Compliance Unfiltered is TCT’s new podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: Risk Assessments (A Survival Guide)


Quick Take

On this episode of Compliance Unfiltered, we tackle every popular topic around Risk Assessments. We cover the important factors in understanding the various risks to a given organization, what a Risk Assessment is and why it’s important. Plus, why your Risk Assessments are something that should really be done by a third party.

Want to know what approaches are typically going to be involved in a Risk Assessment? We’ve got you covered. What type of planning is needed to set your organization up for success? We break it all down, from scoping to timeline.

By the end of this episode, you’ll know approximately how tall of a Risk Assessment Mountain you’ll have to climb.

In this episode, Adam and Todd discuss:

  • What is a risk assessment (RA)?
  • Why is an RA important?
  • Why you should consider using a third party
  • Typical approaches involved in a risk assessment
  • Planning for your RA
  • Timeline expectations
  • Advice for companies heading into their first (or next) RA


Intro
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.

Intro
Now, here’s your host, Todd Coshow, with Adam Goslin.

Todd Coshow
Welcome back to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the one, the only compliance expert himself, Adam Goslin. Adam, how are you today?

Adam Goslin
Morning. I’m doing great. I’m doing great. Well, for those, for those that actually, uh, for those, for those that know me, uh, know, know me well, I’m, I’m typically telling people more than it doesn’t matter whether it’s four in the morning or, you know, late morning, early afternoon, evening, you know,

Todd Coshow
7pm. Always morning, always morning energy. And that’s what I love about you, Adam. We’re having a conversation today about something that more and more people have been asking me about, at least in my professional life running business development for TCT.

Todd Coshow
And I know it’s something that is definitely near and dear to your heart. So talk to me more about risk assessments.

Adam Goslin
Yeah. So what we’ll do is we’ll start off, you know, with, you know, kind of what, what is it, you know, the, you know, some of the, some of the folks are going to be more seasoned and some not so much.

Adam Goslin
So, some are just kind of getting, getting, dipping their toe in the security compliance waters and about to go down, down the path. So, you know, the reality is a risk assessment is a, it’s an assessment of, you know, various risks for the organization.

Adam Goslin
You know, one of the, one of the, the interesting part parts about a risk assessment, and especially for, for those organizations in the security and compliance space, many of the, you know, many of the folks going through it walk in with this notion that, oh, well, this is a risk assessment that supports kind of my IT arena and my technology around fill-in-the-blank compliance standards.

Adam Goslin
So, you know, this is going to kind of stick, stick in the lane of IT only. And it’s, it’s probably one of the biggest misnomers is, and it’s something that folks will find surprising is as they go through that process, just how, a good risk assessment, just how broad the coverage is.

Adam Goslin
I mean, it can, it can cover all sorts of different, different aspects, you know, of the, of the target company. You know, in the, the risk assessment itself, you know, its nature depends on, you know, it depends on several factors for the, you know, for that target company, you know, what, what is the company, what do they do, you know, what business are they in, you know, et cetera, you know, what certifications they may be subject to.

Adam Goslin
There could be some specifics that, that are needed to support certain, certain standards. So that’s an important consideration. And which certifications are really kind of drive deeper questions from the, from the, the folks doing the risk assessment on, you know, what all that we need to be on the lookout for.

Adam Goslin
So, you know, if they’re subject to HIPAA, then they’ve got some medical data in the, you know, in the arena or we need to pay special attention there. They’ve got PCI that we know we’ve got to really look at the credit cards and how that workflow goes, et cetera.

Todd Coshow
Well, I was just going to ask, like, well, why is it really, you know, why is it super important?

Adam Goslin
So the reality is that it’s really a tool. It’s really a tool that can be leveraged. So we were talking about the different factors and whatnot that kind of play into the scope and scale. And one of the important things is that that risk assessment, once concluded, is intended to result in a written summary of all the risks that have been identified, rankings or priorities for those risks, their relative impact to the organization,

Adam Goslin
et cetera. And the risk assessment forms a really good kind of prioritization tool, not to be captain obvious, but the reduction of risks for an organization. It’s a good thing.

Todd Coshow
Overall, generally good, right?

Adam Goslin
Yeah, exactly. So that’s one reason why it’s important. But going back to that central register of risks that have been identified for the organization, for a lot of the companies that I’ve worked with, interfaced with, talked to, et cetera, many of them don’t have a central place to just put the to-do list of, hey, here’s where all the things we need to go and improve on and make better, et cetera.

