We are delighted to introduce risk expert Ayesha James as one of our speakers at #RISK London, coming to London’s ExCeL next month.
As a lawyer in the City, Ayesha built up a decade’s experience in long-term engagement between the government and public-sector entities. Ayesha then joined HSBC, before stepping into the world of operational risk in 2017. She has since moved into managing operational and resilience risk in Europe and is now HSBC’s third-party risk steward.
Attendees of #RISK London can hear Ayesha give her views on third-party risk management, and best practices when engaging with vendors.
We spoke with Ayesha about this crucial issue and to learn more of her career pathway to date.
Could you outline your professional journey so far?
I started my professional life as a lawyer. I worked in the City of London as a technology and outsourcing lawyer working on large-scale, long-term engagements between central government, investment firms, banks, and insurance houses. This gave me that foundation of contracting in a way that wasn’t adversarial; building up the engagement, the relationship that was really going to see both sides through over a 10-year period.
Obviously, I acted for one side, and usually it was the customer side. But it gave me a very early lesson that there’s absolutely no point in squeezing your vendor as hard as humanly possible. You may feel really good on the day you sign the contract, but you can almost guarantee that within maybe two months or even two years, that relationship will sour, because there is just simply not enough margin for the vendor to make a really good fist of your service, or to go the extra mile for you because there simply aren’t any extra miles left.
But that was the first ten years of my career before I moved into HSBC. HSBC had been one of my clients, and I moved here to set up a legal team that would do support the Technology, Operations, Real Estate and Procurement functions at HSBC. I built and then lead the Technology and Outsourcing legal team. In HSBC’s history, we haven’t been a huge outsourcer. But as I arrived, we were starting to turn in that direction. Since then, as a bank, we’ve continued to offshore and outsource some activity, and my team supported the technology function with all of those deals.
In 2017, I moved into the world of operational risk. I now recognise my previous job as being about managing legal risk, but a lot of lawyers didn’t think that way, and I certainly didn’t think that way when I was first in legal. But I gradually understood that it was just one type of risk, and there was all this other risk bubbling around that I wanted to learn about. So, in 2017, I moved to be the chief controls officer for the ring-fenced bank in the UK.
Finally, last year, I moved to my current job of managing operational and resilience risk in Europe, and I’m also the group’s third-party risk steward. The combination allows me to maintain perspective on both sides, because they’re both quite different. It allows me to have boots on the ground, and to step back and have days where I can rethink a subject, build a policy, and build the three-year vision. It gives me a mix that I really benefit from. I like to have that otherwise, I can get quite narrow in my focus, which is never a good thing, particularly for risk.
Why is it so critical to properly assess vendors upfront?
I liken a vendor engagement to any important relationship that we go into. There are all sorts of things that we say, such as “go in with your eyes open”, and that, for me is absolutely the truth.
Regarding entering into a relationship with a vendor, at HSBC we set very strict policies, rules and procedures to ensure that not only are we all working to give our customers the best service, but that we’re also doing it a safe and sustainable way.
You may hand component parts of that activity out to an external third party that doesn’t work in banking. Their definition of “safe and sustainable” may just naturally differ from our own because of the heavy and extensive regulation that we in banking come to get very familiar with in the industry. In such a situation, it’s important that we set that stall out early and we make our standards very clear.
As such, the risk assessment approach is less about an objective assessment of the vendor’s suitability. It’s more about how they fit with the standards that we operate to ourselves. We also think about how we fit with the way the vendor operates; whether we can still reach the quality commercial service that we need.
All this needs to be applied to the confines of what can be quite cumbersome, strict rules of conduct and testing, regulatory compliance and legislative compliance and training for staff – all of those things that, as bank employees, we’re just very used to, day in day out, but which can seem quite unusual to outside parties.
So, finding that right match is so important, as is getting as much of that clarity upfront on both sides equally; being very clear with the vendor that this is what you’re coming into. That first point in the engagement is absolutely pivotal for the strength of the relationship going forward. It’s also about understanding between the two sides, and indeed the longer supply chain, having that clarity upfront.
What are the key questions that organisations should be asking when onboarding new vendors?
All your questions – not just key questions – should be asked as early as possible, and give the other side the opportunity to ask as many questions as they can think of. This is essential, again, to building a really strong foundation.
Although, looking at specifics, ask questions that may not be core to the service – those that often get forgotten about, such as questions around values and conduct: What does good customer service look like? What does poor customer service look like? Why is resilience such an important topic for the bank? How would that translate into the engagement?
I think questions of this nature often get side-lined in favour of pragmatics, such as speed, price, quality of service, etc. Worse, such concerns can often be placed in non-binding ways – perhaps in a document outlining working rules which are eventually forgotten about and not woven into the rest of the relationship.
What key challenges must organisations overcome to make vendor monitoring run smoothly?
I think we’re all suffering from the rapid-fire of the unknown just now. I think the extraordinarily unusual times that we’ve all lived through have translated into extraordinarily unusual tensions on our business at HSBC. This requires us to hold new data and interrogate existing data in different ways. Obviously, this applies to the extended enterprise, including the entire outsourced, vendor, and third-party population.
This is going to continue to be a major challenge, because you have to find that right balance between asking for and capturing all of the data, without completely overwhelming both sides of the relationship in nothing but Q&A, and data capture – things that actually distract from core service and the core relationship.
The other big challenge at the moment is caused by the change in working pattern from the pandemic. Pre-pandemic, there was a much more set, standardised pattern of when we come on premise and when we stay remote. And I think the move to more hybrid working patterns, to more location-agnostic working patterns, has meant that we’re now really having to rethink what the right rhythm is for on-site monitoring, audit inspections and due diligence, and how we expect our suppliers to operate and monitor controls.
We have to think about what we can do remotely through enhanced tooling and enhanced reporting, and get used to conversations over video. Besides the practicality side of this, and also the awareness that tomorrows challenges will test the strength of vendor relationships. Again, success will depend upon having a really strong, clearly aligned relationship, one which enables us to bring up new challenges and work on them together.
The event unites thought leaders and subject matter experts for a deep-dive into organisational approaches to handling risk. Content is delivered through five content hubs, each featuring insightful sessions, case studies, networking, high-level thought leadership presentations and panel discussions.
→ Session: “Third-Party Risk Management: Best Practices for Vetting and Monitoring Vendors”
→ Time: 11:20 – 12:05 GMT
→ Date: Wednesday 16 November 2022
→ Venue: ExCeL London