Atul Vashistha:
Hello, everyone. Welcome to another episode of CRO Wisdom. I’m delighted to have today with us Linda Tuck Chapman, who is the CEO of the Third Party Risk Institute and ONTALA Performance Solutions. Linda also comes to us from a background where she was the chief procurement officer and head of supplier management, third party risk management at Scotiabank, Fifth Third Bank, and the BMO Financial Group. Linda, welcome.
Linda Tuck Chapman:
Thank you very much, and thanks for having me here today. I appreciate it.
Atul Vashistha:
Absolutely. Linda, let’s start first with, whenever I’m talking to risk leaders, they have very different stories about how they ended up in risk. Let’s hear your story about how did your career in risk management start.
Linda Tuck Chapman:
It’s an interesting thing. Obviously I came out through the procurement stream and back in as early as 2000, the Canadian regulators started really looking at what they thought they should do in terms of, at the time, vendor risk management. Those were early days for me. That was actually when I was at Scotia. I’d already been at BMO and, in procurement you do look at risk and not in the way that we do today. When I was with Scotia, I had the good fortune to work with the regulators through my role at Scotiabank and start to form the first guidance in terms of third party risks. It was very compliance focused. It was really trying to get a handle on what compliance requirements that you have, and basically at that point in time, it was pretty much a reporting function to determine who you’re outsourcing to and where, which is a bit tricky.
Scotia is a very, very international bank and, at the time, they were in 48 countries so it’s a little hard to say when you’re outsourcing to a foreign country. Anyhow, that was really when I got into it. I’ve always had a real interest in it because I recall one of the senior vice presidents at the bank saying to me, “How do we know where the goalposts are for what we can know what’s the worst and what we can’t?” I said, “Gosh, that is such a good question. I’m really going to have to spend some time thinking about it.” Anyhow, so that’s really where it started. And then, in 2004, I went to Fifth Third Bank and it’s certainly no secret that they had some regulatory challenges at the time.
I had the great good fortune to work for Greg Carmichael, who is their CEO now, and at the time he was COO. He was very clear. He came from manufacturing. He had a very good handle on supply chain, which is different obviously than the services that support a financial institution. We had a lot of regulatory attention because of the problems the bank had had. At that point in time, I remember the regulators coming in and saying, “Okay, so we want to see all of your technology contracts. We want to look at the risk profile,” and I said, “Well, that’s probably not exactly what you really mean so let’s think about what would be helpful in terms of understanding the risks that that bank had acquired through its technology contracts.” At the time, also, I was on the operational risk committee for Fifth Third Bank and brought a lot of new ideas because, at the time, operational risk was really focused on fraud and teller losses.
This had a really interesting and meeting new dimension for the bank to contemplate. Anyhow, it went from there. I started on Teleperformance Solutions in 2008. I took the big plunge. I left a job, it was a very, very big bank and I started my own business consulting. Good and bad. Fairly quickly after that, the financial crisis hit and that’s when I really started getting into third party risk management because, at that point in time, I think that it was on the minds of CEOs everywhere, who are we doing business with and what risks did they present to us? I would say most companies at that time could not answer that question. That’s not that long ago. Well, it goes from there. I could go on and on, but I love this topic because there’s so much to learn. Things change all the time and third party risk, that’s what I focus on entirely.
Atul Vashistha:
Linda, it’s very clear you’ve been involved from the very early stages as regulators started to think about outsourcing, supply chain risk, and then as you think about from a bank perspective, the right words that a financial service institution uses is third-party risk management. Let’s bring you to today because I know during COVID you took all this knowledge, this wisdom that you gained over these years, and have written, not just one book, but two books. Tell us a little bit about it and what could the audience takeaway from those books.
Linda Tuck Chapman:
The first book that I wrote, published by Risk Management Association, is really about the what and the why of third party risk management, because third party risk management can be thought of as its own type of risk, when, in fact, it is a very, very broad topic, which is all operational risk. In the first book, I really wanted to explain, where did all this come from? What does it actually mean? How does it fit together? What should you know about it if you’re in a leadership role or have to support third party risk management, or in fact, if you’re in business. I really wrote from that lens and I wrote it probably more at the graduate level, because it’s really aimed at an audience that already is grounded in third party risk, there’s just so much to learn, and how do you take these concepts and really turn them into something useful.
