Staying in the Fed’s Favor: Navigating Government Contracts with Intel Federal’s John Griffin
Chris Clark: Hi, welcome to GRC ME, a podcast where we interview governance, risk and compliance thought leaders on hot topics, industry specific challenges, and trends to learn about their methods, solutions, and outlook in the space, and hopefully have a little fun doing it. I'm your host, Chris Clark. With me today is John Griffin. John is the compliance program manager at Intel Federal, he has over 20 years of focus on a diverse set of GRC topics, including regulatory compliance, internal audit, and governance and contracting, and has in- depth experience in areas such as international trade finance, import control, export control, FCPA, anti boycott, FAR, and CAS. John, welcome. Could you tell us a little bit more about yourself?
John Griffin: Sure. Actually, I've spent 38 years in government contracting starting back in the'80s, so I've had the ability to watch as things change, regulatory changes, business changes, so it's been a unique opportunity. Currently, I'm working for Intel. I was hired in to help them assimilate into the US federal regulatory environment, and as you can imagine, compliance is probably one of the largest challenges they've had. Wrapping their head around that being a commercial company and understanding how intense and in depth the regulatory oversight is anytime you take money from the government. That's it for my current job, been in it now for nine years as of last month.
Chris Clark: That's crazy, 38 years is pretty incredible. I'd be interested, what advice would you give to someone either getting started, or exploring, or in their career in GRC?
John Griffin: One of the backgrounds that helped me to become a better risk manager, a better compliance officer, a better internal auditor is understanding contracts, since contracts are so finite. When you sign a contract, you live with what you have. So then understanding what you signed up to, especially in an environment where you have quite a few clauses that are directed into each of the contracts. We have what they call the Christian Doctrine, which means even if they don't put the clause in there, it's a given that that clause exists for that contract. So I've always told people, and it's not my wisdom, it's the practice of most government contractors is that, you would get into the contracts area, understand that better from how you're forming those because that's really establishing your compliance base for that program, and also how it affects the rest of the company.
Chris Clark: That's so interesting to think about. I guess reflecting for myself before LogicGate, I spent time working on software contracts, particularly in the concept of license compliance. And similarly, it's interesting to think about how that type of agreements and those types of, to your point, finite documentation, sets the basis for risk in a lot of ways. In reflection, that's super powerful.
John Griffin: When you're talking about risk, you're saying to yourself that from a compliance standpoint, or from a GRC standpoint, you have the risk that comes with business, just business risks. But then on top of that, you pile on regulatory, or CMMC, or NES, any of those new requirements. And then on top of that, what you've now signed up for and that individual contract. So without staying on top of your risks and understanding your risks as you assume them, you're not going to be very effective. So your background in licensing especially, because that can be one where you could lose your intellectual property if you're not properly licensing, or you could be at risk of a lawsuit if you're not protecting a third party software. So your background probably has really helped you.
Chris Clark: Before we jump further into the meat of this discussion, I always like to take a second and jokingly discuss risk management in real life. So just as risk managers, we tend to focus on it within a business context, but there are little things that we do every day to manage risk in our own life. And I always like to think about, for me, one thing that I always do is I like to mitigate out the risk of I'm going to call sleepiness. So in the morning, I am not at my best when I haven't had my cup of coffee. And so one of the things that I always do to prevent making mistakes in the morning is I always plan out my outfits the day before I go to bed because at that point I'm still very active and mentally on top of it. I will pick out whatever workout clothes, or my outfit for the day because I know mentally that's how I get ahead of either waking my wife up in the morning on accident, or stumbling and picking something in the dark that doesn't work. So just a goofy example of how I try to mitigate risk in my day- to- day. I'd be interested, John, if you have anything similar. How do you manage risk in your personal life?
John Griffin: It's funny you should mention that, my daughter used to get a kick out of it. I was working downtown Chicago for Boeing headquarters, and it was a trying trip. And I used to use the train to recalibrate my day and try to ignore the things around me, but you kid around about laying out your clothes. I would lay out my breakfast plate, toothpick for the cutup banana, knife, toast sitting there, everything awaiting my getting up in the morning so I didn't have to worry about all those things on top of focusing myself on what the day should be. So you call it quirky or goofy. I agree. And my wife and my daughter would agree as well. We have risks all the time that we take. I had risks just going into Chicago, not taking the right train, or taking the risk of missing the train, but that's how we think. We think in terms of how do I mitigate my risk? I travel for Boeing all over the world doing Foreign Corrupt Practices Act. I would actually literally get my seats on each of the planes going between countries. I would lay out my timeline, the time differences, my meetings. I would have to meet with the ambassadors and also with the audit firm in the country, and all the dealers. I would have everything laid out four weeks in advance, Chris, because I did not want to have the risk of missing a flight, or throwing things off. So I think my mindset was always going towards, I'm going to be in compliance, I'm going to be at risk, because I saw that the best solution for risk is preparation and focus. I love your story.
Chris Clark: Thank you. The example you just laid out is taking that to the extreme when you're talking about your Boeing experience and the Foreign Corrupt Practices Act. Could you give a little bit of background on the FCPA and what you learned practicing that all those years?
