<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1175921925807459&amp;ev=PageView&amp;noscript=1">
Vendor Risk Management

BitSight EXCHANGE Sound Bites: Risk Management in Financial Services

BitSight | December 20, 2018

In the months since BitSight’s inaugural EXCHANGE forum, we have been digesting and processing the incredible sessions and discussions that came about from this forum. It was a great event that brought together security executives from all over to discuss the challenges they face in their roles every day.

One interesting panel discussion was focused on the evolution of risk in the financial services industry. Speakers included Mark Watson (Deputy Leader, Financial Services Center for Board Matters, Ernst & Young), Derek Vadala (Managing Director & CISO at Moody’s Corporation), Bob Lewis (Head of External Cyber Assurance & Monitoring at Barclays UK), James Lam (Chair, Risk Oversight Committee, E*TRADE), and moderator Peter Pernebo  (Executive Director of Third Party Risk Management, KY3P by IHS Markit).

James Lam shared his thoughts on the role of effective risk management within an organization below.


“I think qualitative assessment is useful, but insufficient because you're telling me what you think. So, it's a good start. And what doesn't work is also just providing information about our maturity relative to a framework like NIST. So, if you have higher maturity basically you're telling me you're doing your job. Okay. You're paid to do your job. But what's more important to me is how effective are you doing in terms of your work. So, I don't want to just hear about input. I am much more concerned about output. So, in terms of output, I want really good metrics. And I think Bitsight has done a really good job in getting the conversation in something that's objective and that's measurable, that's benchmarkable. And I want to understand how does this risk compare to the other risk that we oversee in terms of potential economic impact and business impact. And then finally, I want to understand what our exposures are relative to risk appetite. And so, to me, I think you need to have that kind of balance. And having just the input assessment and metrics are insufficient. You really have to understand how effective the program is. And the key question that directors ask is, how do I know if our cybersecurity program is working effectively? And to the degree that your assessments and metrics answer that question that's how you serve the board.”


“It's not a matter of just mitigating and minimizing risk. The job of risk management is to optimize the risk-return profile of the organization. And I've seen that evolution every other risk and right now I think cyber is challenged to be able to go through those (three) steps.”

Thank you to James and our other panelists for an extremely insightful conversation!

Read the recap of the inaugural BitSight EXCHANGE forum. 

Suggested Posts

BitSight Security Ratings Platform Expands Its Visibility in Compromised Systems

Since creating the Security Ratings market in 2011, a core component of BitSight’s value to users has been providing industry-leading comprehensive visibility into malware communications.


Top 5 Trends in Telecom Risk Management

As regulations shift and providers enter new markets, the telecom industry is changing rapidly. In preparation for these changes, telecom risk management professionals must become aware of new risks on the horizon. Privacy and net...


How to Be Confident In Your Third-Party Risk Management Program

When it comes to third-party risk management (TPRM), many organizations are just beginning to figure out the core components of their program — and some are not implementing any measures to monitor their third parties at all.


Subscribe to get security news and updates in your inbox.