Adam Goslin
So for many organizations, it really becomes their first shot at having a single consolidated register of risks that now they can start picking off. And the most important part about the risk assessment, and this is really where I’ll see growth in the organization’s maturity over time, the very first time that they go in and do the risk assessment, it’s kind of like you can almost mentally watch everybody.

Adam Goslin
They wipe their brow. Oh, we made it. We made it through our annual risk assessment. And everybody breathes this big sigh of relief. They finish the risk assessment. They get their little piece of paper that has all these risks on it.

Adam Goslin
And then everybody goes and sticks it on the shelf and comes back to it next year. And it’s like, no, no, no, no, you’re missing the boat here. This is actually an awesome tool for organizations to be able to leverage.

Adam Goslin
They should be addressing those risks on a proactive basis throughout the year. Heck, adding new stuff to their list themselves throughout the year.

Todd Coshow
This is something to be fair, Adam, that you’re pretty consistent on, which is that compliance is a 365-day-a-year job. It’s something that does require your focus consistently in order to be successful.

Todd Coshow
And maybe that kind of leads to a next question, especially when we’re talking about risk assessments. Maybe folks are a little too close to things. Why should a company consider using a third party?

Adam Goslin
Well, here’s the thing is that, you know, for, you know, for many organizations, I’ve kind of seen it play out in a number of different ways. You know, sometimes, very infrequently, do they have somebody internally that’s both, that both, number one, has the experience in order to do a really good job with the risk assessment, and two, is not, you know, is kind of separated from the, you know, from those operations personnel.

Adam Goslin
To where they can really take on, you know, truly objective, you know, kind of take on it. You know, oftentimes, what I’ll see is the folks that basically get the nod. It’s like, hey, you know, who, who, you know, for a lot of these organizations, who, okay, who’s going to do the risk assessment?

Adam Goslin
And, yeah, and everybody kind of points right. And eventually, somebody was the last one to sit down when the music stops, and they get nominated. And so, so as they go through that process, the problem is, is that if you think about it, right, I mean, you know, when you’re doing a risk assessment, you’re talking to, you’re talking to your boss, you’re talking to your boss’s boss, sometimes your boss’s boss’s boss, right? And here you are, the, you know, four rungs down on the ladder, you know, and, you know, to try and have a conversation around risk with, you know, one of the uppity-ups. It just, it just doesn’t, it just doesn’t play as well.

Adam Goslin
It puts them in an awkward position. They feel like, in some cases, they feel like they can’t ask those people questions, right? And so, and so, you know, leadership, you know, leadership would also have the propensity to avoid topics, right?

Adam Goslin
Well, you know, whatever, you know, Bob doesn’t really need to know this information. He’s not authorized. And it puts the leadership in kind of an awkward position at the same time. And the benefit of the external folks is that they, they don’t have a stake in that game.

Adam Goslin
They, they, their objective, you know, they don’t have, they don’t know how it’s always been. And that’s actually probably one of the, one of the key elements is that the, the person that comes walking in walks in with no assumptions.

Adam Goslin
They walk in with no foregone conclusions. They don’t know how you were doing this process yesterday, or for the last 20 years or whatever. So I call it, I call it coming in and asking all the dumb questions, you know, because you, you don’t know, right?

Adam Goslin
You just go, you walk in and you’re, and you just start, start picking away and picking away, asking questions. Oh, why is that? And where does this go? And whatnot? It’s kind of like a, it’s kind of like a kid, you know, experiencing something for the first time.

Adam Goslin
You don’t know any better. You just, you just go in and start, you know, start following your nose. And the more that you do them, the better you get at it.

Todd Coshow
That absolutely makes sense and talk to me a little bit more about what approaches are typically involved in this sort of a risk assessment.

Adam Goslin
Well, we were talking earlier about how the coverage is broad, right? So if you look at the typical, we’re going to put this in like a non-COVID world for right now. But the reality is that often it’ll be an on-site visit with focus on being able to interface and interact with different personnel.

Adam Goslin
But specifically, the main reason for the on-site portion is so that you can put your eyeballs on things. You can see things. I can look at physical security of the facility. Depending on what the organization has in terms of their structure when you are gathering the upfront scoping elements, there may be vendors which you want to go in and see.

Adam Goslin
It could be that they’ve got a really super critical vendor that doesn’t take security and compliance near as seriously as the target organization. It could be that they have a colo hosting facility that we want to go in.

