Jordan Famularo is a strategist and researcher with a broad range of analytical and convening experience in the areas of sustainability, investing, AI ethics, corporate responsibility, human rights, data governance, cybersecurity, digital inclusion, and other topics in responsible tech and serves as a consultant for corporate reporters and investors.


Transcript

Maureen Farmer

My name is Maureen Farmer, host of the Get Hired Up podcast, where we speak with global business leaders on topics relating to leadership optimization and career strategy in a really informal conversational style. Today's podcast will be of specific interest to audit committees, investors, companies, especially, but anyone in business today will want to hear about this topic and our guest's important work in the topic of voluntary reporting on data governance, cybersecurity, and AI.

About Jordan. Jordan Famularo is a strategist and researcher with a broad range of analytical and convening experience in the areas of sustainability, investing, AI ethics, corporate responsibility, human rights, data governance, cybersecurity, digital inclusion and other topics in responsible tech, and serves as a consultant for corporate reporters and investors. Jordan is obsessed with discovery, particularly new solutions and questions that arise from putting together experts and ideas in cross-disciplinary ways. Jordan has an international mindset with field work experience in Europe and Turkey, and interview experience with participants from North America, Europe, and Asia Pacific.

Energized by endeavors in corporate responsibility, technology governance, impact investing, ESG investing, sustainable finance, philanthropy, and responsible technology. She also enjoys hearing new perspectives and meeting new people.

She's intrigued to speak about golf, nature walks, travel, and the highs and lows of amateur gardening. Jordan is currently a program manager sustainability with SEMI, the industry association representing the global electronics manufacturing and design supply chain. And today she's speaking in a personal capacity. I'm also very pleased to call Jordan my friend and colleague. It seems like just yesterday that we were having lunch together in New York this past June.

Welcome to the Get Hired Up podcast, Jordan.

Jordan Famularo

Thank you, Maureen. I'm really honored to be here and really appreciate the invitation to talk with you today.

Maureen Farmer

Awesome. The honor is all mine, and again, welcome. So I'd like to give a little bit of context to this important topic. I'm going to start with a few questions that we're going to focus on today, but I'm also going to ask you a little bit about your background and what's interested you in this topic. And I wanna start with this sort of intro. So corporate boards and CEOs must be aware of and actively comply with privacy and other related regulations, ensuring that technologies are among the key factors leveraged to assure compliance and preserve value for the corporation. So with that in mind, what's the role of data governance with respect to privacy? Where and how do they intersect? Why is data governance policy important? And how does it impact how companies use their data assets? And what tools can companies use to self-regulate their data governance practices to ensure compliance as it relates to AI, data, and analytics? And I want to start there. We'll come back to the questions. I don't expect you to remember them, but just as a sort of preface to the conversation and where I would love to start, Jordan, is to tell us a little bit about your background and why you're so interested in this topic.

Jordan Famularo

Sure, thank you. Be happy to do so. My background, I think the best term to describe it is interdisciplinary. I was one of those students in college who had real difficulty declaring a major. I think I didn't know it at the time, but I think in retrospect, I wanted to be weaving together different subjects all at once. And so I took as long as I possibly could to declare the major. I think by the end of your sophomore year, you're supposed to be decided at least at the school where I went. I went on to graduate school, you know, I couldn't really rest until I found a fresh way to tackle a problem. You know, I decided in college that I wanted to be well-rounded. I took a number of courses in STEM and really enjoyed those, but I was also super drawn to the humanities. And so I felt like I studied all of those things at once, I suppose, and got what I could from those and really enjoyed being an interdisciplinary scholar, I think, even though I was quite young at the time. And I did the same thing in graduate school. I entered a humanities program at New York University, and that was just a wonderful place to be. I was surrounded by brilliant people who were showing each other how to use approaches from more than one discipline to understand a subject in a new light. They were challenging each other in constructive ways. And I chose to do a PhD in the history of art. And I get a lot of questions about that. And I'd be happy to talk a bit about that later. Yeah, because it's a fascinating intersection as it relates to technology. And that's why I'm so excited about this particular topic today, because it has so much applicability across society. Yeah, as I understood it, you know, in that program, I was doing history of art, but at the same time, it was actually history of technology, anthropology, cultural studies, history of science, all of these things at the same time.

