Utilizing Third-Party Relationships


SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Charlie Swartwood shares his description of the important elements of an effective and efficient third-party risk management program and how he plans to make good use of them in his firm.


Over the past ten weeks, I have been able to connect with other members of the risk management community. Through our weekly discussions, I understood and identified process pain points that other risk managers are experiencing in the industry. Each week’s coursework provided greater insight into third-party relationships and what tools I can utilize in those relationships.
 
Each week I felt the coursework provided a great insight into the dynamics and overall processes that encompass a robust third-party risk management program. Linda was knowledgeable and helped me dive deeper into third-party programs’ current issues and how to navigate those better as we built our agenda.
 
One of those lessons was on service level agreements and how to appropriately design those agreements to benefit. During this lesson, we focused on the critical points of how a service level agreement can limit risk and how it can enhance a partnership with a third party. For example, one of the concepts I would like to bring back to my company is incentivizing service-level agreements. This concept highlights one of my company’s core values, partnership, and enables us to form a mutually beneficial service level agreement.
 
Our third party would be financially compensated for exceeding service level agreement terms like downtime, service support, or recovery time. Instead of focusing on the negative aspects of not meeting a service level agreement, it would focus on the potential benefits of exceeding those support levels from our third party.
 
Another concept learned during my coursework was reviewing fourth-party relationships and how those possibly impact my company and put us at risk. We checked how to ensure our third-party vendors performed due diligence on their relationships and why that was important. The value in achieving this additional level of due diligence was highlighted by Linda when she used the example of how Target’s network was compromised through their third-party vendor’s access to the Target network.
 
It highlighted that not just managing your relationship with a third party, but how they manage their own relationships and networks, is vital. I will give my company a proposal that we add additional due diligence questions around the fourth party by asking our third-party vendors for more detail on how they handle their third-party relationships and what security measures they have in place to evaluate the risk to their networks.
 
The final concept I would like to bring into my organization is creating and using a risk matrix or a standard risk tolerance approved by leadership. Currently, my organization does not use any risk rating of third-party vendors outside the separate due diligence functions during the initial onboarding process. While I think the level of due diligence we are currently performing in my department is more than the industry standard, I feel there is some confusion within the organization on what those processes are and how each process helps assess risk.
This has caused some frustration within different business units within our organization, and I think a broader understanding of what the Vendor Compliance department does and how it protects the organization is a message I would like to work with leadership on creating. By creating a more defined risk tolerance statement and explaining the overall due diligence process and what each aspect means in the risk evaluation of a third party, I am confident that this will relieve some of the frustrations we are currently experiencing within the organization.
 
I want to thank SIG University and our instructors for providing an excellent opportunity to enhance my knowledge of third-party risk management. These past ten weeks have helped me take a more holistic approach to what my organization is currently doing and design some process improvements that will help us reduce our overall risk. I truly appreciate the time invested with SIG University and look forward to my next learning opportunity.

SIG University’s Certified Third-Party Risk Management Professional (C3PRMP) program is a globally recognized certification that is the “gold standard” in terms of relevance, scope and content. The C3PRMP program was created by Linda Tuck Chapman, an advisor, educator, author and expert.

Charlie Swartwood

Vendor Compliance Advisor, Hyland Software Inc.

Charlie Swartwood is an experienced Vendor Compliance Advisor with a background in supply chain management. Driven to enhance the partnerships his organization has with vendors, he takes pride in improving process efficiencies to ensure overall risk is reduced and business functions receive the services or products they need. With a bachelor's in business management, as well as a Green Belt in Lean Six Sigma, he is equipped not just to manage those vendor partnerships but also to evaluate and improve processes for his organization.