Skip to content
InTechnology Podcast

#40 – What That Means with Camille: Governance and Audit

In today’s episode of What That Means, Camille speaks with Thomas LaLevee, Chief Internal Auditor chez China Construction Bank S.A. He sheds light on the implications of an increasingly digitized world when it comes to assessing cybersecurity risk in governance and audit, and offers great insight into what traits and discussions will be necessary in future board meetings.

The conversation covers:

  • What makes a good internal auditor
  • Why the tone from the top is important
  • The need for adequate information to be provided to the board in developing cybersecurity protection strategies and the kinds of discussions that are needed as governance models are developed
  • How digitalization trends will impact governance and audit


…and more  Tune in and join us for this incredibly important discussion!


The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.


Here are some key take-aways:

  • -While governance is one of the most complex topics in a company, in simple terms it’s about risk management, protecting the culture and reputation of the company, as well as protecting company assets. Internal audits, meanwhile, involve adding value to the company through the development of recommendations for risk management and mitigation.
  • While an out-of-the-box approach might seem like it doesn’t belong in the realm of internal audits, a mix of traditional and innovative risk thinking is key to being able to provide better information to the board.
  • Whether they like it or not, banks will have to adapt to cryptocurrencies for better strategic integration in the future.
  • As we increasingly shift towards a digitized world and automate processes along the way, we increase potential security breaches that come with huge sanctions. This means that each department has to have its own governance that must be audited in a specific way.
  • In selecting independent directors, it’s important to consider competence, but it’s also important to source people working in other companies that are trained in digitalization; this way, they have a good understanding of what’s happening in the world.
  • In developing governance strategies, it’s important to focus on the human impact of cybersecurity risks in addition to the potential financial consequences; reputation is often more difficult to recover.
  • Now more than ever, it’s crucial to bridge the language gap between IT and the board in order to convey the complex technical issues dealing with digitalization and cybersecurity.


Some interesting quotes from today’s episode:

“It’s really important for me, the CIA, to do a mix between traditional risk thinking and thinking out of the box in order to give better information to the board and also to help them make better decisions.”


“If you do not develop a good strategy now, notably if you’re working as a private banking industry, then you can definitely lose lots of clients in the coming years.”


“Definitely one of the most important topics is also reactivity, because it can be the response to cyber risk; as I mentioned, we work in a way more dynamic environment than before. The concept of risk awareness is definitely extremely important.”


“We have to adapt our risk analysis so that we’re sure our audits are adapted to this new world. I think one extremely important thing is that IT, more than ever before, will be a central function inside of the company.”

“One main word in our job is humility. And I think that more than before we’ll need the help of specialists to help us ensure that we analyze the company in the best way. Humility.”

Share on social:


Camille M: [00:00:00] Hi, and welcome to today’s episode of What That Means, Governance and Audit.  Today we have with us Thomas LaLevee from the China Construction Bank.  Thomas Lalevee has been in banking for 20 years, both public and private. He graduated from ? Strasbourg, specializing in economy and finance. And after a short time in front office banking in Strasbourg, he served mandatory French military service in the Navy, which he describes as a beautiful experience.

He then worked in private banking for the Rothschilds for about 15 years where he was in charge of all Rothschild’s funds in Luxembourg. While he was working for the Rothschilds, he got a Master of Business Law where he specialized in fraud prevention and anti-money laundering and terrorist financing at Strabourg University.

And after that, he moved into the role of Internal Audit Manager for the Rothschilds. He also has worked for Mirabaud as Chief Internal Auditor for all Europe. Now he is Chief Internal Auditor for all of Europe, for the China Construction Bank. And for those of you who don’t know the China Construction Bank is in fact, one of the biggest banks in the world.

Thomas is based in Luxembourg.  Welcome to the show Thomas. It’s really good to have you on. 


Thomas L: [00:01:20] Excellent. I’m really happy to be here today to share with you and to discuss about this extremely complex and interesting topic. 


Camille M: [00:01:33] So Thomas can you start us off by just defining governance and audit in under three minutes? 


Thomas L: [00:01:41] Yes. Um, governance is one of the most complex topic, uh, in a company.  It’s simply just about managing risks, protecting the culture of the company, its reputation, and also [00:02:00] its uh, assets.  Internal audits is about managing risks and, uh, doing recommendations as to mitigate these risks. But also it’s about adding value inside of the company regarding these risks. And also helps the company anticipate potential risks.

Internal audits does report to the board, but internal audits is also a way to ensure that through recommendations that are done by the boards will be adequately implemented inside of the company.  When we talk about governance, we also talk about the boards and the authorized management itself. 


Camille M: [00:02:57] So Thomas when we were chatting before you said thinking outside the box, you thought was really important and especially in decision analysis. And I just thought to myself, this doesn’t sound like a chief internal audit officer way of thinking. I was wondering how those two things reconcile–thinking outside the box and being in charge of audit? 