The second book that I’ve written will be published this fall by Institute for Internal Auditors. They carry my first book in the bookstore and they approached me and asked me if I would write a book for auditors. Well, I’m not an auditor myself, but I do know where they were going with us. The second book that I’ve written is Third Party Risk Management: A Practical Guide. The first one is Third-Party Risk Management: Growing Enterprise Value, and this is a practical guide. It should be published in the fall. I’m just in final edits with them. It’s more about the what and the how, so try and put the pieces together so that you’re more at the ground level trying to understand the totality of third-party risk and what should you think of when you’re putting a program in place. The reason why it will be helpful for an auditor in particular is that it should guide them through the thinking in terms of how does this work.
You’ve got a program and then you’ve got the execution, and it touches so many, many parts of an enterprise. What should they know about not just the program, but how it’s implemented.
Atul Vashistha:
That’s great, Linda. Good to hear. This point about internal auditors, in my risk business, we see that very often that more and more they’re paying attention to the third-party risk management programs and they want to be able to see evidence how well it’s run. The other point I wanted to reinforce what you said really for the audiences, don’t think of third party risk management as a risk that’s just thought of as how do you think about your third parties, but it truly is becoming an issue about operational risk management and operational resilience. We’re seeing that application also in supply chain management, where it’s become a must-have function.
Linda Tuck Chapman:
Well, I like the fact you’re focusing on business resilience and tool because in the long run, this is what it’s all about. When I wrote the first book, I saw it about companies operating in an extended enterprise. It was a term that I use very frequently a few years ago, but I’ll tell you what I don’t like about that term. It makes you feel like you’re in this evolving environment that you have little control over. The term I use now is the extended enterprise. If you start to think about your organization as operating as an extended enterprise, it puts you more in the driver’s seat, but also helps you think more intentionally about how you’re delivering either goods and services to your clients or core services to your employees. When you think about the extended enterprise and how it all fits together, it makes a lot more sense that you’re going to understand how all the component pieces work, not just how do you work and then what you need to know about your “vendors.”
Atul Vashistha:
Absolutely. Linda, I remember 15 years ago talking to Rob Carter, CIO at FedEx, who said to me that when he thought about his vendors, he actually integrated that labor pool right into his organization because they were absolutely his extended enterprise. Good point there. Let’s tap into your expertise on some of the challenges that companies are facing today.
Linda Tuck Chapman:
Until the pandemic hit, I think that there were still a lot of organizations that, A, had not invested anything at third-party risk management or, B, were still really treating it like something over here that we had to comply with. There’s a lot of highly regulated industries. It was like, well, maybe it’s cyber, or maybe it’s GDPR, or maybe it’s compliance for something. What the pandemic has done is really caused the C-suite and their board members to seem quite differently about the entire enterprise and where third party relationships fit in. Because, depending on the industry you’re in, there was either a lot of panic and not a lot of bad things happening, or maybe not enough panic and action because that is definitely happening to your supply base, to your third parties. Different parts of the world were going through these waves of different impact.
I think that what has done is really woken us all up to a lot of new concepts. Let me tell you about the first thing. First of all, that concept of business resilience, I really like that into it because that has to be why you’re doing this, in order to give you a more resilient enterprise than you would have if you weren’t entirely sure who was doing what for you and whether or not they were protecting you from harm. The second thing that I was thinking about is, going into the pandemic, what I’ve been teaching through my books and through my certification program is really the separation of the concept of criticality. The criticality is the relationship itself or the activities that supports is all inward looking, and then the other thing you want to look at is exposure to risk, how do you know you’re exposed to the risks and what types of risks, and after you examined the controls, what’s the residual risk. That’s very fundamental. I still see organizations trying to combine those things, but nonetheless, I mean, the practice has been that they’re separate concepts.
What the pandemic really hit home for me was a concept that was on the periphery for me, but now I think it needs to be part of core programs, and that is, what does it take to deliver a dollar of revenue? If you were to look at that differently than you did before the pandemic, what you would really look at is the combination of third parties and your own resources to deliver different products and services to your clients. When you add that third dimension, criticality, exposure to risk and impact on revenue, it would cause you to think very differently about your tiering system. Your relationship segmentation has forced organizations to focus on their most critical relationships, which in most cases are with these big, very well run third parties, and not spend as much attention or pay as much attention on the lower tiers. What we learned with the pandemic is that’s probably not wise because that’s often where the gap is. That’s the point of failure, not the big guys. It’s further down the food chain.
