Welcome to another segment of CRO Wisdom. Today, we have the opportunity to speak with Yakut Akman, a leading expert in operational risk and third-party risk management. Yakut and I know each other for many years, when we both worked at Citi. Yakut, welcome to CRO Wisdom.
Great to be here with you, John.
Thank you. Well, here we go. I’m going to try and not hit you with too many tough questions, but we know each other long enough, that I can sneak one in now and then. What we ask a lot of our guests is, really, how did your career in risk management space begin?
It’s a very good question without a good answer. I think it’s sort of evolved over the years. I went into banking, when I didn’t think I would go into banking, in response to an ad. I ended up working 20 years in operations and technology, covering a number of banking products, and I found it quite interesting. I learned a lot.
And then they needed people with business experience in internal audit. I spent five years in internal audit, and that should have been a natural next step to go into risk management, as they were looking for someone to head up a risk management area in one of the sectors, because I understand operations and technology, as I say, have the wheels turn.
I understand how to assess, identify, and evaluate risk and controls. It really came together very nicely for me, as I became a more of a risk management expert.
In the current risk environment, what do you see as the key priorities?
In terms of third-party risk, or in general?
Well, I think, third-party risk, primarily. But there were some general changes that are happening across the entire risk landscape.
Yeah, there definitely is. I mean, there are new risks being introduced. Who knew of cyber risk when you and I first started our careers? Operational risk as a term did not even exist when you and I started, and we’re relatively young. So it really goes to show you how quickly things change.
All of these evolving risks, changing risks, really, to me, highlights the importance of understanding risk, having more of a risk culture in any organization, and making sure that people have a much better appreciation of identifying their risks and their controls, and making sure that they’re well-prepared, and not turn risk management into two things, one, a reactionary program, where, when there’s a problem, you throw money, resources, and what have you, or assign it to a risk management organization, versus the business really being responsible for managing risk. Let me stop there, because that was just a general answer, but because I don’t want to grow and identify each new risks that’s emerging now.
Well, we’re not going to let you off the hook completely. So we’re going to have a couple of questions here. These are questions that are going to highlight some of the current trends.
Yeah, it has become clear through COVID-19 that companies need continuous monitoring. How do organizations plan to incorporate continuous monitoring into a risk program?
Yeah, I don’t think this is actually a difficult question. If you thought this was a difficult question, I hope you have better ones, John, because this has been around quite a while, and I think the organizations have gotten pretty good at it over the years.
When I worked at Citi, we certainly had a lot of table topics to say sizes, and programs and documented actions. Over the years, we’ve definitely matured in terms of understanding our risks, and getting ready for potential problems.
To me, what is truly important in all of these exercises and being ready for any problems that are occurring, is making sure that the business understands, and business studies, the playbook, goes through the exercises, and they provide input into how these things are shaped, versus saying, “Oh, if something happens, where’s my call tree, who do I call, who’s going to manage this?”
They’re a part of the solution, because it’s their business, it’s their environment that will create the problem. If they don’t really understand how to address these things, they will never catch up after the fact.
Ah, good point, good point. Risk assessments, those hundreds and hundreds of questions about all topics, they’re challenging in this environment where we need information quickly. What other strategies are being pursued out there in the marketplace?
Good question, and we’ve been struggling with this. And I think, with the emergence of additional risk categories, it becomes pretty evident to me, may not be to everybody else, that organizations cannot really do everything on their own, identifying all the different risks and assessing them, and somehow treating them as one big box of risks that you can put your arms around, and then figure out how to mitigate those risks, is not realistic.
In my view, even the utilities that I try to do this on behalf of organizations, particularly in the third party area saying, “Okay, we will go and collect the information, because after all, everybody’s using similar vendors, everybody’s after the same set of data points, it’s good and normal.”
But at the end of the day, there’s so much data that needs to be collected. I don’t think it’s realistic to group everything under this big umbrella called third-party risk. Because when you think of it, everything that a company outsources is originally something that they were doing in-house.
Now under third-party risk, regardless of what may be outsourced, we throw that under a third-party risk. By definition, third-party risk could include everything that was that in-house.
Whether it’s cyber risk, information risk, contingency of business risk, human resources risk, other operational risks, we bundle everything under third-party risk, and good luck. How do you identify and assess and measure it? It’s not realistic.
