SOC 2 School

Governance

Nov 5, 2020 2:30:00 PM / by Alex

We know many people get heartburn at the mention of governance. That is why this week we are breaking it down into bite-sized pieces! This way you can nail down an approach to governance and demonstrate it clearly to an auditor, investor, or any other entity that requires it.



Full Transcript

SPEAKERS

Vikas Bhatia - Founder & CEO, JustProtect
Bryan Urias - Security Analyst, JustProtect

Bryan Urias

Hey, guys, welcome to our SOC 2 School Episode Four. I'm glad to receive you guys again. This week, I'm joined by Vikas Bhatia again. Hi, Vikas. How are you doing?


Vikas Bhatia

Good! Bryan, how are you doing?


Bryan Urias

Great, great. So this week, we want to talk about governance. How does governance affect startups? How does a startup establish governance and a chain of command?


Vikas Bhatia

So governance is quite an overwhelming term in itself, right? Like the first thing you think of is rules and authorities, and it's really overpowering. So let's break it down and make it really simple. When you set up a company, you do so against certain rules and regulations that exist. So most startups will incorporate as a Delaware C corp. So Delaware C has some requirements: you've got to have a chairman of the board, you've got a board structure, you've got a company secretary, you've also got to do annual filings. So at the, you know, at the government level, if you will, that is your governance; when we file tax returns, that is governance. So essentially, we are performing governance functions anyway. But a company, like if someone is going through this SOC 2, really needs to think about what's the internal governance. So I always like to think of it like, yeah, who am I accountable to? So as the CEO, if you're a very small startup, then there might just be, you know, yourself and your co-founder. Well, one is the chairman, and one is the company secretary, even though you play the role of CEO, CTO, etc. Or if you have investors, then you've got like a board or an advisory group. And essentially, you need to be accountable to someone. Ultimately, we are accountable to the rules and regulations that the government sets out at the federal or state level, or at the industry level. But internal governance is just a reporting line. It's just thinking about accountability. So how do you maintain the operations in accordance with rules, regulations, best practices, and report that and create an audit trail around it?


Bryan Urias

This is excellent, Vikas. I'm really glad that you're sharing this with all the people watching. So at the same time, we want to know something a startup struggles with: how exactly do you show governance to the auditor? How do you show governance to prospective investors? How do you convince them that you are actually employing all of these things?


Vikas Bhatia

That's a great question. So essentially, there's an easy way to do this. And it's regular meetings, and just regular documentation. We all hate documentation. But let's say, for example, you have an extremely small, you know, two- or five-person company. Well, at least on a weekly basis, your management team should be meeting and having regular touchpoints. So what we've done in the past, and what we see other people do, is just have a page on a Google share, or OneDrive, or Confluence, and just: management meeting, date of the meeting, things that were discussed, you know, decisions that were made. For organizations, particularly for startups, that have investors or a board, you may want to present the status of the company to the investors or the board on a quarterly basis. So you basically present, you know, you've had those meetings in your calendar, and you put together a deck, and you say, now, here's the status of the company, here's the status of finances, here's the status of sales. So by having these kinds of meeting minutes... and you know, if you click the comments below and you tell us which templates you want, we'll happily provide access to the templates, so make sure you like and subscribe and do all that thing, press the bell notification, maybe isn't that so? But it's really about having a regular cadence. It's really about having documentation. And it doesn't need to be formal. You know, in the olden days, we think of a company secretary, someone that's literally scribing every single thing that happens. It could be a working document that says on this date, we met; we meet weekly; there's a weekly cadence; for investors or advisors, we meet every quarter; here are the updates; this is their feedback. Just keep your communication as an audit trail, whether it's an email, whether it's follow-on activities.

But it's quite easy to do, especially if you're a startup that has a project management tool like JIRA or, you know, Asana or Trello. Because you can say, okay, every week, every quarter, every month, whatever, we need to meet these people, but the documentation is in place now, and when the auditor asks for it you can demonstrate it.


Bryan Urias

Exactly. So this is exactly what we want to get out of this conversation. And while there are some smaller teams watching this, we want to know, if you can even have governance in place with a small team, how are startups able to set this forth and work with it?


Vikas Bhatia

Yeah, so even if you're a two-man team, you still need to have some level of governance. Like, you know that, for example, Delaware requires you to have board meetings; it requires you to document and manage shareholder issuance, or any advisor agreements that have gone out, any contracts that have gone out. So you need to be doing that at the company level anyway. When it comes to smaller teams, just having literally a folder somewhere that has a document that says all business decisions, and if you have the date, who was present... so you can have a table: you say, this is the date, this is who was present, this is the discussion item, and this is what happened as a result of that. Those logs, if you will, actually turn into very useful information, particularly as you go to raise money, if you merge with another company, or are looking to exit. If you are looking to work with a larger company, they're looking for that structure, because otherwise you will come across like you don't have any structure. You don't have any, you know, formalities where you need them within your company. I completely understand that startups are really agile; there's lots of stuff going on, and you're always trying to develop code and sell, etc. But as you mature as an organization, and particularly as you go for certifications like the SOC, or ISO, HITRUST, you need to have that governance in place, because there needs to be boundaries on what people can do or are doing.


Bryan Urias

Right. And so this is what we wanted to touch on. You kind of mentioned it a little bit. But what are advisors and investors looking for? And when you show them that you have governance, how does that motivate them to invest in your company, to join your company and help you through your journey?


Vikas Bhatia

So whether it's an investor or an advisor, they're committing their resources. You know, someone who's got 25-30 years' experience, time is valuable to them. Time is money. So whether they're investing time or they're investing money, they want to do it with as little risk as possible, or at least a risk level that meets their risk appetite. So, for example, if someone asked me to invest in their company, whether it's as an advisor, so time, or as an investor, so money, I want to know that the people at the helm, right, the team at the helm, are really paying attention to the legalities and the formalities of the business, because I don't want to put my time or my effort, or my cash into a business that's disorganized, that doesn't meet its regulatory obligations. That could be a legal risk, a compliance risk, a financial risk. So all of these things could impact, you know, acquiring or working with advisors or investors. Just to kind of, you know, double-click on that for a second: for anyone that's done a pitch competition, for anyone that's done, you know, some sort of presentation of their company, the reason why there is a quite rigid structure on, you know, what's the problem, what's the market, who's the team, what's the go-to-market, all of these various stages that you go through on a pitch deck, is that you're presenting to a potential investor or an advisor that you know what you're doing. The governance is really the devil's in the detail, right? The governance is the formalities behind it; do you actually have all of that in place? And the more mature your organization gets, the more money you've raised, the bigger the companies, you know, the customers that you work with, the more you need to demonstrate your governance posture.


Bryan Urias

Thanks, and I hope that has helped everybody listening to this or watching it or reading it in the transcript.


Vikas Bhatia

If not, put it in the comments!


Bryan Urias

Please, let us know. But thank you guys for watching, and thank you for your time, and we'll see you guys again next week.

Vikas Bhatia

Thanks, Bryan!

Tags: compliance, cybersecurity, Strategy, assessments, SOC2, Risk Assessor, Startups, Leverage