Atul Vashistha:
Yeah. Linda, I think you bring up a great point, which is, one of my big concerns in the marketplace today is that there’s an inordinate focus on cyber. Cyber definitely is a huge risk, but if you were to look at any cyber major incident that occurs and you look back over a period of six months, 12 months, you can actually see that there was inherent risk in other areas where the risk exposure was clear, employee loss, governance issues, moving into high risk areas. You saw that actually challenges take place that then actually evolve into a cyber risk. When you think about that as a discipline and companies are moving more and more to ongoing monitoring, Linda, talk to us about both the pros and really the challenges of adopting ongoing and continuous monitoring.
Linda Tuck Chapman:
Well, continuous monitoring is still elusive as you know, because most organizations when they built their third party risk management program, a lot of organizations are still only assessing exposure to risk and the control environment when they get into the relationship itself, and then it falls away and they might go back to it when the contract renews, but there’s not much between that contract signing and the renewal date. It’s left up to the business and the cyber is basically a reaction to the event that’s happening. But you hit on a really important point, which is, the control environment is not a single isolated component. If you focus directly on cyber controls, you decided, “Well, I’m going to look for access controls and pen testing and this laundry list of items,” that’s actually not going to cover it for you, because what you described was insider threat, perhaps a physical security threat. You have to weave the same together to determine what the actual exposure is, and when you’re seeing deficiencies in more than one area, that should be a bit of a red flag. That’s basically where you start.
And then, when it comes to continuous monitoring, there are really great services that are coming online. We see them. The most common one, of course, is for financial health and then there’s quite a few companies out there now that are monitoring for cyber attacks if there’s a lot of chatter about companies, et cetera. That can allow you to have at least an early warning system if something’s going on with your critical third parties, and if you know who has your data or who has access, et cetera, then you’re better prepared. That’s not the whole story. What we’re not seeing though, are other forms of continuous monitoring, and that’s really where things fall down.
You expect the business or somebody to monitor for negative news about their third parties, but if they put, say, a Google alert, they’re just going to be bombarded. When you put too much noise in the system, they don’t know how to sort it out. I guess where I’m really going is that figure out where you need to spend your energy, and then start to think about how can technology support that. Even for financial health, I mean, doing financial analysis on companies yourself makes no sense when there’s really great solutions out there that can just give you alerts if things are changing.
Atul Vashistha:
So Linda, you’re absolutely correct. Linda, when I think about continuous monitoring, we think of them as seven risk domains. Financial, cyber, those are most common that companies look at. Compliance, operations and operations thinking about the impact on employees, your own infrastructure and others. ESG, locations and nth party. The way we think about that is if all these seven risk domains were continuous and ongoing, now very often you have an early warning system in place because you can see deterioration in one area. COVID a perfect example. I remember that supply was going to put out a release on January 2nd talking about this health and employee issue, which was basically the health issue impacting potentially your employees needing to quarantine and health resources. What started as a localized location issue very soon expanded into a global issue, impacted employees, and very soon when employees moved to work from home, impacted infrastructure, financial health, and guess what? Started to result in many, many cyber service exists. Suppliers does that today in all these seven domains.
But, Linda, the area that I want to ask you is how do companies prepare as you think about organizations, if all those seven risk domains they were ingesting continuously, how do you think they have to change their risk management programs to actually handle that kind of a risk finding volume in a sense?
Linda Tuck Chapman:
Well, we’re not using technology particularly effectively at the moment. There are very, very good solutions out there. Basically, you’re a company that fits in this broad reg tech. Reg tech is anything that allows you to comply with regulations, and even if you’re not in a highly regulated industry, you can still use reg tech. Because, part of the problem is that there are companies that don’t even invest in a third-party risk management platform today and they expect their people to stay on top of everything. It’s actually impossible. You just bury them with tasks management. They cannot get involved in risk management. They don’t have any time. Better use of technology to allow you to really have a better look at their portfolio is really your first step. If you don’t have a platform in the first place, you really need to find a way to create a business case that says this is the only sensible path forward. That’s number one.
Number two is people try to integrate with too many things. You don’t have to do that anymore. RPA and different types of tools, like a Spotfire or Tableau, can allow you to have systems to talk to each other without actually integrating. I think that it’s a bit of a fool’s game trying to integrate everything because by the time you’re done, everything will be out of date anyways. That’s number one. Start with that, and also start with an end in mind. Where do you want to go with all the information you’re ingesting and how are you going to get more efficiently? The use of AI, for example, and it’s probably not exactly AI, it’s not really intelligence per se, but it’s just a way to really speed up the ingesting of a lot of data. One of the areas that I think is a real black hole is negative news monitoring. I’d love to see a company come up with a better solution for that.
