Holistic GRC with Jermand Hagan

Speakers:

Jermand Hagan, Paul Starrett

Transcript:

Paul Starrett
Hello, welcome to another PrivacyLabs podcast. My name is Paul Starrett, the founder remember, PrivacyLabs is one word. And I am doubly honored to have Jermand Hagan again, here for us to share his thoughts on a bit of a bigger topic, maybe we’ll only have time to cover it superficially, I just finished a podcast with Jodi Daniels, where we also took sort of a broader, a more holistic view of compliance and privacy and such. In these, these upcoming web, excuse me, podcasts are going to be more broadly painted. And I know that Jermand is his experience includes that very, sort of view of an enterprise, you would probably notice that we have had a prior podcast with Jermand I believe about a month ago, where we went pretty much under the hood with regarding audit, specifically and very much around artificial intelligence. Today, we’re going to get into a topic of GRC, governance risk and compliance. And I have to confess I had been in and around that topic, knowingly or otherwise. And it’s sort of a full pullback view of Firstly, I think anything that a company or an enterprise would think about, but I’ll be getting to that a bit later. For now, I want to give Jermand an opportunity to reintroduce himself and so Jermand, you want to tell us about yourself and 2fifthconsulting.com, and so forth,

Jermand Hagan
Will do so Jermand Hagan, owner of 2fifth consulting, thanks for having me back. more than happy to sit and talk a little bit about GRC. And its implementation. What does that mean for organizations of all sizes, I guess? So just by way of background, I’ve been involved deeply in to enterprise scale implementations of GRC, I won’t name the names, there’s not that many big ones out there. But a fairly familiar with what it takes to get a GRC package in the door of an institution. You know, understanding the politics of the institution, understanding the breadth of the product, in addition to the powerful capabilities that they can bring, because most GRC packages store a wealth of enterprise information. And the possibilities, frankly, in my view, pretty much endless. That said, 2fifth consulting, a company that right now today provides, you know, assurance, managed services and resiliency advice to organizations, and we could actually help with the implementation of a GRC package, and getting the most out of it.

Paul Starrett
Interesting, interesting. And before we came on here, I think, I think most people would have some sense of this, that the words governance risk and compliance, really, to me, when you just think about the words themselves are kind of ambiguous, and they almost seem to be a lot of overlap. Because if you have risk, you’re gonna want to have governance to protect to accommodate the risk, which means compliance. So there’s kind of this. I don’t know, when I hear the letters GRC. I wonder why are they put there separately? And what is what in your mind? I know, as we said, everyone might give you a different answer. But in your mind, what would How would you clear up? How would you end that ambiguous dilemma for us?

Jermand Hagan
So, so it’s interesting that you said that and just having a couple more minutes to think about, you know what that means to me. So that’s pretty much one of the first things that you have to conquer with the implementation of a GRC package. I think putting governance who’s running the risk, and who has the compliance portion of the product, in addition to processes because like you said, all of those functions provide some level of oversight. And when you think of what the banks call the three lines of defense, governance is generally a first line, then you have a risk organization. And then there’s some compliance function who’s looking at the regs, the rules and regs as we used to say, and then that third line of defense, which is audit, right, but right times you have organizations where compliance and risk overlap. There’s generally a power struggle of some sort, and then it becomes Okay, well, who’s on first How far does risk go into governance? Which is the first line of defense? How far does the governance sector bleed over into what is generally a typically risk? risk area? And, you know, on top of that, how far does risk overreach the compliance boundaries was generally always well defined. Is what audit does, which is which, which can get tricky at some organizations, because sometimes audit wants to overstep and want to be risk and compliance and governance. Right. So, you know, that is the first hurdle, I would suggest any organization overcome, right out the gate.

Paul Starrett
interest.

Jermand Hagan
There’s a second, who’s on third.

Paul Starrett
I see. I was afraid I asked, because it sounds like it can be a real bucket of worms. But hey, you know, that’s why people like us are here to help make that checkers not chess, right. Yeah, to make it. Yeah, to make it a manageable process. Interesting. And would you say that GRC for most enterprises that maybe even outside of financial services, which I know where most of your experiences, do you think it’s a fair statement? across the board for any vertical?

