In this episode, Sabrina Serafin interviews Matt Kunkel, CEO of LogicGate. They discuss the areas of risk a business can encounter and how it may be inefficient to manage them manually. Robotic Process Automation (RPA) helps change these manual tasks to automated ones. Listen now to learn how RPA helps organizations mitigate risks and how to get started.
LogicGate is a software-as-a-service platform which operationalizes Regulatory, Risk & Compliance programs for multiple organizations. Learn more at www.logicgate.com
Culture of Compliance: Understanding RPA with Matt Kunkel
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina Serafin Welcome to Frazier & Deeter’s Culture of Compliance podcast series, where we discuss compliance as a competitive advantage in today’s marketplace. I’m Sabrina Serafin, partner and national leader of Frazier & Deeter’s Process, Risk and Governance practice.
Today’s topic is robotic process automation and we are talking to Matt Kunkel, the CEO of LogicGate, a software as a service platform which operationalizes regulatory risk and compliance programs for multiple organizations.
Prior to LogicGate, Matt spent over a decade building technology solutions to operationalize regulatory risk and compliance programs for Fortune 250 companies. Matt, welcome to the podcast.
Matt Kunkel Thank you for having me, Sabrina. Really excited to talk about the topic.
Sabrina Let’s get started with you telling us a little bit about LogicGate and what you do.
Matt Sure. As you mentioned, my name is Matt Kunkel. I’m the CEO here at LogicGate and one of our three co-founders. LogicGate is a next generation GRC (governance, risk and compliance) platform that helps organizations automate regulatory risk and compliance activities. We do that by a platform that we call the risk cloud.
We believe that there’s really five areas of key risk in any organization. There is third party risk, that’s your vendors or suppliers that you work with. More organizations are working with those third parties to execute on their own business strategies and goals. There is regulatory and compliance risk that I know you are all too familiar with, using words like CCPA and GDPR, all of the banking regulations, the energy regulations – you know, the whole gamut there.
Then there’s IT related risk. How do we protect our physical server assets in here? There’s business related risk, and then there is security related risk. On top of the risk cloud platform, we have out-of-the-box applications that we have created to help mitigate and track and quantify risk in these different domain areas. I think a beautiful byproduct, too, of what we are doing and where we see the industry going, is how do we take risk and use it as a revenue driver, not just risk being on the bottom line in asset protection, but really taking that and saying, “how can we form all of these risk vectors and risk data points that we get in an organization?” and use that to help drive top line revenues, not just bottom-line asset protection.
That’s something that we call risk intelligence and we keep working very diligently on and will continue over the coming quarters. That’s really where I believe that the industry is going when you think about kind of the governance risk and compliance base.
Sabrina You used the term “Next Generation GRC”, can you explain to us what you mean by that?
Matt What I mean by that is, if you look at the players in the space, there’s a lot of legacy players that have been out there for a very long time. Those technologies at the time were very good. And they focused on very specific things, but they were very hard and they were very “framework”, right? The data model for those for say, “hey, if you’re going to run a third-party risk management solution, this is how you should run it.” Unless an organization is slotted to exactly how that vendor said we should do it, it’s like a baby ERP implementation. In some cases, that’s 18 months.
I’ve worked with some vendors that actually never got the platform up and running off the ground. And there’s a lot of consulting fees in there. I think what we have seen in the consulting world and frankly why we created the company LogicGate is that more and more organizations are getting very unique and specific in how they do business and how they want to run their programs, the processes that they have in place to mitigate against the risk in their organization. Ultimately they want the technology to work and act like iPhones and Androids.
How do we give them technology that democratizes risk and compliance from a tech perspective, so that we don’t need engineers, we don’t need software developers? We can put the technology in the hands of folks that really understand our risk and compliance programs the best, the ones that have been doing it. The folks are in our second line of defense – give them the keys to the kingdom from a technology perspective so that they can operationalize these programs so they can use things, like RPA, to automate these programs. They can spend much more time not just focusing on the collection, the gathering, and the following up of data, but actually the analysis of the data.
Where are our gaps? Where does the data tell us that we have the biggest tools, the biggest problems? And ultimately, using the data to say, “hey, we can actually take on more strategic risk in these business units here to hopefully drive better topline outcomes in revenue.” It’s using the technology so that individuals aren’t doing the standard mundane follow up tasks, like tracking on Excel spreadsheets, e-mailing out notifications. But really relying on the tech to do all of that, such that they can gather and analyze the data and make strategic business decisions off of that.
