
The Third Party Risk Institute Podcast
Go beyond the headlines with The Third Party Risk Institute Podcast, the official podcast of Third Party Risk Institute.
Each episode brings you into the room with top experts in third-party risk, cybersecurity, procurement, governance, and compliance. Hear how risk leaders tackle real-world challenges, share lessons learned, and stay ahead of evolving threats.
We explore the strategies that work, the mistakes that teach, and the insights you won’t hear anywhere else.
Perfect for risk professionals, procurement leaders, auditors, and decision-makers who want to lead with confidence.
🎧 Subscribe now, new episodes drop monthly on Spotify, Apple Podcasts, YouTube Music, and Amazon Music.
Mastering Systemic Third-Party Risk: Insights from OCC's CRO Vishal Thakkar
In this episode of The Third Party Risk Institute Podcast, we sit down with Vishal Thakkar, Chief Risk Officer at the Options Clearing Corporation (OCC), to explore what it takes to manage third-party risk at the world's largest equity derivatives clearing organization, designated as a Systemically Important Financial Market Utility (SIFMU). Given OCC's profound interconnectedness within the financial ecosystem, their approach to risk management sets a benchmark for market integrity and stability.
With over 20 years of experience leading risk, regulatory compliance, operational management, cybersecurity, and internal audit functions across various organizations, Vishal shares a behind-the-scenes view of how OCC safeguards market integrity by delivering reliable clearing and settlement services for millions of transactions globally. Drawing from his unique vantage point, having worked in all three lines of defence, Vishal provides invaluable insights into building resilient risk programs and navigating complex regulatory expectations.
What we cover in this episode:
• OCC’s lifecycle-based third-party risk management (TPRM) framework
• Defining the “extended enterprise” to include non-vendor critical entities
• Using scenario analysis to test operational resilience
• Aligning the three lines of defence in risk governance
• Rationalizing controls for efficiency
• Board engagement on outsourcing and cloud strategy
You’ll walk away with practical guidance on:
• How to identify “crown jewel” third parties
• Strategies to scale TPRM without losing control
• Applying standards like NIST CSF, ISO, and Interagency Guidance
• How OCC prepares for regulatory reviews and evolves its risk posture
This episode is perfect for:
• Chief Risk Officers and other risk management professionals.
• Internal auditors and compliance officers.
• Cybersecurity leaders and professionals.
• Business leaders and operational managers responsible for critical third-party relationships.
• Anyone dedicated to building robust risk management frameworks and operational resilience in financial services, critical infrastructure, or other highly regulated industries.
🎧 Enjoying the podcast?
Explore more resources, expert insights, and certification programs at www.thirdpartyriskinstitute.com
📱 Follow us on LinkedIn for real-world conversations and industry trends: Third Party Risk Institute Ltd.
📬 Have a question or topic you'd like us to cover?
Email us at: info@thirdpartyriskinstitute.com
Linda Tuck Chapman: Hello, my name is Linda Tuck Chapman. I'm CEO of Third Party Risk Institute. I'm so delighted to have a very special guest with me today, Vishal Thakkar, Chief Risk Officer of the Options Clearing Corporation. So, first of all, before we get started, welcome. Before we get started, let me tell you a little bit about him. He has a really fascinating background prior to becoming chief risk officer. So, you have over 20 years of experience in risk management, regulatory compliance, operational management, cyber security, and internal audit. And I think that's where our paths cross, when you were in internal audit. So, you've had a lot of leadership positions in management, compliance, and internal audit in different organizations. But as chief risk officer at OCC, you oversee anything to do with the risk function and all the things that that means. And I think, bringing your audit background together, we will talk about that a little bit, because I find that really interesting, this combination. So, one thing people do say about you is you have this uncanny ability to identify emerging risks, to assess their potential impact, and to think of proactive and really high-impact ways of dealing with them. So, I know that you're very much into creating a culture of risk awareness in OCC and every organization you work with, and also bringing in the compliance aspects of this. Now, for anyone who doesn't know about Options Clearing Corp, don't confuse it with the OCC the regulator, right? Same initials, but very, very different organization. So the Options Clearing Corporation is the world's largest equity derivatives clearing organization.
I might ask you to explain what that means to people who are not in this sector. So you were founded in '73, been around for a while, and part of what you do is promote stability and market integrity by delivering very, very reliable clearing and settlement services for options, futures, and lending transactions, and this means millions and millions of transactions across the globe. So you have the futures, stock loan products that you deal with every day, and you have a system that's designed to safeguard the integrity and the safety of each contract, mitigating the risk between the buyers and sellers. This is a really, really important organization. In fact, it's so important I believe you've been designated as a systemically important financial market utility, which puts you under the jurisdiction of the SEC, the Securities and Exchange Commission in the US, the US Commodity Futures Trading Commission, the CFTC, and the Board of Governors of the Federal Reserve System. So, everybody wants you to be safe and sound. So, it's a good thing. So, I think that maybe where we start is this whole notion of third party risk management. I mean, there's a lot of ideas about what this is, and I know it's vendors and non-vendors, and in my language, you would be a non-vendor third party. So, anybody out there who's wondering, these are not your vendor population where you're paying through a commercial contract; there's a very different type of relationship, and in the financial services sector, where I'm most familiar, there are many of these. But from your lens as chief risk officer for the OCC, and also your background with audit, can you tell us a little bit about third-party risk management? Why do you think it's important that organizations pay attention to this, and what does it cover? Yeah, so maybe we'll start with a broad topic.
Vishal Thakkar: Yeah. No, third party risk management, you know, dating back to 2012 when we were designated systemically important. We were designated for a couple of reasons. One of the key reasons that we were named to be systemically important is because we are a financial market utility that's so heavily interconnected with other third parties across the financial ecosystem in the US. So considering we're a financial market utility, we provide the plumbing for the various transactions that flow in between the exchanges. So I think, as you kind of described, we look at our third parties through two broad lenses. One is what we would deem as traditional third parties, such as your vendors.
Vishal Thakkar: And then we have other non-vendors which we also consider as third parties, which, because of our interconnectedness, are considered very critical to us. Those include exchanges, settlement banks, custodian banks, liquidation agents, other financial market utilities such as the DTCC, CME, etc. So because of how interconnected we are in the financial system and the financial markets, our third party risk management framework is comprehensive enough that it provides an oversight and governance structure around all those third parties, and how we effectively manage the risks as it relates to onboarding those relationships, offboarding those relationships, and then ongoing monitoring and due diligence. Now, that's based on the nature and the type of oversight that each of these third parties may have. So, for example, an exchange already is a heavily regulated institution which has a number of requirements that they have to meet with their regulators when they're being onboarded or being established. So we have slightly different processes, but at the end of the day there's a planning, onboarding, monitoring, offboarding, and then the due diligence aspect. So we follow a similar life cycle that we've laid out in our third party risk management framework, which is one of the key elements of our overall risk management framework. We have made this framework document available to the public. It's available on the OCC website, so others listening to this podcast can go and visit it on our website and understand how we've structured that.
I think, to your final question about why I consider this important, third party risk management is just an extension of risk management, in the sense that for activities that we choose to utilize third parties for, it doesn't mean that we're outsourcing the activity and we're no longer responsible as proper risk managers. We have to make sure that those activities are being performed in the same effective manner as we would expect them to be performed, because at the end of the day we hold ultimate responsibility to our key stakeholders, which includes our owners, our regulators, our board, and the markets, where we have to meet these critical service level requirements, whether it relates to system availability, downtime, cyber security measures, and then financial risk management. So, it's very important that we have a robust third party risk management framework in place.
Linda Tuck Chapman: Well, you did such a wonderful job of describing what I've often called an extended enterprise. Because of the interconnectedness of your organization and the huge, huge reliance that the financial services sector has on you, it's not just confined to the US, right? So if anybody's listening, it's an illustration of what an extended enterprise can be like, and you're a piece of that. But you are also hugely reliant on other parties and counterparties and other third parties and fourth parties. So certainly that's a lens that a third party risk manager can place on a critical service provider no matter what the industry sector, because you've done such a great job of describing it, and also you are very heavily regulated. You know, I know you're an auditor, but when I was in corporate I didn't mind being audited at all, because to me it's a way to have a look at the goalposts and see, are you within the goalposts? And also auditors can be extremely helpful in explaining to you some things that perhaps you could do differently or better. So I do want to touch on that. So you come from risk and audit. So, you know, what are the different roles of the different parts of the organization, right? You've got risk and audit and you've got compliance, etc. So how does it all come together to bring appropriate processes and oversight for third parties?
Vishal Thakkar: Yeah. I mean, I think, as most people are familiar, financial service institutions often adopt the three lines of defense. We here at the OCC have done the same, where we have what we define as our first line of defense, which is the people that day-to-day manage the risks, own the risks, I would say run the business, which includes people in our information technology, our credit risk teams, market risk teams, etc., that are in charge of day-to-day operations of the financial market utility here at the OCC. And we've got our second line functions, which includes corporate risk management, which is an oversight function that helps establish guardrails around what are acceptable levels of risk within the organization and how the organization should operate within that risk appetite and tolerance. We also have in parallel a compliance function that helps evaluate OCC's complex regulatory and legal framework, in the sense of what are the various rules and requirements that we need to comply with, and puts that in what we define as plain English for the average person to understand what we have to comply with to make sure we're operating in a safe, resilient manner. And also in our second line of defense we have cyber security, which is very interconnected with third party risk management in terms of performing some due diligence, etc. And then finally we've got our third line of defense, which is internal audit, which is a group that provides oversight not just to our first line of defense but also evaluates the effectiveness of the oversight that the second lines provide to the company, to the board, to senior management. So, being in internal audit, as you kind of mentioned, I've spent a few years in internal audit.
I also spent a few years in the first line of defense, where I worked in our financial risk management team and information technology teams. You just get different perspectives.
Vishal Thakkar: So you get different perspectives of how different people think from their vantage point. But most importantly, I think, being in internal audit, what I realized is it's really important to make sure that you have documented processes, things that are fairly easy to understand for people that are not doing these activities day-to-day, that can pick up these policies and procedures, can reperform some of the work that my teams do, and then can get to a similar outcome, and that we maintain sufficient evidence and support as we're executing our controls, whether it's, say, for example, we're onboarding a new third party like a new cloud-providing vendor.
Vishal Thakkar: And what are the various types of due diligence that we do? We'll do a cyber risk assessment, a business continuity assessment, etc. So we want to make sure that, one, we're following a consistent process as we're doing that due diligence. We're adopting industry standards where practical and feasible, so that there's something that we can benchmark our assessment to, saying we've aligned to industry best practices versus something that we just developed on our own within the organization. So I think being in internal audit certainly gives you that vantage point or viewpoint, in the sense that those are the types of things that you're looking for, and working in that function before moving into risk management certainly gave me that discipline that, as I oversee these various risk functions here at the OCC, it's important I ground the processes in industry standards. So whether it's in the third party risk management space, it's the interagency guidance that we've adopted that's been published by the various agencies, so that we can demonstrate that we're abiding by best practices and our policies and procedures are solid. And we get examined by the regulators very frequently. So we often get those types of questions around what industry standards have you adopted, and our partners in internal audit always help get us to the right place by challenging us and making sure that we're thinking outside the box to comply with these requirements.
Linda Tuck Chapman: Well, and your background, basically you've been in the first line, right? So you've been on the business side, and you have been very responsible for the relationships, and you actually, as a business leader, own those risks. And you're currently in the second line. You've also been in compliance, well, not in compliance, but you work very closely with compliance, and that's considered the second line of defense in the framework. And then the third line of defense is audit, representing the board and other stakeholders. And that gives you what I always like to think of as that sort of three-legged stool vantage point. Anybody who's heard me talk, I always think in terms of three legs of the stool, and you actually have been in all of those, and that's actually not very common, that you would have the opportunity to be in each of those functions. Usually it's kind of two out of three. So it sounds to me that where you're sitting in terms of chief risk officer, you can empathize with the business, right? Because they've got a lot of things to worry about, and I'm thinking you mentioned efficiency and effectiveness and bringing those things together. Now, for anyone who's not familiar with the three lines of defense framework, it was developed by the Institute of Internal Auditors, and it's not an org chart, right? You didn't describe an org chart, you described responsibilities. So bringing all those together makes a huge difference. I want to backtrack just a little bit. You talked about different regulators. So you are examined by the regulators just like everybody else in the financial services sector. And you also talked about best practices.
How do you bring all these things together to make sure that you've got really best practices, and that you're accepting these recommendations and tips or whatever from parts of your organization and stakeholders in your sector? Because that's pretty tricky. I talked to somebody just the other day, and they were saying they really wish it was more prescriptive, right, in the regulations. I said, be careful what you wish for.
Vishal Thakkar: That's right. Yeah. No, and I think we are overseen primarily by the SEC because we're more in the equity options markets, but we also do a bit of futures. So we have the CFTC as one of our regulators as well. And then the Fed, which I think you also mentioned, right? The SEC requirements are primarily principle-based. So there is an opportunity to interpret what those requirements are. And there could be differences of opinion in terms of how people would interpret some of those principle-based requirements. I think that's okay, right? Because it depends on your business, right? And how you manage the business.
Vishal Thakkar: Exactly. So I think, as a result of that, a few of the key things that we do: one is, in areas where there are industry frameworks or practices out there, whether it's third party risk management, modern risk management, technology risk management, where you have things like COBIT or NIST CSF, or in the third party risk management space, the interagency guidance, to the extent possible that provides the next level of depth in terms of what best practices would be and gives much more thorough guidance. And often, when we get examined, more often than not that's the type of question we get: what industry standard, whether it's ISO or some sort of other regulatory standard, have you adopted?
Vishal Thakkar: So from our perspective that is very important to do. The other thing we often do is benchmarking with our peer organizations, in terms of other financial market utilities, other SIFMUs as you were talking about, these large banks, to understand, let's say for example in third party risk management, what are the best practices? How do they go about doing due diligence? What are the practices of what they would consider a critical vendor or strategic vendor? What is the right level of due diligence that they would perform before onboarding that type of a vendor? What I found most useful is that benchmarking with these other organizations really gives me insights in terms of areas where we could improve, or we could share insights with those other institutions on what they could do better. Because what we often find during our regulatory exams is our regulators will go from financial institution to institution and they're kind of doing the same thing, where they're
Vishal Thakkar: benchmarking, where they'll look at, say, another clearing house, and they'll see, hey, for their third party risk management they've adopted these standards, and here's the level of detail and the procedures and the monitoring, etc. And when they come and look at us, they're looking for those types of examples. So I certainly think, in my opinion, that's a great way to evolve quickly for an organization that's looking to improve their program quickly, and try and understand whether, on a maturity scale of one to five, they are good enough. Compare yourself to your peer organizations.
Linda Tuck Chapman: And we try to teach that in our certification programs, Certified Third Party Risk Management Professional. So a lot of the things you mentioned, in terms of there's a lot of great resources out there, either from orgs such as ISO, there's NIST, there's COSO, the Treadway Commission, and so on. And I think that learning from each other, so you've got the standards, or the sort of accepted standards to read, or regulatory guidance, and then also I like the fact that your regulators also give you some positive feedback in terms of being very constructive. But that's the role of audit and compliance too, right? Not to get in your way but to help you be better. And then of course it goes without saying that being part of peer organizations so that you can share, you know, don't share the keys to the kingdom, right, but on the other hand you can share a lot of practices, because the questions about, well, how deep do you go? Do you include this type of vendor or third party in your program? Those things people always want to know, and the only way you're really going to find out is if you have trusted relationships, particularly with people in your sector. And I'd say, back to the lines of defense, don't just rely on people who do what you do. Talk to other people as well. I think that's really, really excellent. So the three lines of defense framework is really a way to bring it all together. And it sounds to me like you've done a really masterful job at OCC to bring the people together, because it's not a huge organization, but it has to have very, very high standards. Right? Standards of operation, standards of control.
Linda Tuck Chapman: So, one of the things when we were preparing, we were talking about scenario analysis, and I know when scenario analysis first came up in the regulations a few years ago, everybody was saying, "Well, we're so busy. How are we supposed to do scenario analysis on top of everything else?" But just from your perspective, what's a scenario like? What do people do? Why should they do it? Why should they spend the cycles to create scenarios? And what are you going to do with them when you're there? So, can you talk to me about your recommendations?
Vishal Thakkar: Yeah. I think scenario analysis is a tool. It's one of the various tools in our risk-management toolbox that I find very valuable. Part of it is because it lets you explore things that we deem as extreme but plausible, or sometimes extreme but not plausible, but at least you want to test the boundaries of what's feasible. But really, as it relates to third-party risk management, we've engaged in this activity quite a bit, both with our third party risk management team and our business continuity team, in working with several of our third parties, partly going back to where we started today: because of how interconnected we are with the exchanges,
with other market participants, with some of our large clearing members, and some of our large vendors, such as cloud vendors, we often want to run scenario tabletops to evaluate, and I'll just use an example.
Linda Tuck Chapman: Please do, yes.
Vishal Thakkar: As you know, as we process transactions we work with a number of settlement banks and we move money around at the end of the day. So one of the scenarios we practiced, both internally and then recently with the regulators, was what they deemed as a settlement bank outage for an extended period, say 48 hours. What would you do if your largest...
Vishal Thakkar: Yeah, your largest settlement bank experienced an outage for 48 hours? What alternative procedures do you have in place? How would you wire the funds? How would you keep the financial systems continuing to work, minimizing the impact that it would have on the rest of the financial markets if such an event were to occur? And these are the types of things, again, it's always hard to simulate a real-life scenario, and I'll give another example here in a moment, but
Linda Tuck Chapman: Before you go on with that particular scenario, did I hear you correctly to say that you have your organization, the clearing organization, so your scenario analyses, they're not confined to just your organization and your people? You're bringing in others as well. Well, that must be quite the coordination activity.
Vishal Thakkar: Yeah, we often bring in some of our critical third parties in some of these scenarios, whether it's a critical vendor that's supporting our system where they have an extended outage. What would we do in the event that something like that would occur? Could we run without them? How long could we run without them? And in some cases you may not be able to run without them at all. So then the purpose of the scenario is, well, do you need a redundant vendor? Do you need to have some other level of redundancy, etc.? So yes, I think that's what we find very useful, especially as risk managers, to think about situations which don't occur often but could occur and have occurred.
Vishal Thakkar: As we know, there have been outages at vendors that have impacted companies globally, CrowdStrike being an example just last year, the blue screen of death, right, as an example, or an outage with a large cloud vendor that lasted a few hours, and then how would markets operate in the event something like that would occur. So, for us, it's a very critical tool. It makes us think outside the box of what could happen, not in a one-in-five-year or one-in-10-year, but rather more in a one-in-20, one-in-30, one-in-50-year scenario.
Vishal Thakkar: And a good example was, before the pandemic, at the OCC we had practiced a scenario of a pandemic continuity exercise, and we had worked through that, and we are one of the few organizations that...
Linda Tuck Chapman: Good thing we did that.
Vishal Thakkar: That's right, that's right. I think even in that situation, again, like the settlement bank example, most scenarios are like, oh, you have this scenario where your employees are working remotely one or two days. No one still anticipated a scenario where people are working remotely for six months, one year. So I always encourage people, as they're thinking about these scenarios, certainly try to ratchet up the severity, because in real-life situations sometimes the scenario that plays out could be much worse than what you hypothetically could think about.
Linda Tuck Chapman: Well, scenario analysis is an interesting challenge, right? Because they do take time, especially when you're involving others, and so trying to run through a realistic scenario and actually get through it and come up with some good ideas on what to do is well worth the time. It sounds like you've done a number of these, but I would caution people that you're not running scenarios every day, right? So you're going to put together a few high-impact scenarios a year, is my guess, and try and run through them and see what happens.
Linda Tuck Chapman: But I'm hearing this more and more, that the more sophisticated we get in terms of risk management, more and more companies seem to be actually engaging in scenario analysis and actually running through scenarios, because I would observe that as a systemically important financial market utility, you are not replaceable. If you're not up and running, they can't go somewhere else, right? You're the only game in town. So anyhow, okay. Well, I wanted to talk also a little bit about how do you know which of your relationships are critical? You talked about, well, some of them are obvious, right? You can't operate without them, but a lot of people think about tiering, or all these, you know, how would you put together your portfolio of relationships to know where to spend your time and energy, which are most important, and which should just be in the sort of managed category? How would that work?
Vishal Thakkar: Yeah. So, I think one of the first things we did when we were relooking at the third party risk management program, now almost eight or 10 years ago here at the OCC, was really re-evaluating the inherent risk of each relationship with a third party. And so we went deeper than just the third party itself, because we would have a number of relationships with, say, a single third party, and I'll just use IBM as an example, where
Vishal Thakkar: we still have a mainframe relationship with IBM, but then we also have other consulting relationships with IBM, as an example. And one may be more critical than the other. And we wanted to really hone in on which are those really critical relationships that tie back to, I think, one of the points we opened with, which is us being critically important
Vishal Thakkar: to the financial markets. So those are our crown jewel third parties, that we deem as critically important, that we perform the most due diligence on. But I think it all boils down to, one, you've got to have a full inventory and universe, making sure you have a full, comprehensive understanding of all the relationships that your firm has with all third parties across the organization, and then using a systematic approach to appropriately risk-rank what you believe is the inherent risk that that third party poses to your organization. And for us, the primary risks facing the organization, as I mentioned, are making sure our systems are available, we're providing appropriate financial risk management,
Vishal Thakkar: we're settling and clearing transactions, and we're making sure our customers receive the service that they need. And to achieve that objective, we have a handful of third parties that we rely on that we deem as most important. I think, in addition to that, obviously then we get into the second layer of third parties, which support other services at OCC, but I wouldn't consider them ones that we couldn't operate without. For example, one of our system recovery objectives is making sure our systems are up and running within two hours from the time there's an incident. So to meet that objective, we have to make sure we have the right level of third party support, etc. As we're thinking through that, that's when we go down to our next level. It's where we get into things like our operating systems, our databases, etc. What we have in the most critical bucket are generally our cloud vendors or vendors that are supporting our most critical systems,
Vishal Thakkar: right? In day-to-day execution of those systems.
Linda Tuck Chapman: Well, and I find it interesting you say that, because I think most people in any organization could identify that short list of the absolutely essential, the most critical, and they do get a lot of attention. They always have, and probably always will. The next layer down, the next couple of layers down, are in fact to me sometimes a bit of a gray zone, and quite truthfully I think there's often more risk in them because they're not quite as visible. You don't have quite as many cycles to spend on them. You may not have a dedicated relationship manager. And that's what makes it really important to look at your overall operational resilience, as you described, as opposed to just looking at these as discrete individual relationships. You also mentioned, Vishal, that sometimes you have multiple relationships with the same third party, and I think that's something to consider as well. One of the companies that I did some work with, once they hit ten, you know, sort of important managed services with one vendor, they bumped them up to mission critical. Just a thought. I thought it was an interesting idea, because when you look at the individual contracts or types of services, it may not be apparent that in aggregate you really can't get by without them. So anyhow, is there any difference in your mind between a relationship that is critical and a relationship that is strategic?
Vishal Thakkar: Yeah, I mean, there could be some overlap, but there could be some difference, in the sense that with strategic, we could have some short-term strategic priorities in the organization. Like, we're going through a technology transformation, and to support that we have certain third-party relationships that support that strategic effort. So while those third-party relationships are strategic in nature and they support our core strategy, which right now is this technology transformation, those third parties aren't necessary for us day-to-day to keep our lights on, our core operations, etc. So that's where you can once in a while distinguish. But if your core strategy is very aligned to just making sure you're executing, then there could be significant overlap between your critical vendors and what you consider your strategic vendors. They could be one and the same, but there are opportunities for differences, as in the example that I outlined.
Linda Tuck Chapman: And I think that's important. I come from procurement and risk management, and the term strategic is often used in those relationships. Sometimes they're small third parties that are just bringing new products and services, and I think that drawing a line in the sand to say these are critical to our operations and these are strategic to our overall future, there's some value in distinguishing those. So anyhow, now I also wanted to move on to controls. We talked a little bit about controls, and certainly as a former auditor and a chief risk officer, I'm sure that controls are top of mind with you all the time. So, one of the things is that a lot of people don't even really understand the term controls. Is there kind of an elevator speech that you could give them that could say what a control is?
Vishal Thakkar: Yeah. I mean, the way to think about it is, you know, any important step in your process that you need to have occur to make sure that the process is functioning appropriately. So, for example, you could have automated controls, where your system is ensuring that certain activities are occurring. Say, for example, you have a three-way match in your procurement system for all the goods and receipts that are occurring, so you make sure that you're receiving goods and you're paying for them appropriately and those are all tied to a purchase order. Or you could have manual controls, where there's human oversight around a certain process to make sure those activities are occurring consistently and effectively. That's one of the things my operational risk management team does: make sure that we have the right level of controls across the organization. And they work fairly closely with my third-party risk management team, in the sense that as we're working with critical vendors where we are potentially outsourcing a certain business process, they make sure those vendors have the right set of controls that we would expect them to have in place. A simple example I would give is, if we use a payroll vendor to perform our payroll activities, we make sure that they have simple data security controls in place so that that information is protected and it's accurate, so that people get paid effectively and that information stays confidential.
Linda Tuck Chapman: Well, and so I think to parse that down, you talked about kind of repeatability, making sure that things are actually happening as expected, and that's all that a control really is. I mean, people get a bit bamboozled by what a control is. But how do your folks know what is the right level of control? And I have to say that sometimes I see, particularly in the world of cyber, I mean, it's never a question of if, it's going to be how bad it is, and because of that it must be very difficult to do their job, but there can be a tendency to set higher levels of controls than are really necessary for that particular service. So how do you think about this notion of risk-adjusting controls in order to make sure that they really are what you need?
Vishal Thakkar: Yeah. No, I mean, ultimately I think that's where it's important to think about this holistically, where risk, compliance, and audit in most organizations should work very closely together, in the sense that the risk organization should work to set up the risk appetite for the organization with the board and with the senior management team of the company, and then the company should organize their processes and corresponding controls to match the risk appetite that's established within the organization. Now, again, I think that's good theoretically, but practically I think your point is valid, in the sense that people will often overengineer controls, etc. So I think that's where the second lines of defense have an opportunity to step in, and what we look at is rationalizing controls to make sure that we're not overinvesting in controls in certain areas or underinvesting in certain areas. And what I often find is we tend to overinvest in processes that are very simple, straightforward, etc., but processes that people don't sometimes understand, the more complicated ones, don't tend to receive the right level of attention. But that's more just as it relates to human nature as such. You know, I always think the controls should be attuned to the amount of risk that you believe that particular business process poses to the organization.
Vishal Thakkar: And for us, for example, again, our core processes are to make sure we clear and settle and we risk-manage, but then there are a lot of other activities that we do in the organization, and we may have overengineered controls. But that's where my organization comes in and often educates people, saying, well, let's think about the risk. And that's where I would encourage risk managers to think about the role of risk management: it's not just to continue adding risk controls, but to make sure that processes are efficient and effective and that they have the right level of controls that are necessary and aligned.
Linda Tuck Chapman: I love the idea of rationalizing the controls. So quite often, and I mean even fundamentally, in some organizations that I've worked with it's unclear who owns certain types of responsibilities, right? Because privacy and information security and records management are pretty closely tied. And so I find often people are trying to control the same stuff in slightly different ways. And to your point, some other parts, nobody owns. And I think fundamentally being very clear with people around "you're accountable for this" is super helpful. But then that collaborative nature of your approach, I can't say that happens all that often, and I think that it's a wonderful way of approaching a fully integrated, non-siloed organization that can deliver the right things. Because being able to actually talk to audit and risk and compliance about how to rationalize the control, I can assure you that doesn't happen a lot of the time; they're like, please don't come near me, because you're going to find fault with what I do, as opposed to looking at this more positively. And that's leadership, Vishal, at the end of the day. That's leadership, that's what it's all about, because if you're the police then people are going to be very shy about letting you in, but if you're a collaborative business partner the way that your organization is, everybody's better for it.
Linda Tuck Chapman: So I want to move on to this whole idea of governance and oversight. You have a unique position: you're part of the executive committee of your organization, you're part of the executive oversight. So you're kind of sitting between the organization and, as a part of senior management, you're really also trying to support the board. And so when it comes to the basics around, you know, I think you've got a board that comes primarily from financial services, do you not?
Vishal Thakkar: That's right.
Linda Tuck Chapman: Do they have more knowledge than you think they might have otherwise if they came from manufacturing or consumer packaged goods?
Vishal Thakkar: Yeah, I mean, we're very fortunate. I think as I mentioned, we're jointly owned by a few exchanges. So we have what we deem as exchange directors from those organizations. In addition to that, we have member directors who are from some of these large banks, such as Goldman Sachs, JP Morgan, Bank of America, etc. And then we also have what we deem as independent directors, who are totally independent but have deep financial services experience and can provide the right level of necessary oversight to us as we're operating such an important organization. The way I see it is we're very fortunate to have such an intelligent board, one that has such far-reaching implications in terms of the US financial markets and the global financial markets, because we get to learn from that, we get to evolve from that, and then we get to gain ideas and best practices of what the best and brightest are doing in terms of managing risks, including third-party risks, within their organizations. You know, I think one of the things, just a few months ago, before the last administration had left, they had passed new, increased requirements for us in the financial market utility space for additional oversight of our critical third parties, by not just senior management but also by the board. So our board is very actively engaged in, one, being aware of what those critical third parties are; how do we monitor and make sure that any changes in performance of those third parties are appropriately escalated; and then the risk mitigation actions that we take as they relate to those third parties are all shared pretty much in depth with our board. So they're very actively engaged and I'm very happy to be working with them.
Linda Tuck Chapman: Well, I think the board composition makes a huge difference. You have the great good fortune of having a lot of senior people from very well-respected financial institutions who understand risk and third-party risk. That isn't necessarily the norm in a lot of organizations. And also all the work that's taken place over the last, what, 25 years in terms of really strengthening board governance has made a big difference. I do see organizations where they do have to educate their board. Do you do any sort of regular training for your board in terms of cyber, third party? Well, everything in operational risk has a third-party component. So I'm thinking, you know, things like cyber security is moving very quickly, or privacy laws. How do you keep your board informed? Because there's so much on a board agenda, it must be tough.
Vishal Thakkar: Yeah, you know, obviously I think through our corporate secretary and general counsel's office there are ongoing programs for board orientation, awareness, training, oversight. I think that certainly keeps the board abreast of new information, new opportunities as they may arise. In addition to that, from our vantage point, we certainly give the board an overview of any evolving processes that we take that could materially impact the organization, to keep them abreast. And then, as I mentioned, we're kind of fortunate: for example, I report into our risk committee of the board, and we have a number of ex-chief risk officers or current chief risk officers that are on the board. So these are real practitioners at some of the largest global banks in the world that are sitting on our board, so these folks are very well versed on what the various emerging risks are, what the changing dynamics are, and how the industry is moving forward. So again, as you mentioned, the board composition is important, and I think we're very fortunate to have a great board that provides the right level of oversight.
Linda Tuck Chapman: Well, if you don't mind my saying, they're very lucky that they have you. You have so much experience and so much breadth and depth, because when you're dealing with people of that caliber, they're pretty sharp, and so they would definitely keep you on your toes. So I'm sort of imagining some of the questions that you might get asked, and I would have to say that they're fortunate that you've got all this experience, because I can imagine you can navigate the questions and also where they're coming from, because you come from first, second, and third line of defense. And that's really important, because in my own experience in presenting to boards, and it's been a while since I've been in corporate, you have to be very clear around what you would like to get out of that particular segment of the board meeting, because it's easy to get distracted by something that's happening, right? As opposed to getting into enough detail in certain things and then also sticking with the big picture. So can you talk a little bit about kind of just your recommendations? I'm not asking for any trade secrets here, but people are very curious around, well, how do we report up the chain of command by the time we hit the board? Because you've got cyber over there talking about cyber, which would include third parties, and you've got all these different constituents coming to the table. Do you have any sort of best practice recommendations for what to put together, what to put in a third-party package, to make sure that you are respectful of your colleagues, but also informative?
