Hi everybody, welcome to ComplianceLIVE, I’m Amanda Hosenfeld.
I’m Cailyn Gombka.
Amanda Hosenfield: “And, we are very excited for today’s show. Before we get started, we want to remind you that Mark from accounting would like everybody to know that this podcast is sponsored by ComplianceLine. Thank you to ComplianceLine for offering this space for valuable compliance and ethics related information. So, today we have a very special guest joining us in-house. If you’re watching the feed on YouTube or on our GoToStage platform, you may notice that Cailyn and I are sitting on the same side of the table today.”
Cailyn Gombka: “This has never happened.”
Amanda Hosenfield: “This is weird, I’m always where you sit.”
Cailyn Gombka: “And that’s my spot.”
Amanda Hosenfield: “Yeah, this is obviously Cailyn’s spot.”
Vanessa Mathews: “Musical chairs.”
Cailyn Gombka: “She’s in my spot.”
Amanda Hosenfield: “We gave you the seat of honor today. We are welcoming Vanessa Vaughn Mathews from Asfalis Advisors, thanks for joining us.”
Vanessa Mathews: “Absolutely, thank you for having me.”
Amanda Hosenfield: “Of course, now when we discussed this topic with our pre-production team and our peers, somebody said, ‘Ooh, the lady from Scandal is coming on this show!’ How accurate is that? So, tell us about Asfalis Advisors and what you do there.”
Vanessa Mathews: “I wish I could be the lady from Scandal and play Kerry Washington the way that she did, but I get that question a lot.”
Amanda Hosenfield: “Do you? Okay.”
Vanessa Mathews: “I do, I do, so Asfalis Advisors is actually a business resilience company, and we are a professional services organization that helps people accomplish three things. We help you to identify risks before they happen, to plan for contingencies, and solve for crises. The way we do that from a discipline perspective is through crisis management, business resilience, risk management, and business continuity.”
Amanda Hosenfield: “Okay, so Cailyn and I just did a huge show on business risk–”
Cailyn Gombka: “Risk management, yeah.”
Amanda Hosenfield: “Risk management, thank you, and your kind of group feeds into that, right?”
Vanessa Mathews: “Yep, absolutely.”
Amanda Hosenfield: “What made you get interested in this? It’s such a narrow topic.”
Vanessa Mathews: “Very, very, very narrow. So, taking it back, my major in undergrad was in homeland security and emergency management–”
Amanda Hosenfield: “Oh, wow.”
Vanessa Mathews: “And I attended Savannah State University, which is the first historically black college in the nation to carry the dual degree program, so it was a great opportunity for them to be a talent pipeline to the federal government. Well, upon graduation I found myself in a tornado with wind speeds exceeding 135 miles per hour.”
Amanda Hosenfield: “Like at college?”
Cailyn Gombka: “Legitimate tornado?”
Vanessa Mathews: “Legitimate tornado, so I’m sitting in my car in Atlanta, not in college, and it’s a beautiful day. A brick building crumbles to pieces next to me on a beautiful Friday afternoon, a light pole falls parallel to my car, my car starts shaking back and forth, windows burst, the car goes up in the air with me inside of it, and my car is totaled while I’m in the air–”
Cailyn Gombka: “Oh gosh!”
Vanessa Mathews: “There’s cars, dumpsters, billboards, sharp debris, everything you can imagine flying towards my head, and in that moment–”
Amanda Hosenfield: “Just because a tornado.”
Vanessa Mathews: “Just a tornado, on a normal Friday, and it was the first tornado on record that had never happened before, but what it taught me that day was just because it hasn’t happened yet, doesn’t mean you shouldn’t be prepared for it.”
Amanda Hosenfield: “Okay.”
Vanessa Mathews: “The other thing that I learned is, you’re not in control, right, so right now this is the time where coronavirus is running rampant. Everybody wants to know, well, what should I do and how do I respond? You’re not in control.”
Cailyn Gombka: “Right.”
Vanessa Mathews: “Right, and so that’s kind of how I, that’s how I found the passion, and that was the perfect storm that led me into what I do now.”
Cailyn Gombka: “What a great story. I think that–”
Amanda Hosenfield: “What a horrible story.”
Cailyn Gombka: “Horrible–”
Cailyn Gombka: “But what a great resilience story, yeah.”
Cailyn Gombka: “Horrible situation, but I love, we love hearing about kind of the root, what brought you to where you are today, and I think, ’cause we, I mean our CEOs talk about their story all of the time, and yours is wonderful.”
Vanessa Mathews: “Thank you.”
Cailyn Gombka: “Yeah, you’re welcome.”
Amanda Hosenfield: “It’s horrible and wonderful.”
Cailyn Gombka: “It’s terrifyingly awesome.”
Vanessa Mathews: “It’s the perfect storm.”
Cailyn Gombka: “Like literally.”
