Navigating Third-Party Risk Management: Roles and Responsibilities

The need to protect an organisation from operational risks linked to third-party relationships is paramount, as illustrated by MS Amlin's operational risk failings and the subsequent fine by the Prudential Regulation Authority (PRA) in October 2022. 

One of the primary challenges faced in Third-Party Risk Management is the unclear delineation of roles and responsibilities. This issue is not unique to a specific organisation but is a widespread problem observed across various firms. 

Here, we'll dive into how this impacts the effectiveness of Third-Party Risk Management programmes.

Insufficient Second-Line Capacity
We often find that the second line of defence lacks the capacity to provide the level of oversight required for a robust operational risk management programme. This is particularly challenging given the multitude of suppliers that support most financial services firms.

The consequence is that the scope of Third-Party Risk Management becomes limited and typically focuses primarily on the onboarding process.

Once supplier contracts are signed, and business relationships commence, there is often no further assessment or oversight of these suppliers from a risk perspective.

The first line of defence, in the absence of appropriate second-line guidance and training, typically gravitates towards a supplier performance model. This means they concentrate on Service Level Agreements (SLAs), performance metrics, relationship management and handling complaints.

They frequently overlook crucial risk-related questions, such as the stability of suppliers, how suppliers manage their own risks, and whether these align with the organisation's risk appetite. This deviation from risk management best practice results from the lack of clear policy and controls.

Smaller firms, or those without well-defined operational risk policies, are particularly vulnerable to this challenge. In many cases, the person responsible for risk management within these firms wears multiple hats. For example, they may serve as the Head of Risk and Compliance, which may lead to a focus on regulatory reporting and compliance rather than robust Third-Party Risk Management.

Recommendations for Effective Third-Party Risk Management Roles and Responsibilities

To address these issues and ensure a well-rounded Third-Party Risk Management programme, organisations should consider the following recommendations:

  1. Clear Policy and Framework: Develop a comprehensive Third-Party Risk Management policy and framework that outlines the procedures and responsibilities for managing third-party risks. Ensure that this policy is integrated into the broader risk management framework.
  2. Dedicated Resources: Allocate dedicated resources to Third-Party Risk Management, especially in firms dealing with a large number of suppliers. This could involve hiring specialist professionals or providing training to existing staff.
  3. Role Clarification: Clearly define the roles and responsibilities of individuals involved in the supplier lifecycle. Ensure that the focus considers both risk oversight and relationship management.
  4. Communication and Training: Promote communication and collaboration between the first and second lines of defence. Provide training to first-line staff to ensure they understand the importance of Third-Party Risk Management and how it aligns with the firm's risk appetite.
Conclusion

The challenges related to unclear roles and responsibilities within Third-Party Risk Management can have far-reaching consequences. Effectively managing third-party risks is a critical component of a sound operational risk management programme.

By enhancing their approach, firms can better navigate the complexities of Third-Party Risk Management, reduce operational risk, and enhance their overall risk management and operational resilience capabilities. 

 
How FourthLine can help 
If you would like to understand how FourthLine could support your firm with an enhanced third-party risk management approach, please get in touch
 

 

Read our Outsourcing and Third-Party Risk Management Technical Paper
Read our Operational Resilience Insight Deck
October 2, 2023
Daniel Waltham
Responsible for leading client relationships and new business sales. Dan takes a lead role in customer engagement, identifying, creating and designing solutions to help our customers with risk and regulatory challenges. 13 years of experience working with financial services businesses across risk, compliance, data protection and regulatory change.