Atul:
Welcome to the next episode of CRO Wisdom. I’m delighted to have as our guest today, Dr. Laura Jones from Hearst and an expert on GRC. Dr. Jones, welcome.
Laura:
Thank you so much, Atul. It is really nice to be here with you.
Atul:
Thank you. You know, one of the questions I really enjoy asking risk professionals is how do they get started? Because that’s not where most people actually really began their careers. So, Dr. Jones, what about you?
Laura:
Yeah, that’s exactly right. And I’m no exception. I started out as a quality manager. I went into that field after I retired from the Army, I went into consulting; spent about 10 years as a consultant. And during that time again, I was a quality manager, which was my major as I would consider it, but I wanted to select a minor with the intent of staying billable. And so I selected risk management because I thought it was one of those functional areas that cut across the organization and really transcended all functional areas and all industries. And so I began to work as a risk manager. I came to love it so much, the art, the science managing risk. And so I decided that’s where I wanted to focus. And I did. So my first project out as a global management consultant was working with a large government organization in DC implementing public key infrastructure. And then, you know, just having that background in quality, eventually I learned to integrate both of those disciplines, building risk management programs while underscoring it with principles of quality. So that’s how I got started and where I am today with risk management.
Atul:
Right. No, it definitely gives you a company-wide, enterprise-wide view of operations and the business. So true. So fast forward to today, right? Fast forward to today, would you share with us a little bit about kind of your role, but more importantly, what would you say are your priorities today around governance, risk and compliance?
Laura:
Yeah, absolutely. So today my role entails building out a governance, risk and compliance program for Hearst. Hearst has over 360 businesses under its purview. And I am working to establish capabilities around many verticals: security awareness and social engineering, business continuity, all sorts of risk management, that is cyber, technology, vendor, third party risk management, and so forth, several disciplines. So that’s my focus. My key priorities are really those of my senior-most leadership at Hearst. Their priorities are mine. The things that may keep them up at night, such as any leader, becomes my priority, right? Now, I have some areas that I really like to focus on, such as vendor risk, because there is for any organization, when you lose that line of sight into various aspects of partnering, then that needs to be a steadfast focus. And so, I would say that’s true of any organization. And so that is my focus in terms of more of a passionate area. But I would say that those upper right risks, as we refer to them when we think of the magic quadrant, that’s where I’d like to focus. And so, my priorities also include establishing a world-class innovative program that’ll help keep pace with, or outpace, the threat side that challenges us to achieving our objectives. And so again, there are specific risk-based categories that cut across every organization, but those tend to be on my radar, but I really pay attention from a hierarchical perspective of those risks that, again, my senior-most leadership cares about.
Atul:
Right. No. So definitely driven by the business risk, translate it to how you think about risk from your perspective and what third parties contribute to it.
Laura:
Absolutely, absolutely. And you know, that those are my priorities, I’ll say by day. And if I can, if I can mention by night my key priorities personally include writing children’s books and material to help children and, and really adults think through their time online, cyber safety cybersecurity. And so really one of my goals again by night is helping kids manage their risk of being online.
Atul:
Gosh, I love that, you know, we, we all talk about, you know, being responsible socially responsible, and you are taking your business skillset and applying it to such a great cause to help kids and others be safe online. Gosh, I’m glad you mentioned that.
Laura:
Well, thank you. I definitely appreciate that. It is really an area that I care about. I care about, you know, keep it helping to keep kids safe while they’re online and actually empowering teachers and their parents. And just any adult that cares have a meaningful conversation with kids other than the don’t do this and do this and the things, you know, that as parents, grandparents and so forth, we tend to do. That’s okay. But sometimes we need a little bit of help with those conversations. And so that’s what my books propose to do for kids.
Atul:
I think this would be a good topic one day as kind of a discussion at the international consortium of minority cyber professionals. I think this would be that, that group that I know about you and I, and our friends are part of, would be worth looking at. So, Dr. Jones think about kind of over the last, you know, 12 months or so COVID fundamentally had a very big impact on our third parties and how we assess our third parties and the need for continuous monitoring. Talk to us about kind of your experience around the challenges with assessment, how you’re dealing with them, because we can’t really be onsite as much. And then secondly, as you think about wanting to have continuous intelligence on your suppliers, how are you accomplishing that?