Amanda Hosenfield: “It sure is, yeah. So, in that moment, were you, I don’t know if scared is even the term that I would use, I’d be terrified, yeah, but then it morphed into–”
Vanessa Mathews: “Yeah, so at the time, I had an understanding of the educational foundation of homeland security, emergency management, public policy, terrorism, mitigation, natural disasters, how the federal government, how the private sector feeds into that. The tornado, or the perfect storm, was my own personal, real life crisis, so I was terrified, I was scared, and quite frankly, I thought, wow, this is how you’re gonna die, this is very traumatic.”
Cailyn Gombka: “Yeah, as for that, for sure.”
Vanessa Mathews: “But, as I continued to stay into the discipline and learn more, I needed that perfect storm to be my passion, because now when I am frustrated and concerned and irritated about what may be happening, I can go back to, I know why I do this and I know that I’ve been here before. Every crisis looks different for everybody, but for me, I almost lost my life, so I know what it’s like to not be prepared, to not be able to communicate. At the time of that, there was an SEC championship basketball game playing at the Georgia Dome, and the roof ripped off the dome in the middle of the game from the tornado, and 80,000 people started running outside. No sirens, no warnings, no communication, no nothing, and when you’re in crisis, it’s pure chaos. So, I know what it’s like to live through chaos, so who else better than to help you walk through that journey than us?”
Cailyn Gombka: “Right, and prepare for it. I think that the relatability you have really just makes you an expert, you know?”
Vanessa Mathews: “Yeah.”
Amanda Hosenfield: “So, for businesses or companies or entities, do you, you run the gamut, right? You, in any entity, can use your expertise, correct?”
Vanessa Mathews: “Absolutely, so we serve two types of customers as a professional services company. The first one that we are really, really wanting to be a solution for are small businesses. Those are firms between a quarter million to 10 million in revenue. They are growing, they care about clients, they care about making an impact with their solution, and risk management is not top of mind, but–”
Amanda Hosenfield: “Why do you think that is?”
Vanessa Mathews: “Because they’re so busy focused on growing the business and scaling and getting in the door with some of these larger companies, the risk is sales, the risk is marketing. That’s their primary concern. The second group of customers that we serve are what I call middle market. They are firms between 20 million up to a billion in revenue. They are folks that are competing at the Fortune 500 level, they are growing through mergers and acquisition. Their data may be fragmented. They may have over 500 to 1,000 employees, so their business is changing as they continue to grow in scale, and so for them, we see them in three types of categories. The first category is, you have nothing in place. You have no crisis management, you have no risk, you have no cyber security, you have no IT disaster recovery, you have no safety, you have no crisis communications, you have nothing. The second group has what I call something. You have pockets of resilience. You may have a cyber security department, or risk management department, but you may not have physical security or crisis management. And, the third group is a well oiled machine. You have all of the pockets of resilience that I mentioned, but you may be lacking the data or the intel to understand, well, what’s happening in the market, what are my competitors doing? And so, we help you to benchmark from that perspective and help you see what you sometimes can’t see.”
Cailyn Gombka: “Huh, I think that last part’s especially interesting for me because it seems obvious to say that, well, of course you would help those smaller companies kind of develop these departments within, structures, policies, procedures, et cetera, but when you get to the organizations that already have that in place, my thought was, well what then?”
Cailyn Gombka: “Well then, what do you do? Yep, yep.”
Cailyn Gombka: “Cause it seems like, they have it all figured out, but then it’s just, kind of like, that’s the preparation piece, right?”
Vanessa Mathews: “Well, you know too, so before I owned my own firm, I worked with the Department of Homeland Security, I worked for Gulfstream Aerospace Corporation, I worked for Lowe’s Companies, and I’ve worked with a number of suppliers that those organizations work with to support their operation, and one thing I’ve learned is that no matter how big the brand is, everybody has their own level of preparedness, and everybody has room for improvement. When I’m watching TV and I’m watching your company’s crisis fall apart on the TV, I know, I can look through our six lines of defense, governance, policy, processes, tools, culture, and validation, and I can look to see, hmm, based upon what I’m seeing on TV with Equifax, where might they not have been as prepared?”
Cailyn Gombka: “Where are the holes at?”
Vanessa Mathews: “If it’s Boeing, where might they not have been as prepared? If it’s Target with the data breach, where were the holes? And, it’s easy for us to see that. So oftentimes, we think, well it’s this brand or it’s that brand, they must have it all figured out. You’d be surprised.”
Cailyn Gombka: “Because there’s really not a standard for risk management. There’s not like, I think, HR is a department that I think of, every company kind of does it the same way, in a sense, but I think risk management, there is no, like everybody sees risk the same way.”
Vanessa Mathews: “Right, so there are professional standards, like we align our program to the International Standard Organization 31000, so everything we do is ISO 31000 aligned. We also align with the Enterprise Security Risk Management Framework, but to your point, everybody views and sees risk differently, which creates friction. Marketing and sales care differently about risk than finance and operations, right? HR people, they see the risk before it happens. They see the active shooter before they’re an active shooter, right?”
Cailyn Gombka: “Yeah!”
Vanessa Mathews: “They understand the people challenges, they understand what’s happening in the break room, and the folks in finance, they’re not visible to that risk, and so this person may wanna be gung-ho on risk management while this person just says, we just need a safety video and that’s it, and there you have friction that happens across the company.”
