In this episode of the award-winning podcast FCPA Compliance Report, you’ll get to know Onspring’s platform director, Ryan Lougheed, and hear his predictions for the future of compliance in GRC and the use of generative AI in compliance.
Misplaced your AirPods? We’ve got you with these transcribed highlights.
Key Highlights:
Staying Current on Regulatory Change
Tom: Every compliance professional I know is from a company that may think they only have to comply with a small number of laws or a multinational. Practitioners you work with have the concern, “How do I keep abreast of current regulations in my field? How do I know what I’m doing today fulfills the legal and regulatory compliance requirements? How can I have a unified environment where I’m comfortable and can advise the business?”
How does Onspring help organizations stay current on regulatory change and create a unified environment for the compliance professional?
Ryan: Regulatory changes are made and communicated by the regulatory bodies, which means you have to be listening when they are communicated. Not everyone is able to read and consume communication from the regulatory bodies in real time, so practitioners use content-providing organizations that feed the changes to them. The next step is for the practitioner to action that data, which is where Onspring comes in.
Onspring is a platform that centralizes data for action. We work with integration partners to bring regulatory content in. Our partners continuously keep our customers informed on the regulatory changes that impact their business, then use alerts to update team members with reviews that are necessary.
When you know a control or citation has changed, team members review it and go through the regulatory management process inside Onspring. By bringing content together, our customers can discuss gap analyses and identify how to link controls together.
We partner with Unified Compliance Framework (UCF), so when UCF content is ingested into Onspring, our customers review regulations and controls to run a gap analysis. The conversation becomes, “I want to bring in this new regulation that just came down. Do we already support these controls? Do we not? Do you know where we need to go from there?”
Tom: That’s a pretty sophisticated analysis where you can look at a new regulation and see if you have the controls in place to meet it or if you need to create a new control or perhaps modify existing controls.
How does Onspring help a compliance professional think through that process?
Ryan: It goes back to the regulation and the controls in place at an organization. Bringing all these elements into Onspring creates a centralized environment with a common language. Add policies to regulations and controls, and a full picture is painted.
With Onspring, you can map regulations, controls, and policies to one another through relationships. These relationships are the genesis of reporting, so you can ask and see immediately, “Of the 20 regulations listed, how many internal controls do we have tied to those?” This is the type of data that shows your gaps front and center. This is a pretty simplified view, but it takes a long time for most people to get there if they don’t have a platform like Onspring to centralize and relate their data.
Running a Continuous Gap Analysis
Tom: In 2017, I created a spreadsheet where I took the COSO internal controls framework, five objectives, 17 principles, and 84 points of focus and mapped it against the 10 hallmarks of an effective compliance program with three key KPIs for each hallmark.
It was a very, very, very large spreadsheet. I sense that Onspring is a little bit past that. In 2015, that was revolutionary in terms of a gap analysis on corruption compliance professionals. What you’ve described is almost, I don’t want to say, continuous controls monitoring, but maybe continuous gap analysis, allowing a compliance professional to keep anything from slipping through the cracks.
Ryan: Running a continuous gap analysis is one way to explain how Onspring helps businesses by relating data points. If you leverage content partners like an Ascent, Regology, or Unified Compliance Framework to bring regulatory data into Onspring, then you keep a constant feed of what is changing that specifically impacts your business. Alerts come directly to your team from Onspring, which then instigates an automated workflow defined by the organization’s regulatory change management process.
Maturing Process Workflows
Tom: Let’s talk about workflow. I advocate that effective compliance makes your business more efficient because I believe good compliance is essentially good controls, whether financial or other. It is critical to have a process where you can look at your gaps and, more importantly, have a workflow for it.
When you sit down with a GRC professional or even a chief compliance officer, are they a lawyer like me who may or may not understand workflow, where you really have to educate them? Or has the market matured? Or has your client base matured enough that you can move a little bit further down in your discussions with them?
Ryan: The level of understanding regarding workflow in a GRC professional depends on where that individual is in their career and the organization’s maturity level.
An individual with a background in compliance will know the importance of process and likely has a strong idea of effective workflow. Individuals who appreciate a streamlined workflow immediately recognize the value in Onspring because of the project task automation. We keep work moving and data connected from one person and project to the next.
In a non-automated world, a compliance veteran would lose their mind viewing and updating controls in a spreadsheet. No one would be notified of any changes, so the data remained in a silo, failing to inform teams and stakeholders of business implications.
