Cloudflare TV

Yes We Can

Presented by Michelle Zatlyn, Valerie Spillman
Originally aired on 

Yes We Can is a recurring series presented by Cloudflare Co-founder, President, and COO Michelle Zatlyn, featuring interviews with women entrepreneurs and tech leaders who clearly debunk the myth that there are no women in tech.

Valerie Spillman, Senior Director of Enterprise Risk Management at ServiceNow, is responsible for managing risks, issues and remediations across the corporate, commercial, regulated markets and federal environments. Her career started out as a Software Engineer in Australia but she quickly found herself more interested in the world of internal audit, business continuity management, and risk management. While by day she wears a risk cape, by night she wears an apron – Valerie owns a dessert business and loves creating novelty and custom cakes.

To watch more episodes of Yes We Can — and submit suggestions for future guests — visit

Women in Tech

Transcript (Beta)

Hi, everyone. Welcome back to this week's episode of Yes We Can. And I'm just thrilled to be here with Valerie Spillman.

Hi, Valerie. Thanks so much for joining us today.

Hey, Michelle. So happy to be here. Thank you for having me. My God, I love your backdrop.

I want to be wherever you are. It's gorgeous. Isn't it lovely? It's very peaceful, very serene.

It's so serene. I feel already more serene and risk management, which hopefully will make me even more serene.

So I'm looking forward to it.

Good. Well, just a couple housekeeping items before we dive in to talk with Valerie.

If you have any questions as a way to submit them online, you're welcome to share questions throughout this episode.

And then if you have suggestions for people you'd love to see on this show, email

And so with that, let's dive in. So Valerie, let's start with what you're currently doing.

We have so much to cover. So currently, you're a Senior Director of Enterprise Risk Management at a great company called ServiceNow.

And so maybe you could start by sharing with the audience more about your role and what it means.

Excellent. OK. So yes, ServiceNow, I joined about just over two years ago.

Absolutely love it. As you said, I'm the Senior Director of Enterprise Risk Management.

I actually, at a very high level, manage issues, risks, and remediations across the corporate, commercial, regulated markets, and federal environments.

A lot of people, when they think of issues and risks, they often mix them up.

And especially if you're not in the world of risk management, they typically say, you know, issues, observations, findings, risks, they're all the same thing.

But in fact, in our world, they are a little bit different.

And so if you think of issues and issue management as unplanned events that have happened that require remediation, so control gaps and control breakdowns that have been identified, or in audit, they're called findings, that's what we refer to as the issue management side of the house.

And then the risk management is really the potential of something happening, right?

So if you think about it as more of an if-then-else scenario, that's kind of more the risk and how we plan to control it or reduce exposure.

Also, when we look at risk management, we're looking at the likelihood and the impact, and sometimes the velocity, of that risk actually occurring.

So yeah, two different sides of the house, but very much related.

I love it. Yeah, that's, I mean, that's a really clear explanation, because I think there's a lot of people who aren't familiar with what does enterprise risk management mean?

I'm sure when you go to a party and someone says, what do you do?

And you say, oh, I work at ServiceNow. Like, what do you do for them?

You're like, I work at enterprise risk management. You get some blank stares.

Like, how do you explain it to somebody at a barbecue? Yeah, everyone's just like, yeah, move on.

I think it's cool, but that's how I explain it.

You know what? I'm one of those nerds that just happen to like, you know, risk management and the different areas of it.

And I've been fortunate enough in my career to have had exposure to different parts of risk management and kind of bring in different, you know, bits and pieces, like business continuity planning or management and disaster recovery planning and internal audit and kind of piece it together as part of risk management.

So it's fun. Not for everybody, but I think it's pretty sexy.

Sounds amazing. So let's give, maybe to help contextualize this, I mean, on the issue side about these unplanned events and what are we going to do about it?

Or then the risk side of predicting or trying to anticipate something happening, what we're going to do about it.

And if something happened like that, what would the impact be?

I mean, you've worked at, you said ServiceNow, you've worked at PayPal, you've worked at Cisco, you've worked at Deloitte, where you've been advising companies.

And so you've seen a lot of companies in a lot of different arenas.

