout the relationship with the third-party, dashboards to monitor third-party information, and a single source of truth for all nonfinancial data. This allows for a two-way dialogue between GRC professionals and the board to ensure that the board has the clearest, most relevant, and most targeted information to inform better decisions.

For more information, on Diligent’s Third-party Risk Management solution, click here.

Listen to Adam Bailey on the podcast series here.

Categories
Innovation in Compliance

Risk Management and Corporate ESG with Dan Zitting


 
Dan Zitting, previously Chief Product Officer, now holds the title of CEO at Galvanize, a software company that helps its clients achieve their goals and objectives. He is also now the Chief Product Officer of Diligence. Tom Fox welcomes him back to this week’s show to take a look back at the GRC professional’s role in corporate ESG and risk management. 
 

 
GRC On The Frontline
A company’s defenses have to be in the remit of their GRC professional, not left up to the CSO. Dan remarks that while there is engagement by GRC professionals in minimizing company cyber risk, more needs to be done. GRC professionals have to ask themselves if they are managing cyber risk in ways that are helpful to the company’s CSOs, by providing tools and resources to support them. “There’s still work to be done in making sure that everything we’re doing from a policy, controls, and compliance standpoint is actually adding value for the CSO and helping them deploy their programs, as opposed to just feeling like they’re being checked on by the police to see if they’re doing it right,” Dan tells Tom. 
 
ESG and Investment
Investor dollars are fueling the growth and expansion of ESG and aren’t only coming from investment funds anymore. Private equity firms and banks are getting involved. If someone wants to borrow money, insurance companies assess ESG risk as part of their overall risk management strategy. “If companies want to access capital, they need to have an ESG program in place,” Tom remarks.
 
A Role To Play
The best way, Dan suggests, to get GRC professionals to understand the ownership roles they have to play in ESG, is by creating a center of excellence for ESG. By creating this center, and making ESG a business objective, you can then split the responsibilities across the organization. “Splitting the responsibilities across those different lines of defense for those different functions in a way where somebody…can get a combined view of how effective we think we are from an ESG standpoint, should be the goal,” Dan adds. 
 
The Importance of Real-Time Reporting
Real-time reporting is the G in ESG. Being able to give an accurate picture of risk to a company’s board is intrinsic to ESG, and is vital to acting on those risks efficiently. “Risk professionals too often are asking ‘Why don’t I have real-time information,’ instead of actually being the one out creating it and bringing in the technical skill necessary to be able to analyze data fast enough to get real-time insight,” Dan expresses. Governance in the present and future needs to move at a pace faster than it has in the past, in order to report on risks. Being able to point out to the board when governance is failing, so that measures can be implemented, is also extremely important. 
 
Resources
Dan Zitting | LinkedIn | Twitter 
Galvanize
Diligence
 

Categories
Innovation in Compliance

Series Spotlight: Revolutionizing GRC with 6clicks: Part 5 – What’s Next For 6clicks?


