
CRO Wisdom Episode 3: Catherine A Allen, Founder and Chairman, Shared Assessments

Atul:

I’m delighted to welcome Cathy Allen, Chairman and Founder of Shared Assessments, to this next episode of CRO Wisdom. Cathy, welcome.

Cathy:

Thank you, Atul. Thank you for inviting me to be part of this.

Atul:

Wonderful. So, Cathy, let’s begin by talking about how your career in risk management started.

Cathy:

Well, it’s interesting, because I didn’t start out in risk. I first became accustomed to understanding risk issues when I was working at Citibank and I helped John Reed set up the Smart Card Forum; we were looking at the use of smart cards both for security access and to load information onto them. That got me thinking about security, cybersecurity and some of the risk issues that people face. After that, I was recruited to be the CEO of BITS, the Banking Industry Technology Secretariat, which was part of the Financial Services Roundtable. Before 9/11, we were focused primarily on e-commerce, B2B commerce and the opportunities that the internet was bringing, and then 9/11 happened. All of a sudden, we pivoted to look at things like cybersecurity, anti-money laundering, fraud and anti-terrorism, and that really was the beginning of the focus on cybersecurity risk management.

I worked with Dick Clarke, who was then the Cyber Czar at the White House. We used the financial sector as the poster child for cybersecurity. That led me to be the CEO of BITS for 10 years; during that time the six largest banks and the Big Four asked me, through The Santa Fe Group, my company, to create a format for Shared Assessments, and that was to look at third-party risk management. So, you know, 1.0 started from that effort. Today The Santa Fe Group manages the Shared Assessments program, which is all about third-party risk management and the broader risk management frameworks in cybersecurity. In addition to that, I sit on corporate boards, and I often am either the digital director or the risk management director, and I’m passionate about having risk committees on boards. We can talk about that a little bit later, but it’s one of the things that I’m really working on today, and actually I’ve set up a non-profit, the Board Risk Committee, to do that.

Atul:

I think that was an excellent way to describe your risk journey, Cathy. One of the things that stood out to me is that you’ve had a career in risk within organizations, but you’ve also had this incredible entrepreneurial career in setting up The Santa Fe Group and now Shared Assessments, and Shared Assessments has been a tremendous organization in terms of helping companies get to better practices by collaborating with each other. So, when you think about priorities today, whether it’s The Santa Fe Group or Shared Assessments, what would be your priorities for 2021?

Cathy:

Well, there are a lot. As we all see with the SolarWinds breach, we continue to have concerns about cybersecurity and in particular attacks on infrastructure, as we’ve recently seen in your home state of Florida on the water system, and I think we’re going to have more of that, unfortunately. There are concerns about geopolitical risks and location risks; we’ve seen that because of the pandemic and climate change. There are concerns about ESG. In fact, our tools in Shared Assessments include a number of issues around ESG, and we have a task force working on that. So that’s not just the environment and climate change; it’s also social justice, social equity, diversity and inclusion, all of the things about our employees and our stakeholders. I think another way to think about it is that the pandemic and the social unrest have kind of awakened us at the board and corporate level to really look at our stakeholders, not just our shareholders. That’s a different mindset in thinking about risk and then thinking about how you manage your company.

Atul:

Cathy, that’s a really interesting way to look at it, right: stakeholders and not just shareholders. So, Cathy, when you talk about all these different areas of risk that the organization is focusing on, I think it would be helpful for the audience to hear from you how the Shared Assessments community raises these topics and how it provides value to the members.

Cathy:

Well, it’s all about thought leadership. We want to be the thought leaders in the field of third-party risk management, and frankly third-party risk is really an enterprise-wide risk approach, given that you are looking at your third parties, fourth parties and fifth parties. So, we have working groups around business issues, best practices, regulation or verticals that address issues that are coming up. We have the summit coming up in April, which has a fabulous group of speakers around things like ESG, critical infrastructure attacks and cybersecurity, and CISO panels. We put out white papers and research documents, which help our members and others to understand the risks that they’re facing. And it’s something, you know, not to be competitive about. In fact, the risks keep growing, and as they grow, we feel like we’re scrambling to address them. So, having a collegial cross-industry peer group exchange helps that to happen. As I mentioned earlier, we’re creating a new non-profit focused on board directors, to give them the same kind of peer exchange as Chief Risk Officers have, and the same ability to look at the issues and discuss how their company is handling them. So that model of trusted peer exchange and providing the expertise; and, you know, as your company knows, you guys are experts in geopolitical risks, location risk and continuous monitoring issues, and you bring that unselfishly to the conversations that we have in Shared Assessments.

