youtube icon linkedin icon mail icon
Login Get Paid Blog Resources
Who We Serve
What We Do
Vendor Risk Management

Vendor Risk Management

Vendor Verification

Vendor Verification

Vendor Onboarding Software

Vendor Onboarding Software

Vendor Fraud

Vendor Fraud

Vendor Compliance

Vendor Compliance

B2B Electronic Payments

B2B Electronic Payments

Why Trust Us
Resources
Case Studies

Case Studies

Real-life examples of how organizations use PaymentWorks to improve compliance, reduce workload, and add value. Stuff to Watch

Stuff to Watch

Library of short and sweet videos featuring product demos, customer interviews, and sessions with experts. Podcasts

Podcasts

The perfect way to geek out on all things vendor management, and get tips from our guests, partners, and customers. Vendor Management Appreciation Day

Vendor Management Appreciation Day

Dedicated to celebrating the unsung heroes of vendor management and up-leveling your strategy. Events

Events

We go places. We do things. Join us!
Partnerships
About Us
Why We Built This

Why We Built This

Read the story of how PaymentWorks came to be. Who We Are

Who We Are

Get to know our management team. Release Radar

Release Radar

Up-to-date product news! Become a Partner

Become a Partner

Join our eco-system! Work With Us

Work With Us

Interested in solving a real-world problem that affects businesses of all sizes?
Demo

Risky Business with PaymentWorks: E10–The Risk and the Reward

Chief Risk and Privacy Officer for Commonwealth Financial Network Kristen Drobnis discusses her approach to risk and dealing with fraudsters.

by Angela Sarno

by Angela Sarno

VP Marketing

Risky Business with PaymentWorks: E10–The Risk and the Reward

We first published on this topic back in November 2021. We’re updating it now, in December 2023, because vendor risk mitigation never goes out of style. To help, we’ve summarized the biggest takeaways on managing risk. 

Vendor risk mitigation is central to vendor onboarding. Both known and unknown third-party risks can rack up costs for your organization. Yes, they can cause reputational harm. But they can also cost you financially, via money lost to fraud, legal fees, and fines and penalties from regulatory bodies. And they can cost people their jobs. 

In other words, risk is expensive. 

But risk doesn’t have to be viewed as a big drag. To prove it, we’re going to dig into what vendor risk mitigation looks like through the eyes of someone with ample experience in this area. 

Let’s go!

Table of Contents

Listen to the Full Episode

Key Takeaways on Vendor Risk Mitigation

#1. See both sides of risk 

#2. Have controls in place

#3. Focus on being proactive

#4. Vendor risk mitigation is broader than just vendor fraud…

#5. But don’t overlook how vendor fraud might be lying in wait

#6. Planning structure + critical risks = A+ vendor risk mitigation

#7. An eye toward the future can keep the bad guys at bay

Must-Read Episode Quotes On Vendor Risk Mitigation

How Vendor Management Appreciation Day Can Help

Want Help Aligning Your Teams on Vendor Risk Mitigation?

Interested In Regular Vendor Risk Mitigation Tips?

Want Personalized Guidance on Vendor Risk Mitigation?

Listen to the Full Episode

Listen to the episode here.

Welcome to Episode 10 of Risky Business with PaymentWorks!

Let’s play a game of Jeopardy. 

Clue: This instills fear into the hearts of vendor managers everywhere due to its insidious nature. If you answered “What is vendor fraud,” give yourself a pat on the back. 

We’ll be answering that question and more about broader risks that the vendor desk faces in this week’s episode.

And while the word ‘risk’ itself conjures up images of theft, fraud and other treacherous topics, this week’s guest brings a calm and measured approach to this fascinating industry.

As the former Chief Risk and Privacy Officer for Commonwealth Financial Network, one of the largest private broker-dealers in the United States, Kristen Drobnis understands risk as well as anybody.

While she was still with CFN, PaymentWorks sat down with Kristen to discuss many topics, including why she loves her job, how to deal with fraudsters intent on playing the long game, and what element of dealing with risk keeps her up at night.

PaymentWorks Presents Risky Business Episode 10: The Risk and the Reward

Key Takeaways on Vendor Risk Mitigation

#1. See both sides of risk 

Dobnis opens with a unique perspective on vendor risk mitigation, saying, “I’m passionate about it because it is a critical component of organizations. Everyone thinks it’s negative and it’s not, it’s positive.”

In other words, there are two sides to every coin. As Drobnis points out, it’s the ability to be proactive that matters. A proactive approach to risk management not only helps strategic initiatives to become more impactful, but it can make them more cost-effective too. 

Remember when we said that risk gone wrong can cost people jobs earlier? Turns out the flipside is true, too. Listen to our customer Matt McDonald with the City of Vista discuss how strategic vendor onboarding and the revenue generated led to a promotion within his department: 

Great risk management means additional revenue growth above and beyond what is expected. This is what we mean when we talk about strategic vendor onboarding and management. There’s always an upside – if your team has the resources and support from leadership to make it happen. 

#2. Have controls in place

Another key point that Dobnis makes is that it’s all about controls. Once organizations start to look at their processes, vendors, and internal controls, they can start to connect the dots. When organizations look at new initiatives and tools, they can start to see how they will impact processes. 

The trick is to be aware of any new issues that could be added to the environment with these changes. Obviously, you want to avoid costs arising from those types of issues. 

Unfortunately, organizations aren’t always so lucky. Dobnis highlights a real-world example of digital transformation gone wrong because this type of due diligence wasn’t done. 

Dobnis says, “One of the things I have noticed and experienced is that as folks work on these projects to transform their technology space, they’re forgetting about that old code.”

It’s a costly oversight. The company goes on thinking they have “all this beautiful, flashy, new technology” and everything seems to be working. 

Then disaster strikes. A new code string gets added and things break down. Why? Because no one took out the old code or even added a step to the project plan to make sure the old code is no longer active. 

The result? The organization spent millions upon millions of dollars to digitally transform and is now faced with a system that just doesn’t work. It’s a significant cost burden for an oversight that could have been avoided with the proper controls in place 

#3. Focus on being proactive

Dobnis explains how vendor management organically fell under the risk team within her organization – and how it allows them to be more proactive. 

She talks about how the vendor management group focused more on contract management and vendor due diligence. From there, it seemed to make sense to live within the risk management space. 

In many ways, a lot of what vendor management does has inherent connections to risk. Vendor management can enhance (or fudge) processes, add more (or less) control, and streamline processes (or drive risk) through the types of software and solutions used. 

With vendor management under risk, there’s a straighter line of communication for the vendor desk to tap the risk team on the shoulder and ask, “Hey, we’re thinking about doing X. How will this impact the organization?”

As a result, snafus – and the associated costs – can be avoided. It’s a proactive approach to stop issues before they start. 

#4. Vendor risk mitigation is broader than just vendor fraud…

Vendor fraud is a big piece of the broader vendor risk mitigation puzzle – and with good reason. IBM’s Cost of a Data Breach 2022 report notes that business email compromise (BEC) scams cost an average of $4.89 million. Not exactly a drop in the bucket. 

Yet, there are compliance angles and considerations about sanctions and debarment that the vendor desk has to weigh, too.

Consequently, the best lens for viewing vendor risk is a wide-angled one. A holistic perspective can ensure that vendor fraud is stopped in its tracks. And it can enhance processes and controls over contracts and due diligence to make sure other vendor issues don’t increase costs or cause issues down the line. 

#5. But don’t overlook how vendor fraud might be lying in wait

Having a plan for fraud is good practice. Dobnis emphasizes that financial services are prone to having targets on their backs. Additionally, they make appealing targets because fraudsters know that the organization – not the end customer – is on the hook for any fraud perpetrated. 

In other words, they have an eye for deep pockets. 

As a result, the risk group needs to be aware of that potential. That responsibility extends to information security teams as well. 

Dobnis says, “You really have to start to think, ‘Okay, what is that next big hack or cyber attack?’”

Worse yet, what is the next thing we don’t even know about? Technology is evolving at a breakneck pace, but fraudsters are too. Bad actors will forever be trying to find their angle.

#6. Planning structure + focus on critical risks = A+ vendor risk mitigation

For Dobnis, the best approach is a comprehensive one. She points to the great planning structure her organization has. But planning is just one part of risk management. 

The right control structure framework can make a huge difference, but it may not prevent lost sleep over what is coming next. 

A holistic approach can ease some of that pain, but it requires an equally strong focus on the critical risks – the weakest points in the chain. Dobnis says, “In the end, you have to really say, ‘Okay, what are the critical risks to the organization?’ and really focus more on those than worrying about everything.”

Focusing on what’s critical and employing the right mitigation plans is the best path forward. Sometimes that means spending additional funds or bringing on additional resources. The important thing is to take action. 

#7. An eye toward the future can keep the bad guys at bay

Even with the best control structure framework, the possibilities of risk and fraud are endless. Data breaches have plagued organizations on an industry-agnostic scale. As a result, there is a lot of stolen data floating around. 

