
Don: Good morning. Good afternoon. Welcome to the next episode of the On Your Radar podcast. I’m your host for On Your Radar, Don India, and I have the unique pleasure of speaking with industry experts covering critical topics, focusing on the areas of governance, risk and compliance, privacy, overall corporate compliance, and cybersecurity.

And today is no different. Please allow me to introduce our guest today in On Your Radar. A veteran product manager, an international startup investor, an expert in governance, risk, and compliance, and today, head of risk solutions at ServiceNow. Aneesh, welcome to On Your Radar. Thank you for joining us.

Aneesh: Thank you. Pleasure to be here, Don.

Don: Aneesh, I appreciate you being here. Tell our audience a little bit about yourself before we really get into our topic of conversation today. I really want to understand your journey. How did you arrive at where you are today?

Aneesh: Yeah, sure. It’s been a long journey, uh, been building products for over 20 years.

I never wanted to be in engineering. I ended up doing engineering when there was so much hype about it in India; this was back in India, when everyone had to be an engineer or a doctor, pretty much. So I was forced into engineering, and then when I was doing engineering I was trying to get out of engineering, to say, okay, this is not what I wanted to do. So I ended up doing a master’s in business administration, and of course in between I was trying to get out of all the programming, and during my master’s I always thought I was going to be an advertising person, a marketing and advertising person.

But in the final year, for campus recruitment, there was a company that came and gave me an opportunity to be in product management. So I did justice to my engineering and my master’s in business. I said, go for it, because it was not an easy thing to get a product management job in software.

And it was not even something that was taught in the MBA. So I grabbed that, and that’s how I got into products. And then I was in various companies, and I was very fortunate to join a GRC platform company in 2010, and that’s how I got into GRC. I had no clue what GRC meant, what risk and compliance was.

It was always something that was scary, right? I mean, as soon as you think about risk and compliance [you’re dealing with legal stuff and compliance].

So that’s how I ended up where I am. And it’s been 14 plus years in GRC, working with large organizations, helping with their initiatives and journeys in different areas of risk and compliance, whether it is business continuity, IT and cyber risk, privacy, operational risk, enterprise risk, audit, various other programs.

And of course it all started in SOX, you know, many years ago, and there are so many different flavors of compliance and what it is today. I mean, the world has only become more complex with the regulatory landscape. So that’s how I landed where I am right now at ServiceNow, leading the products for us.

Don: Well, I appreciate that background. I’m going to layer one question in before I get into our real topic. So, 2010 to 2024 in GRC. You’ve seen a tremendous amount of shift and change, new technologies, old technologies forming new technologies. Talk me through the construct of what you’ve been able to witness throughout the course of those 14 years.

And for our audience, what do they need to be thinking about in terms of the evolution of GRC over that period of time? Because it’s tremendous. And I believe the pace is going to continue to go even more rapidly as we progress forward.

Aneesh: Yeah. One thing that I say about risk and compliance, I mean, it’s recession proof.

Education and GRC is recession proof. Doesn’t matter whether it was the pandemic or, you know, when the economy was doing very well, there’s more regulation, [it] doesn’t stop. So, that hasn’t changed. And that will not change. Never. What has significantly changed is the interconnectedness and the technology, digitization, if you will. Like, digitization of risk and compliance was always there.

People wanting to move from paper to spreadsheet to, you know, Word document, PowerPoint. So that was digitization those days. And then from that to some online tool. But now, digitization has become more complex with new types of devices. Cyber has become much more complicated. Data is all over the place.

And that has only just, you know, made things really, really complex. Now, from IT and OT devices to, you know, data governance, privacy. I think, you know, GDPR came out in 2018; it was, you know, put in effect. And now with the EU AI Act, you can see how things have progressed from the SOX world to where it is now.

What remains constant is organizations trying to manage this complex landscape. Where do I start without actually boiling the ocean? Some customers are like, I want to do it all, because that’s what the regulatory expectations are.

The low-hanging fruit, get quick wins, show value, and move forward. That has remained constant, because otherwise the programs fail, right? So we have constantly seen large organizations thinking, we need to do it all and we need to do it all alone, and we know it best, you know; sometimes it hurts.

Don: I appreciate that. Thank you. So let’s dive in. We already started the topic of conversation in governance, risk, and compliance. Let’s talk more about the technology aspects of it. You have been ingrained in this world for 14 years. Share with our listeners what you see as the current pain points and obstacles organizations have with proper compliance.

You kind of alluded to it in that preamble of the 14 years. Talk a little bit more about the pain points that organizations have.

Aneesh: I think the biggest challenge remains the number of people to support the programs. So staffing those projects, budget constraints, and the number of regulations, and as organizations grow, sometimes the size of these teams doesn’t.

There’s more work, there’s more regulatory landscape that needs to be monitored, so regulatory change is another aspect, and translating that regulatory change that’s evolving and that’s coming, which applies to these organizations, understanding the impact on those organizations, translating that to relevant policies, controls, you know, and process, you know, things that need to be done to ensure, you know, the obligations are met.

