By Paul Huggett, Head of Third Party Risk Profile & Governance, Bank of Ireland Group
What for you are the benefits of attending a conference like the ‘New Generation Operational Risk: Europe’ and what have attendees learnt from your session?
For me the biggest benefits of attending an event like this are to interact and network with my peers at a range of other firms. We are all facing into common challenges and understanding how others are tackling these problems can yield valuable insights and fresh perspectives on potential solutions.
Every company has its own way of dealing with operational risk and this can sometimes lead us to address a problem in a fairly standard way based on the framework in place, our past habits and the wider corporate culture. Seeing how others react when working in different environments can deliver lightbulb moments and fresh ideas to take away and apply in the day job. It might only take a small change in approach to deliver a breakthrough moment.
My session was about how the topic of Third Party Risk Management can get a bit stale and what we can do to reboot it. It has been a theme in the Financial Services industry for a long time now but can struggle to get a decent amount of support unless in reaction to a material event – everybody loves a crisis!
Third party risk is often viewed as an overhead we can do without; the business have got more exciting things to do and they feel that it doesn’t help them deliver key goals. Stakeholders don’t see the point. However, we have the various regulators who have been going in the other direction. We are subject to more and more governance and assurance because the industry cannot always be trusted to do the right things by our customers.
In my recent roles I have been asked to deal with these factors and make Supplier Risk more interesting and relevant, to take the current approaches, but to start over to get better results. I’m therefore going to talk about a few things that I believe will help us deliver benefits from Third Party Risk by rebooting the approach.
From your experience, how can third party risk be delivered in a highly regulated environment?
I think you have to start with a good understanding of the supplier base that you are managing before examining the regulations themselves. Start with identifying the scope of the population you have to manage and pull together key data on their core characteristics. Use that data to highlight the areas that require the most attention; it can be easy to build an overly complex and restrictive approach that stifles the business if you ignore the proportionality principle. You don’t have to manage every risk everywhere to the same degree. That’s a hard sell in a risk-averse environment, but all of the recent regulation related to Third Party Suppliers has this as a foundation concept, so don’t let that opportunity to save some effort pass by.
Of course the flip side is identifying those areas where the risk is the greatest and the impact would be most keenly felt. Aligning the risk framework to the core purpose of the company demonstrates to business stakeholders that you are aligned to their goals, that you are here to help, not to hinder and will make any organisational changes and resourcing challenges an easier sell. It helps that the regulators are more focussed than ever on continuity of service and customer impacts, so the aims of the external and internal stakeholders should be aligned if we can translate for our corporate colleagues.
What are the emerging third party risk themes that you have noticed in the industry? Are there any themes which are becoming more critical?
I see the European and UK regulation being more concerned with resilience and continuity of service than ever, with increased attention on the deeper supply chain as a source of risk. The prevalence of cloud computing solutions that sit behind many of our suppliers’ services raises the spectre of broader concentration risk for the industry and national economies, and I sense that the balance of influence has already shifted away from the buying organisations, who can do little to influence suppliers that dwarf them.
The demand to ensure resilience of key services has shifted the focus from prevention to readiness. I think companies will need to move away from traditional policy and BCP/Exit documentation and large scale scenario planning as a primary means to mitigate the risk. Supplier relationships and services are so much more complex that it is also inevitable that some sort of event will occur. Companies therefore need to be ready to deal with the event, big or small, when it happens. The recent PRA Consultation Papers on Impact Tolerances show the direction of travel.
There has been a shift in public perception in relation to topics that would have previously been grouped under the CSR banner and sometimes not given much focus beyond meeting basic regulatory obligations. The proactive management of Diversity and Sustainability risks throughout the supply chain has become a key differentiator for customers and investors, and this means companies need to understand and be more transparent about their supplier base than ever before.
In your opinion, how can third party risk become a less painful every day activity?
I don’t see it as painful if it can be linked to and support a business priority. I have seen companies move the third party risk agenda from a contractual afterthought to key supplier evaluation criteria by changing the sequence of the executive governance. Evaluating suppliers based on their support or alignment to strategic priorities naturally drives out a risk conversation. A risk conversation couched in purely policy and compliance terms will lose the audience and generate pain all round.
I’m also a firm believer in the human interaction behind the data. Taking some time to properly explain and educate suppliers on your expectations up front can save a lot of pain later. Also, using data and remote assessments can work brilliantly, but a good old-fashioned site visit will always uncover more in the most important areas and put all of that data in proper context.
What do you see ahead for the future of third party risk management?
I see the regulatory environment continuing to evolve and demanding more from the buyers of goods and services, but I also see the regulation acknowledging that there are cost and efficiency challenges that come with these increasing obligations. The ability to use shared assessments and to place reliance on other assurance evidence will shift how we go about our Third Party Risk Management, and I think we will see some consolidation of the multiple providers that have sprung up in the space in the longer term as that market matures. I think that our major suppliers will also start to see commercial benefits in participating more fully in the shared schemes so that both supplier and buyer can realise the gains.
I am sure there will be new risks to tackle and an ever growing mountain of supplier data to analyse with innovative technology that will streamline our processes. I do, however, believe that good Third Party Risk Management will continue to be a human activity. The challenge for us is to find a way to tell the same story in a different way by understanding what makes the story work and reaching new audiences in new and interesting ways.