Thriving In The Digital Age

Thriving In The Digital Age: Wes Carrington and GRC

July 01, 2024 Joe Crist Season 1 Episode 1

Wes Carrington, an expert in governance, risk, and compliance (GRC) and artificial intelligence (AI), discusses the challenges and opportunities in the GRC and AI industry. He highlights the rapid pace of technological advancement and the need for responsible and ethical AI systems. Wes also emphasizes the increasing complexity of regulatory compliance requirements and the importance of robust GRC frameworks. He mentions the rise of cyber threats and the need for comprehensive cybersecurity measures. Wes concludes by discussing the future of GRC, including the integration of AI, the importance of continuous learning and adaptability, and the power of collaboration.

  • The rapid pace of technological advancement in AI and machine learning offers tremendous potential for enhancing GRC frameworks but also introduces new risks and complexities.
  • The increasing complexity of regulatory compliance requirements requires robust and adaptable GRC programs that can seamlessly integrate with existing operations.
  • The rise of cyber threats necessitates comprehensive cybersecurity measures, including technological defenses, employee training, and third-party risk management.
  • Opportunities in the GRC and AI industry include using AI and machine learning to enhance risk management processes, focusing on ethical AI and responsible development, adopting advanced GRC platforms and solutions, and integrating environmental, social, and governance factors into risk management strategies.
  • Continuous learning, adaptability, resilience, innovation, ethical considerations, and collaboration are key skills and mindsets for success in the GRC and AI industry.

Joe Crist (00:01)
Welcome to Thriving the Digital Age, your go-to guide for navigating the ever-changing world of business, technology, and innovation. I'm Joe Crist, your host, a seasoned entrepreneur and a tech enthusiast, here to connect you with the leaders shaping our future. Discover the secrets of Thriving the Digital Age. Each week, dive into practical insights, cutting-edge strategies, and the latest trends to help your business not just survive, but truly thrive in today's digital world. Don't miss out on the chance to get ahead. Subscribe now for weekly insights that will empower your business to succeed in our fast-paced digital landscape.

Today joining us is Wes Carrington. He's an expert in governance, risk and compliance, and artificial intelligence. Wes, could you please introduce yourself?

Wes Carrington, MBA, CLSSMBB, CTPRA, GRCA, GRCP (00:46)
Yeah, hey everyone. Again, my name, as Joe mentioned, is Wes Carrington. I am a Lean Six Sigma Master Black Belt as well as a GRC auditor, certified third party risk assessor and GRC professional. My background stands, I am also a Purple Heart recipient and medically retired Marine Corps veteran. Presently, I serve as the Chief Risk Officer for Give Technologies. Our organization is dedicated to leveraging cutting-edge technology to enhance governance, risk management, and compliance (GRC) frameworks.

So over the past decade, I've been able to establish myself as a technically savvy strategist and tactician within the fields of GRC, AI, and compliance to include risk management. My experience spans across various industries where I have worked alongside clients as a trusted advisor, consultant, and subject matter expert.

My journey in these fields has been driven by a passion for cultivating data-driven consensus in collaborative environments and ultimately introducing actionable improvements that bolster my clients, partners, and customers' operational frameworks while also maintaining compliance and the support through established requirements. And thank you again for the introduction.

Joe Crist (02:03)
Wow, that's pretty interesting background. So Wes, with that, where do you see the challenges in the GRC and AI industry as well as the industries you serve?

Wes Carrington, MBA, CLSSMBB, CTPRA, GRCA, GRCP (02:18)
You know, that's a really great question and it's really multifaceted. So the challenges, Joe, that I see in GRC, AI and not really agnostic of, but still with the risk management industries are really multifaceted and continuously evolving. Joe, one of the most significant challenges is the rapid pace of technological advancement. Should you understand being in digital transformation as a matter of expert fare, right? Particularly in the AI and machine learning areas as well.

