SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Sandra Ilogu discusses how critical the relationship manager is to third-party risk.
The Relationship Manager is the first line of organizational defense, tasked with ownership of relationships and risks. The overall accountability of these risks, the performance and the cost management for the supplier through the life of the relationship are also key focus points.
I will discuss how the Relationship Manager (RM) functions as the nucleus of Third-Party Risk Management (TPRM) activities for a supplier with the following points.
Provides Information for Reviews and Decides on Risk Acceptance for a Third Party
It is understood that the liability of our third parties is ultimately ours. This means that the liability of the third parties of our third parties (i.e., our subcontractors) also becomes ours. An effective framework in which risk is indicated and mitigated is essential for our suppliers and subcontractors.
In such a framework, exit strategies and termination processes are set in place for cases in which the risk cannot be mitigated or when a contract needs to be terminated. These are defined by the Relationship Manager, who provides information on the supplier and finds out if there are subcontractors involved. Responses provided will trigger due diligence risk areas for information from the supplier.
Once the relationship is fully defined and risks are highlighted, it is the responsibility of the Relationship Manager to determine whether or not to accept the risk and contract with the supplier.
Within this framework, a supplier could be linked with different stakeholders in the company. This could include members of the first line of defense, like the operations team responsible for the day-to-day monitoring of progress and escalations during due diligence and issues management. It could include risk area SMEs who interact with the supplier to get information about their risk area to determine the controls in place or escalations to the third line of defense (audit) in times of non-compliance.
The Relationship Manager is responsible for the communication between the company and supplier. This person engages with stakeholders throughout the lifecycle management workflow to monitor progress, request follow up, and navigate through the needs and personalities of the supplier and internal colleagues to create a mutually beneficial relationship between the company and supplier.
Acts as “Eyes and Ears” of the Company to Ensure Effective Oversight
Relationship Managers get to learn from agreed ongoing risk monitoring meetings, reviews of the TPRM workflow (also known as a refresh) or even just from the news if the supplier set-up and stance on issues aligns with the organization’s. If that could hurt your reputational brand by association or their financial viability, then that is a critical factor.
For example, in light of their solidarity for the Black Lives Matter movement, companies have made strong statements on their Diversity and Inclusion policies. A top funding institution recently declared unwillingness to provide funding to any company that cannot show diversity in their executive board.
Knowing a supplier got a rejection for funding because of inadequate diversity within their company would alert on whether to review controls for financial viability or reputational risk. When looking at the demographics of our population today, we see a higher percentage of those who believe in a cause typically expecting equity for all and would boycott if the ideology is not met.
In a robust TPRM framework, there is most likely a tool that automates workflows to all the players in the determination of the inherent risk, controls and residual risk for the supplier. The tool would also automate ongoing risk monitoring, recording of risks, the workflow to mitigate those risks and even performance monitoring.
This collected data about the supplier and relationship is reviewed for correctness and would typically result in a risk profile for this supplier, which should be reportable to present by the Relationship Manager as needed for further oversight.
The Relationship Manager is known as the nucleus of the TPRM framework, but the ultimate responsibility for TPRM lies with the executive board and senior management. They dictate the tone at the top to indicate the strength of the risk culture and how seriously the function is taken.
Guided by policies, guidelines and clear definitions of roles and responsibilities while ensuring that people in these roles have enabling tools, opportunities to build on relationships, and are held accountable to execute their work would lead to complete and successful TPRM and monitoring.
SIG University's Certified Third-Party Risk Management Professional (C3PRMP) program is a globally recognized certification that is the “gold standard” in terms of relevance, scope and content. The C3PRMP program was created by Linda Tuck Chapman, an advisor, educator, author and expert.
I currently manage the application that supports a relatively mature Third-Party Risk Management (TPRM) framework and manages outsourced suppliers at Credit Suisse. I am self-sponsored to take this course for a fully rounded content and certification in Third-Party Risk Management. This course has put a holistic and structured context to the activities that provide input to or receive output from the application I manage. Aside from lifecycle management, the area that resonated with me the most was relationship management.