It’s a daunting task. Now, out of all of that, the governance, the important aspect is it needs to come top down.

Don: Uh huh.

Aneesh: We need to have really good executive direction, right from the board, and identifying key stakeholders, whether it’s the Chief Compliance Officer or Chief Risk Officer or, you know, Chief Ethics or Sustainability Officers, involved in the overall process, right?

That sets the tone and also to ensure organizations are not looking at this in a siloed way. It’s very easy for each department to find a budget and put some tool in place. And then realizing as an organization that there are so many different systems and processes in place, it’s hard to collect all of that information and to deliver that to the board to make an informed decision.

And what happens is, when every department is looking at it, okay, compliance is working in their own way, risk is looking at it in their own way, security operations running in their own way, or privacy teams, there is no common language being used. There’s no standardization of, you know, what a risk is. What is the definition of a risk?

What is the definition of an incident? What is the risk appetite? When should they, you know, worry about things and elevate, and how should that be reported, right? All of that becomes really complicated. So, I would say the foundational aspect is really an important element from a standardization point of view: the standard risk taxonomy, process, and governance around it. In this, sometimes it’s about change management, right?

Because organizations have done it their own way, you know, and they have to collaborate, which is hard for humans. Yep. Can you imagine? When it comes to collaborating in a corporate environment, it’s change management, right? Collaborate, share information. Do it in a better way.

I think that’s one of the places where it becomes a challenge because there are tools. People have spent their lives putting those systems in place and now they have to shift to doing something in a very different fashion or format.

Don: Now, I appreciate that. I’m going to go one layer deeper, because you’re bringing up some semblance of your overall background in the product management space.

Individual siloed organizations. It has been that way for a long, long time.

Aneesh: Yeah.

Don: And we’re seeing silos being broken down. And if we talk about the world of compliance, the world of privacy, the world of cyber, there’s a blurring of all those lines, because in no way, shape, or form can organizations operate in individual silos of cyber, individual silos of compliance, individual silos of privacy. It doesn’t work that way anymore. Yep. Most of the time, an event that would start as a cyber compliance event has the opportunity to turn into a privacy event. And it creates communication gaps across an organization because individual silos are still in effect. Talk to me about technology. How does technology help solve and bridge this gap between these individual siloed organizations? And I know front and center of where you are today, you’re working to bridge that gap. So talk to us more about how technology plays an important role.

Aneesh: Yeah, technology plays a significant role. It simplifies all of this, right? Without having humans worry about bringing information together, connecting the dots.

All of that, and automating and moving things fast and really helping them focus on what really matters most and the high-value stuff rather than, you know, all of this stuff, right?


Don: I appreciate that. I’m going to take it one layer deeper in terms of technology. So in my conversations with clients and prospects in our world, Aneesh, I get asked regularly, how is your technology reducing my enterprise risk as opposed to introducing risk?

Enterprise risk is a big concern. We all know that technology cannot insert incremental risk into an organization. I know how my technology reduces risk, but when you look at the broad landscape of GRC as a whole, how are you talking to clients and prospects and just the overall ecosystem about reduction of enterprise risk as it pertains to the use of technology?

Aneesh: Yeah, so enterprise risk needs to be looked at holistically. I mean, that’s why it’s called enterprise risk. It’s not just one; there’s not one type of risk, right? Yeah. Your people risk, your facility risk, your IT risk. Or even within IT, very siloed, one compliance for a specific geo, so it needs to be looked at holistically.

So how we are helping is bringing all of this together. I will give you a classic example of what’s happening right now in terms of privacy and data governance itself. If you see data governance, privacy, AI governance, all of that coming together in many ways, because for AI, data is required, data is the gold, which means there needs to be data governance around it.

And there is a privacy aspect because of what kind of data is being fed, because there is a risk of the data being exposed. So if you think of it, the data governance team needs to be involved, privacy needs to be involved, the legal team needs to be involved, because do we have consent to use customers’ data, partners’ data, citizens’ data, right?

Now, if you think of it, HIPAA was always that healthcare information, patient information, should not be shared. Let’s say those kinds of information are being used for different purposes, even for providing better services. Now, if you use AI, and if it does not do a, you know, good job and, you know, puts things out which become sensitive in nature and reveal things that it shouldn’t, it becomes an enterprise risk.

And then what happens is it becomes an operational risk because there is a reputational impact. Then you’re dealing with lawsuits, legal cases, your expense goes high, then you get, you know, scrutinized by different regulators because of, you know, what happened with the breach, or not reporting on time. So, everything is really connected from an enterprise risk point of view, and what we are doing is providing a single place for managing different types of risks.

Think of it: each of these risks is categorized differently, right? Because there are different risk owners or risk champions who have their charter to ensure the risk is contained and minimized. Yep. And to be able to provide that view by different slice and dice, and to be able to continuously monitor what’s happening.

