1 00:00:06,100 --> 00:00:08,160 I'm Adam Larson and welcome to Count Me In, 2 00:00:08,500 --> 00:00:12,320 the podcast focused on all the ways management accountants can help businesses 3 00:00:12,340 --> 00:00:15,960 thrive through smart financial management and data driven decision making. 4 00:00:16,760 --> 00:00:20,520 My guest today is Amanda Cohen, the vice president of product at Resolver, 5 00:00:21,079 --> 00:00:25,440 a software company helping businesses manage complex interconnected risks. 6 00:00:25,900 --> 00:00:28,440 We talk about the image problem that governance, risk, 7 00:00:28,660 --> 00:00:33,400 and compliance functions or GRC have at many businesses; namely, 8 00:00:33,510 --> 00:00:36,200 that they're tedious, repetitive and restrictive. 9 00:00:36,900 --> 00:00:41,400 Amanda explains how this negative perception of GRC actually hampers innovation 10 00:00:41,420 --> 00:00:42,253 and growth. 11 00:00:42,540 --> 00:00:47,240 The good news is Amanda has tips to transform this frog into a prince at your 12 00:00:47,241 --> 00:00:47,700 company, 13 00:00:47,700 --> 00:00:52,479 making GRC a more dynamic and valued partner to business operations 14 00:00:52,659 --> 00:00:53,492 and performance. 15 00:00:53,960 --> 00:00:57,080 I hope you enjoy this modern day fairytale featuring our favorite stars: 16 00:00:57,370 --> 00:00:58,520 management accountants. 17 00:01:06,260 --> 00:01:09,000 Amanda, thank you so much for coming on our podcast today. 18 00:01:09,001 --> 00:01:12,480 We're really excited to have you on and today we're gonna be focusing a lot on 19 00:01:12,630 --> 00:01:15,760 risk or governance, risk and, compliance, 20 00:01:15,790 --> 00:01:18,959 kind of the big three words governing organization. 21 00:01:19,020 --> 00:01:22,640 And one of the biggest things that we kind of wanted to focus on is, you know, 22 00:01:22,670 --> 00:01:26,560 there's an image problem that you've said a number of times that there's an 23 00:01:26,561 --> 00:01:28,920 image problem with with GRC. 24 00:01:28,980 --> 00:01:31,640 Can you kind of talk a little bit about that as we get started today? 25 00:01:32,910 --> 00:01:35,360 Yeah, certainly. So I think a lot of it, well, 26 00:01:35,600 --> 00:01:39,240 I think there's a couple different angles that the governance risk and 27 00:01:39,241 --> 00:01:42,520 compliance space has a bit of an image problem. First and foremost, 28 00:01:42,640 --> 00:01:46,520 I don't think a lot of the organization understands exactly what they do and how 29 00:01:46,521 --> 00:01:48,320 they provide value to the organization. 30 00:01:48,321 --> 00:01:52,280 And so often they're seen as a barrier that maybe comes in a little late during 31 00:01:52,300 --> 00:01:53,240 the project or, 32 00:01:53,680 --> 00:01:57,000 or something that's preventing you from getting to your objectives. And really, 33 00:01:57,680 --> 00:02:00,480 I think that's all just in terms of the order of operations. 34 00:02:00,580 --> 00:02:03,800 If we can flip that around a little bit and bring these teams in earlier, 35 00:02:04,390 --> 00:02:07,400 it's not that person who's getting in your way of completing your project or 36 00:02:07,401 --> 00:02:09,440 helping you complete or achieve your objective. 37 00:02:09,441 --> 00:02:13,760 Really what you're starting to do is you are bringing them along for the ride 38 00:02:13,761 --> 00:02:17,639 and helping or using those teams to help guide your project and make sure that 39 00:02:17,640 --> 00:02:21,320 it's operating with the realm of what's appropriate for the organization. 40 00:02:21,620 --> 00:02:23,680 And then they're gonna help you find really creative, 41 00:02:23,681 --> 00:02:26,280 suggestive alternatives to help move things. 42 00:02:26,580 --> 00:02:29,760 So that's kind of one area of the image problem is, you know, 43 00:02:29,761 --> 00:02:32,880 there's a barrier specifically that they seem to be imposing. 44 00:02:33,220 --> 00:02:37,639 And then the other one that we hear a lot from our customers is really that it 45 00:02:37,640 --> 00:02:41,240 seems like these teams are constantly asking me for the same information. 