CRO Wisdom Episode 12: Victor Meyer, COO, Supply Wisdom

John Bree:

Hello, and welcome to the next episode of CRO Wisdom, sharing the wisdom of risk leaders. Today, we are joined by Victor Meyer, the CEO of Supply Wisdom and former Global Risk Leader for Deutsche Bank. Victor, welcome, and let’s jump right in. I know there were a couple of things that you wanted to just mention about some very basic fundamental components of risk management. So would you take a minute just to kind of take us through those basic fundamentals we were talking about?

Victor Meyer:

Yeah, John, I mean, I’ve always often found it helpful, particularly in dealing with non-financial risks, where it’s often very, very difficult to assign an objective probability to these, to try to apply some basic principles or some rules of thumb, to try to contextualize and put a framework around these issues. So therefore I’ll preface what I’m going to say with that in mind. So you’re going to hear a little bit of first principles, frameworks, rules of thumb, ways of approaching problems, methodologies for viewing and contextualizing problems.

John Bree:

You know, I along with our audience are always interested in how risk leaders started their careers. Please tell us about your journey from your time in the US Navy.

Victor Meyer:

Thanks, John. Well, as you know, I spent 20 years as a US Navy Seal in a number of different roles. So my interest and my aptitude in the area of risk was probably conditioned by that, because for each Seal mission there’s an enormous amount of advanced planning that’s required. There’s a very structured approach, but it’s one that allows for unconventional thought. And when you’re dealing with missions that carry a very high degree of risk and a very high degree of uncertainty, where it’s very difficult to assign objective probabilities to downside events, a very disciplined approach needs to be taken to risk management. And I think that’s where I sort of started my risk journey. It continued as I was leaving the Navy and transitioning to another career in finance when I had the opportunity to study risk in finance at the London School of Economics.

And I met the Chief Risk Officer at Deutsche Bank while I was there, who was quite a visionary in the area of nonfinancial risk, and brought me on board. One of the things that was I think important about his understanding and vision for risk, and this was way before. I mean, Basel was just coming out at this time, pillar two for operational risk management was just coming out at this point. And so the management of operational risk or non-financial risk was really at a very nascent state. But he concentrated on the far end of the risk spectrum in terms of probability and impact. He realized that the really damaging events could occur in the tails. And so that’s where he applied the majority of his risk mitigation and predictive efforts. And to this day, I think that’s the wise approach, as we’re seeing.

John Bree:

Yeah. It’s interesting you mentioned that. You always used to, when we used to work together, you had a comment we used to talk about why you always carry two radios when you were on a mission. And I think that talks about, right, you can tell that story. That talks about the little things that sometimes cause the problems.

Victor Meyer:

Yeah, there’s a number of aphorisms that drive certain behaviors, and it builds a certain culture around how to plan, and around risk management, and about managing to downside and anticipating the downside events. And that particular aphorism is two is one, one is none. Whenever we’d go out in the field, you can absolutely guarantee that one radio would break. And so you always carried at least two. Or it’s the reason why Seals carry a primary and a secondary, because if one jams then you always, you always have a secondary weapon.

John Bree:

It’s always about the little things. So in the current risk environment, what are some of the key priorities that you see, and what are you seeing from the industry in general?

Victor Meyer:

Well, look, things come full circle, don’t they? At least in my way of thinking. So I told you about the Chief Risk Officer at Deutsche Bank, Hugo Banziger, who thought about, whose efforts were focused on insights into the so-called fat tails, or very, very low probability but very high impact. And these were the exact same risks that we studied when I was the Vice Chairman of the World Economic Forum’s Global Agenda Council for both pandemic and for catastrophic risk, where we tried to assign specific attributes for catastrophic risk. They tend to be rapid onset, they tend to be cascading, and they tend to carry what’s often called novelty or intractability. That is, we haven’t seen this event in our loss history before, so we really don’t know what it looks like. Two really good examples are the thousand year earthquake at Fukushima Daiichi, where we had the 8.1 scale earthquake, which created a huge 10 meter tsunami, which took out all the cooling systems for four nuclear reactors and resulted in core breach in at least one of those reactors. So certainly we’d never experienced anything like that before. It was very clearly cascading.

