Updating A Third-Party Risk Management Program


SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Nathan Coffey discusses the process of updating a Third-Party Risk Management program and the benefits it can bring.

Large, fast-growing multinational companies that have been through multiple mergers and acquisitions will often have many disparate processes in place to manage Third-Party Risk. There may be programs developed by individual group companies, or parts of the group, to meet general procurement needs. Corporate functions such as Privacy, Information Security, Corporate Social Responsibility, or Anti-Corruption may have developed customized programs to meet regulatory requirements or address audit findings. Other programs may have been driven by the need to respond to vulnerabilities arising from macroeconomic events, such as systemic risks in the financial market or the impact of Covid on the viability of cross-border supply lines. Multiple languages and cultures add a further layer of complexity.

A root-and-branch review may enable the business to simplify processes, strip out unnecessary cost and duplication, and ensure that the key risks are overseen in proportion to their significance. The approach must be focused on the return on investment, which makes it easier to justify and obtain the necessary resourcing.

But where to start?

It is tempting to jump in and start solving the problem before it is well understood. But do not rush.

First - Remember Not to Reinvent the Wheel.

It is tempting to think your problems are unique. But, like many areas of compliance, the key lesson is not to reinvent the wheel. Some highly regulated sectors have already had to learn what works and what does not. For experienced compliance practitioners, the general concepts should be clear and well understood. The key difference from other compliance programs is that it is not possible to directly manage the control environment within the Third-Party: the Third-Party's controls must be overseen rather than directly managed.

The immediate priorities of the job often leave little headspace to reflect and plan. This is where external study can help, not just the direct teaching but the articles and reference materials. Essays and research from other practitioners can help to shape ideas and provide the supporting material needed for discussions with key stakeholders. Benchmarking programs help when arguing for resources and business attention. Leveraging existing governance frameworks, and seeing how others have applied them to the Third-Party space, saves time. In short, taking the time to understand the experience of others pays dividends.

Second - Do Your Due Diligence and Planning

Spend time identifying what processes are currently in place and where the gaps are. 

  • Are Vendors and Non-Vendor Third-Parties identified?
  • Are the key risks clearly understood? 
  • Are the critical controls in place?
  • Are the rules in place still adequate, and does the risk justify them? (or should they be replaced or withdrawn)  
  • Are roles and responsibilities clear? 
  • Do those responsible have the necessary skills?
  • Could a different structure reduce duplication and increase efficiency?  
  • What processes work well and could be leveraged?  
  • Who are the key stakeholders, and do you understand their needs and goals?
  • Is reporting effective, and are the key messages easy to digest?

Vendor Third-Parties are relatively easy to identify. Larger-scale Vendors will usually go through some procurement function, and their invoices are identifiable through accounts payable. However, some types of Third-Party Risk may be less well understood, or less visible, to the business. This is particularly the case for some kinds of Non-Vendor Third-Parties.

Non-Vendor Third-Party relationships are typically acquired directly by a business line or segment, not through the procurement function. Financial remuneration, if applicable, is typically paid outside of accounts payable processes. These Third-Party relationships may be managed solely by a business line or segment, or in conjunction with a corporate Third-Party risk management function. Non-Vendors include charities, sponsorships, joint ventures, agents, affinity members, and trade associations. Because they are managed directly by business lines, Non-Vendor Third-Parties may only become visible once something goes wrong. The adequacy of controls and oversight can be inconsistent, and it is more challenging to leverage the experience of the critical risk experts. Non-Vendor Third-Parties are therefore a key potential risk area.

Once it is clear where the gaps lie, it is crucial to work out how to articulate the critical focus of the program in a meaningful way to the board and senior management. Pulling together the existing programs and taking the best parts of each helps to retain and benefit from enterprise experience. Process mapping makes it possible to highlight inconsistencies and duplication visually.

Categorizing Third-Parties based on how much impact they could have on the business if something went wrong helps to focus minds. For instance, rank them into four simple Tiers: Tier 1 Enterprise Critical, Tier 2 Highly Critical, Tier 3 Medium Criticality, and Tier 4 Low or Insignificant Criticality. Then focus first on Tier 1 and Tier 2 Third-Parties, with a lighter-touch approach for Tiers 3 and 4. A logical, explainable approach makes it an easier sell to the business. Considering early on what technology can facilitate the workflow, and making the process flexible and scalable, will save pain later. Having a Risk Committee or another body to help focus the discussion and track progress helps to maintain momentum and future oversight.

It is a challenging task, but the potential value added can be significant. Courage!

SIG University's Certified Third-Party Risk Management Professional (C3PRMP) program is a globally recognized certification that is the “gold standard” in terms of relevance, scope and content. The C3PRMP program was created by Linda Tuck Chapman, an advisor, educator, author and expert.


Nathan Coffey, Senior Vice President of Privacy & Compliance, Teleperformance

Data Protection Officer, compliance and risk professional with strong management experience and a focus on team development. Expertise in leading at global and EMEA level, designing and implementing privacy, compliance & risk programs. Wide understanding of privacy laws, with specialisms in GDPR, ISO27701 and cross-border privacy challenges.

Providing pro-active, pragmatic advice at both a tactical and strategic level to boards and senior management. Expertise in finding and driving creative solutions to complex challenges in high-pressure environments with multiple stakeholders.

Barrister/Solicitor Advocate, 20 years PQE. Specialisms: EMEA - Privacy - Data Protection - Big Data - Compliance - Labour - Risk. IAPP certified: FIP (Fellow Information Profession), CIPP, CIPT, CIPM, CIPPE.