Based out of California, Jason Mefford is a well-known speaker on all things ethics, corporate governance, risk management, GRC, compliance and internal audit related. He has authored two books, Risk-Based Internal Auditing and Masters of Success.  He was also a contributing author on the OCEG GRC Capability Model v3.0. Mr. Mefford sat down with Reciprocity to discuss his new training platform, cRisk Academy, as well as changing an organization’s approach to risk.

Reciprocity: What’s interesting about cRisk Academy is that you bring with you both auditor and trainer experience. What was the catalyst for cRisk? How does your background uniquely situate the academy?

Mefford: I spent many years as both an external and internal auditor, was a Chief Audit Executive at two large companies, was responsible for information security, risk management, ethics & compliance, and have now been a trainer for many years. I understand the information that I needed to do my job better as an auditor, what I needed for the employees who worked for me, and now the needs of students I have in my courses.

Most people have a desire to understand risk better. Since the business context now changes rapidly, as a result of new technologies, it’s more important now than ever for individuals to understand how forces, events, and changes in condition impact their organization’s ability to meet their objectives. Companies that have been at the top of their industries now no longer exist, and some companies that are now worth billions of dollars didn’t exist a few years ago.

Risk-based professionals need training to improve their professional competencies, but unfortunately many organizations have cut back on training budgets and often require professionals to “take vacation” in order to go to training. I also see a large demand for risk-based professionals outside the US wanting high-quality training. I spend most of my year traveling the world speaking and teaching, but I know I can’t reach everyone in person.

Also, as a trainer I personally wanted to provide a better option for authors. Many of the training companies and platforms do not pay authors enough to make a living, which I believe is very unfortunate. I realized there needed to be an option for students to get affordable training that they need, but also to fairly compensate expert authors. Since I couldn’t find one that existed, it seemed like the right thing to create one.


Reciprocity: What is your intended audience for cRisk? CISOs? CIOs? Auditors? Developers? Do you have any future plans to expand that audience?

Mefford: Our intended audience is anyone who considers themselves a risk-based professional and/or wants to “see” risk more clearly in their organization. That could be anyone in audit, risk management, governance, compliance, GRC, IT, etc… and even management. While many of our trainings are focused on helping practitioners do their jobs better, many of our courses are applicable to everyone in the organization, even the C-Suite.

We have an agreement with AuditNet®, an online digital network where auditors share resources, tools, and experiences, including audit work programs and other audit documentation. AuditNet® has been doing live webinars for many years and has a significant library of previously recorded webinars on internal audit topics. Our agreement allows us to publish the previously recorded AuditNet® webinars, and make the valuable learning available to auditors all over the world in an on-demand format. One of the problems with the webinar business has been that once the webinar is over, the great content presented by experts is no longer available. We are happy to be able to provide a platform so auditors can now gain access to these previously recorded webinars from AuditNet®.

Many of the courses on our platform now are from AuditNet®, so they are specifically focused on improving internal audit practitioners’ skills.

We do have plans to add many more courses on corporate governance, risk management, ethics, and many more topics that are relevant to any risk-based professional.

 

Reciprocity: Talk to me about your platform. Since we’re all computer folks around here, what’s the difference between your platform and other training sites? Is this like a Netflix for webinars? Or an Amazon rental for webinars? 

Mefford: This is a great question and a great analogy to other entertainment platforms. Since my partner and co-founder has a background in the entertainment industry, we built our platform to match what people are used to doing with entertainment. We offer webinars, webinar replays, and on-demand training through our platform. Let me explain how it works using the entertainment analogy.

I personally have subscriptions to Netflix, Hulu, Amazon Prime, HBO Now, cable, and use Apple’s iTunes TV service. Most of those are subscription based, except for Apple. I pay monthly for the ability to watch movies and TV shows through those platforms whether I use the services or not. I don’t really like that option, especially my monthly cable subscription. I pay for cable so I have the ability to watch live sporting events, that are not available on one of the other platforms, but I also pay for many channels and programs that I don’t ever watch.

With cRisk Academy we wanted to provide an option that put the student in control of their schedule, and only have them pay for the content they want, without being locked into a subscription. I tend to find that even though I have several subscriptions, I am often left going back to Apple to find an on-demand option, so I have the flexibility to see what I want on my schedule.

I personally really enjoy the show “Game of Thrones,” and we can use that show to help illustrate how our platform works. “Game of Thrones” is an HBO original content program. If I want to watch the show I have a few options. I can watch it each week when a new episode is released on HBO. I can watch it through the HBO Now application. I can purchase it through Apple.

