Managing Third-Party Risk Resources


SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Elizabeth Marquez shares what she has found helps with managing third-party risk resources and how to apply these concepts.


My Organization is a leading provider of insurance and banking services, and we rely on Third-Party Resources for Non-Vendor and Vendor relationships. Over the past four years, I have worked in the procurement space onboarding Third Party resources, and over the past one and a half years, I have been a Risk and Controls Advisor. As a Risk and Controls Advisor, I have supported the Third-Party Risk Management (TPRM) group since May 2021.
 
I took this course to obtain a higher business acumen in TPRM so that I may assist the business with identifying and managing existing and emerging risks that stem from the business activities conducted with our Third Party Partners.  I work closely with the Process and Control Owners to ensure that risks associated with business activities are effectively identified, measured, monitored, controlled, and drive solutions for more robust controls. Although the entire course has provided excellent knowledge, what stood out to me the most was the Operational Risk Management Framework and lifecycle; this is what my role primarily consists of.
 
I must understand the risks of working with Third-Party Resources. I need to anticipate business needs and proactively identify opportunities to improve and strengthen the control environment through actionable insights. This course has helped me think outside the box regarding the risks associated with conducting business with Third Parties and sharing that knowledge with my business partners. In a couple of instances, while in a meeting to discuss controls, I’ve been able to reference my book and add value to the conversation. I’ve had team members compliment my knowledge of the topic and bring up good insight.
 
In the first module and our Book, Third-Party Risk Management Driving Enterprise Value, Linda Tuck Chapman goes into detail about Johari’s Window and explains that it is a “thinking and doing tool” to help you consider the question you need to ask about the Third-party you are conducting business with and in turn helps you to identify something you may have overlooked. I’ve used Johari’s Window since being introduced to this tool and will continue to use this tool in the future.
 
Before this course, I thought that once you sign the contract, you were done, all is well, and you continue with the Third Party relationship as the contract terms have been agreed upon. Still, I came across a few sentences in the book that opened my eyes to how necessary due diligence is: “Lifecycle management assumes that every third-party relationship has a beginning and an end, and may change over time. Each third-party relationship is part of your institution’s operational, financial, and reputational ecosystem.” (Chapman, p. 27) For me, this means that I need to make sure we are reviewing the risks and controls as the relationship changes with the Third Party and that we need to make sure we are looking at the protocols we have in place, improving if necessary, and utilize the due diligence activities conducted to make better-informed decisions.
 
I work with the business to provide oversight and ensure compliance with laws and regulations and the risk and regulatory compliance related initiatives which include: management of procedures/process, risk control self-assessments, control design, whether that be preventative or detective controls, and new product controls for the Third Parties we work with. I assisted the business with translating control deficiencies into action plans.
 
Recently, I assisted the industry with evaluating a risk acceptance which would be identified as an action plan. The topics we covered in the modules and the book helped me to have insight on and formulate the critical questions I would ask before we finalized a risk acceptance process.
 
One of the topics we have been discussing within our job function is business continuity, what that looks like from a Third Party perspective, and how we can deliver on that. The lessons learned in this module will help me in the future as we start to have more in-depth conversations about this topic. Linda Tuck Chapman discusses the “ISO ‘Plan do Check Act’ (PDCA) model applied to the BCM process” (Chapman, p. 71), and I will utilize this model in the future to help implement these procedures within the Organization.

SIG University’s Certified Third-Party Risk Management Professional (C3PRMP) program is a globally recognized certification that is the “gold standard” in terms of relevance, scope and content. The C3PRMP program was created by Linda Tuck Chapman, an advisor, educator, author and expert.

Elizabeth Marquez

Risk and Controls Advisor, USAA

My name is Elizabeth Marquez, and my current role in the Organization is a Risk and Controls Advisor for our Third-Party Risk Management (TPRM) Team. I work for an Organization that provides Insurance and Banking services, and we utilize Third-Party Resources. My current role consists of working closely with TPRM and providing ongoing supervision and oversight of the business controls to anticipate business needs and proactively identify opportunities to improve and strengthen the control environment through actionable insights. I provide recommendations to enhance the control environment to align with the risk and compliance frameworks. I lead projects that implement phases for effective and timely risk remediation, and, last but not least, I partner with stakeholders such as the three lines of defense to drive improvement efforts to correct or prevent negative trends and assess the impacts of the risk-associated activities. Although I am relatively new to this space, I am excited to learn and grow my knowledge and skills related to Third-Party Risk Management.