Vishal Thakkar: Yeah. No, I think one of the things that has worked for us is obviously we've kept our reporting consistent. Consistency is important, because what we want to make sure is our board can orient themselves to the materials that they're receiving and that they know exactly what they're receiving, so they can easily digest that information. But with that said, it's really important that this is where you're distilling what's really important for the board, putting that type of information out to the board rather than inundating them with a whole lot of information that they just have to read. Too much data, no information type of thing. Right, exactly.
Vishal Thakkar: So I think that is one of the key things we focus on: what are the one, two or three things that we want to convey as it relates to third-party risk management in this quarter? We want to highlight any material risk in performance, any new relationships, any change in relationships that we want to highlight, or certain industry events as they relate to third parties, and what's evolving in the markets as it relates to that, that we want to outline for the board. And that to me is sort of the best way to get their attention. And we often try and engage them, making sure that they're aligned with us in our decision-making. So as we make decisions on certain risk mitigation activities, whether we decide to switch a third party because of that, when we bring it to the risk committee we bring our recommendation, make sure that they understand the soundness of our recommendation, and then certainly they as a board can provide effective oversight and challenge and ask us questions as we're entering into a new relationship, or exiting a relationship, or having performance issues with an existing relationship and are sometimes unsure exactly which path to move forward with. I think that's where certainly the board feedback is very valuable.
Linda Tuck Chapman: Well, and it's interesting, because a lot of people sort of imagine you going to report to the board and you're telling them all this information. But with your fiduciary responsibilities, you make an extremely good point that they're part of the decision-making, right? They help set the strategic direction for the organization. They are personally liable. They have fiduciary responsibility. And so I know in talking with someone a while back, they said that as a board member they actually wanted to be presented with things that weren't all fully baked, right? So if there are things in the works that you would like to get some feedback on. So can you just talk about that a little bit? Because you touched on that. I think it's a really important point.
Vishal Thakkar: Yeah. No, I think that's a great question there, Linda. And a good example is, as we're going through our technology transformation, we were working with a number of vendors, one being our cloud vendor, which is AWS. We were working with NASDAQ, who is one of our large implementation partners. So as we were doing due diligence around these vendors as part of the onboarding, not only did we engage with the regulators, because for the cloud work we needed regulatory approvals, etc., but we engaged very early on with the board on what would be the changing risk profile in the landscape if we go from a fully on-premise critical system stack to a fully cloud stack, and then how would those risks evolve, how would we manage those risks on a go-forward basis, before we went ahead and finalized our decision-making as it relates to that third party. And we got lots of good insights in those discussions with our board, evaluating that even before we took those decisions in front of our regulators for final approval. So I think it's important, as you get into these long-lasting strategic relationships or critical relationships that the organization would get into, for example if you're going to put your technology infrastructure stack in the cloud, that has to be a long-term relationship that could be very impactful to an organization, or you're engaging in a multi-year agreement for a very critical part of your business, it's important to seek input from the board in terms of showing that you've considered various risk management thoughts and practices.
Vishal Thakkar: And another example I would give is we've also engaged with the board in areas where we've thought about utilizing a third party for a certain activity, and we've often, as part of their oversight, received guidance and feedback like, hey, maybe this is your core competency, your intellectual property; you may want to continue to do this kind of activity in-house rather than utilizing a third party, to sort of maintain that IP as a clearing house. So I find that also very useful: insights from certain senior members on our board, in the sense that they also help us think through strategically, in a certain discipline within the organization. We may be thinking about using a certain technology or a certain third party, and their thought is, hey, maybe you're better off being self-reliant in that space and developing that expertise, because this is part of your core competency. So I found that.
Linda Tuck Chapman: I love that example, because certainly I myself have had those discussions with executive management, and I remember somebody saying, well, where are the goalposts, right? What will we never outsource? And it just shows that those conversations continue, right? That was a long time ago. So I want to thank you very much. This has been a very fascinating conversation. So I just want to remind everybody we're talking with Vishal Thakkar; he's the Chief Risk Officer at the Options Clearing Corporation, based in Chicago in the US, representing systemically important financial market utilities quite truthfully around the world. What works there, I'm sure, works elsewhere. I'm Linda Tuck Chapman, CEO of Third Party Risk Institute, and thank you so much for listening to us today. Thanks.