When Mary Rentoumis was offered an opportunity to join embattled banking giant Wells Fargo as the head of global third-party risk management, she heard some unexpected advice from a mentor: read Bad Blood by John Carreyrou.

The book chronicles the collapse of a one-time multi-billion-dollar biotech startup, Theranos, and the rise and demise of its ruthlessly ambitious founder and CEO, Elizabeth Holmes. It was written by the journalist credited with breaking the story of widespread fraud at the company.

“At first I thought my mentor was a little crazy,” Rentoumis told a room of more than 130 compliance practitioners at CW’s Third-Party Risk Management and Oversight Summit in San Francisco. “I work in financial services; what the heck does that have to do with this [bio]technology company? But I went ahead and read the book, and I realized: He was right.”

By reading and deconstructing Theranos’ layers of corporate fraud, Rentoumis gleaned an array of lessons from Holmes.

The now 35-year-old founder “had really siloed every one of her departments. She ruled with fear. She managed up to her board and her leadership advisors with incredible finesse. She rewarded anybody who got close to finding out her secret with another path; then she diverted their attention. And she never let anyone see her process end-to-end,” Rentoumis reflected.

Therein lay the answer Rentoumis was looking for: If she was going to accept the position at Wells Fargo, she needed to make sure she could look at the multinational financial services company’s processes end-to-end; that she did it in a way that was fact-based and courageous; and that she asked questions and validated the answers.

Rentoumis accepted the position at Wells Fargo eight months ago.

While she did not expressly state a parallel between the Theranos scandal and Wells Fargo’s history of misconduct, the TPRM specialist strongly implied lessons of ethics and culture drawn from Bad Blood are both portable and universal; they apply to all businesses, no matter the industry or organization.

Rentoumis set out to foster a risk culture at Wells Fargo where employees feel empowered to do the right thing, even—or especially—when it isn’t the easy thing. Thus, she challenged herself to build tools and templates that make it easier for people to raise their hand when something doesn’t feel quite right.

“If I had been at Theranos, would I have had the courage to raise my hand and say something?” Rentoumis wondered aloud.

Her vision for Wells Fargo’s risk culture was tied to two objectives: aligning the responsibilities of risk management to the larger goals of the company and keeping frameworks and processes as simple as possible.

Regarding the first item, Rentoumis knew she would need the support of leadership to set the right tone from the top, ensuring a strong risk culture permeated the company. Identifying shared goals with business leaders was a surefire way to establish buy-in for sound risk management practices. It wasn’t about going into meetings with complaints and scare tactics, but, rather, ideas and solutions. It was imperative to keep the bigger picture of the company in mind.

“If I talk about rules first, people immediately shut down. They don’t want to hear it. … I had to get people to understand the value that building that risk culture would bring to them,” said Rentoumis.

As for the objective of simplicity, Rentoumis recognized creating a process with 300 “easy steps” would only make it hard for people to do business with and within her organization. Making a six-step checklist, for example, that is easy for users to consume would facilitate the understanding of risk and, with that, the execution of sound risk management activity.

“I’m a huge fan of keeping it simple. … If you can’t explain it to me in 10 minutes or less, or if you can’t do it with a 10-question questionnaire, you’ve probably made it too complicated for anybody to understand the risk,” Rentoumis said.

Toward the end of her keynote, Rentoumis summarized her tips for compliance practitioners:

  • Create a clear mission of your organization and the value you bring to the firm.
  • Participate in your business’ planning sessions. Ask questions.
  • Build a strong “front door” to your third-party process.
  • Make the templates and tools easy.
  • Establish clear roles. Who really owns the risk of that third party?
  • Follow the data when you provide it to a third party.
  • Connect the dots with third-party dependency process mappings.

Looking back at what happened at Theranos and her path at Wells Fargo, Rentoumis believes the nexus of risk, culture, and ethics really stems back to keeping things simple from the get-go, creating a common risk language, and asking the right questions.

It’s not about building a “culture of nice,” as Rentoumis put it, where people have good intentions but are afraid to rock the boat or publicly disagree with one another. A culture of nice is not conducive to sound risk management—or to a sustainable ethical culture, for that matter.

Instead, Rentoumis believes her tips will help to create a risk culture where the roadblocks to communication have been lifted so individuals at all levels of an organization feel safe and comfortable speaking up. If risk professionals can achieve that, she said, then companies will move forward.