The Road To A Risk Management Career

Andrew Moyad (CEO, Shared Assessments) recently sat down with Michael Crawford (Head of Operations, Opstream) to talk about his risk management career. This blog post presents outtakes from the interview, exploring Andrew’s winding career path (along with a few laughs). Whether you are wondering about how to make Legal an ally, curious about becoming a CEO or just looking to learn about trends in the risk management industry, read on!

Thanks for coming on today.  Everyone I talk to says you’re quite the interesting guy.  You were in procurement, had a career in financial services, moved on to CEO of Shared Assessments and you’re making quite an impact.  How does your story start?  How did you first get into procurement?

I got into procurement from my own impatience to get deals closed! (Laughs)

In my career, I have had to wait in queues as a project support person or a salesperson and was told many times “I can’t deal with your contract right now.”

Before I got into procurement and risk management, I worked in energy and environmental engineering sales. People had pressing deadlines and issues where they might have a central heating plant needing an equipment upgrade because their primary equipment had broken and wouldn’t meet capacity for the coming winter. These clients wanted to buy better, newer, more efficient technologies in the interim with financing – but they couldn’t!

I started discussing the highlights of what I saw with clients and prospective clients. After a while, beyond the initial weeks and months of annoying many of my colleagues, my clients were relieved I understood their issues.

Any good practitioner in any field – whether it’s engineering, procurement, risk, or elsewhere – wants the person they’re working with internally and externally to understand their worldview and to speak their language.

Is that when you became the procurement specialist then?

Not quite – in subsequent roles, I was (again) impatient with how long I was taking to get things done.  I never blamed anyone because they all had full-time jobs before I showed up. I just wanted them to hurry up! (Laughs)

I just got more and more involved. It got to the point where people in finance would say, “I don’t need to review Moyad’s contracts.”  They knew I would negotiate the right thing.

Even the lawyers didn’t need to look at the terms because they knew I would loop them in if there were egregious departures that the counterparty was trying to negotiate.

Participating in and understanding the worldview of my supporting colleagues, I developed trust and got into procurement. Just lucky, I guess.

I’d wager luck didn’t have much to do with it.  If legal is vouching for you, that’s a big deal.

(Laughs) Well, the number of lawyers who have told me in my career “You know, you should have been a lawyer.” Whether or not that’s a compliment or an insult, I don’t know, but I’ll take it.

I am an enthusiastic learner. I really want to understand the issue.  What challenges are people facing? With a spirit of learning and respect towards a colleague who’s swamped, I think you can get a lot done.

You must understand the limitations people are facing and how you can help them. Leading and building a team is not about barking orders.

When you were in procurement what did that look like?

I was running sourcing categories. I was at Citigroup, BlackRock, and Blackstone where I ran or supported entire sourcing categories. That was fun!

What categories were you over?

When I was doing energy environmental services, it was engineering, consulting, and transportation in construction as well as maintenance agreements.

As I came into financial services, I started in technology and eventually, professional services, consulting, and a bit of market data as well. That was a whole different point of view.

All categories have basically been technology or data related.

Is that your strong suit?

Today it is, but back then, the demand was in technology. Since I’d been with a technology consulting firm, my job morphed into doing technology procurement for one of our clients.

Because one former client liked how I interacted with their procurement and legal teams, their technology leadership thought it’d be a good idea to invite me to join them. That was interesting and totally caught me off guard. It speaks to the need for keeping an open mind for new opportunities.

I was with that client for many years due to their contract negotiation times – they had a very long, bureaucratic process. My role was to make sure contracts went smoothly and quickly.

That’s when I made my move into financial services.

So, you moved to financial services and now you’re the CEO.  How did your perspective shift going from procurement into the CEO role?

When OneTrust and Shared Assessments reached out to me and let me know they had the CEO position at Shared Assessments opening up, I thought, “Great, I’ve known them for years! I am a big fan.” Naturally, I thought they were going to ask if I knew any good people for the role.  So, I started thinking of names right away.

Instead, they said “With your history in procurement and risk and the good things we’ve heard about you in the marketplace, we’re wondering if you would apply for the job.”  Just like the other job offer, that again caught me off guard! I’d led teams and led departments, but I’d never been CEO before.

What strikes me is you have this notion in your head about being CEO.  You think you’re going to be helping people think about how to use their memberships, how to improve their risk management programs, how to address their daily challenges.