What I was trying to do was understand how humans relate to the things they make. You know, how do we make sense of the power that technology has over us? How do we make sense of the power that we have over technology? And I think that contributed to my path after graduate school. The COVID-19 pandemic began in the final months of my PhD program. And it was a difficult time, certainly around the world. And I was asking myself if I had learned anything or done anything that could equip me to tackle some sliver of the complexity and uncertainty that were enveloping us in that year. I was living in Silicon Valley at the time. And so I was right in the middle of this emerging paradigm shift where artificial intelligence and machine learning are one of the next mega trends with so much promise. But at the same time, I think so much peril and so much uncertainty around how they were going to affect society in our future. So I thought I can work on that. It was really the risk and the imagined power of these systems that got to me. And I thought that as someone trained in history of art and history of technology, that maybe I could bring some fresh perspective. And maybe I could draw on that deep interest I had in interdisciplinary work to team up with extraordinary people with different backgrounds and different kinds of expertise to you know, to produce new approaches to how we think about governing technology in ways that'll benefit society in the long run.


Maureen Farmer

And I think too, for the listener here today, we have an exciting asset for you. It's a template that Jordan has worked on as part of her work, and it relates to voluntary reporting on data governance, cybersecurity and AI. And so we'll make sure that there is a link to that gift in the show notes. I'd like to read a quote here that just came from the World Economic Forum's recent report on advancing data equity. So recommendations for key stakeholders to implement data equity for private sector companies, adapt to the evolving landscape of creativity and IP, adopt transparent ethics, approval processes, adopt transparent release processes and strategies, disclose non-human interaction, embed model and system traceability and accountability, employ diverse red teams, and that's not a topic I heard before. So employ diverse red teams and enable user feedback and audit of people's data. Implement ethical impact assessments, rigorous benchmarking against equitable data sets, implement transparent and inclusive auditing mechanisms. So with that, could I come back and ask the question around the role of data governance with respect to privacy and where do they intersect?

Jordan Famularo

Sure, I think the sharpest point where they intersect is compliance and legal risk. So as your listeners will know, we now have data privacy laws at national and sub-national levels, and then also in the case of something like the EU, a supranational level. And all of these laws are imposing higher and higher obligations around safeguarding personal information. And this kind of privacy-related legal risk is really just piling on top of data risks from other emerging regulation on AI systems, from cybersecurity laws, and these typically govern how companies prepare for cyber incidents and then also respond to them and disclose these incidents. So I think that compliance and legal risk is really where data governance and privacy intersect in the sharpest way, as I said. And I think if we wanted to speak a bit about considerations for boards, you know, I think this is the place where boards should be engaging with management to understand how the company approaches and assesses and monitors these risks. They may be regulatory risks or legal risks, as I said. There's also reputational risks to be thinking about related to data collection, related to data use, data storage, and we could go on. I think that there are a lot of other things that boards are hopefully doing already and equipping themselves to be able to do in an effective way going forward.

Maureen Farmer

So what's the risk? I guess it's an obvious question, but let's just talk a little bit about the obvious risk and any use cases that we can point to that may have grabbed an organization by surprise or by implication in terms of impacting the brand. 

Jordan Famularo 

Sure! On the one hand, regulators are finding sharper and sharper tools to enforce privacy regulations. And some of these go well beyond just fines. They can really impose almost existential crises for companies. So one example of this that's noteworthy is the Federal Trade Commission in the US has been sharpening its enforcement tool that it calls algorithmic disgorgement. And what this means is requiring companies through an FTC consent order to delete their AI models and delete their algorithms if they were developed using data that the FTC has determined was improperly obtained. So what this means is if the company collected or otherwise acquired data in a way that the FTC finds improper, that the whole system that this data actually serves to build must be given up by the company. And this can be a huge blow to a company's core product, and that would be sort of beyond financial penalties. Does that make sense?

Maureen Farmer

Yeah, so I'm thinking of intellectual property as it relates to product development and all of those other things that maybe an organization was building and not realizing that the data that they were using was, you know, acquired inappropriately or stored inappropriately. Yeah, that makes complete sense, Jordan. And what can organizations do to prevent that type of an imposition of a fine or worse, the deletion of an algorithm that may have taken a team months or even years to create?

Jordan Famularo

Well, they've got to focus on sharpening their data governance and really making this an organization-wide framework for managing and organizing data, for collecting data, for monitoring it, for knowing how to dispose of it properly and when to dispose of it, how to secure it, all of these things. Data governance involves understanding the risks, managing and mitigating those risks, establishing some appropriate risk appetite and direction for management. These are things that I think boards are very fluent in, but applying them to data privacy and cybersecurity may be new for some board members depending on their experience. It's also going to involve implementing appropriate communication channels for internal reporting and then also external reporting on these issues. And I think that there are frameworks out there that boards and management can use for this and so some examples of these are NIST, and that stands for the National Institute of Standards and Technology, which is a US organization. They have a privacy framework, a cybersecurity framework, and then also an AI risk management framework. Those are helpful resources and things that I think are very commonly relied on by companies for guidance on these things. 

