CRO Wisdom Episode 15: Paul Milkman, CISO, Operational and Technology Risk Leader, CIT

Atul Vashistha:

Hello, everyone. Welcome to another episode of CRO wisdom. I’m delighted today to have senior vice president and head of technology and operations risk and the CSO at CIT, Paul Milkman. Welcome.

Paul Milkman:

Thank you. It’s great to be here.

Atul Vashistha:

So Paul, one of the questions I always start with because we find that risk leaders often come from very, very different backgrounds. So how did your career in the risk management space begin?

Paul Milkman:

Really by accident and in two phases at two very different times. So in the late 90s I worked for what was at the time a very large, powerful company called Xerox. It is less so today than it was then, but I was offered a job. I had a role in technology and was offered a role in information security for the first time, which was the first sort of risk related thing I had done. That led to a career including consulting in security and privacy for IBM. I led a consulting unit for the financial sector and then eventually got hired by a financial sector firm, but that was really all cyber related, with business continuity and privacy elements starting to creep in. The risk management portion came when we had a head of operational risk, and this was at Fannie Mae, who basically, just in learning what she knew, I realized I knew nothing about front end risk assessment or business risk.

And I think she probably realized that there was quite a bit I could teach her about controls and what actually went on the frontlines and down at the bits and bytes level or the operational level. And so between the two of us, I think we opened up sort of a knowledge base that allowed me to become a risk manager while doing some of these frontline roles. And it was a pretty big change over in the early 2000s. And so I’ve sort of considered myself a risk guy ever since, as opposed to just a cyber guy or something else.

Atul Vashistha:

Right, right. Interesting journey. So Paul, when you look at your role today, how would you kind of talk about your key priorities?

Paul Milkman:

Yeah, I think in my world, if you think of my role, I’ve worked at larger places and smaller places and currently at a midsize place. And so at a midsize place, your scope is a little broader. And so it’s a large portion of what we would call nonfinancial risk. So I’m interested in sort of all the processes that lead to control of some of the non-financial risks. And the big ones obviously right now you could rip right out of the headlines, right. Cyber for sure is a big deal, resiliency in the sense of ransomware and cyber going together. Certainly a big deal for a lot of firms. Less a problem in the larger banks and the midsize banks, but definitely a problem. And then really the whole nature of our third-party and hybrid relationships with everybody.

So at this point, any larger firm is so dependent on other, either technology partners, operational partners, processors customers, everybody’s manipulating data and transactions and money. And there are very, very different levels of maturity to various control programs. And so probably the single biggest priority right now is getting arms around all of the different third parties and trying to continually maintain good control relationships with them.

Atul Vashistha:

So, Paul, as you just said very clearly the headlines are about cyber and ransomware, but as we look at our third parties, particularly with COVID, we recognize that a lot of the risks that initially started were not really cyber. So how do you think about risk domains beyond cyber?

Paul Milkman:

Yeah, I mean, I think certainly every… It’s tricky because we talk about third party and vendor risks. Honestly, the vendor risks and third-party risks are exactly the same as the risks that you have internally. And they really are the same. They’re just geographically different because they’re not in your shop. The big ones I think really still are relating to data handling. Now we’re not talking about cyber or hacking. We’re just talking about people doing the right things with data within the law, the rapidly changing laws. I think the regulatory environment is constantly shifting. It’s not shifting quickly, but when you change presidential administration, the expectation and the focus of the different regulators changes a little bit. I think the one that’s probably on the horizon as kind of the next big thing again is going to be reputational.

There’s so much capital flowing around, and confidence in institutions is not completely based on all of the objective baseline financials and other things that we used to see. So some of the nonfinancial risks around reputation, around proximity to bad things, proximity to people who sour in the marketplace. I think that’s one of the up and coming ones that we really need to pay attention to for sure.

Atul Vashistha:

Yeah. Paul, in fact just this last week the house passed a disclosure requirement for public companies around the ESG practices as an example.

Paul Milkman:

Right. Yeah. And that is a growing, it’s a growing area of concern. I think certainly for banks, risk management, it’s like we add a new topic, a new risk and a new part of our taxonomy every year, or old ones that we’ve sort of forgotten about seem to pop up again, but the list never gets shorter. Sort of the sheer handling of risk data and risk infrastructure is definitely challenging.

Atul Vashistha:

Right. So Paul, very true the list doesn’t get shorter. And the other thing is this whole requirement of no longer enough to do an assessment on onboarding or once a year. Now I need to know their status continuously. Talk to us about kind of how you’re thinking about this whole move to continuous monitoring.

