
CRO Wisdom Episode 19: Eileen Fahey, CRO, Fitch Group and Dr Laura Jones, Senior Director of GRC, Hearst

Atul Vashistha:

Hi, everyone. This is Atul. I’m the chairman and CEO of Supply Wisdom. Thank you for joining. Let me begin. I’ll set the stage for this webinar. So one of the key things that we’re seeing in the marketplace as we go back, of course, to 2020 with the pandemic and the risk that it posed, and then you fast-forward to 2021 and now, and we’re seeing significant challenges in terms of supply chain disruptions for many, many risk issues. Right. Not just cyber, location-based, adoption of zero COVID policies and so much more. And so there’s a very strong drive that is coming all the way from the board and from forward-leaning and forward-thinking risk leaders that one needs to mature the risk programs enterprises have to really keep up and stay with what’s happening in our environment today.

Atul Vashistha:

So I’m really delighted to have an incredible panel to discuss, Hey, how do you mature your risk programs when you see disruption risk rising? And the reality is, when you go back to even pre-2020, what you start to see is this is not a phenomenon because of COVID. The number of disruptions to businesses because of third parties has been rising steadily over the years, even prior to COVID. And it’s not just limited to cyber, as we will talk about in this webinar.

Atul Vashistha:

I’m really delighted to have two leaders. I’m a firm believer that peer wisdom, learning from the leaders we either aspire to be or the leaders that we respect, and hearing from them can truly add perspective that can help us speed up our programs. So I’m delighted to have with us today, Eileen Fahey. Eileen is the chief risk officer at Fitch Group. She joined Fitch in 1998, has played a number of different roles, and has been in this position since 2017. She’s responsible for evaluating and also helping mitigate, as a second line of defense, any risk that the Fitch Group may be exposed to. Eileen was also a national bank examiner for the OCC, so she brings a very diverse and very experienced perspective to today’s session. Welcome, Eileen.

Eileen Fahey:

Thank you, Atul.

Atul Vashistha:

Thank you. We’re also delighted to have with us today, Dr. Laura Jones. Dr. Jones served in the army for 20 years, retired as a master sergeant and then decided to really make a career in risk and has played that role in a number of different organizations. And currently, congratulations on a recent promotion to senior director of GRC at Hearst.

Dr. Laura Jones:

Thank you, Atul.

Atul Vashistha:

Thank you, Dr. Jones. One of the interesting things about Dr. Jones is she’s also an author and has written books to educate kids on cyber and other related risks. So if you get a chance after the session, please do take a look at both their backgrounds. I’m the chairman and CEO of Supply Wisdom, a risk intelligence firm that’s focused on helping companies move their procurement risk management programs to an ongoing risk intelligence, risk monitoring system. So without further ado, Dr. Jones and Eileen, let’s get started. So one of the key things that companies, enterprises and organizations are seeing is that disruption risks are multiplying. Right. We go in front of boards and we talk about cyber risk, but the reality of the last two years is we’re seeing risk because of climate change, we’re seeing risk because of social disruptions, diversity issues and, of course, a lot of supply chain bottlenecks for many, many reasons beyond COVID.

Atul Vashistha:

And on top of that, while this risk landscape is changing very rapidly, so is the transformation that companies are undertaking. So that makes many of us look at it and say, one needs to mature their risk management programs. So I think what we’re going to try and do today during this webinar is help provide a guide, and your personal experience across the multiple organizations you’ve been at, in terms of how one should think about it.

Atul Vashistha:

So let’s first talk about the third-party risk management life cycle, and how you personally, if you think about the whole program and starting, and then thinking about risk program maturity, how do you think about it from an entire lifecycle perspective? Eileen, let’s get started with you.

Eileen Fahey:

Sure. So I would say that, I think the first thing certainly is the selection process and trying to evaluate very competitive markets and all types of products. What are your specific needs? How will these two or three companies that you’re looking at meet those needs, and are there things that they can do that can push you more forward into thinking differently about what your needs are, perhaps, and not just the immediate needs, but what you might need several years from now? So that’s one thing. I think the other thing that’s important, and you’ve got it up here in terms of governance, is looking at what potential conflicts you could have with them or the processes that they might be following, and not just the conflicts, but also their stability. So you have to look at each of these vendors as, what’s their stability in the marketplace, what’s their financial stability, what can they contribute, and what else can you do to widen and offer them and offer yourselves a longer-term product or something that’s within your market?

Atul Vashistha:

Right. And Dr. Jones, when you think about maturity perspective, would you say that it’s also important to kind of make sure you understand where you are? Can you talk a little bit about that, how you think about maturity?

Dr. Laura Jones:

Oh, absolutely. It’s an imperative to understand where you are within your organization in terms of risk maturity. And to Eileen’s point, a lot of your vendor selection is really going to be predicated upon what you need for your business and where you are and so looking back at that vendor selection process that you previously showed, that life cycle model, that’s very much going to be an integral part of your own risk management program and your process to maturity. What do you need? Exactly, what would be enough, what would be too much? Where are those vendors in terms of your own process and how can they then really help push you forward?

Dr. Laura Jones:

So that was spot on, what Eileen said. In terms of the risk management maturity model, I would say it’s really important to understand where your organization is today. That would entail a risk assessment, really more of a gap assessment to analyze where your companies are underneath you, what your… We’ll talk about risk appetite, hopefully, risk tolerance and so forth, but what are those key components of your environment, including your culture, right, your appetite for risk? How does that play into your key business processes and where are you really?