Maureen Farmer

Can we talk a little bit about your project with Berkeley as well?

Jordan Famularo

Sure!

Maureen Farmer

Yeah, because I've seen the tool, I've used the tool, the prompts, your report and the actual, the white paper and the actual tool itself. I mean, from a practical point of view, and I want all podcast episodes to be really practical. So maybe we could talk a little bit about your work. I know you interviewed a lot of people around the world on these different topics. And you developed a really robust voluntary reporting mechanism for organizations. So maybe we could talk a little bit, first of all, why would any organization want to voluntarily report? And secondly, talk a little bit about the tool and the process that developed through your methodology.

Jordan Famularo

Yeah, so I'd be delighted to talk a bit about some research I led while I was a postdoctoral scholar at the University of California, Berkeley. I had this amazing opportunity because I was posted at the Center for Long-Term Cybersecurity, which is all about bringing together diverse theories and experts from different disciplines and practitioners from different fields as well. And it was here I was able to co-design some research with practitioners on the ground that have stakes or work directly in communication from companies to investors on digital responsibility issues like AI, data governance, and cybersecurity. I was able to design some research that culminated in a consensus building study with an interdisciplinary panel of experts. And I can tell you a little bit about the composition of that panel. 

Maureen Farmer

I would love that. How did and how did you find them? I know the research was very comprehensive, the interviews that you did, and I would love to know a little bit about how you went about that and what the outcomes were.

Jordan Famularo

Sure. Well, like any research, it started with the landscape analysis of what organizations have already provided guidance or voice or research on disclosure by corporations on digital responsibility issues. So these can fit into different buckets. They may be institutional investors who publish strategy documents or reports of their stewardship activities. Another bucket would be multi-stakeholder organizations such as the United Nations Principles for Responsible Investment, which many of your listeners will know as the UN PRI. Another might be the World Economic Forum. There are also non-profits like the World Benchmarking Alliance, and Equal AI. And then also really importantly, there are independent standard setting bodies that are working to establish sustainability related reporting standards globally. They may have started out providing standards on more familiar sustainability issues like greenhouse gas emissions, but in recent years, they've started to publish and even revise standards they've already published on digital responsibility topics. So two important ones here are the Global Reporting Initiative, and then the Sustainability Accounting Standards Board, which many know as SASB, which has in recent years been consolidated into the IFRS Foundation, International Financial Reporting Standards Foundation. This latter organization, for a long time, as many of your listeners will know, has set standards for financial reporting, but now has an extremely influential initiative to establish sustainability-related financial reporting standards. So, my first step was just to understand that landscape of organizations.

And so, then I started looking for practitioners who were either on the inside of these organizations or have some stakes in the game with respect to working with these organizations to come to consensus on which of these standards make sense for which companies and in which places, which is an extremely complicated topic. But the kinds of people that work in this space may be attorneys or risk consultants who can bring experience advising companies on reporting financial risk to this new area where sustainability risk is also something that needs to be carefully disclosed and a full strategy around this. Others may be practitioners who work for some of these nonprofit or advocacy organizations, they often have a focus on digital rights. So thinking about digital technology in a human rights context is something that they are quite expert in. And I believe you just delivered a presentation to an organization on this topic, too. Yes, I did. So I presented this work to a technology and human rights working group for an investor advocacy organization. And this was a great venue to present the work and get feedback because we had human rights practitioners and experts in the same room as institutional investors who get together regularly to think about how they can engage companies on these issues in an effective way. So that was really fantastic because I think there's awareness that companies are receiving a lot of demands from different directions on how they manage and govern digital technology and an effective way for advocacy organizations and investors to communicate their needs is to sort of work in a way that strategically bridges their interests and kind of concentrates their asks from companies in a way that's collaborative and not separate because it kind of focuses companies' attention.

Yeah, so on a practical level, the research I led built a template that offers some reporting guideposts for companies and investors and also observers of corporate disclosure like advocacy organizations. Anyone who has stakes in corporate communication on digital responsibility topics. And so there were two aims. The first goal was to offer a user-friendly template that's also systematic and also empirically tested that guides voluntary disclosure by companies on three digital responsibility topics. Those are data governance, cybersecurity, and AI. At the same time, this template would inform investor expectation for what companies should be reporting on these issues.

Maureen Farmer

So this tool, once it's completed, with the prompts are here and they have the disclosure, is that funneled through from internal audit into an audit committee or obviously used to inform corporate communications publicly facing and internally, is that right?

