SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Mona Josten discusses the importance of having a high-quality third-party risk management program
"Without data, you're just another person with an opinion."
- Edwards Deming, Statistician
Linda Tuck Chapman, instructor and course designer at SIG University, states that Third-Party Risk Management is a team sport. A team consists of many different people with many different opinions. These opinions may stem from their various roles and from the different goals that come with those roles. They all strive for the same overall target, a managed level of risk that is acceptable to their company, but might have a different focus. The risk analyst might be especially eager to analyze the risk deeply, and the buyer might want to focus on a fast decision to close a deal.
So, what can help turn their opinions into a decision? Or help whoever has the right and the responsibility to make a decision? Of course, the answer is a high-quality database that turns opinions into facts. It is essential to ensure a high-quality database, especially in a worldwide program with different risk areas, teams, and global regulatory requirements. High quality, in that case, means (at least) that the data is accurate, that it contains all required data fields, that it has a clear structure, and that it is accessible to all relevant people while still restricting the possibility of editing the database itself (meaning strict controls).
This can be ensured by solid governance and a strong RACI, which includes the role of a data steward who is responsible for maintaining the high quality of the database. If that is the case, the database can be used as an archive to document the development of the third-party relationships, as a basis for risk analysis or analysis of the program's effectiveness, as well as for management and board reporting.
For the research and the reporting, especially on the global agenda, the second step is to ensure that people who use the data to report or analyze have a basic understanding of the taxonomy and the data structure. For example, the question "how many different risk assessments do we have," which is typically asked for reporting to the board, might be answered differently by two teams. Some might also count mere "attestations" that need to be signed as an assessment, and some might not; some risk areas might currently have two versions, one older and one newer, which some might count as one assessment and some as two. Therefore, if data users do not have this specific knowledge, we again have different opinions in different teams.
But if we now have a high-quality database and educated users, the last question is, "Where do the educated users find the data? Where is the database stored?" At a specific size of the program, it can be very worthwhile to leave the Excel files behind and invest in a Third-Party Risk Management Tool, which can act as the database across the whole Third-Party Risk Management Program. Most of the tools offer additional reporting and dashboarding capabilities that can help analyze, report, and visualize the data directly in the tool. They also provide other third-party risk management functions; they contain your workflows and help you communicate with your third parties. Again, it must be ensured that the tool is widely accepted and that all relevant users know how to use it.
If we have a high-quality database in a proper Third-Party Risk Management Tool that educated team players use, we have the basis for solid and aligned decision-making and, therefore, a mature Third-Party Risk Management Program.
SIG University's Certified Third-Party Risk Management Professional (C3PRMP) program is a globally recognized certification that is the “gold standard” in terms of relevance, scope and content. The C3PRMP program was created by Linda Tuck Chapman, an advisor, educator, author and expert.
Mona Josten has been working in various areas of the large field of "Third-Party Risk Management" for three years. As part of the globally operating company Deloitte, she currently advises companies on the implementation and optimization of Third-Party Risk Management Programs.