Aligning Risk Management Tools to Protect Customer Data

SIG University's Certified Third Party Risk Management Professional Program helps protect against company data breaches

SIG University Certified Third Party Risk Management Professional (C3PRMP) Program graduate Cindy Lingerfelt works at Blue Cross Blue Shield of Florida. She shares what she’s learned about third-party risk management and how her small team plans to build a stronger risk culture.

In the C3PRMP program, students focus on best and emerging practices to identify, assess, manage and control third-party risk throughout the lifecycle of relationships, and learn how to align risk fundamentals and frameworks with risk culture to develop the essential tools and controls for effective governance.


I work for Blue Cross Blue Shield of Florida on the Procurement team. My sub-team, Supplier Management, is small and we wear many hats. We were the first in our organization to implement some standardization for how critical suppliers were managed by developing a segmentation questionnaire to tier our suppliers and worked with business owners to get all Tier 1 suppliers on performance scorecards. Our role was to provide standard formatted scorecards with a library of the most common KPIs, stationary, QBR templates and more. 

Due to an incident with a supplier, the board made a directive that supplier risk should have a more explicit focus. A new team called Enterprise Risk Management was formed within Corporate Affairs/Internal Audit to address supplier risk and closely partner with Procurement on new suppliers and manage risk with our current supplier base.

Applying Best-in-Class Lessons

The Standard Operation Procedure for this new process rolled out March 1. This team is so new that enrolling in the Certified Third Party Risk Management Professional Program couldn't have come at a better time. I can bring so much of this class back to the joint teams to grow with these best-in-class lessons — precisely, the typical structure of a third-party risk program and the oversight governance of that framework. Since our Supplier Relationship Management (SRM) program is so new, it was very encouraging to see how we are heading in the right direction. For example, our path came from the Board of Directors; we have the Supplier Risk Program and also have formed the Supplier Risk Management Governance Committee. In addition to this, we are creating an SRM Executive Governance Committee.

The module on building a strong risk culture will be very beneficial to my team and the new SRM team as we roll out the program. Our goal is to develop a dashboard of a supplier’s performance, scores and spend and we recently started using a version of Kate Vitasek's whitepaper on Sourcing Business Models. Our team developed an excel version to answer a series of questions to come up with an SBM score, which is our version of a risk score, while keeping in mind that we need to keep our KRIs quantifiable, measurable,  trackable and informative, with the ability to set alerts, all of which will help us a great deal to develop the dashboard. Since I often participate in audits, I have a great appreciation for the phrase "Trust but Test."

The lessons on financial viability were enlightening as we have struggled to find a solution on this type of risk. We need to build several checks because no one solution can be all-inclusive. A combination of D&B, checking capital, cash flow, litigations and whether they invest in cutting-edge technology will be a much better solution for us.

I found the module on building relationship management frameworks to be the most intriguing. I think this is where our company has the most need to improve, probably because our program is so new. We learned that all risk cannot be removed, but we have the responsibility to mitigate the risk and how quickly we respond to an event or incident will significantly affect the incident's impact. We need to do more scenario building and learn whether there is an automated software solution to help us.

Keeping Up with Contract Management Regulations

Another hat I wear is for contract compliance. We are responsible for administering several different government contracts, including Medicare, Qualified Health Plans and the Federal Employees Health Benefits Program (FEP). My role is to audit our commitments to make sure we are compliant with government requirements.

We operate under the umbrella of these “prime” government contracts. We have a responsibility to meet contractual, regulatory and statutory requirements when acquiring goods and services to be used in the performance of the government contracts. These regulatory requirements include provisions within the Federal Acquisition Regulation (FAR).

During one of the modules, it was mentioned that many master services agreements are evergreen or have no end date. We have moved away from this practice because the government requires that we bid any delegated or subcontractor work every five years. Also, if the amount we allocate to the government over the entire term of one of the subcontract agreements exceeds the Truth in Negotiation Act limits, we would need prior approval and give notice to the federal government.

In the health insurance industry, the protection of personal health information is paramount. If we are sharing any Protected Information or Protected Health Information with a supplier, both a Business Associate Agreement and a Supplier Security Agreement are required. Both include language about protecting our member’s information and what happens to that information if our relationship changes with the supplier. Protection of our members’ data is our most significant risk factor. 


The Certified Third Party Risk Management Professional Program is a video-based program designed for the time-constrained professional. Get more information on enrollment to join your colleagues in the virtual classroom!

Cindy Lingerfelt, C3PRMP, Sourcing Specialist, Florida Blue

Cindy F. Lingerfelt is a Sourcing Specialist with Blue Cross Blue Shield of Florida dba Florida Blue.  She works remotely for the Jacksonville, Florida, company from her home in Denver, North Carolina. Early in her career, Cindy worked in the printing market and began her career with a printing company in Charlotte, North Carolina. She started as a cost estimator, moved into sales for the company’s national account and then purchased printing for the fourth largest bank in the U.S.  With Florida Blue, Cindy continued her procurement progression into sourcing, contracting, supplier management and contract regulatory compliance. Cindy specializes in developing strong business relationships with her internal customers, making her their go-to person.  She guides new suppliers through Florida Blue’s due diligence process and their registration via the Florida Blue website portal.  Cindy assists the business to segment new suppliers and to develop the necessary performance monitoring tools.