Jermand Hagan
Well, yeah, absolutely. So I think there’s, you know, space for GRC, in any line of business, any vertical, if you’re really serious about capturing your holistic risk for the enterprise, alright. And it’s not just capturing the risk and issues across the board. But quantifying those issues, issues and risks, where you can make fairly high level decisions, before something happens to help you with investment, or, you know, just to understand where you are, and displaying good management, because I think any organization is going to have issues and risks that they take, you won’t be in business unless you have some of those. But if you know what they are, you know where they are, you’re taking proactive decisioning and methods and measures to overcome them, or at least mitigate them to a level that’s not that that’s acceptable, then you’re ahead of the game by far in generally, that’s what the auditors and regulators want to see anyway. So yeah, so I think, any vertical, any, any line of business, definitely, there’s room for GRC.

Paul Starrett
Got it. Got it. That’s good to know. So I think, again, in our last podcast, we really, like remember us discussing the three lines of defense, I think, in this one, I’d like to focus on the actual implementation. Before it gets to audit, of course, that’s a piece of it. But and also, if possible, here to focus on the data, and the technology. Because there are so many things, there’s training, they’re staying up to date on what the laws are, and what laws apply to your physical locations and your different, you know, different sectors within your business. But I think that the data is often really where the action is. And so with regard to helping people get their GRC package, or their GRC implementation in place, how would you normally approach the data side of things? And the reason I say that, in part is because you and I, our firms would work together, because we bring in things like, you know, data lineage and other holistic packages that we can use, like One Trust or Centrl. And we have, you know, some engineers and data scientists, of course, we work in artificial intelligence, how do you normally approach the data piece, or the technology piece of GRC? Let’s just say before it gets to audit, I know they play a role, but how do you see that?

Jermand Hagan
O, I would say this about a GRC implementation. When you go into it, I think management and everybody on board needs to really understand what they want to get out of it. Right? Because, you know, they, you know, garbage in, as they say, is garbage out. You know, what is it garbage in? is garbage out? You can, right? Because GRC packages is so big. I think, well, at least the corporations that I’ve been involved in, they’ve taken approaches where it really wasn’t a holistic GRC approach. We started off with, you know, compliance, which basically risks and issues around compliance rules and regulations. And then another instance, we began to grow and start to rope in SOX work, which is…

Paul Starrett
Sarbanes Oxley, SOX

Jermand Hagan
Exactly IT controls and things like that. And then you start to quickly realize that you don’t have the holistic picture. And you actually need the holistic picture, no matter how much you try to stratify your output, right, because we started to learn that a lot of things. And a lot of processes are commingle together. So once you try to stratify your output to be only compliance are only Sox, or only security, you’ve left out a lot of the major processes in other areas across the organization. So if you really, really want to get the most out of the product, I think you really have to go after what the product was intended to do, which was holistically captured risk processes across the entire organization, which is the enablement of senior management management to make those decisions. But with respect to data, all the underlying information that you’re capturing, in order to produce the output needs to be accurate as well. Right. So you can’t have how can you say incomplete process documentation, we really can’t have incomplete control documentation, your risk assumptions need to be as complete as possible. And that’s very difficult to do. In an implementation, where people’s sole focus isn’t really implemented a GRC package, you know, they want to, they’re doing the jobs day to day. And it’s hard to bring in knowledgeable expertise, like you and me, to help them along with what the pitfalls are, and who you really need to talk to, to get down to the nitty gritty. So, you know, my advice is, try to make, you know, use the product as is intended to be used, because that’s how you’re going to get the most out of it. And take your time during the implementation by actually getting all and I wouldn’t say all because you’ll never get ball, but getting a fair amount of accurate underlying data to produce the information that’s going to be output to prevent the garbage in garbage out syndrome.

Paul Starrett
Interesting, interesting. And I couldn’t agree more if we do say so ourselves that they would want to try to bring in 2fifth and PrivacyLabs, I think together because again, I I wouldn’t presume to have your skill set. And of course we bring, we spend a lot of time on our side and PrivacyLabs in being able to, you know, to to map, do data mapping, and to do data lineage and to run searches and review the laws and see how those, those are helped to capture the data into classified ways. So it can be properly monitored and governed and made compliant. And properly risk controlled.

Jermand Hagan
I will say is once you have good data, then the possibilities are endless, right? So when we start to think about AI and the modeling and things like that, that’s when you start to reap the benefits of the implementation, right, you start to get your predictive analysis, you, you start to make better decisions, because of the tools that you have, that are available to you. For instance, when you start to catalog, a lot of your risk, security and change documentation and IT scenario, you’ll start to get trends and be able to you know, have predictive patterns that help you make decisions, maybe you shouldn’t make so many changes in October, maybe you should put certain things out in your project schedule to November or February when things die down, because you have the historical trending and kind of more predictive indicators that say, hey, you know what, this is a heavy time this is you know, end of close, things like that.

