Richard Kessler is a Director in the Cyber Services practice at KPMG, and specializes in IG, data governance, and operational risk control. He is part of the Strategy and Governance pillar with a specific focus on enterprise data and IG, and privacy. He advises firms on ways to design and implement programs that address IG, RIM, e-discovery, privacy/EU GDPR compliance, operational risk management, litigation readiness and response, data governance, technology risk, and enterprise change management. He has extensive experience working with organizations in the financial services, pharmaceutical, healthcare, biotech, legal services, insurance, retail, and aerospace industries, as well as with assisting law firms and attorneys with litigation, regulatory, and general investigative readiness and response.
Where did you grow up? Go to school?
I grew up in Bayside in Queens, NY and went to Polytechnic School of Engineering at NYU.
What were your interests as a kid?
I was interested in science, history, cycling, camping, fishing, basketball, volleyball, electronics, music, art, and just about anything related to computers and technology. My older brother taught me how to build computers––he was an expert coder at an early age before it was mainstream––and the first PC I built was an Apple II clone. Later on, when I was a high school senior, our school received a new client/server classroom and the teachers didn’t know how to set it up. They handed the manuals to me and my friends and we set up the network for the school.
How did you get into the records management side of the business?
After interning at Chase Manhattan Bank as a helpdesk systems administrator while in college, I decided I wanted to work in technology roles on Wall Street as a career. I worked my way up the chain to technology infrastructure management; and after approximately 15 years at large financial services firms, I landed a lead role in IT at Citigroup Asset Management, based at 7 World Trade Center. On the day after September 11, 2001, I became responsible for the production recovery of the systems lost due to the terrorist attack. After recovery events, my management asked if––given my unique role during the recovery––I would help the firm to understand what data was important to our clients and to our business operations. This would help inform technology going forward and how to make available and best manage the most important data for the firm, and improve our resiliency. My first records management role had a very practical, very real, post-9/11 focus. In addition to other responsibilities, I took on a records management role for Citi Global Investment Management technology.
When did you move into more of an Information Governance role?
Following my records management role, I worked for a few years as a data architect and business process reengineering evangelist focusing on trade automation and systems integration. That was a healthy departure from my roots and an opportunity to gain more of a business perspective on data. A tremendous opportunity arose in Citi Architecture and Technology Engineering to work on records and electronic communications management for Citi firm-wide. This was a dream job for me, and I landed the role. This included a year-long analysis of firm-wide operational, security, discovery, risk, and records management requirements, focused on unstructured data and, in particular, electronic mail communications. I joined Citigroup’s Records Management steering committee, became interested in electronic discovery in 2005, and helped launch efforts to improve eDiscovery in 2006-2007––just after the first electronic discovery changes to the Federal Rules of Civil Procedure. This led to a more holistic perspective of many different domains related to data and information management. Put simply, this changed not only how the data and information was stored and managed, but also how it was accessed and used by business units and corporate functions, and the many purposes it serves.
What key skillsets are most in demand in the IG space?
My view is that real-world experience is vital. In particular, individuals with multi-disciplinary perspectives and big-picture views, who can also grasp how to operationalize information governance concepts, will have the most to offer. IG also requires individuals with high emotional intelligence because of the different types of individuals we seek to bring together. IG leaders should value people of all opinions, backgrounds, and views; the magic of IG lies in bringing many leaders and subject matter experts together in a cohesive way such that the sum is always greater than the parts. Creating an environment that fosters collaboration and encourages healthy conflict and challenge is one of the most important skills to have if one wishes to be successful. In the near future, skillsets related to artificial intelligence will become vital; but at this moment, skills and experience in data science and analytics, privacy, security, agile development, intelligent automation and business process reengineering, data governance, information lifecycle (records management rebranded), and investigations (including eDiscovery) are all important. A strong foundation in technology is essential, and even better when coupled with law, risk management, or compliance.
How would you compare working as an IG professional, as you did at UBS, versus performing IG consulting work?
In my experience, I would compare it to the role of a plumber, electrician, or carpenter in building a house, or some combination thereof, as opposed to being the general contractor, engineer, architect, and builder. In-house roles typically limit IG professionals to a particular domain. All of those roles are vital, but now I’m being given the opportunity to design the village and have the benefit of an aerial view when inspecting a building site, as opposed to being inside the house while working on it. I’m blessed in that I’ve loved my work for decades, continue to be very passionate about it, and now consulting allows me more variety and work adventures than ever––and a chance to work on our clients’ most difficult problems. Most importantly, I feel that the work I’ve done as a consultant has helped inform my worldview of governance because I’ve been able to evaluate and assist multiple firms, across industries, as they tackle the same issues. For someone who is interested in having a broad and holistic view of what’s happening in the world today, it’s like being a “kid in a candy store.”
IG had a rather slow awakening in the United States. Do you see that changing? What forces or influences are impacting that shift?
Regardless of its original awakening, I see the adoption of IG in the U.S. accelerating significantly. This is due to disruptive forces that require firms to quickly modernize and adapt to new technology. Digital transformation, AI/intelligent automation, focus on the customer, new regulations, and, in general, the explosion of data (e.g., IoT) are amongst the key disruptors and strongest forces that create the imperative for an integrated, simplified, and aligned view of data and information at an enterprise level. Without IG, I don’t know how organizations develop a clear view of information risk, for example. Lacking a unifying function, the right hand simply will not have the bandwidth to know what the left hand is doing, figuratively speaking. However, I’ve seen a paradigm shift. Organizations are finally waking up to the business need for governance and I am thrilled to help them succeed in this transition. Information and data governance must be tied to the bottom line: what’s growing the business, what’s serving the clients, what’s driving innovation, and new product development. I strongly believe this is the key element that was missing historically. Sophisticated organizations now lead with value creation as a basis for establishing IG, while also including those things that are value-enablers (e.g., privacy, security, compliance) and embedding them as part of the design of every business or technology change. IG needs to be seen as an innovation accelerator, and not an inhibitor, for it to take root.