Adam Goslin
And while, sure, I can go and take the SOC compliance or PCI compliance reports that they’ve got for the physical facility, that’s not going to tell me anything about the company’s cage that they’ve got at that facility.

Adam Goslin
Certainly, the on-site interviews are really helpful. Just because.

Todd Coshow
in a non-COVID world, right? Yeah, yeah, yeah.

Adam Goslin
Yeah, yeah, the on-site interviews are super helpful because it’s one thing for me to sit and be talking with somebody on the phone where they can mute and roll their eyes or whatever, right? Or look at me fearful, you know, look fearful as you’re asking a question they’re uncomfortable with or whatever, you know, but those on-site cues actually really help, not only with just the interpersonal interaction, but, you know, really gives you another input for, you know, for being able to pay attention to as you’re going through, you know, going through and talking to folks at the company. The other element too about being on-site and being able to talk with people is oftentimes things will come up where, you know, whatever, you know, Mary always carries the records at the end of the day and she goes and she brings them over here and she gives them to Bruce, right? Or that, yeah, the shredding vendor shows up, right? And they’re picking up all of the, you know, all the shredding. I’ve found, I’ve actually called to task some of the, you know, some of the company shredding vendors because they were handling the, you know, handling the carting of the materials for shredding inappropriately or not securing them properly, et cetera.

Adam Goslin
So it’s so helpful to, you know, to be in there. But the last piece of the, you know, the kind of the scale of the approach is the critical workflows within the organization. As you’re going in and kind of seeing based on the type of the company and what they’re doing and how they’re doing and whatnot, you can then go through and review, okay, so I’m seeing this, maybe it’s some physical element.

Adam Goslin
Maybe they’re putting things on disc or tape or physical paper or whatever. Now I can get, or electronically, and now I can go in and ask questions. I can go walk over to so -and -so’s desk and hey, show me, show me where you put this.

Adam Goslin
Like, oh, I can’t tell you how many times I found stuff that, you know, you go walk over to, you know, to a particular department. Hey, so show me where you store this. And, you know, sure, there is nuts, right?

Adam Goslin
They bring up this spreadsheet with all of this stuff in it. It’s not encrypted and they shouldn’t be storing it. No, no, no, no, no, nobody knew about it except for, you know, this person in this department, you know, type of thing.

Adam Goslin
So it’s really, really helpful to, you know, to be in and on-site, that type of thing. Thanks for having us. Bye-bye.

Todd Coshow
and it makes a ton of sense. Now I’m a big proponent of planning your work and working your plan. So for those out there that are just kind of looking at this with fresh eyes, what type of plan is typically needed for a successful risk assessment?

Adam Goslin
Well, the scoping elements are really the critical part, right? The planning that goes in, the planning to plan, yes, I fit in an Office-based quote. Outstanding. So, yes, yeah, thank you, I’ll be here all day.

Adam Goslin
The scoping is critical. The reality is that if you don’t get the scoping right, then you’ve got far less of a chance of the outcome of the risk assessment being what’s desired. So, you know, going through, usually up front, go through, like, the data flows for any critical data that they’ve got, going in and looking at all the list of vendors that they have, you know, knowing what those vendors do, what is their role, how do they operate, asking questions about the relationships there, you know, certainly looking at the vendors from the perspective of, you know, do the vendors have, already have a billion certifications or have they never, you know, have they never gone through anything with security or compliance and they just, you know, it’s all part of their agreement.

Adam Goslin
So, you know, you’ll discover some things there. Personnel reviews, so typically going in, gathering up the list of, I’ll typically go in and say, give me an export list of all the people at the organization, first names, last names, how long they’ve been there, so start date is another element, and then their, who’s their boss, you know, and if you can get that type of information, now you can go through and figure out, okay, well, you know, now I got the structure for the departments and things along those lines. And then the last piece from the scoping perspective is knowing the locations that we’ve got because that’s really going to drive the, you know, kind of drive the, in the days of on-sites, that’s going to drive the, you know, the travel schedule, the order of where you want to be and when, how long you need to be there, things along those lines.

Todd Coshow
Well, and I mean, I think that’s the perfect segue here, Adam, because the next section of this that folks are going to want to know about it is being able to plan the actual risk assessment input gathering is with any sort of compliance engagements, how you gather that information and where you’re able to store it and what you’re able to do with it is sometimes one of the most challenging ways to get things taken care of.

