Tag: GRC

Welcome to this special podcast series, Series Spotlight: Revolutionizing GRC with 6clicks, sponsored by 6clicks. This week I visit with Joe Schorr, Vice President (VP) of Global Channel Sales, Andrew Robinson, co-founder and Chief Information Security Officer, Stephen Walter, head of Marketing, Dr. Heather Buker, Chief Technology Officer, and Ant Stevens, co-founder and Chief Executive Officer. Over the series, we will break down 6ckicks Hub and Spoke approach, utilizing Artificial Intelligence (AI) and Machine Learning in governance, risk and compliance (GRC), curating and maintaining a robust GRC content, producing audit ready reports, and look at what’s next for 6clicks down the road. In Part 3, I am joined Stephen Walter to discuss curating and maintaining robust GRC content.
One of the more difficult issues facing the GRC professional or someone new to the space is the seemingly complexity of the issues in GRC. They can literally be overwhelmed. In a multinational organization there will be a myriad of different regulations. Of course, there is data literally across the organization, in multiple silos. Even if the compliance or GRC professional can get access to the data, they probably cannot interpret the data or, more importantly, know how to use it going forward.
Walter said that for someone just starting out at a budding GRC program “navigating the complexities of achieving and maintaining, compliance within a number of regulations and or authorities can be quite daunting.” With all these regulatory compliance requirements, comes content needs. Curating the needed content which could be regulatory or compliance content or it could be as wide and as varied as “content assessments, audits, frameworks, best practice, risk libraries, policies, and control sets.” Providing and housing all of these can present some serious challenges. Next, overlay that content spread through different management systems like Google or SharePoint; together with mailboxes and, as Walter notes, “it really creates chaos. Next consider outdated regulations, leading to outdated risk management policies and other required internal content materials, can all equal noncompliance with the legislations.”
One interesting observation was that because risk and compliance has been elevated in organizations, right up to the Board agenda, these conversations are resonating with companies. This allows smaller companies to have more robust risk and compliance functions through the use of GRC tools and advisors. Walter is seeing much less of a top-down approach where unilateral decisions are made the top. It can now be a more bottom-up approach, democratizing the approach to risk and compliance and bringing in the people that are actually in the trenches to convey their message upward in the company as well. This can make the job of a GRC professional much easier with the wide variety of stakeholders involved, there is something for everyone. A GRC tool allows for the jettisoning of outdated methods and processes so a company can innovate itself into a better system.
We turned to the pace of change brought about by the pandemic. As I have noted elsewhere, we had three to five years of change in 2020 alone. This was certainly true of the GRC space. Walter noted that 2020 and 2021 were “massive storms for regulators.” He pointed to cyber and information security as key areas that saw massive change both in the number of cybercrimes and the regulatory responses to them. Now overlay that with the increasingly complex system of regulations and rules that companies have to navigate, such as General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and even the cybersecurity laws of the People’s Republic of China (PRC), and you begin to see how risk in one area has grown almost exponentially. Of course, other regulatory responses from the US to Australia have been forthcoming so multi-national organizations face a wealth of new regulatory challenges. Simply keeping up with the regulatory changes can be daunting and using spreadsheets and word documents are simply not enough in 2021.
We then discussed the pace of change both on the regulatory and technology side. Many companies are still stuck in what Walter called the “Dinosaur Age” of using basic word processing skills and tools. Regulators in each country expect companies to know, understand and follow their respective laws and regulations. What is the response of a small to medium sized organization, who is resistant to the required change management and indeed in some ways is “a weird kind of cognitive dissonance?” However, this is the precise reason “why GRC solution tools are going gangbusters for affordability reasons at the moment.” Yet Walter cautioned “you need to be careful what GRC tool you adopt and make sure it’s not just a legacy tool with a facelift.”
Walter concluded with a few thoughts on the 6clicks content library, which he termed “massively rich.” It all begins with authority documents which are the standards, laws, and regulations. From there you move down to policies, which are the measures you put in place to mitigate risk or demonstrate compliance with the controls within them. Next these controls have responsibilities, such as “who does what, how often and when the control measures, which those responsibilities are maintain the effectiveness of that control.” Those are all there already inside the 6clicks content library and you can create your own.
