SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Kyle Brown discusses the value proposition and responsibilities for the key players in an effective third-party risk management program.
Each business unit owns the risks associated with the contracts it decides to enter into. This is a fundamental principle built into third-party risk management (TPRM) programs. In large organizations, the program's success depends heavily on each business unit fulfilling its responsibilities.
The Business Unit Structure for Risk Management Success
The business unit needs to ensure it has a suitable organizational structure and resources to fulfill its third-party risk management program responsibilities. This includes having team members trained in the specific competencies required, and sufficient capacity based on the level of risk associated with the business unit's third parties.
Once the contract is set, the business unit is responsible for the activities and tasks related to owning the relationship ("relationship management"), including communication, contract, performance, and risk management. Team members within a business unit who perform relationship management activities make up the largest internal population that should be managing risk due diligence activities with third parties.
The challenge is that relationship management might not be their core competency. It might be peripheral to their defined job description; there may be a lack of alignment with business unit executives on the importance of these activities; or they may have insufficient data and knowledge about the operational aspects of the contracts they own. For third parties segmented in the critical and high segments, the business unit should assign dedicated resources to manage the relationships.
Managing Business Unit Resources
For third parties segmented in the medium and low segments, activities and tasks can be dispersed to individuals who conduct relationship management as a secondary function, or who are not part of the dedicated team managing the critical and high segments.
At the enterprise level, the third-party risk management program needs to define the activities and tasks, their cadence, and whether they are mandatory or recommended practices. A centralized shared services function, such as a TPRM team, can offer the following:
- Processes, tools and guidance to drive mandatory and recommended activities across each Business Unit
- Continuous improvements of the enterprise life cycle
- Centralized assessments for the critical and high segmentation tiers, such as service auditor report reviews (e.g., SOC 2), media alert monitoring, financial stability assessments, and insurance verification
- Reporting to the board of directors on enterprise-critical third parties; and
- Operational administration of enterprise software that supports the end-to-end life cycle
Relationship management is best owned and performed by the accountable business unit, so that responsibility sits with accountability. Leading practices recommend keeping this responsibility within the business unit rather than centralizing relationship management as an enterprise shared service. Some of the relationship management activities within each business unit are as follows:
Business Unit: Accountable Executive
- Owns the decision to enter into a contract with a third party;
- Owns the risks associated with the third party;
- Accountable for the overall relationship, including management and monitoring activities, and for managing the capacity of third-party relationship managers; and
- Communicates the business strategy to the third party
Business Unit: Third-Party Relationship Manager
- Communication Management: day-to-day interactions with the third party, alignment of objectives, escalations, and building the business relationship between both organizations;
- Risk Management: responsible for managing the risks associated with the third party;
- Performance Management: ensures operational outcomes are met; responsible for escalating issues and incidents, and reporting deteriorating performance; and
- Contract Management: ensures terms and conditions are current and that all parties meet their obligations; reviews and approves invoices, ensuring value for money and awareness of aggregate spend against the contract.
The Different Organizational Structures of Risk Business Units
In large organizations with multiple business units, it is common for more than one business unit to share ownership of a contract and the corresponding risks. In these situations, a team representing key stakeholders from each applicable business unit can be formed to serve as the relationship management team.
In organizations that have matured their third-party risk management programs, the third-party relationship managers within business units can rely upon a set of enterprise tools, processes, and technology that enable them to be effective and efficient in their roles. This is where an appropriately staffed shared services team can add a lot of value to the organization.
Such a team drives continuous improvement across all business units and elevates the collective capabilities of the enterprise. It does this by designing the enterprise programs and the toolkit that enable the business units to meet their responsibilities.
The following are some techniques that third-party risk management teams can use to help build relationship management capabilities within each business unit:
- Create an enterprise third-party strategy that sets the tone at the top of the organization regarding the relevance of third parties to long-term strategic plans;
- Establish clarity around the roles and responsibilities that business units are expected to perform. Include mandatory and recommended activities and tasks either in a third-party relationship management framework or embedded within the third-party risk management framework. Update or create the corresponding policies as needed;
- Encourage internal audit to conduct audits against the third-party relationship management framework or third-party risk management framework;
- Work closely with internal audit by sharing the segmentation list of third parties that each business unit is accountable for. Encourage internal audit to test, through regular audit cycles, the activities and tasks the business unit should be performing; and
- Collaborate with the human resources department to create or update job profiles. Request a review of resourcing adequacy within each business unit, specific to the responsibilities that business unit holds, and support requests for additional employees where feasible.
In closing, each business unit's risk exposure to third parties will vary. However, applying some of the above approaches can elevate enterprise-wide capabilities in third-party risk management.
SIG University's Certified Third-Party Risk Management Professional (C3PRMP) program is a globally recognized certification that is the “gold standard” in terms of relevance, scope and content. The C3PRMP program was created by Linda Tuck Chapman, an advisor, educator, author and expert.
As the Managing Director of the Third-Party Risk Management team at ATB Financial, I'm responsible for overseeing the execution of the third-party risk management program and its adoption across the enterprise. ATB Financial is based in Alberta, Canada, and has 5500 Team Members and $1.8 billion in operating revenue.