
Enhancing Third-Party Risk Management | Breaking down silos


Introduction
Building upon our previous discussions about TPRM roles and responsibilities, we now turn our attention to the issue of silos within organisations.

Our insights were inspired by an illuminating podcast from ORX that examined the failings in governance, risk management, and risk culture, using the case study of the Prudential Regulation Authority's (PRA) enforcement action against MS Amlin. 

What stood out for us was how closely these findings mirrored what we see when conducting Third-Party Risk Management reviews.

The Problem of Disjointed Independent Silos
One of the PRA’s critical findings in their examination of MS Amlin's operational risk governance was the existence of too many disjointed, independent silos within the organisation. These silos hindered information sharing and resulted in an ineffective control environment.

We’ve seen this issue manifest in various ways within firms. 

One common scenario is the presence of pockets of excellence—business units that excel in managing third-party risks. However, due to a lack of coordination at the organisational level, vulnerabilities persist in how the whole firm manages third-party risk.

Consider this scenario: an organisation grows through acquisitions, and these acquired entities continue to operate independently, each with its own approach to risk management. The lack of integration between these frameworks creates inconsistencies and inefficiencies in Third-Party Risk Management.

Another example can be found in the London insurance market, which is comprised of Lloyd's syndicates, reinsurance businesses, retail insurers, and more. Each of these entities often operates independently, with its own leadership and risk management functions. As a result, they may fail to see the bigger picture when it comes to third-party risk exposure.

Regulators' Expectations and the Challenge of Reporting
Regulators are increasingly focused on firms demonstrating their capability and adherence to good governance practices. Establishing a strong policy and framework that sets minimum standards is essential. Without this foundation, challenges arise when attempting to generate consistent and meaningful Management Information (MI) on supplier risks across various areas of the business.

Inconsistent MI and reporting can erode regulators' confidence in an organisation's ability to effectively manage third-party risk. This can impact critical assessments and regulatory measures, making it essential for firms to align reporting practices with their risk management capabilities.

Conclusion
Navigating the complex landscape of third-party risk management requires addressing the issue of silos within organisations. The ORX podcast and the MS Amlin case study shed light on how disjointed and independent silos can hinder effective risk management. 

Firms must strive to create a unified approach to Third-Party Risk Management, even in the face of acquisitions or diverse business units. By developing consistent policies, frameworks, and reporting practices, they can break down silos and ensure that risk management efforts are aligned across the entire organisation.

 

How FourthLine can help 
If you would like to understand how FourthLine could support your firm with an enhanced third-party risk management approach, please get in touch.
 

 

October 23, 2023
Daniel Waltham
Responsible for leading client relationships and new business sales. Dan takes a lead role in customer engagement, identifying, creating and designing solutions to help our customers with risk and regulatory challenges. 13 years of experience working with financial services businesses across risk, compliance, data protection and regulatory change.