Innovation in Compliance with Tom Fox

Welcome to a special six-part podcast series, sponsored by Exiger, on the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed by Exiger to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity. In this episode, I visit with Laura Tulchin, ESG Solutions Lead and Peter Jackson, ESG Solutions Lead and Peter Jackson - Director of SCRM Data Management & Innovation on assessing your current risks.Highlights include: A is for assessing risks. What is the ESG angle? Why is the maturity of your program critical? How do you put this into practice? Source provenance and authentic markers. ResourcesExiger TRADES FrameworkExiger WebsiteLaura TulchinPeter Jackson

Welcome to a special six-part podcast series, sponsored by Exiger, on the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed by Exiger to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity. In this episode, I visit with Theresa Campobasso, Senior Account Manager, National Security and Intelligence and Matt Hayden, Deputy Lead of GovTech Solutions (Former Assistant Secretary of Homeland Security for Cyber, Infrastructure, Risk, and Resilience) on risk methodology.Highlights Include: R is for Risk Methodology. Look at risk from multiple levels. Determining your Crown Jewels. Look at Macro Risks. Join us in our next episode where we discuss how to assess current risks with Laura Tulchin and Peter Jackson.ResourcesExiger TRADES FrameworkExiger WebsiteTheresa CampobassoMatt Hayden

Dan Zitting, previously Chief Product Officer, now holds the title of CEO at Galvanize, a software company that helps its clients achieve their goals and objectives. Tom Fox welcomes him back to this week’s show to talk about fraud risks, and what it means for the compliance professional.A Period of ChangeRapid change during the pandemic is the main catalyst for the increase in fraud. The move to remote work created new susceptibility to cyber fraud. “The pandemic and the news, and noise created around it, created all kinds of new ways for clever social engineers to talk people into doing things they shouldn't be doing,” Dan explains to Tom. It’s important for GRC professionals to be aware of and ready for change, he adds. We have to realize that change has sped up and will continue to do so in the business environment, regulatory environment, and social justice areas. The rate at which change will increase will be much greater in the future than it has been in the past.Choosing The Right TechnologyChoosing the right technology to support anti-fraud programs is important. GRC professionals have to shift controls and assess risk fast enough to deal with all the changes that are occurring around them. Having the proper technology on hand can help make their jobs easier. “A lot of technology is effectively built around manually filling out forms, and creating workflows between people to capture risk or assess risk or evaluate controls, and that is just far too slow-moving,” Dan remarks. We need to create automation primarily from data and technology that can evaluate very quickly. We also need to be able to leverage machine learning which will help us identify data that we might not have otherwise known.  Fraud as a Bigger Focus & The Importance of GovernanceHow fraud connects to the broader array of cybersecurity risks makes it a major focus for CEOs and senior executives. Leaders are seeking to learn more and educate themselves on how compliance officials are analyzing and monitoring the risks, something that was not done as often in the past. Interest in governance within the compliance sector is also gaining headway. Dan explains to Tom that organizations need to have overarching governance strategies that dictate how they look at the incoming risks to the business. ResourcesDan Zitting | LinkedIn | Twitter Galvanize

Discover the importance of transparency in third-party and supply chain risk management, including understanding inherent and imposed risks. Learn about the three levels of strategic, program, and entry elements in risk management. Join experts as they discuss how Exiger's TRADES Framework revolutionizes risk management in 2021.

Tracy Manning is the Director of Financial Crime at LexisNexis Risk Solutions, and is Tom Fox's guest this week on this episode of the Innovation In Compliance Podcast. She is a digital identity and financial crime expert, and currently leads the Commercial Strategy and Product Innovation for Financial Crime Market at LexisNexis. In this episode, Tracy and Tom are discussing the growth of digital transactions in the past year and what issues it may pose for compliance.The Growth of Digital TransformationTracy remarks that the pandemic spurred digital growth, especially digital transactions. Digital commerce grew 44% last year, and its rate of acceleration is about five to seven years ahead. She adds that surveys show that these trends will not reverse, even as the world reverts to pre-pandemic environments. Greater the Explosion, Greater the Risk “With this explosion obviously we have greater opportunities, but I think perhaps greater risk,” Tracy says. While the vast growth of digital transformations is a plus and makes for greater opportunities for companies with respect to data, it also poses greater risks. Criminals have found new ways and schemes for evading financial crime control. Tracy explains key ways they leverage the anonymity of these faceless transactions. She adds that the onus is on companies to protect consumer data from these bad actors.Key Questions & GuidanceNow that businesses are physically reopening, Tom asks Tracy to share some advice LexisNexis gives to companies. Tracy explains that companies are stumped on how they can transform their processes to better identify financial crime risk, create better customer experiences, and meet the emerging regulatory requirements. She adds that the most important challenge companies seek help with is achieving all these simultaneously. LexisNexis counsels these companies to keep their eyes on recent enforcement and newly published guidance due to the emergence of new threat schemes. It’s also important for companies to have a tool that can effectively meet regulatory demands, which can also create an improved customer experience. “Looking at digital identity is very, very critical...Digital evasion requires digital solutions,” she tells Tom. What’s NextAs digital transactions evolve, Tracy stresses that companies need to evolve their compliance for this new digital normal by applying additional layers of digital identity intelligence within their organizations in a multi-layered approach. “An additional layer of digital identity intelligence is absolutely key to optimizing the customer experience...It can potentially allow you to identify good trusted customers and expedite their experience,” Tracy tells Tom. She adds that to fight financial crime, as well as having an additional layer of digital identity, companies need to have networks of their own. ResourcesTracy Manning | LinkedIn | Twitter

