
Why third party risk management matters

11 September 2012 | Risk Management | General | Anita Leong, Consultant, Marsh Risk Consulting

Too many South African organisations that have suffered a catastrophe go on to develop self-managed and self-monitored risk management systems in the belief that these will prevent future disasters.

Unfortunately, “organisations that implement and monitor their own crisis management systems often ignore the very errors and weaknesses that should act as early warnings of catastrophe” says Anita Leong, Consultant, Marsh Risk Consulting.

In the recent explosion at the Amuay refinery in Venezuela, early reports are indicating that there were plenty of warnings in the form of smaller accidents and spills that any third party risk assessment would have picked up right away. However, to those involved in the day-to-day business of such a large operation, those incidents had become the norm.

In the 2010 case of an oil pipeline owned and operated by Enbridge Incorporated, spilling crude oil into an ecologically sensitive area near the Kalamazoo River in Marshall, Michigan, USA, it emerged that:

· if Enbridge’s own safety procedures had been followed the magnitude of the spill would have been dramatically reduced,

· Enbridge’s internal safety monitoring was defined by a ‘culture of deviance’, an operating culture developed by personnel in which not adhering to safety protocols was normalised,

· Enbridge’s internal crack assessment process was technically inadequate, increasing the risk of rupture.

The investigation concluded that for the regulator to have delegated so much authority to the regulated to assess and correct their own system risks was tantamount to the fox guarding the hen house.

Cases like this lead South Africa’s own King 3 Report to specify that in the interests of long term sustainability, the Board is responsible for governance of risk and disclosure, while management responsibilities include implementation, monitoring, and continual improvement of the risk management plan. Importantly, the report “recommends external auditing to provide assurance - along with the material aspects of this sustainability reporting which includes integrity assessment to improve and maintain the organisation’s integrity” says Leong.

The Report goes on to recommend independent auditing because of “the impartiality and absence of conflict of interest provided by third party appraisal” adds Leong.

During times of normal, catastrophe-free operation, in-house risk management procedure is often ignored, delayed, or postponed. This is not the case with third party assessments, which follow a documented scope and timeline, regularly addressing key issues to be acknowledged and re-assessed in future planned assessments.

In order to provide competent third party risk assessment and meet King 3 recommendations, Marsh Risk Consulting uses only trained and qualified auditors familiar with required and evolving legislation and standards. These deliver robust monitoring, auditor controls and accountability.

What this means in practice is that for an incident to be managed effectively and efficiently, organisations should have emergency response and crisis management plans in place which outline the actions required by specific individuals in dealing with an incident, along with escalation protocols, and the criteria differentiating an emergency from a crisis. Specific “business recovery plans should also be developed to enable an organisation to continue with operations, following a disruptive incident” adds Leong.

Moreover, it is imperative that staff is trained to manage emergency situations, crisis management and business continuity. Competent third party managed risk management programmes should also outline the necessary actions and communications required to ensure a swift response is delivered by appropriate operational, tactical and strategic personnel. “Exercises and tests are also required to ensure plans are fit for purpose and to evaluate staff's response to an incident” says Leong.

Further to aiding in operational efficiency, third party administered risk management plans will assist with the protection of an organisation’s brand.

Certainly, “the kind of reputational damage that BP, for instance, suffered as a result of the 2010 Gulf oil spills will live with BP for generations - arguably costing far more than the physical loss, damage, legal fees and immediate reparations” concludes Leong.