John Griffin: Sure. Well, part of my experiences was working in accounting and sitting down with financial documents, and be able to tell a story. So I'd sit down and I'd look at year over year what things were, I'd look at the relationships between different accounts, and I would be able to form a picture of what the company was doing, maybe not having the why they were doing it, but I would get pretty close. And then you take that and you apply it going internationally. So you start out with, I'm going to meet with these dealers or these agents, a lot of them tied to the actual government of that country, and I'm going to try to evaluate their books and see what's going on. Because the old adage, follow the money, believe me, money cannot hide corruption. You follow the money and you'll find things. And many times I've drilled down to different accounts, different countries, translated statements, financial statements into English, and came up with a real story before I even got on the plane to go evaluate the groups. And of course, we were looking at high risk because we're dumping billions of dollars into these people's purchasing process and they're getting a high commission. And the governments, now you have US government and you have that in-country government that you need to comply with. So that was very important is just to be able to look at the financials and tell a story. And I think you can do that with a lot of different things. I use financials only because that's the only external elements that I could get my hands on immediately. For instance, years ago, we would look at subcontractors to find out if they were viable because we were going to dump a lot of our business into that company. And I mentioned this when we were talking previously, one of the things that I would do is I would go out three times a day right around each shift change, and I would count the number of cars in the parking lot. And if I found that some of their shifts were eliminated, or they were skinnied down, I could tell that the company might be having problems because we kept track of the cars in their parking lot the last time we were there. And inevitably, we would go in and find that they were heavily leveraged, heavily in debt, and we were their main business so that if something happened, we would be the ones that would lose out. So any different elements you can see and identify risk, and I think that's where having an automated tool helps to do that because that's one less element, one less step you have to take in your mind of keeping track of things. So yeah, a lot of interesting things, ways of assigning or finding risk.
Chris Clark: That car example is just so interesting to me. And it's interesting in the sense of, if you were to go and look at a company and look at the risk associated, or just try to figure out how is the company doing. There's the normal ways of it, what are your financials, stuff like that. But then you all had this heuristic, this other area where you would just count the cars from the shifts. And I'd be interested in what are other ways that you think risk managers can think about things that are off the beaten path, so to speak? How did you learn that counting cars was the way to determine whether a company was doing well or not?
John Griffin: Yeah. It was when I was with Honeywell, and there were some folks that had been there for a while that were experts within the industry. As a matter of fact, they were recognized by President Clinton and brought to the White House, and I tagged along as a matter of fact, because they were so progressive on not only identifying risk, but also helping to mitigate that risk to build up small businesses. So they had experience, that's what it was. They just looked for things that would be attributes of potential risks, they would look for signs. And I know through training I've had, years ago I worked for Harris Corporation and they had some brilliant legal minds there that came up with some red flags that you just never would think about. But now their old hat, people know that they need to look for transactions in cash, or looking for where money is being sent in a major purchase or sale. And a lot of these you can pick up. Now, a lot of the consulting firms put together these risk programs where you can go in and they'll talk about things, especially FCPA. FCPA is one where they're expanding their knowledge base, and their experiences are popping up quite a bit. We would actually, when I would go in country, I would actually start reading newspapers that addressed the dealer, I would search for that. You could do searches for that. We would do a red flag company, we would do background checks. You'd look for the same name of somebody in different ways. Matter of fact, we had one instance when I was at General Dynamics where we had a whistleblower contact the federal government. So the government was coming in on Monday and we had to figure out on a Friday afternoon what was going on. So I went over to the location where the employee worked, and the way I found that out, this is a little story, a side story, I hope I'm not boring anybody. But the government, DCA auditors came in and they wanted to pull the timecards of all the employees in a particular department, but they wouldn't tell us which one. So I gave them access to the timecards, and I told them, my process is that I take this pink card and I slip it in where I'd taken the card out of, and then you can go use the copy machine down the hall to make your copies. Well, they didn't realize it was copy machine right next to the cards, so they pulled the cards and they went down to make their copies. And while they were there, I pulled the pink cards and wrote down the name of the person because they were all in departmental order, or excuse me, name order. So I took down the names of the people, looked at who was in front of those people, figured out they were all in one department, 384. So I knew where the actual location was, it was in Diamond Bar. So I went out to Diamond Bar and I started looking for anomalies. I started with purchase orders because that's always fraught with potential fraud, and I noticed inconsistencies where they were purchasing more than they should have of these particular power units. And I tried to identify one piece of equipment that had a serialized number, the smallest one too, so it wouldn't be too difficult for me. So then one of the engineers that worked there played basketball with me on Friday nights over at Steelworks, and he hung out with me and we went and pulled some of these power units, found out that they were switching the power units from one contract to another contract because they were running late on that contract. Plus one was a cost type and one was a fixed price. So the fixed price contract, you only get so many dollars and then you're cut off. Cost type contract. The government reimburses for everything. So they were taking the power units off the cost type contract and moving it to the fixed price contract, which is a huge no- no for the government. So I took copies of all the purchase orders and went and played basketball. Monday morning, I came in early and I noticed the purchase orders were in a different place on this desk. And as I pulled them, I looked, and the information at the top was different, but you could tell it might've been whited out. So then we looked at the name of the person who sat at that desk, and they had a different name from the manager who was signing the purchase orders. But then we looked at the HR information, it turns out this secretary lives at the same address as this manager, turns out it's his daughter- in- law. So they were conspiring to defraud the government this way. And on top of that, it had been reported to the ethics director three months before, and he didn't do anything about it. So we walked three people out the door just simply based on slipping pink cards into a timecard tray.
Chris Clark: Have they made a movie about this yet? Have you started a movie, John?