Welcome to this special podcast series, Series Spotlight: Revolutionizing GRC with 6clicks, sponsored by 6clicks. This week I have visited with Joe Schorr, Vice President (VP) of Global Channel Sales, Andrew Robinson, co-founder and Chief Information Security Officer, Stephen Walter, head of Marketing, Dr. Heather Buker, Chief Technology Officer, and Ant Stevens, co-founder and Chief Executive Officer. Over the series, we broke down 6ckicks Hub and Spoke approach, utilizing Artificial Intelligence (AI) and Machine Learning in governance, risk and compliance (GRC), curating and maintaining a robust GRC content, producing audit ready reports. Today, in our concluding episode, Part 5, I am joined by 6clicks co-founder Ant Stevens, as we look down the road for what will be next for 6clicks.
Stevens said that 6clicks was founded some two and half years ago to bring an affordable, accessible and easy to use, GRC capability to lots of businesses around the world. The second related mission “was to ensure that the platform was effective in driving productivity gains for both businesses and advisors and by advisors such as lawyers, accountants, general business management consultants and business advisors. These goals were achieved through a platform built from the ground up. We thought about GRC, we identified some things that were necessary for us to have in place to compete effectively in the market.”
There are other areas which Stevens believes are necessary to support the next generation of GRC products. 6clicks broke down the foundational building blocks into effectively four areas. The first was a functionality that supports the processes related to GRC. The second was content; “audit and assessment templates, risk libraries, policies, and controls sets, standards, rules, and regulations, basically all of the text or the reference points that companies need in order to make that functionality work.”
Next Stevens said, “we saw the future and we certainly see the future as having artificial intelligence baked into lots of areas of the products and the reason for that.” This last component allows a compliance or GRC professional “to take complex activities or time-consuming activities and make them a lot easier.” All of this is built around 6clicks platform, or “what we call a hub and spoke type approach which I know you discussed in Part 1 with Joe Schorr.” This makes the tool quite “useful for multinationals, with lots of divisions, useful for private equity companies, useful for holding companies. These are the four building blocks that 6clicks focuses on and we keep making those things better. That is what creates a foundation for us in terms of innovation.”
We turned specifically to AI. Here Stevens sees the application of AI into two buckets. The first is to help businesses automate or streamline what otherwise would be a complex and time-consuming activity. The second is to identify things in data that even a professional would struggle to do effectively, without the use of some sort of technology. That is what I have called ‘finding patterns in raked leaves.’
Here Stevens turned to Haley, the 6clicks AI intelligence engine. Now “Haley helps companies with two major challenges. One is to identify similarity across standards, laws, or regulations that they need to comply with. Most are still doing this using manually spreadsheets, multiple tabs and feed lookups. There is overlap across multiple jurisdictions around the world which are generally seeking to do similar things. Businesses need to think about that in a unified way. Haley’s first application is identifying similarity across standards, laws or regulations. The second challenge is to take an existing control framework within a company and quickly identify where the gaps are relative to a standard law regulation.”
These functions are what compliance and GRC professionals do all the time. While they can do  this manually with “Haley you can do that in seconds. I think the opportunity in the GRC space is to continue to apply artificial intelligence and those sorts of ways. But also to start to think about how we can use artificial intelligence to identify trends in data or insights into data that otherwise would be difficult to identify.” Stevens provided the example of taking incidents and looking for those that might be demonstrating a broader trend or an issue within an organization. Alternatively, trying to understand overlap between different risks so we can develop treatment plans and remediation activities can be more effectively targeted.
I asked Stevens if he could look down the road a bit and perhaps give us a teaser about what 6clicks might be developing. He said, “it is around our mission focusing on making GRC affordable and accessible for businesses. In the long-term, I think there is much to further automate processes for advisors, and we’re going to focus on that. To me that represents huge opportunity for innovation. We are going to look at tools, techniques to enable GRC professionals make all of this more of a reality.” Another initiative is what Stevens termed “a marketplace” which can be “be tailored by advisors for their clients. What we want to do is take this concept to the next level and allow individuals to seamlessly share, as part of their community, in a crowdsource context, both content and best practices that they have identified within the 6clicks platform and make that available to all the 6clicks users around the world.” Most excitingly for me Stevens added, “we want to bring that same sort of capability into the world of risk and compliance.”
I concluded by asking Stevens about his innovation philosophy ensuring you hit the mark, in innovation recognizing there are multiple players just in the innovation process in the GRC and wider risk and compliance space. He said, “for us at 6clicks, we have a three horizon model in the way that we think about innovation. The first is to focus obviously on the very immediate needs that customers have things that might not be working the way they expect, to things that could be improved very obviously based on feedback. The second is things in the near term, which is a combination of things that people have told us that they need and things they have expressed some sort of interesting having.” The third and final horizon is a combination of the 6clicks “view of where the opportunity lies in terms of improvement. We strike a balance in being sufficiently bold about the future that we see, but at the same time grounded in it and getting feedback from customers. In this third horizon we think about innovation manner, as in the way that we think the world should work, which requires a lot of creativity.”
Stevens ended by relating “we try and get the balance right there. It’s not easy. It’s very tough. But that is the way we think about our engineering philosophy and innovation philosophy. It influences the type of people that we attract or that are keen to work with us. We share that focus of short, medium, long-term thinking.”
For more information on 6clicks, check out their website here.

