Atul:
Hello, Alpa. Welcome to CRO Wisdom, the voice of risk leaders. I’m delighted that you’re able to join us today.
Alpa:
Thank you so much, Atul. Really excited to be here.
Atul:
So, Alpa, let’s begin by telling the audience a little bit about yourself, what you do, and where were you before this role that you have today?
Alpa:
Sure. So look, I’ve been in the industry for about 23 plus years. Started my career in manufacturing, and then was in engineering and construction for a couple of years. Also did aero defense and in last 15 years have been in the financial industry. Specifically, with Softgen, Goldman Sachs, and currently at BNY Mellon and really, really excited because at BNY Mellon I currently am head of third party governance advisory group, which looks at across 22 lines of businesses and how we actually look at vendor risk. So that’s what my current role is at BNY Mellon.
Atul:
Great. So Alpa, it seems like number of different kind of roles, how did you get started in risk management?
Alpa:
It’s a pretty interesting story. Right. And what happened is after the 2008 financial crisis, I just joined Goldman Sachs after that. And if we think about the regulations and how it’s changing the industry and the stress testing, having Dodd-Frank. It was something that was front and center for the financial industry. And that’s how I got into it because nobody knew what the regulation’s impacts were. And to be kind of spearheading that, I actually was a chief of staff at that time.
Atul:
So Alpa reflect on kind of what you’ve experienced in 2020. And as you think about 2021, what are your key priorities? What is going to change?
Alpa:
So current priorities, I’ll focus on three or four of them. The first one is cybersecurity risk and data breaches. I think that’s across all the industries, I think that’s the ultimate priority for most regulators or ECs as well as the board. I think the second is really looking at not just the cyber risks, but also other aspects of risk, which is operational risk, financial risk, and strong governance I think is also as critical. And then third, I would say probably is resiliency, right? As we are going through so much change from a technology perspective during the pandemic, I think most organizations are really prioritizing on not just the risk, but how resilient are we as an organization? So I think those are a couple of the priorities we have currently.
Atul:
You know, I’m so delighted to hear you, not just fixated or focused on just cyber. And you talked about all these other risks because too often we see companies traditionally being so focused on third-party risk, looking at financial risk and looking at cyber risk, but very clearly you’re you have a much wider risk aperture. Any other examples of risk categories that you see that you said, “I’m glad we are monitoring this because it has such a direct impact on resiliency.”
Alpa:
Yeah, definitely. If you think about we are looking at economic risk. We are looking at geopolitical risks, especially now in the current landscape. I think location and concentration risk has significantly helped us because where vendors are based out of, there are clients as well. Equally important, and then where our internal offices are. So I think it’s a threefold and all of them, I think has a significant impact if we think about our concentration and location. So yeah. Look, We have a wide array of risks that we are looking at and like you said, it’s not good enough just to have cybersecurity risks. Right? You have to think about between the hurricanes, what’s happening in the current climate change, all of that, we are actually incorporating in our day-to-day risk profiles.
The first priority is cybersecurity risk and data breaches… I think that’s the ultimate priority for most regulators. I think the second is really looking at not just the cyber risks, but also other aspects of risk, which is operational risk, financial risk, and strong governance I think is also as critical. And then third, I would say probably is resiliency.
Atul:
Yeah. But that’s really good. That’s really good advice. Right? Financial, cyber, environmental location, geopolitical, current status of companies, solutions and others. Now often when you think about all these solutions, traditionally, what we have seen is that companies are getting these from different providers and different parts of the company are getting this. So what’s compliant may never get exposed to sourcing. And what sourcing may have never gets exposed to third party risks. What’s your thinking around the challenges around being able to integrate all this so that you can get a single integrated point of view?
Alpa:
You know, it’s so important, what you’re bringing up, right? Having that single integrated approach. I’ll be honest. We are not quite there yet. We are working on it like most of the other competitors or peers given the fact that every single different, like you said, sections of lines of businesses, they do have their own different vendors that provide different services. Either it’s OFAC, sanction screening, either it’s cyber risk, legal, they are maybe desperate and separate in silos and the criteria’s very different too. Right? So depending on the vendor, they measure risk very differently as well and how they categorize them. So having a single integrated approach, I think gives us a holistic or an enterprise view, which we are currently somewhat missing because you kind of threading all these different elements of the risk. So I think we’re eventually going to get to that integrated approach where you have an enterprise view of what that risk is for specific vendor, specific client. We are working, but I don’t think we have a solution as of yet to be honest.
Atul:
Right. Well, great programs are always work in progress. So Alpa, I know that one of the other programs that you are integrating fairly well and making good progress on is that the addition of continuous monitor and talk to us about how you’re incorporating it, how you’re using it. And what advice would you have for others regarding adoption of continuous monitoring?
Alpa:
Yeah. Look, continuous monitoring has been critical for our success, especially if we think about last decade in general. It has really transformed the way how we operate in the businesses. And I think I will have to say as an organization, why we have been successful is because one of the reasons I would say is because of having continuous monitoring. So let me define what continuous monitoring means for us and how we actually operate based on continuous monitoring. So if we think about earlier time, what we did is we had a single point of time where we looked at risk assessment. We usually would onboard a vendor. We’ll do a great due diligence. And at that time that was it. Right? And then unless based on the category of the risk of that vendor, high, moderate, critical, we would then go on renewal basis and look at that every year or two years, every three years.
Atul:
Right.
