This is a transcription of our interview with Anton Lissone, CTO at SAI Global.
You can watch the original video interview via the link below.
Boris: Welcome to the Risk Management Show. I am Boris, founder and CEO at Global Risk Community. In this episode, we are talking with Anton Lissone, CTO at SAI Global. SAI Global is the leading provider of integrated risk management solutions, assurance and property services. SAI Global helps organizations protect their brands by proactively managing risks to achieve Business excellence, growth, sustainability, and trust.
Anton, welcome to our show today. I really appreciate your time and look forward to our conversation today. Could you tell us a short story about your company SAI Global and what are you guys up to these days?
Anton: Well, as you mentioned, SAI Global, comes from the Standards Australia Institute. We will be primarily talking about one of the divisions within SAI Global today, which is Risk and Learning division. We really have a wide portfolio that covers all kinds of use cases in the GRC space combined with Risk and Compliance Learning.
This is a combination of software services, elearning and content, both SaaS, as well as associated with implementation and advisory services to help our customers in their journey. So that's what we're all about.
Boris: Well, so what actually SAI Global does in relation to Risk, Audit Management and what is your best type or ideal customer? And could you tell us perhaps how you're different from other providers in this space?
Anton: Well, GRC stands for Governance, Risk and Compliance. This is a broad term which is used to cover a lot of different use cases. The ones that you mentioned, Risk management and audit are two important ones together with Internal Control and then there are other areas like Business Continuity management, Vendor management and Policy management, and some others.
Specifically to Risk Management and Internal Audit, there are a few different angles that we cover from a risk management perspective. We have, for instance, quite advanced environmental health and safety software that allows you to do operational Risk management mainly for health and safety purposes for plants, manufacturing, organizations, mining companies, et cetera. So that's one angle. The other angle is Operational Risk Management for financial services. This is a slightly different angle because we're talking about the financial services risks, capital modelling for solvency requirements, as well as value at risk calculations and those types of risk management principles.
And then there's also IT Risk Management, where we are talking about Business Continuity management, Operational Resilience, Vendor Risk management or 3rd party risk. So, it’s pretty broad. And then if you look at the audit, it typically covers similar use cases, but then ultimately as a third line of defence. So when we look at Internal Control, which is typically a second line of defence function, then audit would do a third line inspection on top of the result done by the second line.
We also have a lot of customers that do very advanced corporate audits or Audit Management which include the entire cycle for annual audit planning, documenting and creating actual audit engagements, time recording, time writing, pretty much anything that is a key to a day in a life or any given auditor in an organization.
When you ask me a question about what customers do you serve well, we can serve both simple ones and more complicated.
In a small audit shop that has five auditors, for example, where their primary goal is to let’s say do inspections at Burger King on many different locations. They go through their inspection list and they make sure that everything that they need to check is done within that franchise.
On the other end there are more complicated audits where, for example we have a large bank that has 2000 auditors globally working in different regions and different countries.
Certain auditors are specialized in Credit Risk, others in market risk. And the way they determine what to audit, is not just by frequently looking at the branch office but by using a risk based approach, and then determine what to cover. They do specific procedures for when they get to the branch office, they look at the particular process and cover the actual narratives of the process.
Then they determine what's the scope and the controls the auditors have to actually test it and do special engagements that they've received from the board. So those are very different ways of doing audit.
So we cover with our software pretty much the capability for both sides of the customers spectrum. The customer could start small, grow large, they can use our software for one or a few use cases and then grow and we can grow with our offering along with the maturity or the use cases that the customer wants to automate.
The same applies to Risk Management where there are companies that do only quarterly Risk Assessments at the Board level, identify risks, put them on the heat map, get the action items, and then they follow those through the workflow.
On the other hand there are banks, they document very vigorously the risks, controls and costs associated with these processes. They do risk and control self-assessments pretty much every month. The data then rolls up into risk aggregation, which drives their Risk Posture and that goes into their model for capital calculation, and solvency to determine how much do they actually need to retain on the balance sheet, et cetera.
