
Join Vinted’s Group Risk & Compliance Officer, Elisabeth Quillatre, and Risk Process Manager, Goda Marija Vaitkeviciute, as they debunk common GRC myths in retail. From data privacy to supply chain risks, they explore the human side of risk and sha...
A
Welcome, everyone, to this episode of GRC and Me. I'm Megan Manifold, and in today's episode, we're diving deep into the retail sector, debunking common GRC myths and exploring the critical human element in building a robust compliance culture. I'm thrilled to be joined by two fantastic guests from Vinted, the popular online marketplace for buying, selling, and exchanging secondhand items, with a mission to make secondhand your first choice worldwide. Please welcome Elizabeth, the Group Risk and Compliance Officer, and Goda, Risk Process Manager. Elizabeth and Goda, welcome to the show. So I had the pleasure of meeting both of you last month at Agiliti in Chicago. But for our listeners at home, why don't we start with one thing that's not on your LinkedIn profile that they should know about you? Why don't you go first, Elizabeth?
B
Okay. So not on my LinkedIn. I just started working on my moto license. So when I'm not driving policies or talking about complaints culture, I'm learning how to take curves at the right angle. Literally.
A
Wow. Wonderful. As someone who is teaching their 16-year-old how to drive right now, I know that that is a very exciting time for you. That's awesome. What about you, Goda?
C
Mine is not as exciting and way more predictable, but I'm a big Excel geek. I love spreadsheets. I do everything in spreadsheets. The last one that I did was when I was packing my holiday suitcase. I did a spreadsheet to show me the completion rate on my packaging. So I do everything in Excel.
B
You have to share that with us.
A
Yes. Seriously, as someone who's going on vacation in a couple of weeks, I might need that. I do plan my holiday meals around in a spreadsheet, so all of the meals and the timing of the oven and stuff like that. So we might have to compare spreadsheets there. Well, that is fabulous. So let's go ahead and get started with our mythbuster section. So I'm going to start with you, Elizabeth. Is this a myth or is this a fact that prioritizing a strong risk and compliance culture will inevitably slow down innovation and the speed needed to compete competitively? Is that a myth or a fact?
B
That's a myth. I don't agree with that. So risk and compliance aren't just about rules or checklists. They will help people make the right choices when no one is watching. So when the culture is right, things actually move faster with more confidence. So it's definitely not about blocking innovation. It's about creating clear rules that support smart decisions.
A
I like that. And I bet you know a little bit about that from driving too. When you have your seatbelts and your safety mechanisms, you can go a little faster, right? Oh, fabulous. Fabulous. All right, well, let's try another myth then. Goda. So how about this one? Getting employees to care about risk and compliance is mostly about mandatory training sessions, right? The strict policies, you can't realistically influence people day to day behavior. Is that true or false?
C
I think it's generally a myth with like maybe 10% of truth in it, you know, because still policies and trainings, they enable compliance and risk to work and do their job, you know, so they enable people to act in an appropriate way. However, I really challenge the mandatory and strict parts of your statement. I think it's way more important to have the right culture for people to do the right things and the right process integration for people to easily do the right things, you know, in their day to day jobs. So yeah, I think it's a myth. It's way more important to allow people to talk about risk and compliance and their day to day than to fill in spreadsheets and follow the strict procedures.
A
Yeah, make it more natural, weave it into the day to day. I like that, I like that. Awesome. Well, let's get into the questions then. I'm really excited about this and we'll start with you, Elizabeth, on this one. Data privacy, right. So data privacy in your supply chain obviously brings that complexity of risk there and for online retailers certainly. So to begin, can you tell us how you approach building that culture of compliance that Goda was just talking about and managing that risk not just internally, but across your network of vendors as well?
