On top of that, vendor management plays a lot within the organization by enhancing processes, potentially adding more control or less control, or even driving issues as you embed new software or new solutions. Having it within a risk space, they can actually take a look and do a risk assessment pretty quickly to say, is this going to impact our organization? Going back to that concept of cost avoidance, we’re avoiding those additional costs up front and being more proactive than any other organization that I know of because we’re thinking about this ahead of time.
ANGELA: I know you care about the long game that fraudsters can play. How they can lay in wait, lie in wait, for years along the way. How does that impact your planning when you know someone has you in their sights, maybe forever?
KRISTEN: Any financial service organization has a target on their back given the regulations that are in place because the fraudsters know that it’s not going to be the end customer client that’s going to have to pay if money’s out of the account. It’s going to be the financial institution. They’re always focusing on the deep pockets. In that case, folks like myself and others in my risk group, we have to start to consider that. The same thing with our information security teams. You really have to start to think what is that next big hack or cyberattack? Or maybe they’re going to try to come in other ways and why it’s so important to understand the risks with vendors.
ANGELA: When I think about all the things you just covered, just in this short time we’ve been talking, I just wonder how’s your sleep at night? Do you sleep well? Or do you worry a lot? You seem so cheery for someone who has so much on her plate.
KRISTEN: I do worry but, quite frankly, I worry more about what am I not thinking of. Or as I look externally to other of my peers or peer organizations, I wonder, if they’re getting impacted, can we get impacted. But in the end, you have to really say what are the critical risks to the organization and really focus more on those than worrying about everything.
From my perspective, having those right mitigation plans in place and knowing that the firm either will have to spend additional funds or get some additional resources to mitigate those risks. But as long as they’re actually acting on them and trying to mitigate them, that’s the best that we can do.
ANGELA: If we were in a big networking group right now and someone said, give me your one thing I should be thinking about today, what would it be for other risk professionals?
KRISTEN: For me it’s going back to how much data has been stolen and what is going to be the next kind of largest data breach or potential impact from a data breach that an organization would have. Given the extreme increase in ransomware, they’re getting data. Whether you’re part of one or multiple of these attacks, it all lends itself to your being bought and sold. And eventually the fraudsters, like we saw with unemployment fraud during COVID, they’re going to use that data.
I try to focus on and figure out how to ensure we again have the right control environment and also how would something like that impact us. Then the other side of this is, what else is potentially going to happen? We’ve had the pandemic. But what other things are down the pike that are potentially similar to the pandemic that could impact my organization and maybe the financial markets? Those are things that I start to consider and really think back in history and look back on how we’ve dealt with other events potentially similar in nature and how do we start to make sure we have the right mitigation measures in place.