John Griffin: It's funny because it didn't seem like we were doing risk assessment, didn't seem like we were doing an investigation, it just seemed like we were just doing our job. The engineer, he loved being involved in this. Because engineers, they're board stiff anyway, so this was like James Bond to him, and it fell in our lap. These people, sometimes when they are in a perpetual fraudulent mindset, they eventually get sloppy. And that's what these people, they just got sloppy. They'd been getting away with it for so long, they had the ethics director turn their back, so they didn't think anything of it. So I think it was because they were a little more sloppy that I was able to find this. I actually got promoted to General Dynamics internal audit at that point, so that was nice. That was a cush job.
Chris Clark: Well, to follow that point is, you've had these different roles, whether that's Foreign Corrupt Practices, whether that's internal audit, whether that's regulatory compliance. I know that I at points think of these as very distinct areas of risk, and so what I'm interested in is, have you had to change your mindset and your approach to risk as you've moved to these different roles? How have you had to adjust, or learn, new topics and processes as you've moved to these different roles in these different areas?
John Griffin: No, that's a great question. So certainly it's a skill that is acquired and you leverage off of other people's brilliance. And as I moved into different roles, I always had that mindset that there was a right way of doing things. There is risk associated with not doing things the right way, or running the business in an unhonorable way because then you have people that are taking risks to make things look good. I think my depth of where risks are grew as I went between each of the different functions. But part of the reason that I was given those roles is because I did have that mindset of compliance, basically was my forte. So being able to go into contracts and work as a contract manager, subcontracts, trade finance, program management a little bit, international program manager, I wasn't an expert in those, but I brought that mindset. And so there were benefits to having me move into those roles. But for each group that you learn about, but even now today, I do not depend on my knowledge of a particular area. Once we have a risk that's identified, I sit with the risk owner and I try to understand the ramifications. Because for me, I need to promulgate that up to our board of managers to let them know what the risks are. And if I don't understand those risks, and I don't think there's anyone in the world that understands every functional group, or every aspect of business, or every contractual requirement and what the risk is. One thing we do, I have to salute the contracts, they actually have a contract clause matrix that lists every clause that we've ever accepted by the government, every regulatory requirement and what the risk is. We actually have a repository that you can go to and say, " Gosh, what's the risk of having this particular 32. 405 clause in here?" And it will explain what the risk is. So I've helped to populate that, but I've also been a beneficiary of using that.
Chris Clark: That's super cool. And when we think about regulatory compliance, a lot of that we think about is how are you fulfilling an obligation? And it's more general, it's not in doing business with the federal government, it's in complying with the laws and regulations of the land. But when you're doing business with the government, there's such an intersection there. And I don't want to say that your contract is law, but it's very similar in that sense of you need to risk assess your obligations and the controls that you have in place to comply with those. That's just a fascinating mindset shift, I think for a lot of risk managers.
John Griffin: Yeah. The federal government mandates quite a bit, but I always step back and tell our people that, a good business that's running profitable will follow these same things, they just don't mandate them. So it's not like the traditional view of the government coming in and messing things up. Every regulatory law or standard that's in there came from case law, and there's a reason why it's in there. And your point about the contracts, for the most part, contracts is your particular legal standard for executing on that particular program. However, there is a caveat. There are certain clauses, or federal acquisition regulations, that cannot be mandated away. So you can't put a clause in there that says, you can drink as much alcohol as you want and charge it to the government. Alcohol is unallowable to the government, they don't like that, so you have to pull that out. So there are some things that cannot be. Even the strength of a contracting officer who is what they call a warrant officer. He has the purse strings to use money of the government to buy things. Even that powerful position cannot mandate away certain requirements. But for the most part, I'm going to execute a program, a contract is my constitution, basically.
Chris Clark: The business relationship there is just fascinating. You're working with the government, but then you also have vendors and third parties that you're working with. How does it affect how you supply your business, or vendor business, or third party risk? That's such a higher level of scrutiny in your suppliers, and even your fourth parties. How is that risk landscape different?
John Griffin: Yeah, so you would think that, oh boy, we're doing business with the federal government, we got all kinds of risk at our subcontractor or procurement level. But the way it's set up is, first of all, picture the fact that I'm the prime contractor, I'm the one that has a relationship with say the Department of Defense. So I have that responsibility towards them. Now they send me a contract that has hundreds of different clauses and requirements, I then turn around to a subcontractor and I flow those down to the subcontractor. So what I have done is now I have a relationship directly with the supplier, the supplier does not have a relationship with the Department of Defense, they have a relationship with me. So they're responsible for complying with those things. But at the same time, when you flow those down, a lot of the responsibility is gone because you've done your due diligence. Now, there are certain elements of federal contracting that you are required to do a little more. You might have the supplier complete a survey, or if you take property and you lend it to the sub, and it happens to be the government's property, then you would go in and do audits. So there is some extension of that, but the risk is mitigated through those slowdown clauses. It's basically saying, " Hey, you said you're going to do these things if you don't, it's contractual non- compliance, and I can go after you." And turn to the government and say, " Oh boy, I don't know what to do with these guys." So that's how you mitigate the risk with a subcontractor.
Chris Clark: And with that, is it always all of those clauses are passed down? Are there situations where you are almost risk ranking some of those clauses passed down?
