SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Jessica Mckenzie provides an exceptional and readable display of the topics covered, making this complex topic accessible for practitioners and novices, and shares her common-sense advice with risk professionals.
As we experience an ever-growing expansion of business relationships worldwide, dependency on one another to ensure our day-to-day operations run smoothly has become increasingly apparent. We rely on third parties to expand the reach of our companies globally, improve customer experience, and build partnerships that help us collaborate and create innovative opportunities. We rely on them to help us build financial strength and resiliency. With this reliance we have on third-party relationships, how do we ensure that the companies and people who run them are operating in a sound manner and that they hold the same values that we do? How do we ensure that as we enter and maintain relationships with third parties and their third parties, they will do what they say they will so that we can minimize impacts on our own financial stability, reputation, business strategies, or operational functions?
Jessica Mckenzie, Third Party Risk manager, American Express
SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Lokesh Bhatnagar provides descriptions to determine which 4th parties are material, and how to incorporate them into the post-contract phase in the lifecycle as well as effective risk monitoring and oversight.
In the increasingly interconnected global economy, organizations depend on third-party vendors and service providers to maintain efficient, competitive supply chains. Effective third-party risk management (TPRM) is vital to safeguard organizations against financial, operational, and reputational damage. However, many TPRM strategies overlook the risks posed by fourth-party subcontractors, particularly those that are material to the organization.
Understanding Materiality in Fourth-Party Risk
Before delving into the management of fourth-party risk, it is essential to grasp the concept of materiality. A material subcontractor is one whose failure or poor performance could significantly impact an organization's operations, reputation, or regulatory compliance. Factors contributing to a subcontractor's materiality include:
Sensitive data handling: Assess the risk associated with subcontractors managing confidential information, as they pose a higher risk of data breaches or misuse.
Impact on third-party service delivery: Evaluate how a subcontractor's performance could impair a third party's ability to deliver contracted products or services, possibly leading to operational disruptions.
Lokesh Bhatnagar, Senior Service Delivery Leader, American Express
SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Charlie Swartwood shares his description of important elements in an effective and efficient third-party risk management program and how he plans to make good use of them in his firm.
Charlie Swartwood, Vendor Compliance Advisor, Hyland Software Inc.
Each business unit owns the risks associated with the contracts it decides to enter into. This is a fundamental principle built into third-party risk management (TPRM) programs. In large organizations, the program's success is highly dependent upon each business unit fulfilling its responsibilities.
The Business Unit Structure for Risk Management Success
The business unit needs to ensure it has a suitable organizational structure and resources to fulfill its third-party risk management program responsibilities. This includes having team members trained in specific competencies and adequate capacity based on the level of risk associated with the business unit's third parties.
Once the contract is set, the business unit is responsible for the activities and tasks related to owning the relationship (“relationship management”), including communication, contract, performance, and risk management. Team members who reside within a business unit and perform relationship management activities comprise the largest internal population of team members who should manage risk due diligence activities with third parties.
When I first registered for this course, I wasn’t exactly sure what to expect. I initially thought I would learn a lot of things that I was completely unaware of. I was pleasantly surprised to see that I was learning the “why” behind the changes my organization has been implementing over the past two years.
This course took me deeper into what I need to know to be a successful third-party risk management professional (TPRMP). I will discuss how my organization has evolved, how it has impacted me, and how this course helped me see how I can grow more effectively through these changes.
Evolving into Third-Party Risk Management
My journey as a TPRMP started four years ago. At that time, we were known as Vendor Relationship Managers. My job was to perform the ongoing monitoring task. At that time, I did not know that I was performing a TPRM function under the Enterprise Third-Party Risk Management Framework (ETPRM).
It wouldn’t be until two years into my role that ETPRM was introduced to us. I remember being told that things were changing, and my role was going to evolve quickly. My leadership team was not kidding! Not only have I learned more than I ever imagined, but my role has also significantly changed during this time.
SIG’s Global Executive Summit is where forward-thinking procurement leaders come to experience pioneering trends grounded in today’s new realities. It provides a dedicated space for you to network with industry thought leaders, learn from different perspectives, and keep pace with emerging developments in strategic planning and procurement technology, all of which are essential to inform the way we work.
Taking place October 13 to 15, this Summit isn’t just a three-day-long webinar, it’s a live event! Everyone who attends will come away with data-backed insights and actionable resources. Sourcing and procurement leaders are continuously being shaped by new developments in contract management, remote work, sustainability, stakeholder buy-in and third-party risk management.
The keynote addresses and breakout sessions will directly address these trending topics and more:
Contract Lifecycle Management
Many sourcing bottlenecks are the result of poor contract management practices. Digitizing and automating the process, from initiation to award and renewal, can expedite the process and enhance compliance.
In my conversations with practitioners and procurement leaders, this topic comes up frequently. You can expect sessions whose focus ranges from executing complex negotiations to the role that advanced technologies like Artificial Intelligence and Machine Learning play in managing the lifecycle of contracts.
The Relationship Manager is the first line of organizational defense, tasked with ownership of relationships and risks. The overall accountability of these risks, the performance and the cost management for the supplier through the life of the relationship are also key focus points.
I will discuss how the Relationship Manager (RM) functions as the nucleus of Third-Party Risk Management (TPRM) activities for a supplier with the following points.
Provides Information for Reviews and Decides on Risk Acceptance for a Third Party
It is understood that the liability of our third parties is ultimately ours. This means that the liability of the third parties of our third parties (i.e., our subcontractors) also becomes ours. An effective framework in which risk is indicated and mitigated is essential for our suppliers and subcontractors.
In such a framework, exit strategies and termination processes are set in place for cases in which the risk cannot be mitigated or when a contract needs to be terminated. These are defined by the Relationship Manager, who provides information on the supplier and finds out if there are subcontractors involved. Responses provided will trigger due diligence risk areas for information from the supplier.
Once the relationship is fully defined and risks are highlighted, it is the responsibility of the Relationship Manager to determine whether or not to accept the risk and contract with the supplier.