Each business unit owns the risks associated with the contracts it decides to enter into. This is a fundamental principle built into third-party risk management (TPRM) programs. In large organizations, the program's success is highly dependent upon each business unit fulfilling its responsibilities.
The Business Unit Structure for Risk Management Success
The business unit needs to ensure it has a suitable organizational structure and resources to fulfill its third-party risk management program responsibilities. This includes having team members trained in specific competencies and sufficient capacity based on the level of risk associated with the business unit's third parties.
Once the contract is set, the business unit is responsible for the activities and tasks related to owning the relationship ("relationship management"), including communication, contract, performance, and risk management. Team members within a business unit who perform relationship management activities make up the largest internal population of staff who should manage risk due diligence activities with third parties.
Outlined here is information about the upcoming changes and benefits of your C3PRMP designation, as well as a profile of our students.
What is different about SIG University’s C3PRMP program?
In January of 2020, the duration of SIG University's C3PRMP program was extended from eight weeks to 10 weeks. Multiple-choice review questions at the end of each module will test all students’ knowledge and require a minimum passing score of 80%.
Members of the Global Association of Risk Professionals (GARP) will continue to earn 20 Continuing Professional Development (CPD) credits, GARP’s highest award for a continuing professional development program.
Stacy Mendoza, Managing Editor, Future of Sourcing
SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Andrea Solano discusses how taking the C3PRMP program helped her to implement the framework for her team to operate as an optimal risk management and risk mitigation function across her department and enterprise-wide.
There are different types of workstreams and specializations that have been around a long time. However, the discipline of Third-Party Risk Management is something that is in the very beginning stages of inception. Currently, it is evolving into a discipline that many organizations shall be implementing as a standard operating function in the Silicon Valley business sector in which I work. In Silicon Valley, the term Third-Party Risk Management is still somewhat foreign and not understood as a critical and vital risk management function.
Third-Party Risk Management Function
The key role that I fulfill within the Third-Party Risk Management life cycle is in the due diligence process, which is the internal audit function that serves as a 2.5 – 3rd line of defense within my organization’s Risk Management Function. The SIG University Third-Party Risk Management training that I have taken throughout these past ten weeks has been highly instrumental for me. It will help create, build out, and develop an internal audit framework that will be customized to meet the needs of this brand-new Third-Party Risk Management function within my organization.
Andrea Solano, Global Security 3rd Party/Outsourced Audit Manager, Facebook
The supplier community plays an integral role in improving enterprise diversity standing. I’d like to share some observations from my career, along with tips for the supplier community and enterprise procurement teams to improve diverse supplier access, expand opportunities and provide support.
A Risky Approach to Client Management
Historically, client management and sales practices have been disjointed and focused on winning by dividing and conquering. A generation of sales teams has been trained to get as much information as possible out of the client organization to sell them what they have, instead of what the client needs, and have been somewhat siloed in the process.
In large supplier organizations, clients doing business with them on the applications side would struggle to engage from the marketing or infrastructure side. This short-sighted view usually led to the client chasing the supplier organization to find the right resources.
The "whole client" management approach is necessary to transform the sales process to fit the more modern and sophisticated enterprise customers. Not having a modern sales approach is one area where clients, both Procurement and business stakeholders, get incredibly frustrated when dealing with a supplier organization. Many of the practices considered “old-school sales tactics” have become relatively visible to the enterprise client. For example, taking enterprise employees (particularly business stakeholders) to lunches or dinners at fancy restaurants, sporting events in private boxes and conferences in an attempt to build relationships, with a focus on gaining commitment to sales, early visibility and access to opportunities.
Purvee Kondal, Senior Director of Technology & Engineering Sourcing
When I first registered for this course, I wasn’t exactly sure what to expect. I initially thought I would learn a lot of things that I was completely unaware of. I was pleasantly surprised to see that I was learning the “why” behind the changes my organization has been implementing over the past two years.
This course took me deeper into what I need to know to be a successful third-party risk management professional (TPRMP). I will discuss how my organization has evolved, how it has impacted me, and how this course helped me see how I can grow more effectively through these changes.
Evolving into Third-Party Risk Management
My journey as a TPRMP started four years ago. At that time, we were known as Vendor Relationship Managers. My job was to perform the ongoing monitoring task. At that time, I did not know that I was performing a TPRM function under the Enterprise Third-Party Risk Management Framework (ETPRM).
It wouldn’t be until two years into my role that ETPRM was introduced to us. I remember being told that things were changing, and my role was going to evolve quickly. My leadership team was not kidding! Not only have I learned more than I ever imagined, but my role has also significantly changed during this time.
The Relationship Manager is the first line of organizational defense, tasked with ownership of relationships and risks. The overall accountability of these risks, the performance and the cost management for the supplier through the life of the relationship are also key focus points.
I will discuss how the Relationship Manager (RM) functions as the nucleus of Third-Party Risk Management (TPRM) activities for a supplier with the following points.