David Carns is the Chief Revenue Officer at Casepoint LLC, an eDiscovery platform for the artificial intelligence space. He is an attorney and technologist who has always been fascinated by the intersection between law and technology. Tom Fox welcomes him to this week’s show as they talk about his current role at Casepoint, the evolution of eDiscovery, and what it means for compliance and compliance professionals.How Casepoint Has EvolvedCasepoint was initially focused on law firms but, as David explains to Tom, their expertise and knowledge on legal techniques are now spread out to all sectors and segments in the legal industry. The platform of Casepoint has also evolved from consultancy to predominantly software. Its legal discovery platform has moved beyond eDiscovery towards more of a development environment that supports legal workflows. “What Casepoint has become, is for many people a repository of either discovery ready data or data around internal investigations ...it has expanded quite a bit beyond just eDiscovery and its document management for a variety of use cases that we find today,” David tells Tom.Subject Access RequestsThe main challenge with respect to data discovery in Europe is subject access requests. “Companies or individuals don’t necessarily want to avail themselves or their data to US jurisdiction,” David remarks. There is a strong interest in having data centers based in Europe, he adds, along with a desire from European-based companies to use those data centers. There is, however, a concern from people within the EU about the privacy implications surrounding such a move. The Shift to Cloud-Based TechnologyThe pandemic transitioned the global working environment to a remote one. With this, came the boost in the adoption of cloud-based technology. David explains to Tom that cloud-based tech has its advantages over on-premise tech in three major ways: convenience, efficiency, and its ability to quickly implement machine learning. It’s much easier for Casepoint to adopt cloud-based applications, and cloud-based tech passively applies machine learning from documents and provides feedback to the appropriate users. For all these reasons, it’s no wonder cloud-based tech was adopted and embraced so quickly during the work-from-home period, and it’s also why it won’t be going away even after we return to the regular work environment, David points out. He predicts that the technology will most likely be used in a hybrid way in the future. Looking To The FutureTom asks David what compliance professionals, lawyers, and firms need to be thinking about when it comes to eDiscovery, and data management in the future. David advises that companies and corporations should pay very close attention and keep a handle on all the locations of their data. “If there are only references to URLs or data identifiers, are we making sure that that data is being collected and preserved in a way that can be used for future investigations, litigated matters, jurisdictional issues, those sorts of things?” he argues.ResourcesDavis Carns | LinkedIn | Twitter 