This allows a GRC professional or a risk and compliance professional to put all of these documents into a system and manage it all in the one place. It creates what Walter called “a single point of truth, where you can keep an eye on everything, both internally and externally with the hub and spoke, which is multi entity.” If you are at a company with multiple entities running multiple autonomous GRC programs, “you can keep an eye on that too.” Finally, the control tool authority gap analysis with an AI engine can then identify where those issues may exist. As Walter concluded, “I think once you bring all of that together, you’ve really got something very, very special.”
Join us tomorrow where we take up the topic of producing audit-ready reports with 6clicks Pixel Perfect™, with 6clicks Chief Technology Officer, Dr. Heather Buker.
For more information on 6clicks, check out their website here.

Welcome to this special podcast series, Series Spotlight: Revolutionizing GRC with 6clicks, sponsored by 6clicks. This week I visit with Joe Schorr, Vice President (VP) of Global Channel Sales, Andrew Robinson, co-founder and Chief Information Security Officer, Stephen Walter, head of Marketing, Dr. Heather Buker, Chief Technology Officer, and Ant Stevens, co-founder and Chief Executive Officer. Over the series, we will break down 6ckicks Hub and Spoke approach, utilizing Artificial Intelligence (AI) and Machine Learning (ML) in governance, risk and compliance (GRC), curating and maintaining a robust GRC content, producing audit ready reports, and look at what’s next for 6clicks down the road. In Part 2, I am joined by Andrew Robinson to discuss utilizing ML and AI into your GRC practice.
We began with the very basic proposition that many compliance professionals and others are scared by AI in the GRC space. Robinson believes it is based on the fear of the unknown, both to many inside and outside of GRC. Yet, increasingly GRC professionals see how AI and ML can be used within reg tech, technology companies, as well as in the compliance space to move forward through taking advantage of natural language processing. Robinson explained this is a component of ML that can help understand text. There is a lot of text in the world of compliance. When you can then overlay an AI component on all the standards, laws, and regulations any multi-national organization must follow, you begin to see the power of such a tool.
We next turned to dealing with compliance across multiple jurisdictions. For GRC professionals working internationally, Robinson said they must “maintain mappings or what you commonly call in the US ‘crosswalks of compliance’ frameworks.” He went on to explain these frameworks are “useful because it can allow a consultant to help a client understand how they might stack up against a particular standard. Robinson provided the example that if an organization is already complying with ISO 27,001, through these mappings, it might be able to give them an idea about what that level of compliance they have through the lens of a different framework or standard that may be relevant like the NIST cybersecurity framework.”
Yet the 6clicks approach is much more than a regulatory approach. It is a business centered approach which provides discreet business advantages. Indeed, this is one of the reasons I find the 6clicks approach so exciting as it creates a business advantage by performing quality GRC. These tools increase efficiency and profitability. Robinson went further noting, that “we come out with a public estimate of 10 times saving in using machine learning to assist with building up GRC mapping.” That is some serious productivity savings and increase.
However, this productivity increase and potential cost saving does not remove the human element. This final concept is critical in moving forward. Robinson said, “I’m of the view that humans have a very important role to play. This role is supervising the machine learning models to make sure that what they are producing and the results that they are coming out with are accurate and reliable.” If they are using spreadsheets and word documents; they should, come to terms with the fact that companies and clients no longer want spreadsheets and word documents as a deliverable. GRC professionals and consultants need to need to start using similar tools and improving the way that they service their clients. Clients, both in-house and external, are starting to demand and look for this approach. Robinson noted, “the reality is that if you are doing anything else it will be seen as subpar, and no one wants to be delivering sort of subpar products. I look for a solution that can meet your customer expectations and help you deliver your services long into the future.”
We concluded by looking at GRC tools with ML and AI at a strategic level, at the senior executive level and even at the Board of Director level. Robinson feels that management at this level “understands the benefits because they understand the problem.” Their goals are to simplify compliance while understanding risk exposure. From this point, management can move to create a risk-based solution. Robinson believes, these are the types of “business problems that executives are dealing with on a daily basis. Having awareness of the machine learning model can help them navigate that complexity.” From where I sit, when you can take a tool that improves business process efficiency and use it to increase profitability through more effectual risk management it is a win for everyone.
