Increasing collaboration across teams to monitor risk throughout the lifecycle

Simon Shepherd, Managing Director, MYRIAD Group Technologies

Below is an insight into what can be expected from Simon’s session at Vendor & Third Party Risk Europe.

Why is it important for organisations to enhance collaboration across teams to monitor risk throughout the lifecycle?

Answer: Collaboration across teams ensures risks are identified rather than falling through the cracks. Different teams may well be responsible for taking on the risk, compared to subsequent monitoring. Monitoring may well be conducted by multiple teams, including the business line responsible for running the relationship. Once you split risk down into its constituent components – financial, legal, compliance, reputational – the different domain expertise needs to be brought to bear, providing heightened transparency and improved visibility across various teams, both of which underpin awareness. Those different teams will have different perspectives on different risks.

Collaboration enables organisations to be nimbler in adapting to world events, working together to adjust and execute on strategic plans, overcoming challenges and improving their resiliency. The key is the starting point: how best to position the various teams for collaboration on said risks. More teams mean more data; more data means better understanding and – one hopes – better informed decisions. The starting point, therefore, has to be mapping of relationships: see the final question and answer.

How can organisations transition from activity-based metrics to a more risk-based approach?

Answer: A risk-based approach represents a pro-active stance rather than a reactive stance, typically triggered by adverse activity or ‘after the fact’ monitoring and remediation. Indeed, it is almost the difference between remediation and mitigation, two entirely different things. A risk-based approach puts in place a framework within which the risk management function anticipates risk and acts accordingly, to mitigate those risks. By understanding the parameters within which risk is being taken, a risk-based framework can be put in place which moves the monitoring activity onto the front-foot. Adherence to, for example, DORA will move organisations from a passive ‘review’ stance to a pro-active ‘ask the questions upfront and then scrutinise the answers, better to spot weakness in time and do something about it.’

What are the benefits of enhancing governance by prioritising risk management over activity monitoring?

Answer: The whole GRC Industry segment has grown up around Governance, Risk and Compliance. Governance and Risk are intimately connected and enhanced governance will position an Institution to identify, understand and mitigate the risks facing it. A well-formed Governance structure will articulate and identify risks and determine how best to mitigate – or indeed accept – those risks. A good Governance structure will enable impact analysis which in turn will determine where the risk management priorities might lie. Occasionally the ‘C’ in ‘GRC’ is changed to Control (from Compliance) as this is a better acronym from a Risk perspective, because it drills into what is needed around the Risk function i.e. greater control, though there is no doubt that Compliance is also a significant Risk function. You could almost distil this down into: no Governance, no Risk Management; no Risk Management, no Control; no Control, no Compliance.

What strategies can be employed to distinguish primary risks from cascading or downstream risks?

Answer: Improved visibility and transparency. This is the distinction between third-, fourth- and fifth-party risk: how do you know your third-party is not running significant third-party risk itself – because your third-party’s third-party is in fact your fourth-party. And so on. Being one step removed from your own TPRM function, it does not matter how good your TPRM function is if your counterparty’s TPRM is lacking. So, a fundamental part of any primary risk function is TPRM and part of the TPRM function must be the ability to look through your third-party to the downstream risks they might be running with their Providers and their Providers’ Providers.

What steps are involved in developing a comprehensive TPRM reporting programme?

Answer: The only true starting point is mapping. If an Institution does not map its relationships, it cannot understand where it is running risk and therefore what risk it is running. This is the fundamental prerequisite for risk management. How can you manage risk if you do not know where you are exposed (by counterparty? by product? by Market? by jurisdiction?). Thereafter, a Governance framework which demands policies and procedures which anticipate risk, and which puts in place a methodology for sizing and for mitigating all material risks in an orderly and timely manner. Such a framework moves the organisation to data-based decision-making, but based on the mapping of relationships and risks in the first place. Once you have a holistic view of your relationships you are able to see where there may be concentration risk and what risks need to be mitigated. Performing continuous and targeted Due Diligence enables consistent reviews of a Provider’s abilities and their performance. The Due Diligence exercise and scope needs to be reviewed regularly to ensure relevant questions are asked and it’s not just a box-ticking exercise.