Amanda Hosenfield: “That sounds so familiar, I mean, I’m just thinking back to our risk assessments that we did internally and how it’s like, as our HR liaison, I would go in and I would say, ‘This is really risky, guys. We need to fix this risk,’ and people were like, ‘Eh, it’s not as risky as this other thing,’ and it’s like how do I convey that this is a huge risk that we’re taking on, do you find that a lot? Is that across companies, no matter what size, you’re always gonna have that friction?”
Vanessa Mathews: “Absolutely, absolutely, yeah.”
Cailyn Gombka: “I would think, to your point, every department kind of thinks that what’s happening within their department is more important, more risky than your department, so how do you get them on the same page?”
Vanessa Mathews: “That comes into play with the work we do in the world of business continuity. So, processes run the business, technology and people support those processes, so what I always like to figure out is what are your critical business functions? What are your top two to three things that if you don’t do those things, ComplianceLine is not a company. If you don’t do those two or three things, Boeing is not a company. If you don’t do those two or three things, Honeywell is not a company. What are your core critical functions? And, that’s what’s critical. Everything else is not critical, which means if there is a crisis and you only have space for 50 seats, who gets priority on those 50 seats? It’s that critical function that runs the company, and those support processes, like payroll, is pretty important.”
Cailyn Gombka: “Yeah, for sure.”
Amanda Hosenfield: “I mean, ya know.”
Vanessa Mathews: “Procurement, right?”
Cailyn Gombka: “Yeah.”
Vanessa Mathews: “Procurement, I need my goods and my services to support this operation, so you really have to help people to see the bigger picture, and then where do you tie into that bigger picture?”
Cailyn Gombka: “Kind of step outside of your department, look at what we’re about–”
Vanessa Mathews: “Yes.”
Cailyn Gombka: “And then, kind of take a new understanding from there. I think we do that here, and as part of that risk assessment, it’s nice because we kind of did like a department collaboration, and all the departments had to work together to identify and help solve for the risk within their individual departments, but also talk about the risk on the whole business level, so I think that that’s really important.”
Amanda Hosenfield: “Now, when you talk about crises, do you categorize them as in like internal crises, external crises, public, media crises, like what? I wouldn’t even know where to start to categorize things like that.”
Vanessa Mathews: “Yeah, so what you’ll find is everybody will do something different. The one I’ll steal is from Regina Phelps. She wrote a book called Crisis Management, and she categorized them into soft versus hard. So, your soft crisis is going to be the thing that, it’s hard for you to see it and touch it and feel it, and it’s not really tangible. So, the worst one I’ll give you is sexual abuse and misconduct, right? Soft crisis. The hard crisis is natural disaster that blows your building away. 9/11, you can see it, you can feel it, you can touch it. It’s more visible than a cyber breach, which would be soft, so those are how we, I actually just read her book a few months ago, and so those are some ways that we’re thinking about different ways to view what a crisis is, but some companies would say yes. If it’s internal versus external, what do I have more control over inside of the company versus things that, again, like the perfect storm, I can’t control that, right?”
Cailyn Gombka: “Right.”
Vanessa Mathews: “Or coronavirus, I can’t control that.”
Amanda Hosenfield: “Right, when you have a crisis happen, let’s say it’s a hard crisis, like a tangible 9/11 type, or a tornado type where you can see it and you can feel it and you can touch it. Where’s your starting point for a hard crisis? So, the building falls down in front of you, there’s a tornado, there’s an earthquake, there’s something that happens, what’s our first thing?”
Cailyn Gombka: “What’s step number one, what’s the plan look like?”
Vanessa Mathews: “Yeah, so I’ll take you back. Earlier, I mentioned our six lines of defense, governance, policy, processes, tools, culture, and validation. So, we call those the six lines of defense that every program needs, whether it’s cyber security, crisis management, business continuity and risk, every program needs those six lines of defense. At your home, you have lines of defense. You have a front door, you have a back door, you have a lock, you have glass, you have blinds, you have curtains, I have .380s, I have a dog, I have a husband who’s 6’5″, he is my line of defense, I have a security system so when something is breached, I have an indicator telling me that something’s wrong and I need to fix something. From a crisis management perspective, you need leading indicators, so there’s three things that any company should be looking at when you’re in crisis mode: your reputation, your profitability, and your ability to operate. In some companies, it can be one out of three, two out of three, or three out of three that bring you into a crisis. The number one problem is that many people don’t know what are my leading indicators that tell me that I’m in a crisis, so I think the first thing, at a very general perspective, is you have to be socially listening to what’s happening within the organization, so communication is first. Once you recognize that there’s a problem, you need to activate, then you need to monitor, and it’s a cycle that continues until you’re making a decision and you get back in that cycle, does that make sense?”
Cailyn Gombka: “Yeah, so what does that look like, what does being socially aware of what happens in your organization look like?”
Vanessa Mathews: “Yeah, so there was a company that we worked with, and what we found was the folks in public relations who were socially listening through social media and through news channels and employee forum groups that were web-based, they found instances where the company’s name was mentioned, sometimes good and sometimes bad. So, that’s an indicator, that’s telling you data and giving you intel, right?”