Dr. Laura Jones:

I think back to younger days when we played the game pickup sticks. Right. The pixie sticks and we throw them in the air and they would land and it was just a really sporadic kind of landing, no organization. They’re not laid from a military term, dress right, dress. Right. So it’s very initial, very ad hoc in nature, but it’s also then to understand, where do you really want to be. Most organizations as they’re assessing their maturity will start at the initial level more than likely and then you’re headed to those higher tiered maturity areas. Tiers, rather. And so that would entail a risk assessment, a gap assessment, to understand where you should be, where are you? It’s kind of aspirational to think that you would want to be in an optimized state, but where do you really need to go? So that’s kind of how I think about risk management maturity, starting out.

Atul Vashistha:

Right. So very clearly, if you are looking to mature your risk program, one needs to understand where you are on this journey.

Dr. Laura Jones:

Exactly.

Atul Vashistha:

Right. And in some cases, that journey might be in terms of how you look at your own organization, but also how you look at your supply chain, your third parties. Right. In terms of, what is your maturity relationship to them? Eileen, when you look at this risk management model, any other thoughts in terms of how you would recommend companies approach it? They may be at an earlier stage of their risk management programs.

Eileen Fahey:

I think it depends on who’s driving it. So is it a top-down driven process or is it bottom-up, or do you need to combine the two? Is it recognized that you need a second line of defense or a third line? Most companies have a first line, and those are the people responsible for integrating. So is the first line aware of the risks presenting in whatever business area they’re in, and then how does it then transfer? How are they measuring that risk and how are they assessing the internal controls? They have to eliminate that risk or consciously assume it because they want to make some progress in either a business line or process, where you really agree to say, okay, I can accept this risk today. I want to mitigate it by such and such a date, and then you can build that into your strategic process.

Eileen Fahey:

And so, if your first line is aware of those, I think a lot of the education on the risk process has been done, but then challenging them to look at other potentials and particularly, when bringing on a third party. Are you giving up all these controls? Are you making sure that they can? That this third-party function will include all those controls in the process of whatever they’re doing, or if they can’t, what do you need to do… If that’s the optimal party for you, what do you need to do to mitigate those risks that they may not be capable of addressing?

Dr. Laura Jones:

Yeah, I totally agree with what Eileen said, and it’s going to be important also to conduct a risk assessment on the vendors’ prequalification. Right. Your pre-qual phase, to understand what type of risk they might engender to your operation and to your organization. And then from a risk management perspective, just how mature are they in terms of business continuity? If they are a true and integral part of your process, if something were to happen and their business was disrupted, what does that mean for you? Do you have a backup plan? If not, sometimes some vendors may be the only option depending on your industry and the product or service that you need. But how mature are they? Do you have their business plans? Their business continuity plans, for example, their disaster recovery plans? How does that fit into your SLAs, your service level agreements with them? If they’re providing some sort of cyber platform or some other key business process, we would need to know, are they able then to really support your business and keep it going as a third-party provider?

Dr. Laura Jones:

So if they have recovery time objectives, recovery point objectives, et cetera, with a platform that they’re providing, are they able to meet those times and objectives that you’ve agreed to with them? So that’s something else to consider in terms of this third-party risk management life cycle.

Atul Vashistha:

Right. So I want to go back to the first line, but before I do that, to the audience, if you have any questions, you have a comment, something you want to share, please put that in chat or Q&A, and I’m happy to pick it up and, of course, ask Dr. Jones and Eileen, and I’m also happy to share your point of view on challenges or a solution that you might have. So use this opportunity to also learn from each other. So let’s go back. When we think about maturing risk programs, Eileen, you talked about it, Dr. Jones, you reinforced it, which is, Hey, let’s make sure you start at the first line.

Atul Vashistha:

And for those of you in the audience that may not necessarily be from a financial services background, when we talk about first line, we’re talking about the business, we’re talking about procurement and sourcing. Right. So think about it from a procurement and sourcing perspective: the very first step, when you are looking at selecting, when you’re looking at understanding and doing the initial due diligence on what risk am I being exposed to, or will be exposed to, if I onboard this third party? Talk about how you mature practices in the sourcing and onboarding process, and then we’ll talk about the later life cycle.

Dr. Laura Jones:

Yeah. Go ahead, Eileen.

Eileen Fahey:

In terms of the sourcing, I think you have to throw a wide net initially and see what’s out there, see what you’re looking for and if it meets your needs; generally you’re never going to find a perfect fit. But you have to say, okay, by engaging this third party, what risks am I adding to my process or what risks am I expecting them to manage? And as we said, if they’re a key part of your process, how important is it that they do these security checks, or how important is it that they have a process that is embedded, and widely embedded, in the processes that you have? What could disrupt them? What could disrupt you? And if that’s a no-go, if there’s a major disruption that you can’t live with, then they’re probably not the right party for you. I think that’s one of the things that you really have to decide early on.

Atul Vashistha:

So just on that thread, Eileen, talk a little bit about, too often in past practices, I’ve seen companies do financial due diligence and cyber due diligence, and that’s pretty much it. And I think, as I just talked about at the beginning of the session, one needs to have a wider risk aperture. Talk to us, based on the learnings that you have had, and same for you, Dr. Jones, about what else you should actually be looking at and not just be limited to financial and cyber due diligence.

