CRO Wisdom Episode 22: Matt Moog, General Manager – TPRM, OneTrust – Part 3

Atul Vashistha:

Let’s switch to jobs and careers and risk. I’ve known you for a while and I know very clearly you have demonstrated how much more today than when we first met. In a sense, it’s all about growth. Talk to us about what resources you use, and what you leverage to make yourself a better risk professional.

Matt Moog:

It changes. It changes a lot. I’m actually one of those people that goes in and reads regulations. God forbid we actually do that. It’s boring. If you’re looking to go to sleep, read the regulations. Yeah, I’m sure it’ll put you to-

Atul Vashistha:

You and Victor Meyer.


Matt Moog:

Oh, man. I distinctly remember the PCAOB put out a statement. I think I was like a senior, maybe I’m three or four years into my career at EY, and I was like, oh, this must be Q&A time. So I sent a response back. They treated that as Ernst & Young’s formal global response to the regulatory body and people were calling me and I had to back that out. But in the end, someone told me, you know what? We couldn’t fault you. One, you read it, and two, you had a really good question, and it was about the reliance on internal audit, in external audit activities.

So, I think you have to do the things that no one really wants to do. You have to read the materials, you have to understand it, print it out, read it once, underline some things that are interesting, put it aside. A month later, read it again.

I mean, my client discussions constantly change where I’m focused, what I’m interested in, what I’m pursuing, and how I’m growing. And I always tell people as I’m advising them in their careers that you almost have to look at your career like that Trivial Pursuit pie. There are different pieces that you’re going to be working on, and sometimes you master something, and you can kind of put that off to the side and you can choose a new slice of pie that you want to put in there. But always be looking at those four or five things that you have a material interest in. And don’t just tell yourself you’re interested. Spend the time, put it in your calendar that you’re going to spend an hour reading, and stick to that. When I was traveling a lot, I never opened my laptop unless I absolutely had to on a plane. One, just the security aspects of it and people looking over your shoulder.

But I just felt like that was the time that I had where I had an uninterrupted ability to read. If you looked at my bag three or four years ago when I was traveling heavily, it was filled with paper. I was reading things and underlining things and questioning things. And then when people would come to me and say, “Oh, Matt, I really don’t understand this privacy regulation that’s coming out in, I don’t know, Singapore”, I’d say, oh, I got five pages here. I can just show you this.

Atul Vashistha:

It’s underlined.

Matt Moog:

Read it. It’s underlined. It’ll give you the footnotes. And sometimes you just have to take that time and again, it’s not easy. I mean, it’s easy to go from meeting to meeting to meeting, and at the end of the day, you didn’t really grow or learn. It’s harder to keep an hour or even two hours to sit and thought and think. It does get easier as you get more advanced in your career because you have a little bit more white space and control of your schedule. Obviously, when I was a staff member, people told me to go places and I went there happily. But making sure that you understand what you’re doing, why you’re doing it. I mean, you can’t be a risk management professional in any industry without understanding how your company makes money.

And how they operate and what the different divisions are. I think the hardest thing that I’ve ever done in my career is come out of financial services as a discipline and try to apply that to energy and pharma and healthcare and tech. And when you learn an entire industry, it’s almost a year to a year and a half of just reading and knowledge to understand how they operate. And the older you get, the less leniency you have in asking dumb questions. So I have to ask my dumb questions off to the side. But yeah, I mean understand the business. I think it’s probably my point.

Atul Vashistha:

So Matt, final question. You already gave some good advice that I think applies to those that want a career in risk management and want to move up. So again, just wanted to see, is there any other advice you would give to somebody who is earlier in their risk career or is considering a risk career? What else should they be doing?


Matt Moog:

I mean, in addition to understanding the business, don’t be afraid to take a position. Don’t be afraid to justify your position. I think a lot of risk professionals, again, going back to that risk management versus compliance are real comfortable about saying, well, I got my three things done, so I’m okay. As opposed to saying, hey, I don’t think this is a risk worth accepting, or I think this is a risk that’s too detrimental, and here’s why. I think when you start to ask those uncomfortable questions and you start to actually look at risk as a spectrum, then you start to engage other people around you in those discussions where you’re both growing.

I mean, I could be completely wrong on a topic. I’ve been wrong on topics before. I’m happy to admit that I was wrong on certain topics, but that’s how we grow. We bring things into a community, we talk to it about other people, and we understand what’s acceptable and what’s not acceptable. Most of the discussions that I had with clients weren’t sitting down and talking about processes, sitting down, and talking about different risks and how they handle and what are the options to handle them, and how I manage a relationship with a business when I don’t think the amount of risk they’re taking on is sufficient.

I think organizations that don’t have chief risk officers and don’t have to hold people to account and ask those questions are certainly in positions that are not helpful to the organization. We saw that with Silicon Valley.

So, as you grow and don’t be afraid as a risk professional to take a role in the business, I mean, he was one of the first bosses I ever had, and I still catch up with them after 20 years every year or so, and I always look at his LinkedIn and he’s bouncing back and forth between risk and audit and business operations. And you’d think that someone has a career where they’re just going to do an audit and they’re constantly moving around and every time we talk, he’s like, I’m just fascinated. Once I get a year or two into a role, I want to go challenge myself to look at another part of the organization, be it running technology and operations or helping to run an equity business.

I always want to be kind of a part of that to understand the complexity of everything, because I can’t be a good effective risk manager if I don’t understand all the other complexities of how the business operates.

Atul Vashistha:

Yeah, I think I’m going to add one more because I know Matt, this is how we’ve got to know each other over the last few years. One is the whole network, right? Risk is an industry where a lot of the players know each other. We meet at events, third-party risk associations, Shared Assessments, and SAFPRO. So I would encourage people to do that.

Matt, this has been wonderful talking to you in a different format, right? Interviewing you for it. I really enjoyed kind of your talking about risk from your perspective now being at an innovator like OneTrust, but I really appreciate you also the fact that you give time, not just to something like our CRO Wisdom series, but how you participate in organizations like Shared Assessments and others to help the industry move forward. So Matt, thank you so much. I really appreciate it.

Matt Moog:

Oh, it’s been a pleasure. Thank you, Atul.



Matt Moog

General Manager - TPRM


Matthew Moog serves as the General Manager, Third-Party Risk at OneTrust, the category-defining enterprise platform to operationalize trust. In his role, Matthew advises companies throughout their third-party risk management implementations to help meet requirements relating to relevant standards, frameworks, and laws. Prior to joining OneTrust, Matthew spent 18 years at EY where he led their Global Third-party Risk offering for Financial Services and their Third-party Risk Managed Service offering for the Americas. Moog is a CISA, a CIPM and has a BS in Management Information Systems from Rensselaer Polytechnic Institute in Troy, NY.

Atul Vashistha

Chairman & CEO

Supply Wisdom

Atul is the Founder of Supply Wisdom & Neo Group, and is also the visionary behind the GBSBoard and RiskBoard. For more than 21 years, Atul and his teams have worked with nations and corporations to leverage global talent, big data, automation and other technology mega-trends to accelerate new capabilities, increase resiliency, mitigate risks and enable better corporate and societal outcomes. Atul Vashistha currently serves on the boards of Shared Assessments and IAOP. Atul had the distinguished honor of serving on the US DoD Business Board for over 12 years, including as former Vice Chairman from 2018-20.