46 00:02:41,980 --> 00:02:43,160 And so, you know, 47 00:02:43,660 --> 00:02:47,680 you might get a request from someone in audit and they're looking for a bunch of 48 00:02:48,400 --> 00:02:51,600 documentation on how you run a particular process. And then two weeks later, 49 00:02:51,919 --> 00:02:52,752 two months later, 50 00:02:52,760 --> 00:02:55,760 someone from compliance is coming in and they're you the exact same question, 51 00:02:56,480 --> 00:03:00,720 you know, your internal controls team, same thing. And so it's like, 52 00:03:00,721 --> 00:03:04,800 why can these teams not just get together come up with some kind of strategy on 53 00:03:04,801 --> 00:03:08,560 how to collect that information and then reduce the onus on me because the 54 00:03:08,760 --> 00:03:10,720 business is really just trying to accomplish their job. 55 00:03:10,790 --> 00:03:13,200 It's not their job to provide you with the documentation. 56 00:03:13,500 --> 00:03:18,160 And so when there's more synergy between those teams it also 57 00:03:18,190 --> 00:03:21,960 reduces a little bit of that friction that you often get from the business. 58 00:03:22,900 --> 00:03:26,280 It almost seems like when you're looking at risk management from an 59 00:03:26,281 --> 00:03:27,360 organizational perspective, 60 00:03:27,860 --> 00:03:31,800 the organization's mission kind of needs to be the foundation of that. 61 00:03:32,060 --> 00:03:33,880 And the focus of that risk management, 62 00:03:33,881 --> 00:03:37,880 because otherwise everybody won't be on the same page if it's not there, 63 00:03:38,000 --> 00:03:38,833 how do you get there? 64 00:03:39,820 --> 00:03:41,160 So, I mean, 65 00:03:41,161 --> 00:03:44,760 there's a couple ways to help be a part of those strategic decisions, 66 00:03:44,820 --> 00:03:47,800 be a part of what the organization is trying to accomplish. 67 00:03:48,260 --> 00:03:50,840 It really helps when you have buy in from the top. 68 00:03:51,540 --> 00:03:56,400 If your executive endorses and believes that risk and compliance has a place at 69 00:03:56,401 --> 00:04:00,720 the table during those discussions, it's gonna be a lot easier, but in order to, 70 00:04:00,830 --> 00:04:01,920 it's a bit of a chicken and egg, 71 00:04:02,200 --> 00:04:04,520 because it's also in order to be included in those conversations, 72 00:04:04,521 --> 00:04:08,960 you need to be providing insights. And so something that, you know, 73 00:04:09,060 --> 00:04:11,600 if all the risk function or the compliance function, 74 00:04:11,760 --> 00:04:14,120 whatever it may be is there. And they're just, you know, 75 00:04:14,121 --> 00:04:15,360 showing up at that board meeting, 76 00:04:15,361 --> 00:04:18,680 showing up at that executive meeting to present their five minutes on their 77 00:04:18,800 --> 00:04:22,240 findings and, you know, maybe their last regulatory audit, like, okay. 78 00:04:22,660 --> 00:04:26,920 But what have you uncovered what's in your data to help us understand, 79 00:04:27,540 --> 00:04:30,480 you know, how the organization is gonna achieve their objectives? 80 00:04:30,481 --> 00:04:33,600 Are there potentially a couple alternatives that we could consider or that we 81 00:04:33,601 --> 00:04:37,000 should be thinking about as we're making these strategic decisions? 82 00:04:37,020 --> 00:04:41,839 And so when risk can bring more valuable data that also helps 83 00:04:41,840 --> 00:04:45,120 propel them forward and allows them to be a part of that conversation and 84 00:04:45,121 --> 00:04:49,000 that'll help get that executive endorsement and then allow them to be, you know, 85 00:04:49,510 --> 00:04:52,640 help the organization achieve that mission that they're trying to accomplish. 86 00:04:53,900 --> 00:04:58,160 So I know that you know, it's probably rare that, you know, 87 00:04:58,870 --> 00:05:01,160 your CMA, your certified management accountant, 88 00:05:01,161 --> 00:05:04,800 your management accounting will lie awake at night thinking, oh no. 89 00:05:04,870 --> 00:05:07,839 What about that regulatory compliance document? 90 00:05:08,500 --> 00:05:09,720 It is something that's important. 91 00:05:09,900 --> 00:05:14,120 And a lot of times culture plays a role within the organization. 