Brian Kostek

Managing Director

Brian is a Managing Director with Protiviti and is part of the Regulatory Risk team, with more than 16 years of experience consulting for financial services organisations. Brian leads the Third Party Risk Management (TPRM) solution offering within the Risk and Compliance solution in the United States, and coordinates with Protiviti’s Business Performance Improvement and Technology Consulting practices for our cross-solution TPRM offering. Brian’s experience and expertise focus on regulatory compliance risk, third party vendor risk, and operational risk.

Major Projects

  • Third Party Risk Management Programme Development – Led several TPRM related Programme development projects across various industries and organisation complexities, ranging from Programme component enhancements to end-to-end Programme development and implementation. 
  • Third Party Technology Implementation – Led a software implementation supporting the third party risk management Programme of a top 30 US bank. The project required a redesign of third party risk processes; Brian documented business requirements for the software platform and managed the implementation effort through go-live. The project resulted in a successfully implemented technology platform to support the third party risk management processes, enhanced assessments and monitoring activities, and more efficient and effective reporting.
  • Targeted Third Party Assessments – Developed a review work Programme, oversaw the review of twenty-six (26) third party vendors in accordance with OCC 2013-29 and FR 13-19 expectations, and provided subject matter expertise feedback to the applicable business line personnel and compliance staff. Developed recommendations based on risks identified to ensure current gaps were remediated and ongoing oversight would be enhanced to ensure compliance with regulatory expectations moving forward.
  • Third Party Regulatory Compliance – Managed the assessment of regulatory compliance requirements for third party vendors for a top ten US bank, including listing the required regulatory requirements for more than 250 vendors, and assisting the supplier managers in developing applicable controls to mitigate associated risks.
  • Third Party Remediation – Oversaw an independent validation of the actions taken by a bank’s vendor who was identified as not providing the full extent of the services advertised to its customers, including a validation of the customer base requiring refunds, testing the associated refund processes, and partnering with bank management to ensure the actions taken met the requirements of the regulators.
  • Monitoring and Testing Programme Design – Managed the development and implementation of an enhanced Monitoring and Testing Framework for a leading Financial Technology company. The Programme focused on all domestic and international operations, including operational, compliance, information technology, and credit risks. The effort focused on leveraging available data to create efficiencies in the monitoring and testing approaches, developing new methodologies and testing templates, and prioritising key risk areas based on Key Risk Indicators and the supported Risk Appetite. 
  • International Compliance Risk Assessment – Managed a multi-year, international compliance risk assessment effort for a large multi-national financial institution. Provided subject matter expertise that supported the Compliance organisation in creating a detailed mapping of regulatory requirements to the client’s products, processes, legal entities, and third parties. Completed analysis and mapping of existing operational controls, policies and procedures, training, and monitoring and testing for specific business units, and provided oversight to other business process and control mapping teams for their mapping activities. The results of the enhancements to the compliance risk assessment methodology drove improvements to the organisation’s monitoring and testing Programme, compliance action plans, and the overall compliance governance framework.
  • Risk and Control Mapping Support – Managed and provided subject matter support to several projects focused on mapping regulatory content to an organisation’s business processes, risks, and controls.

Areas of Expertise

  • Regulatory & Risk Consulting
  • Third Party Management
  • Operational Risk
  • Credit Risk and Loan Review
  • Asset Management and Trust
  • Regulatory Reporting

Education

  • M.B.A. – Global Management, Thunderbird School of Global Management
  • B.B.A. – Business Economics, University of North Dakota

Professional Memberships and Certifications

  • Certified Regulatory Compliance Manager (CRCM)
  • Member, Global Association of Risk Professionals (GARP)
  • Member, Association of Certified Anti-Money Laundering Specialists (ACAMS)

Professional Awards

  • 2019 Rising Stars of the Profession – Consulting Magazine
  • John B Thurston Outstanding Contributor – 2021 Award – The Institute of Internal Auditors