That means two things: 1) the bad guys are still really good at data breaches, and 2) the maximum potential impacts from data breaches past may not be fully realized yet. 

We believe fraud expert Linda Miller when she says protecting against fraud is getting harder to do: 

Pair that with an extreme increase in ransomware and it’s a recipe for disaster. Firstly, you have data being bought and sold on the black market. Secondly, you have bad actors that are going to use that data. Dobnis notes the unemployment fraud that reached a high during COVID. 

Understanding how a potential breach could impact your organization can help you plan for risk mitigation. This requires some forethought and imagination. What other things – like a pandemic – could impact your organization and/or the financial markets?

With those risks in focus, you can begin to reverse engineer the best way to deal with those things should they ever arise. 

And of course, you make sure you have the right risk mitigation measures in place today. Check out our recent post on creating a top-notch vendor risk management framework for additional things to consider. 

Must-Read Episode Quotes On Vendor Risk Mitigation

  • “As organizations start to be more proactive with risk management, it’s only going to help their projects. Their strategic initiatives and other initiatives become less impactful on the organization but also more cost-effective. And it drives additional revenue growth more than they would ever expect.” (1:19)
  • “We have all this beautiful flashy new technology, everything seems to be working. All of a sudden a new code string is added and, next thing you know, things are breaking down or not working…What ends up happening is no one took out the old code or no one put that in the project plan to say let’s make sure that the old code is no longer active. Now you’ve just added a significant amount of cost to the organization and that project that you spent millions of dollars on to transform is actually potentially not working because of the old code sitting there.” (3:12)
  • “We’re avoiding those additional costs upfront and being more proactive than any other organization that I know of because we’re thinking about [vendor management] ahead of time.” (6:02)
  • “Fraudsters know that it’s not going to be the end customer client that’s going to have to pay if money’s out of the account. It’s going to be the financial institution. So they’re always focusing on the deep pockets.”  (7:47)
  • “Yes, I do worry. And quite frankly, [I’m] worrying more about ‘What am I not thinking of?’ Or as I look externally to other of my peers or peer organizations, I wonder, ‘If they’re getting impacted, can we get impacted?’” (9:39)
  • “Whether you’re part of one or multiple of these attacks, it all lends itself to your being bought and sold. And eventually, the fraudsters, like we saw with unemployment fraud during COVID, they’re going to use that data.” (11:26)
  • “I try to focus on…’How do I ensure we again have the right control environment,’ but also ‘How would something like that impact us?’ And then the other side of this is, what else is going to happen potentially? We’ve had the pandemic, but what other things are down the pike that…could impact my organization and maybe the financial markets? (12:20)

How Vendor Management Appreciation Day Can Help

It’s time to stop losing sleep over vendor risk. We think you should let loose a bit and join us for the party of the year!

It’s time for everyone to come together in honor of one of the most important, under-recognized roles across industries: vendor management. 

How? Join us in observing Vendor Management Appreciation Day (VMAD)!

VMAD is a brand-new holiday geared toward unifying vendor management professionals and celebrating innovation in the field.

We’ve been releasing gifts each month to help you supercharge your vendor management efforts. We’re also planning some awesome events so everyone can connect and celebrate the important, strategic role of vendor management. 

Learn more here, and grab some free vendor management goodies.

Want Help Aligning Your Teams on Vendor Risk Mitigation

Explore our blogs below. They’re filled with action items you can implement right away.

The Missing Link When Building a Vendor Risk Management Framework

B2B Payments Fraud in Times of Chaos: 2023 Edition

Social Engineering Fraud Never Sleeps: 3 Ways to Prevent It

Vendor Management Tips From the Experts Themselves

Vendor Verification: How NOT to Do it and What to Do Instead

Interested In Regular Vendor Risk Mitigation Tips?

Subscribe to our blog

Want Personalized Guidance on Vendor Risk Mitigation?

Contact Us–we’d love to help you

Let us show you how we can help

We’d love to walk through your process with you and talk about security, compliance, efficiency and sleeping better at night.

Request a Demo
empty space
PaymentWorks Logo

280 Moody Street, Unit #5
Waltham, MA 02453

Get help with registration.

Follow us on

youtube icon linkedin icon mail icon

Who We Serve

What We Do

Why Trust Us

About Us

Blog

Resources

Request a Demo

Get Paid

Jobs

Partnerships

Partner Referral

Events

© Copyright 2025 - PaymentWorks

Privacy Policy Terms of Service PaymentWorks EarlyPay Terms of Service Transparency in Coverage