Maybe you can share one or two projects to help contextualize to the audience, you know, a little bit more about your role on a daily basis.

Yeah. You know, I'm going to start, I'll go back to the very first role I had at IBM.

And one of the roles that I was exposed to very, very early on in my career, probably my first real corporate job, was I got exposure to helping with the business continuity plan for the Sydney Olympics.

That was back in, the Olympics were in 2000.

So obviously the plan was being worked on in the 90s. So I'm really dating myself.

But I got exposure to that. And it was just really, you know, that was my first real risk type role, right?

Risk type related role. And I got to see how a business continuity plan was developed.

It was like a, it was a seven layer plan.

What could go wrong? You know, you start at the very, very top and then you just keep slicing and dicing and slicing and dicing.

And they got into the most details of everything, you know, if, you know, the weather's bad or if, you know, there's a pandemic or there's, you know, all these different things that they looked at and you start to plan for if, then, else.

Because as you can imagine, right, this is a worldwide event, everyone's coming.

I think the other, the other big impactful project, I guess, or program for me is probably the most recent one, which is at ServiceNow.

When I joined, we didn't really have a formal enterprise risk management program per se.

And so the more I spoke to my boss at the time or my potential boss at the time, and we talked about what that looked like, I said, well, it sounds like you need an issue management program, because there isn't real structure around what we currently have.

It's just kind of, you know, everyone's throwing in risks and issues and observations, as I mentioned earlier, into one sort of bucket and build a framework around that.

And then also a risk management program and build a framework around that.

And what does that look like?

And so I have an amazing team that I adore. And so together, we've built these programs that basically centralize the issue management function.

So we called it the Enterprise Issue Management Functional Program.

And we centralize this, because when you start reporting, you can then report consistent, transparent information to the executive leadership team or to the board.

And they can see across the board versus just kind of, you know, piecemeal here and there silos.

So that's been pretty exciting for me, because it's from scratch. And currently, we're developing a product review program as well, which is going to be super exciting.

So maybe I can share that in about a year. For sure, exactly. You come back with what's your favorite project since I last saw you?

Exactly. Where are they now?

Yeah, right. Where are you now? Where's Valerie now? Exactly. I can only imagine what the background will be then.

When you say this centralized issue management program, which I think is, which is great.

Is it right to say that anyone across ServiceNow can kind of say, oh, here's an unplanned event that happened, which is now characterized as an issue.

And then your team helps to figure out, okay, how do we characterize this?

How do we categorize it? What are we going to do about it going forward, so that you start to knock them down.

So there are fewer issues going forward.

Is that the right way to think about it for the audience?

You nailed it. Yes. We, when we developed the program, we said, you know, what are the different channels that you can accept issues, right?

That we can accept issues.

And one of those channels was self-identified or is, I should say, self-identified.

And really what that means is anyone in the company can say, can go into the employee portal and say, or pick up the phone and tell us and say, hey, look, I think this is a potential control breakdown in my area or in my function, or I've witnessed this, you know, so they throw it over to us.

And then our role is really to triage it.

So we go in, we figure out, is it a one-off incident?

Is it something that's systemic? Is it a control breakdown? Is it, is it a gap?

Is it, you know, an inefficiency in some ways? And so the more we start deep diving into it, we realize, okay, well, this is something that now probably requires remediation.

So who's the right person to go back to? Who's the issue owner?

Where it is at full? Is it cross-functional? Who's impacted by it? Let's define who, you know, let's identify who the remediation owner is.

And then what are the tasks?

What are the remediation tasks that have to take place for this control gap to be eliminated, right?

So ultimately what we're trying to do in general risk management, as well as, you know, specifically issue management and risk management is limit exposure or eliminate it, right?

So, oops, excuse me, eliminate exposure.

So it's, that's really the point that we're trying to, I guess, carry across when we're doing risk management.

I love that. I think that was somebody reporting an issue for you.

Well, I think I had it on vibrate, but you know, when they call several times and it starts ringing, it must've been somebody, so never mind.

