By Sucharita Banerjee Lodha, Head of Operational Risk, International GI, Enterprise Risk Management, AIG
What for you are the benefits of attending a conference like the ‘New Generation Operational Risk: Europe’ and what can attendees expect to learn from your session?
Conferences help to ignite our ‘thinking cells’! They encourage the participants to share their experiences, innovative ideas and challenges with other like-minded professionals. The empowerment that comes from these hours spent with peer-professionals discussing topics of common interest helps the business to enhance their own risk controls environment significantly.
In addition to the carefully selected topics for the sessions, conferences serve as a catalyst to connect with the wider industry and keep up with the progress within an ever changing business landscape.
During this session, I look forward to connecting with industry professionals to focus on the pros and cons of managing concentration risk with resilience on outsourcing arrangement. While outsourcing seems to be a natural lever to minimise concentration risk, we need to think about the additional controls that are needed to manage the outsourcing risk. Done right, it is a great risk mitigation tool. However, incorrect implementation will mean multi-fold risk exposure for business.
It is also interesting to observe the integrated risk frameworks related to this topic: conduct risk, ineffective risk culture, reputational risk, impact of global geo-political risk, data protection and data privacy related risks are some of the few other considerations that need to be addressed as part of this strategic decision.
How can third parties be effectively categorised to identify critical ones and target resources?
Businesses need to first identify their critical processes. A number of lenses can be used for this exercise alone: customer impact, regulatory impact, financial impact, technology impact and the like! The third-parties that support the critical activities will need to undergo additional due-diligence to ensure that the end-to-end process is truly resilient.
Aggregation risk by third-party, process and customer base cannot be ignored and thus needs to be carefully considered as part of this categorisation exercise. With ‘siloed’ approaches, materiality lenses and global processes, this is a complex task. Centralised analytics with local empowerment and clear alignment on the process risk usually helps business to adjust investment on resources. One may also want to consider the relevance of AI in these analytics.
What key considerations need to be made when onboarding and offboarding critical suppliers?
Criticality of the process must drive the level of due-diligence on the third-party. It is also important to understand the complexity of the process design and impact of the process on business performance. A simple, repeatable and well documented process may require a different level of risk treatment than that of a complex, judgmental and ‘broken’ process.
Some of the criteria that need to be considered as part of the exercise include external (e.g. customer, regulatory) impact, operational resiliency, up-front and ongoing investments, service level agreement design and monitoring, intellectual property, sub-contractors/ fourth party, process documentation, risk frameworks, business continuity management, aggregation risk, data privacy and protection, capacity and skill-set. Robust exit criteria and a back-up exit plan are an absolute necessity for any critical outsourcing programme.
Use of AI and robotics within business and third-party processes is quite common. While these provide immense benefits to the end-to-end process optimisation, it also calls for additional due-diligence to ensure that the processes are truly resilient.
What impacts can be expected from increasing geopolitical risk offshoring to different jurisdictions?
There is indeed a growing recognition within businesses that we do need to proactively manage the impact of geo-political risk with outsourcing. This becomes even more important as we see the industry trend of supporting operations from remote ‘centres of excellence’. A distributed model of concentrated specialised skill-sets and resources makes global geo-political risk exposure more material for business.
With the advancement of technology, focus on automation and reduction in human capital in certain types of operations, local businesses often lack the skill and capacity to execute processes in-house. In addition, with optimisation comes interdependence of activities and thus the end-to-end critical path may get negatively impacted as a result of local geo-political issues.
Businesses need to consider the financial and non-financial impact of geo-political risk as part of their annual business plan. In addition to considering the impact of the failure points of current processes, businesses also need to proactively plan for compliance with changing industry practices and regulatory requirements related to these jurisdictions.
In your opinion, what is the importance of training with vendors’ internal processes for effective performance monitoring?
Third-party risk is going to change its form and become more integrated with other risk types. It will continue to remain one of the significant risk categories that businesses need to proactively manage. With the ever-increasing complexity related to this risk type, we should see new nimble tools within the reg-tech space that will help the business to better manage this risk as part of the integrated risk management framework. Governance related to third-party risk management should also be enhanced as businesses acknowledge that outsourcing is a strategic decision with significant impact to the overall risk control environment of the business.