Adam Goslin
Yeah, actually, I’ve had I’ve had a lot of fun over the years trying to trying to create gut, create, recreate, freakin schedule. Because I mean, seriously, some of these are some of these are really complex, you know, say you’ll have, you know, you’ll have several dozen, you know, maybe two to three dozen people that we’ve got a that we got a hit to certain people in certain locations.

Adam Goslin
You know, the first thing you got to figure out is, hey, are we going to do this thing? You know, what elements of this no matter what, what elements of this are we going to do remote versus in person, you know, operating even in a non-COVID world, you don’t need to do everything while you’re sitting right there.

Adam Goslin
You know, and sometimes it makes more sense to do some of those, some of the pieces and elements remote. But figuring out where are we going to need to, where we’re going to actually need to be on-site versus what can we, you know, what can we handle remotely and, you know, and whatnot, planning out those on-sites.

Adam Goslin
So we talked about, you know, kind of the locations and, you know, and whatnot. So there’s a couple of different factors that play into the notion of the on-site planning both for travel and all that fun stuff is, you know, once I’ve got all those prior inputs, now I’ve got a much better idea of, okay, well, what departments do I need to hit at what location if I’ve got this, you know, if the way that the organization is structured,

Adam Goslin
they’ve got this drug, corporate headquarters, and, you know, I can I can nail out, you know, 12 of the departments, you know, while I’m there, and it’s a gigantic facility. Well, I know that I’m going to need, you know, need more time for getting through all the interviews, seeing all the departments that walk around to the location, things on those lines.

Adam Goslin
And so, you know, we’ve also got an account for if the organization has like a corporate headquarters, you know, a development office at another state, and then they’ve got this hosting company where they’ve got a colo cage, you know, and they’re all in different states, you know, and whatnot.

Adam Goslin
Well, now we need to also plan in, you know, that kind of the navigation, right, I want to make sure that the team’s getting in there, you know, the evening before the, you know, the on-site starts, then, you know, then we’ve got our schedule during the on-site, but we’ve got to give them time to be able to get to the airport and get through security and, you know, drive there and, you know, and whatever.

Adam Goslin
So, we got to figure all that piece out. And then finally, the on-site, on-site meals. People don’t think about that. That’s super important. Eating’s good. Here’s the weird part is that, is that both the on-site, but the on-site audit site kind of cycle, and the on-site risk assessment activities, they’re both just draining.

Adam Goslin
It’s so draining. You’ve got to, your brain’s going a million miles a minute, you’re you’ve got to be kind of on and on point, you’re connecting dots between the last eight conversations that you’ve had, you’re trying to take notes and whatnot.

Adam Goslin
There’s a lot that goes into it. So certainly keeping the crew that’s going through the process, that is good. But one of the things that I typically recommend, you know, recommend to organizations is, you know, choose, maybe use some of the time for some lighter topics or something, you know, over lunch, you know, that we bring into the, you know, bring into the office, we’re not wasting time, you know,

Adam Goslin
driving to, you know, fill-in-the-blank location, that type of thing. But the on-site location meals need a little bit of, a little bit of thought, both that and, you know, sometimes, depending on the client, you know, they may want to go out to, you know, go out to dinner for truly, you know, you know, off-the-clock style conversation.

Todd Coshow
Yeah, that makes sense. Well, what type of planning or excuse me, timeline is, is typical for risk assessment. We’re talking about all of these moving parts here. But maybe for somebody who’s looking at this for the first time, what is a good timeline to anticipate for this?

Adam Goslin
Yeah, well, and it’s funny that you kind of, you talk about, you know, people’s expectations walking in, right? I mean, you know, in more, way more than one case, you know, people thinking, oh, well, we’re just going to go fill out this checklist and we’re done, right?

Adam Goslin
Not if we’re doing it right. You know, the reality is that there’s usually about at least two to four weeks of planning, you know, with all the things that we were talking about, the stuff you got to sift through, you know, questions, confirmations, you know, lining up the schedule, et cetera, it just takes time.

Adam Goslin
So generally speaking, two to, you know, two to four weeks of planning, we’ll go into it. And then it really, it does depend, the actual on-site interviewing and traveling timeframe, you know, just as a general rule, often will span among, you know, between one to two months.

Adam Goslin
And that’s just because of the, you know, the travel schedules, who can be where and when people are off and, you know, trying to get everywhere you need to go get and all that fun stuff. So you got basically two, about a month or so planning, a month or two of execution.

Adam Goslin
And typically, depending on the size or scale, you’re probably looking at another two, you know, two, three weeks or so afterwards for just the team that’s doing the actual assessment to go out, generate, generating the report.