And so, Joe, while these technologies offer tremendous potential for enhancing the GRC frameworks, they also introduce new risks and complexities. Ultimately, ensuring that AI systems are developed and deployed responsibly, ethically and in compliance with regulatory standards is ultimately paramount to any and all partners, clients, and customers I have been able to support throughout my career.

Another challenge I'm seeing is the increasing complexity of regulatory compliance requirements. Organizations must be able to navigate in today's age a labyrinth of regulations that vary by industry and geography. This complexity often leads to compliance fatigue, whereas organizations struggle to keep up with ever-changing requirements. The need for robust, adaptable programs that can seamlessly integrate with existing operations is more critical than ever.

And furthermore, the rise of cyber threats, as we know, presents a persistent challenge. As cyber attacks become more sophisticated, organizations must bolster their cybersecurity measures to protect sensitive data and maintain operational integrity from both their internal and external stakeholder perspectives.

This requires a comprehensive approach that includes not only technological defenses but also employee training and awareness programs. And to round it out, Joe, the integration of these third-party vendors and partners adds yet another layer of risk. Managing third-party risk through vendor management strategies is more critical now than ever in that it effectively requires a thorough understanding of the vendor's operations, their ecosystem, security posture, and compliance status. Continuous monitoring mechanisms and assessments are essential to mitigate these risks and ensure that third-party relationships do not become a weak link in the organization's GRC framework.

Joe Crist (05:05)
Wow. So it's, but it was GRC is felt everywhere inside the organization. Right.

Wes Carrington, MBA, CLSSMBB, CTPRA, GRCA, GRCP (05:10)
It is. I mean, every level. I mean, even from an internal audit perspective, I mean, think about the three lines of defense model, right? I mean, you want to make sure this first, second, and third line of defense are always going to be cross-training, having the continuous monitoring through not only just tools, but again, the integration of other teams into the internal audit GRC strategy, because ultimately these are board-certified programs for the most part. And so making sure that even say in the FinTech industry, making sure that your retail bankers, make sure they understand what is coming from the internal audit, enterprise risk management, MGRC officers within the state organization.

Joe Crist (05:53)
Okay, no, I mean that makes perfect sense. So I like that you mentioned the idea of three layers of security. That'd be defense in depth, right? Where you have one layer after another reinforcing itself. Could you give me a couple examples of what that would actually look like? And you mentioned finance. So what that would look like in finance, kind of as for the audience.

Wes Carrington, MBA, CLSSMBB, CTPRA, GRCA, GRCP (06:15)
Yeah, so it's really dig down to what that would look like in from a finance model. We're talking defense in depth. You know, I know a lot of us here this thing going on is the term of people process technology, right? That people process technology triad and you know, it doesn't come from a place or from time to time but is true to every organization even again, then takes in the financial industry and that sometimes have lags in.

say the technological deployment and the training that should be going on simultaneously with the deployment of that, even from say like a core replacement, right? Doing a full core replacement. And I've seen a lot of organizations trying to adapt with the digital age and trying to evolve their financial services organization to a true FinTech. And the true lag, so to speak, or the gap always comes down to the most critical component of the equation, Joe, and that is people. That is our

that are our team members, our staff, our interns, and even from my former mention was the third party risk perspective. I mean, many fintechs, I'm sure in your experience, as well you've seen that the contractor ecosystem, they help get projects done and done in time and done ultimately to the board and cease expectations is more critical than ever as well because again, they have to make sure that

continuous monitoring and deployment of new mechanisms, tools, applications and the like. That needs to be something that is at again a board certified type of initiative because if it's found a lot of shadow AI and even shadow GRC, so to speak, when you have these technological deployments in a fintech, so to speak, because you have say information security deploying something over here, but it ultimately isn't good for the organization, right? It's good for information security for the short term.

Well, again, depends on the death model. It's not just about a lot of tools in place. You've had to have governance with the human capital.