Cailyn Gombka: “Yeah.”
Vanessa Mathews: “On the cyber security side, they could see they were getting hacked by various companies all around the world 50,000 times in a minute. So, but if cyber security and public relations are not in a room together and you’re not communicating, then you’re missing it, and the number one issue in every crisis is communication. So, I think about diversity, equity, and inclusion. Many people don’t include those players at the table from a crisis management perspective. They’ll have the IT person, they’ll have security, they’ll have cyber security, they’ll have HR, they’ll have general counsel and operations, but they don’t think about inclusion and diversity. How do we prevent some of these blunders where people just may not be culturally aware or culturally sensitive to where it’s race, whether it’s gender, whether it’s LGBTQ, whatever that dynamic is from an inclusion and diversity perspective, many companies are missing it, and that risk bubbles up into a crisis because you don’t have the right players at the table. So I think the first problem is get the right players at the table where they can build a relationship and establish trust, and we can really talk about what are the risks and the crises that we’re looking at, and then how can I better work with you and not work in silence?”
Cailyn Gombka: “Right.”
Cailyn Gombka: “I think that that’s really interesting. Do you find that organizations, maybe even the larger ones, they don’t include the diversity and inclusion kind of people side of things in their risk assessment programs?”
Vanessa Mathews: “From my perspective, we view business resilience in four perspectives: people, operations, infrastructure, and technology. Your people are number one because they’re gonna create the crisis or execute the risk mitigation. I think most people understand that people are going to create the crisis, and you need people in every aspect of your business, but I think sometimes the bigger you get, you can grow out of touch–”
Cailyn Gombka: “It’s underestimated, maybe.”
Vanessa Mathews: “Right, or you just may lose sight of it, and that’s why I think it’s always important to have, so we always align business resilience to the game of basketball. In the game of basketball, you have an owner, a coach, and a team. The owner is the executive sponsor. The coach is the person who is accountable and responsible for crisis management, for business resilience for whatever that program is, and the team are the stakeholders. That’s IT, that’s physical security, communications, HR. You need those same players on both sides, whether you’re playing the game of basketball or whether you’re building a company that’s going to truly be resilient.”
Cailyn Gombka: “I see, how does this translate into those smaller organizations?”
Vanessa Mathews: “Yeah, great question. So, what we started last year is I took a look and I said, okay, small business between a quarter million to 10 million, zero to 50 employees. They are at risk. They employ 1/3 of our workforce, and they’re trying to do business with these larger companies. That’s how they grow.”
Cailyn Gombka: “Mm-hmm.”
Vanessa Mathews: “I love that. But, how do we take this concept of risk management, crisis management, cyber security and scale it down to a level that makes sense to a small business owner? And so, that’s when we pivoted and said, you know what, we have the ability to serve them where they are because we can get access to that network a lot easier than our competitors, and so we like to really make things simple because when you overcomplicate things, you just overcomplicate it and it’s hard to solve it, so the approach that we laid out for you, people, operations, infrastructure, and technology, if you can’t see it, you can’t solve it. So, that’s the first step is getting them to see. If you can’t see it, you can’t do anything about it, right?”
Cailyn Gombka: “Mm-hmm.”
Vanessa Mathews: “Then we help them build their lines of defense, the governance, the policies, the processes, the tools, the culture, and the validation. When I say culture, your risk program, your crisis program, your cyber program will only go as far as your culture allows it to, so to your point about friction, how are we managing the culture of the company and how it aligns to our resilience framework, and so what we’ve done is, Asfalis means safe, secure, and sure. So, safe is the first step. That’s where we help them build their lines of defense. Secure is we help you to build the internal capacity, so what are the processes and the systems and the tools that you need to truly grow your risk program to support your operation, ’cause risk is there to support the operation. If there’s no operation, you don’t even have any need for risk. And then lastly, sure, is how do we integrate it into your culture? One of my friends works for a financial services firm, and they have this term where they say, hypothetically speaking, secure the box, and everybody knows when you say secure the box, that means control alt delete, lock your screens, lock the doors, make sure there’s no piggybacking, make sure your cars are locked, your doors are locked. Everybody knows what secure the box means, right? Because they’ve trained, they understand that, and people know that’s in their culture, it’s embedded, so it’s not just for the risk manager or the safety person to manage risk, it’s everybody’s responsibility, right?”
Amanda Hosenfield: “Everybody has something to do to make that successful.”
Vanessa Mathews: “Absolutely, cyber security is everybody’s job, safety is everybody’s job, and so how do we help you get from nothing to it’s integrated into your culture, and that’s what we do through the safe, secure, and sure approach.”
Cailyn Gombka: “I think that that translates so well for ComplianceLine because we’re so much about culture, and we speak so much about culture on this podcast alone.”
Amanda Hosenfield: “A lot.”
Cailyn Gombka: “I mean, every episode we throw it in there, so do you find that your small businesses are really into that piece of culture? Like, is that an easy task, helping them integrate it into their culture?”
