Blog

On episode 30 of Coffee Chat with CastleHill, Tim Carbery is joined by Ashish Shrowty and Constantine Karbaliotis to discuss data privacy and its status as an enterprise priority for companies internationally. Shrowty also demonstrates how his company, Divebell, will assist organizations in automating their data privacy platform.

Ashish Shrowty trained as an engineer before spending over twenty-five years in the tech industry. In that time, he became well-versed in data management, building products and teams for finance and healthcare organizations. He is adept in information lifecycle management programs, data science programs, and held several leadership positions before co-founding Divebell, a company focused on intelligent data privacy.

Constantine Karbaliotis has worked in data privacy for nineteen plus years; or, as his tagline goes, “before data privacy was cool.” A lawyer based in Toronto with multinational experience in global privacy programs, as well as a stint as the chief privacy officer at Mercer, he is an expert in dealing with US and EU data privacy issues.

A DATA GOVERNANCE CURSE

The European General Data Protection Regulation is one of the critical modern advances in data security. Often noted for its role in driving accountability, transparency, data security and redefining data ownership, GDPR’s impact on information governance within and outside of the EU should not be understanded.

“GDPR has set the tone internationally for where countries are going with their laws,” States Karbaliotis.

Prior to GDPR, a person “would have expected that companies would be able to tell somebody what they know about you, be able to tell you where the data is, how its flowing, and yet: that’s not really possible,” he explains.

“Companies finally had to get their act together to be able to respond to the legal requirements. To do most of the things that are required by that law, you actually have to know where your data is.”

Companies’ scramble to ensure their GDPR-compliance created a unique opportunity for the individual consumer to become significantly more educated on privacy regulation. Over the past few years, this information has precipitated a shift in data governance from a corporate-centric view to an individual-centric view of data.

“There is no question that the spam we all received in 2018, saying, ‘Can we keep writing to you for GDPR,’ educated the whole planet in a way that privacy professionals have never been able to – because, of course, it would have been against the law,” Notes Karbaliotis. “Consumer expectations are as much a driver now as the laws are.”

Numerous components complicate a company’s ability to effectively govern the customer/consumer data they manage. Company turnover, legacy processes and spotty internal controls, combined with poor documentation, leave many organizations burdened with clunky interfaces and mysterious data caches that dramatically increase their risk.

“If you don’t know where your data is and what it is, it’s very hard to respond to, for instance, an individual’s data subject access requests,” Points out Karbaliotis. “What do I know about John Doe? When they, as they are entitled to under many laws, ask, ‘What do you know about me? Could you not sell it? Could you please delete it?’ Those fundamental things, because our information governance has been so poor, have been difficult for companies to implement.”

“Systems get built and the people who built it leave. You don’t have any documentation, things just sort of grow haphazardly through your organization, and then we have spaghetti – we’re trying to figure out how things thread together.”

GDPR implicates third-party management, as well. Smaller organizations linked to larger businesses are held to the same expectations of data governance, impacting the entire supply chain.

“For many businesses who are now tied to big companies, those expectations are getting passed down by contract… because supply chain is really how data is percolating out,” Karbaliotis says of the implications GDPR has for third-party risk management. “That’s a profound change now, for organizations. Before, it was just compliance— nobody wants to spend money on compliance.”

“Well, the Europeans know that,” He laughs, “and that’s why they made the fines as big as they are. When revenue is at stake, companies are paying attention.”

“It’s an n^th party problem,” Agrees Carbery. “It is a full supply change problem, and with the proliferation of cloud technologies and capabilities, that is a blessing and, in some cases, a data governance curse.” 

DIVEBELL

In the slurry of changing regulations, modified contractual clauses, and innumerable technologies through which data may be collected and stored, it is difficult to fathom how any one company can elegantly track and maintain its understanding of where data resides. Divebell offers a solution for organizations seeking to improve the effectiveness of their data governance and privacy activities.

