Episode 292
Contemplating Counterparty Risk Management Across the Organization (Source Callé)
Are weak third parties affecting the safety of your organization? In today’s podcast, Host Craig Jeffery talks with Craig Callé, CEO of Source Callé, about navigating third-party risk with real-world examples. The dialogue covers requirements and inefficiency, as well as the vision for the next ten years.
Host:
Craig Jeffery, Strategic Treasurer
Speaker:
Craig Callé, Source Callé
Episode Transcription - Episode #292: Contemplating Counterparty Risk Management Across the Organization
Announcer 00:04
Welcome to the Treasury Update Podcast presented by Strategic Treasurer, your source for interesting treasury news, analysis, and insights in your car, at the gym, or wherever you decide to tune in.
Craig Jeffery 00:18
Welcome to the Treasury Update Podcast. I’m Craig Jeffery, your host today. Today we’re talking about contemplating counterparty risk across the organization. And I am joined by Craig Callé. So there’s two Craigs on today’s podcast. Craig, welcome to the Treasury Update Podcast.
Craig Callé 00:36
Nice to be here.
Craig Jeffery 00:37
I think it was four or five years ago when we did a podcast before. So I’m glad to have you back. You know, our topic is contemplating counterparty risk across the organization; we’ve had some fun conversations about what that looks like. But as we think about counterparty risk, as we talk about it, as different areas look at it, it’s part of a broader focus. And there’s multiple areas that do something along the lines of counterparty risk; it looks a little different in different areas. So treasury tends to focus on banks, procurement might focus on key suppliers, credit management on the major customers. Craig, maybe you could start us off with how you think about third parties and the risks an organization faces, you know, either individually or broadly, however you look at them?
Craig Callé 01:27
Sure. Well, I look at counterparty risk as an aspect of what I define as third party risk management, or TPRM for short. That practice area really had a catalyst as far back as 2013, with a major security breach at Target Corp. Most companies get attacked directly. This was one of the early cases of a major company getting hacked through a weak third party that was providing HVAC services across stores in North America. So a weak backdoor, if you will, through which a hacker was able to tunnel their way all the way up to the point of sale devices, where consumers are swiping their credit cards all day long. And so that became a call to action to reevaluate the practices security teams were taking to secure themselves, and developed the need for new technology.
Craig Jeffery 02:29
Yeah, that’s a pretty interesting case. Right? That’s a common attack method, to find a weak entry point. You know, we see that; there’s been breaches that have used, you know, the uninterruptible power supplies that are managed, right, so it gets in there, and they use that to compromise an HR system, and then they’re off to the races. So that’s certainly important. But we’re a decade on from there. How has the industry responded to this type of situation?
Craig Callé 02:58
Well, for one thing, you know, the problem, if anything, has only gotten worse. Today, more than half of all security breaches are attributable to weak third parties; companies need to do a lot more to get ahead of this problem. As I said before, you know, there’s certainly been much greater scrutiny of traditional practices, like questionnaires that a customer might send to its vendors, usually based on some IT framework like NIST, or COBIT, or SANS, that is very time consuming, very thorough, but not enough. And so over the last 10 years, you’ve seen some new developments in order to help lighten the burden through technology. So I’m thinking of a category like cyber risk ratings, a body of work devoted to continuously monitoring the third parties that are part of your vendor community. You know, they reach conclusions that are conveyed in easy-to-follow metrics, much like a FICO score for consumer credit, and really help triage the group, so you can focus more attention on the more deserving based on the cyber risk rating that’s been developed. So that’s one area. There are others, but I’ll let you react to that.
Craig Jeffery 04:15
So are you describing cyber risk ratings as a general concept, and there’s specific scores that are out there, or is that an actual score?
Craig Callé 04:24
There are a number of firms now that scan virtually every company on the planet. They have sinkholes, honeypots, looking for compromised systems; they’re determining the state of IT housekeeping at every organization, and they put weightings on these different risk factors and come up with a score. You know, in the case of one, you know, it might be, you know, 300 to 820. Another might be a letter grade, A to F, that sort of thing. But, you know, very much a quantified approach to risk management, you know, following, you know, a generation of work that was, frankly, based more on qualitative assessments expressed in traffic lights and heat maps.
Craig Jeffery 05:08
And you had introduced us to one of those some years back, and we do use one; we won’t, I won’t mention it. But it was very helpful in both our self assessment as well as counterparty. So, you know, one of the things on the responses, you know, things have only gotten worse, I think is what you said. We see requirements placed on third parties, you know, as a consulting firm, far less as a researcher, but as a consulting firm, new requirements come to us first from banks, then from non-bank financial institutions, then from the largest multinationals, and then it falls downstream from there. And so when people first start asking about, do you have a vulnerability scan, you need to do a vulnerability scan every year. And so when we heard that from one of them, it was optional, this was a long time ago, we’re like, we’re gonna do it every month. And then it was, hey, we’d like a pen test. When one starts asking, it’s going to be a requirement very soon; you only have a limited time where you can push these things off. When it goes from an idea to a requirement, that’s at most two years. And then responding to those has become more involved in the community of responding, to show that you have a certain level of rigor, and this is more focused on the cyber side, the financial risk side, for what’s referred to as TPRM, or third party risk management. On the credit and financing side, there’s often been scores, and people look those up just to maintain a level. But this growth in cyber has happened.
Craig Callé 06:41
Now, I’d like to think that every organization would treat strong security and privacy compliance as competitive advantages. If you can demonstrate that you’re a reliable vendor, you’re going to get more business. But in reality, regulation has played a really important and valuable role in raising the bar, especially in sectors that you’re very familiar with, like banking and financial services, but also in healthcare and the like. And so these days, if you don’t know your cyber risk rating, you darn well better should, because a lot of these customers of yours will be looking at that and generate a reputation, or at least you’ll have a reputation based on that rating that’s out there. But as you mentioned, you’re not unaccustomed to penetration tests and the like; you probably should have an audited SOC 2 report and make these artifacts easily available to anyone who asks, so that you can be transparent about the practices that you have in place to ensure that you’re a reliable third party.
Craig Jeffery 07:50
Craig, as you think about your experiences, both good and bad, do you have a story that has probably influenced your thinking on this area the most?
Craig Callé 08:01
Well, it’s really a question of where I have roots in third party risk. Ironically, despite spending almost a decade now in it, cybersecurity in particular, my start in the business came in the early 2000s, when I was part of the team at Gateway Computer trying to turn around the company, and one of our Asian suppliers went bankrupt. And so the next day, I found myself in the CEO’s office along with the head of ops and supply chain, and we all agreed, you know, this shall never happen again. And so my second shift started at seven in the evening in Irvine, California, making calls to Asia, trying to get financial statements and ideally projections so that I could model default risk. So when I started with vendor risk management, it was very much from an exclusively financial viability standpoint. As I mentioned earlier, you know, it was really 2013 when Target became the celebrated case of the vulnerabilities associated with weak third parties from a cybersecurity standpoint. And so, you know, we’ve been talking about the potential for a deep recession now for three years. I think the common prognostication today is that we’re in a soft landing already. But I had always expected that to generate even greater interest from a third party risk management standpoint on the financial risk, and even after all that time worrying about it, it has never really risen to anywhere near as great a concern as people still have over the cybersecurity posture of their third parties.
Craig Jeffery 09:44
I don’t know that the audience has listened to our other podcast, where we gave some of your background, but I’d love for you to give the elevator, not pitch, but the elevator review of your career, because I think that provides some good context as you talk on the cyber side as well as the finance side.
Craig Callé 10:02
My career is broken down into three major buckets. The first was as an investment banker at Salomon Brothers, where, among other things, I was head of new product development in the Capital Markets Group. The second bucket is CFO or treasurer at a number of public and private companies such as Amazon digital media and books, chronicle conceal, Gateway Computer, and others. And then the third bucket, the most recent, is in technology strategy. The two roles there include Chief Strategy Officer at SHI International, the second largest technology value added reseller in North America. And for the last eight years, I’ve been building my own firm that’s focused on cybersecurity, GRC, privacy and ESG.
Craig Jeffery 10:50
What’s your website?
Craig Callé 10:53
www.sourcecalle.com. That’s sourcecalle.com. Thanks for the plug.
Craig Jeffery 11:01
Yeah, no worries. Thanks for your background. Before I asked you for that, I was complaining a little bit about the increased requirements around third party risk management, or just mentioning how much more is involved in it. This creates quite a bit of overhead, especially when there’s multiple platforms asking, have you responded to this particular threat or risk, provide this report; the same growth on the insurance side, where we used to have a couple types of insurance policies that are required. Now I think we have to have seven or eight for most firms we work with. This creates a bit of overhead for those that are receiving these requests, and it becomes a cost of doing business. It needs to become more efficient. So, you know, we’re doing the same things for multiple companies. But, you know, what do you see happening here? Do you see that same trend? Or maybe some more nuances in that trend? And where do you see us going forward on that?
Craig Callé 12:00
Well, there’s a term for what you’re referring to. It’s called vendor fatigue. And it comes from the requirements that you described: getting numerous questionnaires, sometimes over 500 questions, many of which look very familiar and similar to ones that they may have already filled out for another customer. And so there is a lot of redundancy in the system that can be streamlined. One of the developments I’ve seen to address this is the emergence of what are called trust centers, or exchanges. And they store these documents or artifacts, you know, for easy confidential access to things like questionnaires that have already been filled out based on standard frameworks like NIST, COBIT, SANS, or SIG, created by Shared Assessments. And you know, that not only makes it easy for a customer to audit you efficiently, but in the case of new business, you know, you’re able to clear those hurdles quickly. So it accelerates what we call time to sale. I mentioned already the role cyber and other risk ratings play, and we move beyond cyber now to categories like financial risk, ESG alignment; you know, there are firms that are measuring firms along these other risk axes. And so, you know, it’s not a complete solution by any means. But it’s certainly more than a smoke detector and gives you a way to triage your community to see, you know, which ones are deserving of more attention. I guess a third thing that I’ve seen, and let’s face it, it’s in the headlines all the time now, is artificial intelligence driven engines that can parse through all these artifacts and quickly surface critical issues. So those are really three ways that we’ve gotten at this really critical issue of what I call vendor fatigue.
Craig Jeffery 13:53
And it’s interesting. Especially, I guess, it makes sense that you use AI engines to identify that information, especially when people are asking for huge reports and they’re getting tons of reports as they select from three to eight different vendors.
Craig Callé 14:08
Right. Yeah, it’s sort of, you know, tell me what I really need to know; the eyes quickly glaze over in this field.
Craig Jeffery 14:14
Yeah. Those broader reports, just like audited financial statements, or certain reports that show, you know, financial strength or good system hygiene or protection. We found more relying on those now, as opposed to their own custom activities, which is certainly some relief. You know, it just was untenable, the direction things were going, very manual, like you said, 500 unique questions every time.
Craig Callé 14:43
Well, let’s face it, there’s just a mountain of work to be done. I think we’re still in the early innings, even in the most mature vendor risk management programs today. And the only way we’re going to scale to get this work done is to employ technology. On a cost effective basis, you can’t throw enough bodies at the problem, or for that matter, find them to get the job done. And so technology really is playing an important role in addressing a very large and growing problem out there of vendor risk management.
Craig Jeffery 15:18
Yes, so you know, whether it’s vendors, it’s banks, it’s third parties, however you classify these, where do you see things going over the next 10 years? Where would you like things to go over the next 10 years? There’s certainly growth in technology. There’s a specialization. And if anything, there’s more third parties; we use more technology third parties, our data activity and footprint in our offices is smaller, we use more services, and we’re a tiny company compared to, you know, the multi tens of billion companies that are out there. And we’re doing that. What’s your vision for the future? Where do you see things moving to?
Craig Callé 16:01
Oh, for one thing, I’m, like a lot of people, influenced by a book that Thomas Friedman wrote called The World Is Flat. And it speaks to the IT dependencies that companies face when they rely on a growing number of interconnected third parties to get the job done. Now, a lot of the supply chain disruptions that we’ve seen over the last five to seven years may result in work that had been done, say, in Asia coming to the US, but it’s still a third party connection regardless, and the way we think about that relationship really has to change and be much deeper and more meaningful in order to achieve the goals of better security and alignment with other objectives to manage privacy, ESG and other risks. So I think that that bias for horizontal organizations will continue; you know, we’ve come a long way from Ford’s vertically integrated River Rouge complex. And so, you know, we need to think about these decisions about how vertically integrated we want to be in a more comprehensive way. It’s almost as if that’s determined by default today, rather than some more high level strategic objective that’s sought. And so I firmly believe that we need to scrutinize third parties as intensively as a company might treat employees and job candidates. That’s to say that we have a chief HR officer who worries about the performance aspects of those internal resources, if you will, you know, through performance reviews, background checks, and the like, and also on the risk side: what’s Joe’s phishing click through rate? How well does he score on security awareness tests? And how familiar is that person with our compliance requirements, as varied as that list is becoming today? So there’s a lot of work involved on the internal side through HR today.
And I want to turn that same level of scrutiny to our external resources, which, as I said before, I think we’re just scratching the surface on today, even after, you know, 10 plus years of trying. Part of that comes from maybe thinking about the definition of third party in a different way. Traditionally, you know, we’re just thinking about our core vendors and suppliers. But there are a lot of other categories that really don’t even get inventoried today: outsourced service providers, SaaS apps, like salesforce.com and 50,000 others that are out there today that can be found in enterprise networks, cloud hosts, contractors, ecosystem partners. You know, think about, you know, a technology firm that’s bringing in a technology partner to get a certain aspect of their service delivered; you know, any security weaknesses in that partner are now going to get built into the product that the ecosystem partner was creating in the first place. And so you need to think about third parties in a more holistic manner, tier them appropriately based on measures like network connection, location of sensitive data, criticality to the business, and ease of migrating to an alternative if that’s what’s needed. But we also need to achieve a dramatic shift away from solely the CISO’s responsibility in the case of cybersecurity, or the Data Protection Officer in the case of privacy, and create responsibility at the relationship owner’s level. That’s something that’s especially important today among CISOs, as you’re starting to see civil and even criminal liability for the CISO in the event of a breach, seeing that in the case of Uber and SolarWinds recently; it’s probably one of the most important things keeping CISOs up at night.
And I think only when we reach a true partnership between these advisory or functional experts like CISOs and the business owners of the relationship can we make a truly informed, holistic decision about that third party’s role with our organization, both from the standpoint of performance, how good a job are they doing, as well as the risk, how risky are they. And, footnote, there are no riskless third parties. So it’s all relative, which underscores the need to make a balanced decision based on this assessment of both performance and risk, at the relationship owner level.
Craig Jeffery 20:52
Much of what we talked about has been on the technology side, and, you know, the financial side exists. If we look at banks as key partners, and they’re certainly third parties, you know, in terms of checking them for exposures to cyber, that’s an area and an industry that’s extremely well covered from all of the oversight that the banks have. But there’s certainly some financial risk that people need to look at in managing counterparties; you know, they might be the other side of some type of hedge that may last multiple years, and you want to make sure that they’re standing there. And so there’s ways to look at them. Are they material, like you said? Are there tiers? Treasury looks at those, puts them in tiers, understands the level of exposure, and is that something they want to bear? Or do they want to shift on that in some manner, both operationally and financially? When you think about this chief third party officer, and the overall third party risk management, how do these come together? You know, how do you get to the point where you’re managing relationships? Is it still treasury’s managing? Do you think treasury would still manage banks, procurement would still manage some of the elements of supply chain, another area would focus on other, but this is a role that helps coordinate and leverage some of the tools, skill sets and discipline? Or what would that look like?
