Episode Transcript
[00:00:14] Speaker A: Hi everyone and welcome to the Ethicast. I'm your host, Bill Coffin, and in this episode we're going to discuss inherent and residual risk with Craig Moss, Executive Vice President of Measurement at Ethisphere and a director at the Digital Supply Chain Institute and the Cyber Readiness Institute. Craig is a prolific thought leader, public speaker and author on the subjects of value chain holistic risk assessment and AI. And his most recent byline, Leveraging Residual Risk Data to Go Beyond Reporting, provides a fascinating look at the connections between inherent and residual business risk and how strong controls such as compliance and forward-thinking use of data can create sustainable long-term value creation for enterprise. Craig, welcome back to the Ethicast. It's wonderful to see you again, Bill.
[00:00:58] Speaker B: It's great to be here. I always love talking to you about these topics.
[00:01:02] Speaker A: Well, my first question to you is, can you talk about the relationship between an organization's inherent and residual risk and how management systems and controls, such as compliance, provide a linchpin between those two?
[00:01:16] Speaker B: Yeah, for sure, for sure. So inherent risk is really the risk that a company faces based on what they do, where they do it, who they do it with. So for example, if you're selling to the government, you're going to have certain types of corruption risks in certain countries.
If your supply chain is going into some certain emerging markets, your inherent risk is going to be higher related to certain environmental and social or labor rights issues.
It's hard for a company to change their inherent risk because that's really the nature of their business.
What companies can do is reduce their residual risk, their leftover risk, and they can do that by putting better management systems and controls in place.
So that's really the difference. And right now with the prevalence of, there are a lot of systems out there, software systems that are scraping public data to create very sophisticated inherent risk tools.
But that's harder, that's an easier step than actually gauging your residual risk. So what I've been focused on for the last few years and actually for quite a while is how do you start to make it scalable for companies to understand their residual risk?
And you do that through putting together more sophisticated maturity management systems and controls.
[00:02:42] Speaker A: Now when you talk about those management system and controls, I know, you know, it's, it's, and you mentioned this in your article and your other writing as well. Data has become sort of at the front and center of all the, of all these things. And it's, it's. Data is kind of a tiger by the tail. You can rely on it so much, but then quickly overwhelm yourself with that data. So can you talk a little bit about not just how data, you know, fuels this approach that you're talking about, but how you can do it responsibly and make data work for you and not against you?
[00:03:08] Speaker B: Yeah, that's something that we've observed a lot. A lot of companies are flooded with data and in fact there's a lot of companies actually set up what we'll call sustainability or compliance reporting departments that are responsible for just collecting the data to fulfill reporting requirements. And one of the earlier articles I wrote for the Dow Jones Risk Journal, I went into that about the idea of needing to use data to go beyond reporting to actually shaping the future.
And that's one thing that I really think companies need to focus on is reporting is inherently an activity to report on the past.
That same data, looked through a different lens or different mindset, can be used to shape the future.
So that's one of the things that I think is important related to that. The quantity of data that people get is one issue, but the quality is the other issue. And one of the things that I see with a lot of organizations, we'll be looking at a company's supply chain due diligence questionnaire and in it they have a bunch of yes and no questions. And to me that is collecting data that is of really limited value compared to a maturity assessment. So the difference here, like if I ask a company typically like, do you have an anti corruption policy?
Right. That's the kind of question that a company could say yes and they could have two lines in their code of conduct. Another company could say yes and they have a 40 page policy written by an international law firm so that yes, they're both telling the truth, but the value of the data you get back is really not very useful. The same thing holds true for all of the different compliance and sustainability topics.
Social compliance: do you employ, do you employ forced labor? Everybody's going to say no. In fact, a quick story on that, I was doing work a couple years ago and it happened to be related to cybersecurity and data protection.
I was talking to a tier one contractor to the Department of Defense and they had to fill out these assessments, like self assessments every year, questionnaires from the government.
And so I said to the guy, the CEO, I said, so what's this process like for you? And he said, Craig, we've got this figured out. We know that we need to say yes at least 80% of the time or somebody's going to come and look at us. But if we say yes, more than 90% of the time they don't believe us and they're going to come look at us. So we always say yes between 80 and 90% of the time. I say, has anybody ever checked on that? He said, nope, not once. So there's an example of the data being really worthless that's going back to the people sending out the assessment. So that is really not helping you understand your residual risk.
