
TPRM Roles & Responsibilities: If you lead a horse to water, make sure it drinks

Third party risk management roles and responsibilities


March's edition of the ORX Association podcast discussed ORX's recent survey on the difficulties firms encounter when implementing operational risk management frameworks.

The survey results distilled into four key challenges:

  1. Difficult firm structures, with siloed working and governance and oversight issues.
  2. Knowledge and culture issues, the level of support often required by the first line, and a slow pace of change.
  3. Quality of data.
  4. Resource challenges.

The first challenge links directly to the findings of our third-party risk management reviews.  

In particular, a key challenge for firms is defining clear roles and responsibilities so that the first line is genuinely accountable for supplier risk management. We often find that the robust risk assessment carried out at supplier onboarding does not carry through to business-as-usual (BAU) first line assurance during the rest of the supplier lifecycle.

A Gartner study suggests that firms need to reassess how they invest in supplier risk management. It found that roughly three-quarters of investment dollars go to supplier due diligence and onboarding, with only 27% set aside for risk identification throughout the rest of the relationship. The same study found that 90% of material supplier risks were not considered identifiable through current due diligence activities.

This final point highlights the importance of developing mature risk management capability in the first line to support the firm's wider risk management efforts and responsibilities.

In practice, however, we usually find that first line of defence (1LOD) supplier relationship owners focus exclusively on supplier performance against operational targets and do not consider supplier risks at all. This creates tension for the second line, which has to enforce the policy and framework and seek evidence of risk identification, management, and assurance from a first line that is not producing it. With the first line not meeting the policy requirements or operating its controls effectively, the second line is forced to step in and perform that first line work itself, and then to review its own output. That renders the framework, controls, and governance ineffective, because the independent oversight they depend on no longer exists.

Referring back to the podcast, ORX used the PRA's fine of MS Amlin in late 2022 as a worked example.

The PRA’s summary shows how siloed working and poor oversight created an ineffective operational risk approach. 

  • Unclear delineation of roles and responsibilities, and a lack of sufficient second line capability.
  • The second line not providing sufficient oversight and the first line not operating controls effectively, which led to the creation of unnecessary intermediate roles such as a "line 1B".
  • Disjointed, independent silos with no information sharing, leading to an ineffective control environment.
  • A governance structure over-engineered for the firm's size, leading to excessive cost, duplication, complexity, and compromised decision making.

To meet governance and oversight expectations, we suggest that firms adopt the following overarching risk management principles in support of their programme objectives.

  1. Align the Third-Party Risk Management Framework with the organisation's Risk Impact Matrix, and use the Risk Impact Matrix as the basis of all risk-related frameworks.
  2. Establish and embed the risk management principles of Identify, Assess, Monitor, and Manage into the defined phases of the third-party lifecycle, so that responsibility is devolved appropriately to each phase.
  3. Define minimum requirements and activities for the oversight, ongoing management, and monitoring of third-party arrangements, align them with the relevant regulations, and socialise the requirements and expected outcomes with all Business Units.
  4. Develop a Third-Party Risk Management manual which documents risk management activities, expected outcomes, governance, and roles and responsibilities for each defined phase of the supplier lifecycle (see point 2). The manual should also set out the specific requirements for Material Suppliers.
  5. Train, socialise, and educate Business Units on the requirements for the sourcing, oversight, and management of third-party arrangements.

As the PRA's attention on the governance and oversight of third parties increases, we can expect to see further censure of firms that fail to address their supplier risk exposure and supplier resilience.

 
How FourthLine can help
If you would like to understand how FourthLine could support your firm with an enhanced third-party risk management approach, please get in touch.

Read our Outsourcing and Third-Party Risk Management Technical Paper
Read our Operational Resilience Insight Deck
August 1, 2023
Daniel Waltham
Responsible for leading client relationships and new business sales. Dan takes a lead role in customer engagement, identifying, creating and designing solutions to help our customers with risk and regulatory challenges. 13 years of experience working with financial services businesses across risk, compliance, data protection and regulatory change.