Business Resiliency and Robust Risk Management Practices in the Company Service Provider Industry
Over the past years, the Company Service Provider (“CSP”) industry has faced increased pressure to enhance its overall governance and risk management functions. To this end, the MFSA has recently published the Company Service Providers (Amendment) Act, 2020, which initiates the first steps in implementing this reform and adds guidelines for CSPs to revamp and align their governance structures, systems, policies, and procedures and to ensure that they are proportionate to the nature, scale, and complexity of the business they conduct.
Many may question why such pressure has been building over recent years. The answer is that local Authorities are raising the bar to ensure that any CSP delivers the best possible service to its clients, so that the financial services industry benefits as a whole. CSPs should therefore not perceive enhanced governance and risk management practices as hindering the growth of their business line because of the increased costs that stem from risk management. More importantly, a robust governance framework and risk management practices will ensure that the business is resilient in managing its day-to-day operations and that proper controls exist to manage the risks identified along the way. Only when a business has identified its potential downfalls and associated risks will it be able to perform and grow to reach its full capacity and capabilities.
From a risk management perspective, the first step for any CSP should be to carry out a gap analysis between its current risk management practices and where it hopes to be in the months to come, to ensure proper risk mitigation and control in relation to the CSP's activities, processes, and systems. Before all this, a CSP first needs to understand and decide, at senior management level, the risk appetite and risk tolerance it is willing and able to take on, and to ensure this is understood enterprise-wide. All of this needs to be clearly documented in effective risk management policies and procedures.
The challenge a CSP might face lies in the implementation stage of the risk management framework. A CSP needs to understand that this is not a process performed by a single individual alone; it requires the input and feedback of all parties of the CSP. Only then will all risks be identified and assessed accordingly. Any risk assessments carried out in relation to the risk identification stage need to be clearly documented, reviewed, and re-assessed on an ongoing basis.
The risks identified during these risk assessments need to be carefully logged in a live risk register that encapsulates the risks identified from the CSP itself as an entity vis-à-vis the clients of the same entity in terms of their risk rating, as well as the risks that emanate from the clients' business model. Only then will the CSP have a full-blown risk assessment that considers all risks the entity is exposed to.
The next steps include the assessment of the current controls in place to ensure risk mitigation. From a CSP's perspective, it is not enough to say that there are controls in place; these controls need to be tested and documented on an ongoing basis to prove their efficacy in managing the risk of the Company. The final steps of the process are to ensure continuous monitoring and review, whilst also reporting to and advising the senior officials of the CSP on a way forward.
The implementation of a Risk Management Framework will be a challenging one indeed, but if done correctly it can prove to be rewarding. Information is not always easily available, and at this stage the CSP needs to acknowledge, enterprise-wide, that this is all being done for one sole purpose: risk is being managed to ensure that the Company can have a prosperous future and achieve subsequent sustainable growth in the industry, whilst simultaneously safeguarding the CSP's resources, integrity, and ethical values.
Stephanie Borg Caruana, Senior Risk Associate, RMC Wise Limited