Eileen Fahey:

So we do a lot of operational. Fitch engages in mostly data sourcing and processes through our third parties or consultants. So it’s usually a soft skill. It’s not hard goods. I think with hard goods, you have to explore if there are alternatives. If you’re going to buy some type of lumber and you needed a certain grade, how many sources are there, or what are your alternatives to that if there’s a failure? In data sourcing, there’s a plethora of data providers, but is it the format that you need? Is it something that you need to manipulate? Do you need to validate it? How reliant are you upon that data? And if it’s a key process in the system, then I think the financial side of things, if they’re a reliable party.

Eileen Fahey:

The service side, I think, is the most important. Ignoring financial and the security part of it, how good are they at providing it? How timely is the data? How accurate is it? Is it meeting their standards? So those are the types of things of, is it a full replacement? Am I relying on them 100%, or do I need staff to do things, additional staff? And you have to build that cost into your whole process and, of late, review the cost of mitigating those risks and the cost of the service versus bringing it all in-house yourself.

Atul Vashistha:

Great. Dr. Jones, are there risk domains that companies should be looking at?

Dr. Laura Jones:

Yeah, I would say not so much a domain as it is a key part of the process, which would be the contractual piece. When entering into agreements with a third party, it’s important to have that language embedded in the contracts to make sure that there is a clear understanding of what the relationship is, the timeframes, the expected products and services, the deliverables, et cetera. And then that also goes back, again, when we talk about a domain in terms of operational, to making sure that your business is able to continue, that you can sustain your business through that third party. They’re brought on because there is a need there. So make sure that they’re actually able then to fulfill that need and make sure that they are able to support you in the way that’s expected.

Dr. Laura Jones:

I would also think about reputation. Reputation is a big risk. It’s a key risk. I would say to you that in looking at an organization’s reputation, that your reputation, the other organization’s reputation, that’s the biggest asset that any organization owns. It’s intangible, but it’s also… It’s everything, it’s a make or break. It’s whether or not you’ll get customers, it’s whether or not you’ll hit your financial objectives, you’ll get a piece of the projected profitability. It all hinges on reputation. So again, going back to the due diligence piece, to make sure that there are some controls in place such as contracts, for example.

Dr. Laura Jones:

And so that’s one of the big ones for me: to make sure we aren’t taking on more risk reputationally than anything else. It is operational. It is financial. It is some of those other categories, but if you’re hit reputationally, those costs can be incalculable and they’re not necessarily something you’ve projected and planned for, so it can go on for several years and there could be quite a loss. So that is one that I would definitely think about. And so what that means from a more practical perspective is, how well is the vendor doing? How well is the third party doing? Are they at risk of bankruptcy, for example? What line of sight do you have into their financials? If they had a breach, how recent was the breach? Did they make course corrections, et cetera?

Atul Vashistha:

Right. So Dr. Jones and Eileen, this is… When we think about it, I can summarize the areas you talked about into kind of… We think of them as seven risk domains, which we’ll talk about in a little bit: financial, cyber, operations, compliance, ESG, Nth party and locations. And when you bring it all together, it addresses the operations, the contracts and so many areas that can have an impact on not just operations but also reputation. The other area that I wanted us to talk about, but let’s talk about it in a little bit, is the way we talk about assessments. The way we’ve been doing assessments for decades is such an old practice, because they’re done at a point in time, and risk is no longer an area that changes on this continuous model of once a year or once a quarter. So how does one think about risk exposure on an ongoing basis is a question that I’m going to come to in a little bit.

Atul Vashistha:

What I thought we should do is as part of us sharing our information, I also wanted to ask the audience to kind of share where they are in their journey. So when you think about it, to the audience, I’m going to ask you a poll question in a second. So think about in these five stages, where is your third-party risk management program today? So think about it while I bring up a polling question.

Atul Vashistha:

And when I launch it, hopefully all of you are able to see the survey. So how mature is your current risk management program? Are you at an initial state, just got started? Defined: certain practices that are well defined. Are you at managed, which means the program is in a decent place? 4 being you’re fully integrated: standard processes, global metrics, leaders driving a risk culture. 5, of course, is where you’re fully aligned to the business and really driving true differentiation in the business. Only about half of you have answered; the others, I’m going to give another 30 seconds. As you’re seeing the results, I’m sure they’re going to change only slightly. Dr. Jones, Eileen, any thoughts on the fact that… Of course nobody believes they’re optimized. What do you think when you see… Which is good to know, right? Which is good to know that people still have a journey that they are on. What do you think about the results as such?

Eileen Fahey:

Yes. So to me, I think if you’re in the defined, managed and integrated, a lot of people are, I think, more critical of their own processes than they perhaps need to be, so I would guess that many of the managed groups are in the integrated. When you have a managed and an integrated process, I think that is where the first line, or the people that are engaging those parties, are already thinking about many of the things we talked about. So they know what they’re depending on the third parties for. They’ve entered into a contract, they’re managing that contract and they’re managing that service. And they can anticipate and be proactive about some of the things that could go wrong and what they need to do. So to me, that’s managed and integrated. Defined is where you’re largely at, I think, a disadvantage, because you know what you need to do, but you’re not quite doing it yet.

Atul Vashistha:

Yeah. Maybe not getting funding, so you need to prove that case. Right.

Eileen Fahey:

So that’s where I think more of the challenges are, in terms of onboarding, selecting, and then getting into more of a management or even a contingency plan of what could go wrong and what we would do when things go wrong; those are more of a challenge for you.

Atul Vashistha:

Right. Right. When you think about this, what about fourth-party risk? We are seeing it, especially when you look at disruptions in 2021, and one of our friends in the audience asked about how you are ensuring that your third parties are fully disclosing their critical third parties, which are our fourth parties.

