This Chicago startup is disrupting the risk & compliance industry with untapped potential

• Some analysts estimate the software spend on risk and compliance was around $35 billion in 2019.

• Most software designed to help with GRC takes a long time to integrate and comes with parameters that limit what you can use it with and for.

• LogicGate software allows businesses to pick and choose apps and features that can accommodate specific GRC program requirements — no technical skills required.

The phrase ‘governance, risk and compliance’ (GRC) can magically cause anyone reading a report to stop paying attention.

GRC is one aspect of a business most people would prefer not to deal with. It’s complicated if you don’t have the expertise, and most GRC software takes over a year to integrate and comes with limitations.

In spite of its stupor-inducing effect, GRC is booming. Data breaches and the increasing popularity of cloud services have convinced companies to put time and money into getting their GRC ducks in a row.

Matt Kunkel, co-founder and CEO of LogicGate, understands GRC has a dreary reputation —  and he’s happy to be part of the team working to make it easy.

He and his co-founders designed a platform enabling companies to put together their own GRC program using drag and drop.

Matt Kunkel, CEO, LogicGate (Sam Fiske/Technori)

“You’ve got to make the tech flexible enough to meet any organization where it’s at in its risk and compliance maturity level,” Matt explains. “But it has to be easy enough to use that a lay business person can build out enterprise-grade risk and compliance solutions.”

Matt joined the podcast to talk about how to build GRC software that makes business owners’ lives easier, why cloud technology has got people worrying about GRC and the part he played in taking down one of finance’s greatest villains.

Interview Highlights — Matt Kunkel from LogicGate

Fighting crime with code

I grew up in Ann Arbor, Michigan — go Blue! I went to Indiana for undergrad: I was a finance economics major. I came to Chicago after school and started my career in the management consulting space as a business analyst at a firm called FTI.

Back then, you needed to know how to code to work on the big, fun investigations so I decided to teach myself. By the luck of the draw, one of the big ones that came up was the Bernie Madoff investigation. I helped code the solution that did all the fictitious profit analysis. 

I then moved to another consulting firm called Navigant Consulting. I built out its custom application development group and fell into risk and compliance. I ended up building JP Morgan Chase’s regulatory change management platform for its mortgage bank. That turned into its policy management platform and then into its controls management platform. I got a really deep domain expertise in that space.

Software that makes the least technical employee look like a GRC genius

Myself and my two other co-founders worked in the management consulting space for 10 to 15 years before we started LogicGate. We found that there was a huge gap in the marketplace.

This has traditionally been a really services-driven industry. There were some big legacy tech products that were trying to help folks understand risk and compliance better and put in programs to operationalize that. But the problem was these platforms were so rigid that there was a 12 to 18-month implementation process.

The problem with building custom tech was that the businesses changed and pivoted so fast. The risk and compliance departments who monitor businesses and provide transparency to the regulatory community and to the board of directors had to move with them. And then the tech that we were building had to move with it. When I left the consulting firm, we were making the lion’s share of our top line revenue on change orders to existing technologies.

We asked, how do we give business users in the risk and compliance groups the keys to the kingdom? You’ve got to make the tech flexible enough to meet any organization where it’s at in its risk and compliance maturity level. But it has to be easy enough to use that a lay business person whose technical acumen extends to an Excel pivot table can build out robust enterprise-grade risk and compliance solutions.

Why the cloud is “raining” customers who need GRC software

The growth rate of this industry is crazy, especially within the last five years. It’s because of a couple of things. One is privacy concerns over General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and all that’s happening with Facebook and the data privacy issues there.

Two is the emergence of the cloud. Now I can’t just put things behind my own firewall. The cloud allowed vendors like us to create businesses very fast to easily help other organizations. More organizations are outsourcing their activities to these vendors as opposed to doing it all internally. So now it’s not just you as a company that has to have great controls and great programs in place internally. The second you give your data to a vendor, it has to have those too.

The Target data breach — one of the largest data breaches in the history of the world —  didn’t happen because of Target. Target had amazing security controls. It happened because it had an HVAC vendor that didn’t have the appropriate controls in place.

Taking care of your GRC means you get to take fun risks

This is a huge industry. If you believe the analysts, the software spend on risk and compliance last year was $35 billion. It’s the biggest, sleepiest, unsexiest industry that no one knows about.

The whole ROI around this space is all bottom line-driven. We’re going to make things more effective and efficient so we can do things with less headcount. We’re going to protect you against data breaches. We’re going to protect you against all of these new regulations like the CCPA and GDPR that are coming up. It’s all about asset protection. What they don’t talk about in this industry — and what we’re bringing — is revenue generation.

We can use all of the risk data points in an organization, map them to the core business units, run an algorithm to quantify that and then prioritize it. It’s not just a conversation with the chief compliance officer. We can have conversations with CEOs and CFOs and say, your operation’s business unit is carrying $2 billion worth of risk. However, if you mitigate the top five percent of those risk data points that $2 billion goes down to $100 million. 

In theory the organization can then take on more strategic risk in that business unit and drive better top line outcomes.

Find this business interesting? Check out other interviews with similar companies:

• Scott Kannry and Brendan Fitzpatrick of Axis
• Darren Guccione of Keeper Security