Innovation in Compliance with Tom Fox

Jordan Domash is Tom Fox’s guest on this week’s episode of the Innovation in Compliance Podcast. Jordan is the General Manager at Relativity, a company that makes software to help users organize their data. The platform is used by more than 180,000 people around the world to identify key issues. Jordan has been leading Relativity’s communications surveillance product for the past few years and has been in charge of the sale and development of the platform. He joins Tom in the first part of this two-part episode to talk about his role at Relativity, data cleansing, and how the Relativity Trace platform helps its customers.The Importance of Data CleansingWith the move to remote work, individuals have come to rely on different sources such as Slack and Microsoft Teams to communicate with one another. Jordan tells Tom that this has led to an explosion in the amount of data that needs to be actively monitored, and that there is a larger need for data cleansing. He shares how Relativity is tackling this issue. “We've spent a lot of energy on the past couple of years answering the problem of how can we sift through all that content, focus specifically on what's risky, and what's relevant to a compliance team with as little review as possible, and really focus on being efficient with our time and actually detecting risks that are important,” Jordan remarks.Prevent Misconduct with Relativity TraceCompliance regulators are very concerned with how companies are preventing misconduct before it occurs. Tom asks Jordan to explain how Relativity Trace can help businesses with this problem. “By having a really effective program, you are setting the expectation that this behavior is not being tolerated at your organization,” Jordan begins. Relativity gives organizations the tools necessary to take action as soon as an incident occurs instead of waiting months, or until there’s a formal investigation. Trace is implemented in a way that’s aligned to the specific organization using it. It starts with a code of conduct, and understanding the risks that are specific to that business. Trace gives compliance teams the ability to enforce that code of conduct, make sure that the risks to the organization are being monitored, and that any violations are being detected quickly.Artificial Intelligence to Prevent MisconductArtificial Intelligence is used in three ways by Relativity Trace: to remove irrelevant content and junk, to pinpoint risk and misconduct and to add context to alerts that have been generated. Relativity has technology that removes spam, industry search reports and content that isn’t generated by a person. It strips out all non-human generated text from the monitoring process so that compliance individuals can only focus on the content that is potentially risky. “We bring the three or four or five most relevant communications to that alert to the forefront so the compliance officer can really focus on what the system is saying is the most relevant,” Jordan tells Tom. The Risk of Unstructured DataUnstructured data is the majority of data that lives in a company that has no hierarchy associated with it. Unstructured data comes in many forms and poses a problem for professionals because it makes it hard to search across an entire system. This type of data requires a different set of technology. A lot of suspicious items may be hiding in unstructured data, and this poses a challenge to compliance officers. It will be hard for them to search for information on specific individuals if the majority of that information is hiding in the unstructured data. Organizations should be conscious of where unstructured data lives, and should have processes that can look for hidden risks and remediate them. ResourcesJordan Domash | LinkedIn Relativity

Welcome to this special podcast series, Series Spotlight: Revolutionizing GRC with 6clicks, sponsored by 6clicks. This week I visit with Joe Schorr, Vice President (VP) of Global Channel Sales, Andrew Robinson, co-founder and Chief Information Security Officer, Stephen Walter, head of Marketing, Dr. Heather Buker, Chief Technology Officer, and Ant Stevens, co-founder and Chief Executive Officer. Over the series, we will break down 6ckicks Hub and Spoke approach, utilizing Artificial Intelligence (AI) and Machine Learning in governance, risk and compliance (GRC), curating and maintaining a robust GRC content, producing audit ready reports, and look at what’s next for 6clicks down the road. In Part 1, I am joined by Joe Schorr on Managing a Multi-Entity GRC Architecture with 6clicks Hub and Spoke.Schorr handles global channels, which encompasses service provider partners and technology partners and the traditional channel resale role. We turned to the ‘hub and spoke’ model which 6clicks advocates. He said that 6clicks pioneered the evolution from a multi-tenant or federated approach of GRC architecture to hub and spoke model. The difference is that in a multi-tenant or federated approach it is seen as much more vertical or up and down the chain. But the hub and spoke is “just like with airline travel, back in the old days of networking, where we had hubs, routers and switches and the computers all hooked