Dr. Laura Jones:

So a lot of that’s going to come out. Again, it starts with the contract. So it’s making sure that there’s this obligation. I have seen in the past, with some risk management programs, in order to go back to a vendor to get them to disclose, if you haven’t agreed to it already contractually, they’ll actually ask you to pay. It could be 10,000, 30,000, what have you, to come back and pay for that information, because they’ll tell you that it’s consuming their resources and their time. And so it starts then with the contract. Right.

Dr. Laura Jones:

But I would also say that it would also be imperative for you to have such a relationship that everything is, again, defined, it’s documented. And I’ll go back to having those plans. It’s having not only things laid out in terms of timeframes, timelines and being very specific with what that is in terms of the deliveries and notifications, but it’s also having their plans to understand what you can do to hold them accountable. That’s the type of information you would need. If you don’t have that, then now you’re relying on sort of what’s happening in the news, what is emerging, what is trending, where there’s been an exploit; you’re looking also to see how that impacts you, if they’re a vendor in your ecosystem. And it’s also a reliance then on any sort of publicly accessible information that you can pull. So not having that line of sight, not having things documented and agreed upon, is really not going to be helpful, because there’s no obligation to disclose.

Atul Vashistha:

Yeah, there are great systems today. Right. We can discover IP addresses, which makes it easy to discover at least those fourth parties that are integrated in your organization. So I think there are definitely tools out there. Before I move on from the risk maturity model to risk appetite, because I think that’s a really important part of maturing risk programs, any other… So we just shared a model, for example, right here, a simple model of a five-stage risk maturity. Are there other maturity models that you either follow or look at that you would recommend to the audience?

Dr. Laura Jones:

So from what I’ve seen in the past and what I’ve implemented in organizations, this is really the model. It’s typically a five-step model, in some cases a four-step. And these are typically the words, but you’ll also have things like sort of reactive, compliance, siloed, integrated, optimized. So they sort of just change. And it depends on the organization in terms of the taxonomy.

Atul Vashistha:

The language. Yeah.

Dr. Laura Jones:

… that they would want to use. Yes. The language that they would want to use. But this is pretty much what I would expect to see and what I’ve used in the past as well.

Atul Vashistha:

How about you, Eileen?

Eileen Fahey:

Yes, very similar, and they’re easy to view and apply to organizations. I think two important pieces to add to that, though, are: how much support are you getting from senior management in terms of the execution of that, and are they holding their managers accountable for the implementation, as well as the board, and who are the key stakeholders? I think that those two pieces will tell you a lot about the risk culture and the maturity level in an organization.

Atul Vashistha:

Right.

Dr. Laura Jones:

And so there was, I believe, around 34% of the respondents who answered the polling question who were around managed. And I actually think that that was a pretty good response rate. I would expect to see it… Yeah. 34%. I would’ve expected to see it more around the defined area, because when you start getting to a level three, and there may be some very mature organizations out there, it’s really going to depend on what industry you’re in. If you’re in a more regulated industry, of course, there’s more rigor, there’s more oversight. And so then your numbers would be a bit higher in terms of where you are on the maturity scale. You have to get there quicker and you have to get there, otherwise it’s compliance issues, fines, et cetera.

Dr. Laura Jones:

But when you start getting to the managed stage, you’re actually looking at having key risk indicators, you’re having metrics, you have a dashboard, you are working your three lines of defense, you’re doing self-assessment. There’s a lot that goes into that middle area to say that we are actually managed. And that may very well be happening, but I would’ve expected to see more of a response at the defined stage. But again, it’s very much… It depends on the industry. Again, if it’s more heavily regulated, you’re going to have to get to the maturity level that’s expected for that industry just a bit quicker.

Atul Vashistha:

Right. So we’ve had a good discussion around how to think about the maturity of your program, and what some of the components of it are. Let’s talk about the importance of risk appetite. Eileen, maybe we’ll kick off with you, and why that can be very critical to your risk program. And then I want to talk about some specific areas around risk appetite. Let’s talk initially just about why that is important. First of all, what is it, and why is it important?

Eileen Fahey:

So risk appetite is… I think there are multiple ways you could talk about it. You can get very specific in terms of how many categories you would put your processes in. Is it 5, is it 10, when you start to look at the interconnectedness of some of these risks? So for example, if you’re looking at your operations, certainly your human resources are connected, as well as metrics and other processes. So I think it depends on how you devise it. Risk appetite for many, and what we do here at Fitch, is look at each of the major divisions. So we have 10 categories. Our ratings process is a major category and actually has two categories in and of itself. But you also have… So you can define it in terms of a very specific, here’s the risk for our ratings process: we don’t want to violate any regulations, and what does that mean for the internal controls and the processes that come along with it?

Eileen Fahey:

So you can get very, very specific, but in addition, I think it does help the board and managers to think bigger picture. And how does the risk appetite align with the strategy, and how does that balance? So to Dr. Jones’s point, you have to have a fairly mature, more than managed, risk process to really integrate the strategy into the appetite statement. But it is something that, in order to do that, you then have to… You’re coordinating and sometimes herding cats, because everybody’s got a different view of what their risk appetite is. But you need an agreement at a very senior level of, okay, we’re willing to let risk or, say, commercial people take higher risk, because we know our processes are so tight and we can deliver more product in the timeframes that are asked and we can scale that up quickly, versus holding back on the sales range. So it’s a give and take that is very important at a very senior level, I think.

