When I first registered for this course, I wasn’t exactly sure what to expect. I initially thought I would learn a lot of things that I was completely unaware of. I was pleasantly surprised to see that I was learning the “why” behind the changes my organization has been implementing over the past two years.
This course took me deeper into what I need to know to be a successful third-party risk management professional (TPRMP). I will discuss how my organization has evolved, how it has impacted me, and how this course helped me see how I can grow more effectively through these changes.
Evolving into Third-Party Risk Management
My journey as a TPRMP started four years ago. At that time, we were known as Vendor Relationship Managers. My job was to perform the ongoing monitoring task. At that time, I did not know that I was performing a TPRM function under the Enterprise Third-Party Risk Management Framework (ETPRM).
It wouldn’t be until two years into my role that ETPRM was introduced to us. I remember being told that things were changing, and my role was going to evolve quickly. My leadership team was not kidding! Not only have I have learned more than I ever imagined, but my role has also significantly changed during this time.
Implementing the Enterprise Third-Party Risk Management Framework
The change to my role is largely due to heightened regulatory requirements that my organization has put in place. We were never really that “big” to have all eyes on us. Due to our significant growth over the past several years, we are now seen as a large financial institution.
The Relationship Manager is the first line of organizational defense, tasked with ownership of relationships and risks. The overall accountability of these risks, the performance and the cost management for the supplier through the life of the relationship are also key focus points.
I will discuss how the Relationship Manager (RM) functions as the nucleus of Third-Party Risk Management (TPRM) activities for a supplier with the following points.
Provides Information for Reviews and Decides on Risk Acceptance for a Third Party
It is understood that the liability of our third parties is ultimately ours. This means that the liability of the third parties of our third parties (i.e., our subcontractors) also becomes ours. An effective framework in which risk is indicated and mitigated is essential for our suppliers and subcontractors.
In such a framework, exit strategies and termination processes are set in place for cases in which the risk cannot be mitigated or when a contract needs to be terminated. These are defined by the Relationship Manager, who provides information on the supplier and finds out if there are subcontractors involved. Responses provided will trigger due diligence risk areas for information from the supplier.
Once the relationship is fully defined and risks are highlighted, it is the responsibility of the Relationship Manager to determine whether or not to accept the risk and contract with the supplier.
Third-party risk management in the financial industry requires careful consideration when developing an operating model. It is essential to consider the regions and regulations that govern. In most of the banking industry, your internal risk culture allows you to easily implement a third-party risk program that methodically measures inherent risk, provides time to assess third party controls and negotiates contracts that enforce controls and mitigates residual risk.
Internal vs. Third-Party
The internal risk culture changes once you enter the world of capital markets where decisions are made quickly, risk is a way of life and patience is a rare quality. Now add the risk of a trade execution platform failing during a stock market dive and counterparties not having the ability to trade for several hours. The outage would be noticed and gain publicity, potentially causing Regulators to investigate. Should this occur and the necessary due diligence steps that would have highlighted this vulnerability were skipped, the repercussions could be costly. Your firm's reputation would be at stake and you most likely will face regulatory scrutiny that could result in fines. Striking a balance between satisfying your firm's need to generate revenue and mitigate third-party risk is an interesting challenge. If your operating model is too slow and cumbersome, your business will most likely attempt to circumvent the process. Careful consideration needs to be taken when aligning your control assessments to the true inherent risk.
Certified Professional Accountants (CPAs) who are looking to earn Continuing Professional Education (CPE) credits to maintain their licenses can improve their knowledge in third-party risk management by enrolling in SIG University’s Certified Third Party Risk Management Professional (C3PRMP) program.
SIG was recently approved by the National Association of State Boards of Accountancy (NASBA) on the National Registry of CPE Sponsors. CPAs and equivalent designations who enroll in the CPE-track of SIG University’s Certified Third Party Risk Management Professional (C3PRMP) program can receive 66 CPE credits and graduate with a strong knowledge base of third-party risk management best practices that can be implemented immediately.
CPAs are in possession of highly sensitive client data that cybercriminals and other bad actors could exploit. This program touches on all areas of operational risk, including cyber, business resilience, financial, technology and reputational risk. Anyone who is serious about investing in their team and protecting the wider enterprise will benefit from the program’s focus on governance and oversight best practices, controls and board reporting with a view from the top.
Business today isn’t business as usual, as the COVID-19 pandemic impacts organizations and supply chains across the globe. And in uncertain times such as these, leaders in every industry and business function must step up. New leadership skills and traits will be necessary to ensure business continuity, and to inspire teams to work together to support each other and remain productive.
We recently interviewed Dawn Tiura, President and CEO of Sourcing Industry Group (SIG). Dawn will be presenting a thought-leader keynote titled “Leadership in Uncertain Times” at Ivalua NOW, the premier virtual event for procurement leaders, on May 5. During our interview, she shared with us her thoughts about how leaders must draw on different skills and traits when unexpected circumstances arise, and how the COVID-19 pandemic is inspiring them to employ different leadership styles to unite and motivate employees.
Today, procurement leaders have a seat at the table in e-staff meetings. How has the role changed over the past few years?