This process is much more complicated. They also tie historic loss registrations and recovery simulations which do value at risk simulations et cetera.
So that's the other side of the spectrum. Our software can manage both simplistic and very complicated use cases doing continuous risk assessments. And then even further down the line, there are now companies started to do data analytics where instead of saying, let's do RCSA every month, we're going to just take in feeds from all across the organization, the emerging risks, actual incidents, findings that have been raised, news feeds, et cetera.
And then based on all of those data points, we determine when do we think our residual risk rating has to be adjusted. And then as we go along, as we identify those types of data points, update risk assessments and see if we need to do something else more tenuous. That's also starting to happen, which is even more complicated because you have to get all of their data integrated with all kinds of the actual systems.
In some cases they have to use artificial intelligence, machine learning algorithms to make it smarter and better.
So this is very broad and we can tailor it for both simple and the complicated use cases. For the other use cases besides risk and audit it is a similar story - moving from simplistic, to more complicated to data driven and to some degree of machine learning and artificial intelligence eventually. What they all have in nature is that they start to grow more data, more integrations with all systems.
So that's really the entire product portfolio how we can help our customers.
Boris: Well, I tell you, you have a lot on your plate. You are a CTO, a very young person, so you have a lot of work to do. I wonder, in many industries COVID-19 has accelerated move to digital transformation. As the Microsoft CEO, Satya Nadella put it: “We saw two years of digital transformation in two months”. What changes are you seeing in the market, especially now in this COVID situation, can you tell us perhaps how your clients are impacted by this crisis and what organizations will need to do in order to adapt?
Anton: I think there are two very immediate use cases. Obviously one is operational resilience programs or Business Continuity management solutions. Now all of a sudden people see that they need to be resilient. What do we do to work from home? What are the problems that we run into if all of a sudden everyone works from home, is VPN connected, is bandwidth good enough et cetera? So there are a lot of things in operational resilience that people are now starting to ask questions bit by bit.
So there's a renewed interest in Business Continuity management and operational resilience.
Also on the environmental, health and safety side, obviously, there's a lot of need for our customers. What happens in their office locations, who got ill, who did not get ill, if people got sick are they saying that they get COVID or they get something else.
So they need to figure how to create a program to get people back to the office in the safe manner and then obviously that leads to change and adjustments in policies where our Policy management solutions come in.
We make sure that people are aware of the new policies, that they sign off to the policies and combined with our learning we can train and explain them how do you behave at the workplace.
I think the fallout of this COVID crisis will probably show that there are more organizations, which haven't been in resilience, didn't have enough capital saved up to get through this crisis that now are trying to close offices. That will have a huge impact overall on our economy, as well as how people look at risk, risk management and Internal Control.
I think we are in the fortunate position that we have such a wide product portfolio that can get customers through this situation. I think even in a longer term, and this not only relates to us, but as more companies try to adapt systems to be less people intense or depending on people to have better decisions, they will go through the digital transformation.
Like they go with their digital transformation on their GRC processes, they will also go into some more digital transformation, as the Microsoft CEO said, on their primary operating systems like ERP. As those systems become digital, it will also bring risks that will change slightly in nature because the risks associated with Digital Business or cyber security are very different from risks associated with more people intense business.
So there will be an update to how people behave, to how the controls are documented, how the controls are executed, including what type of data do they actually cover and what is the evidence that those controls are effective, which will then again change the opportunity for us to actually be able to do more things like continuous monitoring, continuous auditing because all of the data is available.
We can use some advanced techniques like process mining to further optimize. So by providing all the tools for the second line functions they can easily determine whether, for example, this is an effective way of doing a Vendor onboarding, is this an effective way of writing a new policy and so on.
I think there's massive change, but the focus right now is on what can we do now to stay ahead of this COVID situation. And after that, some people look back to this change and this process and then they can drive further digital transformation.
I appreciate me being a young CTO of a large organization, but don't forget, we have so many different products, we have so many product managers that work with us. We have really good experts that know the Health and Safety area very well and we have experts that know Financial Services very well. So I'm fortunate enough to work with them every single day.