Adam Goslin
And then from there, scheduling, you know, kind of a review session with the, you know, with the key personnel from the key departments. It’s important when you’re, you know, kind of when you’re bringing back the, when you’re bringing back the results, you know, you want to sit down and take some time and share that with the client and explain things and well, why did you think that?

Adam Goslin
You know, the reality is, is that, is that sometimes there are findings that, you know, that you, that as a practitioner, you’ll come up with and somebody, you know, it’s based on the input you received from the people that you were talking to or what you saw.

Adam Goslin
But, you know, you may be mistaken. There might be reasons for it there, you know, whatever it may be. So, you know, in that session, oftentimes, it’s more often than not, there’s a couple of tweaks that’ll end up happening, you know, during that session.

Adam Goslin
And then sometimes, depending on the findings, I’ve had a couple of different risk assessments where some of the things that came up as we were going through and kind of collecting inputs and whatnot really were not for, you know, kind of the whole group of, you know, kind of key personnel.

Adam Goslin
And so, on occasion, it’s been appropriate to have, you know, a limited executive level type of review where you can go sit and go through all of the, you know, all of those key, maybe sensitive findings that, you know, I don’t feel comfortable just sharing with everybody under the sun type of thing.

Adam Goslin
But sometimes those types of things will come up and you just need to, you need to handle those properly because, you know, otherwise you’re, you’re really doing an injustice to the, you know, to the, to the company, the organization, you know, et cetera.

Adam Goslin
So, I will typically handle those delicately, if you will.

Todd Coshow
No, that makes sense. Anytime that you’re talking about conversations at that exec level, tact is certainly key. Well, that said, and thank you for that, Adam, because that is just a bucket full of information that I know a lot of people staring at and down the barrel of a risk assessment are going to be really excited to hear, just to make them feel like they’re not so alone.

Todd Coshow
And maybe with that in mind, I guess kind of the only question that really is left to ask is for a company heading into their first or maybe after a painful first one, for a company heading into their next risk assessment, what’s the biggest, best, what type of advice would you have for them?

Adam Goslin
Well, a couple of things. So number one, in advance of all of this rolling out, making sure that you tell all of your staff, all your vendors, it’s really, really important to have them being open and honest with their input.

Adam Goslin
One of the things that I’ll do as I go through that risk assessment process, and basically I say this to every single person, that you can tell us anything going on, any risk you see to the organization, et cetera.

Adam Goslin
Please let us know. The first time that we go in and do it, I think everybody is a little cautious because they’re afraid that they’re going to open up and that the risk assessment team is going to immediately tag their name next to, Sarah said, ha, ha, ha, ha, right?

Adam Goslin
So it’s a concern. And I try to make it clear to them on the first run-through that tell us anything, we’ll genericize as best we can. I mean, if you’re the only person that does this function or whatever, then it’s kind of hard to shield that.

Adam Goslin
But generally speaking, we can put the findings in such a way that it’s not Mary said, fill in the blank. But they don’t know who it came from and whatnot. And oftentimes, what’s very interesting is that people in different departments are observant, right?

Adam Goslin
I mean, there’s often ripple impacts from one department through another, et cetera. And so the folks that end up receiving the results, they can’t just depend on, oh, well, he was speaking to Belinda.

Adam Goslin
And I know Belinda would have said something like, you can’t depend on that because I can’t tell you how many times I’ve probably in at least a third of the findings, at least maybe even 50%, the finding didn’t come out of the target department I was talking to.

Adam Goslin
It came out of some other department that’s pointing out shortcomings in what they’re receiving as deliverables of the fact that they can’t get answers or whatever it may be. So oftentimes, it’s kind of crisscrosses across the organization.

Adam Goslin
The other important advice that I would give is for those that are kind of at the top of the food chain for the organization. Well, let’s call it board level, execs, upper level management. The one thing that they really need to keep in mind is that this process, when done properly, is undoubtedly, absolutely going to reveal a boatload of things and a boatload of risks and stuff they never thought of and stuff that they had assumed and,

Adam Goslin
you know, and, and, and, you know, the reality is, is that for those folks, they need to remember that the whole reason we’re doing this process is so that we can improve the company. You know, we want to make sure that the results of this are viewed educationally.

Adam Goslin
You know, I’ve seen a couple of organizations that basically, you know, would take their, you know, kind of take their internal personnel, the task for, why the heck are we doing blah, blah, blah, blah, you know, and heads are rolling and whatnot.

