Tuesday, March 18, 2025

How ProcessUnity’s Todd Boehler Sees the Future of GRC

ProcessUnity CSO Todd Boehler discusses 25 years of GRC evolution, the rise of TPRM, proactive risk strategies, AI/ML in compliance, and ProcessUnity’s differentiators.

Todd Boehler, Chief Strategy Officer at ProcessUnity, brings a quarter-century of GRC expertise to the forefront of our conversation. From witnessing the evolution of risk management from manual processes to AI-driven solutions, Boehler offers a unique perspective on the industry’s pivotal shifts. We delve into how GRC has transitioned from a broad compliance bucket to a strategic business driver, particularly in Third-Party Risk Management (TPRM). 

In this interview, we explore ProcessUnity’s proactive approach to anticipating emerging challenges, the impact of customer feedback on product development, and the company’s strategy for integrating AI/ML responsibly. Join us as we uncover the pressing issues in TPRM and the future of GRC in a cloud-dominated world.

Excerpts from the interview:

From 25 years in the GRC business to CSO, you’ve witnessed over two decades of GRC evolution. What are the most pivotal shifts, and where is the landscape headed?

GRC is an acronym that has many meanings for many people. Companies traditionally treat GRC as a catch-all for anything related to organizational risk and compliance. These programs were largely manual and varied in adoption, from those owned by auditors to companies implementing 3LOD models (3 lines of defense). GRC has evolved from these standpoints to tie business value to specific functional areas, namely, Third-Party Risk Management (TPRM). As a result, TPRM has seen huge improvements in technology and automation to ascertain risk understanding inside the organization and across all integrated third parties. The future will focus on enabling efficiency and a strong corporate culture for risk and compliance awareness, driving data and automation to eliminate manual, point-in-time activities. Plus, as AI is adopted and applied to empower teams, we’ll continue to see greater efficiency developments. 

How does ProcessUnity’s product roadmap anticipate—not just react to—emerging risk and compliance challenges?

ProcessUnity’s roadmap development relies on an outside-in approach to innovation. As a customer-first organization, we listen to our customers, third parties, exchange members, and our wide array of partners and industry/regulatory experts to understand: 

  1. The state of risk and compliance, including the most pressing challenges,
  2. How can we anticipate the needs of our customers to enable their growth? 

We know that business is increasing rapidly and that change is continuous. Unexpected risk is a given. We operate with a deep awareness of these challenges embedded in our customer-centric design strategy. This strategy breeds investment-proof solutions that stand the test of time and variability. 

Can you share a specific instance where customer feedback directly shaped a ProcessUnity product or strategy?

We have a member of our customer advisory board and a Fortune 50 financial services firm that leverages ProcessUnity for enterprise-wide third-party risk management. They’ve shared their challenges in developing GenAI tools and use cases that will support their third-party risk program. We aligned our investments with GenAI and were able to partner with them to ensure our strategy would satisfy their requirements for unstructured evidence analysis. This type of customer feedback and partnership is a key ingredient to our roadmap investments and a major influence on our design strategy.

Given the cloud’s dominance, how does ProcessUnity address its clients’ inherent security and compliance anxieties?

In looking at enterprise risk domains, cybersecurity and third-party risk are the largest and most complex, requiring the most inspection and understanding. The ProcessUnity Global Risk Exchange, a part of our solution suite, includes cyber risk data on the top SaaS and cloud providers. Clients can quickly consume risk profiles and assessment information that help them gain assurance that their data is protected and that their cloud providers and vendors are aligned with their control standards. With proper authorization, these providers can share their security profiles with their customers in a community-led effort to reduce vendor fatigue, increase client visibility, and reduce redundancy.

What’s the most pressing, yet perhaps under-discussed, challenge in third-party risk management, and how is ProcessUnity tackling it?

The most pressing challenge with third-party risk management is the time it takes to gather and evaluate third-party risk data. Companies need this data to reach a business decision. Still, with large vendor populations, complex data that requires a subject-matter expert review, and limited resources, organizations struggle to get a complete picture of risk. They’re forced to choose between coverage and completeness while not placing a burden on the business. ProcessUnity works with clients to understand the current state of the TPRM process in their organization, then helps them mature their program to reduce cycle times by up to 85%. We help customers achieve these results by providing automated risk profiles for 100% of third parties, enabling a complete risk evaluation across the portfolio. Additionally, we see the ability to stay ahead of emerging threats and vulnerabilities in the extended vendor ecosystem as a pressing yet under-addressed issue. This year, we released an innovative Threat and Vulnerability Response solution to help our clients build a best-practice process around this challenge. 

Ultimately, the confluence of emerging risk severity and high reliance on third parties means that TPRM requires technology, automation, and data covering multiple business functions to present identified risk to the right person at the right time and monitor this activity to meet compliance requirements and pass audits. ProcessUnity delivers on all these requirements while enabling clients to achieve a mature, best-practice TPRM program.

How will AI/ML reshape GRC solutions, and what’s ProcessUnity’s approach to integrating these transformative technologies?

ProcessUnity is driving industry leadership and transformation through proven value and applied innovation. While there are many small startups in AI/ML, it is not as simple as launching a GenAI tool using a public LLM; the use case needs to be well thought out, securely delivered, and compliant with customer policy. It should also seamlessly integrate into the process it intends to help. The risk of poor AI implementation is introducing greater complexity into a function already drenched in complexity. ProcessUnity has invested in responsible AI driven by our data science department. The team gathers business requirements and develops integrated models that scale while protecting customer and third-party data. With this knowledge, our AI/ML technologies are incorporated into our core product offerings, simplifying adoption and maximizing time to value.

In a crowded risk management market, how does ProcessUnity differentiate itself, particularly with offerings like the Global Risk Exchange, and what are your strategic growth priorities?

ProcessUnity is the only provider in the market that provides a 360-degree view of third-party risk with data, AI, and automated workflow. We support the largest, most highly regulated companies globally and have translated that experience through our out-of-the-box best practice programs. Our focus, which we are successful in, is to help all customers accelerate their programs and gain the most out of their third-party relationships. From a data perspective, we provide attested and validated assessments from highly sought-after third parties and automated risk profiles incorporating predictive analytics and firmographic analysis to give companies a rapid, up-to-date understanding of risk. As we further our growth strategy, we plan for continued investment in enriching this data by considering multiple risk domains and external intelligence. In addition, we will continue to invest in GenAI to ease the burden of reviewing vendor assessment responses. Finally, we will invest in the third-party experience to provide and maintain their data, improving collaboration between our clients and their business partners.
