vendor management

Learning Why Third-Party Risk Management Matters

SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Jaclyn Seals discusses how taking the C3PRMP program has given her the resources to grow in her role and the expertise to be an asset to her team.

When I first registered for this course, I wasn’t exactly sure what to expect. I initially thought I would learn a lot of things that I was completely unaware of. I was pleasantly surprised to see that I was learning the “why” behind the changes my organization has been implementing over the past two years.

This course took me deeper into what I need to know to be a successful third-party risk management professional (TPRMP). I will discuss how my organization has evolved, how it has impacted me, and how this course helped me see how I can grow more effectively through these changes.

Evolving into Third-Party Risk Management

My journey as a TPRMP started four years ago. At that time, we were known as Vendor Relationship Managers. My job was to perform the ongoing monitoring task. At that time, I did not know that I was performing a TPRM function under the Enterprise Third-Party Risk Management Framework (ETPRM).  

It wouldn’t be until two years into my role that ETPRM was introduced to us. I remember being told that things were changing, and my role was going to evolve quickly. My leadership team was not kidding! Not only have I learned more than I ever imagined, but my role has also significantly changed during this time.

Implementing the Enterprise Third-Party Risk Management Framework

The change to my role is largely due to heightened regulatory requirements that my organization has put in place. We were never really “big” enough to have all eyes on us. Due to our significant growth over the past several years, we are now seen as a large financial institution.

Jaclyn Seals, Third-Party Relationship Manager, USAA

8 Steps to Manage Vendor Data Privacy Compliance

Eight vital steps organizations can take to ensure that vendors aren’t jeopardizing data privacy compliance.

Around the world, new regulations about the collection and usage of personal data are changing workflows for major organizations. Following the passage of legislation like the General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA), businesses are auditing privacy practices and creating much stricter guidelines when they select partners and vendors.

With tighter regulations about the way consumer data is collected and used, organizations have to increase scrutiny for every party that has access to personal data. The entire system is only as secure as the weakest part, so it’s more important than ever to vet external parties and maintain visibility into their data practices. Here are eight vital steps organizations can take to ensure that vendors aren’t jeopardizing data privacy compliance.

Step 1: Audit Your Existing Data Privacy System

Before you do anything else, examine what’s currently in place to understand the changes that need to be made to maintain compliance with new regulations. You want to avoid reinventing the wheel and to make adjustments without slowing down the business or adding risk.

After that self-examination, conduct the same check on your network of vendors. It’s imperative that you have a 360-degree understanding of vendors’ business practices and overall reliability before entering or continuing business relationships.

COVID-19 Resources for Sourcing, Procurement and Workforce Management

SIG is always asking our event attendees, current and future members, and readers about their current issues and concerns. I have been tracking and analyzing their responses for almost 10 years now. While cost savings and value-add remain consistent and strong priorities, there's no doubt many are very concerned about meeting pandemic-related needs.

We are blessed to have a community of thought leaders and generous, experienced professionals who are willing to share their experiences and describe their wins.

We offer the following resources in your quest for COVID-19 related items specific to sourcing, procurement, and workforce management. SIG members can continue to search for related articles here.

In the resources listed here, you can learn how to set up a crow's nest and a war chest, hear how Sprint/T-Mobile are managing the crisis using AI for their spend analytics, specific procurement best practices for today's market, how technology enhances continuity in your workforce and what happens if and when this is "all over." Plus, so much more.

Checklist: 6 Steps for Navigating Through the COVID-19 Storm

COVID-19 has transformed from a short-term hiccup to a perfect storm at an unprecedented pace. It is normal to feel disoriented and to feel like you're running in eight directions at once.

Mary Zampino, Vice President – Content, Research & Analytics

Balancing Third-Party Risk with Specialized Categories

SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Michele Wesseling discusses the balance between satisfying your firm's need to generate revenue and mitigating third-party risk.


Third-party risk management in the financial industry requires careful consideration when developing an operating model. It is essential to consider the regions and regulations that govern. In most of the banking industry, your internal risk culture allows you to easily implement a third-party risk program that methodically measures inherent risk, provides time to assess third party controls and negotiates contracts that enforce controls and mitigates residual risk.

