Tuned to R.I.S.K. - Risk Management Services, Huddersfield, West Yorkshire

Outsourcing and third-party risk

Dominic Owen • 24 May 2021

Increased focus in financial services

The Bank of England's Prudential Regulation Authority (PRA) regulates over 1,500 financial and insurance service providers in the UK. At the end of March 2021 it released its latest guidance on outsourcing and third-party risk management. As usual with PRA updates, there was a Policy Statement (PS7/21) to accompany the Supervisory Statement (SS7/21). The former explains the approach behind the updated control guidelines set out in the latter.

If you're not practising in financial services, the PRA's approach is an eye-opener. The overarching strategy, following a number of significant IT failures in the industry in recent years, is to help improve the operational resilience of the firms it regulates. PS7/21 sets out a number of proposals to improve operational resilience when using third parties to provide products and services. It is comprehensive. SS7/21 is similarly comprehensive, and if you can cut through the jargon (there is no glossary, and the number of acronyms is almost overwhelming) it is an excellent guide to the different types of risk scenario you should consider, and how to approach each one. It was particularly pleasing to see vendor concentration and lock-in risks covered: the threat of supplier dependency and single/sole sourcing is something that isn't always covered in great detail elsewhere.

If you are practising in financial services, you'll know what I mean; if you aren't, I would still recommend reading these documents.

More posts

by Dominic Owen, 28 May 2021
A recommendation.

by Dominic Owen, 26 April 2021
Why the Nolan principles are a useful guide for all of us

by Dominic Owen, 12 April 2021
...as long as we have some control over how our information flows

by Dominic Owen, 4 February 2021
For the first time in a while I guested on a webinar this week, hosted by Tim Pinnell from NQA. Tim really knows his onions on auditing, certifications, security and information governance. Together we took the audience through the challenges of controlling and assuring risk in the supply chain, and the role of audit and standards in providing assurance and reducing uncertainty. It was a listen-only webinar, with questions raised via a chat portal. It felt a little like a microcosm of the last 12 months: working remotely, trying to summon up the energy that you'd get from a live presentation, getting delayed feedback. Whilst I really enjoy these sessions, particularly the test of a good Q&A session, I for one cannot wait to get back to a live audience! By the way, if you did want to view the webinar, it's here: Supply Chain Assurance and Risk Management | NQA Videos

by Dominic Owen, 27 January 2021
I'm taking advantage of a small amount of downtime to start a diploma course on business risk management. I was aware of the relationship between business risk and insurance, but I don't think I had quite appreciated how recently the risk techniques we use on a daily basis were actually formulated. Back in the day, business risk management was effectively the placement of insurance to offset the negative impact of a loss event. Insurance companies grew massively, particularly during the huge capital investment programmes after both World Wars. The size of the Refuge Assurance building in Manchester (pictured), a building I know well from growing up in that city, is testament to the power and wealth they had built up. I've learned about a chap called Russell B Gallagher, an insurance manager for PhilCo in Philadelphia, USA. Gallagher and his contemporaries from the University of Philadelphia proposed that the professional insurance manager should think about business risk in a different way. How should a company go about analysing its risks? What factors should it look for? What difficulties is it likely to encounter? What efforts should be made to avert or abate risks? When should a company insure itself against risks? How can insurance costs be kept to a minimum? Gallagher's approach was more about risk reduction (individuals putting risk controls in place) and risk assumption (individuals taking more accountability for potential loss/injury, including self-insurance), rather than just relying on offsetting business risk onto others. This was mid-50s America. Gallagher was a visionary: these concepts took another 15-20 years to be fully developed. Today, we take things like risk reduction (e.g. fitting smoke alarms) and risk assumption (e.g. an excess on insurance policies) for granted, but in the history of business they are still a relatively modern concept.

by Dominic Owen, 12 October 2020
I may be entering into a potential minefield here, but this latest blog entry is about COVID-19 and risk. I'm sticking to facts and logic, no politics! We know the inherent risks associated with COVID-19. They are largely negative, although flexible working, digital innovation and a cleaner environment have been the positive opportunities of 2020 so far. Focusing on the negative risks (to mental and physical health, the economy, educational outcomes etc.), we know that if we don't link risks to a clear set of objectives (a strategy) at the outset, it results in reactive risk management. In business, a strategy needs to be clear to all parts of an organisation. Outside of work, we also need to be clear on what our leaders are doing to manage the important matters of the day. In both cases, reasonable people want to know how they can play their part without being mandated to do so. To deal with COVID-19, the strategy is a delicate balance of protecting the NHS, saving lives, keeping the economy moving and keeping schools open. All levels of society need to understand the strategy in order to understand the risks involved. So what happens when a strategy isn't clear, or is only clear to those setting it?

1. The absence of a clear strategy justifies any approach to try and deliver it.
2. Outcomes cannot be measured against expectations. So for some people, any response is good; for others, it's never good enough.
3. We may not realise we've drifted off course until it's too late. We're reacting all the time.
4. People can't be proactive if they're not clear on their contribution to the overall strategy, or what non-compliance looks like.
5. We can't complain if people haven't bought into what we're trying to achieve, or we fail to take action on non-compliance.

There are some fairly basic principles at play here, albeit in a hugely complex environment. Good management starts with clear strategy, clear communication, clear accountability and a clear system for delegated authority. Good risk management links uncertainties to the achievement of objectives - clearly articulated, owned and managed. Governments that have been successful at managing COVID-19 to date have demonstrated both. #COVID #goodriskmanagement #tunedtorisk

by Dominic Owen, 29 September 2020
As a result of the current pandemic, the main cycling events that would normally take place in spring and summer have moved back to autumn. The spring classics, Le Tour de France, Il Giro, La Vuelta - they're all now happening this autumn. Which, if you're a cycling fan like me, is amazing, if somewhat distracting. I'm also a big fan of Geraint Thomas. As a cyclist, his risk management skills are par excellence. His ability to keep out of trouble is second to none, although he has been unlucky a few times in recent years. At the 2013 Tour, he had to ride over 2,000km with a broken pelvis. Earlier this year I broke 2 ribs cycling and it was too painful to do anything for a month! Next time you watch cycling on TV, think about all the risks that the teams have had to identify, evaluate and treat. The uphills, the downhills, the street furniture, the last kilometre mad dash, the weather. Top cyclists can be protected to some extent by their teams, but there are still many unknowns - overenthusiastic fans, a momentary lack of concentration by a steward, and now COVID-19. You may imagine that in top level cycling, risks are all extremely high. Too high for us mortals to ever consider taking. This is probably true, but to put them into context, you need to consider what each cyclist is trying to achieve. The definition of a risk is the effect of uncertainty on objectives, but not all cyclists have the same objectives. A 'domestique' helping the team leader win a stage can sit up when they have done their job for the team. The team leader needs to focus until the very end of each stage. When Geraint won the 2018 Tour, he wasn't the principal rider on Team Sky, but problems with doping tests meant that Chris Froome, the team leader, was initially banned by ASO. After some legal wrangling, Froome was only cleared to race 5 days before it started. Not great preparation.

Even though the team principal Dave Brailsford gave G a pep talk about being prepared to take over the team leadership if Froome struggled, Thomas started that Tour with a different objective. When it became clear that Froome wasn't quite fit enough to win (he came 3rd), Sky's focus switched to supporting Thomas. He then had to think about a whole new set of risks, which he fortunately overcame to win the Tour. Cycling and risk go hand in hand, but without an objective, an end-goal, we react to risks as they occur, rather than plan ahead for the most critical ones. The best teams always plan ahead - something we can take into our working day.