Since I travel often, it is difficult for me to watch the show at the appointed time each week. Watching at the appointed time is like attending a live webinar. It’s a lower investment, but I have to be available to consume the content at the appointed time, and I only get to watch it once.

Another thing about watching live TV is the commercials. Someone has to pay for the content. When we choose to watch live TV as a viewer we “pay” by having to watch the commercials from companies who are sponsoring the cost of the program. Most “free” webinars fall into the same category and require you to essentially watch a commercial from the organization sponsoring the webinar so you can watch for “free.”

We wanted a different approach where the student pays a small fee for the webinar, but receives hundreds of dollars in value from the presenter. Not only do the students get great content, to improve their career and help them do their job, but they also receive practical tools and special offers the presenter would normally charge their clients hundreds of dollars to receive.

If HBO offers reruns of the show, I could see when “Game of Thrones” was playing and watch a rerun. I would still have to schedule my time to be available for the rerun, but since there are usually several reruns, I would have more options.

This is like our webinar replays, only our platform allows students to select from several different time slots in the future, both during and after business hours, based on their time zone. No longer does one have to attend a webinar in the middle of the night.

Lastly, there is the on-demand option. Since my schedule didn’t allow me to watch “Game of Thrones” live or as a rerun, I had the ability to purchase the entire season through Apple and watch it when and where I chose. Even though I have an HBO Now subscription, I am often blocked from using it when I am traveling internationally and can’t watch it on the airplane. For these reasons, I chose an on-demand option by purchasing the entire season through Apple. I paid more for the convenience, but then I could watch it when it was convenient for me. Another benefit: I can now watch the series as many times as I desire.

This is like our on-demand option. Once a student registers for the course, they can watch it when and where they like, as long as they have an internet connection. They can also watch and rewatch the training as many times as they want. All of the training remains in the student’s account forever.

Just like Apple, where I have the ability to purchase individual episodes or the entire season, we also offer the ability to register for individual 1-2 hour sessions, or get the entire “season,” what we call bundles. You save when you purchase a bundle, just like you save when you get the whole season.

By offering training as webinars, webinar replays, and on-demand we are trying to provide students with flexible options to meet their schedule.


Reciprocity:  From the perspective of a client, I love that these are individually priced. My state recently instituted a CLE requirement that makes it cost ineffective for me to retain ongoing licensing. Explain to me what the options are for individuals in my situation.

Mefford: Your experience reminds me of an experience from my own life. I had just moved to California and had just gone through the reciprocity process to get my California CPA license. I was already a licensed CPA in Idaho, but now that I had a license in two states I was hopeful my employer would support me in paying for my CPE training and licensing in both states.

When I approached my boss he said, “I know you spent a lot of time and effort getting your CPA. Most people who get it would hate to let it go.”

He was thinking exactly what I was thinking. I would hate to let any of my certificates or licenses lapse because of the time and effort I put into getting them. It’s unfortunate some companies are not supporting their employees now in their professional development. The employees really want to maintain them and shouldn’t let all that hard work go down the drain because of lacking CPE.

Luckily for me, he was very supportive, and my company at that time helped pay for my licenses and CPE training. Now that I am on my own, I pay thousands of dollars a year to maintain all of the certification, licensing, and CPE on my own. I do that because I worked so hard to obtain those certifications and licenses in the first place that I don’t want to let them lapse.

As I mentioned before, many people who work for large organizations are asked to pay for it themselves. One reason for creating cRisk Academy is to help people have access to CPE at a much lower cost, on their time schedule.

We have also taken an approach to make our trainings available in smaller sizes (1 or 2 hours) and bundled into larger courses of multiple hours or days. This was a way to help students customize their learning experience so they only get what they need, and what they can afford, when they want it.

I remember a story from business school one of my professors told us about toothpaste. Toothpaste is something we use each day and don’t really think about. We buy large tubes and use it for weeks or months at a time. The story he told us was about how some consumer products companies that make toothpaste actually create special “one-time-use” packaging for certain parts of the world. It seemed odd to me at first until he explained they needed to do that because some people in the world can only afford to pay for a single serving of toothpaste. To them, brushing their teeth was a luxury they couldn’t afford every day.

That story has stuck with me, and I guess one reason we do this is to help people that only need a “single” serving of training, instead of a full three-day course. It also is helpful for individuals who get to the end of their CPE year and see they are a few hours short. Now with cRisk Academy, they can purchase just the hours they need to maintain their CPE.

 

Reciprocity:  When looking at CLE requirements, many people think that having an “accredited” program is necessary. Is this true? How do you feel cRisk Academy can change that mindset?

Mefford: I’m going to let you in on a little secret that will probably make the accrediting companies mad.