92 00:05:15,100 --> 00:05:18,880 How does the culture play a role, especially when it comes to risk? And, 93 00:05:18,881 --> 00:05:22,560 you know, you've talked a little bit about already about how, you know, 94 00:05:22,620 --> 00:05:26,680 the compliance person will come and say one thing and the other person will come 95 00:05:26,681 --> 00:05:28,040 and say and ask the same question. 96 00:05:28,460 --> 00:05:32,600 How can you establish a culture that'll help get everybody on the same page as 97 00:05:32,601 --> 00:05:33,434 well. 98 00:05:34,270 --> 00:05:37,760 Well, I think when we're thinking about it from the lens of the finance team, 99 00:05:38,170 --> 00:05:40,520 often finance is thinking about your financial controls. 100 00:05:41,020 --> 00:05:45,880 But if you have just a limited view of the controls that are specifically 101 00:05:45,881 --> 00:05:46,361 financial, 102 00:05:46,361 --> 00:05:49,560 there's a lot of other things that happen within your business that could impact 103 00:05:49,561 --> 00:05:51,720 your ability to achieve your financial targets. 104 00:05:52,220 --> 00:05:55,880 So it is actually in your interest to understand your third party risk. 105 00:05:56,089 --> 00:06:00,680 We've all over the last two years experienced delays in supply chain. Okay. 106 00:06:00,681 --> 00:06:04,440 Well, how could that impact us achieving our objectives? You know, 107 00:06:04,441 --> 00:06:08,160 there's cyber risk. Okay, well, you know, do we have cyber insurance? 108 00:06:08,260 --> 00:06:09,640 Do we have all those things in place? 109 00:06:09,700 --> 00:06:13,839 And so it's not specific to one particular team because risk is pervasive. 110 00:06:13,840 --> 00:06:16,480 Everybody experiences risk throughout the organization. 111 00:06:16,839 --> 00:06:20,040 Number one experience is risk actually throughout their daily lives. You know, 112 00:06:20,060 --> 00:06:22,839 you were constantly making decisions that are risk based. 113 00:06:22,860 --> 00:06:26,080 You just might not be thinking about it in the form of, you know, 114 00:06:26,081 --> 00:06:29,040 risk based decision making, the way we think about it kind of academically, 115 00:06:29,100 --> 00:06:31,400 or either, you know, as a risk function, 116 00:06:31,860 --> 00:06:35,320 but there's so many pieces to the things that are happening across your 117 00:06:35,321 --> 00:06:39,360 organization on a day to day basis that can help inform, you know, 118 00:06:39,361 --> 00:06:42,760 whether you're gonna financially, you know, continue to be a viable company. 119 00:06:43,140 --> 00:06:46,520 And another thing that the risk function really does track that actually, 120 00:06:46,740 --> 00:06:51,000 you know, has a direct impact for the financial team is loss events. 121 00:06:51,260 --> 00:06:55,680 So if you have that operational loss of team or operational risk team, sorry, 122 00:06:56,140 --> 00:06:58,880 within your organization that are tracking, you know, 123 00:06:59,070 --> 00:07:02,360 incidents and breaches and different loss events that are occurring throughout 124 00:07:02,361 --> 00:07:05,880 the organization, it's like, okay, well, are we seeing any trends in that data? 125 00:07:05,980 --> 00:07:09,440 Are we constantly being hit with the same type of incident over and over? That, 126 00:07:09,830 --> 00:07:14,080 you know, if we just rectify what's happening in that part of the organization, 127 00:07:14,081 --> 00:07:15,800 could we be saving ourselves a ton of money? 128 00:07:16,300 --> 00:07:21,200 And so if you start to embrace some of the data that the risk function has then 129 00:07:21,201 --> 00:07:22,840 you'll start to understand the value of it, 130 00:07:22,860 --> 00:07:26,080 and really be able to use that as part of your decision making process. 131 00:07:27,220 --> 00:07:29,240 So speaking of data, a lot of times, you know, 132 00:07:29,241 --> 00:07:32,880 we have a lot of data analytics going on within our organizations, 133 00:07:32,881 --> 00:07:36,040 especially within the finance function, finance and accounting function. 