The Shared Assessments Blog
Building Your TPRM Program – Part 1: Four Foundational Steps to Build Your Third Party Risk Management Program On
Published on February 3, 2017 By Robert Wilkinson | Posted in: Best Practices, Business Resiliency, Certified Third Party Risk Professional (CTPRP) program, Education, Framework, Outsourcing, Risk Management, Vendor Risk Management
This two-part article responds to an increasing number of requests to outline foundational concepts that support Boards and executive managers as they define, design and implement best practice-based Third Party Risk Management (TPRM) programs. In particular, this article provides starting-point approaches and essential areas of focus for an organization implementing a TPRM program from scratch. The second part will cover the key program activities that need to be defined and implemented at the third party risk management program level within an organization.
Four foundational elements for achieving a successful TPRM program are:
- Early High-Level Buy-In: Obtaining Board and senior management buy-in is essential, along with the need to set early expectations for ongoing, defined reporting periods and effective metrics for managing and mitigating third party risk. In most cases, this will require a Board and senior management education initiative.
- Defined Metrics: In parallel with program implementation, a set of program metrics must be developed that includes Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs). Depending on the organization's maturity and approach, this can be implemented alongside an independent Operational Risk Management (ORM) function and defined program reporting requirements that meet the Board and senior management expectations set in step 1 above.
- Defined Roles: Clear definition of stakeholder roles and responsibilities at each phase of the framework is needed, as defined in the table below.
- Address the Effect of Silos on Implementation: This element has to be addressed prior to implementation if the program is to achieve a functional level of effectiveness and maturity. Recommendations and other input from all relevant stakeholders should be sought to provide insight into the true structure and nature of key roles and responsibilities and the perceived effect that silos have on program implementation. Continuous quality improvement (CQI) is an essential element of understanding how silos and other organizational structure elements impact the program as it develops and becomes mature.
The following table will assist in understanding which stakeholders can effectively interact together throughout these four foundational steps.
This concise, considered approach to TPRM program development and execution will help your organization realize the return on its investment in risk management programs. It will also help you reach a program level that responds directly to evolving regulatory, industry and other guidelines and standards, as well as to emerging risks. The second part of this article will provide guidance on the essential activities for implementing a robust TPRM program.
Robert Wilkinson, Chief Strategy Officer at The Santa Fe Group and the Shared Assessments Program, has provided support to these organizations for more than 15 years, including as an Advisory Board member and Advisory Board Chair, and has a deep understanding of results-oriented risk management. He has more than 30 years of extensive global experience developing and implementing enterprise operational risk management solutions focused on Operations and Technology, having worked in 45 countries and various locations throughout the United States. He has extensive experience interacting with government regulators and addressing regulatory findings.