Brian Stafford is the CEO of Diligent, the world’s leading GRC software as a service provider with more than 500 million in revenue.
One million users from 25,000 organizations across over 130 countries rely on Diligent to create impact for all stakeholders through modern governance, risk and compliance (GRC) solutions, including 81% of the Fortune 100.
Stafford is a board member at Brooklyn Academy of Music, the former head of McKinsey’s software as a service practice and the author of Governance in the Digital Age.
Below, Stafford explores GRC, its meaning for modern-day business and how companies can implement GRC strategies to drive future success.
Q) Can you define for us what governance is, and how it drives and relates to risk management and compliance?
BS: Governance, in its simplest form, is taking the right information from wherever it exists within the enterprise, or from outside it, and delivering that information to the board, the CEO, the CFO, the GC and other leaders to help them ask the right questions and make the right decisions.
Over my last six years at Diligent, we’ve seen governance become even more important. If you look at all the issues and news out there, all that information is targeting the company, the CEO, the CFO, and the board, with enormous financial and reputational repercussions if not handled properly.
Over time, issues around environmental, social and governance (ESG) initiatives, around compliance – these are board-level issues, and boards historically haven’t had access to the information required to help them be better stewards of the organization. At Diligent, we have started to put that all together for the board.
Q) What is the board’s role in GRC? What do boards need and how do we get it to them?
BS: The issues of risk and compliance are board-level issues that actually impact the long-term health and sustainability of the company, and they impact on the interconnectivity with regulators.
For investors, too, it’s become an even bigger issue with the rise of ESG. When you talk to our more than 700,000 board members and leaders who use our solutions, they tell us they would like better insight, better information and more transparency around risk or compliance.
They will tell you very candidly that the amount of information and how it’s shared varies dramatically across the organization. They want standardized information across each of the companies whose boards they sit on. They need more visibility and more assurance that they have the information they need to know all the issues associated with risk and compliance around the organization.
Ultimately, that all rolls up to the CEO, CFO, and general counsel. And, as we all know, GRC-related issues can get the board in trouble and get the company in trouble.
So, increasingly you’re seeing board members wanting more detail and more knowledge. They want to know what those best practices are, what those templates in those frameworks are across each of the organizations. We see more need every day for the board and more visibility on risk.
Q) Boards need accurate information to be able to guide the organization better, and GRC has to be able to deliver, or it fails the board. More detail is needed, but how do we deliver that detail?
BS: It’s one of my favourite questions to ask the board after they’ve had the CSO come in and give a presentation around cyber risk. After the presentation, did you feel better or worse off than before you actually had that discussion?
The subjects are complicated: Do you overshare and get lost in the weeds? Do you under-share and not give your board the confidence that you have visibility into the different issues? Part of governance is helping to take all the awesome practitioners who exist within risk, compliance and audit – individuals who have lots of data and who help to distil it in a way that lets the board consume that data in a strategic way, enabling them to better understand trade-offs.
Ultimately, no organization is going to be without risk. Risk is there to prioritize areas where you’re taking or mitigating risk, and making sure there’s a clear view of the risk across an organization.
At Diligent, we’ve built up frameworks and best practices that boards want to see reflected in the risk information presented to them; it’s how they actually want to see compliance. This will differ by industry, or by size of company or location. Our goal is to take all of those frameworks and best practices that we have within Diligent and merge them with risk and compliance data so that you eliminate that disconnect.
We often see that disconnect – the CCO goes into the board and they’ll ask questions and piece together different reports, but it’s not that helpful. We have the unique ability to piece together those frameworks and best practices, all those templates that exist at board level, and connect them to all the dashboards that currently exist within risk and compliance systems.
Ultimately, what might be helpful in the middle of the organization is not helpful on a more senior level and at other categories.
Our companies have done that really well, with ERP (enterprise resource planning) software, with CRM (customer relationship management) software. But it’s actually never done as effectively with GRC. So, right now you have as many quizzical looks coming out of the board as you have people nodding their heads and feeling confident.