B
Yeah, sure. So something that we did recently, we've just redesigned our privacy policy to be more transparent and accessible to our users. Not because we have to, but because we believe trust builds loyalty, which is definitely a real business advantage. We also redesigned our code of conduct to make it publicly available. And so soon don't go on our website yet, it's not yet released, but we'll launch a public facing complaints page which is clear, visual and designed to earn trust with users and partners.
A
Wonderful, wonderful. Well then let's think about this then. Beyond that, what's, what's one of the most effective ways that you've found to actually embed that then into your, that culture of awareness and compliance.
B
So what we have done internally, we've met compliance and risk part of the way we work. So not a separate layer. We launched a new elearning with a sponsor video to set the tone and paired it with practical tools like a downright manual transformed into an animated.
A
Awesome. Got anything to add to that?
C
Yeah, I think besides trainings, it's also very important for us as an organization that we are constantly seeking feedback from our stakeholders, really try to collaborate in many ways with the people who will then need to create the culture, you know, because we are just two of us doing our things. So I think it's just easier to embed it when we have this conversation. You know, lines open and they see that it's compliance as part of their job. It's not just us imposing something, you know, additional to them.
A
Yeah, yeah. And that's interesting too, because I think, you know, to some degree, if you're in the office, it's a little bit easier. You see those people every day. I'm curious. LogicGate, we have a pretty big remote presence and, you know, Vinted does as well. How is this different based on, you know, that in person remote, or even some of those hybrid cultures where you have some folks in the office and some at home?
B
So I will start. I'm almost fully remote, so I'm home, I'm working from home. So definitely the culture doesn't spread on its own. It's not a myth, so it needs to be intentional. So what we're doing is we're using digital tools, clear guidance, and we are trying to make our resources easy to find, not hidden in a folder.
A
Yes, yes, I'm sure that accessibility is definitely one of the things, especially internally, making sure everybody can get to them. Goda, anything to add to that?
C
Yeah, I think just adding on. On the difference. You know, like before COVID when we were like 100% in person environment, I used to do my risk workshops, you know, 100% in person. I had everyone in the room, and it was kind of easier to workshop together, think together because you see those people and you actually can have them engaged for at least like 45 minutes of an effective workshop. You know, with remote culture, it's way harder to get people engaged because whenever they feel like something is irrelevant, they start looking at their Slack messages or emails, which doesn't happen that much in person because there's more accountability. So I feel like the tooling, as Elizabeth said, and finding the right tools for increasing the engagement is very important. I'm not only talking about GRC tools like Logic, but also about some collaboration tools like whiteboard tools and so on that allow you to involve people more while they're live on your camera.
A
That's a really great point. And I know personally, when I was back in my cybersecurity role, one of the things we were working on was that training and specifically phishing training at the time. But can you give me an example then of a GRC training? Any topic really that you found that genuinely engaging or impactful with your users? Because I think sometimes you kind of mentioned it there. It becomes almost like a check the box activity. Like, oh, we have to do this as part of onboarding, for example. But do you have any examples like that of a really good one? Maybe?
B
So, you know, the new E learning that we released on compliance is a really good example because we asked one of our executive member to start with a short video which is definitely setting a human and relatable tone right from the beginning. And then we completely refreshed our privacy. Also E learning with a test at the beginning, meaning if you are good, you do not have to follow like 30 minutes training. You just go directly to the key takeaway and you have like real situation in simple language. So I think this is one of the way where you can have people really feeling empowered and engaged into your training.
A
Well, I like that. So if you already know the topics, you can kind of test out of it. Where was that when I was going through the training? Oh, wow, that's, that's wonderful. And Goda, I see you nodding along. Anything to add to that?
C
Because it was exactly my thoughts when I saw the new privacy training, I was like, finally someone did this in an easy way that I don't need to waste two hours of my time on repeating the information that I already know. So I think, yeah, that was really great and I hope that we will have more trainings like that. I think another thing that is really impactful and engaging is just doing really targeted training for targeted groups of people. Like in risk management, we recently changed our risk assessment methodology and currently I have like around 15 different training sessions with different teams around the topic. And every time I do it, it's a bit different because I try to ensure that it's relevant for the specific team. I use the examples that are relevant for them, we go through the assessment criteria that are most relevant for them and so on. So I feel like this keeps them a little bit more on their toes because they understand it's what they work with, it's their daily work, you know, and not something completely out of their scope.