And I guess for me the best example of all, and we’re in the middle of it, this pandemic. Very few people predicted it, although the more prescient people had warned against it, there was little in the way of public policy to be able to prepare for, or respond to such an event. And we’re seeing the social consequences of that are pretty profound, actually. And we’re only, in my view we’re still, 15 months on, we’re still at the end of the beginning, not the beginning of the end.

John Bree:

That’s a good point. We learned a lot from COVID, I think, and we’re going to continue to learn from that. One of the challenges that people face in the risk industry has always been how to do assessments and how to have an understanding of not only your third party vendors, but your entire supply chain. So what do you see the change coming from, static kind of a point in time multi-question risk assessments? How is the industry moving forward to start to deal with this need for information?

Victor Meyer:

Well, John, first I think there’s been… I wouldn’t exactly call it an imperceptible shift, because I think everyone, at least in the industries that I’m the most familiar with, healthcare, banking, financial services and insurance, utilities, we know what our dependency on third parties has been. In my experience, about 50% of the average bank’s cost basis is spent on third parties. And so there’s inherent and residual risk in that. And so it requires every bit as rigorous, if not a more rigorous approach around controls, the controls inventory and an assessment of controls effectiveness. I don’t think there’s much debate about that. However, it’s the how you do that is, it’s both art and science.

What we’ve seen over the last year or so, particularly the pandemic has, I think, laid bare some of the weaknesses in the previous third-party risk management models. And that is that risk profiles change more rapidly than perhaps everyone expected. Number two, the supply chains for both physical and service are quite fragile, brittle, to use a word that’s frequently employed in the industry.

And in some cases, these risk profiles can change very, very dramatically, very, very quickly. Those would be some of, I like to look at attributes of systems and processes. These are some of my observations around some of the weaknesses in both the third party risk management process over the last year, and the attributes of supply chains across the board.

John Bree:

That’s really important. That’s a good perspective on that, Victor. Another thing we’ve noticed over the years, I mean, traditionally, the focus on risk monitoring has always been sort of on the financial health and wellbeing of a third party vendor, as well as kind of the cyber risk associated with any vendor that’s handling data. But what other risks are you starting to see that are important? I mean we deal with things like location and the whole world of VSG and all those things. So do you want to elaborate a little on some of the other risks that people have to pay attention to? Maybe some of those long tail things you talked about earlier.

Victor Meyer:

Well, I think risk managers are no different than admirals and generals, they tend to fight the last war. Look, there’s no… I don’t want to sort of play down the risks from cyber security controls weaknesses, as we saw with the Colonial Pipeline, they’re very, very present. And the negative consequences of a risk crystallization are very, very tangible and very, very meaningful. Nevertheless, when I look at, for example, it’s very difficult for organizations to get out in front of these events. They tend to put priorities in one area based on what has happened to a peer, or what has happened in an industry, or where the regulatory attention is. And in the industry, the attention in the aftermath of the financial crisis was very much on conduct risk. Then it transitioned to cyber security risk, but there was very little attention to op resilience and almost no attention to pandemic.

And I think the same is true of environmental, social, and governance risk. There has been an enormous social change that has been caused on the back of the pandemic. And I think that individuals and companies are finally having to wake up to the impacts of, for example, climate change, of equity and equality. And reputational, the reputational damage that can occur as a result of, for example, undetected use of slave labor in a supply chain can be very, very severe. And they can, as I said, one of the aspects of catastrophic risk, those are the rapid onset. They are immediate.

John Bree:

What are your thoughts about, as we’re starting to see the fallout continue from the pandemic, and now we’re starting to see issues about, I mean, really hard-hitting economic issues, where countries are just not generating the revenue they did. Tourism was a disaster last year. And while we are going through a recovery, it’s going to be a slow recovery. I mean, I’m going to pull on your background a little bit with the London School Of Economics. I mean, how do you see the economic situation in many countries impacting their ability to actually recover?

