Streamlining Governance Structures in Third-Party Risk Management

Introduction
Welcome back to the fourth and final blog in our series on third-party risk management (TPRM).

This series of blogs was prompted by insights from an ORX podcast, which closely resonated with our experiences from client TPRM reviews.

In our previous blogs, we've explored various aspects of TPRM, including roles and responsibilities, second-line oversight, and the challenges of siloed approaches. 

Today, we dive into a crucial aspect: governance structures. 

The Problem of Over-Engineered Governance
The Prudential Regulation Authority (PRA) identified a significant concern in its review of MS Amlin's operational risk governance: an over-engineered governance structure. This structure, often found in larger firms, resulted in excessive costs, duplicated efforts, complexity, and compromised decision-making processes.

This issue isn't unique to MS Amlin; it's a challenge we frequently encounter with the financial service firms we interact with and support. Whether in the context of TPRM or operational resilience, over-engineered governance structures can hinder an organisation's effectiveness. 

Let's examine how this issue manifests in different scenarios.

The Challenge of Unclear Risk Ownership
In larger organisations, the lack of clarity regarding risk ownership can be a significant problem. When first-line roles and responsibilities are unclear, every risk appears critical. As a result, risks tend to be escalated up the chain of command, involving numerous committees and stakeholders. This process leads to additional paperwork, assessments, and delays in decision-making.

For instance, a risk that could have been handled by a department head is escalated up to senior stakeholders or even the C-suite due to a lack of confidence in the existing risk management model. This not only hampers efficiency but also consumes valuable time and resources.

Inefficiencies in Smaller Firms
On the flip side, smaller firms often grapple with the challenge of creating separate committees and governance structures for new disciplines like operational resilience and TPRM. While this approach may seem logical, it can result in duplicated efforts and decision-making inertia.

These new committees often discuss the same issues and analyse the same data as the broader risk management or operational risk committees. Yet, it's unclear which committee holds the ultimate decision-making authority. This lack of clarity can lead to stagnation, with important decisions falling through the cracks.

Circular Approval Processes and Disenfranchised First Line
In the worst cases, organisations may fall into circular approval processes, where committees cannot sign off until another committee has done so, creating a gridlock. These processes also lead to disenfranchised first-line teams, as they become frustrated with the bureaucracy and struggle to get things done.

Bypassing controls or ignoring processes becomes tempting when the first line feels unable to make meaningful contributions. This goes against the principles of the three lines of defence model and can erode an organisation's risk management culture.

Conclusion
Effective governance structures are essential for successful third-party risk management. The lessons from the ORX podcast and the case study of MS Amlin underscore the importance of streamlining governance to avoid over-engineering.

Organisations, regardless of size, should strive for clear and efficient governance structures. These structures should empower the first line to make risk-related decisions within a defined framework, eliminate duplication of effort, and ensure that risk management processes are streamlined.

How FourthLine can help 
If you would like to understand how FourthLine could support your firm with an enhanced third-party risk management approach, please get in touch.
November 1, 2023
Daniel Waltham
Responsible for leading client relationships and new business sales. Dan takes a lead role in customer engagement, identifying, creating and designing solutions to help our customers with risk and regulatory challenges. 13 years of experience working with financial services businesses across risk, compliance, data protection and regulatory change.