Transcript: Kristy Grant-Hart podcast

In this podcast discussion, Kristy Grant-Hart talks about compliance technology reviews as an important aspect of program effectiveness.

This is a transcript of the podcast episode, Kristy Grant-Hart walks us through the compliance technology review, featuring a discussion between GRIP’s US Content Manager Julie DiMauro and Kristy Grant-Hart, Vice President, Head of Advisory Services for Spark Compliance.

[INTRO]

Julie DiMauro: Greetings, everyone, and welcome to a Global Relay Intelligence and Practice, or GRIP, podcast.

I am Julie DiMauro, the US Content Manager for GRIP, talking to you from New York City.

GRIP is a service that features a daily website of articles on a variety of compliance and regulatory topics. Plus, podcasts and other deep dives into compliance trends and best practices.

You can find the service at grip.globalrelay.com, and we hope you’ll connect with GRIP on LinkedIn.

I am so pleased to announce that today’s podcast session features Kristy Grant-Hart, Vice President, Head of Advisory Services for Spark Compliance, a Diligent brand. I’m going to ask Kristy to please introduce herself and describe her background before we kick off the program. Over to you, Kristy.

Kristy Grant-Hart: Hi, Julie. I am so excited to be on with you today. Thank you for having me. And to be talking about how to make technology assessments to decide if it’s going well for you or better. My background is originally in FCPA defense.

I did two corporate monitorships in Big Law. In 2011, I was moved to London to work on the LIBOR investigation for one of the big banks in Switzerland and London and ended up marrying a Brit, staying in London for the next nine years and at that point going in-house.

So first as the Director of Compliance for Europe, the Middle East and Africa for a big business travel company, and then as the Chief Compliance Officer for the joint venture of Paramount and Universal Pictures, running their program in 65 countries. During the COVID era, we came back to Los Angeles.

And in the period between 2016 and now, I started Spark Compliance, which is a consulting and training company. And we grew it from just me in my London apartment, having folks in Chicago and New York, Amsterdam and London, as well as Los Angeles. And two months ago, we were acquired by Diligent, which is a board, obviously, governance compliance company that does a lot of third-party software and policy management.

We couldn’t be more excited to have this new era in front of us.

Julie DiMauro: Congratulations. That’s such great news. I was so happy to hear it, Kristy. OK, let’s get going. Kristy, just to kick things off in the proper manner, can you tell us what goes into a compliance technology review?

Kristy Grant-Hart: Yeah, absolutely. So what we found is that a lot of companies buy software to help their compliance team, and they don’t know if it’s working or if it’s helping, or if, frankly, no one’s using it because they find it horrible. So they’re paying all this money for it, and they’re not actually using it, or they’re using it in a way that isn’t optimized for the team, or for the company as well, right? It’s not just the team using it. Frequently, it’s the company, too.

So what we decided to do was to make a qualitative and quantitative way of looking at this so that you can score properly and understand, are my solutions working for me? So what we did was we put together three variables on a one to five scale. So the first one is user friendliness. Basically that’s how easy is this to use? Is it intuitive? Does it take a long time to learn? And really, do people like it? Part one.

Part two is customization. So that’s how well can you customize this solution? Can people do it themselves, or do they have to buy time with the company to develop it more? Is it easy to customize on your own and customize to your needs?

And the third part is, third element really, is optimization. And so that really is, for me, it’s utilization and also how optimized is it for your company. So if you put these things together, how user friendly is my software? How customizable is it or customized now? And how well is it optimized and being used? You can get a really strong sense of, OK, these programs are working well for us and these are not.

So for each of those three categories, it’s one to five, five being they’re fantastic, one being it’s terrible. So you end up with a score for each between five and 15. And that really helps you to physically see in a report what’s working well. My whistleblower line is fantastic. My third-party risk management process is terrible. My policy manager is pretty OK. What do I need to focus on? Do I need to replace one of these? Do I need to talk to the people who are providing the software? What do I need to do? Really, it helps you understand what is going well.

Julie DiMauro: Now how do I prepare for one as a business? When you’re coming in, what is it that you have me do to set the table?

Kristy Grant-Hart: Sure. Basically, what you need to do is number one, categorize what you’ve already got. Because sometimes we have systems we don’t even know we have anymore.