Internal vs. Third-Party

The internal risk culture changes once you enter the world of capital markets where decisions are made quickly, risk is a way of life and patience is a rare quality. Now add the risk of a trade execution platform failing during a stock market dive and counterparties not having the ability to trade for several hours. The outage would be noticed and gain publicity, potentially causing regulators to investigate. Should this occur and the necessary due diligence steps that would have highlighted this vulnerability were skipped, the repercussions could be costly. Your firm's reputation would be at stake and you most likely will face regulatory scrutiny that could result in fines. Striking a balance between satisfying your firm's need to generate revenue and mitigating third-party risk is an interesting challenge. If your operating model is too slow and cumbersome, your business will most likely attempt to circumvent the process. Careful consideration is needed when aligning your control assessments to the true inherent risk.

Michele Wesseling, Associate Vice President

SIG Speaks to Shashank Saxena, CEO and Co-Founder of VNDLY

Shashank Saxena is a presenter at the SIG Procurement Technology Summit

What is your role and your day-to-day responsibilities? 

As CEO of a software SaaS company, I spend time with my leadership team focusing on the product and obsessing over the problems we're trying to solve for our customers. I focus on making sure all of our teams – internal product management, sales, engineering and customer support – are functioning at optimal levels. I also enjoy spending time with our customers, hearing about their pain points and how they're actually using the software we've built. 

What is something that you wish more people knew about sourcing and procurement? 

Sourcing isn't just about finding the right vendor or supplier, it's about understanding the problems business stakeholders are trying to solve. Very often I see teams obsess over the solution, its features and price, rather than focusing on the problem the stakeholder is experiencing. The best sourcing and procurement teams I've worked with are strategic in their approach and never lose sight of the pain points stakeholders have throughout the sourcing process. 

Shashank Saxena, CEO and Co-Founder, VNDLY

Drive an Effective Governance Program with Technology

Artificial intelligence and machine learning technology can help organizations foster a culture of innovation with their third parties.

Jai Chinnakonda, co-founder of a technology provider start-up, enrolled in SIG University's Certified Third Party Risk Management Professional (C3PRMP) program to learn how he can better serve his clients by gaining a more thorough understanding of third-party risk management best practices.

In the C3PRMP program, students focus on best and emerging practices to identify, assess, manage and control third-party risk throughout the lifecycle of relationships, and learn how to align risk fundamentals and frameworks with risk culture to develop the essential tools and controls for effective governance.


The digital age is seeing an increased dependence on third-party service providers of varying sizes – including start-ups – to meet the challenges of technological innovation, cost, demand for service excellence and heightened competition. 

Organizations are often locked in a love-hate relationship with their vendors as they struggle to meet expectations, sometimes both ways. In today’s digital journey, no organization can thrive on its own. To create true value for your organization and help meet business objectives, your organization will need to build a lasting relationship with your third parties. Organizations will need to adopt the art and science of engagement.

The business ecosystem is experiencing a fundamental shift. Organizations are moving away from purely cost-savings partnerships to value-generating risk-sharing partnership models. As the third-party ecosystem grows, the ability to manage and govern third parties is becoming more critical to success.

Jai Chinnakonda, Co-Founder, ENGAIZ

Laying the Foundation for a Vendor Management Program

A Senior IT Consultant talks about shaping a risk culture and standardizing her company's vendor review process.

While enrolled in SIG University's Certified Third Party Risk Management Professional (C3PRMP) Program, Wendy Hsu was able to immediately apply what she learned and contribute her expertise toward sourcing a third-party risk management tool to develop her organization's Third Party Risk Management Program.

In the C3PRMP program, students focus on best and emerging practices to identify, assess, manage and control third-party risk throughout the lifecycle of relationships, and learn how to align risk fundamentals and frameworks with risk culture to develop the essential tools and controls for effective governance.