I love it. So I love, so this is kind of the idea of an employee, you know, if you have a security vulnerability program to kind of report something that's, you know, suspicious, like report it to the security team or even, I mean, and so in this case, it's, Hey, if you see something where it feels like it's off in terms of exposing the company, let us know.

And so do people actually take you up on it?

Do people across the organization submit issues for your team to go triage?

Because that seems like something that we're not asked to do on a daily basis.

And it's amazing that you and your team are asking everyone at ServiceNow to do that, but then do your colleagues actually do it?

Yeah. So, so in addition to self-identify, there are some other channels like customer audits, if a customer comes and audits us, certification audits, internal audit is also a channel.

While we don't manage internal audit, it's still reported in that same dashboard.

And then, you know, continuous monitoring, testing and stuff. Now we originally focused on certain high profile organizations within the company, you know, security, privacy, legal, blah, blah, blah.

And we, we were very proactive in going and promoting the program so that people would come back to us and submit issues.

And that's been working very effectively. So we've been, we've got great partnership with security and legal and everyone else that we originally went to.

What we're trying to do now as we have a Lights on Doors Open program is start promoting it to the groups that we weren't necessarily targeting initially, right?

Because it was kind of a work in progress.

Let's figure out what's working, what's not and tweak it.

Now that we are Lodo Lights on Doors Open, it's, you know, we're going to the product organization, we're going to various different organizations.

Now, you mentioned vulnerabilities. We don't look at vulnerability specifically because that's kind of outside of our scope that security specifically manages that.

But there are various other areas that we are focusing on.

So absolutely. I think people are becoming more comfortable knowing that this is a positive thing versus a negative thing.

It's good to highlight gaps in the company for us to help close those gaps and limit exposure.

I love that. I mean, I could not agree more on this point where it's a good thing.

It's a good thing for us to know the faster we know, the faster we can dig in and do something about it.

And it's great that you have many sources, as you pointed out, all those audit reviews or internal audit.

I mean, that makes sense, but it's almost like a good sales pipeline.

And I'm an enterprise software company, so I'm always thinking about the sales pipeline.

You want to have lots of sources of input for new ways to track these issues.

This is good. I think we all better understand issue and risk management now, Valerie.

So thank you so much for educating all of us. And so let's say there's somebody listening on the sales team.

Let's say there's an account executive listening or a product manager listening or an engineer listening, and they're thinking to themselves, wow, now I finally understand what my colleagues in risk do.

I never really understood. Thank you, Valerie, for teaching me. What kind of advice or tips do you have for these colleagues in these organizations of how they can better partner with their colleagues in the risk team?

Yeah, I think...

I don't... So I see everybody in the organization as being responsible for risk management, right?

It's not just the ERM team. It's not just my team, for example, at ServiceNow.

In my mind, everybody should have a part to play in helping minimize risk and exposure to the company, right?

So when I look at these folks outside of my group, I call them risk partners to us.

So whether it's sales or product, engineering, finance, legal, I call them risk partners, just like we are risk partners to them.

Now, the difference is all the information comes to us in a centralized way, and we help massage it and report on it and show trending information, for example, slice and dice it for the executive team to see as a whole.

But in the various different organizations, like sales, for example, they get to see stuff that we don't get to see, right?

And they're the subject matter experts from that end.

And so for them to be able to come back to us and say, hey, this is a control breakdown, or hey, this is real big risk to the company, that you should be aware of.

That's super helpful to us. So it's really everybody's part to play as a risk partner.

Get to know your risk team, get to know them, build that connection.

We have from our side, in terms of the risk side, we have proactively set up an emerging risks working group, right?

So we identified about, I think it's like 12 to 15 different folks at a director level across the company who are subject matter experts in their organizations, right?

So we have someone representing sales, legal, security.

And so we meet every couple of months, every two months, we meet and basically, or ad hoc, if something comes up, but our discussion is really, hey, what's happening in your area that we should be aware of, right?

If we had had this a couple of years ago, chances are we would have been aware of the pandemic maybe a little bit sooner.

I mean, we acted pretty fast, but maybe we would have been aware of it even sooner than that, right?

We also have steering committees and they're made up of executive leadership teams.