to a hub.”Moreover, the hub and spoke approach facilitates a GRC conversation with a wide variety of people. This could include compliance professionals, lawyers, other non-technical folks at the C-suite or executive level and certainly in the Board level and everywhere in between. It helps to define everyone’s role in the GRC and broader risk management process. Schorr said, “That’s beauty of it because you can craft it. For instance, in a Private Equity company with multiple portfolio companies, there is much sensitive information and, not everybody in every portfolio company needs to see what’s going on in every other portfolio company. This approach allows an organization to segregate all that data yet allows you the freedom to utilize the information you want to as access control is built into the architecture.”  We continued on the example of the private equity firm with multiple portfolio companies, which are sometimes in the same industry, but sometimes not. There is always a wide variety of data and disparate sources of data that you have to pull in. This disparate data has to be collected, in a manner that can be utilized by the private equity firm, the corporate office, whatever the hub might be. However, the stakeholders, corporate subsidiaries or portfolio companies at the end of the spoke might need that data to make tactical if not strategic decisions. Next, overlay reporting to senior management and then a Board of Directors, all in a changing regulatory environment. This hub and spoke architecture can be an incredibly powerful way to collect and utilize data. Schorr explained, “if you are hired to do a risk assessment against 200 portfolio companies, you have a massive set of risk data in all kinds of different things. You have collected data; you have interviews, you have done vulnerability scanning, you’ve done risk assessments, third party risk assessments, vendor assessments, everything you could possibly imagine. That is all rolled up collected somewhere and a bunch of smart people look at it and we’re all trying to grade it and do things manually and push it around. And at the end of the day, just like you said, this is really important.”  Join us tomorrow where we take up utilizing machine learning and AI in your GRC practice with Andrew Robinson, 6clicks co-founder and Chief Information and Security Officer. For more information on 6clicks, check out their website here. 

Troy Fine is Tom Fox’s guest on this week’s episode of the Innovation in Compliance Podcast. He is the Senior Manager of Cybersecurity Risk Management and Compliance at Drata. Troy joins Tom to talk about data security, data protection, and risk management.Internal and External AuditingAuditing is external and internal. External auditing entails third parties coming in to assess a company's controls, security frameworks, and determining if they meet compliance requirements. Internal auditing involves people who work directly for the company they are assessing. They are a lot more involved with the business, and understand the requirements of the business better, so they take a more collaborative approach. Internal audit identifies the gaps within the organization, so the business can remedy them quickly, and so that the business can be prepared for an external audit. Troy points out that sometimes internal audit would assist external audit, with external audit relying on the testing that internal already performed. How Drata Scales Your CompanyIntegrity and trust are the core ethos of Drata. "We built this product so that our customers can prove to their customers that they could have trust in their data security," Troy tells Tom. Currently, the company has over fifty integrations that they can pull data and test from, as well as many new frameworks. What this means is that as Drata's customers get their own customers and more requests for compliance, Drata will be able to support them through additional controls. Customers and clients are able to create a more secure environment in their organizations and meet their compliance standards at the same time. Drata allows customers to manage their control environment via continuous monitoring. When an auditor comes in to assess, they can see the control operated over a long period of time.Assessing Third-Party RiskWithin the Drata platform, there is a vendor management page where customers can start monitoring their vendors. Customers can rank them from low to medium to high risk. For medium- and high-risk vendors, customers can log and track how well those vendors are meeting security requirements. "Part of our control testing is to check if the customer is monitoring their vendors appropriately," Troy remarks. "We want to make sure they're also monitoring their vendors, so we provide them a template that allows them to make sure that we're viewing the SOC 2 reports appropriately, and identifying any risk or end-user controls that they need to perform."Zero TrustTom asks Troy what companies need to be thinking about in terms of cybersecurity in the coming years. "A big area to focus on is going to be this idea of Zero Trust," Troy says. A greater emphasis on verification, based on location, customer behavior, or just a change in general, is going to be seen in the not too distant future. "As the workforce becomes more remote, the idea that somebody behind the keyboard is not the same person that was in your office is becoming a bigger question," he adds. Implementing Zero Trust frameworks is going to become more important.ResourcesTroy Fine | LinkedIn Drata