I personally think the day is going to come, probably pretty soon, when we will look for some expertise in each one of these risk categories, whether it’s information and cyber, whether it’s Compliance, some other grouping of HR. And then, there will be experts who will really size up the risks with vendors, and provide that information to the organizations.
They will take that info, and add it to their mix of risk assessment. And that’s how I think we’re going to be able to achieve efficiencies in the process.
I think that’s a really good point. I think you really hit the nail on the head, with all these new risk categories, and this vast amount of information that’s now available out there. Before I ask you about how AI and automation can help, could you give us a couple of comments on this, the hot item right now, which is ESG? And I’ll give you an example.
The New York banking authority, right, they just included climate risk in one of their requirements. So if you could just spend a minute or two on this overview, of where you think we’re going to go with this whole ESG category?
Good risk management is a competitive advantage. And it’s going to be one, more and more so over time, seeing what we’re seeing and experiencing. If you were not well prepared to handle a pandemic like COVID, not only have you lost money, God knows what else emerged as a result. But if you were well-prepared, if your risk management practices were really more or less in place, that became a competitive advantage. So everybody has to remember it.
To be honest with you, I may be in the minority here. I’m not very comfortable throwing everything in the kitchen sink under ESG. I mean, if somebody asked me, “Hey, Yakut, go and work on our risk as a framework, and make sure you group similar things together,” I wouldn’t have put together environment, climate, everything that is currently under ESG, into one category.
I think we’ve gotten to a point where there are all these strange risk categories, of things that, certainly investors are looking for. The whole society has turned these things into a somewhat of an important set of issues that we give a lot more importance to, and for all the right reasons, but as grouping them together, now we’re going to struggle.
I think organizations show, that it’s one thing to say, “Oh, we have an ESG program.” It’s another thing to really peel the onion and say, “What does that mean? Well, maybe we’re going to be looking for green in whatever, climate system, building.
And we’re also going to be paying more attention to minorities, and we’re also going to be promoting blacks,” which is all great, but can you really group them all together? They’re not really complementary, when you peel the onion.
I think it’s going to take a little bit of time for us to really figure out what exactly is ESG, because I don’t think you can assign an ESG czar, and make sure that he or she can monitor everything. So anyway, those are my thoughts.
It’s an interesting point. It’s something you and I both know well, both from Citi and my days with Deutsche Bank. It’s a whole different ball game when you’re dealing in an international environment.
Because I remember, when I first went from Citi in north America, and I went then to run the program and in Japan, a lot of the things that we looked at for, in the anti-money laundering area, didn’t apply, because Japan was a cash society.
We’re going to have to bring this whole cultural thing into it, but that’s a whole ‘nother topic. And I think maybe we’ll spend that on our next session.
What I want to get you on now is, with all of this, how do you think, AI and automation? I mean, do you see that really growing in the risk management field?
Yes, but let me just say one thing before I answer that question, because it made me think of this. There’s no question, as I said, we’re all struggling with exactly how do we put our arms around this? And great minds are coming together.
For instance, our risk organization, our risk board meetings are very helpful, under Atul’s leadership, and yours and others from your organization. I think, when we bring risk managers together, and we compare notes and we understand exactly how we’re struggling, or maybe we’ve found some solutions to some of these questions, it makes us feel good about what we have or haven’t been able to do.
And I think that’s exactly how we’re going to be moving forward. Now, artificial intelligence and everything else, yes, absolutely, technology is certainly driving a lot of things.
But having come through the ranks myself, and having done a lot of these things manually, I never forget the importance of the brains that program all these artificial, there is a real intelligence behind artificial intelligence. Let’s take that again. There’s a real intelligence behind artificial intelligence.
How these things are programmed so important, because we lose the touch, the understanding, the feeling of, what exactly is technology doing? What is that driving?
All these algorithms and what have you, even the stock market, right? Things take place. Then all of a sudden we say, “Oh, my God, we forgot to add XYZ in the formula.”
I’m a little weary of that, about putting too much stock on artificial intelligence, making risk management more efficient, better, cheaper, faster, whatever. I never underestimate the importance of the real minds behind all of this.
What I always remember when I learned that Citibank was, don’t automate a process that doesn’t work.