Atul Vashistha:

Yeah. We had a really interesting discussion in a group of risk leaders that I moderate on a monthly basis, along with John Bree. And the question was about who owns risk acceptance, first line or second line. And it was really interesting to see that, even in financial services, the answer was not the same across different financial companies. Yeah. So on that, Dr. Jones, let’s go through area by area and see how much we can cover. Let’s talk about the stakeholders that you, Dr. Jones, make sure are part of the discussion when you are dealing with setting, or evolving to the next stage in, your risk appetite framework.

Dr. Laura Jones:

Exactly. Yeah. Thank you. So there are two key stakeholders in the process, I would say. Lots of people are involved, but there are two key sets of folks that you would definitely want to embed into this risk appetite journey. One would be the business. Again, and Eileen mentioned it, in terms of having these various requirements, missions, et cetera, you would want to make sure that you understand what their needs are and how they’re thinking about risk, and what are the key priorities for them, what are the key risk areas that they’re dealing with in trying to meet their own individual company objectives? The other party that I would definitely integrate into the process, and first of all, would be the senior-most leadership, who are your sponsors in this process. Are they asking for it? Do they agree with it? Because without that senior sponsor leadership, your journey may not be successful.

Dr. Laura Jones:

So you need to know at what level this is being requested and where your support is coming from. Because it’s imperative, in everything that we do, that we have that level of support, but especially more so in risk management, because it is oftentimes looked at as a cost center, although most business leaders understand the necessity of having risk management in place. A lot of people may not understand what a risk appetite is, what that’s going to do for them and their business, but it is all about making informed business decisions. So it’s important to know then how the senior-most sponsors or senior-most leadership in an organization think about key risk areas. What are their priorities? Is it cyber? Is it data governance? Is it privacy, data privacy, data use? Is it business continuity?

Dr. Laura Jones:

And then aligning to those key areas, what is their appetite for risk in cyber? It may be very low. We have a very low appetite and we’re going to make very conservative decisions and we’re going to do our risk analytics before we move forward. It may be something else. It may be scalable even within having that same level of a risk appetite, if we say cyber is low. If we are doing a merger and acquisition, for example, and we’re acquiring a company, we may let it scale a little bit right, because they may not have everything in place.

Dr. Laura Jones:

That company may not have everything in place, so we’re going to account for that because we want to bring that company on board. And so it may scale a little bit. There’s some flexibility in there, but I would say that it’s predicated upon the senior most leadership or the sponsors being involved. They absolutely need to be your advocates for this process. And then as well, I would say the business, because they’re the ones that are going to use it. It’s going to be handed down whether this is built from a bottom-up approach, starting with the businesses, or whether it’s driven top down by the leadership they are going to… You’re going to need both of those parties involved so that you can have good user adoption.

Atul Vashistha:

Right. By the way, I think you used some great examples. Let’s use another example because it’s a question from the audience on location. So maybe from you, Eileen, how do you, or in your experience, how should risk leaders think about risk appetite when it comes to location? I’ve got some great examples I can use, for example what’s happening in Russia and Ukraine… By the way, that’s a webinar we’re doing tomorrow to talk about geopolitical risk. So talk a little bit about risk appetite regarding locations.

Eileen Fahey:

So location is… So Fitch has 30 offices globally. We’ve entered certain locations on a very early basis of, do we… Is there an issuer base or an investor base and do we want to have a sales office there or do we need a credit office there? And what does it mean to staff? Are the skills available in the location that we’re going to be in? We’ve learned certainly from COVID that you also have to have the systems and the process to co-locate. So can you afford not to be in offices? How do you operate? What are the contingencies when you run into those things? If you can’t travel, can you still communicate? Can you continue to operate your business?

Eileen Fahey:

We have an office in Moscow, being a US… I mean, an EU and a UK based company, depending upon the sanctions, what do we do? How do we operate? Do we retain those people? Can we pay those people? How do we make those decisions? How quickly do you need to make those decisions? So location is very pertinent and you’re also potentially subjecting yourself to multiple regulations that may be in conflict. And so can you work around those conflicts? Can you manage that process? So it pulls it all forward immediately when you’re looking at location.

Atul Vashistha:

And Dr. Jones to that point, Eileen, that’s a great way to say that. And to that point, we think about the whole ESG aspects. Right. And that intersection with location, where companies are saying, there’s certain locations we don’t want to source from. There’s certain locations we don’t want to operate in because of their DEI or other practices. Can you share any other points kind of how else you think about risk appetite in terms of certain hurdles that you should think about when you’re thinking about laying out your risk appetite?

Dr. Laura Jones:

Well, it is all about the risk assessment and Eileen was spot on with what she said quite honestly. And it is about location, it’s about understanding what’s happening in those areas. And again, it goes back to reputational risk. It’s not only getting the products and services that you need delivered. It’s not just about getting those products at a better rate, but it is also understanding kind of from a humanistic standpoint, if you will, what’s happening in those areas and what does it take to actually get those products into your environment for sale? What is happening with the human resources that are actually producing those products and providing those services for you? And then what does that mean to you? From an integrity perspective, reputationally, if something were to be found out and you didn’t do a proper risk assessment due diligence and something were to come back to your organization, it could be pretty catastrophic.

Dr. Laura Jones:

It’s not only the immediate fines, it’s not only the severed relation, it’s not only a business disruption, potentially, but again, it goes back to that reputational risk. There’s a lot of damage and people like to… I call it reputational distancing. Right. Like social distancing. It’s that reputational distancing, where people just don’t want to be aligned to you. Everyone loves a winner but we’re definitely not going to align ourselves to something like that. So ESG tends to play out in quite a big way when we’re talking about location, when we’re talking about risk appetite, when we’re talking about doing business in locations that may not be as desirable for those reasons in past history and so forth.

