Blog Post
Q&A: Modernizing and Prioritizing a Governance, Risk and Compliance Strategy
This Q&A with Senior Managing Directors Mike Carter and Michael Spadea, co-leads of FTI Technology’s Risk & Compliance practice, covers common challenges in today’s environment, and what clients need to watch for when implementing new tools and procedures for governance, risk and compliance.
Mike, Michael, collectively, you both bring significant in-house and consulting experience to FTI Technology, across privacy and compliance domains. Can you share the highlights of your background in the GRC space specifically?
Spadea: My background spans working as a global privacy counsel at Barclays and leading regional data risk and privacy practices at a Big Four consulting firm. I’ve built and scaled practices that navigate complex regulatory landscapes, including GDPR, CCPA and HIPAA, and have developed compliance frameworks and led strategic governance initiatives for Fortune 1000 clients.
Carter: My most memorable work in the risk and compliance space often relates to advisory or in-house compliance roles where we were able to make rapid, material improvement to compliance programs that were experiencing significant regulatory issues. Building up the effectiveness and defensibility of compliance programs tends to open up more opportunities for a business to focus on growth and the building of new products and services. As a former chief compliance officer, understanding and preparing for the tough questions examiners and regulators will ask helps me advise clients on their compliance roadmaps to maintain a strong posture and avoid violations.
Adjacent to our extensive work in information governance, privacy and security, FTI Technology’s Risk & Compliance expertise covers a lot of ground, including artificial intelligence applications for compliance, antitrust compliance programs, compliance assessments and support for implementing GRC tools. What areas are you focusing on for further growing the practice through the coming year?
Carter: There is little doubt that issues surrounding consumer protection and data protection are being prioritized by regulators more than in previous years. Deploying strong mechanisms to prevent and detect fraud and scams against vulnerable customer populations has become a critical component to business reputation and maintaining financial partnerships. Collecting, maintaining, using and disposing of customer information is no longer an adjacency to cybersecurity programs. Many global regulatory regimes and more U.S. states are enforcing appropriate handling of sensitive customer data at the operational level of business, making strong governance a critical corporate priority.
Spadea: We’re also emphasizing our focus on helping clients strengthen trust, navigate complex GRC technology and address emerging regulatory risks. This will include bringing our trustworthiness framework to more clients to help them realign stakeholder perceptions and strengthen credibility, and providing strategic guidance, operational alignment and technology enablement to provide sustainable solutions for multi-dimensional challenges. In terms of GRC technology, clients are looking for help with optimizing their investments, across the spectrum of selecting tools, implementing them, integrating systems and building more resilience into their GRC technology stack.
How does our team stand out from other providers in this space?
Spadea: Our team stands out through a unique combination of technical expertise, regulatory acumen and strategic foresight. We have deep experience working with complex data types, applications and systems in high-stakes environments, enabling us to make sense of challenging data landscapes with precision. Our data innovation lab allows us to develop, test and refine solutions in real-world scenarios, ensuring that our strategies are practical and impactful.
We also align risk and governance initiatives with our clients’ business objectives, enabling them to move faster, compete more effectively and achieve sustainable commercial success. Our deep familiarity with regulatory expectations allows us to anticipate potential challenges and build robust frameworks that reduce uncertainty, helping our clients achieve compliance while maintaining flexibility to pursue strategic goals.
What are the top issues driving our work with clients and our new solution areas?
Carter: Embracing and integrating new technology into legacy systems and programs is one of the most common challenges we are seeing. Deploying technologies to reduce residual risk, while also understanding how new external technologies are changing inherent risks to compliance and overall business growth, seems to be top of mind for many legal department leaders, CCOs and chief risk officers.
Spadea: Our work is driven by a confluence of factors impacting the risk and compliance landscape, particularly around data privacy, cybersecurity, regulatory compliance, and emerging litigation trends. Complex data privacy regulations and cybersecurity risks continue to be major challenges for most companies. Additionally, enforcement actions by the Securities and Exchange Commission and other agencies have heightened the focus on compliance with electronic communications and data retention rules. Pixel or adtech-driven litigation is another emerging concern, as companies are being scrutinized for tracking technologies that may unintentionally collect and share sensitive data, exposing them to lawsuits.
What’s not being talked about in the GRC space but should be?
Carter: Customizability and scalability of GRC tools. Many GRC technology service providers are moving towards multi-domain solutions to address AML, fraud, sanctions and third-party risks. Common issues in attempting to provide a “single compliance solution” reside in the customizability of controls, rules, thresholds and case management. Often, as companies and compliance programs grow, a lack of ability to customize how technology tools function results in more (costly) manual processes, unidentified risks and overdependency on a single vendor, which creates longer-term issues with compliance program adaptability.
Are there any major, common blind spots you think clients need to know more about?
Carter: The devil is always in the data. Common blind spots include the structure and quality of data among many disparate compliance technology platforms. Most importantly, not understanding what data is not showing in any given system, and what risks remain unknown due to data management and data model validation issues, is causing unexpected gaps in companies’ compliance efforts and operational inefficiency.
Spadea: Many organizations are using outdated, manual compliance programs that are overly complex and reactive, which delays decision-making and increases risk. Additionally, it’s common for compliance issues to be addressed in a piecemeal fashion, which causes redundancies. Leveraging technology to manage and reduce risks is a growing expectation, and regulators are now expecting organizations to use the data they have to identify risks proactively. Without modern tools and data utilization, companies risk being seen as non-compliant, even if their programs are well-documented.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.