Paul Milkman:

Yeah. It’s really an imperfect, it’s an imperfect situation, certainly for a heightened standards bank. It’s a bit problematic. And, the reality is no one today has the same level of maturity around infrastructure, information sharing, public-private partnership, private-private partnership, and the overall program investment as say, the large banks do, right. They’ve just been managing the financial and nonfinancial risks for decades and the maturity in the spend absolutely shows. But in order to really serve our customers and they could be retail customers or consumers, or traders, or anybody else, or commercial lending, or other types of businesses. To really serve people you’ve got to take advantage of some of the innovation that the fintechs are bringing and that some commoditized processes are bringing and cloud is bringing.

And so you’re now instantly dealing with people who aren’t banks, and assessing them, I think to your point, isn’t particularly hard. You can do due diligence and ask them how they’re handling a particular control area or managing a particular risk. And what we’re finding is the level of sophistication of our own oversight programs has had to increase dramatically. If you talk to a firm that’s at the lowest end of the maturity scale, they may be very immature and not have done business with a large company before. You’re really translating the language of risk for them into things they understand. And so in order to really operate with them, interoperate with them, you’re almost teaching them the things that you’re going to monitor, and you’ll get as many of them into the contracts as you can, but you’re always going to have to limit your risk, limit your overall risk profile and posture with those types of vendors, because they aren’t going to get it anytime soon. They are going to mature, but they’re not going to mature quickly.

And then you have sort of middle level firms and large firms, and you have different degrees to which you can say, map your controls to our controls across a broad operational spectrum or operational risk spectrum. And we’re just going to accept your reporting as is. And we don’t really want to see detail that provides this liability, but we want to see your summaries and we can map those to our own dashboards. And then you get some that are sort of in between where you’re mapping your framework to their framework. They’re pretty different. And you’re going to get the most of what you can. The staffs that are required now, just to monitor those interactions with those three different sizes of vendors or three different maturities of vendors is substantial.

And so where you might’ve had a few people assigned to establish a vendor management framework, and you might have trusted your individual relationship managers with each of those vendors before, now you actually have to have both second line and first line people, for those in the lines of defense model, who actually are positioned to do the detail work. And it’s not okay in the eyes of the regulators to just assume because it isn’t yours, it’s somebody else’s liability. It’s clear now that our liability lies all the way from bottom to top in a transaction.

Atul Vashistha:

So Paul, with all these increasing needs and requirements, there’ve been some really amazing AI automation tools in the market, particularly around risk management. Can you talk kind of from your perspective of what you’re excited about or what do you actually, also at the same time, worry about when you think about those?

Paul Milkman:

My counter to the question, I’ve found AI to be for the last 15 years, really the biggest disappointment in both technology and risk management. I think basic analytics, basic rule design, machine learning to accelerate the ability to analyze data. I believe all those things are incredibly powerful, but they’ve really been powerful since the 70s, that isn’t really new. The idea that a model can give you the characteristics in an actionable way that you want, I think is trickier. One of the largest banks in the US spent a lot of money on a big, to the tune of $200 million a year, the most AI available. They had the most data elements available that anybody has ever tried to use in operational risk.

They put 150 people in a room and they made it run for a couple of years. And within a couple of years, it had been taken over by marketing because marketing was able to use suggestive data out of the consumer and transactional data that the cyber people were never able to really get an advantage from. And so I think it’s been disappointing outside of marketing in general, I think in risk management the level of detail required to run a good risk management program requires a really firm connection between the risks, and the size and type of those risks that exist for any given asset or business, and the very specific controls that can actually impact your residual position. I think most people get that wrong. If you have that fundamental thing wrong, AI is not going to help you.

If you analyze the threat level against one very specific thing, that may or may not be important to you. So I tend to think that AI still has a way to go before we see some broad implications from it. And maybe I’m just an old fuddy duddy, but I’m pretty technical. And I’ve tried, and I understand data management pretty well. And then I’ve attempted to do some pretty sophisticated things with it, but so far I’ve been pretty disappointed.

Atul Vashistha:

Right. At the same time. I think when we think about other areas of automation, like you said, Paul, like bots and machine learning, they’ve really helped companies get access to better data, analyze better data. But I understand what you’re talking about in terms of predictive analytics kind of leveraging AI for some of that, the promise has not been fully lived up to for sure.

Paul Milkman:

Sure.