134 00:07:36,380 --> 00:07:39,760 And a lot of times organizations bring in some sort of, you know, 135 00:07:39,761 --> 00:07:41,920 high tech security management software, 136 00:07:41,921 --> 00:07:45,320 thinking that that's gonna solve everything. And in 2022, you know, 137 00:07:45,321 --> 00:07:48,560 threats are very real, there's so many cyber attacks happening all the time. 138 00:07:49,060 --> 00:07:52,920 Can we talk a little bit about what that looks like in an organization as they 139 00:07:53,290 --> 00:07:57,680 bring in, in a software, but knowing that that's not the final end all. 140 00:07:58,910 --> 00:08:02,840 Yeah, so I mean, technology is great. It certainly helps propel things forward, 141 00:08:03,020 --> 00:08:06,560 but it's only as good as the data that goes into it. And, you know, 142 00:08:06,950 --> 00:08:11,720 it's only as good as like the process that you're able to implement and make it 143 00:08:11,721 --> 00:08:12,554 repeatable. 144 00:08:12,780 --> 00:08:17,760 So I guess there are a couple mistakes I see sometimes with people 145 00:08:17,761 --> 00:08:19,000 thinking that, you know, 146 00:08:19,001 --> 00:08:22,440 technology is gonna be their savior and this is gonna fix all our problems. 147 00:08:22,460 --> 00:08:25,360 And one it's trying to take on too much at the same time. 148 00:08:25,900 --> 00:08:29,880 So when you're looking for technology and you're looking at particular, well, 149 00:08:29,881 --> 00:08:32,840 any technology, but specifically within risk and compliance, you know, 150 00:08:32,870 --> 00:08:35,080 what are the pieces that you wanna get in place first? 151 00:08:35,380 --> 00:08:38,160 Is it just a little bit of process automation? Okay, great. 152 00:08:38,161 --> 00:08:40,400 We want some better reporting. Let's start there. 153 00:08:40,690 --> 00:08:43,040 Let's make that our goal for the first year or two, 154 00:08:43,220 --> 00:08:47,559 and then make sure you've got a platform or the technology that you choose is 155 00:08:47,560 --> 00:08:52,400 able to scale up with you because there's nothing more resource draining than 156 00:08:52,401 --> 00:08:54,520 having to reimplement technology all the time. 157 00:08:55,179 --> 00:08:58,880 And so if you can slowly scale up and have something that's gonna allow you to 158 00:08:58,881 --> 00:09:02,640 build your program and build maturity into your program over, you know, 159 00:09:02,660 --> 00:09:06,600 the course of five, 10 years, then, then that's really an ideal state. 160 00:09:07,429 --> 00:09:10,610 The other thing is thinking about buying things all in isolation. 161 00:09:11,070 --> 00:09:12,770 So we just talked about, you know, 162 00:09:12,771 --> 00:09:17,410 that constant bombardment on the business for the same types of information. 163 00:09:17,600 --> 00:09:17,891 Well, 164 00:09:17,891 --> 00:09:22,010 if we can sit on the same form of technology and we can ask those questions once 165 00:09:22,011 --> 00:09:23,690 and share those insights between teams, 166 00:09:24,000 --> 00:09:27,130 then you're already starting to get value. Whereas, you know, 167 00:09:27,131 --> 00:09:31,210 historically we have seen a lot of organizations put their compliance program on 168 00:09:31,370 --> 00:09:34,210 one piece of technology, audits its, goes somewhere completely different. 169 00:09:34,929 --> 00:09:36,690 Their internal controls program is somewhere else, 170 00:09:37,030 --> 00:09:39,929 but then you're all using a lot of the same controls. 171 00:09:39,930 --> 00:09:41,570 You all see a lot of the same issues, 172 00:09:41,571 --> 00:09:45,170 you're all testing the same types of things. So why not share those insights? 173 00:09:45,630 --> 00:09:48,520 So, you know, think about something that's gonna grow with you, 174 00:09:48,521 --> 00:09:51,440 but also think about something that allows you to share data between teams. 