Recently we were asked by a client to undertake a ‘third line’ review of its approach to due diligence around its onboarding and ongoing relationship with intermediaries.
This wasn’t a reaction to a significant problematic issue but more of a proactive decision by the firm to get a better understanding of the risks it faced from the distribution of its products by both the intermediaries it had current relationships with and those it might have relationships with in future.
This area of activity is becoming more frequent as business-critical relationships are scrutinised in more depth. The FCA has also become increasingly interested in how firms are managing their operational resilience. As a result, there is a growing need for oversight and governance of third parties to manage those risks and, where deemed appropriate, to mitigate them as far as possible.
The risks to organisations of not managing their third parties properly could include a loss of customer data, among many other things. The implications for customers who have placed their trust in a financial services firm are significant, and the potential harm that could arise from such an incident should not be underestimated.
The nature of the work we have undertaken has involved reviewing the firm’s policies and procedures and the onboarding process for new relationships. The firm wants to know far more detailed information about the intermediaries it engages with; more than just a review of the FCA register. This approach is not a one-off. This particular client firm looks at and refreshes the data it holds on its intermediary population annually.
Further, we were asked to undertake site visits to a sample of intermediaries to find out more about how each one operated: its culture, its advice service, the way it engaged with customers, the panel selection criteria, how it trained its advising and other staff, and what due diligence it was undertaking itself on wholesale and provider firms.
Linked to this work, we have also recently published a risk governance report in conjunction with Oxford Economics, which involved engagement with a significant number of firms responding to a survey. It was also based on interviews with senior individuals to get a better understanding of what those firms were focused on from a risk governance perspective.
Management teams and boards perceive a broad range of threats to their business today. When asked about the top risks to their organisation, directors most frequently cited cyber risk, operational or third-party risk, regulatory risk, financial risk, reputational risk and risks to their business model from digital transformation.
Board members know they cannot rest on their laurels. While our survey results show that corporate governance is, in fact, evolving to meet new challenges, there is always room for improvement. The coming revolution in artificial intelligence and robotics has the potential to either mitigate risks or multiply them, depending on how organisations deploy these technologies.
Always on the horizon, too, are the ‘unknown unknowns’ that boards must try to identify – even when these risks are unpredictable.
While certain catastrophic risks may lie beyond a board’s control, our research shows many directors are nevertheless discussing and preparing for potential disaster in areas that may not have appeared on agendas just a decade ago. As we have seen, effective boards and senior managers are already changing their oversight procedures around cyber risk. Furthermore, at the best-run companies, the board and management strive to turn emerging risks into opportunities.
There are two distinct levels of digital transformation risk. One is the threat that ‘digital native’ rivals from outside the industry will swoop in to disrupt the business. The other is the opportunity cost of neglecting how emerging technology fits into the company’s long-term growth strategy.
A director of a financial services firm said: “Digital transformation is a risk if you miss the boat, but it actually presents the biggest opportunity to leapfrog the competition. It’s only a risk if you fail to take advantage.”
The research findings also show that the financial services sector has evolved its risk management approach further than many other sectors. It has more mature frameworks and structures in place as well as staff with in-depth knowledge of risk and compliance issues.
What we are seeing now is the bar being raised to minimise the potential for customer harm.
Simon Collins is managing director, regulatory, at Eversheds Sutherland