The initiative behind Divebell was fueled by a common frustration in the world of data privacy. Shrowty outlines a not-so hypothetical situation from his own experiences: “The constant theme that we hear is: I am being asked to attest to what kind of information exists in all of this data that I have, which is moving and changing every day. It’s my name on that spreadsheet that is going up to the regulators.”

“It’s frustrating,” He emphasizes. “I am challenged, because if I don’t know that information, and, god forbid, if I give out the wrong information, it’s my neck on the line.”

Initial attempts to mature data governance and privacy management focused on automating the workflow, a pursuit that ultimately fell flat. “To us, that’s not really automation,” says Shrowty. “The hard part is doing a rapid survey of all the data landscape that is out there, which, by the way, is growing. Data is growing like crazy with cloud, all these macro forces that are enabling companies to store a massive amount of information.”

Divebell automates data governance and privacy management by creating a system that allows officers stakeholders to quickly and efficiently locate answers to their most fundamental – and pressing – questions.

“The thing you really have to automate is the process of figuring out where the information is, what kind of information it is, who is accessing this information, where it is flowing – these are the tough questions that you need to be able to answer effectively and continuously,” he states. “There are new technologies, new techniques, and we strongly believe that it is doable. That it is where the force of technology should be employed, to understand where the data is.”

To aid clients in understanding their data, Divebell has curated a streamlined process that offers companies a without a significant impact on their day-to-day operations.

“Divebell has the ability to deploy what we call ‘sensors’ in a lightweight fashion so that you are able to do a data survey in an automated fashion,” Shrowty explains. Divebell is designed with three crucial elements of data management in mind: the ability to selectively scan data; the ability to manage data within the boundaries of the organization; and a highly sophisticated system aimed at weeding out ‘false positives.’

“This industry has been plagued by false positives,” He sighs. “When you are trying to find out what kind of information exists, there is always that accuracy problem… we pride ourselves on a lot of investment that we have put into a very accurate detection techniques and classification techniques.”

 “One of our principles at Divebell is that we want to enable organizations to use data to drive the business forward – but how can we help them be responsible and better custodians of that data?” Shrowty concludes. “Data governance has been around for a while, but for the longest time, it has taken a backseat. Now, with the focus on customer data rights, privacy and security, being in this umbrella of data governance, it’s getting a new push to say: yeah, we are going to use this data, but we are going to do it responsibly, and we need to have the appropriate controls in place to make sure that the pipeline is moving in an appropriate manner.”

CastleHill can help you to integrate your data governance and privacy management risk management. Whether it’s linking your GRC policies and procedures into Divebell as part of the scan, driving remediation of policy and regulatory breaches or just ensuring that the overall process is integrated with your GRC platform, CastleHill can help to mature your data governance and privacy management capabilities.

Hear more about the future of data privacy, Divebell, and integrating with broader risk management at: Coffee Chat with CastleHill | Episode #30: Data Privacy; Data is a Risky Asset – YouTube or email us at info@castlehillrisk.com

To learn more about Divebell, visit them at: www.divebell.com

On this episode of Coffee Chat with CastleHill, Managing Partner Tim Carbery is joined by Wolters Kluwer’s Senior Specialized Consultant, Elaine Duffus. A former career compliance officer and attorney, Duffus works with Wolters Kluwer to provide financial firms worldwide with compliance solutions.

Follow along at Episode #28: Automation, Optimization, Success as they discuss upcoming trends in the ESG space and how automation such as Wolters Kluwer’s regulatory change data feed is the key to an organization’s success.

The Right Things for the Right Regulators

While Environmental, Social, and Governance criteria have been around for several years, the speed at which new regulations are released has increased significantly. In the wake of weather-related factors such as flood and fire, the continuing impact of the COVID-19 pandemic, and social upheaval across the world, a fundamental shift is occurring in the way that ESG regulation is being considered.

“What role can corporate governance play in addressing some of these factors?” Asks Duffus. “It’s getting broader now. What can we do, in our business model, for the greater good? Because, frankly, we have to.”