So again, sales, engineering, product, everyone's involved, everyone's having these discussions, but it's really great at all levels to be having these discussions and keep in the back of your mind that you are just as responsible for managing risk within your company as I am.

Yeah. I love that. I love that.

I think in a technology world, that's the, I mean, this is not even just tech companies.

I think it's just general. It's securities, everyone, part of everyone's job, managing risk is a part of everyone's job.

It's kind of the new part of any job description is these are kind of expectations of the best companies.

So that's amazing.

Yeah. Don't be afraid of the risk team. Right, exactly. No, I think some people are, I think sometimes the risk team is kind of scary because it's like, wait, you're going to remediate, you're going to triage.

That just, I, what I, what sometimes I think what maybe I would hear if I was rolling my career is that sounds like a lot of work for me.

I got to go out to fix all these things and do that sort of action sometimes.

We do. But my response is, well, how about you use me?

Well, leverage me and my team to go back to your management and say, we, these are risks or these are control gaps in our area.

We need to fix them. And so now we need to budget whether it's resources, expanding the budget, et cetera, et cetera.

But we need help in fixing these to limit our exposure. Now there is also, there are times where a company or a functional leader will say, look, we're aware of the risk.

We're aware of this gap, but we're willing to risk accept it.

Right. Because of X, Y, Z. It just, you know, it doesn't make sense. Cost versus time versus this versus that versus the exposure.

And so there are, there is that opportunity to also risk accept.

And that's also built into the program to formally have a place where there is justification submitted, risk acceptance approved, like formal approvals at the VP plus level.

You know, discussions to be had if it's cross-functional.

So that's all recorded as well.

Formally. So, you know, not every risk or every issue has to be remediated, but, you know, use us for that and use us for budgeting.

You become an ally. Yeah. Yeah.

I love it. That's good. That's great. Good. Good. So what are some, you know, as someone who's worked with so many organizations, again, both you've worked inside the organization, so you understand it so well, but you've also worked where you've been a partner organization again, Deloitte, where you've been consulting with the Sydney Olympics.

I'm just curious, what are some common mistakes that you might see teams or organizations make that you can share with the audience just so you can just, so they can maybe get ahead of these common mistakes?

Yeah. Excuse me.

Not having a centralized function, I think is probably one of the biggest mistakes.

And I say that because when you're working in a silo, what you don't see is the impact or the lack of impact that you're making across the company, right?

So when you're working in a silo and you're reporting on your risks or your issues and you're managing those, that's great.

It works for you. It works for your organization. But let me ask you this.

What if your issue or this gap actually impacts another organization because they're dependent on you or you're dependent on them?

Now, if you're fixing this on your own and they're maybe identifying it, maybe they haven't identified it, maybe they're not even aware of it or they're fixing it on their own, it's just, it's not feasible, right?

So what we're trying to do is by having a centralized function, you're trying to see across the company.

What a centralized function ultimately does is connect the dots.

It helps you connect the dots. Ultimately, that'll also help you report consistently.

It'll help you have transparent reporting.

The other thing that I've noticed at some companies is there's no common language, right?

So when I say that, I mean a common ratings language, a risk ratings language.

If one part of the organization is reporting on high, medium, and low, another part of the organization is reporting on a five-point scale and they have a completely different definition of what a high is versus this part of the organization, how are you able to report that back to the board or back to the leadership team and say that these two are equal, right?

So if you have a common language, that also helps.

I think they're probably the few biggest key areas that I've seen mistakes made.

It's just, it's so much easier when everyone's speaking the same language.

Well, and then you can, as you said, spot the trends, right?

Are things trending in a better direction or a worse direction? And I think like in business, often the trends are you're trying to say, are things getting better or worse or is there a hot zone?

And so that really resonates. That's great.

Okay. So you describe yourself as a geek of, a nerd who loves enterprise risk or risk management or a geek who loves risk management.

And I, you know, when you first said that to me, as we were getting ready for this conversation, I like, I really smiled to myself because I thought, how in the world did you discover this passion?

And so I would love, can you share with the audience how you discovered your passion for risk management?

Because that is not something that I hear very often.

I woke up one day and this is what I knew I wanted to do. So I'd love to hear, I want you to tell the story to the audience because I think it's a really good one.

Yeah. I actually studied computer science. And so I thought I was going to be a software engineer.

That happened. That went by really quickly. I knew it wasn't for me, but when I joined Deloitte, when I joined IBM, sorry, as a software engineer, I tried it out and I was like, not too excited.

I got to know my boss, my boss's boss actually really well.

And he became my mentor and I said, you know, I'm kind of out of here.

This isn't really for me. So he said, well, why don't you start doing some business analyst work?

And he got me into the more of that continuity, business continuity work.

And that was my intro to that if then else scenario.

And I think instinctually I'm also, I think like that anyway, you know, I'm always thinking ahead.

I'm always thinking, well, what if this happens and what if this happens?

And so that was my first intro. And then when I, when I moved over to the US 21 years ago, I joined Deloitte and Deloitte gave me a little bit more of that business continuity planning exposure as well across a couple of different companies.

And then a partner ended up pulling me into internal audit.

We had the largest client I joined. I'm so grateful for the opportunity.

I was so grateful for the opportunity, but I was, I had no idea what I was doing.

I would sit there in meetings and I'd be like, what are these people talking about?

What is internal audit? You know? And after a few days, you know, I do want to, I really, really want to be successful in this role, but I just don't know what they're talking about.

And I was so junior, you know? So I went back to him and I said, Hey, I really want to be successful.

I just don't know what I'm doing.

And so he printed out, oh, I'll never forget. He printed out, you know, the COSO manual, the COSO framework, and then the COBIT framework.

And he said, here you go, read these and you'll be fine.

And so I did the nerd that I am. I read everything.

And of course I'm like, oh, okay, well that makes sense. And so when I was, you know, in these conversations with my manager and, you know, taking notes, feverishly taking notes, I started to understand what internal audit was all about.

And so I kind of got into that, oh, wow, this is pretty cool.

You get to, you know, go in and in a concentrated, like pressure cooker fashion, you get to learn about this area.

You get to test it. You get to see what the control gaps you, you, you contribute, and then you walk away and then you do it again.

You know? So it was, that's kind of where I started. It was, it was fun for me.

I love it. I love it. I mean, I just, it's, it's, it's, I mean, you know, that story, Valerie, obviously speaks a lot to you that you were so open that you were willing to tell.

I mean, I think a lot of people earlier in their career would never go to their manager and be like, I don't understand a thing that just happened in that meeting.

Like you kind of pretend you might fake it until you make it.

And you don't have the confidence to say, I want to be successful, but I don't really know what's going on.

Can you help? And then again, good on your manager for saying, well, actually, here you go.

Instead of saying you're fired is, I think those are some of the stories you never hear around people and careers.

And so I think it's good for you for kind of sticking your neck out and being open to learn and saying, I don't know much about this, but I want to learn about it and going down the rabbit hole and then deciding, actually, I love this is also really cool.

I think part of it was just youth, you know, when you're young and you're just honest.

So, but yeah, no, it was, it was really, I mean, it really helped my, it helped shape my career.

Yeah, that's good. That's good. So one of the things that I like to explore, we have about six minutes left and there's a couple of things I want to talk about, but one of the topics that I'd love to explore why I started Yes We Can is to hear just about different parts of an organization and why people are in risk management and why you love it and how that helps organizations and how that helps technology.

And it's amazing. The other piece of it is just trying to around this idea of the impact that you're making, like in terms of you and your role or your team or the company you're at, because I think that the reason why I like to explore this is tech technology went from an industry that could do no wrong where people were like, oh my God, I love technology companies to almost like the one that gets beaten up all the time.

They can do no right.

And so I'm just trying to hear from people who show up every day in the industry of how do you think about the impact you're having?

And that's a pretty broad question.

It could be mean in your team or what your team is doing or what the company you choose to spend your time and talents at.

Just curious, how do you think about impact in the technology world from your perspective?

Wow, that's a difficult question, I think.

I'm so proud of what we've done internally at ServiceNow and the impact that we've made within ServiceNow, right?