Atul:

Right. So, Cathy, on that point, one of the things I keep hearing when I’m talking to companies, both through this and in my role as Chairman of Supply Wisdom, is how risk management has evolved for them, right. Assessments are valuable, but they were challenged during COVID. I’m sure you heard the same thing from members. What have you been hearing from your members about how they’re taking a look at these assessments and moving to continuous monitoring, and any challenges you hear them talk about in that movement or that adoption?

Cathy:

Well, we all acknowledge that we’ve got to go to continuous monitoring, really, you know, every-second kind of monitoring, because of the kinds of risks that are out there, whether they are a reputational risk or a cyber-attack or a technology glitch or a resiliency issue; it’s daily, it’s every hour, it’s every minute. So having that, and the ability to do assessments virtually, has actually helped. I mean, it’s interesting, because we were all concerned early on that, well, if we’re not on the premises, you know, what is that going to mean? But we’re finding that there are ways to do that, and new technologies evolving that help with that. We can talk about that a little bit later, but I think that it’s driven us to really think: how do we commit to continuously understanding the risks that are there, and what technologies will help us to monitor those risks? And then, more importantly, how do we bring that to senior management and board attention in a way that prioritizes those risks so that they can act on them? You asked about Shared Assessments earlier; we again have a continuous monitoring working group. We have a virtual assessments working group. We have also done webinars on that and published papers on that, again trying to help the community understand better how to do it.

Atul:

Right. Cathy, you just talked about how one better informs the board. What should Chief Risk Officers be doing to make sure that the board has a better understanding of their risk practices and risk programs? You have a very unique point of view, because not only are you leading the Shared Assessments community, but you actually sit on risk committees of boards and on boards. So, what do you think they should be doing?

Cathy:

As I said earlier, I’m an advocate for risk committees of boards, and the reason is that there are so many risks, emerging risks, that are coming that not only do you not have the expertise in the audit committee, where traditionally risk has been, but you also don’t have the time. The risk committees I sit on actually meet longer than the audit committees. So financial risk, yes, should be under the audit committee, but all the operational risks, the reputational risk, compliance, legal, privacy, all of those emerging risks and geopolitical risk need to be addressed by people who have the expertise and time to understand them. So, the risk committees allow members of the board, senior management and experts within the organization to meet on a regular basis, to have the time to go in depth on issues, and then to bring what emerges as really critical issues to the board discussion. If you have a risk committee, it also allows them to create off-sites and to help educate the board. But that’s not the only thing you have to have. You’ve talked about having risk operations centres. That’s another component piece. So, I think there are three legs to the risk stool: having a risk committee of the board, having a Chief Risk Officer, which many companies still don’t have, and having a risk operations centre, so that within management and within the firm you have an ability to identify those risks and move them upward.

But there’s an even broader issue on this: most corporate boards think of their responsibilities in three buckets: fiduciary, or the financial (and that’s where audit comes in); the strategy for the company; and succession planning and, to some extent, talent management. That is all changing, because the fourth leg of that table, I would say, is risk. That’s why I advocate having the risk committee equal to the audit committee, to the nominations and governance committee, and to the compensation committee, which is often now called talent management. Let’s take a topic like ESG. You know, sometimes firms set up an ESG committee specifically around that. We’re going to have a lot more disclosure requirements coming up with the current administration, and also just in general with corporate understanding of these issues. But sometimes ESG gets portioned out. The social responsibility part may go to nom gov, or the talent management and D&I part may go to compensation. But again, risks need to be looked at in a holistic manner, because they’re oftentimes interrelated: a reputational risk comes from a business continuity risk, or a cyber risk leads to a privacy risk. You really need to look at that holistically. And that’s why I’m an advocate for the risk committees.

Atul:

And it’s the reason why Bloomberg called risk manager a hot job. What are your thoughts on that?