Provides Information for Reviews and Decides on Risk Acceptance for a Third Party
It is understood that the liability of our third parties is ultimately ours. This means that the liability of the third parties of our third parties (i.e., our subcontractors) also becomes ours. An effective framework in which risk is indicated and mitigated is essential for our suppliers and subcontractors.
In such a framework, exit strategies and termination processes are set in place for cases in which the risk cannot be mitigated or when a contract needs to be terminated. These are defined by the Relationship Manager, who provides information on the supplier and finds out if there are subcontractors involved. Responses provided will trigger due diligence risk areas for information from the supplier.
Once the relationship is fully defined and risks are highlighted, it is the responsibility of the Relationship Manager to determine whether or not to accept the risk and contract with the supplier.
Third-party risk management in the financial industry requires careful consideration when developing an operating model. It is essential to consider the regions and regulations that govern. In most of the banking industry, your internal risk culture allows you to easily implement a third-party risk program that methodically measures inherent risk, provides time to assess third party controls and negotiates contracts that enforce controls and mitigates residual risk.
Internal vs. Third-Party
The internal risk culture changes once you enter the world of capital markets, where decisions are made quickly, risk is a way of life and patience is a rare quality. Now add the risk of a trade execution platform failing during a stock market dive and counterparties not having the ability to trade for several hours. The outage would be noticed and gain publicity, potentially causing regulators to investigate. Should this occur, and the necessary due diligence steps that would have highlighted this vulnerability were skipped, the repercussions could be costly. Your firm's reputation would be at stake and you most likely will face regulatory scrutiny that could result in fines. Striking a balance between satisfying your firm's need to generate revenue and mitigating third-party risk is an interesting challenge. If your operating model is too slow and cumbersome, your business will most likely attempt to circumvent the process. Careful consideration must be given to aligning your control assessments with the true inherent risk.
Certified Professional Accountants (CPAs) who are looking to earn Continuing Professional Education (CPE) credits to maintain their licenses can improve their knowledge in third-party risk management by enrolling in SIG University’s Certified Third Party Risk Management Professional (C3PRMP) program.
SIG was recently approved by the National Association of State Boards of Accountancy (NASBA) for the National Registry of CPE Sponsors. CPAs and holders of equivalent designations who enroll in the CPE track of SIG University’s Certified Third Party Risk Management Professional (C3PRMP) program can receive 66 CPE credits and graduate with a strong knowledge base of third-party risk management best practices that can be implemented immediately.
CPAs are in possession of highly sensitive client data that cybercriminals and other bad actors could exploit. This program touches on all areas of operational risk, including cyber, business resilience, financial, technology and reputational risk. Anyone who is serious about investing in their team and protecting the wider enterprise will benefit from the program’s focus on governance and oversight best practices, controls and board reporting with a view from the top.
Business today isn’t business as usual, as the COVID-19 pandemic impacts organizations and supply chains across the globe. And in uncertain times such as these, leaders in every industry and business function must step up. New leadership skills and traits will be necessary to ensure business continuity, and to inspire teams to work together to support each other and remain productive.
We recently interviewed Dawn Tiura, President and CEO of Sourcing Industry Group (SIG). Dawn will be presenting a thought-leader keynote titled “Leadership in Uncertain Times” at Ivalua NOW, the premier virtual event for procurement leaders, on May 5. During our interview, she shared with us her thoughts about how leaders must draw on different skills and traits when unexpected circumstances arise, and how the COVID-19 pandemic is inspiring them to employ different leadership styles to unite and motivate employees.
Today, procurement leaders have a seat at the table in e-staff meetings. How has the role changed over the past few years?
It’s changed dramatically. In the past, we were seen as overhead, not as a strategic partner. Procurement teams were just buyers who delivered what other departments told them to buy. Organizations viewed procurement as the bottleneck between what they wanted and when they received it. In reality, procurement sees all the waste and redundancy that exists in the supply chain, and has a significant impact on a business’s bottom line.
Aurelie Teyssier, Sr. Director of Marketing, Americas
In highly regulated industries, there are seemingly endless regulatory and compliance requirements and activities, and they often are inseparable from the underlying risk management activities themselves, including those for third parties.
Since the 2008 financial crisis, the U.S. has arguably become the most complex and costly jurisdiction for regulatory compliance. An article published by the World Economic Forum on enterprise risk management points out that banks are “less experienced with non-traditional threats such as cyber risk, strategic risk, operational risk, regulatory risk and legal risk. Making matters trickier, these risks aren’t easily quantified.” The authors also note that “the growth in such risks is virtually unprecedented in the history of banking. This puts a premium on firms’ abilities to make connections and to recognize the complex whole is far greater than the sum of its parts.”
The financial services sector leads the pack in terms of the amount of regulation it is subject to, including the compliance challenges, regulations and laws in near and far-flung jurisdictions, as well as the cost and complexity of compliance, risk management and governance practices. This sector is not alone in the endless struggle to balance costs and compliance. Healthcare, oil and gas, and the tech sector are also struggling with the cost and complexity of managing sector-specific risks and compliance.