Preparing for regulatory expectations based on high level principles to ensure timely compliance with limited resources

By Neil Hutchison, Head of Vendor Due Diligence, Aberdeen Standard Investments and Amanda Earnshaw, Head of Procurement, Royal Sun Alliance.

Neil, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

I am the Head of Vendor Due Diligence within the Operations function at Aberdeen Standard Investments.  Prior to joining ASI last year, I worked in various management roles within risk and compliance at Martin Currie Investment Management and their US parent Legg Mason.  Before that, I was at Deloitte in their Internal Audit and Risk Management practice.  So, I have experience of working in oversight and governance roles in each of the three lines of defence.

The focus of my current role is embedding the disciplines of assurance and control oversight familiar to 2nd and 3rd line functions into the 1st line operations of the firm in a time of constantly changing regulatory expectations.

Amanda, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

My career spans over 10 years in Financial Services across RSA, RBS and JPMorgan. As Head of Procurement at RSA UK & International, I oversee £300m of 3rd party operational expenses for household, pet and motor insurance. My challenge is to make the procurement of indirect goods and services ‘Best in Class’ for our customers and my current focus is on transforming ongoing 3rd party management post contract signature.

In your opinion, what are some of the key challenges in responding to new or changing regulations with respect to vendor risk?

Neil: Since the GFC, the financial services sector has been subject to wave after wave of regulatory change – and asset management has not been exempt from this.  Far from it.

One of the challenges that all global businesses face is adapting to parallel streams of regulatory change in different jurisdictions. Firms are faced with the choice of taking a global approach to third party oversight, applying the highest local requirements to all locations through global policy frameworks, or taking a decentralised approach.  Neither option is without downside risk and both require resource to be dedicated to co-ordination and tracking of changes in regulations.

There is also a challenge in ensuring that the full corporate estate, including the third party universe, is taken into account when considering the impact of changes in regulations.  GDPR, for example, has a substantial third party component, which could be easy to neglect in order to focus on internal op model changes.

At the Vendor & Third-Party Risk EMEA 2018 Summit, you provided insights on ‘Ensuring adaptability to understand and prepare for regulatory expectations based on high level principles to ensure timely compliance with limited resources’. Why is this a key concern? And what are the essential things to remember?

Neil: Third party oversight has been an area of focus for global regulators for some time now and there is no sign that this trend is likely to reverse any time soon.  The ‘cost of compliance’ for a third party oversight team is the diversion of resources away from the ‘day job’ to participate in firm-wide reg. change projects.  This requires careful management of existing resources and planning for future requirements.

There is a balance to be struck between delivering planned / ad-hoc due diligence activities and supporting the wider business in managing the third party aspects of change projects.  The challenge is to build in enough contingency to annual plans to allow for flexibility in responding to incoming project activity.  Change is here to stay, so this is likely to remain a challenge for the foreseeable future.

Amanda: Safe Harbour, GDPR and Brexit are all recent regulatory requirements that firms were not well equipped to handle at the flip of a switch. We need to find ways to meet future regulatory requirements quickly, without the expensive project costs and without turning everything into an admin heavy process. Many firms are developing ways to do this but approaching it in very different ways because there is currently no industry norm. The key for myself is understanding the different approaches available and identifying the route RSA should take to enable us to meet the regulatory requirements of the future and ensure we have a fit for purpose supply chain for our needs.

In your opinion, what are the key elements to remember when setting up a business under the new regulations?

Amanda: That they may well change! GDPR, Brexit and Safe Harbour are all examples where we have needed to be proactive in order to meet regulatory timelines but where regulatory policies were not actually set in stone until late in the day and have not as yet been tested by case law.  Instead we focus on keeping our customers’ needs at the forefront of our decision making; what we feel is right for them is more likely to be right for the regulator.

What are the main regulatory focuses and challenges when dealing with onboarded vendors?

Neil: The principal risks for consideration as part of an initial due diligence tend to be a reflection of the current ‘hot topics’ in the industry and these are often driven by regulatory themes or new legislation.

And while these are important aspects of the design of the due diligence exercise, it is also worth taking a wider view of third party risk.  There is much to be learned from analyzing third party events in other industry sectors and jurisdictions.

One of the key challenges in managing third party regulatory risk is the global reach of local regulations, particularly in the UK and EMEA.  Providers in the Americas or Asia may not be familiar with the requirements of the UK Bribery Act, for example, or European data privacy regulations.  There can often be a challenge to close the gap between the regulatory maturity of an overseas market and the requirements of the host jurisdiction.

How do you see the vendor and third-party risk landscape evolving over the next 6-12 months?

Neil: As mentioned above, the trend of increasing regulatory focus on third party management risk is likely to continue. This will necessarily require investment in oversight resource on the ‘buy side’ and in client service and SME resource on the ‘sell side’.

And it is not a controversial statement to predict that technology will continue to evolve how third party risk is managed. The hope must be that the efficiency gained through IT enhancements provides some balance to the additional resource requirements referenced above.

I look forward to hearing the views of other contributors to the Vendor Risk EMEA seminar in June.

Amanda: I see a continued trend towards firms working together to share costs of implementing improved supplier risk management, rather than pass it on to the customer. I would also expect to see greater appetite for 4th party risk management as companies start to gain greater clarity around their 3rd parties and realise how extended their supply chain has become.