Vanessa Mathews: “So, I don’t think so because culture, so again, it… It’s hard to grow these types of programs if your culture won’t allow it, so if your leadership team doesn’t have the culture or the appetite, then it’s gonna be a slow process.”
Cailyn Gombka: “Right, yeah.”
Amanda Hosenfield: “Right.”
Vanessa Mathews: “And that’s what I call, you plant seeds, you water it, you put some flowers around it, let it grow, come back, plant some more seeds, and sometimes it just takes a little bit of time, so for our framework, governance and policy are the two things that have the least amount of change. The processes, the tools, the culture, and the validation, those will change more, but even with culture, that’s not going to change immediately. That’s a slow process, where you really have to be intentional, so just how you guys are big on culture at ComplianceLine, what did it take to get there?”
Cailyn Gombka: “Many years. Yeah, a lot of work, a lot of trial and error, I think a lot of attention.”
Vanessa Mathews: “Communication.”
Cailyn Gombka: “Yes.”
Vanessa Mathews: “And getting everybody on the same page, like you have to over communicate, and then you have to be consistent, and what you guys know is it starts at the top.”
Amanda Hosenfield: “Right.”
Vanessa Mathews: “You talked about, at the beginning, our leaders always share a story and we know what their story is. That’s culture, and it starts at the top, and so not every company is maybe cognizant, or maybe sometimes it’s just like risk, maybe they just don’t understand how important risk is or how important the culture piece is. That’s something that we’ve been taking a very hard look at. There’s two reasons why we let go of people and help them find where they should be, and it’s not with us. It’s trust and integrity, so we hire for trust and integrity, and it’s a part of the responsibilities on me as the leader to set the tone and the expectation. And so, whether you are a strategic partner, whether we are partnering with you on a podcast, or whether we’re doing work with you as a client, if you don’t align back to the core values and our purpose, our purpose is to help leaders leave a legacy, we’re all about legacy. Our brand promise is we do not deliver plans that sit on a shelf and collect dust. No one pays me to give you a big booklet that you’re never gonna read that’s not gonna be valuable.”
Cailyn Gombka: “You may never hear from me again, right, yeah.”
Vanessa Mathews: “Right, and so all that ties back into the culture, and so every time we have a staff meeting or any type of report that we’re doing internally, I start it with the purpose, with the brand promise, and our core values.”
Cailyn Gombka: “Love that.”
Cailyn Gombka: “So, it’s in there.”
Cailyn Gombka: “I think that that, our day one, we’ll call it day zero, anytime we hire someone, the first thing that employee does when they walk in ComplianceLine doors is they sit in a day-long session with our CEOs and we talk about our values, what is our purpose, why are you here, why are we here? And, I think that it just really sets the tone for their employment here and setting them up for success.”
Vanessa Mathews: “Yep, absolutely.”
Amanda Hosenfield: “Okay, so I have a chicken and egg question.”
Vanessa Mathews: “Chicken and eggs.”
Amanda Hosenfield: “Uh-oh. Mm”
Amanda Hosenfield: “I mean, this is what I’m really curious about, though, in the whole crisis management arena, is it a we write 30 policies just in case something happens, or there are some things that are predictable, so hurricanes, like we should have a hurricane policy because we get hit once every five years, I mean, it’s not an uncommon thing, but like a terrorist style attack, how many companies in New York had a terrorist attack policy or procedure for crisis management? Like, how much is it, like we’ll have a terrorist policy here at ComplianceLine, but then we’ll also have a dog attack policy, and–”
Amanda Hosenfield: “Is it over prepare, is that?”
Amanda Hosenfield: “Right, like where’s the line that a company should prepare for? Should we prepare for if a truck runs into the building? Should we prepare for whether that old video of our CEOs goes viral? That was a joke, there’s no video, but where’s the line that we should prepare? How much is too much to prepare for, or is there too much?”
Vanessa Mathews: “Yeah, so I think this is a great question, and this sometimes can make people feel overwhelmed and frustrated with the process, which is why we went back to people, operations, infrastructure, and technology because any risk that you’re having in your business is happening in those four categories, unless it’s a black swan, like in 9/11. That’s a black swan, I just, I couldn’t plan for that one, right?”
Amanda Hosenfield: “Right, right.”
Vanessa Mathews: “So, how we do it at Asfalis is we take an all-hazards approach. My challenge is, if I have a hurricane plan and a cyber plan and a fire plan and a CEO fell out of the airplane plan, if I have all these plans, what happens is people operate in silos, so you’ll pick up the hurricane plan, which has a lot of great information, and you can probably use that, and the other three plans that you’ve written, but you only go to the hurricane plan when there’s a hurricane.”
Cailyn Gombka: “Got it.”
Vanessa Mathews: “So, I don’t do, excuse me, we don’t follow that same approach.”
Amanda Hosenfield: “A plan per incident.”
Vanessa Mathews: “Correct, so our approach is, again, if you plan for the people, risks, the operational risks, the infrastructure risk, so if you lose your water, your energy, your power, your access to getting to your facility, the infrastructure that you drive on everyday, or your technology, your risk or your crisis is gonna come out of those four different categories, so that’s the first thing. Number two, it also depends on your company, so I worked in aviation and manufacturing before I started my own company, and they were in a hurricane–”
Amanda Hosenfield: “Prone area?”