As ESG’s scope widens, organizations may find themselves buried under the onslaught of new information. Multi-national firms are likely already working through these changes, but for those organizations that are solely based in the United States, Duffus recommends looking overseas for guidance.

“I would be looking to global standard setters, like the International Association of Insurance Supervisors, the Basel Committee, to start giving us some guidance,” She suggests. “From there, look at who you care about as an organization, who supervises you, who is examining you, and also the places where you get horizon scanning information.”

Small companies will also feel the effect of the sheer quantity of regulation being pushed down the pipeline. The Biden administration has taken an especial interest in ESG, considering it a “whole of government problem.”

“There’s decisions being made. For that smaller firm, I would look to where there has been some established regulation already,” Notes Duffus. “Maybe you aren’t going to make any hard and fast decisions or change policies as a result, but it certainly will keep you plugged into where the wind is blowing.”

Automation in the Age of Information

In her role as Senior Specialized Consultant at Wolters Kluwer, Duffus speaks to companies on a daily basis about their compliance program management. The number of firms which remain analog is often surprising.

“There are still those who remain in a manual mode, using Excel or Access databases, things like that, to conduct their reg change and their risk assessments and all that. Frankly, the days of being able to continue to do that are behind us.”

Automation comes with numerous perks. For one, the sheer influx of information puts analog processes at a severe disadvantage – computerized processes are capable of filtering and organizing data at a far greater rate than human contemporaries. But automation offers companies greater power than just collecting information. It provides users with a star map; a way to not just navigate ESG, but to use change to your advantage.

Automation allows users to, through a series of meta content and tags, comb through a staggering amount of information and pull out those pieces relevant to the organization. By creating this web, companies can tailor their regulatory change process to best support their operations and cut out the noise.

“When something comes to my attention, maybe it was a speech that the Fed made and they really made this point about where they’re headed on some ESG element – maybe I want to get that off to my board ASAP. I want to make sure that they have seen it and understand it and contact me if they don’t,” Duffus says. “Think of what would happen in a manual sense. A number of emails flying around, I have to save them somewhere to show when they knew, how they knew, here it is in this folder. Say I leave the company – where are those records now?”

“As complicated as things have become, even without ESG but now adding these issues on top of all that compliance departments have to manage today, there really isn’t another way to do it in my view but to automate that process and to connect those things that need to be connected,” Urges Duffus.

Automation is also notable for its ability to dispense information across a company, helping large organizations ensure their entire employee body is up to speed. “One of the challenges is making sure that the rest of the organization is aware of these things – being able to distribute it in an efficient way and get the information out to the impacted parties,” Notes Carbery.

Furthermore, the documentation built into automation provides companies with a strong defense again review.

“A regulator might not be able to say that you are ‘wrong’ because you made a certain decision, but they could say, ‘You didn’t even consider this item, you didn’t even look at it and weight its risks to your organization,” Points out Duffus. “The connections need to be made and the record kept more fulsomely.”

A Strong Defense is a Proactive Offense

As ESG continues to develop, companies’ best bet is to remain proactive in their approach to regulatory change management. Those organizations with a strong process for acquiring, filtering, and distributing information relating to ESG will be in a significantly better position to weather the expanding rate at which regulations are being presented.

“I can’t imagine how you are doing effective scenario analysis if you are not looking at the full gamut of what is coming down the road,” says Carbery.

That road can take surprising forms. Effective horizon scanning includes sources such as speeches, posts, and blogs – many of which are overlooked in more traditional processes.

“I think it’s the OCC that has a blog – and they aren’t putting these items out anywhere else. It’s not a law, rule, or regulation, of course, but it does give you a sense of what they are thinking about that topic and how things are probably going to play out,” States Duffus. “Something that automation can do to help you get there is by tagging. If that information doesn’t hit one of the things you are looking for, then no one has to look at it. You are saving resources. If it does, then of course there is going to be a deeper dive.”

“In the old way of doing things, every single item has to be pulled out and looked at, and it’s just not sustainable,” Concludes Duffus.