John Griffin: Yeah, that's a great question. So I'll just tell you the biggest distinction. When I'm working with the federal government, I'm selling them a product, and that product is now considered a defense article, so I'm selling them something. It needs to be handled under cost accounting standards. But if I have a supplier, say they're building laundry wraps, and they're commercially available and they sell them commercial. Well, I can't slow down all those clauses to them because they aren't actually providing the government a non- commercial item, meaning a defense article item. So I will just flow down a few clauses, or I'll go to them and ask them to sign what's called a commercial item determination, a CID, which basically they support the fact that they do multiple sales in this to commercial companies. They sell them to Walmart or Target or whatever, and they do what they call a PRD, which is a price reasonableness determination. They say, " Yeah, we're charging you $ 50 bucks, we charge everybody$ 50 bucks. And we looked at the catalog over here, there's another company, a fly by night that's charging$ 48. So we're pretty close." Now those are the only things that subcontractors going to need to be responsible for. Now they don't have any of those other cost accounting standards, and there's like, I forget, 21, 22 standards that they have to maintain. And the reason the government did that is they wanted to be able to use commercial companies because they realized that when you're paying a company to develop something and then create it, there's a lot of investment that's coming from the government. But if I can go to somebody and they already have the product, plus it's encouraging companies to come up with products that could be bought by the government, and might have a commercial market as well. So to your question, there are situations where we don't flow down any of the cost accounting standard clauses, which are numerous, or some of the federal acquisition regulations, but we would have to get them to affirm that they are a commercial company.
Chris Clark: Gotcha. It makes a ton of sense. One thing along those lines, you mentioned it encourages companies to develop products that are both commercially and federally valuable, and compliant. How would you even think about that from a risk perspective? How do you do that almost risk benefit analysis before developing a product?
John Griffin: Sure. No, that's a great question. So when I worked at Honeywell, Honeywell makes filters. I've got three of them in my house right now that are 25 years old. But we also made these particular AUPs, I forget what they're called, the airflow processes in aircraft, and they had to be configured to a standard, to a fighter jet. And the standards, the mill stats were so difficult to match, so we could not subcontract that because we didn't have any subcontractors that had these mill standards or had ISO 9, 000, or 9,001 at the time. So we built those ourselves. And there would be a risk going to a subcontractor, that's why we went out to the subcontractors and got them certified so we could get those out. So you're looking at risk, and the government says if this is something that's critical, the part that if it fails, we can't pull a jet over at 40, 000 feet, you just crash in the ground, that item is at risk. So we have to have more standards around that, more requirements there, more testing. And even testing as it gets shipped and comes to the government through their government freight forwarder, they will test it there when it gets there, and then they'll actually take some and do their stress tests, and their temperature tests, and all those. So as a part becomes more critical to the government, there's more risk associated with it. And that's when you're looking at a subcontractor, the subcontractor's not your company, so you don't have the control over that. So a lot of times companies will just do that themselves, build that sub part, or subassembly themselves.
Chris Clark: So when you look at another company to do business with, because you've been a part of these, and I think your story earlier around the father and purchasing person who pushing through contracts on fixed costs. When you look at doing business, I'm assuming that it's not just the compliance with what they're trying to sell, but it's their risk profile as a company. When you are working with your vendors and your third parties, how do you think about not just the risk of your relationship with them, but their culture of risk as an organization?
John Griffin: So my answers are going to be 30 years old. So the first thing I would do is generate a Dun& Bradstreet to look at their financial position. Then what we would do is, we would ask them for a listing of all their clients and the amount of business with each client. So if you think about it, if I'm the largest customer they have, that's a risk. And by the way, if I am looking at them and they are the only supplier, they're a sole source, then I have a risk too. So there I want to be even more prescriptive on going out and making sure they're going to be solvent for the next X number of years, especially with vendors and government contracts. The money is made in government contracting through spares, if you're doing manufacturing, your money is always made in spares. Once the government buys a tank, they can't go to Radio Shack to get parts for it. They have to come to you, and that's where you make your money. Companies actually set up these demo depot, or these areas right out where the tanks are being used or being maintained, and they have a storehouse of parts. So parts is really important. So if I'm looking at a vendor and I'm finding out they're only going to be viable for three years, I know that my contract goes for five years, and then I'm looking at 25 years useful life of this tank. So we've got 25 years of spares, but if this company is not going to be solved in three years, I have to go find another company, and I have to pay to have them set up all their machining, their standards, to start all over. So it's very important when you look at vendors, you look at them for, first of all, what are you contracting with them and are there other alternatives? What is your relationship in their portfolio? Are you the largest contractor they have? Because then they're dependent on you if something happens. And then I like to actually go to the site and go in the wrong door and have to walk all the way through the facility, and I would look to see, are there machines that are out of service? Are there machines that have a repair sign on them? Is there an excess amount of tooling in the tool area, meaning they're not using them as much. Those are telltale signs that there's something going with the company. When companies can't pay to fix their equipment, then they're down to using half the number of equipment to do the same amount of business, you're at risk because now if one piece of equipment breaks down, you're liable not to get your parts. And then you have to look at, well, if we're the smallest customer they have, we know that we're last in line. Another big thing that people don't think about is, as a contractor, a prime contractor, you're giving them special tooling. And these are, how to describe them, they're like applications for machines that are specified for making a certain part, and they can cost tens of thousands of dollars, and you're giving them to your supplier. If your supplier is not doing well, they're not going to maintain those toolings and you're going to lose the value of those toolings. Or if they go insolvent, then they put everything up for sale, your tooling could be lost. And then you turn around to the government saying, " You've lost your tooling." There's all kinds of reasons to keep your finger on the pulse of their finances and their business. If they come back and ask for an advance, I would start looking for another vendor. If they have a change in ownership or leadership, we've seen where there was one thing in Texas where the father had passed away and the son took over. It was a business that didn't have anything to do with aerospace or anything like that, but it was owned by General Dynamics. And we went down there and looked at this, and we asked about accounts receivable, and they opened up a drawer and there was a Rolex watch and a set of keys to an aircraft. So instead of getting payments from their vendors, they were just taking gifts. So right there, we should have known well in advance that this was a company. And I wasn't involved in this, when we sent three other auditors down there, we spent about a month finding all kinds of things. And all these red flags should have been caught by Arthur Anderson at the time, because Arthur Anderson had just been in there and signed off on this company. They even said they evaluated the accounts receivable, they obviously didn't. Another key point, don't depend on a third party to do your due diligence. That was a good lesson. And of course, Arthur Anderson is not around anymore, that tells you a little bit about their work quality. But that's what I'd say is, just look for different changes in the company, or anomalies. Or don't just say, " Oh, the son's taking over the business, no big deal." That's where I start ratcheting up my oversight, go visit them, do things like that. If they're a critical vendor, if they're not, start looking for alternatives. And I guess you should also always have a bench of alternatives when it comes to subcontracts.