Boris: Anton, I'd like to ask you your personal opinion, what is a commonly held belief as it relates to risk management and audit that you personally disagree with, or what is the one common myth about Risk management that you want to debunk?
Anton: Well, there are a few different angles to look at it. If I go all the way back in my career, I actually started at KPMG working on continuous auditing. And when I joined, almost 17 years ago, I was an auditor at large Dutch multinationals to look at their financial books, as well as the system related to their financial reports.
And what struck me was that there was a lot of manual work being done by auditors. And there are a lot of ways to do this better. Instead of doing a reasonable assurance, you could get to absolute assurance by not looking at sample size, but looking at the entire population, data, technology, machine learning, but also computer assisted audit techniques as we called them in the past.
It has evolved drastically and can be done better now and I'm very passionate about this topic.
If you do this properly, it actually takes a lot of work away from people in the first and second lines. And it is also not just about monitoring. It actually becomes a risk mitigating measure because you can actually set and get alerts very early in the process.
We actually reduce the correction that can actually prevent people from making particular mistakes.
We've been trying to sell it at SAI Global for quite some time now and we actually have customers that do it, but I think there is so much to gain in this market, by doing more continuous monitoring and continuous auditing.
If you read many LinkedIn posts lately from Risk experts, you will hear this debate about two major topics. One is actually what is a useful way to do Risk Management but people tend to forget is that this mostly depends on the person that wants to do Risk Management.
There are people that say that heat-maps are fundamentally wrong because they are qualitative and people overestimate or underestimate risk, but it is a way of prioritizing your actions, whether that's entirely accurate or not, you have to start somewhere.
Some companies are not mature enough to do everything based upon risk analysis, project risk analysis, correlations, et cetera. So the right answer for every organization depends on their maturity. Sometimes it is as simple as just working with heat-maps and sometimes it is as complicated as to incorporate the risk assessments and quantifications.
The only thing that is really relevant is to pick the right way to start. We have done implementations where we've done risk correlations but their maturity wasn't really up to that level, but you still push the system that does that. It won’t be a successful implementation.
So what you deliver ranging from the simple risk management solution through the complex Risk management solution it has to match with the maturity of the customer, often they overestimate that maturity.
So you have to be very cautious about it, just start somewhere with something that, you know, can be a success, learn from that, and then evolve and make it bigger.
And that leads us to another debate point which is the legacy GRC platforms versus new GRC applications.
People that think they know everything or external consultants from Big4 offer help every time on the right methodology and people get different advice because it's tailored to their specific organization.
That means that in the past, a lot of these software platforms like ours needed to be very flexible and cover all that capability. But it also means you get pretty complicated software and that implementation tasks can be pretty long.
On the other side of this spectrum we now see companies that have gone through this two or three times, or have learned from their peers. And they don't want to go through a lengthy implementation, they just want somebody that tells them how they are supposed to do it or how they can get 80% there. “Let me do that for the first year and then we'll see where the ship lands and if we need, we will make it more complicated”.
This is the approach where the market is going today.
I think that partially it also has to do with COVID because when people now make investments, their ROIs need to be much more clear and they have to get to the business value much quicker, not after six months of implementations and debates.
The real question is not whether this old or new software but why there is a difference and what type of software suits for what type of buyer. We still sell both. We still sell to customers that say: Anton, give me Business Continuity Management live in 3 days.
We also have customers who say no, Business Continuity Management for us is really complicated because we have 400 factories across the globe. Their Safety instructions and policies are very different. There are different people, different training, different language, and this obviously becomes more complicated.
So you can't just force that 3-day implementation standard out of the portfolio on the company that has much more needs.
So that's also where our organization comes in well because we can actually tailor it to both types of customers using the same technology. And it also allows them, for example, if they decide to start with something simple, they can still evolve into that other piece, which is more tailored, more integrated into their existing systems.
