Risk Management, the Key to Success for Future

On March 28th, the event “Kriptia Meeting Miami 2025 | Risk Management, the Key to Success for Future” was held at The Ritz-Carlton South Beach, Miami (FL), in collaboration with Kriptia USA and the Italy-America Chamber of Commerce Southeast (IACCSE). The event focused on risk management as a key element for the future success of businesses.

The round table was moderated by Gaspare Ruggia, Intelligence Analysis Manager at Kriptia, responsible for overseeing strategic analysis activities, with solid experience in anti-money laundering and counter-terrorism financing.

The event’s guest speakers were:
  • Richard W. Kollmar, a high-level figure in security and risk management with over two decades of experience in the FBI (Deputy Assistant Director), former Chief Security Officer for Haniwa International Global Security, currently Vice President and Chief Security Officer of a major healthcare company in Georgia, also a board member of Palm Security Group and a strategic security consultant.
  • Joseph M. Deters, with over 20 years of experience in the FBI as Deputy Assistant Director at the Cincinnati Field Office. His career has focused on critical areas such as international corruption, kidnapping investigations, and counterterrorism. He is now President of The Ackerman Group, bringing vast experience in intelligence and risk mitigation.

Let’s go over the key topics and main ideas discussed during the session, based on the speakers’ contributions:

THIRD-PARTY RISK MANAGEMENT – GASPARE RUGGIA

In a world shaped by globalization and digital transformation, companies depend more than ever on external players, such as international suppliers and remote workers. Third parties are an integral part of modern operations but, while this interdependence offers opportunities such as cost reduction, it also exposes organizations to significant operational, legal, financial, and reputational risk.

Managing third-party risk—suppliers, joint venture licensees, distributors, and even customers in certain regulated sectors—requires a structured approach to evaluating and monitoring the external entities involved.

The first step is initial due diligence during screening and onboarding. Even if third-party failure might seem unrelated to the core business of a company, it can severely impact the organization’s reputation. A notable case study is a potato supplier for McDonald’s, who was involved in a major organized crime scheme. Now, think about how journalists framed the headline of their article: did they limit attention to McDonald’s supplier? No, the title was “McDonald’s suppliers involved in mafia affairs.”

The reputational risk towards stakeholders, shareholders, and customers is extremely high. That’s why investing in this procedure is mandatory as a preventive measure, not just as a reaction. Because once the risk manifests, it’s much harder to overcome.

Another case study we can use to talk about third-party risk management comes from our own experience. A multinational client requested due diligence on a new supplier. This supplier was fundamental for a large-scale production initiative and, on the surface, the company seemed entirely legitimate: updated credentials, tax records, solid banking, existing accounts and references, and the client had a structured supplier onboarding process. But upon further investigation, we uncovered a highly complex ownership chain involving offshore companies, nominee directors, and a multilayered holding structure.

The complexity itself isn’t a problem—it’s not illegal, as many companies use complex corporate schemes simply for tax efficiency. And that’s perfectly legal. But there are certain patterns that, with the right experience, can be recognized: we analyzed the entities’ documents and cross-border records and noticed familiar signs of concealment: shell companies in tax havens, circular ownership loops, and sudden directorship changes.

These were indicators of international obfuscation of real control. With further research, we traced the ultimate beneficial owner, who was linked to an NGO sanctioned by an international regulatory authority for financing terrorist organizations in the Middle East. This connection was not visible in the initial onboarding process. But with deeper investigation, we were able to identify it and alert the client. Since this company was strategic in the client’s supply chain and critical to the production of a flagship product for a major automotive brand, our client was able to quickly switch to another supplier.

As a final reflection on background checks for individuals, it’s important to note that in the United States, background checks are a professional industry, while in Europe we lack such strict regulation. At Kriptia, we apply many American best practices and have already integrated them into our clients’ policies for screening employees—especially C-level hires from abroad.

For one of our clients, who had hired two remote workers claiming to be in the UK, we conducted an in-depth investigation using OSINT methodologies and data analysis, and discovered that those individuals were actually in Pakistan. Although not illegal, this raised major concerns in terms of cybersecurity, compliance, and potential misconduct by those remote workers. At the end of the investigation, our client was able to identify the risk, remove the individuals, and inform law enforcement about the fraud.

Before moving on to the next speakers’ contributions, we want to emphasize that intelligence is a crucial component of risk management strategies.

TRAVEL MANAGEMENT AND CRISIS SITUATIONS – JOE DETERS

The second speaker was Joe Deters, President of The Ackerman Group for the past four years, based in Fort Lauderdale. The company was founded around 50 years ago by Mike Ackerman, a former CIA agent, and has long collaborated with the insurance company Chubb, working closely on claims related to kidnapping and ransom insurance policies.

For anyone worldwide insured with Chubb against this type of risk, The Ackerman Group is the first to respond. This is why it’s essential to quickly reach any location where clients might find themselves in critical situations, which is made easier by proximity to two major international airports.

Previously, he was with the FBI for 20 years, spending about half of that time abroad. In the U.S., the law provides that if an American citizen is kidnapped anywhere in the world, the crime can be prosecuted federally—under certain conditions, of course. That’s why the FBI handles investigations into kidnappings of U.S. citizens, regardless of location.

Fluent in Spanish, he worked mostly on Latin America during his career. Unsurprisingly, global kidnapping maps show that Mexico has been the most dangerous country for years. They have many clients operating there, and a large part of their work focuses on that region. Other Latin American countries are unfortunately not much safer when it comes to kidnapping risk.

In addition to internal staff, they also work with security companies worldwide, such as Kriptia, an experienced partner to expand services and maintain high standards of quality and client care.

They have an extensive network of collaborators and partner companies with whom they have been in contact for decades, to stay updated on security and risk situations that could affect their clients.

At The Ackerman Group, they continuously gather information—not only from open sources but also from well-placed global contacts. This allows them to provide clients with reports useful for preventing risks such as kidnappings or other safety-related issues.

One of their main activities is travel risk management for corporate clients. After the COVID-19 pandemic, travel was first suspended and then gradually resumed. Many companies had to rethink their travel policies, asking themselves if, when, and why it’s truly necessary to send personnel around the world, with all the associated costs and risks.

One key step they take with clients before an executive departs is understanding the purpose of the trip: Where are they going? What activities will they be performing? What risks can be mitigated in advance to ensure their safety and that of local colleagues?

This reflection process, which they encourage with clients, helps to assess when travel is truly necessary and when a virtual meeting would suffice. There are situations where face-to-face contact is irreplaceable—for example, when a leader must deliver an important (or difficult) message to staff. In such cases, physical presence is essential to communicate effectively and with empathy.

Another reason travel remains essential concerns specialized professionals like engineers or technicians with unique skills. Often, they support clients who must send their experts to overseas plants—such as in Brazil—where no one else has the skills needed to work on specific machines.

Once the necessity of travel is established, they move to the operational phase: Where are they going? What’s the security context? In some countries, the situation is particularly delicate, and this is where their role becomes crucial.

They inform clients about what to expect, procedures to follow, necessary documents (visas, permits), and give advice on what to bring—or not to bring. They always recommend traveling with as few sensitive materials as possible, digital or physical. In many countries, one must assume everything brought might be examined—at customs, immigration, or even just leaving a briefcase unattended in a hotel room.

Executives are often met at the airport by local staff with good intentions. But from a security standpoint, this isn’t always wise. The local manager—with a predictable routine—is more at risk than the short-term visiting executive.

For this reason, they recommend low-profile approaches: better to rely on secure transportation services than involve high-level company figures. The same goes for movements during the stay: they must be planned, coordinated carefully, and, if needed, supported by security professionals.

At check-in, they advise giving only the bare minimum of personal information. Better to avoid leaving cell numbers, home addresses, or emergency contacts—often hotels aren’t great at protecting this data.

During the stay, it’s important to remain alert to unexpected calls or visits. Choose hotels with good security standards, but always remember that no place is completely secure.

Upon return, they recommend avoiding carrying packages or gifts from strangers. Everything transported should be received in a clear, transparent context.

After each trip, they suggest a sort of debriefing: What worked? What could be improved? This helps strengthen protocols for future travel.

During the entire trip, it’s crucial that the headquarters knows the traveler’s itinerary: flights, hotels, agenda. A double check is always needed to ensure swift intervention in emergencies.

All of this is part of the standard process to ensure safe business travel, especially in high-risk countries.

His speech ended with a meaningful story. Last year they handled six cases: five in Mexico and one in Colombia. Just a few weeks ago, they dealt with another case, again in Mexico, which involved a “virtual kidnapping.”

There are three types:

  1. Classic kidnapping, with physical abduction, ransom demand, and release after negotiation.
  2. Express kidnapping, usually happening on the street, like getting into the wrong taxi: the victim is forced to withdraw money for several hours, often until the next day to access new funds.
  3. Virtual kidnapping, increasingly common: no one is physically abducted, but the victim or their family is convinced of a real threat and money is extorted.

The latest case involved a client traveling for work, who had checked into a hotel and provided their cell number. Soon after, they received a fake call and were psychologically manipulated into believing a loved one was in danger. This is precisely why we insist on every little detail.

RISK IN THE HEALTHCARE SECTOR – RICHARD KOLLMAR

The third speaker was Richard Kollmar, who has worked in the security sector for around 25 years, most of them spent at the FBI, where he ended his career as Deputy Assistant Director of the National Security Division. About nine years ago, he moved to the private sector and shared with us some practical experiences related to corporate security and risk management across different industries.

His first job in the private sector was with a major defense contractor, where he led the global security team. He later joined Honeywell International, still in charge of security, with a particular focus on the manufacturing division. Today, he works in the healthcare sector, where he is responsible for the security of a large hospital system in Georgia valued at around $8 billion, with 350 facilities and over 45,000 employees.

Based on this experience, he reflected on some common dynamics in risk management, showing how threats can vary depending on the context. Each sector has its own specifics and requires different approaches.

First of all, an effective security program—whether in a public or private company—must start at the top: it needs real support from leadership. They must believe in the value of security, fund it adequately, and back up the responsible teams. He recalled a job interview in which an executive told him: “I want you to eliminate all risks from our company.” He replied with a smile: “Then we’d have to shut down.” Because, let’s be clear: risk is part of every business. The key is recognizing it, managing it, and deciding what level of risk is acceptable.

A concrete example: when he joined the defense sector company, security was seen as an obstacle. For many, he was just the guy saying, “You can’t do that.” But the job of security professionals is not to stop the business—it’s to protect it. Protecting assets, employees, reputation, and the company’s future.

He recalled an interesting episode involving the HR department. They had signed a contract for an employee call center service. He just wanted to take a look at the contract and was told: “Why? It’s just a support line for payroll and vacation questions.” But in the contract, there was a clause stating that services could be provided by third parties. Eventually, they discovered that outside office hours, calls were being routed to a call center in China. In practice, sensitive employee data—many of them tied to defense contracts—were potentially being exposed. That service was immediately discontinued. The CEO personally called to thank him: “We would never have known, if we hadn’t checked.”

In the defense sector, the biggest risk is the insider threat, given that the company had around 45,000 employees, many working on classified projects. If even one of them had betrayed trust, the consequences could be devastating: damage to reputation, loss of trade or government secrets. That’s why in that environment, every signal needs to be thoroughly analyzed.

In the manufacturing sector, the main risks concern the loss of proprietary information, sometimes through disgruntled employees. Honeywell, for example, employs many brilliant software engineers, but balancing innovation with security policies is not always easy. He recalled clear violations: USB drives plugged into corporate computers, data copied to work from home. Corporate Security must highlight the issue, assess the severity, and work with the company to decide how to proceed: do we accept the risk or take action?

In the healthcare sector, however, the number one risk is physical safety for employees. Healthcare workers are five times more likely to be assaulted than any other profession. This was a shock to him when he entered the field. If nurses and doctors don’t feel safe, they leave. And without them, a healthcare system simply can’t function.

When he was hired, his position didn’t exist yet. The company had finally realized that a central figure was needed to manage security. He went through 24 interviews, including one with the CEO. They wanted to understand how he would handle risk—but more importantly, if the company truly intended to invest in security. Without leadership support, even the best ideas remain on paper.

Now, for example, he attends every board meeting to provide updates on security status. This is a major signal: security is no longer a secondary department, but a strategic function.

Sometimes the risks are quite disturbing. Not everyone knows that some of the most prolific serial killers in history were healthcare workers. One of them, featured in the HBO documentary “The Good Nurse”, admitted to killing more than 50 patients, although investigations estimate over 400 cases. The healthcare system is especially vulnerable: patients are defenseless, medications are accessible, and often supervision is lacking. When colleagues began suspecting something, the nurse would resign and switch facilities. It took years before they finally arrested her.

Today, thanks to technology, much more is possible. They now have over 5,000 cameras in hospitals—but recording is not enough. Artificial intelligence is needed to detect abnormal behavior. For example, if a door that’s usually never used opens multiple times at night, an alert is triggered and the command center immediately analyzes the situation.

They can also track staff movements: if a nurse is seen too often in departments where they don’t work, an alert is triggered. Another example: if an access badge is used in one facility but a network connection is detected from another area, the security team immediately spots something suspicious. In such cases, they can disable both physical and digital access instantly, and retrieve camera footage right away.
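The badge-versus-network check described above can be sketched as a small correlation rule. This is an added example, not code from the speakers or their organizations; the event format, user and facility names, the 12-hour window, and the alert labels are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data): (ISO timestamp, user, facility)
BADGE_EVENTS = [
    ("2025-03-28T07:58:00", "nurse_a", "hospital-north"),
    ("2025-03-28T08:05:00", "tech_b", "hospital-south"),
    ("2025-03-28T13:10:00", "nurse_a", "clinic-east"),
]
NETWORK_EVENTS = [
    ("2025-03-28T08:30:00", "nurse_a", "hospital-north"),  # matches last swipe
    ("2025-03-28T09:15:00", "tech_b", "clinic-east"),      # swiped in elsewhere
    ("2025-03-28T10:00:00", "admin_c", "hospital-north"),  # never swiped in
    ("2025-03-28T13:40:00", "nurse_a", "clinic-east"),     # moved, then logged in
    ("2025-03-29T09:00:00", "tech_b", "clinic-east"),      # last swipe is stale
]


def _parse(events):
    """Convert (iso_ts, user, site) tuples to sorted (datetime, user, site)."""
    return sorted((datetime.fromisoformat(ts), user, site)
                  for ts, user, site in events)


def correlate(badge_events, network_events, max_age=timedelta(hours=12)):
    """Flag network logins whose facility disagrees with the user's most
    recent badge swipe. A swipe older than max_age (assumed threshold) is
    ignored, so a stale badge record cannot vouch for a new login.

    Returns (timestamp, user, reason, badge_site, network_site) tuples.
    """
    badges = _parse(badge_events)
    alerts = []
    for ts, user, site in _parse(network_events):
        # Swipes by this user at or before the login and still fresh.
        prior = [b for b in badges
                 if b[1] == user and b[0] <= ts and ts - b[0] <= max_age]
        if not prior:
            # Edge case: on-site login with no physical entry on record.
            # Usually lower severity (tailgating, remote access), but it
            # should be reviewed rather than silently passed.
            alerts.append((ts.isoformat(), user, "no_recent_badge", None, site))
        elif prior[-1][2] != site:
            # Physical presence and network presence disagree.
            alerts.append((ts.isoformat(), user, "site_mismatch",
                           prior[-1][2], site))
    return alerts


if __name__ == "__main__":
    for alert in correlate(BADGE_EVENTS, NETWORK_EVENTS):
        print(alert)
```

In a real deployment the alert would feed the response the text describes: disabling physical and digital access and pulling the relevant camera footage.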

Technology also helps during expansion phases. In the past, the real estate department would acquire buildings without consulting security. Sometimes, these were in high-crime areas, and later they would ask to install cameras and fix everything. Now, security is involved from the beginning. They assess the area’s crime rate and provide executives with a risk estimate. The final decision is always strategic—but at least the company can make an informed choice.

In the end, every sector has different risks, but one thing is certain: risk is inevitable. Without risk, there is no innovation, no growth. The job of security professionals is to identify it, assess it, and decide how to respond. We shouldn’t fear risk, but we must be prepared.

The final quote summed up the whole conference:

“Risk is inevitable. If we don’t manage it, we may avoid dangerous situations—but also miss out on business opportunities.”