Dan Sholler is Tom Fox’s guest on this week’s episode of the Innovation in Compliance Podcast. He is the Software Product Marketing Leader at Exterro, an organization that creates software that helps clients address regulatory, compliance, and litigation risks at affordable costs. Dan joins Tom to talk about the work Exterro is doing in the realms of compliance risk governance.The Evolution of ExterroExterro has adapted its ability to measure its results more easily, as well as test alternative approaches. Dan explains to Tom that they can test alternative messages, as well as alternative means of delivering those messages. Technology can be used to drive some of the communication to make that initiative work. The Importance of Plan Sponsor AuditsPlan sponsor audits are significant because it’s a universal change in regulatory posture. This affects how compliance professionals need to think about their responsibilities. In the past, regulatory agencies would use a checklist for compliance personnel on compliance activities. They were more concerned with the end report. These audits shift the focus from the report ability of the compliance professional to the details of implementation that the compliance professional uses. These audits want detailed proof. In Lieu of Cyber Incident"When people think about cybersecurity, the first thought that comes to mind obviously is prevention," Dan remarks. The last few years have seen the escalation in cyber and ransomware attacks. It has also demonstrated that no amount of prevention is going to be good enough to limit the impact of those incidents. It’s not a matter of if, but when. The way compliance professionals limit that impact is a big part of what needs to be done from the cyber security perspective. "No one needs to respond to a [cybersecurity] incident in a technical sense," Dan says. What needs to be done instead, is to isolate whatever has happened within that environment and gather the relevant evidence in order to potentially catch the perpetrators. Business continuity also needs to be established, and the systems need to be brought back up as quickly as possible. Regulators will be looking at how tightly coordinated an organization's incident response plans are.Legal GRCLegal GRC is the governance risk and compliance activities that affect the legal and compliance organizations. Various operational activities have their own GRC and they are specific to those organizations, not a part of overall corporate governance. Dan tells Tom that Exterro is looking to bring together governance risk and compliance activities and its implementations into a single platform. This will make risk, controls, and implementation of those controls visible. This is important because there is a great deal of common processes that are cross-functional within legal and compliance.What's NextDan tells Tom that in the future it will be commonplace for GRC subsets that focus not only on GRC but also on the implementation of its controls. It's not just going to be about compliance with regulation, but also compliance with the policy. ResourcesDan Sholler | LinkedIn | TwitterExterro

This week’s guest is Lindsay Sweeney, Senior Manager of Communications at K2 Integrity, a risk, compliance, investigations, and monitoring firm. She graduated with degrees in journalism and history and was convinced that her career would be in either of those industries. However, she started working in a small shop whose clients were mostly associated with fintech; she would eventually join K2 Integrity. She joins Tom Fox to discuss how you can use social media and communications to drive home internal messages and get your message and brand out to your clients, customers, and the compliance community. At K2Within her first six months at K2 Integrity, the company expanded their presence in the media with a major financial crimes practice and merged with a financial integrity network in DC. From there, they kicked off a rebrand, which was both challenging and easier to do remotely due to the pandemic. She tells Tom, “It wasn't just a matter of changing our name in certain places,” she shares. “It was a matter of resetting how we think about ourselves and how we talk about ourselves, not just to clients, but also how we position ourselves internally.” Surprise!Tom asks Lindsay what the biggest surprises she’s had were like. “I don't know if [it was] a big surprise or more like little surprises along the way, but I've come to realize one as a communicator there is no such thing as overcommunication,” she responds. “Keeping people in the loop is not just beneficial for making sure that everyone knows where the steps are along the way, but you're going to get a different perspective from someone… that's going to change the way you do things… maybe you'll find a new way to do something that you wouldn't have previously thought of.”The Evolution of Content MarketingLindsay believes that personalization and targeted information in content marketing is going to become bigger; it was already in the works, but the pandemic has accelerated the process. Additionally, there will be increased focus on bite-sized content to accommodate the attention span of people at home.ResourcesLindsay Sweeney on LinkedIn