Craig Callé 22:21
Well, I see the chief third party officer, or CTPO, much like an orchestra leader. There’s so many people doing so much work all on their own in silos that the key to this is going to involve someone at that level in an organization to really pull things together. And frankly, one of the reasons why I was so excited about coming onto this podcast, speaking to your audience of senior treasury officers, among others, is that they get the need to look at risk in a multifaceted way. So while we’ve talked about the last 10 years of third party risk management being so heavily, if not uniquely, focused on cyber risk, there’s so many other types of risk out there. So you say, when sizing up counterparty risk, this is a credit analysis, this is a financial viability analysis; you’re starting to move into multiple categories of risk, developing a broader view of what that third party means to the organization.
Craig Jeffery 23:24
Yeah, that’s helpful. You know, one of the things that’s happening, that moves towards that direction of this broader look, or horizontal look, if you will, you know, you think about managing liquidity. Treasury’s focused on that. But the banks, there’s certainly an interplay with AR and AP, other elements, the cash conversion cycle. And so people look at things like supply chain financing to have a bigger impact than just using the overall balance sheet alone, but some of the elements of the balance sheet to get liquidity. There’s also the same types of discipline financially for counterparty risk in AR and AP, done differently. And then cyber and some of the operational areas of the supply chain are done by different groups. So everyone’s solving a bunch of similar problems, and oftentimes using different tools. And this idea of the orchestra, you know, where all the instruments are playing, woodwinds and brass, and they’re all making different sounds, but they all have to play together. There’s some overlap right there; they’re doing it together in an organization. There’s some overlap. I’m not sure where I’m going with all that. But I’ve liked that idea, that orchestra, because there’s that difference, and there’s calibration.
Craig Callé 24:45
Right. Now, I think that there’s a level of complexity in an orchestra that needs to be teased out. And just to give you an example, you know, we’ve talked so much about third party risk management, but every one of your third parties is dependent upon its own set of third parties, or what we call fourth party risk management. And that’s still in its early stages; the more regulated industries, not surprisingly, tend to be deeper in the scrutiny along fourth party lines, and frankly, beyond. But you made reference to supply chain. And that’s got to be on the list of top five things a CEO has asked about in the past three years. And so all of this work in the third party risk management area has extended into procurement in terms of a related category that I would call supply chain resilience. And so this is a question maybe not so much for finance professionals. But certainly on the manufacturing side, you know, there’s a growing interest in tracking your suppliers and vendors, not just at the corporate level, but all the way down to the factory level, so that you can see your dependencies and vulnerabilities. From a supply chain standpoint, perhaps you might have, you know, a reliance on one factory in a remote part of the world that is dependent upon certain shipping lanes to get it just in time to some assembly facility, you know, without which, you know, the line stops. And so you’re looking at other risk categories in supply chain resilience. That would include things like weather and logistics, something that has been compromised by climate change, wars, and the like. And so it’s really a complex field. And we’re just an industry sort of chipping away at it in pieces, and not to the level that we need to get in order to really get ahead of this mountainous problem.
Craig Jeffery 26:47
Yeah, excellent. I know there’s a few more avenues we could run down, but I wanted to give you an opportunity at the end: do you have any additional or final comments to leave people with, either about the current situation or about how to think about the road ahead? Or what to do, what to read, what to act upon?
Craig Callé 27:07
Well, I would say I think you have to be a glass half full kind of person in this business. The work that’s being done needs to be elevated within the organization. You know, that’s why I’m a big proponent of this role I call CTPO, or chief third party officer, because it’s not just, you know, creating another C-level role, but serving as that, you know, critical advocate that cuts across an organization in so many dimensions, be they performance based or risk oriented. And until you can pull all that together, you won’t achieve the level of resilience that you need to be a world class performer.
Craig Jeffery 27:47
Thank you so much, Craig.
Craig Callé 27:49
Thanks for having me. I enjoyed it.
Announcer 27:53
You’ve reached the end of another episode of the Treasury Update Podcast. Be sure to follow Strategic Treasurer on LinkedIn. Just search for Strategic Treasurer. This podcast is provided for informational purposes only, and statements made by Strategic Treasurer LLC on this podcast are not intended as legal, business, consulting, or tax advice. For more information, visit and bookmark StrategicTreasurer.com.