James Lam has been an advisor to boards on matters of risk management and mitigation for roughly 25 years. He has been the Chief Risk Officer at GE Capital Markets Services and at Fidelity Investments. He was a partner at Oliver Wyman, where he founded ERisk under the firm's auspices; that unit was later sold to SunGard. In 2002 he started an eponymous risk management company. Since then, he has served on the boards of several companies, including E*TRADE Financial Corporation, where he chairs the risk oversight committee and is a member of the audit committee.
As someone with deep experience in advising companies on how best to de-risk the enterprise, I wanted to find out what advice he would offer to boards and to management teams. For instance, he notes that his top five recommendations for boards to consider in their oversight roles are: (1) double down, or triple down, on the basics; (2) establish a cybersecurity risk policy with clear risk appetite statements; (3) ask for an effective risk report with qualitative assessments and quantitative analytics; (4) provide credible challenge and oversight of the cybersecurity program; and (5) focus on people and culture. He expands on each of these, and offers many other suggestions, in this interview.