Enhancing Third-Party Risk Management | Second Line Oversight

The need to protect an organisation from operational risks linked to third-

Operational risk governance and oversight are paramount in today's complex business environment. In the PRA’s fine of insurer MS Amlin in October 2022 linked to operational risk failings, it was evident that the second line of defence didn't provide sufficient oversight of the first line.

This blog will delve into how the emergence of "line 1B" or "line 1.5" has impacted firms when it comes to managing third-party risk.

Understanding Line 1B and Line 1.5
The challenge of line 1B or line 1.5 roles is that they neither fully belong to the first line nor possess the authority of the second line. This ambiguity can complicate matters because, at times, they lack the authority to enforce policies and implement controls.

In some firms, this can inadvertently absolve the first line of some of its responsibilities, which runs counter to the principles of the three lines of defence model. This can lead to significant risk: a team that lacks the authority to enforce controls effectively and lacks the necessary business engagement to ensure that controls are being implemented as intended.

Understanding the Triggers for Creating Line 1.5
There are two primary triggers for firms to create line 1.5 roles: 

  1. Capacity: Firms sometimes create line 1.5 roles due to a shortage of time or resources in the first line to carry out all the necessary risk management activities effectively. This lack of capacity leads to the establishment of separate teams to handle specific risks.
  2. Knowledge and Expertise: Another trigger is the need for specialised knowledge and expertise. Rather than attempting to embed this capability within the first line or expand the first line's capacity, firms choose to create isolated teams responsible for particular risk areas. For example, this approach is common in managing business continuity risks.

Critical Considerations for Effective TPRM
Creating line 1.5 roles may address the symptoms and provide temporary relief; however, it’s important to examine the root causes of ineffective controls in the first line.

Here are a few critical considerations:

  • Understanding Supplier Risks: One fundamental issue is a lack of full comprehension of supplier risks. Often, firms fail to recognise the potential risks associated with their suppliers, both initially during the onboarding process and in the long term as supplier relationships evolve. Continuously assessing these risks is essential.
  • Risk Impact Matrix: Firms should evaluate their risk impact matrix. In some cases, supplier failure risk may not even be included, or it might not be given the attention it deserves. Aligning the risk impact matrix with the firm's risk appetite is crucial.
  • Criticality Assessment: Conducting a criticality assessment of suppliers is essential. This assessment should be designed to align with the firm's risk impact matrix and overall risk management strategy. This step will avoid overwhelming the first line with an excessive number of critical suppliers to oversee.

Conclusion
Effective oversight is the linchpin of successful third-party risk management. We’ve addressed some of the challenges created by line 1.5 roles; however, addressing the root causes of ineffective controls, understanding supplier risks, and optimising the risk impact matrix are key steps toward enhancing Third-Party Risk Management effectiveness.

Firms should strive for a clear and well-defined three lines of defence model, where responsibilities and authorities are unambiguous. By doing so, they can not only navigate the complexities of Third-Party Risk Management more effectively but also reduce operational risk and strengthen their overall risk management capabilities.

How FourthLine can help
If you would like to understand how FourthLine could support your firm with an enhanced third-party risk management approach, please get in touch.
October 10, 2023
Chris Moran
Chris is an Operational Resilience and Business Continuity specialist with 11 years of experience within the financial sector. Most recently, Chris has been heavily involved in implementing Operational Resilience programmes across banking and insurance firms, with a focus on impact tolerances and scenario testing. He is experienced in integrating resilience risk management within existing enterprise risk management frameworks, including training and support of first line teams. In addition to an understanding of both FCA and PRA policies, Chris has the knowledge and expertise to design operational programmes tailored to suit the proportionality of a wide range of different firms across the financial sector.