Boris: I wonder what tips do you have for risk managers to help their organizations to stay on course during this crisis? For example, what are some things that they should start doing right now that they are not doing currently? And other way around - what they should stop doing, right that they are not doing currently.
Anton: I think we ran through this obviously ourselves as a global company as well. It's that Risk Management when normally they implement the software, they are not in a big crisis, right? And you shouldn't confuse Crisis Management going through a rough period such as COVID or a security incident or something else that has occurred.
The behaviours that you show there are very different from being a Risk Manager on the front line saying: what can go wrong, how should I prepare for what actually can go wrong?
Once something actually goes wrong, there are a lot of things that are different from how you anticipated it before and what actually went wrong. So don't stick to what you have written down in your Risk Metrics or your RCM and the controls you need to execute.
Instead, go into crisis mode, figure out how to solve it now, reassess the situation, re-evaluate what’s still relevant, and obviously make sure that you do retrospective analysis afterwards. Because while you're in the situation, you might make assumptions or adjustments through the way you operate to keep your head above water or stay out of the Risk but this might not necessarily be the most effective way to do it.
So afterwards always do a retrospective analysis where you figure out whether you responded to it correctly, Yes or No, what is the most effective way to do it? And then what do you need to change to be better prepared next time.
I think also what the experience has shown us is that we can't prevent or we can't predict black swans. Obviously there are some videos on the internet from 10 years ago where Bill Gates said that the pandemic will occur sooner rather than later.
And I guess that has come to fruition, but nobody really takes that into account when modelling black swans, and then trying to figure out how to prepare for this. So when you're looking at Risk management, some of it is also trying to do with unknown and uncertain, you can't fix everything by just implementing Controls. You also have to make sure what Risk Management actually means which is knowing that some things are not known upfront. So that mitigating measure might be that you scale up quickly your crisis response team to solve particular problems.
It's not just about the event of nature as much about the collective nature afterwards that you can apply to.
Boris: So what we should expect from you guys in the future in terms of products and services, and if looking broadly in your industry, what are the major trends if you can say in a few words?
Anton: I think I've touched on the most important ones already. First is that shift from complicated, expensive to more standardized SaaS solutions which generate quick value and are ultimately at the lower cost of ownership, which is also what our roadmap is aligned to.
These are mainly out of the box SaaS solutions that are ready in three days. That's one thing to look at.
The second thing is that the GRC space is such a broad area with solutions.
Some companies are buying it for some point solutions such as Business Continuity or Vendor Risk Management, but ultimately two or three years down the line, when they got the value from such application and they've learned from it, they might want to add something new modules like Policy Management or Internal Control and not have all the applications do the same things.
They just wanted to act like having multiple apps on Appstore in your iPhone. Now I want to do Risk Management, now I want to do Policy Management, now I want to do Audits or Inspections and they want that to be quickly available at that point.
So again, we are continuously working with making sure that all of those use cases and we have about 20 today can be covered on the same platform that we provide for. I think this will continue to grow.
And then the maturity of what we need to cover is very important. Many companies in the GRC space talk about artificial intelligence, natural language processing and machine learning. This is how marketing works.
You have to throw in some buzz words to sound credible to show your thought leadership, but the point is there are really valuable things in those technologies that can actually help you, but they will only help you if you find the nail to hit the hammer with it.
What are the practical use cases that are causing pain in your day-to-day Business, in your decision, making the decision making that you can do better or faster based on those modern techniques, which is also why we are working on that.
Let me give you an example. We are working with large banks and they are getting a hundred or 200 regulatory updates every single week, and then phase one would be, can I get those updates in a harmonized format so that I can push them through the workflow?
Sure, you can do that. After you've done that for half a year, you'll find out that for a certain regulator or a certain topic or about a certain market, that particular workflow should be handled by this person because he is the subject matter expert, right?
You can do that by SMEs or you can use a system to learn by itself because this is simply how the workflow went in the past. So we can now predict what is the upcoming workflow for the incoming regulatory change, who's really the expert best equipped to handle that question.