Joe Crist (08:19)
I 100 % agree with that. And I see one of the biggest challenge with that when you actually do start using a lot of third parties, it's, as you mentioned before, the shadow GRC, there's a lot of misalignment on governance policies because everyone has their, what they're doing themselves, but also how they interpret. When there's not a lot of alignment on that, then you start to see little holes and things fall into the crack, which obviously put the organization at risk, whether it be finance, pharmaceutical industry, or even government.

Right? It's, it's a really big challenge to manage a large organization with a very strong GRC presence because as you start bringing others in, it just becomes disconnect. Right?

Wes Carrington, MBA, CLSSMBB, CTPRA, GRCA, GRCP (09:03)
Well, and to your point also, Joe, within the financial services industries and FinTech specifically, I see the incumbent hiring and or the sourcing of GRC subject matter experts more than ever. GRC a decade ago, that was something that external consultants were providing intelligence and insights to organizations around. Now, it's not just one person's job. Yes, you have a subject matter expert that you want internally or in the or if you're even externally sourcing, bringing a consulting in again, making sure communication is there, right? Because it can fizzle and fizzle. You have these brand new tools. You have these different training sessions. But if it doesn't actually take a concrete type of form in the organization, again, you're going to find constant gaps, constant shadow GRC gaps. And that comes down to what does the performance of the organization look like? Because GRC is a business problem at the moment, but also a business opportunity.

Joe Crist (10:18)
Absolutely. So with that, that's very interesting. I think that really does bring up the question. It's what solutions or opportunities can those in our audience and companies bring on or start implementing to actually help with their GRC practices?

Wes Carrington, MBA, CLSSMBB, CTPRA, GRCA, GRCP (10:35)
Actually a really good question and I thank you for bringing that up, Joe. So despite the challenges GRC with AI and the risk management fields across industries for those watching the AR audience, one of the most exciting opportunities lies in the use of AI and machine learning to enhance risk management processes and internal control.

AI can analyze vast amounts of data to identify patterns and anomalies that human analysts might miss. Again, going back to the balance of the human capital component with the governance balance within the organization. This capability can significantly improve the accuracy and efficiency of risk assessments, analyses, and compliance monitoring and the like.

Another opportunity I'm seeing is the increasing emphasis on ethical AI and responsible development. As organizations recognize the importance of building trust with stakeholders, again, both internal and external, there is a growing demand for GRC and AI systems that are transparent, fair, and accountable. This shift presents an opportunity for GRC professionals to play a pivotal role in guiding the development and implementation of ethical AI and GRC integrated frameworks.

The adoption of advanced GRC platform and solutions is also a significant opportunity in that the opportunity lies, GRC is the umbrella of enterprise risk, of integrated risk, and the operational and financial risk for those in the fintech and financial industries. And so, ultimately, these platforms can streamline processes, automate routine tasks, and ultimately provide the real-time insights into an organization's risk landscape and posture. By leveraging these tools, organizations, and our audience watching today, you can enhance your ability to manage risk proactively rather than reactively and respond swiftly to emerging threats.

And to build on that, the focus on environmental, social, and governance factors, ESG factors, is creating even new avenues for GRC professionals and subject matter experts and the like. As investors and consumers increasingly prioritize ESG considerations, organizations must integrate these factors into their risk management and operational risk management strategies.

This trend offers an opportunity for those subject matter experts within an organization around GRC, internal audit and enterprise risk to contribute from an AI ESP perspective to sustainable business practices and drive long-term value creation. And I think lastly, the circuit allowed the growing importance of cybersecurity, Joe, presents opportunities for professionals with expertise in both GRC and cybersecurity. As organizations seek to protect their digital assets and comply with cybersecurity regulations, there is even more than high demand from professionals who can bridge the gap between GRC, IT security, and IT risk within multiple industries. This convergence of disciplines offers many exciting career prospects for those with the right skill sets.

Joe Crist (14:23)
You know, you brought up something really interesting. So obviously with the economy, the way it is, everybody is looking for a job that pays well. and obviously GRC is very needed, right? It's not just the ability to make sure you're doing the right thing, but it's also how to protect yourself and something happens. Right. It's a way to mitigate risks. So as you mentioned before, you talked about, you know, career skills, right? How, how to build like.

the perfect GRC cyber person. So kind of give me an example of what that would look like just for those in the audience who are actually looking to occur like this and so they know where to start.

