Laying the Foundation for a Vendor Management Program

A Senior IT Consultant talks about shaping a risk culture and standardizing her company's vendor review process.

While enrolled in SIG University's Certified Third Party Risk Management Professional (C3PRMP) Program, Wendy Hsu was able to immediately apply what she learned and contribute her expertise toward sourcing a third-party risk management tool to develop her organization's Third Party Risk Management Program.

In the C3PRMP program, students focus on best and emerging practices to identify, assess, manage and control third-party risk throughout the lifecycle of relationships, and learn how to align risk fundamentals and frameworks with risk culture to develop the essential tools and controls for effective governance.

In more ways than one, the learning opportunity with SIG University’s Certified Third Party Risk Management Professional (C3PRMP) program was more than coincidental. Earlier in the year, I had chosen the C3PRMP program to fulfill my 2019 Individual Development Plan objective. Little did I know that by July I would be fully engaged in assisting my manager to source a suitable third-party risk management tool and develop a project plan to implement our future Third Party Risk Management (TPRM) program. While the timing of my taking the certification program couldn’t be better, the challenges ahead of my company’s TPRM program (which will soon be called Key Vendor Management Program) couldn’t be greater given we are a young company still in the process of shaping our risk culture and standardizing our vendor review process.

I am looking forward to participating in the development of our Key Vendor Management Program (KVMP) and contributing my learning experience in various discussions and working groups. Although I am excited to support our undertaking from program development to program implementation, there are three areas on which I feel compelled to focus: (1) define the program framework; (2) develop risk rating criteria, relevant screenings and/or required reviews; and (3) develop KVMP program metrics (key risk indicators).

Program Framework

I believe the program framework development will be a cross-functional effort in which input from multiple disciplines and areas of expertise will be necessary to create a sound and comprehensive model. I have started to research relevant regulations that may govern our business, and my manager has begun to work with our Compliance Officer to confirm any relevant regulations that we need to consider as we build this program. As we kick off our framework discussion, I anticipate that I will perform additional research using the FFIEC as one of the resources, an organization I learned about in the C3PRMP course. One item not yet in our plan is that I would like to advocate for an educational element whereby our business owners receive ongoing training to more fully recognize the importance of third-party risk management and their roles in it.


Develop Risk Rating Criteria, Relevant Screenings and/or Required Reviews

In our current state, vendor risk rating is determined by our IT Security team. In our future state, we envision that our vendor review process will expand the concept of vendor risk rating to be more comprehensive and include areas beyond data and IT security. In our upcoming internal working session, I would like to help shape our discussion so that we spend time considering risk drivers along with the equation "inherent risk minus existing controls equals residual risk" to define the criteria and parameters governing the risk rating process. Another perspective that I propose to add to our discussion is whether the business criticality of the vendor engagement should be a component of the vendor risk rating process.

We are in the process of exploring a TPRM tool that has a built-in vendor risk scoring capability and will address aspects that we are currently not reviewing, such as OFAC screening and financial viability. Although we are still vetting the tool and making a business case for executive leadership review, our goal of ensuring thorough third-party due diligence will be a primary focus. In turn, this will be the precursor to determining a plan for risk remediation standards, ongoing monitoring requirements and/or risk acceptance. I plan to recommend that the risk rating process operate at the vendor engagement level rather than at the vendor company level, as risks may differ for each engagement performed by the same vendor.

Develop KVMP Program Metrics (Key Risk Indicators)

One other area in which I have a strong interest is helping to develop our KVMP program metrics. Developing good Key Risk Indicators (KRIs) is no easy task, as the KRIs need to be quantifiable, indicative of potential problems, and supportive of and comparable for benchmarking, so this is another effort that will require multiple cross-functional working sessions. I believe we will also need to include an educational element as part of the rollout for KRI reporting so that our business owners understand the importance of including and designing relevant and appropriate controls and monitoring of vendor performance in their business processes, and how these efforts feed into the KRI process.

In summary, I am excited for my company’s Key Vendor Management Program initiative and would embrace any opportunity to apply the lessons that I learned from the C3PRMP program to make it an effective and successful program.


Wendy Hsu, Sr. IT Procurement Consultant, Venerable

Wendy is a dedicated Client and Vendor Management Professional with 20 years of experience in contract negotiation, business operations, procurement, and project management. From 1999 until 2005, Wendy was a Contracts Manager for Alternative Resources Corporation where she assumed progressive levels of responsibilities as a negotiator and created long-term value for complex, multi-party business relationships. From 2006 until 2007, Wendy provided her vendor management expertise at The Vanguard Group. From 2008 until 2018, Wendy worked for Prudential as a Manager, Process Management in the contracting unit of the Individual Life Insurance’s Vendor Governance organization. Currently, Wendy is in the role of Sr. IT Procurement Consultant at Venerable. Wendy received her MBA from Saint Joseph’s University and her Bachelor of Science degree from Pennsylvania State University.