Categories
Innovation in Compliance

Series Spotlight: Revolutionizing GRC with 6clicks: Part 4 – Producing Audit-Ready Report with 6clicks Pixel Perfect™


Welcome to this special podcast series, Series Spotlight: Revolutionizing GRC with 6clicks, sponsored by 6clicks. This week I visit with Joe Schorr, Vice President (VP) of Global Channel Sales, Andrew Robinson, co-founder and Chief Information Security Officer, Stephen Walter, head of Marketing, Dr. Heather Buker, Chief Technology Officer, and Ant Stevens, co-founder and Chief Executive Officer. Over the series, we will break down 6ckicks Hub and Spoke approach, utilizing Artificial Intelligence (AI) and Machine Learning in governance, risk and compliance (GRC), curating and maintaining a robust GRC content, producing audit ready reports, and look at what’s next for 6clicks down the road. In Part 4, I am joined by 6clicks Chief Technology Officer, Dr. Heather Buker and we take up producing an audit-ready report with 6clicks Pixel Perfect™.
Buker is the transitional resource who takes the engineering and tech part of the 6clicks solution and puts it into a workable solution for customers. She says of herself, “you can see me, affectionately, as a translator if you will of the product and functionality and how that translates to business use cases, value propositions and things that clients really care about.” She went on to note, “functionality is only as good as the value proposition that it serves. I am here to make sure that those two things meet. I’m kind of the bridge.”
It used to be that the byword for data and data processing was GIGO (garbage in, garbage out). However, now it has evolved to “data is only as good as what you can get out of it. So, it’s not enough to just collect the data and give organizations a sort of single source of truth for their GRC programs anymore. Right? That’s what every SAS solution in the GRC space is really striving for. But, furthermore, users want easy, efficient ways to get that data out of the tool. So, it’s always a bit of an uphill battle when it comes to reporting, you know, there’s a constant flow of new requirements. Every organization has a different use case that needs supporting et cetera, and users have to be able to get their GRC data out of the tool and make it digestible for a wide variety of audiences. And that’s really the key right there. The wide variety of audiences we’re trying to satisfy with reporting needs, what good is it to track their risk and compliance data? If they can’t show/prove to an auditor or their Board members on their current risk posture at the monthly meeting, simply put it isn’t. So, assets reporting is, and frankly always will be, a critical piece of the GRC SAS solution puzzle”.
The problem that the 6clicks Pixel Perfect™ helps solve is repeatability. As Buker explained, “The more we can make GRC processes repeatable, even when it comes to reporting, the easier our platform will be to use and the more widely adopted we can become. To solve for this in the reporting world, we decided to automate report generation.” I asked her for an example, and she said, “6clicks Pixel Perfect™ can take a completed PCI DSS assessment and return Section Six of the report on compliance, filled out an audit ready.” This means a template mandated by the Security Standards Council to drive this functionality and ensure the report is ready to be submitted and properly formatted when generated. All an organization has to do is complete their PCI assessment and the platform will perform our “6clicks magic on the other side and deliver the PCI form from those assessment results minus all of the hassle. We are talking hours upon hours of time savings for QSAs merchants and others on their engagements.”
We concluded with some of Buker’s thoughts on how multiple stakeholders can use the information that 6clicks Pixel Perfect™ solution creates, up and down the chain in an organization, literally from the technical folks on the front lines up to the Board of Directors. She emphasized “what this functionality has to be, has to be up and down, high level, low level, right to Board members who have their monthly meeting or senior management that maybe, managing multiple projects across various lines of business. They don’t always know what they’re looking at when they look at some of these low-level risk, detailed reports or even data in general. We must make it digestible for them. We have to make it meaningful for them. We have to be able to produce reports and analytics at a really high level.”
Buker had a great phrase, that it all has to be in an “accordion range. That is, from highest level to lowest level and then back.  And that’s really like the secret sauce of reporting and analytics in the GRC space. Being able to take it full circle from driving change to implementing change and all of the various levels in any organization.”
Join us tomorrow where we conclude our series by visiting with company co-founder Ant Stevens as we explore what’s next for 6clicks.
For more information on 6clicks, check out their website here.