Paul Starrett
Right. That sounds I don’t think I could have put it any better way. And interesting, because I think that that again, it kind of brings me back to the way I see this is of course, you have to have training and awareness and you have to have a you know, management that is that is investing in the in the culture of compliance and risk and governance. But it is ultimately about data, generally speaking, that is really where this really you spend the most amount of time and so again, I think when you bring in the world team to guide the GRC process from the standpoint of what it needs to do with the input, that you have the right professionals who can see horizontally to to your point earlier how you want the GRC, talking to each other, and being holistic and not being tentacles that are kind of off the left hand doesn’t know what the right hands doing. So, and then things like that people sometimes get a little bit not scared, but they hear the word automation, anything ugh, you know, which we’ve brought up before, and I won’t go into that right now. But there’s very straightforward ways of tightening up things and bringing them together in automation, including artificial intelligence. So I just want to keep that in there. Because that’s what we we do spend a fair amount of time on. And that is a very attainable thing way of speeding processes up reducing human error and so forth. I think, you know, this is this was going to be a faster sort of shorter kind of an approach, because we are doing such a high level piece here. Now, we’ve talked about privacy is I guess, privacy, compliance security. Would it be fair to say since we since the PrivacyLabs has that word in it, private just for our audience, privacy and security? Imagine, run across GRC? Or would you say that it’s more under one of the GRC? Or am I overthinking this?

Jermand Hagan
No. Again, so, you know, when I talk about when I talked earlier about understanding who are in the respective roles of risk and compliance, privacy is an has been generally a compliance function, because the notification portion, coupled with the legal the statutory portion of the law, which drives what you can and can’t do, and what’s what’s, I guess, PPI versus not PPI, that’s generally led things to be a compliance function. But you do some some organizations I’ve been involved in, that has had the privacy function placed in risk, I don’t know, if either, is better than the other. But the function and a role is generally the same. So I think when you introduce risk, part of the conversation has to be privacy risks. It always has been. So if you caption all your risks, it could be a privacy risk, but privacy doesn’t necessarily always spill over into security. Right? So there are instances where you have you’ve had privacy issues, but it generally was an information as well, maybe you could classify as an information security problem, but it wasn’t due to the technology. Right? I say, Oh, you’ve had privacy situations that didn’t evolve from a technology issue. So but, you know, I think just to get back to the point, privacy definitely has a role in GRC. Right?

Paul Starrett
I see. Yeah. And I guess it depends on how you define it, and who owns it, and so forth. Because, you know, I’m, and it could be more than data, it can be, you know, bad processes, and, and, and other similar issues. So, I guess it’s, I guess, the bottom line is really hard to say, when you all you talk about as a word, exactly where it should fit in how why you shouldn’t, you know, define it as something else. I think that’s maybe getting a little bit carried away with it. But nonetheless, the question does get brought to most people’s minds is where does privacy fit in the office? So…

Jermand Hagan
Well, yeah. So you know, just a five minute conversation, you can see why it gets tricky, right? So and yes, sometimes a land grab internally. Right? Is it risk? Is it compliance? Is it security? So it could be all three, right? I’ve seen it. Unfold is all three. So it’s just as you know, again, you just really need to define who’s doing what or you know, hey, maybe it’s just not only the privacy group, who is managing some of these issues. You have the security team, also managing some of the incident response portions you have legal actually reviewing who, who you know, who you need to notify and when, and how much notification you need. So privacy isn’t always you know, in one vertical because of the breadth of the of the rules.

Paul Starrett
ALright. Got it. Got it. Yeah. And I suppose we could go on, we could probably have a dozen podcasts that are an hour each on this topic, right. But just for the sake of the comfort of the listeners, would you say that it’s possible to have a manageable, easily digestible path to GRC compliance or GRC? success?

Jermand Hagan
Easy path? I will say no. way, you can make it manageable. Yes. Okay. With the right help the right background, people like yourself, and me who’ve stepped in all the potholes that come along. Absolutely. Yeah. You just have to know how fast you want to go.

