Description
Brian Johnson, Sr. Director, Information Security at PayPal, discusses why it’s critical for risk management to evolve beyond its traditional focus on compliance.
The recent COVID-19 pandemic has demonstrated that organizations must be more agile in the face of changing environmental concerns. As a result, old methods of annual, static risk assessments must give way to CARTA-based approaches (Continuous Adaptive Risk and Trust Assessment). Brian discusses considerations for transforming risk management into this new model, including:
- Identifying and quantifying business risks, and how to look at technology and security risks as threats through a business lens
- Applying business acumen and subjective context to evolve beyond a strict focus on quantitative measurements of technology risk
- Ensuring continued focus on risk through process and workflow changes versus a one-time or infrequent, manual analysis of risks
Transforming an organization’s approach toward risk management starts with leadership. This on-demand webinar delivers the practical insights from an experienced security leader who’s done just that.
Speakers
Peter Schumacher
Host
Brian Johnson
Sr. Director, Information Security at PayPal
Transcript
Peter Schumacher: All right, thank you everybody. Sorry for the short delay in getting started, but welcome and thank you for joining our webinar today. This is five key steps to building risk management in your organization’s DNA. We’re lucky enough to be joined today by Brian Johnson, who’s the senior director of information security at PayPal. My name is Peter Schumacher and I’ll be your host today. I’ve got a couple of housekeeping items to go over before we get started officially. First of all, this is a reminder that all of the attendee lines are muted to keep background noise to a minimum. In an effort to keep the session interactive, however, we do invite you to ask questions via the Q&A console; you’ll see that at the bottom of your screen. At the end of the hour, time permitting, we’ll host a live Q&A with Brian. Today’s webinar is being recorded. We’re going to offer a copy of that recording and we’ll send that to you via email in a day or two. I know you didn’t join to hear my voice, so I’d like to turn things over to Brian. Thanks so much for joining us, Brian, and please take it away.
Brian Johnson: Well, thanks for having me, Peter, and welcome everyone. Thank you for joining this webinar about the critical topic of risk management and how to build that into your organization’s DNA. It’s a topic that is more relevant than ever, especially given the current circumstances and global climate, with a global pandemic and with changes in our work environment. How we do social life and how we do work life and everything has really been disrupted at a moment’s notice. And it highlights, more importantly than we’ve ever seen in our generation at least, the need to have not only well thought-out plans and contingency plans and business plan readiness, to have our business prepared to make critical decisions in a timely manner, but also to make those from an informed position. Being able to make decisions with the right information at the right time is what differentiates businesses that thrive and survive through situations like this from those that struggle. And so even when we teed up this topic many months ago, even before COVID, it was as relevant as ever. Now we see these kinds of conditions play out in our environment. We see the need to give leadership and board-level and executive-level information to help make those decisions as relevant and appropriate as they can be. So first off, I hope everyone is safe and doing well. It’s a great sign that you’re able to take some time now to earn some CE credits, or just some skills, or even just collaborate a bit on some relevant topics while we have some time to do that. In our environment at PayPal, we’re very busy. The market and climate has definitely changed a lot of how we’re working and what our interactions are like.
Meeting with my peers around the globe, we hear a lot of different stories about how, of course, jobs are affected and market changes are causing a lot of impacts to the way we do things. But in all of that, of course, the kind of unity around humanity and the building and maintenance of trust with each other is a key factor that we’re investing in: making sure that relationships continue to be invested in, that folks are feeling as safe as possible, and that we’re making accommodations to meet those needs. So with that said, I’ll launch into a brief background and then get into the material today, and we will save some time for Q&A. I’d love to hear some of your comments about the material as well as some of the thoughts that I’ll share, and would love to hear what your perspectives are and any questions you have. So to give a little context and background on my role in technology: I’ve been in technology leadership for over 20 years and have played a role in both infrastructure and operations functions at large financials, at some small startup technology companies in the past, and then most recently in the fintech sector with PayPal. And so in the technology and security world I’ve experienced a lot of different modes of maturity and levels of advocacy for security, whether it be resistance to risk management philosophies and to what information security and cyber trust or cyber safety looks like in an organization, to full-on support and significant investment. And I know that you guys are coming from different perspectives as well. Some of your organizations will wholeheartedly agree with a security program and the investments needed to maintain and grow a security program. So those kinds of investments are things that we tend to trust as models of operating conditions, and we have to work to maintain them.
And then in many cases, we’re making a business case to try to convince leadership to invest in a particular area of business or a particular expansion into a new market, or even just to manage a basic risk management program. I’m going to pause for one second. I see a note that someone says there’s a very bad echo. Let me see if we can fix the audio, for whoever pushed me the comment there. Can you respond if it’s any better or if you can hear any better?
Peter Schumacher: From what I can tell, Brian, it does seem okay. There is a little bit of an echo, but your audio is in sync with your video now, and I think this is working.