Thomas L: [00:03:24] I think so that we are clearly in a disrupted world.  And that the ways such internal audit was done before must adapted in the same way that the business is evolving. Now we are entering in real digitals worlds and if I do not understand as a CIA the way it will evolve in the five coming years or maybe in shorter term, then I will not be able to add value to the company. This is why it’s really important for me, for CIA, to do a mix between traditional risk thinking and also thinking out of the box in the way to help give a better information to the board and also to help them make better decision.


Camille M: [00:04:18] I think that’s fascinating and I really can’t wait for the rest of our conversation. Let’s dive a little deeper.  When I was poking around on LinkedIn to learn more about you, you’ve got one thing on there that’s personal. And it’s a quote from Albert Einstein that says “there are only two ways to live your life. One is as though nothing is a miracle. The other is as though everything is a miracle.”  Why do you have that on your LinkedIn? What does that mean to you? 


Thomas L: [00:04:51] I think it’s some most important sense of this quote for me is that it sees the role of everyone to help this world be a better world. Okay. And we can focus on negative things, but I think it’s not the best way to solve the problems in our world. 


Camille M: [00:05:12] And I want to ask you something else that’s maybe a bit more general, uh, even then, and complex, possibly than governance and audit before we get started, because you are in banking. Um, and you’ve been in private and public banking and the world is changing, as you say.  I would like you to help me understand what is money? what is money these days?  I’m not sure where it originates or what it stands for now. 


Thomas L: [00:05:45] Uh, I, I can make the link between the old world and new worlds and the crypto currencies.  I think it’s, it’s the aim of your question. It means the ways that so world was organized before, we change because we are going from a centralized world with the central banks to a new world more based on digital currencies and blockchains.

The banks will have to adapt–and mostly to private banks–so that they, uh, integrates these aspects. And this will because now we mostly working with Gen Y and Gen Z that will be more used to work with, uh, crypto monies. If you look at some countries, like Sweden, I think less than 5% of the people are only using physical money.  The rest of the population is only using credit cards or crypto currencies.  The way the money is evolving I think it’s, it’s definitely on that way in the future.  But you will still have to maintain a regulation. You know, you had this discussion in the United States in which way to define digital money.  And you had the debates about if it was to be integrated as a security or not.


Camille M: [00:07:30] Make it a security. So it’s something that could be traded essentially like a stock, or do you consider it more along the lines of the fiat currency? Like the U S dollar. 


Thomas L: [00:07:41] Yeah, and it is part of the debate we still need to have in Europe because we are some delays if we compare to United States or China in such a way to use such a new money. Uh, it’s a, it’s really a huge debate. And, uh, it’s something we need also to know as a banker, because it will help us also adapt our controls and, uh, our strategy. 


Camille M: [00:08:10] Do, do banks care whether it goes one way or the other, or is it just a matter of understanding which way it goes so they can work with that?


Thomas L: [00:08:20] I think it’s definitely really care because if you do not develop the good strategy now, notably, if you are working as a private banking industry, then definitely you can lose lots of clients in the, into two or three coming years. This is why is the digitalization topic can be seen inside of the bank. You know, in Luxembourg we have many banks that have already created specific departments only to focus on the way to adapt digitalization inside of, uh, of the company. Because they know that if you do not manage it well, definitely you are dead. 

For the most important banks like retail banks, I think it’s more easy because you have many more ways to develop your business and to stabilize.  But for small banks, it will be a lot more hard, I think. And maybe many institutions should disappear in the coming years. 


Camille M: [00:09:26] Do you think that some of this shift or whether or not it’s a shift, I guess is a debate. Um, but do you think that this is placing a higher focus on cyber security in general? 


Thomas L: [00:09:43] I think it has always be there, but it is taking now huge proportions for different reasons. So, first one is that when we move to a more digitalized world and also when we try to automate many processes that were manually done many years ago, it means that we increase potential breaches inside of the company because of this interconnection.


Camille M: [00:10:18] You expand the breach surface, you’re saying.  Because-


Thomas L: [00:10:22] Yes.  Definitely. And also because of the regulation, because when you look for example, at GDPR regulation in Europe, it means that you have to organize data protection in a way that is much more strong than before. And also you can face sanctions if you are act and if you lose some data, you can have huge sanctions that can be some percentages of your revenues. And it means that you are obliged, whatever happened to organize, to manage this risk.


Camille M: [00:11:06] Right. That’s in every industry, not, not just banking, right? The privacy regulation. 


Thomas L: [00:11:13] Yes, definitely. It is why the role of the board is extremely important.


Camille M: [00:11:21] I want to hear more about that because you were saying you thought one of the most important things is governance.  And from that, one of the most important things is composing the board. So can you say more about that? 


