
CRO Wisdom Episode 7: Avani Desai, President, Schellman & Company

Atul Vashistha:

Hi, everyone. Welcome to a new episode of CRO Wisdom, the voice of risk leaders. I’m delighted to have Avani Desai of Schellman Group as our guest today. Avani, welcome.

Avani Desai:

Thank you, Atul, it’s great to be here.

Atul Vashistha:

Wonderful. Avani, let’s start by telling the audience what your role is at the Schellman group.

Avani Desai:

Sure. I’m President of Schellman and Company and we are an IT audit, security assessment and certification firm. It’s funny because I tell people I work for a CPA firm, so they typically think that I work for a tax audit or accounting firm. We’re actually a very niche, specialized certification firm where we focus on things like ISO certification, PCI, SOC assessments and so forth. So really focusing on security and privacy, and risk management has a big part in what we do.

Atul Vashistha:

Great. This is going to be an interesting conversation. One of the first questions I ask everybody, Avani, is how did you get started in the risk management profession? Because most people that I talk to didn’t really start there, they started somewhere else.

Avani Desai:

Sure. So maybe I’m one of the unique ones in that I actually came right into risk management, but I can tell you… I’m going to take you back a little bit. In college I spent my days coding and I’m not even sure I knew what risk management exactly was. I graduated from the University of Florida with an engineering degree focused on computer science, and I actually started a job with a Big Four accounting firm, and that’s really where it began. I was hired into a group called information risk management and over time I learned more and more, and I realized that I had started acquiring this skillset centered around data, hardware, software, security, privacy. And all of it really, if you can tie the bow around it, was risk management. So to complement that I decided that I needed more business acumen.

Avani Desai:

I realized from a risk management perspective that I had the technology skill sets, but you can’t have technology without business, so I ended up going back to… I got my executive MBA from the Wharton School, returned to my job and took it to another level. And like that, I got comfortable in a space where now, with what we do at Schellman and Company, we’re able to help clients understand not only the risk issues within technology but the risk issues within the entire business environment.

Atul Vashistha:

That’s wonderful. It’s good to see a different model where you actually started in this. Let’s talk about the impact of COVID and, particularly, think about your plans for 2021, 2022. Where are you focused as you think about the risk market?

Avani Desai:

Sure, I was thinking about the current risk environment and the key priorities, especially with COVID. At Schellman and Company, we focus on audits to help our clients from a security and privacy perspective. And the start of the new year is a really good time; we tell our clients, in December, January, before we start the new year, to look at the 12 months ahead and shape your plans more precisely. One thing we realized, and you’ve probably seen it, is that technology is advancing at such a staggering speed that there are a lot of risks to prioritize, for us and for our clients. And COVID just threw a wrench in all that.

Avani Desai:

We serve about 800 organizations, so we get ample opportunity to discuss what everyone’s concerns are, and I would say, if you asked me what are some of the key priorities that I tell my clients and that we have for ourselves in 2021, first and foremost is really going to be cybersecurity and breaches. And you probably hear this, and I’ve listened to your other conversations as well. But the ever-present risk of cybersecurity, especially in this COVID age, is supreme again. We are seeing breaches, some high-profile breaches like SolarWinds, for instance. So technology is advancing, but unfortunately so are cyber criminals, and that’s why risk managers and IT teams have to have these stringent contingency plans and prevention strategies in place. Because you see it: without this there’s damage to reputation, there are financial issues associated with it, there are legal issues associated with it.

Avani Desai:

That’s why I talk to my clients and I tell them prevention education is crucial and should really be a top priority. The other thing I would say from a priority perspective, it’s a little bit out of the box, but what I’m starting to see again with COVID is that the people who are able to pivot and who were able to be agile have seen success. So a major concern I have is the failure to innovate and becoming obsolete. So emerging technologies are coming at warp speed, and understanding these matters. I take a look at Supply Wisdom, for instance, and understanding and utilizing AI and RPA to streamline processes that really are going to give a head start, not only to us internally, where we’re looking at it, but to the targets too, and you don’t want to become obsolete. And the third thing I would really say, which ties into AI, is analytics. At Schellman, the power of business intelligence and big data and analytics is so important for us to mitigate risk, but also for me as a leader to see the overall health of the company.

Avani Desai:

So yeah, there are a lot of things to prioritize, but before we leave this topic, the other thing is Cloud. And the technology and the risks, it may be the last one of my priorities but it’s in my wheelhouse. And Cloud technology is leading the way to what I call digitalization, and there are so many benefits of not having things like paper trails and so forth. And I think it’s really important that we understand the governance, the regulation and the changing regulations about storing data. Those are the things that, from a COVID perspective, we have been looking at.

Atul Vashistha:

So let’s take that thread, as you were talking about these rising risks and prevention and monitoring. When you think about cyber as an example, or even other risks, COVID made assessments in a sense very challenging. Maybe not obsolete, but there was a period of time where you really couldn’t; things are opening up a little bit more with travel. So talk to us about how companies are moving to continuous monitoring. Do you see that as a trend, or do you see that as the movement to, or the addition of, a next set of approaches to risk management?

Avani Desai:

Sure. I’ll say for our clients, we saw fit to incorporate continuous monitoring prior to the pandemic. And that could be because they had remote workforces and distributed systems, but absolutely the emergence of COVID has increased the need. There’s no doubt about it, in all industries and all sectors as well. But establishing an effective continuous monitoring program is not something you can do overnight. We get so many questions from our clients saying, “We need a continuous monitoring program, can you give us a checklist?” And that’s not how it works. It requires planning, effort, timing, a strong team, cross-functionality, and you have to hit the ground running, as most compliance frameworks include continuous monitoring. Recognizing that compliance is at a point in time, when we do things like SOC and PCI and FedRAMP specifically, there is a continuous monitoring program to it.

Avani Desai:

At Schellman, we have incorporated continuous monitoring into our risk management program, but there are probably four areas that we tell our clients about. First and foremost is asset management and really having a thorough understanding of the devices and systems. And for us and most of our clients it’s cloud-based; under direct organization it is a massive benefit for continuous monitoring, for you to understand interdependencies or to reduce attack vectors, for instance around sensitive data, and to make sure… And the other thing I would say is that continuous monitoring isn’t just about knowing what systems are in your ecosystem. It’s really understanding the threat profile created for all the systems. Understanding what is the actual risk per system. I see so many times, and we’ve done that and we’ve made the mistakes of saying, “These are our risks.” But we’re not looking at the system specifically to understand the underpinnings of it.

Avani Desai:

And one thing that we forget about a lot is, adding to the threat landscape, reputational risk. It’s not enough to know how your systems and assets are vulnerable. It’s what people are saying about you online, and at Schellman we have tools that monitor posts and statements made about our company and our executives. We’re monitoring things on the dark web, for instance. So it’s not just critical to know if someone is planning something nefarious, but it’s also negative statements. And I would say the last thing from a continuous monitoring perspective is probably more at a tactical level. It’s important to implement multiple types of continuous monitoring tools. Again, our clients come to us and say, “We want to implement continuous monitoring, do you have a checklist? Do you have a tool that’s going to help us do that?”

Avani Desai:

But that’s not how it works. We have to conduct vulnerability scanning on our assets that are both physical and virtual, but also use behavior-based tools to monitor for irregularities. We employ something called zero trust as a strategy. And it’s not a buzzword, as our professionals are either remote or onsite at our clients. And we can’t always be reliant, from a technology perspective, on our firewalls. So yes, continuous monitoring was there and our clients embraced it, but post-COVID we’re starting to see a lot more and more of it. And people are understanding the actual need for it and not just, “Hey, I need to pass an assessment. I need a continuous monitoring process.”

Atul Vashistha:

One of the clarifications I feel I constantly have to make in the market is, I’ll be talking to executives and they’ll talk to me about how they have a continuous program, and what they’re really talking about is that they do assessments every year. And because it’s continuous, that is… We don’t define continuous that way. We define continuous as it’s live all the time, it’s ongoing. Avani, you were talking about cyber risk, and very clearly cyber risks are rising. We’ve seen that effect during COVID, but COVID didn’t start off as a cyber risk. It actually started off as a location risk and then cascaded into cyber. What are you seeing customers do in expanding their risk aperture, the risk domains that they monitor?

Avani Desai:

One thing that I’m starting to see more and more is people breaking away from quantitative risk. When I think of cyber risk, I think of quantitative risk, and trust me, I like that. I’m a numbers person and that’s the way my mind works, but it’s also very important, and what we’re starting to see from our clients’ perspective is that they’re looking at qualitative risks. The ones that are based on the personal judgment and expertise of the assessor, for instance, or the board. They’ll often use their own experience but consult with others carrying out activities and best practice guidance, probably reaching out to you guys from a decision perspective.

Avani Desai:

Any risk in the area should come out during conversations they have with executive leadership or managers. And that’s becoming very, very important. And I think that’s where risk management started. And then we saw it going away from that and focusing just on quantitative, financial risk, but then it comes back to what I was talking about earlier. One of the priorities that we’re telling people is that reputational risk is very important. So that’s what I’m starting to see more and more as the risk management process becomes more robust at organizations.

Atul Vashistha:

Because often we’ve seen companies where these are siloed: compliance is looking at compliance, and cyber looks at cyber, and procurement looks at maybe financial. Are you seeing it come together, be more integrated, so you get a singular view of these third parties?

Avani Desai:

Definitely. What we’re starting to see a lot more and more of is cross-functionality. When you started a risk management program before, it could have been just IT and maybe the chief risk officer and their team. But now we’re seeing HR, we’re seeing compliance coming into play, we’re seeing the audit team coming into play. So yes, there’s definitely this cross-functionality that is needed, because when you look at risk management and you look at enterprise risk, tone at the top, you look at cyber risk, you look at legal risk, it can’t be siloed. If you just focus on the silo perspective, I can tell you from our assessments that that’s really where we see most of our issues, because it’s siloed and there’s not cross-documentation and there’s not cross-education. And there’s not knowledge sharing, which, from an auditor’s perspective, without having that you have a significant potential deficiency within your report.

Atul Vashistha:

And how are you seeing AI and automation or data science having an impact on risk management?

Avani Desai:

I mentioned one of our priorities is definitely AI. And I think AI is definitely changing risk management. The ability of machine learning models to analyze large amounts of data, specifically structured and unstructured, really improves the capability of… I can tell you from my perspective: compliance, risk management, technology across all the different industries. But what’s really important, and I talked about technology, is that it is really outpacing regulations, outpacing people. So to be able to identify these risks with all this data in an effective and timely manner allows me, as president of a company, to make more informed decisions that are less risky. And a company like ours with 300 employees, we’re small, so then take a look at a company that is handling massive amounts of data. To make those decisions much quicker with less risk is just, it’s invaluable. AI and automation is that next level, RPA and blockchain, all that next-level technology that I’m really excited about from a risk perspective.

Atul Vashistha:

I don’t think a company can really keep up with all the data, especially as their third-party universe is also expanding, for sure. Let me switch subjects. Bloomberg declared risk manager a hot job. So when you look across your hundreds of customers, is risk manager a hot job? What do you think about that?

Avani Desai:

That’s funny. I was thinking about this and I’m thinking about my career. I started about 20 years ago, and risk management professionals weren’t even a thing. Back then risk employees were focused on insurance programs, maybe environmental controls, natural disasters. And even from an academic perspective, when I had graduated from the University of Florida and started with the Big Four and the information risk management group, I tried to go back to say, “Where could I find this from an academic perspective?” And there were no programs focused on this career at that time. But I really think this pandemic has put us in hyper-drive, into a field really overnight. Risk management now has the board’s attention; it’s been given a seat at the table for input and consideration, just like when you looked at Sarbanes-Oxley and a financial expert was given a seat at the table. Given everything involved in the field, yes, 100% a hot job.

Avani Desai:

And I was recently listening to a webinar by the National Association of Corporate Directors, and they said, I think, the best, and I’m going to remember what I can remember. But they said, “Chief risk officers need to be analytical. They need to evaluate everything from supply chain to staffing. They need to maintain relationships with law firms, insurance brokers. They need the power of persuasion for the board and executives. They need to communicate in a very savvy way. They need to handle employees and media and crisis. And then they also have to have some financial literacy to understand the company’s balance sheet, how much money would be lost if there was a crisis, and so forth.” So, yeah, it’s a hot job, but it’s also a lot on somebody’s plate. And at the same time they have to make sure that they’re answering to the board and to investors and to executive management and to government regulators. And COVID was a very tough time, and as I said, I think risk officers have become a necessity overnight because of this.

Atul Vashistha:

You just described a profession that’s extremely dynamic, especially today. So what resources do you rely on to make yourself a better risk leader?

Avani Desai:

I think we’re lucky that we have some of the most credible technology companies as our clients. So really a lot of my knowledge comes from speaking with executives and the boards at these companies. We’re in there doing assessments related to technology and security and privacy. And we’re talking about the top risks that they have, even if they aren’t connected to technology, because of the risk assessment process. I also do a lot of reading, peer-to-peer discussions, chats with vendors like yourself, and listening to your podcasts and so forth.

Avani Desai:

I still think that we are going so quickly from a risk management perspective that there’s no textbook out there that will tell you how to be a good risk manager. I think a lot of what we do is what we’re having here, these peer-to-peer conversations. And as I mentioned, these companies that we work with are in this day in and day out, and talking to the risk managers and risk officers there to truly understand the industry risks and the service line risks and so forth is, again, invaluable for us.

Atul Vashistha:

No, well said. I think leaders can no longer be insular; you have to open up and leverage the network. So my final question to you, what risk… Sorry, what advice would you give to future risk leaders?

Avani Desai:

We don’t live in a world for which conventional risk management, as I mentioned, textbooks or curriculums or trainings, prepares us. When I think back and I look at COVID and how we could have predicted it and what we could have been doing better, I realized no forecasting model, except my son said The Simpsons; he’s like, “You should have watched The Simpsons.” No forecasting model really predicted the impact of, or that we were going to have, this type of crisis. And the consequences continue to take established economists and technologists and futurists and academics really by surprise.

Avani Desai:

But it’s easier to be okay. What I learned through this is that it’s easier to be okay as a leader if you’re agile and flexible. So when something like COVID or an economic crisis hits, you have to pivot and you have to pivot quickly, and that is going to make you a good risk leader. Being able to take the data and just run with it and pivot, and being okay with that. Because like I said, as risk leaders we’re very quantitative and we want to decide the likelihood, the impact, the effect, and so forth. But we’re starting to see that you have to be able to be agile and you have to pivot. And with that I think there’ll be a lot of success.

Atul Vashistha:

Well said. You have to be agile and you have to pivot. I often use the word resilience as a key skillset. Well, that was a great conversation. Thank you so much for making time to be on this episode. I wish you the very best in 2021 and even greater success in 2022.

Avani Desai:

Thank you, Atul. It was great to be on, I appreciate it.

Speakers

Avani Desai


President

Schellman & Company

Avani Desai is a Partner and President at Schellman & Company, LLC, the largest niche CPA firm in the world that focuses on technology and security assessments. She is also CEO and co-founder of MyCryptoAlert, a push notification and portfolio app for cryptocurrency. Avani started her career working at a Big 4 accounting firm (KPMG) for over 10 years, where she led a team and oversaw IT Risk Management and Privacy across national service-lines. At Schellman & Company, Avani has been focusing on growth strategies, strategic client and market development, industry analysis, and new services for the last seven years.

Atul Vashistha


Chairman and CEO

Supply Wisdom

Atul Vashistha is recognized globally as a leading expert on globalization, governance, and risk. He has authored three best-selling books: The Offshore Nation, Globalization Wisdom and Outsourcing Wisdom. Atul pioneered the global sourcing advisory space in 1999 when he founded Neo Group and is also the founder and Chairman of Supply Wisdom. Founded in 2012 as an early warning service for business disruption risk, today, Supply Wisdom® is the market leading patented real-time and continuous risk intelligence and monitoring solution. Atul serves on the boards of the US Department of Defense Business Board (Vice Chair), IAOP, Shared Assessments, and Zemoga.
