At Visa, the Globalization of Risk - and of Its Chief Risk Officer

In September 2019, Paul D. Fabara became executive vice president and chief risk officer of Visa. Over the previous eight years he held several senior positions at American Express Co., including risk and compliance responsibilities - underlining his value to Visa. His predecessor as CRO, Ellen Richey, retired after 11 years with the international payments giant.

Richey's relatively long tenure may bode well for another one, and Fabara, while naturally affixed on the coronavirus pandemic and its effects on an enterprise touching commerce virtually everywhere in the world, also prioritizes long-term sustainability.

In addition to a global risk framework with personnel apportioned across Visa's regional entities, “I run the crisis management group; we are responsible for resilience and business continuity planning,” Fabara says in an interview. “We are in the middle of every crisis, to say the least.”

The mission comes down to “making sure our systems, people and clients are taken care of.”

Don't let that simple statement obscure the complexity involved in putting the necessary organizational pieces together - not to mention the winding but ultimately logical path that brought Fabara into the management team led by chairman and CEO Alfred F. Kelly Jr.

An Infrastructure and Its Risks

Visa, which has some 19,500 employees and had $23 billion in fiscal 2019 net revenue, “is constantly looking at ways to add more robust fraud and risk management capabilities that we can extend to our clients and their customers,” Kelly wrote in the 2019 annual report. That's across a network that can handle more than 65,000 transaction messages a second.

“Over the past year alone, we helped financial institutions prevent an estimated $25 billion in fraud using our artificial intelligence (AI)-powered risk scoring engine,” said the CEO's shareholder letter. “Our Visa Advanced Authorization (VAA) platform uses AI and machine learning to evaluate 500 risk attributes in each authorization request, in real time. Today, more than 8,000 issuers in 129 countries receive VAA scores to help reduce fraudulent transactions.”

Corporate disclosures typically catalogue a litany of risk factors. Visa's most recent 10-K filing devotes about 10 pages to them, starting with regulatory risks: “As a global payments technology company, we are subject to complex and evolving regulations that govern our operations . . . The impact of these regulations on us, our clients, and other third parties could limit our ability to enforce our payments system rules; require us to adopt new rules or change existing rules; affect our existing contractual arrangements; increase our compliance costs; require us to make our technology or intellectual property available to third parties, including competitors, in an undesirable manner; and reduce our revenue opportunities.”

Fabara has been there, too.

Cards and Payments

He came up through the bank credit card and payments industry, spending 10 years, through 2002, with Providian Financial Corp., getting exposed to risk management, underwriting, marketing, sales and service, and credit administration. Subsequent positions included chief operating officer of Alliance Data Systems, servicing more than 400 private label credit card programs; and global chief operating officer for Barclays' credit card business, based in London and responsible for operations across 71 countries.

At American Express, aside from a CRO stint, Fabara was most recently president of the global services group, managing all support groups including new accounts, customer service, credit, collections, asset recoveries, fraud operations, procurement, manufacturing, automation, facilities, sales and business enablement, enterprise strategy and execution.

At banks he has worked for, Fabara was called on to manage remediation of issues raised by regulatory agencies like the Federal Reserve and Office of the Comptroller of the Currency - useful experience for the post‐financial‐crisis reality that regulatory relations and related policy matters have become part of the CRO remit. He is Visa's principal regulatory liaison across its 200‐plus country footprint.

“CROs were traditionally distant from the supervisory folks,” Fabara notes. “Today there is not a CRO who is not in constant communication when those risks are identified.”

CROs have also become regular and vital communicators between the C-suite and board. Longtime Silicon Valley technology executive Lloyd Carney of Carney Global Ventures chairs Visa's audit and risk committee, with which communication is “very fluid and not just at board meetings,” Fabara says.

Operational Resilience

Compared to banking, Visa's business, although related, presents “a different set of expectations” and “different set of challenges” of a cross-border nature, “where my experience is very helpful,” Fabara says. Information security, personal privacy, anti-money-laundering and “third-party lifecycle management” are a few at top of mind.

To what extent has Fabara's world changed between his arrival at Visa - he is based in New York - and the pandemic “new normal”? The CRO recently answered a few questions.

Before the coronavirus was on the radar, how would you have rated Visa in terms of crisis management and preparedness?

When I first joined Visa, I spent several weeks traveling to meet the global team. I met with Visa's operational resilience team during an initial meeting where I was given an overview of how they operate, and it was immediately clear that Visa's crisis management approach is best in class, and is led and executed by smart and deeply experienced team members available 24/7/365 around the globe. At a macro level, Visa has developed a clear framework that aims to drive operational resilience in the face of changing business conditions and, ultimately, to withstand disruptive events through coordinated responses and sound decision making. Our goal is to minimize impact to the Visa brand, services, our stakeholders, and the broader payments ecosystem.

Our dedicated team works with key partners across the enterprise to facilitate implementation of the operational resilience framework. The team's approach sets clear standards and provides guidance for internal stakeholders to build resilience plans, while also helping us continually challenge planning and readiness assumptions through exercises and after-activation analysis.

As the crisis has played out, is there any reason to change that evaluation? Even if not, are there any examples of steps or reactions taken more recently to shore up the resiliency of Visa and its people?

My initial impression was both validated and elevated.

From the early stages of the COVID-19 outbreak in China to the reach and scope of today's global pandemic, Visa has relied on our established and tested business continuity plans, which are based on a combination of risk assessments, impact analysis and key business priorities. They are designed to ensure the safety of employees, contractors, visitors, and all other personnel as well as the continuity of business operations, processes, and services. Included in these plans is a dedicated Global Pandemic Plan based on World Health Organization (WHO) terms and definitions.

Throughout this time, we have continued to review the most up-to-date WHO guidelines, local ordinances, and regulatory guidance, while also consulting with relevant authorities and experts and staying focused on market-specific needs as a focal point of our preparedness.

Since the emergence of COVID-19, the health and well-being of our employees has remained a top priority. Today, we continue to have a wide range of precautionary safety measures in place to help mitigate risk and minimize the impact of COVID-19 on our teams and our ability to service our clients.

To what extent are you looking medium- to longer-term as to "lessons learned" and ensuring robustness in the face of future events?

We have witnessed an unprecedented acceleration of digital adoption throughout our industry and broader society as a result of the COVID-19 pandemic. While the near-term response has focused on maintaining business continuity and mitigating client impact, businesses should develop risk strategies that promote payment security and strengthen the trust foundation necessary for long-term recovery and growth.

Did Visa have an “advantage,” so to speak, through its global footprint, in seeing the potential outbreak of the coronavirus sooner than another type of enterprise would have?

I believe Visa's operational resilience framework gives us an advantage in the face of changing business conditions. As a global enterprise, our teams in the Asia-Pacific region were the first in the company to activate our business continuity plans, to help ensure the safety of employees in that region. Their coordinated response and sound decision-making at a local level proved valuable as we scaled our response globally and leveraged their early response measures.

The pandemic poses risk management questions and challenges not just for any business or sector, but on a massive social and economic scale. Do you have any thoughts on how risk management thinking or principles could be applied more impactfully on that larger scale?

I think risk principles can apply beyond the risk function. Investing in the right technologies and resources to make management processes more efficient, developing a risk-aware culture with the right talent in place to help deliver on actions, and improving business analytics to capture data and translate into insights for better decision-making can be applied broadly to other functions and throughout a business.