One of the biggest accrediting companies in the US is the National Association of State Boards of Accountancy (NASBA). NASBA was created to help ensure Certified Public Accountants (CPAs) training is high quality and has reciprocity agreements with all of the state boards of accountancy. The idea is that if a training is NASBA accredited, it would be accepted by any state board of accountancy in the US for CPE purposes. For this reason, many people look specifically for NASBA accredited courses.

The reality is, only a handful of state boards of accountancy in the US require CPE to be NASBA accredited. I am personally a CPA in two different states and neither requires my CPE to be NASBA accredited. Each state does have their own CPE requirements, but those vary from state to state and are usually based on topic areas instead of accreditation.

Internationally NASBA accreditation is not relevant unless the student is a US CPA; and, as I already said, their state may not even require NASBA accreditation.

I have many different certifications and two CPA licenses. Only one of my certifications is particular about having accredited training, which means I am free to choose the training I need for the others, within the parameters of my certifications and licenses, to have most of my training qualify for my annual CPE requirements.

We decided not to go through the NASBA accreditation process, as it is very cumbersome and costly, especially in an online training format. We decided that since most people using our training platform wouldn’t require NASBA accreditation, there was no reason to add extra cost to our trainings when it wasn’t needed.

Our platform is perfect for someone in your situation who can’t afford the time away from work, or the large investment required to obtain in-person accredited training to maintain their certificates and licenses. It also allows you to customize your learning experience to get exactly what you need to do your job and meet your individual CPE needs.

One last comment on this area. It is important for people to focus on why we need to obtain CPE, not just obtaining CPE. Certifications and licenses mandate a certain number of CPE hours each year to help ensure professionals are staying relevant with changes and are competent to do their jobs. One’s focus should be obtaining the training they need to improve their career and do their job, not just getting CPE “hours.”

I think that is also one of the benefits of our training platform. Students can get the training they need to improve their career, and use the training for their CPE requirements. We offer CPE certificates for all of our courses once the course is completed, so students can track their training hours and use it in their CPE reporting each year.

 

Reciprocity:  Your book really tries to get auditors to think differently, more holistically, about the way the audit process fits into the greater scope of business. Can you explain to me some of the ways in which you approach audit differently from others? Why do you feel this approach is better for an organization?

Mefford: The name of my book you are referring to is Risk-Based Internal Auditing. I used that title because lots of auditors realize they need to use a “risk-based” approach to auditing, but there are some misconceptions about what it really means to be risk-based in your audit approach.

What I advocate is “focusing on objectives, not internal controls.” I like to joke that an auditor never sees an internal control he/she didn’t want to audit. This causes many auditors to believe they need to test all of the controls in their organizations.

The real trick is to only audit key controls that relate to response activities their organizations are using to help meet key objectives. Auditors tend to focus first on controls instead of taking a couple of steps back and considering the organization’s objectives. As a result, they audit the details instead of looking at the bigger picture where they can provide more value to their organizations.

There are really three things that affect whether an organization achieves its objectives, which go back to the concept of Principled Performance®. Organizations are trying to reliably achieve objectives (performance) while addressing uncertainty (risk/reward) and acting with integrity (mandatory and voluntary compliance). Auditors should be focusing on the forces, events and changes in condition that impact their organization’s ability to achieve objectives in those three areas. My book helps to explain how auditors can focus on the “significant” items.

The concept of Principled Performance®, created by OCEG, the organization that invented GRC, is really what my book is about: how auditors can help provide assurance to their board and management that the organization is on track to meet its objectives. This approach is better, since it focuses the auditor’s efforts on what matters most to the organization, not just what the auditor wants to audit, or thinks is important to audit.

This is a common theme I teach people in all of my trainings, including those on the cRisk Academy training platform.

 

Reciprocity:  One of the things we talk about constantly in infosec is building a culture of compliance and awareness. From what you’re telling me about your approach to audit and cRisk, it feels as though this is very much on your mind. How would you envision cRisk adding to culture shift within organizations?

Mefford: For organizations to succeed in the future they must be more risk aware. They must practice the concept of Principled Performance®. The risk-based professionals we are trying to reach through cRisk Academy need to clearly understand forces, events, and changes in conditions. They need to learn a language they can use to help others in their organization understand these concepts.

Culture in an organization is based on values and beliefs that lead to individual behaviors. The way to change culture is changing belief. Belief changes through education and experience.

If an organization wants to build a culture of compliance and awareness, their employees need to be educated (that’s where cRisk Academy comes in) and have experiences that support that culture.

Cultural change is a long-term process that requires repetition, another way cRisk Academy helps. Our on-demand trainings are available to the student as long as they maintain their account. They can go back and watch the video lectures again and again, until they really understand the concepts and can apply them in their job.