Continuously Assessing and Monitoring
Claire Keelty’s work never ends. The Sungard Availability Services (Sungard AS) information security manager handles all third-party risk management responsibilities for the global company’s 300 vendors, most of which she periodically reevaluates to monitor any changes in their risk profiles. A global organization with data and recovery centers in 45 locations worldwide, Sungard AS applies its deep expertise and experience in business continuity and disaster recovery to design, build and run production environments for clients that are resilient and available in the present and positioned for growth in the future. Keelty discusses how her certified third-party risk professional (CTPRP) certification complements three decades of experience as an information technology (IT) trainer, the head of an IT function and an operational risk manager.
What are your current third-party risk management responsibilities?
Claire Keelty: My role in Sungard AS is focused almost entirely on Third-Party Risk Management. I risk-assess all our suppliers. I currently have about 300 assessments of active suppliers in my filing system. I’m approached by procurement or the business to make an initial assessment of a new supplier. I typically assign an initial risk grade — critical, high, medium or low — to a supplier and then send out an appropriate questionnaire. When the questionnaire and/or any alternative information is returned, I evaluate those responses and compare them to our own information security policies and procedures. Once my assessment is complete, I make a recommendation to procurement or the business indicating that the supplier is an acceptable risk for Sungard AS — or, occasionally, that the supplier is not an acceptable risk. In some cases, I provide a cut-and-dried “yes” or “no.” More often, I indicate that a supplier represents an acceptable risk as long as we contractually address a few specific issues or gaps in their processes. We also have a process through which we continually reevaluate the risk profiles of our existing critical- and high-risk suppliers, usually on an annual basis. So, my assessment work is fairly constant.
What motivated you to earn your CTPRP credentials?
Claire Keelty: I joined Sungard AS with more than 10 years of operational risk and IT management experience. Although some of that work involved third-party risk management, it was never my full-time role. The training and certification appealed to me because I was relatively new to Third-Party Risk Management and I wanted to be able to operate at the same level as my colleagues who were already CTPRP-certified. Now, we all speak the same Third-Party Risk Management language and share a clear understanding of the goals we’re aiming to achieve with our assessment and monitoring activities.
How have your training and certification experiences helped you on the job?
Claire Keelty: It’s certainly helped with my current role. It’s given me the security and authority to address tricky situations when they arise. If I make the decision to reject a supplier, I have the confidence to go back to my business or procurement partner and explain the rationale for my decision. My colleagues recognize that I’m not acting on a whim — and that there is substantial knowledge behind that decision.
What benefits do you gain from maintaining your CTPRP designation?
Claire Keelty: I find the informal discussions with other Shared Assessments members, whether they occur at the annual summit or on the steering committee, to be valuable. I like being able to chat about challenges and decisions with other third-party risk management experts who have similar roles but operate in different industries. I’ve recently been picking the brains of various peers and experts regarding the minimum amount of data that can be requested of especially low-risk suppliers. I’ve received some useful advice and now realize that the minimum amount of data we should ask for is more than what I initially thought it would be.