You Can’t Build a Robust Risk Management Program Without the Right Skills

The intricate third party risk management (TPRM) lifecycle requires coordinated and well-integrated knowledge from the Board and C-Suite through management and general staff, and extends throughout the relationship with third and fourth parties. The complex elements of a robust TPRM program involve effective design, control and monitoring of policies and processes, third party and system inventories, contracts, risk tiering and assessment techniques, ongoing oversight, tools and technology, and awareness of the threat, regulatory and industry landscapes. Yet, across the maturity levels of organizations’ third party risk management programs, skills and expertise consistently remain the least mature component (Shared Assessments and Protiviti, 2015). A stunning 55% of risk professionals recently reported having no regular access to any IT security experts, either internal or third party. Of those that reported having IT professionals, 67% of those professionals say they have no security certifications (Spiceworks, 2016).

The 2015 (ISC)2 Global Information Security Workforce Study projects a 1.5 million shortfall in the global information security workforce by 2019 (Frost & Sullivan, 2015). This shortfall stems from an existing gap that is deepening year over year.

While there are several professional training programs and certifications, such as ISACA’s Certified in Risk Information Systems Controls (CRISC), that focus on components of third party risk, only Shared Assessments’ Certified Third Party Risk Professional (CTPRP) and Associate CTPRP holistically address the key elements of a solid TPRM program. In 2016, more than 80% of Shared Assessments members reported that they do not mandate any of the following training certifications for their third party risk management team members: Certified Information Security Officer (CISM), Certified in Risk Information Systems Controls (CRISC), Certified Information Privacy Professional (CIPP), Certified Information Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Third Party Risk Professional (CTPRP) (Shared Assessments Member Survey, 2016). Of those members who do mandate certifications, CTPRP, at 12%, was the certification organizations required most often, followed by CISA and CISSP at 10% each.

In short, in response to the growing regulatory and industry need to adapt quickly to the changing threat landscape, organizations need to carefully review their staffing and management expertise to ensure that their staff and management are supported in their risk management efforts with:

  1. Crisp, functional, nimble technology and tools.
  2. Clearly defined, qualified certified skill holders with disciplined expertise.
  3. Ongoing education that provides employees, procurement and third parties with clear, consistent information and messaging to increase awareness of risk management goals and policies.

Marya Roddis is Vice President of Communications for The Santa Fe Group. She develops blog content and assists staff and members to document committee projects in white papers and briefings, as well as working on blog editing, press releases and other marketing documentation projects. She has worked as a Resource Development Consultant since 2003 for primarily non-profit organizations in the fields of arts, education, social services and regional economic and business development.