Some of the companies that we work for are very large multinationals or they have very disparate business units that have different types of technologies they purchased. So if the compliance department wants to do a review like this either with someone like us or internally, what they need to first figure out is what have I actually got? What am I using?

And then getting ready to ask the correct users for their information and feedback. So preparing maybe a questionnaire or understanding what you’re going to be asking and thinking about when those contracts may be renewing so that you understand are we looking at potentially replacement or are we looking at how we optimize now with what we’ve got.

Julie DiMauro: Now, as part of my compliance program review annually, I look at some of these things and sometimes the IT team does their own audit. How does this differ from those activities?

Kristy Grant-Hart: So the program review in and of itself, typically those are done on some variation of the seven elements of an effective compliance program. And the technology obviously fits in, right? So in the case of policies and procedures, policy management software would be one element of that.

As would third-party management software be one element of your third-party risk management. But third-party risk management is also looking at from an appraisal standpoint, is my scoping correct? Is my workflow right? Is my due diligence questionnaire too heavy handed or not heavy handed enough? That’s very different than how does my software fit for purpose within my organization.

Are your policies overly long, legalistic? Can people find them? There’s all kinds of questions that aren’t, is that technology serving me properly and are people using it? So they make sense as being part of the whole ecosystem, but this is a very specific focus on whether it’s working for you or not.

Julie DiMauro: So just as a follow up, looking at the context of how this fits into the compliance program and your annual and semi-annual reviews of it, organizations for many years have classified cybersecurity as being a top risk for them. It’s always in the top three, if not number one. How does the tech assessment interact with these IT reviews like ISO 27001 or SOC 2 audits? How does this fit into that rubric?

Kristy Grant-Hart: So I think that this is the next thing after they’ve gone through that, right? We don’t want any of our software to fail, cyber review, right? Or privacy review. This really is looking at how well are we optimizing the software that’s already passed this? How well are we able to make sure that it’s fit for purpose and that the money we’re spending on it is getting us the outcomes that we need?

So I would say that step one is making sure that any software you have dealing with compliance program has a really strong security and can pass those kinds of tests. But then the next part is, OK, it’s good enough from that perspective, but is it actually working for us? And which ones do we need to prioritize either shifting, changing, or optimizing? And which really we can kind of leave alone because they’re doing a good job for us.

Julie DiMauro: Now thinking about technology and some new technology being brought into a program to work alongside older technology, as we call it legacy technology, there’s always some issues involved in that. I hear about it all the time. What are some of the problems you’ve seen and solutions that you’ve come up with and recommended?

Kristy Grant-Hart: Well, the legacy systems, I mean, the big challenge is always to make sure that we get as many APIs, the ability to talk from one program to another. So one of the things, if you’re getting new technology, is to simply ask the question, which systems does this system talk to already and which ones are you building.

Because a lot of times those legacy products, if they’re not being very supported anymore, if the companies that made them have moved on to shinier things, it can be really difficult because they may have critical systems.

But the more we can get them to talk to each other, the better. The other thing is to call your sales representatives or your point person to ask about the product roadmap for the new product. Maybe the new product will be able to take over some of that functionality, maybe that the legacy product did.

Or maybe they can create an API that will allow that information share to happen. So it’s really trying to figure out what solutions you can have while continually dealing with what you’ve got.

Julie DiMauro: Now what’s the approach that your team takes when you spot opportunities for improvement or products that aren’t working well in one or more areas after a tech assessment? What does your recommendation or report look like?

Kristy Grant-Hart: So the report would have all three of those scores for each of the pieces of technology. So if we’re just pretending that we’ve got whistleblower, third party policy manager, you would have scores for each of those for that user friendliness optimization and for the customized element of it.

And then there’s, OK, well, like a regular, almost like a risk, like a heat map. You say, well, this is our biggest problem. This is our second problem. This is our third. And then it’s the decision of how problematic is the problem. So it may be that it’s best to focus on one that’s clearly standing out as a problem. Or it may be, you know what? All three are pretty good. Let’s focus on this low hanging fruit version.

And one of the things we always do is have those tech reps talk to us about what the roadmap looks like. Because a lot of times it’s going to solve some of those issues. If one client has a burning issue, frequently lots of them do.