Thomas L: [00:11:36] Yes. You mentioned that the world is evolving and it is becoming more complex and, uh, a lot more professionalization of the board has to be increased since many years. And also governance is parts of many processes. It is not only the board. It means each department as its own governance and this must also be audited in a specific way. 

As you know, it’s many years we had to comply or explain approach that was known as, uh, one of the most important concepts in general governance. And also what is important for me is to ensure that the composition of the boards is done in a wholistic way.  It means you will have the internal members of the board that come from the company itself and you will also have the independent directors.  That is I think one of the most important concepts that has been developed since many years in the old world. When you cannot have part the knowledge dealing with new technologies, of cyber security inside the companies, and you can find it with a choice of adequate independent directors.  But definitely this is also a choice of the shareholder.


Camille M: [00:13:09] Well, how do you pick?  Or how, what is a good selection of independent directors, in your opinion? 


Thomas L: [00:13:17] In my personal opinion you have to select them based on the actual competencies. Also, you have to find people that are also working in other companies so that they can have a good benchmark of what is happening in the world. And also that are trained in a digitalization topic. It’s extremely important.  What is important in independent directors is that they are independent. And most of the time, you know, say, can raise topics, uh, in a more smooth way in the company. 


Camille M: [00:13:58] They step around the politics. Right?


Thomas L: [00:14:02] Yes. Okay. We are facing the same, yeah.


Camille M: [00:14:03] How do you go about that when you, when you were in, uh, private banking and you’re working for like a family?  Is that different when you’re selecting, are there independent directors and how is that different when you’re selecting them?


Thomas L: [00:14:19] I think it’s, it has to be done in the same way, whatever company it is. The difference is that when you work in the private banking world, is he relation with the shadow that can be different compared with companies where, where you are not composing such way or, where you have many different shareholders, you know? The impact on the decision is the same.


Camille M: [00:14:48] I was remembering, um, when you had talked about working with the French national police, Gendarmerie I think is that the right translation? 


Thomas L: [00:14:58] You mean when I was trained in Strasbourg University in fight against fraud?


Camille M: [00:15:06] That’s right.  You specifically did anti-fraud with them and cyber hacking. 


Thomas L: [00:15:11] Yes, it’s really interesting at this point because when I did my master in business law, it was organized by someone was named Shantelle K? in France. Is that he’s also in charge of some associations working on the analysis on the fight against, uh, finance fraud. Okay. And the interest of these trainings that have this master is that it was a mix between a students like me and also integrating people from the, uh, Gendarmerie Nationale in France. Part of the training was also done by Gendarmerie Nationale to put us in a practical way to make us act as actors in a closed network, uh, in the university. And we were asked to attack the network, just to see the impacts. And when you do this, I think you realize a lot more is danger of cyber risks.  

And, um, I think it, it was a good basis for me after that, to, to go on studying cyber security in a more intellectual way, because when you see the impact, again, after that , at this stage, you can give all sorts of ? that is different. 


Camille M: [00:16:39] So the other thing that you did after that was work on this transparency study–international transparency study. And I think a lot of audit and governance is, is kind of fundamentally linked to transparency. So I’m hoping you can say a little bit more about what you were doing with that study. 


Thomas L: [00:16:59] Yes. I had the chance to participate in the National integrity system studies that was done in our world by Transparency International in 2012 and 2013.  And part of the study was dealing with companies and also help to do an analysis on the link between governance and it’s impacts about corruption.  Then I made lots of researches about what should be a good governance inside of a company. It was the basis for me of all the studies I’m doing now and applying internal audits when I, uh, do some researches, uh, for my company, uh, on governance. 

And it was really interesting to see the evolution of governance as usual approach is called a disciplinary approach. It means that you had before, more focused on the mastering. Uh, financial data, but now we are more moving in a cognitive approach. That means that you have to develop more competencies to be able to match the evolving business activities.

It was my, um, first conclusion when I, when I did this study.  Of course, after that, I made to link with, uh, potential impact for corruption. And it means, for example, in the past, uh, if I talk about France, you had a concentration of roles inside of many boards of the biggest company in France. It means that about 40 persons in the biggest company in France were shared by only 100 people. This is why after that the concept of independent directors, uh, has been also improved to help, you know, avoid such concentration. 


Camille M: [00:19:11] What happens if you don’t have governance or audit setup in a company? Or what happens if it’s not set up well–doesn’t have appropriate external directors or things like that?


Thomas L: [00:19:23] It cannot happen because it is something definitely mandatory, you know? And so it’s so regulated and, uh, I think, um, definitely you have no company if that’s a case. (laughs) Okay. And, um, regarding the, a cognitive approach what is also important it’s like to say is that governance audits are monetary is also, is the fact that we have to follow, uh, guidances that are received from professional associations.  And United States you have the International Corporate Governance Network that is an important basis that was also used in France later on. In France, we have the ?? code that is quite the equivalent.  And all the staff, you know, are asked to give a supports and, uh, references as to structures boards, and also you have the regulation, as I mentioned, that impose you to have an adequate governance.


