Q&A: For Risk Management Veteran Jonathan Prewitt, Excellence in Governance, Risk and Compliance is No Panacea


Jonathan, welcome to FTI Technology. Can you provide a snapshot of your professional background?

I’ve moved through many different roles and industries over the course of the past two decades, but all my work has centered on some form of risk management. After my time in the U.S. Navy, I spent time in numerous aspects of risk management for Harley-Davidson Financial Services. At that time, Sarbanes-Oxley and other standards were coming into play, and I became involved in building control frameworks for those requirements, and eventually third-party risk, enterprise risk management and executive protection at other financial services, manufacturing and technology organizations.

Overseeing and establishing these types of programs in-house provides a lot of exposure to overlapping pillars of risk management, so I gained experience that spanned IT, compliance, governance, safety and the technologies that are relied upon to strengthen those safeguards. When I eventually moved into consulting, that background was immensely helpful in guiding how I developed managed services and risk frameworks for clients and helped them understand their specific governance, risk and compliance software needs.

Can you give some examples that provide more color around the types of GRC projects you’ve overseen?

I’ve worked with numerous clients that are global organizations with complex regulatory obligations and strict industry requirements. The needs for fulfilling these often vary from region to region. Many of my clients have also been defense contractors, adding another layer of IT and risk conditions they have to meet to maintain their contracts. To that end, I’ve helped organizations simultaneously map risk frameworks for multiple global regions and automate compliance testing using custom-selected GRC tools. I’ve also worked with clients to provide IT risk management for defense contract administration, which included implementing additional, specialized controls and redesigning their compliance programs to ensure every check box required was completed correctly and set up for long-term reliability.

One example in the power industry was a client that had 14 different disparate regulatory compliance programs across the U.S. and Europe. Prior to my involvement, the company had not established IT and risk control frameworks, and had no way to view its risks holistically across all divisions of the business. I partnered with the teams there to bring everything into a single GRC platform, which allowed the company to manage, remediate and report on issues from a central view. This helped reduce risk, improve efficiencies and save roughly $1 million in annual overhead. 

Many of your projects have involved technology evaluations. Can you touch on some of the top considerations clients should have in mind when selecting GRC and related software?

Many companies have highly complicated environments and risk management is often siloed. When bringing in technology, it’s important to first consider how all relevant parties connect and overlap. Certain tools can be leveraged and customized to align every group/team with a control mechanism, automate how they are managed across custom workflows and ensure appropriate groups are notified when there’s a red flag. Obtaining a full picture of the organization and how various risks align and overlap is an important foundational element to a successful GRC technology deployment. For one former client, this ground-up approach of mapping across the organization and customizing tools in innovative ways according to specific needs resulted in bringing a very complex, dispersed organization into compliance with DOJ requirements in only a year, which the regulators thought would not be possible. 

Maturity assessments are also helpful in program and technology design and integration. A detailed assessment will clarify the current-state maturity of the program, identify gaps that need to be addressed and look for efficiencies that can be built into a tool. Similarly, organizations need to examine how they are using existing tools, what kind of value they are getting out of them and whether employees are effective in adopting them. Often, tools already in place can be reapplied and optimized so the organization can avoid new and unnecessary technology investments. 

How do technology needs vary from company to company?

There’s a wide spectrum of GRC tools, some of which are great for small teams, or IT-focused teams, or general corporate compliance, or internal audit functions. It’s often very difficult for organizations to see through the promised results and capabilities that are pitched during demos to grasp the reality of how a technology will perform when deployed. So, it starts with having a baseline understanding of the needs and goals, and then working with experts who have the hands-on experience with a variety of tools, so they can advise on which are truly fit for the purpose at hand.

What is FTI Technology’s role in supporting these evaluations and selections?

We have the experience and industry perspectives needed to join any client and hear their challenges, then provide guidance for a practical and effective path forward. For some clients, this may mean improving or correcting existing technology deployments to help achieve the results they need from previous investments, or serving as a trusted advisor for evaluating and optimally implementing new solutions. In other cases, it may be a client facing new compliance requirements and unsure of where to begin. Ultimately, every client is different, so the services we bring to the table are intended to adapt accordingly. We also want to be there with the client every step of the way. Rather than installing a tool and leaving, we can help the program as it matures and grows to address evolving GRC needs.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.