Amii Barnard-Bahn, C-Suite Coach and Consultant, is Tom Fox’s guest on this week’s episode of the Innovation in Compliance Podcast. She is a compliance professional, an author, and a key speaker. Amii joins Tom to talk about her new book, The PI Guidebook: How the Promotability Index® Can Help You Get Ahead in Your Career, and how leaders can create a healthier workplace environment for their employees.How The PI Guidebook Helps Workplace CulturesAmii is a firm believer in the concept of radical self-reliance, especially in your career. She is a big advocate for employees learning how to own their jobs and thinking of their responsibilities surrounding their careers differently. Amii has created a framework within the PI Guidebook that helps them with this, and she has divided the framework into five key elements: self-awareness, external awareness, strategic thinking, thought leadership, and executive presence. Becoming efficient in these disciplines will go a long way at keeping you from becoming expendable. "You do these things [and] you're going to keep your career title, would be the best in that role, and you'll always be needed," Amii tells Tom.Who Can Use This Guide?Amii's Guidebook is applicable to anyone who wishes to start the process of their own self-assessment. Use it for yourself to grow a leader mindset; it can also help individuals in nonprofits or governments understand their client's perspectives, as well as how companies and organizations work. Young people reading the Guidebook will find advice that Amii wishes she had when she was their age. One key piece of advice she shares is how important networking is to your professional relationships. "What matters is 'do you play nice with others'," she stresses.The Need for The PI GuidebookAmii is certified in a range of assessments, but she found over time that there wasn't any assessment on the market that put control in the individual person's hands regarding their own self-development. The assessments do not give companies any ability in helping their employees in an impactful way. She created the PI Guidebook to counteract that. "It's much more powerful if you can evoke people's self-inquiry and curiosity about their own development," she remarks. Her guidebook helps create a dialogue between employer and employee. The employee can self-assess and the employer can say what else the employee may need to work on. It builds a rapport between them. Starting The Promotion ConversationTom asks Amii to give tips on employees asking for promotions Amii advises never bringing up promotions when your manager is sharing your performance review. Picking a quiet time when they are relaxed or want to chat is better. It's especially important to give them a heads up that you wish to speak with them and what you wish to speak about. Talk about projects that you might be interested in working on and express a desire at wanting to take on new challenges within the organization. ResourcesAmii Barnard-Bahn | LinkedIn | TwitterThe PI Guidebook

Debbie Mrzaek, President of The Sales Company, is Tom Fox’s guest on this week’s episode of the Innovation in Compliance Podcast. She has spent her career helping individuals and companies around the world as a sales consultant helping them develop good customer relationships. Debbie joins Tom to talk about sales processes and what compliance professionals can learn from sales personnel. Active Listening and Communication: The Key To Success in SalesActive listening is the key to success in sales, as the sales process is all about communication. Knowing when to speak and when to be quiet is vital, Debbie stresses: “If you’re talking more than 60% of the time, shut up. You’re not learning anything; you’re not getting any new information.” Learning to ask open-ended questions and allowing the other person to do most of the talking will go a long way. Anyone can learn the skills of a salesman, and you don’t have to be extroverted or a social butterfly to be successful in sales. All you need to do is be able to carry conversations and have genuine care for your clients. A Proper Sales ForecastA proper sales forecast isn’t one that’s done only once a year, but rather every day. Done this way, it drives the sales process further and also improves time management. Sales professionals can see at any point where they did well or where they went wrong. “Tackling the numbers, really understanding what they are, keeping up with them every single day, and knowing where you stand...and where you have shortcomings [can help immensely],” Debbie says. Tom adds that assessing your risk, and assessing them annually, as well as monitoring them and then adjusting your risk strategy where needed is also important.  