Atul Vashistha:

Yeah. I think these are great examples from both of you, why you can’t limit your risk aperture to just financial and cyber. Right. There’s all these areas that you have to think about. Let’s move to another key topic. Right. Even though when you talk about these risk assessments, even though you might expand your risk aperture, the reality is often these are survey-driven instruments, either when somebody’s being onboarded or doing initial due diligence, or when there’s a problem or an incident; the reality is they’re still at a point in time. Let’s talk ongoing monitoring and why that’s critical in your risk program and maturing your risk programs. I’d love for the two of you to talk from your experience, the pros and cons or, for that matter, why this is critical.

Dr. Laura Jones:

Yeah. Thank you. So, Eileen talks more from a Fitch perspective. I never really speak about the organization and that’s fine. She’s a chief risk officer, she can do that. But I always sort of go back to my own experiences. I’ve built eight risk management programs. They include the Pentagon, Kimberly Clark, publicly traded organizations, private organizations, Department of the Army, Department of Defense. So lots of different experiences, so that’s what… I speak more from a general, actually a very general sense. But what I will tell you, having built different programs, is that real time data is going to make the difference. Spreadsheets, we can translate data to PowerPoint slides. That’s fine. It’s a mechanism in which to communicate information. But getting that risk intelligence, those risk communications, making sure that we can expedite our analytics and what we’re learning, and how does that apply to our environment. It’s the real time data or near real time data that’s going to make the difference for us.

Dr. Laura Jones:

So in terms of monitoring, definitely recommend having a tool or platforms in your environment that will help you with that. I’ll stay vendor agnostic here, but we do see a logo in the corner as an example and there are some others out there that are very, very good platforms to use, but you need to automate the process of monitoring. It’s too reactive to wait for the headlines to then understand, are we using these vendors? Are we using this platform? We have to have a way within our risk management ecosystem to have some real time or as close to real time as we can get in terms of monitoring. And if we don’t have that, we’re behind the power curve and we’re playing catch up and we know on this call, that the difference between a risk, the risk is uncertain, it hasn’t happened yet, right, versus a sort of compliance issue.

Dr. Laura Jones:

So that’s more issue management, problem management. And that’s where we’re going to spend the bulk of our resources, trying to do cleanup work and repair and PR at that, when we could have looked proactively at the potential risks that were challenging our business, prioritized those risks, done our cost-benefit analysis to understand whether or not it would be beneficial to actually address this risk and respond to it, and once we know that, move forward and then continue our monitoring from that standpoint. But we have to have that. It’s an imperative.

Atul Vashistha:

Right. Just to add to that, to ask you, Eileen, it’s been interesting for me to just see how enterprises are sending out surveys on Log4J to ask if they’ve been compromised or they have it in their system. And now I’m starting to see organizations talking about, Hey, what is the impact from exposure to a potential Ukraine or Russia issue? Well, we can live in this world where we’re constantly doing these surveys, why are we not leveraging real time risk intelligence? Eileen, love your comments, any thoughts on that from you?

Eileen Fahey:

So I agree with Dr. Jones, the more data you have, the more proactive you can be. I think you could have a lot of data, but if you don’t have the critical thinking processes behind that, it’s not going to help you, but you do have to be proactive. And I think it’s a challenge. So Fitch is a thought company and we assign credit ratings to entities and we expect them to be proactive and forward looking and we try to embed that in our ratings process as well. So we challenge ourselves to do that within our own processes, but the data and the real time consideration of how quickly things can change and how flexible an organization you are, are also very, very important.

Atul Vashistha:

Yeah. And by the way, based on this, this is one of the reasons when I talk about this, I almost never use the word data only, because the reality is if you cannot get actionable insights, all it does is just all around the entire team, because you need to know the relevant from what’s not relevant to you, especially when you have access to real-time streaming data. So this is a thinking that we’ve been sharing as an example is, just like how IT has had network operating centers, major incident response centers, I think risk is evolving to a similar approach that says, if I can get access to real time continuous risk intelligence, I can leverage a workflow software to automate a number of my risk actions. Right. So that I can then free up my risk managers to really do critical thinking, to think early warning and prevent many of those risks by preparing.

Atul Vashistha:

So now you are actually building a very resilient organization and then you have a learning loop in place so that when incidents happen, like for example, there are typhoons in the Philippines on a pretty much annual basis, election disturbances in many parts of the world, that you know how… You have a playbook that you can respond and be much more proactive with. Any thoughts around, as you think about the organizations you have built over the years, whether there’s this whole approach to risk and resilience more from a capability perspective, rather than just the process that’s being run?

Eileen Fahey:

I think it’s important, Atul, like you mentioned, the thought process. So playbooks are things that we’re working on and making sure that various divisions have them and have them at their hand. But generally the playbook you’ve built based on your last event or crisis is not going to be the playbook you will need next. So the capability and the thought process and yes, we could do X, Y, or Z and this is the flexibility we’ve built into our system, is more important oftentimes than having the playbook. I also think that you have to have the memory of the testing and the processes where people, risk managers, and this is where you get into the first line. They need to know who to call and they have to have those relationships pre-established. And that way you can call somebody up from IT or from finance and say, okay what are you seeing? What do I need to do?

Eileen Fahey:

We build that through quarterly operations and meetings and testing scenarios. And that’s one of the ways that you have that then muscle memory in your brain to say, okay, this is what’s happening, oh, maybe I need to think about X, Y, and Z. Oh, I need to call so and so, and that way it’s more of a living process than a system. And the systems are needed, don’t get me wrong. You need to have the systems of the data, but you also need to have that process systematized in your management.

