This is a transcription of our interview with Liam Healy, SVP and Managing Director at Diligent about ESG, Legal Operations and CyberSecurity.
You can watch the original video interview here or an audio podcast here. You are also welcome to subscribe to our podcast in all major podcast apps by searching "Risk Management Show".
Boris: Welcome to our interview with Liam Healy. Liam is a SVP and Managing Director at Diligent, which is a market leading provider of the comprehensive Governance software solution. Liam thank you for your time and for coming to our interview today.
Liam: Absolutely. Thanks for having me again.
Boris: This is our second interview is Liam. For those who didn't listen to our first interview, I advise to go a few episodes back and find one of those interviews in the beginning of August. We saw high engagement on this episode and we are happy to invite Liam for the second interview. Today we will do a deep dive into some of the major topics and what happened with Diligent from July.
We will talk about the Environment Social and Governance, Evolution of Legal Operations and Cyber Threads.
Liam can you tell us a little bit what Diligent has been up to since we spoke in July and what's something you or your team have recently achieved that you are really proud of?
Liam: Sure. And thanks for having me again, Boris. It's good to connect with you and with the audience. Hope everybody is safe and well during the ongoing pandemic and trying times, certainly for everyone. Having me back, hopefully that means that the first segment went well.
Since July, Diligence been up to a lot. A key focus has been in a couple of areas and we can talk more about it, especially about the Operational Governance and ESG and Cybersecurity and such, which we're hearing a lot about.
The two key areas that we've been spending a lot of time have been secure executive collaboration or as many individuals know the Board, but not just the parent board or the PLC board at the very top of an organization, but also the entities and the subsidiaries and the directors that permeate throughout the organization.
So we have been spending a lot of time there cultivating our solutions to help solve the challenges that we're hearing from our customers.
And then the second, which feeds directly into that is Operational Governance. And that's kind of the iceberg below the water, if you will, which is getting the right information to the right people at the right time. So that directors can ask the best questions and operators or executives can make the best decisions. That's harder than it's ever been in a hundred percent distributed workforce or almost so in the world we're in today. And so we've been spending a lot of time there and managing our solutions to make sure that they fit the needs of our customers.
What are we most proud of? I think the resilience of our employees and specifically how our teams have answered the bell during really difficult times for our customers, each of our customers have different circumstances. We have over 19,000 customers in different industries and the pandemic and their day to day has changed drastically in some cases.
I'm incredibly proud of the resilience that our team has shown to be able to get in front of that work with our customers closely. Start with yes, and figure out how afterwards to try and make these, these tough times for many organizations a bit easier.
Boris: So let's dive specifically now in this ESG topic or Environmental Social and Governance which we hear on the news all the time.
What are the biggest challenges organizations are facing when it comes to implementing ESG goals?
Liam: Yes, It's a thoughtful question. It's hard. It is top of mind for a lot of reasons, but it's difficult. It's difficult from what we're seeing simply because until recently there haven't been a standard set of metrics, whether they be financial metrics or a nonfinancial metrics that organizations can benchmark themselves against to how well they're doing in any of those given areas.
And so until recently, while many organizations are going about ESG or each of those areas individually and working very hard to set a set of standards to measure themselves by, there hasn't been until recently a common set of standards in. We've worked closely with E&Y and with the World Economic Forum, as well as the international Business Council, IBC with a set of standards that they've put in place.
There are a couple of different sets of standards now across the globe that organizations are pledging to that they're going to manage themselves to and benchmark themselves against.
The internal auditors are going to work through the compliance pieces to make sure that they're checking the boxes. Having that in place and managing through that, we've worked closely with them to release, those standards through our application and be able to have our customers to tap into those in and start to leverage those or manipulate them a bit so that they fit their organizations and institutions a bit more clearly
That’s been in a really tactical challenge. I think the more philosophical challenge that we're seeing is simply the shift of shareholder capitalism and stakeholder capitalism as it relates to ESG.
And a lot like corporate social responsibility years ago has continued to evolve. I think what we're seeing is that it's not a IF it’s a WHEN organizations are getting on board and being able to prove how well they are doing in each of those areas or in totality through ESG.
Because capital, whether it be the investors and raising funds or human capital individuals seeking top talent and supporting their employee base or individuals and Capital groups are leaning in and saying they want to attach themselves to organizations were ESG is top of mind and not just top of mind, but it can be proven.