Relationships are KeyThe traditional sales model has the sales professional go out and acquire the potential client then turn them over to the inside sales customer. This approach, Debbie remarks, has its flaws because the relationship the sales professional built with the client ends up being tossed over to a stranger. Relationships are a key part about sales. “We want to establish relationships where people can come back to us again and again,” Debbie says. She talks about the third sales model which she calls the flexible sales process. In this model, the sales professional acquires the client but gets to maintain the relationship whilst working closely with the inside customer service people. Everyone in the sales department is working together as opposed to individual silos with poor communication. Improving Your Sales ModelFor individuals established in business, improving the sales model will follow the lines of assessing what’s already been done in the sales department. It involves asking yourself questions like how long it took to close an opportunity with a client and whether or not that client has bought from you more than once. Sales personnel can then use that information when they’re forecasting what they want to do in the future. Tom remarks that these concepts are applicable for in-house compliance professionals as well. The Impact of COVID-19 and What’s NextThe pandemic has impacted the approach to sales, Debbie tells Tom. Going forward, people will decide how they want to connect and communicate with sales professionals, whether in-person, virtually, or a hybrid of both. Debbie stresses that sales professionals have to have conversations with each prospect about this because they need to know what their clients want. Sales in the future will continue to see more innovation with respect to technology and the availability of data. Salespeople are going to learn how to use data like AI. She also believes that these kinds of technologies will be more user-friendly in the coming years. *Check out Smarsh Advance, which will be held on November 9th. For information or to register, click here.* ResourcesDebbie Mrazek | LinkedIn | TwitterThe Sales Company 

Tom Fox welcomes back Alexander Dill on this week’s episode of the Innovation in Compliance Podcast. Alexander is a lecturer at UCLA, as well as an author and advisor, specializing in financial regulation, risk management, and compliance. Alexander and Tom talk about anti-money laundering and the key problems compliance professionals encounter.The Importance of Compliance Ratings Compliance SystemsCompliance rating systems were created to measure accuracy and integrity. After the events of Enron and WorldCom, there was a general criticism of credit rating agencies. Moody's Investors Service, where Alexander spent a considerable amount of time working, got a great deal of that criticism due to the organization's poor ratings performance and its lack of fraud rating. Moody's wanted to continue to self-regulate as opposed to being regulated by the global regulators, and so the creation of these compliance systems helped with that. Alexander explains that the initial work that was done with respect to the ratings systems, helped lay the foundation for compliance when it became heavily regulated after the financial crisis of Dodd Frank.The Compliance RegulatorsTom asks Alexander to explain the different types of regulators and what OFAC is. The main regulator for compliance is FinCen, which is the Financial Crimes Enforcement Network. FinCen is the primary rule making authority but delegates supervisory and examination authority to other agencies. Alexander goes on to list the other regulatory agencies. The regulatory agencies overlap, however the conflict that arises is that their objectives often do not align. "Banking agencies are focused on safety and soundness, and the law enforcement authorities spearheaded by FinCen focus on the law enforcement objective, so those don't always come together in a uniform manner," Alexander remarks. The Role of Corporate Governance and Risk ManagementThe main role of corporate governance in anti-money laundering is to maximize shareholder welfare. Corporate governance systems are designed to protect franchise value. The systems cover all material risks that arise from conflicts of interest within agencies. Risk management is important to anti-money laundering as it is a component of corporate governance. Alexander stresses that the risk management function should fit into the corporate governance framework to be effective.COVID-19 and BeyondThe pandemic has impacted the field of anti-money laundering and compliance in many ways, but perhaps the most notable way is that it enhanced fraudulent schemes. With a great deal of the world's population migrating online, it opened up the pathway for various cyber attacks and cyber related crimes. COVID-19 unfortunately created various opportunities for people to exploit online platforms. Alexander hoped that in the future the Anti-Money Laundering Act that was introduced last year 2020, will begin to bear fruit and that red tech innovation and machine learning will help to curb these issues. ResourcesAlexander Dill | LinkedIn | TwitterCheck out Professor Dill's book, Anti-Money Laundering Regulation and Compliance here.  

