GRC & Me – Episode Summary
Episode: Mastering Continuous Assurance and Automation
Host: Megan Manifold (LogicGate)
Guests: Vikram Carr & Eric Tseng (Google)
Date: March 27, 2025
Episode Overview
This episode demystifies the concepts of continuous assurance and automation within Governance, Risk, and Compliance (GRC). Host Megan Manifold welcomes Google’s Vikram Carr and Eric Tseng for a deep dive into how leading organizations are automating controls, overcoming legacy misconceptions, streamlining evidence collection, and leveraging best practices—including AI. Insights span practical examples, pitfalls to avoid, and actionable advice for building resilient, scalable GRC programs.
Key Discussion Points & Insights
1. Myths & Misconceptions of Continuous Assurance
- Automation Isn’t Just for the First Line of Defense
- Vikram challenges the notion that continuous oversight is limited to operations (first line), arguing that all lines—including auditors—can and should leverage automated, continuously collected evidence.
- “There’s no reason why a second line of defense, third line of defense, a customer … or even a third party auditor can’t look at evidence that’s been automatically collected.” – Vikram (02:28)
- Standardization & Communication Gaps
- Highlights a lack of standard ways to communicate compliance requirements and evidence across diverse stakeholders.
2. Data Integration: Centralized vs. Distributed Approaches
- Centralizing Data: Ideal but Impractical
- Eric explains that while centralizing all relevant data would be beneficial, in practice it’s rare—especially at the scale of Internet data. Instead, distributed data access is favored.
- “It’s very good to have all data in one place, but not necessary.” – Eric (05:43)
3. Google’s Journey: Building Continuous Assurance
- Early Adoption & Expansion
- Google’s culture of innovation led to early adoption of continuous controls monitoring, initially in financial and cloud contexts.
- Teams focus on automating controls critical for Google Cloud customers, involving collaboration with specialized engineering teams and AI efforts.
4. Continuous Assurance & the Three Lines of Defense
- Automation of Traditionally Manual Processes
- Vikram shares how even business continuity planning, often manual, can be transformed via workflow automation—generating templated, customizable recovery steps.
- “You can have an automated workflow that basically generates your business continuity plan … based on the data collected.” – Vikram (08:58)
- Auditor Perspective
- Evidence generated automatically can be seamless for auditors—they only need to see results, not the process.
- “They don’t need to know how you got it as long as you have it.” – Megan (11:06)
5. Adapting to Change: Flexibility in Automation
- Modular, Update-Friendly Design
- Eric advises designing automation systems to adapt quickly to control or regulatory changes, using APIs and microservices for flexibility.
- “Automation may have to be the go-to master to do that … design systems more modular, configurable and easily update.” – Eric (12:04)
- Automation for Policy Changes
- Example of daily scanning for policy deltas and alerting stakeholders as needed (13:02–13:21).
- Recommendations for smaller organizations: even periodic manual reviews can reduce risk of outdated controls.
6. Best Practices for Sustaining Automation
- Treat Controls as Code
- Vikram advocates for a “controls as code” philosophy: controls, assurance activities, and monitoring should be automatable, integrated into SDLC and change management processes.
- “You’re basically making sure that aspects of your code — be your control, the assurance activity, the testing capabilities — are amenable to automation.” – Vikram (14:06)
- Develop SLAs and SLOs for Controls
- Mandate operational rigor around controls similar to IT service management (e.g., tracking uptime, root cause analysis).
- Iterative, Lifecycle Management
- Controls must adapt as requirements shift (e.g., DORA regulations may require more frequent reviews), so maintaining robust lifecycle processes is key.
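The "controls as code" idea in section 6 and the daily delta scan in section 5 can be made concrete in a few dozen lines. The following Python is an added example written for this summary; it is not code from the episode, from Google, or from LogicGate. The inventory, the two control IDs (STO-01, IAM-02) and the pass/fail rules are constructed for illustration. Each control is a function that returns a verdict plus findings; every run emits a timestamped evidence record tied to a hash of the input snapshot (the automatically collected evidence an auditor can consume without seeing the process); a history of runs yields a per-control "uptime" figure for an SLO; and comparing today's run with yesterday's produces the short list of state changes worth alerting stakeholders about.

```python
"""Controls as code: evaluate controls against collected data, emit
auditor-consumable evidence, track a control SLO, and flag run-to-run deltas.
Added example; inventory and control definitions are constructed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable

# Constructed sample inventory, standing in for data pulled from a cloud API.
INVENTORY = {
    "storage_buckets": [
        {"name": "bkt-logs", "public": False, "encryption": "CMEK"},
        {"name": "bkt-web", "public": True, "encryption": "GOOGLE_MANAGED"},
    ],
    "iam_users": [
        {"name": "alice", "mfa": True},
        {"name": "svc-build", "mfa": False, "service_account": True},
    ],
}


@dataclass
class Control:
    control_id: str
    description: str
    # check(inventory) -> (passed, list of offending resource names)
    check: Callable[[dict], tuple[bool, list[str]]]


def no_public_buckets(inv: dict) -> tuple[bool, list[str]]:
    offenders = [b["name"] for b in inv["storage_buckets"] if b["public"]]
    return (not offenders, offenders)


def mfa_for_humans(inv: dict) -> tuple[bool, list[str]]:
    # Service accounts are excluded: MFA is a requirement for human identities.
    offenders = [u["name"] for u in inv["iam_users"]
                 if not u.get("service_account") and not u["mfa"]]
    return (not offenders, offenders)


CONTROLS = [
    Control("STO-01", "No storage bucket is publicly readable", no_public_buckets),
    Control("IAM-02", "Every human identity has MFA enforced", mfa_for_humans),
]


def evaluate(controls: list[Control], inventory: dict, when: datetime | None = None) -> list[dict]:
    """Run every control once and return evidence records.

    The record carries the verdict, the findings, the evaluation time and a
    hash of the exact input snapshot, so a reviewer can tie the verdict back
    to the data it was derived from."""
    when = when or datetime.now(timezone.utc)
    snapshot = json.dumps(inventory, sort_keys=True).encode()
    snapshot_hash = hashlib.sha256(snapshot).hexdigest()
    records = []
    for c in controls:
        passed, findings = c.check(inventory)
        records.append({
            "control_id": c.control_id,
            "description": c.description,
            "passed": passed,
            "findings": findings,
            "evaluated_at": when.isoformat(),
            "input_sha256": snapshot_hash,
        })
    return records


def control_slo(history: list[list[dict]], control_id: str) -> float:
    """Fraction of recorded runs in which the control passed (its 'uptime').
    history is a list of evaluate() outputs, oldest first."""
    runs = [r["passed"] for day in history for r in day if r["control_id"] == control_id]
    return sum(runs) / len(runs) if runs else 0.0


def deltas(previous: list[dict], current: list[dict]) -> list[str]:
    """Controls whose pass/fail state changed since the previous run.
    These, not the whole report, are what a daily scan should alert on."""
    prev = {r["control_id"]: r["passed"] for r in previous}
    return [r["control_id"] for r in current
            if r["control_id"] in prev and prev[r["control_id"]] != r["passed"]]


if __name__ == "__main__":
    print(json.dumps(evaluate(CONTROLS, INVENTORY), indent=2))
```

In a real pipeline the inventory would be fetched on a schedule, the evidence records written to an append-only store, and `deltas()` fed to whatever alerting channel the second and third lines already use; the control functions themselves live in version control and go through the same review and change management as any other code.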
7. Encouraging Broader AI & Automation Adoption
- Start Small for Confidence
- Eric suggests experimenting with bite-sized use cases, like uploading a regulation document to an AI agent for summarization, before scaling up.
- “Start small … focus on those high-profile steps in the process. Try AI and then see what you get.” – Eric (19:19)
- AI is a Force Multiplier
- Machines can accelerate tasks like reading large policy PDFs—but humans remain essential for nuance and judgment.
8. Strategies for Success (Final Advice)
- Eric: Prioritize automation “by design”—build unified frameworks early, as retrofitting is challenging. (21:23)
- Vikram: Treat controls as software; apply code-based lifecycle, automate process/governance-related controls, and bring orphan processes into normal IT rigor. (22:00)
- Megan: Ensure all stakeholders are engaged from the start to prevent rework or misalignment. Transparency is key. (23:11)
Notable Quotes & Memorable Moments
- On the Forcing Function of Automation:
  “The most important aspect of continuous assurance… is that it really forces you to understand how a control operates. Because when you start thinking about how to automate something, you have to make sure you have a comprehensive understanding of what the business drivers and requirements are.”
  – Vikram (02:54)
- On Controls as Code:
  “The way to think about continuous assurance … it's controls as code. You're basically making sure that aspects of your code—be your control, the assurance activity, the testing capabilities, the monitoring—are amenable to automation.”
  – Vikram (14:06)
- On Automation and Market Access:
  “A compliance failure can get you blocked out of an entire regulatory market. And it could be a simple process breakdown.”
  – Vikram (17:35)
- On Gaining Confidence with AI:
  “Start small…upload your regulation into some AI agents, let them do some text summarization, ask some questions to figure out some insights and then start to build your confidence.”
  – Eric (19:08)
Timestamps for Key Segments
- 00:46 – 04:23 Myths and Misconceptions: Continuous oversight beyond first line of defense
- 04:48 – 06:00 Centralizing vs. distributing data for automation and AI
- 06:43 – 08:03 How Google’s team built out continuous assurance and automation
- 08:22 – 11:06 Example: Automated business continuity planning throughout three lines of defense
- 11:51 – 13:21 Adapting automation to regulatory and policy change; modular design
- 14:03 – 17:35 Controls as code, SLAs/SLOs, continuous lifecycle management
- 18:54 – 20:37 How to build comfort with AI/automation for GRC professionals: start small
- 21:23 – 23:11 Final advice and strategies for building resilient automation
Takeaways
- Continuous assurance isn’t just operational—everyone from internal audit to external regulators can benefit from automation.
- Treat controls like software: Build, automate, maintain, and adapt them with the same rigor—using SDLC, SLAs/SLOs, and iterative updates.
- You don’t need to reinvent everything at once—focus on high-value, high-impact steps and build confidence incrementally.
- Automate by design: Bake automation into your frameworks early for scalability and effectiveness.
- Keep all stakeholders involved and processes transparent to ensure sustainability and avoid pitfalls.
“From controls as code to security by design, automation is in everyone’s future.”
– Megan Manifold (23:08)
