The Certified Third Party Risk Professional (CTPRP) designation from the Shared Assessments Program validates expertise while providing professional credibility, recognition and marketability in third party risk. Two years after the initial program launch, we created the Associate CTPRP designation to provide an opportunity for individuals newer to third party risk management to leverage the course and exam for training purposes. They are able to earn the Associate CTPRP designation (thus demonstrating a proficiency in third party risk management) and apply for the CTPRP certification once they’ve earned the requisite five years of experience.
This year, we’ve been holding interviews with individuals who have earned the CTPRP certification to find out how the credential has benefitted their organizations and their careers. Our discussions have been illuminating – and varied. Our CTPRP interview subjects range from self-described “third party risk management nerds” to chief executive officers (CEOs).
As we’ve listened to CTPRPs describe how they’ve leveraged the certification (and access to the network of experts it provides) to strengthen their companies’ third party risk management capabilities, we’ve heard benefits we expected to hear (e.g., improvements to the rigor, scope and efficiency of third party risk management programs) and learned about unexpected advantages (e.g., using the CTPRP to strengthen staff retention).
We’re in the process of publishing those discussions in a new Q&A series. In the meantime, here are some highlights from the interviews. The following list reflects some of the ways in which Certified Third Party Risk Professionals say that earning, and retaining, the designation has helped their organizations:
1. Less guess work, more efficiency: A third party risk manager reports that his company’s use of risk scoring and risk tiers helped it manage a large group of vendors more effectively. “We’re able to focus our lean resources on the areas of highest risk, which strengthens our due diligence in an efficient manner,” he explains. “Until you start doing that, you’re just shooting randomly and hoping that you address the high-risk vendors – and that’s just guess work.
2. More structure, less scrambling: Leveraging the certification and the Shared Assessments network, a third party risk manager designed a better framework to respond to requests from all client companies. He says the framework “enables us to be far more nimble and effective when we respond to tailored requests. We can be sensitive to those unique information requests without launching an all-out fire drill.”
3. Deeper scrutiny of more vendors: In some cases, the CTPRP experience shows leaders of mature third party risk management programs how they can make further refinements. A CTPRP who manages third party risk from an information security perspective says his experience earning the designation showed him how his company could “significantly increase the number of vendors that are in scope.” That change helped his team identify more problem areas along with new ways to address those issues. “We’ve also expanded our enterprise TPRM program to additional areas of the [company] and worked to include more types of third parties in scope”. He adds, “Many of those changes were made as a result of the training I received in the CTPRP coursework.”
4. Effective communications promote TPR best practices holistically: A manager of third party risk says his certification experience helped him recalibrate how he communicates about vendor risks with business partners. When business partners ask him if he can “approve” a new vendor, he treats it as an education opportunity by explaining that his role is to conduct research and then share it with them so that they can make an informed decision about how to proceed. “I’ve learned how important it is for me to market third party risk management best practices throughout the organization,” he notes. “The education and communications pieces are a huge part of what we do as third party risk management professionals.”
5. Retention and staff development benefits: A CEO who holds the CTPRP designation says the certification has provided staff development and retention benefits. “I’m a big believer in organically grooming staff members to move up the ranks to more meaningful and challenging roles,” she explains. “The CTPRP and the continuing education have helped our people advance their careers while advancing the company’s capabilities.”
6. More business: The same CEO also notes that the certification helps convey her firm’s commitment to privacy and security issues to client companies and prospects. “I know that the certifications we have as a firm, and as individuals, really make a difference,” she adds. “I can think of three situations where our involvement with Shared Assessments and the CTPRP certification were helpful factors in securing major new customers.”
Bottom-line improvements and other organizational benefits are only one part of the CTPRP’s value proposition. “It’s really changed the direction of my career,” says a third party risk manager responsible for information security. “Inside the company, I’m a primary advocate for analyzing third parties. Outside the company, I’ve been speaking about third party risk at information security conferences.”
Check the current schedule to earn your CTPRP.
If you are a CTPRP holder, and want to speak about how this has helped your career or third party risk program, please contact Laura. laura@santa-fe-group.com