175 00:09:52,690 --> 00:09:53,523 Do you have maybe some, 176 00:09:53,530 --> 00:09:57,790 an example that you can share about where this has gone well, and maybe hasn't? 177 00:10:00,050 --> 00:10:00,480 Yeah, 178 00:10:00,480 --> 00:10:05,380 so often we find I guess where it doesn't go well 179 00:10:05,600 --> 00:10:08,300 is a lot of people dream up process in their head and they're like, 180 00:10:08,330 --> 00:10:10,420 it's gonna be great. We're gonna have, you know, 181 00:10:10,450 --> 00:10:13,740 five review steps and it's gonna go through this whole escalation cycle. And, 182 00:10:13,970 --> 00:10:14,261 okay, 183 00:10:14,261 --> 00:10:18,380 well now you've only introduced like a giant barrier from you getting between, 184 00:10:19,120 --> 00:10:19,530 you know, 185 00:10:19,530 --> 00:10:22,740 your initial objective and the conclusion of what you're trying to accomplish, 186 00:10:22,741 --> 00:10:27,100 whether it's a risk cycle or a risk assessment cycle, whether it's testing, 187 00:10:27,460 --> 00:10:28,293 whatever it may be. 188 00:10:28,600 --> 00:10:33,420 So think about streamlining that and not trying to tackle too much all at once. 189 00:10:33,880 --> 00:10:34,713 The 190 00:10:36,341 --> 00:10:39,100 more steps in your process doesn't necessarily make it better. 191 00:10:39,400 --> 00:10:42,980 It often just slows it down and stops you from being able to achieve what you're 192 00:10:42,981 --> 00:10:43,814 looking to do, 193 00:10:44,630 --> 00:10:49,580 where we see it go really well are teams that get together 194 00:10:49,670 --> 00:10:53,100 early. So if you're trying to share data between risk compliance, audit, 195 00:10:53,200 --> 00:10:54,140 all of those different teams, 196 00:10:54,370 --> 00:10:57,620 there's certain data connection points that you really wanna get established 197 00:10:57,630 --> 00:11:01,500 early. You're all looking at controls. You're all looking at issues. 198 00:11:01,501 --> 00:11:03,540 You're all looking at, you know, corrective actions. 199 00:11:04,000 --> 00:11:07,740 So what are those common things that you're gonna collect across all the 200 00:11:07,741 --> 00:11:11,860 different teams and get in the room together early to figure out what's 201 00:11:11,861 --> 00:11:15,100 important to your team? You know, what does that process look like? 202 00:11:15,400 --> 00:11:18,740 You all also have different pieces of the puzzle that sit independently, 203 00:11:19,000 --> 00:11:21,460 but where there's those common data elements. 204 00:11:21,580 --> 00:11:23,380 And you're trying to capture all the same information, 205 00:11:23,770 --> 00:11:25,820 work together to find that because if not, 206 00:11:25,821 --> 00:11:28,780 you're gonna implement it one way and one part of the business in a completely 207 00:11:28,781 --> 00:11:29,620 different way somewhere else. 208 00:11:30,080 --> 00:11:33,020 So now we've kind of talked about the technology. 209 00:11:33,890 --> 00:11:36,140 Obviously it takes people to run that technology. 210 00:11:36,640 --> 00:11:39,660 Can we maybe discuss a little bit of the skills and competencies that the 211 00:11:39,661 --> 00:11:43,460 accounting and finance team will need as they are running as they're kind of 212 00:11:43,461 --> 00:11:45,100 complimenting a successful, 213 00:11:45,101 --> 00:11:49,100 like risk management program in their company and their organization? 214 00:11:50,450 --> 00:11:51,283 Yeah, certainly. 215 00:11:51,400 --> 00:11:56,000 So the ideal state for most technology that you implement is not that you need 216 00:11:56,001 --> 00:11:58,720 to be a coder. You shouldn't need to do any of those things. 217 00:11:59,179 --> 00:12:03,120 So in terms of technology investment, hopefully there's none there. 218 00:12:03,220 --> 00:12:05,720 If that's the route you're going down from a technology provider, 219 00:12:06,161 --> 00:12:08,559 there's other options and, you know, maybe keep, keep looking. 