Vanessa Mathews: “Prone area, thank you.”
Amanda Hosenfield: “You’re welcome.”
Vanessa Mathews: “With tornadoes.”
Amanda Hosenfield: “Oh, okay.”
Vanessa Mathews: “They just keep coming back, right? So, the number one risk was, of course, an aircraft crash, so of course we had an aircraft crash plan, right? The other risk was a hurricane. What happens when there’s a hurricane that affects not only the 5,000 people, but the 60 airplanes that we have outside, how do we get them out and so they’re not damaged ’cause that’s property and our product, so it also depends on the type of company that you’re working with in terms of what plans you actually need, but the third thing that I think people don’t prepare for, which is why I don’t like having one plan for everything is, no one plans for the cyber breach that also affects the, or excuse me, no one plans for the cyber attack that happens on the financial services center, so we’re in Charlotte, so the RNC is coming to Charlotte in, what, six months now, right?”
Amanda Hosenfield: “Yeah, pretty close.”
Vanessa Mathews: “We’re number two, number three in financial services. The biggest risk is the cyber attack that happens on the financial services, like the Bank of America is headquartered here, okay. We also are within a 20 mile radius of two nuclear power plants, so what happens if a cyber breach and a nuclear reactor risk happens at the same time?”
Cailyn Gombka: “Ah.”
Vanessa Mathews: “No one plans for that.”
Cailyn Gombka: “No.”
Vanessa Mathews: “So, if you pick up the cyber plan, are you gonna have a full response? No, if you pick up the response plan for the nuclear reactor, is that gonna give you the full response? No, so that’s why I don’t plan for that, and I think many people, we can know what our risks are, but we don’t plan for them happening at the same time.”
Cailyn Gombka: “Yeah, never. Yeah, yeah, you know I think no one’s thinking that, like super worst-case scenario.”
Amanda Hosenfield: “It’s not just the bad, but like the extra bad.”
Cailyn Gombka: “What if it all happened at once?”
Vanessa Mathews: “Or, if it’s so, what’s your busiest time of the year at ComplianceLine?”
Cailyn Gombka: “We have a busy beginning of the year, I think.”
Vanessa Mathews: “All right, so what happens if, in February, there is a water leak in the call center?”
Cailyn Gombka: “Hmm, yeah, what does that look like? We have to displace everyone in the call center, where do they go?”
Vanessa Mathews: “And one founder is out of the country.”
Cailyn Gombka: “Oh yeah.”
Vanessa Mathews: “And can’t get here, and his brother’s sick.”
Cailyn Gombka: “Yeah, then what’s the plan?”
Vanessa Mathews: “Right, it’s two risks happening at one time.”
Cailyn Gombka: “I should know the answer.”
Amanda Hosenfield: “Yeah, I’m looking at you–”
Amanda Hosenfield: “What is the answer?!”
Cailyn Gombka: “I don’t know, I’m the policy person! Um”
Amanda Hosenfield: “I’m gonna go with corner crying, that’s how I’m… Gotta, um.”
Cailyn Gombka: “Call the plumber!”
Amanda Hosenfield: “I feel so unprepared for this situation!”
Vanessa Mathews: “Does that make sense?”
Amanda Hosenfield: “Yeah, it does, I think, yeah, so it’s not like you have all of these separate policies and you can pick one. It’s like you were saying, it’s not a pick up the book when this thing happens, it’s–”
Vanessa Mathews: “Because, you can waste your time planning for that thing that will never happen, and quite frankly, people wanna, as unfortunate as it is, active shooters happen every day, but the likelihood of them happening may be slim to your organization. Now, in this day and age, I would highly recommend any company, if you have an employee or if you don’t, if you work at a co-working station and you’re one employee, you need to have a plan on what you’re going to do in that 20-story building that’s full of glass. What are you going to do if you hear someone that’s actively shooting and you need to get out? Have you practiced that plan before? Do you know where the emergency exits are? If there’s only one way in and one way out and there’s nowhere to hide, are you prepared for that? So, I think every company has to be realistic about, yeah, you probably do need an active shooter plan, or training, you need a cyber security plan because, seriously, any company is susceptible to a cyber breach, and a cyber breach will take your operation and hold it hostage, and you can’t do anything.”
Amanda Hosenfield: “That’s not a water main break, that’s a you cannot conduct any type of business.”
Cailyn Gombka: “It’s a business crumble.”
Vanessa Mathews: “That means your clients can’t get to you at ComplianceLine, your employees can’t access the files that they need to support your customers, your vendors, your suppliers, you can’t pay people. You truly are out of oxygen holding onto your last breath in a cyber breach, and the worst thing that you should be doing in a crisis is planning. You should only be executing.”