In fact, that’s actually been a very small part of being CEO of Shared Assessments. It’s a very rewarding part where I can use my experience in risk and procurement – but it’s a small part.

What I focused on immediately were metrics around the health of the business, where we stand in the marketplace, and where our opportunities are. I cannot simply say, well, it’s in my gut as a risk management practitioner. Decisions must be based on data.

My focus shifted to thinking about strategies I could support with data, even if all the data are not necessarily available at the time. We used and are using data to make informed decisions, to be flexible and pivot.

That’s been the radical change.

Fascinating.  And what trends are you seeing now from your vantage point at Shared Assessments?


For a long time, there was no centralized place to gain knowledge and think about standardization and diligence reviews. Historically, many companies have come up with their own bespoke questionnaires – a very narrow view because it assumes you know everything there is to know for a given review.

But – what pitfalls or best practices have others already encountered?  Where do you share and learn that information? This is what our founder Cathy and the team were trying to address when they started: a solution to the challenge of creating standardization.

The Shared Assessments approach has always been to consult with many people in the industry.  We are a community and learn from each other.

Trends we are seeing include evolving regulatory requirements.  It’s become apparent to me as other verticals join the Shared Assessments community saying “We need to have a risk management program, or we need to improve our risk management program.”

For folks like me who come from financial services, we often wonder, “Did you get in trouble with a regulator?”

But, there’s actually more momentum separate from any regulatory pressure that has spurred other sectors to embrace risk management. More organizations and sectors feel the need to be good stewards driven by their clients, themselves, or their boards. It’s very interesting and a great trend to see.

That is interesting.

Yes! And another trend we’ve seen revolves around risk itself. Over the last five or six years, more and more companies have been hurt because they were not mindful enough about their third-party relationships.

I don’t mean mindful in the sense of commercial terms they had with vendors or being aware of what they were spending on vendors. I mean being mindful of the controls those parties had with their own data and their client data.

A significant number of breaches, including ransomware events that have happened to organizations, have come through their third parties.

Of course, 10 or 15 years ago, those events were outliers. Now they are becoming a dominant source of compromise.

Cyber vulnerabilities have taken front and center, though other risks remain essential.

Automate only with trusted partners, verify risk, and mitigate for vulnerabilities: that’s where we should be.

Continuing that train of thought, when we think about this struggle out there around procurement and risk, teams don’t know whether they should build and standardize their process in-house or look for something already established.  What’s your advice being in the industry for as long as you have?

Great question.  So many organizations don’t know where to start.

The best answer is: “It depends.” There’s got to be enough human capital so that people can be leaders, managers, strategic thinkers around this.  But they must be supplemented by strong services in the consulting and software space from market data providers and platform providers to really get this right.


Don’t make the mistake that many of us did 10 to 20 years ago in third-party risk management programs: we treated everything as an internal exercise and tried to figure it out on our own. You will not get to the level of maturity you want and grow fast enough.


Today, with solutions like OneTrust, Opstream, and others, and with third-party risk management programs like Shared Assessments, it is much easier to build an end-to-end program to make procurement efficient and to mitigate risk.

Andrew, we’re almost out of time.  Let’s end with a lighthearted question.  As a procurement specialist, what’s the strangest thing you ever had to obtain?


When I was at BlackRock, the Chief Risk Officer asked me to perform a review of a particular vendor that was very close to the company.

He was not able to make this event, but he knew this company I was going to review gave guests umbrellas. In fact, my Chief Risk Officer said this was the best umbrella he ever had.  But he had lost it.

He tasked me with negotiating for an umbrella on his behalf.

Naturally, I do the review, get ready to go, and, sure enough, they offer me an umbrella.  I said, “Thank you very much, but you know, my boss said he would love to get an umbrella as well.”

And their founder looked me straight in the eye and said, “He knows the rules.  If he wants an umbrella, he’ll have to come and get one in person.”



Yeah.  Very strict with their umbrellas.  It was clear I wasn’t getting another one. So, I went home empty-handed.  But I gave him my umbrella, he graciously declined and gave it back to me, so it all worked out.

Andrew, that’s a great story.  I wish we could keep going but we’re at the end of our time. I want to say thank you so much for coming on, it was super interesting.


Absolutely.  Thanks for having me.