Anisha Gizersky is a well-rounded technical Governance Risk and Compliance (GRC) professional with over 15 years of experience in evaluating and addressing third-party risk. Gizersky has relied on her Certified Third-Party Risk Professional (CTPRP) designation for over a decade as she has built third-party risk management programs from the ground up.
Tell us about your professional journey in third-party risk management (TPRM).
Anisha Gizersky: I am proud to have led and built Third-Party Cyber Risk Management programs from the ground up. I have implemented global end-to-end, enterprise-level programs that identify and evaluate complex business and technology risks. I have developed and given oversight to framework, processes, governance, policy, standards, technology, training, and metrics/reporting. In my career, I have encompassed the entire risk management journey from start to end.
What makes or breaks a TPRM program?
Anisha Gizersky: Generally, a business process is outsourced to an appropriate provider to leverage expertise that an organization wouldn’t have in-house. Hence it is critical to have a formalized TPRM process in place that identifies, assesses and mitigates the risks that are posed to your organization. These risks can grow out of many different areas including regulatory compliance, poor data management, information security, or issues related to operations or finances. Hence, it is very important to determine the inherent risk and criticality of the vendor engagement as that is how appropriate and risk-based due diligence should be performed when onboarding a vendor.
I am a strong proponent of understanding and highlighting the different types of risk posed by a vendor during the onboarding process. Then, I can customize and cater to the company I am assessing.
Share your CTPRP Experience.
Anisha Gizersky: In 2013, I found myself building a third-party cyber risk program. Around the same time, Shared Assessments launched its certifications. I am one of the first CTPRP candidates to be certified!
How has the CTPRP benefited you personally and helped advance your career goals?
Anisha Gizersky: I knew the CTPRP would be a great endorsement for me professionally. I was able to combine the unique perspective of someone who had already built a TPRM program from the ground up with the certification.
In risk management, you learn so much going through the process. You don’t typically go to college and minor in TPRM, but you do need foundational background.
The CTPRP reinforced my experiential knowledge of third-party risk management, allowing me to help clients connect the dots between GRC and TPRM. When someone sees my CTPRP certification, they understand that I am a subject matter expert in third-party risk management.
How would you characterize the current TPRM landscape and how can practitioners rise to meet its challenges?
Anisha Gizersky: Third-party risk management was once seen as an administrative role. But the cybersecurity point of view is essential. Risk management now is so much more than asking questions and conducting surveys. The CTPRP helps risk managers gain the foundational knowledge to be able to put controls in place for technology and security to build an end-to-end, enterprise-level program.