SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Anna Sgro shares how adding procurement roles into third-party risk management systems can be a very effective contribution to your team.
Across many organizations, there is an outstanding need to baseline what, if any, activities are taking place to manage third-party due diligence proactively. From my specific experience, Procurement's role is only sometimes well established and often has limited involvement in third-party risk management. The lack of engagement with the Procurement team introduces unnecessary risk and exposure for an organization.
Incorporating Procurement in third-party risk management and analysis will increase visibility, broaden awareness, and reduce risk by ensuring consistent sourcing, contracting controls, management, and monitoring processes. The standard practice for most Procurement teams includes evaluating new third parties, facilitating the sourcing and contract negotiations, and primarily being responsible for ensuring appropriate terms are in place. However, without a clearly defined path of communication and standardized processes, there's still potential for the organization to be exposed to unknown risks when bringing on a new critical third.
Ideally, Procurement's role will fit seamlessly into existing third-party risk management activities. With the knowledge and resources provided by the SIG C3PRMP program, Procurement can improve the framework to help further reduce or mitigate potential risks. By evaluating the current landscape, Procurement's extensive experience with third parties and KPIs can yield further benefits, such as identifying additional gaps, driving process continuity, ensuring the appropriate framework is established and utilized, and the relevant company representatives are engaged.
The questions below provide a starting point to initiate the assessment of third-party risk management activities currently taking place within the organization:
Has the organization identified which teams are engaged and accountable for performing due diligence?
Who are the most critical third parties, how were they identified, and who manages the relationship?
What is the cadence of due diligence reviews?
Is there an established framework and standards, and where is this information documented?
Have there been any reported incidents, and what corrective actions were taken?
What contractual controls are in place today, and who monitors these controls for compliance?
What parameters are used for reporting to the board of directors?
The team should then outline gaps identified through this evaluation and document any proposed actions with specified owners and target completion dates. Once the current state and maturity of the organization's third-party risk management has been captured, the Lifecycle Management structure from Module 1 (Image A) and the Three Lines of Defense defined in Module 3 (Image B) from the SIG program can provide a starting point to design the framework, roles, and ownership throughout the process.
Ultimately, the objective is to develop recommended KRIs (Key Risk Indicators) that the organization can utilize when evaluating current and future third parties in a measurable, quantifiable, informative, and trackable manner. To achieve this, the team must consider the organization's risk appetite and tolerance levels and define the process, cadence, and audience for reporting the recommended KRIs. An adjacent improvement area will be revisiting KPIs (Key Performance Indicators) and confirming alignment with the recommended Risk Indicators.
Taking a refreshed look at the landscape and changing activities, the third-party risk management teams will collaborate on building consistent and measurable KPIs using the SMART (Specific, Measurable, Attainable, Relevant, Time-Based) method covered in Module 1 and throughout the SIG program. With the agreement on KRIs, a re-evaluation of all third parties is needed to determine their level of criticality, risks, controls (if applicable), and due diligence schedule. It's critical to socialize the refreshed framework, new methodologies deployed, and the assessment findings that led to the refinement of the third-party risk management program with all defense levels, owners, and board of directors.
As a final step, "inspect what you expect," as featured in Module 11. The collective third-party risk management team is accountable for determining a schedule to evaluate the effectiveness of controls and processes, assuring a solid control environment to mitigate, manage and monitor third-party risk. As a complement to the cadenced reviews, this collective team should establish a precedent of leveraging a combination of internal and external sources, as demonstrated in the C3PRMP program reading by The Institute of Internal Auditors and COSO.
Successfully implementing Procurement's role in third-party risk management will result in cohesive communication with the board of directors, internal leadership, and business owners. The collective strategic framework provided by the second line of defense will improve the organization's visibility of the most critical third parties while providing consistent controls and committed processes for an overall healthier dialog on how our organization classifies and manages risk.
SIG University's Certified Third-Party Risk Management Professional (C3PRMP) program is a globally recognized certification that is the “gold standard” in terms of relevance, scope and content. The C3PRMP program was created by Linda Tuck Chapman, an advisor, educator, author and expert.
Anna Sgro, Procurement Category Manager of IT, Maxar
Anna Sgro is the Corporate Procurement Category Manager of IT at Maxar. Anna has worked in various industries, including aerospace, financial, and oil & gas; with these competencies, she demonstrates her flexibility and expertise in all things procurement.