Join us tomorrow where we take up the topic of curating and maintaining robust GRC content. With 6clicks Head of Marketing, Stephen Walter.
For more information on 6clicks, check out their website here.

Welcome to this special podcast series, Series Spotlight: Revolutionizing GRC with 6clicks, sponsored by 6clicks. This week I visit with Joe Schorr, Vice President (VP) of Global Channel Sales, Andrew Robinson, co-founder and Chief Information Security Officer, Stephen Walter, head of Marketing, Dr. Heather Buker, Chief Technology Officer, and Ant Stevens, co-founder and Chief Executive Officer. Over the series, we will break down 6ckicks Hub and Spoke approach, utilizing Artificial Intelligence (AI) and Machine Learning in governance, risk and compliance (GRC), curating and maintaining a robust GRC content, producing audit ready reports, and look at what’s next for 6clicks down the road. In Part 1, I am joined by Joe Schorr on Managing a Multi-Entity GRC Architecture with 6clicks Hub and Spoke.
Schorr handles global channels, which encompasses service provider partners and technology partners and the traditional channel resale role. We turned to the ‘hub and spoke’ model which 6clicks advocates. He said that 6clicks pioneered the evolution from a multi-tenant or federated approach of GRC architecture to hub and spoke model. The difference is that in a multi-tenant or federated approach it is seen as much more vertical or up and down the chain. But the hub and spoke is “just like with airline travel, back in the old days of networking, where we had hubs, routers and switches and the computers all hooked to a hub.”
Schorr went to explain, “in our model, we’re using what we call center of excellence, think of it as the headquarters or the hub or the terminal and an airport. And they have the different wings go out to the different entities.” The architecture can “pull different types of data and analytics from those entities, or those folks are out there bringing them back into the center of excellence.” Additionally, “the center of excellence by the same token can have a lot of centralized benefits like templates and controls which they are able to push that out at the same time to all these different entities.” Schorr believes it is “the holy grail of what people have been looking for; to control from a central location really complex information that require a ton of data flowing both ways.”
Moreover, the hub and spoke approach facilitates a GRC conversation with a wide variety of people. This could include compliance professionals, lawyers, other non-technical folks at the C-suite or executive level and certainly in the Board level and everywhere in between. It helps to define everyone’s role in the GRC and broader risk management process. Schorr said, “That’s beauty of it because you can craft it. For instance, in a Private Equity company with multiple portfolio companies, there is much sensitive information and, not everybody in every portfolio company needs to see what’s going on in every other portfolio company. This approach allows an organization to segregate all that data yet allows you the freedom to utilize the information you want to as access control is built into the architecture.”
We continued on the example of the private equity firm with multiple portfolio companies, which are sometimes in the same industry, but sometimes not. There is always a wide variety of data and disparate sources of data that you have to pull in. This disparate data has to be collected, in a manner that can be utilized by the private equity firm, the corporate office, whatever the hub might be. However, the stakeholders, corporate subsidiaries or portfolio companies at the end of the spoke might need that data to make tactical if not strategic decisions. Next, overlay reporting to senior management and then a Board of Directors, all in a changing regulatory environment. This hub and spoke architecture can be an incredibly powerful way to collect and utilize data. Schorr explained, “if you are hired to do a risk assessment against 200 portfolio companies, you have a massive set of risk data in all kinds of different things. You have collected data; you have interviews, you have done vulnerability scanning, you’ve done risk assessments, third party risk assessments, vendor assessments, everything you could possibly imagine. That is all rolled up collected somewhere and a bunch of smart people look at it and we’re all trying to grade it and do things manually and push it around. And at the end of the day, just like you said, this is really important.”
This approach allows you to prepare a Board level C-suite report. You can also create a functional management report for middle management as that level is usually the one which must read this and decipher it and then push it out. Schorr said, “there is also a bottom layer which a report needs to go out to. It’s almost a raw data level report that goes out to the people in the field or the people at those portfolio companies who are responsible for fixing things” the hub and spoke approach to 6clicks GRC architecture allows you to work on those levels.
Join us tomorrow where we take up utilizing machine learning and AI in your GRC practice with Andrew Robinson, 6clicks co-founder and Chief Information and Security Officer.
For more information on 6clicks, check out their website here.