The need to protect an organisation from operational risks linked to third-Operational risk governance and oversight are paramount in today's complex business environment. In the PRA’s fine of insurer MS Amlin in October 2022 linked to operational risk failings, it was evident that the second line of defence didn't provide sufficient oversight of the first line.
This blog will delve into how the emergence of "line 1B" or "line 1.5," has impacted firms when it comes to managing third-party risk.
Understanding Line 1B and Line 1.5
The challenge of line 1B or line 1.5 roles is that neither fully belong to the first line nor possess the authority of the second line. This ambiguity can complicate matters because at times, they lack the authority to enforce policies and implement controls.
In some firms, this can inadvertently absolve the first line of some of its responsibilities, which runs counter to the principles of the three lines of defence model. This can lead to significant risk: a team that lacks the authority to enforce controls effectively and lacks the necessary business engagement to ensure that controls are being implemented as intended.
Understanding the Triggers for Creating Line 1.5
There are two primary triggers for firms to create line 1.5 roles:
Critical Considerations for Effective TPRM
Creation of line 1.5 roles may address the symptoms and provide temporary relief, however it’s important to examine the root causes of ineffective controls in the first line.
Here are a few critical considerations:
Conclusion
Effective oversight is the linchpin of successful third-party risk management. We’ve addressed some of the challenges created by line 1.5 roles, however, addressing the root causes of ineffective controls, understanding supplier risks, and optimising the risk impact matrix are key steps toward enhancing Third-Party Risk Management effectiveness.
Firms should strive for a clear and well-defined three lines of defence model, where responsibilities and authorities are unambiguous. By doing so, they can not only navigate the complexities of Third-Party Risk Management more effectively but also reduce operational risk and strengthen their overall risk management capabilities.