A
Yeah, you got to make it relevant to make them care about it, to, to get the point across. There wow. Well, that's, that's really wonderful. I think we all can take a page out of, out of vintage book.
B
Vintage book.
A
Excuse me there. For, for training. Well, wonderful. Well, let's, let's shift a little bit because I want to talk a little bit more about sort of the industry where, where you're at and particularly, you know, with, with the marketplace sector that you guys are in there. What are some of the biggest, you know, blind spots that you're seeing, you know, out there? And I varies by, by industry. So I mean, I'm interested to hear specifically about some of those where you are both maybe by industry, by location. What are some of those blind spots? Elizabeth, you want to start?
B
Yeah. So one of the biggest I have is about regulations. So I will be fully transparent and honest. We don't know all the laws that apply to us. I'm sorry, I have to say it loudly. We don't know the one that applied today and even less that are the one that are coming tomorrow. We're operating, as you said, you know, across multiple countries and in a fast evolving areas like AI and sustainability. So we know the main regulations, but every country will apply rule differently or slightly differently. So that is where it gets complex. But on the good side of it, we're improving our monitoring and we are adding three controls into our processes. So not just to track the laws, but to apply them. So the goal will not be to be 100% compliant or 100% perfect, because no one can do that. Right. But it's to be ready and able to adapt. So what we're doing and our purpose is really to build the mechanisms to stay ahead, not just to catch up.
A
Yeah, yeah, no, that's a great point too. And especially as companies expand globally, different areas, different regions, you know, to your point, right, there could be something that you're unaware of. And I'm curious then, how are, how are you measuring that as you're, as you're going through and looking at some of that. And maybe it's not just the regulation, but really the impact on your organization and your culture.
B
So what we have done, last year, it was beginning of 2024, we launched a survey to assess how knowledgeable and empowered our employees feel when it comes to compliance. We asked really simple questions such as, do you know where to find fault policies? Do you know who we are or who to contact? I would be transparent. We were quite surprised by some of the answers. So it showed that we definitely needed more visibility. But after the survey, people started to reach out to us. So honestly, that was already a win because the culture started to spread. Right. So now we are trying to track engagement with the training and the feedback to the training that we have.
A
That's wonderful. Yeah, just making them aware of who to go to can make such a. Such a difference. Goda, anything you'd like to add to that?
C
I think generally, Megan, like to answer your first question on blind spots. I think measuring the impact and measuring the culture overall is like one big blind spot in the GRC as an industry, because it's quite hard to. To measure these things as they're very often like soft things that you cannot really measure. What we did for Enterprise Risk Management World was that we asked external consultants to do the job for us and to assess the maturity of our framework, which was quite a successful project, I would say, which gave us a lot of information on our impact that we do to the organization as a whole, to our leadership, executive leadership, and so on. So I would say that this is one of the things that we will definitely use in the future as well. After some years pass and we try to increase our maturity and our impact, we will definitely try to again assess it through the external consultants.
A
Yeah, and I'm really impressed listening to you guys talk about this too, because it seems like you've got a really solid strategy with that visibility and that transparency, not just internally with training and that culture, but even just you just mentioned kind of proactively looking at your growth, growth and where you are and how you can improve there. So I gotta ask then, how are you gaining and maintaining that sort of executive sponsorship and support? Because I think for a lot of folks listening, they might be thinking like, yeah, this is great, but how do I get my CEO to sign on? How do I get budget for this? So what tips do you guys have for demonstrating that value to your leadership and getting that buy in?