“We are in a long series of events that the regulatory bodies are going to continue to react to, with a very large set of variables,” Carbery agrees. “The most critical piece is getting that process down.”

To hear more about how automation will set up your organization for success, join us at our joint webinar and demo with Wolters Kluwer and Archer on November 4^th, 2021, or email us at info@castlehillrisk.com .

Ford’s Model N cars (the Model T’s predecessor) were built by workers adding parts that were laid out on the floor.

Policies have often been managed individually, like the autos which were built prior to the Model T. They are the foundation for all risk and compliance decisions and solutions. They are an integral part of a corporate planning and Risk Management strategies.  Policies are the basis of critical controls and serve to mitigate risks to an organization.

Ford’s innovation and standardization reduced the time it took to build a car from more than 12 hours to two hours and 30 minutes.

Policy management is that same standardization for policies. It is process of creating, communicating, and maintaining policies and procedures within an organization throughout all the stages of the policy life cycle. Organizations need a formal policy management process to reduce risk, legal costs and the time it takes to identify and resolve problems. Keeping policies current with continuously evolving laws and regulations is a constant and growing challenge. Having documented guidelines for creating and distributing policies, or a “Policy on Policies” is essential. This serves as the basis of a consistent and reliable policy management program within an organization, provides clear documentation for how to create policies and specifies a process for approvals and distribution.

A strong Policy Management strategy is a clear indication of the strength of management and its ability to meet regulatory and governance obligations. It is a focus of Board-level management who must ensure alignment with the organization’s vision and mission. Moreover, exhibiting robust policy management is important to clients, regulators, investors, partners, suppliers and others that an organization interacts with. A single defined source of the truth enables an organization to more easily establish policies and procedures as well as document which version of a policy was applied to a regulatory request. A schedule for reviewing and updating policies with appropriate risk weightings will enable regulators and auditors to review the riskiest interactions first and allows policy administrators to set thresholds for policy reviews vs. being dismissed automatically as a false positive.

Ford authorized the motion-study expert Frederick Taylor, to make processes even more efficient.

To develop and manage the strategy with respect to how an organization manages their policies, organizations frequently form a Policy Oversight Committee. The committee is tasked with the responsibility for developing and implementing policies, procedures, and controls. Policies and procedures must be more than theoretical principles or ideals. Policies must be linked with regulations and associated with related risks, controls, processes, risk indicators, incidents, issues, etc.

In some cases, there are many departments that own various parts of a policy. This can cause confusion and at times redundant policies. Every policy should have a clearly defined owner who is responsible for creating, circulating and maintaining the policy. Fragmentation of ownership both complicates management of policies and makes it more difficult to attain a centralized and standardized system to alleviate policy management challenges. The owner is responsible for knowing when a policy needs to be updated, modified or discontinued based on organizational and regulatory changes. Additionally, the owner should be responsible for sending out timely updates on every policy, specifying how it affects the organization and overseeing associated testing.

To address the communication issue in the factory the Ford Motor Company established a school, with classrooms right in the factory.

Once a policy is written and approved, its distribution and attestation that it has been read and understood, are paramount. A single source where policies can be viewed makes the process more straightforward and prevents employees from accessing outdated documents. Documenting understanding is a key item for both management and regulators. Reducing the gaps in policy understanding can also offer practical insights to its implementation. Employees also require periodic re-training to ensure that they remain top of mind. As employees change roles, supplemental policy training may also be needed. Policies must be disseminated in each language of choice, so that there is appropriate communications across multiple geographies.

At times rules are violated. These exceptions and their approvals need to be documented. Improper violations must be addressed. Maintaining proper lineage between policies and procedures helps to document and track exceptions as well as demonstrates efforts to control and correct violations. Each exception request must be analyzed for potential impact and a risk rating assigned. The process for determining an exceptions risk rating must be well documented. Proper approval and management authorization are required for each exception and an expiration date should also be assigned. With any volume of exceptions, it is important that they are stored in a central repository and can be accessed by staff. Changes to the business or regulatory environment may also necessitate the reevaluation of previous exceptions.

