Implementing Third-Party Risk Management Framework

Third-Party Risk Management Framework

SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Andrea Solano discusses how taking the C3PRMP program helped her to implement the framework for her team to operate as an optimal risk management and risk mitigation function across her department and enterprise-wide. 


 There are different types of workstreams and specializations that have been around a long time. However, the discipline of Third-Party Risk Management is something that is in the very beginning stages of inception. Currently, it is evolving into a discipline that many organizations shall be implementing as a standard operating function in the Silicon Valley business sector I work at. Working at Silicon Valley, the term Third-Party Risk management is still somewhat foreign and not understood as a critical and vital risk management function.

Third-Party Risk Management Function

The key role that I fulfill within the Third-Party Risk Management life cycle is in the due diligence process, which is the internal audit function that serves as a 2.5 – 3rd line of defense within my organization’s Risk Management Function. The SIG University Third-Party Risk Management training that I have taken throughout these past ten weeks has been highly instrumental for me. It will help create, build-out, and develop an internal audit framework that will be customized to meet the needs of this brand-new Third-Party Risk Management function within my organization.  

One of the lesson’s fundamentals within the training that directly aligns with one of the core objectives of our Third-Party Risk Management Audit program is reputation(al) risk. Unfortunately, reputational risk is not covered in the COSO framework that my organization currently utilizes, nor is there any sort of risk committee addressing risks pertinent to our Third Parties. 

With Linda Tuck Chapman’s subject matter expertise in advising the importance of having such committees, this provides the confidence and empowerment to begin planning this initiative and developing a third-party risk oversight committee within my Global Security department. In this major collaboration between board members and senior leadership, we can help drive conversations that benefit both parties establish a risk appetite, risk tolerance, a risk threshold, and key risk indicators within the appropriateness of what the business is comfortable with. 

Third-Party Audits

Once these elements are established, a tone at the top approach can easily be executed and help the business understand the risk culture. When my organization can understand their risk culture of third parties, it will enable the first line of defense to create tailored and customized controls along with the guidance and recommendation of the organization’s risk specialists. The Third-Party Audit function within my organization will support in assessing, monitoring, and reporting such vulnerabilities identified within our Third-Party Audits. They provide opportunities to validate whether the control environment is effective and reflective of the business’ established risk appetite and risk threshold on an annual basis. Additionally, the findings derived from these Third-Party Audits will enable board members and senior leadership to make risk-based informed decision-making in adjusting risk appetite, risk tolerance, and risk thresholds as the need arises.

Secondly, with the Third-Party Audit program being fairly new, there must be a framework set in place to determine the frequency of audits for our third parties. Luckily last year, because of the COVID-19 pandemic, we were able to conduct audits remotely. Due to the number of third-party offices our organization has, it will be impossible to conduct audits physically on all of these locations. With the number of growing third-party spaces we have, we must create a frequency of audits to remain scalable. 

Furthermore, through Linda Tuck Chapman’s lesson on risk segmentation and tiering by the criticality of these third parties, I will utilize this methodology to develop the audit frequency that will take place. We will begin with tiering our organization’s most critical third-party relationships by the following tiers, enterprise-critical – tier 1 relationship critical, high – tier 2 relationship critical and moderate – tier 3. We will review all of the types of criticality operations in these third parties and assess whether any system failures that could occur could lead to significant losses and leave our social media platform vulnerable to security breaches compromising the user’s privacy that utilize our social media platform. 

Mitigating Reputational Risk

Any security breach within our organization could wreak havoc on our organization’s reputation, which could take many years to regain. Identifying the criticality and risk of our third parties will determine the audit frequency by yearly (enterprise-critical), every other year (high), or every three years (medium, low).

In conclusion, implementing all of these core foundational elements into my Third-Party Audit Program will help me drive and fulfill my department's overall objective: to mitigate reputational risk. A statement that Linda Tuck Chapman covered in her book, Third-Party Risk Management, Driving Enterprise Value, resonated tremendously with me about reputational risk. Linda indicated that “ There is a direct correlation between an institution’s reputation and its revenues and market capitalization.” This summarizes in a nutshell why the third-party audit program exists within my organization. 

If not actively monitored, reputation risk may pose company revenue losses, the organization’s market share power, and employee’s market share stakes they may have in the business. As Linda Tuck Chapman covered in our training, recovering from a reputational downfall could take 10-20 years to create and recreate and only 5 minutes to destroy. The third-party risk management discipline is such an essential one. I am glad that I have acquired this knowledge to implement into my third-party audit function while tailoring the strategic priority of our organization; to operate as an optimal risk management and risk mitigation function across our department and enterprise-wide.


SIG University's Certified Third-Party Risk Management Professional (C3PRMP) program is a globally recognized certification that is the “gold standard” in terms of relevance, scope and content. The C3PRMP program was created by Linda Tuck Chapman, an advisor, educator, author and expert.

 

Andrea Solano, Global Security 3rd Party/Outsourced Audit Manager, Facebook

My name is Andrea Solano, I am the Global Security 3rd Party/Outsourced Audit Manager at Facebook. I conduct physical security audits on all of Facebook’s 3rd Party/Outsourced office spaces globally. We ensure that the security controls implemented in all of the 3rd Party/Outsourced office spaces are within compliance, while ensuring that reputational risks to the business are significantly mitigated. I have over 13 years of extensive experience in the security technology/integration field which lead me over to work at the organization I belong to today.