Dan Sholler is Tom Fox’s guest on this week’s episode of the Innovation in Compliance Podcast. He is the Software Product Marketing Leader at Exterro, an organization that creates software that helps clients address regulatory, compliance, and litigation risks at affordable costs. Dan joins Tom to talk about the work Exterro is doing in the realms of compliance risk governance.

The Evolution of Exterro

Exterro has adapted its ability to measure its results more easily, as well as test alternative approaches. Dan explains to Tom that they can test alternative messages, as well as alternative means of delivering those messages. Technology can be used to drive some of the communication to make that initiative work. 

The Importance of Plan Sponsor Audits

Plan sponsor audits are significant because it’s a universal change in regulatory posture. This affects how compliance professionals need to think about their responsibilities. In the past, regulatory agencies would use a checklist for compliance personnel on compliance activities. They were more concerned with the end report. These audits shift the focus from the report ability of the compliance professional to the details of implementation that the compliance professional uses. These audits want detailed proof. 

In Lieu of Cyber Incident

"When people think about cybersecurity, the first thought that comes to mind obviously is prevention," Dan remarks. The last few years have seen the escalation in cyber and ransomware attacks. It has also demonstrated that no amount of prevention is going to be good enough to limit the impact of those incidents. It’s not a matter of if, but when. The way compliance professionals limit that impact is a big part of what needs to be done from the cyber security perspective. "No one needs to respond to a [cybersecurity] incident in a technical sense," Dan says. What needs to be done instead, is to isolate whatever has happened within that environment and gather the relevant evidence in order to potentially catch the perpetrators. Business continuity also needs to be established, and the systems need to be brought back up as quickly as possible. Regulators will be looking at how tightly coordinated an organization's incident response plans are.

Legal GRC

Legal GRC is the governance risk and compliance activities that affect the legal and compliance organizations. Various operational activities have their own GRC and they are specific to those organizations, not a part of overall corporate governance. Dan tells Tom that Exterro is looking to bring together governance risk and compliance activities and its implementations into a single platform. This will make risk, controls, and implementation of those controls visible. This is important because there is a great deal of common processes that are cross-functional within legal and compliance.

What's Next

Dan tells Tom that in the future it will be commonplace for GRC subsets that focus not only on GRC but also on the implementation of its controls. It's not just going to be about compliance with regulation, but also compliance with the policy. 

Resources

Dan Sholler | LinkedIn | Twitter

Exterro