As the threats that face organizations continue to evolve in scope and complexity, so too does the role of chief risk officer.
In his position as Vice President of Global Risk Management for TNS, Umer Ayub understands this reality firsthand.
During a recent conversation with PYMNTS, Ayub shared his perspective on how the role of CRO is becoming more integral throughout the ecosystem and on the importance of cross-departmental communication as a risk management tool that supports a more successful commercial enterprise.
PYMNTS: What does a day in the life of a chief risk officer look like?
UA: As chief risk officer, my role is to implement a risk and controls framework that is relevant to TNS, takes into account our operational challenges and culture and delivers practical solutions to help meet applicable compliance requirements.
At TNS, this includes managing compliance with regulatory requirements, such as PCI standards, card scheme rules and SSAE16 reports. We complete customer and vendor due diligence and audits, manage disaster recovery planning and testing, manage customer contracts for compliance with regulatory and recovery clauses and ensure staff are aware of compliance requirements.
My global risk management team and I support all of TNS’ business divisions globally, which ensures a diverse set of responsibilities and a varied working day. We promote a culture of knowledge sharing and adhere to a set of core values, including collaboration, optimal effort, communication, professionalism and delivery, which means I get to speak with many different people as part of my daily role. This can include briefings with my direct reports, advising management on audit findings and discussing issues of common interest with peers, auditors, customers and industry experts.
I am also active with several working groups, so I frequently attend events and participate in valuable discussions.
PYMNTS: What is the most difficult part of your job, and why?
UA: Our role can sometimes set us at odds with colleagues, and convincing them that we do not create the compliance requirements ourselves can be difficult. We have sought to tackle this through our regular Risk Academy sessions that promote two-way knowledge sharing and aim to help colleagues understand we are here to help TNS achieve continuous compliance through meeting the requirements in an effective and efficient manner.
Managing risk is also not always about meeting known requirements but anticipating what might be the next big thing around the corner. This is a challenging, but also hugely interesting, part of the role that encourages debate, both internally and externally, with other industry experts.
And finally, while we stagger our audit cycles to spread the workload and learn from recent experiences, delivering against compliance deadlines is only achieved through strong teamwork with common and clear objectives agreed from the outset.
PYMNTS: What do you wish you had more time to do?
UA: In an ideal world, I would like to have more time with customers and industry experts to debate current issues and possible solutions. Most issues affect the payments industry as a whole and are seldom specific to an individual organization, so these valuable discussions are beneficial to all parties.
We should operate as a community of interest, working together and in harmony, to deliver a transaction in an efficient and secure manner. Building on this, I would also like to use my insights and spend more time with our product and sales teams to help identify commercial opportunities for delivering robust and secure solutions.
PYMNTS: How has the role of chief risk officer changed over the years, and what new tools do CROs need to protect their organizations from new threats?
UA: In my 14 years with TNS, the role has changed quite significantly. Chief risk officers are seen more and more as an integral part of an organization’s senior management team, and as a result, I now report directly to our chief executive officer, Mike Keegan.
We are often called on to mediate between technology operations and the business. Communication is our most effective tool, and being connected with the business, operations teams and external experts is essential. We are also moving into an area where we can take the lead on identifying and establishing links between risk management and the commercial benefit it can deliver.
PYMNTS: Where do you draw the line between sharing information about risks and threats with the people in your own company and keeping such things from them? Why?
UA: This is a balancing act and needs careful attention, or a genuine issue can be mistaken as unnecessary scare-mongering. The frequency of sharing is not often the problem but how the issue is being communicated. We find the key to success is taking into account the audience’s requirements. Some prefer a quick overview, while others need a more detailed report. Either way, you should present the facts first, followed by an assessment of how it affects the organization. The objective is to present a reasonable picture without hype or emotion.
PYMNTS: Outside of work, what are the three most valuable assets you wish to protect?
UA: The first item would be my family. I am heavily focused on my children’s education, their hobbies and helping them develop into responsible members of society. They are aged seven and one currently and filled with wonder at the world around them.
Secondly, I’d like to protect the ability to have “me” time. Going to the gym, making time for my own hobbies and maintaining friendships is very important to me.
And, last but not least, I enjoy giving back to the community. I support a number of charities in London that are focused on education and providing skills-based training to children and adults of less privileged backgrounds.