And you're seeing even at a very low metric level, millennials and individuals that are choosing the top institutions around the world to work at are giving up certain perks so that they can align with institutions that their belief systems match. And that's powerful, but that's hard to get right. And so we're seeing a lot in that, and that ties specifically into a lot of the areas that we're working with around Operational Governance.
It's great for a Board to ask a question how are we doing with ESG and to be able to prove that. It's a different set of challenges to take a lot of that decentralized information throughout an organization and manage it effectively and make sure that the right individuals have a line of sight, can manage those areas.
Not just that they have a set of obligations in place internally and externally that they can check the box on, but that they can manage over time, the risk that comes with each of the areas that, that support ESG.
And so that that's hard and the bigger the institution, the harder that gets globally. And so, yes, we've spent a lot of time on the operational piece of that.
Boris: Why is it so difficult to measure right the progress of ESG initiatives in companies?
Liam: The first is again, a different set of questions is tough to manage. How well are you doing on the test? Right. And so I think it's just getting to a common set of standards that the world would agree by. I think that's one of the first steps and we've made great strides, not we Diligent, but we as far as the business community around the world have made great strides in getting to a level playing field that we can manage by.
That's the first piece. The actual management of it, or the tactics of it is extremely difficult. Because of the decentralized nature of information across an organization. And being able to pull that together to have a common view at an institution to be able to say, here's where we are good, or here's where we are not good, and be able to report that effectively.
Often we find in conversations with many of our customers it's not a unique challenge. We often find that it's a kink in the chain or it's a bit of a disjointed process where this information is first gathered and then reported on.
That makes it really difficult. I think the proliferation of legal operations in many institutions is helping to solve some of those challenges. I think it will be the Office of the General Counsel or in many cases, what is now falling on the CIO plate, who often is now being looked at it as a COO.
To manage through that information, put it into a structure that it can be reported on, gathered effectively, identify risks, put remediation plans in place.
It's hard if you have many of those processes running simultaneously at different rates of speed, if you can get them unified in some form or fashion, it's a bit easier. There is no silver bullet on that, but we're seeing Legal Operations making great strides there.
Boris: Which have been the biggest challenges Legal Operations teams faced as a result of this COVID pandemy
Liam: If I were speaking of behalf of our constituency, I think it would be resourcing. If you look at some of the benchmarking and research recently, some of the top risks, the Internal Audit or the Legal Operations in particular as they were working with compliance and audit together to solve, many of these challenges have been, the first is Cyber that that's always the top risk.
The second is the change in regulatory requirements is fast and furious. No human can keep up with that right now. The changes, especially with pandemic, the changes in every jurisdiction around regulatory requirements being passed.
The third is the digitization of legal information, taking it out of the proverbial, filing cabinet and getting it into a centralized repository to manage the corporate records and your processes. Again, not all in one place often. That’s hard and the workload is increasing exponentially.
I'm not to quote any specific research on this call, but the research that we've seen and been looking at closely with our customers has been that the workload is outpacing the investments in proactive resources that are going in to support that function.
So it's great that it is up and running and moving in a very positive direction, but it simply needs more resources. That's the first.
With that as organizations invest in Legal, Operations, it is a Standardized Set of Processes, a baseline or a foundational playbook to manage each of their areas.
So I don't know that it's so much a challenge as it is more is taking, all of the ships that have been at sail for a long time and making sure that they are navigating at the right direction and trying to streamline that on a common foundation. We're seeing great strides from many of our customers.
Again, I'm not to name any of them in particular, but great strides by individually organizations that have invested heavily in Legal. Operations where they have teams of people that are coming in, they're choosing a system of record, and they are integrating those systems of record to all of their major corporate systems. They are setting a foundation in a process in place by which to manage all of the information with a corporate record.
So whether they're a public company and there are filings that they need to do and compliance, obviously in every jurisdiction, they need to stay on top of, or even some smaller private companies who are focusing on liquidity events, whether those be recapitalizations or IPOs any event where the corporate record is at play. You're streamlining that information.
So that they're are always ready to be audited, or whether that be internal or externally, always ready to make that information a competitive advantage if you will. And that can mean a lot of different things, but it really is just the getting the resources and getting the foundation in place. That's what we're seeing, being the typical challenge. I think that will change over the next, the next few years.