She is a passionate Procurement professional that enjoys identifying improvements, and driving efficiencies, believes there is always something to learn, and brings over 10 years of Procurement, Supply Chain, and Contract Management experience. She enjoys spending time with her family, skiing, hiking, and paddle boarding outdoors and loves to travel.
SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Anna Sgro shares how adding procurement roles into third-party risk management systems can be a very effective contribution to your team.
Across many organizations, there is an outstanding need to baseline what, if any, activities are taking place to manage third-party due diligence proactively. From my specific experience, Procurement's role is only sometimes well established and often has limited involvement in third-party risk management. The lack of engagement with the Procurement team introduces unnecessary risk and exposure for an organization.
Incorporating Procurement in third-party risk management and analysis will increase visibility, broaden awareness, and reduce risk by ensuring consistent sourcing, contracting controls, management, and monitoring processes. The standard practice for most Procurement teams includes evaluating new third parties, facilitating the sourcing and contract negotiations, and primarily being responsible for ensuring appropriate terms are in place. However, without a clearly defined path of communication and standardized processes, there's still potential for the organization to be exposed to unknown risks when bringing on a new critical third.
Ideally, Procurement's role will fit seamlessly into existing third-party risk management activities. With the knowledge and resources provided by the SIG C3PRMP program, Procurement can improve the framework to help further reduce or mitigate potential risks. By evaluating the current landscape, Procurement's extensive experience with third parties and KPIs can yield further benefits, such as identifying additional gaps, driving process continuity, ensuring the appropriate framework is established and utilized, and the relevant company representatives are engaged.
The questions below provide a starting point to initiate the assessment of third-party risk management activities currently taking place within the organization:
The team should then outline gaps identified through this evaluation and document any proposed actions with specified owners and target completion dates. Once the current state and maturity of the organization's third-party risk management has been captured, the Lifecycle Management structure from Module 1 (Image A) and the Three Lines of Defense defined in Module 3 (Image B) from the SIG program can provide a starting point to design the framework, roles, and ownership throughout the process.
Ultimately, the objective is to develop recommended KRIs (Key Risk Indicators) that the organization can utilize when evaluating current and future third parties in a measurable, quantifiable, informative, and trackable manner. To achieve this, the team must consider the organization's risk appetite and tolerance levels and define the process, cadence, and audience for reporting the recommended KRIs. An adjacent improvement area will be revisiting KPIs (Key Performance Indicators) and confirming alignment with the recommended Risk Indicators.
Taking a refreshed look at the landscape and changing activities, the third-party risk management teams will collaborate on building consistent and measurable KPIs using the SMART (Specific, Measurable, Attainable, Relevant, Time-Based) method covered in Module 1 and throughout the SIG program. With the agreement on KRIs, a re-evaluation of all third parties is needed to determine their level of criticality, risks, controls (if applicable), and due diligence schedule. It's critical to socialize the refreshed framework, new methodologies deployed, and the assessment findings that led to the refinement of the third-party risk management program with all defense levels, owners, and board of directors.
As a final step, "inspect what you expect," as featured in Module 11. The collective third-party risk management team is accountable for determining a schedule to evaluate the effectiveness of controls and processes, assuring a solid control environment to mitigate, manage and monitor third-party risk. As a complement to the cadenced reviews, this collective team should establish a precedent of leveraging a combination of internal and external sources, as demonstrated in the C3PRMP program reading by The Institute of Internal Auditors and COSO.
Successfully implementing Procurement's role in third-party risk management will result in cohesive communication with the board of directors, internal leadership, and business owners. The collective strategic framework provided by the second line of defense will improve the organization's visibility of the most critical third parties while providing consistent controls and committed processes for an overall healthier dialog on how our organization classifies and manages risk.
SIG University's Certified Third-Party Risk Management Professional (C3PRMP) program is a globally recognized certification that is the “gold standard” in terms of relevance, scope and content. The C3PRMP program was created by Linda Tuck Chapman, an advisor, educator, author and expert.
Anna Sgro is the Corporate Procurement Category Manager of IT at Maxar. Anna has worked in various industries, including aerospace, financial, and oil & gas; with these competencies, she demonstrates her flexibility and expertise in all things procurement.
She is a passionate Procurement professional that enjoys identifying improvements, and driving efficiencies, believes there is always something to learn, and brings over 10 years of Procurement, Supply Chain, and Contract Management experience. She enjoys spending time with her family, skiing, hiking, and paddle boarding outdoors and loves to travel.