[00:06:09] Speaker A: Yeah. Now in your article you write something really fascinating. I'm going to quote you here you write, quote, by focusing on management systems to reduce residual risk, companies are turning compliance and sustainability from a check the box exercise into an activity that can become a competitive advantage. An effective way to get buy in for using management systems to reduce residual risk is to link it to improving business performance. End quote. Super fascinating statement. I would love if you could expand upon that a little bit.
[00:06:39] Speaker B: Yeah, yeah, for sure. So I'm going to step back and then I'll dive into this. So one, when we look like in the article, I talk about a holistic compliance and sustainability or ESG program.
So if you look at a company, every company has, let's say, 10 different risk categories. Corruption, trade, sanctions, social cyber, data protection. We can go into that a little bit later. But the idea here is that if you start to understand your inherent risk across the holistic spectrum and then start to look at your control or system maturity and your residual risk, that's what allows you to prioritize where you want to really reduce that residual risk.
That's where you can start to create a competitive advantage for yourself. So easy examples Apple. If you look at the TV ads that Apple does now, they talk about data privacy. They say iPhones protect privacy better than other phones. They're taking a compliance related issue and turning it into a competitive advantage in the product.
Patagonia does that with environmental compliance.
Different topics. It would be senseless for Patagonia to pick data privacy as their competitive advantage topic. But it makes perfect sense for it to be environmental compliance because it's outdoor wear. Right. Their customers care about that. So that is one of the ways that you do it. But you need to be able to do that in a logical, systematic way. And that's why collecting that data.
So going back to that, Apple's inherent risk on data privacy is incredibly high because they collect huge amounts of data on millions and millions of people.
Extremely high inherent risk, very low residual risk because of all the systems and controls they have in place. Same thing with Patagonia. They have picked out one inherent risk and put really sophisticated controls in place to reduce the residual risk down to a level that they can tolerate. The other thing I want to point out here is in every company, you need to understand your risk tolerance, because that's a key part of it. And for a lot of companies I talk to, they kind of have a vague general idea of their different compliance and sustainability risk, but they haven't really thought it through to a level, to a degree where they can collectively agree on what risk will we tolerate, what level we're never going to reduce risk. And that's the other thing that companies sometimes forget is they think, oh, if we put enough in place, we'll eliminate the risk. You never eliminate the inherent risk. All you're doing is reducing it. In fact, the analogy that I use in a lot of presentations is a tightrope.
So every company is on a tightrope. And your inherent risk, let's say you're 1,000ft up. What you're trying to do is to put controls in place to lower the tightrope to a level where you're comfortable or can tolerate getting on the tightrope. You never get off the tightrope. But if you bring it down where it's six inches off the ground, most people say, hey, that's cool, not a problem.
If it's 300ft off the ground, some people might say, I still might do that. And other people might say, no way.
So that becomes part of what companies have to do is that whole idea of risk tolerance in creating a culture in the company where it's consistent. If you're a global company, you don't want people in country A thinking that tightrope. I'm good with the 200ft off the ground without a net.
And the other people in country B saying, it's got to be 10ft off the ground, and I want a net underneath me that creates a culture where it's really inconsistent.
[00:10:32] Speaker A: Yeah, well, Craig, I absolutely love that metaphor. I think it's really impactful.
But let me ask you this.
You talk about a holistic range of compliance and sustainability risks. Why do you suggest companies assess their inherent risks in all of those categories? Like, why should they be spending time evaluating the maturity of the management systems they have in all the risk areas? Isn't that some of that time a little unnecessary?
[00:10:56] Speaker B: Yeah, I mean, it is if you do it in too much depth. But to do it at the right level, to do a quick assessment across the risk topics, corruption, data privacy, conflict of interest, antitrust, social, environmental, cyber data.
The reason it's important is a couple things. So number one, it's really important because it enables you to have a logic as to why you chose certain things to focus on, right? You can go to your stakeholders, your board, your investors, or the public and say, hey, the reason we chose to focus, put more effort in anti corruption instead of trade sanctions is, is for this reason we did an inherent risk assessment looking across our holistic portfolio of risks. And we decided that in a thoughtful process that these were the three or four risks that were most relevant to our organization.
That becomes a really important thing to do. The other thing that is important about this is you're also. You have that logic then, but it also gives you a logic for why you prioritize.
Why did we prioritize it? Well, because we saw that our inherent risk in labor rights is very high and we saw that our inherent risk in whatever conflict of interest was low. Therefore, you can prioritize why you're spending the next six months or year focused on reducing the, putting in better controls to reduce the risk in labor rights.