Cailyn Gombka: “Mm-hmm, that’s a, uh, yes, you’re right. Just thinking back to, I’ve been with ComplianceLine for six or seven years now, so I’ve seen ComplianceLine come from kind of before our current state, very small to where we are now, and just in other businesses I’ve worked for, it’s like react to the crisis, not necessarily execute the plan that’s prepared for the crisis. Not saying that that’s what we do now, but I’ve been in experiences where that was the plan, it’s just react.”
Vanessa Mathews: “Yeah, and to your point about preparedness, so you have to have a team, you have to have the right players, that goes back to the diversity inclusion folks and the HR people, you have to have a team, you have to have the right seats with the right people doing the right things, right? They also need to be communicating, but the third piece is, is you will perform how you practice. So, every company should be practicing. I worked with large companies, I’ve worked with small companies. Take 30 minutes out of a bi-weekly staff meeting and throw out a scenario, and the person who knows all the answers, make that person be quiet, and say hey, you’re out sick, you can’t respond. I want everybody else in this room to tell me what you would do in this type of scenario, and that’s how you start to train people, that’s how you get the muscle memory, and what happens is, number one, it’s team building, but then number two, your team will start to learn how to trust one another because they can say, Amanda’s got it, I know she’s gonna do these first three steps, and if she doesn’t do it, she’s already identified who her backup is, and her backup is in the room and we’re training with them. Many companies don’t train, that’s the problem.”
Cailyn Gombka: “They’re scrambling for the book, flipping through the pages, right?”
Vanessa Mathews: “The first time you’re practicing.”
Amanda Hosenfield: “How do I interpret this?!”
Amanda Hosenfield: “I don’t, the manager didn’t write anything down about this!”
Vanessa Mathews: “Absolutely.”
Amanda Hosenfield: “Where’s the book? Amanda had locked the book in her drawer!”
Vanessa Mathews: “It’s in that water leak!”
Cailyn Gombka: “Oh my gosh!”
Cailyn Gombka: “I think that the practice piece is something that I wouldn’t really think about. It’s like, okay well, we have it, it’s there, here’s where it’s supposed to be if you need it, good luck.”
Vanessa Mathews: “So, I come from, again, a background in aviation. Pilots train over 1,500 hours a year, so I always say when a bird hits the engine and the engines fail, my pilot is not scrambling, my pilot knows exactly what to do. They pull up the book, they open to page 10, they’ve got literally 10 steps, they click, flip, pop, communicate, and they make a decision, period.”
Vanessa Mathews: “Cause it’s muscle memory, I trained, I practice 1,500 hours a year. Now granted, as a company, you don’t have the capacity to train 1,500 hours a year.”
Amanda Hosenfield: “I tried, they won’t let me. They won’t let me do 1,500 hours in training a year.”
Cailyn Gombka: “No, right?”
Amanda Hosenfield: “I have literally tried.”
Cailyn Gombka: “So, is this like, you’ve mentioned team a lot. Have the right players in the seat. So, is there like a crisis team, what does that look like?”
Vanessa Mathews: “Yeah, absolutely, so every company should have your crisis manager. That’s the person who is, who has the ability to make the decisions, and outside of, so if you’re a small business, outside of your CEO and your co-founder, who is the next person that really has the ability to make the D. I call it who has the ability to make the D? Then, you need somebody who’s responsible for public relations. Who is getting the message out on social media if there is a press release, if there’s an interview with the sheriff’s department, or if you need to communicate with the public information officers from hospitals or different groups, who’s their primary point-of-contact? I would recommend somebody on the team from an IT perspective because you never know what’s gonna happen there, or just a liaison. I would also recommend a safety and security lead, and someone from general counsel. That would be my core, and maybe add in HR because, again, people, right? That would be my core. If it gets to be something that exceeds that core team and I need my ad hoc resources, I would pull in whoever is responsible for the operation. If the operation is affected, if the call center’s affected, who’s the head of operations? That person needs to be in the rooms ’cause you can tell me, well, can we revert calls to Columbia or Arizona, or what systems do we need to support that workforce over there, or from a third party risk perspective, do we have any vendors and suppliers that can help us? You also need logistics. What do you need to support this crisis? Is it meals ready to eat, is it plane tickets, is it hotel rooms, what are your logistics? A finance perspective, how are you managing the cost of this crisis, will your insurance company pay for business interruption insurance, how are you tracking that? So, what are the measures that finances is helping the company to leverage and use so that when this is all said and done, I have my documentation and what I need. 
And so, you wanna make sure you have your core ad hoc team that, no matter what, these are the people that come in the room and who are their alternates, and then you also need that ad hoc planning team.”
Amanda Hosenfield: “I feel woefully unprepared to even step outside of this studio.”
Vanessa Mathews: “That’s why you have me.”
Amanda Hosenfield: “I don’t know. I don’t know what’s gonna happen the second that I step out there.”
Cailyn Gombka: “But earlier you mentioned, and I wanted to circle back to this, that what happens when the nuclear reactor crisis happens and we have this cyber security attack? What happens when two of these big things happen at once, and I’ve been thinking this whole time, like that’s so unrealistic because it’s normally one thing at a time, but thinking back on it, when crisis happens at work, normally it’s like everything happens at once, the sky falls.”