B
So maybe the main points I would share on this one is on our strategy. So when we started, you know, to create that department on compliance and Risk two years and something ago, we started to build our strategy, vision, mission, etc. And right from the beginning, we involved the top management, not necessarily all of them, but the main ones. So they felt really empowered. They had the possibility to comment, they had the possibility to ask questions. So they were not just informed. And when your leadership says that the GRC is a business enabler and they are invited to shape our direction, then the sponsorship becomes kind of natural. Right. And the second thing that we have done is we are sharing regular updates with them. So with the success story, not just the issues, and also a huge, like, annual report with some metrics and KPIs. So this also helps us to ask for resources, whatever it's human resources or budgets, because they know directly where we are going. And we're also sharing the maturity assessment on a regular basis. So we are updating it so they see where we are going, what is good, what is area of improvement. So this is how they feel empowered.
A
Wow. Wow. That level of transparency, I'm sure, is very much appreciated. And Goda, I know you mentioned a little bit of the maturity there as well. How does that play into it when we're talking, talking about some of that ownership and in there?
C
I think it's one of the key things for evolving in terms of maturities is to have that ownership in terms of top management and the key people. In our case, as Elizabeth said, we try to involve them as much as possible. But also, I think for GRC, it's very important. And it's coming back to your first myth that you shared with us, you know, about creating complexity and slowing down the organization. We need to convince our leadership about this every day. Almost like Elizabeth, correct me if I'm wrong, but we constantly get this feedback of, why are you doing this? Will this, like, slow us down? And, you know, so it's very important for us to constantly show them that we are, like, trying to solve problems and not creating additional ones for them to think about. And I think we, we are doing that through just ensuring that whatever we do comes from some kind of a problem solution situation. It's not just a box ticking that we need to do something, but we are trying to ensure that if we implement a new process, a new whatever committee, a new KPI on the organization, that it's because it will solve some kind of a problem to someone, including our leadership. I think that's one of the great ways to show them that we are there to help them, not to stop them. In a way.
A
Yeah, yeah, absolutely. When everybody's involved, there's more of that coming to the table of a holistic solution there and really having that ownership. Well, I gotta say, listening to y'all talk, it makes me a lot more comfortable wanting to shop on Vinted, certainly. And that's really part of it, right? Is building that customer trust. And so. So. But frankly, I mean, that can be challenging. And it sounds like you guys have a really solid approach to it. So for those listening at home, maybe what are some, like a couple of those more human centric GRC practices that organizations should prioritize, because that's really, at the end of the day, what we're talking about here, right. Is that human connection going on beyond technology. So what advice do you guys have for them?
B
So I mentioned earlier trust and transparency. So I think first we have to be clear and honest, so not just legally correct. And the second tips is more like we have to be consistent so people and our users will trust us when our actions will match our words. So that's kind of my key takeaway here.
A
Yeah, yeah, absolutely, absolutely. Goda, anything you'd like to add that before we wrap up?
C
I think I can tell you something like very specific to the risk management world. I think it's very important to look at your risk not only through the impact on your organization, but also through the impact on your customers, in our case, our members on the marketplace. It's very important to assess that to understand your biggest risks and biggest concerns in the organization. Because if you do that, naturally the customers will be just way more happy and safe.
A
Yeah, yeah, absolutely. I mean, I know I feel safer and happier about shopping on Vinted for sure. So. Well, this has been absolutely amazing. And as we move to wrap up, you know, we always like to leave folks at home with some strategies for success. So knowing what you know today about the human side of GRC, right, what proactive cultural investments or these kind of people centric strategies, as we mentioned, would you recommend that organizations prioritize so that they can really ensure that success beyond just sort of the standard control frameworks? Elizabeth, why don't you go first?
B
Sure. So I would say first you have to start with people, meaning you have to involve the business early to use real life examples and to keep the messages really simple. But you should not hide the risks. Second one, you should invest in storytelling. Celebrate the wins, not just the mistakes. And finally, and I already mentioned it, but build trust. Culture grows when people feel safe to ask questions and raise concerns. So when the culture is right, compliance becomes part of how we work, not an obstacle.