Wes Carrington, MBA, CLSSMBB, CTPRA, GRCA, GRCP (15:01)
Yeah.

So I gotta say, and I'm gonna take a step back here, so my first, if you will, encounter or experience with GRC was while I was still in the Marines. In the Marines, I helped with operational risk, as well as geospatial risk, and GRC, governance, risk, and compliance, those terms fluttered around a lot, but they were never together, right? It was never GRC. It was, how are you gonna assess, analyze, or prove upon, and...

Ultimately enhance our total warfighter power overseas by assessing the governance risk and compliance facets of geospatial operational risk strategies for units Deploy both CONUS and outside the United States so kind of driving myself forward to address your question Joe For those who are really looking to kind of get their feet wet so to speak or just totally jump on in and be a pure GRC practitioner

a good start is to look at either your CompTIA Security Plus certificate, that's really good way in. They teach a lot of good GRC and then blended IT security strategies now. You can also where I started at with the Open Compliance and Ethics Group, OCEG, currently serve on the board for their GRC professional and GRC auditor approval certifications for following individuals who do what I actually take the exam and undertake the actual course with the associate knowledge relevant and such. And so I gotta think probably the good shoe in the game would probably be the CompTIA Security Plus and or the GRC professional because both are really going to give you what you need to be able to establish a really good baseline for a GRC, IT security, IT risk, enterprise risk career. Because there's so many avenues and so many certifications out there, right? We want to make sure you focus on the right thing.

And for those who are more mid-career and make a shift or feel a bit stagnant or plateaued, a good way is not only to take the information I just shared around the CompTIA Security Plus and GRC Professional through OCEG, is to look at doing your CRISC. CRISC is a great point to get in as well. Also your CISSP for those who are more mature within the cybersecurity space and want to start really, really digging into what cybersecurity and GRC means for the organization. And the CISSP will definitely take you there as well. You know, many consider it the gold standard cybersecurity in the world. And I got to say, from a GRC perspective, I got to say I support that as well.

Joe Crist (17:56)
Okay, well, I love that. So yeah, it's when it comes to education and really breaking into the field sort of a case in some other way to go. I know what the.

Wes Carrington, MBA, CLSSMBB, CTPRA, GRCA, GRCP (18:02)
Yeah, I think the next biggest piece there, Joe, is why you wouldn't remain certification driven. Seek out internships, seek out mentors, network. Networking, as we all know, I mean, we've all heard it right, your network is your net worth, right? And so what you can bring to the organization, I mean, there have been so many opportunities that have been presented to me in my own career. I mean, it's so very thankful. I mean, I've had clients that

I worked with 10 plus years ago that are now CISOs at an organization and brought me on as an external consultant to help with their GRC strategy and GRC tool deployment. So it just really is about again, digging your heels, not only in the education aspect, Joe, but also to our audience, making sure that you are also looking to make a full jump into the GRC space. Again, network, network. I mean, in leading tools, like again, an omni-channel approach.

going to the organization's page via LinkedIn, following, speaking with a hiring manager, following the application on LinkedIn. Recruiters and hiring managers, they love that. They love it. They want to see proactive candidates that are seeking to help fulfill and ultimately augment and improve their organization's performance, whatever that looks like for that specific use case and scenario.

Joe Crist (19:25)
Nice, very cool. You know, that's a big, that's great, right? That's a, as organizations change, they need to be hiring the right people and have that right practices and policies in place. What's going to find interesting too, and a conversation I just had recently with somebody was the rate the world is changing, right? If you look at the last four years of life on earth, how much has happened, right? So with the world moving as fast as it is and things changing,

What does the future look like for GRC from what you experience and what you think your clients may experience and just the world in general?