In the Onspring world, a compliance veteran or rookie can review controls, make changes, and notify team members simultaneously and in real time. Other teams or departments can become part of the review process while still moving forward in the workflow process. Time doesn’t slow down for everyone to participate in Onspring because we’re going to the people with the right information.
Let me give you an example:
I send you an email.
You’re really busy and didn’t see or read the email. A ball was dropped, and you may have missed a due date.
If we were using Onspring, you would have received email, Slack, or text notifications. A reminder as simple as “Hey, Tom, you have something to take a look at. Review the item now to push to completion by the due date” can keep progress moving.
Maturing a GRC Team
Tom: Who do you typically see on a GRC team? And why is it so critical that a compliance professional literally go across the aisle to work with a GRC team?
Ryan: A typical GRC team will include audit, risk, and compliance. A mature, synchronous GRC team will include audit, risk, compliance, information security, and business continuity.
When these teams work well together in a centralized system, information sharing occurs that informs and advises each department to improve the organization’s overall risk posture.
A centralized data platform creates a system that enables compliance to monitor controls, review policies, conduct control operating tests, and house evidence for other teams to access. A well-orchestrated GRC team can provide requests to individual departments without disrupting work, like stopping to create a report to share information or typing up a status report on the current lifecycle stage of a review.
These requests and reviews can be akin to audit items. If controls are not performing to standard, those controls become risks. When your GRC team works inside a centralized system like Onspring, controls, risks, and stakeholders are connected.
Risk managers are automatically alerted when there’s a failed control. Audit no longer needs to ask standard questions in an audit project because there is a documented history of evidence proving each control’s effectiveness.
Delivering Effective Experiences for External Stakeholders
Tom: We have focused on internal stakeholders, but there’s another universe out there called external stakeholders. Talk to us about the Onspring portal and how it facilitates everything we’ve been discussing with an external stakeholder audience. Why is working with external stakeholders not considered a one-and-done activity? Why do you need an ongoing relationship?
Ryan: Any relationship between your organization and an outside stakeholder should be considered a partnership – an ongoing relationship to foster development and service one another’s business needs.
Whether the external stakeholder serves as a supplier of one-time goods for your business or an external auditor on a three-year contract, you want to deliver the best experience you can to them.
Your reputation and ability to provide value throughout your entire business process is what makes a lasting impression and helps sustain your business viability.
We use the Onspring Portal as a means to provide a targeted and effective experience for external stakeholders. The Onspring Portal is a way to share and receive only the most necessary information between a customer and its external stakeholders, like vendors, partners, board members, and external auditors.
The portal is powerful because everybody is together in a centralized source, with controlled access, in a collaborative environment, and speaking the same language. They can work together as a team to progress their goals efficiently versus using utility communications that could seem a little combative with an outside source.
Documentation and communication in the Onspring Portal is also auditable, creating real efficiencies beyond just speed through automated workflows and reporting.
Tom: In a regulator’s mind, if it’s not auditable, it never happened. Whether that is an external regulator, an internal auditor, or another stakeholder looking at your organization, I’m always concerned about auditability.
How AI Infiltrates GRC
Tom: I’m really intrigued by where you see all of this down the road, but I want to overlay AI into that. How do we think about the use of AI with some of the tools you’ve described and some of the challenges we’ve discussed?
Ryan: AI is the Wild West right now. The AI industry changes literally every day, every week, every month. When we think about AI moving forward from 2024 to 2025, we have a couple of areas of focus.
The first is in regard to how AI should be used to improve work.
The second is in regard to how AI will be regulated.
Many ideas are being floated about policy, but regulation around AI will determine how our industry ethically and safely applies it to business. We believe it is important to have controls in place to ensure any AI being used in a business does not leave data to the public. Data privacy is our number one priority, and we cannot let our guard down to introduce a new technology with the promise of reward but also with serious unintended consequences.
Enabling AI to improve natural language processing presents as low-hanging fruit for organizations because of the time to implement and ROI. We’re exploring what AI can do to enhance the existing workflows and reporting in Onspring while simultaneously ideating new use cases that deliver value in the real world through efficiencies and insights.
You’ll have to have me back as a guest in the future, and I’ll give you a tour of our AI elements.
Bonus material: Check out the full episode to hear more and listen to Ryan’s esports experience.
FCPA Compliance Report is the longest-running podcast in compliance. Check out all of their podcast episodes online.