Boris: And what specifically, you guys at Diligent help Legal Operations to meet their goals.
Liam: Thank you for asking. If I were boiling it down a very simply, modernizing Governance in our view is again, simply getting the right information to the right people at the right time, so that directors can ask the best questions and operators or executives can make those best decisions.
And if you think, very simply again, this is again a very remedial example, but the boards, whether they be the parent board or subsidiary boards and committees that are reviewing information at a given point in time to ask those questions or make those decisions, they have to digest the information.
There are a pre-reads, there are actions and follow ups to those agendas, all of which is being fed by the operational piece of gathering that information, moving it throughout an approval process, being able to report on it, getting it in front of those people.
And we can help in two very simple areas: being a system of record for all of that information and having it reside in one repository to be able to move around through a set of process Management and approvals, as well as a data integrity, moving that all around and then getting it in front of those individuals through our Boards Applications and having directors being able to log in to one place to get the information, review it, digest it, and then come out of the meetings with clear actions and followups.
Having that in a closed loop site, in a system that is secure is where we really hit the ball out of the ballpark. I mean, and that's our bread and butter, which is top of mind for, for CSOs right now given with all of the technology that's out there and all the disparate systems, sensitive information is flowing throughout an organization and not always inside of a secure network.
That is a very real challenge that we are helping with.
Boris: I would like to do hear your personal opinion. As it relates to Governance, what should the corporate boards stop doing right now that they are currently doing and a another way around what they should start doing, that they are not doing
Liam: Personal opinion of what should boards do that they're not doing right now or invest more in? I think a big topic clearly is to be intentional about the diversity of their organization, not just within the entire organization, but it specifically at the director level for the boards that, that those individuals sit on at the subsidiary level, at the entity level.
And certainly at the current board level, create seats that are diverse and inclusive. And if you think of DEI and that is a very real topic that when you don't have all the right voices at the table and you can't get a 360 degree view on what quote unquote right could look like. I think certainly it is a topic, but I think that look to quote an individual close to me, sunlight is a great way to cleanse so like shining a big, bright light on it is important.
I think Boards needed to keep that in mind that if they're not being intentional about that sort of a movement. I think that’s important.
What should they continue doing that they're doing really well is more investment in governance. Governance is never been in the spotlight more than it is today and it really hasn't gotten a refresher over the past couple of hundred years is what it seems like.
And so I think just continuing to ask questions and be curious, and spend the resources, time, money, obviously, but the intellectual resources to know where can they make it better throughout their institution because Governance is important. And I think we all know that, but I don't know that we've all been as intentional as we could be about that. And we want to help with that.
Boris: Fantastic. So let's jump into the third topic, which is our main goal today is about the Cyber Risk. What are the biggest Cyber Security threats organizations are facing globally?
Liam: There are a lot clearly the, one of the topics or challenges that is front facing for us right now that we're hearing a lot about is the movement of information and the storage of that information, the most sensitive information, the gaps that are being that are created in that Management process of getting the right information to the right people at the right time.
And I think that we're hearing more and more now about the risks that the office of the CIO is facing in owning the operational piece of Governance. And not just that the office of the General Counsel is the customer of the office of the CIO, but more in asking the questions around what is the outcome that you're trying to achieve.
And what should a director's know about managing the risk of information flow of the most sensitive information throughout the business? Where is it tight? Where is it loose? What's our exposure?
in some cases you have to use as an example not naming any application and such, but a real example is depending on where organizations are storing their information, there's massive litigation risks in not knowing all of the contents that are being stored, where they are being stored, who has access to those.
And then if information needs to be recalled and used how it is then flowing freely about in the institution. And when you think of Cyber Risk in particular, as it relates to operational governance or managing risk, sometimes we're our own worst enemies. And we're hearing that a lot these days with how information can move about a business. And for example, misplacing or miss handling a version 13 of a board pack or a board deck with information that might not even be complete, might be more damaging than then losing access to the final version because it's incomplete information.
And so the question is, how do you move that around when there are directors that will request - send this to my Gmail or send this to My Yahoo or text me the information, because they want to be able to carry their duties out as they should easily. And they just want to be able to access the information and ask great questions and rightfully so, but sometimes ease of uses is tugging at the heartstrings of control and security and where institutions don't have that in their grasp, they're, they're exposing their organizations to massive risk.