Sabrina In case we have listeners who aren’t familiar with the robotic process automation, can you describe what RPA really is and how companies are using it to enhance risk management?
Matt Yes, of course. RPA, as you mentioned, stands for robotic process automation. At the highest level the concept is how do we use technology for repeatable processes to reduce human error and give employees time back in their day to make strategic decisions based on data and not have to spend a lot of time on those mundane manual tasks. Let me give you a real-life example here from one of our customers. I will use third party risk as an example of this, but RPA in the regulatory risk and compliance space cuts across many, many different solutions that they could be used for.
So supplier risk, it’s a big risk and a big compliance point for a lot of organizations out there. A lot of organizations are working with these third-parties and suppliers to execute on their strategic business plans. But as we give them more rich data, more data that has very sensitive information like HIPAA, PHI, PII, credit card information, how do we as an organization get comfortable that third-party is following the right policies, procedures, program and guidance frameworks similar that we have in our organization?
So we send out the questionnaire to collect the evidence from the supplier. Before this customer had our solution in RPA, they had to evaluate all of the different questions in there. What the supplier looked like, the risk profiles, all that on a manual kind of one off basis. Fast forward through when they implemented the solution and are using RPA, now we have set up “if/then” programable logic that says if this supplier goes out, depending on the types of suppliers, depending on the type of control frameworks that they have in place, the evidence around that, the system can automatically know if we should approve that vendor, or if we should disapprove that vendor. Then send them back a communication saying, “You need to provide evidence and guidance that you are doing these things or we can’t work with you.”
It’s really the capabilities within the program of how we can use technology to automate a lot of the tasks that required human eyes before, and that’s just one example of how organizations can use RPA.
Sabrina What are the areas that benefit most from RPA?
Matt When you think about the risk and compliance and regulatory space, it is ripe for RPA. We see that across our customer base. If you’re running a regulatory risk and compliance program appropriately, it’s really a process. The thing is like third party risk management, IP risk management, policy and procedure management, employee compliance, regulatory compliance, internal audit, incident management and tracking, case management, business continuity, even to some extents. The first part of this is you need to have the process in place.
If you have a really firm, good process in place, then you can use technology as an enabler to automate some of those key activities that happen during the process when we don’t have to put a human’s eyes on every step in the process. The technology knows what to look for, what to evaluate, and then how to route it automatically. I think, especially in a world in which we become more and more resource constrained, RPA can really help drive some significant ROI from a resource perspective.
Sabrina All right, you said it. Where do people come into the equation with all of this automation?
Matt Yes, that’s a great question. Technology is an amazing enabler, but technology is built by people who built on top of people. The people are the ones that have to design the programs, design the process. We call it phase zero, which is before we even think about technology. We need to think about what are the goals of the program and designing the program to meet those strategic goals and strategic objectives of the business unit, so that’s where the people start and come in.
What are the problems that we want to solve? What are the strategic objectives of this? And then how do we design out a program that can solve those now in here today and then we get a feedback loop. We understand what that looks like, we understand the information, we analyze the information and we feed that back into the system. I think that’s really where and when we talk about the next generation GRC is really what we are built on.
A lot of it, too, is the technology. Most GRC platforms out there are built on traditional relational databases, as a SQL database and Oracle database, we’re built on something called a graph database. What the graph database allows us to do is very easily tweak the overall process without writing any code whatsoever. A business user in the risk, compliance and regulatory group can make these updates for themselves, but still maintain extremely robust reporting capabilities. So, it’s quick time to value, quick implementation and you have that.
The only constant that I know of in an organization is that there will be change, and what that means for the risk and compliance groups is if the overall business is changing, then the risk and compliance group needs to change to match that business; to mirror and provide the transparency and the guidance out there. I think that’s where the people come in.
The one other one that I would say is it’s a culture and you talk about this in your podcast, the Culture of Compliance, and that’s really where it starts. Technology is an amazing enabler, it’s an amazing driver and it’s an amazing force multiplier. But if you don’t have the right culture in place in an organization and if you don’t have the right process in place, that force multiplier becomes a force multiplier for bad, not good. We can start doing things from a process perspective that are really wrong and detrimental to an organization, so that’s really where the people come in.
Right off the bat is how do we design the process, can we meet the strategic objectives of the organization and then how do we instill the culture, which obviously needs to come from the top down of risk. It’s not just the technology, it’s the culture of getting that into the first line of defense, the second and third line defense, frankly.
