Julia Hanbury

Senior Marketing Communications Manager

Modern Governance Summit day 1 highlights

More than 600 governance, risk, compliance (GRC), audit and ESG professionals assembled in Orlando, Florida, this week for Diligent’s Modern Governance Summit, the world’s premier GRC event. Across more than 70 sessions – including keynotes, panels and breakouts – participants are getting a first look at the trends shaping GRC and ESG, and exploring how having a clear view of risk is integral to driving greater success for their organization.

Below are the key highlights and takeaways coming out of day one of the conference. These include Diligent’s announcement of the Diligent One platform, what boards and executives need to know about the SEC’s upcoming climate disclosure rules, and how to strengthen your cybersecurity posture – to name only a few.

Opening keynote: Clarify risk, elevate purpose

Presented by Brian Stafford, CEO & President, Diligent

In his opening keynote, Stafford examined how risk and purpose are intertwined – how leaders in every industry are asked to balance short-term performance with long-term organizational health that serves shareholders and stakeholders alike. Whether that organizational health looks like commercial growth, or measurable progress toward a mission, or preparing the next generation of leaders, achieving that purpose is dependent on having clarity into the risks that may threaten it.

Stafford also announced Diligent One, a platform uniquely positioned to provide unprecedented clarity on risk, so directors, leaders and executives can make more informed decisions to achieve their purpose.

Key takeaways:

• Over the past decade, the role of governance, risk mitigation and oversight has shifted as the risk landscape has evolved. The number of risk factors disclosed by companies has been increasing every year from 2020 to 2023 – with companies reporting more than 34 risks in their most recent 10k filings. The top risks listed in company proxy statements in 2023 include market volatility and investments, regulatory compliance, operational efficiencies and challenges, third-party dependencies, and strategic planning and execution.

• To see the big picture, you need to start with the right information. Yet often that information or data lives in several separate systems accessed by many different applications. This is where risk lives — in the unconnected dots and space between siloed systems. The only way to see the risk is to see the whole picture: a complete view of governance, risk and compliance for your organization.

• Diligent One is the broadest GRC platform and the only platform to capture data from any information source and automate controls to provide continuous monitoring of risk and compliance, providing organizations the insights needed to clarify risk, elevate governance and achieve their purpose.

• Using the Diligent One Platform, customers will be able to:
  • Capture disparate data from across the organization to empower practitioners with a comprehensive view of their functional performance and health.
  • Contextualize data to surface risk to leadership, enabling them to make data-driven decisions based on a full view of organizational health and performance.
  • Curate data to be shared with your board in a simple, easy-to-consume format that enables better governance.

Learn more about the Diligent One Platform and how it can help your organization here.

Product keynote: Deliver risk clarity – a roadmap

Presented by Adam Bailey, SVP & Global Head of Product, Diligent

Bailey revealed how clarity comes to life for customers with the new Diligent One platform. Joined by members of the Diligent product team, Bailey shared how organizations can create unprecedented alignment across governance, risk, compliance, audit and ESG to be ready for anything.

Diligent One is the single source of truth that connects multiple streams of information and sources of data, using automation to pull it together and leveraging analytics to spot the anomalies and the opportunities. With Diligent One, the right people have what they need to know at the right time.

Key takeaways:

• The most successful organizations require a “corporate nervous system” communicating insight and information to and from the board through the executive team and the functional areas that drive the business forward.

• Diligent One is that nervous system. Company performance is delivered in curated reports. Leaders have a comprehensive view of operational health. AI empowers risk identification. Insights become easily shared. And governance is amplified.

• The Diligent One platform delivers:
  • A single source of truth — Consolidating different data from different systems to provide a single, unified representation of risk, reducing the chance of missing something important.
  • A frictionless user experience — Putting information in the same place at the push of a button to make your life easier and more efficient.A crisp, clean visual representation tells you what you need to know, when you need to see it.
  • The ability to maximize efficiency — Automation and analytics helps you provide more oversight with less resources. Continuous controls monitoring and trend identification ensures you have an up-to-date view of your organization’s GRC ecosystem.

• Diligent One combines everything you need to know about your organization’s GRC posture in a context that makes sense to you and your collaborators. Resulting in minimal overhead, minimal friction and maximum impact.