Chris Clark: That's so interesting. Before working at LogicGate, I worked at Deloitte and it's fascinating because even when I was there 20 years after Enron, and I think WorldCom, Arthur Anderson, you can still feel the ripple effects of it throughout those industries. And I think the example you gave is interesting to hear how we set up a system of this where they were meant to come in and do audit and confirm accounts receivable, all of that, and then you just checking a little bit extra, were able to find the risk there and mitigate it in its own way.
John Griffin: What triggered us to go there is the son died in a plane crash, that's why I mentioned the keys. So if he had not crashed his plane, I don't know how deep we would've been with that company. I think we would've lost quite a bit of our reputation with that company because it was a broad based company doing concrete line, things like that, and it was nationwide. Building highways, basically. So yeah, good point.
Chris Clark: That's incredible. Yeah, and it's also interesting, this seems like it's been a recurring theme of this conversation where there's these things that seem like everyday life, like counting cars. I don't want to say someone passing away, but these events that you wouldn't expect or directly correlate with financial audits, or audits in that sense, or risk, but they're things you're identifying as reasons to investigate in a business.
John Griffin: That's a good point. Let's face it, change is a point in time where you have the highest potential of risk, right?
Chris Clark: Oh, 100%. Yeah. It's interesting to hear these really tangible examples of that. So we've talked a lot about the groups that you've done business with, and your suppliers, and your subcontractors. How have you built partnerships throughout your organizations to help strengthen the culture of risk? So for example, at Boeing or Honeywell, how have you built a culture of risk internally at your organizations?
John Griffin: Yeah. There's so many things that you can do. I always engage leadership in advance of meetings where we had some difficult topics to talk about relative to risk, or escapes, and I always would talk to people in advance one- on- one. Bad news is easier to give one- on- one where people don't have an audience, or they're not subject to public ridicule. So I always found that was a really small but good practice, so that when I get into a meeting and I start talking about where we have some issues, I've already got an advocate there. Or I've already pulled that person into the problem and they're now going to help with the solution. Some of the other things that I have done is, I make sure that when we have our control review board meetings where we get a group of experts and staff to come together to talk about issues, I asked those managers to have one person come with them to the meeting that would not normally go to that meeting. And the reason I want them to do that is because I want them to see how a risk is identified, how if then the statements, how you identify root cause, how the root cause should address the then statement, how we then set up both mitigating controls to address what happened and sustain controls. When I was at Boeing, one of the things that the corporate controller told me once was, " I'm so sick of people telling me that we have these major problems that cost the company millions that they're going to institute training." That's not the answer. It might be one of the solutions, but it's not the answer to every risk. Doing a really strong root cause analysis is so critical. And by having people who would not normally be exposed to that process brought in as observers of that, what we ended up doing is every person that came to those meetings left, and now they were another set of eyes out there looking for issues. And whereas my control review board that I've been managing now for nine years, started out with only the staff would come up with issues. They would come in with issues, and they would only come in with issues when they rose up to their level, and they would have to take months to get to them, or multiple escapes to get to them. Now what we have is we have people out there unbeknownst to themselves, policing our processes. And most of the issues that I have come into my control review board are identified by people who are executing processes, who are working with other groups, who are at the worker level, and they're bringing those in. And they're also bringing those in with a better understanding of what happened. See, previously we had an executive come in and they were parakeeting what the person below it told them, they didn't have any depth to their understanding. So engaging everybody in that process. Another thing we do is we have this thing called Ask the Expert, where we bring in experts to just talk about topics once a month. And what I've told people is, don't board people with citing standards or regulations or anything like that, come in as if you're talking across the table in the cafeteria from somebody and explain what your risk area is, what your responsibilities are, what we need to watch out for, and then end with how they can help. So we did that for enterprise risk management, and we had over 120 people voluntarily call into this meeting. And we've had many hits after that where people have gone into the material that's housed in a general area to look at that material after the fact. So people are very interested in how we manage risk because they realize that there is so much risk involved, especially with our company, which is a commercial company now doing business in the federal space. There's nothing more at risk than that, because you're bringing in literally no standards. Get the product out the door regardless of who we have to kill to follow the requirements, make sure you're doing everything. Even closing out a contract takes Herculean effort. Engaging people at all levels and making sure they understand the enterprise risk management process, and what risk is, and how we manage it. People start thinking through that. I had people coming to me with an issue saying, " I found this, I saw this going on, and I think as I was thinking through the process, I think this is where we might have the issue. And I was also thinking that based on my experience, we might be able to use this particular application to manage this and control a better." So they're coming to me with the risk, the root cause, and the solution because they understand the whole process better, and it's not rocket science. I have a problem in my home, I just don't throw mud at it. I actually sit down and figure out what happened, why did it happen? How do I fix it? If I fix it myself does that raise the risk level? Probably, yes. So contract somebody to come in. Who do I get? Well, I have to go through a certain process to make sure I get the right person. I apply that every day in my life. So everyone has that. It's like a gene that's buried deep down, that until people are exposed to what it means to identify risks within an organization, it's dormant. And then when people see that, and people start thinking that way, now what you have is you have a group, a whole organization, that is aware of risk, they're aware of how it's mitigated, and they're policing every day.