Laura:
Yeah. You know, COVID made it really clear that continuous monitoring of risks is very important and, actually, the way we aggregate our information to see a picture unfold and hopefully get ahead of it. And so, whereas we think about risk categories, the common ones around financial and strategic and operational, and we definitely in the risk industry and beyond have our finger on the pulse of those various risks within those categories. But how do we use that information? How would we take that to help us tell a story ahead of time and then too, you know, what do we need to think about that we would not normally think about or have had to think about in the past things we might’ve thought were very much for the movies only, right. This whole contagion or, you know, this global pandemic and, Oh my goodness, what would happen if we all had all of a sudden go home and work remotely?
Nah, never happened. Right? So how do we think about those risks? And some people refer to them as black swan risks. How do we think about those things that we ideally would not have thought about before? And then if we take the time to brainstorm, even if we do it mentally, how would we assess those risks? How would we be received if we were to even start talking about some of those very hypothetical, theoretical risks that people would ordinarily say, never, we don’t have the time to commit to sort of pie in the sky thinking. And, but, you know, that is really what risk management is about at its core. It’s looking at things that have the potential to happen and then thinking about how apt they are to happen. And then to what degree could we be impacted if they were to happen?
Of course, we have to prioritize our resources. Of course, we have to keep our feet grounded in our thoughts and in such a place that we are prioritizing our resources, but we do also now we’ve shown that some of these out of the box thoughts that some of us have had there’s credence to, you know, to actually sit down and have some meaningful conversations. And especially because we’re primarily virtual and remote, it’s easier to do that. I don’t know if it’s a risk management happy hour that we need to have or what it is, but that’s it bears thinking through now of some of these things that we hadn’t thought about before, does that mean we’re going to build a risk mitigation plan? Depends on what industry you’re in. Maybe you do need to think about it now. And so that’s what I think we, how we would look at how COVID has impacted us and how challenging assessments can be in today’s time. And, you know, one thing I like though, are the tools and applications and so forth that give us real-time data feeds and a way to aggregate data. That’ll give us glimpses into a truer picture before it unfolds.
Atul:
Right. Dr. Jones, I know you, and I’ve talked about this. You just referred to kind of earlier the need to look at a broad category of risk, right? Financial cyber, not enough, you know, for example, we can see in the agenda today in our country and around the world, ESG environmental, societal governance became really important criteria. And then you just talked about the need to do that continuously and how data science is being applied and risk management along with automation, to be able to do that. When you think about it, do you see benefits? Do you see challenges in terms of applications, all this data science and automation and/or how do you plan to take advantage of that?
Laura:
So, I do plan to take advantage of it because it will, in some ways help, I think automation can be a great help. I think it takes some of the human error potential for human error out of our calculations, out of our projections and so forth. So I do think there are huge benefits to using some of these technologies, emerging technologies, in some sense. But I do think we also have to temper our decision-making with the information that comes out of this sort of applications and tools. I think they’re very useful for the data feeds for the information and content that we will be receiving, but I think the human expert judgment is always going to need to be overlaid atop of data points that come from a computer. And then, and especially because the computer doesn’t necessarily, I mean there’s machine learning, right? And so the, the data sets though that go into these machines that go into the applications, the feeds, and then the machine continues to learn, continues to expand its knowledge artificially, if you will, it’s artificial knowledge and then that’s contributed back to us. But we have to remember too, that the data sets that were coded that were programmed, that go into the machines that do then learn artificially and then aggregate amalgamate, analyze that information and give it back to us is as a result of what went in and that is very much touched by humans. And then that’s this machine learning, and then we get the output. And so, I think it’s still imperative and incumbent on us to take that information and then apply our expert judgment on top of that, some will say, well, that biases the information. I would say that the information is inherently biased at the point of the data sets being developed, right? We can’t, we can’t separate the two. So I think going in as it’s being computed, as the decisions are rendered, and then we take that and we make the decision, and I think it’s no different in the risk management field. 
I think automation and artificial intelligence, machine learning and so forth are going to be a great help to us. I definitely intend to leverage that information or those capabilities, but I also intend to take a look at what I’m receiving from those tools.
