We had the pleasure of welcoming over forty Risk and Compliance professionals at the City of London Club on 20 October for a breakfast and networking seminar titled Operational Resilience, Outsourcing and Third-Party Risk Management.
Background and keynote
The disruption experienced across many business sectors over the past two years has led to various operational challenges, impacting consumers and firms. Hence a key priority for financial services regulators is to promote the operational resilience of firms and financial market infrastructures.
Outsourcing is not a new topic. With increasing pressures for organisations to keep pace with market innovation, firms have been seeking solutions from third-party service providers. This rising trend in outsourcing continues, notably driven by cost reduction, technological advances and the requirement for firms to increase agility.
Against this backdrop, the keynote session focused on how suppliers can be used and managed to enhance an organisation’s resilience profile. The session covered what has been achieved so far on the operational resilience journey, what firms could consider doing next, as well as future priorities. The speaker notably discussed mapping, scenario exercises, exit plans, the nature of the relationship and interaction with suppliers, roles and responsibilities, as well as responsible business requirements.
The keynote speaker was Sarah Garrington, Operational Resilience Lead at Fidelity International. She was joined in the panel discussion by:
– Chris Clark (Executive Director at JP Morgan Asset Management)
– Sean Miles (Head of Compliance, MLRO & DPO UK at Apex Group)
– Tamir Morgan (Third-Party Specialist at RSA Insurance Group)
Panel Discussions
The interactive panel discussions were chaired by Lindsey Domingo (Senior Director and Regulatory Compliance Lead at Xcina Consulting) and covered the following topics:
What aspects of Operational Resilience have been the most challenging?
With the first regulatory deadline of 31 March 2022 behind us, the panel discussed the challenges and benefits of operational resilience. We spoke about the Day 2 challenges of operational resilience, especially with economic headwinds of inflation, dollar strength and investor confidence. We also covered cloud concentration risk, regulation, and the issue of who should manage supplier resiliency in the organisation.
The Operational Resilience roadmap between now and March 2025
Financial regulators require that, as soon as reasonably practicable, and in any case, no later than March 2025, firms must be capable of maintaining their important business services within their respective impact tolerances. The panel notably touched on the requirement to keep all documentation up to date, whether supplier resilience is critical for the management of overall resiliency, and what other priorities should be balanced alongside supplier resiliency to ensure overall organisation resiliency. The need to align the requirements of different frameworks, including operational resilience, operational risk, IFPR and OCIR, was also covered.
Considerations when undertaking third-party risk assessments and due diligence
In line with regulatory requirements and good practices, firms are expected to perform appropriate and proportionate due diligence on all potential service providers and assess the risks of every outsourcing arrangement, irrespective of materiality. Due diligence and risk assessment feed into each other and notably cover financial, operational, information security, legal and regulatory, geographical, concentration, reputation and capability considerations. The panel discussed some of the broader risks associated with supplier relationships, including reputation, ESG, bribery and corruption.
We conducted a brief poll of the participants in the room, which indicated that:
- The majority do not have a dedicated team for third-party risk management (TPRM)
- A minority of the participants have a dedicated TPRM system or platform. In most cases, this is provided by an existing vendor already supplying other modules to the firm (as opposed to a best-of-breed solution).
It was emphasised that there isn’t necessarily a right or wrong answer when choosing between best-of-breed and integrated solutions. However, ensuring that any system can effectively support the organisation’s TPRM framework and specific requirements is essential.
Approach for monitoring of third parties
We discussed the use of questionnaires for assessments, how these should be deployed and designed with a data focus, and the need for validation of business-completed questionnaires and independent attestation or verification. The panel also considered TPRM operating models which include managed services such as those provided by Xcina Consulting, dedicated internal teams, and opting in subject matter experts from a range of operational risk domains.
Final questions and concluding remarks
Our panellists recapped their top challenges for the year ahead, which can be concisely summarised as staying on top of all current and upcoming regulatory requirements whilst being consistent and proportionate in applying these.
A final poll of the audience revealed that most participants regard the lack of skills and experience as the biggest obstacle to having an effective TPRM framework. Budget limitations and inadequate supporting technologies are not considered to be significant factors.
Our next breakfast event will be held at the City of London Club on Thursday 1 December, at 08.30 on the topic: UK Data Protection Update: taking stock & navigating the road ahead.
If you missed our last event or any of our earlier ones in the Regulatory Compliance or Information Security series, further details are available on the page below:
Event: Compliance Challenges and Opportunities amidst Regulatory Changes
To participate in our future discussions and stay up to date as we announce new dates and address wider topics, email us at info@xcinaconsulting.com or join our events guest list.