It’s changed dramatically. In the past, we were seen as overhead, not as a strategic partner. Procurement teams were just buyers who delivered what other departments told them to buy. Organizations viewed procurement as the bottleneck between what they wanted and when they received it. In reality, procurement sees all the waste and redundancy that exists in the supply chain, and has a significant impact on a business’s bottom line.
Aurelie Teyssier, Sr. Director of Marketing, Americas
Outlined here is information about the upcoming changes and benefits of your C3PRMP designation, as well as a profile of our students.
What is different about SIG University’s C3PRMP program in 2020?
In January, the duration of SIG University's C3PRMP program was extended from eight weeks to 10 weeks. Multiple-choice review questions at the end of each module will test all students’ knowledge and require a minimum passing score of 80%.
Members of the Global Association of Risk Professionals (GARP) will continue to earn 20 Continuing Professional Development (CPD) credits, GARP’s highest award for a continuing professional development program.
In highly regulated industries, there are seemingly endless regulatory and compliance requirements and activities, and they often are inseparable from the underlying risk management activities themselves, including those for third parties.
Since the 2008 financial crisis, the U.S. has arguably become the most complex and costly jurisdiction for regulatory compliance. An article published by World Economic Forum on enterprise risk management points out that banks are “less experienced with non-traditional threats such as cyber risk, strategic risk, operational risk, regulatory risk and legal risk. Making matters trickier, these risks aren’t easily quantified.” The authors also note that “the growth in such risks is virtually unprecedented in the history of banking. This puts a premium on firms’ abilities to make connections and to recognize the complex whole is far greater than the sum of its parts.”
The financial services sector leads the pack in terms of the amount of regulation it is subject to, including the compliance challenges, regulations and laws in near and far-flung jurisdictions, as well as the cost and complexity of compliance, risk management and governance practices. This sector is not alone is the endless struggle to balance costs and compliance. Healthcare, oil and gas, and the tech sector are also struggling with the cost and complexity to managing sector-specific risks and compliance.
Jai Chinnakonda, co-founder of a provider technology start-up, enrolled in SIG University's Certified Third Party Risk Management Professional (C3PRMP) program to learn how he can better serve his clients by gaining a more thorough understanding of third-party risk management best practices.
In the C3PRMP program, students focus on best and emerging practices to identify, assess, manage and control third-party risk throughout the lifecycle of relationships, and learn how to align risk fundamentals and frameworks with risk culture to develop the essential tools and controls for effective governance.
The digital age is seeing an increased dependence on third-party service providers of varying sizes – including start-ups – to meet the challenges of technological innovation, cost, demand for service excellence and heightened competition.
Organizations are often locked in a love-hate relationship with their vendors as they struggle to meet expectations, sometimes both ways. In today’s digital journey, no organization can thrive on its own. To create true value for your organization and help meet business objectives, your organization will need to build a lasting relationship with your third parties. Organizations will need to adopt the art and science of engagement.
The business ecosystem is experiencing a fundamental shift. Organizations are moving away from purely cost-savings partnerships to value-generating risk-sharing partnership models. As the third-party ecosystem grows, the ability to manage and govern third parties is becoming more critical to success.
What’s keeping you up at night? CPOs today are under continued pressure to reduce costs and find new sources of value – and of course, manage risk.
At the same time, CPOs want to become more strategic advisors to the business. We’ve found the perfect opportunity to help you achieve those goals and more.
As a CPO, you probably manage millions of dollars’ worth of spend on services. Think of all the money your company spends on consultancies, IT services providers, marketing agencies, law firms, accounting firms, facilities management companies and more. These services providers operate across the enterprise, perform vital work and deliver enormous value.
You manage the contracts and rates for these services, but beyond that, how much attention do you pay to that spend? Do you know whether these services providers are delivering high-quality work? Do they hit deadlines? Is your business getting good value for money?
Most of us are guilty of under-managing services providers. That’s one of the key findings from a groundbreaking new research study published by SAP Fieldglass in collaboration with Oxford Economics, titled Services Procurement Insights 2019: The Big Reveal.
Growing economic uncertainty, geopolitical unrest, and emerging cyber threats mean that security and risk management are now critical boardroom priorities. If that weren’t enough, businesses today are not only accountable for the factors that impact them directly, but they’re also responsible for those that impact their suppliers.
Take the recent Quest Diagnostics data breach as an example. Despite Quest’s strong internal cybersecurity infrastructure, the sensitive information of 11.9 million patients was hacked through a third-party billing vendor with subpar security standards. The lesson is clear: a company is only as safe as its weakest vendor.
Many organizations continue to manage suppliers, contracts, and procurement processes manually or with outdated, clunky technology that is too complicated for efficient use. These haphazard systems are, unfortunately, perfect harbors for risk, but there is tremendous opportunity here. According to a recent McKinsey & Company report, 56% of source-to-pay tasks could be “fully or largely automated using currently available technologies.”
While automation isn’t a cure-all, it does have the potential to drastically decrease overall risk. How? By reducing the “human factor” in supplier management and allowing sourcing employees to focus on more critical projects. In addition to putting risk mitigation at the forefront, automating supplier-related processes benefits businesses in these four key ways:
Chris Crane, Co-Founder, Product, Scout RFP, a Workday company