A
Absolutely. And Goda, what advice do you have for our listeners at home?
C
I think I'll not say anything new, but I think every organization is. Is different that it's really like from my personal experience, it's really. There is nothing more important than collaboration and listening. That's like the, the best human centric approach that, that you can have really. When you take the feedback, you listen and then you try to adapt to show them that their feedback is valuable. You know, and that, that you really understand it. You know, like I will again shout out to our privacy team, but what they did this Monday is we had a lunch and learn session with Privacy team because everyone loves free food, right? So if people don't go and listen to your online trainings, maybe lunch and training is like the greatest idea that you can have, which is really people centric. People are happy, they're eating, they're listening, and they learn something new about privacy. So I think it's really important to adapt to your organization because in GRC especially, I think there's no, no one way to do things right. There are so many options that you can choose from on how to do things. So being agile and change when needed is crucial.
B
And making fun make it.
A
Yes, yes. Actually, it's so funny you were going to say. Because that's what I was going to say is really taking that one step further of really becoming friends with some, I don't want to say friend, you know, their coworkers and stuff, but really having that friendly, fun relationship. Because if you can be seen more as that collaborator, you know, maybe like you said, you buy them lunch or, you know, everybody goes out for coffee or for a beer after work or something like that, then when something goes wrong or you know, something happens, it's a lot easier to respond to or to get that person to help because they've been engaged all along. So Fabulous. Fabulous. Well, you've heard what we had to say. Now tell us in the comments. Knowing what you know today, what proactive investments can you make to build a people centric strategy at your organization? That brings us to the end of this insightful episode of GRC and Me. A huge thank you to our guests, Elizabeth and Goda from Vinted for sharing their expertise on the human side of risk and compliance. Today we've explored the importance of fostering a strong compliance culture that goes beyond the mere policies and controls. As Elizabeth and Goda highlighted, proactive cultural investments and people centric strategies are key from day one. We'd love to hear your thoughts in today's discussions. Please share your comments and have a great day. See you next time on GRC and Me.
Podcast by LogicGate
Episode Date: June 5, 2025
Host: Megan Manifold
Guests: Elizabeth (Group Risk & Compliance Officer, Vinted) and Goda (Risk Process Manager, Vinted)
This episode explores why building a culture of governance, risk, and compliance (GRC) in organizations—particularly in the online retail sector—goes far beyond enforcing rules and policies. Instead, it's about fostering human connection, empowering staff, and making compliance a part of organizational DNA. Elizabeth and Goda from Vinted share their experiences and strategies for creating a compliance culture that supports both business agility and lasting trust, debunking myths that GRC stifles innovation or hinges on strict, top-down mandates.
Tone: Warm, personal, building rapport.
Myth 1: Strong compliance cultures slow innovation.
Myth 2: Employee engagement in GRC is mainly about mandatory training.
Transparency & Accessibility
Practical Integration
Elizabeth: “We've met compliance and risk part of the way we work. So not a separate layer… launched a new e-learning with a Sponsor video to set the tone and paired it with practical tools like a downright manual transformed into an animated.” (05:21)
Goda: Collaboration and openness—embedding compliance comes from active stakeholder engagement, not just top-down directives. “When we have this conversation… they see that it's compliance as part of their job, not just us imposing something additional.” (05:42)
Remote & Hybrid Challenges
Elizabeth: “Culture doesn't spread on its own… needs to be intentional. So what we're doing is using digital tools, clear guidance, and making our resources easy to find, not hidden in a folder.” (06:40)
Goda: Shift from effective in-person risk workshops to innovative online engagement tools: “It’s way harder to get people engaged [remotely]… so tooling… and finding the right tools for increasing the engagement is very important.” (07:12)
Personalizing Training
Elizabeth: New e-learning features:
Goda: Targeted training per team; adapts content and examples to specific roles. “Every time I do it, it's a bit different because I try to ensure that it's relevant for the specific team.” (09:33)
Impact: Relevant, flexible approaches are more engaging and less of a “check-the-box” exercise.
