Q&A: Wajdi Kharrat Discusses Growing Demand for Risk Management Support in France

Wajdi, it’s great to have you on our growing IGP&S team. Can you talk about your background in this field?

For more than a decade, I’ve been focused on helping clients master risk, operations and compliance. My risk management experience extends across information systems, security and a myriad of data types. Compliance—particularly GDPR compliance in recent years—and anti-money laundering regulations have been a key focus of my work, and I’ve supported clients with improving performance and processes through the use of technology across these and other regulations. I’ve held management positions in global audit and advisory firms including Protiviti and Big 4 firms and gained significant corporate experience during my time working within the internal audit head office of an international insurance group. Through these experiences, I’ve come to learn that regulation is of course a driver of change, but more, an opportunity for organisations to create new programs and add business value.

What inspired you to pursue a career in governance, risk and compliance?

I believe that data is very important in our lives and global economies, and that managing data well is equally a financial opportunity, ethical duty and essential for risk mitigation. It’s this perspective and the ability to help clients recognize the tremendous business and reputational value that transparency, trust and sound governance can deliver that keeps me interested in this field.

I started on this path early in my career. My early roles were in private equity, and given my background and education in both business and engineering, I decided to move into a position that would allow me to exercise both skillsets together. My work evolved to focus on addressing challenges and enabling change across regulatory requirements, data and information systems. As data grows in volume and importance within corporations, this dual specialty is increasingly relevant to managing risk.

You’ve worked at several consulting firms. Why FTI Technology?

I’ve known and previously worked with a number of people who have joined FTI Technology over the years, and the firm has maintained a reputation for expertise, client service excellence and a strong workplace culture. The firm also focuses on highly challenging and interesting engagements in my fields of interest across technology, investigations and governance.

In addition to FTI Technology’s depth and breadth of capabilities, the team also has a shared vision of delivering high-quality, client-first solutions and services through technology. Such a collective and clear strategy is unique in this industry and was a significant factor in my decision to join the firm.

Clients in Europe have been dealing with significant changes in IG and privacy requirements in recent years. What do you see as the largest, most persistent challenges?

The ongoing mastery of data (i.e., understanding what data is in what systems, containing it, leveraging it and protecting it) that continues to multiply in volume and diversity is becoming a universal challenge. And the issues increase in complexity within organizations that operate across numerous jurisdictions or are dealing with legacy or inaccessible systems. The difficulties around truly mastering large volumes of complex information in practice are causing many organizations to run afoul of data privacy regulations and in turn suffer fines and other penalties. Under GDPR, we’re seeing an increase in the severity and frequency of data privacy sanctions against organizations that fail to meet defensible disposal and data retention requirements, even in situations where a data breach has not occurred.

Can you talk about the IG and privacy challenges unique specifically to clients in France?

We can’t have a conversation about challenges without discussing the impact the pandemic has had on corporate governance, risk and compliance. The impacts are seemingly endless, but the recent development of France’s mandatory health pass (a certificate that proves that a person has been either vaccinated against, tested negative for or recovered from COVID-19) is of particular consequence in the context of data privacy compliance. The mandate requires businesses in certain categories (including restaurants, shopping, entertainment venues and exercise facilities) to check proof of health pass from patrons. In addition, the health pass can be mandatory for certain employees; and employers are requested to control and are allowed to collect evidence. This creates an entirely new set of sensitive data that businesses will need to process, or to collect, store and therefore protect, under GDPR. This is likely to cause unexpected headaches and new points of potential exposure for personal information.

I think organizations in France are also still adapting to the broader culture of IG that is needed to fully achieve a strong posture toward privacy. For example, the role of data privacy officer as required by GDPR is a relatively new role and is more demanding than the “CIL” role (“Correspondant Informatique et Libertés” under 1978 French Privacy Law). Another important role, especially within companies that deal with complex and large volumes of data, is chief data officer (CDO), which is also still somewhat of a work in progress at organizations that did not have privacy programs in place prior to GDPR taking effect. As organizations move toward a stronger corporate culture around governance and privacy, there’s a lot of opportunity to leverage it alongside people, process and technology to reduce risk and add business value.

What’s your philosophy regarding the use of technology to solve IG and privacy challenges? What are some examples?

Technology is a tool that supports and enhances human expertise. While the “people” part of the equation is still essential for the conception and design of programs and processes, we will increasingly rely on technology as the backbone of any initiative that interacts with large volumes of data. For example, AI and machine learning technologies can support with cataloguing sensitive information across numerous systems, or identify, investigate and analyze the impacts of a data breach.

Would you like to share anything about your life outside of work?

I love to travel, discover new places, experience different cultures and visit historical monuments, museums and parks. But the thing I enjoy most when travelling is the local food. I love trying culinary specialties and usually rank my favorite destinations based on the food: Venice for its delicious "pasta al nero di seppia" (squid ink pasta), Luxembourg for its "Kuddelfleck" (a spicy tripe dish) and Malaysia for its "Kampung nasi" (a spicy anchovy fried rice).

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.