America’s love affair with e-cigarettes evaporated quickly as millions of users were recently confronted with unnerving news—their vapes could actually contain toxic chemicals powerful enough to be deadly.
The CDC issued words of caution on September 27, “Anyone who uses an e-cigarette or vaping product should not buy these products off the street.” The sentiment is clear—consumers need to avoid e-cigs from potentially shadowy manufacturers and distributors fed by an unregulated supply chain.
Duty to the Consumer
E-cig manufacturers have a responsibility to pinpoint precisely what in their products is harmful, just as distributers must be confident they are only carrying reputable items that are sourced through a responsible supply chain. Many vaping products have been found to contain illegal synthetic marijuana, even when consumers believed they were buying THC-free products such as CBD pods.
In an industry as young and unregulated as e-cigs, it’s not surprising an unknown health consequence was lurking on the horizon. Consumers had no idea what ingredients or manufacturers to be wary of because no one yet knew there was a concrete hazard.
Liz Mantovani, CSP, CSMP, C3PRMP, Director of Operations, SIG
SIG University’s Certified Third Party Risk Management Professional (C3PRMP) program is a globally recognized certification that is the “gold standard” in terms of relevance, scope and content. The C3PRMP program was created by Linda Tuck Chapman, an advisor, educator, author and expert, and is based on her experience and her book, Third Party Risk Management: Driving Enterprise Value (published by the Risk Management Association). You’ll soon learn that investing in the C3PRMP designation is an investment that will enhance your knowledge base and deepen your expertise.
Outlined here is information about the upcoming changes and benefits of your C3PRMP designation, as well as a profile of our students.
What changes are coming to SIG University’s C3PRMP program in January 2020?
In January 2020, the duration of SIG University's C3PRMP program will be extended from eight weeks to 10 weeks. Multiple-choice review questions at the end of each module will test all students’ knowledge and require a minimum passing score of 80%.
SIG University student Hanne McBlain enrolled in the Certified Third Party Risk Management Professional (C3PRMP) Program while working at Information Services Group. She shares what she learned from her own experience with a data breach and how she is taking a proactive approach to IT vendor risk management to mitigate future business disruptions.
In times of cost-cutting, vendor management functions that include third party risk are often the first to go or be significantly reduced. Many senior executives fail to see the value these functions bring and are usually happy to cover third party risk as part of a general risk function.
Stakeholder Support is Critical
I previously worked for an organization that prided itself on not relying on third parties for any critical functions. Redundancy was abundant and built into every platform, and on the surface, there was not much to worry about when it came to third party risk.
During my time there things started to change. We convinced the organization to implement a third party risk management framework. But with no experience in this area, we were fighting an uphill battle. We managed to win support and quickly implemented standard due diligence and on-going monitoring of critical suppliers. The business stakeholders generally regarded the added due diligence and tracking as unnecessary and bureaucratic.
Wow, who would have thought that I would leave a conference hosted by a supplier and feel better about the world and the impact we can have on it? That is exactly the way I felt not once, but twice, at SAP Ariba Live in Texas and in Barcelona. While I adore Tifenn Dano Kwan’s influencer team, particularly Amisha Gandhi, who is the Vice President of Influencer Marketing, and Gale Daikoku, the Global Communities and Ambassador Program Lead, the person who struck a chord most deeply with me was Padmini Ranganathan. She’s the Global Vice President of Sustainability and Risk with SAP Ariba. What first struck me as odd was the combination of “sustainability” and “risk” in her title.
Often when people think of sustainability, they think of one of these two definitions:
Daryl Hammett is COO and General Manager at ConnXus, a supplier management software company. Daryl completed the Certified Third Party Risk Management Professional (C3PRMP) program through SIG University. He shares how he is implementing the best practices he learned in the program to mitigate cybersecurity risk at ConnXus.
In the global supply chain landscape, cybersecurity threats are increasing exponentially. Fortune 500 companies’ sensitive information is leaked because hackers target their vendors and business partners, and organizations that might not be as secure as their corporate buyers. Every supplier and business partner can become an added risk. Working with global companies big and small, one of the most significant opportunities that I've observed is managing multi-tier suppliers and mitigating risk. We can support all our suppliers through secured technology and the principle of “unconditional procurement.”
Daryl Hammett, CSMP, CSP, C3PRMP, General Manager/Chief Operating Officer, ConnXus
When the future you expect never arrives and business predictions fall short of their mark, the culprit is—more often than not—bad or missing data. Procurement staff must ensure their data is accurate from start to finish so that their forecasts have the desired outcomes.
Idioms abound about how to tackle future challenges such as “past results do not guarantee future performance” or conversely, “those who do not learn history are doomed to repeat it.” We have all seen or heard these intuitive phrases. On the surface, they would seem to be at odds. In reality, they address two different concepts associated with using the past (data) to understand, predict and influence the future.
Similarly, when it comes to projects that involve the need for data, whether it is to predict sales to manage inventories or to train a system to automate a process, success hinges on having the right set of data to use as input to the decision making process. Today, where machines are often making decisions, the notion of “right set of data” becomes a lot harder to understand. This is because machines learn in a different way and the rationale for the output they produce is difficult to reconstruct.
Machines do not have the intuition or the critical reasoning that can help to elevate or discount one data point over another. Input data must be accurate, representative, and free from bias so here are some key guidelines about your data to help ensure successful projects:
1. Accurate Data. Having accurate data is essential because a machine can learn on both accurate and inaccurate data, but only accurate data provides the desired results: a machine that provides output, which is reliable.