Chris Clark: That's so cool. And the other piece that you mentioned where, it's not just that they're aware of the risk and they're policing it, but you're also starting to turn everyone into a problem solver, in a way, because they're starting to think of what's the root cause of this? How can we mitigate, how can we solve these problems? Where I can imagine that it's not just helping to mitigate those risks, but it's also helping to turn you into a strategic advantage as a more, I don't know, just a more efficient and effective company as well.
John Griffin: Well, that's exactly right. One of the other elements that I've introduced to the company is, I was just a little green belt, that's not a big deal, we had to do that when our company was bought by GE. And I understand that there's a way of doing process mapping where you can go in and lay out the as is map, what we're doing now, so you can fly above the process and see where the controls and processes are, and then as a team look at that and say, " Holy crap, we've got a gap here, we've got duplication here, we've got all this." So part of what I have introduced is, every day evaluating controls and processes, not just from a risk standpoint, but also from a productivity, and from an efficiency. But risk is also in there because if something is not being done, it couldn't be a risk. So from our process mapping sessions, and I've run probably since I've been here, maybe 12 or 13 of these, we have had dozens of risks that have been identified and promulgated through the control view board, and up through the enterprise risk management process, and eventually addressed. So process mapping is another thing. There's nothing better than actually having a layout of what your processes are showing all the key controls, all the key processes, roles and responsibilities. I had one process map where two people told me they were doing the same thing and they were confused at why the other person was doing it. So we decided who was the best person to do it, and somebody now saves time not having to do this particular report. Then you can take that and you can use it as a learning tool when you bring new people on board and say, " Here, sit down and look at this. This is basically how our little group works, how things run through our group." Plus for us, when the federal government comes in, if we can show them a process map that shows our controls and processes as they're doing their scoping of that particular process for audit, they're going to see we have all these controls in place and they're not going to test them. They're going to say, " Why test them? They've got control there." So a whole bunch of reasons. So process mapping is another great way of getting people involved in evaluating processes, controls and the risks that are associated with them.
Chris Clark: Yeah, that's so cool. We've started to build that muscle here as well of just how do we start to map out our processes, ensure that they are effective control and mitigate risk. Where is, to use the terminology, where's the mudo? Where's the waste associated in these processes so we can save people time and work better together? So I love that. I love that as an example. It's a methodology and a thought process that works in every part of an organization.
John Griffin: I believe it does.
Chris Clark: Yeah. So we've talked a lot about this. I'd be interested though, as you think about the future of GRC, what keeps you up at night? Where are you worried about risk?
John Griffin: The space that I always worry about risk is when we get into a position where there's desperation. We sometimes align people's goals and objectives to financial or to program execution, and my concern is that we get to a point where we cut corners, or we ignore a particular requirement or regulations because we want to get things done. Because they come from a commercial environment where that is common. But for us, I think it's the GRC, the compliance program probably has the biggest concerns and worries is because we know that there's always that tendency when people have done commercial work for 28 years, and now they've been in a federal position for two years, you might default back to that. So we make sure that we do, I mentioned the ask the expert where we talk about what the ramifications are, what the requirements are. And the most important thing is, we tell people why they have to do things this way. Again, I mentioned earlier that a lot of what the government purports that we need to do through regulation or Cost Counting Standard, or whatever it might be, is best practice. It's a good practice. So when people say, " Why do I have to fill out my time card every day?" I say, " Well, let's take a look at this. So it makes it more accurate if you do that. Plus, if you didn't fill out your time card all day, your manager could sit down and figure out what contracts he's overrun on and tell you to charge a different one, and now you become at risk for an audit and potentially an act of fraud. There's a false claims act because time cards go into invoices, go to the inaudible." So I tell people this and they sit back and go, " Well, how does that affect me? Why do I have to do it daily?" "Well, wait until the end of the week and you fill out your time card, do you remember what you worked on every single day and how much time you had?" "Well, I think I can do that." Well, the government doesn't believe that everybody can do that because most contractors, their engineers have five or six projects they're working on every day back and forth, and they have to keep track of those. So there's a reason why they're doing it, and it rains on the righteous and the unrighteous. So you have to do it too. inaudible and people go, " Oh okay, well that makes sense." So if you tell people, especially the engineers we have are brilliant people. They're brilliant people. If you tell them why we need to do a particular thing, they're more likely to do it. This where we dictate you've got to do this, and that's that because the government says so, it doesn't cut it. And I think you do that for most risks when you're talking about why we're not doing it this way. Well, here's what can happen. That's why I like the if then statement, when we start creating the if then statements when we identify a risk, I can see people squirming in their seats. " I didn't realize that could happen. Oh my gosh, good Lord." And in a lot of cases, they're culpable as well. So they could be up for fraud or penalties, so I try to not beat people up, but let them know that you got to put your big boy pants on when you're dealing with the government and follow the standards because there is consequences to making promises that you don't keep. Or big girl pants. Sorry.
