Ep. 196: Amanda Cohen – Why your company needs a risk management makeover
I'm Adam Larson and
welcome to Count Me In,
the podcast focused on all the ways
management accountants can help businesses
thrive through smart financial management
and data driven decision making.
My guest today is Amanda Cohen, the
vice president of product at Resolver,
a software company helping businesses
manage complex interconnected risks.
We talk about the image
problem that governance, risk,
and compliance functions or GRC
have at many businesses; namely,
that they're tedious,
repetitive and restrictive.
Amanda explains how this
negative perception of GRC
actually hampers innovation
and growth.
The good news is Amanda has tips to
transform this frog into a prince at your
company,
making GRC a more dynamic and valued
partner to business operations
and performance.
I hope you enjoy this modern day
fairytale featuring our favorite stars:
management accountants.
Amanda, thank you so much for
coming on our podcast today.
We're really excited to have you on and
today we're gonna be focusing a lot on
risk, or governance, risk and compliance,
kind of the big three words
governing an organization.
And one of the biggest things that we
kind of wanted to focus on is, you know,
there's an image problem that you've
said a number of times that there's an
image problem with GRC.
Can you kind of talk a little bit
about that as we get started today?
Yeah, certainly. So I
think a lot of it, well,
I think there's a couple different
angles that the governance risk and
compliance space has a bit of an
image problem. First and foremost,
I don't think a lot of the organization
understands exactly what they do and how
they provide value to the organization.
And so often they're seen as a barrier
that maybe comes in a little late during
the project or,
or something that's preventing you from
getting to your objectives. And really,
I think that's all just in terms
of the order of operations.
If we can flip that around a little
bit and bring these teams in earlier,
it's not that person who's getting in
your way of completing your project or
helping you complete or
achieve your objective.
Really what you're starting to do is
you are bringing them along for the ride
and helping or using those teams to help
guide your project and make sure that
it's operating within the realm
appropriate for the organization.
And then they're gonna help
you find really creative,
suggestive alternatives
to help move things.
So that's kind of one area of
the image problem is, you know,
there's a barrier specifically
that they seem to be imposing.
And then the other one that we hear a
lot from our customers is really that it
seems like these teams are constantly
asking me for the same information.
And so, you know,
you might get a request from someone in
audit and they're looking for a bunch of
documentation on how you run a particular
process. And then two weeks later,
two months later,
someone from compliance is coming in
and they're asking you the exact same question,
you know, your internal controls
team, same thing. And so it's like,
why can these teams not just get together
and come up with some kind of strategy on
how to collect that information and
then reduce the onus on me because the
business is really just trying
to accomplish their job.
It's not their job to provide
you with the documentation.
And so when there's more synergy
between those teams it also
reduces a little bit of that friction
that you often get from the business.
It almost seems like when you're
looking at risk management from an
organizational perspective,
the organization's mission kind of
needs to be the foundation of that.
And the focus of that risk management,
because otherwise everybody won't be
on the same page. If it's not there,
how do you get there?
So, I mean,
there's a couple ways to help be a
part of those strategic decisions,
be a part of what the organization
is trying to accomplish.
It really helps when you
have buy in from the top.
If your executive endorses and believes
that risk and compliance has a place at
the table during those discussions, it's
gonna be a lot easier, but in order to,
it's a bit of a chicken and egg,
because it's also in order to be
included in those conversations,
you need to be providing insights.
And so something that, you know,
if all the risk function
or the compliance function,
whatever it may be is there.
And they're just, you know,
showing up at that board meeting,
showing up at that executive meeting
to present their five minutes on their
findings and, you know, maybe their
last regulatory audit, like, okay.
But what have you uncovered what's
in your data to help us understand,
you know, how the organization is
gonna achieve their objectives?
Are there potentially a
couple alternatives that we
could consider or that we
should be thinking about as we're
making these strategic decisions?
And so when risk can bring more
valuable data that also helps
propel them forward and allows them
to be a part of that conversation and
that'll help get that
executive endorsement and then
allow them to be, you know,
help the organization achieve that
mission that they're trying to accomplish.
So I know that you know, it's
probably rare that, you know,
your CMA, your certified
management accountant,
your management accountant will
lie awake at night thinking, oh no.
What about that regulatory
compliance document?
It is something that's important.
And a lot of times culture plays
a role within the organization.
How does the culture play a role,
especially when it comes to risk? And,
you know, you've talked a little bit
already about how, you know,
the compliance person will come and say
one thing and the other person will come
and say and ask the same question.
How can you establish a culture that'll
help get everybody on the same page as
well?
Well, I think when we're thinking about
it from the lens of the finance team,
often finance is thinking
about your financial controls.
But if you have just a limited view
of the controls that are specifically
financial,
there's a lot of other things that happen
within your business that could impact
your ability to achieve
your financial targets.
