Opening The Curtain Of Third-Party Risk Management


SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Shani Richards shares how this course has opened her eyes to the inherent risks associated with not having a solidified third-party risk management system in place.

I enrolled in this program to earn my Third-Party Risk Certification but gained much more. I have been in audit for over five years, but this is the first time that third-party risk management has been broken down and explained on a granular level.
I found it interesting to learn about Business Resilience Risk and its importance to an organization. When performing walkthroughs to learn more about a process and the controls included, I asked some questions about business continuity to ensure a plan was in place if there was a business interruption. I never thought that having a disaster recovery plan after a business interruption should be a part of business continuity management. Since third parties can form a complex and intertwined ecosystem of interdependent services, it's imperative to understand the points of risk in order to make it through an interruption and to recover after one.
Business continuity risk management is not a "one-size-fits-all" approach. The level of control should be directly correlated with the level of impact on the enterprise should there be a third-party business interruption and with the criticality level of the product/service to the enterprise. When considering a third party, a contingency plan must be part of our due diligence process. Two main elements that should be investigated are the recovery time objectives and the recovery point objectives of the third party's plan. These two areas within a continuity plan get lost and can go overlooked.
I understood the expected turnaround time for a company to be "back online" after a disaster and how files are kept in backup storage, including the age of the files that will be stored. I also learned that a business impact analysis is a regular practice at multiple enterprises to identify the level of operational risk exposure. I will request evidence of a business impact assessment for my upcoming audits when appropriate. Given the criticality of understanding the impact of third-party disasters on a third-party service, it's imperative as an auditor to ensure continuity plans are created.
Also, I think it's crucial that, as auditors, we investigate the monitoring process around the contingency and disaster recovery plans, including how often they are reviewed, ensuring policies are in place, who is responsible for business continuity management, and the general objectives.
The second area that intrigued me was how comprehensive information technology risk management is and how critical it is to every enterprise. It is a part of how every company does business, regardless of where it falls under the umbrella: architecture, infrastructure, networks, applications, hardware, etc. When I thought of IT risk before taking this training, I only thought about cloud-based technology for storing data. Unfortunately, I have been the victim of data breaches on two separate occasions. When the credit institution Experian was hacked, my account information was a part of the data breach.
I had to notify the other credit institutions of the breach, change my passwords, get new credit cards, etc., to protect myself as best I could. I was also the victim of an account hack through a fitness clothing company. I held a membership account with a company called Fabletics, and my account was hacked. Since my PayPal was hooked up to my Fabletics account, the hacker could gain access to money in my bank account. It was an absolute nightmare to deal with.
After taking this training, I've learned that so many other points of risk within IT require exposure management. I agree that we can't mitigate systematic risk completely. However, having common-sense controls and policy guidance in place, with third-party requirements based on the criticality of the risk, will undoubtedly help.

SIG University's Certified Third-Party Risk Management Professional (C3PRMP) program is a globally recognized certification that is the "gold standard" in terms of relevance, scope and content. The C3PRMP program was created by Linda Tuck Chapman, an advisor, educator, author and expert.


Shani Parker, Sr. Internal Auditor, Citi

My name is Shani Parker, and I have over five (5) years of experience in audit services. I have experience in financial auditing, third-party risk management, issue validation, and SOX compliance work. I have extensive knowledge in the following areas:

Internal Audit Assurance: Helping organizations accomplish objectives by bringing a systematic approach to improve the effectiveness of risk management and control.

Fraud Assessment: Assisting organizations in developing and enhancing anti-fraud programs at the business and significant-account levels.

Project Management and Control: Designed and implemented database project controls to ensure effective data collection, integrity, and analysis.

Accounting Operations and Compliance: Strategies for financial reporting, policies and procedures, and evaluation of accounting controls.