Chris Clark: I think to your point, it's interesting that, I think about this a lot, the psychology of compliance and how in a way there's this basic, I feel like there can be a culture where compliance is the stick and not the carrot. Where it's like, you do this because the government says you have to do it. It's almost a fear- based approach to compliance. Whereas when you shift to more of a, here's the why, here's how it benefits you, and here's how it becomes better, it shifts to this compliance can become a carrot that people do because it adds value. And it helps them understand that this isn't a rule for rule's sake, it's a rule because there are consequences and better ways of working. And that shift I think is such a light bulb moment, it was for me, but for other organizations as well. And it's interesting to hear just so many little examples of that in what you're doing.
John Griffin: My boss, when I was in Harris Corporation, he was the director of compliance, and he had a contracts background, so he dealt with people, he negotiated things. He was a brilliant, man, but he didn't know anything about compliance or risk or anything. But I'll tell you what he did have is, he would sit down and say, " We are going out there to audit these people, not to beat them up, but to find where we can help them." And that was the mindset. And we started going out and they would rate us. They would rate us for first of all, one through 10, how applicable was the audit to their concerns. And then second rating was, how well did we do? And those two ratings, if they were separated by more than two points, we had to do a corrective action and find out what we did wrong. We were driven to do the right thing and work with the auditee. And the funny thing is, within three years, people we had audited were calling us up to come in and do a process analysis of a different process in their organization because they saw it as beneficial because the audits that we did had given, like you said, we didn't stop on the risk of a stick. Instead, we found ways that they could do things better and be more regular. But I never walked in saying, " I know more than you." I walked in saying, " Teach me about your processes. I know enough to be dangerous." And then as I was going through it, and if I found something that I thought should be changed, I actually sat with the task owner to talk to them about that and get their feedback. And so when I go into the exit conference, when I bring this up, leadership would look to the expert and actually say, " Yeah, this is a great thing to do. So I like the idea of being perceived as someone who's helpful. I've seen some abrasive people in audit, I've seen some abrasive people doing risk management that are just like the soup Nazi for goodness sake, they're just very strict. Then I've seen people, like my old boss, Terry Pfizer, he was a brilliant example of just, you can do business with people, get them to do the right thing without browbeating them. So I agree with you.
Chris Clark: Just going back to the psychology of risk, that concept of just trying to building credibility as a member of an organization or as a new partner to someone. You can build credibility through knowledge where, like you said, you knew enough to be dangerous, and then you build credibility through seeking to understand this other person's, and this process, why they do things the way that they do. The last piece then I think is, of that almost approach is there's then, in the way you're advising and trying to add value to them is not, to your points, acting like you know more than them, but acting as a partner of how can you message potential improvements in a way that isn't slap on the wrist, but is instead a, would this work better approach. And I think for me, that's a really helpful mental model of, know your stuff, seek to understand, be a partner, as a compliance risk model for working with the business.
John Griffin: Well, that's a brilliant summary. I wholeheartedly agree.
Chris Clark: Well, that was all the risk questions I had. We do tend to end this on something we call risk or that, where we just pose different, sometimes goofy, sometimes not questions about risk. So first off, some of your earlier stories, John, really seem like you were acting as a detective and investigating risk and fraud. So my first question is, who do you think would be a better auditor, Lieutenant Colombo or Sherlock Holmes?
John Griffin: I like Colombo.
Chris Clark: Okay. All right.
John Griffin: Sherlock Holmes was too cocky, and nobody smokes a pipe.
Chris Clark: That's all fair points. So next one would be, there's a lot of buzz around emerging technology. So I think blockchain was the hot word a couple of years ago, right now artificial intelligence is bigger. I'd be interested in, and I think your perspective is going to be awesome on this is, do you think the technology itself, so artificial intelligence, or the regulations on the technology will have a bigger impact on the GRC industry?
