In highly regulated industries, there are seemingly endless regulatory and compliance requirements and activities, and they often are inseparable from the underlying risk management activities themselves, including those for third parties.
Since the 2008 financial crisis, the U.S. has arguably become the most complex and costly jurisdiction for regulatory compliance. An article published by World Economic Forum on enterprise risk management points out that banks are “less experienced with non-traditional threats such as cyber risk, strategic risk, operational risk, regulatory risk and legal risk. Making matters trickier, these risks aren’t easily quantified.” The authors also note that “the growth in such risks is virtually unprecedented in the history of banking. This puts a premium on firms’ abilities to make connections and to recognize the complex whole is far greater than the sum of its parts.”
The financial services sector leads the pack in terms of the amount of regulation it is subject to, including the compliance challenges, regulations and laws in near and far-flung jurisdictions, as well as the cost and complexity of compliance, risk management and governance practices. This sector is not alone is the endless struggle to balance costs and compliance. Healthcare, oil and gas, and the tech sector are also struggling with the cost and complexity to managing sector-specific risks and compliance.
Jai Chinnakonda, co-founder of a provider technology start-up, enrolled in SIG University's Certified Third Party Risk Management Professional (C3PRMP) program to learn how he can better serve his clients by gaining a more thorough understanding of third-party risk management best practices.
In the C3PRMP program, students focus on best and emerging practices to identify, assess, manage and control third-party risk throughout the lifecycle of relationships, and learn how to align risk fundamentals and frameworks with risk culture to develop the essential tools and controls for effective governance.
The digital age is seeing an increased dependence on third-party service providers of varying sizes – including start-ups – to meet the challenges of technological innovation, cost, demand for service excellence and heightened competition.
Organizations are often locked in a love-hate relationship with their vendors as they struggle to meet expectations, sometimes both ways. In today’s digital journey, no organization can thrive on its own. To create true value for your organization and help meet business objectives, your organization will need to build a lasting relationship with your third parties. Organizations will need to adopt the art and science of engagement.
The business ecosystem is experiencing a fundamental shift. Organizations are moving away from purely cost-savings partnerships to value-generating risk-sharing partnership models. As the third-party ecosystem grows, the ability to manage and govern third parties is becoming more critical to success.
What’s keeping you up at night? CPOs today are under continued pressure to reduce costs and find new sources of value – and of course, manage risk.
At the same time, CPOs want to become more strategic advisors to the business. We’ve found the perfect opportunity to help you achieve those goals and more.
As a CPO, you probably manage millions of dollars’ worth of spend on services. Think of all the money your company spends on consultancies, IT services providers, marketing agencies, law firms, accounting firms, facilities management companies and more. These services providers operate across the enterprise, perform vital work and deliver enormous value.
You manage the contracts and rates for these services, but beyond that, how much attention do you pay to that spend? Do you know whether these services providers are delivering high-quality work? Do they hit deadlines? Is your business getting good value for money?
Most of us are guilty of under-managing services providers. That’s one of the key findings from a groundbreaking new research study published by SAP Fieldglass in collaboration with Oxford Economics, titled Services Procurement Insights 2019: The Big Reveal.
Growing economic uncertainty, geopolitical unrest, and emerging cyber threats mean that security and risk management are now critical boardroom priorities. If that weren’t enough, businesses today are not only accountable for the factors that impact them directly, but they’re also responsible for those that impact their suppliers.
Take the recent Quest Diagnostics data breach as an example. Despite Quest’s strong internal cybersecurity infrastructure, the sensitive information of 11.9 million patients was hacked through a third-party billing vendor with subpar security standards. The lesson is clear: a company is only as safe as its weakest vendor.
Many organizations continue to manage suppliers, contracts, and procurement processes manually or with outdated, clunky technology that is too complicated for efficient use. These haphazard systems are, unfortunately, perfect harbors for risk, but there is tremendous opportunity here. According to a recent McKinsey & Company report, 56% of source-to-pay tasks could be “fully or largely automated using currently available technologies.”
While automation isn’t a cure-all, it does have the potential to drastically decrease overall risk. How? By reducing the “human factor” in supplier management and allowing sourcing employees to focus on more critical projects. In addition to putting risk mitigation at the forefront, automating supplier-related processes benefits businesses in these four key ways:
Chris Crane, Co-Founder, Product, Scout RFP, a Workday company
While enrolled in SIG University's Certified Third Party Risk Management Professional (C3PRMP) Program, Wendy Hsu was able to immediately apply what she learned and contribute her expertise toward sourcing a third-party risk management tool to develop her organization's Third Party Risk Management Program.
In the C3PRMP program, students focus on best and emerging practices to identify, assess, manage and control third-party risk throughout the lifecycle of relationships, and learn how to align risk fundamentals and frameworks with risk culture to develop the essential tools and controls for effective governance.
In more ways than one, the learning opportunity with SIG University’s Certified Third Party Risk Management Professional (C3PRMP) program was more than coincidental. Earlier in the year, I had chosen the C3PRMP program to fulfill my 2019 Individual Development Plan objective. Little did I know that by July I would be fully engaged in assisting my manager to source a suitable third-party risk management tool and develop a project plan to implement our future Third Party Risk Management (TPRM) program. While the timing of my taking the certification program couldn’t be better, the challenges ahead of my company’s TPRM program (which will soon be called Key Vendor Management Program) couldn’t be greater given we are a young company still in the process of shaping our risk culture and standardizing our vendor review process.
Wendy Hsu, Sr. IT Procurement Consultant, Venerable
SIG University Certified Third Party Risk Management Professional (C3PRMP) Program graduate Cindy Lingerfelt works at Blue Cross Blue Shield of Florida. She shares what she’s learned about third-party risk management and how her small team plans to build a stronger risk culture.
