Risk Management

SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Meshkat Rahman shares her systematic analysis of Reputational Risk with a methodical solution design process.

I have decided to partake in the certification of the C3PRMP course by SIG University as I have a growing passion for the topic of third-party risk management. I have learned various aspects of vendor risk management, which includes the types of risk, how to identify risks and their remediation plan, the importance of RACI and the role of various stakeholders, industry trends, and best practices. The list will go on. With this in-depth knowledge gained via this course, I can demonstrate a high proficiency level in the topic I am most passionate about. This will help me help my clients and my company in the future.

One of the topics that can be deemed simple and self-explanatory but possess a high value is reputational risk. In this article, I would like to dive deep into the topic of reputational risk and discuss its implications and how to apply the knowledge gained from this course in an organization. 

SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Steve Williams provides a look through Johari’s Window, and how knowing what we know and don’t know can unlock our understanding of a company’s risk profile while supporting it through negotiated contracts and governance.

Procurement is such an interesting field because so many companies do it differently. This is especially true in the area of third-party risk management and the role that procurement practitioners play in that area, and I submit that most practitioners could be doing more to support their organizations when it comes to managing third party risk, from understanding the company’s risk profile, to helping stakeholders and business owners identify risk, to being part of the solution in terms of mitigating or preventing known risks.

To lean on Johari’s Window, I believe many practitioners sit in the you don’t know what you know, or you don’t know what you don’t know spaces. The pendulum needs to shift drastically and as procurement professionals we need to know what we know and know what we don’t know more than anything else– but how do we get there? Surely this is not something that happens overnight and developing the knowledge required to assess and address third party risk at a company takes time during the employee onboarding process and consistently throughout their career.

SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Anna Sgro shares how adding procurement roles into third-party risk management systems can be a very effective contribution to your team.

Across many organizations, there is an outstanding need to baseline what, if any, activities are taking place to manage third-party due diligence proactively. From my specific experience, Procurement's role is only sometimes well established and often has limited involvement in third-party risk management. The lack of engagement with the Procurement team introduces unnecessary risk and exposure for an organization.

Incorporating Procurement in third-party risk management and analysis will increase visibility, broaden awareness, and reduce risk by ensuring consistent sourcing, contracting controls, management, and monitoring processes. The standard practice for most Procurement teams includes evaluating new third parties, facilitating the sourcing and contract negotiations, and primarily being responsible for ensuring appropriate terms are in place. However, without a clearly defined path of communication and standardized processes, there's still potential for the organization to be exposed to unknown risks when bringing on a new critical third.

SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate MJ Ellis shares a unique perspective on the fundamentals of effective third-party risk management through the panes of Johari's Window.

SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Nathan Coffet discusses the process of  updating a Third-Party Risk Management program and the benefits it can have.

Large fast growing multinational companies involving multiple mergers & acquisitions will often have many disparate processes in place to manage Third-Party Risk. There may be programs developed by individual group companies or parts of the group to meet general procurement needs. Corporate functions such as Privacy, Information Security, Corporate Social Responsibility, or Anti-Corruption may have developed customized programs to meet regulatory requirements or address audit findings. Other programs may have been driven by the need to respond to vulnerabilities arising from macroeconomic events: systemic risks in the financial market; or the impact of Covid on the viability of cross-border supply lines. The multiple languages and cultures add a layer of complexity.

A root and branch review may enable the business to simplify processes, strip out unnecessary costs and duplication and ensure that the key risks are appropriately overseen proportionately. The approach must be focused on the return on investment to make it easier to justify and obtain necessary resourcing.

But where to start?

It is tempting to jump in and start solving the problem before it is well understood. But do not rush.

First - Remember to Reinvent the Wheel.