In more ways than one, the learning opportunity with SIG University’s Certified Third Party Risk Management Professional (C3PRMP) program was more than coincidental. Earlier in the year, I had chosen the C3PRMP program to fulfill my 2019 Individual Development Plan objective. Little did I know that by July I would be fully engaged in assisting my manager to source a suitable third-party risk management tool and develop a project plan to implement our future Third Party Risk Management (TPRM) program. While the timing of my taking the certification program couldn’t be better, the challenges ahead of my company’s TPRM program (which will soon be called Key Vendor Management Program) couldn’t be greater given we are a young company still in the process of shaping our risk culture and standardizing our vendor review process.

Wendy Hsu, Sr. IT Procurement Consultant, Venerable

Breathing New Life into Traditional Vendor Management

Vendor risk management is part of effective governance.

SIG University Certified Third Party Risk Management Professional (C3PRMP) Program graduate David England has noticed a decline in vendor management teams. He shares his thoughts on how the adoption of third-party risk management strategies by vendor management teams can help position them as a key asset and reverse their decline.

In the C3PRMP program, students focus on best and emerging practices to identify, assess, manage and control third-party risk throughout the lifecycle of relationships, and learn how to align risk fundamentals and frameworks with risk culture to develop the essential tools and controls for effective governance.


There is a growing awareness within the mainstream business community of the importance associated with effective third-party risk management – a capability that has been nicely incubating and maturing within heavily regulated industries, such as banking and financial services, for eons. This increased exposure and attention could be just what is needed to revitalize the flagging vendor management movement.

Many F500 organizations have well-established vendor management capabilities that spawned several decades ago with the onset of strategic process outsourcing and continue today as an effective operational strategy. Many organizations I have consulted with over the past 15 years benefit from these capabilities, which has helped them achieve the value intended from these important vendor relationships. These key capabilities include:

David England, Director, Governance Services at ISG

Vendor Risk Management: A Proactive Approach

SIG University student Hanne McBlain enrolled in the Certified Third Party Risk Management Professional (C3PRMP) Program while working at Information Services Group. She shares what she learned from her own experience with a data breach and how she is taking a proactive approach to IT vendor risk management to mitigate future business disruptions.  


In times of cost-cutting, vendor management functions that include third party risk are often the first to go or be significantly reduced. Many senior executives fail to see the value these functions bring and are usually happy to cover third party risk as part of a general risk function.

Stakeholder Support is Critical

I previously worked for an organization that prided itself on not relying on third parties for any critical functions. Redundancy was abundant and built into every platform, and on the surface, there was not much to worry about when it came to third party risk.

During my time there things started to change. We convinced the organization to implement a third party risk management framework. But with no experience in this area, we were fighting an uphill battle. We managed to win support and quickly implemented standard due diligence and on-going monitoring of critical suppliers. The business stakeholders generally regarded the added due diligence and tracking as unnecessary and bureaucratic.

Hanne McBlain, Director - ANZ Managed Services

Join the Conversation in the SIG Community

The SIG Peer2Peer (P2P) program allows members to access benchmarking insights and best practices on topics specific to their needs. Using the Peer2Peer resource, members can leverage the experience of other industry professionals by posing questions to the greater SIG community on issues they are facing within their organization. Members use the forum to locate resources, source providers, seek advice on hot topics and share their lessons learned.

Below are the latest Peer2Peer inquiries. You or someone on your team may know the answer to one of the questions below. If you do, please take a moment to help a SIG member from the buy-side. You may need their help one day, too! To submit your own Peer2Peer inquiry, get in touch and we’ll pose your question to the SIG Community.

Procurement Best Practices

This buy-side member is re-writing their procurement policy and revamping their process for the requested addition/approval of a new supplier. They are seeking best practices for procurement policies, specifically covering the following topics:

  • What spend does/does not require a PO?
  • What are the consequences for procurement policy violations? For example: Committing company funds without a PO or contract.
  • How are violations to the procurement policy enforced?
  • What is the process for requesting a new supplier add? Who reviews/approves/denies this request?

Stacy Mendoza, Digital Marketing Specialist