Sabrina Matt, as service providers, I can say that I have not seen a strategic plan in any organization that doesn’t have RPA on their list. The challenge has been, I know I need to incorporate this strategy, but how do I get started?
Matt Yes, great question. I think there’s a couple things in kind of low hanging areas to get started. One is you’ve mentioned it, if we have top down leadership team from a strategic plan and strategic objective, that’s a great first start. Then it starts with the process, what do we want to put in place from a program perspective to meet the objectives, these strategic objectives that we have? It’s the “P” in RPA, right? It’s the process. Then, like I said before, if we have the wrong process in place, the best technology in the world can’t fix that and frankly, the best technologies in the world will make that worse; it could be a force multiplier for bad not good in there.
So, it starts with the program, starts with the strategic objectives, and then you go to the process off of those strategic objectives. I also would say we call it the crawl-walk-run approach. We don’t need to build a rocket ship day one, let’s build a bicycle. What are the first goals? What are the easy steps that we can get, the quick wins, and lean ourselves into this? Then how do we crawl, walk, run our way from having nothing? Most folks that I talk to right now are like spreadsheets, emails and file shares and they’re like, “I want to go to RPA tomorrow.” I’m like, “Well, let’s map out the process and the program. Let’s then put you in the technology and get a quick win with one or two of these processes and then we can start using RPA to link these together and provide the algorithms and the logic behind it.”
Then I mentioned before, it’s the human factor. At the end of the day, technology is great, but unless you have a technology that is very, very easy to use for the first line of defense and the adoption is extremely high, you’re not going to get anything out of it. So how do we implement quick time of value there? How do we make it very easy and simplistic for our brother in the first line of defense to help capture and collate that information that we need to then make the strategic decisions off of it.
Sabrina Now, you touched on this earlier, but considering this is the Culture of Compliance podcast, one of your areas of focus is helping organizations better manage compliance. Can you talk about some of the challenges compliance professionals are facing in today’s environment?
Matt Yes, happy to. I think the biggest one that I see is when I talk to folks in the compliance groups and the risk groups in organizations is they have this persona of being cops. Being the “no police” in there. How do we foster the culture of, we’re not the “no police”, we’re your strategic partners such that we are making good strategic decisions for an organization. And really, where I want to take the industry is how do we get those folks equal seats at the table as their chief revenue officers, the chief marketing officers that can help drive strategic top line revenue in an organization, not just asset protection revenue generation in there. I think there’s a couple of things that we can do with that.
One is how do we align risk and compliance to strategic business unit and strategic objectives within the organization? For example, if I’m a small startup company and there’s a big contract with a large organization that we can win, you’re probably in your cloud hosting providers, you’re probably going to have to be SOC compliant. So, how do we get that as a strategic objective in our organization to become SOC compliant such that we can win larger and larger deals?
Two, is an education process. We have to educate the first line of defense of saying, “I’m not here to make your job more difficult, I’m here to help you in that,” and identify those business champions in there. A big one too that I see, is risk and compliance professionals, they have a hard role, they have a really difficult role. They have to be super strong leaders and communicators to demonstrate influence over these people without formal authority. Most times they’re not the business unit bosses, but they have to get the buy in from these business units or else it’s not going to work. Then ultimately, is how do we use technology as an enabler to help get buy ins to say, “We’re going to use this piece of technology to make your life massively easier, to still execute on our strategic risk and compliance scores.”
I think the last thing is making sure that when you’re evaluating a service provider, especially from a technology perspective, you make sure that the technology can morph with you as your risk and compliance matures over time. Then you also look at the company as a whole and who you’re going to partner with. Technology is an amazing thing and it’s an amazing force multiplier, but ultimately, you’re going to interact with business people and individuals in that organization as a partner. And I can assure you things will go badly. There’s no technology that you implement and you turn on and everything’s working perfectly.
So, who do you want to be in the trenches with when things don’t go right, that can very quickly make it better and make it right for you and solve problems with you. So those are the pieces of feedback that I would give as it relates to what I’m seeing. How do we go from the “no police” to “Man, you’re going to help us drive revenue in this organization.”
Sabrina Thank you so much. LogicGate is obviously a champion for the compliance professionals, and we really appreciate you joining us today.
Matt Thank you so much Sabrina, it was great to chat with you and I wish you luck.
Sabrina Thank you to our listeners for joining Frazier & Deeter’s Culture of Compliance podcast. Please join us for our next episode, as we continue to discuss transforming compliance requirements into investments in your business.