SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Andy Ignacio describes and compares some of the related concepts he learned throughout the program to his organization's evolution from "check the boxes" to a strong risk culture and program.
Our company has undergone a risk management transformation in the last five years. The approach changed from a check-the-box approach to having a risk mentality in daily operations. The topic of “Building a Strong Risk Culture” validates our company’s risk trajectory. This paper covers our journey and highlights key milestones that contributed to having a stronger risk culture.
In the financial industry, the company’s initial approach focused on regulatory compliance. It was not a bad strategy. The efforts centered around keeping regulators happy and meeting the minimum standards. We had a hybrid model where frontline business units maintained the day-to-day relationships with third parties or vendors, and a centralized team of dedicated risk practitioners facilitated risk assessments to hold the business units accountable. In addition, the Internal Audit department completed the components for the three lines of defense model.
Vendor due diligence involved business units populating a risk questionnaire which drove the types of risk assessments needed, such as Information Security, Privacy, Business Resilience, Compliance, Model Risk, Bank Secrecy Act/Anti-Money Laundering, and Financial Stability. The process worked satisfactorily and met regulatory requirements. However, components of a strong risk culture were not as evident. The tone from the top regarding the company’s overall vendor or outsourcing appetite was lacking. While specific vendor risks were understood, the overall picture of risk exposure was not clearly conveyed. Also, we had no governing body that served to review our general practices and identify potential improvements.
The transformation began with the backfilling of the Chief Procurement Officer (CPO). Once the new CPO understood the current model and practice, they partnered with the risk practitioners to create a long-term maturity roadmap. The roadmap had key milestones, one of which was to stand up a committee to oversee critical vendor engagements and serve as a governing body that continually evaluates our third-party risk management standards. Moreover, the roadmap had items for maturing contract management, improving the monitoring of vendors, and providing visibility through better reporting.
The Critical Vendor Committee consists of subject matter experts from each risk practitioner area. The oversight structure is conducted on a quarterly meeting cycle. The standing agenda includes reviews of vendors who perform critical services for the organization, emerging industry risk trends, and suggestions or concerns about modifying our practices. Evaluation of industry risk events such as the SolarWinds malicious code and the MOVEit cyberattack is also covered. The committee serves as a good reflection point for what the organization is doing well and what we need to strengthen.
Contract management was another area that contributed to a stronger risk culture. The new CPO obtained top executive approval to requisition a dedicated, centralized team of contract managers. The contract manager’s role focused on contract structuring and negotiation. Our previous practice relied too heavily on frontline business units, who are not experts in contract management, to work with Legal Counsel to redline and negotiate specific terms of vendor contracts. With a dedicated team of contract managers, we could lean on using our standard clauses and contract provisions while also helping frontline drive business unit terms and desires into the agreements. As a result, the risk exposure from missing and undesirable contract language diminished.
Vendor monitoring was advanced through continual monitoring of our vendor inventory. The monitoring involved implementing a vendor solution that watches over our vendor list and escalates specific news alerts. The monitoring program did not replace the periodic risk reviews of existing vendors; it augmented them so that any recent significant news is communicated immediately and escalated appropriately. We identified vendor information such as company leadership, financial characteristics, public filings, and government indicators, which kept us abreast of changes to our vendors’ risk profiles.
The last improvement highlighted from the maturity roadmap is in reporting. This area is currently in development, and we are re-evaluating the existing third-party risk management metrics being reported to executives. Several of the initial metric additions are the inclusion of concentration risks associated with fourth parties, as well as the risk correlated with foreign-based service providers. We are attempting to apply the best practices for developing key risk indicators to ensure our metrics are easily quantifiable, measurable, trackable, and informative and can serve as early warnings of vendor risks.
The specifics of “Building a Strong Risk Culture” from SIG’s Certified Third-Party Risk Management Professional course validated our improvement trajectory and showed us that we are on the right track. It also reinforced the need for better transparency and reporting to executives to keep vendor risk management at the forefront.
SIG University's Certified Third-Party Risk Management Professional (C3PRMP) program is a globally recognized certification that is the “gold standard” in terms of relevance, scope and content. The C3PRMP program was created by Linda Tuck Chapman, an advisor, educator, author and expert.
Andy Ignacio, Contract Management and Third-Party Oversight Manager, Umpqua Bank
My education is in industrial engineering, and my initial career in the financial industry was centered on process improvement. In the last five years, I transitioned to risk management, specifically around third-party risk management. Our company had a significant transformation in this area. We went from a check-the-box approach to the current daily risk-minded approach, where we continually evaluate the organization’s risk appetite and exposure. In my free time, I like to spend time with family, travel to new places, and try the local eatery.