As part of our Venminder Thought Leadership series where we speak with the industry’s sought-after thought leaders for their perspective and advice on third parties, mitigating risk, best practices, trends and more, I had the opportunity to speak with Keith Koo, Founder and Managing Partner of Guardian Insight Group. Guardian Insight Group is a technology risk advisory firm dedicated to identifying, assessing, controlling and mitigating risks associated with doing business between clients and their third parties.
Keith has an extensive background in third party risk management. He was previously the Managing Director and head of third party risk management for the Mitsubishi Financial Group where he was responsible for ensuring the bank had the proper framework, policies and controls to meet regulatory standards for effective oversight of third parties and vendors. In addition, Keith is the creator and host of Silicon Valley Insider radio show and podcast.
Keith Koo Interview Highlights
During our time, we covered:
- Third party risk management team qualifications
- Cybersecurity risk
- Outsourcing risk
Be sure to check out the full interview here.
Qualifications for a Third Party Risk Management Team: What Do They Look Like?
The opening of our call was surrounding third party risk management team qualifications. Throughout our tenure, Keith and I both concur that we see the following as some of the skills you’re looking for in someone on the team:
- A full understanding of SOC reports
- Is well-versed in business continuity planning and disaster recovery
- Has a strong working knowledge of financial reports and how to perform an analysis
To be clear, those are just a few of the skills you’d like someone to have. This will make them a strong asset to your team but, as one can imagine, it’d be quite difficult to find one person who has all of this knowledge. For this very reason, you need to hire multiple people with many different skill sets and backgrounds.
Additionally, not only do you want someone on the team who has the educational background in third party risk, but you also want someone who has been in the trenches Keith shares.
“Somebody who can read the regulation around third party oversight, that's all great. But what about somebody who's actually been in the trenches with the vendor on constructing a statement of work and what happens when that complexity arises, and there's 800 statements of work? You really need to have that skill set that somebody who knows how to manage the function itself.”
It’s important that somebody have both the expertise and experience regarding what to do when you come across unanticipated vendor hurdles.
Cybersecurity Risk: Can It Ever Be Defeated?
In short, cyber risk can’t be solved for, says Keith. In his opinion, cybersecurity can’t be defeated because of a few factors but simply put, the financial incentives are too great, and the cost is too inexpensive for hackers to access sensitive data. This makes it extremely important to have strong incident response plans and reporting. Testing and follow through needs to be implemented in order to be as proactive as possible.
Regulatory Reform and Outsourcing Risk
“The whole point of why we have third party risk, which was originally vendor risk to begin with, is the regulator is saying very bluntly, that you can outsource the task or activity, but you can't outsource the risk,” said Keith when discussing regulatory reform.
Keith does not feel that there will be any third party risk management relief even if reform occurs. Since you can’t outsource the risk, he feels that the burden will only become higher as the regulations increase.
A Thought to Take With You
Keith ended our discussion with a conundrum that I’d like to share with you. His question for all third party risk individuals is this, “With the introduction of decentralized technology, like blockchain, how do you account for third party risk?” It’s an interesting challenge that will only continue to get more complex.
On behalf of Venminder, I would like to extend a thank you to Keith for his time and participation in this series. It was a very impactful conversation.
Stay on top of the State of Third Party Risk Management in 2019. Download the whitepaper now.