Alpa:
Given the pandemic and just in general, all the changes that you’re going through in last decade, I think it’s important to see continuous monitoring has played a significant role because the companies that existed a year ago might not be in today. Even companies that existed a month ago might not. Either from a financial challenges that they having, operational challenges, location challenges. So one of the things we were looking at is having these real time alerts. And based on these real-time alerts, we have changing other processes as an organization. So for example, we could have some vendors that we classified as critical.
Alpa:
Maybe let’s say six months ago. This is alerts and continuous monitoring and what we’re seeing, the trends. We are now literally rearranging our process. And now they’re going to these vendors and saying based on these alerts, you’re going to specifically choose a domain and get much more comfortability to make sure do they have the right evidences or do they have the right mitigates? And I think that has kind of changed or transformed continuous monitoring ways for us. I also think it’s so important as once we get these alerts, how do we actually take action? Or how do we execute it? So that is something that you’ll be finding every day to get better and better to be able to then, you’ve got predictive capabilities.
Atul:
Right. Right. What’s interesting to me about that is that you are actually taking a risk based approach to risk management. You’re focusing on where the issues and challenges are and focusing on making sure they’re mitigated rather than being generic across all of the third parties.
Alpa:
Yeah. Especially if you think about it, look, a lot of the times we used to go to a critical vendors, we used to do onsite assessments. We can’t do that too. Everybody’s working from home now. Right? So I think the continuous monitoring has significantly helped us because we are seeing these alerts and that data triggers for us to then do the investigation that needs to be accurately with that from our best perspective. So, couldn’t agree with you more.
Atul:
Good. Let’s get into to the profession of risk management and you. Bloomberg identified risk manager as a hot job. What do you think about it?
Alpa:
I’m really excited to be honest. And the reason why is I’m a risk leader. So for all of us who are in the risk industry, I think this is a great thing. I think in the past, we have always been on behind the scenes. If you think about the risk space, I think now if you can see, we are driving the agenda. The risk leaders are talking to the regulators and talking to the ECS and the board to give them their insights and make sure, do we have the right risk protocols? And do we have the right predicates? So I think it’s an exciting time right now for all the risk leaders, because we are really kind of looking at it strategically. We’re trying to be resilient and be proactive and then help the organization make sure that they are resilient.
Atul:
Right. I think it’s extremely well deserved when you look at what risk managers, what risk leaders have done. Particularly around resilience, and the companies that have done well have shown the great competitive advantage and benefit of great, good risk management.
Alpa:
No, I agree with you because there is never a predictive risk as I call the calculator, right? There’s nothing that can tell you what the risks are coming. Nobody predicted COVID. But I will say it’s how resilient are organizations and how quickly can they adapt, right? Because a lot of the organizations, especially with the legacy infrastructure that you have, with the talent that you currently have, it makes it very, very difficult. So yes, I think resiliency is going to be a key critical aspect.
Continuous monitoring has been critical for our success, especially if we think about last decade in general. It has really transformed the way how we operate in the businesses. And I think I will have to say as an organization, why we have been successful is because of having continuous monitoring.
Atul:
So Alpa, talk about a little bit about yourself. What resources do you rely on to make yourself a better professional?
Alpa:
So look, I think industry forums are really important to be in this position. I have been very fortunate. I sit on the shared assessment committee and they are, as you guys I know, they are the industry leaders in third party risk and certifications. I also sit on the Risk Board, which is another organization that is really peer to peer network. Where it’s across different industries and we leverage each other for best practices and insights. So that’s where we kind of talk about what other industries are doing within the space of third party governance.
Alpa:
And then there’s naturally another one is Women Corporate Directors, where women are really helping each other in this specific third party governance. So I think those are a couple of the industries that I think highly makes me successful by being affiliated with them. I also am a look abreast with the latest articles and the white papers as it’s important. And then having a strong network, I can’t emphasize how important it is. Especially during this time to really understand how other organizations are managing the risk and are we in par with them, or are we below or average. So I think those are a couple of things that I am personally doing to make sure that I’m on top of the risk space.
Atul:
I really appreciate it because you’re not just talking about sitting in a class or just taking it in. You’re also talking about all these organizations, that you talked about is also about sharing. So you’re learning and also sharing. I really appreciate that.
Alpa:
It’s so important now, right? Because listen, we don’t get to be in those conference rooms. We don’t get to have dinners with our peers. So I think having that communication and being able to share insights and best practices, I think that’s pushing us all in a better direction as an organization.
Atul:
Right? So for my final question. What advice would you have for future risk leaders? How can they have a great career in risk management? How to prepare themselves?
Alpa:
Well look, I think it’s a growing, growing demand field right now. I think you couldn’t choose any other field than being in risk and I’m being one of them. I think there are a couple of things you need to have in order to be successful in this field. One is being agile, right? You really need to understand the risk. You need to assess those risks and given the rapid advancing technology, I think you need to take the risk, but you need to be also able to get ready to fail fast. Right? So if you’re going to do something and it doesn’t work, be okay to fail, but do it very quickly. I think also need to have a mindset of being very problem solver and innovative. It’s not like working in a production line.
Alpa:
The third one is having a good judgment. It is so, so critical, right? In risk profession to have that timely decision, but be able to understand the business and impact. So I think if they want to be successful, I would strongly suggest that if they have these three skill set, they will be as I call golden in that space.
Atul:
Alpa, that is sage advice. And again, thank you so much for joining this episode of CRO Wisdom. To the audience, if you have a guest in mind that I should be interviewing, please send an email to info@riskboard.org. And I will make sure that we make them on an episode of CRO Wisdom. Thank you again, Alpa.
Alpa:
Thank you so much Atul. Have a great day.
Atul:
Thank you.