Categories
Innovation in Compliance

Series Spotlight: Revolutionizing GRC with 6clicks: Part 3 – Curating and Maintaining Robust GRC Content


Welcome to this special podcast series, Series Spotlight: Revolutionizing GRC with 6clicks, sponsored by 6clicks. This week I visit with Joe Schorr, Vice President (VP) of Global Channel Sales, Andrew Robinson, co-founder and Chief Information Security Officer, Stephen Walter, head of Marketing, Dr. Heather Buker, Chief Technology Officer, and Ant Stevens, co-founder and Chief Executive Officer. Over the series, we will break down 6ckicks Hub and Spoke approach, utilizing Artificial Intelligence (AI) and Machine Learning in governance, risk and compliance (GRC), curating and maintaining a robust GRC content, producing audit ready reports, and look at what’s next for 6clicks down the road. In Part 3, I am joined Stephen Walter to discuss curating and maintaining robust GRC content.
One of the more difficult issues facing the GRC professional or someone new to the space is the seemingly complexity of the issues in GRC. They can literally be overwhelmed. In a multinational organization there will be a myriad of different regulations. Of course, there is data literally across the organization, in multiple silos. Even if the compliance or GRC professional can get access to the data, they probably cannot interpret the data or, more importantly, know how to use it going forward.
Walter said that for someone just starting out at a budding GRC program “navigating the complexities of achieving and maintaining, compliance within a number of regulations and or authorities can be quite daunting.” With all these regulatory compliance requirements, comes content needs. Curating the needed content which could be regulatory or compliance content or it could be as wide and as varied as “content assessments, audits, frameworks, best practice, risk libraries, policies, and control sets.” Providing and housing all of these can present some serious challenges. Next, overlay that content spread through different management systems like Google or SharePoint; together with mailboxes and, as Walter notes, “it really creates chaos. Next consider outdated regulations, leading to outdated risk management policies and other required internal content materials, can all equal noncompliance with the legislations.”
One interesting observation was that because risk and compliance has been elevated in organizations, right up to the Board agenda, these conversations are resonating with companies. This allows smaller companies to have more robust risk and compliance functions through the use of GRC tools and advisors. Walter is seeing much less of a top-down approach where unilateral decisions are made the top. It can now be a more bottom-up approach, democratizing the approach to risk and compliance and bringing in the people that are actually in the trenches to convey their message upward in the company as well. This can make the job of a GRC professional much easier with the wide variety of stakeholders involved, there is something for everyone. A GRC tool allows for the jettisoning of outdated methods and processes so a company can innovate itself into a better system.
We turned to the pace of change brought about by the pandemic. As I have noted elsewhere, we had three to five years of change in 2020 alone. This was certainly true of the GRC space. Walter noted that 2020 and 2021 were “massive storms for regulators.” He pointed to cyber and information security as key areas that saw massive change both in the number of cybercrimes and the regulatory responses to them. Now overlay that with the increasingly complex system of regulations and rules that companies have to navigate, such as General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and even the cybersecurity laws of the People’s Republic of China (PRC), and you begin to see how risk in one area has grown almost exponentially. Of course, other regulatory responses from the US to Australia have been forthcoming so multi-national organizations face a wealth of new regulatory challenges. Simply keeping up with the regulatory changes can be daunting and using spreadsheets and word documents are simply not enough in 2021.
We then discussed the pace of change both on the regulatory and technology side. Many companies are still stuck in what Walter called the “Dinosaur Age” of using basic word processing skills and tools. Regulators in each country expect companies to know, understand and follow their respective laws and regulations. What is the response of a small to medium sized organization, who is resistant to the required change management and indeed in some ways is “a weird kind of cognitive dissonance?” However, this is the precise reason “why GRC solution tools are going gangbusters for affordability reasons at the moment.” Yet Walter cautioned “you need to be careful what GRC tool you adopt and make sure it’s not just a legacy tool with a facelift.”
Walter concluded with a few thoughts on the 6clicks content library, which he termed “massively rich.” It all begins with authority documents which are the standards, laws, and regulations. From there you move down to policies, which are the measures you put in place to mitigate risk or demonstrate compliance with the controls within them. Next these controls have responsibilities, such as “who does what, how often and when the control measures, which those responsibilities are maintain the effectiveness of that control.” Those are all there already inside the 6clicks content library and you can create your own.
This allows a GRC professional or a risk and compliance professional to put all of these documents into a system and manage it all in the one place. It creates what Walter called “a single point of truth, where you can keep an eye on everything, both internally and externally with the hub and spoke, which is multi entity.” If you are at a company with multiple entities running multiple autonomous GRC programs, “you can keep an eye on that too.” Finally, the control tool authority gap analysis with an AI engine can then identify where those issues may exist. As Walter concluded, “I think once you bring all of that together, you’ve really got something very, very special.”
Join us tomorrow where we take up the topic of producing audit-ready reports with 6clicks Pixel Perfect™, with 6clicks Chief Technology Officer, Dr. Heather Buker.
For more information on 6clicks, check out their website here.