Victor Meyer:

It’s interesting. I think it’s the financial crisis cascading risks played in reverse. So the financial crisis, the way the financial crisis played out, there was Lehman caused a great liquidity crisis. So it was a liquidity crisis. And then there was a credit crisis, and then there was a financial crisis, and then there was a fiscal crisis, and then there was a social crisis. Here you’ve got an epidemiological crisis that has caused a social crisis. And now you’re going to see various manifestations of financial risk cascade throughout, fiscal crisis, inflation. Those will be some of the downside risks that we’ll start to see. And if you remember, the financial crisis took years to play out. This is much more rapid, and it’s much more multifarious, is I guess the word I would use. Lots of risk crystallization events occurring simultaneously, each one of those creating second, third, and fourth order effects. Very difficult to predict.

John Bree:

Well, as companies now are pulling various solutions to get an understanding of what you know is called risk intelligence or risk information, how do you see automation, artificial intelligence, all that helping pull all that massive amount of data into a usable format?

Victor Meyer:

Well, I think number one, artificial intelligence is not a solution. It assists human decision-making. Every firm’s risk appetite is slightly different, and therefore firms will act in a different way. Every firm’s risk exposures are different. What artificial intelligence and machine learning allow us to do is aggregate large amounts of risk information into a form that’s readily consumable, and on which risk decisions can be taken.

John Bree:

Interesting. Kind of switching topics a little bit here, Bloomberg recently declared the Chief Risk Officer and the Risk Manager to be a hot job. What are your thoughts on that, about people thinking about entering that field?

Victor Meyer:

Well, John, I think one of the things I’m pleased to see is that non-financial risk has started to get the attention and appreciation that it deserves. And it’s started to as well become perceived as a valuable part, element of a comprehensive risk management approach. Certainly in financial services, market risk and credit risk have been dominant. Non-financial risk, however, has been where the major losses have occurred and where the huge operational disruptions. I don’t think any risk manager would have been able to predict that we would be operating 100% remotely for in some cases more than a year. And so, this is a little bit of the 9/11 report, failure of imagination. It’s also a little bit of failure imagination.

One point that I really want to make is one of the very important components of risk management that humans combined with good risk management practice in artificial intelligence and machine learning is identifying risk hotspots, and then playing that forward and saying, what happens if these risks crystallize in a certain way? We call this a pre-mortem, that is you’re doing an after action report in reverse. You’re trying to anticipate what actions are going to happen. And the human brain is uniquely qualified to be able to do this. And you develop different scenarios, and you run scenario based exercises, and it helps develop from an organizational point of view the muscle memory that allows firms to transition upon reasonably weak signals from a business as usual mode to task organized, to be able to bring together large amounts of information about risk exposures, and then to be able to anticipate what actions need to be taken before those impacts become catastrophic or near catastrophic.

John Bree:

Yeah, I noticed you mentioned credit risk and market risk, and kind of what I hear in the industry, credit risk and market risk were always about forecasting, anticipating what was going to happen. And I think your point is well taken that the nonfinancial risk has to start to catch up with that and use some of the techniques that have been used and proven in other parts of the risk environment. So that’s a good point. Let me ask you another question. What kind of resources do you see people in the industry relying on to kind of get a handle on all this? Both systemic and staffing wise, but what tools are out there that can help people pull all this data together?

Victor Meyer:

Well, as you know, my interest over the last couple of years in the non-financial risks spaces has been on third party, because I think it’s the new cybersecurity risk. And indeed it’s got a cybersecurity risk element embedded in it, because the third party space is just an extension of the normal firm. I think what some risk practitioners are starting to realize, and what third party risk practitioners have known for quite some time, is that you need to apply the same rigor and methodologies and technologies in your third party space as you do in your own firm, including your captives. I mean, just let’s look at what’s happening in India over the last couple of weeks with the pandemic. I would not differentiate between firms in the financial services area that are running their operation support clearing and settling operations in a captive from those that they’ve outsourced to a vendor. Those organizations are experiencing the same level of stress and the same level of attrition. I would struggle to in any way between how those positions are responding.