Wes Carrington, MBA, CLSSMBB, CTPRA, GRCA, GRCP (20:06)
You know, you made a good point there about, you know, the last four years really just kind of turned the world on its head, right? But if anything, the last four years have exposed the concrete and tactical gaps and ultimately the measures that need to be put in place from a GRC perspective. GRC in the last four years, there's no longer a conversation amongst the C-suite, amongst the board.

Joe Crist (20:13)
Bye.

Wes Carrington, MBA, CLSSMBB, CTPRA, GRCA, GRCP (20:32)
amongst the team internally or at a department level, it made it to where organizations have to implement a GRC strategy because, again, we're changing regulatory compliance aspects of the adherence thereof. I mean, organizations have to be able to evolve and pivot on drop of a nail, right? Like that. I mean, and so...

GRC and integrated risk management approach. I mean that has been most successful because again now it's almost laid out for you, right? Because like the last four years again, I've really shown how our consumer base, right? So those again external stakeholders here, shareholders, your customers, consumers, clients, partners and the like, again, they are helping to drive organization strategy now. Like from my former point around ESG.

I mean, in the environment of social governance has become, I mean, top mind for consumers from many organizations. I mean, their end users are thinking about that first before they seek out a service or seek out the partner. They are looking at what does that organization's ESG footprint look like today and moving forward? And what are they doing to support those measures to put them in place?

Joe Crist (21:52)
Right. So, you know, from the sounds of it, I do work a lot with, with, you know, agile practices. It sounds like GRC couples actually perfectly with business agility. Right. So because the world does change so fast actually having that agility to change your governance, the, the understand of risk and, and be not just reactive, but proactive about it, right. And getting ahead of it and also ensuring your compliance stays compliance because

You know, regulations do change and having that awareness will really, really help with keeping your company in the paper for the right reasons. Right. So, no, but that's really interesting. So when it comes to, I guess, the people looking for careers in the GRC field.

Wes Carrington, MBA, CLSSMBB, CTPRA, GRCA, GRCP (22:32)
Absolutely.

Joe Crist (22:46)
Is there anything that I guess future looking right where it's these skills are going to become it's more needed. Like I imagine things with like AI, like I understand how to use AI tools and there's a lot of good GRC tools out there as well. But like having that knowledge, I imagine will be pretty useful for getting there the next gig.

Wes Carrington, MBA, CLSSMBB, CTPRA, GRCA, GRCP (23:05)
Absolutely.

Right, absolutely. Well, and to build on that as well, Joe, I mean, knowing what the balance between GRC and AI deployment looks like from an external perspective, and I speak specifically to many of the consultants, right? Many organizations who are in the consulting and advisory space, no matter, and then even more preface this, more cross industries, right?

and building on our last time, the last four years, speaking from the external shareholder perspective or external stakeholder perspective, they're expecting even more now from consultants coming in to help support or resolve an issue to enable and empower business efficiency and resiliency and agility. So no longer can the consultant, unfortunately, and I'm sure you've seen in your time as well, Joe, it's from a digital transformation perspective also that

the consultant effect, they come in to solve a part of the problem, they put a bandaid on it and then they leave. And so then GRC, if they're solving or helping to support a brand new, say, issue management tool to help support GRC within the organization. Well, now the tools, they've helped deploy it. Who knows how to use it? Are the access rights pretty proper? Are the CUECs, complementary user entity controls, in place proper to be supporting that?

And have they actually truly solved the business's need? No, they haven't. Right. So I think for a lot of organizations and consultants alike, it has made us that much more accountable. And personally, I love that because you're constantly learning in the process, right? It isn't just leaving this problem and moving on. It's not about how can I build with you, right? Not build something for you and give it to you.

Joe Crist (25:02)
Yeah, the idea of a partnership, right? And that's not only good for the client because now they have that resource that they can always tap into and there's that growth they have together. But it's also good for the consultant as well because obviously they have continued business, right? And it really does help consultants who want to do good in the world and like really do want to help their company partner with as opposed to... Exactly.

Wes Carrington, MBA, CLSSMBB, CTPRA, GRCA, GRCP (25:22)
still be.

Right, becoming that trusted advisor and partner to the organization.

Joe Crist (25:29)
Yes, and I think that's a very critical move that a lot of the consulting industry needs to push towards where it's we are not a

solution provider or a solution partner.

Wes Carrington, MBA, CLSSMBB, CTPRA, GRCA, GRCP (25:42)
Absolutely. You don't get looked at as a vendor, right? You get looked at as somebody who is actually critical to the business.

Joe Crist (25:51)
Absolutely. I love that. And I really, I do see some of that now and I'm really glad a lot of things in the industry is moving towards that direction.

Wes Carrington, MBA, CLSSMBB, CTPRA, GRCA, GRCP (26:00)
Well, I mean, being that solution partner, that trusted advisor, Joe, I mean, you're able to come in and get no longer be the bandaid, right? You're going to come in and truly again ensure that organizations posture is fit to their vision, right? Vision strategy and tactical appointment alignment, right? And understanding that helps organizations who are seeking the partner with their future clients and such.

Again, be viewed as a subject matter expert versus again, somebody who just put something, put a bandaid on a problem and then put it back up on the shelf and let it get dust.

Joe Crist (26:43)
That is so, so true. You know, we covered a lot today and you know, I definitely feel smarter now after talking to you. So with that, for the audience, I want to give them something from you, right? What's one piece of advice that you could give our audience? It doesn't have to be related to GRC or anything else, but what do you think would benefit our audience the most today?

Wes Carrington, MBA, CLSSMBB, CTPRA, GRCA, GRCP (26:51)
Yeah.

Again, multifaceted my parting advice, we did cover a lot of really, really great critical aspects of being a GRC professional and the opportunities within the space and what it looks like to make people process technology perspective. Joe, as we navigate the complexities of the GRC AI and risk management landscapes, both present and moving forward, it's just holistically

Joe my into the audience my parting advice is to embrace continuous learning and adaptability and and you heard me right Continuous not continual right continual only for a set period of time continuous learning and adaptability the pace of change in our Inter

to the networking opportunity earlier to get into the GRC space. And again, that comes from seeking to get into those opportunities to expand knowledge and skills, whether through those formal certifications, training program, and or self-directed learning. Another piece of advice here to the audience is to cultivate a mindset of resilience and innovation. That is key.

because challenges and disruptions are ultimately inevitable. It's a matter of not when, but the timing thereof, right? Because it's going to happen, unfortunately. But being able to be proactive there in that they present opportunities for growth and improvement, right? You get what's called failure analysis and you get lessons learned strategies behind that. And so approaching these challenges, everyone, to...

with a solution oriented and solution partner based mindset, don't be afraid to think outside the box. I mean, because that's what GRC is becoming. It's so blended in the organization now. And it's become sticky, so to speak, right? And it's a part of it. And so innovation often arises from the willingness to explore new ideas and be able to take calculated risks. Additionally, prioritizing ethical considerations

all aspects of your work. The decisions that we make as GRC, subject matter experts and professionals, they have far reaching implications, some even further than we can even see in the black and white. And it is our responsibility to ensure that our actions uphold the highest standards of integrity and accountability. And through fostering a culture of ethical behavior and responsible decision making, we build trust with stakeholders and contribute to the long-term success of our organizations.

Lastly, never underestimate the power of collaboration. The complexities of GRC and AI cannot be navigated alone. Building strong, trusted relationships with partners, colleagues, and clients leverage their expertise and perspectives.

By working together, we can achieve ultimately greater outcomes and drive meaningful change in the GRC AI and risk management fields. And again, thank you everyone for the opportunity to be able to share my insights today. I do look forward to continuing the conversation here with Joe and exploring the future of our industry together.

Joe Crist (30:47)
Thank you so much, Wes. And everybody, that was Wes Carrington. As I said before, he's a GRC and AI expert. I want to thank the audience for coming out, watching our show. Tune in next week, we have another exciting episode. And keep on thriving at digital age.

