Categories
Innovation in Compliance

Innovation in Compliance – Gaurav Kapoor on Risk Management and the Role of AI in GRC

Innovation comes in many areas, and compliance professionals need to be ready for it and embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, Tom Fox interviews Gaurav Kapoor, Vice Chairman, Co-Founder and Board Member of MetricStream, discussing his extensive professional background, from co-founding MetricStream to his current focus on customer intimacy amid AI market disruptions.

Kapoor delves into the evolving landscape of risk management, emphasizing the importance of midyear reviews and the integration of risk themes such as operational risk, audit, compliance, and cybersecurity. He elaborates on the role of AI in GRC, explaining how generative and agentic AI can streamline compliance processes and enhance risk management strategies. The conversation also touches on the increasing significance of cybersecurity, geopolitical instability, and climate impact in risk assessment. Kapoor highlights the shift from a compliance-only posture to a more resilient, risk-aware culture within organizations.

Key highlights:

  • The Importance of July in Risk Management
  • AI’s Role in GRC
  • Emerging Risks and AI Applications
  • Counseling Boards on Risk Management
  • Top Concerns for the Second Half of 2025
  • Evolving Role of Compliance and Risk Officers

Resources:

MetricStream Website and on LinkedIn

Gaurav Kapoor on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Compliance and AI

Compliance and AI: Navigating Risk Management in the AI Era with Gaurav Kapoor

What is the role of Artificial Intelligence in compliance? What about Machine Learning? Are you using ChatGPT? These questions are just three of the many we will explore in this cutting-edge podcast series, Compliance and AI, hosted by Tom Fox, the award-winning Voice of Compliance. In this episode, Tom Fox speaks with Gaurav Kapoor, Vice Chairman, Co-Founder, and Board Member of MetricStream.

Kapoor shares his extensive professional background and the evolving landscape of risk management and compliance, emphasizing the growing importance of cybersecurity, geopolitical risks, climate impacts, and regulatory changes, all within the context of AI advancements. He also discusses how AI can streamline GRC processes, enhance decision-making capabilities, and transform traditional compliance frameworks into more strategic risk management approaches. The conversation also explores the evolving role of Chief Risk Officers and the need for a resilient, risk-aware corporate culture.

Key highlights:

  • Gaurav Kapoor’s Professional Journey
  • The Importance of July in Risk Management
  • AI’s Role in GRC
  • Emerging Risks and AI Applications
  • Counseling Boards on Risk Management
  • Top Concerns for the Rest of 2025
  • Shifting from Compliance to Risk Resilience

Resources:

MetricStream Website and on LinkedIn

Gaurav Kapoor on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
FCPA Compliance Report

#Risk New York Speaker Series – Exploring the Future of GRC with Michael Rasmussen

Join Tom Fox and hundreds of other GRC professionals in the city that never sleeps, New York City, on July 9 & 10 for one of the top conferences around, #Risk New York. The current US landscape, shaped by evolving policies, rapid advancements in AI, and shifting global dynamics, demands adaptive strategies and cross-functional collaboration.

At #RISK New York, you will master the new regulatory reality by getting ahead of US regulatory shifts and their impact; conquer AI and tech risk by safeguarding your organization in an AI-driven world and understanding the implications of major tech investments; navigate financial and crypto volatility by protecting your assets and exploring solutions in a dynamic market; strengthen your GRC framework by leveraging governance, risk, and compliance for strategic advantage; and protect digital trust by addressing challenges in cybersecurity and data privacy and combating misinformation. All while meeting the country’s top risk management professionals.

In this episode, Tom Fox welcomes Michael Rasmussen, a renowned expert in Governance, Risk Management, and Compliance (GRC), often referred to as the ‘father of GRC.’ Michael shares insights into his contributions to the field, including his work on the OCEG GRC Capability Model. The conversation highlights Michael’s anticipated presentation on ‘The Future of GRC’ at the upcoming #Risk New York conference. Drawing inspiration from Star Trek (TOS, and how can you not love that?), Michael emphasizes the importance of managing business risks effectively. The discussion also touches on the benefits of face-to-face interactions and networking opportunities at such conferences.

Resources:

#Risk Conference Series

#RiskNYC—Tickets and Information

Michael Rasmussen on LinkedIn

Categories
Innovation in Compliance

Innovation in Compliance: Paige Hanson and Brandon Woolf on Compliance as a Service and Affordable GRC Software for SMBs

Innovation comes in many forms, and compliance professionals need to not only be ready for it but also embrace it. Curious about Compliance as a Service and AI integration? This episode is for you: I am joined by Paige Hanson and Brandon Woolf, co-founders of SecureLabs, who discuss not only how AI technology can transform compliance but also how the use of AI systems in Compliance as a Service is set to reshape the regulatory landscape.

Paige Hanson and Brandon Woolf are seasoned cybersecurity professionals. Hanson’s perspective, shaped by her role in developing a national training program for law enforcement and co-founding SecureLabs, emphasizes the importance of integrating security and compliance within organizations to foster a security-first culture and facilitate cross-departmental communication. She envisions a future where advanced AI systems enhance security environments, and she advocates for auditable processes for small to medium-sized enterprises.

Woolf, with his background in diverse cybersecurity roles, advocates for the integration of security and compliance within an organization. He highlights the importance of having a wide range of frameworks available to cater to the diverse needs of different industries and clients and sees a growing trend, especially for SMBs, in compliance as a service due to increasing security threats.

Key Highlights:

  • SecureLabs: Affordable GRC Software for SMB Compliance
  • Enhancing Organizational Culture Through Security Integration
  • Cybersecurity Compliance Benefits through Auditable Processes
  • Compliance Audits: Minimizing Fines Through Documentation
  • AI-driven Compliance Solutions for Enhanced Security

Resources:

Paige Hanson on LinkedIn 

Brandon Woolf on LinkedIn

securelabs.ai

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Innovation in Compliance

Innovation in Compliance – Matt Kunkel and Nick Kathmann on Dynamic GRC Systems with AI-driven Controls

Innovation comes in many forms, and compliance professionals must be ready for and embrace it. Today, I visited with Matt Kunkel, CEO of LogicGate, and Nick Kathmann, CISO at LogicGate, to consider how a dynamic GRC can help drive efficiency, compliance, and profitability.

With a background in business analysis and self-taught coding, Kunkel identified a need for a more comprehensive and user-friendly approach to governance, risk, and compliance (GRC) solutions, leading to the creation of LogicGate. The platform was designed to meet businesses’ evolving needs without requiring constant developer intervention, utilizing a flexible data model and graph database technology for efficiency.

Kathmann, with over 20 years of experience in security and compliance, stresses the importance of industry expertise in delivering effective solutions, focusing on ensuring the platform meets the highest security standards and adapts to changing business requirements seamlessly. Kunkel and Kathmann’s perspectives highlight the crucial role of innovative technology in simplifying GRC processes and addressing the complex regulatory, risk, and compliance needs of organizations.

Key Highlights:

  • Adaptive LogicGate Platform for GRC
  • Harnessing Data for Strategic Compliance Oversight
  • Real-time Risk Optimization for Business Growth
  • Cyber Risk Alignment Between CISO and CEO
  • Executive Level Engagement for Cybersecurity Strategy
  • Tailoring Risk Communication to Stakeholder Priorities
  • Dynamic GRC Systems with AI-driven Controls

Resources:

Matt Kunkel on LinkedIn 

Nick Kathmann on LinkedIn 

LogicGate

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
FCPA Compliance Report

FCPA Compliance Report – Ryan Lougheed on Teamwork and Communication: Lessons from Esports and GRC

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom Fox welcomes Ryan Lougheed, Director of Product Management at Onspring.

Ryan Lougheed has over twelve years of experience in the Governance, Risk, and Compliance (GRC) field and currently serves as Director of Product Management at Onspring, a SaaS GRC and business process automation platform. Drawing from his background in esports, Lougheed believes that teamwork and communication are crucial in both the GRC space and the world of esports. He emphasizes the importance of effective and efficient communication, especially in high-stress situations, and believes that these skills carry over to a compliance-focused career.

In the context of esports, Lougheed explains that communication is vital in a team of five players and that professional esports organizations provide resources such as physical trainers and sports psychologists to support their players’ communication skills. He also notes that the esports industry is evolving, with larger companies creating brands around individual streamers and organizations acting as agents to help grow the streaming culture. Join Tom Fox and Ryan Lougheed on this episode of the FCPA Compliance Report podcast to delve deeper into the importance of teamwork and communication in GRC.

Key Highlights

  • GRC Collaboration and Communication
  • Streamlining compliance with Onspring’s centralized platform
  • Streamlining Communication in High-Stress Compliance Situations
  • Leveraging Esports Skills for GRC Success

Resources

Ryan Lougheed on LinkedIn

Onspring

Tom Fox

Instagram

Facebook

YouTube

Twitter

Categories
Innovation in Compliance

Third-Party Management: A risk-based approach – Part 4: Adam Bailey on Reporting

Welcome to a special five-part podcast series sponsored by Diligent, in which we consider a risk-based approach to third-party risk management. Over the series, I visit with Michael Parker, Director of Advisory and Consulting Services; Stephanie Font, Director of the Optimizations Group; Kairi Isse, Managed Services Group Manager; Adam Bailey, Senior Vice President, Product Management; and Alexander Cotoia of the Volkov Law Group. In this Part 4, I visit with Adam Bailey to look at the role of the Board in risk, audit, compliance, and ESG, and at the reporting from executive teams and GRC practitioners that allows a Board to take risks and seize opportunities.

Bailey has worked to help organizations better manage their risk by providing insight and clarity to boards of directors. He has strived to enable executive teams and GRC practitioners to assess and manage strategic risks, ultimately connecting boards, practitioners, and executives to innovate and drive growth. With the complexity of third-party relationships continuing to grow, companies need to adopt a continuous improvement approach to contend with unforeseen risks. A corporate compliance function is not just nice to have but a must, and a Board needs clear and relevant data to make the best decisions. Organizations need the right tools to ensure that Boards have the visibility to manage their third parties and make informed decisions.


Key Highlights

1. A compliance function must support leaders through its reporting work.
2. Companies can effectively manage third-party risk with a risk-based approach and robust processes.
3. Connecting Board, senior executives, and practitioners together to enable organizations to take risks and innovate is critical.

Notable Quotes

  1. “The key to this effective risk management is truly the follow-up, the ongoing follow-up to ensure that all the controls are in place and, if needed, are changed.”
  2. “Continuous blanket monitoring of all third parties with every risk asset you can think of is just not feasible and probably wouldn’t deliver the outcomes that we need.”
  3. “We know that change is constant, regulators are looking for risk management policies and practices which continually improve and evolve over time.”
  4. “We need robust processes and systems in place to make sure that when you create your third-party profile, it’s screened against sanctions lists, embargo watch lists, et cetera, to provide the rich data that’s there.”

Resources

Adam Bailey on LinkedIn

Check out Diligent’s 3rd party products and services here.

Categories
Blog

Reprioritizing Your Third-Party Risk Management Program -Reporting

Today’s business landscape is becoming increasingly complex and globally interconnected, with the average business now working with over 100 third-party vendors. While this presents a wealth of opportunities, it also brings a range of challenges for boards and GRC professionals alike when it comes to third-party risk management. I recently visited with Diligent’s Senior Vice President of Products, Adam Bailey, on how to tackle these challenges and leverage third-party risk management to identify opportunities and equip boards to take risks, innovate and drive things forward. Here are the five steps to follow to gain that clarity and insight and to enable innovation:

  1. Understand the role of the board in oversight and provide clarity on third-party risk management.
  2. Board review of Codes of Conduct.
  3. Continuous improvement view of risk management.
  4. Utilize real-time data to react to changing times.
  5. Ensure commitment to shared values and ethical cultures.

  1. Understand the role of the Board in oversight

Understanding the role of the Board in oversight and providing clarity on third-party risk management is an essential step in any risk management strategy. Obviously, the Caremark Doctrine is the leading authority which Boards must follow. But beyond oversight that merely meets a legal requirement, businesses should see the business opportunity in creating a process which connects employees, compliance professionals, executives, and boards together seamlessly. This connection enables a culture of continuous improvement that starts at board level and cascades down through the structures of the business. It allows two-way communication between boards and compliance professionals, so that boards can clearly communicate their risk management strategy and expectations.

  2. Board review of Codes of Conduct

A key role for any Board is to review, and refresh if needed, the organization’s Code of Conduct on a regular basis. In third-party risk management this is needed to ensure that third parties are following the company’s established guidelines. A Board should understand the importance of third-party risk management and how to fulfill its oversight role. There should be an enterprise-wide single source of data for every Board to ensure effective governance, risk and compliance. Boards should also be provided with dashboards that allow continuous monitoring of third-party relationships and provide real-time information so the business can react to changing times. Ultimately, companies need to show that their Board is making a good faith effort to address risks by having due diligence processes in place and effective plans to monitor those processes.

  3. Continuous improvement view of risk management

A key role for any Board is to implement a continual improvement view of risk management. This shifts an organization’s focus from a one-time due diligence approach to ongoing, rigorous due diligence designed to identify risk areas and set benchmarks for improvement. This allows a Board to have a clear view of the risks involved and make informed decisions. A two-way dialogue is also important, with data flowing up to the board and actions cascading back down to the compliance team. 

  4. Utilize real-time data to react to changing times

There is probably no more important task for a Board in 2023 than responding to changing times. Covid-19 is obviously still front of mind, but political, geographic, economic and even climate changes are now moving much more quickly. For a Board to provide effective oversight, it must have access to real-time data, from both a regulatory and a business/reputational perspective. All internal stakeholders should be connected through an enterprise-wide single source of all the nonfinancial data required for effective governance, risk, and compliance. Such a platform also provides real-time information so Boards can react quickly, and it adds relevancy and context to the risk data, which helps Boards make informed decisions based on the potential upside and downside of taking on certain risks.

  5. Ensure commitment to ethical values and ethical cultures

It really all does start at the top, and Boards must ensure commitment to ethical values and ethical cultures. Boards should mandate that companies adopt a continual improvement view and embrace not one-and-done due diligence but ongoing monitoring and continuous improvement. Boards should mandate that organizations enforce their commitment to ethical values, ethical cultures, and honest business practices. When it comes to third parties, Boards must understand the risk each third party poses, considering the business in question and the inherent nature of the dealings with that third party. A robust platform also provides real-time information throughout the relationship with the third party, dashboards to monitor third-party information, and a single source of truth for all nonfinancial data. This allows a two-way dialogue between GRC professionals and the board, so that the board has the clearest, most relevant, and most targeted information to inform better decisions.

For more information, on Diligent’s Third-party Risk Management solution, click here.

Listen to Adam Bailey on the podcast series here.

Categories
Innovation in Compliance

Risk Management and Corporate ESG with Dan Zitting

Dan Zitting, previously Chief Product Officer, is now CEO of Galvanize, a software company that helps its clients achieve their goals and objectives. He is also now the Chief Product Officer of Diligent. Tom Fox welcomes him back to this week’s show to take a look back at the GRC professional’s role in corporate ESG and risk management.
GRC On The Frontline
A company’s defenses have to fall within the remit of its GRC professionals, not be left solely to the CSO. Dan remarks that while GRC professionals are engaged in minimizing company cyber risk, more needs to be done. GRC professionals have to ask themselves whether they are managing cyber risk in ways that are helpful to the company’s CSOs, by providing tools and resources to support them. “There’s still work to be done in making sure that everything we’re doing from a policy, controls, and compliance standpoint is actually adding value for the CSO and helping them deploy their programs, as opposed to just feeling like they’re being checked on by the police to see if they’re doing it right,” Dan tells Tom.
 
ESG and Investment
Investor dollars are fueling the growth and expansion of ESG, and they no longer come only from investment funds. Private equity firms and banks are getting involved. If a company wants to borrow money, lenders and insurers now assess its ESG risk as part of their overall risk management strategy. “If companies want to access capital, they need to have an ESG program in place,” Tom remarks.
 
A Role To Play
The best way, Dan suggests, to get GRC professionals to understand the ownership roles they have to play in ESG, is by creating a center of excellence for ESG. By creating this center, and making ESG a business objective, you can then split the responsibilities across the organization. “Splitting the responsibilities across those different lines of defense for those different functions in a way where somebody…can get a combined view of how effective we think we are from an ESG standpoint, should be the goal,” Dan adds. 
 
The Importance of Real-Time Reporting
Real-time reporting is the G in ESG. Being able to give an accurate picture of risk to a company’s board is intrinsic to ESG and is vital to acting on those risks efficiently. “Risk professionals too often are asking ‘Why don’t I have real-time information,’ instead of actually being the one out creating it and bringing in the technical skill necessary to be able to analyze data fast enough to get real-time insight,” Dan says. Governance in the present and future needs to move faster than it has in the past in order to report on risks. Being able to point out to the board when governance is failing, so that measures can be implemented, is also extremely important.
 
Resources
Dan Zitting | LinkedIn | Twitter 
Galvanize
Diligent
 

Categories
Innovation in Compliance

Series Spotlight: Revolutionizing GRC with 6clicks: Part 5 – What’s Next For 6clicks?


Welcome to this special podcast series, Series Spotlight: Revolutionizing GRC with 6clicks, sponsored by 6clicks. This week I have visited with Joe Schorr, Vice President (VP) of Global Channel Sales; Andrew Robinson, co-founder and Chief Information Security Officer; Stephen Walter, head of Marketing; Dr. Heather Buker, Chief Technology Officer; and Ant Stevens, co-founder and Chief Executive Officer. Over the series, we broke down the 6clicks hub-and-spoke approach, the use of Artificial Intelligence (AI) and Machine Learning in governance, risk and compliance (GRC), curating and maintaining robust GRC content, and producing audit-ready reports. Today, in our concluding episode, Part 5, I am joined by 6clicks co-founder Ant Stevens, as we look down the road at what will be next for 6clicks.
Stevens said that 6clicks was founded some two and a half years ago to bring an affordable, accessible and easy-to-use GRC capability to lots of businesses around the world. The second, related mission “was to ensure that the platform was effective in driving productivity gains for both businesses and advisors, advisors such as lawyers, accountants, general business management consultants and business advisors. These goals were achieved through a platform built from the ground up. We thought about GRC, we identified some things that were necessary for us to have in place to compete effectively in the market.”
There are other areas which Stevens believes are necessary to support the next generation of GRC products. 6clicks broke the foundational building blocks down into four areas. The first was functionality that supports the processes related to GRC. The second was content: “audit and assessment templates, risk libraries, policies, and controls sets, standards, rules, and regulations, basically all of the text or the reference points that companies need in order to make that functionality work.”
The third, Stevens said, is AI: “we saw the future and we certainly see the future as having artificial intelligence baked into lots of areas of the products.” This component allows a compliance or GRC professional “to take complex activities or time-consuming activities and make them a lot easier.” The fourth is the 6clicks platform itself, or “what we call a hub and spoke type approach which I know you discussed in Part 1 with Joe Schorr.” This makes the tool quite “useful for multinationals, with lots of divisions, useful for private equity companies, useful for holding companies. These are the four building blocks that 6clicks focuses on and we keep making those things better. That is what creates a foundation for us in terms of innovation.”
We turned specifically to AI. Here Stevens sees the application of AI into two buckets. The first is to help businesses automate or streamline what otherwise would be a complex and time-consuming activity. The second is to identify things in data that even a professional would struggle to do effectively, without the use of some sort of technology. That is what I have called ‘finding patterns in raked leaves.’
Here Stevens turned to Haley, the 6clicks AI engine. Now “Haley helps companies with two major challenges. One is to identify similarity across standards, laws, or regulations that they need to comply with. Most are still doing this manually, using spreadsheets, multiple tabs and feed lookups. There is overlap across multiple jurisdictions around the world which are generally seeking to do similar things. Businesses need to think about that in a unified way. Haley’s first application is identifying similarity across standards, laws or regulations. The second challenge is to take an existing control framework within a company and quickly identify where the gaps are relative to a standard, law or regulation.”
These functions are what compliance and GRC professionals do all the time. While they can do this manually, with Haley “you can do that in seconds. I think the opportunity in the GRC space is to continue to apply artificial intelligence in those sorts of ways. But also to start to think about how we can use artificial intelligence to identify trends in data or insights into data that otherwise would be difficult to identify.” Stevens gave the example of taking incidents and looking for those that might indicate a broader trend or an issue within an organization. Another is understanding the overlap between different risks, so that treatment plans and remediation activities can be more effectively targeted.
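The two Haley use cases Stevens describes, finding overlap across standards and finding the gaps in an existing control set, are at bottom a control-mapping exercise. The following is an added illustration, not 6clicks code and not taken from this page: the two toy standards, their requirement IDs and wording, and the control tags are all constructed here. It infers overlap between two standards from controls that are tagged as evidence for requirements in both (rather than from the text-similarity analysis an AI engine would apply), lists the requirements no control covers, and flags controls that map to nothing in either standard.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Constructed sample data for this illustration only. Requirement IDs, their
# wording, the control titles and the satisfies-mappings are invented here.
STANDARD_A: Dict[str, str] = {
    "A.5.1": "Information security policy approved by management",
    "A.8.1": "Inventory of information assets with assigned owners",
    "A.9.2": "Formal user access provisioning and de-provisioning",
    "A.12.4": "Event logging and protection of log information",
}
STANDARD_B: Dict[str, str] = {
    "B-1": "Written security policy reviewed at least annually",
    "B-2": "Maintained inventory of hardware and software assets",
    "B-3": "Multi-factor authentication for all remote access",
    "B-4": "Audit logs retained and periodically reviewed",
}


@dataclass(frozen=True)
class Control:
    """An implemented control, tagged with the requirement IDs (from any
    standard) that an assessor judged its evidence to satisfy."""
    title: str
    satisfies: FrozenSet[str]


CONTROLS: Dict[str, Control] = {
    "CTL-01": Control("InfoSec policy, board-approved, reviewed annually",
                      frozenset({"A.5.1", "B-1"})),
    "CTL-02": Control("CMDB with a named owner for every asset",
                      frozenset({"A.8.1", "B-2"})),
    "CTL-03": Control("Central log collection with 12-month retention",
                      frozenset({"A.12.4", "B-4"})),
    # Deliberately mapped to nothing: a real control that no requirement claims.
    "CTL-04": Control("Quarterly phishing simulation", frozenset()),
}


def coverage(standard: Dict[str, str],
             controls: Dict[str, Control]) -> Dict[str, Set[str]]:
    """Map every requirement in `standard` to the set of control IDs covering it."""
    cov: Dict[str, Set[str]] = {req: set() for req in standard}
    for ctl_id, ctl in controls.items():
        for req in ctl.satisfies:
            if req in cov:
                cov[req].add(ctl_id)
    return cov


def gaps(standard: Dict[str, str], controls: Dict[str, Control]) -> List[str]:
    """Requirements of `standard` that no implemented control covers."""
    return sorted(req for req, ctls in coverage(standard, controls).items() if not ctls)


def crosswalk(std_a: Dict[str, str], std_b: Dict[str, str],
              controls: Dict[str, Control]) -> List[Tuple[str, str]]:
    """Requirement pairs (one from each standard) satisfied by the same control.
    Two requirements are treated as overlapping when at least one control is
    tagged as evidence for both; this is inference from the control set, not
    from the requirement text."""
    pairs: Set[Tuple[str, str]] = set()
    for ctl in controls.values():
        in_a = [r for r in ctl.satisfies if r in std_a]
        in_b = [r for r in ctl.satisfies if r in std_b]
        pairs.update((a, b) for a in in_a for b in in_b)
    return sorted(pairs)


def orphan_controls(standards: Iterable[Dict[str, str]],
                    controls: Dict[str, Control]) -> List[str]:
    """Controls whose tags hit no requirement in any of the given standards."""
    known = set().union(*standards)
    return sorted(cid for cid, c in controls.items() if not c.satisfies & known)


if __name__ == "__main__":
    print("Gaps vs A:", gaps(STANDARD_A, CONTROLS))
    print("Gaps vs B:", gaps(STANDARD_B, CONTROLS))
    print("Inferred A<->B overlap:", crosswalk(STANDARD_A, STANDARD_B, CONTROLS))
    print("Controls mapped to nothing:", orphan_controls([STANDARD_A, STANDARD_B], CONTROLS))
```

With the constructed data, the gap lists are the access-provisioning and MFA requirements, the three shared controls yield three inferred cross-standard pairs, and the phishing-simulation control surfaces as unmapped, which in practice is a prompt to either tag it or question why it is being run.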
I asked Stevens if he could look down the road a bit and perhaps give us a teaser about what 6clicks might be developing. He said, “it is around our mission focusing on making GRC affordable and accessible for businesses. In the long-term, I think there is much to further automate processes for advisors, and we’re going to focus on that. To me that represents huge opportunity for innovation. We are going to look at tools, techniques to enable GRC professionals to make all of this more of a reality.” Another initiative is what Stevens termed “a marketplace” which can be “tailored by advisors for their clients. What we want to do is take this concept to the next level and allow individuals to seamlessly share, as part of their community, in a crowdsource context, both content and best practices that they have identified within the 6clicks platform and make that available to all the 6clicks users around the world.” Most excitingly for me, Stevens added, “we want to bring that same sort of capability into the world of risk and compliance.”
I concluded by asking Stevens about his innovation philosophy: how do you ensure you hit the mark when there are multiple players in the GRC and wider risk and compliance space? He said, “for us at 6clicks, we have a three horizon model in the way that we think about innovation. The first is to focus, obviously, on the very immediate needs that customers have, things that might not be working the way they expect, to things that could be improved very obviously based on feedback. The second is things in the near term, which is a combination of things that people have told us that they need and things they have expressed some sort of interest in having.” The third and final horizon is a combination of the 6clicks “view of where the opportunity lies in terms of improvement. We strike a balance in being sufficiently bold about the future that we see, but at the same time grounded in it and getting feedback from customers. In this third horizon we think about innovation in the way that we think the world should work, which requires a lot of creativity.”
Stevens ended by relating “we try and get the balance right there. It’s not easy. It’s very tough. But that is the way we think about our engineering philosophy and innovation philosophy. It influences the type of people that we attract or that are keen to work with us. We share that focus of short, medium, long-term thinking.”
For more information on 6clicks, check out their website here.