Brad Moore, the President and CEO of Global Cannabis Applications Corp, started his career in marketing, working at Kodak, where he got an exceptional education in how to sell. His company is creating innovative strategies and solutions in the cannabis space. Always someone to be on the cutting edge of technology. He and Tom are discussing blockchain technology, navigating an industry without nearly enough data, and helping end-users make the best possible decisions.Push-Pull EducationBrand and brand awareness is how you “cross the chasm” between an idea and the market. In his current industry, there is a cultivator at one end and a consumer at another, but the data and understanding that should help regulatory bodies facilitate communication between the two aren’t available. This means there is a lot of work that has to be done in education. It’s using a push-pull strategy to provide the education required to do certain things or communicate certain things, and that’s the pull strategy – the education, and that is what is going to get the company over the chasm.Unique ChallengesOne of the challenges Brad faces in his company is the huge variances that can occur between plant to plant. It’s not like a formulation that goes into a pill or a vaccine, so the different regulatory bodies have had to make decisions about how to tax and regulate it. To make their products available, they have to abide by rules made by people who don’t have all of the data. Brad is using innovative technologies to try and change that. Advocacy for patients informs a lot of his work, particularly making sure that end users have all of the information that they need to make informed decisions.The Importance of Branding.He talked about the Brand “Citizen Green” and what it needed to do for the company and for the market. He makes the comparison to a parent company and its subsidiary brands. Ultimately it means one thing, however, which is better outcomes for medical cannabis patients – Citizen Green, that is what it means.   Process-Driven ApproachTom asked Brad about the process-driven approach used at GCAC, and Brad describes the different stakeholders involved in the company and the industry as a whole, and how he spent a great deal of time learning from different countries and how they arrange different processes in the industry. This is how they started to identify areas for improvement and innovation. He is now using blockchain technology to help consumers learn about products – which also helps suppliers and retailers get the information they need to provide good service and better products. Thanks to Blockchain technology, there are now user experience data attached to every gram of product, which is critical because plants change.Partnerships and Looking to the FutureJeffrey Hayzlett, who Brad first worked with at Kodak has taken a role as chairman of the board at GCAC, and Brad explains how their partnership has evolved over time. This kind of good working relationship with experts is important during uncertain times. Brad goes on to talk about how the blockchain basis of the company has been valuable during the pandemic. He believes that the blockchain mechanism he is using to solve problems in the cannabis industry is going to be very broadly applicable to any business dealing with consumables, or that otherwise deal with a lot of variance in their products.ResourcesBrad Moore on LinkedInCannappscorp.com  // Info@Cannappscopr.com CitizenGreen.io

Tom Fox’s guest on Day 5 of Microsoft Week is Jesus Fernandez. Jesus is the Senior Program Manager at Microsoft. He specializes in data intelligence, risk management, and policy compliance. He joins Tom to talk about his role at Microsoft, data analytics, and its role in compliance, and the future for this industry.Driving Compliance Through Data AnalyticsTom asks Jesus to explain how he uses data in compliance. Jesus tells Tom that Microsoft uses data to decide which partners to keep conducting business with. Deciding which partners need support and where the company needs to focus its energy is vital, and analyzing the data helps them make those important decisions. Tom remarks that Jesus and his team not only use data analytics to drive compliance but to also help businesses run more efficiently. Data From a Compliance PerspectiveTom asks Jesus to give an example as to how data analytics has helped improve operations at Microsoft. Jesus responds that it started from looking at data from a compliance perspective: examining deals with Microsoft clients that were suspicious, and paying more attention to them specifically. From that, Jesus explains that he and his team looked at the market of each of the countries in which Microsoft conducts business, to see how it was doing and if there were any deviations from the norm. "We want to look at them - at the partner and the customer ecosystem - and try to see which partners are doing great, which ones are not doing that well and try to connect why those activities could be," he tells Tom.The Impact of COVID-19 on Digital & Data Analytics in ComplianceThe pandemic has helped Microsoft teams to be more comfortable with the use of data analytics. The challenge with this, Jesus explains, is that companies may not be initially receptive to changes in their processes, especially if they have their own data processes that are working well for them. Due to the pandemic, employees are using more technology and are more willing to look at data and improve the way that they are working, based on the feedback they get.What’s NextCompanies and compliance functions need to rely on more data in the coming years. Jesus adds that experts within our organizations need to be thinking about how data helped them answer some of the questions they may have had. One of the challenges companies will face in the future is that their data may be disconnected or without structure. Listen here to Microsoft Week episode 1, featuring Alan Gibson, Director of Legal and Compliance Innovation at Microsoft.Listen here to Microsoft Week episode 2, featuring Abbas Kudrati, Chief Cybersecurity Advisor for Microsoft Asia’s Enterprise Cybersecurity Group.Listen here to Microsoft Week episode 3, featuring Joseph Davis, Microsoft’s Chief Security Advisor for Health and Life Sciences.Listen here to Microsoft Week episode 4, featuring Erica Toelle, Senior Product Marketing Manager for Records Management and InfoGov.ResourcesJesus Fernandez | LinkedIn Anti-Corruption Technology Solutions

