AI, Simplify, and Oopsies: Inside Consero
Hi, Friends!👋 Summer is such a great time of year to get out and do new things, and I was super lucky to do just that in late July. For the first time, I attended the Consero Chief Ethics & Compliance Officer Forum. This particular event was in awesome Denver, Colorado, but they host these all over the globe.
Bottom line: If you’ve never been, I highly recommend it! The group is Goldilocks perfect (not too big, not too small) and you’ll leave having participated in some fantastic discussions and learning opportunities!
An important note about this conference: it’s NOT recorded or streamed. You must be present to participate and, to foster a supportive environment where we can have honest conversations, Consero has a “no recording or media” policy. 🔒
That being said, I really want to share with you some of the things I’m thinking about based on those conversations. Here’s how I plan to do that: Because not all of these ideas are exclusively mine, I will put things that others said or suggested in quotes, but I won’t actually name any of the individuals. I hope that helps keep it anonymous while still bringing these important topics to our larger E&C community. Here we go!
“AI is a fad.”
Can you sense the sarcasm in this quote? As expected, artificial intelligence was the hot topic in many of the sessions. I don’t know about you, but there is a part of me that wishes that AI would get the Project Runway treatment: “One day you're in; the next day you’re out.”
Source: Bravo's Project Runway
However, AI’s here to stay and has the ability to change our world radically. Like all technological advances, you can use it for good or evil. We spent quite a bit of time talking about how best to leverage the positive aspects 😇 while taking actions to mitigate the bad ones 👿. Here are some things to consider:
- Re-visit, and if needed revise, record retention policies and procedures. “Make sure [if] you’re including things like AI-generated notes, meeting minutes, or transcripts, [you are] indicating whether those are official business records—or if they only become official records after a human has reviewed and verified them.”
- “Governance is NOT one-size-fits-all.” Before jumping headlong into adopting a governance or cybersecurity framework (like the NIST Cybersecurity Framework or the NIST AI Risk Management Framework), take the time to determine whether it’s right for your organization, or whether it’s even required; these frameworks are voluntary unless a regulator, customer, or contract makes them mandatory for you. Full adoption of such a framework is a massive undertaking and shouldn’t be taken lightly. There are some awesome elements in them that can enhance your processes even if full adoption isn’t necessary or appropriate. Consider adopting only those elements that will strengthen your risk management posture. Keep and iterate from the good ideas, and leave what you don’t need.
- “Build a common vocabulary.” There are so many people throwing around the term “artificial intelligence” that it’s sometimes hard to know exactly what they’re referring to. And, if your goal is to manage risks around the use of these kinds of applications, you need to make sure all stakeholders are aligned on the definitions. It may seem boring, but coming up with a dictionary of terms that everyone within your organization uses to communicate about AI (or really any risk issue) ensures a shared understanding of the terms and concepts.
Simplification is the name of the game.
Show of hands: Who loves spending hours on compliance training? Yeah, I didn’t raise my hand either. 🙅 And, newsflash, neither did any of your employees. So, here we are again … What are we gonna do about training?
Ok friends, you know we Broadcats talk about this ALL THE TIME, so I’m not going to repeat everything here. Check out literally any of our blog posts, and odds are we’re talking about how to make training better.
[Full disclosure: My inner dialog was going crazy during this discussion and I was desperately trying to not be ‘that’ vendor.] | Source: NBC's Superstore
However, here are a few of the ideas that came up that are worth repeating:
- Create a “Collision Calendar.” Make a list of the training you own. Then ask other departments for a list of the training they assign, and start building a comparison list (your "collision calendar") that charts it all out. You'll end up with a great visual of the training your employees experience, and can then start the important work of making sure it's all appropriate, accurate, targeted, and (most importantly) not duplicative. This one is going to take some effort, but if it’s done well, you will be creating a wealth of value for your org!
- Ask yourself, “Is it fit-for-purpose?” Again, not a new concept, but I liked how this phrase put a slightly different spin on the process of targeting your training. This question requires you first to investigate the risk, and then determine if the proposed training solution is the right one to address both that risk and its audience. This too will take a lot of work, but IMHO, it’s the right work!
- Measurable and approachable are not mutually exclusive. It might feel like a comprehension quiz or an attestation is the only way to measure whether your training was effective. (It isn’t.) Or that training has to be funny or silly to engage your audience. (It doesn’t.) It just takes a bit of out-of-the-box thinking to create approachable comms that can be measured. Regular readers of our blog posts know we’ve got a lot of thoughts on this, but here’s one real-life example: Whenever someone is approved to travel, send them a checklist of things to know and prepare for prior to the trip—like cybersecurity precautions, export control, bribery warnings, and expense procedures. The checklist is approachable because it’s useful and accessible at the exact time it’s needed, and it’s measurable because you can compare audit findings and incident rates for those issues before and after you start sending it.
Did anyone see that CrowdStrike issue coming?
A faulty content update for CrowdStrike’s Falcon sensor crashed Windows systems around the world and took whole businesses offline, but it wasn’t a hack. As one individual put it, “Who had ‘Vital Vendor makes an Oopsie’ on their bingo card?”
Source: YouTube's First We Feast
In our line of work we spend a lot of time thinking about bad actors—and rightfully so. What this particular situation highlights is that we’re all humans, and humans make mistakes. And, just like a hack, this mistake had tons of downstream consequences.
Important lessons for all of us coming out of this incident are to:
👀 look for business-critical processes where human errors could have big impacts,
🚩 educate our teams to build important issue-spotting abilities,
➕ consider redundancies to mitigate reliance on any one solution or platform, and
🔊 ensure your speak-up culture is strong so teammates feel comfortable raising questions and concerns before deploying products, services, or updates.
That's all for today, but in the meantime, I want to encourage you to think about these topics. Let's get a conversation rolling! (Like Consero, I promise what we talk about will stay anonymous!)