Brian Johnson: All right. Excellent. So, I’ll continue. So, the basis and background of what I want to discuss and present to you is a topic that Gartner has done some research around, and as a component of this, it’s a methodology and framework for developing risk management. What I would like to share is how I’ve viewed, and what my organization and partners have viewed, as a way to implement this into the organization’s practices, including the structure, the functions and the priorities of how to build this into your organization. Some of it has actually resulted in ways that we’ve seen different industry partners shape their organization, maybe even change the structure of teams, and also designate certain roles in an organization that may not have existed before. So I’ll cover some of those during our time together. And then I’ll present to you some concepts that may be familiar or may be new to you. Hopefully it’ll give you some nuggets and some takeaways that you can use in your organization. So I want to ask the question of quantitative or qualitative as it relates to risk management and technology and security risk management. By show of hands, if you can use the raise hand option in the feature on the Zoom call here, click the raise hand option if you have used quantitative risk analysis in your business. In other words, a way of measuring, by quantitative models or some type of statistical analysis, risk measurements and risk management in your organization. We’re getting some hand raises there. Ten. So, so far about 10%. Thanks for the feedback on that, by the way; it’s good to know where you guys are coming from. Okay. So it looks like just under about 10% of you are saying that you’ve used quantitative risk analysis. So that’s good to understand.
So what I’ll discuss as it relates to quantitative risk analysis is new to most organizations, because many of us quite frankly haven’t had a tool or a framework or a methodology to even measure risk in a quantitative way.
Brian Johnson: So most of us have been qualitatively measuring risk, usually by a stoplight report, maybe a red/yellow/green, maybe some kind of an arrow-up/arrow-down indicator, Harvey balls that indicate maybe percent-complete progress or indications of risk momentum. So those things are what we want to look at in combination. So as it relates to a maturing risk management program, we’re going to find that the tools and platforms that we see in the market and the industry are beginning to evolve into a both-and approach. So yes, you should measure qualitatively the risks in your organization and across the company, but you should also measure quantitatively so we can baseline and look for trends and then also measure progress. So as we’re investing in our technology and security platforms and business initiatives, we should be able to measure the difference and the delta and change to risk over time, to be able to prove value back to the business. So a lot of the theme of what we’re talking about is going to be around value to the business, and the business value of risk management is a tremendous focus that we should increase in our business leadership areas too. So let’s advance a bit into some of the approaches and the industry problems that are dealing with this. So when we consider industry challenges in this space, when you think of what kind of environment we live in, it is rapidly changing. So in the sense of things like a worldwide pandemic, or even just in the regular course of business when things get back to normal, if you will, we constantly have new regulations being proposed. And as a regulated entity, if you work in a business that’s either in healthcare or energy or finance or whatever the segment is, you’re likely faced with some regulatory pressure and requirements from regulators or compliance bodies that you’ve got to adhere to.
So one of the things we’re seeing the trend in those segments of regulation begin to do is, more than a test, become more of a proactive and continuous test.
Brian Johnson: So part of the approach of what we’re going to address with this model of integrating risk in your organization is to become more proactive about risk assessments and risk management. And the continuous testing and validation of the controls that relate to risk is one of the tenets that I’m suggesting has to be implemented. It’s one that Gartner strongly recommends as well: to build your program into being a continuous and proactive model. And some of the methods I’ll talk about later in the presentation will cover how we can help implement that. Another one is integrated and automated. So in the fashion of integrating risk management across your organization, it’s often a siloed organization and it treats the data that we get into risk assessments as an adjunct. But what I’m going to propose is that you embed risk management as a practice within business functions, at least in a virtual alignment, and do that in a way that automates processes to gather data, automates dashboarding or KPI and KRI relationships, so that data is collected in a way that can be used in real time, and not just on that quarterly or annual basis, but data that you could pull up on a dashboard at any time and at least have key performance indicators to relate to those risk drivers; and then be able to integrate it into business lines so that your OKRs, if you use objectives and key results, or if you use any model of business goal alignment to risk, are integrated within business plans and actually drive decisions and priorities across your business groups and partners in the organization. The third item here in the approach is to quantify and contextualize, and the key point here is, as we look for risk to be qualitative and we’ll use the red/yellow/green stoplight or arrow up/arrow down, business-speak doesn’t usually understand that over a period of time.
Brian Johnson: So it’s good to catch attention, and you’ll go in with a report, or oftentimes if you’re managing risk from the perspective of a compliance team or a technology organization, you present risk in a way that sounds scary and say, “Hey, this is a really bad area that we need to focus on.” But quantifying risk in the way of business impact is going to deliver a much more sound message that will persist, so you can prove value over time, as opposed to “we went from red to orange” or “we went to a little amber” kind of shaded variant. And then we start to play qualitative discussions, and I’m sure some of you deal with the same topics where you’re trying to pick a model analogy to communicate risk. Doing that in a purely qualitative approach doesn’t always convey the right message. So contextualizing it by business might look like something more along the lines of: if your payment services app, or your transaction app that’s doing transfers with a bank or with a healthcare provider, loses a partner-network SLA. Let’s say you’ve got a service level agreement and contractually you’ll lose $10,000 an hour for every impact, whether it’s a service impact or whether it’s downtime, loss of productivity of the customer, or whether it’s an impact because of fines and sanctions from a regulator. Those become contextualized by business service and quantified by dollars, or by local currency, to the business, and can be unitized to the point where you can measure risk as a component of the business value and measure back the business value of risk in the way of real hard dollars or savings and bottom-line savings. So cost avoidance and a model of contextualizing risk, to be progressive in decision-making, needs to be contextualized and quantified.
Measurement and accountability is something that we would see driving more improvement across the industry, but you’ll see a lot of the committee structures oftentimes are not measuring and holding accountable the deliverables, because most of the time they aren’t holding an OKR, or objective-and-key-result type of assignment.
Brian Johnson: So I’d suggest, and this is again a best-practice model, that organizational leaders not only understand and participate in the process of setting what goals they have established for key risks and for measurements of risk in the organization, but that they’re held accountable to those through some type of format of leadership accountability or committee oversight, and that your oversight structure would play a role in making sure that the organization leaders and department domain owners are actually managing to those risk reduction goals. One thing again on this topic of measurement and accountability: if your organization or enterprise hasn’t adopted lines of defense, that’s a model we’re seeing a lot more traction in over the years as it’s evolved, and I’d strongly encourage you to consider the three lines of defense model. The approach to three lines of defense is that you’ve got first-line technology and product and functional organizations. Let’s take the CIO organization that may be delivering corporate services to your enterprise, and the corporate services team is responsible for ensuring that your messaging system, whether it’s email delivery or your mobile applications, is all delivered and working properly. That team is considered a first-line function. And in the designation of their role and ownership, a first-line function is responsible for managing their own risk goals, measuring their own delivery, and then their engineering and operational functions of supporting it. As a second-line organization, oftentimes a risk organization will then play oversight to manage and maintain the definition of those thresholds, to define the risks and the objectives in an OKR kind of model, and then to oversee traction and progress against those that align to business goals.
So your first-line function of delivering and operating technology and risk ownership at a functional level then reports up into the second-line organization as an oversight function, to ensure that there is a separation of duties and an accountability and delivery structure that’s maintained, and that the business is then aligned with the overall strategic goals.
Brian Johnson: And your third-line organization would be internal audit, external regulators, maybe third parties that you bring in to do testing and assurance functions, whether it be in a HIPAA assessment or a PCI assessment or whatever model in your industry you fall under. The third line of defense is considered the tertiary oversight function that’s then validating that the scope of controls and the validation of those methods and approaches that you’ve adhered to are being tested appropriately across the second line and are being delivered and meeting commitments as a first-line organization. So again, for measurement and accountability, if you haven’t implemented a third line of defense model, it doesn’t have to be an overly bureaucratic model. It could include just a small group of 10 or 12 people in a mid-size company, but designating them within those roles helps to delineate between their objectives and the separation of duties of those functions to manage goals and oversight functions. And then fifth, but certainly not last, I’m a strong advocate that of course companies remain compliant. But compliance must be an outcome, not an objective. One of the most significant faults that we’ve seen across the industry is the assumption that a compliant company is a secure company and that a compliant company is a managed company. And that’s just not true. Every breach that we’ve seen in recent years has been of a compliant company. Rarely have you seen, well, Equifax failed their PCI assessment. Of course, that didn’t happen. You don’t see that an SSAE 16 audit was failed by a company just before they were breached. Compliance does not measure the level of security. It of course ensures adherence to a base level of controls. But you should consider compliance as a function that the teams, especially second-line organizations, measure as outcomes.
We are doing a pentest program as an example, and the pentest program will produce outcomes that contribute to the report that the compliance organization is looking for.
Brian Johnson: But if you set compliance as an objective, then you’re focusing on a bar that’s set by an industry-level expectation that isn’t necessarily appropriate for your business risk. So contextualizing business risk is something that you have to think of as a scope of responsibilities, to say that our outcomes of testing, our outcomes of oversight functions, will be delivered as a result of our test. But your test scope can be more comprehensive than that. So don’t limit yourself, in other words, to a compliance-driven program if you can define those as outcomes. All right, I’ll pause there for a second and advance to this topic of, again, the industry challenges. So now, why do we care about performing risk management? What is it that we’re looking at for regulatory compliance, and why is this something that we need to work on? Of course, as I mentioned earlier, regs are increasing; we’re seeing the increase of regulations in data privacy. We see that in the way of assurance of even vulnerability management programs that are being tested against compliance levels. And if your company is global, you’re seeing that in a significantly diverse fashion; sometimes regions even identify data types differently. So as regulations increase, we’ve got to adapt our risk models and our risk approaches to the business. Measuring risk isn’t easy. It’s certainly not an easy process to measure the risk to your business. But it’s absolutely necessary that we measure risk, and that we measure it in a way that can again quantitatively show progress. Integration is key. So putting it in the business and embedding functions within each of the business units or lines of business that you support is not an easy process, but it’s something we must figure out how to embed so that it’s relevant.
So that a risk management function doesn’t appear to be some ivory-tower approach at measuring something that functional organizations would dismiss as irrelevant, or just a checkbox function that certainly won’t advise the business on priorities and help with an oversight function.
Brian Johnson: And the market potential and timing of what our businesses are faced with is tremendous, of course, meaning that our businesses are faced with challenges in any industry and market with ensuring that we’re risk compliant and risk adhering and measuring risk. So, this is going to be an eye chart, but we’re going to camp on it for just a minute. I’ll pause and let that load. And I’m going to sit on basically the view of what Gartner has proposed; they call it the CARTA model. And the CARTA model is an approach that’s been documented as a view. And this view is to be continuous and adaptive with risk and trust assessments. So what this is really addressing is taking what we’ve built in a lot of organizations as a functionally siloed model. And functional silos are where we’ll have a team, maybe there’s two folks doing scanning of vulnerabilities and two folks doing issue management and two folks doing architecture, or maybe there are multiple hats in small and medium-sized businesses. You may have an architect that’s also playing a role as the technologist that’s also doing email. In any rate, defining the roles of those people as part of a risk organization has to be done from an adaptive and risk-centered approach. And what that means is, unless we define what the business risks are that people’s work is actually aligned to, then it’s going to be difficult for them to understand how their work contributes to the greater cause or the greater good of the company. And so wearing that hat of a risk manager, we’ve got a responsibility to ensure that they’re not only risk-adapted to the business, but that we’ve also got a view of what the business risks and the key business drivers are in the organization at any time. So in the sense of defining this risk-centered approach, what I’ve kind of adapted from the CARTA model is a four-pronged approach, and here’s the way I articulate it.
Brian Johnson: If we build information security and technology and break it down into its sum-total pieces, we have a risk management, a compliance management, an enforcement and a strategic function, and those again may be scaled in your organization to two or three people, or may be expanded in large enterprises to two or three hundred people. The fact is, we’re still performing these functions as a part of risk management. So consider this: if you’ve got a risk manager in the organization that’s defining and measuring risk and saying here’s our business risk, and a list of those, maybe a top 10 risks that we’re measuring against, if their function doesn’t tie to compliance in a direct way, then what happens is the compliance team often goes off and builds their own compliance program, and then the enforcement function, or governance or oversight, or maybe it’s a technology governance function, is off building their own process and delivering their own results. And then the strategy team is coming up with a three-year roadmap on some cool tech that they’d like to deploy. And strategy is often more a result of business drivers and long-term emphasis on technology evolution than it is about managing risk. So what I’m proposing, and this is something that again I’ve adapted from a Gartner model, is that we take a different approach to managing risk as integrated. And that integrated, risk-centric view says: I want the risk management team to measure and prioritize risk while feeding their output to a security assessment team. And that means that if they’re going to go in and measure an organization’s risk appetite and measure what the risk thresholds are, and they’ll say the risk of data breach is really high, then the security assessment team should take its priorities from the risk team’s assessment. And a security assessment team might be a pentest team.
It might be a third-party team that you bring in to do penetration testing or some type of technology assessment. And they should take their cues from a risk assessment. And that risk assessment is then measured and prioritized against, again, a business goal, aligning to the business appetite and forecast.
Brian Johnson: And that test program will then quantify outcomes. They’ll provide their control assurance and say we’ve measured four priority-one incidents, we’ve detected two priority-two incidents, and we’re indicating this as a vulnerable environment. That then feeds into, of course, compliance and governance. And this function or framework of building an adaptive risk process really helps inform each of the teams along the way, so that you maintain a risk-centric approach through the security assurance, the governance functions, your enforcement or your issue management team, and then all the way into feeding into strategy. And the function of strategy then has to say, if we’re going to write policy, and let’s say the organization is small and you have one policy for technology, oftentimes that starts with something like end-user management: if we’re going to say the acceptable use policy is that people will use email and internet for business purposes, and you define some criteria around that, that strategic direction or the policy driver is rarely informed by the risk that’s been measured through test results. It’s usually an aspirational goal: we’ll write an AUP or we’ll write an IT policy out of an obligation. So we tend to draw the line, if you look directly across at a horizontal level, we tend to draw the line of compliance and strategy as the key indicator of what should be in policy. What should our strategic direction be? Well, let’s look at what compliance obligations are. And my argument is that it should be more than that. It should also be informed by what we’ve built into a governance function, issue management feedback and output, and then prioritized and vetted based on risk assessments. And for risk assessments, again, you can use a spreadsheet or a back-of-napkin approach, at least to start with.
But as long as you can say we’ve measured a business risk, we can quantify outcomes, then that will inform each of the test driver plans, the enforcement of issue management, and then the strategy team is going to build their policies and their assessments of how to write policy or how to drive a roadmap against those objectives, and out of the value that comes out of test results and governance functions.
Brian Johnson: So, I’m going to sit on that for just a second and then also cover this point. So, as we look at building a function of information security and risk management programs into the organization, again, if you’re thinking about how to start, this looks like a lot to chew on, but if you’re thinking about how to start, I would start by defining objectives and key results. I would say: so what are the objectives of the organization that we’re looking to achieve? If it’s expand to a new market, or even if it’s retract out of a market, we want to measure the key results out of that in the form of risk and key risk indicators. So in a lot of climates right now companies are thinking, if we’re going to downsize or if we’re going to reduce a function in the organization that’s delivering a product, that needs to be risk-assessed as well. So while we think of risk management as usually managing ongoing operations and expansions, I contend that risk management is a part of the life cycle of any business, whether it’s expansion or downturn, and when we’re thinking of downturn options, managing risk management decisions into those executive considerations is just as important, if not more so, than when we’re expanding or we’re maintaining existing operations. So those key risk indicators might be something to the effect that, as we turn down business, let’s ensure that we’ve done a validation of data movement, of data destruction, of access offboarding, of all the key functions that you would build into what would present potentially brand impact or data theft, loss and impact to a business by some loss-of-record quantification you might build. And that approach is going to give us again a more holistic, business-facing view of what the business risk is that we want to make sure executives make decisions including, and assuming the business risk and measurements that we provided.
So the other part that I would say is in the compliance assessment: if we’re up-leveling policy, we’ll often see that a policy will be built, written and left in place for a year or so.
Brian Johnson: Part of the adaptive model is using policies, and they don’t have to be so in-depth that you’re writing 20 policies, but even just two or three policies written in an appropriate way should be on something like a quarterly update cycle, or even updated and informed based on inputs from all teams. So a policy revision process, if you’re writing a policy for the first time, would include of course a key stakeholder from each of the functions. Is there a leader from the risk team or a representative analyst? Is there somebody from a testing team that can highlight the gaps that they see in control failures? Somebody from compliance to represent regulatory and required components to your policy. And then how does the function of issue management and strategy fit into the policy writing, as kind of the encompassing view of “and here’s how we’re going to make sure you enforce policy”? So it’s written in such a way that we can measure it, and the strategy team is getting a future benefit out of a direction that will give you a projected goal, and the policy is written to actually move your control state forward, not just draw adherence to what we would consider a baseline-level expectation for policies. So those are some components that I would just highlight as you’re thinking about rolling out a risk management program. Let me also address those topics. So I think I saw a question I want to interject on and answer in real time, actually. So Bob Shaw asked about covering items that are mostly aspirational for a lot of companies, and quantification of it. Risk quantification is again something that is built into not only the function of an organization’s DNA, as we’re saying, but it’s also something that can be measured by a repeatable process that says we’re going to build a quantification model. And that model may say that we’re going to measure risk of vulnerabilities, and vulnerabilities might actually have an associated score.
Brian Johnson: And if that is, we’re going to build a, you know, a score of vulnerability management and weight that. Let’s take the Equifax breach as an example: vulnerability management might have a weighted score of 40% of the risk of the integrity to the environment or of the impact to system availability. Um, measuring that in a way that you can quantify risk is saying that we can take that risk and articulate it in a scoring system. So, if you start with a 1 to 10 score on that risk, then you draw down risk by adding up or accumulating a sum total of those scores, whether it’s vulnerability or access, taking something like the NIST CSF framework or taking a model from ISO. Um, though there’s some great tools that you can model and weight the way of measuring security domains, and I would associate those into an objective risk, and that score or objective risk format is derived, or it’s actually added up, from the control that you’re measuring. So if you take a vulnerability score and you build a model that says I’m going to take all the outstanding vulnerabilities, measure them against an SLA, and say how long does it take us to patch those, then quantify a score and say, um, you know, on a scale of 1 to 10 or 1 to 100, however granular you’d like to deliver that score. Then I’m going to measure that score of vulnerability management and associate it then with the risk. And in your business, it may be the risk of availability loss. It may be the risk of, um, service resilience if you have a contractual obligation to deliver service time, or it may be a risk of a data breach and business impact for brand. You associate those controls, like vulnerability controls for scanning, for patching, for remediation and configuration. And you associate those controls into the risk and roll them up into a sum total.
Um, and tools that you’ll see on the market that relate to those will begin to evolve as we see more and more advancements like prevalence making.
Brian Johnson: You’ll see that the assumption of those controls and the quantification of risk will start to derive into a model that you can adapt into your business and build that in a way that helps you manage controls to risk mappings to then a business risk threshold. And the view of measuring progress is a lot simpler to convey when you’ve got an actual set of objectives that you’ve defined and a way of measuring and monitoring risk against those. So, I’ll pause there. I think, um, you know, this is probably a good point, even though I’ve covered a lot of material there. Um, let’s see if we have any questions. Peter, are you still on the line?
Peter Schumacher: I am. I’m still here. And, uh, we do have a few questions that have come in. I do encourage everybody to, um, type your questions in the Q&A section there at the bottom. But in the meantime, uh, the ones that have come in, let me read a couple to you. Um, oh, let me launch a poll in the meantime. Let me just have this up on your screen. All right. So, if you don’t mind answering that polling question while we go through a couple questions, uh, I’d appreciate it. So, uh, the first one here is, um, how does third-party risk management continue to provide business value? And then, uh, the second part of that question is, how can you use that to then get funding from your board?
Brian Johnson: Excellent question. So, you know, third-party risk management as a function of our risk management programs has become not only, as we migrate to more SaaS providers or more cloud providers, um, but it’s this, um, interesting space of almost, um, ignorance is bliss at times. We tend to take third parties for granted, and their controls, and yet we’ve seen repeatedly the risk from third-party providers, um, that we’re not measuring often enough. And as the vendor management aspect of life cycle and vendors, of, uh, measuring the risk of those to our business, is more associated with the business functions, we’ll see that, whether it’s a cloud provider or a payroll provider or whomever else, measuring risk on behalf of the third-party integrations to your business has to be contextualized within your business impact. Right? So in other words, a payroll provider may impose a small risk on one company and a more significant risk on another. So quantifying that in a way that you weight, back to the scoring and weighting, um, will give you then a view that you can take as a dashboard, as a heat map or some chart, and offer that up into, um, you know, when you consider a board-level presentation, into a view that says third-party risk must be part of an investment plan. And whether it be staffing or controls or tools, the cost of investing in third parties has to assume that the risks that we’re weighing, that the validation of what those third parties impose as risk to our company, cost. And buying down risk is that we’re either going to accept the residual risk of that third party imposing a high risk, um, you know, to the business, or we can invest in controls and buy down that risk and articulate that in a way that says, you know, buying down risk from a high-level severity into a medium level might be by putting additional controls on or running additional assessments against third parties.
Um, not measuring, of course, is not an option, because not only do we impose risk that’s then, um, inherently not understood or not measured, but then the board is holding accountable to whom, with what visibility, and we leave a lot of gaps in our leadership oversight. But we’ve often seen in the industry where taking third-party assessments and vendor management risks and rolling those into a board-level report with quantifiable scores is going to drive a lot of attention and a lot more appetite for a CFO or COO to say, how can I buy down risk? If you’ve articulated risk in this area, the second question we have to come in with an answer to is, and how do I buy it down? What’s the alternative and the solution to that? And a buy-down might be that we’ve looked at other providers. We might actually look for other third-party vendors that have a lower inherent risk, and we may consider that as an option in our program, or we may just say we’re going to accept this risk but at least understand and measure it, or we may implement additional controls. There may be a discussion with the provider. We’re going to ask you during the next renewal process to uplevel your audit access, your assessment plan for us. You’re going to give us an additional control or tool or suggest something to give us additional assurances around data protection, access restrictions, whatever the model is that we’re trying to provide for third-party assurance. But I would provide that in a way to the board that again is as quantitative as possible and with solutions and proposals for alternatives too.
Peter Schumacher: Interesting. Yeah, I find the buy-down of risk to be a fascinating topic, and I know you could do an entire webinar on that. Um, we do have a couple other questions that have come in since. So, let’s go to, kind of on the same topic here: what specific risk event areas do you suggest including in your quantitative analysis, uh, to measure risk and prove the risk management program value to business? I think you can probably see that question there.
Brian Johnson: Yeah, great question, Rob. So, I think in the sense of measuring those specific risk event areas, you’re looking for things like, you know, financial loss. There’s a list of those actually, if you look across, um, and it depends on your industry, but industry specific, um, you know, healthcare has one, energy has one, tech, so a lot of those frameworks for risk events will be articulated specific to your industry. But at the general sense the risk events are, generally speaking, um, you know, financial impact, brand impact, um, you know, regulatory impact and fines. Um, you know, if you’re looking for an industry-specific impact, then you can quantify based on what you know those sanctions or cost-per-record types of impacts might be. And then what I would consider, and I didn’t dive too much into it because I wanted to save some Q&A time, but threat management and the threat assessment part of risk is an interesting view that you can start to look at as well. And that would be something, if you’re looking for, um, if you look at NIST, if you just, uh, you know, Google NIST CSF, the cyber security framework defined by NIST will actually give you a list view and relate the controls with the risks, and you can then articulate a risk view. Gartner has a great article on how to define risk management and risk scorecards for your business as well. Forrester has one too. Um, I’m very, uh, very encouraged, though, by the fact that business risk discussions and the terminology around risk are starting to mature quite a bit. Um, there’s in fact, um, for those that are related to DoD or energy or, excuse me, or government contracts, you’ll see the CMMC. Um, you can actually Google CMMC, and it’s on the gov portal.
There’s a view for, um, FedRAMP and for, uh, requirements for minimum level of maturity assessments, and they actually articulate a framework that they derive from NIST and from ISO and from some other standards that gives a really great view on cyber security and risk management, uh, maturity levels. And they’ll designate certain things: if you’re in the government entity or in the sector of defense, you’ll see a lot of those defense contractor expectations increasing the requirements for maturity assessments, and those maturity assessments are made through risk assessment. So I would strongly encourage those resources and tools too.
Peter Schumacher: Thanks, Brian. Um, let’s see, next. So this one’s interesting. I don’t know if you’re going to have a good answer. Um, it’s: how do you address the forward-looking risks due to the COVID-19 pandemic, when most risk-based assessments are based on historical data? So, um, get out your little fortune-teller ball and let us know, Brian.
Brian Johnson: I mean, I’ll avoid any of the economic or political projections, but I would say that the business risk measurements, um, should never, and I know this is a utopian world, but they should never be a surprise to your business. In other words, with appropriate contingency planning, with appropriate business risk assessments, your plan should be built to accommodate for business flex up, flex down, um, continuity planning, uh, alternate workforce environments. Now, of course, a large enterprise has in doing that. Um, you know, large enterprises that, uh, we have absolutely have, um, the capability and the breadth to manage those employee continuity plans. But I’ve also worked with some small business owners and medium business partners and peers of mine and some friends that just run small businesses that have also done the same. So if you implement a quarterly assessment of, like, how do we make sure our employees can connect remotely if the building blows up, right? Or if the sites are not available. Building those continuity plans into your business plan will then give you the risk-forward assessment. So the forward-looking risks after the pandemic, um, are looking a lot more interesting, because, I mean, you know, in some cases businesses, I was trying to shop on Walmart the other day, and I mean this is no knock on Walmart, I’m a big fan, but just trying to shop on walmart.com, my wife told me yesterday their website’s unavailable. I go, that’s interesting, because, you know, you can try to go into the store, and then you’re limited to the number of people. Um, but website planning is something that, when you think of capacity allocation, businesses that are now going online as the majority, where it used to be kind of a secondary, haven’t planned on that kind of growth.
So some of those forward-looking adjustments are now taking the model of going, what happens, and the what-if scenarios: what happens if our three-year assessment that we’ll move shopping to 25% checkout online, what if that happened tomorrow? Asking those interesting questions will at least get you scenario planning. So, Patrick, to answer your point as closely as I can, I would say tabletop exercises around those forward-looking risk assessments would look like taking a projection and reversing it backwards. So, what if we grow by 50% in three years? What if we shrink by 50% in three years? And then modeling those on six-month intervals. So, if we look back and we say, what did the industry plan on doing over the next three years? In some cases, in most cases, businesses have seen the inverse of what their plans looked like. And so, how often do we plan for downturns and assess risk around contingency planning? Okay, if we’re not doing that as an active course of business, um, I would say that the forward-looking view on how we look for risks forward is going to look at those models: how will we plan for staff reductions, what will we look for in expansion, are there acquisition opportunities in this market where some companies are valued really low that our business may be pursuing, and what kind of risk would that expand to us? Or are we looking at shrinking and reducing footprint and measuring risk based on those decisions that the business will make? And all of those scenarios, um, should at least be documented as a tabletop. Play through a tabletop exercise, throw the three-year road map out, consider what if it happened in three months, and then reverse it back the other way. What would happen if we reverted back to year-ago business, and what if that happened in the next three months? And those, to me, just, it’s easy for me to kind of deal with threes.
Three years ahead with a three-month acceleration option, three years behind with a three-month acceleration option. Maybe that gives you some scenario-planning constraints.
Peter Schumacher: Good advice. Um, a couple more questions here. We’ve got, let’s see what time it is. Yep, we’ve got a little bit of time. So, um, let me skip to this one. Um, and it’s along the same lines, but what do you think regulators will be focusing on, uh, later this year and into next year for third-party risk management? Do you think regulations will change at all, or will they? What’s your insight on that?
Brian Johnson: Yeah, we’ve already, actually, in some of the discussions I’ve had with, uh, folks in the regulator communities and such, we’ve already seen a dramatic shift in regulator attention around third parties. Um, we’re already starting to ask questions about what were your contingency plans, and it’s a part of every discussion that we’re having at executive- and board-level topics. Um, and your plans around third-party dependence, business resilience, and business reliance on third parties are significant parts of your business plan now. So we’re seeing that regulators are of course taking attention, um, taking note of the fact that our dependence as businesses heavily relies on third parties. The capacity models, the reliance on their availability of resources and people to deliver, and supply chain, um, have been significant areas of focus. So measuring risk on third parties, I think, is, and truly isn’t just a genuine sale. It couldn’t be more important and critical to a business planning process because of the fact that we’re seeing such knock-on effects, um, as to downstream suppliers, um, upstream delivery partners, distribution and logistics networks. It’s, you know, a stark contrast to what problems we used to. Um, unless you’re an Amazon, right, or, you know, a Netflix, you’re looking at the business from a completely different model and a different light on how we’re delivering services with our providers and if our providers can meet the demands, through a third-party lens that says, um, hey, third party, tell me what would happen if business increased 50%. What are your capacity thresholds, should your reduction of force impact us? And what are the SLAs that I need to make sure are included in contract? And the contractual obligations around those SLAs will then hopefully give you an insight into what kind of risk-based decisions you make. You have a contingent contract, uh, with another provider.
Maybe you’ve got a backup option that you can deliver, um, services or capabilities through, and you build a test site. And one thing we’ve done at times in different companies I’ve been at is at least have a party that’s kind of your contingent third party, where you at least have a relationship, you have them on standby, or you host one function on that site so that you have them ready and are able to deploy services to it. But yeah, it’s certainly, you know, a significant change in both the regulatory landscape as well as just what we’re seeing from compliance and regs that will increase in the next year.
Peter Schumacher: Interesting. Um, time for two more questions, I think. Uh, and this one again, feel free to punt on, but, um, what does PayPal currently do to manage third-party risk? And I understand if you can’t discuss or prefer not to.
Brian Johnson: Yeah. I apologize, Tony. I’m not actually at liberty to discuss that in this topic or this forum. I’d be glad to in a peer forum where I’ve, uh, you know, kind of queued up the topic, but I would just say, you know, assume at an enterprise level that, you know, the things that I mentioned today include, you know, a holistic view with a lot of levels of risk management and appetite definitions built into the programs.
Peter Schumacher: Fair enough. Uh, so next question. How to avoid risks when we share data online these days, um, through any mode, specifically when there is no other option?
Brian Johnson: One thing I would just answer, and, Ponita, I’ll just, um, directly state first off: we can’t avoid risk. There’s just no risk avoidance. The only way to really avoid risk is, like, the most secure computer is the one that’s shut off, um, and even then there’s risk, right? So I would say avoiding risk when you’re sharing data online is more about mitigating and managing risk, and that’s measuring different methods of data sharing agreements through, you know, whether it be through encryption or tunnels of sharing, uh, through secure channels. I’ve seen, though, and especially in the last six months I’ve seen a lot of providers, um, whether it be through Office 365 or Gmail or, um, or even, of course, data providers that we contract with, that there’s an increased, um, amount of options and flexible capabilities within data sharing offerings that will allow for a secure data socket, or for a, you know, give me an encrypted email method, or if you’re doing a stream of data and sharing data with third parties through that method, there’s a significant, um, amount of new features and new capabilities available on the market now to encrypt and manage data through key-based encryption and management options. So at a technology level, um, the options have grown significantly. At an organizational level I’ve seen, even with, you know, Salesforce and Workday and a lot of others, they’re all upleveling their game on data sharing and encryption and capabilities of managing data. So, as it relates to a third party, if you’re saying, you know, I’m going to send data to ADP, I’m going to send data to my supplier and make sure it’s secure, um, those options are plentiful. Um, secure data delivery options, um, are hitting the market at, uh, a much higher rate with industrial strength and with ease of implementation.
So, I would say that your data sharing agreements, your third-party agreements, must include classifications of data. You know, use a data classification matrix and define whether I’ve got class one, class two, class three, class four. Use some data classifier and describe what the types of data are for each of those types based on your business. It might be that public health information is a class in your classification matrix. And then that matrix drives what requirements and what controls you’ll enforce with the third party. And you establish those in your contract and ensure that the data exchanges, and then oversee and test those, of course, to make sure they’re adherent with your policy, but define those in policy with your third parties. Measure them as part of your questionnaires. Get data and feedback through the product to manage third-party assessments to ensure data security standards are met within your classification and definition of data exchange. And then do routine auditing of that. Um, quick sample checks, even ask them to attest to it at times if you can build that into your contract, and then have your team or yourself ask for samples to validate that and measure changes as you need to what tools and solutions you implement between them. But I’d be really surprised if any third party doesn’t offer the option, with, um, confidential, with, uh, you know, proprietary data, or certainly with sensitive-level, uh, information, a secure data exchange option, um, and if they don’t, I would of course look for another provider.
Peter Schumacher: Good advice, thank you. Not the look-for-another-provider part, but, uh, the overall answer there, a lot of good advice. Um, so I think final question here. Uh, it’s a good one, I think. Uh, if you are part of a business that has heavy reliance on third parties, would you consider third-party concentration risk as part of your top strategic risks? If not, how would you address such risk, and would you lump it in under another risk category or have it as a standalone risk category?
Brian Johnson: Yeah. So, great question. Um, and I would say that the third-party risk category in most businesses is a top-level category. Um, third-party risk is related to, of course, a lot of other areas in business, but as a third-party risk management function, it is very often related as a topline, um, you know, even board-reported level risk item, and so managing third-party risk is not shrinking. I don’t think anybody’s business is dependent less on third parties today than we were 10 years ago or five years ago. So as the amount of dependence on third parties increases, the amount of diligence and control requirements and validation of those risks has to increase as well. So it’s, you know, in one argument, when cloud started to become a popular topic and people would say, “Hey, cloud is just somebody else’s data center and everything works the same.” No, it’s not. Um, you know, no third party, no service provider is doing business the way you would do it if it were in-house. So, the controls have to adapt to that, and the risks and the quantification of risk to your business have to adapt to those risks. You don’t necessarily have the same impact of a third-party outage or a third-party resource unavailability, or a strike or an employment, um, you know, problem or litigation against that third party isn’t going to be reflected in your own core business. So you have to manage those risks in a unique way, to represent that the third-party risk, while it becomes a more significant part of your business, is measured and quantified differently and uniquely as a third-party risk assessment team.
Brian Johnson: Thanks for that question.
Peter Schumacher: Good point. Good question to end on. Um, I’m going to end polling here, and thank you so much for joining us today. Thank you, Brian, for all the insight. Um, a reminder that we are recording this session, and we’ll be sending that out, uh, by the end of the day tomorrow. So, thanks, everyone, for joining. Enjoy the rest of your day, and we’ll see you on the next webinar.
Brian Johnson: Thanks, Peter. Thanks a lot.
©2025 Mitratech, Inc. All rights reserved.