Q) How can you engage with and explain to the board about the meaning and significance of GRC, and how can you get them involved?
BS: That’s exactly what we’re doing for our clients. Boards operate at such a high level, they’re often bringing together a wealth of different experiences from different industries. The most important thing in that dialogue between a company, the C-suite and the board is helping to make sure that the information gets translated in the right way. People can then ask the right questions and make decisions based on that information.
There’s the software component, but we also help bring the two communities together. If you look at those 700,000 board members using our applications and combine that figure with the hundreds or thousands of risk and compliance professionals, we’re starting to build groups to create communities.
The reality is that a board member wants to pass on what they would like to see in an enterprise risk management presentation to the head of risk. But that dialogue doesn’t happen.
It’s about the ability to have our clients on the risk side – whether it’s cyber risk, third-party risk or different components of it – hear directly from board members. Our users can present what’s helpful, what they’d like to see, and show an example of what good is, and that’s what you have in our application.
Currently, you have a gap between people in the middle of the organization who are data experts, and people at the top who want the right information at their level, to be able to help with pressure testing. We’re putting that all together for our clients.
In five years’ time, that data on different parts of risk is going to become so much more important. You’re going to see companies who are held to non-financial metrics and standards in their reporting – such as ESG; reducing climate change; diversity, equity and inclusion (DEI) – all that data must come from internal systems before it gets bubbled up to the board. The board can then say, for example, “I’m going to tie your compensation to how much you move the needle on racial diversity across your company.”
All that information needs to come together in a way that’s easier to digest. Demand just continues to increase.
Those risk and compliance factors have historically been shared with the board and the C-suite, which then interpret different data and ask how they can make organizations better. But we’re seeing that issues like ESG regulation and modern slavery, which boards have been debating and discussing internally, are now being required to be disclosed.
Not just declaring and understanding what that data point is, but the strategy for improving it over time, is going to become a very real thing for many public companies, and increasingly for private and private equity companies as well.
Q) What advice can you give on the need to connect both the operational “in-the-weeds” elements of GRC and top-down strategic governance? How can we deliver on this?
BS: A lot of this comes from better understanding at the board level of what the strategy is, then making sure the data can better represent that strategy. We too often see across our clients that materials that end up getting shared with the board are incredibly dense – detailed material with reams and reams of data.
When people in organizations say they’ve eliminated all risk – it’s just not true. If you’re going to go in and move radically into digital transformation, you’re opening up risk on the cyber side. If you don’t move more radically to digital transformation, you’re opening up risks from getting attacked from other players who offer more capabilities.
I believe starting out with that strategy, and then plumbing that data into that strategy, is incredibly effective and helpful. We have the templates and best practices for clients, but they can actually see how it’s possible to have that conversation around strategy.
Many times, our clients have asked us how to communicate cyber risk to the board. This used to be a conversation between the C-suite and the board. But now those conversations, those assets, and the tools involved are available to risk and compliance professionals through our application.
Q) You’ve recently expanded your presence in the GRC space. You have the leading board portal for that top-down perspective, and now you’ve acquired Galvanize and Steele, two risk and compliance SaaS providers, to further develop Diligent’s operational GRC aspects. How do you see these elements integrating and providing value to the organization?
BS: There has historically been a disconnect between the board, the CEO, the CFO, and other layers within the organization from a risk and compliance perspective. And we think we have the best opportunity to combine those two.
We acquired risk and compliance SaaS providers because it’s what our board member users asked us to do. They said these issues are becoming more and more important – they’re now dealing with increased fines, notoriety and negative press. Our board members have asked how we can help them to connect to risk and compliance information, help interpret it and make it make sense. And that’s what we’re poised to do.
We’re excited to do this for our clients – to make communication happen seamlessly so that everyone can digest that information and have the potential to make sure an organization can improve.