As much as possible in real time or near real time so that it’s not too late when it happens, right? And it can be contained. So that’s what I’m focusing on.

Don: Now, Aneesh, I appreciate that, great insight for our audience. If you think about starting simple and growing it equally, having it in a centralized repository dashboard of your entire corporate risk, and what is your risk appetite?

There are two different things, but being able to visualize corporate risk is going to be a critical component as we continue to move forward, as regulations continue to, I’m going to say expand, but new ones are being created as well, just beyond the overall expansion. Yeah. Two more questions just to really round this whole thing out, right?

We talked about the overall enterprise risk. You talked about the risk appetites. You talked about the different lines of ecosystems trying to work together. So for our audience, tell us the groupings of individuals that need to be communicating together. Because siloed privacy, siloed CIOs, siloed cybersecurity, how should they be working together?

What is the optimal way organizations need to be running this visibility into enterprise risk and their overall corporate compliance?

Aneesh: Yeah, it is a very complicated setup. And as organizations grow, it becomes difficult, right? Because there is an enterprise risk group. Then there is a cybersecurity group led by the CISO, usually under the CIO’s organization.

And then there is a general counsel under which privacy, legal, you know, others come in. If you look at the recent, I think, Gartner study, which said it’s so critical for general counsels to work with the CISOs. Because the CISOs are dealing with all the cyber incidents along with privacy aspects today.

It rolls into the CIO because it’s about information. And now CTOs are worrying about building out AI capabilities and making them available. So now CTOs have to work very closely with the CIOs, with the privacy teams, with the data governance team, with the corporate compliance team, with the enterprise risk team to build products, deliver services, and ensure you’re complying with various, you know, standards, regulations, and everything else.

So it’s absolutely critical for everyone to work together. And you can see there’s so many different parties and that’s where workflows become very important. You need almost like a checklist for a specific type of thing, like if you’re launching a new product. Who are the folks who need to be involved in the process?

You have to give a sign-off for a new business initiative or a new product launch so that when it releases, it has everything in place. If there is a breach, who are the stakeholders who need to be involved in reviewing and signing off before it actually gets communicated to the regulators? It needs a process, and that’s where governance comes in as the important aspect.

And that translates into having the right set of governance and policies in place so that it becomes very clear. No one is scratching their head trying to figure out what needs to be done in a specific situation. If you think of it, business continuity as a domain has been there for a very long time, and everyone is aware of business continuity, whether from a disaster recovery or a general business continuity point of view.

They have done this exceptionally well forever because, you know, if something fails, something goes wrong, what do I need to do? Right? The fire drills, the evacuation, we do this. We have to take the same concept and apply it to everything.

Don: What’s on your radar for the remainder of 2024?

Aneesh: In 2024, I would not just say 2024, because it’s going to be a long, long journey.

Don: You’re a long term thinker. I got you.

Aneesh: Long-term thinker. Yes, long-term thinker. It’s going to take a while for some of those things. Now, given the evolving complex landscape, my focus is always on how do I simplify, how do I [make it easier] for customers, right?

So that they can focus on the high-value stuff rather than chasing things that are just so trivial and wasting their effort. With fewer resources or with existing staffing – how to do more, how to do better, how to ensure organizations can roll out their GRC programs more effectively and improve the efficiency of the first line, so that risk and compliance is not just, you know, a five- or ten-member team’s job. It should be every employee’s business. You see something, you report, be involved in the process. How do we encourage that behavior? Which means the software has to be really simple. It has to be easy to, you know, adopt.

Programs have to be easy to roll out, in terms of, you know, a lot of integrations out of the box that provide that insight. People get the value of, you know, quick insight, quick information to do their job better. My focus, and I would say that’s why I said it’s not a 2024 thing, is user experience.

It’s about user experience. It’s about how we simplify risk and compliance. In this complex, interconnected world, so many different stakeholders have to come together and collaborate.

Don: Thank you for joining us. Again, I’m going to invite you back because we have a lot to unpack: integrations, AI, and who knows what happens in the next three months.

We’re going to have more regulations come down the pipe too. We know it. Likely an AI version of the EU AI regulation will be in our legislation in a very near future, which we can unpack as well.

Aneesh: Very much, very much. And I think that’s where workflows, automation, whether it’s AI, Gen AI, doesn’t matter fundamentally.

It’s some technology that will have an implication. There’s also, I want to call out, we jointly have to help our customers in this journey, because it’s not one person who can actually help. Agreed. It’s an ecosystem to bring these different types of integrations, different types of insights for our customers, to be able to help.

Don: Yep. So Aneesh, I appreciate it. We’ll get you on again. We’ll unpack it. For all those listening, thank you for listening to the On Your Radar podcast, made possible by the privacy and compliance innovators at Radar First. Radar First offers SaaS solutions to simplify decision making mandated by new and changing compliance regulations.

You can learn more at RadarFirst.com. And if you like what you heard today, be sure to follow On Your Radar for upcoming episodes. The next episode will be available next month. Thank you, and enjoy the rest of your day.