Atul Vashistha:

Yep. So Paul, because of all of this complexity, all these new requirements, all of these challenges, let’s turn to kind of personal development. So Bloomberg magazine recently called risk manager a hot job. What do you think?

Paul Milkman:

Yeah, I think it depends which risk management job it is and what industry you’re in. I think it’s certainly, chief risk officer in particular I think, and more senior levels sort of risk managers with a subject matter expertise. And I would extend this over into a compliance. Many, many, many more industries are blooming to a point where they actually now understand the importance of better risk management. You would see it in pockets if you’re building aircraft engines at General Electric years ago, they had really interesting and very capable risk management practices but a lot of the other parts of the company wouldn’t have. Obviously banking is banking, and there aren’t that many new giant banks, right. There’s been a lot of consolidation.

So the number of people who really understand it broadly for a given industry in banking isn’t so bad. But the number of people who would understand how to do the same types of work for a utility or a midsize manufacturer, or even in healthcare. There’s a massive shortage of people who understand broadly what basic risk frameworks look like and how you assess and decide where to spend your next dollar in terms of reducing your residual risk and your risk to your customers and partners. And so I think it’s absolutely a hot job, but like the housing market in many places, in many industries there’s a real supply shortage. So it won’t appear as a hot job because you can’t even hire some of the people that you want, but I’m sure it will mature. And, across industries in general, not just in banking, it will be interesting.

Atul Vashistha:

Yeah, definitely. The demand for those roles is really high. So Paul, what resources do you rely on to make yourself a better risk leader?

Paul Milkman:

Yeah, I think it’s an interesting question. You can interpret what you mean by resources a number of different ways. I think the anchor that everyone as a risk professional needs to have is that thing that I mentioned before, which is that having a methodology around how you think about relating some of those key definitional areas. You really need a good definition for inherent risk and you need a model to size it. You need a mental model to be able to compare different types of risk. You need to be able to say, “That type of privacy risk is roughly the same as that size of financial reporting, accuracy risk, or that size of resiliency risk.” You need to be able to talk in practical terms to board members, regulators, senior leaders. And the ability to articulate risk, both in terms of inherent and residual position, as well as the relationship between controls to those residual positions, in whatever facet of risk you’re working, you’ve got to be able to do it, and you’ve got to be able to do it at a level of elevator speak.

You have to be able to speak simply about boom, boom, boom. These are our risks. These are how we size them. Here’s the controls we have lined up against them. And our final position is moderate, or our final position is however you do it. And if you don’t get the linguistics right, and I was an English major in college. And so I have kind of a weird background to be doing what I’m doing, but I’ve always really focused on how do you make something demonstrable or translatable or relatable to your audience? And your audience could be a software developer. It could be somebody doing a process at an operational center. It could be a regulator, it could be a board member. It could be an investor, it could be anybody. So, how do you make sure you have the risk language that will work for all of them? And it still represents something objective.

Atul Vashistha:

Paul, that’s really helpful because it actually answered what was going to be my last question, which is, what risks do you have for future risk leaders? And I think you articulated some of them extremely well. Is there anything else you would say to somebody who’s wanting to make a career in risk?

Paul Milkman:

It really is that, it’s probably don’t assume that risk management is as mature in the non-financial areas as it is in say credit. And so don’t take anybody’s word, mine included as verbatim, the only way to do it. Definitely keep an open mind and make it make sense to you. If you can’t explain your basic risk management processes and risk management reporting to somebody in an elevator in 27 seconds, they probably don’t make sense. And you’ve really got to work to make it practical and make it make sense. I think it’s the single most important thing, as opposed to getting lost in the numbers and then the jargon that we sometimes use. That would probably be my best advice for a future risk leader.

Atul Vashistha:

Paul, thank you so much for making time to not just share your experience, but also share your knowledge with the audience. Really appreciate it.

Paul Milkman:

Thank you. I appreciated being here.

Speakers

Atul Vashistha
Chairman & CEO

Supply Wisdom

Atul Vashistha is recognized globally as a leading expert on globalization, governance, and risk. He has authored three best-selling books: The Offshore Nation, Globalization Wisdom and Outsourcing Wisdom. Atul pioneered the global sourcing advisory space in 1999 when he founded Neo Group and is also the founder and Chairman of Supply Wisdom. Founded in 2012 as an early warning service for business disruption risk, today, Supply Wisdom® is the market leading patented real-time and continuous risk intelligence and monitoring solution. Atul serves on the boards of the US Department of Defense Business Board (Vice Chair), IAOP, Shared Assessments, and Zemoga.