Regulatory Complexity
Measuring Awareness and Culture
Elizabeth: Organization-wide surveys revealed gaps, spurring new engagement and outreach—“After the survey, people started to reach out to us. So honestly, that was already a win because the culture started to spread.” (12:45)
Goda: Culture and impact are hard to quantify—external consultants assessed their Enterprise Risk Management framework, which “gave us a lot of information on our impact… and this is one of the things that we will definitely use in the future.” (13:38)
Early & Ongoing Involvement
Elizabeth: “Right from the beginning, we involved top management… they felt really empowered… they had the possibility to ask questions. So they were not just informed.” (15:20)
Transparency: Regular updates, annual reports, sharing maturity assessments to “help us to ask for resources… because they know directly where we are going.” (15:20)
Problem-Solving, Not Gatekeeping
Trust and Consistency
Customer Impact
People-Centric Strategies for Success
Elizabeth: "Start with people… involve the business early, use real-life examples, keep messages simple but don’t hide the risks. Invest in storytelling, celebrate the wins, not just the mistakes. Build trust—culture grows when people feel safe to ask questions and raise concerns." (20:38)
Goda: “Nothing more important than collaboration and listening… The best human centric approach that you can have… adapt to show them that their feedback is valuable… being agile and change when needed is crucial.” (21:21)
Elizabeth: "And making fun make it." (22:32)
Elizabeth (on GRC and innovation):
“Risk and compliance aren't just about rules or checklists. They help people make the right choices when no one is watching... things actually move faster with more confidence.” (02:26)
Goda (on culture vs. ticking boxes):
“It's way more important to allow people to talk about risk and compliance in their day to day… than to fill in spreadsheets and follow the strict procedures.” (03:13)
Elizabeth (on regulatory blind spots):
“We don't know all the laws that apply to us… [but] the goal will not be to be 100% compliant or 100% perfect, because no one can do that. Right? But it's to be ready and able to adapt.” (11:18)
Elizabeth (on executive sponsorship):
“When your leadership says that GRC is a business enabler and they are invited to shape our direction, then the sponsorship becomes kind of natural.” (15:20)
Goda (on feedback):
“Nothing more important than collaboration and listening… take the feedback, you listen, and then you try to adapt to show them that their feedback is valuable… being agile and change when needed is crucial.” (21:21)
| Timestamp | Segment |
|-----------|----------------------------------------------|
| 00:09 | Personal introductions, humanizing GRC |
| 01:53 | Mythbusters: Culture slows innovation? |
| 02:26 | Rules enable speed, not slow it down |
| 03:13 | Engagement is more than mandatory training |
| 04:35 | Building trust via transparency in policy |
| 05:21 | Practical culture embedding & elearning |
| 06:40 | Remote vs. in-person GRC culture challenges |
| 08:46 | Impactful, efficient and relevant training |
| 10:47 | Industry-specific blind spots & exposure |
| 11:18 | Not knowing all regulations—constant change |
| 12:45 | Surveying employee awareness and impact |
| 13:38 | Using external consultants for maturity |
| 15:20 | Securing and sustaining executive buy-in |
| 16:56 | Demonstrating GRC as a problem-solver |
| 19:08 | Human-centric GRC—trust and consistency |
| 20:38 | Proactive, people-centered strategies |
| 21:21 | Importance of feedback and fun in GRC |
| 22:32 | Wrapping up: make it fun, build friendship |
“Culture grows when people feel safe to ask questions and raise concerns. So when the culture is right, compliance becomes part of how we work, not an obstacle.” — Elizabeth (20:38)
For further practical steps on building a people-centric GRC culture, listen to the full episode or join the conversation in the comments!