John Griffin: That's a very interesting question. So just this morning I was solidifying a briefing on putting together the Ask the expert with a young lady, I won't mention her name, but she does a daily newspaper that's picked up by over 8 million people. She's brilliant. She talks about AI, and I love her analogy, she said, " There's a movie called Unstoppable and it's got Denzel Washington and Chris Pine, and it's about a train that unfortunately is started up and disabled the brakes, and it's run away and it's going to hit this town and destroy it. And it's the efforts they're trying, the federal government and the safety boards, and everyone's trying to stop the train." And she equates IA is something like that. And she's saying that, just like the internet AI is something that we've got to start regulating, or looking at regulations now, or else we're going to run some big problems. So I think the risk for GRC is that if we do not start taking this more serious and letting folks know what their ramifications are, then it's going to be a tremendous risk. But if GRC is involved in helping to set parameters, you can even do those within your own company, which would start to mitigate the risk of the abuse of AI, or the issues that are surrounding AI. She brought up a couple examples, I'll just share these with you real quick. There was a mother got a phone call while at the soccer game, and in the middle of the soccer game she heard her son's voice on the other end saying, " Mom, they took me from the game, help me, help me, help me." And then the voice came back on and said, " Go get X number of dollars from your bank and meet us here." And she stopped what she was doing and started to move towards the car, but turned to a friend and said, " I've got to leave, they've abducted my son." And the lady said, " Well, he's over there at the concession stand, I can see him from here." So they had called the person's house, got a three second snippet of their voice, and were able to turn that into a voice that would respond to the person on the other end. So just some horrible applications of AI. So there's personal risk, but there's also business risk that I don't think we quite have our arms around. So my step towards making sure we don't have a problem is education. Our president agreed, last week I sat in on the executive board for my boss and I mentioned this and he said, " Look, let's get this out to everyone, explain to them what it is. Talk about status, keep people apprised of the changes in AI through her newsletter that she has, and make sure people are educated on this." And I think that's important. The internet came and people didn't know anything about it until somebody said, " Push this button, you go in here, you can search this." And all of a sudden their information is being taken inaudible. So I think awareness of AI and this potential of the benefits of it are tremendous, but also looking at it from a risk standpoint on how it could be abused, or how it could be used against us. I hope that helps.
Chris Clark: I don't know if I'm on to swear on the podcast, but if I could, this would be the moment where I react with a holy cow. Those stories are crazy. When I've asked that question before, we've never gotten quite that almost extreme of a response where it's almost to the point where you are simulating a person, or taking other thoughts to this level. But to your point, I think for the business side of things, it helps us be smarter in the risk space, but it also helps our attackers be smarter. And so it's almost like playing this constant battle of education and enablement to ensure that the members of our organization are able to react and able to see through those things. So I think that example, it's pretty incredible.
John Griffin: Well, let me give you a positive example too, so we don't leave on a bad note. Okay. This person who was presenting, again, she's just incredible, so knowledgeable. She said that she could go in and give the AI app, this particular app that they put together, her name and information, and three minutes later they will have a full biography written on her ready to publish. Because they can go into Facebook, they can go into news articles, they can go to all these things, school records, military records, and they can pull all this information in no time. And it was just her asking, " Hey, could you develop a..." So there are some incredible advantages to AI that if we ignore AI completely, that's a risk too. A risk of losing business to a third world country, or one company who's dominating. So there's that risk as well.
Chris Clark: That's cool. AI writing my autobiography, Chris Clark.
John Griffin: Yeah, mine would come back. It's going to be a brochure. Sorry.
Chris Clark: I love the examples of someone listening to other thought leaders in the space. John, I'd be interested, this last question, what are you reading? What do you follow to just keep up in the space? There's always interest in learning how others are learning about risk, and about our industry, and about business. So any recommendations for our listeners?
John Griffin: Yeah, there's a couple of groups that I have worked with in the past. Some very helpful groups that have jumped in when I've asked a question. Matter of fact, right now I'm trying to look up one that just sent something this morning. Gardner topics are always good to go into those, they publish some great things that motivate audit talent to build new skills, executive leadership, strategic risk management. These are just some of the seminars that they're providing gratis in the future. And then there was a couple of others I'd have to go in. There was actually a gentleman who wrote a book in Australia, I did reach out to him and he sent me a copy. I'm still yet to read it, but he had a great approach on how to identify risk. I could try to get that information to you probably towards the end of the week, or maybe next Monday if you want to include that. But I'll tell you one group, I heard them at a conference and I reached out to them, and next thing I know I was talking with the president on that particular topic. And they gave me some metrics to put together for a company, and I presented them to our executive staff, and it completely changed their direction on how they were managing risks just from that one interaction to that company. I can't remember what the company's name was because so many out there, but I'll try to look it up.
Chris Clark: Up. Was it LogicGate?
John Griffin: Yeah. Well, LogicGate, of course. It's the dual solution for all parties.
Chris Clark: No, I'm joking. Well, if you have those resources, at the very least, I'd love to hear them. Those are all the questions I had today. Any last thoughts that you'd like to leave with the group?
John Griffin: To be a thought leader within your group. I constantly am thinking of ways of communicating, how to communicate. There's different ways of communicating with different generations, and different functions. Engineering is different from contracts. Keep relationships strong with your different functional groups, especially find someone within the group that you have a lot of respect for and that has that risk mindset. And try to put together an informal compliance champion with each of your groups. That's helpful because then they promulgate your information to their group, and the group always respects somebody in their group better than they do a compliance person. So try to build those bridges, those relationships. But that's probably it.
Chris Clark: Well, thank you, John. It was great having you on. We really appreciate all the insights. And looking forward to talking to you later.
John Griffin: Great. Nice being had. So thank you.
When doing business with the federal government and its myriad agencies, organizations are bound to run into plenty of mandates, regulations, and other requirements. Navigating them all can cause a headache for even the most detail-oriented compliance managers.On this episode of GRC & Me, Chris Clarke is joined by Intel Federal’s Compliance Program Manager, John Griffin. Griffin draws on his decades of experience in federal contracting and working with government agencies at companies like Honeywell and Boeing to explore methods for better managing product development and performing diligence on third-party vendor relationships while operating under strict and stringent government standards and requirements. Plus, learn a few of Griffin’s more creative methods for determining how risky a particular organization might be to work with.