Categories
Innovation in Compliance

Series Spotlight: Revolutionizing GRC with 6clicks: Part 2 – Utilizing Machine Learning and AI in Your GRC Practice


Welcome to this special podcast series, Series Spotlight: Revolutionizing GRC with 6clicks, sponsored by 6clicks. This week I visit with Joe Schorr, Vice President (VP) of Global Channel Sales, Andrew Robinson, co-founder and Chief Information Security Officer, Stephen Walter, head of Marketing, Dr. Heather Buker, Chief Technology Officer, and Ant Stevens, co-founder and Chief Executive Officer. Over the series, we will break down 6ckicks Hub and Spoke approach, utilizing Artificial Intelligence (AI) and Machine Learning (ML) in governance, risk and compliance (GRC), curating and maintaining a robust GRC content, producing audit ready reports, and look at what’s next for 6clicks down the road. In Part 2, I am joined by Andrew Robinson to discuss utilizing ML and AI into your GRC practice.
We began with the very basic proposition that many compliance professionals and others are scared by AI in the GRC space. Robinson believes it is based on the fear of the unknown, both to many inside and outside of GRC. Yet, increasingly GRC professionals see how AI and ML can be used within reg tech, technology companies, as well as in the compliance space to move forward through taking advantage of natural language processing. Robinson explained this is a component of ML that can help understand text. There is a lot of text in the world of compliance. When you can then overlay an AI component on all the standards, laws, and regulations any multi-national organization must follow, you begin to see the power of such a tool.
We next turned to dealing with compliance across multiple jurisdictions. For GRC professionals working internationally, Robinson said they must “maintain mappings or what you commonly call in the US ‘crosswalks of compliance’ frameworks.” He went on to explain these frameworks are “useful because it can allow a consultant to help a client understand how they might stack up against a particular standard. Robinson provided the example that if an organization is already complying with ISO 27,001, through these mappings, it might be able to give them an idea about what that level of compliance they have through the lens of a different framework or standard that may be relevant like the NIST cybersecurity framework.”
Yet the 6clicks approach is much more than a regulatory approach. It is a business centered approach which provides discreet business advantages. Indeed, this is one of the reasons I find the 6clicks approach so exciting as it creates a business advantage by performing quality GRC. These tools increase efficiency and profitability. Robinson went further noting, that “we come out with a public estimate of 10 times saving in using machine learning to assist with building up GRC mapping.” That is some serious productivity savings and increase.
However, this productivity increase and potential cost saving does not remove the human element. This final concept is critical in moving forward. Robinson said, “I’m of the view that humans have a very important role to play. This role is supervising the machine learning models to make sure that what they are producing and the results that they are coming out with are accurate and reliable.” If they are using spreadsheets and word documents; they should, come to terms with the fact that companies and clients no longer want spreadsheets and word documents as a deliverable. GRC professionals and consultants need to need to start using similar tools and improving the way that they service their clients. Clients, both in-house and external, are starting to demand and look for this approach. Robinson noted, “the reality is that if you are doing anything else it will be seen as subpar, and no one wants to be delivering sort of subpar products. I look for a solution that can meet your customer expectations and help you deliver your services long into the future.”
We concluded by looking at GRC tools with ML and AI at a strategic level, at the senior executive level and even at the Board of Director level. Robinson feels that management at this level “understands the benefits because they understand the problem.” Their goals are to simplify compliance while understanding risk exposure. From this point, management can move to create a risk-based solution. Robinson believes, these are the types of “business problems that executives are dealing with on a daily basis. Having awareness of the machine learning model can help them navigate that complexity.” From where I sit, when you can take a tool that improves business process efficiency and use it to increase profitability through more effectual risk management it is a win for everyone.
Join us tomorrow where we take up the topic of curating and maintaining robust GRC content. With 6clicks Head of Marketing, Stephen Walter.
For more information on 6clicks, check out their website here.