Jordan Famularo

Yes. So the template itself looks very much like the guidance published by global standard setting organizations for sustainability reporting. So what this looks like, very simply is an Excel template that lays out the topics, lays out what to disclose and what kinds of units of measurement to use if it's a quantitative disclosure. It also provides a reference to the source from which that disclosure comes and that may be an existing standard set or guideline but it may also be guidance provided by the investor community or by multi-stakeholder organizations like the UN PRI or guidance from a non-profit such as the World Benchmarking Alliance so that folks who are using this template know where this guidance comes from. And then finally, there are contextual sections that give the user a sense for why this disclosure is important to the company's stakeholders. What relationship does it have to historical events or current controversies on digital responsibility topics, or intersections between privacy law and business use of personal data, for example.

Maureen Farmer

Awesome. Jordan, what do you think is going to be important for organizations over the next little while to attend to as their evolving reporting commences as you know, new regulations are coming about? 

Jordan Famularo

Sure. Well, I think about 50,000 companies around the world are paying extreme attention to developments in the EU around the Corporate Sustainability Reporting Directive, also known as CSRD for short, which is bringing a paradigm shift in expectations for corporate disclosure on a range of environmental, social, and governance issues. And wrapped into this are digital responsibility issues such as cybersecurity, data governance, and to some extent AI. And the preparation that companies are needing to do to comply with the CSRD in the timeline that's laid out is really extensive. And so in some of my interviewing with technology companies, this regulation is taking up a significant chunk of resources from their sustainability or ESG teams. I think one thing that's not, maybe not widely known, if you are not working on corporate reporting on a day-to-day basis is that the regulation I was just talking about in the EU affects companies around the world because companies that have significant operations in the EU are in scope. So it does affect North American companies.

Maureen Farmer

Okay, I didn't know that. Okay, that's interesting. So there's large, like major pharmaceutical companies that are headquartered in the EU that would have operations all around the world. So that's what you're saying, they would all be impacted by this.

Jordan Famularo

Well, yes, the CSRD matters because even if your company's not headquartered in the EU, but it has significant operations in the EU, the company may still be in scope of the regulation and have obligations. The other reason why it matters is that through competitive processes and supply chains, companies in scope may then push reporting requirements on their business customers and suppliers to obtain information that these companies need to have in order to comply with the CSRD. So if I am a small company in North America, but I'm a supplier for an EU company that needs to report against the CSRD, that EU company may come to me asking for information about my data governance or my greenhouse gas emissions or other topics that are related to sustainability reporting.

Maureen Farmer

It's such a complicated topic. 

Jordan Famularo

Yes, so we have a mix of companies that are formally in scope of the regulation, but then it has these cascading effects that go much wider through business to business relationships.

Maureen Farmer

So I guess if you go back to the third question that I have, it is what tools can companies use to self-regulate aside from the tool that you outlined here? What other tools?

Jordan Famularo

Sure, I'm glad you asked. At the same time that I was working on this research at the University of California, Berkeley, there was a visiting scholar who published some amazing research and we actually were thought partners for each other. And so I think it's actually quite relevant. Laura Georg Schaffner, who's faculty at the EM Strasbourg Business School, came over to California and produced another reporting template. And this was to supply boards, also security executives, and investors with an instrument for monitoring risks and opportunities related to cybersecurity, primarily.

So not only monitoring those risks and opportunities, but also disclosing and evaluating them. And it works across industries. It's also set to follow principles of the IFRS Foundation, which your listeners may know as a longstanding standard setter in financial reporting. So what this does is provide a spreadsheet for boards, security executives and investors that has a set of financial statements in one tab, and then it takes the user through how you would make adjustments to financial statements based on evaluation of cybersecurity risks and opportunities. This is an amazing task. This is something that has really challenged companies. And I think it brings a lot for companies and investors. So for companies, it helps them showcase a responsible digital technology approach. And I think importantly, it guides them to disclose information in monetary terms, which is a very huge challenge, I think, for companies in cybersecurity, for cybersecurity topics. And then for investors, I think what's important here is it helps them acquire information from companies about security risks and opportunities that are relevant to financial materiality. And that's really important. That has so far been an area of little progress. And so I really like this research that Laura led. You know, I think as we're going through this paradigm shift in which sustainability accounting is adapting to look much more like financial accounting, we need the expertise and the practitioners to be able to sort of effect this change. And so there are credentials out there that allow professionals from a range of different backgrounds to understand, in an effective way, the links between financial performance and sustainability. So one credential that I've been pursuing is the Fundamentals of Sustainability Accounting or FSA credential that's offered by the IFRS Foundation. And I'd highly recommend it to anyone who's interested in verifying their expertise in sustainability disclosure and analysis in a context where financial materiality is important.