Paul Starrett
That’s what I was looking for. Absolutely. Yeah, somewhere. Yeah. Cuz I think that’s kind of what we’d like to think. And I think it’s a very attainable thing. Because, again, we have sort of walked that walk before, or crawled that crawl as we said earlier. I think let’s see, I think I had one other. This, I this was not a scripted, of a podcast as we’ve had in the past. And I wanted it to be that way. Because it’s such a broad topic. I think, as far as tools to help implement, I know, for example, One Trust, a tool, a platform, I’m a big fan of, to know of a platform called Centrl it’s called OnCentrl, no ‘a’, they’re very good with generally, but they’re good with cybersecurity and some other verticals. Do you have any, to those tools? I just like the One Trust or those types of tools? Or are there tools that you say when you say package that you think of? What do you mean, when you say package, because I know you have packages that you offer, help us understand what package means and how that may or may not overlap with some of these other solutions, like One Trust and Centrl?

Jermand Hagan
Well, I’ve had the opportunity to review what One Trust does. And it seems like a very capable package. In the banks that I’ve worked, we’ve used GRC, Thomson Reuters GRC. And Bewise, I’m not sure if those are the same names anymore, there was another one that skips my mind. But those were the you know, back in my day, I’m kind of dating myself, you know, a guy with 20-28 years experience, 30 years experience, something like that. Back in 2004, there were only three products, now the market is flooded. So with managed service, and all these other tools and technologies that people are employing, I’m sure the options are endless, I think what you really need to do is go out and pick a product that has the tennets that your avail that that you’re interested in, whether it be security, Incident Management, vendor management, operational risk, audit, compliance, etc, you probably just need to choose technology is moving so fast, the overall goal is going to be the same, you know, going through the implementation, at least, maybe three and a half times. I don’t think, you know, I’m not I’m just a skeptic. It won’t be easy. It will be a long road that I would encourage people not to give up on, I’ve started GRC implementations and stopped and went to another product only to go through the same headaches again, of processing, the skin, all that stuff all over again. So I think if you if you choose a package, you have to just look at it as a tool. But you’re But know, the tool isn’t going to solve your problem. Right? There’s a lot of work that needs to be done. You have a strong grasp on your processes, strong grasp on your controls, strong grasp on risk, and also know your leadership who’s on board who’s not, and get in those that aren’t on board on board, because that will make it much more helpful and easier to those in the mix of action. Not to mention your end result is going to be that much better, much more better. You know, I’m a strong believer in the products. I think you can get a lot out of them. You just have to have a management team who are fully vested in moving something like this, which is a very heavy lift forward.

Paul Starrett
Yes. And I think the laws are starting to make that more to motivate people to think that way because of they’re becoming more onerous. I did want to end on a positive note though, and I think you would probably agree that in my in my podcast, Jodi, she She was she brought up at the end of the podcast that this is really a it’s an a very commercially enabling effort because it’s becoming the new normal that companies start to brag about the fact that they’re privacy compliant, that they are secure, that they are careful with their processes that they, you know, are a trustworthy organization. So it becomes an enabling thing. It lets people know that you are, you know, you think about their their data and their information and your interactions with them. And I would venture to guess you would agree to that.

Jermand Hagan
Yeah, no, I totally agree. I think it could be a strong selling point. I just caution. Also, I have a couple of companies that I can sell for. I caution, promoted something like that only because sometimes that throws you into the fray of being a target. Right? Oh, I had the best security and

Paul Starrett
I see

Jermand Hagan
privacy, and we protect your data this way. And that way, only to be caught up in something, you know, you only to put yourself in the target situation, which you probably wouldn’t have been if you hadn’t been you know, posting it all over social media that you’re so great and grand. hackers are pretty tricky that way.

Paul Starrett
Interesting. Okay. I have not heard that before. It makes sense. But that’s great advice. That’s why you’re on here. But maybe, maybe maybe to put it out there with a little bit more in a soft way. So in your face, neon neon lights, you maybe want to have a little lamp in the corner with a

Jermand Hagan
little we care about you. For me, that’s

Paul Starrett
a well, it will charge people for that, that you can copyright that phrase for them. Absolutely. That’s what these are all about. Well, listen, juwan I think that really kind of gives us a great use of this time here. And thank you so much. You’re always such a pleasure to interview and it’s so nice to have your your background and experience as a part of this. And thank you again, and we’ll have more we love it. alright sir. Well, listen, you have a great week and our listeners, just real briefly PrivacyLabs as we’ve been talking about. We unify efforts using the tools that we just discussed, like One Trust and Centrl and whatever else be out there that might be appropriate for you. We also work with automation, artificial intelligence, we are particularly adept at using cybersecurity and so forth, because of how, how important that is to most of these laws. And then finally, audit. And again Jermand and I have gone down that path together. So in any event, thank you all and look forward to our next podcast. Thank you.

Jermand Hagan
Thanks again Paul

Share this post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email