Atul Vashistha:
Linda, I think you bring up a great point in terms of how does one use automation data science. To the audience, there’s an interview on CRO WISDOM that I interviewed Jim Routh. Jim Routh, who was formerly the chief security officer at Aetna, CVS, MassMutual, really talks about how he uses data science and automation. Linda let’s turn the conversation back to you, a successful risk leader, and people always want to know, especially when you think about professionals that trying to grow their roles and their contributions to risk management, what resources did you rely on and you still rely on to make yourself a better risk leader?
Linda Tuck Chapman:
One of the things that I think is probably under-emphasized is soft skills. In the long run, why are you doing what you’re doing? A lot of people do get very focused on the rules or the policy or the regulations, but it needs to be about the business, and that’s the first thing that I would suggest it to anybody who is looking to advance their careers is try to look at everything you do through the lens of the business. They’re not your clients. They are your business partners. They have a job to do, and it’s your job to support them. Whatever you need to do to understand the business better, I think, is the number one investment that you should make in yourself and in them. And then, it comes to, well, where can you go to learn? There’s a lot of great forums.
I mean, this is really a great forum that you’re putting out there. There are organizations that you can join. I mean, I’m trying to build a network, it’s a slow slog, but I’m trying to build a network of third-party risk management professionals and people who are interested because you need a place to go for conversation. I have the great good fortune of being the subject matter expert for Risk Management Association and we have a third party risk management round table that I run for them twice a year. That gets me in the room in candid conversations with a group of 35 executives. That’s our limit. 35 executives who are accountable for third party risk management and it’s Cambridge rules that we don’t repeat what happens outside of the meeting, but we have an organized conversation around the topics that are our greatest interest.
During the pandemic, we had weekly one hour meetings for 12 weeks. We had a lot to talk about because people were trying to figure out what to do. Listening to your peers in an organized or facilitated conversation is a great way to learn. There’s other things you can do. Obviously, I have a certification program, there’s books you can read. Whether you’re in the sector or not, the financial services sector in North America has done a very, very good job with this. The OCC, in particular, has very good guidance and is followed very closely by the Fed. If you look to Singapore, the MES has done a very good job. There’s new regulations in the UK focused on business resilience and brings in this concept of revenue. If you look around, you don’t need to make this stuff up. If you’re new to it or you’re building a new program in your organization, you don’t have to learn the same mistakes that other people have made yourself. Rather just see what they’ve done, what works and what doesn’t work, and you can build from there.
That really is networking and it’s being open-minded. I mean, gosh, I sure don’t know everything and I’ve been focused on this for years, and it’s also listening to other people. What else can I say? I should also mention some of the .orgs like NIST and ISO. I mean, they have very, very good materials as well, as does the COSO, C O S O, Treadway Commission.
Atul Vashistha:
Linda, that’s really helpful. I think you’ve highlighted some great resources, both from an organization perspective, networking perspective and knowledge perspective. Let me end by asking you one final question. Bloomberg recently in an article declared risk manager a hot job.
Linda Tuck Chapman:
Well, isn’t that interesting? It reminds me of the rise of the CIO. You remember when the head of technology was kind of along there with everybody else? We had the rise of the CIO, and then we had the rise of the CISO, and now we have the rise of the risk professional. I think that risk a lot of people think it’s a very dry subject like procurement. People think it’s a narrow field when in fact it’s not. A chief risk officer has the ears and the hearts and the minds and the hopes of not just their peers at the senior level, but of the board and the CEO. Because, if they do a really good job of building a sensible risk framework and giving the organization good tools to help them manage within the risk appetite, not over it and not under it, the company will be much more successful.
I’m delighted to see risks coming to the forefront because it can add so much value to an organization. It helps to protect their employees, their shareholders, and their customers from harm, and they have a much more robust bottom line. What’s wrong with that?
Atul Vashistha:
Absolutely. Linda, thank you so much for making time today. And especially, I’m delighted that you also reinforce for the audience as you think about risk management, understand that it’s an operations resilience function that can have tremendous positive impact when done well on revenue and, of course, the profitability of the company. Linda, thanks again. We look forward to seeing your second book come out.
Linda Tuck Chapman:
Thanks for inviting me today. I appreciate it.
Atul Vashistha:
Thank you.