Vanessa Mathews: “Yeah, and I don’t typically like to use the large event that will never happen because, to your point about why don’t people prepare, it’s because to them it’s unlikely. Like, how many times have we witnessed a 9/11?”
Cailyn Gombka: “Right, one time, yeah.”
Vanessa Mathews: “Rare, right? But for me, it’s more about the workplace violence issue, so it may not be your employees, but who are they connected to that can come in to this facility, or come to your property, and cause damage or harm to the business? It could be a leak, it could be a window burst last night because a car ran through it and somebody was out here having a fight two nights ago and it affected your company, right? It could be that small thing that we’re not thinking about, and that’s why you need to see people, operations, infrastructure, and technology. Where are my risks, and then once you know that, every risk has a root cause, it has an event, and it has an impact, so if you can dissect what your risks are and get to the root of the issue from a training perspective, now you know where you need to spend your time. What am I really solving for?”
Amanda Hosenfield: “Gotcha, so we have that, it’s the similar situation when I taught school, where they were like, we have fire drills, we have earthquake drills, we have hurricane drills–”
Cailyn Gombka: “Lockdown.”
Amanda Hosenfield: “Lockdown drills now. I mean, we didn’t have ’em when I taught, but now they have lockdown drills, and I remember very clearly when we, this was before all of the school shootings that have happened in recent years, but we had a teacher whose ex-husband came on property, and a very angry ex-husband, and we didn’t have any lockdown drill, protocols at that point, so to that point, we would’ve thought, when would we ever need that?”
Cailyn Gombka: “Sure.”
Amanda Hosenfield: “And I get that a lot, just like annual required training, why do I have to take this sexual harassment training? This stuff will never happen here at our office, but we need to be prepared just in case it does.”
Cailyn Gombka: “Yeah, no one’s coming in with a flash drive plugging it into our computers, why do I need to learn about cybersecurity?”
Amanda Hosenfield: “Exactly. We could just talk about this stuff all day with you. That is true.”
Vanessa Mathews: “That would be fun.”
Amanda Hosenfield: “I would love for you to stay, just talk about how woefully unprepared I am.”
Cailyn Gombka: “Right, it’s live. We could walk through every facet, yeah.”
Amanda Hosenfield: “How can people get in touch with you if they’re interested in what your company has to offer?”
Vanessa Mathews: “Absolutely, so first I personally am on social media at Vanessa V Mathews with one T, we are very unique. Our company is on social media at Asfalis Advisors, A-S-F-A-L-I-S Advisors with an O, R-S, and our website is www.asfalisadvisors.com.”
Cailyn Gombka: “Great, thank you.”
Amanda Hosenfield: “Will you come back?”
Vanessa Mathews: “Uh, sure.”
Amanda Hosenfield: “Sure, anytime!”
Vanessa Mathews: “Anytime!”
Cailyn Gombka: “Anytime, Amanda!”
Cailyn Gombka: “We could make it a lunch meeting next time.”
Cailyn Gombka: “Yeah, we should do that.”
Cailyn Gombka: “We could go over all of our policies.”
Cailyn Gombka: “Yeah, we’ll bring our book.”
Vanessa Mathews: “We’ll do a lunch-and-learn.”
Cailyn Gombka: “Yeah, we need a lunch-and-learn.”
Amanda Hosenfield: “Actually, don’t threaten me with a lunch-and-learn. I will absolutely do a lunch-and-learn.”
Cailyn Gombka: “Mm-hmm, it’s been valuable for us.”
Amanda Hosenfield: “Yeah, I’m going through everything and, like now that I wanna go do, like it’s energizing. Do you look at the world through, I know we just kinda wrapped this up, but do you look at everything, like watch TV, and look at, drive down the road and think, whoop, there’s risk, there’s risk? Like in your personal life.”
Vanessa Mathews: “Yeah, so I do. Most people in my profession, we wake up reading and learning about everything that happened the day before and what’s coming up next, so one of my friends asked me, “Do you go to see a counselor? You just have like a lot of bad information that comes in every day, and you’re processing it,” but it’s a fair question, especially when we think about mental health, I think it’s very important. I actually did start working with a counselor last year just to talk through things because it’s a lot. You have the expectation from clients, and then being a business owner and wanting to make sure that you can meet the needs of your workforce, but then also, how do I personally handle all of that, and similar to you, married last year, so I have a personal life that I really enjoy. I have a company that I have to run, and then I have expectations, and people are depending on us to make the right decisions, and so I go to counseling, to answer your question.”
Amanda Hosenfield: “I mean, it’s risky not to take care of your mental health.”
Vanessa Mathews: “It is, that is a risk!”
Amanda Hosenfield: “You are welcome. This was a job interview.”
Cailyn Gombka: “Identify!”
Vanessa Mathews: “We are learning today, ladies.”
Amanda Hosenfield: “Well, thank you again for stopping by. We appreciate your time and, well with ComplianceLive, I’m Amanda Hosenfeld.”
Cailyn Gombka: “I’m Cailyn Gombka.”
Amanda Hosenfield: “And, stay compliant.”