ESG & the SEC: Disclosure bootcamp

Presented by:

• Kristen Sullivan, Partner, Deloitte
• Evan Harvey, Managing Director, Deloitte
• Kate Wiese, Senior Manager, ESG & Sustainability, Deloitte
• Joanna Ziegelbauer, Senior Manager, Audit & Assurance, Deloitte
• Michael Levy, Chairman of the Board, The Institute of Internal Auditors
• David Metcalfe, CEO, Verdantix

The U.S. Securities and Exchange Commission (SEC) is expected to mandate climate disclosures, which has the potential to permanently alter corporate reporting in the United States.

In this session, panelists discussed why companies – of any size, both public and private – must prepare now for this shift. Key elements covered include how climate data should be measured, managed, disclosed and integrated into corporate strategy, and the risks, rewards and impacts that will likely play out.

Key takeaways:

• Organizations are demonstrating a range of reactions to mandatory ESG disclosures. Some view these disclosures in the context of stakeholder engagement, or as a recruitment technique to help onboard top talent. Some, especially if they are a supplier to the federal government, are already actively disclosing on ESG. And some prefer to ignore the looming disclosure requirement or are taking a “wait and see” approach. But when it comes to conversion on ESG there is a tipping point around the corner — and that is the burden of regulations over the next three years.

• For the next couple of years, companies that prefer to do the bare minimum in terms of ESG reporting are going to experience a sort of death by a thousand cuts by trying to comply with each new regulation as it comes out. Instead, organizations would benefit from establishing an ESG framework that allows them to comply with new regulations as they arise. Starting from scratch when a new regulation is passed is going to be very difficult, so companies should start now to be prepared.

• The concept of materiality — recognizing how sustainability issues factor into a company’s financial performance — is critical. It helps you mature your ESG program by focusing on where the key risks are. Typically, materiality assessments take place every 2-3 years now, but these will need to become annual events once the new SEC climate disclosure rules come into effect.

• Climate disclosures are a cross-functional effort and can involve groups who are not used to the rigors and controls of reporting financial information — this can lead to some gaps or inaccuracies. But it’s a great opportunity to bring different people across the organization together to create new efficiencies. Establishing good governance practices early on, at the beginning of a reporting cycle, can help move the process forward.

Learn more about the Diligent solutions that can help you with your climate disclosures here.

Third-party risk: Incorporating FCPA compliance & beyond

Presented by:

• Alexander Cotoia, Regulatory Compliance Manager & Consultant, The Volkov Group
• Andy Dunbar, SVP & CCO, Herbalife
• Cindy Morrison, Director of Global Ethics & Compliance, Post Holdings Inc.
• Michael Volkov, CEO, The Volkov Group

In the wake of recent enforcement actions, settlements, deferred prosecution agreements and regulator guidance, it’s crucial that organizations evaluate how they manage third-party risk. In this session moderated by Volkov and Cotoia, panelists discussed practical and actionable insights on how to effectively mitigate third-party risks and conduct due diligence in an environment of heightened overall risk. In addition, the group explored the essential steps to overcome barriers such as ESG, anti-bribery and corruption, compliance, cybersecurity, export and sanctions.

Key takeaways:

• When it comes to managing third party risk, if you don’t have an automated tool, you’re in trouble. That said, the Department of Justice doesn’t look favorably on fully automated programs either — human validation is still important to ensure you aren’t missing a risk that would disqualify a potential vendor. Striking that balance can be daunting, but it’s about progress, not perfection — you need to start somewhere.

• Organizations today are required to dig into third party backgrounds more closely. In fact, the SEC’s cybersecurity disclosure rules require more companies to disclose how they’re managing third-party risks. This is resulting in more IT and compliance partnerships, and IT is looking for a seat at the table to manage third-party risks.

• When you’re working with 400+ suppliers, managing and disclosing third-party data manually can be a nightmare. This is where software is necessary to collect data and feedback on third parties, as well as manage ongoing training and certifications.

Risk management: Unleash the power to drive business excellence

Presented by:

• Bronwyn Jesse, Risk & Controls Manager, City of Lethbridge
• Philipp Kiencke, Senior Consultant, dab: Daten – Analysen & Beratung GmbH
• Sumit Pal, InfoSec Leader, Cisco
• Renee Murphy, Distinguished Evangelist, Diligent

Risk management plays a pivotal role in ensuring success, resilience and long-term growth. Organizations across industries are increasingly recognizing the importance of effectively managing risks to achieve business excellence and deliver exceptional customer experiences.

This panel of industry leaders, moderated by Murphy, discussed real-world examples of organizations that have harnessed the power of Diligent HighBond to drive business excellence.

