Introduction
Commercial relationships with suppliers of goods and services of several types are essential to the business model of insurance manufacturers. In pursuit of strategic objectives, insurers leverage the products and services of third parties which often are material in the delivery of important business services under the UK Operational Resilience regulation.
Our client is a global manufacturer of insurance products. As a result, they were in scope of new UK Outsourcing & TPRM regulation and engaged FourthLine for support to help them achieve compliance.
The Challenge
Consequently, rapid growth in headcount due to recent acquisition investment in systems, processes and procedures was required to ensure our client improved the maturity of its risk management approach. The firm had invested in a tooling solution to support its third-party risk management.
Requirements, Solution and Approach
The main requirement of the regulatory policy requires firms to:
- Identify all their suppliers
- Segment their suppliers in order of importance
- Identify those suppliers that are material to the delivery of the firm’s important business services
- Build a third-party register which becomes the system of record of the firm’s approach to third-party risk management
FourthLine mobilised an engagement with an initial requirements traceability assessment (‘RTA’) with the aim of identifying evidence of pre-existing alignment with the policy already active within the firm. This allows for the most efficient engagement design appropriate to the firm’s needs. The ‘RTA’ identified new capabilities required as a result of the policy, but also identified good examples of current best practice.
The engagement design therefore focused upon developing the following capabilities:
- Develop a material outsourcing playbook with risk outcomes with roles & responsibilities
- Establish a third-party register in line with regulatory requirements
- Enhance inherent risk assessment and align TPRM Governance and oversight to Enterprise Risk Framework
- Design new third-party risk management framework and policy
- Embed resilience strategies into outsourcing agreements
- Design a strategy to operationalise, embed and socialise the new TPRM capabilities across 3 lines of defence
The outcome & next steps
The engagement delivered a successful compliant outcome for the client and enabled them to acquire new risk management capabilities to manage a key principal risk in their operations that impacts customer and resilience outcomes.
To achieve further maturity our client is considering investing further in technology to enhance third-party monitoring & detection capabilities particularly around financial risks.
