GRC Keynote: Understanding the Neuroscience Behind Poor Thinking
"What would it mean for you if you could use significantly more of your brain power?" asked workplace psychologist Jason Jones, in his Tuesday keynote presentation, "The Neuroscience of Leadership and Performance." After spending more than 20 years studying human motivation, performance, and workplace engagement, his goal is to help clients around the world correctly leverage the power of their brains to work better and succeed.
The brain is a remarkable organ, Jones said. While weighing only three or four pounds, it contains more than 80 billion neurons that continue to make trillions and trillions of neural connections all the way up to death, as well as enough blood veins to wrap around the world four times. However, the functions of the brain in certain situations often result in poor chemistry that inhibits a person's ability to think well.
According to Jones, there are two primary types of brain chemistry that result from the mixture of neurochemicals. One type is threat chemistry, which consists of cortisol and adrenaline, both of which are designed to keep people alive in moments of danger but also give them feelings of fear, loss, hopelessness, embarrassment, and confusion. Thrive chemistry, on the other hand, involves the mixture of dopamine and oxytocin, which gives people feelings of empowerment, confidence, openness, hope, and excitement, while also allowing them to bond and collaborate with others.
To increase emotional intelligence and supercharge cognition, it is important in times of stress for people to step back and check their brain chemistry, Jones said. For example, they should ask themselves how they are feeling, if they are upset, and if they are in a poor chemistry environment, and take actions to improve it.
One of the best things one can do, according to Jones, is just breathe; studies show that just taking 15 seconds to breathe four or five times is enough to bring a person's neurochemistry back into balance. People can also improve their cognitive fitness by getting enough sleep, drinking plenty of water, taking breaks during the day, exercising, and even just going on vacation to rejuvenate the mind. — Logan Wamsley
Evolving Into the Internal Auditor of the Future
In Tuesday's midday session, "Internal Audit Evolution by Unnatural Selection," Julio Tirado, director of internal audit for SpiritBank, proposed that internal auditing needs to modernize learning practices, anticipate learning goals, and prioritize competitiveness.
To modernize learning practices, Tirado recommended modular learning programs, such as Massive Open Online Courses and virtual labs. Additionally, he advised internal audit functions to have their own innovation labs where they can incubate ideas and learn by experimentation.
Tirado said internal auditors must evaluate their own performance and competencies, invest in their professional development, and prioritize the skills they wish to develop as part of a personal strategic plan. To position themselves as the internal auditors of the future, Tirado outlined several examples of plans for building competencies in the basics of computing, hardware and software, networking, cybersecurity, and programming.
He noted that The IIA and ISACA offer courses and certifications for IT fundamentals and IT general controls auditing. Even if they haven't obtained the full certifications, Tirado said internal auditors can learn from the study guides, videos, courses, and similar preparatory materials developed for those credentials.
For a deeper dive into cybersecurity, Tirado described resources from CompTIA, IT Pro TV, Cybrary, Udemy, and ISACA CSX. Many of them offer experiential virtual learning labs for hands-on learning.
Internal auditors should have fundamental coding and programming skills, as well, Tirado said. To start, he recommended learning the Python programming language because it is relatively easy and popular in web and mobile app development and can be used with ACL and IDEA data analytics software. Python can be used as a building block for data science, visualization, artificial intelligence, machine learning, and robotic process automation.
Advice for Mitigating Third-Party Risks
Today's global companies may have hundreds or even thousands of third-party relationships. While any of these business partners can introduce risk, not all relationships are equally risky, said Natasha Williams, senior manager for Global Compliance at Bio-Rad Laboratories.
During a session titled "Executing Third-party Audit Rights," Williams offered tips on setting up and monitoring third-party relationships to ensure companies have the upper hand. "Compliance and regulation requirements are not only for our country but for any business partner," Williams pointed out.
Organizations that do business with untrustworthy third parties could find themselves facing fines, losses, litigation, sanctions, or negative press. For publicly traded companies, a violation of the U.S. Foreign Corrupt Practices Act (FCPA) is particularly damaging. "Once you have an FCPA violation and fine, it's out there. You always have to explain your way out of it."
The remedy lies in a robust risk assessment process, due diligence, and well-written contracts with a right-to-audit clause, Williams said. For instance, she recommends creating a scored risk profile for each partner, dependent on factors such as geographical location, level of corruption, and whether the partner has a compliance program. Scores can also include answers from due diligence questionnaires and a standard country perception index score.
For more important partners, external as well as internal due diligence may be necessary, Williams said. External due diligence is conducted by vendors in the third party's home country. These companies can provide more detailed research, are aware of hidden risks, and can conduct ongoing monitoring of third parties.
Williams also underscored the importance of well-structured contracts, with a clear definition of the services to be provided, agreements to allow reviews and audits to be conducted, reporting expectations, and compliance and anti-corruption requirements. Although some vendors will give reasons why they don't need to be audited or try to limit the scope of an audit, Williams cautioned the audience not to let them do that.
"Always include audit rights in the agreement and a contract that gives you the leverage," she said. — Christine Janesko
Organizational Transformation With RPA
An afternoon session, "Adding Value Around Your Organization's Digital Transformation Initiative," discussed how Ciena, a telecommunications equipment and software services provider, implemented robotic process automation (RPA). Ciena wanted to move into data analytics and away from data sampling, freeing field auditors from mundane tasks, said Rocco Imperatrice, the company's director of global internal audit. At the same time, Ciena's audit committee wanted more use of analytics.
The project made little headway, and at the end of 2019, internal audit reallocated personnel and resources, Imperatrice said. The company tasked Amanda Speaks, from Ciena's internal audit department, as its digital transformation expert. It also brought on board RTM, an audit, tax, and consulting services provider, and Automation Anywhere, an RPA software developer. With the end of the budget year looming, the team faced a two-and-a-half-week deadline to develop RPA tools.
During the GRC 2020 presentation, Robert Herman, director of risk consulting robotics and intelligent automation leader at RTM, said the team established goals, including creation of a component library of processes that could be reused, involvement of as many key systems as possible, the provision of hands-on training to Ciena staffers who would become "citizen developers," and the development of a proof of concept. Getting key stakeholders on board, including IT, was crucial, he said.
Speaks worked with RTM and Automation Anywhere to develop 14 automation components and the proof of concept. The proof of concept uses a bot to check the accuracy of shipment and delivery dates, replacing the time-consuming manual pulling and entry of waybill data. Other bots created by Ciena's citizen developers are used by corporate security to track expense reports and IT tickets, and to issue status reports.
Among the lessons learned is that it is easy to get started with RPA because it is not especially expensive and free options are available, Speaks told the session audience. IT buy-in is crucial for scalability. While RPA is not a cure-all, it can fill specific gaps where the process is well suited to automation, she said. — Geoffrey Nordhoff