I have decided to partake in the certification of the C3PRMP course by SIG University as I have a growing passion for the topic of third-party risk management. I have learned various aspects of vendor risk management, which includes the types of risk, how to identify risks and their remediation plan, the importance of RACI and the role of various stakeholders, industry trends, and best practices. The list will go on. With this in-depth knowledge gained via this course, I can demonstrate a high proficiency level in the topic I am most passionate about. This will help me help my clients and my company in the future.
One of the topics that can be deemed simple and self-explanatory but possesses a high value is reputational risk. In this article, I would like to dive deep into the topic of reputational risk and discuss its implications and how to apply the knowledge gained from this course in an organization.
Meshkat Rahman, Senior Consultant in Risk Advisory, Deloitte
SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Lokesh Bhatnagar describes how to determine which fourth parties are material, how to incorporate them into the post-contract phase of the lifecycle, and how to monitor and oversee their risk effectively.
In the increasingly interconnected global economy, organizations depend on third-party vendors and service providers to maintain efficient, competitive supply chains. Effective third-party risk management (TPRM) is vital to safeguard organizations against financial, operational, and reputational damage. However, many TPRM strategies overlook the risks posed by fourth-party subcontractors, particularly those that are material to the organization.
Understanding Materiality in Fourth-Party Risk
Before delving into the management of fourth-party risk, it is essential to grasp the concept of materiality. A material subcontractor is one whose failure or poor performance could significantly impact an organization's operations, reputation, or regulatory compliance. Factors contributing to a subcontractor's materiality include:
Sensitive data handling: Assess the risk associated with subcontractors managing confidential information, as they pose a higher risk of data breaches or misuse.
Impact on third-party service delivery: Evaluate how a subcontractor's performance could impair a third party's ability to deliver contracted products or services, possibly leading to operational disruptions.
Lokesh Bhatnagar, Senior Service Delivery Leader, American Express
Each business unit owns the risks associated with the contracts it decides to enter into. This is a fundamental principle built into third-party risk management (TPRM) programs. In large organizations, the program's success is highly dependent upon each business unit fulfilling its responsibilities.
The Business Unit Structure for Risk Management Success
The business unit needs to ensure it has a suitable organizational structure and resources to fulfill its third-party risk management program responsibilities. This includes having team members trained in specific competencies and sufficient capacity based on the level of risk associated with the business unit's third parties.
Once the contract is set, the business unit is responsible for the activities and tasks related to owning the relationship ("relationship management"), including communication, contract, performance, and risk management. Team members within a business unit who perform relationship management activities make up the largest internal population of people who should manage risk due diligence activities with third parties.
SIG University Certified Supplier Management Professional (CSMP) program graduate Adrienne Westerfield outlines how supplier governance programs and relationships are extremely beneficial to all stakeholders involved and can help drive business success.
What is a governance program? During the SIG University Certified Supplier Management Professional (CSMP) program, while learning unfamiliar governance terminology, I realized I had been involved with creating and establishing various types of governance throughout my career. Supplier governance is a relationship or framework that is mutually agreed upon. Both the company and the supplier benefit from this relationship. The framework can be at a corporate, business unit or contract level depending on the needs and value sought by both parties.
If it is an established relationship that has never been formalized, adding governance will ensure contract compliance. It will mitigate risks for both parties while making sure the objectives of the relationship are met. Over time, the goals of each company may change; the structure can then be re-evaluated and adjusted to align with a new direction or specific initiatives. A more structured governance framework will also define the roles and responsibilities for teams, departments and individuals at each company, which will mitigate the risk of any tasks remaining incomplete or being done incorrectly.
Adrienne Westerfield, Contract Administrator, Louisville Gas & Electric Company (LG&E)
SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Andrea Solano discusses how taking the C3PRMP program helped her to implement the framework for her team to operate as an optimal risk management and risk mitigation function across her department and enterprise-wide.
There are different types of workstreams and specializations that have been around a long time. However, the discipline of Third-Party Risk Management is something that is in the very beginning stages of inception. Currently, it is evolving into a discipline that many organizations will be implementing as a standard operating function in the Silicon Valley business sector I work in. In Silicon Valley, the term Third-Party Risk Management is still somewhat foreign and not understood as a critical and vital risk management function.
