Avert disaster with third party risk management


The misconception that self-monitored risk management systems will prevent future disasters is one shared by too many organisations. In a world plagued by catastrophe, outsourcing risk management to a third party will prove invaluable, according to Anita Leong, consultant at Marsh Risk Consulting, a division of Marsh Africa.

Prevention better than cure

“Unfortunately, organisations implementing and monitoring their own crisis management systems often ignore errors and weaknesses that should immediately send alarm bells ringing,” says Leong.

During the recent explosion at the Amuay refinery in Venezuela, early reports suggest that smaller accidents and spills prior to the blast offered sufficient warning. While a third party risk assessment would have picked up on these warnings, for those involved in the day-to-day business of this large operation, incidents like these had become the norm.

In the case of the Enbridge Incorporated oil pipeline, which spilled crude oil into the ecologically-sensitive Kalamazoo River in Michigan, USA in 2010, it emerged that:

  • If Enbridge’s own safety procedure was followed, the magnitude of the spill would have been dramatically reduced.
  • Enbridge’s internal safety monitoring was defined by a culture of deviance, where personnel did not adhere to safety protocols.
  • Enbridge’s internal crack assessment process was technically inadequate, increasing the risk of rapture.

The investigation concludes that for Enbridge to have been given so much authority by the regulator to assess and correct its own system risks, was tantamount to the fox guarding the hen house.

Cases like these lead South Africa’s own King 3 report to specify that, in the interest of long-term sustainability, the board is responsible for the governance of risk and disclosure, while management responsibilities include implementation, monitoring and continual improvement of the risk management plan.

“The report recommends external auditing to provide assurance, along with the material aspects of this sustainability reporting, which includes assessment to improve and maintain the organisation’s integrity,” says Leong. The report also recommends independent auditing because of “the absence of conflict of interest provided by third party appraisal”, she adds.

Risky business

During times of catastrophe-free operation, in-house risk management procedure is often ignored, delayed or postponed. However, third party assessments follow a documented scope and timeline, and regularly address key issues to be acknowledged and re-assessed in future planned assessments.

For incidents to be managed effectively, organisations should have emergency response and crisis management plans in place. These plans should outline the actions required in dealing with an incident, along with escalation protocols and the differences between an emergency and a crisis. “Business recovery plans should also be developed to enable an organisation to continue with operations, following a disruptive incident,” adds Leong.

She says it is imperative that the staff is trained for emergency situations, crisis management and business continuity. Competent third party risk management programmes should outline the necessary actions and communications required to ensure a swift response by appropriate operational, tactical and strategic personnel.

Further aiding in operational efficiency, third party risk management will assist with the protection of an organisation’s brand. “The reputational damage that BP sustained from the 2010 Gulf oil spills will remain for generations to come – arguably costing far more than physical loss, damage, legal fees and immediate reparations,” concludes Leong.