Authorities on Risk Assurance

The Shared Assessments Blog

Building Your TPRM Program – Part 1: Four Foundational Steps to Build Your Third Party Risk Management Program On

Published on February 3, 2017 | Posted in: Best Practices, Business Resiliency, Certified Third Party Risk Professional (CTPRP) program, Education, Framework, Outsourcing, Risk Management, Vendor Risk Management


This two-part article responds to an increasing number of requests to outline foundational concepts that support Boards and executive managers as they work to define, design and implement best practice-based Third Party Risk Management (TPRM) programs. In particular, this article provides starting-point approaches and essential areas of focus for an organization attempting to implement a TPRM program from scratch. The second part will cover the key program activities that need to be defined and implemented at the third party risk management program level within an organization.

Four foundational elements for achieving a successful TPRM program are:

  1. Early High-Level Buy-In: Obtaining Board and senior management buy-in is essential, along with the need to set early expectations for ongoing, defined reporting periods and effective metrics for managing and mitigating third party risk. In most cases, this will require a Board and senior management education initiative.
  2. Defined Metrics: In parallel with program implementation, a set of program metrics must be developed that includes Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs). Depending on organization maturity and approach, this can be implemented along with an independent Operational Risk Management (ORM) function implementation and defined program reporting requirements that meet Board and senior management expectations defined from step 1 above.
  3. Defined Roles: Clear definition of stakeholder roles and responsibilities at each phase of the framework is needed, as defined in the table below.
  4. Address the Effect of Silos on Implementation: This element has to be addressed prior to implementation if the program is to achieve a functional level of effectiveness and maturity. Recommendations and other input from all relevant stakeholders should be sought to provide insight into the true structure and nature of key roles and responsibilities and the perceived effect that silos have on program implementation. Continuous quality improvement (CQI) is an essential element of understanding how silos and other organizational structure elements impact the program as it develops and becomes mature.

The following table will assist in understanding which stakeholders can effectively interact together throughout these four foundational steps.

[TPRM chart: table of stakeholder roles and interactions across the four foundational steps]

This concise, considered approach to TPRM program development and execution will help your organization reap the return on its investment in risk management programs, and will help it achieve a program level that responds directly to evolving regulatory, industry and other guidelines and standards, as well as to emerging risks. The second part of this article will provide guidance on the essential activities for implementing a robust TPRM program.

Robert Wilkinson, Chief Strategy Officer at The Santa Fe Group and the Shared Assessments Program, has provided support to these organizations for more than 15 years, including as an Advisory Board member and Advisory Board Chair, with a deep understanding of results-oriented risk management. He has more than 30 years of extensive global experience developing and implementing enterprise operational risk management solutions focusing on Operations and Technology, having worked in 45 countries and various locations throughout the United States. He has extensive experience interacting with government regulators and addressing regulatory findings.