How has the EU GDPR legislation impacted your U.S. clients?
In anticipation of U.S. regulations that could come in the wake of the EU’s GDPR, and evidence of that reality arriving in the form of the California Consumer Privacy Act, our clients are realizing that addressing privacy appropriately requires a paradigm shift in thinking––in corporate culture, and most importantly how the personal data is governed. For example, using opt-out mechanisms is no longer sufficient as a sign of consent; consent settings and data gathering and management will have to change on all of their platforms in order to be compliant. The consent mechanism also has to be closely linked to the processing activity to prevent unlawful processing. Doing this consistently and at an enterprise scale is challenging, to say the least. These are just examples of other rights Americans are taking more and more seriously as they realize the dangers of unfettered abuses of data, over-collection without proper safe handling, and, in particular, the risk that data breaches may bring to an individual’s everyday life. It will take most organizations years to truly understand all of their data-processing activities connected with personal data, so data privacy regulations have warranted taking a risk-based and risk-prioritized approach vs. a boiling the ocean, remediate-all approach. Also, organizations that think they may not be subject to such requirements may need to take a closer look. For example, GDPR impacts many U.S. firms without a physical presence in the EU who participate in the EU digital single market––firms that electronically monitor the behavior of, or intentionally market products or services to, individuals in the EU.
What is your take on some of the IG assessment models, such as the IG Process Maturity Model from CGOC or ARMA’s IG Maturity Model?
I have made use of these types of models extensively in my career. Advancements in thinking about governance do not throw out the matured concepts in these models, but rather build and expand upon them, and, in particular, shift the emphasis that these models had on legal, risk, and compliance elements to those that would represent more of a business, client, and product-oriented view of data. In other words, these IG models have a lot of value, but have fallen short in capturing the attention of the C-Suite because the big picture is to transform and innovate or die, grow your business, create an agile enterprise, etc., and such frameworks have unfortunately (and often incorrectly) been viewed as inhibitors to progress.
We hear KPMG is developing its own IG methodology. Can you tell us more about how that came about and where it stands?
Thought leaders across several practices contributed to a new approach to IG that enables positive business value by addressing the disruption that innovation in each domain can create. By viewing disruption as an opportunity and recognizing data as a strategic asset capable of empowering new business, our new framework represents a dramatic shift from the traditional models. We leverage governance with a focus on profit-generating activities, providing the organization what it needs to enable value. Areas such as addressing privacy, security, investigations, and lifecycle requirements are “baked in,” without being the primary focus. The approach has allowed firms to operationalize governance as a way to first achieve its primary objectives, all while embedding X by design, where X equals the aforementioned (e.g., risk, compliance, information protection etc.).
Infonomics is a new hot topic area in IG. Can you generally describe your work in this area?
While closely working with our clients, we’ve been exploring innovative ways to operationalize governance through proprietary approaches. These approaches are designed to quickly risk- and value-profile data in a way that enables informed decision-making around key data management activities. In contrast, many data valuation models and platforms being developed now are so complex, and so onerous from a data-collection perspective, that despite today’s technologies and computing horsepower, they may never be completed. To me, a parallel is the difference between modeling weather vs. walking outside, looking at the clouds, and knowing from experience that it is likely going to rain. It only takes a few seconds vs. millions or billions of calculations. There is a lot of readily available data and metadata that can be utilized; you just need to know where and when to look.
What advice do you have for companies wanting to manage and monetize their information assets?
Scaling traditional approaches and building ever-more complex models to mimic our increasingly complex world is not always the answer. The answer to many of our difficult problems lies in a radical re-thinking and new approaches to analysis; for example, looking for opportunities to make decisions on meta-information, rather than the detailed valuation attributes and underlying, gigantic pools of data. They are only going to get bigger and more complex; and if you miss a key data source that would change your decision, you’ve failed. The answer is in how the monetization works, not how much data can be channeled into the models, which is what I’m seeing now. Firms are getting smarter about the cost-benefit of complex data modelling. They are paying more attention to origins and quality of the information they are relying on for key business decisions and risk management.
What hobby or special skill do you have that might surprise your colleagues? What is your favorite book? Movie?
I absolutely love scuba diving and, in particular, the disconnect from technology and the digital world that comes with underwater exploration. It is incredibly relaxing and peaceful to me, although some may think it is a terrifying activity to have as a hobby (I would advise them to try it with certified instructors). I also love to drive, and have explored a good part of the U.S. by car; although, there are many roads I’ve yet to explore in the U.S. and abroad.
My favorite nonfiction book is Getting Things Done; it’s had a dramatic impact on my life and inspired me to pursue continuous learning, while maintaining a focus on the most important work of the day. My favorite fictional book (there are many) is probably Neuromancer by William Gibson. It opened up my imagination and filled me with wonder about the future. This won’t surprise you, but The Matrix is my favorite movie. Many sci-fi concepts in Neuromancer and The Matrix are becoming a reality today; that is more often than not an unsettling thought.
What do you like most about New York City? What is your favorite lunch spot?
New York is an adventurer’s paradise. It is constantly changing, improving, growing, and transforming––seemingly all for the better, especially when I compare it now to when I was growing up there decades ago. My favorite lunch spot is Virgil’s in Times Square; I’ve never been disappointed there and I enjoy the relaxed atmosphere. However, I’m always looking for a new favorite and thanks to NYC’s diversity, the opportunities are limitless.
Richard Kessler may be reached at RKESSLER@KPMG.COM