Now, if you take that even further, if a document lands on the desk of the person, for instance, this is something about Credit Risk, that person will determine whether this regulatory change has impact on my Credit Risk policy or my policies on Money Laundering or on the anti-terrorism financing, etc.
So today they bind those regulatory notifications to such a policy manually and then somebody goes in to the policy to determine which particular section of my policy needs to be updated. This can be supported by natural language processing. We can actually match and embed the sentences in regulatory texts as well as in the policies.
So when it lands automatically on the desk of the person, we could tell the person - here are the five sections or the five articles in your internal policies that we most likely think you need to update and then trigger the workflow.
Sure, there are real, tangible benefits in applying modern techniques, but it is for every company to figure out where can we provide value and we will bake that into the product.
What we're still trying to figure out is where our customers are experiencing more pain and how we can help them with some of this stuff.
So these are some of the major trends that we see. Another trend is Learning. We all know that everyone in the organization gets its security training once a year and you have to go through a bunch of questions and it might be email involved in it.
You have to click on five pieces in that email that you typically look at to determine if it's spear phishing or not. Is that really effective? In the past for regulators it was good enough to say, look, everybody did the training and they signed over on this, hence we did our best to make sure that we didn't finance terrorism or that an insider trading did not occur, but that's not enough anymore.
They are now asking you to show them whether you actually changed the behavior of people. Showing that they just do the course once a year is not going to be enough to prove that you changed that behavior.
When this becomes really interesting is that data that we capture in our GRC systems and in our integrated risk management systems can actually help prove that they did training, but also the behavior of people based on the training have changed and that certain decisions that we support in our GRC application can actually drive behavior of people.
So we think there's a massive market for integrating ethics and compliance learning and training as well as Risk Management applications.
It's also for the human aspect to be able to substantiate it to a regulator or to any other party that you've been able to affect the behavior of people to watch the reduction of the human risk. So I think that's probably the last biggest trend that we see in this market today.
Boris: From our own perspective, as a Global Risk Community, what would you suggest how can we contribute to the process of better understanding of this complex world of Risk Management?
Anton: That's a good question. I think there should be more interaction between users of GRC platforms. GRC platform is just a tool and there is a saying that a fool with a tool is still a fool. The value that you get from the tool is directly correlated with the intelligence of people working with the tool. What they put into the tool, or what they take out of the tool or what to do with the stuff that they take out. I've worked with different GRC applications, saw different ways of doing things and that there are a lot of things that they can learn from each other.
So we are trying to bring customers together, to talk to each other, what works for you, what was for us that we learned from each other, can we adapt our processes.
So we bring them together. We want them to talk more, share more. And I love the conversation about the actual risks and I get that. It's also important that more people stopped to share the experience with these applications and how they can be better tailored to actually facilitate that day to day job.
Boris: To summarize, if someone who is listening to this interview would like to walk away with one or two major takeaways, what would it be?
Anton: Oh, that's easy - use SAI Global software, this is the best GRC software in the world. Yes. I know I'm biased, but I still think that's true. Everyone wants to get to the business value quickly. Especially now when budgets are limited. We have to show that there's an ROI within a short period to actually make buying decisions. And we want to do that with the customer. Every conversation that we have starts with Yes. Yes, we want to have a standard, Yes we want to have a best practice and yes we want to do it agile.
And they always end with these 400 must haves that also must have been done. Those two things collide. There is a way to develop these 400 into 3 different phases. Start with phase one, make it success, learn from it, get the value and they have to phase 2.
So for all those customers out there that are looking for massive GRC journey and there are still a lot of RFPs in the market that really show very big projects: stick to smaller deliverables, get the value quickly, get it into the hands of the users and have them evolve with the software because how they work with the software is equally as important as what the software does. I think that's biggest factor to contribute to success with implementing our software.
Boris: Okay, Anton. Thank you for your time. And I wish you and your guys at SAI Global to grow your company and become a world leader in this GRC software space.
Anton: Thank you very much for the time as well, and looking forward to the next time.