220 00:12:09,059 --> 00:12:13,840 But in terms of how the data that's getting connected or that you can be 221 00:12:13,841 --> 00:12:15,880 leveraged across the GRC function by finance, 222 00:12:17,110 --> 00:12:20,080 make sure that you are getting the types of outputs that you want. 223 00:12:20,220 --> 00:12:23,880 So if you need an overview of kind of your comprehensive control environment and 224 00:12:23,881 --> 00:12:25,920 how that's trending over time, you know, 225 00:12:26,220 --> 00:12:29,960 you should be able to get that information in the system or have it be able to 226 00:12:29,961 --> 00:12:33,120 be extracted and sent over to you so that you can have that visibility, 227 00:12:34,309 --> 00:12:37,850 but you really want a view that's catered to just the information that you need. 228 00:12:38,350 --> 00:12:42,890 So as one of these programs, as being implemented within your organization, 229 00:12:43,020 --> 00:12:44,610 think about the outputs that you want. 230 00:12:44,630 --> 00:12:47,690 You definitely wanna view of how the controls are operating. You know, 231 00:12:47,790 --> 00:12:51,650 how frequently these things are being tested. You know, what are the outputs, 232 00:12:51,651 --> 00:12:55,010 where are the major gaps? What are the remediation activities look like? 233 00:12:55,030 --> 00:12:56,970 And how long are those gonna take to complete? 234 00:12:57,309 --> 00:13:01,730 So those are the types of dashboards or reports that you wanna have access to 235 00:13:01,731 --> 00:13:05,050 when you either log into the system or something that should be really easy to 236 00:13:05,051 --> 00:13:06,010 be shared out with you, 237 00:13:06,270 --> 00:13:09,410 so that you can always have that information at your fingertips because you are 238 00:13:09,559 --> 00:13:13,370 equally relying on a variety of these controls. And so if there are something, 239 00:13:13,990 --> 00:13:15,450 if there's anything going wrong with them, 240 00:13:15,451 --> 00:13:18,010 then you wanna make sure that you have complete visibility to that. 241 00:13:18,011 --> 00:13:20,170 And you understand the remediation program in place. 242 00:13:21,580 --> 00:13:22,630 That makes a lot of sense, 243 00:13:22,910 --> 00:13:26,510 cuz you have to kind of be on top of it and be able to see it from that 244 00:13:26,511 --> 00:13:27,470 overarching view. 245 00:13:27,490 --> 00:13:30,429 But obviously it's good that you don't have to be a coder as well. 246 00:13:31,510 --> 00:13:35,030 No, you definitely don't wanna have to take that on as well. 247 00:13:35,309 --> 00:13:36,510 I mean, yeah. 248 00:13:36,511 --> 00:13:40,030 Accountants are seeing more and more the need for having the skills of a data 249 00:13:40,390 --> 00:13:43,110 scientist as they get into all of these items. 250 00:13:43,929 --> 00:13:48,750 Do you think that data analytics is gonna continue to be on the rise in the 251 00:13:48,751 --> 00:13:53,110 future as we go forward five, 10 years so much is gonna be changing. 252 00:13:53,770 --> 00:13:57,150 How do you see that looking for the accountant as they're looking in the GRC 253 00:13:57,390 --> 00:13:58,223 function? 254 00:13:58,600 --> 00:14:00,790 Absolutely. I think that, you know, 255 00:14:00,820 --> 00:14:04,750 it's no longer acceptable to just particularly on the risk side, 256 00:14:04,970 --> 00:14:08,190 you've got this stereotypical view of someone putting almost like a traffic 257 00:14:08,191 --> 00:14:11,230 light report in front of you. Here's my top 10 risks. This one's red, 258 00:14:11,231 --> 00:14:14,429 this one's yellow when the rest of them are green, that's not sufficient. 259 00:14:15,050 --> 00:14:18,670 You need to understand what's the underlying data that's supporting that 260 00:14:18,830 --> 00:14:21,270 decision. How did you come to the conclusion that that's high risk? 261 00:14:21,290 --> 00:14:23,150 Is it high risk everywhere across the business? 262 00:14:23,170 --> 00:14:25,350 Is that concentrated one part of the business? 263 00:14:25,650 --> 00:14:27,350 And so having the high level view, 264 00:14:27,351 --> 00:14:30,470 but then also the ability to drill into that data is really fundamental. 265 00:14:31,710 --> 00:14:33,590 Additionally, in order to get those insights, 266 00:14:33,790 --> 00:14:37,790 we can't exclusively rely on humans coming in to input them. 267 00:14:38,080 --> 00:14:39,590 There are so many systems. 268 00:14:39,620 --> 00:14:43,590 Everybody has technology in some capacity within their function. 269 00:14:44,380 --> 00:14:46,720 You know, it might not be super mature everywhere, 270 00:14:46,721 --> 00:14:48,880 but there is technology being used everywhere. 