So it just gives a better logic to it. The other reason, Bill, is that a lot of the companies that I work with expand internationally. So you go to a new market, your risk profile changes, you have a new product launch, your risk profile changes, a new law comes into place, your risk changes, or you buy a company.
A lot of companies right now that I've been working with in the like in the software space, they've been transitioning to new models where they're collecting, storing and processing more consumer data.
So in the past, if you were like doing all like on premise stuff for enterprises and you weren't collecting any data, and suddenly your marketing people and product development people say we should really be going to a SaaS model, a software service model where we're holding more data. Your risk profile has radically changed. So the other reason I suggest companies do it is that they're not in a static environment and their risk will change over time.
[00:13:37] Speaker A: So in just the few minutes we have left, I know this article you recently put out as part of a series that you're developing. Can you give us a sneak peek as to, you know, what's coming down the pike in this series? Like, what are you going to be working on next?
[00:13:48] Speaker B: Yeah, for sure. So the first one was about the whole, like a call to action that companies need to go beyond reporting and use data for taking action. So then the second one is what we're talking about. The next one, which will be published soon, is a deeper dive looking into supply chain due diligence and the OECD guidelines and then specifically the management systems to meet that kind of supply chain due diligence regulation and the role of social compliance auditing in that. So that's the next one coming out. Beyond that, I'm going to go in two directions.
One, I'm going to be doing an article looking at the use of generative AI to be able to take good residual risk data and use generative AI to extrapolate and create predictive analytics about a much larger set of suppliers. So you could take the data from 100 if you get the right data, and then extrapolate back out and have meaningful predictive analytics on 10,000 suppliers, for example.
So that's one direction that I'm going to go with an upcoming article.
The other one, I actually have a call with the editor tomorrow to go over it, but I think that's probably the next one on my list is about the Gen AI topic.
[00:15:06] Speaker A: Indeed. Well, sounds super fascinating. I can't wait to read it. But in the meantime, if somebody out in the audience is listening to this and they're going, you know what, I want to talk to Craig about how all these things can apply to my organization. What, what's the best way for them to get in touch with you directly?
[00:15:20] Speaker B: For sure. Just send me an email at Craig Moss, mossphere.com Happy to hear from you. I'm happy to talk to you about the work that we do with organizations. We've actually done this kind of holistic residual risk assessment for literally hundreds and hundreds of companies around the world.
It's quick, efficient, and I'd love to talk to you about it.
[00:15:45] Speaker A: Well, Craig, this has been a wonderful conversation and it's always a treat to learn about the connection between risk compliance and business sustainability from you. So thank you once again for joining us today.
[00:15:54] Speaker B: It's been a pleasure. I look forward to the next time.
[00:15:57] Speaker A: Well, to read Craig's article Leveraging Residual Risk Data to Go Beyond Reporting, please visit the Dow Jones Risk Journal. We'll also leave a link to Craig's article in the Show Notes for this episode. On a related note, Ethisphere has just published its latest report, AI in Ethics and Compliance: Risk to Manage, Tool to Leverage, which features an overview of AI regulatory trends, AI governance best practices, and use cases from E&C leaders at Cargill, Palo Alto Networks and Verisk who are integrating AI into their team's daily work. It's a great report. You don't want to miss it. To get your free copy of it, visit ethisphere.com. Also, we have a pair of terrific free webinars connected to this report that are starting to launch tomorrow, October 2nd, and then again on October 14th. To register for both of these events, visit ethisphere.com events or hit the link in this episode's Show Notes. The first webinar, Avoidable AI: A GCSECO Playbook, kicks off tomorrow at 1:00 Eastern and features Ethisphere's Erica Salmon Byrne, as well as a panel of experts from our partner Davis Wright Tremaine. This is going to be an outstanding discussion on AI regulatory risk. I'm very much looking forward to it.
Well, thanks for joining us. We hope you've enjoyed the show.
[00:17:08] Speaker B: Thanks.
[00:17:08] Speaker A: New episodes each week. Be sure to follow Ethisphere here on LinkedIn as well as to subscribe to us on YouTube, Apple Podcasts, and Spotify. Every like, comment and share really helps us spread the word about best practices and business integrity, and we deeply appreciate your support. That's all for now, but until next time, remember, strong ethics is good business. Bye now.
[00:17:36] Speaker B: SA.