Third-Party Risk Management Function
The key role that I fulfill within the Third-Party Risk Management life cycle is in the due diligence process, which is the internal audit function that serves as a 2.5 – 3rd line of defense within my organization’s Risk Management Function. The SIG University Third-Party Risk Management training that I have taken throughout these past ten weeks has been highly instrumental for me. It will help create, build out, and develop an internal audit framework that will be customized to meet the needs of this brand-new Third-Party Risk Management function within my organization.
Andrea Solano, Global Security 3rd Party/Outsourced Audit Manager, Facebook
Before any organization can do business with an external vendor, it needs to examine its data privacy protocol against new legal requirements. Recent legislation such as the General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA) in the U.S. has cast a spotlight on the handling of consumer data, especially the way it is shared among third parties. Organizations of all sizes in every industry are upgrading their vetting processes to make sure that new vendors don’t bring additional risks.
These risk assessment processes contain several moving parts, and a mistake at any point along the way can jeopardize the result. The easiest way to pinpoint the holes in your organization's vendor vetting workflow is to review the entire process from beginning to end and examine the opportunities for data privacy lapses. Here are four common pitfalls to look for:
1. Overlooking Contract-level Details
Amid all the changes happening to the regulatory landscape, it’s easy to overlook errors in the language of your contracts. In a short window of time, contract language—on old and new agreements—needs to be updated to provide consumers with new legal protections and redefine business-to-business relationships with any party that touches consumer data. If contracts are being negotiated in that window, some terms might slip through the cracks and expose you to new risks.
Around the world, new regulations about the collection and usage of personal data are changing workflows for major organizations. Following the passage of legislation like General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA), businesses are auditing privacy practices and creating much stricter guidelines when they select partners and vendors.
With tighter regulations about the way consumer data is collected and used, organizations have to increase scrutiny for every party that has access to personal data. The entire system is only as secure as the weakest part, so it’s more important than ever to vet external parties and maintain visibility into their data practices. Here are eight vital steps organizations can take to ensure that vendors aren’t jeopardizing data privacy compliance.
Step 1: Audit Your Existing Data Privacy System
Before you do anything else, examine what’s currently in place to understand the changes that need to be made to maintain compliance with new regulations. You want to avoid reinventing the wheel and make adjustments without slowing down the business or adding risks.
After that self-examination, conduct the same check on your network of vendors. It’s imperative that you have a 360-degree understanding of vendors’ business practices and overall reliability before entering or continuing business relationships.
COVID-19 has created a ripple effect of disruption through supply chains across the world, causing many companies to assess their weak spots and reevaluate their operations to ensure future resiliency and continuity.
Rebounding from the current crisis with stronger resilience is itself creating immense value. Forward-thinking companies are looking a step further, perhaps with the climate crisis clearly in view. They are leveraging sustainability and purpose, creating long-term value across a wide range of business levers: competitive differentiation, sales revenue growth, supplier innovation to support future circular business models, and talent recruitment and retention.
Procurement’s Key Role in Turning Purpose into Profit
With momentum growing toward stakeholder capitalism, businesses have made a greater commitment to sustainable purpose through reducing emissions of greenhouse gas, limiting plastic use, providing decent working conditions and more. The recent COVID-19 pandemic has brought risk mitigation and resiliency top-of-mind – and we’re seeing clear proof points that sustainable procurement is the answer.
SIG is always asking our event attendees, current and future members, and readers about their current issues and concerns. I have been tracking and analyzing their responses for almost 10 years now. While cost savings and value-add remain consistent and strong priorities, there's no doubt many are very concerned about meeting pandemic-related needs.
We are blessed to have a community of thought leaders and generous, experienced professionals who are willing to share their experiences and describe their wins.
We offer the following resources in your quest for COVID-19 related items specific to sourcing, procurement, and workforce management. SIG members can continue to search for related articles here.
In the resources listed here, you can learn how to set up a crow's nest and a war chest, hear how Sprint/T-Mobile are managing the crisis using AI for their spend analytics, find specific procurement best practices for today's market, see how technology enhances continuity in your workforce, and consider what happens if and when this is "all over." Plus, so much more.