John Bree:

Victor, you made some important points that sort of got me thinking a little bit. During my career in risk and operational risk over the years, I always believe that governance control compliance risk was there to not say no to the revenue side of the house, but to say how. To help them be successful, help them grow, help them achieve. How do you feel about the need to have risk as sort of the front end, getting to early stages of product and process development?

Victor Meyer:

You know, John, I’ll use an example from Deutsche Bank, in an area that you might not expect, in the fraud area. When you have a good partnership between risk and the business, when you have a good risk culture in a particular business area, then you can, that is an entirely achievable outcome. I recall the day when in prime finance, which interestingly enough is where the Archegos event happened, was in Credit Suisse’s prime finance business. And other firms had exposures to this as well, fairly significant exposures, and that story didn’t end well for them.

Deutsche Bank way back when was an exception when we put in place a hedge fund due diligence process that was upstream of the know your customer new client adoption. So we collected, manually in this case, a large amount of intelligence on the firm that was on the other side of the table as we were evaluating that firm as a potential client. But we had a very, very good idea about the inherent risk of doing business with that firm. If we felt like a firm was going to be problematic down the road, we just would never engage in that relationship. It was a very, very matured approach to risk, and it was exactly what you’re talking about. And in some cases we were able to have a very straightforward conversation about… Which for example, we had one conversation where we had to ask one of the hedge funds if they would consider as a condition of the lending to have one of the directors step down, which they did.

John Bree:

Yeah, so that’s looking ahead. And I think it shows the value of getting involved in an early stage to anticipate some of the problems that may come, and actually dealing with those problems. So before I let you go today, I have one question that I know everyone in our audience wants to hear is, so with all your experience, having come from the Navy Seals into the many years in the business and through your education, so what advice would you give to future risk leaders if you had to give your kind of one minute pitch on where they should be thinking, where they should be focusing, some of the challenges they may face?

Victor Meyer:

I had a very interesting conversation with the CrowdStrike team, but it applies across the board to many risk disciplines. And their approach is, never just focus on one area of risk management. So they said, you need to focus on intelligence, know everything that you can know about the threat environment, or about the potential risk exposures. You need to focus on the controls environment, the presence of controls, and the effectiveness of controls. And if a control is not effective, then there needs to be a plan to mitigate that, the so-called path to green, and/or compensating control if there will be an excessive delay in mitigating that.

And lastly, you go into risk management situations with body armor, knowing it’s going to succeed four out of five times, but you’re going to take a round. So you have to have consequence management in place. So then you are able to, as I said, pivot the organization. Task organized to, for example, respond to a data breach, respond to a significant reputational risk issue, because no matter how effective your risk intelligence, no matter how good your controls environment, there will be controls failures, and you need to be able to respond to them.

John Bree:

Good point. Thank you. I guess agility is what it’s all about. And I think we’re going to see a focus on that. Well, Victor, I want to thank you very much for your insights and some of your great perspectives. And CRO Wisdom will be back with another episode very soon. Thank you all, and have a great day.

Speakers

Victor Meyer


COO

Supply Wisdom

Victor Meyer is Chief Operating Officer at Supply Wisdom, the leader in continuous risk intelligence. A former U.S. Navy SEAL, Victor Meyer held a wide variety of roles at Deutsche Bank from Group Head of Operational and Anti-Fraud Risk to group-wide responsibility for Third Party Risk Management, Information Security and Operational Resilience. He was also a former Vice-Chairman of the World Economic Forum’s Global Agenda Forums for Pandemic and Catastrophic Risk.

John Bree


Chief Evangelist & CRO

Supply Wisdom

John is Chief Evangelist & Chief Risk Officer with Supply Wisdom. Prior to joining Supply Wisdom, John held senior positions in New York, Tokyo, Singapore and London for Citi and Deutsche Bank covering corporate, investment, commercial and consumer banking internal and vendor operations. John is a member of the Shared Assessments US and UK Steering Committees and Co-Chair of the Financial Industry Vertical Strategy Group.
