As the Chief Risk and Privacy Officer for Commonwealth Financial Network, one of the largest privately-held broker dealers in the United States, Kristen Drobnis understands risk as well as anybody.
And while the word ‘risk’ itself conjures up images of theft, fraud and other treacherous topics, Kristen brings a calm and measured approach to this fascinating industry.
PaymentWorks sat down with Kristen to discuss many topics, including why she loves her job, how to deal with fraudsters intent on playing the long game, and what element of dealing with risk keeps her up at night.
You can listen to the entire podcast here.
ANGELA: Risk in itself is a dangerous word. But you glow when you talk about your job and about what it entails and what’s entrusted to you. I’d just love to know what is it that you love so much about what you do?
KRISTEN: I’m passionate about it because it is a critical component of organizations. Everyone thinks it’s negative and it’s not, it’s positive. Obviously, you have to see both sides of risk. One of the things I like to bring to the table is talking about that proactive nature. As organizations start to be more proactive with risk management, it’s only going to help their projects. Their strategic initiatives and other initiatives become less impactful on the organization but also more cost effective. And it drives additional revenue growth more than they would ever expect.
ANGELA: One of the things I took away from talking to you is the idea of cost avoidance. It’s actually measurable. Can you give us a real world example that you’re comfortable sharing?
KRISTEN: One of the things I have noticed and experienced is that as folks work on these projects to transform their technology space, they’re forgetting about that old code. We have all this beautiful flashy new technology, everything seems to be working. All of a sudden a new code string is added and, next thing you know, things are breaking down or not working.
What ends up happening is no one took out the old code or no one put that in the project plan to say let’s make sure that the old code is no longer active. Now you’ve just added a significant amount of cost to the organization and that project that you spent millions of dollars on to transform is actually potentially not working because of the old code sitting there. Which could have been taken care of pretty easily.
ANGELA: Now at the risk of leading the witness, a really intriguing component to me is that in your world vendor management reports up to risk. This is the first time I’ve heard of it reporting up to risk. Tell me about where that came from at your organization and what argument you’d make to other folks that they should maybe think about it as well.
KRISTEN: It really grew organically within my organization. It was a group that just made sense to be within the risk management space. As they’re bringing on new vendors, they’re looking at contracts, which drive risk in terms of what type of language are in those contracts. In addition to that, under my team we also have our corporate insurance program. So when you’re thinking about vendor contracts, you need to have the right insurance liabilities in there.
On top of that, vendor management plays a lot within the organization by enhancing processes, potentially adding more control or less control, or even driving issues as you embed new software or new solutions. Having it within a risk space, they can actually take a look and do a risk assessment pretty quickly to say, is this going to impact our organization? Going back to that concept of cost avoidance, we’re avoiding those additional costs up front and being more proactive than any other organization that I know of because we’re thinking about this ahead of time.
ANGELA: I know you care about the long game that fraudsters can play. How they can lay in wait, lie in wait, for years along the way. How does that impact your planning when you know someone has you in their sights, maybe forever?
KRISTEN: Any financial service organization has a target on their back given the regulations that are in place because the fraudsters know that it’s not going to be the end customer client that’s going to have to pay if money’s out of the account. It’s going to be the financial institution. They’re always focusing on the deep pockets. In that case, folks like myself and others in my risk group, we have to start to consider that. The same thing with our information security teams. You really have to start to think what is that next big hack or cyberattack? Or maybe they’re going to try to come in other ways and why it’s so important to understand the risks with vendors.
ANGELA: When I think about all the things you just covered, just in this short time we’ve been talking, I just wonder how’s your sleep at night? Do you sleep well? Or do you worry a lot? You seem so cheery for someone who has so much on her plate.
KRISTEN: I do worry but, quite frankly, I worry more about what am I not thinking of. Or as I look externally to other of my peers or peer organizations, I wonder, if they’re getting impacted, can we get impacted. But in the end, you have to really say what are the critical risks to the organization and really focus more on those than worrying about everything.
From my perspective, having those right mitigation plans in place and knowing that the firm either will have to spend additional funds or get some additional resources to mitigate those risks. But as long as they’re actually acting on them and trying to mitigate them, that’s the best that we can do.
ANGELA: If we were in a big networking group right now and someone said, give me your one thing I should be thinking about today, what would it be for other risk professionals?
KRISTEN: For me it’s going back to how much data has been stolen and what is going to be the next kind of largest data breach or potential impact from a data breach that an organization would have. Given the extreme increase in ransomware, they’re getting data. Whether you’re part of one or multiple of these attacks, it all lends itself to your being bought and sold. And eventually the fraudsters, like we saw with unemployment fraud during COVID, they’re going to use that data.
I try to focus on and figure out how to ensure we again have the right control environment and also how would something like that impact us. Then the other side of this is, what else is potentially going to happen? We’ve had the pandemic. But what other things are down the pike that are potentially similar to the pandemic that could impact my organization and maybe the financial markets? Those are things that I start to consider and really think back in history and look back on how we’ve dealt with other events potentially similar in nature and how do we start to make sure we have the right mitigation measures in place.