Just because of the programs and formalizing the programs that we have and decentralizing them.

And that really was a big effort.

I mean, it's taken, it's still going, two plus years and it's still going.

I think externally what I'm super proud of, and we had a small part to play in this overall, but just from a ServiceNow impact to the industry or to the world, shameless plug for ServiceNow, but boy, we did really well in terms of turning around and developing these emergency response COVID apps, right, for the pandemic very, very early on.

And so that actually, and they were free, and that made quite a bit of a difference from an impact perspective and helping manage risk overall within the world, like in the world at different companies.

So that was really, that was something that I'm very proud of. We had a little bit of a, you know, especially on the government side, we had a bit of an impact, but that was really, really important for us.

But yeah, it's just, you know, I think impact-wise as well, it's really nice to partner with the sales organization, which I often do, and be able to tell other customers how we do things as customer zero, right, program-wise, and then using our own technology as well, or using our own applications, and how they can leverage the same thing, you know, or something similar.

So that's kind of the impact internally and a bit of externally as well.

I love that, I love that. You know, your COVID, how ServiceNow gave an app to help enable all these other customers.

I mean, they're just something, those are proud moments where it's like, well, we can do this, and we have the technology that can help in this time of need.

We did something similar with the vaccine distribution, where those sites got huge surge in traffic, so we created like a waiting room, and if anybody was distributing the vaccine, it just, these municipal health clinics just never went over, or whoever was going to distribute these vaccinations, and to this day, the countries around the world are rolling it out.

France just did it yesterday, and it's like, you just feel so good to be a part of it, like I did one small thing.

We're not putting vaccines in people's arms, but technology does help enable the coordination and other pieces of it.


Yeah, good. Okay, so one of the things that's happening during COVID is this great talent migration.

People are changing jobs. I mean, they're really rethinking their lives, like, where do I want to be?

And you have had lots of great, you've worked with a lot of great companies.

I know ServiceNow, you love that you were at PayPal, you were at Cisco, you talked about IBM, you talked about Deloitte.

I mean, any tips that you have for someone who's trying to rethink, like, where they want to go next, or they think about, oh, I'm ready for a new adventure.

Any advice for those people thinking about what's next in their career?

Yeah. Network, mingle, ask for introductions, LinkedIn. We're so lucky to have LinkedIn to be able to connect to people.

I would recommend, though, if you are connecting to people, personalize your invite, right?

Personalize and say why you want to connect with them, because if I have some random person wanting to link with me, I typically don't unless I try to keep my network pretty intimate if I know the person.

I recently had an individual from Deloitte very early on in her career, and she reached out to me via LinkedIn and said, hey, I noticed you were at Deloitte, and then you went to corporate.

I want to move to corporate, but I don't know how. Would you set up some time and talk to me?

I was more than happy. Complete stranger, two years into her career, I was more than happy to have a discussion with her just to help guide her, because I never had that.

I would have loved that. I would say mingle, ask questions, ask for an intro.

Don't be shy. Just ask. I love it. Did she get her job in corporate, Valerie?

I don't know. I did guide her a little bit, and then I didn't follow up, but I probably should.

Or she didn't follow up with you. Or she didn't follow up.

Yeah. Follow up and let us know what happened. That's right.

Absolutely, absolutely. Yeah, but I think it was just really nice to have that.

I mean, people pay it forward. Yeah, exactly, pay it forward. You have to ask. You have to ask, for sure.

Okay, there's 45 seconds left, and then we say goodbye to this episode of Yes, We Can.

The one question I like to ask everyone is, as a woman in technology, where has the industry lived up to your expectations, and where has it fallen short in 30 seconds?

Okay, I'm going to say fallen short first.

I think women have always been one step behind, maybe two steps behind, and that's always been super disappointing.

I unfortunately probably contributed to that as well, because I had the attitude of, if you can't beat them, join them, because I was always in male-dominated industries.

But now I feel like we're making changes.

Just this program itself, right? Exposure, telling people you can.

I love the whole diversity, inclusion, belonging approach. I love the inclusion of minorities.

That's really, really uplifting to me to see that that's all a focus for pretty much every company nowadays.