Cathy:

I absolutely think so, and I’m encouraging as many people as I can to get into the risk area. I think knowing there are job opportunities in that matters, but again, a seasoned business professional who can look at risk and understand it from a holistic perspective is so important. What’s unusual is that many of the board educational groups might have education about cybersecurity or maybe reputational risks, but they’re not looking at it holistically. And again, that’s why, through all the efforts of Shared Assessments and The Santa Fe Group, we’re setting up this non-profit on board risk committees, and it’s again to have a place where those board directors can not only have a peer exchange, but also get the information that they need to understand the risks as they’re emerging.

Atul:

Cathy, you touched on it already with your advice. But what other resources do you rely on to be a better risk leader, a better leader in risk management?

Cathy:

So, I’ll start by saying that I’ve had some board members say, you know, “Oh, these boards are taking up so much time, it’s taking more time,” and my answer to them is, then you shouldn’t be on the board, because if you don’t take the time to understand the issues, you can’t just go to four or six board meetings a year and that’s it. You’ve really got to read continuously. So, I read the agenda of corporate boards of directors, and I read the Wall Street Journal and the New York Times and business publications. I watch webinars. I go to conferences like RSA; I call them a brain dump, you know, to help me understand. I try to talk to people to understand what those risks are, and then I not only bring it back into my board meetings, but if there are great articles, I will share those articles with board members as well, and I’m seeing more of that happen, especially within the risk committees of boards, sharing research or articles. But you’ve got to stay up to speed. If not, you’re not really fulfilling your responsibility on a board.

Atul:

So Cathy, one of the interesting initiatives, now in its ninth month, is called RiskBoard.org. Every month, for an hour, we get together about 20 Chief Risk Officers or heads of third-party risk management in a peer environment, no vendors, no suppliers, to exchange ideas with each other, and you can see the eagerness with which these leaders want to share with each other and learn from each other.

Cathy:

Absolutely. And Chief Risk Officers play an important role, because generally they work with the chair of the risk committee to set the agenda for the meetings, and also to showcase some of the executives who are maybe one or two levels down, because we want to know as board members how talented they are and how they’re looking at things. And I think, again, those Chief Risk Officers are going to play an even more important role in the future as boards come to understand that fourth leg of the table.

Atul:

Right. So, Cathy, for my final question, what advice would you give to future risk leaders on how to build a better career?

Cathy:

First of all, I think having experience in both operations and staff positions, so that you have an understanding of the organization in total. So that’s one thing. Secondly, you know, many people come to risk from compliance, or they may be attorneys, or they may come from a cyber background or a CIO background. All of those are important. I think having an understanding of or experience in those various areas is important, but the single most important thing is to learn how to communicate with the board and the C-suite. You have to understand how to align the risks with the strategy of the organization, and align what needs to happen, or what is emerging as a risk, with the dangers it might bring or the opportunities, because the flip side of risk is opportunity. So, you can’t be locked into just looking at the risks very narrowly. You have to look at them holistically. You have to look for the opportunities that might be there, and then you have to be a really effective communicator with the C-suite and the board.

Atul:

Thank you, Cathy. Thank you for sharing your experience and your expertise with the audience. Thank you again for coming.

Cathy:

Thank you for this opportunity. I enjoyed it, Atul. Thank you.


Speakers

Catherine A Allen


Founder and Chairman

Shared Assessments

For more than 30 years, Catherine A. Allen has been an outstanding leader in technology strategy and financial services and a key thought leader in business innovation. Today, Catherine is Chairman and CEO of The Santa Fe Group, a strategic consulting company based in Santa Fe, NM. The Santa Fe Group specializes in briefings to C-level executives and boards of directors at financial institutions and other critical infrastructure companies, and provides management for strategic industry and institutional projects, including the Shared Assessments Program, focused on third party risk.

Atul Vashistha


Chairman and CEO

Supply Wisdom

Atul Vashistha is recognized globally as a leading expert on globalization, governance, and risk. He has authored three best-selling books: The Offshore Nation, Globalization Wisdom and Outsourcing Wisdom. Atul pioneered the global sourcing advisory space in 1999 when he founded Neo Group and is also the founder and Chairman of Supply Wisdom. Founded in 2012 as an early warning service for business disruption risk, today, Supply Wisdom® is the market leading patented real-time and continuous risk intelligence and monitoring solution. Atul serves on the boards of the US Department of Defense Business Board (Vice Chair), IAOP, Shared Assessments, and Zemoga.