Atul Vashistha:

Right. Right. It’s what enables the organizations to build these ongoing sets of expertise, so you’re constantly learning also.

Eileen Fahey:

Yes.

Atul Vashistha:

Let me ask a poll. And then Dr. Jones, when you start seeing the results, we’ll jump on it. So to the audience, the second poll is, which of the following do you believe pose the biggest risk to your organizations? I’m going to give you a choice of six, please select only your top three. And so kind of think about 2022 in context now, because we’re heading out through the new year. Which of these risks do you see as the biggest for your organization? Please mark your top three choices.

Atul Vashistha:

I think prior to 2020, when I would do some of these surveys, cyber was absolutely showing up as the top. And then 2020, we started to see location based issues, right, because of the pandemic. And then in 2021, we started to actually see a rise in human resource in terms of business disruptions, due to people which I think, it’s not a choice here, but we saw that rise also in 2020. I’m really curious to see where people are now. I think we have a lot of people that have answered. I’m going to end the poll in about 10 seconds and then I’m going to make the results available, so maybe Dr. Jones, you can comment on it first.

Dr. Laura Jones:

Sure.

Atul Vashistha:

Hopefully you can see the results now?

Dr. Laura Jones:

That is exactly what I would’ve expected. I think cyber security, cyber incidents are definitely top of mind for pretty much all business leaders. It can shut a business down. And again, I always go back to reputation, I think partly because that was what my research was in for my PhD, so it’s always top of mind. But it is, it’s an intangible asset. So I would expect that would be number one. Business disruptions, I had that on my top three as well from a personal, a professional standpoint, that makes sense to me. And as well, but again, those two are closely tied and then changes in regulation. I would imagine a lot of participants on this call are in a more regulated environment and so the legislation and the volatility of the changes of legislations and regulations would be top of mind for them as well.

Dr. Laura Jones:

I would’ve reordered it a bit. So I would have, even though I’m in the cyber space, information security, I probably would’ve put business interruptions first, only because when we talk about other than supply chain disruptions, business interruptions could be a lot of these things and all of these things. So from that perspective, I would’ve ordered it number one, but I get why cyber incidents has the highest percentage, the response rates.

Atul Vashistha:

Yeah. Interesting. For either of you, what do you think of the fact that climate change, increasing volatility of weather, is almost a third? Right. I don’t think we would’ve seen that necessarily three, four years ago.

Eileen Fahey:

I think more companies are thinking about power and their source of where they are as well as the impact that could have on business interruption. Whether you’re in the receipt business or the supply… Whether you’re receiving or supplying, it’s always been significant. It’s been quite… It’s been interesting because I think in one of your earlier questions talked about unexpected or unplanned events and I think the power grid down in Texas in February last year really disrupted a lot of business, but I was actually buying furniture at the time. And I was surprised that apparently all foam cushions that are made in the United States are made in Texas. And so that was one thing that just disrupted not just my world, but many, many worlds after that. And you don’t think of the interconnectedness of some of these businesses.

Atul Vashistha:

Yeah.

Eileen Fahey:

It is very important and that you know these facts and you have that data.

Atul Vashistha:

Yeah. On that point there’s been a huge challenge with shipping as an example. And one of the things I learned recently also was that over 95% of the refrigerated containers, shipping containers, are all made in China. So when the export, import dropped in 2021, many of these containers were no longer making their way around the world, so they ended up in places where the trade has not started at the same level yet. So there’s a total imbalance in terms of where they are, both in manufacturing, but also the placement. So people don’t realize it’s not necessarily always that the ports are not open; also it’s really where these containers are. So all this complexity in kind of like the second, third level effects that are happening because of our supply chain issues.

Dr. Laura Jones:

And Atul, I think the ESG conversation as well has quite a large bearing on the climate change response rate as well. There’s a lot of information that’s out there now and people’s sense of ESG issues is heightened and so I think that also has something to do with it. It’s a topical conversation now.

Atul Vashistha:

Right. So as we are coming to the end of our webinar on maturing risk programs, I want to leave the audience with a few messages, so I’m going to ask the two of you to also kind of add anything else that the audience should know about maturing their risk programs. So a couple of points that I just want to add, I think from our discussion, hopefully it’s clear to the audience that when you think about your risk aperture or risk domains or the risk coverage that you should have, very clearly one of the things all of us are saying is, don’t limit yourself just to a few sets of risks. Right. That your risk aperture needs to be wider and we definitely saw that in 2020 and 2021. And you can see those risk domains.

Atul Vashistha:

I think the second thing we talked about is the value of ongoing monitoring real time risk intelligence. But very clearly as Eileen and Dr. Jones specified is make sure that it’s not just about overwhelming data, but as reality is, systems to enable actionable insight and then how do you cut through all that noise so that you can actually take actions? So Eileen, to you first, what would be the final words of advice you would leave the audience as they’re thinking about and working on maturing their risk programs?

Eileen Fahey:

I would add two things that we haven’t mentioned yet. One is, ask a lot of questions. Don’t think that you know the answers, ask staff and ask all levels of staff. And then the other is to do what a regulator has suggested. We think about that as reverse stress testing. So rather than trying to think about climate risk and how that impacts, look at your business and think, what could disrupt my business and what could really cause me a problem, and then how would that occur? So you’re looking at it from a reverse direction with your staff and have collaboration and discussions about it, because people will raise things to you that you probably haven’t thought of.