Key takeaways:

• If you know where your pain points are and the risks associated with them, you know how to mitigate them. You need the right technology, but you also have to bring best practices and learnings to the process as well.

• Put your corrective actions into your technology. Track your remediation actions and build up a risk library so you know not only how to mitigate similar risks in the future but can better identify the opportunities these risks present as well.

• Organizations should ask themselves how they are leveraging analytics. Data analytics are critical to bring together all the disparate views on risk and tell a unified story. If you aren’t running analytics all the time, you are running the risk of missing something.

• According to Forrester, on average Fortune 500 companies have six risk management platforms — and that’s after the last few years’ consolidation of solutions and vendors. Yet when working from six solutions, you can’t communicate properly; when you can’t communicate properly, it’s impossible to see the bigger picture.

IT risk management: Strengthen your cybersecurity posture from detection to recovery

Presented by:

• Alexander Arango, Deputy CISO & Head of Cyber Management, Mercury Financial
• Derek Vadala, Chief Risk Officer, BitSight
• Phil Venables, CISO, Google Cloud
• Henry Jiang, CISO, Diligent

Organizations face an ever-increasing threat of cyberattacks and data breaches. The ability to effectively manage IT risks and strengthen cybersecurity has become paramount for businesses of all sizes.

Led by Jiang, this panel of leading industry experts discussed practical strategies for organizations to enhance their defenses against cyberthreats and the value of establishing a robust IT risk management program.

Key takeaways:

• Organizations must ensure their risk posture is compatible with their mission, and cyber must be a core element of risk strategy. When you push down one risk, another spikes up, so finding that balance and what makes the most sense for your organization is key.

• IT risk is the core business risk today — every organization runs an IT business, no matter what you do. Whether it’s tires, financial services, healthcare and so on, your risks are broader in IT than in supply chain or HR.

• If you haven’t built the muscle memory on how to handle a crisis, it’s going to be a long and painful journey ahead. It's critical to run drills and tabletop exercises regularly so your team and the rest of the organization – all the internal stakeholders that need to support you through the incident – have that muscle memory built and regularly exercised.

• The best organizations are incredibly transparent with customers about incidents in addition to disclosing the right details that they are required to. Having a customer-first mindset when it comes to cyber incidents is critical for maintaining trust and loyalty these days.

Learn more about the Diligent solutions that can help you with your cyber disclosures here.

ESG & governance: Power your program with collaboration

Presented by:

• Patrick Gibbons, Partner, Orizontas
• Dr. Sudheendra Putty, Associate VP & Company Secretary, Cyient Limited
• Lorenzo Saa, Chief Sustainability Officer, Clarity AI
• Nithya Das, Chief Legal and Administrative Officer, Diligent
• Renee Murphy, Distinguished Evangelist, Diligent

At the heart of any good sustainability program is governance. Led by Murphy, this panel of experts across sustainability, law and governance explored the role of corporate governance in standing up an effective sustainability practice within organizations, and how governance professionals can help support the program and ensure board-level oversight.

Key takeaways:

• Governance will play a big part in driving the maturity of sustainability programs. If you’re able to intertwin ESG strategy with business outcomes, the less likely your budget will be taken away. Practitioners need to educate the board on ESG, and this starts by understanding the pressures that management and the board face and where they’re coming from.

• Upcoming SEC climate disclosure rules will be pivotal. These are important requirements to put on companies, but it will take them a long time to build the infrastructure to accurately report on it. Ideally, there should be a long phase in period for organizations to interpret the rulings. Large companies also have influence on the speed of ESG implementation and can use their position and stake to drive outcomes. Take for example Microsoft, which requires that its suppliers provide a certain amount of parental leave.

• ESG is here to stay, in certain ways. Whereas the last 12 months have seen a focus on greenwashing, organizations, stakeholders and investors are starting to unpack ESG and focus more on sustainability — scope 3 emissions should be a focus over the next 12 months. As well, sustainable supply chains are now necessary. As Joseph Zwillinger, the CEO of Allbirds said, a product can no longer be great unless it’s sustainable. This means that organizations need to start supplying carbon data to R&D teams.

• ESG should not be viewed in isolation – it needs to be part of the larger business strategy and on the growth roadmap. If you start talking about ESG from the risk perspective, there’s a greater opportunity to shift the conversation and impact the business materially.We don’t do risk management so we can take less risks, we do it to create more risks. Look at ESG as a risk, and you can make your program grow.