Camille M: [00:20:28] And you’re global, so you, you have to, um, adhere to regulations across all the country countries you’re operating in, right? 


Thomas L: [00:20:37] Yes. And, uh, internally, definitely when, uh, we work in a huge, uh, companies, it means that we have also to master the regulation in each branches. And it’s really where you see some parts of some training in our job. And, um, [00:21:00] I think for cyber security, when you work in a huge companies and you have many things that are centralized and when you work in the branches and you go to the branches, most of the things, you know, are attributed in the edifice itself. 

But definitely one of the most important topic is also as a reactivity because it can be so the response to cyber risk, because as I mentioned, we [00:21:30] work in a way more dynamic environment than before.  And the concept of risk awareness, I think is definitely extremely important. It is also as important, for the CISO. Most of the companies have to create a digital governance model because if you want to digitalize a company and if you do not ask such model, uh, it’s quite, uh, impossible to implement.   You can have excellent strategies, but if you do not implement it, uh, you know, it makes no sense.  

Then when, when you go back to see digital governance model and that was, we just share, is that a powerful message is the explosion of hacking. When you go and analyze dark webs, the ransomware, the phishing, definitely it is also the role of the board to be aware of this and, uh, o be clear on the impact it could be on the image of the company.  Because when you look at the cyber security, then you can have clearly financial impact, if you are hacked. You can have legal compliance impacts. But I think that the reputation is maybe the most hard to recover if you lose some data or if you did not manage this topic well.


Camille M: [00:23:06] It’s probably also the hardest to quantify. 


Thomas L: [00:23:09] Yes, definitely. I think what is important when you talk about governance is that we must keep in mind that decision making and also strategies also dealing on the way it will impact human people in inside of the company.  Okay. And as we all know, threats mostly come due to internal, uh, human weaknesses. Uh, so this is why if you ensures that the message given by the boards on that topic is well done then when we do our internal audits, it’s helps us also lots.  And I think you have to see it in two ways–the tone from the top. And of course the message we can raise to the board through our audits.


Camille M: [00:24:07] I like that. I like that he thought that you have to get the right independent auditors and then the tone from the top matters a lot when you’re setting up a digital governance strategy or model.


Thomas L: [00:24:20] Yes. And also as a CISO definitely because I think it’s that if you want to create a specific culture of cyber risk awareness, you need to ensure that the CISO can give the messages in a regular way to the board. And also because if you want to make the best decisions, uh, the quality of the information you receive is crucial.  Because if it’s not the case, you cannot define good strategies.   So if we, if you talk about cyber securities and definitely the board will have to validate the strategies in terms of prevention, resilience, under attack, about detection and recovery—these are usual topics. If they have the adequate information about impact itself, that will help the company of change, adequate tools and also the budgets—that’s an extremely important tool to improve the system and also the cyber protection environment. 


Camille M: [00:25:35] You had mentioned that one of the most important things was understanding how the digital world is going to evolve in the coming five years or fewer. What would be your one insight, top insight that you think governance or audit folks should be really thinking about?  What thing do you think is coming in the digital world that’s going to affect governance and audit? 


Thomas L: [00:26:04] It’s definitely a huge and complex question. I think that we to understand the new businesses and also to adapt our risk analysis so that we are sure that our new audits are adapted to this new world. I think one extremely important thing is that IT more than ever before will be a central part of function inside of the company. And so there is a real need to make the bridge between the IT–the complex on technical issues, dealing with digitalization, cyber security and the message to be delivered, to the board.  And I think it is maybe some most important thing for us in the coming year.  It means really to understand is the impact on the business, to understand the language and to help the company align.  Because the way a ways of business was done before will not be done to the same if you had machine learning, if you had blockchains. So definitely is the interaction inside of the company would not be the same.  And it means that you can have many more potential breaches dealing with these topics than before.

And one message also, one main word in our job is humility. And I think that more than before we will need the help of real specialists to help us ensure that we analyze as a company in the best way. Really humility.


Camille M: [00:28:02] Thank you. That’s beautiful, beautifully said.  Thomas it was, it was actually really. Interesting and enlightening talking with you today and learning quite a bit about thoughtfully, about what it is, is to do internal audit and governance well.   You’re really at the top of that field in the world. And so it was really nice to have a conversation with you about what matters. 


Thomas L: [00:28:34] Definitely it is my pleasure, Camille. And, uh, with your podcasts, you are part of people’s that make, try to make this world a better world. And, uh, this is why it’s also, it’s a real pleasure, you know, to discuss some interesting topic with you and to have the  sharing moments and thanks a lot.


More From