And sometimes they know that, and there's just not an intentional movement to change that. And I think that is now falling more on the critical thinking in nature by which CIOs are becoming more like CEOs these days and leaning in, and operating with their legal counterparts to tighten that up a bit. That is, right now one of the biggest, obviously Cyber is top of mind, everywhere are all the time, but that is one of the biggest things that we are getting asked about every day.
And especially in a world where we are a hundred percent distributed a in today's world, of course,
Boris: Provided that virtual work is still ongoing around the world. What do you see company leaders, make a priority in technology to combat this threat?
Liam: They're doubling down in, there are two areas that we're seeing a lot of. The first is in an audit of systems, what are the systems that they are using for what processes and applications, what information is it managing, and seeing a bit of an audit.
The first 90 to a, a 120 days was creating continuity from the transition from being in office is everyday to being remote everyday.
And during that peak, there was a different set of challenges to the world seems to have settled into a remote work environment. And over the last few months, since July, since we spoke that normalization now is creating the opportunity for institutions to get back on to the front foot.
So they're doing a bit of the auditing, have their systems understanding where they are and how their information flows throughout the organization. What are the investments they can make to shore up VPNs and secure access, especially for those sensitive information.
So, doing an audit there and then creating new policies in many cases, new policy on how the information is being managed.
It has provided a unique opportunity and shine a spotlight on organizations, not a new problem, right. But highly highlighting an existing opportunity and challenge that they're facing to get it right. And, now that we've been in this for, nine ish months going on 10 months, you know, I would find it hard to believe that many organizations will go back to an every day in the office environment.
And I think in many organizations have seen productivity go up, they've had to force themselves to get better access virtually and figure out those processes. So it will be interesting to see, to see how we evolve.
Boris: Interesting. And how does someone listening to this for the first time, or maybe even a it expert should go about it, how's it? How would you prepare for next year? For example, do you have some tips?
Liam: It depends on. If you are listening to it for the first time in your, in your life. And you're thinking about it at that time a year. If you are on a calendar fiscal year in your budgeting, or you are trying to finalize budgets for next year, I think one of the things that I'm hearing a lot of from counterparts in the industry and individuals that own budgets is that your first half of the year will probably going to look a lot like this year did when it comes to travel and expense and management, a virtual world versus an office world.
So planning that way, being prepared for the first 180 days of next year, but the back half of the hunt of 180 days, in 2021, we'll probably look a little bit different. So, being prepared with investments to wrap it back up to a certain areas, that's a rare, we don't see a lot of it being a hundred percent virtual next year, obviously, but we see that the Evolution will come back to more travel on and such. So I think there are investments there to just be aware of as you plan for next year.
Operationally is, again, the investments we're just seeing lots of organizations invest in getting on the front foot of shoring up their Operational side of Governance, making sure that they've done an audit of their systems, their process who has access to what and looking at how they manage that best.
So I really think that the easiest way, if you're a first-time listener, the easiest way or the best way I've heard it described to me from a customer is it's like an iceberg.
I think I've probably used this analogy before from them is it's like an iceberg at the top of the iceberg is above the water.
Everyone knows the Board. Everyone understands who the Board is. They know their responsibilities. They know they understand who's on the hook for how the business is managed, what they don't understand, or what they don't often see is what's below the water.
And that is the 80% of the iceberg that sits below the water is that operational pieces, the investments and time and money and intellectual thoughtfulness that goes into managing that process.
And that is the entire group structure of a business. And every piece that goes into it, trying to have them be aligned and, and uniting all the different departments to, to make that work. Well, those are the two key areas that we are constantly hearing are front of mind right now. And, and the operational piece is big.
Boris: We touched the major three points, and I wonder if there is something that I didn't ask you that you want to add.
Liam: No, nothing, else to mine. Thank you. Is the biggest thing. Thanks to you. Thank you to your listeners. I always have a fantastic discussion. it's great to catch up.
Boris: Thank you. Liam and I wish you were a company, a company Diligent a greater success in the coming period. And The, I know you have a lot of work to do in a lot of the coming of new customers, the old ones. So I wish you a good luck.