In 1902 Henry was dismissed by his board of directors from the company that carried his name because of his inability to bring a car to production.

Taking the time to create a policy management process is not a trivial endeavor.  Much thought and collaboration are required as well as backing from Senior Management. Once you have it up and running, enforcing the policies, handling exceptions and managing regulatory changes becomes much more of a standard process in a well-defined assembly line instead of reinventing the wheel each time. 

On episode twenty-six of Coffee Chat with CastleHill, Managing Partner Tim Carbery continues the discussion around Environmental, Social, and Governance compliance.

Joining him is GRC and ESG consultant Tom Birmingham, governance, risk, and compliance professional with twenty-five years experience in the energy industry. He seeks to support companies’ transitions towards more sustainable, ESG-oriented workplaces, with an especial focus on reporting, measurement, and programming.

THE THREE THEMES OF GRC VALUE PROPOSITION
To frame the conversation, Tom Birmingham introduces three themes relevant to GRC value proposition to an organization. The first is the most straightforward: protecting corporate value by maintaining a robust understanding of basic compliance requirements.

The second proposition concerns a company’s business change management processes. As ESG requirements remain in development, it is crucial that organizations improve their processes, systems, and procedures to best support efficient change management. The more efficient an organization’s change management process is, the more adaptable – and therefore, competitive – an organization will be.
“You have to get better about managing change around all of these requirements in the ESG field, particularly around reporting and measurement,” Urges Birmingham. “If you do it in an organized and sustainable way, in my own opinion, you get better at it, you get more efficient at it, and then you are much more able to adapt and remain competitive.”

The third value proposition is in helping company-wide business strategy adoption.
“There are a lot of initiatives that the C-Suite likes to push down into the organization. Governance, Risk, and Compliance professionals really understand how that is supposed to ripple through the organization from a policy perspective, from procedures, control environments, training, data management,” Explains Birmingham. He recommends team leaders make use of these professionals’ skills by folding them into corporate strategy. “All the elements of a robust risk and compliance program are the same things that one would like to see in a successful strategic initiative. Bringing compliance and risk professionals to the strategy table is a good move by the C-Suite to understand how to make their strategy stick in their organization.”

INTERNAL AND EXTERNAL PRESSURES
With an increased interest in ESG comes new regulations and expectations for the energy industry, both internally and externally. Internally, Birmingham notes the usefulness of a strong governance organization to improve a company’s risk data flow.

“I had a couple of opportunities to work in different corporate structures and it really opened up my eyes to the difference between a centralized governance and compliance approach versus a decentralized approach,” he says. “When we talk about trying to standardize and automate the flow of compliance-related information, it’s really helpful to have a strong central operation that can organize and standardize all the policies and procedures that you want to push down into the organization. The trick is to balance that with decentralized decision making.”

The energy industry has been under increased scrutiny from external sources, as well. “There’s a lot of growing expectation from regulators, shareholders, and consumers around responsible behavior of companies. Part of that is coming from a look at how well companies do operate: how efficient they are, whether they can get things done in a short period of time, whether they are cost-effective,” explains Birmingham. But beyond the traditional pressures of shareholder investment, Birmingham notes a new trend rising in the energy industry.

“What’s really interesting on the ESG front is the shareholder interest in companies’ non-financial performance. I think the shareholder and investment community are really getting pressure themselves from their investors, saying, ‘Hey, how risky is my investment in this economy, in this industry? I need more information to make an informed decision,’” says Birmingham. “Increasing interest increases pressure on companies to get better at their reporting.”
“It’s really interesting how the pressures are mounting rapidly in the energy industry and how those pressures will mirror themselves in other industries,” comments Carbery. “From an ESG-perspective, is this focus really driven by the environmental aspect, or are there social and governance aspects of it, too?”
“It’s definitely all three,” confirms Birmingham. “The challenge is trying to manage all three at the same time.”

