Risk practitioners wonder about it: “CTPRP vs. CTPRA? Which certification is right for me?” Poet Robert Frost wrote about it: “Two roads diverged in a yellow wood…” Major League Baseball player Yogi Berra spoke of it: “When you come to the fork in the road, take it!”
Doing business in an outsourced economy requires expertise to implement the strategies, processes, and practices for evaluating and managing vendor risk. Overseeing the security of sensitive data, once in the hands of third parties, calls for competence.
Wondering which risk management certification will establish competence and nourish your career? Let’s look at both.
Shared Assessments Third Party Risk Management Certifications
The Shared Assessments Program proudly offers two certifications for third party risk professionals and IT risk assessors. Shared Assessments’ Certified Third Party Risk Professional (CTPRP) and Certified Third Party Risk Assessor (CTPRA) certifications are both recognized as gold standards in the industry.
Certifications in the third party risk space have become the norm on the individual, organizational and industry levels.
For individuals, the certifications validate achievement of a standardized level of competency. Third party risk management certifications nurture careers:
- 80% of CTPRP holders report training improved their ability to fulfill their job duties
- 47% of CTPRP holders report certification helped them land a new job or earn a promotion
- 68% of CTPRP holders report that current annual compensation ranged from $90,000 to $120,000
For companies, the certifications ensure a level of competency for particular positions or functions. For the industry, as risks have expanded and evolved, vulnerabilities and volatility have increased, and career opportunities have grown.
Certified Third Party Risk Professional (CTPRP)
The CTPRP is comprised of four distinct sections:
- Risk Management Foundation (understanding risk to your organization)
- Program Management (how to set up and manage your program)
- Risk Control Domains (the IT risk controls you should concentrate on during an assessment)
- Risk Assessment Process (best practices in performing an assessment)
Attendees of the CTPRP course represent security, compliance, procurement, business resilience, legal, audit, IT vendor management and even facilities management backgrounds.
Anyone involved with the third party risk management lifecycle within their company or anyone seeking insight into best practices for establishing and managing a program will benefit from the knowledge gained by attending a CTPRP class.
The CTPRP class takes great care to cover both the perspectives of the outsourcer and the vendor. The CTPRP certification is industry and organizationally agnostic; professionals with diverse backgrounds have found significant value in attending the class and in achieving the certification.
Recently, the CTPRP launched an on-demand self-study class – helping in-demand professionals with full schedules to gain certification.
Certified Third Party Risk Assessor (CTPRA)
The CTPRA certification validates knowledge within specific IT risk control domains that individuals need to perform thorough evaluations of third parties during assessments. Like the CTPRP, the CTPRA has four sections:
- Risk Management Foundation
- Risk Based Due Diligence
- Risk Control Domains
- Risk Assessment Process
The CTPRA focuses on audit, security, and privacy best practices and principles. The certification is geared toward IT security professionals, providing a foundation for developing a solid playbook for performing virtual or onsite assessments.
In risk management, a CTPRA:
- Plans and scopes on-site and virtual assessments for specific third party relationships
- Conducts assessments and testing of the third party’s location and control environment
- Performs discovery and evaluates compliance artifacts
- Summarizes assessment results, findings and remediation actions
Understanding the risk control domains discussed within the CTPRA strengthens a practitioner’s understanding of how to evaluate and assess SIG questionnaire responses and information.
CTPRP vs. CTPRA – Any Fine Print?
To achieve either of these certifications, a professional must first take the class and next pass an online exam within 15 weeks after the conclusion of the class. (You must take the class; you cannot just take the test. More details are available in the FAQ of the CTPRP and the CTPRA webpages.)
Upon completion of the exam, individuals are required to hold a minimum of five years’ experience as a risk management professional and are required to complete the Proof of Experience form along with an employer attestation. The CTPRP/A Certification Committee reviews these forms and opines on the candidate’s credentials and experience.
In the event the individual passes the exam but does not have the requisite experience, the term “Associate” is assigned until the minimum standards are met.
CTPRP vs. CTPRA – Which Risk Management Certification Is Right For Me?
So…which certification is right for you? This really depends on your present responsibilities or even your future aspirations. Are you tasked with setting up a new program? Or, are you vetting your business unit’s vendors? Maybe you have been assigned to assist in data security requirements for a vendor contract. Perhaps you are in a business unit seeking to gain additional understanding of your role in the third party risk management chain.
Whether you choose the Shared Assessments’ CTPRP or CTPRA, these certifications will ensure that you are doing the most to nourish your own career while establishing best practices in your TPRM program through education and tools to reduce and manage third party risk.