Ep. 196: Amanda Cohen – Why your company needs a risk management makeover

Amanda Cohen is Vice President of Product at Resolver, where she helps businesses manage complex, interconnected risks more profitably. She speaks with Adam about the ugly duckling image many leaders have of governance, risk management, and compliance functions and why it’s critical for businesses to give their GRC operations a makeover before it’s too late.
https://www.youtube.com/user/ResolverGRC

Full Episode Transcript:
Adam:

I'm Adam Larson and welcome to Count Me In, the podcast focused on all the ways management accountants can help businesses thrive through smart financial management and data driven decision making. My guest today is Amanda Cohen, the vice president of product at Resolver, a software company helping businesses manage complex interconnected risks. We talk about the image problem that governance, risk, and compliance functions or GRC have at many businesses; namely, that they're tedious, repetitive and restrictive. Amanda explains how this negative perception of GRC actually hampers innovation and growth. The good news is Amanda has tips to transform this frog into a prince at your company, making GRC a more dynamic and valued partner to business operations and performance. I hope you enjoy this modern day fairytale featuring our favorite stars: management accountants.
Adam:

Amanda, thank you so much for coming on our podcast today. We're really excited to have you on and today we're gonna be focusing a lot on risk or governance, risk and, compliance, kind of the big three words governing organization. And one of the biggest things that we kind of wanted to focus on is, you know, there's an image problem that you've said a number of times that there's an image problem with with GRC. Can you kind of talk a little bit about that as we get started today?
Amanda:

Yeah, certainly. So I think a lot of it, well, I think there's a couple different angles that the governance risk and compliance space has a bit of an image problem. First and foremost, I don't think a lot of the organization understands exactly what they do and how they provide value to the organization. And so often they're seen as a barrier that maybe comes in a little late during the project or, or something that's preventing you from getting to your objectives. And really, I think that's all just in terms of the order of operations. If we can flip that around a little bit and bring these teams in earlier, it's not that person who's getting in your way of completing your project or helping you complete or achieve your objective. Really what you're starting to do is you are bringing them along for the ride and helping or using those teams to help guide your project and make sure that it's operating with the realm of what's appropriate for the organization.
Amanda:

And then they're gonna help you find really creative, suggestive alternatives to help move things. So that's kind of one area of the image problem is, you know, there's a barrier specifically that they seem to be imposing. And then the other one that we hear a lot from our customers is really that it seems like these teams are constantly asking me for the same information. And so, you know, you might get a request from someone in audit and they're looking for a bunch of documentation on how you run a particular process. And then two weeks later, two months later, someone from compliance is coming in and they're you the exact same question, you know, your internal controls team, same thing. And so it's like, why can these teams not just get together come up with some kind of strategy on how to collect that information and then reduce the onus on me because the business is really just trying to accomplish their job. It's not their job to provide you with the documentation. And so when there's more synergy between those teams it also reduces a little bit of that friction that you often get from the business.
Adam:

It almost seems like when you're looking at risk management from an organizational perspective, the organization's mission kind of needs to be the foundation of that. And the focus of that risk management, because otherwise everybody won't be on the same page if it's not there, how do you get there?
Amanda:

So, I mean, there's a couple ways to help be a part of those strategic decisions, be a part of what the organization is trying to accomplish. It really helps when you have buy in from the top. If your executive endorses and believes that risk and compliance has a place at the table during those discussions, it's gonna be a lot easier, but in order to, it's a bit of a chicken and egg, because it's also in order to be included in those conversations, you need to be providing insights. And so something that, you know, if all the risk function or the compliance function, whatever it may be is there. And they're just, you know, showing up at that board meeting, showing up at that executive meeting to present their five minutes on their findings and, you know, maybe their last regulatory audit, like, okay. But what have you uncovered what's in your data to help us understand, you know, how the organization is gonna achieve their objectives? Are there potentially a couple alternatives that we could consider or that we should be thinking about as we're making these strategic decisions? And so when risk can bring more valuable data that also helps propel them forward and allows them to be a part of that conversation and that'll help get that executive endorsement and then allow them to be, you know, help the organization achieve that mission that they're trying to accomplish.
Adam:

So I know that you know, it's probably rare that, you know, your CMA, your certified management accountant, your management accounting will lie awake at night thinking, oh no. What about that regulatory compliance document? It is something that's important. And a lot of times culture plays a role within the organization. How does the culture play a role, especially when it comes to risk? And, you know, you've talked a little bit about already about how, you know, the compliance person will come and say one thing and the other person will come and say and ask the same question. How can you establish a culture that'll help get everybody on the same page as well.
Amanda:

Well, I think when we're thinking about it from the lens of the finance team, often finance is thinking about your financial controls. But if you have just a limited view of the controls that are specifically financial, there's a lot of other things that happen within your business that could impact your ability to achieve your financial targets. So it is actually in your interest to understand your third party risk. We've all over the last two years experienced delays in supply chain. Okay. Well, how could that impact us achieving our objectives? You know, there's cyber risk. Okay, well, you know, do we have cyber insurance? Do we have all those things in place? And so it's not specific to one particular team because risk is pervasive. Everybody experiences risk throughout the organization. Number one experience is risk actually throughout their daily lives. You know, you were constantly making decisions that are risk based.
Amanda:

You just might not be thinking about it in the form of, you know, risk based decision making, the way we think about it kind of academically, or either, you know, as a risk function, but there's so many pieces to the things that are happening across your organization on a day to day basis that can help inform, you know, whether you're gonna financially, you know, continue to be a viable company. And another thing that the risk function really does track that actually, you know, has a direct impact for the financial team is loss events. So if you have that operational loss of team or operational risk team, sorry, within your organization that are tracking, you know, incidents and breaches and different loss events that are occurring throughout the organization, it's like, okay, well, are we seeing any trends in that data? Are we constantly being hit with the same type of incident over and over? That, you know, if we just rectify what's happening in that part of the organization, could we be saving ourselves a ton of money? And so if you start to embrace some of the data that the risk function has then you'll start to understand the value of it, and really be able to use that as part of your decision making process.
Adam:

So speaking of data, a lot of times, you know, we have a lot of data analytics going on within our organizations, especially within the finance function, finance and accounting function. And a lot of times organizations bring in some sort of, you know, high tech security management software, thinking that that's gonna solve everything. And in 2022, you know, threats are very real, there's so many cyber attacks happening all the time. Can we talk a little bit about what that looks like in an organization as they bring in, in a software, but knowing that that's not the final end all.
Amanda:

Yeah, so I mean, technology is great. It certainly helps propel things forward, but it's only as good as the data that goes into it. And, you know, it's only as good as like the process that you're able to implement and make it repeatable. So I guess there are a couple mistakes I see sometimes with people thinking that, you know, technology is gonna be their savior and this is gonna fix all our problems. And one it's trying to take on too much at the same time. So when you're looking for technology and you're looking at particular, well, any technology, but specifically within risk and compliance, you know, what are the pieces that you wanna get in place first? Is it just a little bit of process automation? Okay, great. We want some better reporting. Let's start there. Let's make that our goal for the first year or two, and then make sure you've got a platform or the technology that you choose is able to scale up with you because there's nothing more resource draining than having to reimplement technology all the time.
Amanda:

And so if you can slowly scale up and have something that's gonna allow you to build your program and build maturity into your program over, you know, the course of five, 10 years, then, then that's really an ideal state. The other thing is thinking about buying things all in isolation. So we just talked about, you know, that constant bombardment on the business for the same types of information. Well, if we can sit on the same form of technology and we can ask those questions once and share those insights between teams, then you're already starting to get value. Whereas, you know, historically we have seen a lot of organizations put their compliance program on one piece of technology, audits its, goes somewhere completely different. Their internal controls program is somewhere else, but then you're all using a lot of the same controls. You all see a lot of the same issues, you're all testing the same types of things. So why not share those insights? So, you know, think about something that's gonna grow with you, but also think about something that allows you to share data between teams.
Adam:

Do you have maybe some, an example that you can share about where this has gone well, and maybe hasn't?
Amanda:

Yeah, so often we find I guess where it doesn't go well is a lot of people dream up process in their head and they're like, it's gonna be great. We're gonna have, you know, five review steps and it's gonna go through this whole escalation cycle. And, okay, well now you've only introduced like a giant barrier from you getting between, you know, your initial objective and the conclusion of what you're trying to accomplish, whether it's a risk cycle or a risk assessment cycle, whether it's testing, whatever it may be. So think about streamlining that and not trying to tackle too much all at once. The more steps in your process doesn't necessarily make it better. It often just slows it down and stops you from being able to achieve what you're looking to do, where we see it go really well are teams that get together early.
Amanda:

So if you're trying to share data between risk compliance, audit, all of those different teams, there's certain data connection points that you really wanna get established early. You're all looking at controls. You're all looking at issues. You're all looking at, you know, corrective actions. So what are those common things that you're gonna collect across all the different teams and get in the room together early to figure out what's important to your team? You know, what does that process look like? You all also have different pieces of the puzzle that sit independently, but where there's those common data elements. And you're trying to capture all the same information, work together to find that because if not, you're gonna implement it one way and one part of the business in a completely different way somewhere else.
Adam:

So now we've kind of talked about the technology. Obviously it takes people to run that technology. Can we maybe discuss a little bit of the skills and competencies that the accounting and finance team will need as they are running as they're kind of complimenting a successful, like risk management program in their company and their organization?
Amanda:

Yeah, certainly. So the ideal state for most technology that you implement is not that you need to be a coder. You shouldn't need to do any of those things. So in terms of technology investment, hopefully there's none there. If that's the route you're going down from a technology provider, there's other options and, you know, maybe keep, keep looking. But in terms of how the data that's getting connected or that you can be leveraged across the GRC function by finance, make sure that you are getting the types of outputs that you want. So if you need an overview of kind of your comprehensive control environment and how that's trending over time, you know, you should be able to get that information in the system or have it be able to be extracted and sent over to you so that you can have that visibility, but you really want a view that's catered to just the information that you need.
Amanda:

So as one of these programs, as being implemented within your organization, think about the outputs that you want. You definitely wanna view of how the controls are operating. You know, how frequently these things are being tested. You know, what are the outputs, where are the major gaps? What are the remediation activities look like? And how long are those gonna take to complete? So those are the types of dashboards or reports that you wanna have access to when you either log into the system or something that should be really easy to be shared out with you, so that you can always have that information at your fingertips because you are equally relying on a variety of these controls. And so if there are something, if there's anything going wrong with them, then you wanna make sure that you have complete visibility to that. And you understand the remediation program in place.
Adam:

That makes a lot of sense, cuz you have to kind of be on top of it and be able to see it from that overarching view. But obviously it's good that you don't have to be a coder as well.
Amanda:

No, you definitely don't wanna have to take that on as well.
Adam:

I mean, yeah. Accountants are seeing more and more the need for having the skills of a data scientist as they get into all of these items. Do you think that data analytics is gonna continue to be on the rise in the future as we go forward five, 10 years so much is gonna be changing. How do you see that looking for the accountant as they're looking in the GRC function?
Amanda:

Absolutely. I think that, you know, it's no longer acceptable to just particularly on the risk side, you've got this stereotypical view of someone putting almost like a traffic light report in front of you. Here's my top 10 risks. This one's red, this one's yellow when the rest of them are green, that's not sufficient. You need to understand what's the underlying data that's supporting that decision. How did you come to the conclusion that that's high risk? Is it high risk everywhere across the business? Is that concentrated one part of the business? And so having the high level view, but then also the ability to drill into that data is really fundamental. Additionally, in order to get those insights, we can't exclusively rely on humans coming in to input them. There are so many systems. Everybody has technology in some capacity within their function. You know, it might not be super mature everywhere, but there is technology being used everywhere.
Amanda:

And so what are the different types of insights that you can pull from your different systems to make sure that your risk data is really up to date and really accurate? So, you know, is there something coming out of, you know, your CRM? Is there something coming out of your marketing data that you might wanna make use of your financial systems? So pulling that data together and then making sure that you've got, you know, a pulse on your key risk indicators, your key progress indicators you know, that's really gonna make sure that you're keeping on top of your risk levels and risk exposure across the organization.
Adam:

So as we kind of wrap up the conversation, I kind of wanna end where we started and the compliance image problem. Let's say there, if you could give our audience maybe two or three things, two or three pointers of like, okay, what are three ways that we can start off by getting a better image of our compliance image of our compliance program so that we can, you know, do better in our organization? What would those be?
Amanda:

I think it's really articulating the value. It's not compliance. Isn't just putting a training program in front of you so that you can skip through to the end. It's like, why do you need to understand that? Why is that information important? And how does that as an organization help us be better. It doesn't help if members at the top of your organization are not putting forth, you know, the right example if they are not endorsing compliance and risk methodologies and that culture. So it's really, I think without articulating how these functions bring value to the organization, it's really hard to overcome that image problem. And then again, reduce the burden. I think the more cumbersome it is for people to provide you with the information, the worse response you're gonna get. If it's always a two hour interview where they have to sit down and walk through their entire methodology, that's really cumbersome. And if that interview happens every two weeks, that's awful. So how do we really reduce that friction and make it super, super simple to provide you with the information that you need, what you're doing by providing risk compliance, audit the information they need should be no more difficult than it is to, you know, buy a pair of shoes online. You should be able to just come in, submit the information that you need to, and then move on with your day.
Outro:

This has been Count Me In, IMA's podcast providing you with the latest perspectives of thought leaders from the accounting and finance profession. If you like what you heard and you'd like to be counted in for more relevant accounting and finance education, visit IMA's website at www.imanet.org.

 
©Copyright 2022 Institute of Management Accountants. All rights reserved.