Education Increasingly Important in Third Party Risk Management

Who does your organization trust to assess key service providers with access to your confidential and proprietary data? Specialized skills and expertise are required to manage risk in a rapidly evolving outsourced economy. Certifications are an important way to demonstrate competency in a complicated field to employers, colleagues, and customers.

According to the 2015 Shared Assessments and Protiviti Benchmarking study, which examined the maturity levels of organizations’ third party risk management programs, skills and expertise is the least mature component across the board. Relatively few organizations offer training on third party risk management policies and procedures, or measure employee understanding of third party risk management accountabilities.

This gap between the importance of education and a critical need at many organizations for third party risk professionals led to the creation of the Shared Assessments Certified Third Party Risk Professional (CTPRP) program. The CTPRP certification provides formal training in third party risk management policies and practices. It prepares individuals to manage the vendor lifecycle and to identify and rate vendor risk, and gives them fundamental knowledge of vendor risk assessment, monitoring and management. The CTPRP certification offers the right knowledge to build, shape and modify a third party risk program and ensure alignment with management’s expectations, government regulations and industry standards.

In a recent survey of the Shared Assessments membership, the majority of respondents reported holding one or more industry certifications, with the Certified Information Security Professional (CISSP) and CTPRP certifications ranking the highest.

What certifications do members of your third party risk management team hold?
(multiple answers allowed)

The Shared Assessments member survey also identified a growing mandate within organizations to require certification for their third party risk professionals. The need for specialized skills and training is evident as a comprehensive third party management program will include various components such as vendor risk identification and rating, contracts, tools, measurement and analysis, and monitoring and review. There are several professional certifications that focus on components of third party risk, but the Shared Assessments CTPRP is the only certification that covers these topics holistically, and is increasingly a mandatory training for employees at our member organizations who perform third party risk tasks and analysis.

Are any of these certifications mandatory for your third party risk management team members? (multiple answers allowed)

In addition to more organizations requiring specialized training for their third party risk practitioners, it is wise for professionals to seek certification as a way to highlight and verify experience in a professional development portfolio. Increased organizational focus and management attention on third party risk, coupled with a market demand for a specialized skill set, indicates that third party risk certification will continue to be adopted by organizations and individuals.

To learn more about how to gain a CTPRP certification for yourself or to hold a training at your organization, please visit: or contact Katherine Kneeland at

Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk.