This is a transcription of our interview with Will Anderson, CEO at Resolver.
You can watch the original video interview or tune in to the podcast episode via iTunes, Spotify and other podcast apps by searching “Risk Management Show”.
Boris: Hello ladies and gentlemen and welcome to our interview with Will Anderson.
Will is a CEO at Resolver which is an integrated risk management software for mid to large-sized organizations. The solutions include risk management, corporate security, business resilience, and IT risk. Over 1,000 organizations worldwide depend on Resolver’s security, risk and compliance software. That’s about 1,000,000 people using Resolver each day. Will, thank you for coming to our Interview today.
Will: Thank you. I’m glad to be here today.
Boris: It’s my pleasure. Will, could you tell us a short story about yourself and what you guys at Resolver are up to these days?
Will: Absolutely. Our vision as a company is to empower business, to move faster. One of the things that we care deeply about is bringing up the relevance of risk management within corporations. Sometimes it has been positioned more as protection or a barrier, and we don’t see it that way. We believe the risk management adds a lot of value and that we need to have a seat at the table to have those discussions. But if we are going to do that, we have to be speaking the language of business.
And so when we have to be talking about how we can have that business achieve their mission, so we have to align to that. So our role in that is to transform risk management to risk intelligence. We want to make sure that we get away from the sort of nuts and bolts of it to really bringing more insight to the executive table, to help them make better decisions.
Boris: Will, could you tell us how Resolver differs from other software providers operating in this space and what are some examples of your customer’s use cases?
Will: I think the thing that we pride ourselves on is user experience. As I mentioned, our goal is to get insight to the executive, but that requires us to get it from the first line and the first lines are busy, they have day jobs. Historically what was happening was that any sort of assessment, whether that be a risk assessment, or a control assessment or asking someone questions about compliance, it’s going onto their desk and it’s being sent in Excel forms or sort of large enterprise software, that’s hard to use.
And so our vision from the beginning was that if we want to provide insight, we have to get good quality data and to get good quality data we have to be able to engage that front line with something that looks more like a consumer app. You don’t train somebody to buy something on Amazon and you don’t want to have to train people to enter their assessments. So the way we did it when we built our software was, instead of hard coding everything, we’ve used what’s called a no-code platform that allows us to tailor the platform to the exact needs of that customer.
Prior generations or our competitors, that are maybe up-market from us, would have done that with code. The problem with that is that it is expensive and it’s brittle. So when you want to change it, you have to call them and they send it to some developers and they change it. In our application it is changed by configuration. So once we come in with our services team will deploy something, we then train the administrators and they will then be able to change it however they want, because this is an agile industry and so you got to be able to change it on the fly.
Boris: Interesting. So no Code in the risk management, I never heard about it. Is it kind of a special category or you are creating category inside Risk Management Software?
Will: I think we’re one of the first, I would state that we’re flattered to see that when people do startups in this space, they typically follow along. That tells us that we’re on the right track. There’re certainly people in the IT Risk or IT assembly who have taken this approach. And I think it’s necessary because risk is really different depending on how your business is structured. And so we’ve seen people come from an audit background that are used to sort of a hierarchy and Risk doesn’t work that way. You got to be able to connect a Risk to the things that you care about, whether that be a process or an objective or a decision or a project.
And that’s really hard to think about upfront all the possible permutations. And so I think now that No Code has been made popular, it’s an obvious way. It’s an obvious tool to use for this problem because Risk is not really the same in any two implementations. So I think we’re probably the biggest that’s doing it this way, but there’s definitely some coming up behind.
Boris: So what are the trends? What are the major trends you are seeing in the risk management discipline since the beginning of the pandemic, and how has the pandemic actually impacted your organization?
Will: It’s like anything else, it’s been an acceleration of existing trends. We thought it was going to hit us. And again, our sales were slower in Q2 last year, but our customers are using us more than ever. And then we rebounded pretty hard and had record quarters thereafter because again, I would have thought that with budgets down that it would be hard to get risk management software bought. But I think that when something big, like this happens, a lot of people say, how do we prevent it from happening next time? And this is clearly the category that that happens.
And so we’ve done very well since then. In terms of customers, the things that we’ve seen in the field, obviously trying to get away from the biggest thing is we can’t do our sessions in person. And so it has really pushed people out of this mindset of having to sit next to people, to do the assessments, certainly in Europe.
Europe is much more mature than North America on the concept of the continuous assessment. This idea of having to do it without being in person and looking over someone’s shoulders, we’ve certainly seen that accelerated. There is more interest in business continuity, although I don’t know how permanent that’s going to be, I’m seeing, it’s kind of slowed down a bit on that front.
I think those were the big things that the COVID drove. Certainly Europe is driving a lot in terms of Incident management, there’s requirements in Canada and in EU to take that much more seriously. And so that’s probably the bigger driver we’ve seen in the last sort of three to six months.
Boris: So what role does technology play in risk management? What investment risk management should be thinking about this time? Because there are a lot of new technologies that you said such as artificial intelligence, machine learning, and we have been all the time people talk about this. Is this really going to be implemented? And what are your thoughts about this concept?
Will: I think it is being implemented. I think there’s a role for risk to oversee it generally within the business, because it does create more risk. In terms of it being deployed in GRC, we have deployed it more on the Incident side because we get in narrative complaint. And what ends up happening is that that’s a block of text and you can search it, but sometimes you want to connect data points together. So the AI we have deployed will go through a block of text and identify people, organizations, dates, times, places, that sort of thing, and turn it into usable tags.
So that if you have an organization show up multiple times in a compliance violation that will be picked up. If it’s just a narrative, it’s not. So that’s what we’ve done. And we are doing a little more work to try to ease that process. We’ve seen a little bit around kind of control similarity. This is stuff that we are looking at. We’re looking at sort of Risk comparison type work, but we watched the market pretty closely. I haven’t seen a ton of AI popping up in our competitor systems, specifically around risk and control.
We are partnered with a company called Assent Compliance who actually uses AI to pull down regulatory requirements. And that’s a phenomenal product. I can’t recommend it enough. I think that’s probably the most sophisticated I’ve seen in compliance AI doing it. In terms of like the in house GRC, I haven’t seen a lot, but we have a few ideas and we’re working on them. So I can’t really talk too much about them until we come up with them. So, watch this space, but I haven’t seen that one beyond that use case.
Boris: Assent Compliance is our partner as well. Interesting to me, we just spoke a few months ago. We spoke with the guys, we had two interviews with them.
Will: They are doing great.
Boris: Will, tell me how is your team structured? How do you manage your IT structure, you outsourced, partially in Canada? What do you recommend for startups planning to create a SaaS tool with regards to managing IT teams?
Will: Well, hopefully they’re not going to compete with us. We’ve got enough already. We’re a global operation and we have offices all over the place. Our team started out in Canada and I think if you’re starting out, it’s important to have your developer sitting right next to you so that the people that talk to customers every day are sitting right next to them working on a whiteboard with the developers. It’s really critical when you’re dealing with architecture. Over time, we do a lot of our testing, we have a great office in Hyderabad.
They have been the backbone of our automation testing, and now we’re starting to build out a really capable development team there. And so I think when you’re starting, that doesn’t make a ton of sense, when you get to our scale, it starts to work out really well. So that’s kind of how we do it, we don’t outsource anything. There are some occasions when we partner with people, but we want to keep our development really tight and close to us, and we want them to be our team.
Certainly now that COVID taught us all that we can work remote that drives us to maybe have people elsewhere. They don’t all have to be sitting in our offices and in Toronto and Edmonton where we have a lot of developers and in Hyderabad. Now, I think anywhere that we work is going to be fine. But if you were starting out, I’d have them sitting in my hip pocket.
Boris: A few episodes back, we spoke with Tim Leech and he was very passionate about objective centric risk management. Do you share the same view or your system also combines other principles?
Will: Yes. I personally share the same view, but it also depends on what you’re trying to do from an enterprise risk management point of view. I would say that it is standard with Norman Marks, it’s the same way with Sergei, like all of the people that speak to this are following that process. And I think that’s absolutely true. There’s no sense in assessing a risk against something that doesn’t matter and what matters is ultimately the objectives of the corporation. And if you want to be relevant at the executive level, you have to talk in the line, which that they’re used to talking in. Now, that’s not all risk management, to me that’s enterprise risk management.
There certainly is still a place, if you’re working on projects, you’re going to assess them against projects. If you’re working in IT, you’re going to work them against applications. That’s more operational risk and more looking at controls.
So it depends on what you mean by risk management. I sometimes hear risk management used synonymously with ERM, or enterprise risk management. And I do think there’s a bit of a difference there. So there are places to use it but the one thing I would say that, you know, Steve, Norman, sorry, they all get right but don’t do it just to do it. You better be using it to make some sort of a decision or to work in some sort of operation.
It’s not just assessing risk to assess Risk, it’s like a box checking exercise and that’s not going to be valuable. So if it’s a project and it’s helping you do that project better then great. That’s a good use of it and If you’re not tying it to an objective, I don’t know why you’re doing it.