Atul:
Right. Two things I want to summarize from what you said, because I think they’re really important. One is the fact that this data science, the data sets, they need to be literally governed and monitored and reviewed on a very frequent basis because the efficacy actually drops over a period of time if you don’t analyze them again, which is one point you made. The second one I’m really excited about Dr. Jones is that the whole combination of data science and automation makes the ability of humans to then focus on the areas that really matter, that require that judgment. And because data science and automation enable a lot of work to be off their plate, they actually have the freedom and the time to be able to do
Laura:
I agree. I definitely agree with that, but I think some of these capabilities, or I would say decision points that are being made based on the delivery of the information from the artificial intelligence, machine learning and so forth, I still say it would need to be in a review because for me, I’m helping this organization grow and expand those capabilities – super important, in my opinion, but there are other organizations that will make life-changing decisions, our judicial system, for example, and so forth. And so, if you take that and you say, okay, I’m not going to bias the information; I’m just going to take it as it is and make my decision because this is what the machine is telling me. Then I think that’s where it becomes even more important, right. Because there’s a life impact here. And so it becomes even more important for them to actually take the data and sort of give some, apply some analytics to it before a decision is ultimately rendered. So, absolutely.
Atul:
Right. Yeah. Good point. So, Bloomberg recently declared risk manager to be a hot job. What are your, what are your thoughts about that?
Laura:
Yeah, no, that’s great. First of all, I sincerely applaud Bloomberg for recognizing the value of this role, our role in our industry. And it’s one that hasn’t typically had as much consistent visibility as it should, and funding in many cases, as the other, I’ll say, C-titled roles outside of the banking industry, which is heavily regulated. So, risk, in my opinion, it’s omnipresent, it’s always there. So risk management should be as well. And I think that’s part of what Bloomberg is recognizing. So, there’s an organization that I support that I’ll just mention: Carnegie Mellon, the Heinz College, they have the Chief Risk Officers course, and I give them kudos all the time for seeing the vision just as Bloomberg has and really understanding the value that chief risk officers and risk leaders deliver to an organization.
We can say, okay, it’s a cost center, right? It’s not one of those revenue generating sort of professions, but I will say that it is one that after you generate, or even before you generate the revenue, we help protect it. We will show you the hotspots. We will show you what you maybe should be thinking about, and then what you need to get in front of. So, there’s the idea of achieving profit and there’s the idea of projected profitability and as we’re all in business and largely it is to generate revenue for the most part, we want to be able to keep that revenue. We want to be able to claim more of the market share. And so, I would say that a role like Chief Risk Officer, Risk Manager, risk leader, or what have you, is a hot job.
And so I love what Carnegie Mellon is doing as well, and turning out the chief risk officers through their program. I serve as a coach there for the program, I have since I’ve graduated about four cohorts ago. And so just growing that cadre of risk professionals and helping us maintain that visibility is definitely what we need. CROs and risk managers are really no longer an option for organizations. Their skills, the skill sets that they bring to any organization are pertinent because when it comes to identifying and addressing uncertainty to maintain that business, that’s what we offer. That’s what we will bring. And so I definitely agree with Bloomberg. It is a hot job. I’ve always thought it was a hot job before I got into it years ago.
Atul:
Absolutely. That’s right. I made my decision to be in this field. So Dr. Jones, that’s a great resource. You identified, are there other resources that you leverage, you know, associations, organizations, magazines, blogs, that you feel are good resources to make yourself a better risk professional?
Laura:
Absolutely. Absolutely. So one is the network, right? It’s, it’s the risk leader network. And to me that, that is invaluable. Being able to speak to people like you, with what you’re doing right here, Atul, and giving more credence to the risk management professional, making it more visible, giving risk leaders an opportunity to speak about all things risk, things like this and opportunities like this, and just the networking piece and aligning myself to other risk leaders to share information and also to glean information. No one person in any industry has all the answers. And so, this for me is, is an imperative, the networking, and it’s more networking for alignment and so forth as we all work to grow our organizations. So that’s very important to me. I belong to a number of organizations: RIMS, the IT Senior Management Forum (ITSMF) and again, back to Carnegie Mellon, there are just a number of organizations that I leverage. Your Risk Board – being a part of the Risk Board is wonderful. That is a decision-making sort of body in terms of leaning more on one another for information that’s current, that’s trending, that’s hot. So I love that as well. Yeah, so that’s one thing that I do in terms of filling my own cup and then being able to give back, because that’s what it’s about. Being a solid risk leader means staying abreast of emerging trends. So for me, I write, I speak, I publish, I speak, I have a goal of speaking on every continent in the world. I’ll have to figure out Antarctica, Atul, we’ll figure it out.
Atul:
There’s a couple of bases there. I think the Army could use you there.
Laura:
That’s all right. That’s all right. I’m from Michigan originally. So we’ll, we’ll have to see about this whole cold weather thing, but yeah, so I’ve made it to, you know, a few different continents. And so I want that to continue once we’re back in the sort of normalcy, whatever normalcy we will, we’ll find ourselves in: serving on boards, presenting locally, nationally, internationally. Those are things that, that I would want to do, and mentoring. So a part too, you know, of really becoming a better professional is interacting with those that want to get in this profession. And so I’m mentoring, formally mentoring three different people. We meet frequently and I learn from them as well, through the questions that they ask, and again also able to give back. So for me, that is very important.
There’s a lot of good information out there, resources that we know LinkedIn. We have some strong professionals that are out there writing some great articles. And so for me, that’s really important to tap in sometimes and lean in and, and, and glean from some of that information as well. There’s a few different groups on LinkedIn that I belong to that are risk focused. So that’s also helpful to hear the discussion and to be able to contribute. And so those are some of the bigger things that I would say that really helped me out quite a bit.
Atul:
Right? No, I think those are really good suggestions not just to make yourself a better risk professional, but you also gave some advice that future risk leaders could rely on. So as my final question, I was going to actually ask you, maybe there’s a few other things you want to, so if you are talking to kind of risk professionals that are early in their risks career, and you think about how they should be mapping their next 10 or 20 year journey in this field, what advice would you give them?
Laura:
The first thing I’ll say is when it comes to risk management, study your craft, study your craft. What I have found over the years is people often say, I know risk management. I understand it. And that’s great. I believe that many people do, but as you sit down to have deeper conversations about risk, it may not be as clear. You’ll hear little things such as, well, we need a remediation plan. We need to manage this issue. So just kind of knowing some of the semantics, and they don’t have to know the details like we do, but the difference between a risk response plan or a mitigation plan, or what-have-you, versus something actually having happened, not the risk, but it’s actually happened. And now we need a remediation plan to go after it. So study your craft and understand the nuances so that you’ll be able to share information in a credible way. I would also say that while automation is definitely the future of risk management, risk leaders will still be needed. Again, back to that expert judgment, whether we have to tweak the AI or tweak the machine learning, or what-have-you, I think we will, my belief is that we will be needed. So there’s no lack of need now, nor in the future for risk management. And so again, I’ll say again, study your craft. If you plan to lead in this industry, prepare yourself: learn to speak publicly, learn to write. If, again, I’m speaking more of an entry-level person who may be very junior. So prepare yourself and get comfortable with some of these ideas, at least comfortable enough, right? So possible enough to sit down and do an interview or what-have-you, but that level of comfort will also come from knowing your craft and knowing what, you know, know what you know. And so, yeah, be a trailblazer where you can.
All of my jobs including just before I retired from the military almost 20 years ago now, they were, every job since then 10 years as a global management consultant, being in public sector, private sector, privately held companies, publicly held companies, small businesses. I’ve never had a job where I’ve gone in to build a program after someone. I’ve always had a job where the seat was new, no one had sat – plenty of white space. It’s something I never asked for, Atul.
So it’s interesting how my career has evolved. And so that has been my career. And so, and it’s been, you know, eight, nine, 10 different programs, Pentagon included. I’ve done the beltway in DC and other areas. I say all that to say for a future risk leader, do not be afraid to blaze a trail, do not be afraid. You take that white space and you make it yours, you network. As I said, you read, you write, you speak. You look for information and you understand what the trends are. You understand what the threats are, and the opportunities for your organization, understand what the business requirements are for the program that you’re building. And that’s going to mean talking with your stakeholders. We don’t build in a vacuum. So it’s taking all of those things. It’s understanding what sort of technology you’ll need, what platform is really going to help you with, what verticals are under your belt for risk management, it’s understanding all of these things and taking a 360 view at the different stages as you progress in your career. Right? And, I’ll say again, don’t be afraid to blaze a trail, be a trailblazer where you can, and also study your craft because it matters.
Atul:
Wonderful. Dr. Jones, that’s really sage advice. And thank you so much for making time today. And I’m really looking forward to seeing the next set of steps that you take, whether that’s in your career. Or, it sounds like there may be a future in writing and speaking. Thank you again.
Laura:
Oh, you’re very welcome, Atul. Thank you for having me.