So it is actually in your interest
to understand your third party risk.
We've all over the last two years
experienced delays in supply chain. Okay.
Well, how could that impact us
achieving our objectives? You know,
there's cyber risk. Okay, well, you
know, do we have cyber insurance?
Do we have all those things in place?
And so it's not specific to one
particular team because risk is pervasive.
Everybody experiences risk
throughout the organization.
Everyone experiences risk actually
throughout their daily lives. You know,
you were constantly making
decisions that are risk based.
You just might not be thinking
about it in the form of, you know,
risk based decision making, the way we
think about it kind of academically,
or either, you know, as a risk function,
but there's so many pieces to the
things that are happening across your
organization on a day to day basis
that can help inform, you know,
whether you're gonna financially, you
know, continue to be a viable company.
And another thing that the risk function
really does track that actually,
you know, has a direct impact for
the financial team is loss events.
So if you have that operational loss of
team or operational risk team, sorry,
within your organization
that are tracking, you know,
incidents and breaches and different
loss events that are occurring throughout
the organization, it's like, okay, well,
are we seeing any trends in that data?
Are we constantly being hit with the same
type of incident over and over? That,
you know, if we just rectify
what's happening in that
part of the organization,
could we be saving
ourselves a ton of money?
And so if you start to embrace some of
the data that the risk function has then
you'll start to understand
the value of it,
and really be able to use that as
part of your decision making process.
So speaking of data, a
lot of times, you know,
we have a lot of data analytics
going on within our organizations,
especially within the finance function,
finance and accounting function.
And a lot of times organizations
bring in some sort of, you know,
high tech security management software,
thinking that that's gonna solve
everything. And in 2022, you know,
threats are very real, there's so many
cyber attacks happening all the time.
Can we talk a little bit about what that
looks like in an organization as they
bring in software, but knowing
that that's not the final end all.
Yeah, so I mean, technology is great. It
certainly helps propel things forward,
but it's only as good as the data
that goes into it. And, you know,
it's only as good as like the process
that you're able to implement and make it
repeatable.
So I guess there are a couple
mistakes I see sometimes with people
thinking that, you know,
technology is gonna be their savior
and this is gonna fix all our problems.
And one is trying to take
on too much at the same time.
So when you're looking for technology
and you're looking at particular, well,
any technology, but specifically
within risk and compliance, you know,
what are the pieces that you
wanna get in place first?
Is it just a little bit of
process automation? Okay, great.
We want some better
reporting. Let's start there.
Let's make that our goal
for the first year or two,
and then make sure you've got a platform
or the technology that you choose is
able to scale up with you because there's
nothing more resource draining than
having to reimplement
technology all the time.
And so if you can slowly scale up and
have something that's gonna allow you to
build your program and build maturity
into your program over, you know,
the course of five, 10 years, then,
then that's really an ideal state.
The other thing is thinking about
buying things all in isolation.
So we just talked about, you know,
that constant bombardment on the business
for the same types of information.
Well,
if we can sit on the same
form of technology and we
can ask those questions once
and share those insights between teams,
then you're already starting to
get value. Whereas, you know,
historically we have seen
a lot of organizations put
their compliance program on
one piece of technology, audit sits
somewhere completely different.
Their internal controls
program is somewhere else,
but then you're all using
a lot of the same controls.
You all see a lot of the same issues,
you're all testing the same types of
things. So why not share those insights?
So, you know, think about something
that's gonna grow with you,
but also think about something that
allows you to share data between teams.
Do you have maybe some,
an example that you can share about where
this has gone well, and maybe hasn't?
Yeah,
so often we find I guess
where it doesn't go well
is a lot of people dream up process
in their head and they're like,
it's gonna be great. We're
gonna have, you know,
five review steps and it's gonna go
through this whole escalation cycle. And,
okay,
well now you've only introduced like a
giant barrier from you getting between,
you know,
your initial objective and the conclusion
of what you're trying to accomplish,
whether it's a risk cycle or a risk
assessment cycle, whether it's testing,
whatever it may be.
So think about streamlining that and not
trying to tackle too much all at once.
More steps in your process don't
necessarily make it better.
It often just slows it down and stops you
from being able to achieve what you're
looking to do,
where we see it go really well
are teams that get together
early. So if you're trying to share
data between risk compliance, audit,
all of those different teams,
there's certain data connection points
that you really wanna get established
early. You're all looking at controls.
You're all looking at issues.
You're all looking at, you
know, corrective actions.
So what are those common things that
you're gonna collect across all the
different teams and get in the room
together early to figure out what's
important to your team? You know,
what does that process look like?
You all also have different pieces
of the puzzle that sit independently,
but where there's those
common data elements.
And you're trying to capture
all the same information,
work together to find that because if not,
you're gonna implement it one way and
one part of the business in a completely
different way somewhere else.
So now we've kind of talked
about the technology.