Right, that’s very true.
And we made a few of those mistakes over the years.
Oh, my God. I have lots of examples, but we don’t have time for it right now.
I always say to people, the only reason I’m good at this is because I made more mistakes than most. But anyway, I got a couple of real quick ones for you.
One is, Bloomberg recently declared the chief risk officer or risk manager to be a hot job. Do you really think that we’re going to see this field grow over the next 10 years?
I like the term “hot job,” yes. I think I had a hot job hot, right? That’s how you define hot, right? Absolutely.
I mean, risk is here to stay, risk is growing. Why? Because I think, regardless of their levels, their years of seniority, people’s understanding the professional’s understanding of risk is diminishing. And I think risk is becoming a risk in and of itself.
Risk management is something that is so, so, so critical. Because nowadays, once something flares up, the potential impact on the earnings of a company, it’s huge. But that also, when we talk about the chief risk positions being a hot position, we’re very significant, blah, blah, blah, that’s wonderful.
But that also worries me. Because then, starting with the board of a company and the seniors, and what have you, if they say, “Well, I have a great senior risk manager, my chief risk manager is so and so,” whatever, if they somehow allocate the responsibility and the accountability to that risk manager, then good luck.
To me, as I started saying this, in the beginning of this nice conversation, risk management has to be a part of an organization’s DNA, has to be their culture. Because the people who really do things on the ground, they know exactly where the bodies are buried, where the problems are.
One of my favorite sayings is, “Problems don’t age well. So if people don’t have the mindset,” and raise their hands and say, “Hey, we have a problem here. How are we going to solve this? Let’s bring our heads together,” you can have the hottest chief risk manager, that’s not going to help.
Okay. Reputations are built over the years, but they can be destroyed in an hour.
Because at the end of the day, nobody wins, if one party loses. You’re only as strong as your weakest link in risk management.
And that’s it. So two quick ones. What did you, what resources did you rely on over the years, to really move up through the risk profession, and really stay abreast of what changes, and what’s going on?
I learned a lot over the years, to be honest with you. If I knew then what I know now …
I think I would have done certain things differently. I think, similar to what I said before, I better understood the importance of, as a risk manager, my role, and educating and influencing our business managers’ understanding of risk, and what it meant, in terms of potential impact on their revenues, on their day to day operations, and so on and so forth, and making them a part of the solution.
And making sure, that while I was certainly responsible and accountable, I included first, second and third line, in coming up with a solution. The best example was when I was at Citi as a chief third-party management officer.
We had a huge regulatory issue, and typically, you let the first line, maybe second line work together, and then Audit comes and criticizes you. I asked Audit, as well as the second line, to be at the table with us.
And I said, “This is the time for us to criticize each other, debate or whatever, come up with a solution. Because against the regulators, we’re all on the same team. Nobody wins if one of us loses.”
I think those are the things that I’ve learned, and eventually, it really paid off, but we’re all in it together. I think, as an organization, if, starting with the board, everybody really understands how important risk management is, and what does it mean?
How can we really make a difference by working together, by collaborating, providing from, debating each other? I would invite people to debate me.
I’m like, “This is what I think, but tell me, what am I missing?” Sometimes there is an intimidation factor, because your too senior people don’t, but you have to make them more comfortable.
Because at the end of the day, nobody wins, if one party loses. You’re only as strong as your weakest link in risk management.
Well, Yakut, that’s really fabulous advice, and we thank you so much. I remember hearing a long time ago, from a mentor I had, who said, “Remember, John, risk is not a spectator sport.”
No. Not at all.
You described that fabulous. Everybody’s got to be in it.
But I will tell you, good risk management is a competitive advantage. And it’s going to be one, more and more so over time, seeing what we’re seeing and experiencing. COVID is a great example, right? If you were not well prepared to handle a pandemic like COVID, not only have you lost money, God knows what else emerged as a result. But if you were well-prepared, if your risk management practices were really more or less in place, that became a competitive advantage. So everybody has to remember it.
Yakut, thank you so much. This was great advice, great information, and we’re so happy to have you on our Risk Board.
If anyone that wants to learn more about that, you can just check riskboard.com, or you can always check with us at Supply Wisdom. So again, thank you. Everyone stay safe.
This was a lot of fun. Thanks for inviting me.