271 00:14:49,100 --> 00:14:52,240 And so what are the different types of insights that you can pull from your 272 00:14:52,241 --> 00:14:56,960 different systems to make sure that your risk data is really up to date and 273 00:14:56,961 --> 00:15:01,160 really accurate? So, you know, is there something coming out of, you know, 274 00:15:01,310 --> 00:15:02,143 your CRM? 275 00:15:02,220 --> 00:15:04,960 Is there something coming out of your marketing data that you might wanna make 276 00:15:04,980 --> 00:15:06,520 use of your financial systems? 277 00:15:06,980 --> 00:15:10,920 So pulling that data together and then making sure that you've got, you know, 278 00:15:11,000 --> 00:15:15,320 a pulse on your key risk indicators, your key progress indicators you know, 279 00:15:15,380 --> 00:15:19,760 that's really gonna make sure that you're keeping on top of your risk levels and 280 00:15:19,761 --> 00:15:21,480 risk exposure across the organization. 281 00:15:23,380 --> 00:15:25,120 So as we kind of wrap up the conversation, 282 00:15:25,160 --> 00:15:28,760 I kind of wanna end where we started and the compliance image problem. 283 00:15:29,890 --> 00:15:34,040 Let's say there, if you could give our audience maybe two or three things, 284 00:15:34,100 --> 00:15:35,640 two or three pointers of like, okay, 285 00:15:35,910 --> 00:15:40,240 what are three ways that we can start off by getting a better image of our 286 00:15:40,241 --> 00:15:44,400 compliance image of our compliance program so that we can, you know, 287 00:15:44,500 --> 00:15:46,520 do better in our organization? What would those be? 288 00:15:47,920 --> 00:15:51,680 I think it's really articulating the value. It's not compliance. 289 00:15:51,681 --> 00:15:55,000 Isn't just putting a training program in front of you so that you can skip 290 00:15:55,001 --> 00:15:58,120 through to the end. It's like, why do you need to understand that? 291 00:15:58,180 --> 00:15:59,520 Why is that information important? 292 00:15:59,580 --> 00:16:02,040 And how does that as an organization help us be better. 293 00:16:02,740 --> 00:16:06,480 It doesn't help if members at the top of your organization are not putting 294 00:16:06,690 --> 00:16:07,523 forth, you know, 295 00:16:07,660 --> 00:16:12,600 the right example if they are not endorsing compliance and risk methodologies 296 00:16:12,800 --> 00:16:14,800 and that culture. So it's really, 297 00:16:15,160 --> 00:16:18,680 I think without articulating how these functions bring value to the 298 00:16:18,681 --> 00:16:22,560 organization, it's really hard to overcome that image problem. And then again, 299 00:16:22,660 --> 00:16:23,493 reduce the burden. 300 00:16:23,920 --> 00:16:27,600 I think the more cumbersome it is for people to provide you with the 301 00:16:27,601 --> 00:16:30,080 information, the worse response you're gonna get. 302 00:16:30,081 --> 00:16:33,760 If it's always a two hour interview where they have to sit down and walk through 303 00:16:33,761 --> 00:16:36,240 their entire methodology, that's really cumbersome. 304 00:16:36,460 --> 00:16:40,080 And if that interview happens every two weeks, that's awful. 305 00:16:40,180 --> 00:16:43,320 So how do we really reduce that friction and make it super, 306 00:16:43,321 --> 00:16:46,000 super simple to provide you with the information that you need, 307 00:16:46,190 --> 00:16:48,920 what you're doing by providing risk compliance, 308 00:16:48,921 --> 00:16:51,960 audit the information they need should be no more difficult than it is to, 309 00:16:51,961 --> 00:16:55,280 you know, buy a pair of shoes online. You should be able to just come in, 310 00:16:55,281 --> 00:16:57,760 submit the information that you need to, and then move on with your day. 311 00:17:00,510 --> 00:17:01,800 This has been Count Me In, 312 00:17:02,430 --> 00:17:06,359 IMA's podcast providing you with the latest perspectives of thought leaders from 313 00:17:06,360 --> 00:17:07,880 the accounting and finance profession. 314 00:17:08,020 --> 00:17:11,400 If you like what you heard and you'd like to be counted in for more relevant 315 00:17:11,401 --> 00:17:16,040 accounting and finance education, visit IMA's website at www.imanet.org.