The biggest fear of a CEO, CFO or board member is missing something. Whatever red flag might exist, it likely shows up in a system somewhere. The problem lies in bubbling that up so that people see it and ask the right questions.
Comparing what companies do across each industry, looking at reports used at the CEO, CFO and board level, and then combining that with the data from the dashboards that come from Steele and Galvanize – we have the opportunity to do that and set companies up for success.
The chief risk officer, the chief financial officer and the chief compliance officer each gets to leave the board room having had a productive meeting. I think this will ultimately make organizations stronger and tighter in their GRC policies, and make them more effective.
Q) How can an organization become agile while navigating and using risk to the organization’s advantage as a tool?
BS: Agility is one of the essential points, and one of the biggest changes in GRC. Years ago, governance maybe happened four times per year. One board meeting would be about strategy, the next about risk and so on.
Now it’s weekly or monthly, with all board members joining in, so priority lies on trying to be more agile as an organization, not waiting for a consulting company to put together a report for the board meeting that’s taking place in two months’ time.
You have way more data and insights, so you can respond faster, and the connection between strategy and GRC is really important, especially at times of crisis. Waiting two months is just not good enough.
Looking at the strategy and the data, we’re going through a model that was scrutinized for fidelity of information by companies 20 years ago. This was about enterprise resource planning (ERP), application performance standards (APS), etc.
For the last 10 years, people have been more focused on growth – CRM, Salesforce, marketing, automation and Adobe. GRC will help corporations be more agile for the next 20 years or so.
We’re moving into a world where people care about the non-financial metrics more than they ever have before, asking questions about how diverse an organization is, what the environmental footprint is, if it traffics in modern slavery anywhere in its value chain. Those things which people just talked about in the past, or posted about on their website, are now going to be required disclosures.
Q) What should organizations, and particularly boards, be thinking about regarding ESG and building their strategy around ESG, and the supporting role GRC plays?
BS: I think it’s going to be a clear driver of strategies, not just for the board, but just for companies over the next five to 10 years and more.
There are two other pressures that are driving it: One is that your employees increasingly want to work for an organization that is more purposeful, and that stands by the same values as they do.
The second factor is that customers increasingly want to buy from organizations that are purposeful, and to which they aspire. As a corporation, you might want to do it because you’re worried about regulators, or because you’re actually being successful playing that strategy out. You might be playing to win – making sure that you can be employer of choice that people want to buy from can help you win in the market. Investors will see this too.
ESG is a really big opportunity. It’s going to be a component by which boards and C-suites will have to define their strategies for the next five to 10 years.
ESG is going to force less of a quarterly mindset focus and push more of a long-term strategy, which I think is good. It’s going to focus on our communities, our resources, and how we can invest in the right way.
It’s going to affect how company and C-suite compensation is going to change over time. So, where you were previously compensated based on what the total return to shareholders might be, or what your quarterly profits are, now you’re actually going to be compensated as a CEO, CFO or member of the C-suite based on whether you moved the numbers on sustainability: How are you doing on your carbon emissions? Are you improving diversity? Those are metrics that ESG investors are pushing more for. We saw that in the oil and gas industry with activist investors taking the ESG approach. You’re going to see this become more mainstream.
Whether it’s the Biden administration or TCFD (Task Force on Climate-Related Financial Disclosures) or other regulations, ESG is here to stay. You need to have a strategy to show how you’re improving those non-financial metrics more over time than your competitors.
I think many organizations are getting ahead of it. But those other organizations who are not are really going to have to start moving, because we see this changing over the next six to 18 months.
Q) How does a top-down board-driven strategy enable the organization to be not only resilient, but also agile?
BS: Make sure there’s alignment on strategy. Make sure that there’s clear alignment and communication around what the strategy is for the board around risk and compliance, and make sure your departments realize that as well.
Within our solutions, through our community of users, there are many examples of how companies communicate their strategy by industry or segment. So, I think that alignment is important. That’s the first step of setting up an organization for success.