Maureen Farmer

I wonder if that would be included in corporate governance training. I must look into that. 

Jordan Famularo

Yeah, I think so. You know, the list of credential holders is public information. So I guess, you know, outside this call, we could take a look at, you know, what kinds of professionals have already earned this credential. But I think you're probably right.

Maureen Farmer

Another question I want to ask: what is your favorite restaurant? Maddie, our podcast producer, and I have been compiling a list, curating a list, for the past four years now since we started the podcast as a traveler's resource for already vetted restaurants. So you know what it's like when you go to a new place and they all look so good. How do you choose? Well, this can be a way to choose a restaurant that you can feel confident in. So by all means, let us know.

Jordan Famularo

Ok, great! Well, for folks visiting Silicon Valley, there are two amazing Mediterranean restaurants in Palo Alto, and I honestly have a hard time choosing one over the other. One is called Taverna and the other one's called Evvia. They both offer some of the freshest seafood I've ever had, honestly. And I'm just sort of obsessed with Mediterranean food.

Maureen Farmer

Oh, me too. Oh, I love seafood. I could have it every day.

Jordan Famularo

And they both have really lovely places to dine outside. And so that's another reason why I like them.

Okay. And then for folks who may be visiting Sicily in the future. One of my favorite places there is in Ragusa. The restaurant's called Duomo. And Sicily as a whole is one of my favorite places in the world. I think it's because it's almost a compendium of different civilizations and cultures just because of where it is in the world and its history. So this restaurant sort of brings that to life for me. I think the cuisine there is of course Mediterranean, but it incorporates elements from Middle Eastern cuisines and Northern Africa as well as other places in Europe. Also Sicily overlooks the Mediterranean Sea, so can't get much better than that.

Maureen Farmer

No way. Absolutely. And I'd love to ask you a little bit about your amateur gardening. Tell me a little bit about that.

Jordan Famularo

Well, I describe myself as a black thumb instead of a green thumb. I just really have struggled. And it's very ironic because my mother and grandmothers are all amazing gardeners. So I'm not sure what happened. I didn't get the right genes, but I did not grow up in California. And so I'm not super familiar with the soil and the abundance of things that will grow here. But I think gardening for me brings a sense of wonder. Usually it's when I'm observing or taking joy in other people's gardens, since mine seem to have some trouble. But I do have some small successes in my own yard. And so that brings me joy too.

Maureen Farmer

I think I'm a black thumb as well. I enjoy looking at other people's gardens and visiting gardens, not so much my own. And I remember going to the San Diego Zoo with a friend a few years ago, and I love animals, but I have to say it was the flora that I was more interested in than the animals. It was just astounding in San Diego, the beautiful flowers and shrubbery and foliage was just absolutely stunning.

Jordan Famularo

I think as a little girl, I visited California and I just thought of it as kind of almost an otherworldly place, I think because of the amazing array of plants that will grow here and their growing season is year round for the most part.

Maureen Farmer

Yeah, such a temperate place. My last question for you today, Jordan, is this, what has surprised you most in your career so far?

Jordan Famularo

I think what surprised me most is an observation that a mentor shared with me that really changed my way of thinking about my own personal path in my career. The person said to me when I was sort of in the midst of a career pivot and was sort of grappling with what it means to change disciplines or change fields. And the person said to me, you know, the world is changing. So you're adapting to it. And it was a new perspective that was fresh for me. Maybe other people think of their careers that way naturally, but for me, that wasn't natural and it was a light bulb moment, I think, for me that helped me move forward with more confidence.

Maureen Farmer

Well, it's a journey of discovery, isn't it? And responding to the happenings in the world. And we talk about the learning organization, not as a professional development discipline, but more of emerging and learning organization where we're adapting to trends, adapting to realities and becoming stronger as a result of that. And I find that very, very fascinating as well.

And Jordan, thank you so much for taking the time to discuss this important topic with me. And Jordan, how can people get in touch with you? I forgot to ask that question. How can people get hold of you?

Jordan Famularo

Sure, I'm on LinkedIn. And I really welcome connecting with other people there. So please don't hesitate to reach out if you wanna talk about any of the issues that Maureen and I discussed today. Jordan Famularo, that's F-A-M-U-L-A-R-O. You know, I feel like I'm always in learning mode. So that's one reason why I love connecting with other people is I feel like I've always got something I can learn.

Maureen Farmer

Thanks again, Jordan. We'll talk to you soon!

Jordan Famularo

Thank you!

All Rights Reserved 2021, Westgate Branding & Career Consulting