So part of what happens is understanding what that looks like. The other thing is sometimes people don’t have fixes turned on. Right? Like maybe the software was updated or they don’t have the new report in the on switch. And then they’re not getting the benefit of the technology as much as they could. So those are definitely places to start with.

Julie DiMauro: You just brought up something that made me think, involvement of the technology provider. What is your interaction with those people in those companies?

Kristy Grant-Hart: Right. Well, I’m going to be talking from a point before we were acquired by Diligent, because obviously we were more agnostic at that point. But what would happen was that doesn’t stop people listening from this podcast from doing the exact same thing, which is calling those people and saying, this is where I have my issue. Can you tell me about the product roadmap? Can you tell me what you’re planning on prioritizing? Can I give you feedback for what I need? And do you have any suggestions about how I can fix this problem?

Because ultimately they want to continue to be your vendor. Right. And the more that they can know about what is happening in real life with your product, the better.

I mean, one of the things I see is a lot of times, technology companies are built by engineers and really smart people who maybe aren’t ever in the compliance officer seat. And so the feedback you’re giving them is making them better too. So I think that going in and having conversation about how it can be better and what they can already do for you that maybe you don’t even know about is a really powerful way of moving the relationship forward.

Julie DiMauro: Do your recommendations include training people so that they’re better able to use the technology to their fullest?

Kristy Grant-Hart: Absolutely. I mean, when you’re looking at your tech assessment, part of it is the customization and optimization also come back to you as the tech user. Right. So it’s not always the obligation of the company providing the software to make sure you know how to use it well, or that you’re training other people on using it well.

It’s very simple things like doing video walkthroughs of one of your people that you’re just … there’s tools like Freecam where you’re able to just record your screen and the voiceover it so that it becomes much easier to use and you have ways of seeing it. People learn differently.

Some people like to have visual flowcharts showing them go from step A to step B to step C and other people really like the walkthrough and to just talk through it as it’s happening. So I think that there’s a lot of value there and some tech companies do product updates that they have webinars and things.

So I think that it’s not just about … this is a two-way relationship, right? So it’s your user and how their experience is, but their user experience could be improved simply by better knowledge.

Julie DiMauro: Absolutely. Now, can you tell us maybe three of the problems that you have traditionally seen in these reviews? Almost always there in some form and you’re prepared to deal with them right from the start.

Kristy Grant-Hart: Number one, it’s the most common one is this doesn’t work. And when they just say this doesn’t work, a lot of the time the answer is the way it was implemented does not work for you.

And this is especially … I’ve seen this more often with third-party program software than anything because if people don’t take the time, whether it’s Diligent or anybody else’s, if they don’t take the time to think about how essentially heavy-handed an approach they want to take or how risk-based they want it to be, if they don’t take the time to think programmatically about that, they’ll end up typically with one setting.

Every third party goes through this process. Now you’ve defeated your risk-based approach. The business hates you because you’re only doing one level of review and it’s not risk-associated. So the number one is it doesn’t work. And then my question is, OK, how did you do this implementation? Or what were you thinking when you did it? Has the business changed so significantly that the original implementation workflow doesn’t make sense? So I think that’s the first thing.

The second thing I see all the time is that you, compliance officer, don’t know how to run the reports or understand what data is available. So so many of the technology companies have appropriately gone all in on data analytics and dashboards and things like that. Those things don’t self-populate, though. They can’t necessarily create a dashboard from your imagination that has all the data points you need. Because companies are different. They have different things they need.

So if you have never learned how to do the reporting or never asked somebody to teach you or never asked them to help you set up those reports, it may be that you have data analytics you do not know about and do not understand how to access. But it’s there for you. So I think those two, it doesn’t work because I didn’t implement it correctly or it’s not fit for purpose now. And the second one is that I don’t know what kind of data I can get out of this and how to make a story with it.

And the third one is that very few people, in my experience in our industry, know how to ask about the APIs and understand how the information flows work. I think people see that they think of it as being independent systems that don’t ever talk to each other. There’s a whole lot of systems integrate with SAP or some of the large systems that people … enterprise systems that really can work with a number of other smaller in comparison type systems.

Julie DiMauro: Are there any challenges that have been brought into the equation with more work from home arrangements? You know, I’m just thinking of a couple of and we’ll talk about artificial intelligence, but something that we’re doing more often in, just in the last five years.