Obviously it takes people
to run that technology.
Can we maybe discuss a little bit of
the skills and competencies that the
accounting and finance team will need
as they are running as they're kind of
complementing a successful,
like risk management program in
their company and their organization?
Yeah, certainly.
So the ideal state for most technology
that you implement is not that you need
to be a coder. You shouldn't
need to do any of those things.
So in terms of technology investment,
hopefully there's none there.
If that's the route you're going
down from a technology provider,
there's other options and, you
know, maybe keep, keep looking.
But in terms of how the data that's
getting connected or that can be
leveraged across the
GRC function by finance,
make sure that you are getting the
types of outputs that you want.
So if you need an overview of kind of
your comprehensive control environment and
how that's trending over time, you know,
you should be able to get that information
in the system or have it be able to
be extracted and sent over to you so
that you can have that visibility,
but you really want a view that's catered
to just the information that you need.
So as one of these programs, as being
implemented within your organization,
think about the outputs that you want.
You definitely want a view of how the
controls are operating. You know,
how frequently these things are being
tested. You know, what are the outputs,
where are the major gaps? What do
the remediation activities look like?
And how long are those
gonna take to complete?
So those are the types of dashboards or
reports that you wanna have access to
when you either log into the system or
something that should be really easy to
be shared out with you,
so that you can always have
that information at your
fingertips because you are
equally relying on a variety of these
controls. And so if there are something,
if there's anything going wrong with them,
then you wanna make sure that you
have complete visibility to that.
And you understand the
remediation program in place.
That makes a lot of sense,
cuz you have to kind of be on top of
it and be able to see it from that
overarching view.
But obviously it's good that you
don't have to be a coder as well.
No, you definitely don't wanna
have to take that on as well.
I mean, yeah.
Accountants are seeing more and more
the need for having the skills of a data
scientist as they get
into all of these items.
Do you think that data analytics is
gonna continue to be on the rise in the
future? As we go forward five, 10
years, so much is gonna be changing.
How do you see that looking for the
accountant as they're looking in the GRC
function?
Absolutely. I think that, you know,
it's no longer acceptable to just,
particularly on the risk side,
you've got this stereotypical view of
someone putting almost like a traffic
light report in front of you. Here's
my top 10 risks. This one's red,
this one's yellow when the rest of
them are green, that's not sufficient.
You need to understand what's the
underlying data that's supporting that
decision. How did you come to the
conclusion that that's high risk?
Is it high risk everywhere
across the business?
Is that concentrated in one
part of the business?
And so having the high level view,
but then also the ability to drill
into that data is really fundamental.
Additionally, in order
to get those insights,
we can't exclusively rely on
humans coming in to input them.
There are so many systems.
Everybody has technology in some
capacity within their function.
You know, it might not be
super mature everywhere,
but there is technology
being used everywhere.
And so what are the different types of
insights that you can pull from your
different systems to make sure that
your risk data is really up to date and
really accurate? So, you know, is there
something coming out of, you know,
your CRM?
Is there something coming out of your
marketing data that you might wanna make
use of? Your financial systems?
So pulling that data together and then
making sure that you've got, you know,
a pulse on your key risk indicators,
your key progress indicators you know,
that's really gonna make sure that you're
keeping on top of your risk levels and
risk exposure across the organization.
So as we kind of wrap up the conversation,
I kind of wanna end where we started
and the compliance image problem.
Let's say there, if you could give our
audience maybe two or three things,
two or three pointers of like, okay,
what are three ways that we can start
off by getting a better image of our
compliance program so that we can, you know,
do better in our organization?
What would those be?
I think it's really articulating
the value. It's not... compliance
isn't just putting a training program
in front of you so that you can skip
through to the end. It's like, why
do you need to understand that?
Why is that information important?
And how does that as an
organization help us be better?
It doesn't help if members at the top
of your organization are not putting
forth, you know,
the right example if they
are not endorsing compliance
and risk methodologies
and that culture. So it's really,
I think without articulating how
these functions bring value to the
organization, it's really hard to overcome
that image problem. And then again,
reduce the burden.
I think the more cumbersome it is
for people to provide you with the
information, the worse
response you're gonna get.
If it's always a two hour interview where
they have to sit down and walk through
their entire methodology,
that's really cumbersome.
And if that interview happens
every two weeks, that's awful.
So how do we really reduce that
friction and make it super,
super simple to provide you with
the information that you need,
what you're doing by
providing risk, compliance,
audit the information they need should
be no more difficult than it is to,
you know, buy a pair of shoes online.
You should be able to just come in,
submit the information that you need
to, and then move on with your day.
This has been Count Me In,
IMA's podcast providing you
with the latest perspectives
of thought leaders from
the accounting and finance profession.
If you like what you heard and you'd
like to be counted in for more relevant
accounting and finance education,
visit IMA's website at www.imanet.org.