Cecilia Akuffo is Tom Fox’s guest on this week’s episode of the Innovation in Compliance Podcast. Cecilia is a Talent Acquisition Partner who has extensive experience in management, interviewing, recruiting, and social media. Cecilia works in the higher education industry as a Tech Recruiter. She joins Tom to talk about her career, workplace dignity, and what she is looking forward to in the future.Setting The Tone in Talent AcquisitionTalent acquisition communications training is crucial in the compliance context because that's where it all starts, Cecilia points out. The first time you look at someone's resume, or the first time you have an interaction with them in the talent acquisition process, you can start to convey your company's values, culture, and expectations. Doing recruiting right sets the tone at the beginning for how you expect individuals to comply within your organization. The Evolution of Talent AcquisitionThe main evolution in the world of talent acquisition is that it is its own entity within organizations. In the past, recruitment was not seen as much of a big priority, and companies did not actively invest in that part of their organization. Now, talent acquisition has multiple departments, and companies have recognized the need to focus on getting talent for their organizations.Workplace Dignity Tom asks Cecilia to talk about her podcast, and why workplace fairness and dignity is important. Cecilia explains that she wanted to highlight companies that normalized their employees coming to work in exchange for a paycheck, but not accepting abuse as part of the package. The companies that perform the best are the ones where the employees feel that the executives reflect the values that they expect of their workers. When fairness is emphasized, a healthy work environment is established.Diversity and InclusionAlong with an emphasis on dignity and fairness, companies need to have diversity and inclusion. Diversity is being invited, and inclusion is valuing whatever contribution you have to offer. "Inclusion is not just having people at a certain level speak… It's also inviting other voices, including those that may not have the same kind of power," Cecilia says. Give everyone an opportunity to have their voice and contribution be seen and heard.What's NextTom asks Cecilia what is her vision for the podcast network and for talent acquisition. "The most important thing driving me is related to workplace fairness and dignity," she begins. There are many podcasts that focus on diversity and inclusion but not enough that focus on what is truly happening in the working world. Cecilia wants to focus on workplace dignity to bring more attention to the issue.  ResourcesCecilia Akuffo | LinkedIn | TwitterWorkplace Fairness and Dignity

Welcome to this special podcast series, Integrity Matters: Culture, Training and Compliance, sponsored by K2 Integrity. This week I visit with Koby Bambilia, Managing Director, and Tina Rampino, Associate Managing Director. Over the series we have broken down corporate culture, compliance training and communications. Topics included breaking down the big picture on culture, espresso shots of training, skills development and regulatory changes, tailored and risked based training and operational aspects of training. In this concluding Part 5, I am joined again by Tina Rampino who reviews key operational aspects of training, including budget, delivery and more.We began with a discussion of one of the most critical issues around compliance training, but one I believe does not get nearly enough discussion in the compliance community, that being the issue of budgeting. During times of economic stress compliance training budgets are often tightened. Rampino believes this approach needs to be avoided. The reason is straight forward, “investing in training and professional development for employees can save money in the long-run, both operationally and when it comes to regulatory requirements. An institution’s greatest asset is their employees and especially when you’re entrusting them to protect your institution from risk.”This means that if you are providing employees with ongoing training to assist them to continuously refine their knowledge and skills; it will also keep them engaged and incentivized to take compliance more seriously. Moreover, as Rampino noted, “developing and retaining employees is beneficial to financial institutions in the long-run and demonstrates sustainability within the compliance program.” Instead of cutting back on training budgets in general, institutions should assess the training needs as they align with the greatest risk and find ways to deliver the most targeted and relevant training across the enterprise. Rampino advocates several different styles of compliance training. These include, having a “balance of online/in-person training; including independent or self-guided training; as well as hands on training with an instructor.”We concluded with Rampino’s thoughts on regulatory expectations around compliance training. She believes, “Regulators are more interested than ever in seeing that an institution is investing in a sustainable, scalable, and dynamic training program. They want to know that an institution understands their risks and that it demonstrates that with the training that is provided to their employees. Regulators are expecting more targeted and role-based training offerings and that the content is evolving as the risks evolve.”K2 Integrity has developed an online training platform and resource center, Dedicated Online Financial Integrity Network (DOLFIN), to help clients with their training requirements and provide more diverse options for training content and modalities. Find out more about DOLFIN here. For more information on K2 Integrity click here.