Creating Effective Change in Third-Party Relationship Management


SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Noelia Valentina Novoa Pena discusses the value of Third-Party relationship management and how it can help take your team to the next level.

I have had the opportunity to work for a variety of different Financial Institutions where I have specialized in Enterprise Risk Management (ERM). Now that I’m part of a Third-Party Risk Management (TPRM) team for a large national company with over 13 million customers, it has exposed me to the importance of practicing sound risk management throughout the ERM and TPRM spaces. It has also provided me with an opportunity to broaden my knowledge base, applying what I have learned and expanding upon the foundations of what good and effective ERM and TPRM practices are and should be. I have learned that following the fundamentals of the Risk Management cycle requires a complete understanding of the Vendor/Supplier Life Cycle.
Among the different topics discussed in this certification program, at this moment I can closely relate to Effective Challenge and Building an Effective Third-Party Relationship Framework Modules.
In our company, Effective Challenge is encouraged at all levels of the organization and has become part of the risk culture. As part of a TPRM Due Diligence team from the First Line of Defense (FLOD), effective challenge is applied when identifying, analyzing, monitoring, reporting, and working toward remediating third-party risk as a common task when evaluating Third Parties. It is my responsibility to communicate findings that can result in exceeding the company’s risk appetite.
Furthermore, I am encouraged by Senior Management to challenge our methodologies, procedures, and the scope of the evaluation the team applies when assessing third-party and fourth-party risk. Notably, the quality of the risk analysis is important to mitigate any exposure to financial, operational, regulatory, or reputational loss. There are specific teams in the TPRM Second Line of Defense (SLOD) that periodically conduct effective challenge reviews on the different aspects of the activities performed by the Due Diligence team within the TPRM FLOD.
Based on that, the FLOD Due Diligence team has been given the authority and accountability from senior management to perform an analysis for improving and simplifying a grouping of third-party assessment methodologies. I am applying what I have learned with the purpose of improving efficiency and accuracy, maintaining alignment to regulatory guidance, and focusing on building a process that supports adequate control of the key risks.
As an example of what I have already implemented, and in alignment with the effective challenge principles recommended in the applicable modules from the C3PRMP, my team partners and I have:
1. Identified issues, such as:
  • Due Diligence Questionnaire (DDQ) and Due Diligence Assessment (DDA) content containing non-specific and confusing language that does not directly match either the regulatory guidance or a relevant activity for effective identification of a material risk.
  • Duplicative questionnaire questions causing supplier response confusion and prompting immediate, additional requests for clarification, extending the overall timeline for effective due diligence completion.
  • Duplicative questions that exist across assessments and that could be better addressed by subject matter experts better qualified to assess those particular risks.
2. Issued effective challenge by: 
  • Improving alignment of DDQ & DDA questions to current OCC guidance for assessing and managing the relevant key third- and fourth-party risks.
  • Improving efficiency by clarifying existing questionnaire language, e.g., a recommendation for clarifying Third Party and business expectations for requested artifacts that demonstrate appropriate third-party risk controls and risk-mitigating activities.
  • Recommending a 27% reduction in the overall volume of questions by combining or removing duplicative and redundant questions.
  • Recommending that similar questions be consulted on and aligned with other risk dimensions.
  • Recommending that the Compliance team be consulted to ensure compliance with the processing and regulatory requirements.
  • Recommending paths for consideration for updating our system of record to reflect changes made to DDQ and DDA questions and related communications, with a minimal impact on technology costs.
3. Exercised our responsibility to challenge and escalated results and proposals based on our analysis.
I have learned that building an effective Third Party Relationship framework involves many stakeholders and processes. That is why it is key for Senior Management to set the “Tone at the Top,” so that executors have supporting leaders who allow initiatives that create a positive impact on the organization.
There is no doubt that these types of challenges will find resistance along the way. This is where effective challenge can be used to demonstrate a better way forward, even though there may be much work involved in implementing the necessary improvements in our systems in support of good risk management of our Third Parties. Based upon what I have learned, I will continue to focus on building better methodologies and procedures, as well as on the return on financial investments and the improved risk position that naturally come when these enhancements are implemented.

SIG University's Certified Third-Party Risk Management Professional (C3PRMP) program is a globally recognized certification that is the “gold standard” in terms of relevance, scope and content. The C3PRMP program was created by Linda Tuck Chapman, an advisor, educator, author and expert.


Noelia Valentina Novoa Pena, Third-Party Risk Management, USAA

MBA, BSc. Actuarial Sciences, with thirteen years of professional experience in Enterprise Risk Management (ERM) and Third Party Risk Management (TPRM). I started my professional experience at PwC in the Risk & Value Management department, in which I was part of the team that implemented ERM frameworks for financial and non-financial institutions in Latin American countries and performed audits to evaluate compliance with regulations and international risk standards.

I continued my career in the Financial Services industry managing the Enterprise Risk Management departments in which I developed ERM frameworks from scratch and developed methodologies and financial models to assess credit risk, market risk, liquidity risk and operational risk. Currently, I am part of the Third Party Risk Management (TPRM) due diligence team that performs operational, people and subcontractor assessments in the First Line of Defense (FLOD), in addition to other TPRM activities.