Boris: Absolutely. I would like to ask you a personal point of view. What is the commonly held belief as it relates to risk management that you strongly or even passionately disagree with?
Will: I think it’s that one. When you speak to the experts, I think we all say the same thing, you do need to tie to objective. I think that there’s some place where we go too far.
So if I’m going to say something unpopular with your practitioner, it’s that doing like a quarterly assessment and doing a risk registry and a heat map isn’t enough.
But I think on the expert level, that’s not controversial is this idea of modeling everything. I think that goes too far and maybe I would differ from some people in that. I think there’s a place for it. But the idea of putting that into a GRC system doesn’t make a lot of sense to me. To me, it’s like doing your budget in your ERP.
I think you need the flexibility of a purpose-built modeling solution. And I think if you get really tied down that everything must be quantified and everything must be modeled, you’re going to miss some nuances that you can’t model.
Now, I think quantification is very important. I think sometimes using a high, medium, low becomes meaningless, like, I don’t want to quantify it because I don’t know. I think that, I don’t know, is it really valuable conversation?
Is that a $10 million problem or a hundred million dollar problem? I don’t think it matters if it’s 97 or a hundred, but it does matter if it’s 10 or a hundred. So I’m not saying don’t quantify, but I’m saying there’s a lot of things on this world that you can’t model. And if you focus only on modeling, you’re going to miss some qualitative things that I think are important.
Boris: Okay, fantastic. And so looking broadly in your industry, what are the major trends in your space that you expect will take place in the coming few years? And what should we expect from you guys in the future?
Will: I think it depends in the GRC that it’s different continent by continent. If you look at North America, we have to catch up to Europe and Australia, New Zealand.
Every customer that we sell in Europe is doing continuous assessment, they are looking all the time and highly quantified. We have some very sophisticated customers that are there. But I would say that the bulk of the people we talked to for the first time are not there yet, but it’s definitely becoming very important and it’s driving forward.
We’re seeing a trend to more integration. Doing these things in silos doesn’t make sense. If you’re having audit, like why not audit based on your risk scores, like don’t audit a control that you’ve already said is not functioning just fix it. You should be auditing the controls you say are strong for areas that you say are high risk. And so I think we’re seeing a lot of integration on the European side. And then obviously the cyber stuff I think is a little bit overblown.
I’m on the board and the board of a public company and they want to talk about cyber risks. And it’s important in a tech company like us. Like it’s obviously our most important Risk as a tech company as it can put our lights out.
So we take it very seriously, but in other organizations it’s one of many risks. And so I think that the board should make sure that they’re thinking holistically because in many industries, it’s regulatory risk or safety risk, there are other things that I think are as important. I think it’s just new and a little bit frightening.
And so it’s not bad. It’s actually very well controlled. I think there’re great standards for it. So I guess that is the trend seeing, and maybe that’s my controversial statement is we’re maybe a little over-focused on that and we are going to lose sight of something that’s equally big, it doesn’t have the attention today.
So I guess I’ll answer both those questions in one there.
Boris: So if we summarize in, if someone who is listening to this interview would like to walk away with one or two major takeaways, what would that be?
Will: The first one is again, consumerization and focusing on your first line. If you are not getting good data, there’s no sense in focusing on reporting and all of the other stuff. If your data is no good or you’re getting it a month behind, you’re in trouble. COVID is a great example, like who had a pandemic on their January, 2020 Risk plan? And if you were doing a quarterly, you’d come back in April and the world is upside down. This is an extreme example, but those kind of high velocity risks happen all the time.
So I think that’s the first thing, be very focused on the front line, get integrated with them to make it easy for them.
And then I guess the second thing would be integration. Now we are seeing more and more of that and I don’t think buying siloed systems for SOX and ERM, and compliance and IT Risk makes sense. They may have more bells and whistles, but you’ll gain more by asking the assessment once instead of asking people the same thing at different systems or trying to stitch them together.
So those were the two pieces of advice I would have — focus on the front line user and focus on integration and sharing data before worrying about every bell and whistle.
Boris: Fantastic. Those were all my questions. Perhaps you would like to add something?
Will: I don’t, I think those were all the right things. We love working people, feel free to call us, we write a lot, we’re not the hard sell organization. So we’re fundamentally interested in this space and love talking to people. I’m on LinkedIn a lot, we post a lot of stuff, so reach out to me. We’re always happy to talk to people and have the debate.
Boris: Fantastic. Thank you, Will, for your time. And I wish your company high growth in the coming period. And I would like to hear from you in a few months, how are you doing?
Will: Yeah, absolutely. We look forward to it. Thank you.