Greg Council, Vice President of Product Management, Parascript
As a Director in SC&H Group’s Contract Compliance Audit Services practice, Patrick has a few key professional motivations with all of his clients: increasing third-party transparency, optimizing supplier relationships, and improving governance. He works with Fortune 100 companies to evaluate contract compliance in categories such as marketing and advertising, contingent staffing, facilities management, construction, computer hardware/software, MRO, security, events, and office supplies. Projects under Patrick’s leadership have resulted in client savings of over $150 million in addition to practical control developments, valuable process improvements, enhanced earnings, and proven cost-savings initiatives. He is very passionate about helping to influence the operations and cultures of global enterprises, and one of his greatest professional achievements was being able to hand over a $1 million recovery check to his client.
It was the very best one-day event I have attended in my life! The Midwestern Regional SIGnature Event, held on March 6 at the Minneapolis Central Library, was attended by 66 extraordinary third-party risk management and sourcing professionals. Not only was the agenda amazing, but every speaker delivered insightful content and engaged the audience. At the Executive Roundtable, we had thoughtful conversations about many issues. Tom Lutz from U.S. Bank led a “day in the life” discussion that lasted almost 45 minutes because so many people wanted to discuss what he was doing, and it prompted other conversations as well.
In our opening session, Linda Tuck Chapman, a Sourcing Supernova Hall of Fame inductee, knocked it out of the park by delivering an interactive workshop on third-party risk management. People said that their two hours of training FLEW BY. When the group joined back together, we had an incredible presentation by Rohan Ranadive from BB&T about building an AI-powered digital workforce which prompted so many questions, I had to stop them to stay on agenda! Then we had an absolutely inspiring one-hour talk by Nancy Brooks, the CPO of Best Buy. Nancy shared that she had declined previous invitations to speak, because she doesn’t care for speaking engagements, but she agreed to speak at SIG’s event because she had a story that needed to be shared about her team. We are thrilled that she joined us. She engaged everyone with Best Buy’s story the entire time and Nancy’s team was so proud to be there.
Hundreds, thousands, or even tens of thousands of third parties power your company every minute of every day, in all your markets and geographies, for every product and service. Third parties are everywhere, in virtually every part of your business. You have less control over third parties than over your internal operations, so getting this right is essential for your company’s success.
Third-party relationships are complicated. But the “right” third parties, if thoughtfully evaluated, managed and controlled, deliver what you contracted for and serve up many opportunities to be better. Better means new products, services and markets. Better means access to specialized top talent, processes and technology. Better means less risk.
Unfortunately, risk is everywhere and even though technology is advancing in leaps and bounds, operational ecosystems are growing more complex every day. Consequently, risk events, cyber attacks, fraud, data corruption and privacy breaches are becoming commonplace, and are too often the fault of a careless third party. The proliferation of third-party relationships and new technologies means that it’s hard for companies to stay on top of third-party risks, and even harder to implement effective controls, monitoring and oversight.
A New Discipline
Management of third-party risk is a relatively new discipline – involving a new set of skills, rigorous methodologies, well-crafted tools and advanced technologies. But proactive professionals need to learn the language of risk and learn it quickly because everyone is now a risk manager and everyone is responsible for effective and efficient risk management, particularly for critical third parties.
Linda Tuck Chapman, Third Party Management advisor, author, popular speaker & President, Ontala
Keynote speakers, thought leaders and industry publications show no signs of slowing when it comes to evangelizing the benefits of the supply chain’s digital transformation. With its promises to save you time and money, the market has exploded with offerings of cloud-based solutions, IoT devices and a legion of outsourced practitioners who can make all of your spend visibility and risk management dreams come true. But for all the benefits touted, what is often left out of the conversation is the topic of security, especially as it relates to third-party vendors.
The Path of Least Resistance
As hackers become cleverer in their approaches, they’ve moved from directly attacking large organizations to exploiting vulnerabilities and penetrating third-party cloud software, apps and IoT devices to implant malware directly into the software or steal login credentials. “The challenge with supply chains is that they are multifaceted and there are many places where a hacker can enter,” says Brandon Curry, Senior Vice President with NTT Communications. Curry, who is also a Certified Ethical Hacker, frequently reports on trends in cloud and supply chain software security. He notes that the top cost of a supply chain breach is legal and reputational costs, with software supply chain attacks costing an average $1.1 million per attack globally.
Compromised software is one of the primary causes of supply chain software breaches, and the damage isn’t limited to grabbing customer credit card numbers or personally identifiable information (PII). Hackers are also looking to steal intellectual property, mine your customer base, counterfeit your product and take over your market share.
How a Tainted Supply Chain Spelled Disaster for the e-Cig Industry
America’s love affair with e-cigarettes evaporated quickly as millions of users were recently confronted with unnerving news—their vapes could actually contain toxic chemicals powerful enough to be deadly.
With 12 confirmed deaths and more than 800 people sick with a mysterious lung illness, tainted THC-infused vape products appear to be the culprit. Unchecked systemic risk combined with a complex supply chain has jolted the e-cig business.
The CDC issued words of caution on September 27, “Anyone who uses an e-cigarette or vaping product should not buy these products off the street.” The sentiment is clear—consumers need to avoid e-cigs from potentially shadowy manufacturers and distributors fed by an unregulated supply chain.
Duty to the Consumer
E-cig manufacturers have a responsibility to pinpoint precisely what in their products is harmful, just as distributers must be confident they are only carrying reputable items that are sourced through a responsible supply chain. Many vaping products have been found to contain illegal synthetic marijuana, even when consumers believed they were buying THC-free products such as CBD pods.
In an industry as young and unregulated as e-cigs, it’s not surprising an unknown health consequence was lurking on the horizon. Consumers had no idea what ingredients or manufacturers to be wary of because no one yet knew there was a concrete hazard.