Atul Vashistha:

Thank you.

Dr. Laura Jones:

Yes. So one thing that we’ve talked about, two things that we haven’t. One is to ensure that your organization does a gap assessment, a risk assessment, but looking for those gaps. If you’re looking to mature your risk program, then you have to kind of understand where you are, baseline your program, and then understand where on the maturity scale you think is feasible for your industry. You can benchmark and so forth to make sure that you have a plan that’s reasonable, that’s not necessarily too aspirational, because that will put too much pressure on your people and your program may not move forward. The other thing is establish a risk hierarchy for reporting purposes. Not every risk has to be elevated. So starting from the top down, understanding what the key priorities are for your senior most leaders, what are those prevalent risks for your organization, specifically. Having a line of sight and the capacity and capability to report on those risks is going to be important.

Dr. Laura Jones:

So then to establish that hierarchy again, make sure that it’s automated, if you can, versus spreadsheets and Excel sheets and PowerPoints, so the risk communications are more expedient. And as well, I would say that whomever your advocates are, your senior most leadership, those sponsors who you have access to, make sure that the message is communicating that this program is to be taken seriously. That’s going to make or break your program. So those senior leaders, those VPs or however your organization is constructed, that they understand that they could be tapped to be risk owners, if you will. This is coming into your environment. It may be a marketing risk, it may be a cyber risk or what have you. If you’re over that particular domain in the organization, you may be tapped to be a risk owner and then the risk management, that second line, will work with you to help identify the appropriate risk lead, so that not only have we identified these risks, but we actually have some actionable strategies and risk response strategies to apply to them so that we reduce our risk exposure overall.

Atul Vashistha:

Thank you for that. I want to reinforce to the audience how important it is that we spend time learning from leaders like you, Dr. Jones, like you, Eileen Fahey, and I highly recommend following them on LinkedIn. Because one of the best words of growth for me has always been… Is actually learning from leaders who are experiencing this every day. Right. They’re the best sources of information. So tomorrow as an example, we have a webinar on geopolitical risk, like what is the potential impact of the Russia-Ukraine crisis on our third-parties and what are the second and third effects of that crisis to potentially Germany as such, because of energy and related aspects.

Atul Vashistha:

So if you want to scan the QR code, you’ll be able to attend this event live on LinkedIn tomorrow. As an additional resource, many of us spend quite a bit of time interviewing risk leaders regarding, Hey, how do you accelerate the adoption of continuous monitoring? We talked about the positive aspect of that, but also the challenge of having access to all the data. So, this is an e-book that’s available to you. Let me just conclude by Dr. Jones and Eileen Fahey, thank you so much for spending time today, talking to us about how to mature risk programs and more importantly sharing the experience that you’ve had over all these years that you brought to the table today. Thank you so much for your time. Really appreciate it.

Eileen Fahey:

Thank you, Atul.

Dr. Laura Jones:

My pleasure. Thank you.

Atul Vashistha:

Thank you. And to the audience, if you have suggestions on any other topics that are of importance to you, that you would like us to bring and leaders that you want to hear from, please send us an email at info@supplywisdom.com. This session will be available on CRO Wisdom, so you’ll be able to actually take this recording and share this with your colleagues. Thank you everyone. And I appreciate your time again, Dr. Jones and Eileen. Take care.

Speakers

Eileen Fahey, CFA

Chief Risk Officer

Fitch Group

Eileen Fahey, CFA is Chief Risk Officer for Fitch Group. Appointed in June 2017, Ms. Fahey oversees Fitch Group's risk management function, which includes reviewing, monitoring, and addressing the multitude of risks that can impact the group's performance and reputation. Ms. Fahey and her team form the 2nd Line of defense for Fitch Group's risks, including credit, operational, information security and compliance risks. Ms. Fahey joined Fitch Ratings in 1998, most recently serving as Chief Credit Officer, a role she held since 2015. She joined Fitch as a credit analyst for the financial institutions group and subsequently managed the teams focused on investment and money center banks. Before joining Fitch, Ms. Fahey was a National Bank Examiner with the Comptroller of the Currency (OCC). She was a member of the multinational banking group, examining U.S. money center banks' capital markets and trading operations.

Dr Laura Jones

Senior Director of GRC

Hearst

Dr. Laura Jones is a recognized risk strategist, visionary, and hands-on leader known for her thought leadership and consistency in exceptional execution. Dr. Jones expertly blends niche skills that underscore program sustainability with a professional background in risk management and quality systems management. Having served in newly formed roles throughout her career, Laura brings a trailblazer perspective to each organization that she engages. She is adept at developing a requisite vision to meet business goals and deliver excellent results. Dr. Jones enjoys speaking internationally about the art and science of risk management. In her spare time, she authors children's books to share real-world cybersecurity and I.T. concepts through her kid-friendly characters, Cyber Ky & Tekkie Guy.

Atul Vashistha

Chairman & CEO

Supply Wisdom

Atul Vashistha is recognized globally as a leading expert on globalization, governance, and risk. He has authored three best-selling books: The Offshore Nation, Globalization Wisdom and Outsourcing Wisdom. Atul pioneered the global sourcing advisory space in 1999 when he founded Neo Group and is also the founder and Chairman of Supply Wisdom. Founded in 2012 as an early warning service for business disruption risk, today, Supply Wisdom® is the market leading patented real-time and continuous risk intelligence and monitoring solution. Atul serves on the boards of the US Department of Defense Business Board (Vice Chair), IAOP, Shared Assessments, and Zemoga.