Tom Fox’s guest on this episode of the Innovation in Compliance podcast is Erica Toelle. Erica is the Senior Product Marketing Manager for Records Management and InfoGov at Microsoft. As a long-time member of the Microsoft community, she has been dedicated to growing the information governance and records management business and listening to customers and partners to make solutions better. Erica joins Tom to talk about her role at Microsoft, and how the info governance and record management space will evolve in the near future.Improving OperationsErica loves to help companies improve their operations using technology. It's interesting to work with an organization's compliance experts and help to translate their requirements into Microsoft technology, she tells Tom. “The pace of change in technology has been fast the last 20 years and there are often better ways of doing things, but you have to balance doing things the best way with disrupting productivity and business through change,” she remarks. She argues that it’s better to use a solution that everyone finds easy to use but only has 80% of the desired features, than one that has 100% of the desired functionality but which no one wants to use. “As the compliance person, if you make a solution that's too hard to use because it's your ultimate compliance dream, people are going to use their company credit card to buy a different cloud subscription….or figure out how to share files with people outside the company,” she says.Translating Microsoft Offerings To Solve Compliance NeedsThe main issue Erica sees with respect to translating Microsoft offerings to solve compliance needs is that there aren't clearly defined roles and responsibilities in the organization. “In order to really create a good offering around any of the compliance tools, you have to get the business decision-makers and the business experts together with IT, and then figure out how you want to work together and divide those roles and responsibilities,” she comments.What’s NextThe records management industry needs to shift its thinking to a more electronic approach. In the coming years, we’re going to see artificial intelligence be leveraged more to deal with the volume of electronic records. Listen here to Microsoft Week episode 1, featuring Alan Gibson, Director of Legal and Compliance Innovation at Microsoft.Listen here to Microsoft Week episode 2, featuring Abbas Kudrati, Chief Cybersecurity Advisor for Microsoft Asia’s Enterprise Cybersecurity Group.Listen here to Microsoft Week episode 3, featuring Joseph Davis, Microsoft’s Chief Security Advisor for Health and Life Sciences.Tune in tomorrow for episode 5 featuring Jesus Fernandez.ResourcesErica Toelle | LinkedIn | TwitterMicrosoft 365 Compliance

Joseph Davis, Microsoft’s Chief Security Advisor for Health and Life Sciences, is a trained medical practitioner, but his professional background is “almost 100% IT and cybersecurity.” He has always been interested in technology: in medical school he helped develop a program to assist clinicians in diagnosing their patients more accurately. He joins Tom Fox on Day 3 of Microsoft Week to talk about the role of cybersecurity in life sciences and the traits cybersecurity professionals need to do their jobs effectively.The Role of CybersecurityTom asks, “What is the role of cybersecurity in the healthcare life science industry today?” Joseph responds that it’s a must-have since this industry is considered critical infrastructure. People’s lives depend on keeping systems and processes safe from cyber attacks, he points out. Most medical devices now have communication components such as WiFi or Bluetooth - these are called connected medical devices - so they are vulnerable to cybersecurity breaches which can cause them to malfunction. Joseph tells Tom that it’s more imperative now for providers in the healthcare industry to vet their supply chain, but smaller companies may not have the resources to do so, leaving them more vulnerable to bad actors.Serve with HumilityCybersecurity affects every department, so leaders need to get everyone on board. This requires humility, diplomacy and flexibility, Joseph says. Tom asks him to talk about his blog post, Ego and the Role of Cybersecurity Leaders, and why you have to take ego out of the equation. “I like to serve humbly,” he responds. “The focus really needs to be on protecting the organization and safety... I think when we’re so focused on where we are in our career… our focus gets distorted.” Tom comments that most cybersecurity professionals he knows have a calm disposition. He asks why this is necessary and helpful in the role. You have to keep a cool head, Joseph answers. Bad things are going to happen, and many things will be out of your control, so you have to be flexible. “Control lightly” those things that you can control, and always remember that you’re working with a team. Tom quotes Joseph’s blog, “Every trust decision is a risk management exercise.” They agree that every decision - in life and in cybersecurity - carries some form of risk and is founded on trust of the outside world.Keeping Clients Up-to-DateJoseph says that his role at Microsoft is “to work exclusively with senior leaders at each of one of my customers to bring them up to speed on the modern workplace and how we're approaching cybersecurity in the more hybrid environment that we're living in now.” He finds that while some customers are eager to embrace innovation, others are entrenched in their traditional methods. “The problem with many of the customers that we have currently is that their approach is fighting the last attack or the last type of compromise that they had; whereas their threat actors are constantly evolving and finding new ways in,” he tells Tom. He and Tom discuss whether the defense and depth approach still has value. Joseph comments that identity has to be considered as well: “Attackers these days they're not really breaking in as much as logging on,” he remarks. He advocates for computer-aided interventions and data encryption as the last facet of security. “You can’t rely on the user to be your last line of defense,” he emphasizes.Listen here to Microsoft Week episode 1, featuring Alan Gibson, Director of Legal and Compliance Innovation at Microsoft.Listen here to Microsoft Week episode 2, featuring Abbas Kudrati, Chief Cybersecurity Advisor for Microsoft Asia’s Enterprise Cybersecurity Group.Tune in tomorrow for episode 4 featuring Erica Toelle.ResourcesJoseph Davis at LinkedIn Microsoft Security Blog Blog post: Ego and the Role of Cybersecurity Leaders