Blogpost

Third Party Risk Management Programme Fundamentals Webinar Summary

On Thursday, March 16, Shared Assessments launched its six-part webinar series “Optimizing Your TPRM Program” in partnership with OneTrust. The series runs through July 2020 and covers a broad range of topics. Scheduled to occur once a month on Thursdays at 2:00 PM GMT, the webinars fit into the European workday.  (Alternatively, the webinars offer a bright and early start to the day at 9:00 AM ET. For points further west in the United States, we recommend the recorded session below or coffee while listening in to the live presentation.)

Moderated by Tom Garrubba (Vice President, Shared Assessments), the Third Party Risk Management Programme Fundamentals Webinar offered an understanding of the building blocks needed for a strong Third Party Risk Management Program. The perspectives of Nassar Fatah (U.S. Steering Committee Vice Chair) and Jaymin Desai (TPR offering manager at OneTrust) further complimented the session.

 

First, the webinar touched on Governance, the organizational structure supporting a strong risk management program.  Fattah introduced the notion that no organization is an island. Vendors help organizations remain competitive by delivering goods, services or the power of emerging technologies more efficiently than the organization can itself. Fatah recommends we view vendors as partners that add essential value to the organization.  We should honor the value third parties bring by approaching our vendor relationships with a strong risk culture: organized procedures delivered through transparent communications.

 

For risk culture to become embedded in an organization, executives and the board must set the tone at the top.  (Nowhere is this clearer than in regulated industries, where executive and third party commitment to awareness around these regulations is essential.)

 

Garrubba described a comprehensive set of policies, procedures and standards behind every effective TPRM program:

  • Policies should not be more than 2-3 pages long, including all relevant corporate functions that tie into your risk program.
  • Standards reflect the standards within the organization itself.  Your third parties are an extension of your organization and should be treated as such: if you keep records for X years, your third parties should also keep records for X years.
  • Your procedures are your playbook and should remain flexible and separate from your policies.

 

A Vendor Risk Assessment is a key procedure that will help you understand exactly who your vendors are and how they operate. Fattah described the importance of having a vendor definition: in your organization, what constitutes a vendor? Regulated spaces tend to have a definition of a vendor in place already, but in other circumstances, your organization must clarify your own definition. For example, is the florist from whom you order office floral arrangements a vendor?

 

Contract Development is the longest and most costly procedure for onboarding a vendor, enforceable for the lifespan of the organization’s engagement with a vendor. This procedure returns to the original notion presented by Fattah at the webinar’s beginning: third parties deliver great value to your organization, so take a holistic view and build a strong relationship based on transparent communication of expectations. As you develop contracts, view your relationship with the vendor as a complete system or cycle, from onboarding to offboarding.  Consider what the vendor has that belongs to you: equipment, network connections or data.  Ending a relationship with a vendor will be more seamless if you have mapped out an exit strategy – a predetermined process for the return of property or data that belongs to your organization.

 

Finally, returning to the tone at the top, sharing risk information via dashboards and scorecards to senior level management will drive your Third Party Risk Program forward as a value center (rather than a cost center).     

For more information on future webinars in the series, click here.