Crucial Aspects for Building your Third-Party Risk Team

Image of Third-Party risk

SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Jonathan Purdon discusses the vital aspects to add to your risk management framework and the best practices for creating a risk culture.


Over the past ten weeks, the C3PRMP program has taught many topics relating to Third Party Risk Management and vendor lifecycle management. I found vital frameworks, sets of standards, and best practices for building a risk culture very impactful for my current role in our organization’s Third Party Risk Management Team. 
 
Two critical frameworks resonated with me are Johari’s Window and three Lines of Defense. Johari’s Window speaks about what you know and doesn’t know as well as what is documented and what is not. This framework is a great exercise to clarify business requirements by asking four simple questions. This framework could be efficiently utilized to define processes, SLAs, and more. I will use these four questions when reviewing our process documents to ensure we can identify what is known and reduce the unknown. I want to highlight the third-party risk management program’s second framework, the 3 Lines of Defense, the basic building block.
 
This framework separates roles and duties into three levels. Starting with the first level, roles include business owners or relationship owners focusing on the ownership of risk associated with third parties. They also ensure internal controls are in place and working. The second line of defense is the corporate function. I can relate to this level as I work in the second line of defense. The second line of defense focuses on building oversight and support for the first line of defense. Lastly, the third line of defense is Internal Audit which reports directly to the board. They provide an independent assurance that the program is working and sufficiently identify and address risks. These frameworks are two of many taught in the C3PRMP program, which is crucial to building processes and determining how functions will work in our three lines of defense.
 
Another crucial part of third-party risk management is utilizing common standards, particularly in Information Security Risk. Two of these highlighted sets of measures were the ISO and NIST standards. ISO was formed in a collaborative effort by experts from governments and NGOs. ISO establishes a common risk taxonomy and provides a control environment model to follow. NIST was developed by the US Department of Commerce and worked explicitly to protect hidden assets. Both are excellent standards, and the primary difference is that NIST is ubiquitous in the US, whereas ISO is more common globally.
 
Aside from sets of standards and frameworks, C3PRMP taught a lot about Risk Culture and how to build a risk culture. Everyone in the organization is responsible for risk management; however, the tone of risk culture starts at the top. Tone at the top begins with senior management creating risk appetite and risk tolerance which help guide employee behavior. Risk Appetite is the amount of risk the organization is comfortable taking, which is translated into Risk Tolerance, which provides acceptable boundaries for decision making. In the second line of defense, risk appetite and tolerance help provide a strategy for creating policies and procedures. Learning more about risk appetite and tolerance could also make better reports.
 
Learning about the overall risk culture could help show important key risk indicators to your senior management and the board of directors. A part of my current role is to help support board and quarterly senior management reporting. Risk culture is also essential in building buy-in to your overall program. 
 
Overall the C3PRMP program has taught an immense amount of information over only ten weeks. From learning about reporting to governance, there is numerous best practice I will take away and implement in my day-to-day work. Recent events over the past three years have solidified third-party risk management as a crucial part of the business. I have gained confidence in my risk management knowledge, and I know this certification will benefit me for years. 

SIG University's Certified Third-Party Risk Management Professional (C3PRMP) program is a globally recognized certification that is the “gold standard” in terms of relevance, scope and content. The C3PRMP program was created by Linda Tuck Chapman, an advisor, educator, author and expert.

Jonathan Purdon, Sr. Business Analyst, ATB Financial

My name is Jonathan Purdon, I work for ATB Financial, a regional bank that supports Albertans. I work on our Third Party Risk Management team as a Sr. Business Analyst for the past 3 years. My work on our TPRM team is primarily focused on the assessment of risk associated with each individual contract and the financial health of our critical third party relationships. I also perform our media monitoring for our critical third parties. I graduated from the Alberta School of Business at University of Alberta in 2019 with a Major in Operation Management and Certificate in Leadership.