Check out Episode 26: ESG Risk Management Insights from the Energy Industry to hear more about the changing landscape of ESG, or email us at: info@castlehillrisk.com

Welcome to Coffee Chat with CastleHill, the show where CastleHill’s Managing Partner Tim Carbery interviews experts from around the globe about emerging risk topics and trends. In this week’s episode, Tim is joined by Guan Seng Khoo, Ph.D. to discuss the importance of performance scenario analysis and environmental data factors.

Dr. G.S. Khoo began his career as a university professor researching semi-conductors with supercomputers, a skill set that ultimately extended into environmental analysis. With a long history of research modeling and a passion for the outdoors (including a recent nature guide focused on the flora and fauna of Singapore), he is an authority on analyzing non-standard measures. 

Non-standard analytics present a unique problem to most organizations. “One of the interesting aspects of the environment, social, and governance part of analytics is that there is no single standard across the world, no single standard in most countries,” Tim points out.

Without a global standard, organizations investing in improving their ESG capabilities are uncertain about how to allocate their funds and resources.

“Most firms tend to adopt the simplest approach, which is convenient in the sense that they usually procure their information from an information service provider,” says Dr. Khoo. “The danger is that they may be missing the trees from the forest or, vice-a-versa, the forest from the individual trees. Most of the information service providers tend to focus on the financial impact, the environmental impact, and the social impact, but what they miss in terms of the data – the approach that they have today by adopting ratings from somebody else – is how to measure environmental risks.”

In-house risk model teams offer organizations the opportunity to be more thorough. “When I was doing it, I realized that the more independent you are, the more granular you can go,” notes Dr. Khoo. “With purchasing data and models from information service providers, the danger is that you depend on them… the expanse of alternative data is so wide, especially in environmental risk management, that sometimes for different sectors you may have to curate a different selection of choices of data rather than just using all the available data wholesale. The granularity may be missing. The focus may be missing.”

Granularity and focus offer greater control and accuracy, which support improved ESG risk rankings. Combined, those factors become compelling tools for organizations interested in managing their environmental impact.

The sheer range of possibilities for managing ESG components and measures can be overwhelming. From natural disasters to social issues, it can be daunting for organizations to factor ESG risk into their existing business models.

“What if you were able to manage the wastefulness of your business model?” Dr. Khoo asks. “The idea is to make use of the ratings you have today to try and make the business model or economy more circular. If you assess a company by profit against the waste it produces, it gives you an opportunity to redesign your business model.”

By linking ESG performance to improved business models, companies have an incentive to invest in a higher quality of analysis. As to how organizations can improve, Dr. Khoo offers a recommendation: a performance scenario analysis.

Take climate change as an example of scenario analysis’s efficacy. “Since there is so much uncertainty about climate change’s impact because in between the manifestation of the outcome there could be episodic events like a natural catastrophe, the most optimum method by which you assess the most possible outcomes of this particular investment you make, whether it’s ESG positive or not, is through performance scenario analysis,” Dr. Khoo states.

“It’s like you are investing in an option. You consider all the in-the-money cases and the out-of-money cases. With ESG, you must consider both aspects, in-the-money, and out-of-money, and then, if it’s out-of-money, you assess judgmentally with your fellow peers if that is the worst case that can happen. If it is very likely to happen, what should we be doing right now? Should we be transforming the business? Should we be avoiding the business? Should we be enhancing the business in another direction? Scenario analysis gives you a chance to ponder the various options.”

Performance scenario analysis provides a framework with which companies can view the many aspects of ESG horizontally. It encourages organizations to take a comprehensive view of the numerous potential risks attached to environmental change and empowers those organizations to create business models capable of withstanding multiple scenarios.

Dr. Khoo sums up the many benefits of approaching ESG risk from a performance scenario analysis perspective:

“It is always better to be prepared than to be reactive.”

Check out the full conversation below or email us at info@castlehillrisk.com to hear more about performance scenario analysis and what organizations can do better today to plan smartly for tomorrow: