
Third Party Risk Thought Leadership Discussion with Silicon Valley Tech Guru

Jan 28, 2019 by Branan Cooper

As part of our Venminder Thought Leadership series where we speak with the industry’s sought-after thought leaders for their perspective and advice on third parties, mitigating risk, best practices, trends and more, I had the opportunity to speak with Keith Koo, Founder and Managing Partner of Guardian Insight Group. Guardian Insight Group is a technology risk advisory firm dedicated to identifying, assessing, controlling and mitigating risks associated with doing business between clients and their third parties.

Keith has an extensive background in third party risk management. He was previously the Managing Director and head of third party risk management for the Mitsubishi Financial Group where he was responsible for ensuring the bank had the proper framework, policies and controls to meet regulatory standards for effective oversight of third parties and vendors. In addition, Keith is the creator and host of Silicon Valley Insider radio show and podcast.

Keith Koo Interview Highlights

During our time, we covered:

  • Third party risk management team qualifications
  • Cybersecurity risk
  • Outsourcing risk

Be sure to check out the full interview here.

Qualifications for a Third Party Risk Management Team: What Do They Look Like?

The opening of our call centered on third party risk management team qualifications. Throughout our tenure, Keith and I both concur that we see the following as some of the skills you’re looking for in someone on the team:

  1. Has a full understanding of SOC reports
  2. Is well-versed in business continuity planning and disaster recovery
  3. Has a strong working knowledge of financial reports and how to perform an analysis

To be clear, those are just a few of the skills you’d like someone to have. This will make them a strong asset to your team but, as one can imagine, it’d be quite difficult to find one person who has all of this knowledge. For this very reason, you need to hire multiple people with many different skill sets and backgrounds.

Additionally, not only do you want someone on the team who has the educational background in third party risk, but you also want someone who has been in the trenches, Keith shares.

“Somebody who can read the regulation around third party oversight, that's all great. But what about somebody who's actually been in the trenches with the vendor on constructing a statement of work and what happens when that complexity arises, and there's 800 statements of work? You really need to have that skill set that somebody who knows how to manage the function itself.”

It’s important that somebody have both the expertise and experience regarding what to do when you come across unanticipated vendor hurdles.

Cybersecurity Risk: Can It Ever Be Defeated?

In short, cyber risk can’t be solved for, says Keith. In his opinion, cybersecurity risk can’t be defeated because of a few factors, but simply put, the financial incentives are too great and the cost is too low for hackers to access sensitive data. This makes it extremely important to have strong incident response plans and reporting. Testing and follow-through need to be implemented in order to be as proactive as possible.

Regulatory Reform and Outsourcing Risk

“The whole point of why we have third party risk, which was originally vendor risk to begin with, is the regulator is saying very bluntly, that you can outsource the task or activity, but you can't outsource the risk,” said Keith when discussing regulatory reform.

Keith does not feel that there will be any third party risk management relief even if reform occurs. Since you can’t outsource the risk, he feels that the burden will only become higher as the regulations increase.

A Thought to Take With You

Keith ended our discussion with a conundrum that I’d like to share with you. His question for all third party risk individuals is this: “With the introduction of decentralized technology, like blockchain, how do you account for third party risk?” It’s an interesting challenge that will only continue to get more complex.

On behalf of Venminder, I would like to extend a thank you to Keith for his time and participation in this series. It was a very impactful conversation.



Written by Branan Cooper

Branan Cooper is the Chief Risk Officer at Venminder. Branan has nearly 30 years of experience in the financial services industry with a focus on the management of operational and regulatory processes and controls—most notably in the area of third party risk and operational compliance. Branan leads the Venminder delivery team as the third party risk management subject matter expert in residence. Branan also serves as an industry thought leader. He's a member of InfraGard and the Professional Risk Management Industry Association (PRMIA). And, he was selected in 2018 as an advisor to the Center for Financial Professionals (CEFPro) and board member for the Global Sourcing Resource Network (GSRN).