Adam Goslin
I try to make it as abundantly clear to the, you know, especially to the leadership that, you know, we’ve got an opportunity here to use this as an educational tool to make improvements in the organization.

Adam Goslin
And the really, the way that they handle it is really going to drive the benefit of doing this process. And the way I look at it is you have to do it anyway for your compliance. So you might as well make it as effective as humanly possible.

Adam Goslin
You know, you know what I mean? And so, you know, the the the the their implications of, you know, being open and honest, we want the people to to really give us those, give us those inputs. And I’ll tell you what, the single best way to make everybody in the organization just pucker up and stop talking is to get flamed over, you know, over what happened through the process.

Adam Goslin
So, you know, the, the, the most interesting part about this for me is as I look at, as I look at, you know, risk assessments that, you know, that we’ve done, in every single one that we’ve performed, you know, the first year, I talked about people kind of puckering up and whatnot.

Adam Goslin
It’s like, they don’t trust that they’re not going to get thrown under the bus. And so I really got a real fear. Yeah. Oh, for sure. You know, because we kind of talked about it in one of the, one of the prior podcasts, but some of the bad assumptions that the, you know, that the leadership makes about what IT folks know and don’t know about security and compliance.

Adam Goslin
And it really kind of plays here too, in that, in that these folks are walking in and they’re in some cases, they’re in some cases, I’m sorry, I’m so proud of some of these people because they’re just fearless, you know, they’re like, Oh, hell yeah, I’ll tell you exactly what’s wrong here.

Adam Goslin
And they got, they walk in with a notepad and they got a list of things. That’s, that’s very, very unusual. Generally speaking, it’s kind of like trying to extract information out of people the first time that I go through it.

Adam Goslin
And everybody, it’s, it’s kind of funny because everybody, you know, you can kind of feel that tension rising, right? Oh boy. Oh boy. The good, he’s going to be given the presentation to the management and how hell’s going to break loose.

Adam Goslin
And, and when, when the, when the, you know, I prepped the, the management properly, when I’ve gotten through to the, you know, to all the front liners and, you know, and levels of management that are providing inputs.

Adam Goslin
And then we have that meeting and a bomb doesn’t go off immediately as soon as the meeting’s done. And heads aren’t rolling, you know, a month or two later, et cetera. I’ll tell you what, man, it’s magic because you get to, you get to year two and year three.

Adam Goslin
And what I see consistently is the next year, I’ll hear more. I can’t tell you how many times that I’ve done, like, I’ve done a risk assessment for an organization. I’m on year five. Okay. And, and I’m done in year five.

Adam Goslin
I’m somebody, somebody finally trust the process enough to reveal fill in the blank, right? I don’t work there. I don’t know what they’re doing on a day in, day out basis, how they’re handling it, what the risks are, et cetera.

Adam Goslin
I’m just trying to do my, my best to, you know, to, to try to extract this. Right. And year five, I’m still finding out new stuff. Cause somebody finally, you know, finally kind of got the, got the memo that no, they’re not going to get too tossed into a lion pit or something over it.

Adam Goslin
So, so yeah, that, that’s probably all the way around establishing, you know, kind of a, a, a good level perspective, you know, within the organization, building that trust between management, the employees and, you know, and the, the organization doing the risk assessment, that’s key.

Adam Goslin
Because it really in the grand scheme of things, it just helps that, that company to be able to, to just get better and better and better as they go, as they go over time. And especially if they take the net results of that, of that risk assessment and, and proactively address items, you know, I, I, I tell companies to say, look, take your risk assessment, right?

Adam Goslin
As soon as you walk out, like basically, as soon as you walk out of the download, you know, the Vulcan mind meld download dump meeting of, you know, hey, let’s go walk through all these from whoever did the risk assessment.

Adam Goslin
As soon as you finish that schedule, a meeting internally, go ahead and say, okay, of these risks, we want to bite off these three, you know, next quarter and, and then every quarter go in and, and choose some more off of there, you know, and whatnot, and make it more part of the DNA of the organization than, than an annual event.

Adam Goslin
And it will really, really, really pay off in spades. Perfect.

Todd Coshow
Adam, I can’t thank you enough for that and I’m sure everyone who’s staring down the barrel of their next risk assessment, who listened to this podcast, is feeling the exact same way. That is all the time we have today for this episode of Compliance Unfiltered.

Todd Coshow
I’m Todd Coshow

Adam Goslin
And I’m Adam Goslin. I hope we helped get you fired up to make your compliance suck less.