Kristy Grant-Hart: So I think the answer is if you have employees that are less technologically sophisticated, it is much more difficult for them to turn to the person next to them and say, how do I make this work? Because in an office environment, “hey, Julie, can you come over” and that kind of help isn’t as readily available.

So I think it actually when you have technology that isn’t working well for you or isn’t working well as it’s been implemented, that those problems are exacerbated by people working from home.

Julie DiMauro: Absolutely. Now, can you speak in general terms about the effective compliance program in 2025? First of all, I want to start with artificial intelligence. I mean, it’s all we talk about, you know, you go to a conference, they weave it into almost every single panel in some way. And there are a number of hearings going on, of course, in various branches of the government and regulatory agencies as well.

So how does AI fit into all of this and change these technology reviews and maybe add extra risk that you’re looking at, you know, more complex technology and skill sets needing to meet these demands?

Kristy Grant-Hart: Yes, AI really is the drinking game word of 2025. It’s very impressive. You know, you had to take a drink every time you heard AI. None of us would be conscious.

So, like, AI is making everything faster, right? But I think that the question mark when you’re doing something like a tech assessment review is really, in what way is the impact of this artificial intelligence on this product affecting my user experience? What is the AI doing to affect its customizable capacity to work for my company? What effect is the AI making to my ability to optimize the product? I mean, if AI is being done in ways that are beneficial to my user experience, then that can be fantastic.

So from a review process in terms of the kind of review that we’re looking at or doing, it’s not necessarily about whether it’s AI enabled or doing something zingy with AI. It’s about what is the outcome of that experience on my user or what is it making it easier for me? Is it making it more intuitive?

Is it learning so that I’m able to accomplish these tasks faster? That’s all going to affect my scoring in a positive way. Because the fact that you put an AI sticker on it doesn’t matter to me. In this review, I’m looking at what’s the outcome of my experience with the customization, with the user interface, and with the ability to optimize. So I think AI can be absolutely brilliant for those experiences. It just depends on how it’s being deployed.

Julie DiMauro: Absolutely. And you know, and I do want to backtrack to one question that I should have asked earlier, which is, is there a typical point in time when someone, a company, reaches out to you for the technology review?

Kristy Grant-Hart: It’s just usually when they’re frustrated.

Julie DiMauro: What has gone wrong, typically?

Kristy Grant-Hart: Yeah, no, there’s actually a couple of places when this happens. One of them is a lot of times when we’re doing a program assessment generally. So we’re doing the standard, OK, we’re looking at your policies, procedures, code, governance, ordering, all those things, right? Tone to the top, leadership. And they say, you know what, there’s this overlay we can do with looking at your technology and how it’s being used. That would always be part of our consideration in your program assessment.

But we’re going to actually have a whole layer that’s specialty to this. People really like that. So that’s the most frequent time that we get this request. But we also get it when they just say things aren’t working in our systems, or we have so many disparate systems, we don’t even know what we have. And that is a conversation starter for, OK, what if we aggregate all that information, evaluate it with a methodology, and then give you the tools to see what do you want to do next with this?

Julie DiMauro: Absolutely. Now, getting back to 2025, in light of a new regulatory regime and administration, I’m just looking for your thoughts here on how tech developments and new approaches are maybe changing your approach with regard to technology reviews and compliance program reviews.

If you care to comment, it’s top of mind for compliance officers right now. What do I do now? How do I prepare for all of the uncertainty that seems to be just, really, that’s all we know that’s happening right now is that there is uncertainty and going to be for a while. How do you adequately deal with that?

Kristy Grant-Hart: There’s answers to every single area of compliance law. I think that that’s probably true. But focusing when you’re talking about regulatory expectations with respect to technology and AI, I think that the most important things right now are to recognize that regulators have put out very high expectations.

I think, frankly, sometimes very unreasonable expectations about how much data people should have about their capacities for data analytics, about AI governance structures and management. If you look at the most recent update to the DOJ’s evaluation of corporate compliance program and guidance, there’s all kinds of words in there about how much data people should be able to access and how they should be using AI and how they should be able to understand everybody else’s programs too in the whole company.

Frankly, I think it’s really the fact that I think it’s a high bar doesn’t actually matter because I am not a prosecutor or a regulator. If we know that, then we absolutely have to be pushing further and drilling down into how can I get these data analytics? How can I have the programs talk to each other? How can I systematize understanding risk in a real time?

Really that, when you’re looking at how your technology is functioning, what you’re using now and what you will use in the future, it’s getting to the right stories that tell you where you actually have risk. The other challenge is, OK, congratulations, you have so much data and so what? The data itself doesn’t matter.

It’s the story that it tells and it’s the outcomes that it’s driving. Getting your head around the idea, they expect me to understand the story the data is telling me. How do I engineer this data to tell me a story?

Julie DiMauro: But at the same time, if you’re looking at this regulatory regime and you’re thinking cybersecurity rules could be a little bit more relaxed right now and there’s really definitely an appetite for innovation versus regulation and that there’s a little more opportunity to play in the sandbox and try new things.

Does that give companies a little bit more leeway in this area to be a little more creative, new technologies and introduce new ways of using technology?

Kristy Grant-Hart: Probably, but it also is balanced by and nobody wants their cyber breach. Right? The fact whether or not the different regulators are going to come down with a hammer and fine you, the reputational damage, the individual people damage, the ability to end up in the front cover of – pick your newspaper – for having had some giant cyber issue or AI gone awry and taking over the world or whatever it is, is very much still real.

In certain areas of prosecution, I think in the bribery space and in some of the other ones there is an easier argument for why it doesn’t matter as much now. When you’re talking about things like cyber and privacy and AI, first of all, we still have Europe. Europe still exists and they’re very interested in all of this regulation.

But secondarily, people still care, consumers still care. And those types of things, especially in the fast moving parts of the world like technology, I think that it couldn’t be more important no matter what’s happening with the regulatory regime.

Julie DiMauro: Absolutely. A variety of stakeholders care from activists, investors to customers and the employees of these organizations as well. So absolutely. To the extent that certain states within the United States have certain rules and obviously in other countries they do, you have to be obviously very, very mindful of that.

And I’m just thinking of chatbots that haven’t worked and legal briefs using AI. All of these things cause reputational damage. Why run the risk when you can put up some guardrails and take your time with it?

Kristy Grant-Hart: Absolutely. I mean, the AI gone wrong stories are part and parcel to my favorites. You know, where chatbots give employees wrong information that they then act on and then they try to be fired for it and the chatbots told me I could and the court said, yes, it did. So you’re stuck with that.

Or the discoverability of AI note takers, putting down information, not understanding sarcasm and having it say, oh my God, I’m going to kill him and realizing that that actually meant it didn’t mean it was not a death threat. It was said in sarcasm. And those are all those kind of things where we don’t pay enough attention to risk.

Julie DiMauro: Unbelievable. But at the same time, you know, it is believable because we’ve been kind of inundated with all of this technology, all of it all at once. And, you know, it’s tempting to want to use it more fully and beat your competitors. Right. I do get that aspect. Just a final question for you. I want to turn to you and your career trajectory.

I’d love to, you know, have you talk directly to more junior compliance officers, people just entering the field or thinking of making a change into consulting. What are your words of wisdom based on your background to keep them motivated?

Kristy Grant-Hart: So I think that if you’re younger, either in age or in seniority in this industry, I think that it is very valuable because those types tend not to hear, oh, but that’s all that’s how we’ve always done it here. We’ve always done it that way.

We shouldn’t change it because when you’re young in a career, you have so much better perspective, whether you’re transitioning from somewhere else into compliance or if you’re just coming up in your 20s into the field. I think that you have so much more capacity for shift and that’s incredible and something that’s a gift. So take that as an advantage as opposed to anything else.

And, you know, I would also say that coming in, you want to always build your people skills and your network because AI can do a lot of things. But AI is very bad at teaching people empathy and teaching people understanding and teaching people how to help other people with their career moves and the kind of strategy that comes out of human.

So those two things together, I think, make for a great compliance officer or consultant and that that’s the place that they should be focusing on the fact that I always come back to, which is we are in a career that changes the world and changes the way people experience commerce. If you can remember that it is an incredibly powerful place from which to act.

Julie DiMauro: Kristy, thank you so much for your words of wisdom right there and for joining us today on this GRIP podcast.

And thanks to everyone for listening in as ever. Please explore our articles and other podcasts at grip.globalrelay.com, and please tell your colleagues about us. We will see you back here for another podcast session soon.