In the C3PRMP program, students focus on best and emerging practices to identify, assess, manage and control third-party risk throughout the lifecycle of relationships, and learn how to align risk fundamentals and frameworks with risk culture to develop the essential tools and controls for effective governance.
I work for Blue Cross Blue Shield of Florida on the Procurement team. My sub-team, Supplier Management, is small and we wear many hats. We were the first in our organization to implement some standardization for how critical suppliers were managed by developing a segmentation questionnaire to tier our suppliers and worked with business owners to get all Tier 1 suppliers on performance scorecards. Our role was to provide standard formatted scorecards with a library of the most common KPIs, stationary, QBR templates and more.
Due to an incident with a supplier, the board made a directive that supplier risk should have a more explicit focus. A new team called Enterprise Risk Management was formed within Corporate Affairs/Internal Audit to address supplier risk and closely partner with Procurement on new suppliers and manage risk with our current supplier base.
Cindy Lingerfelt, C3PRMP, Sourcing Specialist, Florida Blue
America’s love affair with e-cigarettes evaporated quickly as millions of users were recently confronted with unnerving news—their vapes could actually contain toxic chemicals powerful enough to be deadly.
The CDC issued words of caution on September 27, “Anyone who uses an e-cigarette or vaping product should not buy these products off the street.” The sentiment is clear—consumers need to avoid e-cigs from potentially shadowy manufacturers and distributors fed by an unregulated supply chain.
Duty to the Consumer
E-cig manufacturers have a responsibility to pinpoint precisely what in their products is harmful, just as distributers must be confident they are only carrying reputable items that are sourced through a responsible supply chain. Many vaping products have been found to contain illegal synthetic marijuana, even when consumers believed they were buying THC-free products such as CBD pods.
In an industry as young and unregulated as e-cigs, it’s not surprising an unknown health consequence was lurking on the horizon. Consumers had no idea what ingredients or manufacturers to be wary of because no one yet knew there was a concrete hazard.
Liz Mantovani, CSP, CSMP, C3PRMP, Director of Operations, SIG
SIG University’s Certified Third Party Risk Management Professional (C3PRMP) program is a globally recognized certification that is the “gold standard” in terms of relevance, scope and content. The C3PRMP program was created by Linda Tuck Chapman, an advisor, educator, author and expert, and is based on her experience and her book, Third Party Risk Management: Driving Enterprise Value (published by the Risk Management Association). You’ll soon learn that investing in the C3PRMP designation is an investment that will enhance your knowledge base and deepen your expertise.
Outlined here is information about the upcoming changes and benefits of your C3PRMP designation, as well as a profile of our students.
What changes are coming to SIG University’s C3PRMP program in January 2020?
In January 2020, the duration of SIG University's C3PRMP program will be extended from eight weeks to 10 weeks. Multiple-choice review questions at the end of each module will test all students’ knowledge and require a minimum passing score of 80%.
SIG University student Hanne McBlain enrolled in the Certified Third Party Risk Management Professional (C3PRMP) Program while working at Information Services Group. She shares what she learned from her own experience with a data breach and how she is taking a proactive approach to IT vendor risk management to mitigate future business disruptions.
In times of cost-cutting, vendor management functions that include third party risk are often the first to go or be significantly reduced. Many senior executives fail to see the value these functions bring and are usually happy to cover third party risk as part of a general risk function.
Stakeholder Support is Critical
I previously worked for an organization that prided itself on not relying on third parties for any critical functions. Redundancy was abundant and built into every platform, and on the surface, there was not much to worry about when it came to third party risk.
During my time there things started to change. We convinced the organization to implement a third party risk management framework. But with no experience in this area, we were fighting an uphill battle. We managed to win support and quickly implemented standard due diligence and on-going monitoring of critical suppliers. The business stakeholders generally regarded the added due diligence and tracking as unnecessary and bureaucratic.
Wow, who would have thought that I would leave a conference hosted by a supplier and feel better about the world and the impact we can have on it? That is exactly the way I felt not once, but twice, at SAP Ariba Live in Texas and in Barcelona. While I adore Tifenn Dano Kwan’s influencer team, particularly Amisha Gandhi, who is the Vice President of Influencer Marketing, and Gale Daikoku, the Global Communities and Ambassador Program Lead, the person who struck a chord most deeply with me was Padmini Ranganathan. She’s the Global Vice President of Sustainability and Risk with SAP Ariba. What first struck me as odd was the combination of “sustainability” and “risk” in her title.
Often when people think of sustainability, they think of one of these two definitions:
RegTech and the Role of Third-Party Risk Management
In highly regulated industries, there are seemingly endless regulatory and compliance requirements and activities, and they often are inseparable from the underlying risk management activities themselves, including those for third parties.
Since the 2008 financial crisis, the U.S. has arguably become the most complex and costly jurisdiction for regulatory compliance. An article published by World Economic Forum on enterprise risk management points out that banks are “less experienced with non-traditional threats such as cyber risk, strategic risk, operational risk, regulatory risk and legal risk. Making matters trickier, these risks aren’t easily quantified.” The authors also note that “the growth in such risks is virtually unprecedented in the history of banking. This puts a premium on firms’ abilities to make connections and to recognize the complex whole is far greater than the sum of its parts.”
The financial services sector leads the pack in terms of the amount of regulation it is subject to, including the compliance challenges, regulations and laws in near and far-flung jurisdictions, as well as the cost and complexity of compliance, risk management and governance practices. This sector is not alone is the endless struggle to balance costs and compliance. Healthcare, oil and gas, and the tech sector are also struggling with the cost and complexity to managing sector-specific risks and compliance.
>>More from Linda Tuck Chapman -- Third Party Risk Management: An Opportunity for Procurement<<