I have decided to partake in the certification of the C3PRMP course by SIG University as I have a growing passion for the topic of third-party risk management. I have learned various aspects of vendor risk management, which includes the types of risk, how to identify risks and their remediation plan, the importance of RACI and the role of various stakeholders, industry trends, and best practices. The list will go on. With this in-depth knowledge gained via this course, I can demonstrate a high proficiency level in the topic I am most passionate about. This will help me help my clients and my company in the future.
One of the topics that can be deemed simple and self-explanatory but possesses a high value is reputational risk. In this article, I would like to dive deep into the topic of reputational risk and discuss its implications and how to apply the knowledge gained from this course in an organization.
Meshkat Rahman, Senior Consultant in Risk Advisory, Deloitte
SIG University Certified Sourcing Professional (CSP) program graduate Heather Frazer discusses how TCO is a great tool that will help capture the entire potential for cost savings and risk and how it is increasingly important for procurement organizations to secure reliable data.
Heather Frazer, Procurement Specialist, Blue Cross Blue Shield of Tennessee
SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Steve Williams provides a look through Johari’s Window, and how knowing what we know and don’t know can unlock our understanding of a company’s risk profile while supporting it through negotiated contracts and governance.
Procurement is such an interesting field because so many companies do it differently. This is especially true in the area of third-party risk management and the role that procurement practitioners play in that area, and I submit that most practitioners could be doing more to support their organizations when it comes to managing third-party risk, from understanding the company’s risk profile, to helping stakeholders and business owners identify risk, to being part of the solution in terms of mitigating or preventing known risks.
To lean on Johari’s Window, I believe many practitioners sit in the “you don’t know what you know” or “you don’t know what you don’t know” spaces. The pendulum needs to shift drastically, and as procurement professionals we need to know what we know and know what we don’t know more than anything else – but how do we get there? Surely this is not something that happens overnight, and developing the knowledge required to assess and address third-party risk at a company takes time during the employee onboarding process and consistently throughout their career.
Steve Williams, Technology Procurement Manager, REI
SIG University Certified Supplier Management Professional (CSMP) program graduate Samantha Peters explains the objectives, strategies, and collaboration necessary to achieve supplier relationship compatibility.
Across many organizations, there is an outstanding need to baseline what, if any, activities are taking place to manage third-party due diligence proactively. From my specific experience, Procurement's role is only sometimes well established and often has limited involvement in third-party risk management. The lack of engagement with the Procurement team introduces unnecessary risk and exposure for an organization.
Incorporating Procurement in third-party risk management and analysis will increase visibility, broaden awareness, and reduce risk by ensuring consistent sourcing, contracting controls, management, and monitoring processes. The standard practice for most Procurement teams includes evaluating new third parties, facilitating the sourcing and contract negotiations, and primarily being responsible for ensuring appropriate terms are in place. However, without a clearly defined path of communication and standardized processes, there's still potential for the organization to be exposed to unknown risks when bringing on a new critical third.
Anna Sgro, Procurement Category Manager of IT, Maxar
SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Shani Richards shares how this course has opened her eyes to the inherent risks associated with not having a solidified third-party risk management system in place.
Large, fast-growing multinational companies involving multiple mergers & acquisitions will often have many disparate processes in place to manage third-party risk. There may be programs developed by individual group companies or parts of the group to meet general procurement needs. Corporate functions such as Privacy, Information Security, Corporate Social Responsibility, or Anti-Corruption may have developed customized programs to meet regulatory requirements or address audit findings. Other programs may have been driven by the need to respond to vulnerabilities arising from macroeconomic events: systemic risks in the financial market, or the impact of Covid on the viability of cross-border supply lines. The multiple languages and cultures add a layer of complexity.
A root and branch review may enable the business to simplify processes, strip out unnecessary costs and duplication and ensure that the key risks are appropriately overseen proportionately. The approach must be focused on the return on investment to make it easier to justify and obtain necessary resourcing.
But where to start?
It is tempting to jump in and start solving the problem before it is well understood. But do not rush.
First - Remember to Reinvent the Wheel.
Nathan Coffey, Senior Vice President of Privacy & Compliance, Teleperformance
SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Lokesh Bhatnagar provides descriptions to determine which 4th parties are material, and how to incorporate them into the post-contract phase in the lifecycle as well as effective risk monitoring and oversight.
In the increasingly interconnected global economy, organizations depend on third-party vendors and service providers to maintain efficient, competitive supply chains. Effective third-party risk management (TPRM) is vital to safeguard organizations against financial, operational, and reputational damage. However, many TPRM strategies often overlook the risks posed by fourth-party subcontractors, particularly those that are material to the organization.
Understanding Materiality in Fourth-Party Risk
Before delving into the management of fourth-party risk, it is essential to grasp the concept of materiality. A material subcontractor is one whose failure or poor performance could significantly impact an organization's operations, reputation, or regulatory compliance. Factors contributing to a subcontractor's materiality include:
Sensitive data handling: Assess the risk associated with subcontractors managing confidential information, as they pose a higher risk of data breaches or misuse.
Impact on third-party service delivery: Evaluate how a subcontractor's performance could impair a third party's ability to deliver contracted products or services, possibly leading to operational disruptions.
Lokesh Bhatnagar, Senior Service Delivery Leader, American Express