Strengthening process and communication across risk, procurement and business to align frameworks across the lifecycle

By Emma Mansfield, Head of Outsourced Services Assurance, Bank of Ireland and Kurt Neilson, Head of Third Party Relationship Management, Aegon.

Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

Emma: I am the Head of Outsourced Services Assurance with responsibility for Sourcing and Continuity Risk within the First Line, including the design, delivery and embedding of the relevant Frameworks. In addition to this I am passionate about and actively involved in the Bank’s I&D and CSR programs. Further to this I hold the I&D Council Seat for the GSA UK and Ireland and I’m a member of the IWE.

Kurt, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

Kurt: I’ve always worked in Financial Services (now over 26 years) and for the past 20 years have been involved in outsourcing, both as a provider and as a customer. I set up a Third Party Management team at Aegon 4 years ago and we’ve built an oversight framework since then and it continues to evolve. My current focus is actually to fundamentally change our model by developing a clear 3 lines of defence model, with a new Supplier Risk Management team being set up.

What are the key components of process controls and regulatory oversight?

Kurt: Our business is highly regulated and we need to be able to evidence our processes and controls.  There needs to be clarity over who is responsible for making something happen. The use of RACI matrices helps with this.  So, for me the key components are clarity, accountability, evidence and the individual capability of the people involved.

Can you describe the challenges of defining frameworks and parameters within a first line role?

Emma: The main challenge with defining frameworks within the first line is that we are only one third of the Bank’s approach to risk management. As such there are numerous frameworks, supported by assurance and monitoring plans coming from multiple areas. Therefore it’s important to design, deliver and embed a framework that manages risk and ensures brilliant customer outcomes in the most efficient way. It also needs flexibility so that it can quickly adapt to the changing needs of our Regulators, Stakeholders, Customers and Colleagues.

At the Vendor & Third Party Risk EMEA 2018 Summit, you will be speaking on your insight regarding ‘Strengthening process and communication across risk, procurement and business to align frameworks across the lifecycle’. Why is this a key concern right now? And what are the essential things to remember?

Kurt: Our business has undergone significant changes in the past 2 years with more legal entities, more locations and a growing number of material critical suppliers. Our existing model is not fit for purpose hence the need to review and improve. We’re looking for the right capability in the right area, i.e. 1st line, with a 2nd line team owning the oversight framework and monitoring compliance with it.

Emma: This question links to Q4 below. It’s about engaging the relevant SMEs at the right time to ensure appropriate selection, onboarding and oversight of Suppliers. This can be achieved efficiently with appropriate frameworks in place.

What are some of the challenges when meeting the increasing business divisional demands within a life cycle?

Emma: One of the main challenges is to ensure that Vendor Managers are appropriately trained and supported with relevant tools to manage suppliers. Often the Supplier Relationship Managers are the business managers and as such are not experts in vendor management. This can impact the end to end lifecycle from onboarding to exit.

What are some of the ways business divisional demands are changing?

Kurt: In our business, there are new divisions being set up who may require to leverage our existing supply chain but also add new suppliers to it. There is a need for speed in making these arrangements happen and we have to get the balance right to ensure that we remain compliant and don’t take on unnecessary additional risk.

Without giving too much away, could you please describe some of the pros and cons for both centralised and decentralised functions.

Emma: There are pros and cons for both, depending on whether the Firm’s appetite is for SME in the line/Business Unit or for a centralised Centre of Excellence.

Without giving too much away, why are centralized and decentralized functions an important point to consider?

Kurt: We’ve tried both in the past and are now moving back to a decentralized function.  Initially it didn’t work for a variety of reasons and the key points are:

a. Do we have dedicated resource to oversee the suppliers or are people expected to do another job on top?
b. What controls can we put in place to ensure that all activities are undertaken and Policy complied with?
c. How do we ensure that the decentralized team is trained and continuously developed?

How do you see the vendor & third-party risk landscape evolving over the next 6-12 months?

Kurt: I see Supplier Risk continuing to evolve both in terms of its processes and its importance within organizations. The regulators are focusing in on outsourcing but also other critical third party relationships. The alignment between Info Sec, Business Continuity, Operational Risk and Supplier Risk will continue to improve.

Emma: You can’t answer this question without mentioning Brexit and the potential impact that may have, as well as GDPR.

Understandably from a Regulatory perspective both at home and from a European viewpoint, they are increasingly focused on third party relationships, as well as the chain sourcing that can follow. It is vital that firms have a clear strategy, policy and framework to support their oversight of third party relationships.  However, with more positivity seen towards third party management tools, this may become quicker, smarter and more consistent.
